summaryrefslogtreecommitdiff
path: root/keystonemiddleware
diff options
context:
space:
mode:
authorZuul <zuul@review.opendev.org>2019-06-21 21:31:56 +0000
committerGerrit Code Review <review@openstack.org>2019-06-21 21:31:56 +0000
commit2ed915f4fe29138a88687e70efd95ea014b948bc (patch)
treef9ecbe2bf087f70def445d62836d1d47a74355a6 /keystonemiddleware
parentd040cf67fb186ba2e8458e7a8228034ecba7b474 (diff)
parentb3e84aafc0302b1a87754f438696794076ba844f (diff)
downloadkeystonemiddleware-2ed915f4fe29138a88687e70efd95ea014b948bc.tar.gz
Merge "Remove PKI/PKIZ support"
Diffstat (limited to 'keystonemiddleware')
-rw-r--r--keystonemiddleware/auth_token/__init__.py147
-rw-r--r--keystonemiddleware/auth_token/_identity.py52
-rw-r--r--keystonemiddleware/auth_token/_opts.py20
-rw-r--r--keystonemiddleware/auth_token/_signing_dir.py90
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py292
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_signing_dir.py145
-rw-r--r--keystonemiddleware/tests/unit/client_fixtures.py132
-rw-r--r--keystonemiddleware/tests/unit/test_opts.py4
8 files changed, 14 insertions, 868 deletions
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 6041e9e..dcf166b 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -217,7 +217,6 @@ object is stored.
"""
-import binascii
import copy
from keystoneauth1 import access
@@ -226,8 +225,6 @@ from keystoneauth1 import discover
from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import loading
from keystoneauth1.loading import session as session_loading
-from keystoneclient.common import cms
-from keystoneclient import exceptions as ksc_exceptions
import oslo_cache
from oslo_config import cfg
from oslo_log import log as logging
@@ -242,7 +239,6 @@ from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
from keystonemiddleware.auth_token import _identity
from keystonemiddleware.auth_token import _opts
from keystonemiddleware.auth_token import _request
-from keystonemiddleware.auth_token import _signing_dir
from keystonemiddleware.auth_token import _user_plugin
from keystonemiddleware.i18n import _
@@ -289,16 +285,6 @@ class _BIND_MODE(object):
KERBEROS = 'kerberos'
-def _uncompress_pkiz(token):
- # TypeError If the signed_text is not zlib compressed binascii.Error if
- # signed_text has incorrect base64 padding (py34)
-
- try:
- return cms.pkiz_uncompress(token)
- except (TypeError, binascii.Error):
- raise ksm_exceptions.InvalidToken(token)
-
-
class BaseAuthProtocol(object):
"""A base class for AuthProtocol token checking implementations.
@@ -534,9 +520,6 @@ class BaseAuthProtocol(object):
class AuthProtocol(BaseAuthProtocol):
"""Middleware that handles authenticating client calls."""
- _SIGNING_CERT_FILE_NAME = 'signing_cert.pem'
- _SIGNING_CA_FILE_NAME = 'cacert.pem'
-
def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone auth_token middleware')
@@ -568,9 +551,7 @@ class AuthProtocol(BaseAuthProtocol):
self._delay_auth_decision = self._conf.get('delay_auth_decision')
self._include_service_catalog = self._conf.get(
'include_service_catalog')
- self._hash_algorithms = self._conf.get('hash_algorithms')
self._interface = self._conf.get('interface')
-
self._auth = self._create_auth_plugin()
self._session = self._create_session()
self._identity_server = self._create_identity_server()
@@ -590,9 +571,6 @@ class AuthProtocol(BaseAuthProtocol):
self._www_authenticate_uri = \
self._identity_server.www_authenticate_uri
- self._signing_directory = _signing_dir.SigningDirectory(
- directory_name=self._conf.get('signing_dir'), log=self.log)
-
self._token_cache = self._token_cache_factory()
def process_request(self, request):
@@ -674,37 +652,6 @@ class AuthProtocol(BaseAuthProtocol):
header_val = 'Keystone uri="%s"' % self._www_authenticate_uri
return [('WWW-Authenticate', header_val)]
- def _token_hashes(self, token):
- """Generate a list of hashes that the current token may be cached as.
-
- The first element of this list is the preferred algorithm and is what
- new cache values should be saved as.
-
- :param str token: The token being presented by a user.
-
- :returns: list of str token hashes.
- """
- if cms.is_asn1_token(token) or cms.is_pkiz(token):
- return list(cms.cms_hash_token(token, mode=algo)
- for algo in self._hash_algorithms)
- else:
- return [token]
-
- def _cache_get_hashes(self, token_hashes):
- """Check if the token is cached already.
-
- Functions takes a list of hashes that might be in the cache and matches
- the first one that is present. If nothing is found in the cache it
- returns None.
-
- :returns: token data if found else None.
- """
- for token in token_hashes:
- cached = self._token_cache.get(token)
-
- if cached:
- return cached
-
def fetch_token(self, token, allow_expired=False):
"""Retrieve a token from either a PKI bundle or the identity server.
@@ -713,11 +660,8 @@ class AuthProtocol(BaseAuthProtocol):
:raises exc.InvalidToken: if token is rejected
"""
data = None
- token_hashes = None
-
try:
- token_hashes = self._token_hashes(token)
- cached = self._cache_get_hashes(token_hashes)
+ cached = self._token_cache.get(token)
if cached:
if cached == _CACHE_INVALID_INDICATOR:
@@ -733,13 +677,11 @@ class AuthProtocol(BaseAuthProtocol):
data = cached
else:
- data = self._validate_offline(token, token_hashes)
- if not data:
- data = self._identity_server.verify_token(
- token,
- allow_expired=allow_expired)
+ data = self._identity_server.verify_token(
+ token,
+ allow_expired=allow_expired)
- self._token_cache.set(token_hashes[0], data)
+ self._token_cache.set(token, data)
except (ksa_exceptions.ConnectFailure,
ksa_exceptions.DiscoveryFailure,
@@ -755,9 +697,7 @@ class AuthProtocol(BaseAuthProtocol):
'The Keystone service is temporarily unavailable.')
except ksm_exceptions.InvalidToken:
self.log.debug('Token validation failure.', exc_info=True)
- if token_hashes:
- self._token_cache.set(token_hashes[0],
- _CACHE_INVALID_INDICATOR)
+ self._token_cache.set(token, _CACHE_INVALID_INDICATOR)
self.log.warning('Authorization failed for token')
raise
except ksa_exceptions.EndpointNotFound:
@@ -767,34 +707,6 @@ class AuthProtocol(BaseAuthProtocol):
return data
- def _validate_offline(self, token, token_hashes):
- if cms.is_pkiz(token):
- token_data = _uncompress_pkiz(token)
- inform = cms.PKIZ_CMS_FORM
- elif cms.is_asn1_token(token):
- token_data = cms.token_to_cms(token)
- inform = cms.PKI_ASN1_FORM
- else:
- # Can't do offline validation for this type of token.
- return
-
- try:
- verified = self._cms_verify(token_data, inform)
- except ksc_exceptions.CertificateConfigError:
- self.log.warning('Fetch certificate config failed, '
- 'fallback to online validation.')
- else:
- self.log.warning('auth_token middleware received a PKI/Z token. '
- 'This form of token is deprecated and has been '
- 'removed from keystone server and will be '
- 'removed from auth_token middleware in the Rocky '
- 'release. Please contact your administrator '
- 'about upgrading keystone and the token format.')
-
- data = jsonutils.loads(verified)
-
- return data
-
def _validate_token(self, auth_ref, **kwargs):
super(AuthProtocol, self)._validate_token(auth_ref, **kwargs)
@@ -802,53 +714,6 @@ class AuthProtocol(BaseAuthProtocol):
msg = _('Unable to determine service tenancy.')
raise ksm_exceptions.InvalidToken(msg)
- def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM):
- """Verify the signature of the provided data's IAW CMS syntax.
-
- If either of the certificate files might be missing, fetch them and
- retry.
- """
- def verify():
- try:
- signing_cert_path = self._signing_directory.calc_path(
- self._SIGNING_CERT_FILE_NAME)
- signing_ca_path = self._signing_directory.calc_path(
- self._SIGNING_CA_FILE_NAME)
- return cms.cms_verify(data, signing_cert_path,
- signing_ca_path,
- inform=inform).decode('utf-8')
- except (ksc_exceptions.CMSError,
- cms.subprocess.CalledProcessError) as err:
- self.log.warning('Verify error: %s', err)
- msg = _('Token authorization failed')
- raise ksm_exceptions.InvalidToken(msg)
-
- try:
- return verify()
- except ksc_exceptions.CertificateConfigError:
- # the certs might be missing; unconditionally fetch to avoid racing
- self._fetch_signing_cert()
- self._fetch_ca_cert()
-
- try:
- # retry with certs in place
- return verify()
- except ksc_exceptions.CertificateConfigError as err:
- # if this is still occurring, something else is wrong and we
- # need err.output to identify the problem
- self.log.error('CMS Verify output: %s', err.output)
- raise
-
- def _fetch_signing_cert(self):
- self._signing_directory.write_file(
- self._SIGNING_CERT_FILE_NAME,
- self._identity_server.fetch_signing_cert())
-
- def _fetch_ca_cert(self):
- self._signing_directory.write_file(
- self._SIGNING_CA_FILE_NAME,
- self._identity_server.fetch_ca_cert())
-
def _create_auth_plugin(self):
# NOTE(jamielennox): Ideally this would use load_from_conf_options
# however that is not possible because we have to support the override
diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py
index aeeb8d9..4c10521 100644
--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -10,12 +10,9 @@
# License for the specific language governing permissions and limitations
# under the License.
-import functools
-
from keystoneauth1 import discover
from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import plugin
-from keystoneclient import exceptions as ksc_exceptions
from keystoneclient.v2_0 import client as v2_client
from keystoneclient.v3 import client as v3_client
from six.moves import urllib
@@ -25,18 +22,6 @@ from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
from keystonemiddleware.i18n import _
-def _convert_fetch_cert_exception(fetch_cert):
- @functools.wraps(fetch_cert)
- def wrapper(self):
- try:
- text = fetch_cert(self)
- except ksa_exceptions.HttpError as e:
- raise ksc_exceptions.CertificateConfigError(e.details)
- return text
-
- return wrapper
-
-
class _RequestStrategy(object):
AUTH_VERSION = None
@@ -49,20 +34,6 @@ class _RequestStrategy(object):
def verify_token(self, user_token, allow_expired=False):
pass
- @_convert_fetch_cert_exception
- def fetch_signing_cert(self):
- return self._fetch_signing_cert()
-
- def _fetch_signing_cert(self):
- pass
-
- @_convert_fetch_cert_exception
- def fetch_ca_cert(self):
- return self._fetch_ca_cert()
-
- def _fetch_ca_cert(self):
- pass
-
class _V2RequestStrategy(_RequestStrategy):
@@ -82,12 +53,6 @@ class _V2RequestStrategy(_RequestStrategy):
return {'access': auth_ref}
- def _fetch_signing_cert(self):
- return self._client.certificates.get_signing_certificate()
-
- def _fetch_ca_cert(self):
- return self._client.certificates.get_ca_certificate()
-
class _V3RequestStrategy(_RequestStrategy):
@@ -112,12 +77,6 @@ class _V3RequestStrategy(_RequestStrategy):
return {'token': auth_ref}
- def _fetch_signing_cert(self):
- return self._client.simple_cert.get_certificates()
-
- def _fetch_ca_cert(self):
- return self._client.simple_cert.get_ca_certificates()
-
_REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
@@ -126,9 +85,8 @@ class IdentityServer(object):
"""Base class for operations on the Identity API server.
The auth_token middleware needs to communicate with the Identity API server
- to validate UUID tokens, signing certificates,
- etc. This class encapsulates the data and methods to perform these
- operations.
+ to validate tokens. This class encapsulates the data and methods to perform
+ the operations.
"""
@@ -241,11 +199,5 @@ class IdentityServer(object):
else:
return auth_ref
- def fetch_signing_cert(self):
- return self._request_strategy.fetch_signing_cert()
-
- def fetch_ca_cert(self):
- return self._request_strategy.fetch_ca_cert()
-
def invalidate(self):
return self._adapter.invalidate()
diff --git a/keystonemiddleware/auth_token/_opts.py b/keystonemiddleware/auth_token/_opts.py
index 6231b6d..b551407 100644
--- a/keystonemiddleware/auth_token/_opts.py
+++ b/keystonemiddleware/auth_token/_opts.py
@@ -99,13 +99,6 @@ _OPTS = [
cfg.BoolOpt('insecure', default=False, help='Verify HTTPS connections.'),
cfg.StrOpt('region_name',
help='The region in which the identity server can be found.'),
- cfg.StrOpt('signing_dir',
- deprecated_for_removal=True,
- deprecated_reason='PKI token format is no longer supported.',
- deprecated_since='Ocata',
- help='Directory used to cache files related to PKI tokens. This'
- ' option has been deprecated in the Ocata release and will be'
- ' removed in the P release.'),
cfg.ListOpt('memcached_servers',
deprecated_name='memcache_servers',
help='Optionally specify a list of memcached server(s) to'
@@ -172,19 +165,6 @@ _OPTS = [
' unknown the token will be rejected. "required" any form of'
' token binding is needed to be allowed. Finally the name of a'
' binding method that must be present in tokens.'),
- cfg.ListOpt('hash_algorithms', default=['md5'],
- deprecated_for_removal=True,
- deprecated_reason='PKI token format is no longer supported.',
- deprecated_since='Ocata',
- help='Hash algorithms to use for hashing PKI tokens. This may'
- ' be a single algorithm or multiple. The algorithms are those'
- ' supported by Python standard hashlib.new(). The hashes will'
- ' be tried in the order given, so put the preferred one first'
- ' for performance. The result of the first hash will be stored'
- ' in the cache. This will typically be set to multiple values'
- ' only while migrating from a less secure algorithm to a more'
- ' secure one. Once all the old tokens are expired this option'
- ' should be set to a single value for better performance.'),
cfg.ListOpt('service_token_roles', default=['service'],
help='A choice of roles that must be present in a service'
' token. Service tokens are allowed to request that an expired'
diff --git a/keystonemiddleware/auth_token/_signing_dir.py b/keystonemiddleware/auth_token/_signing_dir.py
deleted file mode 100644
index 698e055..0000000
--- a/keystonemiddleware/auth_token/_signing_dir.py
+++ /dev/null
@@ -1,90 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import stat
-import tempfile
-
-from oslo_log import log as logging
-import six
-
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.i18n import _
-
-_LOG = logging.getLogger(__name__)
-
-
-class SigningDirectory(object):
-
- def __init__(self, directory_name=None, log=None):
- self._log = log or _LOG
-
- self._directory_name = directory_name
- if self._directory_name:
- self._log.info(
- 'Using %s as cache directory for signing certificate',
- self._directory_name)
- self._verify_signing_dir()
-
- def write_file(self, file_name, new_contents):
-
- # In Python2, encoding is slow so the following check avoids it if it
- # is not absolutely necessary.
- if isinstance(new_contents, six.text_type):
- new_contents = new_contents.encode('utf-8')
-
- def _atomic_write():
- with tempfile.NamedTemporaryFile(dir=self._directory_name,
- delete=False) as f:
- f.write(new_contents)
- os.rename(f.name, self.calc_path(file_name))
-
- try:
- _atomic_write()
- except (OSError, IOError):
- self._verify_signing_dir()
- _atomic_write()
-
- def read_file(self, file_name):
- path = self.calc_path(file_name)
- open_kwargs = {'encoding': 'utf-8'} if six.PY3 else {}
- with open(path, 'r', **open_kwargs) as f:
- return f.read()
-
- def calc_path(self, file_name):
- self._lazy_create_signing_dir()
- return os.path.join(self._directory_name, file_name)
-
- def _lazy_create_signing_dir(self):
- if self._directory_name is None:
- self._directory_name = tempfile.mkdtemp(prefix='keystone-signing-')
- self._log.info(
- 'Using %s as cache directory for signing certificate',
- self._directory_name)
- self._verify_signing_dir()
-
- def _verify_signing_dir(self):
- if os.path.isdir(self._directory_name):
- if not os.access(self._directory_name, os.W_OK):
- raise exc.ConfigurationError(
- _('unable to access signing_dir %s') %
- self._directory_name)
- uid = os.getuid()
- if os.stat(self._directory_name).st_uid != uid:
- self._log.warning('signing_dir is not owned by %s', uid)
- current_mode = stat.S_IMODE(os.stat(self._directory_name).st_mode)
- if current_mode != stat.S_IRWXU:
- self._log.warning(
- 'signing_dir mode is %(mode)s instead of %(need)s',
- {'mode': oct(current_mode), 'need': oct(stat.S_IRWXU)})
- else:
- os.makedirs(self._directory_name, stat.S_IRWXU)
diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
index 1e2dcc3..04e605c 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -14,9 +14,6 @@
import datetime
import os
-import shutil
-import stat
-import tempfile
import time
import uuid
@@ -25,7 +22,6 @@ from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import fixture
from keystoneauth1 import loading
from keystoneauth1 import session
-from keystoneclient.common import cms
from keystoneclient import exceptions as ksc_exceptions
import mock
import oslo_cache
@@ -282,11 +278,8 @@ class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
self.fake_app = fake_app or FakeApp
self.middleware = None
- signing_dir = self._setup_signing_directory()
-
self.conf = {
'identity_uri': 'https://keystone.example.com:1234/testadmin/',
- 'signing_dir': signing_dir,
'auth_version': auth_version,
'www_authenticate_uri': 'https://keystone.example.com:1234',
'admin_user': uuid.uuid4().hex,
@@ -299,16 +292,6 @@ class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
def call_middleware(self, **kwargs):
return self.call(self.middleware, **kwargs)
- def _setup_signing_directory(self):
- directory_name = self.useFixture(fixtures.TempDir()).path
-
- # Copy the sample certificate files into the temporary directory.
- for filename in ['cacert.pem', 'signing_cert.pem', ]:
- shutil.copy2(os.path.join(client_fixtures.CERTDIR, filename),
- os.path.join(directory_name, filename))
-
- return directory_name
-
def set_middleware(self, expected_env=None, conf=None):
"""Configure the class ready to call the auth_token middleware.
@@ -528,10 +511,7 @@ class CommonAuthTokenMiddlewareTest(object):
"""These tests are run once using v2 tokens and again using v3 tokens."""
def test_init_does_not_call_http(self):
- conf = {
- 'revocation_cache_time': '1'
- }
- self.create_simple_middleware(conf=conf)
+ self.create_simple_middleware(conf={})
self.assertLastPath(None)
def test_auth_with_no_token_does_not_call_http(self):
@@ -578,40 +558,6 @@ class CommonAuthTokenMiddlewareTest(object):
self.assert_valid_request_200(self.token_dict['uuid_token_default'])
self.assert_valid_last_url(self.token_dict['uuid_token_default'])
- def test_valid_signed_request(self):
- for _ in range(2): # Do it twice because first result was cached.
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped'])
- # ensure that signed requests do not generate HTTP traffic
- self.assertLastPath(None)
-
- def test_valid_signed_compressed_request(self):
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
- # ensure that signed requests do not generate HTTP traffic
- self.assertLastPath(None)
-
- def test_validate_offline_succeeds_for_unrevoked_token(self):
- token = self.middleware._validate_offline(
- self.token_dict['signed_token_scoped'],
- [self.token_dict['signed_token_scoped_hash']])
- self.assertIsInstance(token, dict)
-
- def test_verify_signed_compressed_token_succeeds_for_unrevoked_token(self):
- token = self.middleware._validate_offline(
- self.token_dict['signed_token_scoped_pkiz'],
- [self.token_dict['signed_token_scoped_hash']])
- self.assertIsInstance(token, dict)
-
- def test_validate_offline_token_succeeds_for_unrevoked_token_sha256(self):
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- token = self.middleware._validate_offline(
- self.token_dict['signed_token_scoped'],
- [self.token_dict['signed_token_scoped_hash_sha256'],
- self.token_dict['signed_token_scoped_hash']])
- self.assertIsInstance(token, dict)
-
def test_request_invalid_uuid_token(self):
# remember because we are testing the middleware we stub the connection
# to the keystone server, but this is not what gets returned
@@ -623,20 +569,6 @@ class CommonAuthTokenMiddlewareTest(object):
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
resp.headers['WWW-Authenticate'])
- def test_request_invalid_signed_token(self):
- token = self.examples.INVALID_SIGNED_TOKEN
- resp = self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
- self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
- resp.headers['WWW-Authenticate'])
-
- def test_request_invalid_signed_pkiz_token(self):
- token = self.examples.INVALID_SIGNED_PKIZ_TOKEN
- resp = self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
- self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
- resp.headers['WWW-Authenticate'])
-
def test_request_no_token(self):
resp = self.call_middleware(expected_status=401)
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
@@ -653,19 +585,8 @@ class CommonAuthTokenMiddlewareTest(object):
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
resp.headers['WWW-Authenticate'])
- def _get_cached_token(self, token, mode='md5'):
- token_id = cms.cms_hash_token(token, mode=mode)
- return self.middleware._token_cache.get(token_id)
-
- def test_memcache(self):
- token = self.token_dict['signed_token_scoped']
- self.call_middleware(headers={'X-Auth-Token': token})
- self.assertIsNotNone(self._get_cached_token(token))
-
- def test_expired(self):
- token = self.token_dict['signed_token_scoped_expired']
- self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
+ def _get_cached_token(self, token):
+ return self.middleware._token_cache.get(token)
def test_memcache_set_invalid_uuid(self):
invalid_uri = "%s/v2.0/tokens/invalid-token" % BASE_URI
@@ -702,7 +623,7 @@ class CommonAuthTokenMiddlewareTest(object):
conf.update(extra_conf)
self.set_middleware(conf=conf)
- token = self.token_dict['signed_token_scoped']
+ token = self.token_dict['uuid_token_default']
self.call_middleware(headers={'X-Auth-Token': token})
req = webob.Request.blank('/')
@@ -948,7 +869,7 @@ class CommonAuthTokenMiddlewareTest(object):
orig_cache_set = cache.set
cache.set = mock.Mock(side_effect=orig_cache_set)
- token = self.token_dict['signed_token_scoped']
+ token = self.token_dict['uuid_token_default']
self.call_middleware(headers={'X-Auth-Token': token})
@@ -1085,144 +1006,6 @@ class CommonAuthTokenMiddlewareTest(object):
resp.request.headers['X-Service-Identity-Status'])
-class V2CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def __init__(self, *args, **kwargs):
- super(V2CertDownloadMiddlewareTest, self).__init__(*args, **kwargs)
- self.auth_version = 'v2.0'
- self.fake_app = None
- self.ca_path = '/v2.0/certificates/ca'
- self.signing_path = '/v2.0/certificates/signing'
-
- def setUp(self):
- super(V2CertDownloadMiddlewareTest, self).setUp(
- auth_version=self.auth_version,
- fake_app=self.fake_app)
- self.logger = self.useFixture(fixtures.FakeLogger())
- self.base_dir = tempfile.mkdtemp()
- self.addCleanup(shutil.rmtree, self.base_dir)
- self.cert_dir = os.path.join(self.base_dir, 'certs')
- os.makedirs(self.cert_dir, stat.S_IRWXU)
- conf = {
- 'signing_dir': self.cert_dir,
- 'auth_version': self.auth_version,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v3,
- status_code=300)
-
- self.set_middleware(conf=conf)
-
- # Usually we supply a signed_dir with pre-installed certificates,
- # so invocation of /usr/bin/openssl succeeds. This time we give it
- # an empty directory, so it fails.
- def test_request_no_token_dummy(self):
- cms._ensure_subprocess()
-
- self.requests_mock.get('%s%s' % (BASE_URI, self.ca_path),
- status_code=404)
- self.requests_mock.get('%s%s' % (BASE_URI, self.signing_path),
- status_code=404)
-
- token = self.middleware._validate_offline(
- self.examples.SIGNED_TOKEN_SCOPED,
- [self.examples.SIGNED_TOKEN_SCOPED_HASH])
-
- self.assertIsNone(token)
-
- self.assertIn('Fetch certificate config failed', self.logger.output)
- self.assertIn('fallback to online validation', self.logger.output)
-
- def test_fetch_signing_cert(self):
- data = 'FAKE CERT'
- url = "%s%s" % (BASE_URI, self.signing_path)
- self.requests_mock.get(url, text=data)
- self.middleware._fetch_signing_cert()
-
- signing_cert_path = self.middleware._signing_directory.calc_path(
- self.middleware._SIGNING_CERT_FILE_NAME)
- with open(signing_cert_path, 'r') as f:
- self.assertEqual(f.read(), data)
-
- self.assertEqual(url, self.requests_mock.last_request.url)
-
- def test_fetch_signing_ca(self):
- data = 'FAKE CA'
- url = "%s%s" % (BASE_URI, self.ca_path)
- self.requests_mock.get(url, text=data)
- self.middleware._fetch_ca_cert()
-
- ca_file_path = self.middleware._signing_directory.calc_path(
- self.middleware._SIGNING_CA_FILE_NAME)
- with open(ca_file_path, 'r') as f:
- self.assertEqual(f.read(), data)
-
- self.assertEqual(url, self.requests_mock.last_request.url)
-
- def test_prefix_trailing_slash(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = '/newadmin/'
-
- base_url = '%s/newadmin' % BASE_HOST
- ca_url = "%s%s" % (base_url, self.ca_path)
- signing_url = "%s%s" % (base_url, self.signing_path)
-
- self.requests_mock.get(base_url,
- json=VERSION_LIST_v3,
- status_code=300)
- self.requests_mock.get(ca_url, text='FAKECA')
- self.requests_mock.get(signing_url, text='FAKECERT')
-
- self.set_middleware(conf=self.conf)
-
- self.middleware._fetch_ca_cert()
- self.assertEqual(ca_url, self.requests_mock.last_request.url)
-
- self.middleware._fetch_signing_cert()
- self.assertEqual(signing_url, self.requests_mock.last_request.url)
-
- def test_without_prefix(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = ''
-
- ca_url = "%s%s" % (BASE_HOST, self.ca_path)
- signing_url = "%s%s" % (BASE_HOST, self.signing_path)
-
- self.requests_mock.get(BASE_HOST,
- json=VERSION_LIST_v3,
- status_code=300)
- self.requests_mock.get(ca_url, text='FAKECA')
- self.requests_mock.get(signing_url, text='FAKECERT')
-
- self.set_middleware(conf=self.conf)
-
- self.middleware._fetch_ca_cert()
- self.assertEqual(ca_url, self.requests_mock.last_request.url)
-
- self.middleware._fetch_signing_cert()
- self.assertEqual(signing_url, self.requests_mock.last_request.url)
-
-
-class V3CertDownloadMiddlewareTest(V2CertDownloadMiddlewareTest):
-
- def __init__(self, *args, **kwargs):
- super(V3CertDownloadMiddlewareTest, self).__init__(*args, **kwargs)
- self.auth_version = 'v3.0'
- self.fake_app = v3FakeApp
- self.ca_path = '/v3/OS-SIMPLE-CERT/ca'
- self.signing_path = '/v3/OS-SIMPLE-CERT/certificates'
-
-
def network_error_response(request, context):
raise ksa_exceptions.ConnectFailure("Network connection refused.")
@@ -1261,13 +1044,6 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
'uuid_token_unscoped': self.examples.UUID_TOKEN_UNSCOPED,
'uuid_token_bind': self.examples.UUID_TOKEN_BIND,
'uuid_token_unknown_bind': self.examples.UUID_TOKEN_UNKNOWN_BIND,
- 'signed_token_scoped': self.examples.SIGNED_TOKEN_SCOPED,
- 'signed_token_scoped_pkiz': self.examples.SIGNED_TOKEN_SCOPED_PKIZ,
- 'signed_token_scoped_hash': self.examples.SIGNED_TOKEN_SCOPED_HASH,
- 'signed_token_scoped_hash_sha256':
- self.examples.SIGNED_TOKEN_SCOPED_HASH_SHA256,
- 'signed_token_scoped_expired':
- self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
'uuid_service_token_default':
self.examples.UUID_SERVICE_TOKEN_DEFAULT,
}
@@ -1284,9 +1060,7 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.examples.UUID_TOKEN_BIND,
self.examples.UUID_TOKEN_UNKNOWN_BIND,
self.examples.UUID_TOKEN_NO_SERVICE_CATALOG,
- self.examples.UUID_SERVICE_TOKEN_DEFAULT,
- self.examples.SIGNED_TOKEN_SCOPED_KEY,
- self.examples.SIGNED_TOKEN_SCOPED_PKIZ_KEY,):
+ self.examples.UUID_SERVICE_TOKEN_DEFAULT,):
url = "%s/v2.0/tokens/%s" % (BASE_URI, token)
text = self.examples.JSON_TOKEN_RESPONSES[token]
self.requests_mock.get(url, text=text)
@@ -1316,10 +1090,6 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.assert_unscoped_default_tenant_auto_scopes(
self.examples.UUID_TOKEN_DEFAULT)
- def test_default_tenant_signed_token(self):
- self.assert_unscoped_default_tenant_auto_scopes(
- self.examples.SIGNED_TOKEN_SCOPED)
-
def assert_unscoped_token_receives_401(self, token):
"""Unscoped requests with no default tenant ID should be rejected."""
resp = self.call_middleware(headers={'X-Auth-Token': token},
@@ -1327,14 +1097,6 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
resp.headers['WWW-Authenticate'])
- def test_unscoped_uuid_token_receives_401(self):
- self.assert_unscoped_token_receives_401(
- self.examples.UUID_TOKEN_UNSCOPED)
-
- def test_unscoped_pki_token_receives_401(self):
- self.assert_unscoped_token_receives_401(
- self.examples.SIGNED_TOKEN_UNSCOPED)
-
def test_request_prevent_service_catalog_injection(self):
token = self.examples.UUID_TOKEN_NO_SERVICE_CATALOG
resp = self.call_middleware(headers={'X-Service-Catalog': '[]',
@@ -1456,15 +1218,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
'uuid_token_bind': self.examples.v3_UUID_TOKEN_BIND,
'uuid_token_unknown_bind':
self.examples.v3_UUID_TOKEN_UNKNOWN_BIND,
- 'signed_token_scoped': self.examples.SIGNED_v3_TOKEN_SCOPED,
- 'signed_token_scoped_pkiz':
- self.examples.SIGNED_v3_TOKEN_SCOPED_PKIZ,
- 'signed_token_scoped_hash':
- self.examples.SIGNED_v3_TOKEN_SCOPED_HASH,
- 'signed_token_scoped_hash_sha256':
- self.examples.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256,
- 'signed_token_scoped_expired':
- self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
'uuid_service_token_default':
self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT,
}
@@ -1559,39 +1312,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.examples.v3_UUID_TOKEN_DOMAIN_SCOPED)
self.assertLastPath('/v3/auth/tokens')
- def test_gives_v2_catalog(self):
- self.set_middleware()
- req = self.assert_valid_request_200(
- self.examples.SIGNED_v3_TOKEN_SCOPED)
-
- catalog = jsonutils.loads(req.headers['X-Service-Catalog'])
-
- for service in catalog:
- for endpoint in service['endpoints']:
- # no point checking everything, just that it's in v2 format
- self.assertIn('adminURL', endpoint)
- self.assertIn('publicURL', endpoint)
- self.assertIn('internalURL', endpoint)
-
- def test_fallback_to_online_validation_with_signing_error(self):
- self.requests_mock.get('%s/v3/OS-SIMPLE-CERT/certificates' % BASE_URI,
- status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_fallback_to_online_validation_with_ca_error(self):
- self.requests_mock.get('%s/v3/OS-SIMPLE-CERT/ca' % BASE_URI,
- status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_fallback_to_online_validation_with_revocation_list_error(self):
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
def test_user_plugin_token_properties(self):
token = self.examples.v3_UUID_TOKEN_DEFAULT
token_data = self.examples.TOKEN_RESPONSES[token]
diff --git a/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py b/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py
deleted file mode 100644
index 5664d7d..0000000
--- a/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py
+++ /dev/null
@@ -1,145 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import shutil
-import stat
-import uuid
-
-from keystonemiddleware.auth_token import _signing_dir
-from keystonemiddleware.tests.unit import utils
-
-
-class SigningDirectoryTests(utils.BaseTestCase):
-
- def test_directory_created_when_doesnt_exist(self):
- # When _SigningDirectory is created, if the directory doesn't exist
- # it's created with the expected permissions.
- tmp_name = uuid.uuid4().hex
- parent_directory = '/tmp/%s' % tmp_name
- directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
-
- # Directories are created by __init__.
- _signing_dir.SigningDirectory(directory_name)
- self.addCleanup(shutil.rmtree, parent_directory)
-
- self.assertTrue(os.path.isdir(directory_name))
- self.assertTrue(os.access(directory_name, os.W_OK))
- self.assertEqual(os.stat(directory_name).st_uid, os.getuid())
- self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode),
- stat.S_IRWXU)
-
- def test_use_directory_already_exists(self):
- # The directory can already exist.
-
- tmp_name = uuid.uuid4().hex
- parent_directory = '/tmp/%s' % tmp_name
- directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
- os.makedirs(directory_name, stat.S_IRWXU)
- self.addCleanup(shutil.rmtree, parent_directory)
-
- _signing_dir.SigningDirectory(directory_name)
-
- def test_write_file(self):
- # write_file when the file doesn't exist creates the file.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_path = signing_directory.calc_path(file_name)
- with open(file_path) as f:
- actual_contents = f.read()
-
- self.assertEqual(contents, actual_contents)
-
- def test_replace_file(self):
- # write_file when the file already exists overwrites it.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- orig_contents = self.getUniqueString()
- signing_directory.write_file(file_name, orig_contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- new_contents = self.getUniqueString()
- signing_directory.write_file(file_name, new_contents)
-
- file_path = signing_directory.calc_path(file_name)
- with open(file_path) as f:
- actual_contents = f.read()
-
- self.assertEqual(new_contents, actual_contents)
-
- def test_recreate_directory(self):
- # If the original directory is lost, it gets recreated when a file
- # is written.
-
- signing_directory = _signing_dir.SigningDirectory()
- original_file_name = self.getUniqueString()
- original_contents = self.getUniqueString()
- signing_directory.write_file(original_file_name, original_contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- # Delete the directory.
- shutil.rmtree(signing_directory._directory_name)
-
- new_file_name = self.getUniqueString()
- new_contents = self.getUniqueString()
- signing_directory.write_file(new_file_name, new_contents)
-
- actual_contents = signing_directory.read_file(new_file_name)
- self.assertEqual(new_contents, actual_contents)
-
- def test_read_file(self):
- # Can read a file that was written.
-
- signing_directory = _signing_dir.SigningDirectory()
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- actual_contents = signing_directory.read_file(file_name)
-
- self.assertEqual(contents, actual_contents)
-
- def test_read_file_doesnt_exist(self):
- # Show what happens when try to read a file that wasn't written.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- self.assertRaises(IOError, signing_directory.read_file, file_name)
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- def test_calc_path(self):
- # calc_path returns the actual filename built from the directory name.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- actual_path = signing_directory.calc_path(file_name)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- expected_path = os.path.join(signing_directory._directory_name,
- file_name)
- self.assertEqual(expected_path, actual_path)
diff --git a/keystonemiddleware/tests/unit/client_fixtures.py b/keystonemiddleware/tests/unit/client_fixtures.py
index fae3e07..a807054 100644
--- a/keystonemiddleware/tests/unit/client_fixtures.py
+++ b/keystonemiddleware/tests/unit/client_fixtures.py
@@ -17,24 +17,12 @@ import uuid
import fixtures
from keystoneauth1 import fixture
-from keystoneclient.common import cms
-from keystoneclient import utils
from oslo_serialization import jsonutils
-import six
import testresources
TESTDIR = os.path.dirname(os.path.abspath(__file__))
ROOTDIR = os.path.normpath(os.path.join(TESTDIR, '..', '..', '..'))
-CERTDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'certs')
-CMSDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'cms')
-KEYDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'private')
-
-
-def _hash_signed_token_safe(signed_text, **kwargs):
- if isinstance(signed_text, six.text_type):
- signed_text = signed_text.encode('utf-8')
- return utils.hash_signed_token(signed_text, **kwargs)
class Examples(fixtures.Fixture):
@@ -55,54 +43,9 @@ class Examples(fixtures.Fixture):
def setUp(self):
super(Examples, self).setUp()
- # The data for several tests are signed using openssl and are stored in
- # files in the signing subdirectory. In order to keep the values
- # consistent between the tests and the signed documents, we read them
- # in for use in the tests.
- with open(os.path.join(CMSDIR, 'auth_token_scoped.json')) as f:
- self.TOKEN_SCOPED_DATA = cms.cms_to_token(f.read())
-
- with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f:
- self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read())
- self.SIGNED_TOKEN_SCOPED_HASH = _hash_signed_token_safe(
- self.SIGNED_TOKEN_SCOPED)
- self.SIGNED_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
- self.SIGNED_TOKEN_SCOPED, mode='sha256')
- with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f:
- self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f:
- self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read())
- self.SIGNED_v3_TOKEN_SCOPED_HASH = _hash_signed_token_safe(
- self.SIGNED_v3_TOKEN_SCOPED)
- self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
- self.SIGNED_v3_TOKEN_SCOPED, mode='sha256')
- with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f:
- self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f:
- self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f:
- self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f:
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR,
- 'auth_token_scoped_expired.pkiz')) as f:
- self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read())
-
- self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem')
- with open(self.SIGNING_CERT_FILE) as f:
- self.SIGNING_CERT = f.read()
-
self.KERBEROS_BIND = 'USER@REALM'
self.SERVICE_KERBEROS_BIND = 'SERVICE_USER@SERVICE_REALM'
- self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem')
- with open(self.SIGNING_KEY_FILE) as f:
- self.SIGNING_KEY = f.read()
-
- self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem')
- with open(self.SIGNING_CA_FILE) as f:
- self.SIGNING_CA = f.read()
-
self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d"
self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df'
self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776'
@@ -120,57 +63,6 @@ class Examples(fixtures.Fixture):
self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229'
self.v3_UUID_SERVICE_TOKEN_BIND = 'be705e4426d0449a89e35ae21c380a05'
self.v3_NOT_IS_ADMIN_PROJECT = uuid.uuid4().hex
- self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_SCOPED)
- self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_UNSCOPED)
- self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_v3_TOKEN_SCOPED)
-
- self.SIGNED_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_SCOPED_PKIZ)
- self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_UNSCOPED_PKIZ)
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ)
-
- self.INVALID_SIGNED_TOKEN = (
- "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
- "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
- "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "1111111111111111111111111111111111111111111111111111111111111111"
- "2222222222222222222222222222222222222222222222222222222222222222"
- "3333333333333333333333333333333333333333333333333333333333333333"
- "4444444444444444444444444444444444444444444444444444444444444444"
- "5555555555555555555555555555555555555555555555555555555555555555"
- "6666666666666666666666666666666666666666666666666666666666666666"
- "7777777777777777777777777777777777777777777777777777777777777777"
- "8888888888888888888888888888888888888888888888888888888888888888"
- "9999999999999999999999999999999999999999999999999999999999999999"
- "0000000000000000000000000000000000000000000000000000000000000000")
-
- self.INVALID_SIGNED_PKIZ_TOKEN = (
- "PKIZ_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
- "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
- "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "1111111111111111111111111111111111111111111111111111111111111111"
- "2222222222222222222222222222222222222222222222222222222222222222"
- "3333333333333333333333333333333333333333333333333333333333333333"
- "4444444444444444444444444444444444444444444444444444444444444444"
- "5555555555555555555555555555555555555555555555555555555555555555"
- "6666666666666666666666666666666666666666666666666666666666666666"
- "7777777777777777777777777777777777777777777777777777777777777777"
- "8888888888888888888888888888888888888888888888888888888888888888"
- "9999999999999999999999999999999999999999999999999999999999999999"
- "0000000000000000000000000000000000000000000000000000000000000000")
# JSON responses keyed by token ID
self.TOKEN_RESPONSES = {}
@@ -225,20 +117,6 @@ class Examples(fixtures.Fixture):
token.add_role(ROLE_NAME2)
self.TOKEN_RESPONSES[self.UUID_TOKEN_NO_SERVICE_CATALOG] = token
- token = fixture.V2Token(token_id=self.SIGNED_TOKEN_SCOPED_KEY,
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(ROLE_NAME1)
- token.add_role(ROLE_NAME2)
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = token
-
- token = fixture.V2Token(token_id=self.SIGNED_TOKEN_UNSCOPED_KEY,
- user_id=USER_ID,
- user_name=USER_NAME)
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY] = token
-
token = fixture.V2Token(token_id=self.UUID_TOKEN_BIND,
tenant_id=PROJECT_ID,
tenant_name=PROJECT_NAME,
@@ -338,7 +216,6 @@ class Examples(fixtures.Fixture):
token.add_role(name=ROLE_NAME2)
svc = token.add_service(self.SERVICE_TYPE)
svc.add_endpoint('public', self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY] = token
token = fixture.V3Token(user_id=USER_ID,
user_name=USER_NAME,
@@ -416,15 +293,6 @@ class Examples(fixtures.Fixture):
svc.add_endpoint('public', self.SERVICE_URL)
self.TOKEN_RESPONSES[self.v3_NOT_IS_ADMIN_PROJECT] = token
- # PKIZ tokens generally link to above tokens
-
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY])
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY])
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY])
-
self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in
self.TOKEN_RESPONSES.items()])
diff --git a/keystonemiddleware/tests/unit/test_opts.py b/keystonemiddleware/tests/unit/test_opts.py
index 143264c..7700d17 100644
--- a/keystonemiddleware/tests/unit/test_opts.py
+++ b/keystonemiddleware/tests/unit/test_opts.py
@@ -53,7 +53,6 @@ class OptsTestCase(utils.TestCase):
'cafile',
'region_name',
'insecure',
- 'signing_dir',
'memcached_servers',
'token_cache_time',
'memcache_security_strategy',
@@ -66,7 +65,6 @@ class OptsTestCase(utils.TestCase):
'memcache_pool_socket_timeout',
'include_service_catalog',
'enforce_token_bind',
- 'hash_algorithms',
'auth_type',
'auth_section',
'service_token_roles',
@@ -99,7 +97,6 @@ class OptsTestCase(utils.TestCase):
'cafile',
'region_name',
'insecure',
- 'signing_dir',
'memcached_servers',
'token_cache_time',
'memcache_security_strategy',
@@ -112,7 +109,6 @@ class OptsTestCase(utils.TestCase):
'memcache_pool_socket_timeout',
'include_service_catalog',
'enforce_token_bind',
- 'hash_algorithms',
'auth_type',
'auth_section',
'service_token_roles',
View Lorry Controller Status