Diffstat (limited to 'keystonemiddleware/auth_token/_identity.py')
-rw-r--r-- | keystonemiddleware/auth_token/_identity.py | 92 |
1 files changed, 13 insertions, 79 deletions
diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py
index aeeb8d9..53d3819 100644
--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -10,13 +10,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-import functools
-
 from keystoneauth1 import discover
 from keystoneauth1 import exceptions as ksa_exceptions
 from keystoneauth1 import plugin
-from keystoneclient import exceptions as ksc_exceptions
-from keystoneclient.v2_0 import client as v2_client
 from keystoneclient.v3 import client as v3_client
 from six.moves import urllib
@@ -24,17 +20,7 @@
 from keystonemiddleware.auth_token import _auth
 from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
 from keystonemiddleware.i18n import _
-
-def _convert_fetch_cert_exception(fetch_cert):
- @functools.wraps(fetch_cert)
- def wrapper(self):
- try:
- text = fetch_cert(self)
- except ksa_exceptions.HttpError as e:
- raise ksc_exceptions.CertificateConfigError(e.details)
- return text
-
- return wrapper
+ACCESS_RULES_SUPPORT = '1'
 class _RequestStrategy(object):
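Review bot: `ACCESS_RULES_SUPPORT = '1'` is added as a bare module constant with no comment on what the value means or why it is the string `'1'` rather than a number or boolean; the only clue is the `access_rules_support=ACCESS_RULES_SUPPORT` argument passed to `tokens.validate()` in a later hunk. If, as the name suggests, the value tells the identity server which revision of the access-rules feature this middleware understands, that is a contract worth stating next to the constant, because advertising support presumably lets tokens restricted by access rules validate and the restriction then has to be enforced by the middleware itself. I would add `# Revision of the access-rules feature this middleware advertises to keystone (sent as access_rules_support in tokens.validate()).` above the definition.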
@@ -49,45 +35,6 @@ class _RequestStrategy(object):
 def verify_token(self, user_token, allow_expired=False):
 pass
- @_convert_fetch_cert_exception
- def fetch_signing_cert(self):
- return self._fetch_signing_cert()
-
- def _fetch_signing_cert(self):
- pass
-
- @_convert_fetch_cert_exception
- def fetch_ca_cert(self):
- return self._fetch_ca_cert()
-
- def _fetch_ca_cert(self):
- pass
-
-
-class _V2RequestStrategy(_RequestStrategy):
-
- AUTH_VERSION = (2, 0)
-
- def __init__(self, adap, **kwargs):
- super(_V2RequestStrategy, self).__init__(adap, **kwargs)
- self._client = v2_client.Client(session=adap)
-
- def verify_token(self, token, allow_expired=False):
- # NOTE(jamielennox): allow_expired is ignored on V2
- auth_ref = self._client.tokens.validate_access_info(token)
-
- if not auth_ref:
- msg = _('Failed to fetch token data from identity server')
- raise ksm_exceptions.InvalidToken(msg)
-
- return {'access': auth_ref}
-
- def _fetch_signing_cert(self):
- return self._client.certificates.get_signing_certificate()
-
- def _fetch_ca_cert(self):
- return self._client.certificates.get_ca_certificate()
-
 class _V3RequestStrategy(_RequestStrategy):
@@ -104,7 +51,8 @@ class _V3RequestStrategy(_RequestStrategy):
 auth_ref = self._client.tokens.validate(
 token,
 include_catalog=self._include_service_catalog,
- allow_expired=allow_expired)
+ allow_expired=allow_expired,
+ access_rules_support=ACCESS_RULES_SUPPORT)
 if not auth_ref:
 msg = _('Failed to fetch token data from identity server')
@@ -112,23 +60,16 @@ class _V3RequestStrategy(_RequestStrategy):
 return {'token': auth_ref}
- def _fetch_signing_cert(self):
- return self._client.simple_cert.get_certificates()
-
- def _fetch_ca_cert(self):
- return self._client.simple_cert.get_ca_certificates()
-
-_REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
+_REQUEST_STRATEGIES = [_V3RequestStrategy]
 class IdentityServer(object):
 """Base class for operations on the Identity API server.
 The auth_token middleware needs to communicate with the Identity API server
- to validate UUID tokens, signing certificates,
- etc. This class encapsulates the data and methods to perform these
- operations.
+ to validate tokens. This class encapsulates the data and methods to perform
+ the operations.
 """
@@ -176,20 +117,19 @@ class IdentityServer(object):
 def _get_strategy_class(self):
 if self._requested_auth_version:
- # A specific version was requested.
- if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
- self._requested_auth_version):
- return _V3RequestStrategy
-
- # The version isn't v3 so we don't know what to do. Just assume V2.
- return _V2RequestStrategy
+ if not discover.version_match(_V3RequestStrategy.AUTH_VERSION,
+ self._requested_auth_interface):
+ self._LOG.info('A version other than v3 was requested: %s',
+ self._requested_auth_interface)
+ # Return v3, even if the request is unknown
+ return _V3RequestStrategy
 # Specific version was not requested then we fall through to
 # discovering available versions from the server
 for klass in _REQUEST_STRATEGIES:
 if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
 self._LOG.debug('Auth Token confirmed use of %s apis',
- self._requested_auth_version)
+ klass.AUTH_VERSION)
 return klass
 versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
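Review bot: The new version check in `_get_strategy_class` compares `_V3RequestStrategy.AUTH_VERSION` against `self._requested_auth_interface`, while the guard on the line above tests `self._requested_auth_version`; an interface name is not a version, so `discover.version_match` would presumably never match and every explicitly requested version, including v3, would get the 'A version other than v3 was requested' info log, which also prints the interface rather than the version. Unless the attribute was renamed outside this diff, both new references should read `self._requested_auth_version`, i.e. `self._requested_auth_version):` in the condition and `self._requested_auth_version)` as the log argument. The body of `_get_strategy_class` continues past the end of the hunk.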
@@ -241,11 +181,5 @@ class IdentityServer(object):
 else:
 return auth_ref
- def fetch_signing_cert(self):
- return self._request_strategy.fetch_signing_cert()
-
- def fetch_ca_cert(self):
- return self._request_strategy.fetch_ca_cert()
-
 def invalidate(self):
 return self._adapter.invalidate() |