def _wrap_app(app):
"""Wraps wsgi app with additional middlewares."""
app = request_id.RequestId(app)
if CONF.audit.enabled:
try:
app = audit_middleware.AuditMiddleware(
app,
audit_map_file=CONF.audit.audit_map_file,
ignore_req_list=CONF.audit.ignore_req_list)
except (EnvironmentError, OSError,
audit_middleware.PycadfAuditApiConfigError) as e:
raise exceptions.InputFileError(
file_name=CONF.audit.audit_map_file, reason=e)
if cfg.CONF.api_settings.auth_strategy == constants.KEYSTONE:
app = keystone.SkippingAuthProtocol(app, {})
# This should be the last middleware in the list (which results in
# it being the first in the middleware chain). This is to ensure
# that any errors thrown by other middleware, such as an auth
# middleware - are annotated with CORS headers, and thus accessible
# by the browser.
app = cors.CORS(app, cfg.CONF)
cors.set_defaults(
allow_headers=['X-Auth-Token', 'X-Openstack-Request-Id'],
allow_methods=['GET', 'PUT', 'POST', 'DELETE'],
expose_headers=['X-Auth-Token', 'X-Openstack-Request-Id'])
return app
def _wrap_app(app):
app = request_id.RequestId(app)
if cfg.CONF.auth_strategy == 'noauth':
pass
elif cfg.CONF.auth_strategy == 'keystone':
app = auth_token.AuthProtocol(app, {})
else:
raise n_exc.InvalidConfigurationOption(
opt_name='auth_strategy', opt_value=cfg.CONF.auth_strategy)
# version can be unauthenticated so it goes outside of auth
app = versions.Versions(app)
# This should be the last middleware in the list (which results in
# it being the first in the middleware chain). This is to ensure
# that any errors thrown by other middleware, such as an auth
# middleware - are annotated with CORS headers, and thus accessible
# by the browser.
app = cors.CORS(app, cfg.CONF)
app.set_latent(allow_headers=[
'X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog',
'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID', 'X-Trace-Info',
'X-Trace-HMAC'
],
allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
expose_headers=[
'X-Auth-Token', 'X-Subject-Token', 'X-Service-Token',
'X-OpenStack-Request-ID', 'X-Trace-Info', 'X-Trace-HMAC'
])
return app
def _wrap_app(app):
app = request_id.RequestId(app)
if cfg.CONF.auth_strategy == 'noauth':
pass
elif cfg.CONF.auth_strategy == 'keystone':
app = auth_token.AuthProtocol(app, {})
else:
raise n_exc.InvalidConfigurationOption(
opt_name='auth_strategy', opt_value=cfg.CONF.auth_strategy)
return app
def _wrap_app(app):
app = request_id.RequestId(app)
if cfg.CONF.auth_strategy == 'noauth':
pass
elif cfg.CONF.auth_strategy == 'keystone':
p_excp.NotImplemented(func_name='keystone as auth_strategy')
else:
raise p_excp.InvalidConfigurationOption(
opt_name='auth_strategy', opt_value=cfg.CONF.auth_strategy)
return app
def test_generate_request_id(self):
@webob.dec.wsgify
def application(req):
return req.environ[request_id.ENV_REQUEST_ID]
app = request_id.RequestId(application)
req = webob.Request.blank('/test')
res = req.get_response(app)
res_req_id = res.headers.get(request_id.HTTP_RESP_HEADER_REQUEST_ID)
self.assertThat(res_req_id, matchers.StartsWith(b'req-'))
# request-id in request environ is returned as response body
self.assertEqual(res_req_id, res.body)
def _wrap_app(app):
app = request_id.RequestId(app)
if cfg.CONF.pecan.auth_enable and cfg.CONF.auth_strategy == 'keystone':
conf = dict(cfg.CONF.keystone_authtoken)
# Change auth decisions of requests to the app itself.
conf.update({'delay_auth_decision': True})
# NOTE: Policy enforcement works only if Keystone
# authentication is enabled. No support for other authentication
# types at this point.
return auth_token.AuthProtocol(app, conf)
else:
return app
def make_app():
"""App builder (wsgi)
Entry point for Sahara REST API server
"""
app = flask.Flask('sahara.api')
@app.route('/', methods=['GET'])
def version_list():
context.set_ctx(None)
return api_utils.render(
{"versions": [{
"id": "v1.0",
"status": "CURRENT"
}]})
@app.teardown_request
def teardown_request(_ex=None):
context.set_ctx(None)
app.register_blueprint(api_v10.rest, url_prefix='/v1.0')
app.register_blueprint(api_v10.rest, url_prefix='/v1.1')
app.register_blueprint(api_v11.rest, url_prefix='/v1.1')
def make_json_error(ex):
status_code = (ex.code if isinstance(
ex, werkzeug_exceptions.HTTPException) else 500)
description = (ex.description if isinstance(
ex, werkzeug_exceptions.HTTPException) else str(ex))
return api_utils.render(
{
'error': status_code,
'error_message': description
},
status=status_code)
for code in six.iterkeys(werkzeug_exceptions.default_exceptions):
app.error_handler_spec[None][code] = make_json_error
if CONF.debug and not CONF.log_exchange:
LOG.debug('Logging of request/response exchange could be enabled using'
' flag --log-exchange')
if CONF.log_exchange:
app.wsgi_app = log_exchange.LogExchange.factory(CONF)(app.wsgi_app)
app.wsgi_app = auth_valid.wrap(app.wsgi_app)
app.wsgi_app = acl.wrap(app.wsgi_app)
app.wsgi_app = request_id.RequestId(app.wsgi_app)
return app
def auth_app(app):
app = request_id.RequestId(app)
if cfg.CONF.auth_strategy == 'noauth':
pass
elif cfg.CONF.auth_strategy == 'keystone':
# NOTE(zhiyuan) pkg_resources will try to load tricircle to get module
# version, passing "project" as empty string to bypass it
app = auth_token.AuthProtocol(app, {'project': ''})
else:
raise t_exceptions.InvalidConfigurationOption(
opt_name='auth_strategy', opt_value=cfg.CONF.auth_strategy)
return app
def test_global_request_id_set(self):
"""Test that global request_id is set."""
@webob.dec.wsgify
def application(req):
return req.environ[request_id.GLOBAL_REQ_ID]
global_req = "req-%s" % uuid.uuid4()
app = request_id.RequestId(application)
req = webob.Request.blank(
'/test', headers={"X-OpenStack-Request-ID": global_req})
res = req.get_response(app)
res_req_id = res.headers.get(request_id.HTTP_RESP_HEADER_REQUEST_ID)
if isinstance(res_req_id, bytes):
res_req_id = res_req_id.decode('utf-8')
# global-request-id in request environ is returned as response body
self.assertEqual(res.body.decode('utf-8'), global_req)
self.assertNotEqual(res.body.decode('utf-8'), res_req_id)
def _wrap_app(app):
"""Wraps wsgi app with additional middlewares."""
app = request_id.RequestId(app)
if cfg.CONF.auth_strategy == constants.KEYSTONE:
app = auth_token.AuthProtocol(app, {})
# This should be the last middleware in the list (which results in
# it being the first in the middleware chain). This is to ensure
# that any errors thrown by other middleware, such as an auth
# middleware - are annotated with CORS headers, and thus accessible
# by the browser.
app = cors.CORS(app, cfg.CONF)
app.set_latent(allow_headers=['X-Auth-Token', 'X-Openstack-Request-Id'],
allow_methods=['GET', 'PUT', 'POST', 'DELETE'],
expose_headers=['X-Auth-Token', 'X-Openstack-Request-Id'])
return app
def test_global_request_id_drop(self):
"""Test that bad format ids are dropped.
This ensures that badly formatted ids are dropped entirely.
"""
@webob.dec.wsgify
def application(req):
return req.environ.get(request_id.GLOBAL_REQ_ID)
global_req = "req-%s-bad" % uuid.uuid4()
app = request_id.RequestId(application)
req = webob.Request.blank(
'/test', headers={"X-OpenStack-Request-ID": global_req})
res = req.get_response(app)
res_req_id = res.headers.get(request_id.HTTP_RESP_HEADER_REQUEST_ID)
if isinstance(res_req_id, bytes):
res_req_id = res_req_id.decode('utf-8')
# global-request-id in request environ is returned as response body
self.assertEqual(res.body.decode('utf-8'), '')
def _wrap_app(app):
app = request_id.RequestId(app)
if cfg.CONF.auth_strategy == 'noauth':
pass
elif cfg.CONF.auth_strategy == 'keystone':
app = auth_token.AuthProtocol(app, {})
else:
raise n_exc.InvalidConfigurationOption(
opt_name='auth_strategy', opt_value=cfg.CONF.auth_strategy)
# This should be the last middleware in the list (which results in
# it being the first in the middleware chain). This is to ensure
# that any errors thrown by other middleware, such as an auth
# middleware - are annotated with CORS headers, and thus accessible
# by the browser.
app = cors.CORS(app, cfg.CONF)
app.set_latent(allow_headers=['X-Auth-Token', 'X-Openstack-Request-Id'],
allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
expose_headers=['X-Auth-Token', 'X-Openstack-Request-Id'])
return app
def _wrap_app(app):
app = request_id.RequestId(app)
if CONF.api.auth_strategy == 'noauth':
pass
elif CONF.api.auth_strategy == 'keystone':
app = auth_token.AuthProtocol(app, {})
LOG.info("Keystone authentication is enabled")
else:
raise g_exc.InvalidConfigurationOption(opt_name='auth_strategy',
opt_value=CONF.auth_strategy)
# dont bother authenticating version
# app = versions.Versions(app)
# gluon server is behind the proxy
app = http_proxy_to_wsgi.HTTPProxyToWSGI(app)
# This should be the last middleware in the list (which results in
# it being the first in the middleware chain). This is to ensure
# that any errors thrown by other middleware, such as an auth
# middleware - are annotated with CORS headers, and thus accessible
# by the browser.
app = cors.CORS(app, CONF)
cors.set_defaults(allow_headers=[
'X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog',
'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID', 'X-Trace-Info',
'X-Trace-HMAC'
],
allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
expose_headers=[
'X-Auth-Token', 'X-Subject-Token', 'X-Service-Token',
'X-OpenStack-Request-ID', 'X-Trace-Info',
'X-Trace-HMAC'
])
return app
def _wrap_app(app):
"""Wraps wsgi app with additional middlewares."""
app = request_id.RequestId(app)
return app
