def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone auth_token middleware')
self._conf = config.Config('auth_token', _base.AUTHTOKEN_GROUP,
list_opts(), conf)
token_roles_required = self._conf.get('service_token_roles_required')
if not token_roles_required:
log.warning('AuthToken middleware is set with '
'keystone_authtoken.service_token_roles_required '
'set to False. This is backwards compatible but '
'deprecated behaviour. Please set this to True.')
super(AuthProtocol, self).__init__(
app,
log=log,
enforce_token_bind=self._conf.get('enforce_token_bind'),
service_token_roles=self._conf.get('service_token_roles'),
service_token_roles_required=token_roles_required)
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf.get('delay_auth_decision')
self._include_service_catalog = self._conf.get(
'include_service_catalog')
self._hash_algorithms = self._conf.get('hash_algorithms')
self._auth = self._create_auth_plugin()
self._session = self._create_session()
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf.get('auth_uri')
if not self._auth_uri:
self.log.warning(
'Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint')
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf.get('signing_dir'), log=self.log)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf.get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self.log)
self._check_revocations_for_cached = self._conf.get(
'check_revocations_for_cached')
def _setup_revocations(self, revoked_list):
directory_name = '/tmp/%s' % uuid.uuid4().hex
signing_directory = _signing_dir.SigningDirectory(directory_name)
self.addCleanup(shutil.rmtree, directory_name)
identity_server = mock.Mock()
verify_result_obj = {'revoked': revoked_list}
cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj))
revocations = _revocations.Revocations(
timeout=datetime.timedelta(1),
signing_directory=signing_directory,
identity_server=identity_server,
cms_verify=cms_verify)
return revocations
def __init__(self, app, conf):
self._LOG = logging.getLogger(conf.get('log_name', __name__))
self._LOG.info(_LI('Starting Keystone auth_token middleware'))
# NOTE(wanghong): If options are set in paste file, all the option
# values passed into conf are string type. So, we should convert the
# conf value into correct type.
self._conf = _conf_values_type_convert(conf)
self._app = app
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf_get('delay_auth_decision')
self._include_service_catalog = self._conf_get(
'include_service_catalog')
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf_get('auth_uri')
if not self._auth_uri:
self._LOG.warning(
_LW('Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint'))
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf_get('signing_dir'), log=self._LOG)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf_get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self._LOG)
self._check_revocations_for_cached = self._conf_get(
'check_revocations_for_cached')
self._init_auth_headers()
def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info(_LI('Starting Keystone auth_token middleware'))
# NOTE(wanghong): If options are set in paste file, all the option
# values passed into conf are string type. So, we should convert the
# conf value into correct type.
self._conf = _conf_values_type_convert(conf)
# NOTE(sileht): If we don't want to use oslo.config global object
# we can set the paste "oslo_config_project" and the middleware
# will load the configuration with a local oslo.config object.
self._local_oslo_config = None
if 'oslo_config_project' in conf:
if 'oslo_config_file' in conf:
default_config_files = [conf['oslo_config_file']]
else:
default_config_files = None
# For unit tests, support passing in a ConfigOpts in
# oslo_config_config.
self._local_oslo_config = conf.get('oslo_config_config',
cfg.ConfigOpts())
self._local_oslo_config({},
project=conf['oslo_config_project'],
default_config_files=default_config_files,
validate_default_values=True)
self._local_oslo_config.register_opts(_OPTS,
group=_base.AUTHTOKEN_GROUP)
auth.register_conf_options(self._local_oslo_config,
group=_base.AUTHTOKEN_GROUP)
super(AuthProtocol, self).__init__(
app,
log=log,
enforce_token_bind=self._conf_get('enforce_token_bind'))
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf_get('delay_auth_decision')
self._include_service_catalog = self._conf_get(
'include_service_catalog')
self._hash_algorithms = self._conf_get('hash_algorithms')
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf_get('auth_uri')
if not self._auth_uri:
self.log.warning(
_LW('Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint'))
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf_get('signing_dir'), log=self.log)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf_get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self.log)
self._check_revocations_for_cached = self._conf_get(
'check_revocations_for_cached')
