def get_middleware_app(self): if not self._auth_method: return None if not self._auth_needed: return None # keystone middleware is needed for fetching objects app = AuthPostKeystone(self._server_mgr.api_bottle, {'auth_svc': self}) auth_middleware = auth_token.AuthProtocol(app, self._conf_info) self._auth_middleware = auth_middleware while True: try: self._auth_token = auth_middleware._identity_server._adapter.get_token( ) break except auth_token.ServiceError as e: msg = "Error in getting admin token: " + str(e) time.sleep(2) self._server_mgr.config_log("Auth token fetched from keystone.", level=SandeshLevel.SYS_NOTICE) # open access for troubleshooting admin_port = self._conf_info['admin_port'] self._local_auth_app = LocalAuth(self._server_mgr.api_bottle, self._conf_info) vnc_greenlets.VncGreenlet("VNC Auth Keystone", self._local_auth_app.start_http_server) app = AuthPreKeystone(auth_middleware, None, self._server_mgr) return app
def setup_app(pecan_config=None, extra_hooks=None): app_hooks = [hooks.ConfigHook(), hooks.DBHook(), hooks.ContextHook(), hooks.RPCHook(), ] # TODO(sbauza): Add stevedore extensions for loading hooks if extra_hooks: app_hooks.extend(extra_hooks) app = pecan.make_app( pecan_config.app.root, debug=CONF.debug, hooks=app_hooks, wrap_app=middleware.ParsableErrorMiddleware, guess_content_type_from_ext=False ) # WSGI middleware for debugging if CONF.log_exchange: app = debug.Debug.factory(pecan_config)(app) # WSGI middleware for Keystone auth # NOTE(sbauza): ACLs are always active unless for unittesting where # enable_acl could be set to False if pecan_config.app.enable_acl: CONF.register_opts(auth_token.opts, group=OPT_GROUP_NAME) keystone_config = dict(CONF.get(OPT_GROUP_NAME)) app = auth_token.AuthProtocol(app, conf=keystone_config) return app
def setUp(self, expected_env=None): expected_env = expected_env or {} conf = { 'admin_token': 'admin_token1', 'auth_host': 'keystone.example.com', 'auth_port': 1234, 'auth_admin_prefix': '/testadmin', 'signing_dir': CERTDIR, } self.middleware = auth_token.AuthProtocol(FakeApp(expected_env), conf) self.middleware.http_client_class = FakeHTTPConnection self.middleware._iso8601 = iso8601 self.response_status = None self.response_headers = None self.middleware.revoked_file_name = tempfile.mkstemp()[1] cache_timeout = datetime.timedelta(days=1) self.middleware.token_revocation_list_cache_timeout = cache_timeout self.middleware.token_revocation_list = jsonutils.dumps( {"revoked": [], "extra": "success"}) signed_list = 'SIGNED_REVOCATION_LIST' valid_signed_list = 'VALID_SIGNED_REVOCATION_LIST' globals()[signed_list] = globals()[valid_signed_list] super(BaseAuthTokenMiddlewareTest, self).setUp()
def get_middleware_app(self): if not self._auth_method: return None if not self._multi_tenancy: return None # keystone middleware is needed for fetching objects app = AuthPostKeystone(self._server_mgr.api_bottle, {'auth_svc': self}) auth_middleware = auth_token.AuthProtocol(app, self._conf_info) self._auth_middleware = auth_middleware # open access for troubleshooting admin_port = self._conf_info['admin_port'] self._local_auth_app = LocalAuth(self._server_mgr.api_bottle, self._conf_info) vnc_greenlets.VncGreenlet("VNC Auth Keystone", self._local_auth_app.start_http_server) app = auth_middleware # allow multi tenancy to be updated dynamically app = AuthPreKeystone(auth_middleware, None, self._multi_tenancy, self._server_mgr) return app
def get_auth_headers_from_token(self, request, token): if not self._hdr_from_token_auth_middleware: conf_info = self._conf_info.copy() conf_info['delay_auth_decision'] = True def token_to_headers(env, start_response): start_response('200 OK', [('Content-type', 'text/plain')]) status = env.get('HTTP_X_IDENTITY_STATUS') if status and status.lower() == 'invalid': return {} ret_headers_dict = {} for hdr_name in [ 'HTTP_X_DOMAIN_ID', 'HTTP_X_PROJECT_ID', 'HTTP_X_PROJECT_NAME', 'HTTP_X_USER', 'HTTP_X_ROLE', 'HTTP_X_API_ROLE' ]: hdr_val = env.get(hdr_name) if hdr_val: ret_headers_dict[hdr_name] = hdr_val return ret_headers_dict self._hdr_from_token_auth_middleware = auth_token.AuthProtocol( token_to_headers, conf_info) return self._hdr_from_token_auth_middleware(request.headers.environ, self.start_response)
def get_middleware_app(self): if not self._auth_method: return None if not self._multi_tenancy: return None # keystone middleware is needed for fetching objects # app = bottle.app() app = AuthPostKeystone(bottle.app(), {'auth_svc': self}) auth_middleware = auth_token.AuthProtocol(app, self._conf_info) self._auth_middleware = auth_middleware while True: try: self._auth_token = auth_middleware.get_admin_token() break except auth_token.ServiceError as e: self._server_mgr.config_log_error( "Error in getting admin token: " + str(e)) time.sleep(2) # open access for troubleshooting self._open_app = AuthOpen('127.0.0.1', '8095', bottle.app()) gevent.spawn(self._open_app.start_http_server) app = auth_middleware # allow multi tenancy to be updated dynamically app = AuthPreKeystone(auth_middleware, {'admin_token': self._auth_token}, self._multi_tenancy) return app
def validate_user_token(self, request): # following config forces keystone middleware to always return the result # back in HTTP_X_IDENTITY_STATUS env variable conf_info = self._conf_info.copy() conf_info['delay_auth_decision'] = True auth_middleware = auth_token.AuthProtocol(self.token_valid, conf_info) return auth_middleware(request.headers.environ, self.start_response)
def test_nomemcache(self): conf = { 'admin_token': 'admin_token1', 'auth_host': 'keystone.example.com', 'auth_port': 1234, 'memcached_servers': 'localhost:11211', } auth_token.AuthProtocol(FakeApp(), conf)
def install(app, conf): """Install ACL check on application. :param app: A WSGI applicatin. :param conf: Settings. Must include OPT_GROUP_NAME section. :return: The same WSGI application with ACL installed. """ keystone_config = dict(conf.get(OPT_GROUP_NAME)) return auth_token.AuthProtocol(app, conf=keystone_config)
def test_config_revocation_cache_timeout(self): conf = { 'auth_host': 'keystone.example.com', 'auth_port': 1234, 'auth_admin_prefix': '/testadmin', 'revocation_cache_time': 24 } middleware = auth_token.AuthProtocol(self.fake_app, conf) self.assertEquals(middleware.token_revocation_list_cache_timeout, datetime.timedelta(seconds=24))
def test_keystone_middleware_conf(self): self.CONF.set_override("auth_protocol", "file", group=acl.OPT_GROUP_NAME) self.CONF.set_override("auth_version", "v2.0", group=acl.OPT_GROUP_NAME) self.CONF.set_override("auth_uri", None, group=acl.OPT_GROUP_NAME) api_app = app.make_app(self.CONF, attach_storage=False) conf = dict(self.CONF.get(acl.OPT_GROUP_NAME)) api_app = auth_token.AuthProtocol(api_app, conf=conf) self.assertTrue(api_app.auth_uri.startswith('file'))
def test_keystone_middleware_parse_conffile(self): content = "[{0}]\nauth_protocol = file"\ "\nauth_version = v2.0".format(acl.OPT_GROUP_NAME) tmpfile = fileutils.write_to_tempfile(content=content, prefix='ceilometer', suffix='.conf') service.prepare_service( ['ceilometer-api', '--config-file=%s' % tmpfile]) api_app = app.make_app(self.CONF, attach_storage=False) conf = dict(self.CONF.get(acl.OPT_GROUP_NAME)) api_app = auth_token.AuthProtocol(api_app, conf=conf) self.assertTrue(api_app.auth_uri.startswith('file')) os.unlink(tmpfile)
def set_middleware(self, fake_app=None, fake_http=None, expected_env=None, conf=None): """Configure the class ready to call the auth_token middleware. Set up the various fake items needed to run the middleware. Individual tests that need to further refine these can call this function to override the class defaults. """ conf = conf or self.conf if fake_http: conf['http_handler'] = fake_http fake_app = fake_app or self.fake_app self.middleware = auth_token.AuthProtocol(fake_app(expected_env), conf) self.middleware._iso8601 = iso8601 self.middleware.revoked_file_name = tempfile.mkstemp()[1] self.middleware.token_revocation_list = jsonutils.dumps( {"revoked": [], "extra": "success"})
def get_middleware_app(self): if not self._auth_method: return None if not self._auth_needed: return None # keystone middleware is needed for fetching objects app = AuthPostKeystone(self._server_mgr, self) auth_middleware = auth_token.AuthProtocol(app, self._conf_info) self._auth_middleware = auth_middleware # open access for troubleshooting self._local_auth_app = LocalAuth(self._server_mgr.api_bottle, self._conf_info) vnc_greenlets.VncGreenlet("VNC Auth Keystone", self._local_auth_app.start_http_server) app = AuthPreKeystone(auth_middleware, None, self._server_mgr) return app
def get_middleware_app(self): if not self._auth_method: return None if not self._multi_tenancy: return None # keystone middleware is needed for fetching objects # app = bottle.app() app = AuthPostKeystone(bottle.app(), {'auth_svc': self}) auth_middleware = auth_token.AuthProtocol(app, self._conf_info) self._auth_middleware = auth_middleware while True: try: self._auth_token = auth_middleware.get_admin_token() break except auth_token.ServiceError as e: msg = "Error in getting admin token: " + str(e) time.sleep(2) self._server_mgr.config_log("Auth token fetched from keystone.", level=SandeshLevel.SYS_NOTICE) # open access for troubleshooting admin_port = self._conf_info['admin_port'] self._local_auth_app = LocalAuth(bottle.app(), self._conf_info) gevent.spawn(self._local_auth_app.start_http_server) app = auth_middleware # allow multi tenancy to be updated dynamically app = AuthPreKeystone( auth_middleware, {'admin_token': self._auth_token}, self._multi_tenancy) return app
def validate_user_token(self): if not self._user_auth_middleware: # following config forces keystone middleware to always return the # result back in HTTP_X_IDENTITY_STATUS env variable conf_info = self._conf_info.copy() conf_info['delay_auth_decision'] = True self._user_auth_middleware = auth_token.AuthProtocol( self.token_valid, conf_info) if not self._user_auth_middleware: return False, (403, six.ensure_str(" Permission denied")) request_attrs = { 'REQUEST_METHOD': get_request().route.method, 'bottle.app': get_request().environ['bottle.app'], } if 'HTTP_X_AUTH_TOKEN' in get_request().environ: request_attrs['HTTP_X_AUTH_TOKEN'] =\ get_request().environ['HTTP_X_AUTH_TOKEN'].encode("ascii") elif 'HTTP_X_USER_TOKEN' in get_request().environ: request_attrs['HTTP_X_USER_TOKEN'] =\ get_request().environ['HTTP_X_USER_TOKEN'].encode("ascii") else: return False, (400, six.ensure_str("User token needed for validation")) b_req = bottle.BaseRequest(request_attrs) # get permissions in internal context orig_context = get_context() i_req = ApiInternalRequest(b_req.url, b_req.urlparts, b_req.environ, b_req.headers, None, None) set_context(ApiContext(internal_req=i_req)) try: token_info = self._user_auth_middleware( get_request().headers.environ, self.start_response) finally: set_context(orig_context) return True, token_info
def install(app, conf): """Install ACL check on application.""" register_opts(cfg.CONF) return auth_token.AuthProtocol(app, conf=dict(conf.get(OPT_GROUP_NAME)))
def setup(app): if cfg.CONF.pecan.auth_enable: return auth_token.AuthProtocol(app, conf=dict(cfg.CONF.keystone)) else: return app
def install(app, conf): """Installs ACL check on application.""" app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, conf=dict(conf.get(OPT_GROUP_NAME))) app.before_request(check)
def install(cls, app, conf): """Install Auth check on application.""" LOG.debug(u'Installing Keystone\'s auth protocol') cls._register_opts(conf) conf = dict(conf.get(cls.OPT_GROUP_NAME)) return auth_token.AuthProtocol(app, conf=conf)