def __init__(self, app, conf): log = logging.getLogger(conf.get('log_name', __name__)) log.info('Starting Keystone auth_token middleware') self._conf = config.Config('auth_token', _base.AUTHTOKEN_GROUP, list_opts(), conf) token_roles_required = self._conf.get('service_token_roles_required') if not token_roles_required: log.warning('AuthToken middleware is set with ' 'keystone_authtoken.service_token_roles_required ' 'set to False. This is backwards compatible but ' 'deprecated behaviour. Please set this to True.') super(AuthProtocol, self).__init__( app, log=log, enforce_token_bind=self._conf.get('enforce_token_bind'), service_token_roles=self._conf.get('service_token_roles'), service_token_roles_required=token_roles_required) # delay_auth_decision means we still allow unauthenticated requests # through and we let the downstream service make the final decision self._delay_auth_decision = self._conf.get('delay_auth_decision') self._include_service_catalog = self._conf.get( 'include_service_catalog') self._hash_algorithms = self._conf.get('hash_algorithms') self._auth = self._create_auth_plugin() self._session = self._create_session() self._identity_server = self._create_identity_server() self._auth_uri = self._conf.get('auth_uri') if not self._auth_uri: self.log.warning( 'Configuring auth_uri to point to the public identity ' 'endpoint is required; clients may not be able to ' 'authenticate against an admin endpoint') # FIXME(dolph): drop support for this fallback behavior as # documented in bug 1207517. self._auth_uri = self._identity_server.auth_uri self._signing_directory = _signing_dir.SigningDirectory( directory_name=self._conf.get('signing_dir'), log=self.log) self._token_cache = self._token_cache_factory() revocation_cache_timeout = datetime.timedelta( seconds=self._conf.get('revocation_cache_time')) self._revocations = _revocations.Revocations(revocation_cache_timeout, self._signing_directory, self._identity_server, self._cms_verify, self.log) self._check_revocations_for_cached = self._conf.get( 'check_revocations_for_cached')
def test_read_file_doesnt_exist(self): # Show what happens when try to read a file that wasn't written. signing_directory = _signing_dir.SigningDirectory() self.addCleanup(shutil.rmtree, signing_directory._directory_name) file_name = self.getUniqueString() self.assertRaises(IOError, signing_directory.read_file, file_name)
def test_use_directory_already_exists(self): # The directory can already exist. tmp_name = uuid.uuid4().hex parent_directory = '/tmp/%s' % tmp_name directory_name = '/tmp/%s/%s' % ((tmp_name, ) * 2) os.makedirs(directory_name, stat.S_IRWXU) self.addCleanup(shutil.rmtree, parent_directory) _signing_dir.SigningDirectory(directory_name)
def test_calc_path(self): # calc_path returns the actual filename built from the directory name. signing_directory = _signing_dir.SigningDirectory() self.addCleanup(shutil.rmtree, signing_directory._directory_name) file_name = self.getUniqueString() actual_path = signing_directory.calc_path(file_name) expected_path = os.path.join(signing_directory._directory_name, file_name) self.assertEqual(expected_path, actual_path)
def test_read_file(self): # Can read a file that was written. signing_directory = _signing_dir.SigningDirectory() self.addCleanup(shutil.rmtree, signing_directory._directory_name) file_name = self.getUniqueString() contents = self.getUniqueString() signing_directory.write_file(file_name, contents) actual_contents = signing_directory.read_file(file_name) self.assertEqual(contents, actual_contents)
def test_write_file(self): # write_file when the file doesn't exist creates the file. signing_directory = _signing_dir.SigningDirectory() self.addCleanup(shutil.rmtree, signing_directory._directory_name) file_name = self.getUniqueString() contents = self.getUniqueString() signing_directory.write_file(file_name, contents) file_path = signing_directory.calc_path(file_name) with open(file_path) as f: actual_contents = f.read() self.assertEqual(contents, actual_contents)
def _setup_revocations(self, revoked_list): directory_name = '/tmp/%s' % uuid.uuid4().hex signing_directory = _signing_dir.SigningDirectory(directory_name) self.addCleanup(shutil.rmtree, directory_name) identity_server = mock.Mock() verify_result_obj = {'revoked': revoked_list} cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj)) revocations = _revocations.Revocations( timeout=datetime.timedelta(1), signing_directory=signing_directory, identity_server=identity_server, cms_verify=cms_verify) return revocations
def test_recreate_directory(self): # If the original directory is lost, it gets recreated when a file # is written. signing_directory = _signing_dir.SigningDirectory() self.addCleanup(shutil.rmtree, signing_directory._directory_name) # Delete the directory. shutil.rmtree(signing_directory._directory_name) file_name = self.getUniqueString() contents = self.getUniqueString() signing_directory.write_file(file_name, contents) actual_contents = signing_directory.read_file(file_name) self.assertEqual(contents, actual_contents)
def test_directory_created_when_doesnt_exist(self): # When _SigningDirectory is created, if the directory doesn't exist # it's created with the expected permissions. tmp_name = uuid.uuid4().hex parent_directory = '/tmp/%s' % tmp_name directory_name = '/tmp/%s/%s' % ((tmp_name, ) * 2) # Directories are created by __init__. _signing_dir.SigningDirectory(directory_name) self.addCleanup(shutil.rmtree, parent_directory) self.assertTrue(os.path.isdir(directory_name)) self.assertTrue(os.access(directory_name, os.W_OK)) self.assertEqual(os.stat(directory_name).st_uid, os.getuid()) self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode), stat.S_IRWXU)
def __init__(self, app, conf): self._LOG = logging.getLogger(conf.get('log_name', __name__)) self._LOG.info(_LI('Starting Keystone auth_token middleware')) # NOTE(wanghong): If options are set in paste file, all the option # values passed into conf are string type. So, we should convert the # conf value into correct type. self._conf = _conf_values_type_convert(conf) self._app = app # delay_auth_decision means we still allow unauthenticated requests # through and we let the downstream service make the final decision self._delay_auth_decision = self._conf_get('delay_auth_decision') self._include_service_catalog = self._conf_get( 'include_service_catalog') self._identity_server = self._create_identity_server() self._auth_uri = self._conf_get('auth_uri') if not self._auth_uri: self._LOG.warning( _LW('Configuring auth_uri to point to the public identity ' 'endpoint is required; clients may not be able to ' 'authenticate against an admin endpoint')) # FIXME(dolph): drop support for this fallback behavior as # documented in bug 1207517. self._auth_uri = self._identity_server.auth_uri self._signing_directory = _signing_dir.SigningDirectory( directory_name=self._conf_get('signing_dir'), log=self._LOG) self._token_cache = self._token_cache_factory() revocation_cache_timeout = datetime.timedelta( seconds=self._conf_get('revocation_cache_time')) self._revocations = _revocations.Revocations(revocation_cache_timeout, self._signing_directory, self._identity_server, self._cms_verify, self._LOG) self._check_revocations_for_cached = self._conf_get( 'check_revocations_for_cached') self._init_auth_headers()
def test_replace_file(self): # write_file when the file already exists overwrites it. signing_directory = _signing_dir.SigningDirectory() self.addCleanup(shutil.rmtree, signing_directory._directory_name) file_name = self.getUniqueString() orig_contents = self.getUniqueString() signing_directory.write_file(file_name, orig_contents) new_contents = self.getUniqueString() signing_directory.write_file(file_name, new_contents) file_path = signing_directory.calc_path(file_name) with open(file_path) as f: actual_contents = f.read() self.assertEqual(new_contents, actual_contents)
def __init__(self, app, conf): log = logging.getLogger(conf.get('log_name', __name__)) log.info(_LI('Starting Keystone auth_token middleware')) # NOTE(wanghong): If options are set in paste file, all the option # values passed into conf are string type. So, we should convert the # conf value into correct type. self._conf = _conf_values_type_convert(conf) # NOTE(sileht): If we don't want to use oslo.config global object # we can set the paste "oslo_config_project" and the middleware # will load the configuration with a local oslo.config object. self._local_oslo_config = None if 'oslo_config_project' in conf: if 'oslo_config_file' in conf: default_config_files = [conf['oslo_config_file']] else: default_config_files = None # For unit tests, support passing in a ConfigOpts in # oslo_config_config. self._local_oslo_config = conf.get('oslo_config_config', cfg.ConfigOpts()) self._local_oslo_config({}, project=conf['oslo_config_project'], default_config_files=default_config_files, validate_default_values=True) self._local_oslo_config.register_opts(_OPTS, group=_base.AUTHTOKEN_GROUP) auth.register_conf_options(self._local_oslo_config, group=_base.AUTHTOKEN_GROUP) super(AuthProtocol, self).__init__( app, log=log, enforce_token_bind=self._conf_get('enforce_token_bind')) # delay_auth_decision means we still allow unauthenticated requests # through and we let the downstream service make the final decision self._delay_auth_decision = self._conf_get('delay_auth_decision') self._include_service_catalog = self._conf_get( 'include_service_catalog') self._hash_algorithms = self._conf_get('hash_algorithms') self._identity_server = self._create_identity_server() self._auth_uri = self._conf_get('auth_uri') if not self._auth_uri: self.log.warning( _LW('Configuring auth_uri to point to the public identity ' 'endpoint is required; clients may not be able to ' 'authenticate against an admin endpoint')) # FIXME(dolph): drop support for this fallback behavior as # documented in bug 1207517. self._auth_uri = self._identity_server.auth_uri self._signing_directory = _signing_dir.SigningDirectory( directory_name=self._conf_get('signing_dir'), log=self.log) self._token_cache = self._token_cache_factory() revocation_cache_timeout = datetime.timedelta( seconds=self._conf_get('revocation_cache_time')) self._revocations = _revocations.Revocations(revocation_cache_timeout, self._signing_directory, self._identity_server, self._cms_verify, self.log) self._check_revocations_for_cached = self._conf_get( 'check_revocations_for_cached')