def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone auth_token middleware')
self._conf = config.Config('auth_token', _base.AUTHTOKEN_GROUP,
list_opts(), conf)
token_roles_required = self._conf.get('service_token_roles_required')
if not token_roles_required:
log.warning('AuthToken middleware is set with '
'keystone_authtoken.service_token_roles_required '
'set to False. This is backwards compatible but '
'deprecated behaviour. Please set this to True.')
super(AuthProtocol, self).__init__(
app,
log=log,
enforce_token_bind=self._conf.get('enforce_token_bind'),
service_token_roles=self._conf.get('service_token_roles'),
service_token_roles_required=token_roles_required)
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf.get('delay_auth_decision')
self._include_service_catalog = self._conf.get(
'include_service_catalog')
self._hash_algorithms = self._conf.get('hash_algorithms')
self._auth = self._create_auth_plugin()
self._session = self._create_session()
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf.get('auth_uri')
if not self._auth_uri:
self.log.warning(
'Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint')
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf.get('signing_dir'), log=self.log)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf.get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self.log)
self._check_revocations_for_cached = self._conf.get(
'check_revocations_for_cached')
def test_read_file_doesnt_exist(self):
# Show what happens when try to read a file that wasn't written.
signing_directory = _signing_dir.SigningDirectory()
self.addCleanup(shutil.rmtree, signing_directory._directory_name)
file_name = self.getUniqueString()
self.assertRaises(IOError, signing_directory.read_file, file_name)
def test_use_directory_already_exists(self):
# The directory can already exist.
tmp_name = uuid.uuid4().hex
parent_directory = '/tmp/%s' % tmp_name
directory_name = '/tmp/%s/%s' % ((tmp_name, ) * 2)
os.makedirs(directory_name, stat.S_IRWXU)
self.addCleanup(shutil.rmtree, parent_directory)
_signing_dir.SigningDirectory(directory_name)
def test_calc_path(self):
# calc_path returns the actual filename built from the directory name.
signing_directory = _signing_dir.SigningDirectory()
self.addCleanup(shutil.rmtree, signing_directory._directory_name)
file_name = self.getUniqueString()
actual_path = signing_directory.calc_path(file_name)
expected_path = os.path.join(signing_directory._directory_name,
file_name)
self.assertEqual(expected_path, actual_path)
def test_read_file(self):
# Can read a file that was written.
signing_directory = _signing_dir.SigningDirectory()
self.addCleanup(shutil.rmtree, signing_directory._directory_name)
file_name = self.getUniqueString()
contents = self.getUniqueString()
signing_directory.write_file(file_name, contents)
actual_contents = signing_directory.read_file(file_name)
self.assertEqual(contents, actual_contents)
def test_write_file(self):
# write_file when the file doesn't exist creates the file.
signing_directory = _signing_dir.SigningDirectory()
self.addCleanup(shutil.rmtree, signing_directory._directory_name)
file_name = self.getUniqueString()
contents = self.getUniqueString()
signing_directory.write_file(file_name, contents)
file_path = signing_directory.calc_path(file_name)
with open(file_path) as f:
actual_contents = f.read()
self.assertEqual(contents, actual_contents)
def _setup_revocations(self, revoked_list):
directory_name = '/tmp/%s' % uuid.uuid4().hex
signing_directory = _signing_dir.SigningDirectory(directory_name)
self.addCleanup(shutil.rmtree, directory_name)
identity_server = mock.Mock()
verify_result_obj = {'revoked': revoked_list}
cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj))
revocations = _revocations.Revocations(
timeout=datetime.timedelta(1),
signing_directory=signing_directory,
identity_server=identity_server,
cms_verify=cms_verify)
return revocations
def test_recreate_directory(self):
# If the original directory is lost, it gets recreated when a file
# is written.
signing_directory = _signing_dir.SigningDirectory()
self.addCleanup(shutil.rmtree, signing_directory._directory_name)
# Delete the directory.
shutil.rmtree(signing_directory._directory_name)
file_name = self.getUniqueString()
contents = self.getUniqueString()
signing_directory.write_file(file_name, contents)
actual_contents = signing_directory.read_file(file_name)
self.assertEqual(contents, actual_contents)
def test_directory_created_when_doesnt_exist(self):
# When _SigningDirectory is created, if the directory doesn't exist
# it's created with the expected permissions.
tmp_name = uuid.uuid4().hex
parent_directory = '/tmp/%s' % tmp_name
directory_name = '/tmp/%s/%s' % ((tmp_name, ) * 2)
# Directories are created by __init__.
_signing_dir.SigningDirectory(directory_name)
self.addCleanup(shutil.rmtree, parent_directory)
self.assertTrue(os.path.isdir(directory_name))
self.assertTrue(os.access(directory_name, os.W_OK))
self.assertEqual(os.stat(directory_name).st_uid, os.getuid())
self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode),
stat.S_IRWXU)
def __init__(self, app, conf):
self._LOG = logging.getLogger(conf.get('log_name', __name__))
self._LOG.info(_LI('Starting Keystone auth_token middleware'))
# NOTE(wanghong): If options are set in paste file, all the option
# values passed into conf are string type. So, we should convert the
# conf value into correct type.
self._conf = _conf_values_type_convert(conf)
self._app = app
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf_get('delay_auth_decision')
self._include_service_catalog = self._conf_get(
'include_service_catalog')
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf_get('auth_uri')
if not self._auth_uri:
self._LOG.warning(
_LW('Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint'))
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf_get('signing_dir'), log=self._LOG)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf_get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self._LOG)
self._check_revocations_for_cached = self._conf_get(
'check_revocations_for_cached')
self._init_auth_headers()
def test_replace_file(self):
# write_file when the file already exists overwrites it.
signing_directory = _signing_dir.SigningDirectory()
self.addCleanup(shutil.rmtree, signing_directory._directory_name)
file_name = self.getUniqueString()
orig_contents = self.getUniqueString()
signing_directory.write_file(file_name, orig_contents)
new_contents = self.getUniqueString()
signing_directory.write_file(file_name, new_contents)
file_path = signing_directory.calc_path(file_name)
with open(file_path) as f:
actual_contents = f.read()
self.assertEqual(new_contents, actual_contents)
def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info(_LI('Starting Keystone auth_token middleware'))
# NOTE(wanghong): If options are set in paste file, all the option
# values passed into conf are string type. So, we should convert the
# conf value into correct type.
self._conf = _conf_values_type_convert(conf)
# NOTE(sileht): If we don't want to use oslo.config global object
# we can set the paste "oslo_config_project" and the middleware
# will load the configuration with a local oslo.config object.
self._local_oslo_config = None
if 'oslo_config_project' in conf:
if 'oslo_config_file' in conf:
default_config_files = [conf['oslo_config_file']]
else:
default_config_files = None
# For unit tests, support passing in a ConfigOpts in
# oslo_config_config.
self._local_oslo_config = conf.get('oslo_config_config',
cfg.ConfigOpts())
self._local_oslo_config({},
project=conf['oslo_config_project'],
default_config_files=default_config_files,
validate_default_values=True)
self._local_oslo_config.register_opts(_OPTS,
group=_base.AUTHTOKEN_GROUP)
auth.register_conf_options(self._local_oslo_config,
group=_base.AUTHTOKEN_GROUP)
super(AuthProtocol, self).__init__(
app,
log=log,
enforce_token_bind=self._conf_get('enforce_token_bind'))
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf_get('delay_auth_decision')
self._include_service_catalog = self._conf_get(
'include_service_catalog')
self._hash_algorithms = self._conf_get('hash_algorithms')
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf_get('auth_uri')
if not self._auth_uri:
self.log.warning(
_LW('Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint'))
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf_get('signing_dir'), log=self.log)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf_get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self.log)
self._check_revocations_for_cached = self._conf_get(
'check_revocations_for_cached')
