diff options
-rw-r--r-- | heat/common/auth_password.py | 38 | ||||
-rw-r--r-- | heat/common/context.py | 28 | ||||
-rw-r--r-- | heat/tests/clients/test_heat_client.py | 1 | ||||
-rw-r--r-- | heat/tests/db/test_sqlalchemy_api.py | 1 | ||||
-rw-r--r-- | heat/tests/test_auth_password.py | 73 | ||||
-rw-r--r-- | heat/tests/test_common_context.py | 4 | ||||
-rw-r--r-- | heat/tests/utils.py | 2 |
7 files changed, 65 insertions, 82 deletions
diff --git a/heat/common/auth_password.py b/heat/common/auth_password.py index 35404e446..e977d85a1 100644 --- a/heat/common/auth_password.py +++ b/heat/common/auth_password.py @@ -72,37 +72,31 @@ class KeystonePasswordAuthProtocol(object): def _build_user_headers(self, token_info): """Build headers that represent authenticated user from auth token.""" - if token_info.get('version') == 'v3': - keystone_token_info = {'token': token_info} - tenant_id = token_info['project']['id'] - tenant_name = token_info['project']['name'] - user_id = token_info['user']['id'] - user_name = token_info['user']['name'] - roles = ','.join( - [role['name'] for role in token_info['roles']]) - service_catalog = None - auth_token = token_info['auth_token'] + if token_info.version == 'v3': + project_id = token_info.project_id + project_name = token_info.project_name else: - keystone_token_info = token_info - tenant_id = token_info['token']['tenant']['id'] - tenant_name = token_info['token']['tenant']['name'] - user_id = token_info['user']['id'] - user_name = token_info['user']['name'] - roles = ','.join( - [role['name'] for role in token_info['user']['roles']]) - service_catalog = token_info['serviceCatalog'] - auth_token = token_info['token']['id'] + project_id = token_info.tenant_id + project_name = token_info.tenant_name + + user_id = token_info.user_id + user_name = token_info.username + roles = ','.join( + [role for role in token_info.role_names]) + service_catalog = token_info.service_catalog + auth_token = token_info.auth_token + user_domain_id = token_info.user_domain_id headers = { - 'keystone.token_info': keystone_token_info, 'HTTP_X_IDENTITY_STATUS': 'Confirmed', - 'HTTP_X_PROJECT_ID': tenant_id, - 'HTTP_X_PROJECT_NAME': tenant_name, + 'HTTP_X_PROJECT_ID': project_id, + 'HTTP_X_PROJECT_NAME': project_name, 'HTTP_X_USER_ID': user_id, 'HTTP_X_USER_NAME': user_name, 'HTTP_X_ROLES': roles, 'HTTP_X_SERVICE_CATALOG': service_catalog, 'HTTP_X_AUTH_TOKEN': auth_token, + 'HTTP_X_USER_DOMAIN_ID': user_domain_id, } return headers diff --git a/heat/common/context.py b/heat/common/context.py index 74d080ace..abdd70a79 100644 --- a/heat/common/context.py +++ b/heat/common/context.py @@ -178,8 +178,8 @@ class RequestContext(context.RequestContext): 'show_deleted': self.show_deleted, 'region_name': self.region_name, 'user_identity': user_idt, - 'user_domain_id': self.user_domain, - 'project_domain_id': self.project_domain} + 'user_domain': self.user_domain, + 'project_domain': self.project_domain} @classmethod def from_dict(cls, values): @@ -253,6 +253,13 @@ class RequestContext(context.RequestContext): return access_plugin.AccessInfoPlugin( auth_ref=access_info, auth_url=self.keystone_v3_endpoint) + if self.password: + return generic.Password(username=self.username, + password=self.password, + project_id=self.tenant_id, + user_domain_id=self.user_domain, + auth_url=self.keystone_v3_endpoint) + if self.auth_token: # FIXME(jamielennox): This is broken but consistent. If you # only have a token but don't load a service catalog then @@ -261,13 +268,6 @@ class RequestContext(context.RequestContext): return token_endpoint.Token(endpoint=self.keystone_v3_endpoint, token=self.auth_token) - if self.password: - return generic.Password(username=self.username, - password=self.password, - project_id=self.tenant_id, - user_domain_id=self.user_domain, - auth_url=self.keystone_v3_endpoint) - LOG.error("Keystone API connection failed, no password " "trust or auth_token!") raise exception.AuthorizationFailure() @@ -352,6 +352,8 @@ class ContextMiddleware(wsgi.Middleware): username = None password = None aws_creds = None + user_domain = None + project_domain = None if headers.get('X-Auth-User') is not None: username = headers.get('X-Auth-User') @@ -359,6 +361,12 @@ class ContextMiddleware(wsgi.Middleware): elif headers.get('X-Auth-EC2-Creds') is not None: aws_creds = headers.get('X-Auth-EC2-Creds') + if headers.get('X-User-Domain-Id') is not None: + user_domain = headers.get('X-User-Domain-Id') + + if headers.get('X-Project-Domain-Id') is not None: + project_domain = headers.get('X-Project-Domain-Id') + project_name = headers.get('X-Project-Name') region_name = headers.get('X-Region-Name') auth_url = headers.get('X-Auth-Url') @@ -375,6 +383,8 @@ class ContextMiddleware(wsgi.Middleware): password=password, auth_url=auth_url, request_id=req_id, + user_domain=user_domain, + project_domain=project_domain, auth_token_info=token_info, region_name=region_name, auth_plugin=auth_plugin, diff --git a/heat/tests/clients/test_heat_client.py b/heat/tests/clients/test_heat_client.py index e17427ceb..1c520c61b 100644 --- a/heat/tests/clients/test_heat_client.py +++ b/heat/tests/clients/test_heat_client.py @@ -471,6 +471,7 @@ class KeystoneClientTest(common.HeatTestCase): ctx = utils.dummy_context() ctx.auth_token = None + ctx.password = 'password' ctx.trust_id = None ctx.user_domain = 'adomain123' heat_ks_client = heat_keystoneclient.KeystoneClient(ctx) diff --git a/heat/tests/db/test_sqlalchemy_api.py b/heat/tests/db/test_sqlalchemy_api.py index 6e3b3acaf..b480e5d1b 100644 --- a/heat/tests/db/test_sqlalchemy_api.py +++ b/heat/tests/db/test_sqlalchemy_api.py @@ -933,6 +933,7 @@ class SqlAlchemyTest(common.HeatTestCase): self.m.VerifyAll() def test_user_creds_password(self): + self.ctx.password = 'password' self.ctx.trust_id = None self.ctx.region_name = 'RegionOne' db_creds = db_api.user_creds_create(self.ctx) diff --git a/heat/tests/test_auth_password.py b/heat/tests/test_auth_password.py index 000b1066a..0768c36be 100644 --- a/heat/tests/test_auth_password.py +++ b/heat/tests/test_auth_password.py @@ -40,53 +40,34 @@ EXPECTED_ENV_RESPONSE = { 'HTTP_X_AUTH_TOKEN': 'lalalalalala', } +TOKEN_V3_RESPONSE = { + 'version': 'v3', + 'project_id': 'tenant_id1', + 'project_name': 'tenant_name1', + 'user_id': 'user_id1', + 'username': 'user_name1', + 'service_catalog': None, + 'role_names': ['role1', 'role2'], + 'auth_token': 'lalalalalala', + 'user_domain_id': 'domain1' +} TOKEN_V2_RESPONSE = { - 'token': { - 'id': 'lalalalalala', - 'expires': '2020-01-01T00:00:10.000123Z', - 'tenant': { - 'id': 'tenant_id1', - 'name': 'tenant_name1', - }, - }, - 'user': { - 'id': 'user_id1', - 'name': 'user_name1', - 'roles': [ - {'name': 'role1'}, - {'name': 'role2'}, - ], - }, - 'serviceCatalog': {} + 'version': 'v2', + 'tenant_id': 'tenant_id1', + 'tenant_name': 'tenant_name1', + 'user_id': 'user_id1', + 'service_catalog': None, + 'username': 'user_name1', + 'role_names': ['role1', 'role2'], + 'auth_token': 'lalalalalala', + 'user_domain_id': 'domain1' } -TOKEN_V3_RESPONSE = { - 'version': 'v3', - 'project': { - 'id': 'tenant_id1', - 'name': 'tenant_name1', - }, - 'token': { - 'id': 'lalalalalala', - 'expires': '2020-01-01T00:00:10.000123Z', - 'tenant': { - 'id': 'tenant_id1', - 'name': 'tenant_name1', - }, - 'methods': ['password'], - }, - 'user': { - 'id': 'user_id1', - 'name': 'user_name1', - }, - 'roles': [ - {'name': 'role1'}, - {'name': 'role2'}, - ], - 'auth_token': 'lalalalalala' -} +class FakeAccessInfo(object): + def __init__(self, **args): + self.__dict__.update(args) class FakeApp(object): @@ -131,9 +112,8 @@ class KeystonePasswordAuthProtocolTest(common.HeatTestCase): username='user_name1').AndReturn(mock_auth) m = mock_auth.get_access(mox.IsA(ks_session.Session)) - m.AndReturn(TOKEN_V2_RESPONSE) + m.AndReturn(FakeAccessInfo(**TOKEN_V2_RESPONSE)) - self.app.expected_env['keystone.token_info'] = TOKEN_V2_RESPONSE self.m.ReplayAll() req = webob.Request.blank('/tenant_id1/') req.headers['X_AUTH_USER'] = 'user_name1' @@ -154,11 +134,8 @@ class KeystonePasswordAuthProtocolTest(common.HeatTestCase): username='user_name1').AndReturn(mock_auth) m = mock_auth.get_access(mox.IsA(ks_session.Session)) - m.AndReturn(TOKEN_V3_RESPONSE) + m.AndReturn(FakeAccessInfo(**TOKEN_V3_RESPONSE)) - self.app.expected_env['keystone.token_info'] = { - 'token': TOKEN_V3_RESPONSE - } self.m.ReplayAll() req = webob.Request.blank('/tenant_id1/') req.headers['X_AUTH_USER'] = 'user_name1' diff --git a/heat/tests/test_common_context.py b/heat/tests/test_common_context.py index 9145fd3f4..9f66d9e0d 100644 --- a/heat/tests/test_common_context.py +++ b/heat/tests/test_common_context.py @@ -50,8 +50,8 @@ class TestRequestContext(common.HeatTestCase): 'aws_creds': 'blah', 'region_name': 'RegionOne', 'user_identity': 'fooUser 456tenant', - 'user_domain_id': None, - 'project_domain_id': None} + 'user_domain': None, + 'project_domain': None} super(TestRequestContext, self).setUp() diff --git a/heat/tests/utils.py b/heat/tests/utils.py index 511a31466..85d802070 100644 --- a/heat/tests/utils.py +++ b/heat/tests/utils.py @@ -72,7 +72,7 @@ def reset_dummy_db(): def dummy_context(user='test_username', tenant_id='test_tenant_id', - password='password', roles=None, user_id=None, + password='', roles=None, user_id=None, trust_id=None, region_name=None, is_admin=False): roles = roles or [] return context.RequestContext.from_dict({ |