From d202ed827eff2dfcdf09fc21cc8d1b11229ffa2c Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Thu, 15 Oct 2015 16:29:31 +1100 Subject: [PATCH] Use keystoneauth With the release of keystoneauth we should use that instead of keystoneclient in auth_token middleware. Change-Id: Id0876e90a1373ba31e4ec23d5275618149ca36d1 --- keystonemiddleware/auth_token/__init__.py | 87 ++++++++------- keystonemiddleware/auth_token/_auth.py | 104 +++++++++--------- keystonemiddleware/auth_token/_identity.py | 19 ++-- keystonemiddleware/auth_token/_request.py | 4 +- keystonemiddleware/auth_token/_user_plugin.py | 2 +- keystonemiddleware/opts.py | 6 +- .../tests/unit/auth_token/test_auth.py | 20 ++-- .../auth_token/test_auth_token_middleware.py | 82 ++++++++------ .../unit/auth_token/test_base_middleware.py | 2 +- .../tests/unit/auth_token/test_request.py | 18 +-- .../unit/auth_token/test_user_auth_plugin.py | 17 +-- .../tests/unit/client_fixtures.py | 2 +- keystonemiddleware/tests/unit/test_opts.py | 2 +- requirements.txt | 1 + 14 files changed, 192 insertions(+), 174 deletions(-) diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py index d77846c7..3dd746e7 100644 --- a/keystonemiddleware/auth_token/__init__.py +++ b/keystonemiddleware/auth_token/__init__.py @@ -169,8 +169,8 @@ keystone.token_info well as basic information about the project and user. keystone.token_auth - A keystoneclient auth plugin that may be used with a - :py:class:`keystoneclient.session.Session`. This plugin will load the + A keystoneauth1 auth plugin that may be used with a + :py:class:`keystoneauth1.session.Session`. This plugin will load the authentication data provided to auth_token middleware. 
@@ -210,13 +210,14 @@ import binascii import datetime import logging -from keystoneclient import access -from keystoneclient import adapter -from keystoneclient import auth +from keystoneauth1 import access +from keystoneauth1 import adapter +from keystoneauth1 import discover +from keystoneauth1 import exceptions as ksa_exceptions +from keystoneauth1 import loading +from keystoneauth1.loading import session as session_loading from keystoneclient.common import cms -from keystoneclient import discover from keystoneclient import exceptions as ksc_exceptions -from keystoneclient import session from oslo_config import cfg from oslo_serialization import jsonutils import pkg_resources @@ -368,7 +369,7 @@ _OPTS = [ ' only while migrating from a less secure algorithm to a more' ' secure one. Once all the old tokens are expired this option' ' should be set to a single value for better performance.'), -] +] + _auth.OPTS CONF = cfg.CONF CONF.register_opts(_OPTS, group=_base.AUTHTOKEN_GROUP) @@ -398,7 +399,7 @@ def _conf_values_type_convert(conf): return {} opt_types = {} - for o in (_OPTS + _auth.AuthTokenPlugin.get_options()): + for o in _OPTS: type_dest = (getattr(o, 'type', str), o.dest) opt_types[o.dest] = type_dest # Also add the deprecated name with the same type and dest. @@ -506,7 +507,7 @@ class _BaseAuthProtocol(object): """Perform the validation steps on the token. :param auth_ref: The token data - :type auth_ref: keystoneclient.access.AccessInfo + :type auth_ref: keystoneauth1.access.AccessInfo :raises exc.InvalidToken: if token is rejected """ @@ -519,7 +520,7 @@ class _BaseAuthProtocol(object): data = self._fetch_token(token) try: - return data, access.AccessInfo.factory(body=data, auth_token=token) + return data, access.create(body=data, auth_token=token) except Exception: self.log.warning(_LW('Invalid token contents.'), exc_info=True) raise ksm_exceptions.InvalidToken(_('Token authorization failed')) 
@@ -561,21 +562,11 @@ class _BaseAuthProtocol(object): if self._enforce_token_bind == _BIND_MODE.DISABLED: return - try: - if auth_ref.version == 'v2.0': - bind = auth_ref['token']['bind'] - elif auth_ref.version == 'v3': - bind = auth_ref['bind'] - else: - self._invalid_user_token() - except KeyError: - bind = {} - # permissive and strict modes don't require there to be a bind permissive = self._enforce_token_bind in (_BIND_MODE.PERMISSIVE, _BIND_MODE.STRICT) - if not bind: + if not auth_ref.bind: if permissive: # no bind provided and none required return @@ -589,12 +580,12 @@ class _BaseAuthProtocol(object): else: name = self._enforce_token_bind - if name and name not in bind: + if name and name not in auth_ref.bind: self.log.info(_LI('Named bind mode %s not in bind information'), name) self._invalid_user_token() - for bind_type, identifier in six.iteritems(bind): + for bind_type, identifier in six.iteritems(auth_ref.bind): if bind_type == _BIND_MODE.KERBEROS: if req.auth_type != 'negotiate': self.log.info(_LI('Kerberos credentials required and ' @@ -658,8 +649,8 @@ class AuthProtocol(_BaseAuthProtocol): self._local_oslo_config.register_opts( _OPTS, group=_base.AUTHTOKEN_GROUP) - auth.register_conf_options(self._local_oslo_config, - group=_base.AUTHTOKEN_GROUP) + loading.register_auth_conf_options(self._local_oslo_config, + group=_base.AUTHTOKEN_GROUP) super(AuthProtocol, self).__init__( app, @@ -851,8 +842,8 @@ class AuthProtocol(_BaseAuthProtocol): self._token_cache.store(token_hashes[0], data) - except (ksc_exceptions.ConnectionRefused, - ksc_exceptions.RequestTimeout, + except (ksa_exceptions.ConnectFailure, + ksa_exceptions.RequestTimeout, ksm_exceptions.RevocationListError, ksm_exceptions.ServiceError) as e: self.log.critical(_LC('Unable to validate token: %s'), e) 
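Review bot: `auth_ref.bind` is now read three times in the token-bind check (the `if not auth_ref.bind` guard, the `name not in auth_ref.bind` test and the `six.iteritems(auth_ref.bind)` loop), and the explicit `self._invalid_user_token()` for an unrecognised token version is gone. Bind enforcement therefore depends entirely on what keystoneauth1's access object returns. Binding the value once, `bind = auth_ref.bind or {}`, keeps the three uses consistent and makes the no-bind case explicit. Please also confirm that the `keystoneauth1>=1.0.0` floor added in requirements.txt exposes `bind` on both v2 and v3 access objects, since a missing attribute would presumably surface as an unhandled error rather than a rejected token. The method starts and ends outside the hunk.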
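Review bot: Replacing `ksc_exceptions.ConnectionRefused` with `ksa_exceptions.ConnectFailure` in the `except` tuple around token validation may narrow what is caught. If keystoneauth1 defines connect timeouts and TLS errors as siblings of `ConnectFailure` under a common `ConnectionError` base, as I believe it does, those failures would skip the `Unable to validate token` handler and propagate out of the validation path instead. Catching the base class, `except (ksa_exceptions.ConnectionError, ksa_exceptions.RequestTimeout,`, would keep every identity-server connectivity failure on the same logged path; please check this against the keystoneauth1 exception hierarchy. The body of the handler continues outside the hunk.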
@@ -975,17 +966,33 @@ class AuthProtocol(_BaseAuthProtocol): # !!! - UNDER NO CIRCUMSTANCES COPY ANY OF THIS CODE - !!! group = self._conf_get('auth_section') or _base.AUTHTOKEN_GROUP - plugin_name = self._conf_get('auth_plugin', group=group) + + # NOTE(jamielennox): auth_plugin was deprecated to auth_type. _conf_get + # doesn't handle that deprecation in the case of conf dict options so + # we have to manually check the value + plugin_name = (self._conf_get('auth_type', group=group) + or self._conf.get('auth_plugin')) + + if not plugin_name: + return _auth.AuthTokenPlugin( + log=self.log, + auth_admin_prefix=self._conf_get('auth_admin_prefix', + group=group), + auth_host=self._conf_get('auth_host', group=group), + auth_port=self._conf_get('auth_port', group=group), + auth_protocol=self._conf_get('auth_protocol', group=group), + identity_uri=self._conf_get('identity_uri', group=group), + admin_token=self._conf_get('admin_token', group=group), + admin_user=self._conf_get('admin_user', group=group), + admin_password=self._conf_get('admin_password', group=group), + admin_tenant_name=self._conf_get('admin_tenant_name', + group=group) + ) + + plugin_loader = loading.get_plugin_loader(plugin_name) + plugin_opts = [o._to_oslo_opt() for o in plugin_loader.get_options()] plugin_kwargs = dict() - if plugin_name: - plugin_class = auth.get_plugin_class(plugin_name) - else: - plugin_class = _auth.AuthTokenPlugin - # logger object is a required parameter of the default plugin - plugin_kwargs['log'] = self.log - - plugin_opts = plugin_class.get_options() (self._local_oslo_config or CONF).register_opts(plugin_opts, group=group) @@ -995,7 +1002,7 @@ class AuthProtocol(_BaseAuthProtocol): val = opt.type(val) plugin_kwargs[opt.dest] = val - return plugin_class.load_from_options(**plugin_kwargs) + return plugin_loader.load_from_options(**plugin_kwargs) def _determine_project(self): """Determine a project name from all available config sources. 
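Review bot: `plugin_opts = [o._to_oslo_opt() for o in plugin_loader.get_options()]` in `_get_auth_plugin` calls an underscore-prefixed keystoneauth1 method from middleware code. The tests in this same change obtain the oslo options through the public helper, so `plugin_opts = loading.get_auth_plugin_conf_options(plugin_name)` would avoid depending on a private API that can change without notice. The new `if not plugin_name:` branch also deserves a one-line comment, for example `# Legacy path: reached only when neither auth_type nor auth_plugin is set.`, because it is the branch that still accepts `admin_token`. The function starts outside the hunk.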
@@ -1041,14 +1048,14 @@ class AuthProtocol(_BaseAuthProtocol): # same as calling Session.load_from_conf_options(CONF, GROUP) # however we can't do that because we have to use _conf_get to # support the paste.ini options. - sess = session.Session.construct(dict( + sess = session_loading.Session().load_from_options( cert=self._conf_get('certfile'), key=self._conf_get('keyfile'), cacert=self._conf_get('cafile'), insecure=self._conf_get('insecure'), timeout=self._conf_get('http_connect_timeout'), user_agent=self._build_useragent_string() - )) + ) auth_plugin = self._get_auth_plugin() diff --git a/keystonemiddleware/auth_token/_auth.py b/keystonemiddleware/auth_token/_auth.py index cf7ed84d..1b3ca0bf 100644 --- a/keystonemiddleware/auth_token/_auth.py +++ b/keystonemiddleware/auth_token/_auth.py @@ -12,10 +12,11 @@ import logging -from keystoneclient import auth -from keystoneclient.auth.identity import v2 -from keystoneclient.auth import token_endpoint -from keystoneclient import discover +from keystoneauth1 import discover +from keystoneauth1.identity import v2 +from keystoneauth1 import loading +from keystoneauth1 import plugin +from keystoneauth1 import token_endpoint from oslo_config import cfg from keystonemiddleware.auth_token import _base @@ -25,7 +26,7 @@ from keystonemiddleware.i18n import _, _LW _LOG = logging.getLogger(__name__) -class AuthTokenPlugin(auth.BaseAuthPlugin): +class AuthTokenPlugin(plugin.BaseAuthPlugin): def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix, admin_user, admin_password, admin_tenant_name, admin_token, @@ -104,7 +105,7 @@ class AuthTokenPlugin(auth.BaseAuthPlugin): service or None if not available. :rtype: string """ - if interface == auth.AUTH_INTERFACE: + if interface == plugin.AUTH_INTERFACE: return self._identity_uri if not version: 
@@ -114,7 +115,7 @@ class AuthTokenPlugin(auth.BaseAuthPlugin): if not self._discover: self._discover = discover.Discover(session, - auth_url=self._identity_uri, + url=self._identity_uri, authenticated=False) if not self._discover.url_for(version): 
@@ -142,53 +143,48 @@ class AuthTokenPlugin(auth.BaseAuthPlugin): def invalidate(self): return self._plugin.invalidate() - @classmethod - def get_options(cls): - options = super(AuthTokenPlugin, cls).get_options() - options.extend([ - cfg.StrOpt('auth_admin_prefix', - default='', - help='Prefix to prepend at the beginning of the path. ' - 'Deprecated, use identity_uri.'), - cfg.StrOpt('auth_host', - default='127.0.0.1', - help='Host providing the admin Identity API endpoint. ' - 'Deprecated, use identity_uri.'), - cfg.IntOpt('auth_port', - default=35357, - help='Port of the admin Identity API endpoint. ' - 'Deprecated, use identity_uri.'), - cfg.StrOpt('auth_protocol', - default='https', - help='Protocol of the admin Identity API endpoint ' - '(http or https). Deprecated, use identity_uri.'), - cfg.StrOpt('identity_uri', - default=None, - help='Complete admin Identity API endpoint. This ' - 'should specify the unversioned root endpoint ' - 'e.g. https://localhost:35357/'), - cfg.StrOpt('admin_token', - secret=True, - help='This option is deprecated and may be removed in ' - 'a future release. Single shared secret with the ' - 'Keystone configuration used for bootstrapping a ' - 'Keystone installation, or otherwise bypassing ' - 'the normal authentication process. This option ' - 'should not be used, use `admin_user` and ' - '`admin_password` instead.'), - cfg.StrOpt('admin_user', - help='Service username.'), - cfg.StrOpt('admin_password', - secret=True, - help='Service user password.'), - cfg.StrOpt('admin_tenant_name', - default='admin', - help='Service tenant name.'), - ]) - - return options +OPTS = [ + cfg.StrOpt('auth_admin_prefix', + default='', + help='Prefix to prepend at the beginning of the path. ' + 'Deprecated, use identity_uri.'), + cfg.StrOpt('auth_host', + default='127.0.0.1', + help='Host providing the admin Identity API endpoint. 
' + 'Deprecated, use identity_uri.'), + cfg.IntOpt('auth_port', + default=35357, + help='Port of the admin Identity API endpoint. ' + 'Deprecated, use identity_uri.'), + cfg.StrOpt('auth_protocol', + default='https', + help='Protocol of the admin Identity API endpoint ' + '(http or https). Deprecated, use identity_uri.'), + cfg.StrOpt('identity_uri', + default=None, + help='Complete admin Identity API endpoint. This ' + 'should specify the unversioned root endpoint ' + 'e.g. https://localhost:35357/'), + cfg.StrOpt('admin_token', + secret=True, + help='This option is deprecated and may be removed in ' + 'a future release. Single shared secret with the ' + 'Keystone configuration used for bootstrapping a ' + 'Keystone installation, or otherwise bypassing ' + 'the normal authentication process. This option ' + 'should not be used, use `admin_user` and ' + '`admin_password` instead.'), + cfg.StrOpt('admin_user', + help='Service username.'), + cfg.StrOpt('admin_password', + secret=True, + help='Service user password.'), + cfg.StrOpt('admin_tenant_name', + default='admin', + help='Service tenant name.'), +] -auth.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP) -AuthTokenPlugin.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP) +loading.register_auth_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP) +cfg.CONF.register_opts(OPTS, group=_base.AUTHTOKEN_GROUP) diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py index fc14ec3a..687f2c9f 100644 --- a/keystonemiddleware/auth_token/_identity.py +++ b/keystonemiddleware/auth_token/_identity.py 
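Review bot: `cfg.CONF.register_opts(OPTS, group=_base.AUTHTOKEN_GROUP)` at the end of the `_auth.py` hunk registers the legacy options on the global config, and the `__init__.py` hunk appends the same list to `_OPTS`, which is registered on `CONF` again there. That is presumably harmless because the option objects are identical, but a single registration point would be easier to follow. `OPTS` also carries no comment; `# Legacy [keystone_authtoken] options, used when no auth plugin is configured.` above the list would state its role. The deprecation of `admin_token` and the `auth_*` fragments is expressed only in help text, so setting `deprecated_for_removal=True` on those options would make oslo.config warn operators who still use them.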
@@ -12,8 +12,9 @@ import functools -from keystoneclient import auth -from keystoneclient import discover +from keystoneauth1 import discover +from keystoneauth1 import exceptions as ksa_exceptions +from keystoneauth1 import plugin from keystoneclient import exceptions as ksc_exceptions from keystoneclient.v2_0 import client as v2_client from keystoneclient.v3 import client as v3_client @@ -29,7 +30,7 @@ def _convert_fetch_cert_exception(fetch_cert): def wrapper(self): try: text = fetch_cert(self) - except ksc_exceptions.HTTPError as e: + except ksa_exceptions.HttpError as e: raise ksc_exceptions.CertificateConfigError(e.details) return text @@ -145,7 +146,7 @@ class IdentityServer(object): @property def auth_uri(self): - auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE) + auth_uri = self._adapter.get_endpoint(interface=plugin.AUTH_INTERFACE) # NOTE(jamielennox): This weird stripping of the prefix hack is # only relevant to the legacy case. We urljoin '/' to get just the @@ -204,18 +205,18 @@ class IdentityServer(object): user authentication when an indeterminate response is received. Optional. :returns: access info received from identity server on success - :rtype: :py:class:`keystoneclient.access.AccessInfo` + :rtype: :py:class:`keystoneauth1.access.AccessInfo` :raises exc.InvalidToken: if token is rejected :raises exc.ServiceError: if unable to authenticate token """ try: auth_ref = self._request_strategy.verify_token(user_token) - except ksc_exceptions.NotFound as e: + except ksa_exceptions.NotFound as e: self._LOG.warning(_LW('Authorization failed for token')) self._LOG.warning(_LW('Identity response: %s'), e.response.text) raise ksm_exceptions.InvalidToken(_('Token authorization failed')) - except ksc_exceptions.Unauthorized as e: + except ksa_exceptions.Unauthorized as e: self._LOG.info(_LI('Identity server rejected authorization')) self._LOG.warning(_LW('Identity response: %s'), e.response.text) if retry: 
@@ -224,7 +225,7 @@ class IdentityServer(object): msg = _('Identity server rejected authorization necessary to ' 'fetch token data') raise ksm_exceptions.ServiceError(msg) - except ksc_exceptions.HttpError as e: + except ksa_exceptions.HttpError as e: self._LOG.error( _LE('Bad response code while validating token: %s'), e.http_status) @@ -237,7 +238,7 @@ class IdentityServer(object): def fetch_revocation_list(self): try: data = self._request_strategy.fetch_revocation_list() - except ksc_exceptions.HTTPError as e: + except ksa_exceptions.HttpError as e: msg = _('Failed to fetch token revocation list: %d') raise ksm_exceptions.RevocationListError(msg % e.http_status) if 'signed' not in data: diff --git a/keystonemiddleware/auth_token/_request.py b/keystonemiddleware/auth_token/_request.py index f54ab4d8..254376c7 100644 --- a/keystonemiddleware/auth_token/_request.py +++ b/keystonemiddleware/auth_token/_request.py @@ -165,13 +165,13 @@ class _AuthTokenRequest(webob.Request): doc info at start of __init__ file for details of headers to be defined :param auth_ref: The token data - :type auth_ref: keystoneclient.access.AccessInfo + :type auth_ref: keystoneauth.access.AccessInfo """ if not auth_ref.has_service_catalog(): self.headers.pop(self._SERVICE_CATALOG_HEADER, None) return - catalog = auth_ref.service_catalog.get_data() + catalog = auth_ref.service_catalog.catalog if auth_ref.version == 'v3': catalog = _v3_to_v2_catalog(catalog) diff --git a/keystonemiddleware/auth_token/_user_plugin.py b/keystonemiddleware/auth_token/_user_plugin.py index 93075c5c..30f97389 100644 --- a/keystonemiddleware/auth_token/_user_plugin.py +++ b/keystonemiddleware/auth_token/_user_plugin.py @@ -10,7 +10,7 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient.auth.identity import base as base_identity +from keystoneauth1.identity import base as base_identity class _TokenData(object): 
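Review bot: The updated docstring line `:type auth_ref: keystoneauth.access.AccessInfo` in `_request.py` names a module that does not match the rest of the change, where every other reference uses `keystoneauth1`. It should read `:type auth_ref: keystoneauth1.access.AccessInfo` so the cross-reference resolves. The method body continues outside the hunk.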
diff --git a/keystonemiddleware/opts.py b/keystonemiddleware/opts.py index ed74d18b..fad40e87 100644 --- a/keystonemiddleware/opts.py +++ b/keystonemiddleware/opts.py @@ -18,17 +18,15 @@ __all__ = ( import copy -from keystoneclient import auth +from keystoneauth1 import loading import keystonemiddleware.auth_token -from keystonemiddleware.auth_token import _auth from keystonemiddleware.auth_token import _base auth_token_opts = [ (_base.AUTHTOKEN_GROUP, keystonemiddleware.auth_token._OPTS + - _auth.AuthTokenPlugin.get_options() + - auth.get_common_conf_options()) + loading.get_auth_common_conf_options()) ] diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth.py b/keystonemiddleware/tests/unit/auth_token/test_auth.py index d6ebc9a0..c22f35a0 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_auth.py +++ b/keystonemiddleware/tests/unit/auth_token/test_auth.py @@ -13,9 +13,9 @@ import logging import uuid -from keystoneclient import auth -from keystoneclient import fixture -from keystoneclient import session +from keystoneauth1 import fixture +from keystoneauth1 import plugin as ksa_plugin +from keystoneauth1 import session from requests_mock.contrib import fixture as rm_fixture import six @@ -32,7 +32,7 @@ class DefaultAuthPluginTests(utils.BaseTestCase): if not log: log = self.logger - return _auth.AuthTokenPlugin.load_from_options( + return _auth.AuthTokenPlugin( auth_host=auth_host, auth_port=auth_port, auth_protocol=auth_protocol, @@ -65,9 +65,9 @@ class DefaultAuthPluginTests(utils.BaseTestCase): auth_port=auth_port, auth_admin_prefix=auth_admin_prefix) - self.assertEqual(expected, - plugin.get_endpoint(self.session, - interface=auth.AUTH_INTERFACE)) + endpoint = plugin.get_endpoint(self.session, + interface=ksa_plugin.AUTH_INTERFACE) + self.assertEqual(expected, endpoint) def test_identity_uri_overrides_fragments(self): identity_uri = 'http://testhost:8888/admin' 
@@ -76,9 +76,9 @@ class DefaultAuthPluginTests(utils.BaseTestCase): auth_port=9999, auth_protocol='ftp') - self.assertEqual(identity_uri, - plugin.get_endpoint(self.session, - interface=auth.AUTH_INTERFACE)) + endpoint = plugin.get_endpoint(self.session, + interface=ksa_plugin.AUTH_INTERFACE) + self.assertEqual(identity_uri, endpoint) def test_with_admin_token(self): token = uuid.uuid4().hex diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py index 016673a2..761813d6 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py +++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py @@ -23,11 +23,12 @@ import time import uuid import fixtures -from keystoneclient import auth +from keystoneauth1 import exceptions as ksa_exceptions +from keystoneauth1 import fixture +from keystoneauth1 import loading +from keystoneauth1 import session from keystoneclient.common import cms from keystoneclient import exceptions as ksc_exceptions -from keystoneclient import fixture -from keystoneclient import session import mock from oslo_config import cfg from oslo_serialization import jsonutils 
@@ -549,24 +550,29 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, headers={'X-Subject-Token': uuid.uuid4().hex}, json=fixture.V3Token()) - conf = {'auth_uri': auth_url, - 'auth_url': auth_url + '/v3', - 'auth_plugin': 'v3password', - 'username': 'user', - 'password': 'pass'} + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) + + opts = loading.get_auth_plugin_conf_options('v3password') + self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP) + + self.cfg.config(auth_url=auth_url + '/v3', + auth_type='v3password', + username='user', + password='pass', + user_domain_id=uuid.uuid4().hex, + group=_base.AUTHTOKEN_GROUP) self.assertEqual(0, east_mock.call_count) self.assertEqual(0, west_mock.call_count) - east_app = self.create_simple_middleware(conf=dict(region_name='east', - **conf)) + east_app = self.create_simple_middleware(conf=dict(region_name='east')) self.call(east_app, headers={'X-Auth-Token': uuid.uuid4().hex}) self.assertEqual(1, east_mock.call_count) self.assertEqual(0, west_mock.call_count) - west_app = self.create_simple_middleware(conf=dict(region_name='west', - **conf)) + west_app = self.create_simple_middleware(conf=dict(region_name='west')) self.call(west_app, headers={'X-Auth-Token': uuid.uuid4().hex}) @@ -1412,7 +1418,7 @@ class V3CertDownloadMiddlewareTest(V2CertDownloadMiddlewareTest): def network_error_response(request, context): - raise ksc_exceptions.ConnectionRefused("Network connection refused.") + raise ksa_exceptions.ConnectFailure("Network connection refused.") class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, @@ -1682,7 +1688,7 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, if token_id == ERROR_TOKEN: msg = "Network connection refused." - raise ksc_exceptions.ConnectionRefused(msg) + raise ksa_exceptions.ConnectFailure(msg) try: response = self.examples.JSON_TOKEN_RESPONSES[token_id] 
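Review bot: With `'auth_plugin': 'v3password'` removed from the `conf` dict in this test, none of the test hunks visible in this change pass the deprecated `auth_plugin` name through the paste-style conf dict. That is the case the new `self._conf.get('auth_plugin')` fallback in `_get_auth_plugin` exists for, so the compatibility path appears to be untested. A small test that builds the middleware with `conf={'auth_plugin': 'password', ...}` and asserts the type of the loaded plugin would pin that behaviour. The test method starts outside the hunk.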
@@ -2251,16 +2257,17 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest): def test_loading_password_plugin(self): # the password options aren't set on config until loading time, but we # need them set so we can override the values for testing, so force it - opts = auth.get_plugin_options('password') + opts = loading.get_auth_plugin_conf_options('password') self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP) project_id = uuid.uuid4().hex # Register the authentication options - auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP) + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) # configure the authentication options - self.cfg.config(auth_plugin='password', + self.cfg.config(auth_type='password', username='testuser', password='testpass', auth_url=self.AUTH_URL, 
@@ -2279,27 +2286,30 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest): return app._identity_server._adapter.auth def test_invalid_plugin_fails_to_initialize(self): - auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP) - self.cfg.config(auth_plugin=uuid.uuid4().hex, + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) + self.cfg.config(auth_type=uuid.uuid4().hex, group=_base.AUTHTOKEN_GROUP) self.assertRaises( - ksc_exceptions.NoMatchingPlugin, + ksa_exceptions.NoMatchingPlugin, self.create_simple_middleware) def test_plugin_loading_mixed_opts(self): # some options via override and some via conf - opts = auth.get_plugin_options('password') + opts = loading.get_auth_plugin_conf_options('password') self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP) username = 'testuser' password = 'testpass' # Register the authentication options - auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP) + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) # configure the authentication options - self.cfg.config(auth_plugin='password', + self.cfg.config(auth_type='password', + auth_url='http://keystone.test:5000', password=password, project_id=self.project_id, user_domain_id='userdomainid', 
@@ -2326,22 +2336,24 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest): username = 'testuser' password = 'testpass' - auth.register_conf_options(self.cfg.conf, group=section) - opts = auth.get_plugin_options('password') + loading.register_auth_conf_options(self.cfg.conf, group=section) + opts = loading.get_auth_plugin_conf_options('password') self.cfg.register_opts(opts, group=section) # Register the authentication options - auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP) + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) # configure the authentication options self.cfg.config(auth_section=section, group=_base.AUTHTOKEN_GROUP) - self.cfg.config(auth_plugin='password', + self.cfg.config(auth_type='password', + auth_url=self.AUTH_URL, password=password, project_id=self.project_id, user_domain_id='userdomainid', group=section) - conf = {'username': username, 'auth_url': self.AUTH_URL} + conf = {'username': username} body = uuid.uuid4().hex app = self.create_simple_middleware(body=body, conf=conf) 
@@ -2368,16 +2380,17 @@ class TestAuthPluginUserAgentGeneration(BaseAuthTokenMiddlewareTest): self.section = uuid.uuid4().hex self.user_domain_id = uuid.uuid4().hex - auth.register_conf_options(self.cfg.conf, group=self.section) - opts = auth.get_plugin_options('password') + loading.register_auth_conf_options(self.cfg.conf, group=self.section) + opts = loading.get_auth_plugin_conf_options('password') self.cfg.register_opts(opts, group=self.section) # Register the authentication options - auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP) + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) # configure the authentication options self.cfg.config(auth_section=self.section, group=_base.AUTHTOKEN_GROUP) - self.cfg.config(auth_plugin='password', + self.cfg.config(auth_type='password', password=self.password, project_id=self.project_id, user_domain_id=self.user_domain_id, @@ -2431,14 +2444,15 @@ class TestAuthPluginUserAgentGeneration(BaseAuthTokenMiddlewareTest): class TestAuthPluginLocalOsloConfig(BaseAuthTokenMiddlewareTest): def test_project_in_local_oslo_configuration(self): options = { - 'auth_plugin': 'password', + 'auth_type': 'password', 'auth_uri': uuid.uuid4().hex, 'password': uuid.uuid4().hex, } content = ("[keystone_authtoken]\n" - "auth_plugin=%(auth_plugin)s\n" + "auth_type=%(auth_type)s\n" "auth_uri=%(auth_uri)s\n" + "auth_url=%(auth_uri)s\n" "password=%(password)s\n" % options) conf_file_fixture = self.useFixture( createfile.CreateFileWithContent("my_app", content)) diff --git a/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py index c47c0d36..8a791b63 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py +++ b/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py 
@@ -13,7 +13,7 @@ import datetime import uuid -from keystoneclient import fixture +from keystoneauth1 import fixture import mock import six import testtools diff --git a/keystonemiddleware/tests/unit/auth_token/test_request.py b/keystonemiddleware/tests/unit/auth_token/test_request.py index abe241b7..bd8a7b30 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_request.py +++ b/keystonemiddleware/tests/unit/auth_token/test_request.py @@ -13,8 +13,8 @@ import itertools import uuid -from keystoneclient import access -from keystoneclient import fixture +from keystoneauth1 import access +from keystoneauth1 import fixture from keystonemiddleware.auth_token import _request from keystonemiddleware.tests.unit import utils @@ -139,7 +139,7 @@ class RequestObjectTests(utils.TestCase): token.set_project_scope() token_id = uuid.uuid4().hex - auth_ref = access.AccessInfo.factory(token_id=token_id, body=token) + auth_ref = access.create(auth_token=token_id, body=token) self.request.set_user_headers(auth_ref) self._test_v3_headers(token, '') @@ -149,7 +149,7 @@ class RequestObjectTests(utils.TestCase): token.set_project_scope() token_id = uuid.uuid4().hex - auth_ref = access.AccessInfo.factory(token_id=token_id, body=token) + auth_ref = access.create(auth_token=token_id, body=token) self.request.set_service_headers(auth_ref) self._test_v3_headers(token, '-Service') @@ -199,7 +199,7 @@ class RequestObjectTests(utils.TestCase): def test_token_without_catalog(self): token = fixture.V3Token() - auth_ref = access.AccessInfo.factory(body=token) + auth_ref = access.create(body=token) self.request.set_service_catalog_headers(auth_ref) self.assertNotIn('X-Service-Catalog', self.request.headers) 
@@ -222,8 +222,8 @@ class CatalogConversionTests(utils.TestCase): internal=self.INTERNAL_URL, region=self.REGION_ONE) - auth_ref = access.AccessInfo.factory(body=token) - catalog_data = auth_ref.service_catalog.get_data() + auth_ref = access.create(body=token) + catalog_data = auth_ref.service_catalog.catalog catalog = _request._v3_to_v2_catalog(catalog_data) self.assertEqual(1, len(catalog)) @@ -246,8 +246,8 @@ class CatalogConversionTests(utils.TestCase): s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO) s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE) - auth_ref = access.AccessInfo.factory(body=token) - catalog_data = auth_ref.service_catalog.get_data() + auth_ref = access.create(body=token) + catalog_data = auth_ref.service_catalog.catalog catalog = _request._v3_to_v2_catalog(catalog_data) self.assertEqual(1, len(catalog)) diff --git a/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py b/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py index 648933f4..194c818b 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py +++ b/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py @@ -12,8 +12,8 @@ import uuid -from keystoneclient import auth -from keystoneclient import fixture +from keystoneauth1 import fixture +from keystoneauth1 import loading from keystonemiddleware.auth_token import _base from keystonemiddleware.tests.unit.auth_token import base 
@@ -26,18 +26,19 @@ AUTH_URL = 'https://keystone.auth.com:1234' class BaseUserPluginTests(object): def configure_middleware(self, - auth_plugin, + auth_type, **kwargs): - opts = auth.get_plugin_class(auth_plugin).get_options() + opts = loading.get_auth_plugin_conf_options(auth_type) self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP) # Since these tests cfg.config() themselves rather than waiting for # auth_token to do it on __init__ we need to register the base auth # options (e.g., auth_plugin) - auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP) + loading.register_auth_conf_options(self.cfg.conf, + group=_base.AUTHTOKEN_GROUP) self.cfg.config(group=_base.AUTHTOKEN_GROUP, - auth_plugin=auth_plugin, + auth_type=auth_type, **kwargs) def assertTokenDataEqual(self, token_id, token, token_data): @@ -92,7 +93,7 @@ class V2UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase): admin=BASE_URI, internal=BASE_URI) - self.configure_middleware(auth_plugin='v2password', + self.configure_middleware(auth_type='v2password', auth_url='%s/v2.0/' % AUTH_URL, user_id=self.service_token.user_id, password=uuid.uuid4().hex, @@ -146,7 +147,7 @@ class V3UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase): admin=BASE_URI, internal=BASE_URI) - self.configure_middleware(auth_plugin='v3password', + self.configure_middleware(auth_type='v3password', auth_url='%s/v3/' % AUTH_URL, user_id=self.service_token.user_id, password=uuid.uuid4().hex, diff --git a/keystonemiddleware/tests/unit/client_fixtures.py b/keystonemiddleware/tests/unit/client_fixtures.py index ee4111ec..ea36a018 100644 --- a/keystonemiddleware/tests/unit/client_fixtures.py +++ b/keystonemiddleware/tests/unit/client_fixtures.py 
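Review bot: The comment in `configure_middleware` still reads `# options (e.g., auth_plugin)` although the parameter and the config key are renamed to `auth_type` in this hunk. Updating it to `# options (e.g., auth_type)` keeps the comment in step with the code.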
@@ -15,8 +15,8 @@ import os import fixtures +from keystoneauth1 import fixture from keystoneclient.common import cms -from keystoneclient import fixture from keystoneclient import utils from oslo_serialization import jsonutils from oslo_utils import timeutils diff --git a/keystonemiddleware/tests/unit/test_opts.py b/keystonemiddleware/tests/unit/test_opts.py index 2b04a4ab..806a6370 100644 --- a/keystonemiddleware/tests/unit/test_opts.py +++ b/keystonemiddleware/tests/unit/test_opts.py @@ -64,7 +64,7 @@ class OptsTestCase(utils.TestCase): 'enforce_token_bind', 'check_revocations_for_cached', 'hash_algorithms', - 'auth_plugin', + 'auth_type', 'auth_section', ] opt_names = [o.name for (g, l) in result for o in l] diff --git a/requirements.txt b/requirements.txt index 8ad82747..c05b9b78 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,6 +3,7 @@ # process, which may cause wedges in the gate later. Babel>=1.3 +keystoneauth1>=1.0.0 oslo.config>=2.7.0 # Apache-2.0 oslo.context>=0.2.0 # Apache-2.0 oslo.i18n>=1.5.0 # Apache-2.0