-rw-r--r-- | etc/keystone-paste.ini | 9 | ||||
-rw-r--r-- | keystone/auth/controllers.py | 7 | ||||
-rw-r--r-- | keystone/common/authorization.py | 6 | ||||
-rw-r--r-- | keystone/common/request.py | 12 | ||||
-rw-r--r-- | keystone/middleware/core.py | 25 | ||||
-rw-r--r-- | keystone/tests/unit/test_cli.py | 4 | ||||
-rw-r--r-- | keystone/tests/unit/test_middleware.py | 11 | ||||
-rw-r--r-- | releasenotes/notes/remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml | 16 |
8 files changed, 55 insertions, 35 deletions
diff --git a/etc/keystone-paste.ini b/etc/keystone-paste.ini
index b629b48c9..79b670a05 100644
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@@ -9,9 +9,6 @@ use = egg:oslo.middleware#request_id
 [filter:build_auth_context]
 use = egg:keystone#build_auth_context
-[filter:token_auth]
-use = egg:keystone#token_auth
-
 [filter:json_body]
 use = egg:keystone#json_body
@@ -55,17 +52,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension public_service
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension s3_extension admin_service
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension_v3 s3_extension service_v3
 [app:public_version_service]
 use = egg:keystone#public_version_service
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 0fd534b93..bc7070e52 100644
--- a/keystone/auth/controllers.py +++ b/keystone/auth/controllers.py @@ -309,7 +309,7 @@ class Auth(controller.V3Controller): @controller.protected() def check_token(self, request): - token_id = request.context_dict.get('subject_token_id') + token_id = request.subject_token window_seconds = authorization.token_validation_window(request) token_data = PROVIDERS.token_provider_api.validate_token( token_id, window_seconds=window_seconds) @@ -320,12 +320,11 @@ class Auth(controller.V3Controller): @controller.protected() def revoke_token(self, request): - token_id = request.context_dict.get('subject_token_id') - return PROVIDERS.token_provider_api.revoke_token(token_id) + return PROVIDERS.token_provider_api.revoke_token(request.subject_token) @controller.protected() def validate_token(self, request): - token_id = request.context_dict.get('subject_token_id') + token_id = request.subject_token window_seconds = authorization.token_validation_window(request) include_catalog = 'nocatalog' not in request.params token_data = PROVIDERS.token_provider_api.validate_token( diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py index dfe3675a3..5c0a89e2d 100644 --- a/keystone/common/authorization.py +++ b/keystone/common/authorization.py @@ -87,13 +87,13 @@ def token_validation_window(request): def _handle_subject_token_id(self, request, policy_dict): - if request.context_dict.get('subject_token_id') is not None: + if request.subject_token is not None: window_seconds = token_validation_window(request) token_ref = token_model.KeystoneToken( - token_id=request.context_dict['subject_token_id'], + token_id=request.subject_token, token_data=self.token_provider_api.validate_token( - request.context_dict['subject_token_id'], + request.subject_token, window_seconds=window_seconds)) policy_dict.setdefault('target', {}) policy_dict['target'].setdefault(self.member_name, {}) 
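Review bot: `check_token` and `validate_token` still pass `request.subject_token` straight into `validate_token` when the `X-Subject-Token` header is absent, and the new property returns `None` in that case; the old `context_dict.get('subject_token_id')` behaved the same, so this is not a regression, but now that the lookup is explicit a guard at the top of each of the three methods would turn a missing header into a 400 rather than whatever the provider does with `None` (presumably a 404, not visible here), e.g. `if token_id is None: raise exception.ValidationError(...)` if `keystone.exception` is in scope in this module. The same applies to `revoke_token`, which passes the header value inline. `validate_token`'s body continues past the end of the hunk.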
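Review bot: `_handle_subject_token_id` now guards on `request.subject_token is not None`, but the removed `TokenAuthMiddleware` only stored the header when it was truthy (`if subject_token:`), so a request carrying an empty `X-Subject-Token:` header used to skip this branch and now reaches `validate_token('')`. Binding the property once restores the old semantics and avoids three separate header lookups: `subject_token = request.subject_token` followed by `if subject_token:`, then use `subject_token` for both `token_id=` and the `validate_token` argument. The function continues past the end of the hunk.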
diff --git a/keystone/common/request.py b/keystone/common/request.py index 4a14473e4..4b32c5f01 100644 --- a/keystone/common/request.py +++ b/keystone/common/request.py @@ -70,6 +70,10 @@ class Request(webob.Request): context['is_admin_project'] = self.context.is_admin_project context.setdefault('is_admin', False) + context['token_id'] = self.auth_token + if self.subject_token: + context['subject_token_id'] = self.subject_token + return context @property @@ -119,6 +123,14 @@ class Request(webob.Request): return initiator + @property + def auth_token(self): + return self.headers.get(authorization.AUTH_TOKEN_HEADER, None) + + @property + def subject_token(self): + return self.headers.get(authorization.SUBJECT_TOKEN_HEADER, None) + auth_type = environ_getter('AUTH_TYPE', None) remote_domain = environ_getter('REMOTE_DOMAIN', None) context = environ_getter(context.REQUEST_CONTEXT_ENV, None) diff --git a/keystone/middleware/core.py b/keystone/middleware/core.py index 0b556b2af..5b6e5eb72 100644 --- a/keystone/middleware/core.py +++ b/keystone/middleware/core.py @@ -13,9 +13,9 @@ # under the License. from oslo_log import log +from oslo_log import versionutils from oslo_serialization import jsonutils -from keystone.common import authorization from keystone.common import wsgi from keystone import exception 
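Review bot: `subject_token` returns whatever `headers.get` yields, so an empty `X-Subject-Token` header gives `''` where the removed `TokenAuthMiddleware` (guarded by `if subject_token:`) left the context key unset; callers that test `is not None` will now treat the empty header as a token. Returning `self.headers.get(authorization.SUBJECT_TOKEN_HEADER) or None` restores the old contract in one place, and the explicit `None` default on both `get` calls is redundant. Neither new property has a docstring; one line each, such as `"""Value of the auth-token header (authorization.AUTH_TOKEN_HEADER), or None when absent."""`, would do. The deleted `TokenAuthMiddlewareTest` asserted that the header value lands in `context['token_id']`; nothing in this diff re-asserts that for the `context_dict` path. The function the first hunk edits starts outside the hunk.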
@@ -24,15 +24,22 @@ LOG = log.getLogger(__name__) class TokenAuthMiddleware(wsgi.Middleware): - def process_request(self, request): - context = request.environ.setdefault(wsgi.CONTEXT_ENV, {}) - - token = request.headers.get(authorization.AUTH_TOKEN_HEADER) - context['token_id'] = token - subject_token = request.headers.get(authorization.SUBJECT_TOKEN_HEADER) - if subject_token: - context['subject_token_id'] = subject_token + @versionutils.deprecated( + as_of=versionutils.deprecated.ROCKY, + what='TokenAuthMiddleware in the paste-ini pipeline.', + remove_in=+2) + def __init__(self, *args, **kwargs): + super(TokenAuthMiddleware, self).__init__(*args, **kwargs) + + LOG.warning('The token_auth middleware functionality has been ' + 'merged into the main auth middleware ' + '(keystone.middleware.auth.AuthContextMiddleware). ' + 'The [filter:token_auth] block will need to be' + 'removed from your paste ini file. Failure to' + 'remove these elements from your paste ini file will ' + 'result in keystone to no longer start/run when the ' + '`token_auth` is removed in the Stein release.') class JsonBodyMiddleware(wsgi.Middleware): diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py index 247df99f8..62557bfe7 100644 --- a/keystone/tests/unit/test_cli.py +++ b/keystone/tests/unit/test_cli.py @@ -178,7 +178,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase): self._do_test_bootstrap(bootstrap) # build validation request request = self.make_request(is_admin=True) - request.context_dict['subject_token_id'] = token + request.headers['X-Subject-Token'] = token # Make sure the token we authenticate for is still valid. v3_token_controller.validate_token(request) 
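Review bot: The concatenated warning in `TokenAuthMiddleware.__init__` is missing spaces at two join points, so operators will read "will need to beremoved" and "Failure toremove"; change the two fragments to `'The [filter:token_auth] block will need to be '` and `'removed from your paste ini file. Failure to '`. While there, "result in keystone to no longer start/run" reads better as "result in keystone no longer starting". The `versionutils.deprecated` decorator presumably already logs a deprecation message when the middleware is constructed, so the extra `LOG.warning` may duplicate it — worth confirming against oslo.log. The new release note tells operators to remove `admin_token_auth` from the pipelines, whereas this commit and the paste.ini hunk remove `token_auth`; the note and this warning should agree.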
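Review bot: The test sets the literal `'X-Subject-Token'` on `request.headers`, while the code under test reads the header through `authorization.SUBJECT_TOKEN_HEADER` (see the new `Request.subject_token` property in this commit); using `request.headers[authorization.SUBJECT_TOKEN_HEADER] = token` keeps the test in step with the constant. Whether `keystone.common.authorization` is imported in test_cli.py is not visible in the hunk. The same literal appears in the second test_cli hunk at line 209.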
@@ -209,7 +209,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase): self._do_test_bootstrap(bootstrap) # build validation request request = self.make_request(is_admin=True) - request.context_dict['subject_token_id'] = token + request.headers['X-Subject-Token'] = token # Since the user account was recovered with a different password, we # shouldn't be able to validate this token. Bootstrap should have # persisted a revocation event because the user's password was updated. diff --git a/keystone/tests/unit/test_middleware.py b/keystone/tests/unit/test_middleware.py index c9b4abfe5..5bf1e0c2c 100644 --- a/keystone/tests/unit/test_middleware.py +++ b/keystone/tests/unit/test_middleware.py @@ -103,17 +103,6 @@ class MiddlewareRequestTestBase(unit.TestCase): return self._do_middleware_response(*args, **kwargs).request -class TokenAuthMiddlewareTest(MiddlewareRequestTestBase): - - MIDDLEWARE_CLASS = middleware.TokenAuthMiddleware - - def test_request(self): - headers = {authorization.AUTH_TOKEN_HEADER: 'MAGIC'} - req = self._do_middleware_request(headers=headers) - context = req.environ[wsgi.CONTEXT_ENV] - self.assertEqual('MAGIC', context['token_id']) - - class JsonBodyMiddlewareTest(MiddlewareRequestTestBase): MIDDLEWARE_CLASS = middleware.JsonBodyMiddleware diff --git a/releasenotes/notes/remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml b/releasenotes/notes/remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml new file mode 100644 index 000000000..41133736b --- /dev/null +++ b/releasenotes/notes/remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml 
@@ -0,0 +1,16 @@ +--- +prelude: > + The token_auth middleware functionality has been merged into the main auth + middleware (keystone.middleware.auth.AuthContextMiddleware). + `admin_token_auth` must be removed from the [pipeline:api_v3], + [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini + file. The [filter:token_auth] block will also need to be removed from your + paste ini file. Failure to remove these elements from your paste ini file + will result in keystone to no longer start/run when the `token_auth` is + removed in the Stein release. +upgrade: + - Remove token_auth from your keystone paste.ini file. Failure to remove + these elements from your paste ini file will result in keystone to no + longer start/run when the `token_auth` is removed in the Stein release. +deprecations: + - The keystone.middleware.core:TokenAuthMiddleware is deprecated for removal. |