-rw-r--r--.gitreview2
-rw-r--r--.zuul.yaml5
-rw-r--r--README.rst2
-rw-r--r--doc/requirements.txt9
-rw-r--r--doc/source/conf.py44
-rw-r--r--doc/source/middlewarearchitecture.rst10
-rw-r--r--examples/pki/certs/cacert.pem23
-rw-r--r--examples/pki/certs/middleware.pem50
-rw-r--r--examples/pki/certs/signing_cert.pem22
-rw-r--r--examples/pki/certs/ssl_cert.pem22
-rw-r--r--examples/pki/cms/auth_token_revoked.json85
-rw-r--r--examples/pki/cms/auth_token_revoked.pem75
-rw-r--r--examples/pki/cms/auth_token_revoked.pkiz1
-rw-r--r--examples/pki/cms/auth_token_scoped.json88
-rw-r--r--examples/pki/cms/auth_token_scoped.pem77
-rw-r--r--examples/pki/cms/auth_token_scoped.pkiz1
-rw-r--r--examples/pki/cms/auth_token_scoped_expired.json85
-rw-r--r--examples/pki/cms/auth_token_scoped_expired.pem75
-rw-r--r--examples/pki/cms/auth_token_scoped_expired.pkiz1
-rw-r--r--examples/pki/cms/auth_token_unscoped.json23
-rw-r--r--examples/pki/cms/auth_token_unscoped.pem25
-rw-r--r--examples/pki/cms/auth_token_unscoped.pkiz1
-rw-r--r--examples/pki/cms/auth_v3_token_revoked.json88
-rw-r--r--examples/pki/cms/auth_v3_token_revoked.pem76
-rw-r--r--examples/pki/cms/auth_v3_token_revoked.pkiz1
-rw-r--r--examples/pki/cms/auth_v3_token_scoped.json123
-rw-r--r--examples/pki/cms/auth_v3_token_scoped.pem100
-rw-r--r--examples/pki/cms/auth_v3_token_scoped.pkiz1
-rw-r--r--examples/pki/cms/revocation_list.json20
-rw-r--r--examples/pki/cms/revocation_list.pem24
-rw-r--r--examples/pki/cms/revocation_list.pkiz1
-rw-r--r--examples/pki/gen_cmsz.py79
-rwxr-xr-xexamples/pki/gen_pki.sh213
-rw-r--r--examples/pki/private/cakey.pem28
-rw-r--r--examples/pki/private/signing_key.pem28
-rw-r--r--examples/pki/private/ssl_key.pem28
-rwxr-xr-xexamples/pki/run_all.sh31
-rw-r--r--keystonemiddleware/_common/config.py2
-rw-r--r--keystonemiddleware/auth_token/__init__.py223
-rw-r--r--keystonemiddleware/auth_token/_auth.py2
-rw-r--r--keystonemiddleware/auth_token/_identity.py92
-rw-r--r--keystonemiddleware/auth_token/_opts.py24
-rw-r--r--keystonemiddleware/auth_token/_request.py28
-rw-r--r--keystonemiddleware/auth_token/_signing_dir.py90
-rw-r--r--keystonemiddleware/ec2_token.py9
-rw-r--r--keystonemiddleware/locale/en_GB/LC_MESSAGES/keystonemiddleware.po16
-rw-r--r--keystonemiddleware/locale/ko_KR/LC_MESSAGES/keystonemiddleware.po6
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py699
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_request.py4
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_signing_dir.py145
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py66
-rw-r--r--keystonemiddleware/tests/unit/client_fixtures.py275
-rw-r--r--keystonemiddleware/tests/unit/test_access_rules.py54
-rw-r--r--keystonemiddleware/tests/unit/test_ec2_token_middleware.py17
-rw-r--r--keystonemiddleware/tests/unit/test_opts.py6
-rw-r--r--keystonemiddleware/tests/unit/utils.py2
-rw-r--r--lower-constraints.txt7
-rw-r--r--releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml7
-rw-r--r--releasenotes/notes/bug-1649735-3c68f3243e474775.yaml16
-rw-r--r--releasenotes/notes/drop-py-2-7-6655f421a9cac0a2.yaml6
-rw-r--r--releasenotes/notes/ec2-v2-removal-6a886210cbc9d3e9.yaml7
-rw-r--r--releasenotes/notes/removed-as-of-ussuri-4e1ea485ba8801c9.yaml7
-rw-r--r--releasenotes/source/conf.py25
-rw-r--r--releasenotes/source/index.rst3
-rw-r--r--releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po247
-rw-r--r--releasenotes/source/stein.rst6
-rw-r--r--releasenotes/source/train.rst6
-rw-r--r--releasenotes/source/ussuri.rst6
-rw-r--r--requirements.txt4
-rw-r--r--setup.cfg4
-rw-r--r--test-requirements.txt6
-rw-r--r--tox.ini31
72 files changed, 801 insertions, 2914 deletions
diff --git a/.gitreview b/.gitreview
index 99b3a27..8de1278 100644
--- a/.gitreview
+++ b/.gitreview
@@ -1,4 +1,4 @@
[gerrit]
-host=review.openstack.org
+host=review.opendev.org
port=29418
project=openstack/keystonemiddleware.git
diff --git a/.zuul.yaml b/.zuul.yaml
index e84744c..d8d3842 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -2,11 +2,8 @@
templates:
- openstack-cover-jobs
- openstack-lower-constraints-jobs
- - openstack-python-jobs
- - openstack-python36-jobs
- - openstack-python37-jobs
+ - openstack-python3-ussuri-jobs
- publish-openstack-docs-pti
- check-requirements
- - lib-forward-testing
- lib-forward-testing-python3
- release-notes-jobs-python3
diff --git a/README.rst b/README.rst
index 1130411..40ea782 100644
--- a/README.rst
+++ b/README.rst
@@ -28,7 +28,7 @@ For information on contributing, see ``CONTRIBUTING.rst``.
* License: Apache License, Version 2.0
* Documentation: https://docs.openstack.org/keystonemiddleware/latest/
-* Source: https://git.openstack.org/cgit/openstack/keystonemiddleware
+* Source: https://opendev.org/openstack/keystonemiddleware
* Bugs: https://bugs.launchpad.net/keystonemiddleware
* Release notes: https://docs.openstack.org/releasenotes/keystonemiddleware/
diff --git a/doc/requirements.txt b/doc/requirements.txt
index 6e62d8d..4f27cc1 100644
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -4,11 +4,14 @@
# For generating sphinx documentation
doc8>=0.6.0 # Apache-2.0
-openstackdocstheme>=1.18.1 # Apache-2.0
-reno>=2.5.0 # Apache-2.0
-sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD
+openstackdocstheme>=2.2.1 # Apache-2.0
+reno>=3.1.0 # Apache-2.0
+sphinx>=2.0.0,!=2.1.0 # BSD
sphinxcontrib-apidoc>=0.2.0 # BSD
+# PDF Docs
+sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD
+
# For autodoc builds
mock>=2.0.0 # BSD
oslotest>=3.2.0 # Apache-2.0
diff --git a/doc/source/conf.py b/doc/source/conf.py
index 9e8aaff..4c39b3a 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -42,6 +42,7 @@ extensions = ['sphinx.ext.todo',
'openstackdocstheme',
'oslo_config.sphinxconfiggen',
'sphinxcontrib.apidoc',
+ 'sphinxcontrib.rsvgconverter',
]
# sphinxcontrib.apidoc options
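Review bot: `'sphinxcontrib.rsvgconverter'` is added to `extensions` unconditionally, so every docs build, HTML included, now has to import it. Its SVG-to-PDF conversion relies on an external `rsvg-convert` binary that pip does not install. doc/requirements.txt gains the Python package in this commit, but no system-package manifest appears in the diffstat, so it is worth confirming the build image provides the binary. A comment beside the entry would help, for example `# needs the rsvg-convert binary (librsvg) for PDF builds`. The `extensions` list starts above this hunk.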
@@ -71,18 +72,8 @@ source_suffix = '.rst'
master_doc = 'index'
# General information about the project.
-project = 'keystonemiddleware'
copyright = 'OpenStack Contributors'
-# The version info for the project you're documenting, acts as replacement for
-# |version| and |release|, also used in various other places throughout the
-# built documents.
-version_info = pbr.version.VersionInfo('keystonemiddleware')
-# The short X.Y version.
-version = version_info.version_string()
-# The full version, including alpha/beta/rc tags.
-release = version_info.release_string()
-
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None
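Review bot: With the `version_info = pbr.version.VersionInfo('keystonemiddleware')` line removed, nothing visible in conf.py still uses `pbr.version`, and none of the hunks in this file touches an import line. If `import pbr.version` is still at the top of the file (not shown here), it is now unused and should be dropped in the same change. Since `project`, `version` and `release` disappear without a replacement, a short comment in their place would show the omission is deliberate, for example `# project, version and release are left to openstackdocstheme`. That wording assumes the theme is meant to supply them, which the commit does not state.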
@@ -116,7 +107,7 @@ add_module_names = True
#show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = 'native'
# A list of ignored prefixes for module index sorting.
modindex_common_prefix = ['keystonemiddleware.']
@@ -161,11 +152,7 @@ html_theme = 'openstackdocs'
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
-
-# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
-# using the given strftime format.
-html_last_updated_fmt = '%Y-%m-%d %H:%M'
+#html_static_path = ['_static']
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
@@ -214,12 +201,24 @@ htmlhelp_basename = 'keystonemiddlewaredoc'
# (source start file, target name, title, author, documentclass [howto/manual])
# .
latex_documents = [
- ('index', 'keystonmiddleware.tex',
- 'keystonemiddleware Documentation',
- 'Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss',
+ ('index', 'doc-keystonemiddleware.tex',
+ u'keystonemiddleware Documentation',
+ u'Openstack Developers',
'manual'),
]
+# Disable usage of xindy https://bugzilla.redhat.com/show_bug.cgi?id=1643664
+latex_use_xindy = False
+
+latex_domain_indices = False
+
+latex_elements = {
+ 'extraclassoptions': 'openany',
+ 'makeindex': '',
+ 'printindex': '',
+ 'preamble': r'\setcounter{tocdepth}{3}',
+ 'maxlistdepth': 10,
+}
# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None
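Review bot: The two `u'...'` prefixes added in `latex_documents` are no-ops on Python 3, and the diffstat for this commit includes a drop-py-2-7 release note, so plain literals would match the untouched `'manual'` entry beside them. The author string also spells the name `Openstack`, while the `copyright` line earlier in the file uses `OpenStack`. Suggested lines: `'keystonemiddleware Documentation',` and `'OpenStack Developers',`. The new `latex_elements` dict would also benefit from a one-line comment saying that the empty `'makeindex'` and `'printindex'` values are there to switch the LaTeX index off, consistent with `latex_domain_indices = False`.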
@@ -243,6 +242,7 @@ intersphinx_mapping = {'keystoneclient': (keystoneclient, None),
}
# -- Options for openstackdocstheme -------------------------------------------
-repository_name = 'openstack/keystonemiddleware'
-bug_project = 'keystonemiddleware'
-bug_tag = ''
+openstackdocs_repo_name = 'openstack/keystonemiddleware'
+openstackdocs_bug_project = 'keystonemiddleware'
+openstackdocs_bug_tag = ''
+openstackdocs_pdf_link = True
diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst
index 123b841..7b68cbc 100644
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
@@ -129,7 +129,7 @@ a WSGI component. Example for the auth_token middleware:
.. literalinclude:: _static/keystonemiddleware.conf.sample
-If the ``auth_plugin`` configuration option is set, you may need to refer to
+If the ``auth_type`` configuration option is set, you may need to refer to
the `Authentication Plugins <https://docs.openstack.org/keystoneauth/latest/
authentication-plugins.html>`_ document for how to configure the auth_token
middleware.
@@ -163,12 +163,12 @@ and set in ``nova.conf``:
to use options in the [keystone_authtoken] section.
The following is an example of a service's auth_token middleware configuration
-when ``auth_plugin`` is set to ``password``.
+when ``auth_type`` is set to ``password``.
.. code-block:: ini
[keystone_authtoken]
- auth_plugin = password
+ auth_type = password
project_domain_name = Default
project_name = service
user_domain_name = Default
@@ -178,9 +178,9 @@ when ``auth_plugin`` is set to ``password``.
auth_url = http://127.0.0.1:5000
# Any of the options that could be set in api-paste.ini can be set here.
-If using an ``auth_plugin``, connection to the Identity service will be
+If using an ``auth_type``, connection to the Identity service will be
established on the ``interface`` as registered in the service catalog.
-In the case where you are using an ``auth_plugin`` and have multiple regions,
+In the case where you are using an ``auth_type`` and have multiple regions,
also specify the ``region_name`` option to fetch the correct endpoint.
If the service doesn't use the global oslo.config object (CONF), then the
diff --git a/examples/pki/certs/cacert.pem b/examples/pki/certs/cacert.pem
deleted file mode 100644
index 952bdae..0000000
--- a/examples/pki/certs/cacert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID1jCCAr6gAwIBAgIJAJOtRP2+wrM/MA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD
-VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
-dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG
-CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs
-ZiBTaWduZWQwIBcNMTMwOTEzMTYyNTQyWhgPMjA3MjAzMDcxNjI1NDJaMIGeMQow
-CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1
-bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl
-MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML
-U2VsZiBTaWduZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCl8906
-EaRpibQFcCBWfxzLi5x/XpZ9iL6UX92NrSJxcDbaGws7s+GtjgDy8UOEonesRWTe
-qQEZtHpC3/UHHOnsA8F6ha/pq9LioqT7RehCnZCLBJwh5Ct+lclpWs15SkjJD2LT
-Dkjox0eA9nOBx+XDlWyU/GAyqx5Wsvg/Kxr0iod9/4IcJdnSdUjq4v0Cxg/zNk08
-XPJX+F0bUDhgdUf7JrAmmS5LA8wphRnbIgtVsf6VN9HrbqtHAJDxh8gEfuwdhEW1
-df1fBtZ+6WMIF3IRSbIsZELFB6sqcyRj7HhMoWMkdEyPb2f8mq61MzTgE6lJGIyT
-RvEoFie7qtGADIofAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
-AQEFBQADggEBAJRMdEwAdN+crqI9dBLYlbBbnQ8xr9mk+REMdz9+SKhDCNdVisWU
-iLEZvK/aozrsRsDi81JjS4Tz0wXo8zsPPoDnXgDYEicNPTKifbPKgHdDIGFOwBKn
-y2cF6fHEn8n3KIBrDCNY6rHcYGZ7lbq/8eF0GoYQboPiuYesvVpynPmIK5/Mmire
-EuuZALAe1IFqqFt+l6tiJU2JWUFjLkFARMOD14qFZm+SInl64toi08j6gdou+NMW
-7GEMbVHwNTafM/TgFN5j0yP9SAnYubckLSyH6hwR+rM8dztP5769joxQfnc9O/Bn
-TBD9KFpeQv6VJWLAxiIKcQCRTTDJLZZ0MQI=
------END CERTIFICATE-----
diff --git a/examples/pki/certs/middleware.pem b/examples/pki/certs/middleware.pem
deleted file mode 100644
index 7d593ef..0000000
--- a/examples/pki/certs/middleware.pem
+++ /dev/null
@@ -1,50 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
-MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgZAxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDL06AaJROwHPgJ9tcySSBepzJ81jYars2sMvLjyuvd
-iIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rpv8dGDIDsxZQVjT/4SLaQUOeDM+9b
-fkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLYWso0SJD0vAi1gmGDlSM/mmhhHTpC
-DGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1ZrslPC5lFvlHD7KBBf6IU2A8Xh/dUa3
-p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYRR45pPCVkk6vFsy6P0JwwpnkszB+L
-cK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4YEPirGGrAgMBAAEwDQYJKoZIhvcN
-AQEFBQADggEBAAjU7YomUx/U56p1KWHvr1B7oczHF8fPHYbuk5c/N81WOJeSRy+P
-5ZGZ2UPjvqqXByv+78YWMKGY1BZ/2doeWuydr0sdSxEwmIUBYxFpujuYY+0AjS/n
-mMr1ZijK7TJssteKM7/MClzghUhPweDZrAg3ff1hbhK5QSy+9UPxUqLH44tfYSVC
-/BzM6se0p5ToM0bwdsa8TofaBRE1L1IW/Hg4VIGOoKs0R0uLm7+Oot2me2cEuZ6h
-Wls6MED8ND1Nz8EAKwndkeDu2iMM+qx/YFp6K8BQ5E5nXd2rbUZUlQMp1WbUlZ87
-KvC98aT0UYIq6uo1Lx/dQvJs7faAkYd4lmE=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDL06AaJROwHPgJ
-9tcySSBepzJ81jYars2sMvLjyuvdiIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rp
-v8dGDIDsxZQVjT/4SLaQUOeDM+9bfkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLY
-Wso0SJD0vAi1gmGDlSM/mmhhHTpCDGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1Zrs
-lPC5lFvlHD7KBBf6IU2A8Xh/dUa3p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYR
-R45pPCVkk6vFsy6P0JwwpnkszB+LcK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4
-YEPirGGrAgMBAAECggEATwvbY0hNwlb5uqOIAXBqpUqiQdexU9fG26lGmSDxKBDv
-9o5frcRgBDrMWwvDCgY+HT4CAvB9kJx4/qnpVjkzJp/ZNiJ5VIiehIlbv348rXbh
-xkk+bz5dDATCFOXuu1fwL2FhyM5anwhMAav0DyK1VLQ3jGzr9GO6L8hqAn+bQFFu
-6ngiODwfhBMl5aRoL9UOBEhccK07znrH0JGRz+3+5Cdz59Xw91Bv210LhNNDL58+
-0JD0N+YztVOQd2bgwo0bQbOEijzmYq+0mjoqAnJh1/++y7PlIPs0AnPgqSnFPx9+
-6FsQEVRgk5Uq3kvPLaP4nT2y6MDZSp+ujYldvJhyQQKBgQDuX2pZIJMZ4aFnkG+K
-TmJ5wsLa/u9an0TmvAL9RLtBpVpQNKD8cQ+y8PUZavXDbAIt5NWqZVnTbCR79Dnd
-mZKblwcHhtsyA5f89el5KcxY2BREWdHdTnJpNd7XRlUECmzvX1zGj77lA982PhII
-yflRBRV3vqLkgC8vfoYgRyRElwKBgQDa5jnLdx/RahfYMOgn1HE5o4hMzLR4Y0Dd
-+gELshcUbPqouoP5zOb8WOagVJIgZVOSN+/VqbilVYrqRiNTn2rnoxs+HHRdaJNN
-3eXllD4J2HfC2BIj1xSpIdyh2XewAJqw9IToHNB29QUhxOtgwseHciPG6JaKH2ik
-kqGKH/EKDQKBgFFAftygiOPCkCTgC9UmANUmOQsy6N2H+pF3tsEj43xt44oBVnqW
-A1boYXNnjRwuvdNs9BPf9i1l6E3EItFRXrLgWQoMwryakv0ryYh+YeRKyyW9RBbe
-fYs1TJ8unx4Ae79gTxxztQsVNcmkgLs0NWKTjAzEE3w14V+cDhYEie1DAoGBAJdI
-V5cLrBzBstsB6eBlDR9lqrRRIUS2a8U9m+1mVlcSfiWQSdehSd4K3tDdwePLw3ch
-W4qR8n+pYAlLEe0gFvUhn5lMdwt7U5qUCeehjUKmrRYm2FqWsbu2IFJnBjXIJSC4
-zQXRrC0aZ0KQYpAL7XPpaVp1slyhGmPqxuO78Y0dAoGBAMHo3EIMwu9rfuGwFodr
-GFsOZhfJqgo5GDNxxf89Q9WWpMDTCdX+wdBTrN/wsMbBuwIDHrUuRnk6D5CWRjSk
-/ikCgHN3kOtrbL8zzqRomGAIIWKYGFEIGe1GHVGo5r//HXHdPxFXygvruQ/xbOA4
-RGvmDiji8vVDq7Shho8I6KuT
------END PRIVATE KEY-----
diff --git a/examples/pki/certs/signing_cert.pem b/examples/pki/certs/signing_cert.pem
deleted file mode 100644
index 63ab247..0000000
--- a/examples/pki/certs/signing_cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpTCCAo0CAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
-MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgY8xCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMREwDwYDVQQDEwhLZXlzdG9uZTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMz5WsgsuX3rZUdLwQpZXN2Ro7LQ6jEZnreBqMztVObw
-BuC1WdiJsg6dVlC7PVdt+0gY1c8WFg1TKmsucxesQSyfGAPg+9T/hsRMb6y12uJx
-fp3Wgqqw0U1HsXvMiaJH87MaGnt043BxzF+R9fhAcDk6Cyj5cx9J0LvZJEOzN4J4
-ZRyO6j/DZZItb3lK5W9xkuoT+mTdDZOQJnXyG818uiWfjdCkLjr1ruytRcBOo4na
-Y828voT/A7I95+YCgKgbjiUWhHeTaNmMEQiGy0nGYfteC+oSsHOlxZ3b12azzHPk
-83Bh2ez0Ih9vcZoe9DqvlFOXfv9q8OsYc5Yo6gPTXEsCAwEAATANBgkqhkiG9w0B
-AQUFAAOCAQEAmaYE98kOQWu6DV84ZcZP/OdT8eeu3vdB247nRj+6+GYItN/Gzqt4
-HVvz7c+FVTolCcAQQ+z3XGswI9fIJ78Hb0p9CgnLprc3L7Xtk60Im59Xlf3tcurn
-r/ZnSDcjRBXKiEDrSM0VrhAnc0GoSeb6aDWopec+1hWOWfBVAg9R8yJgU9sUgO3O
-0gimGyrw8eubmNhckSQLJTunUTsrkcBjuSg63wAD9OqCiX6c2eoQr+0YBp2eV2/n
-aOiJXWNLbeueMKSYiJNyyvM/dlON7/56cdwDTzKzgD34TImouM5VKipUwCX1ovLu
-ITLzALzpqFFzc8ugV9pMgUKtDbZoPp9EEA==
------END CERTIFICATE-----
diff --git a/examples/pki/certs/ssl_cert.pem b/examples/pki/certs/ssl_cert.pem
deleted file mode 100644
index cdd2e4c..0000000
--- a/examples/pki/certs/ssl_cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
-MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgZAxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDL06AaJROwHPgJ9tcySSBepzJ81jYars2sMvLjyuvd
-iIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rpv8dGDIDsxZQVjT/4SLaQUOeDM+9b
-fkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLYWso0SJD0vAi1gmGDlSM/mmhhHTpC
-DGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1ZrslPC5lFvlHD7KBBf6IU2A8Xh/dUa3
-p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYRR45pPCVkk6vFsy6P0JwwpnkszB+L
-cK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4YEPirGGrAgMBAAEwDQYJKoZIhvcN
-AQEFBQADggEBAAjU7YomUx/U56p1KWHvr1B7oczHF8fPHYbuk5c/N81WOJeSRy+P
-5ZGZ2UPjvqqXByv+78YWMKGY1BZ/2doeWuydr0sdSxEwmIUBYxFpujuYY+0AjS/n
-mMr1ZijK7TJssteKM7/MClzghUhPweDZrAg3ff1hbhK5QSy+9UPxUqLH44tfYSVC
-/BzM6se0p5ToM0bwdsa8TofaBRE1L1IW/Hg4VIGOoKs0R0uLm7+Oot2me2cEuZ6h
-Wls6MED8ND1Nz8EAKwndkeDu2iMM+qx/YFp6K8BQ5E5nXd2rbUZUlQMp1WbUlZ87
-KvC98aT0UYIq6uo1Lx/dQvJs7faAkYd4lmE=
------END CERTIFICATE-----
diff --git a/examples/pki/cms/auth_token_revoked.json b/examples/pki/cms/auth_token_revoked.json
deleted file mode 100644
index 3da8f8b..0000000
--- a/examples/pki/cms/auth_token_revoked.json
+++ /dev/null
@@ -1,85 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2038-01-18T21:14:07Z",
- "id": "placeholder",
- "tenant": {
- "id": "tenant_id1",
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- }
- },
- "serviceCatalog": [
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v2.0",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v2.0",
- "publicURL": "http://127.0.0.1:5000/v2.0"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "username": "revoked_username1",
- "roles_links": [
- "role1",
- "role2"
- ],
- "id": "revoked_user_id1",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "revoked_username1"
- }
- }
-}
diff --git a/examples/pki/cms/auth_token_revoked.pem b/examples/pki/cms/auth_token_revoked.pem
deleted file mode 100644
index a685a45..0000000
--- a/examples/pki/cms/auth_token_revoked.pem
+++ /dev/null
@@ -1,75 +0,0 @@
------BEGIN CMS-----
-MIINnQYJKoZIhvcNAQcCoIINjjCCDYoCAQExCTAHBgUrDgMCGjCCC6oGCSqGSIb3
-DQEHAaCCC5sEgguXew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6
-IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMzgtMDEtMThUMjE6MTQ6MDda
-IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg
-ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx
-IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg
-ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog
-ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg
-ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg
-ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg
-ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6
-ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w
-LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy
-Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh
-Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg
-ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg
-ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7
-DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg
-ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv
-biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy
-bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5
-Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s
-DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg
-ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg
-ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg
-IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v
-MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2
-NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv
-bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi
-aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm
-Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl
-OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg
-ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs
-DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s
-DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r
-cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg
-ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz
-NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog
-Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg
-ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6
-ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi
-DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K
-ICAgICAgICAgICAgInVzZXJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUxIiwNCiAg
-ICAgICAgICAgICJyb2xlc19saW5rcyI6IFsNCiAgICAgICAgICAgICAgICAicm9s
-ZTEiLA0KICAgICAgICAgICAgICAgICJyb2xlMiINCiAgICAgICAgICAgIF0sDQog
-ICAgICAgICAgICAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsDQogICAgICAgICAg
-ICAicm9sZXMiOiBbDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg
-ICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAg
-ICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIi
-DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAg
-ICJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUxIg0KICAgICAgICB9DQogICAgfQ0K
-fQ0KMYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjAN
-BgkqhkiG9w0BAQEFAASCAQAxJMbNZf0/IWg/+/ciWQr9yuW9M48hQdaHcN+t6qvZ
-OlPev8N1tP8pNTupW9LXt0N8ZU/8AzPLPeRXHqd4lzuDV6ttesfLL3Ag410o4Elb
-Aum11Y1kDGlbwnaYoD9m07FML1ZfOWJ81Z0CITVGGRX90e+jlYjtnmdshmi2saVl
-r/Sae6ta52gjptaZE9tOu42uXlfhWNuC0/W7lRuWbWSHZENZWtTHHz2Q+v/HxORf
-jY3kwSaVEkx9faQ9Npy6J+rSQg+lIMRAYw/rFWedEsP9MzHKBcKTXid0yIQ2ox1r
-1Em3WapL1FDpwJtHaaL92WTEQulpxJUcmzPgEd5H78+Q
------END CMS-----
diff --git a/examples/pki/cms/auth_token_revoked.pkiz b/examples/pki/cms/auth_token_revoked.pkiz
deleted file mode 100644
index 9fbe8ea..0000000
--- a/examples/pki/cms/auth_token_revoked.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVtly4jgUfddXzHuqK9jGED_Mgze8BInYeEF-8wJeBYTF29ePbEh3p9OZycxQRZUtS_eee87Rlb59oz9J1Qz0hwzXw8s3AA1DZxpsPh8CI6tjJFqxfKBjnSLL0pMli5bayo6oS6l7UlIoawUd31qavH7V1kbEAcVSdTGkg4mrpunG3nZmhllUxRzMV7k0N_b0eR8cMespeGNnkSbsjeKQ-tw5j8jiAoK1MTNkk43Ylol8N1_KYh74fBlrwjHa2_3bZOzbl9DnPbdsaGAxD3V7EiuHGix7tUPdtFkW4hU6hynqY3bJ4XbZ4wkuAgLZIMcsZGBv9ch3p9jBTUAQWSlVjgvMAugkmZE3qbE3q4Ct6igfEXWBnxwjln-JyA0VzT4JNuYV--07FGCA8X9QgAHGDxQSg0l7xIy3duQRySHR7WaVP9XQMbgxgTxtV0XKoR7XSaHWABV2jgjuA2IWuHd7pEAmcLIMFRLBLJ6ufDNHBW4Rq-Y7b3KmQSfbjVQN5Br7oAaR7l2oEsOHKiJ2E7HVNdHRLtKqa3iTMtps6EL9JttdtX2kLa6YdXPwb2X7hS8ewKLsBsL-qxLgs8jvA39OLnjPbtmtHGNg9yNhpLpgP6nGgMS7BrpUD4hAzAhn-nCKOxp5cUl26yal-4HCZO4L-Toh6qcWB18kazDXZDQX1f5n6cE_aT9kjom3D33hetP-TnQpXAf5Aa1zgFTFhM-ixVccaA0cXeH6iUWawYKgoGAIKpADJ7D3qpWmslALiqBIeUwMFhUqh29GaxLfpHyhL22m39b7u3LB33qdoDraSEyifWw0G7Y9RuTSg1EOhhGWMm1fAw-0K43wWI-PObt-c-FndgdfkLCn_DCoE1iYT5tfLT-osP5q9_ldcPAx-lebittARaxBUhh0wBQ262GxzcfanQPfrmi9x0QvPyVw4AIMBN4X15S40W10L1RbXTpSB46TjMJoYJ9eoKJeoJO5sFBn0LFmUElCcINNs5HFNRkg085Ds2W0jCoY3-0u8d1B3h8b7G3-QriCYRDenFYGG1TEpGoS7d5UNJ6JtGb4dgxufEyG4LSMXehbrbGf3PbC_WND-1wR-FkdaXRv5KYw1J5s6NGW35DFRDjTJO_6JaCa0gXuW0sbnjujmvwC2awSIpwC396NAW-GG9fcA3j9zwfmvfN29Lyk5ZkfXDoicYzR-kMJTMx63c8Lg00wKFJuOK-_Geo7T2_lfp8D7pPupDDCztFkMT40aaprYqpK0NBK-t9C69DIIlY8y1qojcpA69zIFlYAHdDUxvTcXl1CsdRExlVlCcrWRG3VQrSkFHmSGDuyh5iI8HxCFhS-uoaSOM4FcgZNh5OqqEIT7KMTtNVGacZMS7XJlsGm6hONti9HraAMv99M6MXEFG3sgx_b1hOjIdD-FmhJhC7oVRdKxphJbOHSZb1zkEtO6CfXwKfXH5oMSA1ePDdTRcwOjWL9fFdSJckS6bVHFfF1IvDP-CWbCmXy9NpVu_BpqcRivc16oLGr4hK_vmoz1BDkvSxetosqVk-l6J5X-elhpsFty70GHNfuNX6VQnbGwedWP0pnp9wFMTBTn1wV_hryDJ7He69j2piEh31eh4yyeDTnVnOUqwekOJskWmXPiGm6R-UlY4xz-ZjMe0C6bus-TBfLy45cLuHM19gyW1Df1s5JbjUu1XU3FphSW7XS6UnvrDYL42XW7YvwyD-fOhBCxpuHZbEsrSeTeY6cR3W5TY66RQ4MmmvZUYXRflFI5uuWEecPjMA9If-BMIFQZVOb04E_O0ai7my7iTy3iyjLPXa6O678kDwyBSTepGIrln2AO_U4mzlzS-TU7WP1_DJr_vwTjHdVFSk_7q1_AfJ_mjc= \ No newline at end of file
diff --git a/examples/pki/cms/auth_token_scoped.json b/examples/pki/cms/auth_token_scoped.json
deleted file mode 100644
index cf18fa1..0000000
--- a/examples/pki/cms/auth_token_scoped.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2038-01-18T21:14:07Z",
- "id": "placeholder",
- "tenant": {
- "id": "tenant_id1",
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- },
- "audit_ids": [
- "SLIXlXQUQZWUi9VJrqdXqA"
- ]
- },
- "serviceCatalog": [
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v2.0",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v2.0",
- "publicURL": "http://127.0.0.1:5000/v2.0"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "username": "user_name1",
- "roles_links": [
- "role1",
- "role2"
- ],
- "id": "user_id1",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "user_name1"
- }
- }
-}
diff --git a/examples/pki/cms/auth_token_scoped.pem b/examples/pki/cms/auth_token_scoped.pem
deleted file mode 100644
index 68f5049..0000000
--- a/examples/pki/cms/auth_token_scoped.pem
+++ /dev/null
@@ -1,77 +0,0 @@
------BEGIN CMS-----
-MIIN5QYJKoZIhvcNAQcCoIIN1jCCDdICAQExDTALBglghkgBZQMEAgEwggvqBgkq
-hkiG9w0BBwGgggvbBIIL13sNCiAgICAiYWNjZXNzIjogew0KICAgICAgICAidG9r
-ZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMDM4LTAxLTE4VDIxOjE0
-OjA3WiIsDQogICAgICAgICAgICAiaWQiOiAicGxhY2Vob2xkZXIiLA0KICAgICAg
-ICAgICAgInRlbmFudCI6IHsNCiAgICAgICAgICAgICAgICAiaWQiOiAidGVuYW50
-X2lkMSIsDQogICAgICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVlLA0KICAgICAg
-ICAgICAgICAgICJkZXNjcmlwdGlvbiI6IG51bGwsDQogICAgICAgICAgICAgICAg
-Im5hbWUiOiAidGVuYW50X25hbWUxIg0KICAgICAgICAgICAgfSwNCiAgICAgICAg
-ICAgICJhdWRpdF9pZHMiOiBbDQogICAgICAgICAgICAgICAgIlNMSVhsWFFVUVpX
-VWk5VkpycWRYcUEiDQogICAgICAgICAgICBdDQogICAgICAgIH0sDQogICAgICAg
-ICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAg
-ICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAgICAgImVu
-ZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAg
-ICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92
-MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4
-Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAg
-ICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAu
-MTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIg0KICAg
-ICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAg
-ICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAgICJuYW1l
-IjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQogICAg
-ICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAgICAg
-ICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAg
-ICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4x
-OjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJy
-ZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVybmFsVVJM
-IjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAg
-ICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIN
-CiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQogICAg
-ICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAgICAgICJu
-YW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQog
-ICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAg
-ICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAg
-ICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAu
-MC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIs
-DQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIs
-DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDov
-LzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJi
-NjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VSTCI6ICJo
-dHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZj
-Zjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAg
-ICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIsDQogICAg
-ICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0sDQogICAg
-ICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtd
-LA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg
-ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJo
-dHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAgICAgICAg
-ICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAg
-ICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIu
-MCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6
-Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAgICB9DQog
-ICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJpZGVu
-dGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUiDQogICAg
-ICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0KICAgICAg
-ICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAgICAgInJv
-bGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xlMSIsDQogICAgICAg
-ICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJp
-ZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMiOiBbDQogICAgICAg
-ICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJyb2xlMSIN
-CiAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAgICAgICAg
-ICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAgICAgfQ0K
-ICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJfbmFtZTEi
-DQogICAgICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCBnjEKMAgGA1UE
-BRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZh
-bGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkq
-hkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYg
-U2lnbmVkAgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQCgtkCXRzS8
-s7WjZCsKDhMt6q5JQIm7x6EMKCBaOABQG9EOVIAyqfoJDdjDtz9rZEPO3UVTpPkg
-VjtA0QV97qT8bX55AcCkk7kBRDOKTtco5GOGwjMxL+GWbIwWiB7DKIP4RA6NLZtF
-WxUbLBY+OgBSiayuHqSx+Rd08QC9oHf25wRkTNp3VFPxtAleDmASzdAoIafoS+FB
-Po+9WuTaGdeya7S+ms4SSyXf9cdMKGv010R/aMINWUWaBrkB4wlespYLmKH/XzwS
-pENRIdbI9XHEOYTWKqul5tucA3p21IA24ND6acl9CXHr3KeqXpRwclSZ38Kg/23T
-92D+SowEjlGf
------END CMS-----
diff --git a/examples/pki/cms/auth_token_scoped.pkiz b/examples/pki/cms/auth_token_scoped.pkiz
deleted file mode 100644
index cbfc082..0000000
--- a/examples/pki/cms/auth_token_scoped.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVkuXojgY3edXzL5OnwLUKlnMgrdBwAJDgOx4KK-gVimC_PoJWFVdM93z6DNuNEFu7nfv98i3b-wjawZ0flPs7bj4BmwIV8s8MtdHAotr6khuqhzZ3nxQFFlcKpKr9SqSLDmneVHnMnFtTcq1Ls_DmZzXr6CoS0PsOFnujJxtHmUI9cXqXEaBU5HQGWB1zHc3k0uEC01K-ATZMxIWXRyaNL3BJwAVeLNVe24hqbeQNscq7DeVxm0qaRaU8AwV80QU9qJidomhVyQoronh0fT-jAMkWBTJwS03pfwMG9xGgXkmwbTm0gOmliKV8bSWyswYny-4UKC1vZ0AWhAFPB1pwoNHk0ZvM11sx733P9QsjCptaJcZ9DqFYCz4xOjFETgKcQ3i0NvHgTfFGtxMhDQaJXrhYazHmMenDSbr9KDXwUqXIeWnF1MB37KGVsR3CpAZ-jkR0pFywsRiLLwuEWibreyPvYIY_CmheIvuWhyzlddtyuXVRnAGrEpqbWXOhMtnzhBds0q7OpVXOk00kMasosEfHNXmCSoKp5KbSIjmm8AsnSrqHUErwUSpwYc4ENu7FiYlAou3Flty1-GUMH3Shomt_8gCjDT-Dwsw0phYrHCZGLTC2LQnJk3BZSvpybote7tKxwM6q9KeNmo6c0pRsLdLwTGgAEjFzmmcykE2Zw-YbgxNsA1SkSpfRA0UnEqbRVtTDLddPuYJWcnXmOVCyotn9v0GxnSE-iUbWWQr2rG4xxiFROj5JPAndiw_Ln_d3zPA0TXwq7Z916u-bRC8AiZY-X-cAH-H_An8L-KCT3URXNiTun8v2M_0AhO9QD-8U20_i6vJzqzyKsIALeVeqZ-AdyC2p9cgCWj7n7xXRnbz3hoiLqpIYwukjASbB_bgDk7gzyMUdaRxmo1Ky6hij1BWwLL7Lmg5CXcjQXZKhMVL0twtBiMlEo7Ue-zX3dQ44pXHperxag3azbmNLJjA6Dh3hpSzZlFvfUl18F8q7p_cAL8S78_CBZ_xHvjJHtYj69QQx8QZQqE_Jc3l3q14bmqiu1B-d8m5JqHMs470Q763yYwwQPbC2MK_AE5As7Hlexem3aQZ-AfRBlahvHNj4ZTz7ieObEdHwFdLfsGRT3DwHV3mo6Y_Rfy_VaHf2arEagWytSmCX8n7aUqx4cJmBLf7YbA0F7oLHTYDF_TDkSx0xhE2zcPp91jOrJlMU2pcU_EO8D6Fbqzb0D8zOLM-IZ4J-ugZ429Y3lnTejwYwAMemHBsOrn9u9JseOJPy77YOx1gf1bnnc1k4wfyHnN_Lul38AmEsdiHvGhHUB4qRZHS43h36EAeu11O5r1SSVDOHSxLPpKQ3yuDZN7XEZIoRrZ77hQ3UrHrQq0zVRdpW1uWDCDxvib3tunPcJscqMBygNoe7DRp-vNa6-hLypT3Z14RCedeQ9LLHfiMFO1CwYfy9tbvYPf1qlPLekHeSEiHzGDN1ZevI1B6B2Lpbh5sz-2Alk8nqVp3QSToG6g7J8IACYtI-8ndSHW_HqLJQHYlLc81aX3lauEoClh6VuT6CVmW_Xx4cUKMVpistrF-8znERbl2fHvMwv1Zg7ipXuENxJolYFGlM8EwxIGkw0pI51zZPri711NwFfOy9-h2eDMzXGe6HAtPSqjDtyZSZq0lXBUA-dVBNQ9FszxyDqe-1DG0sq2P0nb_-vCoLDptv3s43RpcnC1-vVPWh6J_uR7D1-xVklHsgVJt1t5DSq3mbKql9HradSuMTCoWQ_HywKdLk7-01l5nbWlbqI8WXjxrwgYhdFwe0MF9AUVO9lb9XD9JQ2Ku-TjaCYawm8_np5i1w2pmP9qSdKH5rttzT12SxPlSXOs3xXe0U6N6BnD2jNsSSlK1ffBnwirm-se3_a7NcLsk-e-_g-lCqznq98vtH9MPoOI= \ No newline at end of file
diff --git a/examples/pki/cms/auth_token_scoped_expired.json b/examples/pki/cms/auth_token_scoped_expired.json
deleted file mode 100644
index 04ec9f3..0000000
--- a/examples/pki/cms/auth_token_scoped_expired.json
+++ /dev/null
@@ -1,85 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2010-06-02T14:47:34Z",
- "id": "placeholder",
- "tenant": {
- "id": "tenant_id1",
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- }
- },
- "serviceCatalog": [
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v2.0",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v2.0",
- "publicURL": "http://127.0.0.1:5000/v2.0"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "username": "user_name1",
- "roles_links": [
- "role1",
- "role2"
- ],
- "id": "user_id1",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "user_name1"
- }
- }
-}
diff --git a/examples/pki/cms/auth_token_scoped_expired.pem b/examples/pki/cms/auth_token_scoped_expired.pem
deleted file mode 100644
index c3de8bb..0000000
--- a/examples/pki/cms/auth_token_scoped_expired.pem
+++ /dev/null
@@ -1,75 +0,0 @@
------BEGIN CMS-----
-MIINhwYJKoZIhvcNAQcCoIINeDCCDXQCAQExCTAHBgUrDgMCGjCCC5QGCSqGSIb3
-DQEHAaCCC4UEgguBew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6
-IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMTAtMDYtMDJUMTQ6NDc6MzRa
-IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg
-ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx
-IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg
-ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog
-ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg
-ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg
-ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg
-ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6
-ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w
-LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy
-Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh
-Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg
-ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg
-ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7
-DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg
-ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv
-biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy
-bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5
-Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s
-DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg
-ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg
-ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg
-IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v
-MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2
-NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv
-bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi
-aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm
-Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl
-OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg
-ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs
-DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s
-DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r
-cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg
-ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz
-NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog
-Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg
-ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6
-ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi
-DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K
-ICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAg
-ICAgInJvbGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xlMSIsDQog
-ICAgICAgICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAgICAgICAg
-ICAgICJpZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMiOiBbDQog
-ICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJy
-b2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAg
-ICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAg
-ICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJf
-bmFtZTEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHKMIIBxgIBATCBpDCBnjEK
-MAgGA1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlT
-dW5ueXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUx
-JTAjBgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMT
-C1NlbGYgU2lnbmVkAgERMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBALYxBjRE
-hecjo98fUdki3cwcpGU8zY8XHQa4x15WGkPxkI1HwSYaId/WjrOWP2CxmT3vVe7Z
-lqV2a0YmdPx9zdDm09VmoiZr3HxYaNzXztT817dECYINCgz33EnansIyPHG2hjOR
-4Gt7R26MXf+AIRiCNuCFZPnHI1pfCbwuky9/iBokvE9mThA+bVrUPZd/2+jp4s3B
-n3+fbC+FCoZ5t522wGgEtVyMNvC90Wvvuf2mx7baXNo4/0ZG8C86lT+qmMe22zlf
-+DxmJl149p419zdv6rzTU7p2OeTBnkdw1GsEqKyvtHYxzAjLYjiJo6jyaERXBaLm
-/J7ZRSBmhHoLuWk=
------END CMS-----
diff --git a/examples/pki/cms/auth_token_scoped_expired.pkiz b/examples/pki/cms/auth_token_scoped_expired.pkiz
deleted file mode 100644
index 766b4cd..0000000
--- a/examples/pki/cms/auth_token_scoped_expired.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVtlyozgUfddXzHuqK2xOzCObMdiSzW7pzUCMwchLbNavH4GT6kmnM5OZcZWrQEhH555z75V-_GA_1TAt9IcGveHlB4CWNW8cbC9OxNrXCVKcRDuxsWuhaeqTpCmO0Wq-Mlez4FXPoGYO44lkat7F9KxYBLpjzJUtG4ynRpZFzy-dvccCKhMR5qtcfbaO7PlIzlgIdbxx97EpH63ilEXiNY_p7AaIZz1Zmi3EQsvHUZAvNSUn0eSQmPI5Prr9-2QcubdtNAmDQ8OAlXw7d7lEP9Vg2Rsd6qRmWSgV9E8S6hNhKeJ22WMOF4RCgeRYgDzsnR5FgYR93BCK6Eovc1xgAUA_3Vt5k1lHuyRCWcf5yKgjUXqOhck6pndWbHeObOwKR-0HFmCg8X9YgIHGTxYqj2l7xnzo-drI5JTO3WaVT2voW-K4gSa1qyITUY_rtDBqgAo3RxT3hNoF7oMe6ZAn_n6PCpViAUuryM5RgVskGPku5K4MlHvZqOUgrnUkNYjn4Y05MXwoY-o2sVBW6RztYrOstncr482GLZzfbXtz7RibswoLQQ7-rW2_6DUBsDh0g2D_1QnwFfJH4K_FBR_VPXQr3xrU_SwYLW84SssRkIYVmav1wAgkvHxlD69Jx5Bnt3TnNRmrB0aTf1s4qVNqfJni4JtiDcnFjcnFvP-r9eCfvB92Tmh43EZydff-TeiDXA32AxbnQKlM6GQfz76Tgc6gUQW9qYBMSwCkYGQoKpAPOdiH5co0BGiSghTZBFNLQIUh4nuiNWlkM73Qt4rpt_H-Llzwt7lOUR1vVD41PzeajdCeY3rrwWgHz8tLjbWvQQfWlUZ6QjhJRLd-z8Kv0h18w8Ke6cOjThZgLjW_pvzggvfd7vM7cPAZ_btNJWigrtQgLSw2YMsbb1jsThLzTYPILVm853R--FLAQQswCPi2uGbCjdnGaqF8matnloHjJKuwGugrN6hj9rcD6DtPSE-eYO9uwZ02243OqnSgzDoP223PwijJ-O52aRQM9v4ssPf5M7kCwyC8Z9qBbFCR0LJJzbemYk742GyGb2dy14MbwFkYu23ktNaRu9fC28eG9bmCRPs6Nllt5LY8xJ5u2NGW35klVL6yTT70S8A8ZQuC95Y2PHdWyf1COeyZrbuxqfrvFTqAwRwMKB8ayDvg8VMn7tj5WcL83bER9K7BV7uwOEdLxzBK-Ux0Vi8bXobYUjt2zCsJ1gA7_5ts6zQZkVqtUCw1Q6GqBL7iB63WK_b9HftKGfrQuTaag_XQcSyjsXXHNzwAVcVU-MBQW2gHYljFx1JgKVxC12oMZZy8MJpynZhhFYguuztcW8NX1nfgqw8041a-bBDHaoHZGTRW89fbykGd7ckr2ZR9arIWFqj1AJTcgapYtI8Auk5jZONOutHcfBK11JqhM2GAhEVkfLjeKEjNDpf9ITflhlNZ-DOgKB67B2niTXTXpH1IYeWIT09VZWNhm5pu_7LFotenk40hKN5tMWmeLuGz5F_p9Lw8CZct2Exj5Vhc1ig3oPTgy6G0cGOnnYclRPPLjp6a5elZauAxWJk7U3pep74japd2cbW6ykoJIP5aWuX7hwdztjNlszcnrfuwmnC8LJSzZ11Osktpha621jm0Jdw6epycXy3yWK5odqWiC66rXBCk-CJeBffxOaJazV2mNJhOt4l2eFXI3o0Wt2oBV3SWRiePSlr56B_UY9dRTz2YEvCb9bK-zFdQrRHO5cuZqx5fIiHT1CZ3-SQq7Cpz7MNRvjxORbSpQnmy7B7YRZI_16hsr-B6Pb2IF9vVHjxzkSbJLjhEi9h4DOIVBeNd1ED6z3vpnxbOkgI= \ No newline at end of file
diff --git a/examples/pki/cms/auth_token_unscoped.json b/examples/pki/cms/auth_token_unscoped.json
deleted file mode 100644
index 4156688..0000000
--- a/examples/pki/cms/auth_token_unscoped.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2112-08-17T15:35:34Z",
- "id": "01e032c996ef4406b144335915a41e79"
- },
- "serviceCatalog": {},
- "user": {
- "username": "user_name1",
- "roles_links": [],
- "id": "c9c89e3be3ee453fbf00c7966f6d3fbd",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "user_name1"
- }
- }
-}
diff --git a/examples/pki/cms/auth_token_unscoped.pem b/examples/pki/cms/auth_token_unscoped.pem
deleted file mode 100644
index 6855221..0000000
--- a/examples/pki/cms/auth_token_unscoped.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CMS-----
-MIIERgYJKoZIhvcNAQcCoIIENzCCBDMCAQExCTAHBgUrDgMCGjCCAlMGCSqGSIb3
-DQEHAaCCAkQEggJAew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6
-IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIxMTItMDgtMTdUMTU6MzU6MzRa
-IiwNCiAgICAgICAgICAgICJpZCI6ICIwMWUwMzJjOTk2ZWY0NDA2YjE0NDMzNTkx
-NWE0MWU3OSINCiAgICAgICAgfSwNCiAgICAgICAgInNlcnZpY2VDYXRhbG9nIjog
-e30sDQogICAgICAgICJ1c2VyIjogew0KICAgICAgICAgICAgInVzZXJuYW1lIjog
-InVzZXJfbmFtZTEiLA0KICAgICAgICAgICAgInJvbGVzX2xpbmtzIjogW10sDQog
-ICAgICAgICAgICAiaWQiOiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2NmY2ZDNm
-YmQiLA0KICAgICAgICAgICAgInJvbGVzIjogWw0KICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTEiDQogICAgICAgICAg
-ICAgICAgfSwNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAg
-ICJuYW1lIjogInJvbGUyIg0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAg
-IF0sDQogICAgICAgICAgICAibmFtZSI6ICJ1c2VyX25hbWUxIg0KICAgICAgICB9
-DQogICAgfQ0KfQ0KMYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAH
-BgUrDgMCGjANBgkqhkiG9w0BAQEFAASCAQAXNWXYv3q2EcEjigKDJEOvnKBGTHeV
-o9iwYmtdJ2kKtbuZiSGOcWymxNtv//IPMmNDWZ/uwDZt37YdPwCMRJa79h6dastD
-5slEZGMxgFekm/1yqpV2F7xGqGIED2rNTeBlVnYS6ZOL8hCqekPb1OqXZ3vDaHtQ
-rrBzNP8RbWS4MyUoVZtSEYANjJVp/zou/pYASml9iNPPKrl2xRgYuzaAirVIiTZt
-QZY4LQYnHdVBLTZ0fQQugohTba789ix0U79ReQrIOqnBD3OnmN0uRovu5s1HYyre
-c67FixOpNgA4IBFsqYG2feP6ZF1zCmAaRYX4LpprZLGzg/aPHxqjXGsT
------END CMS-----
diff --git a/examples/pki/cms/auth_token_unscoped.pkiz b/examples/pki/cms/auth_token_unscoped.pkiz
deleted file mode 100644
index 13c5e40..0000000
--- a/examples/pki/cms/auth_token_unscoped.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJx9VMmSozgQvfMVfa-oMAbbVRzmIAlZCFvQGLHewAs72MaY5esHuzt65tSKUEiZkS_z5RL5-TkfiAk1fiBmv4RPgVGq7kCg75qQps-jAawjamYd4QiBwUHAwgPiQIOJc1cThkg-67lDkH0jNo1lQbWwBqJZaQc4SXB2HvU0kIzyKLPMzOAXred_HV4DyVUD_5DGRKlp3iRnWWwp0kUhlh5lnNEN1dos9NM-8vXyOM4yoiPjeNxzsNpzLLsqXpo5e13Ry-gLfA0R3QizYc88p2eTnpu8kEIvEA0VSEGO55dNBi8Gw8PibCObtq7sEchO_szqd1DhWClt6BuXmJRd9It27Nt9Qqt1GnvOLP8GlEoXeMuS2e_oYywNb6YC3T6-_m_8dshxdpmdzPV4g14501p_xsQZab08_WEx44S_RHnnOL-56bGV6TlTUDlT6DmiwY0qqIKeESYLJg-kMA8LJoVZiHTl4otDkmi7ub1wSCgEHMGrimCd4x0DCQFLB8MDgwbHewYKIrwVKUOuywY0AR0mhgtBwkFhQHagPQaB6lqWhvuSn7x1d_bDuZXOgHNgvWwFCBqOHKUPvTU_kW0eTfjAwPc7EhoYtSV3fZQPz7hyBp2DHCbFLS0yovQiRBb2hG31KM--IcbSurTI29H0djSun8fqOGxVYP9ixThaGmVMgsSRyjqu3AIk-CAwcCTQbk3Q04gB8c-IzhMKgeUAONcCbO8atS73i3mAGF0iWEaZWKcHN11FAj1_r8a1F5ZGKDWGyD468ZlOstqwRb1jnp5-5fK-M-cJvXSTbE6Vxqs4Sg9dUQdNcSuE_Cfc3JzH-fqxLruP-wpoqpNGV9iP8lMuzsmGtUkY1PCeUyJHQ7Nl2vfJslSkKOoJWpOw21fD1JDztsjbyx27Hw95icVWut-JOC6a_SUK-k1AmpUrNtpjm3T5osNNEn608g1lsSOgZBVvppgUhx2vm-5ate56rZynjSgam_tr6J7awn9y4n5Lth48bJRdy6Wx8m52ju7IE1Z-G92-ldZegIXrbm6gHJuBT63Ss1g3be9i5-ZTVotYxMm5WNrPXaB2_PpzsPt_hPdKwYb633r5FzKfcIU= \ No newline at end of file
diff --git a/examples/pki/cms/auth_v3_token_revoked.json b/examples/pki/cms/auth_v3_token_revoked.json
deleted file mode 100644
index c5dc01a..0000000
--- a/examples/pki/cms/auth_v3_token_revoked.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "token": {
- "catalog": [
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "endpoints_links": [],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "endpoints_links": [],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "endpoints_links": [],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v3",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v3",
- "publicURL": "http://127.0.0.1:5000/v3"
- }
- ],
- "endpoints_links": [],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "expires_at": "2038-01-18T21:14:07Z",
- "project": {
- "enabled": true,
- "description": null,
- "name": "tenant_name1",
- "id": "tenant_id1",
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- }
- },
- "user": {
- "name": "revoked_username1",
- "id": "revoked_user_id1",
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- }
- },
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "methods": [
- "password"
- ]
- }
-}
diff --git a/examples/pki/cms/auth_v3_token_revoked.pem b/examples/pki/cms/auth_v3_token_revoked.pem
deleted file mode 100644
index 94a077b..0000000
--- a/examples/pki/cms/auth_v3_token_revoked.pem
+++ /dev/null
@@ -1,76 +0,0 @@
------BEGIN CMS-----
-MIINrQYJKoZIhvcNAQcCoIINnjCCDZoCAQExCTAHBgUrDgMCGjCCC7oGCSqGSIb3
-DQEHAaCCC6sEggunew0KICAgICJ0b2tlbiI6IHsNCiAgICAgICAgImNhdGFsb2ci
-OiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50cyI6
-IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAg
-ICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNm
-YmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAg
-ICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAgICAgICAgICAgICAg
-ICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0
-YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
-LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIg0KICAgICAgICAgICAg
-ICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAi
-ZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAgICAgInR5cGUiOiAi
-dm9sdW1lIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJ2b2x1bWUiDQogICAg
-ICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJlbmRw
-b2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi
-LA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdpb25PbmUi
-LA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6
-Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAgICAi
-cHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSINCiAgICAgICAg
-ICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAg
-ICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAgICAgICAgICJ0eXBl
-IjogImltYWdlIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJnbGFuY2UiDQog
-ICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJl
-bmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAg
-ICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQv
-djEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAg
-ICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAg
-ICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAu
-MTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJiNjYxN2EiLA0K
-ICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3
-YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQog
-ICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAg
-ICAgICAgICJ0eXBlIjogImNvbXB1dGUiLA0KICAgICAgICAgICAgICAgICJuYW1l
-IjogIm5vdmEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAg
-ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdp
-b24iOiAiUmVnaW9uT25lIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRl
-cm5hbFVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAg
-ICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1
-MDAwL3YzIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAg
-XSwNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAg
-ICAgICAgICAgICAgInR5cGUiOiAiaWRlbnRpdHkiLA0KICAgICAgICAgICAgICAg
-ICJuYW1lIjogImtleXN0b25lIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0K
-ICAgICAgICAiZXhwaXJlc19hdCI6ICIyMDM4LTAxLTE4VDIxOjE0OjA3WiIsDQog
-ICAgICAgICJwcm9qZWN0Ijogew0KICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVl
-LA0KICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAg
-ICJuYW1lIjogInRlbmFudF9uYW1lMSIsDQogICAgICAgICAgICAiaWQiOiAidGVu
-YW50X2lkMSIsDQogICAgICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAgICAg
-ICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6
-ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQogICAg
-ICAgICJ1c2VyIjogew0KICAgICAgICAgICAgIm5hbWUiOiAicmV2b2tlZF91c2Vy
-bmFtZTEiLA0KICAgICAgICAgICAgImlkIjogInJldm9rZWRfdXNlcl9pZDEiLA0K
-ICAgICAgICAgICAgImRvbWFpbiI6IHsNCiAgICAgICAgICAgICAgICAiaWQiOiAi
-ZG9tYWluX2lkMSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAiZG9tYWluX25h
-bWUxIg0KICAgICAgICAgICAgfQ0KICAgICAgICB9LA0KICAgICAgICAicm9sZXMi
-OiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgIm5hbWUiOiAicm9s
-ZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogInJvbGUyIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0K
-ICAgICAgICAibWV0aG9kcyI6IFsNCiAgICAgICAgICAgICJwYXNzd29yZCINCiAg
-ICAgICAgXQ0KICAgIH0NCn0NCjGCAcowggHGAgEBMIGkMIGeMQowCAYDVQQFEwE1
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTES
-MBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMGCSqGSIb3
-DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2VsZiBTaWdu
-ZWQCAREwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAwFCjl3GSGrlil3cLwS11
-1gtc6K3gBSMbc7LviIFk4KDRBvHWEHT1fs/Q4T0Y12P97Uaxh47f2sNgdbsDKSE8
-K/KCeMy+0I7Eo3iDoXKcIRPux1sXFhOX36qLPpY4eWd3Q77MiUPng+78qA3AMPPl
-wEcfb2OaYsWmVi9jGsDfAvksF/WO5dg+G9m2l+zcboIJswsKbBJnM5bn8EDHk7bg
-YuMnOzqZsoymr6sehOPQ8QTV6kIj1w/gmtkaIH2QtBo78hCqjZ+cFeYy4zDk2HJg
-Mf7PDm0hx1G0hJMVxdNzkWoFvLreTzRselsrXrx8Gejof92JyKuBjZq0kBpphOHG
-6w==
------END CMS-----
diff --git a/examples/pki/cms/auth_v3_token_revoked.pkiz b/examples/pki/cms/auth_v3_token_revoked.pkiz
deleted file mode 100644
index 67823fd..0000000
--- a/examples/pki/cms/auth_v3_token_revoked.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVsmSozgQvesr5l7R0Symyhz6wG5oS5jFgLixtDEY7PLC-vUjYXd31Sw1PTOOcNgIZerle7no0yfykTXDRL8p0KMPnwA0zdWywNbXU2zuuwxJTqacyNpiUhRZXCqSow2KL63kYntRC6gYFVnfLQ3FOxuemfJAdbSVlNBFSSuK6PpttJiUu9VpaT6bq2uZrawuaYIqV-7PcSjscTPU8fzsjiAPt1dTsQ4px-6TcFHapfxiNsI-Dbfkv1TGhnjDYd1G3Lw2mGVfmE19MKsT-XU7kIb6a1qLr7GqlTuPvvxpnBtBi0OBeW_s1hmHxiSSmSQUW0A9pcfgmipvPB_dOm30NtffOkb73NCvKZdRlCkJlThna3A3iLt0Fdxiz6ThEGO3T7m6zVfw--Z9bLAEaeD5NHbFOuUrt7fLZQegb_LrSmqhshjsquDRhLu80jpUuSVq8BQ3VoWn7YRUyMb-fo8qucEcXtihVaIKDwBxWrlWpDJrgiON6Y7IqmOu7tKD2D5QvaYkrIzyo79HASiM_4MCUBg_UKyCMjXqKggseJdpz-Qr6Xk9LgdYZfSAfl1pz7aa8agUOegtOYAMk4srck6DKuRDBk5BbRsaB424iqtCwI3JoUrjsWeJEVXj6AqZ8ZC5Ea8kkdj6rm_Qxiu5S4juGSteye8lG0ms-i2nMn6X7Y4sv5L8qCg_4N_K9p6vwwhs36SE_WclwN95fuf4A3LBO3Z9U4Azu38mLAnZfcxtZ4ekIg-ZIVJEE4i44TVtbhP1HLKsuFbeV2PaiBz-IMXBr5FFk8uhIbVU-7fSg4-1n08e4zB_TbnFjOg70T4nzPIDUsItqfuRlO_1lzJQoRwthvWEGVzFDYBcXGIOsnByJhRuF9jHfdygxlbrElfkjZ_v50Q7yixpZa-Y_aVi-ut4_ypc8FGuY068kRxg_txo0I7kRZvwsARUjihirrTjEh5oV6LwLnFUT7nxIwv_Nt3BP0tI-dnyax5Pdy4eKV7ONh64SyRs0uaeZbQa44hW3hBsD_09C1cuk6mnbj1pIxqpIsS5f5oIJyxAI5FlnGH2eWiRMkb_ZMhCVepnREc2B_TUfFX3j9hfYzILcqNmvn1A3J03Nqe2ZLAETGKIh3vzIKPM0KeMz7usccpZlSZYZEY9xhHa4ciZkcFKmmyF6aHHDMDWnZHAGpB66hF7evQF8RpH8N0AefSILjXIhDr-VA08oI8pN9Sw_J4LwRRH5mNOut08_h7D9o3U8zwFhPXdvOhrDxWcPwzV-kD7A333xpiEFHcJFxxAxNPT7jDho3XFyvtNjz074pzAZ8WdbyhSduqLYmUAqdBkaBoH8v0GnVOvSFgNHEfXeo2FzrVXnPnZ0Hor2E7aGkoHQ2K3miJDxWG0AWiV5MgFCmQp85UAsWkjCDkpbRKSB2XpvnkPLZ-X67RGDA7RBbpar_az4zXQ-v36R977Wg0V-OP6Qm4vluTikIQhZDwhswmklDo63h2tG3EE8aRtoWzOJ0kDXG-54BqXsp-EeRuHjiKR0-Qe61_7hSrtT73qvL1PaTKQHXo30qTi8A1d3G3mrSX5pubCKREZlaxEeZF0qnqe3Gq0mmcvvB763tW0W69v-s-RDqpRgZnLY1x4BMViY3G8gDiW3cTRsolW2uc0MOVLyz_fal5dtTiSq7TstR2f2eNmoWKwQVmIxW25t-zzywnrqrEbO_VsuJd1bWtQ1vTyKWg3ngtbQfl80c8Xd0wydeAbqJRPVxcMHty3SBcuQd0vfX_h9ofRwuYUcmWwGJJ8SL7mJRwCzcebvLt5SqHwT_LGzgaxZ3aFBBzm5Ww_7faNib7K_nR4sXH7ujkdrPPlZSva8pNYtf1zPY0o6XtJv52T6LwNfIlbdkJvSQxA-XNVOzJ7Vlipvh6Dk_2UC0vmcxS3tiN9-QLmC62G1J-X298BCSOhiw== \ No newline at end of file
diff --git a/examples/pki/cms/auth_v3_token_scoped.json b/examples/pki/cms/auth_v3_token_scoped.json
deleted file mode 100644
index 9020745..0000000
--- a/examples/pki/cms/auth_v3_token_scoped.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "token": {
- "audit_ids": [
- "SLIXlXQUQZWUi9VJrqdXqA"
- ],
- "methods": [
- "password"
- ],
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "expires_at": "2038-01-18T21:14:07Z",
- "project": {
- "id": "tenant_id1",
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- },
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- },
- "catalog": [
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:9292/v1",
- "region": "regionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:9292/v1",
- "region": "regionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:9292/v1",
- "region": "regionOne"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:35357/v3",
- "region": "RegionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:35357/v3",
- "region": "RegionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:5000/v3",
- "region": "RegionOne"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- },
- "name": "user_name1",
- "id": "user_id1"
- }
- }
-}
diff --git a/examples/pki/cms/auth_v3_token_scoped.pem b/examples/pki/cms/auth_v3_token_scoped.pem
deleted file mode 100644
index e83e7a0..0000000
--- a/examples/pki/cms/auth_v3_token_scoped.pem
+++ /dev/null
@@ -1,100 +0,0 @@
------BEGIN CMS-----
-MIISOAYJKoZIhvcNAQcCoIISKTCCEiUCAQExDTALBglghkgBZQMEAgEwghA9Bgkq
-hkiG9w0BBwGgghAuBIIQKnsNCiAgICAidG9rZW4iOiB7DQogICAgICAgICJhdWRp
-dF9pZHMiOiBbDQogICAgICAgICAgICAiU0xJWGxYUVVRWldVaTlWSnJxZFhxQSIN
-CiAgICAgICAgXSwNCiAgICAgICAgIm1ldGhvZHMiOiBbDQogICAgICAgICAgICAi
-cGFzc3dvcmQiDQogICAgICAgIF0sDQogICAgICAgICJyb2xlcyI6IFsNCiAgICAg
-ICAgICAgIHsNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAg
-ICAgICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgIm5hbWUi
-OiAicm9sZTIiDQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJl
-eHBpcmVzX2F0IjogIjIwMzgtMDEtMThUMjE6MTQ6MDdaIiwNCiAgICAgICAgInBy
-b2plY3QiOiB7DQogICAgICAgICAgICAiaWQiOiAidGVuYW50X2lkMSIsDQogICAg
-ICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAgICAgICAgICJpZCI6ICJkb21h
-aW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJkb21haW5fbmFtZTEi
-DQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVlLA0K
-ICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICJu
-YW1lIjogInRlbmFudF9uYW1lMSINCiAgICAgICAgfSwNCiAgICAgICAgImNhdGFs
-b2ciOiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50
-cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAg
-ICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAg
-ICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNj
-NTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAg
-ICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwN
-CiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAg
-ImludGVyZmFjZSI6ICJpbnRlcm5hbCIsDQogICAgICAgICAgICAgICAgICAgICAg
-ICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNjNTM0
-MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAi
-cmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwNCiAg
-ICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgImlu
-dGVyZmFjZSI6ICJwdWJsaWMiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInVy
-bCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh
-NjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv
-biI6ICJyZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAg
-ICAgICAgICBdLA0KICAgICAgICAgICAgICAgICJ0eXBlIjogInZvbHVtZSIsDQog
-ICAgICAgICAgICAgICAgIm5hbWUiOiAidm9sdW1lIg0KICAgICAgICAgICAgfSwN
-CiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzIjogWw0K
-ICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAi
-aW50ZXJmYWNlIjogImFkbWluIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1
-cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAg
-ICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAg
-ICAgICAgICAiaW50ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwNCiAg
-ICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAg
-ICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAg
-ICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogInB1YmxpYyIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5
-Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv
-bk9uZSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s
-DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg
-ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAg
-ICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6
-ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6
-Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODli
-YjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVn
-aW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAg
-ICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImlu
-dGVybmFsIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDov
-LzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJi
-NjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdp
-b25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0sDQogICAgICAgICAgICAgICAg
-ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAicHVi
-bGljIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEy
-Ny4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJiNjYx
-N2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdpb25P
-bmUiDQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBdLA0K
-ICAgICAgICAgICAgICAgICJ0eXBlIjogImNvbXB1dGUiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogIm5vdmEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAg
-ew0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg
-ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAi
-YWRtaW4iLA0KICAgICAgICAgICAgICAgICAgICAgICAgInVybCI6ICJodHRwOi8v
-MTI3LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJy
-ZWdpb24iOiAiUmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAg
-ICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50
-ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1
-cmwiOiAiaHR0cDovLzEyNy4wLjAuMTozNTM1Ny92MyIsDQogICAgICAgICAgICAg
-ICAgICAgICAgICAicmVnaW9uIjogIlJlZ2lvbk9uZSINCiAgICAgICAgICAgICAg
-ICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg
-ICAgICAgICAgImludGVyZmFjZSI6ICJwdWJsaWMiLA0KICAgICAgICAgICAgICAg
-ICAgICAgICAgInVybCI6ICJodHRwOi8vMTI3LjAuMC4xOjUwMDAvdjMiLA0KICAg
-ICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiDQogICAg
-ICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBdLA0KICAgICAgICAg
-ICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJrZXlzdG9uZSINCiAgICAgICAgICAgIH0NCiAgICAgICAgXSwNCiAgICAg
-ICAgInVzZXIiOiB7DQogICAgICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAg
-ICAgICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAg
-Im5hbWUiOiAidXNlcl9uYW1lMSIsDQogICAgICAgICAgICAiaWQiOiAidXNlcl9p
-ZDEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCBnjEKMAgG
-A1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5u
-eXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAj
-BgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1Nl
-bGYgU2lnbmVkAgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQBBvzoh
-0iSPMQhuRCAtTG3cPhyewvf554MPjbGQnu8mYmmfyxl7gMmWkTAmyckAsSv4mS6/
-4SQj9WCn4T1lFkhUz7WWjCwt6fWWp3mzF8Nl/kMsJKDwlxDGbPzsyewXIUsw11sz
-q/Qxs7qGxQ1vYWnaWQ3hC3oZw7cOswKRJicdP439iVPvfqR9CDbK55sPP+ewZRgQ
-YJ3Uc/xDizxepudFJj9+VHKceA37/sVK0ataNe2uHLHwVBYPwOppMckP169QBw8x
-QYh9h+kcOAyZ5psiUzCpLKnlMiYDrVcTGxnTeiVHxKXxj/MERNhR1Y4lEr0ZHJ+p
-Y6p3FBP2VUCefaRh
------END CMS-----
diff --git a/examples/pki/cms/auth_v3_token_scoped.pkiz b/examples/pki/cms/auth_v3_token_scoped.pkiz
deleted file mode 100644
index 74f8f63..0000000
--- a/examples/pki/cms/auth_v3_token_scoped.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJy9V0tzozoT3etX3H1qKoBNEhbfgpexMJKNjXloZyDmJWwnNs9f_wnsSWYyuXUzc6uuq7yQQN2n-_RpNd--sZ-iGxD_paLNsPgGEISmIwfm4khgWkdYtiP1yPZWjqqqTqHKtt5qjmwpCU3SIlGIjXQ50ZskiddKUryAtMgMqeEUpTEStqkqEM5Xh3MWG9Ir8abZMlMeYcnT2EhrMkfDOoQHJY0meBJOzAJAyp2hanah0NKogw9wdmEHxDT0tuxlOYtK6UwcPdtvmuS5M6vA4ynMjwk8mHVobDsAD3xsqXJG_LTZ-SaNeCmNVWZIhR3S0NRy5NZy9KmrwXaZ69wylydeBgenDTP-AoiHucEis16EAp_u3mDTYvRUruvQm51CKp2IpmeDs7CcXchmcMJCuB4S9-PmDSosXQbVPBPPHoxx0cGlw8HduJZZfobnIucLtABoM8L5IbY1ZcaqeCaNe7fnBfFxHpW0iQ1ahxnzboh8aLQSGCwHwowLvLYmb0l0KzJXaoaMe08srZjnjpSz_AY_JQZ_AuE1IXxUNiO83XzNRdqxtnq9w920sXK5Qs5xivtIsCZBa_UBF-SkRAJhjhEPUG_32NtOAydoSInLpUazIGePnDiFWTPQRYlwg83oJl58CgVxFZbbMV-AZf8UsrijkqSBcOV-gE78IS_NmPXYN89XRlIunssPVvfUojyqkDptgJXrD0uN1VUmCWjzJGADCiTHZVDiHDuIQ71Ll4YuIIPkJE_EoIQCzvVJcE1uB66Qpreqcw87T6ocQaTwwCp0fv6Opgw8fGNJ4YOyPQXdNXfgT5P3PXfgj5Lnjvrhnn2FgissUodzdyjPD0X1fd-ULFX5tD7A3xXIF-tDBCgvuiHGr3D-GeXgdzgfKXegiEbK_yMaxX8KEXxGzTUEegm8mI4Hf2hxRGjTsMRvCFkIYhEZ0pCcfjjoTT6BXc6K0KPVFYXbhWPLM4_xfN2AZfZUIwdORsjqlPW9ZIJ7u45zvfqKNsBHcfxuUt8KibWx82cQ_wkh-F35fkQIfpf3j7SDT-TLjfLN9Rrn64xh60lp5kG_7bGGeOKkKc6VMhCC6dIzM4DzoMXC9cL4nrTb1XUtmkKqBjX6w31xWIuRca2HQJAu0dzlwC8SLsU6Lt_uQnZHrJtQYIm-XawfBQVGa976MlxpXxETGkJxIsYCGt8HP8GmP8O-NpFf-sUNAStvFZ7BF5oG84h43DEJd79SCbZ_IOEfHYJPPPJIkxtGZf-JhDcfmyv4IOGCqZPb-Wvxo4x3gitGEzYrvEufjwS3A_9muBjOgF-Hi3evsY9pRH-aE07kKrTR-23AGOhiteC7BYO-33m3xtKZjqPTIJyla9ed7VzePS1dsogOs8KbzxRIeWnvGCqQoymb-eYLNvspCBoF-z8j-9iocqC5tj3TG51H9rlR7XFt6I3pbnvdQnJhyPxWB6qCVJvTWz2XbSXBriJHjupiPixFMWY9goW2QYo8vqymyHQmCg0pZhMNfkVrvQFaM1q29Ca1iE97NmBW7BBFKjLUzYuxgeFEs3VTXgfeOxOuHA6GDpgDgyWrlDrS61ukwNGT3CJrK7hnkinOzosrNq2pMvOmNoEZQAJlb6spMlSQzBngBy-KbG9lNuoqsl45jyd9AeeC-HheWe3ZcDV83l82hJcKyxTugoXTmR29W7ggfMi9NIj3U057PbLunu_O-6Pf76PznSIHxJRq4e7OOIWL7KTwPgcP9f2rd7_dRKUwebBCDmgngUi2KFhknc5gFhThttK4Je6NbWFO4GIz0T3rsfJW4mql2yo1yqqtlZnzjLO21O874K2f7p-3F08ISRVMDf_iXbz5PD_K8sTuT0er8oTnKn5NWsdHyHVR99DQbfas-vv01XjSVsATVN47Wg1furyTLmYXI0p8ob7Xl6tjv6sXjplX6K40Nz4WV013XF_UIgmX3fSurGfTwwJ0j4vLEa_um-eE7-4VWqYvq8eX-z
bZTFYPl2htaOZRdlYzh4P_A-M3io619--V_wMk2UFA \ No newline at end of file
diff --git a/examples/pki/cms/revocation_list.json b/examples/pki/cms/revocation_list.json
deleted file mode 100644
index 2c239e5..0000000
--- a/examples/pki/cms/revocation_list.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "revoked": [
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "dc57ea171d2f93e4ff5fa01fe5711f2a"
- },
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "4948fb46f88c41af90b65213a48baef7"
- },
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "dc57ea171d2f93e4ff5fa01fe5711f2a"
- },
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "4948fb46f88c41af90b65213a48baef7"
- }
- ]
-}
diff --git a/examples/pki/cms/revocation_list.pem b/examples/pki/cms/revocation_list.pem
deleted file mode 100644
index a86d6d3..0000000
--- a/examples/pki/cms/revocation_list.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CMS-----
-MIIEGAYJKoZIhvcNAQcCoIIECTCCBAUCAQExCTAHBgUrDgMCGjCCAiUGCSqGSIb3
-DQEHAaCCAhYEggISew0KICAgICJyZXZva2VkIjogWw0KICAgICAgICB7DQogICAg
-ICAgICAgICAiZXhwaXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsDQogICAg
-ICAgICAgICAiaWQiOiAiZGM1N2VhMTcxZDJmOTNlNGZmNWZhMDFmZTU3MTFmMmEi
-DQogICAgICAgIH0sDQogICAgICAgIHsNCiAgICAgICAgICAgICJleHBpcmVzIjog
-IjIxMTItMDgtMTRUMTc6NTg6NDhaIiwNCiAgICAgICAgICAgICJpZCI6ICI0OTQ4
-ZmI0NmY4OGM0MWFmOTBiNjUyMTNhNDhiYWVmNyINCiAgICAgICAgfSwNCiAgICAg
-ICAgew0KICAgICAgICAgICAgImV4cGlyZXMiOiAiMjExMi0wOC0xNFQxNzo1ODo0
-OFoiLA0KICAgICAgICAgICAgImlkIjogImRjNTdlYTE3MWQyZjkzZTRmZjVmYTAx
-ZmU1NzExZjJhIg0KICAgICAgICB9LA0KICAgICAgICB7DQogICAgICAgICAgICAi
-ZXhwaXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsDQogICAgICAgICAgICAi
-aWQiOiAiNDk0OGZiNDZmODhjNDFhZjkwYjY1MjEzYTQ4YmFlZjciDQogICAgICAg
-IH0NCiAgICBdDQp9DQoxggHKMIIBxgIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkG
-A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNV
-BAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEW
-FmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgER
-MAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBAGMtzsHJdosl27LoRWYHGknORRWE
-K0E9a7Bm4ZDt0XiGn0opGWpXF3Kj+7q86Ph1qcG9vZy20e2V+8n5696//OgMGCZe
-QNbkOv70c0pkICMqczv4RaNF+UPetwDdv+p0WV8nLH5dDVc8Pp8B4T6fN6vXHXA2
-GMWxxn8SpF9bvP8S5VCAt7wsvmhWJpJVYe6bOdYzlhR0yLJzv4GvHtPVP+cBz6nS
-uJguvt77MfQU97pOaDbvfmsJRUf/L3Fd93KbgLTzFPEhddTs1oD9pSDckncnZwua
-9nIDn2iFNB/NfZrbqy+owM0Nt5j1m4dcPX/qm0J9DAhKGeDUbIu+81yL308=
------END CMS-----
diff --git a/examples/pki/cms/revocation_list.pkiz b/examples/pki/cms/revocation_list.pkiz
deleted file mode 100644
index 600fce0..0000000
--- a/examples/pki/cms/revocation_list.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJx9VEuPszgQvPMr9h6NQgIhk8N3MMaACTaBmJdvCZMxGMhjkgmPX79kRtq9rNYXq0ul6u7qVr-9Tc9EDqZ_QbJ_BW8KwdhiXe5tLxyXz4KCsICXCQstCMHYQRCiHjLgmiL-sgSBjpzwpHPg_ubs8VFTrBC54DCBsYqEsL3T4A0848_DMqmxvIhUu1c8K7tD5jXFgA0M8UAYGnwGdJ8hVUkspAUy1gMZ6mmF7xh6Vw5fRK_Ox1jjKerpaNekzVdkGau8zRe8RR1JeUNZ0SskzYd87218aK5xm-iF00wVkCqoQEUk6kmldgFUe2qHk9BlEVgXNbAvlQ9BdUjDSnkRqVWrgcOnn7eBVUpq2SWXdZfLfDGJjDkL9by1Gy6L6nPfianN5uSa16JNRuXVJ5a4Jww_iCUehEUxYYVBmTCoVR5w1QncNj9-4DaSlH00OUMaScNhSjIqnEUtl0mbM9DzNl7QEfVceiU-q3fs_r-BL_-U_zYQq8FUNm-xSttcDxyiktRuA2ZWVMaTCC2n6qo8TVqFDt4my9ReCHc77YTZC2wCBs2rBc2zRFsChAMWMTIjYlKGfALq37gkMElIr8AReKagiQkEAzU1SYQ7BHIrCUMXdQ37SFffp4yXRyfukQThL_fCYLzpeLpiyodjy8OIIgLef5RhT_B-mawKLXoe27j3GJCmqG9lXTmbTjVhiKZmHs0po-pxuWqU0PlRGn-EhtWzaIvetsD-NxNhcEGbo5OLeNmcj21SA_FKVjjm_h6ADh8UAtR_9npaaxOEMTAnLwBePp4BLmXIWNlG3VbvrrPtiQexUW7rJVjJVTHLKFesvvOb53c2y3nfroKr_4HPWybJU5LKEN9F1blaEoPLEt9um4GU7jwrV4_30NvPxp29rpSZE9w6fjULI9zSqsSXWt34unwcYvmpzz_XiIe0nEtSfz6-gVaWj2__0JzrPF0PCCzvtnI-rXdREidG9V7NbmsBV_6mymo9HLTrEoxi53yWtrEjc_U6DtJ71MbzfWfCehrqqf-qb0q011N5z0mktafnQvrah6d2TEBxvsEi0o7hw_LnxL3Gxs2AJyPULAcZZR0GOHJPZzRX6GXHb1Y-J5pO3aO8k1ulj14d6C75KgSo8sN8zOaD2Y1P9P2F_yg_dwhR69-b9Dc2l4GQ \ No newline at end of file
diff --git a/examples/pki/gen_cmsz.py b/examples/pki/gen_cmsz.py
deleted file mode 100644
index 9a8834e..0000000
--- a/examples/pki/gen_cmsz.py
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/python
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import json
-import os
-
-from keystoneclient.common import cms
-
-CURRENT_DIR = os.path.abspath(os.path.dirname(__file__))
-
-
-def make_filename(*args):
- return os.path.join(CURRENT_DIR, *args)
-
-
-CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem')
-SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem')
-SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem')
-EXAMPLE_TOKENS = ['auth_token_revoked',
- 'auth_token_unscoped',
- 'auth_token_scoped',
- 'auth_token_scoped_expired',
- 'auth_v3_token_scoped',
- 'auth_v3_token_revoked']
-
-
-# Helper script to generate the sample data for testing
-# the signed tokens using the existing JSON data for the
-# MII-prefixed tokens. Uses the keys and certificates
-# generated in gen_pki.sh.
-def generate_der_form(name):
- derfile = make_filename('cms', '%s.der' % name)
- with open(derfile, 'w') as f:
- derform = cms.cms_sign_data(text,
- SIGNING_CERT_FILE_NAME,
- SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM)
- f.write(derform)
-
-for name in EXAMPLE_TOKENS:
- json_file = make_filename('cms', name + '.json')
- pkiz_file = make_filename('cms', name + '.pkiz')
- with open(json_file, 'r') as f:
- string_data = f.read()
-
- # validate the JSON
- try:
- token_data = json.loads(string_data)
- except ValueError as v:
- raise SystemExit('%s while processing token data from %s: %s' %
- (v, json_file, string_data))
-
- text = json.dumps(token_data).encode('utf-8')
-
- # Uncomment to record the token uncompressed,
- # useful for debugging
- # generate_der_form(name)
-
- encoded = cms.pkiz_sign(text,
- SIGNING_CERT_FILE_NAME,
- SIGNING_KEY_FILE_NAME)
-
- # verify before writing
- cms.pkiz_verify(encoded,
- SIGNING_CERT_FILE_NAME,
- CA_CERT_FILE_NAME)
-
- with open(pkiz_file, 'w') as f:
- f.write(encoded)
diff --git a/examples/pki/gen_pki.sh b/examples/pki/gen_pki.sh
deleted file mode 100755
index b8b28f9..0000000
--- a/examples/pki/gen_pki.sh
+++ /dev/null
@@ -1,213 +0,0 @@
-#!/bin/bash
-
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# These functions generate the certificates and signed tokens for the tests.
-
-DIR=`dirname "$0"`
-CURRENT_DIR=`cd "$DIR" && pwd`
-CERTS_DIR=$CURRENT_DIR/certs
-PRIVATE_DIR=$CURRENT_DIR/private
-CMS_DIR=$CURRENT_DIR/cms
-
-
-function rm_old {
- rm -rf $CERTS_DIR/*.pem
- rm -rf $PRIVATE_DIR/*.pem
-}
-
-function cleanup {
- rm -rf *.conf > /dev/null 2>&1
- rm -rf index* > /dev/null 2>&1
- rm -rf *.crt > /dev/null 2>&1
- rm -rf newcerts > /dev/null 2>&1
- rm -rf *.pem > /dev/null 2>&1
- rm -rf serial* > /dev/null 2>&1
-}
-
-function generate_ca_conf {
- echo '
-[ req ]
-default_bits = 2048
-default_keyfile = cakey.pem
-default_md = default
-
-prompt = no
-distinguished_name = ca_distinguished_name
-
-x509_extensions = ca_extensions
-
-[ ca_distinguished_name ]
-serialNumber = 5
-countryName = US
-stateOrProvinceName = CA
-localityName = Sunnyvale
-organizationName = OpenStack
-organizationalUnitName = Keystone
-emailAddress = keystone@openstack.org
-commonName = Self Signed
-
-[ ca_extensions ]
-basicConstraints = critical,CA:true
-' > ca.conf
-}
-
-function generate_ssl_req_conf {
- echo '
-[ req ]
-default_bits = 2048
-default_keyfile = keystonekey.pem
-default_md = default
-
-prompt = no
-distinguished_name = distinguished_name
-
-[ distinguished_name ]
-countryName = US
-stateOrProvinceName = CA
-localityName = Sunnyvale
-organizationName = OpenStack
-organizationalUnitName = Keystone
-commonName = localhost
-emailAddress = keystone@openstack.org
-' > ssl_req.conf
-}
-
-function generate_cms_signing_req_conf {
- echo '
-[ req ]
-default_bits = 2048
-default_keyfile = keystonekey.pem
-default_md = default
-
-prompt = no
-distinguished_name = distinguished_name
-
-[ distinguished_name ]
-countryName = US
-stateOrProvinceName = CA
-localityName = Sunnyvale
-organizationName = OpenStack
-organizationalUnitName = Keystone
-commonName = Keystone
-emailAddress = keystone@openstack.org
-' > cms_signing_req.conf
-}
-
-function generate_signing_conf {
- echo '
-[ ca ]
-default_ca = signing_ca
-
-[ signing_ca ]
-dir = .
-database = $dir/index.txt
-new_certs_dir = $dir/newcerts
-
-certificate = $dir/certs/cacert.pem
-serial = $dir/serial
-private_key = $dir/private/cakey.pem
-
-default_days = 21360
-default_crl_days = 30
-default_md = default
-
-policy = policy_any
-
-[ policy_any ]
-countryName = supplied
-stateOrProvinceName = supplied
-localityName = optional
-organizationName = supplied
-organizationalUnitName = supplied
-emailAddress = supplied
-commonName = supplied
-' > signing.conf
-}
-
-function setup {
- touch index.txt
- echo '10' > serial
- generate_ca_conf
- mkdir newcerts
-}
-
-function check_error {
- if [ $1 != 0 ] ; then
- echo "Failed! rc=${1}"
- echo 'Bailing ...'
- cleanup
- exit $1
- else
- echo 'Done'
- fi
-}
-
-function generate_ca {
- echo 'Generating New CA Certificate ...'
- openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
- check_error $?
-}
-
-function ssl_cert_req {
- echo 'Generating SSL Certificate Request ...'
- generate_ssl_req_conf
- openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
- check_error $?
- #openssl req -in req.pem -text -noout
-}
-
-function cms_signing_cert_req {
- echo 'Generating CMS Signing Certificate Request ...'
- generate_cms_signing_req_conf
- openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
- check_error $?
- #openssl req -in req.pem -text -noout
-}
-
-function issue_certs {
- generate_signing_conf
- echo 'Issuing SSL Certificate ...'
- openssl ca -in ssl_req.pem -config signing.conf -batch
- check_error $?
- openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
- check_error $?
- echo 'Issuing CMS Signing Certificate ...'
- openssl ca -in cms_signing_req.pem -config signing.conf -batch
- check_error $?
- openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
- check_error $?
-}
-
-function create_middleware_cert {
- cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
- cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
-}
-
-function check_openssl {
- echo 'Checking openssl availability ...'
- which openssl
- check_error $?
-}
-
-JSON_FILES="${CMS_DIR}/auth_token_revoked.json ${CMS_DIR}/auth_token_unscoped.json ${CMS_DIR}/auth_token_scoped.json ${CMS_DIR}/auth_token_scoped_expired.json ${CMS_DIR}/revocation_list.json ${CMS_DIR}/auth_v3_token_scoped.json ${CMS_DIR}/auth_v3_token_revoked.json"
-
-function gen_sample_cms {
- for json_file in $JSON_FILES
- do
- openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
- done
-}
-
diff --git a/examples/pki/private/cakey.pem b/examples/pki/private/cakey.pem
deleted file mode 100644
index 1c93ee1..0000000
--- a/examples/pki/private/cakey.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCl8906EaRpibQF
-cCBWfxzLi5x/XpZ9iL6UX92NrSJxcDbaGws7s+GtjgDy8UOEonesRWTeqQEZtHpC
-3/UHHOnsA8F6ha/pq9LioqT7RehCnZCLBJwh5Ct+lclpWs15SkjJD2LTDkjox0eA
-9nOBx+XDlWyU/GAyqx5Wsvg/Kxr0iod9/4IcJdnSdUjq4v0Cxg/zNk08XPJX+F0b
-UDhgdUf7JrAmmS5LA8wphRnbIgtVsf6VN9HrbqtHAJDxh8gEfuwdhEW1df1fBtZ+
-6WMIF3IRSbIsZELFB6sqcyRj7HhMoWMkdEyPb2f8mq61MzTgE6lJGIyTRvEoFie7
-qtGADIofAgMBAAECggEBAJ47X3y2xaU7f0KQHsVafgI2JAnuDl+zusOOhJlJs8Wl
-0Sc1EgjjAxOQiqcaE96rap//qqYDTuFLjCenkuItV32KNzizr3+GLZWaruRHS6X4
-xpFG2/gUrsQL3fdudOxpP+01lmzW+f25xRvZ4VilWRabquSDntWxA0R3cOwKFbGD
-uuwbTw3pBrRfCk/2IdpQtRrvvkVIFiYT6b/zeCQzhp4RETbC0oxqcEEOIUGmimAV
-9cbwafinxCo54cOfX4JAh3j7Mp3eQUymoFk5gnmIeVe0QmpH2VkN7eItrhEvHKOk
-On7a5xvQ8s3wqPV5ZawHQcqar/p3QnGkiT6a+8LkIMECgYEA2iJ2DprTGZFRN0M7
-Yj4WLsSC3/GKK8eYsKG3TvMrmPqUDaiWLIvBoc1Le59x9eoF7Mha+WX+cAFL+GTg
-1sB+PUZZStpf1R1tGvMldvpQ+5GplUBpuQe4J0n5rCG6+5jkvSr7xO+G1B+C3GFq
-KR3iltiW5WJRVwh2k8yGvx3agyUCgYEAwsKFX82F7O+9IVud1JSQWmZMiyEK+DEX
-JRnwx4HBuWr+AZqbb0grRRb6x8JTUOD4T7DZGxTaAdfzzRjKU2sBAO8VCgaj2Auv
-5nsbvfXvrmDDCqwoaD2PMy+kgFvE0QTh65tzuGXl1IgpIYSC1JwnP6kOeUDbqE+k
-UXzfVZzDdvMCgYByk9dfJIPt0h7O4Em4+NO+DQqRhtYE2PqjDM60cZZc7IIICp2X
-GHHFA4i6jq3Vde9WyIbAqYpUWtoExzgylTm6BdGxN7NOxf4hQcZUEHepLIHfG85s
-mlloibrTZ4RH06+SjZlhgE9Z7JNYHvMcVc5HXc0k/9ep15AxYiUFDjFQ4QKBgG7i
-k089U4/X2wWgBNdgkmN1tQTNllJCmNvdzhG41dQ8j0vYe8C7BS+76qJLCGaW/6lX
-lfRuRcUg78UI5UDjPloKxR7FMwmxdb+yvdPEr2bH3qQ36nWW/u30pSMTnJYownwD
-MLp/AYCk2U4lBNwJ3+rF1ODCRY2pcnOWtg0nSL5zAoGAWRoOinogEnOodJzO7eB3
-TmL6M9QMyrAPBDsCnduJ8yW5mMUNod139YbSDxZPYwTLhK/GiHP/7OvLV5hg0s4s
-QKnNaMeEowX7dyEO4ehnbfzysxXPKLRVhWhN6MCUc71NMxqr7QkuCXAjJS6/G21+
-Im3+Xb3Scq+UZghR+jiEZF0=
------END PRIVATE KEY-----
diff --git a/examples/pki/private/signing_key.pem b/examples/pki/private/signing_key.pem
deleted file mode 100644
index 758c0ff..0000000
--- a/examples/pki/private/signing_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDM+VrILLl962VH
-S8EKWVzdkaOy0OoxGZ63gajM7VTm8AbgtVnYibIOnVZQuz1XbftIGNXPFhYNUypr
-LnMXrEEsnxgD4PvU/4bETG+stdricX6d1oKqsNFNR7F7zImiR/OzGhp7dONwccxf
-kfX4QHA5Ogso+XMfSdC72SRDszeCeGUcjuo/w2WSLW95SuVvcZLqE/pk3Q2TkCZ1
-8hvNfLoln43QpC469a7srUXATqOJ2mPNvL6E/wOyPefmAoCoG44lFoR3k2jZjBEI
-hstJxmH7XgvqErBzpcWd29dms8xz5PNwYdns9CIfb3GaHvQ6r5RTl37/avDrGHOW
-KOoD01xLAgMBAAECggEAaIi22qWsh+JYCW9B6NRAPyN6V8Sh2x6UykOO4cwb45b/
-+vOh+YPn0fo9vfhvxTnq0A8SY4WBA5SpanYK7kTEDEyqw7em1y7l/RB6V5t7IMb+
-6uIuS3zXkVEB3AApJSEK0Ql7/gBTydHPh+H5jnzWfujyLhhhtNBBarvH+drZcWio
-lWx8RERN4cH+3DZD/xxjH2Ff+X1XMvb8Xcup7MlWi2FtREg7LttLNWNK25iWjciP
-QwfWQIrURRJrD2IrOr9V2nuIEvRqRRBoO+pxJT2sC48NJ3hiKV2GtSQe2nRpQJ47
-f9MEsF5KVQOOn+aQ60EKOI0MpNPmpiCZ5hFvBrNuOQKBgQD6vueEdI9eJgz5YN+t
-XWdpNippv35RTD8R4bQcE6GqIUXOmtQFS2wPJLn7nisZUsGMNEs36Yl0T9iow63r
-5GNAfgzpqN1XZqaSMwAdxKmlBNYpAkVXHhv+1jN+9diDYmoj9T+3Q6Zvk5e/Liyp
-6i+TsDppwmmr2utWajhyJ7owFwKBgQDRROncTztGDYLfRcrIoYsPo79KQ8tqwd2a
-07Usch2kplTqojCUmmhMMFgV2eZPPiCjnEy2bAYh9I/oj7xG6EwApXTshZdCpivC
-rbUV64MakRTUP8IvM6PdI+apkJRsRUi/bSyIbcRlvEoCMNZhfj/5VY6w/jlwrPJj
-oBOCXBlB7QKBgQDGEbEeX1i03UfYYh6uep7qbEAaooqsu5cCkBDPMO6+TmQvLPyY
-Zhio6bEEQs/2w/lhwBk+xHqw5zXVMiWbtiB03F1k4eBeXxbrW+AWo7gCQ4zMfh+6
-Dm284wVwn9D1D/OaDevT31uEvcjb2ySq3/PPLSEnU8xXVaoa6/NEsX8Q5wKBgQCm
-2smULWBXZKJ6n00mVxdnqun0rsVcI6Mrta14+KwGAdEnG5achdivFsTE924YtLKV
-gSPxN4RUQokTprc52jHvOf1WMNYAADpYCOSfy55G6nKvIP8VX5lB00Qw4uRUx5FP
-gB7H0K2NaGmiAYqNRXqAtOUG3kyyOFMzeAjWIdTJqQKBgQCHzY1c7sS1vv7mPEkr
-6CpwoaEbZeFnWoHBA8Rd82psqfYsVJIRwk5Id8zgDSEmoEi8hQ9UrYbrFpLK77xq
-EYSxLQHTNlM0G3lyEsv/gJhwYYhdTYiW3Cx3F6Y++jyn9O/+hFMyQvuesAL7DUYE
-ptEfvzFprpQUpByXkIpuJub6fg==
------END PRIVATE KEY-----
diff --git a/examples/pki/private/ssl_key.pem b/examples/pki/private/ssl_key.pem
deleted file mode 100644
index 363ce94..0000000
--- a/examples/pki/private/ssl_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDL06AaJROwHPgJ
-9tcySSBepzJ81jYars2sMvLjyuvdiIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rp
-v8dGDIDsxZQVjT/4SLaQUOeDM+9bfkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLY
-Wso0SJD0vAi1gmGDlSM/mmhhHTpCDGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1Zrs
-lPC5lFvlHD7KBBf6IU2A8Xh/dUa3p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYR
-R45pPCVkk6vFsy6P0JwwpnkszB+LcK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4
-YEPirGGrAgMBAAECggEATwvbY0hNwlb5uqOIAXBqpUqiQdexU9fG26lGmSDxKBDv
-9o5frcRgBDrMWwvDCgY+HT4CAvB9kJx4/qnpVjkzJp/ZNiJ5VIiehIlbv348rXbh
-xkk+bz5dDATCFOXuu1fwL2FhyM5anwhMAav0DyK1VLQ3jGzr9GO6L8hqAn+bQFFu
-6ngiODwfhBMl5aRoL9UOBEhccK07znrH0JGRz+3+5Cdz59Xw91Bv210LhNNDL58+
-0JD0N+YztVOQd2bgwo0bQbOEijzmYq+0mjoqAnJh1/++y7PlIPs0AnPgqSnFPx9+
-6FsQEVRgk5Uq3kvPLaP4nT2y6MDZSp+ujYldvJhyQQKBgQDuX2pZIJMZ4aFnkG+K
-TmJ5wsLa/u9an0TmvAL9RLtBpVpQNKD8cQ+y8PUZavXDbAIt5NWqZVnTbCR79Dnd
-mZKblwcHhtsyA5f89el5KcxY2BREWdHdTnJpNd7XRlUECmzvX1zGj77lA982PhII
-yflRBRV3vqLkgC8vfoYgRyRElwKBgQDa5jnLdx/RahfYMOgn1HE5o4hMzLR4Y0Dd
-+gELshcUbPqouoP5zOb8WOagVJIgZVOSN+/VqbilVYrqRiNTn2rnoxs+HHRdaJNN
-3eXllD4J2HfC2BIj1xSpIdyh2XewAJqw9IToHNB29QUhxOtgwseHciPG6JaKH2ik
-kqGKH/EKDQKBgFFAftygiOPCkCTgC9UmANUmOQsy6N2H+pF3tsEj43xt44oBVnqW
-A1boYXNnjRwuvdNs9BPf9i1l6E3EItFRXrLgWQoMwryakv0ryYh+YeRKyyW9RBbe
-fYs1TJ8unx4Ae79gTxxztQsVNcmkgLs0NWKTjAzEE3w14V+cDhYEie1DAoGBAJdI
-V5cLrBzBstsB6eBlDR9lqrRRIUS2a8U9m+1mVlcSfiWQSdehSd4K3tDdwePLw3ch
-W4qR8n+pYAlLEe0gFvUhn5lMdwt7U5qUCeehjUKmrRYm2FqWsbu2IFJnBjXIJSC4
-zQXRrC0aZ0KQYpAL7XPpaVp1slyhGmPqxuO78Y0dAoGBAMHo3EIMwu9rfuGwFodr
-GFsOZhfJqgo5GDNxxf89Q9WWpMDTCdX+wdBTrN/wsMbBuwIDHrUuRnk6D5CWRjSk
-/ikCgHN3kOtrbL8zzqRomGAIIWKYGFEIGe1GHVGo5r//HXHdPxFXygvruQ/xbOA4
-RGvmDiji8vVDq7Shho8I6KuT
------END PRIVATE KEY-----
diff --git a/examples/pki/run_all.sh b/examples/pki/run_all.sh
deleted file mode 100755
index ba2f0b6..0000000
--- a/examples/pki/run_all.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash -x
-
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This script generates the crypto necessary for the SSL tests.
-
-. gen_pki.sh
-
-check_openssl
-rm_old
-cleanup
-setup
-generate_ca
-ssl_cert_req
-cms_signing_cert_req
-issue_certs
-create_middleware_cert
-gen_sample_cms
-cleanup
diff --git a/keystonemiddleware/_common/config.py b/keystonemiddleware/_common/config.py
index de701b0..6194df8 100644
--- a/keystonemiddleware/_common/config.py
+++ b/keystonemiddleware/_common/config.py
@@ -86,7 +86,7 @@ class Config(object):
# local oslo.config object or the caller which instantiates
# AuthProtocol can pass in an existing oslo.config as the
# value of the "oslo_config_config" key in conf. If both are
- # set "olso_config_config" is used.
+ # set "oslo_config_config" is used.
if local_config_project and not local_oslo_config:
config_files = [local_config_file] if local_config_file else None
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 6041e9e..0feed6f 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -217,8 +217,8 @@ object is stored.
"""
-import binascii
import copy
+import re
from keystoneauth1 import access
from keystoneauth1 import adapter
@@ -226,8 +226,6 @@ from keystoneauth1 import discover
from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import loading
from keystoneauth1.loading import session as session_loading
-from keystoneclient.common import cms
-from keystoneclient import exceptions as ksc_exceptions
import oslo_cache
from oslo_config import cfg
from oslo_log import log as logging
@@ -242,7 +240,6 @@ from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
from keystonemiddleware.auth_token import _identity
from keystonemiddleware.auth_token import _opts
from keystonemiddleware.auth_token import _request
-from keystonemiddleware.auth_token import _signing_dir
from keystonemiddleware.auth_token import _user_plugin
from keystonemiddleware.i18n import _
@@ -281,6 +278,26 @@ def list_opts():
return [(g, copy.deepcopy(o)) for g, o in AUTH_TOKEN_OPTS]
+def _path_matches(request_path, path_pattern):
+ # The fnmatch module doesn't provide the ability to match * versus **,
+ # so convert to regex.
+ token_regex = (r'(?P<tag>{[^}]*})|' # {tag} # nosec
+ r'(?P<wild>\*(?=$|[^\*]))|' # *
+ r'(?P<rec_wild>\*\*)|' # **
+ r'(?P<literal>[^{}\*])') # anything else
+ path_regex = ''
+ for match in re.finditer(token_regex, path_pattern):
+ token = match.groupdict()
+ if token['tag'] or token['wild']:
+ path_regex += r'[^\/]+'
+ if token['rec_wild']:
+ path_regex += '.*'
+ if token['literal']:
+ path_regex += token['literal']
+ path_regex = r'^%s$' % path_regex
+ return re.match(path_regex, request_path)
+
+
class _BIND_MODE(object):
DISABLED = 'disabled'
PERMISSIVE = 'permissive'
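Review bot: In `_path_matches` the `literal` branch appends pattern characters to `path_regex` unescaped, so regex metacharacters in an access rule path keep their regex meaning. The `.` in a rule such as `/v2.1/servers` (constructed example) matches any character, and an unbalanced `(` or `[` can make compilation fail. This function is the path check that `validate_allowed_request` (added later in this diff) uses to enforce application credential access rules, so the literal should be escaped: `path_regex += re.escape(token['literal'])`. The `$` anchor used with `re.match` also accepts a trailing newline in `request_path`; anchoring with `path_regex = r'^%s\Z' % path_regex` avoids that. An unbalanced `{` or `}` in the pattern is silently skipped by `re.finditer`, which deserves at least a comment.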
@@ -289,16 +306,6 @@ class _BIND_MODE(object):
KERBEROS = 'kerberos'
-def _uncompress_pkiz(token):
- # TypeError If the signed_text is not zlib compressed binascii.Error if
- # signed_text has incorrect base64 padding (py34)
-
- try:
- return cms.pkiz_uncompress(token)
- except (TypeError, binascii.Error):
- raise ksm_exceptions.InvalidToken(token)
-
-
class BaseAuthProtocol(object):
"""A base class for AuthProtocol token checking implementations.
@@ -315,13 +322,15 @@ class BaseAuthProtocol(object):
log=_LOG,
enforce_token_bind=_BIND_MODE.PERMISSIVE,
service_token_roles=None,
- service_token_roles_required=False):
+ service_token_roles_required=False,
+ service_type=None):
self.log = log
self._app = app
self._enforce_token_bind = enforce_token_bind
self._service_token_roles = set(service_token_roles or [])
self._service_token_roles_required = service_token_roles_required
self._service_token_warning_emitted = False
+ self._service_type = service_type
@webob.dec.wsgify(RequestClass=_request._AuthTokenRequest)
def __call__(self, req):
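Review bot: The new `service_type` keyword on `BaseAuthProtocol.__init__` is undocumented in this hunk, and its `None` default has a security-relevant effect. In `validate_allowed_request` (added later in this diff), a token carrying access rules is rejected with `InvalidToken` when no service type is set. I would say so next to the assignment, e.g. `# Catalog service type of the protected API; tokens with access rules are rejected when this is unset.` The class docstring starts above the hunk and is not fully visible, so a `:param service_type:` entry may be needed there as well. `validate_allowed_request` also prefers `self._conf.get('service_type')` whenever `_conf` exists, so the constructor value is only consulted by subclasses without `_conf`; that precedence is worth a comment too.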
@@ -402,6 +411,8 @@ class BaseAuthProtocol(object):
allow_expired=allow_expired)
self._validate_token(user_auth_ref,
allow_expired=allow_expired)
+ if user_auth_ref.version != 'v2.0':
+ self.validate_allowed_request(request, data['token'])
if not request.service_token:
self._confirm_token_bind(user_auth_ref, request)
except ksm_exceptions.InvalidToken:
@@ -530,13 +541,57 @@ class BaseAuthProtocol(object):
{'bind_type': bind_type, 'identifier': identifier})
self._invalid_user_token()
+ def validate_allowed_request(self, request, token):
+ self.log.debug("Validating token access rules against request")
+ app_cred = token.get('application_credential')
+ if not app_cred:
+ return
+ access_rules = app_cred.get('access_rules')
+ if access_rules is None:
+ return
+ if hasattr(self, '_conf'):
+ my_service_type = self._conf.get('service_type')
+ else:
+ my_service_type = self._service_type
+ if not my_service_type:
+ self.log.warning('Cannot validate request with restricted'
+ ' access rules. Set service_type in'
+ ' [keystone_authtoken] to allow access rule'
+ ' validation.')
+ raise ksm_exceptions.InvalidToken(_('Token authorization failed'))
+ # token can always be validated regardless of access rules
+ if (my_service_type == 'identity' and
+ request.method == 'GET' and
+ request.path.endswith('/v3/auth/tokens')):
+ return
+ catalog = token['catalog']
+ # validate service type is in catalog
+ catalog_svcs = [s for s in catalog if s['type'] == my_service_type]
+ if len(catalog_svcs) == 0:
+ self.log.warning('Cannot validate request with restricted'
+ ' access rules. service_type in'
+ ' [keystone_authtoken] is not a valid service'
+ ' type in the catalog.')
+ raise ksm_exceptions.InvalidToken(_('Token authorization failed'))
+ if request.service_token:
+ # The request may not match an allowed request, but the presence
+ # of the service token indicates this is a chain of requests and
+ # hence this request was not user-facing
+ return
+ for access_rule in access_rules:
+ method = access_rule['method']
+ path = access_rule['path']
+ service = access_rule['service']
+ if request.method == method and \
+ service == my_service_type and \
+ _path_matches(request.path, path):
+ return
+ raise ksm_exceptions.InvalidToken(_('Token authorization failed'))
+
class AuthProtocol(BaseAuthProtocol):
"""Middleware that handles authenticating client calls."""
- _SIGNING_CERT_FILE_NAME = 'signing_cert.pem'
- _SIGNING_CA_FILE_NAME = 'cacert.pem'
-
def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone auth_token middleware')
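Review bot: The `if request.service_token: return` branch in `validate_allowed_request` skips access-rule enforcement on the mere presence of a service token, not on that token having been validated. Whether an invalid service token is rejected before this point is not visible in the hunk, so I would gate the return on the validated state, e.g. `if request.service_token and request.service_token_valid:`, and consider requiring the service-role check as well, since `service_token_roles_required` defaults to `False` in the constructor. Separately, the rule loop relies on `_path_matches`, whose visible tail appends `token['literal']` to the regex unescaped; `path_regex += re.escape(token['literal'])` would keep characters such as `.` in a rule path from matching more than themselves.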
@@ -568,9 +623,7 @@ class AuthProtocol(BaseAuthProtocol):
self._delay_auth_decision = self._conf.get('delay_auth_decision')
self._include_service_catalog = self._conf.get(
'include_service_catalog')
- self._hash_algorithms = self._conf.get('hash_algorithms')
self._interface = self._conf.get('interface')
-
self._auth = self._create_auth_plugin()
self._session = self._create_session()
self._identity_server = self._create_identity_server()
@@ -590,9 +643,6 @@ class AuthProtocol(BaseAuthProtocol):
self._www_authenticate_uri = \
self._identity_server.www_authenticate_uri
- self._signing_directory = _signing_dir.SigningDirectory(
- directory_name=self._conf.get('signing_dir'), log=self.log)
-
self._token_cache = self._token_cache_factory()
def process_request(self, request):
@@ -674,37 +724,6 @@ class AuthProtocol(BaseAuthProtocol):
header_val = 'Keystone uri="%s"' % self._www_authenticate_uri
return [('WWW-Authenticate', header_val)]
- def _token_hashes(self, token):
- """Generate a list of hashes that the current token may be cached as.
-
- The first element of this list is the preferred algorithm and is what
- new cache values should be saved as.
-
- :param str token: The token being presented by a user.
-
- :returns: list of str token hashes.
- """
- if cms.is_asn1_token(token) or cms.is_pkiz(token):
- return list(cms.cms_hash_token(token, mode=algo)
- for algo in self._hash_algorithms)
- else:
- return [token]
-
- def _cache_get_hashes(self, token_hashes):
- """Check if the token is cached already.
-
- Functions takes a list of hashes that might be in the cache and matches
- the first one that is present. If nothing is found in the cache it
- returns None.
-
- :returns: token data if found else None.
- """
- for token in token_hashes:
- cached = self._token_cache.get(token)
-
- if cached:
- return cached
-
def fetch_token(self, token, allow_expired=False):
"""Retrieve a token from either a PKI bundle or the identity server.
@@ -713,11 +732,8 @@ class AuthProtocol(BaseAuthProtocol):
:raises exc.InvalidToken: if token is rejected
"""
data = None
- token_hashes = None
-
try:
- token_hashes = self._token_hashes(token)
- cached = self._cache_get_hashes(token_hashes)
+ cached = self._token_cache.get(token)
if cached:
if cached == _CACHE_INVALID_INDICATOR:
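Review bot: The `fetch_token` docstring just above this hunk still reads "Retrieve a token from either a PKI bundle or the identity server", but with the offline PKI path removed the only sources left are the token cache and `verify_token`. I would update it to `"""Retrieve a token from the cache or the identity server."""` so readers do not go looking for an offline validation step. The method body continues outside this hunk.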
@@ -733,13 +749,11 @@ class AuthProtocol(BaseAuthProtocol):
data = cached
else:
- data = self._validate_offline(token, token_hashes)
- if not data:
- data = self._identity_server.verify_token(
- token,
- allow_expired=allow_expired)
+ data = self._identity_server.verify_token(
+ token,
+ allow_expired=allow_expired)
- self._token_cache.set(token_hashes[0], data)
+ self._token_cache.set(token, data)
except (ksa_exceptions.ConnectFailure,
ksa_exceptions.DiscoveryFailure,
@@ -755,9 +769,7 @@ class AuthProtocol(BaseAuthProtocol):
'The Keystone service is temporarily unavailable.')
except ksm_exceptions.InvalidToken:
self.log.debug('Token validation failure.', exc_info=True)
- if token_hashes:
- self._token_cache.set(token_hashes[0],
- _CACHE_INVALID_INDICATOR)
+ self._token_cache.set(token, _CACHE_INVALID_INDICATOR)
self.log.warning('Authorization failed for token')
raise
except ksa_exceptions.EndpointNotFound:
@@ -767,34 +779,6 @@ class AuthProtocol(BaseAuthProtocol):
return data
- def _validate_offline(self, token, token_hashes):
- if cms.is_pkiz(token):
- token_data = _uncompress_pkiz(token)
- inform = cms.PKIZ_CMS_FORM
- elif cms.is_asn1_token(token):
- token_data = cms.token_to_cms(token)
- inform = cms.PKI_ASN1_FORM
- else:
- # Can't do offline validation for this type of token.
- return
-
- try:
- verified = self._cms_verify(token_data, inform)
- except ksc_exceptions.CertificateConfigError:
- self.log.warning('Fetch certificate config failed, '
- 'fallback to online validation.')
- else:
- self.log.warning('auth_token middleware received a PKI/Z token. '
- 'This form of token is deprecated and has been '
- 'removed from keystone server and will be '
- 'removed from auth_token middleware in the Rocky '
- 'release. Please contact your administrator '
- 'about upgrading keystone and the token format.')
-
- data = jsonutils.loads(verified)
-
- return data
-
def _validate_token(self, auth_ref, **kwargs):
super(AuthProtocol, self)._validate_token(auth_ref, **kwargs)
@@ -802,53 +786,6 @@ class AuthProtocol(BaseAuthProtocol):
msg = _('Unable to determine service tenancy.')
raise ksm_exceptions.InvalidToken(msg)
- def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM):
- """Verify the signature of the provided data's IAW CMS syntax.
-
- If either of the certificate files might be missing, fetch them and
- retry.
- """
- def verify():
- try:
- signing_cert_path = self._signing_directory.calc_path(
- self._SIGNING_CERT_FILE_NAME)
- signing_ca_path = self._signing_directory.calc_path(
- self._SIGNING_CA_FILE_NAME)
- return cms.cms_verify(data, signing_cert_path,
- signing_ca_path,
- inform=inform).decode('utf-8')
- except (ksc_exceptions.CMSError,
- cms.subprocess.CalledProcessError) as err:
- self.log.warning('Verify error: %s', err)
- msg = _('Token authorization failed')
- raise ksm_exceptions.InvalidToken(msg)
-
- try:
- return verify()
- except ksc_exceptions.CertificateConfigError:
- # the certs might be missing; unconditionally fetch to avoid racing
- self._fetch_signing_cert()
- self._fetch_ca_cert()
-
- try:
- # retry with certs in place
- return verify()
- except ksc_exceptions.CertificateConfigError as err:
- # if this is still occurring, something else is wrong and we
- # need err.output to identify the problem
- self.log.error('CMS Verify output: %s', err.output)
- raise
-
- def _fetch_signing_cert(self):
- self._signing_directory.write_file(
- self._SIGNING_CERT_FILE_NAME,
- self._identity_server.fetch_signing_cert())
-
- def _fetch_ca_cert(self):
- self._signing_directory.write_file(
- self._SIGNING_CA_FILE_NAME,
- self._identity_server.fetch_ca_cert())
-
def _create_auth_plugin(self):
# NOTE(jamielennox): Ideally this would use load_from_conf_options
# however that is not possible because we have to support the override
@@ -885,7 +822,7 @@ class AuthProtocol(BaseAuthProtocol):
plugin_opts = loading.get_auth_plugin_conf_options(plugin_loader)
self._conf.oslo_conf_obj.register_opts(plugin_opts, group=group)
- getter = lambda opt: self._conf.get(opt.dest, group=group)
+ getter = lambda opt: self._conf.get(opt.dest, group=group) # noqa
return plugin_loader.load_from_options_getter(getter)
def _create_session(self, **kwargs):
diff --git a/keystonemiddleware/auth_token/_auth.py b/keystonemiddleware/auth_token/_auth.py
index 29019d9..652918c 100644
--- a/keystonemiddleware/auth_token/_auth.py
+++ b/keystonemiddleware/auth_token/_auth.py
@@ -41,7 +41,7 @@ class AuthTokenPlugin(plugin.BaseAuthPlugin):
log.warning('Configuring admin URI using auth fragments was '
'deprecated in the Kilo release, and will be '
'removed in the Newton release, '
- 'use \'identity_uri\ instead.')
+ "use 'identity_uri' instead.")
if ':' in auth_host:
# Note(dzyu) it is an IPv6 address, so it needs to be wrapped
diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py
index aeeb8d9..53d3819 100644
--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -10,13 +10,9 @@
# License for the specific language governing permissions and limitations
# under the License.
-import functools
-
from keystoneauth1 import discover
from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import plugin
-from keystoneclient import exceptions as ksc_exceptions
-from keystoneclient.v2_0 import client as v2_client
from keystoneclient.v3 import client as v3_client
from six.moves import urllib
@@ -24,17 +20,7 @@ from keystonemiddleware.auth_token import _auth
from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
from keystonemiddleware.i18n import _
-
-def _convert_fetch_cert_exception(fetch_cert):
- @functools.wraps(fetch_cert)
- def wrapper(self):
- try:
- text = fetch_cert(self)
- except ksa_exceptions.HttpError as e:
- raise ksc_exceptions.CertificateConfigError(e.details)
- return text
-
- return wrapper
+ACCESS_RULES_SUPPORT = '1'
class _RequestStrategy(object):
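Review bot: `ACCESS_RULES_SUPPORT = '1'` is added without a comment saying what the value means or who consumes it. A later hunk passes it as `access_rules_support=` to `tokens.validate`, so it presumably advertises to keystone which access-rules version this middleware can enforce. A one-line comment such as `# Access rules version this middleware enforces; sent to keystone on token validation.` would make clear that bumping it must go together with changes to `validate_allowed_request`.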
@@ -49,45 +35,6 @@ class _RequestStrategy(object):
def verify_token(self, user_token, allow_expired=False):
pass
- @_convert_fetch_cert_exception
- def fetch_signing_cert(self):
- return self._fetch_signing_cert()
-
- def _fetch_signing_cert(self):
- pass
-
- @_convert_fetch_cert_exception
- def fetch_ca_cert(self):
- return self._fetch_ca_cert()
-
- def _fetch_ca_cert(self):
- pass
-
-
-class _V2RequestStrategy(_RequestStrategy):
-
- AUTH_VERSION = (2, 0)
-
- def __init__(self, adap, **kwargs):
- super(_V2RequestStrategy, self).__init__(adap, **kwargs)
- self._client = v2_client.Client(session=adap)
-
- def verify_token(self, token, allow_expired=False):
- # NOTE(jamielennox): allow_expired is ignored on V2
- auth_ref = self._client.tokens.validate_access_info(token)
-
- if not auth_ref:
- msg = _('Failed to fetch token data from identity server')
- raise ksm_exceptions.InvalidToken(msg)
-
- return {'access': auth_ref}
-
- def _fetch_signing_cert(self):
- return self._client.certificates.get_signing_certificate()
-
- def _fetch_ca_cert(self):
- return self._client.certificates.get_ca_certificate()
-
class _V3RequestStrategy(_RequestStrategy):
@@ -104,7 +51,8 @@ class _V3RequestStrategy(_RequestStrategy):
auth_ref = self._client.tokens.validate(
token,
include_catalog=self._include_service_catalog,
- allow_expired=allow_expired)
+ allow_expired=allow_expired,
+ access_rules_support=ACCESS_RULES_SUPPORT)
if not auth_ref:
msg = _('Failed to fetch token data from identity server')
@@ -112,23 +60,16 @@ class _V3RequestStrategy(_RequestStrategy):
return {'token': auth_ref}
- def _fetch_signing_cert(self):
- return self._client.simple_cert.get_certificates()
-
- def _fetch_ca_cert(self):
- return self._client.simple_cert.get_ca_certificates()
-
-_REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
+_REQUEST_STRATEGIES = [_V3RequestStrategy]
class IdentityServer(object):
"""Base class for operations on the Identity API server.
The auth_token middleware needs to communicate with the Identity API server
- to validate UUID tokens, signing certificates,
- etc. This class encapsulates the data and methods to perform these
- operations.
+ to validate tokens. This class encapsulates the data and methods to perform
+ the operations.
"""
@@ -176,20 +117,19 @@ class IdentityServer(object):
def _get_strategy_class(self):
if self._requested_auth_version:
- # A specific version was requested.
- if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
- self._requested_auth_version):
- return _V3RequestStrategy
-
- # The version isn't v3 so we don't know what to do. Just assume V2.
- return _V2RequestStrategy
+ if not discover.version_match(_V3RequestStrategy.AUTH_VERSION,
+ self._requested_auth_interface):
+ self._LOG.info('A version other than v3 was requested: %s',
+ self._requested_auth_interface)
+ # Return v3, even if the request is unknown
+ return _V3RequestStrategy
# Specific version was not requested then we fall through to
# discovering available versions from the server
for klass in _REQUEST_STRATEGIES:
if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
self._LOG.debug('Auth Token confirmed use of %s apis',
- self._requested_auth_version)
+ klass.AUTH_VERSION)
return klass
versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
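Review bot: The new version check in `_get_strategy_class` compares against `self._requested_auth_interface`, while the enclosing guard tests `self._requested_auth_version`; this looks like a slip, since the interface attribute (set outside this hunk) is presumably an endpoint interface name and not a version. As written, neither the `version_match` result nor the logged value reflects the version the operator configured. I would use the version attribute in both places: `if not discover.version_match(_V3RequestStrategy.AUTH_VERSION, self._requested_auth_version):` and `self._requested_auth_version` as the log argument. Because v3 is now returned regardless of the request, `self._LOG.warning` may also suit an ignored setting better than `info`.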
@@ -241,11 +181,5 @@ class IdentityServer(object):
else:
return auth_ref
- def fetch_signing_cert(self):
- return self._request_strategy.fetch_signing_cert()
-
- def fetch_ca_cert(self):
- return self._request_strategy.fetch_ca_cert()
-
def invalidate(self):
return self._adapter.invalidate()
diff --git a/keystonemiddleware/auth_token/_opts.py b/keystonemiddleware/auth_token/_opts.py
index 73debbb..15dd4f6 100644
--- a/keystonemiddleware/auth_token/_opts.py
+++ b/keystonemiddleware/auth_token/_opts.py
@@ -99,13 +99,6 @@ _OPTS = [
cfg.BoolOpt('insecure', default=False, help='Verify HTTPS connections.'),
cfg.StrOpt('region_name',
help='The region in which the identity server can be found.'),
- cfg.StrOpt('signing_dir',
- deprecated_for_removal=True,
- deprecated_reason='PKI token format is no longer supported.',
- deprecated_since='Ocata',
- help='Directory used to cache files related to PKI tokens. This'
- ' option has been deprecated in the Ocata release and will be'
- ' removed in the P release.'),
cfg.ListOpt('memcached_servers',
deprecated_name='memcache_servers',
help='Optionally specify a list of memcached server(s) to'
@@ -172,19 +165,6 @@ _OPTS = [
' unknown the token will be rejected. "required" any form of'
' token binding is needed to be allowed. Finally the name of a'
' binding method that must be present in tokens.'),
- cfg.ListOpt('hash_algorithms', default=['md5'],
- deprecated_for_removal=True,
- deprecated_reason='PKI token format is no longer supported.',
- deprecated_since='Ocata',
- help='Hash algorithms to use for hashing PKI tokens. This may'
- ' be a single algorithm or multiple. The algorithms are those'
- ' supported by Python standard hashlib.new(). The hashes will'
- ' be tried in the order given, so put the preferred one first'
- ' for performance. The result of the first hash will be stored'
- ' in the cache. This will typically be set to multiple values'
- ' only while migrating from a less secure algorithm to a more'
- ' secure one. Once all the old tokens are expired this option'
- ' should be set to a single value for better performance.'),
cfg.ListOpt('service_token_roles', default=['service'],
help='A choice of roles that must be present in a service'
' token. Service tokens are allowed to request that an expired'
@@ -198,6 +178,10 @@ _OPTS = [
' service tokens pass that don\'t pass the service_token_roles'
' check as valid. Setting this true will become the default'
' in a future release and should be enabled if possible.'),
+ cfg.StrOpt('service_type',
+ help='The name or type of the service as it appears in the'
+ ' service catalog. This is used to validate tokens that have'
+ ' restricted access rules.'),
]
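Review bot: The help text for `service_type` says "name or type", but `validate_allowed_request` compares the value only against each catalog entry's `type` (`s['type'] == my_service_type`) and against the rule's `service` field. It also omits the operational consequence visible in that method: with the option unset, every token carrying access rules is rejected with "Token authorization failed". I would reword it along the lines of `help='The type of the service as it appears in the service catalog. Required to validate tokens with restricted access rules; if unset, such tokens are rejected.'`.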
diff --git a/keystonemiddleware/auth_token/_request.py b/keystonemiddleware/auth_token/_request.py
index 33df7a9..cba28bf 100644
--- a/keystonemiddleware/auth_token/_request.py
+++ b/keystonemiddleware/auth_token/_request.py
@@ -16,20 +16,16 @@ from oslo_serialization import jsonutils
import webob
-def _v3_to_v2_catalog(catalog):
- """Convert a catalog to v2 format.
-
- X_SERVICE_CATALOG must be specified in v2 format. If you get a token
- that is in v3 convert it.
- """
- v2_services = []
+def _normalize_catalog(catalog):
+ """Convert a catalog to a compatible format."""
+ services = []
for v3_service in catalog:
# first copy over the entries we allow for the service
- v2_service = {'type': v3_service['type']}
+ service = {'type': v3_service['type']}
try:
- v2_service['name'] = v3_service['name']
+ service['name'] = v3_service['name']
except KeyError: # nosec
- # v3 service doesn't have a name, so v2_service doesn't either.
+ # v3 service doesn't have a name, move on.
pass
# now convert the endpoints. Because in v3 we specify region per
@@ -47,10 +43,10 @@ def _v3_to_v2_catalog(catalog):
interface_name = v3_endpoint['interface'].lower() + 'URL'
region[interface_name] = v3_endpoint['url']
- v2_service['endpoints'] = list(regions.values())
- v2_services.append(v2_service)
+ service['endpoints'] = list(regions.values())
+ services.append(service)
- return v2_services
+ return services
def _is_admin_project(auth_ref):
@@ -105,8 +101,8 @@ class _AuthTokenRequest(webob.Request):
_SYSTEM_SCOPE_HEADER = 'OpenStack-System-Scope'
_SERVICE_CATALOG_HEADER = 'X-Service-Catalog'
- _TOKEN_AUTH = 'keystone.token_auth'
- _TOKEN_INFO = 'keystone.token_info'
+ _TOKEN_AUTH = 'keystone.token_auth' # nosec
+ _TOKEN_INFO = 'keystone.token_info' # nosec
_CONFIRMED = 'Confirmed'
_INVALID = 'Invalid'
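Review bot: The two `# nosec` markers added to `_TOKEN_AUTH` and `_TOKEN_INFO` carry no reason, so a later reader cannot tell which finding was judged a false positive. The values look like WSGI environ key names rather than credentials, which is presumably why a hardcoded-secret check fired on the word "token". A comment on the line above, such as `# environ key names, not credentials; the scanner flags the word "token"`, keeps the suppression auditable.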
@@ -194,7 +190,7 @@ class _AuthTokenRequest(webob.Request):
catalog = auth_ref.service_catalog.catalog
if auth_ref.version == 'v3':
- catalog = _v3_to_v2_catalog(catalog)
+ catalog = _normalize_catalog(catalog)
c = jsonutils.dumps(catalog)
self.headers[self._SERVICE_CATALOG_HEADER] = c
diff --git a/keystonemiddleware/auth_token/_signing_dir.py b/keystonemiddleware/auth_token/_signing_dir.py
deleted file mode 100644
index 698e055..0000000
--- a/keystonemiddleware/auth_token/_signing_dir.py
+++ /dev/null
@@ -1,90 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import stat
-import tempfile
-
-from oslo_log import log as logging
-import six
-
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.i18n import _
-
-_LOG = logging.getLogger(__name__)
-
-
-class SigningDirectory(object):
-
- def __init__(self, directory_name=None, log=None):
- self._log = log or _LOG
-
- self._directory_name = directory_name
- if self._directory_name:
- self._log.info(
- 'Using %s as cache directory for signing certificate',
- self._directory_name)
- self._verify_signing_dir()
-
- def write_file(self, file_name, new_contents):
-
- # In Python2, encoding is slow so the following check avoids it if it
- # is not absolutely necessary.
- if isinstance(new_contents, six.text_type):
- new_contents = new_contents.encode('utf-8')
-
- def _atomic_write():
- with tempfile.NamedTemporaryFile(dir=self._directory_name,
- delete=False) as f:
- f.write(new_contents)
- os.rename(f.name, self.calc_path(file_name))
-
- try:
- _atomic_write()
- except (OSError, IOError):
- self._verify_signing_dir()
- _atomic_write()
-
- def read_file(self, file_name):
- path = self.calc_path(file_name)
- open_kwargs = {'encoding': 'utf-8'} if six.PY3 else {}
- with open(path, 'r', **open_kwargs) as f:
- return f.read()
-
- def calc_path(self, file_name):
- self._lazy_create_signing_dir()
- return os.path.join(self._directory_name, file_name)
-
- def _lazy_create_signing_dir(self):
- if self._directory_name is None:
- self._directory_name = tempfile.mkdtemp(prefix='keystone-signing-')
- self._log.info(
- 'Using %s as cache directory for signing certificate',
- self._directory_name)
- self._verify_signing_dir()
-
- def _verify_signing_dir(self):
- if os.path.isdir(self._directory_name):
- if not os.access(self._directory_name, os.W_OK):
- raise exc.ConfigurationError(
- _('unable to access signing_dir %s') %
- self._directory_name)
- uid = os.getuid()
- if os.stat(self._directory_name).st_uid != uid:
- self._log.warning('signing_dir is not owned by %s', uid)
- current_mode = stat.S_IMODE(os.stat(self._directory_name).st_mode)
- if current_mode != stat.S_IRWXU:
- self._log.warning(
- 'signing_dir mode is %(mode)s instead of %(need)s',
- {'mode': oct(current_mode), 'need': oct(stat.S_IRWXU)})
- else:
- os.makedirs(self._directory_name, stat.S_IRWXU)
diff --git a/keystonemiddleware/ec2_token.py b/keystonemiddleware/ec2_token.py
index 5fe6096..faa5968 100644
--- a/keystonemiddleware/ec2_token.py
+++ b/keystonemiddleware/ec2_token.py
@@ -31,7 +31,7 @@ from keystonemiddleware.i18n import _
keystone_ec2_opts = [
cfg.StrOpt('url',
- default='http://localhost:5000/v2.0/ec2tokens',
+ default='http://localhost:5000/v3/ec2tokens',
help='URL to get token from ec2 request.'),
cfg.StrOpt('keyfile',
help='Required if EC2 server requires client certificate.'),
@@ -185,13 +185,8 @@ class EC2Token(object):
msg = _('Error response from keystone: %s') % response.reason
self._logger.debug(msg)
return self._ec2_error_response("AuthFailure", msg)
- result = response.json()
try:
- if 'token' in result:
- # NOTE(andrey-mp): response from keystone v3
- token_id = response.headers['x-subject-token']
- else:
- token_id = result['access']['token']['id']
+ token_id = response.headers['x-subject-token']
except (AttributeError, KeyError):
msg = _("Failure parsing response from keystone")
self._logger.exception(msg)
diff --git a/keystonemiddleware/locale/en_GB/LC_MESSAGES/keystonemiddleware.po b/keystonemiddleware/locale/en_GB/LC_MESSAGES/keystonemiddleware.po
index 0f043bf..ee8f5c3 100644
--- a/keystonemiddleware/locale/en_GB/LC_MESSAGES/keystonemiddleware.po
+++ b/keystonemiddleware/locale/en_GB/LC_MESSAGES/keystonemiddleware.po
@@ -3,7 +3,7 @@ msgid ""
msgstr ""
"Project-Id-Version: keystonemiddleware VERSION\n"
"Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2018-04-21 04:01+0000\n"
+"POT-Creation-Date: 2019-12-21 02:49+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
@@ -27,10 +27,6 @@ msgstr "Error response from Keystone: %s"
msgid "Failed to fetch token data from identity server"
msgstr "Failed to fetch token data from identity server"
-#, python-format
-msgid "Failed to fetch token revocation list: %d"
-msgstr "Failed to fetch token revocation list: %d"
-
msgid "Failure parsing response from keystone"
msgstr "Failure parsing response from Keystone"
@@ -46,9 +42,6 @@ msgstr "Invalid version asked for in auth_token plugin"
msgid "No compatible apis supported by server"
msgstr "No compatible APIs supported by server"
-msgid "Revocation list improperly formatted."
-msgstr "Revocation list improperly formatted."
-
msgid "Signature not provided"
msgstr "Signature not provided"
@@ -58,9 +51,6 @@ msgstr "The request you have made requires authentication."
msgid "Token authorization failed"
msgstr "Token authorisation failed"
-msgid "Token has been revoked"
-msgstr "Token has been revoked"
-
msgid "Unable to determine service tenancy."
msgstr "Unable to determine service tenancy."
@@ -70,7 +60,3 @@ msgid ""
msgstr ""
"memcache_secret_key must be defined when a memcache_security_strategy is "
"defined"
-
-#, python-format
-msgid "unable to access signing_dir %s"
-msgstr "unable to access signing_dir %s"
diff --git a/keystonemiddleware/locale/ko_KR/LC_MESSAGES/keystonemiddleware.po b/keystonemiddleware/locale/ko_KR/LC_MESSAGES/keystonemiddleware.po
index 02221ae..7a550a9 100644
--- a/keystonemiddleware/locale/ko_KR/LC_MESSAGES/keystonemiddleware.po
+++ b/keystonemiddleware/locale/ko_KR/LC_MESSAGES/keystonemiddleware.po
@@ -3,7 +3,7 @@ msgid ""
msgstr ""
"Project-Id-Version: keystonemiddleware VERSION\n"
"Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2018-02-20 19:27+0000\n"
+"POT-Creation-Date: 2019-12-21 02:49+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
@@ -27,10 +27,6 @@ msgstr "keystone 오류 응답: %s"
msgid "Failed to fetch token data from identity server"
msgstr "인증 서버로부터 토큰 데이터를 가져올 수 없습니다"
-#, python-format
-msgid "Failed to fetch token revocation list: %d"
-msgstr "토큰 revocation 목록을 가져올 수 없습니다: %d"
-
msgid "Failure parsing response from keystone"
msgstr "keystone 응답 파싱 실패"
diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
index 25fbf73..67b60de 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -14,9 +14,6 @@
import datetime
import os
-import shutil
-import stat
-import tempfile
import time
import uuid
@@ -25,8 +22,6 @@ from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import fixture
from keystoneauth1 import loading
from keystoneauth1 import session
-from keystoneclient.common import cms
-from keystoneclient import exceptions as ksc_exceptions
import mock
import oslo_cache
from oslo_log import log as logging
@@ -55,9 +50,6 @@ EXPECTED_V2_DEFAULT_ENV_RESPONSE = {
'HTTP_X_USER_NAME': 'user_name1',
'HTTP_X_ROLES': 'role1,role2',
'HTTP_X_IS_ADMIN_PROJECT': 'True',
- 'HTTP_X_USER': 'user_name1', # deprecated (diablo-compat)
- 'HTTP_X_TENANT': 'tenant_name1', # deprecated (diablo-compat)
- 'HTTP_X_ROLE': 'role1,role2', # deprecated (diablo-compat)
}
EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE = {
@@ -90,7 +82,8 @@ BASE_URI = '%s/testadmin' % BASE_HOST
FAKE_ADMIN_TOKEN_ID = 'admin_token2'
FAKE_ADMIN_TOKEN = jsonutils.dumps(
{'access': {'token': {'id': FAKE_ADMIN_TOKEN_ID,
- 'expires': '2022-10-03T16:58:01Z'}}})
+ 'expires': '%i-10-03T16:58:01Z' %
+ (1 + time.gmtime().tm_year)}}})
VERSION_LIST_v3 = fixture.DiscoveryList(href=BASE_URI)
VERSION_LIST_v2 = fixture.DiscoveryList(v3=False, href=BASE_URI)
@@ -285,11 +278,8 @@ class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
self.fake_app = fake_app or FakeApp
self.middleware = None
- signing_dir = self._setup_signing_directory()
-
self.conf = {
'identity_uri': 'https://keystone.example.com:1234/testadmin/',
- 'signing_dir': signing_dir,
'auth_version': auth_version,
'www_authenticate_uri': 'https://keystone.example.com:1234',
'admin_user': uuid.uuid4().hex,
@@ -302,16 +292,6 @@ class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
def call_middleware(self, **kwargs):
return self.call(self.middleware, **kwargs)
- def _setup_signing_directory(self):
- directory_name = self.useFixture(fixtures.TempDir()).path
-
- # Copy the sample certificate files into the temporary directory.
- for filename in ['cacert.pem', 'signing_cert.pem', ]:
- shutil.copy2(os.path.join(client_fixtures.CERTDIR, filename),
- os.path.join(directory_name, filename))
-
- return directory_name
-
def set_middleware(self, expected_env=None, conf=None):
"""Configure the class ready to call the auth_token middleware.
@@ -348,44 +328,6 @@ class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
self.assertIsNone(self.requests_mock.last_request)
-class DiabloAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- """Auth Token middleware should understand Diablo keystone responses."""
- def setUp(self):
- # pre-diablo only had Tenant ID, which was also the Name
- expected_env = {
- 'HTTP_X_TENANT_ID': 'tenant_id1',
- 'HTTP_X_TENANT_NAME': 'tenant_id1',
- # now deprecated (diablo-compat)
- 'HTTP_X_TENANT': 'tenant_id1',
- }
-
- super(DiabloAuthTokenMiddlewareTest, self).setUp(
- expected_env=expected_env)
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v2,
- status_code=300)
-
- self.requests_mock.post("%s/v2.0/tokens" % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- self.token_id = self.examples.VALID_DIABLO_TOKEN
- token_response = self.examples.JSON_TOKEN_RESPONSES[self.token_id]
-
- url = "%s/v2.0/tokens/%s" % (BASE_URI, self.token_id)
- self.requests_mock.get(url, text=token_response)
-
- self.set_middleware()
-
- def test_valid_diablo_response(self):
- resp = self.call_middleware(headers={'X-Auth-Token': self.token_id})
- self.assertIn('keystone.token_info', resp.request.environ)
-
-
class CachePoolTest(BaseAuthTokenMiddlewareTest):
def test_use_cache_from_env(self):
# If `swift.cache` is set in the environment and `cache` is set in the
@@ -569,10 +511,7 @@ class CommonAuthTokenMiddlewareTest(object):
"""These tests are run once using v2 tokens and again using v3 tokens."""
def test_init_does_not_call_http(self):
- conf = {
- 'revocation_cache_time': '1'
- }
- self.create_simple_middleware(conf=conf)
+ self.create_simple_middleware(conf={})
self.assertLastPath(None)
def test_auth_with_no_token_does_not_call_http(self):
@@ -619,40 +558,6 @@ class CommonAuthTokenMiddlewareTest(object):
self.assert_valid_request_200(self.token_dict['uuid_token_default'])
self.assert_valid_last_url(self.token_dict['uuid_token_default'])
- def test_valid_signed_request(self):
- for _ in range(2): # Do it twice because first result was cached.
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped'])
- # ensure that signed requests do not generate HTTP traffic
- self.assertLastPath(None)
-
- def test_valid_signed_compressed_request(self):
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
- # ensure that signed requests do not generate HTTP traffic
- self.assertLastPath(None)
-
- def test_validate_offline_succeeds_for_unrevoked_token(self):
- token = self.middleware._validate_offline(
- self.token_dict['signed_token_scoped'],
- [self.token_dict['signed_token_scoped_hash']])
- self.assertIsInstance(token, dict)
-
- def test_verify_signed_compressed_token_succeeds_for_unrevoked_token(self):
- token = self.middleware._validate_offline(
- self.token_dict['signed_token_scoped_pkiz'],
- [self.token_dict['signed_token_scoped_hash']])
- self.assertIsInstance(token, dict)
-
- def test_validate_offline_token_succeeds_for_unrevoked_token_sha256(self):
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- token = self.middleware._validate_offline(
- self.token_dict['signed_token_scoped'],
- [self.token_dict['signed_token_scoped_hash_sha256'],
- self.token_dict['signed_token_scoped_hash']])
- self.assertIsInstance(token, dict)
-
def test_request_invalid_uuid_token(self):
# remember because we are testing the middleware we stub the connection
# to the keystone server, but this is not what gets returned
@@ -664,20 +569,6 @@ class CommonAuthTokenMiddlewareTest(object):
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
resp.headers['WWW-Authenticate'])
- def test_request_invalid_signed_token(self):
- token = self.examples.INVALID_SIGNED_TOKEN
- resp = self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
- self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
- resp.headers['WWW-Authenticate'])
-
- def test_request_invalid_signed_pkiz_token(self):
- token = self.examples.INVALID_SIGNED_PKIZ_TOKEN
- resp = self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
- self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
- resp.headers['WWW-Authenticate'])
-
def test_request_no_token(self):
resp = self.call_middleware(expected_status=401)
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
@@ -694,22 +585,11 @@ class CommonAuthTokenMiddlewareTest(object):
self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
resp.headers['WWW-Authenticate'])
- def _get_cached_token(self, token, mode='md5'):
- token_id = cms.cms_hash_token(token, mode=mode)
- return self.middleware._token_cache.get(token_id)
-
- def test_memcache(self):
- token = self.token_dict['signed_token_scoped']
- self.call_middleware(headers={'X-Auth-Token': token})
- self.assertIsNotNone(self._get_cached_token(token))
-
- def test_expired(self):
- token = self.token_dict['signed_token_scoped_expired']
- self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
+ def _get_cached_token(self, token):
+ return self.middleware._token_cache.get(token)
def test_memcache_set_invalid_uuid(self):
- invalid_uri = "%s/v2.0/tokens/invalid-token" % BASE_URI
+ invalid_uri = "%s/v3/tokens/invalid-token" % BASE_URI
self.requests_mock.get(invalid_uri, status_code=404)
token = 'invalid-token'
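Review bot: The mocked URL in `test_memcache_set_invalid_uuid`, `"%s/v3/tokens/invalid-token" % BASE_URI`, looks like a mechanical rewrite of the v2 path and probably never matches a request, since elsewhere in this diff v3 validation is asserted against `/v3/auth/tokens` with the token in `X-Subject-Token`. If so, the 404 that gets the token cached as invalid comes from another handler and this `requests_mock.get` is dead setup; the same applies to `test_memcache_hit_invalid_token` in the next hunk. Either drop the two mock lines or add `self.assertLastPath('/v3/auth/tokens')` so the test states which endpoint rejected the token. Separately, removing `test_memcache` and `test_expired` leaves this hunk with no positive cache-population check and no expired-token rejection; both could be kept against a UUID fixture if the examples provide one. Both test bodies continue outside the hunk.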
@@ -720,7 +600,7 @@ class CommonAuthTokenMiddlewareTest(object):
def test_memcache_hit_invalid_token(self):
token = 'invalid-token'
- invalid_uri = '%s/v2.0/tokens/invalid-token' % BASE_URI
+ invalid_uri = '%s/v3/tokens/invalid-token' % BASE_URI
self.requests_mock.get(invalid_uri, status_code=404)
# Call once to cache token's invalid state; verify it cached as such
@@ -743,7 +623,7 @@ class CommonAuthTokenMiddlewareTest(object):
conf.update(extra_conf)
self.set_middleware(conf=conf)
- token = self.token_dict['signed_token_scoped']
+ token = self.token_dict['uuid_token_default']
self.call_middleware(headers={'X-Auth-Token': token})
req = webob.Request.blank('/')
@@ -989,7 +869,7 @@ class CommonAuthTokenMiddlewareTest(object):
orig_cache_set = cache.set
cache.set = mock.Mock(side_effect=orig_cache_set)
- token = self.token_dict['signed_token_scoped']
+ token = self.token_dict['uuid_token_default']
self.call_middleware(headers={'X-Auth-Token': token})
@@ -1126,144 +1006,6 @@ class CommonAuthTokenMiddlewareTest(object):
resp.request.headers['X-Service-Identity-Status'])
-class V2CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def __init__(self, *args, **kwargs):
- super(V2CertDownloadMiddlewareTest, self).__init__(*args, **kwargs)
- self.auth_version = 'v2.0'
- self.fake_app = None
- self.ca_path = '/v2.0/certificates/ca'
- self.signing_path = '/v2.0/certificates/signing'
-
- def setUp(self):
- super(V2CertDownloadMiddlewareTest, self).setUp(
- auth_version=self.auth_version,
- fake_app=self.fake_app)
- self.logger = self.useFixture(fixtures.FakeLogger())
- self.base_dir = tempfile.mkdtemp()
- self.addCleanup(shutil.rmtree, self.base_dir)
- self.cert_dir = os.path.join(self.base_dir, 'certs')
- os.makedirs(self.cert_dir, stat.S_IRWXU)
- conf = {
- 'signing_dir': self.cert_dir,
- 'auth_version': self.auth_version,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v3,
- status_code=300)
-
- self.set_middleware(conf=conf)
-
- # Usually we supply a signed_dir with pre-installed certificates,
- # so invocation of /usr/bin/openssl succeeds. This time we give it
- # an empty directory, so it fails.
- def test_request_no_token_dummy(self):
- cms._ensure_subprocess()
-
- self.requests_mock.get('%s%s' % (BASE_URI, self.ca_path),
- status_code=404)
- self.requests_mock.get('%s%s' % (BASE_URI, self.signing_path),
- status_code=404)
-
- token = self.middleware._validate_offline(
- self.examples.SIGNED_TOKEN_SCOPED,
- [self.examples.SIGNED_TOKEN_SCOPED_HASH])
-
- self.assertIsNone(token)
-
- self.assertIn('Fetch certificate config failed', self.logger.output)
- self.assertIn('fallback to online validation', self.logger.output)
-
- def test_fetch_signing_cert(self):
- data = 'FAKE CERT'
- url = "%s%s" % (BASE_URI, self.signing_path)
- self.requests_mock.get(url, text=data)
- self.middleware._fetch_signing_cert()
-
- signing_cert_path = self.middleware._signing_directory.calc_path(
- self.middleware._SIGNING_CERT_FILE_NAME)
- with open(signing_cert_path, 'r') as f:
- self.assertEqual(f.read(), data)
-
- self.assertEqual(url, self.requests_mock.last_request.url)
-
- def test_fetch_signing_ca(self):
- data = 'FAKE CA'
- url = "%s%s" % (BASE_URI, self.ca_path)
- self.requests_mock.get(url, text=data)
- self.middleware._fetch_ca_cert()
-
- ca_file_path = self.middleware._signing_directory.calc_path(
- self.middleware._SIGNING_CA_FILE_NAME)
- with open(ca_file_path, 'r') as f:
- self.assertEqual(f.read(), data)
-
- self.assertEqual(url, self.requests_mock.last_request.url)
-
- def test_prefix_trailing_slash(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = '/newadmin/'
-
- base_url = '%s/newadmin' % BASE_HOST
- ca_url = "%s%s" % (base_url, self.ca_path)
- signing_url = "%s%s" % (base_url, self.signing_path)
-
- self.requests_mock.get(base_url,
- json=VERSION_LIST_v3,
- status_code=300)
- self.requests_mock.get(ca_url, text='FAKECA')
- self.requests_mock.get(signing_url, text='FAKECERT')
-
- self.set_middleware(conf=self.conf)
-
- self.middleware._fetch_ca_cert()
- self.assertEqual(ca_url, self.requests_mock.last_request.url)
-
- self.middleware._fetch_signing_cert()
- self.assertEqual(signing_url, self.requests_mock.last_request.url)
-
- def test_without_prefix(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = ''
-
- ca_url = "%s%s" % (BASE_HOST, self.ca_path)
- signing_url = "%s%s" % (BASE_HOST, self.signing_path)
-
- self.requests_mock.get(BASE_HOST,
- json=VERSION_LIST_v3,
- status_code=300)
- self.requests_mock.get(ca_url, text='FAKECA')
- self.requests_mock.get(signing_url, text='FAKECERT')
-
- self.set_middleware(conf=self.conf)
-
- self.middleware._fetch_ca_cert()
- self.assertEqual(ca_url, self.requests_mock.last_request.url)
-
- self.middleware._fetch_signing_cert()
- self.assertEqual(signing_url, self.requests_mock.last_request.url)
-
-
-class V3CertDownloadMiddlewareTest(V2CertDownloadMiddlewareTest):
-
- def __init__(self, *args, **kwargs):
- super(V3CertDownloadMiddlewareTest, self).__init__(*args, **kwargs)
- self.auth_version = 'v3.0'
- self.fake_app = v3FakeApp
- self.ca_path = '/v3/OS-SIMPLE-CERT/ca'
- self.signing_path = '/v3/OS-SIMPLE-CERT/certificates'
-
-
def network_error_response(request, context):
raise ksa_exceptions.ConnectFailure("Network connection refused.")
@@ -1273,190 +1015,6 @@ def request_timeout_response(request, context):
"Request to https://host/token/path timed out")
-class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- CommonAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
- """v2 token specific tests.
-
- There are some differences between how the auth-token middleware handles
- v2 and v3 tokens over and above the token formats, namely:
-
- - A v3 keystone server will auto scope a token to a user's default project
- if no scope is specified. A v2 server assumes that the auth-token
- middleware will do that.
- - A v2 keystone server may issue a token without a catalog, even with a
- tenant
-
- The tests below were originally part of the generic AuthTokenMiddlewareTest
- class, but now, since they really are v2 specific, they are included here.
-
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def setUp(self):
- super(v2AuthTokenMiddlewareTest, self).setUp()
-
- self.token_dict = {
- 'uuid_token_default': self.examples.UUID_TOKEN_DEFAULT,
- 'uuid_token_unscoped': self.examples.UUID_TOKEN_UNSCOPED,
- 'uuid_token_bind': self.examples.UUID_TOKEN_BIND,
- 'uuid_token_unknown_bind': self.examples.UUID_TOKEN_UNKNOWN_BIND,
- 'signed_token_scoped': self.examples.SIGNED_TOKEN_SCOPED,
- 'signed_token_scoped_pkiz': self.examples.SIGNED_TOKEN_SCOPED_PKIZ,
- 'signed_token_scoped_hash': self.examples.SIGNED_TOKEN_SCOPED_HASH,
- 'signed_token_scoped_hash_sha256':
- self.examples.SIGNED_TOKEN_SCOPED_HASH_SHA256,
- 'signed_token_scoped_expired':
- self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
- 'uuid_service_token_default':
- self.examples.UUID_SERVICE_TOKEN_DEFAULT,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v2,
- status_code=300)
-
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- for token in (self.examples.UUID_TOKEN_DEFAULT,
- self.examples.UUID_TOKEN_UNSCOPED,
- self.examples.UUID_TOKEN_BIND,
- self.examples.UUID_TOKEN_UNKNOWN_BIND,
- self.examples.UUID_TOKEN_NO_SERVICE_CATALOG,
- self.examples.UUID_SERVICE_TOKEN_DEFAULT,
- self.examples.SIGNED_TOKEN_SCOPED_KEY,
- self.examples.SIGNED_TOKEN_SCOPED_PKIZ_KEY,):
- url = "%s/v2.0/tokens/%s" % (BASE_URI, token)
- text = self.examples.JSON_TOKEN_RESPONSES[token]
- self.requests_mock.get(url, text=text)
-
- url = '%s/v2.0/tokens/%s' % (BASE_URI, ERROR_TOKEN)
- self.requests_mock.get(url, text=network_error_response)
-
- url = '%s/v2.0/tokens/%s' % (BASE_URI, TIMEOUT_TOKEN)
- self.requests_mock.get(url, text=request_timeout_response)
-
- self.set_middleware()
-
- def assert_unscoped_default_tenant_auto_scopes(self, token):
- """Unscoped v2 requests with a default tenant should ``auto-scope``.
-
- The implied scope is the user's tenant ID.
-
- """
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(FakeApp.SUCCESS, resp.body)
- self.assertIn('keystone.token_info', resp.request.environ)
-
- def assert_valid_last_url(self, token_id):
- self.assertLastPath("/v2.0/tokens/%s" % token_id)
-
- def test_default_tenant_uuid_token(self):
- self.assert_unscoped_default_tenant_auto_scopes(
- self.examples.UUID_TOKEN_DEFAULT)
-
- def test_default_tenant_signed_token(self):
- self.assert_unscoped_default_tenant_auto_scopes(
- self.examples.SIGNED_TOKEN_SCOPED)
-
- def assert_unscoped_token_receives_401(self, token):
- """Unscoped requests with no default tenant ID should be rejected."""
- resp = self.call_middleware(headers={'X-Auth-Token': token},
- expected_status=401)
- self.assertEqual('Keystone uri="https://keystone.example.com:1234"',
- resp.headers['WWW-Authenticate'])
-
- def test_unscoped_uuid_token_receives_401(self):
- self.assert_unscoped_token_receives_401(
- self.examples.UUID_TOKEN_UNSCOPED)
-
- def test_unscoped_pki_token_receives_401(self):
- self.assert_unscoped_token_receives_401(
- self.examples.SIGNED_TOKEN_UNSCOPED)
-
- def test_request_prevent_service_catalog_injection(self):
- token = self.examples.UUID_TOKEN_NO_SERVICE_CATALOG
- resp = self.call_middleware(headers={'X-Service-Catalog': '[]',
- 'X-Auth-Token': token})
-
- self.assertFalse(resp.request.headers.get('X-Service-Catalog'))
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- def test_user_plugin_token_properties(self):
- token = self.examples.UUID_TOKEN_DEFAULT
- token_data = self.examples.TOKEN_RESPONSES[token]
- service = self.examples.UUID_SERVICE_TOKEN_DEFAULT
-
- resp = self.call_middleware(headers={'X-Service-Catalog': '[]',
- 'X-Auth-Token': token,
- 'X-Service-Token': service})
-
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- token_auth = resp.request.environ['keystone.token_auth']
-
- self.assertTrue(token_auth.has_user_token)
- self.assertTrue(token_auth.has_service_token)
-
- self.assertEqual(token_data.user_id, token_auth.user.user_id)
- self.assertEqual(token_data.tenant_id, token_auth.user.project_id)
-
- self.assertThat(token_auth.user.role_names, matchers.HasLength(2))
- self.assertIn('role1', token_auth.user.role_names)
- self.assertIn('role2', token_auth.user.role_names)
-
- self.assertIsNone(token_auth.user.trust_id)
- self.assertIsNone(token_auth.user.user_domain_id)
- self.assertIsNone(token_auth.user.project_domain_id)
-
- self.assertThat(token_auth.service.role_names, matchers.HasLength(2))
- self.assertIn('service', token_auth.service.role_names)
- self.assertIn('service_role2', token_auth.service.role_names)
-
- self.assertIsNone(token_auth.service.trust_id)
-
-
-class CrossVersionAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def test_valid_uuid_request_forced_to_2_0(self):
- """Test forcing auth_token to use lower api version.
-
- By installing the v3 http hander, auth_token will be get
- a version list that looks like a v3 server - from which it
- would normally chose v3.0 as the auth version. However, here
- we specify v2.0 in the configuration - which should force
- auth_token to use that version instead.
-
- """
- conf = {
- 'auth_version': 'v2.0'
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v3,
- status_code=300)
-
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- token = self.examples.UUID_TOKEN_DEFAULT
- url = "%s/v2.0/tokens/%s" % (BASE_URI, token)
- text = self.examples.JSON_TOKEN_RESPONSES[token]
- self.requests_mock.get(url, text=text)
-
- self.set_middleware(conf=conf)
-
- # This tests will only work is auth_token has chosen to use the
- # lower, v2, api version
- self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(url, self.requests_mock.last_request.url)
-
-
class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
CommonAuthTokenMiddlewareTest,
testresources.ResourcedTestCase):
@@ -1468,19 +1026,7 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
This is done by configuring the AuthTokenMiddlewareTest class via
its Setup(), passing in v3 style data that will then be used by
- the tests themselves. This approach has been used to ensure we
- really are running the same tests for both v2 and v3 tokens.
-
- There a few additional specific test for v3 only:
-
- - We allow an unscoped token to be validated (as unscoped), where
- as for v2 tokens, the auth_token middleware is expected to try and
- auto-scope it (and fail if there is no default tenant)
- - Domain scoped tokens
-
- Since we don't specify an auth version for auth_token to use, by
- definition we are thefore implicitely testing that it will use
- the highest available auth version, i.e. v3.0
+ the tests themselves.
"""
@@ -1497,15 +1043,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
'uuid_token_bind': self.examples.v3_UUID_TOKEN_BIND,
'uuid_token_unknown_bind':
self.examples.v3_UUID_TOKEN_UNKNOWN_BIND,
- 'signed_token_scoped': self.examples.SIGNED_v3_TOKEN_SCOPED,
- 'signed_token_scoped_pkiz':
- self.examples.SIGNED_v3_TOKEN_SCOPED_PKIZ,
- 'signed_token_scoped_hash':
- self.examples.SIGNED_v3_TOKEN_SCOPED_HASH,
- 'signed_token_scoped_hash_sha256':
- self.examples.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256,
- 'signed_token_scoped_expired':
- self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
'uuid_service_token_default':
self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT,
}
@@ -1600,39 +1137,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.examples.v3_UUID_TOKEN_DOMAIN_SCOPED)
self.assertLastPath('/v3/auth/tokens')
- def test_gives_v2_catalog(self):
- self.set_middleware()
- req = self.assert_valid_request_200(
- self.examples.SIGNED_v3_TOKEN_SCOPED)
-
- catalog = jsonutils.loads(req.headers['X-Service-Catalog'])
-
- for service in catalog:
- for endpoint in service['endpoints']:
- # no point checking everything, just that it's in v2 format
- self.assertIn('adminURL', endpoint)
- self.assertIn('publicURL', endpoint)
- self.assertIn('internalURL', endpoint)
-
- def test_fallback_to_online_validation_with_signing_error(self):
- self.requests_mock.get('%s/v3/OS-SIMPLE-CERT/certificates' % BASE_URI,
- status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_fallback_to_online_validation_with_ca_error(self):
- self.requests_mock.get('%s/v3/OS-SIMPLE-CERT/ca' % BASE_URI,
- status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_fallback_to_online_validation_with_revocation_list_error(self):
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
def test_user_plugin_token_properties(self):
token = self.examples.v3_UUID_TOKEN_DEFAULT
token_data = self.examples.TOKEN_RESPONSES[token]
@@ -1734,6 +1238,110 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
e = self.requests_mock.request_history[3].qs.get('allow_expired')
self.assertIsNone(e)
+ def test_app_cred_token_without_access_rules(self):
+ self.set_middleware(conf={'service_type': 'compute'})
+ token = self.examples.v3_APP_CRED_TOKEN
+ token_data = self.examples.TOKEN_RESPONSES[token]
+ resp = self.call_middleware(headers={'X-Auth-Token': token})
+ self.assertEqual(FakeApp.SUCCESS, resp.body)
+ token_auth = resp.request.environ['keystone.token_auth']
+ self.assertEqual(token_data.application_credential_id,
+ token_auth.user.application_credential_id)
+
+ def test_app_cred_access_rules_token(self):
+ self.set_middleware(conf={'service_type': 'compute'})
+ token = self.examples.v3_APP_CRED_ACCESS_RULES
+ token_data = self.examples.TOKEN_RESPONSES[token]
+ resp = self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=200,
+ method='GET', path='/v2.1/servers')
+ token_auth = resp.request.environ['keystone.token_auth']
+ self.assertEqual(token_data.application_credential_id,
+ token_auth.user.application_credential_id)
+ self.assertEqual(token_data.application_credential_access_rules,
+ token_auth.user.application_credential_access_rules)
+ resp = self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET',
+ path='/v2.1/servers/someuuid')
+ token_auth = resp.request.environ['keystone.token_auth']
+ self.assertEqual(token_data.application_credential_id,
+ token_auth.user.application_credential_id)
+ self.assertEqual(token_data.application_credential_access_rules,
+ token_auth.user.application_credential_access_rules)
+
+ def test_app_cred_access_rules_service_request(self):
+ self.set_middleware(conf={'service_type': 'image'})
+ token = self.examples.v3_APP_CRED_ACCESS_RULES
+ headers = {'X-Auth-Token': token}
+ self.call_middleware(headers=headers,
+ expected_status=401,
+ method='GET', path='/v2/images')
+ service_token = self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT
+ headers['X-Service-Token'] = service_token
+ self.call_middleware(headers=headers,
+ expected_status=200,
+ method='GET', path='/v2/images')
+
+ def test_app_cred_no_access_rules_token(self):
+ self.set_middleware(conf={'service_type': 'compute'})
+ token = self.examples.v3_APP_CRED_EMPTY_ACCESS_RULES
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v2.1/servers')
+ service_token = self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT
+ headers = {
+ 'X-Auth-Token': token,
+ 'X-Service-Token': service_token
+ }
+ self.call_middleware(headers=headers, expected_status=401,
+ method='GET', path='/v2.1/servers')
+
+ def test_app_cred_matching_rules(self):
+ self.set_middleware(conf={'service_type': 'compute'})
+ token = self.examples.v3_APP_CRED_MATCHING_RULES
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=200,
+ method='GET', path='/v2.1/servers/foobar')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v2.1/servers/foobar/barfoo')
+ self.set_middleware(conf={'service_type': 'image'})
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=200,
+ method='GET', path='/v2/images/foobar')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v2/images/foobar/barfoo')
+ self.set_middleware(conf={'service_type': 'identity'})
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=200,
+ method='GET',
+ path='/v3/projects/123/users/456/roles/member')
+ self.set_middleware(conf={'service_type': 'block-storage'})
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=200,
+ method='GET', path='/v3/123/types/456')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v3/123/types')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v2/123/types/456')
+ self.set_middleware(conf={'service_type': 'object-store'})
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=200,
+ method='GET', path='/v1/1/2/3')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v1/1/2')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/v2/1/2')
+ self.call_middleware(headers={'X-Auth-Token': token},
+ expected_status=401,
+ method='GET', path='/info')
+
class DelayedAuthTests(BaseAuthTokenMiddlewareTest):
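Review bot: The access-rule tests added here vary only `path` and `service_type`; every call uses `method='GET'`, so nothing in the hunk shows that a request is rejected when the path matches a rule but the HTTP method does not. Assuming the `v3_APP_CRED_MATCHING_RULES` fixture grants GET only, a negative case such as `self.call_middleware(headers={'X-Auth-Token': token}, expected_status=401, method='POST', path='/v2.1/servers/foobar')` would pin that. `test_app_cred_matching_rules` also walks five service types in one method, so the first failing assertion hides the rest; one test per service type would localise failures. The names `test_app_cred_token_without_access_rules` and `test_app_cred_no_access_rules_token` are easy to confuse, and the latter actually exercises `v3_APP_CRED_EMPTY_ACCESS_RULES`.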
@@ -1743,7 +1351,7 @@ class DelayedAuthTests(BaseAuthTokenMiddlewareTest):
if request.headers.get('X-Subject-Token') == ERROR_TOKEN:
msg = 'Network connection refused.'
- raise ksc_exceptions.ConnectionRefused(msg)
+ raise ksa_exceptions.ConnectFailure(msg)
# All others just fail
context.status_code = 404
@@ -1753,7 +1361,7 @@ class DelayedAuthTests(BaseAuthTokenMiddlewareTest):
body = uuid.uuid4().hex
www_authenticate_uri = 'http://local.test'
conf = {'delay_auth_decision': 'True',
- 'auth_version': 'v3.0',
+ 'auth_version': 'v3',
'www_authenticate_uri': www_authenticate_uri}
middleware = self.create_simple_middleware(status='401 Unauthorized',
@@ -2057,59 +1665,6 @@ class CommonCompositeAuthTests(object):
bind_level='required')
-class v2CompositeAuthTests(BaseAuthTokenMiddlewareTest,
- CommonCompositeAuthTests,
- testresources.ResourcedTestCase):
- """Test auth_token middleware with v2 token based composite auth.
-
- Execute the Composite auth class tests, but with the
- auth_token middleware configured to expect v2 tokens back from
- a keystone server.
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def setUp(self):
- super(v2CompositeAuthTests, self).setUp(
- expected_env=EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE,
- fake_app=CompositeFakeApp)
-
- uuid_token_default = self.examples.UUID_TOKEN_DEFAULT
- uuid_service_token_default = self.examples.UUID_SERVICE_TOKEN_DEFAULT
- uuid_token_bind = self.examples.UUID_TOKEN_BIND
- uuid_service_token_bind = self.examples.UUID_SERVICE_TOKEN_BIND
- self.token_dict = {
- 'uuid_token_default': uuid_token_default,
- 'uuid_service_token_default': uuid_service_token_default,
- 'uuid_token_bind': uuid_token_bind,
- 'uuid_service_token_bind': uuid_service_token_bind,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v2,
- status_code=300)
-
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- for token in (self.examples.UUID_TOKEN_DEFAULT,
- self.examples.UUID_SERVICE_TOKEN_DEFAULT,
- self.examples.UUID_TOKEN_BIND,
- self.examples.UUID_SERVICE_TOKEN_BIND):
- text = self.examples.JSON_TOKEN_RESPONSES[token]
- self.requests_mock.get('%s/v2.0/tokens/%s' % (BASE_URI, token),
- text=text)
-
- for invalid_uri in ("%s/v2.0/tokens/invalid-token" % BASE_URI,
- "%s/v2.0/tokens/invalid-service-token" % BASE_URI):
- self.requests_mock.get(invalid_uri, text='', status_code=404)
-
- self.token_expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
- self.service_token_expected_env = dict(
- EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
- self.set_middleware()
-
-
class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
CommonCompositeAuthTests,
testresources.ResourcedTestCase):
@@ -2124,7 +1679,7 @@ class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
def setUp(self):
super(v3CompositeAuthTests, self).setUp(
- auth_version='v3.0',
+ auth_version='v3',
fake_app=v3CompositeFakeApp)
uuid_token_default = self.examples.v3_UUID_TOKEN_DEFAULT
@@ -2167,7 +1722,7 @@ class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
if token_id == ERROR_TOKEN:
msg = "Network connection refused."
- raise ksc_exceptions.ConnectionRefused(msg)
+ raise ksa_exceptions.ConnectFailure(msg)
elif token_id == TIMEOUT_TOKEN:
request_timeout_response(request, context)
@@ -2195,7 +1750,7 @@ class OtherTests(BaseAuthTokenMiddlewareTest):
self.call_middleware(headers={'X-Auth-Token': uuid.uuid4().hex},
expected_status=503)
- self.assertIn('versions [v3.0, v2.0]', self.logger.output)
+ self.assertIn('versions [v3.0]', self.logger.output)
def _assert_auth_version(self, conf_version, identity_server_version):
self.set_middleware(conf={'auth_version': conf_version})
@@ -2204,8 +1759,6 @@ class OtherTests(BaseAuthTokenMiddlewareTest):
identity_server.auth_version)
def test_micro_version(self):
- self._assert_auth_version('v2', (2, 0))
- self._assert_auth_version('v2.0', (2, 0))
self._assert_auth_version('v3', (3, 0))
self._assert_auth_version('v3.0', (3, 0))
self._assert_auth_version('v3.1', (3, 0))
@@ -2219,14 +1772,10 @@ class OtherTests(BaseAuthTokenMiddlewareTest):
self.requests_mock.get(BASE_URI, json=VERSION_LIST_v3, status_code=300)
self._assert_auth_version(None, (3, 0))
- # VERSION_LIST_v2 contains only v2 version elements
- self.requests_mock.get(BASE_URI, json=VERSION_LIST_v2, status_code=300)
- self._assert_auth_version(None, (2, 0))
-
def test_unsupported_auth_version(self):
- # If the requested version isn't supported we will use v2
- self._assert_auth_version('v1', (2, 0))
- self._assert_auth_version('v10', (2, 0))
+ # If the requested version isn't supported we will use v3
+ self._assert_auth_version('v1', (3, 0))
+ self._assert_auth_version('v10', (3, 0))
class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest):
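Review bot: `test_unsupported_auth_version` now pins `'v1'` and `'v10'` to `(3, 0)`, but `'v2.0'`, the value existing deployments are most likely to carry, is no longer asserted in the visible hunks after its lines were removed from `test_micro_version`. Adding `self._assert_auth_version('v2.0', (3, 0))` (or whatever the implementation actually returns) would document whether a stale v2 setting is silently upgraded or rejected. If it is silently upgraded, an assertion on `self.logger.output` for a warning would make the change visible to operators. The implementation is outside this hunk, so the fallback behaviour is inferred from the updated comment.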
@@ -2236,9 +1785,7 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest):
KEYSTONE_BASE_URL = 'http://keystone.url/prefix'
CRUD_URL = 'http://crud.url/prefix'
- # NOTE(jamielennox): use the /v2.0 prefix here because this is what's most
- # likely to be in the service catalog and we should be able to ignore it.
- KEYSTONE_URL = KEYSTONE_BASE_URL + '/v2.0'
+ KEYSTONE_URL = KEYSTONE_BASE_URL + '/v3'
def setUp(self):
super(AuthProtocolLoadingTests, self).setUp()
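Review bot: The removed NOTE was the only explanation of why `KEYSTONE_URL` carries a version suffix at all, and the suffix is kept (`'/v3'`), so the reason is now lost. If the intent is still that a versioned catalog URL must be tolerated, a comment such as `# Versioned on purpose: catalog entries usually carry a version suffix and auth_token should ignore it.` above the assignment would preserve it. The class body continues outside the hunk.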
diff --git a/keystonemiddleware/tests/unit/auth_token/test_request.py b/keystonemiddleware/tests/unit/auth_token/test_request.py
index bd8a7b3..011525f 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_request.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_request.py
@@ -224,7 +224,7 @@ class CatalogConversionTests(utils.TestCase):
auth_ref = access.create(body=token)
catalog_data = auth_ref.service_catalog.catalog
- catalog = _request._v3_to_v2_catalog(catalog_data)
+ catalog = _request._normalize_catalog(catalog_data)
self.assertEqual(1, len(catalog))
service = catalog[0]
@@ -248,7 +248,7 @@ class CatalogConversionTests(utils.TestCase):
auth_ref = access.create(body=token)
catalog_data = auth_ref.service_catalog.catalog
- catalog = _request._v3_to_v2_catalog(catalog_data)
+ catalog = _request._normalize_catalog(catalog_data)
self.assertEqual(1, len(catalog))
service = catalog[0]
diff --git a/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py b/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py
deleted file mode 100644
index 5664d7d..0000000
--- a/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py
+++ /dev/null
@@ -1,145 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import shutil
-import stat
-import uuid
-
-from keystonemiddleware.auth_token import _signing_dir
-from keystonemiddleware.tests.unit import utils
-
-
-class SigningDirectoryTests(utils.BaseTestCase):
-
- def test_directory_created_when_doesnt_exist(self):
- # When _SigningDirectory is created, if the directory doesn't exist
- # it's created with the expected permissions.
- tmp_name = uuid.uuid4().hex
- parent_directory = '/tmp/%s' % tmp_name
- directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
-
- # Directories are created by __init__.
- _signing_dir.SigningDirectory(directory_name)
- self.addCleanup(shutil.rmtree, parent_directory)
-
- self.assertTrue(os.path.isdir(directory_name))
- self.assertTrue(os.access(directory_name, os.W_OK))
- self.assertEqual(os.stat(directory_name).st_uid, os.getuid())
- self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode),
- stat.S_IRWXU)
-
- def test_use_directory_already_exists(self):
- # The directory can already exist.
-
- tmp_name = uuid.uuid4().hex
- parent_directory = '/tmp/%s' % tmp_name
- directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
- os.makedirs(directory_name, stat.S_IRWXU)
- self.addCleanup(shutil.rmtree, parent_directory)
-
- _signing_dir.SigningDirectory(directory_name)
-
- def test_write_file(self):
- # write_file when the file doesn't exist creates the file.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_path = signing_directory.calc_path(file_name)
- with open(file_path) as f:
- actual_contents = f.read()
-
- self.assertEqual(contents, actual_contents)
-
- def test_replace_file(self):
- # write_file when the file already exists overwrites it.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- orig_contents = self.getUniqueString()
- signing_directory.write_file(file_name, orig_contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- new_contents = self.getUniqueString()
- signing_directory.write_file(file_name, new_contents)
-
- file_path = signing_directory.calc_path(file_name)
- with open(file_path) as f:
- actual_contents = f.read()
-
- self.assertEqual(new_contents, actual_contents)
-
- def test_recreate_directory(self):
- # If the original directory is lost, it gets recreated when a file
- # is written.
-
- signing_directory = _signing_dir.SigningDirectory()
- original_file_name = self.getUniqueString()
- original_contents = self.getUniqueString()
- signing_directory.write_file(original_file_name, original_contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- # Delete the directory.
- shutil.rmtree(signing_directory._directory_name)
-
- new_file_name = self.getUniqueString()
- new_contents = self.getUniqueString()
- signing_directory.write_file(new_file_name, new_contents)
-
- actual_contents = signing_directory.read_file(new_file_name)
- self.assertEqual(new_contents, actual_contents)
-
- def test_read_file(self):
- # Can read a file that was written.
-
- signing_directory = _signing_dir.SigningDirectory()
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- actual_contents = signing_directory.read_file(file_name)
-
- self.assertEqual(contents, actual_contents)
-
- def test_read_file_doesnt_exist(self):
- # Show what happens when try to read a file that wasn't written.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- self.assertRaises(IOError, signing_directory.read_file, file_name)
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- def test_calc_path(self):
- # calc_path returns the actual filename built from the directory name.
-
- signing_directory = _signing_dir.SigningDirectory()
-
- file_name = self.getUniqueString()
- actual_path = signing_directory.calc_path(file_name)
-
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- expected_path = os.path.join(signing_directory._directory_name,
- file_name)
- self.assertEqual(expected_path, actual_path)
diff --git a/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py b/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py
index 8749993..554b2c3 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py
@@ -80,72 +80,6 @@ class BaseUserPluginTests(object):
self.assertTokenDataEqual(service_id, service, plugin.service)
-class V2UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
-
- def setUp(self):
- super(V2UserPluginTests, self).setUp()
-
- self.service_token = fixture.V2Token()
- self.service_token.set_scope()
- s = self.service_token.add_service('identity', name='keystone')
-
- s.add_endpoint(public=BASE_URI,
- admin=BASE_URI,
- internal=BASE_URI)
-
- self.configure_middleware(auth_type='v2password',
- auth_url='%s/v2.0/' % AUTH_URL,
- user_id=self.service_token.user_id,
- password=uuid.uuid4().hex,
- tenant_id=self.service_token.tenant_id)
-
- auth_discovery = fixture.DiscoveryList(href=AUTH_URL, v3=False)
- self.requests_mock.get(AUTH_URL, json=auth_discovery)
-
- base_discovery = fixture.DiscoveryList(href=BASE_URI, v3=False)
- self.requests_mock.get(BASE_URI, json=base_discovery)
-
- url = '%s/v2.0/tokens' % AUTH_URL
- self.requests_mock.post(url, json=self.service_token)
-
- def get_role_names(self, token):
- return [x['name'] for x in token['access']['user'].get('roles', [])]
-
- def get_token(self, service=False):
- token = fixture.V2Token()
- token.set_scope()
- token.add_role()
- if service:
- token.add_role('service')
-
- request_headers = {'X-Auth-Token': self.service_token.token_id}
-
- url = '%s/v2.0/tokens/%s' % (BASE_URI, token.token_id)
- self.requests_mock.get(url,
- request_headers=request_headers,
- json=token)
-
- return token.token_id, token
-
- def assertTokenDataEqual(self, token_id, token, token_data):
- super(V2UserPluginTests, self).assertTokenDataEqual(token_id,
- token,
- token_data)
-
- self.assertEqual(token.tenant_id, token_data.project_id)
- self.assertIsNone(token_data.user_domain_id)
- self.assertIsNone(token_data.project_domain_id)
-
- def test_trust_scope(self):
- token_id, token = self.get_token()
- token.set_trust()
-
- plugin = self.get_plugin(token_id)
- self.assertEqual(token.trust_id, plugin.user.trust_id)
- self.assertEqual(token.trustee_user_id, plugin.user.trustee_user_id)
- self.assertIsNone(plugin.user.trustor_user_id)
-
-
class V3UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
def setUp(self):
diff --git a/keystonemiddleware/tests/unit/client_fixtures.py b/keystonemiddleware/tests/unit/client_fixtures.py
index 9f56804..27ba482 100644
--- a/keystonemiddleware/tests/unit/client_fixtures.py
+++ b/keystonemiddleware/tests/unit/client_fixtures.py
@@ -17,24 +17,12 @@ import uuid
import fixtures
from keystoneauth1 import fixture
-from keystoneclient.common import cms
-from keystoneclient import utils
from oslo_serialization import jsonutils
-import six
import testresources
TESTDIR = os.path.dirname(os.path.abspath(__file__))
ROOTDIR = os.path.normpath(os.path.join(TESTDIR, '..', '..', '..'))
-CERTDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'certs')
-CMSDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'cms')
-KEYDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'private')
-
-
-def _hash_signed_token_safe(signed_text, **kwargs):
- if isinstance(signed_text, six.text_type):
- signed_text = signed_text.encode('utf-8')
- return utils.hash_signed_token(signed_text, **kwargs)
class Examples(fixtures.Fixture):
@@ -55,60 +43,14 @@ class Examples(fixtures.Fixture):
def setUp(self):
super(Examples, self).setUp()
- # The data for several tests are signed using openssl and are stored in
- # files in the signing subdirectory. In order to keep the values
- # consistent between the tests and the signed documents, we read them
- # in for use in the tests.
- with open(os.path.join(CMSDIR, 'auth_token_scoped.json')) as f:
- self.TOKEN_SCOPED_DATA = cms.cms_to_token(f.read())
-
- with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f:
- self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read())
- self.SIGNED_TOKEN_SCOPED_HASH = _hash_signed_token_safe(
- self.SIGNED_TOKEN_SCOPED)
- self.SIGNED_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
- self.SIGNED_TOKEN_SCOPED, mode='sha256')
- with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f:
- self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f:
- self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read())
- self.SIGNED_v3_TOKEN_SCOPED_HASH = _hash_signed_token_safe(
- self.SIGNED_v3_TOKEN_SCOPED)
- self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
- self.SIGNED_v3_TOKEN_SCOPED, mode='sha256')
- with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f:
- self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f:
- self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f:
- self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f:
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR,
- 'auth_token_scoped_expired.pkiz')) as f:
- self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read())
-
- self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem')
- with open(self.SIGNING_CERT_FILE) as f:
- self.SIGNING_CERT = f.read()
-
self.KERBEROS_BIND = 'USER@REALM'
self.SERVICE_KERBEROS_BIND = 'SERVICE_USER@SERVICE_REALM'
- self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem')
- with open(self.SIGNING_KEY_FILE) as f:
- self.SIGNING_KEY = f.read()
-
- self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem')
- with open(self.SIGNING_CA_FILE) as f:
- self.SIGNING_CA = f.read()
-
self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d"
self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df'
self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776'
self.UUID_TOKEN_BIND = '3fc54048ad64405c98225ce0897af7c5'
self.UUID_TOKEN_UNKNOWN_BIND = '8885fdf4d42e4fb9879e6379fa1eaf48'
- self.VALID_DIABLO_TOKEN = 'b0cf19b55dbb4f20a6ee18e6c6cf1726'
self.v3_UUID_TOKEN_DEFAULT = '5603457654b346fdbb93437bfe76f2f1'
self.v3_UUID_TOKEN_UNSCOPED = 'd34835fdaec447e695a0a024d84f8d79'
self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792'
@@ -121,57 +63,11 @@ class Examples(fixtures.Fixture):
self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229'
self.v3_UUID_SERVICE_TOKEN_BIND = 'be705e4426d0449a89e35ae21c380a05'
self.v3_NOT_IS_ADMIN_PROJECT = uuid.uuid4().hex
- self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_SCOPED)
- self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_UNSCOPED)
- self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_v3_TOKEN_SCOPED)
-
- self.SIGNED_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_SCOPED_PKIZ)
- self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_UNSCOPED_PKIZ)
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ)
-
- self.INVALID_SIGNED_TOKEN = (
- "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
- "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
- "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "1111111111111111111111111111111111111111111111111111111111111111"
- "2222222222222222222222222222222222222222222222222222222222222222"
- "3333333333333333333333333333333333333333333333333333333333333333"
- "4444444444444444444444444444444444444444444444444444444444444444"
- "5555555555555555555555555555555555555555555555555555555555555555"
- "6666666666666666666666666666666666666666666666666666666666666666"
- "7777777777777777777777777777777777777777777777777777777777777777"
- "8888888888888888888888888888888888888888888888888888888888888888"
- "9999999999999999999999999999999999999999999999999999999999999999"
- "0000000000000000000000000000000000000000000000000000000000000000")
-
- self.INVALID_SIGNED_PKIZ_TOKEN = (
- "PKIZ_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
- "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
- "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "1111111111111111111111111111111111111111111111111111111111111111"
- "2222222222222222222222222222222222222222222222222222222222222222"
- "3333333333333333333333333333333333333333333333333333333333333333"
- "4444444444444444444444444444444444444444444444444444444444444444"
- "5555555555555555555555555555555555555555555555555555555555555555"
- "6666666666666666666666666666666666666666666666666666666666666666"
- "7777777777777777777777777777777777777777777777777777777777777777"
- "8888888888888888888888888888888888888888888888888888888888888888"
- "9999999999999999999999999999999999999999999999999999999999999999"
- "0000000000000000000000000000000000000000000000000000000000000000")
+
+ self.v3_APP_CRED_TOKEN = '6f506fa9641448bbaecbd12dd30678a9'
+ self.v3_APP_CRED_ACCESS_RULES = 'c417747898c44629b08791f2579e40a5'
+ self.v3_APP_CRED_EMPTY_ACCESS_RULES = 'c75905c307f04fdd9979126582d7aae'
+ self.v3_APP_CRED_MATCHING_RULES = 'ad49decc7106489d95ca9ed874b6cb66'
# JSON responses keyed by token ID
self.TOKEN_RESPONSES = {}
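Review bot: `v3_APP_CRED_EMPTY_ACCESS_RULES` is 31 characters long, one short of the 32-character hex IDs given to the other three application-credential tokens added beside it, so it looks like a truncated paste. The value is only used as a key into `TOKEN_RESPONSES` in the lines shown, so nothing visible breaks, but any code path that treats token IDs by length or format would see this fixture differently from its siblings. Either restore the missing digit or generate the value the way `v3_NOT_IS_ADMIN_PROJECT` is, with `self.v3_APP_CRED_EMPTY_ACCESS_RULES = uuid.uuid4().hex`. `setUp` continues outside this hunk.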
@@ -195,30 +91,12 @@ class Examples(fixtures.Fixture):
SERVICE_ROLE_NAME1 = 'service'
SERVICE_ROLE_NAME2 = 'service_role2'
+ APP_CRED_ID = 'app_cred_id1'
+
self.SERVICE_TYPE = 'identity'
self.UNVERSIONED_SERVICE_URL = 'https://keystone.example.com:1234/'
self.SERVICE_URL = self.UNVERSIONED_SERVICE_URL + 'v2.0'
- # Old Tokens
-
- self.TOKEN_RESPONSES[self.VALID_DIABLO_TOKEN] = {
- 'access': {
- 'token': {
- 'id': self.VALID_DIABLO_TOKEN,
- 'expires': '2020-01-01T00:00:10.000123Z',
- 'tenantId': PROJECT_ID,
- },
- 'user': {
- 'id': USER_ID,
- 'name': USER_NAME,
- 'roles': [
- {'name': ROLE_NAME1},
- {'name': ROLE_NAME2},
- ],
- },
- },
- }
-
# Generated V2 Tokens
token = fixture.V2Token(token_id=self.UUID_TOKEN_DEFAULT,
@@ -246,20 +124,6 @@ class Examples(fixtures.Fixture):
token.add_role(ROLE_NAME2)
self.TOKEN_RESPONSES[self.UUID_TOKEN_NO_SERVICE_CATALOG] = token
- token = fixture.V2Token(token_id=self.SIGNED_TOKEN_SCOPED_KEY,
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(ROLE_NAME1)
- token.add_role(ROLE_NAME2)
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = token
-
- token = fixture.V2Token(token_id=self.SIGNED_TOKEN_UNSCOPED_KEY,
- user_id=USER_ID,
- user_name=USER_NAME)
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY] = token
-
token = fixture.V2Token(token_id=self.UUID_TOKEN_BIND,
tenant_id=PROJECT_ID,
tenant_name=PROJECT_NAME,
@@ -359,7 +223,6 @@ class Examples(fixtures.Fixture):
token.add_role(name=ROLE_NAME2)
svc = token.add_service(self.SERVICE_TYPE)
svc.add_endpoint('public', self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY] = token
token = fixture.V3Token(user_id=USER_ID,
user_name=USER_NAME,
@@ -437,14 +300,122 @@ class Examples(fixtures.Fixture):
svc.add_endpoint('public', self.SERVICE_URL)
self.TOKEN_RESPONSES[self.v3_NOT_IS_ADMIN_PROJECT] = token
- # PKIZ tokens generally link to above tokens
-
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY])
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY])
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY])
+ # Application credential token
+ token = fixture.V3Token(user_id=USER_ID,
+ user_name=USER_NAME,
+ user_domain_id=DOMAIN_ID,
+ user_domain_name=DOMAIN_NAME,
+ project_id=PROJECT_ID,
+ project_name=PROJECT_NAME,
+ project_domain_id=DOMAIN_ID,
+ project_domain_name=DOMAIN_NAME,
+ application_credential_id=APP_CRED_ID)
+ token.add_role(name=ROLE_NAME1)
+ token.add_role(name=ROLE_NAME2)
+ svc = token.add_service(self.SERVICE_TYPE)
+ svc.add_endpoint('public', self.SERVICE_URL)
+ svc = token.add_service('compute')
+ svc.add_endpoint('public', 'https://nova.openstack.example.org/v2.1')
+ self.TOKEN_RESPONSES[self.v3_APP_CRED_TOKEN] = token
+
+ # Application credential with access_rules token
+ access_rules = [{
+ 'path': '/v2.1/servers',
+ 'method': 'GET',
+ 'service': 'compute'
+ }]
+ token = fixture.V3Token(
+ user_id=USER_ID,
+ user_name=USER_NAME,
+ user_domain_id=DOMAIN_ID,
+ user_domain_name=DOMAIN_NAME,
+ project_id=PROJECT_ID,
+ project_name=PROJECT_NAME,
+ project_domain_id=DOMAIN_ID,
+ project_domain_name=DOMAIN_NAME,
+ application_credential_id=APP_CRED_ID,
+ application_credential_access_rules=access_rules)
+ token.add_role(name=ROLE_NAME1)
+ token.add_role(name=ROLE_NAME2)
+ svc = token.add_service(self.SERVICE_TYPE)
+ svc.add_endpoint('public', self.SERVICE_URL)
+ svc = token.add_service('compute')
+ svc.add_endpoint('public', 'https://nova.openstack.example.org')
+ svc = token.add_service('image')
+ svc.add_endpoint('public', 'https://glance.openstack.example.org')
+ self.TOKEN_RESPONSES[self.v3_APP_CRED_ACCESS_RULES] = token
+
+ # Application credential with explicitly empty access_rules
+ access_rules = []
+ token = fixture.V3Token(
+ user_id=USER_ID,
+ user_name=USER_NAME,
+ user_domain_id=DOMAIN_ID,
+ user_domain_name=DOMAIN_NAME,
+ project_id=PROJECT_ID,
+ project_name=PROJECT_NAME,
+ project_domain_id=DOMAIN_ID,
+ project_domain_name=DOMAIN_NAME,
+ application_credential_id=APP_CRED_ID,
+ application_credential_access_rules=access_rules)
+ token.add_role(name=ROLE_NAME1)
+ token.add_role(name=ROLE_NAME2)
+ svc = token.add_service(self.SERVICE_TYPE)
+ svc.add_endpoint('public', self.SERVICE_URL)
+ self.TOKEN_RESPONSES[self.v3_APP_CRED_EMPTY_ACCESS_RULES] = token
+
+ # Application credential with matching rules
+ access_rules = [
+ {
+ 'path': '/v2.1/servers/{server_id}',
+ 'method': 'GET',
+ 'service': 'compute'
+ },
+ {
+ 'path': '/v2/images/*',
+ 'method': 'GET',
+ 'service': 'image'
+ },
+ {
+ 'path': '**',
+ 'method': 'GET',
+ 'service': 'identity'
+ },
+ {
+ 'path': '/v3/{project_id}/types/{volume_type_id}',
+ 'method': 'GET',
+ 'service': 'block-storage'
+ },
+ {
+ 'path': '/v1/*/*/*',
+ 'method': 'GET',
+ 'service': 'object-store'
+ }
+ ]
+ token = fixture.V3Token(
+ user_id=USER_ID,
+ user_name=USER_NAME,
+ user_domain_id=DOMAIN_ID,
+ user_domain_name=DOMAIN_NAME,
+ project_id=PROJECT_ID,
+ project_name=PROJECT_NAME,
+ project_domain_id=DOMAIN_ID,
+ project_domain_name=DOMAIN_NAME,
+ application_credential_id=APP_CRED_ID,
+ application_credential_access_rules=access_rules)
+ token.add_role(name=ROLE_NAME1)
+ token.add_role(name=ROLE_NAME2)
+ svc = token.add_service(self.SERVICE_TYPE)
+ svc.add_endpoint('public', self.SERVICE_URL)
+ svc = token.add_service('compute')
+ svc.add_endpoint('public', 'https://nova.openstack.example.org')
+ svc = token.add_service('image')
+ svc.add_endpoint('public', 'https://glance.openstack.example.org')
+ svc = token.add_service('block-storage')
+ svc.add_endpoint('public', 'https://cinder.openstack.example.org')
+ svc = token.add_service('object-store')
+ svc.add_endpoint('public', 'https://swift.openstack.example.org')
+ self.TOKEN_RESPONSES[self.v3_APP_CRED_MATCHING_RULES] = token
self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in
self.TOKEN_RESPONSES.items()])
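Review bot: The four application-credential fixtures added here repeat the same ten-argument `fixture.V3Token(...)` call and the same role and identity-service setup, differing only in `access_rules` and the extra catalog entries, which buries the differences the access-rule tests depend on. A small local helper inside `setUp` would reduce each fixture to one call and make the "no access_rules" versus "explicitly empty access_rules" distinction visible in one place. Note also that the first fixture registers the compute endpoint as `https://nova.openstack.example.org/v2.1` while the later ones omit the version suffix; if that is deliberate it deserves a comment. `setUp` starts and ends outside this hunk.

```python
def app_cred_token(services, access_rules=None):
    # access_rules=None leaves the attribute off the token entirely;
    # an empty list is passed through as an explicitly empty rule set.
    extra = {}
    if access_rules is not None:
        extra['application_credential_access_rules'] = access_rules
    token = fixture.V3Token(user_id=USER_ID,
                            user_name=USER_NAME,
                            user_domain_id=DOMAIN_ID,
                            user_domain_name=DOMAIN_NAME,
                            project_id=PROJECT_ID,
                            project_name=PROJECT_NAME,
                            project_domain_id=DOMAIN_ID,
                            project_domain_name=DOMAIN_NAME,
                            application_credential_id=APP_CRED_ID,
                            **extra)
    token.add_role(name=ROLE_NAME1)
    token.add_role(name=ROLE_NAME2)
    svc = token.add_service(self.SERVICE_TYPE)
    svc.add_endpoint('public', self.SERVICE_URL)
    for service_type, url in services:
        token.add_service(service_type).add_endpoint('public', url)
    return token

# Application credential token
self.TOKEN_RESPONSES[self.v3_APP_CRED_TOKEN] = app_cred_token(
    [('compute', 'https://nova.openstack.example.org/v2.1')])

# Application credential with explicitly empty access_rules
self.TOKEN_RESPONSES[self.v3_APP_CRED_EMPTY_ACCESS_RULES] = (
    app_cred_token([], access_rules=[]))

# … unchanged: access_rules lists for the other two fixtures, each
# passed to app_cred_token() with its extra (service, url) pairs …
```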
diff --git a/keystonemiddleware/tests/unit/test_access_rules.py b/keystonemiddleware/tests/unit/test_access_rules.py
new file mode 100644
index 0000000..663b806
--- /dev/null
+++ b/keystonemiddleware/tests/unit/test_access_rules.py
@@ -0,0 +1,54 @@
+# Copyright 2019 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystonemiddleware.auth_token import _path_matches
+from keystonemiddleware.tests.unit import utils
+
+
+class TestAccessRules(utils.BaseTestCase):
+
+ def test_path_matches(self):
+ good_matches = [
+ ('/v2/servers', '/v2/servers'),
+ ('/v2/servers/123', '/v2/servers/{server_id}'),
+ ('/v2/servers/123/', '/v2/servers/{server_id}/'),
+ ('/v2/servers/123', '/v2/servers/*'),
+ ('/v2/servers/123/', '/v2/servers/*/'),
+ ('/v2/servers/123', '/v2/servers/**'),
+ ('/v2/servers/123/', '/v2/servers/**'),
+ ('/v2/servers/123/456', '/v2/servers/**'),
+ ('/v2/servers', '**'),
+ ('/v2/servers/', '**'),
+ ('/v2/servers/123', '**'),
+ ('/v2/servers/123/456', '**'),
+ ('/v2/servers/123/volume/456', '**'),
+ ('/v2/servers/123/456', '/v2/*/*/*'),
+ ('/v2/123/servers/466', '/v2/{project_id}/servers/{server_id}'),
+ ]
+ for (request, pattern) in good_matches:
+ self.assertIsNotNone(_path_matches(request, pattern))
+ bad_matches = [
+ ('/v2/servers/someuuid', '/v2/servers'),
+ ('/v2/servers//', '/v2/servers/{server_id}'),
+ ('/v2/servers/123/', '/v2/servers/{server_id}'),
+ ('/v2/servers/123/456', '/v2/servers/{server_id}'),
+ ('/v2/servers/123/456', '/v2/servers/*'),
+ ('/v2/servers', 'v2/servers'),
+ ('/v2/servers/123/456/789', '/v2/*/*/*'),
+ ('/v2/servers/123/', '/v2/*/*/*'),
+ ('/v2/servers/', '/v2/servers/{server_id}'),
+ ('/v2/servers', '/v2/servers/{server_id}'),
+ ]
+ for (request, pattern) in bad_matches:
+ self.assertIsNone(_path_matches(request, pattern))
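Review bot: `bad_matches` has no request path containing a `.` or `..` segment, a percent-encoded `/`, or a query string, so the test does not say whether such a path may satisfy `{server_id}`, `*` or `**`. Since `_path_matches` decides whether an application credential's access rule permits a request, the intended result for those inputs should be pinned here, in whichever list matches the design; the implementation is not in this file, so I cannot tell which. Both loops would also be easier to debug with the failing pair in the message, e.g. `self.assertIsNone(_path_matches(request, pattern), (request, pattern))`.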
diff --git a/keystonemiddleware/tests/unit/test_ec2_token_middleware.py b/keystonemiddleware/tests/unit/test_ec2_token_middleware.py
index 5191502..5cd69ff 100644
--- a/keystonemiddleware/tests/unit/test_ec2_token_middleware.py
+++ b/keystonemiddleware/tests/unit/test_ec2_token_middleware.py
@@ -23,13 +23,12 @@ from keystonemiddleware.tests.unit import utils
TOKEN_ID = 'fake-token-id'
-GOOD_RESPONSE = {'access': {'token': {'id': TOKEN_ID,
- 'tenant': {'id': 'TENANT_ID'}}}}
EMPTY_RESPONSE = {}
class FakeResponse(object):
reason = "Test Reason"
+ headers = {'x-subject-token': TOKEN_ID}
def __init__(self, json, status_code=400):
self._json = json
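Review bot: `headers` is a class attribute, so every `FakeResponse` carries `x-subject-token`, including those built with the default `status_code=400`, and all instances share one mutable dict. A failure-path test can therefore no longer show that the middleware ignores a token on an error response. A plain dict is also case-sensitive where a real `requests` response's headers are not. Setting the header per instance keeps the two cases apart: `def __init__(self, json, status_code=400, headers=None):` with `self.headers = headers or {}`, passing `headers={'x-subject-token': TOKEN_ID}` in the success tests. The rest of `FakeResponse` lies outside this hunk.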
@@ -53,9 +52,9 @@ class EC2TokenMiddlewareTestBase(utils.TestCase):
TEST_PROTOCOL = 'https'
TEST_HOST = 'fakehost'
TEST_PORT = 35357
- TEST_URL = '%s://%s:%d/v2.0/ec2tokens' % (TEST_PROTOCOL,
- TEST_HOST,
- TEST_PORT)
+ TEST_URL = '%s://%s:%d/v3/ec2tokens' % (TEST_PROTOCOL,
+ TEST_HOST,
+ TEST_PORT)
def setUp(self):
super(EC2TokenMiddlewareTestBase, self).setUp()
@@ -74,7 +73,7 @@ class EC2TokenMiddlewareTestBase(utils.TestCase):
class EC2TokenMiddlewareTestGood(EC2TokenMiddlewareTestBase):
@mock.patch.object(
requests, 'request',
- return_value=FakeResponse(GOOD_RESPONSE, status_code=200))
+ return_value=FakeResponse(EMPTY_RESPONSE, status_code=200))
def test_protocol_old_versions(self, mock_request):
req = webob.Request.blank('/test')
req.GET['Signature'] = 'test-signature'
@@ -85,7 +84,7 @@ class EC2TokenMiddlewareTestGood(EC2TokenMiddlewareTestBase):
self.assertEqual(TOKEN_ID, req.headers['X-Auth-Token'])
mock_request.assert_called_with(
- 'POST', 'http://localhost:5000/v2.0/ec2tokens',
+ 'POST', 'http://localhost:5000/v3/ec2tokens',
data=mock.ANY, headers={'Content-Type': 'application/json'},
verify=True, cert=None)
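Review bot: The asserted URL is `http://localhost:5000/v3/ec2tokens`, while the release note added in this same commit (`ec2-v2-removal-6a886210cbc9d3e9.yaml`) says the `url` option now defaults to `https://localhost:5000/v3/ec2tokens`; one of the two is wrong. Presumably the value asserted here is the middleware's default. If so, the EC2 signature data and the returned token travel unencrypted by default and `verify=True` has nothing to verify, so either the default or the release note should be corrected. The same assertion appears in the `test_protocol_v4` hunk below, and the test method starts outside this hunk.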
@@ -105,7 +104,7 @@ class EC2TokenMiddlewareTestGood(EC2TokenMiddlewareTestBase):
@mock.patch.object(
requests, 'request',
- return_value=FakeResponse(GOOD_RESPONSE, status_code=200))
+ return_value=FakeResponse(EMPTY_RESPONSE, status_code=200))
def test_protocol_v4(self, mock_request):
req = webob.Request.blank('/test')
auth_str = (
@@ -120,7 +119,7 @@ class EC2TokenMiddlewareTestGood(EC2TokenMiddlewareTestBase):
self.assertEqual(TOKEN_ID, req.headers['X-Auth-Token'])
mock_request.assert_called_with(
- 'POST', 'http://localhost:5000/v2.0/ec2tokens',
+ 'POST', 'http://localhost:5000/v3/ec2tokens',
data=mock.ANY, headers={'Content-Type': 'application/json'},
verify=True, cert=None)
diff --git a/keystonemiddleware/tests/unit/test_opts.py b/keystonemiddleware/tests/unit/test_opts.py
index 143264c..799bdd0 100644
--- a/keystonemiddleware/tests/unit/test_opts.py
+++ b/keystonemiddleware/tests/unit/test_opts.py
@@ -53,7 +53,6 @@ class OptsTestCase(utils.TestCase):
'cafile',
'region_name',
'insecure',
- 'signing_dir',
'memcached_servers',
'token_cache_time',
'memcache_security_strategy',
@@ -66,11 +65,11 @@ class OptsTestCase(utils.TestCase):
'memcache_pool_socket_timeout',
'include_service_catalog',
'enforce_token_bind',
- 'hash_algorithms',
'auth_type',
'auth_section',
'service_token_roles',
'service_token_roles_required',
+ 'service_type',
]
opt_names = [o.name for (g, l) in result_of_old_opts for o in l]
self.assertThat(opt_names, matchers.HasLength(len(expected_opt_names)))
@@ -99,7 +98,6 @@ class OptsTestCase(utils.TestCase):
'cafile',
'region_name',
'insecure',
- 'signing_dir',
'memcached_servers',
'token_cache_time',
'memcache_security_strategy',
@@ -112,11 +110,11 @@ class OptsTestCase(utils.TestCase):
'memcache_pool_socket_timeout',
'include_service_catalog',
'enforce_token_bind',
- 'hash_algorithms',
'auth_type',
'auth_section',
'service_token_roles',
'service_token_roles_required',
+ 'service_type',
]
opt_names = [o.name for (g, l) in result for o in l]
self.assertThat(opt_names, matchers.HasLength(len(expected_opt_names)))
diff --git a/keystonemiddleware/tests/unit/utils.py b/keystonemiddleware/tests/unit/utils.py
index 6a07ec1..8b0944f 100644
--- a/keystonemiddleware/tests/unit/utils.py
+++ b/keystonemiddleware/tests/unit/utils.py
@@ -82,7 +82,7 @@ if tuple(sys.version_info)[0:2] < (2, 7):
class MiddlewareTestCase(BaseTestCase):
def create_middleware(self, cb, **kwargs):
- raise NotImplemented("implement this in your tests")
+ raise NotImplementedError("implement this in your tests")
def create_simple_middleware(self,
status='200 OK',
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 09c0e2a..8fd4ac7 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -23,7 +23,7 @@ GitPython==2.1.8
hacking==0.10.0
idna==2.6
iso8601==0.1.12
-keystoneauth1==3.4.0
+keystoneauth1==3.12.0
linecache2==1.0.0
mccabe==0.2.1
mock==2.0.0
@@ -57,13 +57,12 @@ pyinotify==0.9.6
pyparsing==2.2.0
pyperclip==1.6.0
python-dateutil==2.7.0
-python-keystoneclient==3.10.0
-python-memcached==1.56
+python-keystoneclient==3.20.0
+python-memcached==1.59
python-mimeparse==1.6.0
python-subunit==1.2.0
pytz==2018.3
PyYAML==3.12
-reno==2.5.0
requests-mock==1.2.0
requests==2.14.2
requestsexceptions==1.4.0
diff --git a/releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml b/releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml
new file mode 100644
index 0000000..a6e68d4
--- /dev/null
+++ b/releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ [`spec <http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html>`_]
+ The auth_token middleware now has support for accepting or denying incoming
+ requests based on access rules provided by users in their keystone
+ application credentials.
diff --git a/releasenotes/notes/bug-1649735-3c68f3243e474775.yaml b/releasenotes/notes/bug-1649735-3c68f3243e474775.yaml
index 06741d3..a624c39 100644
--- a/releasenotes/notes/bug-1649735-3c68f3243e474775.yaml
+++ b/releasenotes/notes/bug-1649735-3c68f3243e474775.yaml
@@ -4,5 +4,19 @@ fixes:
[`bug 1649735 <https://bugs.launchpad.net/keystone/+bug/1649735>`_]
The auth_token middleware no longer attempts to retrieve the revocation
list from the Keystone server. The deprecated options
- `check_revocations_for_cached` and `check_revocations_for_cached` have been
+ `revocations_cache_time` and `check_revocations_for_cached` have been
removed.
+
+ Keystone no longer issues PKI/PKIZ tokens and now keystonemiddleware's
+ Support for PKI/PKIZ and associated offline validation has been removed.
+ This includes the deprecated config options `signing_dir`, and
+ `hash_algorithms`.
+
+upgrade:
+ - >
+ [`bug 1649735 <https://bugs.launchpad.net/keystone/+bug/1649735>`_]
+ Keystonemiddleware no longer supports PKI/PKIZ tokens, all
+ associated offline validation has been removed. The configuration
+ options `signing_dir`, and `hash_algorithms` have been removed, if
+ they still exist in your configuration(s), they are now safe to remove.
+ Please consider utilizing the newer fernet or JWS token formats. \ No newline at end of file
diff --git a/releasenotes/notes/drop-py-2-7-6655f421a9cac0a2.yaml b/releasenotes/notes/drop-py-2-7-6655f421a9cac0a2.yaml
new file mode 100644
index 0000000..5560cd6
--- /dev/null
+++ b/releasenotes/notes/drop-py-2-7-6655f421a9cac0a2.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+ - |
+ Python 2.7 support has been dropped. Last release of keystonemiddleware
+ to support python 2.7 is OpenStack Train. The minimum version of Python now
+ supported is Python 3.6. \ No newline at end of file
diff --git a/releasenotes/notes/ec2-v2-removal-6a886210cbc9d3e9.yaml b/releasenotes/notes/ec2-v2-removal-6a886210cbc9d3e9.yaml
new file mode 100644
index 0000000..e90fa68
--- /dev/null
+++ b/releasenotes/notes/ec2-v2-removal-6a886210cbc9d3e9.yaml
@@ -0,0 +1,7 @@
+---
+other:
+ - |
+ [`bug 1845539 <https://bugs.launchpad.net/keystone/+bug/1845539>`_]
+ The ec2 'url' config option now defaults to
+ https://localhost:5000/v3/ec2tokens with the removal of ec2 v2.0 support.
+ Keystonemiddleware no longer supports ec2tokens using the v2.0 API.
diff --git a/releasenotes/notes/removed-as-of-ussuri-4e1ea485ba8801c9.yaml b/releasenotes/notes/removed-as-of-ussuri-4e1ea485ba8801c9.yaml
new file mode 100644
index 0000000..1dafbfb
--- /dev/null
+++ b/releasenotes/notes/removed-as-of-ussuri-4e1ea485ba8801c9.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - |
+ [`bug 1845539 <https://bugs.launchpad.net/keystone/+bug/1845539>`_]
+ [`bug 1777177 <https://bugs.launchpad.net/keystone/+bug/1777177>`_]
+ keystonemiddleware no longer supports the keystone v2.0 api, all
+ associated functionality has been removed.
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index ea5e540..9d399ae 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -54,7 +54,6 @@ source_suffix = '.rst'
master_doc = 'index'
# General information about the project.
-project = u'keystonemiddleware Release Notes'
copyright = u'2015, Keystone Developers'
# Release notes do not need a version number in the title, they
@@ -94,7 +93,7 @@ exclude_patterns = []
# show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = 'native'
# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []
@@ -143,11 +142,6 @@ html_static_path = ['_static']
# directly to the root of the documentation.
# html_extra_path = []
-# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
-# using the given strftime format.
-# html_last_updated_fmt = '%b %d, %Y'
-html_last_updated_fmt = '%Y-%m-%d %H:%M'
-
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True
@@ -191,17 +185,6 @@ htmlhelp_basename = 'keystonemiddlewareReleaseNotesdoc'
# -- Options for LaTeX output ---------------------------------------------
-latex_elements = {
- # The paper size ('letterpaper' or 'a4paper').
- # 'papersize': 'letterpaper',
-
- # The font size ('10pt', '11pt' or '12pt').
- # 'pointsize': '10pt',
-
- # Additional stuff for the LaTeX preamble.
- # 'preamble': '',
-}
-
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
@@ -275,6 +258,6 @@ texinfo_documents = [
locale_dirs = ['locale/']
# -- Options for openstackdocstheme -------------------------------------------
-repository_name = 'openstack/keystonemiddleware'
-bug_project = 'keystonemiddleware'
-bug_tag = ''
+openstackdocs_repo_name = 'openstack/keystonemiddleware'
+openstackdocs_bug_project = 'keystonemiddleware'
+openstackdocs_bug_tag = ''
diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst
index 072e2e1..b5063a2 100644
--- a/releasenotes/source/index.rst
+++ b/releasenotes/source/index.rst
@@ -6,6 +6,9 @@
:maxdepth: 1
unreleased
+ ussuri
+ train
+ stein
rocky
queens
pike
diff --git a/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po b/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
index ff2a6ec..56b9910 100644
--- a/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
+++ b/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
@@ -1,14 +1,16 @@
# Andi Chandler <andi@gowling.com>, 2017. #zanata
# Andi Chandler <andi@gowling.com>, 2018. #zanata
+# Andi Chandler <andi@gowling.com>, 2019. #zanata
+# Andi Chandler <andi@gowling.com>, 2020. #zanata
msgid ""
msgstr ""
"Project-Id-Version: keystonemiddleware\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2018-04-21 04:01+0000\n"
+"POT-Creation-Date: 2020-06-05 04:54+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2018-04-30 10:08+0000\n"
+"PO-Revision-Date: 2020-06-15 05:35+0000\n"
"Last-Translator: Andi Chandler <andi@gowling.com>\n"
"Language-Team: English (United Kingdom)\n"
"Language: en_GB\n"
@@ -24,6 +26,12 @@ msgstr "4.12.0"
msgid "4.16.0"
msgstr "4.16.0"
+msgid "4.17.1"
+msgstr "4.17.1"
+
+msgid "4.17.1-3"
+msgstr "4.17.1-3"
+
msgid "4.18.0"
msgstr "4.18.0"
@@ -33,6 +41,9 @@ msgstr "4.2.0"
msgid "4.20.0"
msgstr "4.20.0"
+msgid "4.22.0"
+msgstr "4.22.0"
+
msgid "4.3.0"
msgstr "4.3.0"
@@ -45,8 +56,38 @@ msgstr "4.6.0"
msgid "5.0.0"
msgstr "5.0.0"
-msgid "5.0.0-5"
-msgstr "5.0.0-5"
+msgid "5.1.0"
+msgstr "5.1.0"
+
+msgid "5.2.0"
+msgstr "5.2.0"
+
+msgid "5.2.1"
+msgstr "5.2.1"
+
+msgid "5.2.2"
+msgstr "5.2.2"
+
+msgid "5.3.0"
+msgstr "5.3.0"
+
+msgid "6.0.0"
+msgstr "6.0.0"
+
+msgid "6.0.1"
+msgstr "6.0.1"
+
+msgid "6.1.0"
+msgstr "6.1.0"
+
+msgid "7.0.0"
+msgstr "7.0.0"
+
+msgid "8.0.0"
+msgstr "8.0.0"
+
+msgid "9.0.0"
+msgstr "9.0.0"
msgid ""
"A new configuration option for the s3token middleware called auth_uri can be "
@@ -132,9 +173,21 @@ msgstr "Pike Series Release Notes"
msgid "Prelude"
msgstr "Prelude"
+msgid ""
+"Python 2.7 support has been dropped. Last release of keystonemiddleware to "
+"support python 2.7 is OpenStack Train. The minimum version of Python now "
+"supported is Python 3.6."
+msgstr ""
+"Python 2.7 support has been dropped. Last release of keystonemiddleware to "
+"support Python 2.7 is OpenStack Train. The minimum version of Python now "
+"supported is Python 3.6."
+
msgid "Queens Series Release Notes"
msgstr "Queens Series Release Notes"
+msgid "Rocky Series Release Notes"
+msgstr "Rocky Series Release Notes"
+
msgid "Security Issues"
msgstr "Security Issues"
@@ -170,6 +223,9 @@ msgstr ""
"enforce this behaviour. This will become the default setting in future "
"releases."
+msgid "Stein Series Release Notes"
+msgstr "Stein Series Release Notes"
+
msgid ""
"The ``kwargs_to_fetch_token`` setting was removed from the "
"``BaseAuthProtocol`` class. Implementations of auth_token now assume kwargs "
@@ -201,9 +257,37 @@ msgstr ""
"returned when the user needs to be redirected to the Identity service for "
"authentication."
+msgid ""
+"The lower constraint for python-memcached must be raised to version 1.58 in "
+"order to work with Python 3.4 and above."
+msgstr ""
+"The lower constraint for python-memcached must be raised to version 1.58 in "
+"order to work with Python 3.4 and above."
+
+msgid "Train Series Release Notes"
+msgstr "Train Series Release Notes"
+
msgid "Upgrade Notes"
msgstr "Upgrade Notes"
+msgid "Ussuri Series Release Notes"
+msgstr "Ussuri Series Release Notes"
+
+msgid ""
+"When ``delay_auth_decision`` is enabled and a Keystone failure prevents a "
+"final decision about whether a token is valid or invalid, it will be marked "
+"invalid and the application will be responsible for a final auth decision. "
+"This is similar to what happens when a token is confirmed *not* valid. This "
+"allows a Keystone outage to only affect Keystone users in a multi-auth "
+"system."
+msgstr ""
+"When ``delay_auth_decision`` is enabled and a Keystone failure prevents a "
+"final decision about whether a token is valid or invalid, it will be marked "
+"invalid and the application will be responsible for a final auth decision. "
+"This is similar to what happens when a token is confirmed *not* valid. This "
+"allows a Keystone outage to only affect Keystone users in a multi-auth "
+"system."
+
msgid ""
"With the release of 4.2.0 of keystonemiddleware we no longer recommend using "
"the in-process token cache. In-process caching may result in inconsistent "
@@ -363,6 +447,19 @@ msgstr ""
"look for the given option in local config, then Oslo global config."
msgid ""
+"[`bug 1649735 <https://bugs.launchpad.net/keystone/+bug/1649735>`_] The "
+"auth_token middleware no longer attempts to retrieve the revocation list "
+"from the Keystone server. The deprecated options "
+"`check_revocations_for_cached` and `check_revocations_for_cached` have been "
+"removed."
+msgstr ""
+"[`bug 1649735 <https://bugs.launchpad.net/keystone/+bug/1649735>`_] The "
+"auth_token middleware no longer attempts to retrieve the revocation list "
+"from the Keystone server. The deprecated options "
+"`check_revocations_for_cached` and `check_revocations_for_cached` have been "
+"removed."
+
+msgid ""
"[`bug 1677308 <https://bugs.launchpad.net/keystonemiddleware/"
"+bug/1677308>`_] Removes ``pycrypto`` dependency as the library is "
"unmaintained, and replaces it with the ``cryptography`` library."
@@ -439,6 +536,137 @@ msgstr ""
"(Unauthorised) response now is double quoted to follow the RFC requirement."
msgid ""
+"[`bug 1766731 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1766731>`_] Keystonemiddleware now supports system scoped tokens. When "
+"a system-scoped token is parsed by auth_token middleware, it will set the "
+"``OpenStack-System-Scope`` header accordingly."
+msgstr ""
+"[`bug 1766731 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1766731>`_] Keystonemiddleware now supports system scoped tokens. When "
+"a system-scoped token is parsed by auth_token middleware, it will set the "
+"``OpenStack-System-Scope`` header accordingly."
+
+msgid ""
+"[`bug 1782404 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1782404>`_] Keystonemiddleware incorrectly implemented an abstraction "
+"for the memcache client pool that utilized a `queue.Queue` `get` method "
+"instead of the supplied `acquire()` context manager. The `acquire()` context "
+"manager properly places the client connection back into the pool after "
+"`__exit__`."
+msgstr ""
+"[`bug 1782404 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1782404>`_] Keystonemiddleware incorrectly implemented an abstraction "
+"for the memcache client pool that utilized a `queue.Queue` `get` method "
+"instead of the supplied `acquire()` context manager. The `acquire()` context "
+"manager properly places the client connection back into the pool after "
+"`__exit__`."
+
+msgid ""
+"[`bug 1789351 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1789351>`_] Fixed the bug that when initialize `AuthProtocol`, it'll "
+"raise \"dictionary changed size during iteration\" error if the input `CONF` "
+"object contains deprecated options."
+msgstr ""
+"[`bug 1789351 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1789351>`_] Fixed the bug that when initialize `AuthProtocol`, it'll "
+"raise \"dictionary changed size during iteration\" error if the input `CONF` "
+"object contains deprecated options."
+
+msgid ""
+"[`bug 1797584 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1797584>`_] Fixed a bug where the audit code would select the wrong "
+"target service if the OpenStack service endpoints were not using unique TCP "
+"ports."
+msgstr ""
+"[`bug 1797584 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1797584>`_] Fixed a bug where the audit code would select the wrong "
+"target service if the OpenStack service endpoints were not using unique TCP "
+"ports."
+
+msgid ""
+"[`bug 1800017 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1800017>`_] Fix audit middleware service catalog parsing for the "
+"scenario where a service does not contain any endpoints. In that case, we "
+"should just skip over that service."
+msgstr ""
+"[`bug 1800017 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1800017>`_] Fix audit middleware service catalog parsing for the "
+"scenario where a service does not contain any endpoints. In that case, we "
+"should just skip over that service."
+
+msgid ""
+"[`bug 1803940 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1803940>`_] Request ID and global request ID have been added to CADF "
+"notifications."
+msgstr ""
+"[`bug 1803940 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1803940>`_] Request ID and global request ID have been added to CADF "
+"notifications."
+
+msgid ""
+"[`bug 1809101 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1809101>`_] Fix req.context of Keystone audit middleware and Glance "
+"conflict with each other issue. The audit middleware now stores the admin "
+"context to req.environ['audit.context']."
+msgstr ""
+"[`bug 1809101 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1809101>`_] Fix req.context of Keystone audit middleware and Glance "
+"conflict with each other issue. The audit middleware now stores the admin "
+"context to req.environ['audit.context']."
+
+msgid ""
+"[`bug 1813739 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1813739>`_] When admin identity endpoint is not created yet, "
+"keystonemiddleware emit EndpointNotFound exception. Even after admin "
+"identity endpoint created, auth_token middleware could not be notified of "
+"update since it does not invalidate existing auth. Add an invalidation step "
+"so that endpoint updates can be detected."
+msgstr ""
+"[`bug 1813739 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1813739>`_] When admin identity endpoint is not created yet, "
+"keystonemiddleware emit EndpointNotFound exception. Even after admin "
+"identity endpoint created, auth_token middleware could not be notified of "
+"update since it does not invalidate existing auth. Add an invalidation step "
+"so that endpoint updates can be detected."
+
+msgid ""
+"[`bug 1830002 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1830002>`_] In order to allow an installation to work without deploying "
+"an admin Identity endpoint, a new option `interface` has been added, "
+"allowing select the Identity endpoint that is being used when verifying auth "
+"tokens. It defaults to `admin` in order to replicate the old behaviour, but "
+"may be set to `public` or `internal` as needed."
+msgstr ""
+"[`bug 1830002 <https://bugs.launchpad.net/keystonemiddleware/"
+"+bug/1830002>`_] In order to allow an installation to work without deploying "
+"an admin Identity endpoint, a new option `interface` has been added, "
+"allowing select the Identity endpoint that is being used when verifying auth "
+"tokens. It defaults to `admin` in order to replicate the old behaviour, but "
+"may be set to `public` or `internal` as needed."
+
+msgid ""
+"[`bug 1845539 <https://bugs.launchpad.net/keystone/+bug/1845539>`_] The ec2 "
+"'url' config option now defaults to https://localhost:5000/v3/ec2tokens with "
+"the removal of ec2 v2.0 support. Keystonemiddleware no longer supports "
+"ec2tokens using the v2.0 API."
+msgstr ""
+"[`bug 1845539 <https://bugs.launchpad.net/keystone/+bug/1845539>`_] The ec2 "
+"'url' config option now defaults to https://localhost:5000/v3/ec2tokens with "
+"the removal of ec2 v2.0 support. Keystonemiddleware no longer supports "
+"ec2tokens using the v2.0 API."
+
+msgid ""
+"[`bug 1845539 <https://bugs.launchpad.net/keystone/+bug/1845539>`_] [`bug "
+"1777177 <https://bugs.launchpad.net/keystone/+bug/1777177>`_] "
+"keystonemiddleware no longer supports the keystone v2.0 api, all associated "
+"functionality has been removed."
+msgstr ""
+"[`bug 1845539 <https://bugs.launchpad.net/keystone/+bug/1845539>`_] [`bug "
+"1777177 <https://bugs.launchpad.net/keystone/+bug/1777177>`_] "
+"keystonemiddleware no longer supports the Keystone v2.0 api, all associated "
+"functionality has been removed."
+
+msgid ""
"[`bug/1747655 <https://bugs.launchpad.net/keystonemiddleware/"
"+bug/1747655>`_] When keystone is temporarily unavailable, "
"keystonemiddleware correctly sends a 503 response to the HTTP client but was "
@@ -453,5 +681,16 @@ msgstr ""
"was keystone or the service using keystonemiddleware that was unavailable. "
"This change identifies keystone in the error response."
+msgid ""
+"[`spec <http://specs.openstack.org/openstack/keystone-specs/specs/keystone/"
+"train/capabilities-app-creds.html>`_] The auth_token middleware now has "
+"support for accepting or denying incoming requests based on access rules "
+"provided by users in their keystone application credentials."
+msgstr ""
+"[`spec <http://specs.openstack.org/openstack/keystone-specs/specs/keystone/"
+"train/capabilities-app-creds.html>`_] The auth_token middleware now has "
+"support for accepting or denying incoming requests based on access rules "
+"provided by users in their Keystone application credentials."
+
msgid "keystonemiddleware Release Notes"
msgstr "keystonemiddleware Release Notes"
diff --git a/releasenotes/source/stein.rst b/releasenotes/source/stein.rst
new file mode 100644
index 0000000..efaceb6
--- /dev/null
+++ b/releasenotes/source/stein.rst
@@ -0,0 +1,6 @@
+===================================
+ Stein Series Release Notes
+===================================
+
+.. release-notes::
+ :branch: stable/stein
diff --git a/releasenotes/source/train.rst b/releasenotes/source/train.rst
new file mode 100644
index 0000000..5839003
--- /dev/null
+++ b/releasenotes/source/train.rst
@@ -0,0 +1,6 @@
+==========================
+Train Series Release Notes
+==========================
+
+.. release-notes::
+ :branch: stable/train
diff --git a/releasenotes/source/ussuri.rst b/releasenotes/source/ussuri.rst
new file mode 100644
index 0000000..e21e50e
--- /dev/null
+++ b/releasenotes/source/ussuri.rst
@@ -0,0 +1,6 @@
+===========================
+Ussuri Series Release Notes
+===========================
+
+.. release-notes::
+ :branch: stable/ussuri
diff --git a/requirements.txt b/requirements.txt
index 80b26d4..d3f07ce 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
-keystoneauth1>=3.4.0 # Apache-2.0
+keystoneauth1>=3.12.0 # Apache-2.0
oslo.cache>=1.26.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
@@ -12,7 +12,7 @@ oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0
pbr!=2.1.0,>=2.0.0 # Apache-2.0
pycadf!=2.0.0,>=1.1.0 # Apache-2.0
-python-keystoneclient>=3.10.0 # Apache-2.0
+python-keystoneclient>=3.20.0 # Apache-2.0
requests>=2.14.2 # Apache-2.0
six>=1.10.0 # MIT
WebOb>=1.7.1 # MIT
diff --git a/setup.cfg b/setup.cfg
index b33e53d..34e3749 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -13,8 +13,6 @@ classifier =
License :: OSI Approved :: Apache Software License
Operating System :: POSIX :: Linux
Programming Language :: Python
- Programming Language :: Python :: 2
- Programming Language :: Python :: 2.7
Programming Language :: Python :: 3
Programming Language :: Python :: 3.6
Programming Language :: Python :: 3.7
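Review bot: Dropping the `Python :: 2` and `Python :: 2.7` classifiers does not by itself stop pip on a Python 2.7 interpreter from selecting this release, because classifiers are informational only. The `[metadata]` section starts outside this hunk, so it is not visible whether an interpreter floor is already declared there. If it is not, add `python-requires = >=3.6` so the minimum version stated in the release note is enforced at install time rather than failing later at import.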
@@ -55,5 +53,3 @@ keywords = _ gettext ngettext l_ lazy_gettext
mapping_file = babel.cfg
output_file = keystonemiddleware/locale/keystonemiddleware.pot
-[wheel]
-universal = 1
diff --git a/test-requirements.txt b/test-requirements.txt
index 3153d81..3ab58aa 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -2,7 +2,7 @@
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
-hacking<0.11,>=0.10.0
+hacking>=3.0,<4.0.0 # Apache-2.0
flake8-docstrings==0.2.1.post1 # MIT
coverage!=4.4,>=4.0 # Apache-2.0
@@ -15,9 +15,9 @@ stevedore>=1.20.0 # Apache-2.0
stestr>=2.0.0 # Apache-2.0
testresources>=2.0.0 # Apache-2.0/BSD
testtools>=2.2.0 # MIT
-python-memcached>=1.56 # PSF
+python-memcached>=1.59 # PSF
WebTest>=2.0.27 # MIT
oslo.messaging>=5.29.0 # Apache-2.0
# Bandit security code scanner
-bandit>=1.1.0 # Apache-2.0
+bandit!=1.6.0,>=1.1.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 5b46a4a..4023606 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,7 +1,8 @@
[tox]
-minversion = 2.5.0
+minversion = 3.1.1
skipsdist = True
-envlist = py37,py36,py27,pep8,releasenotes
+envlist = py37,pep8,releasenotes
+ignore_basepython_conflict = True
[testenv]
usedevelop = True
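Review bot: `envlist` loses `py36` along with `py27`, yet setup.cfg in this same commit keeps the `Programming Language :: Python :: 3.6` classifier and the release note names Python 3.6 as the minimum supported version. A plain `tox` run therefore no longer exercises the oldest supported interpreter. Unless the gate jobs cover it (not visible here), consider `envlist = py37,py36,pep8,releasenotes`.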
@@ -9,29 +10,26 @@ setenv = VIRTUAL_ENV={envdir}
OS_STDOUT_NOCAPTURE=False
OS_STDERR_NOCAPTURE=False
deps =
- -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt}
+ -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
-r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt
commands = stestr run {posargs}
+basepython = python3
[testenv:pep8]
-basepython = python3
commands =
flake8
bandit -r keystonemiddleware -x tests -n5
[testenv:bandit]
-basepython = python3
# NOTE(browne): This is required for the integration test job of the bandit
# project. Please do not remove.
commands = bandit -r keystonemiddleware -x tests -n5
[testenv:venv]
-basepython = python3
commands = {posargs}
[testenv:cover]
-basepython = python3
setenv =
{[testenv]setenv}
PYTHON=coverage run --source keystonemiddleware --parallel-mode
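Review bot: The new default for `UPPER_CONSTRAINTS_FILE` under `deps` points at `.../constraints/upper/master`, a moving file fetched when the environment is built, so the dependency versions under test can change without any change in this repository. That suits the master branch, but the assumption deserves a comment above `deps =`, for example `# Default constraints track master; set UPPER_CONSTRAINTS_FILE to a pinned or local copy for reproducible runs.` The same line will need the branch-specific URL once a stable branch is cut. The `[testenv]` section begins outside this hunk and `[testenv:cover]` continues past it.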
@@ -42,7 +40,6 @@ commands =
coverage xml -o cover/coverage.xml
[testenv:debug]
-basepython = python3
commands = oslo_debug_helper -t keystonemiddleware/tests {posargs}
@@ -53,19 +50,30 @@ commands = oslo_debug_helper -t keystonemiddleware/tests {posargs}
# D103: Missing docstring in public function
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring (deprecated in pep257)
-ignore = D100,D101,D102,D103,D104,D203
+# W503 line break before binary operator
+# W504 line break after binary operator
+ignore = D100,D101,D102,D103,D104,D203,W503,W504
show-source = True
exclude = .venv,.tox,dist,doc,*egg,build
[testenv:docs]
-basepython = python3
deps = -r{toxinidir}/doc/requirements.txt
commands=
doc8 doc/source
sphinx-build -W -b html doc/source doc/build/html
+[testenv:pdf-docs]
+envdir = {toxworkdir}/docs
+deps = {[testenv:docs]deps}
+whitelist_externals =
+ make
+ rm
+commands =
+ rm -rf doc/build/pdf
+ sphinx-build -W -b latex doc/source doc/build/pdf
+ make -C doc/build/pdf
+
[testenv:releasenotes]
-basepython = python3
deps = -r{toxinidir}/doc/requirements.txt
commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
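Review bot: The two added comment lines for W503 and W504 drop the `CODE: text` form used by the D1xx lines above them and do not say why both codes are ignored. The two checks are opposites (line break before versus after a binary operator), so a reader may assume one was added by mistake. A single line such as `# W503/W504: opposite line-break-around-operator rules, both ignored so either layout passes` would record the intent. The `[flake8]` header sits outside this hunk.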
@@ -79,7 +87,6 @@ extensions = .rst, .yaml
max-line-length = 79
[testenv:lower-constraints]
-basepython = python3
deps =
-c{toxinidir}/lower-constraints.txt
-r{toxinidir}/test-requirements.txt