Diffstat (limited to 'keystonemiddleware/auth_token/_identity.py')
-rw-r--r--keystonemiddleware/auth_token/_identity.py92
1 files changed, 13 insertions, 79 deletions
diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py
index aeeb8d9..53d3819 100644
--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -10,13 +10,9 @@
# License for the specific language governing permissions and limitations
# under the License.
-import functools
-
from keystoneauth1 import discover
from keystoneauth1 import exceptions as ksa_exceptions
from keystoneauth1 import plugin
-from keystoneclient import exceptions as ksc_exceptions
-from keystoneclient.v2_0 import client as v2_client
from keystoneclient.v3 import client as v3_client
from six.moves import urllib
@@ -24,17 +20,7 @@ from keystonemiddleware.auth_token import _auth
from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
from keystonemiddleware.i18n import _
-
-def _convert_fetch_cert_exception(fetch_cert):
- @functools.wraps(fetch_cert)
- def wrapper(self):
- try:
- text = fetch_cert(self)
- except ksa_exceptions.HttpError as e:
- raise ksc_exceptions.CertificateConfigError(e.details)
- return text
-
- return wrapper
+ACCESS_RULES_SUPPORT = '1'
class _RequestStrategy(object):
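Review bot: `ACCESS_RULES_SUPPORT = '1'` is a bare magic string with no explanation of what the value encodes or who interprets it; the only use visible in this diff is as the `access_rules_support=` argument to `tokens.validate()` in a later hunk. A one-line comment above it would save the next reader a trip into keystoneclient, e.g. `# Passed as access_rules_support to the v3 tokens.validate() call so the Identity server knows this middleware can honour access rules; the accepted values are defined by Keystone's access-rules feature.` If the value is a protocol version rather than a boolean-ish flag, the comment should say so explicitly, since '1' reads like either.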
@@ -49,45 +35,6 @@ class _RequestStrategy(object):
def verify_token(self, user_token, allow_expired=False):
pass
- @_convert_fetch_cert_exception
- def fetch_signing_cert(self):
- return self._fetch_signing_cert()
-
- def _fetch_signing_cert(self):
- pass
-
- @_convert_fetch_cert_exception
- def fetch_ca_cert(self):
- return self._fetch_ca_cert()
-
- def _fetch_ca_cert(self):
- pass
-
-
-class _V2RequestStrategy(_RequestStrategy):
-
- AUTH_VERSION = (2, 0)
-
- def __init__(self, adap, **kwargs):
- super(_V2RequestStrategy, self).__init__(adap, **kwargs)
- self._client = v2_client.Client(session=adap)
-
- def verify_token(self, token, allow_expired=False):
- # NOTE(jamielennox): allow_expired is ignored on V2
- auth_ref = self._client.tokens.validate_access_info(token)
-
- if not auth_ref:
- msg = _('Failed to fetch token data from identity server')
- raise ksm_exceptions.InvalidToken(msg)
-
- return {'access': auth_ref}
-
- def _fetch_signing_cert(self):
- return self._client.certificates.get_signing_certificate()
-
- def _fetch_ca_cert(self):
- return self._client.certificates.get_ca_certificate()
-
class _V3RequestStrategy(_RequestStrategy):
@@ -104,7 +51,8 @@ class _V3RequestStrategy(_RequestStrategy):
auth_ref = self._client.tokens.validate(
token,
include_catalog=self._include_service_catalog,
- allow_expired=allow_expired)
+ allow_expired=allow_expired,
+ access_rules_support=ACCESS_RULES_SUPPORT)
if not auth_ref:
msg = _('Failed to fetch token data from identity server')
@@ -112,23 +60,16 @@ class _V3RequestStrategy(_RequestStrategy):
return {'token': auth_ref}
- def _fetch_signing_cert(self):
- return self._client.simple_cert.get_certificates()
-
- def _fetch_ca_cert(self):
- return self._client.simple_cert.get_ca_certificates()
-
-_REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
+_REQUEST_STRATEGIES = [_V3RequestStrategy]
class IdentityServer(object):
"""Base class for operations on the Identity API server.
The auth_token middleware needs to communicate with the Identity API server
- to validate UUID tokens, signing certificates,
- etc. This class encapsulates the data and methods to perform these
- operations.
+ to validate tokens. This class encapsulates the data and methods to perform
+ the operations.
"""
@@ -176,20 +117,19 @@ class IdentityServer(object):
def _get_strategy_class(self):
if self._requested_auth_version:
- # A specific version was requested.
- if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
- self._requested_auth_version):
- return _V3RequestStrategy
-
- # The version isn't v3 so we don't know what to do. Just assume V2.
- return _V2RequestStrategy
+ if not discover.version_match(_V3RequestStrategy.AUTH_VERSION,
+ self._requested_auth_interface):
+ self._LOG.info('A version other than v3 was requested: %s',
+ self._requested_auth_interface)
+ # Return v3, even if the request is unknown
+ return _V3RequestStrategy
# Specific version was not requested then we fall through to
# discovering available versions from the server
for klass in _REQUEST_STRATEGIES:
if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
self._LOG.debug('Auth Token confirmed use of %s apis',
- self._requested_auth_version)
+ klass.AUTH_VERSION)
return klass
versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
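Review bot: The rewritten branch guards on `self._requested_auth_version` but then feeds `self._requested_auth_interface` to `discover.version_match()` and to the log message, which looks like a copy-paste slip — an interface name is not a version tuple, so the mismatch check and the info log will report the wrong thing (or fail) whenever an explicit auth_version is configured. The two lines should read `self._requested_auth_version):` and `self._requested_auth_interface` → `self._requested_auth_version` in the log call. Separately, silently returning `_V3RequestStrategy` for an unknown requested version is a behaviour change from the old code that deserves a short comment stating that v3 is now the only supported API, and `warning` may be a better level than `info` since the operator's configuration is being overridden. `_get_strategy_class` continues outside the hunk.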
@@ -241,11 +181,5 @@ class IdentityServer(object):
else:
return auth_ref
- def fetch_signing_cert(self):
- return self._request_strategy.fetch_signing_cert()
-
- def fetch_ca_cert(self):
- return self._request_strategy.fetch_ca_cert()
-
def invalidate(self):
return self._adapter.invalidate()