| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Change-Id: Ie37ca77d668cd58671ba2013005a61fdf9417c59
|
| |
|
|
| |
Change-Id: I56ed347bbfc1672090120d860616b4280a48e381
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the bandit.yaml and just uses the defaults. As
such there are a few flagged issues that needed correcting.
The hits are now marked with "# nosec" so that they'll be ignored
since the hits were not security-related.
Co-Authored-By: Brant Knudson <bknudson@us.ibm.com>
Co-Authored-By: Eric Brown <browne@vmware.com>
Conflicts:
tox.ini
Change-Id: Ib253a4a21156b6606c356ade46c72c6ace01a1af
(cherry picked from commit 45136e058034a96c33c7afedcc69ad40f5d514d0)
|
| |
|
|
|
|
| |
Change is applicable to stable/liberty branch only.
Change-Id: I6f54d1fa10333935dcbca0ceb0474b643359bdd5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the revocation list includes audit_ids, then when doing offline
validation also validate the token isn't revoked by audit_id.
Backport notes:
- test_auth_token_middleware was refactored with commit 9cbd47b to
check responses differently, so the test changed to use the old
method.
- reno was not supported so the release note is removed.
Closes-Bug: 1490804
Change-Id: I483bc57bd38eb81a0905bcaf94e4ea82604919d6
(cherry picked from commit 96ab58e6863c92575ada57615b19652e502adfd8)
|
| |
|
|
| |
Change-Id: I6765cdd617b19d8f2d8742243a6a40a877233583
|
| |
|
|
|
|
|
|
|
|
|
|
| |
pycadf now issues deprecation warnings on certain events. this
behaviour was causing the the stable/liberty branch to fail, since
we immediately fail any time keystonemiddleware calls a deprecated
function. for the test suite that calls pycadf functions, we should
ignore these errors. Note that this does not happen on the master
branch.
Change-Id: I76cc17b8e4341ee73f343445b3f1b99b64a4977e
Related-Bug: 1504889
|
| |
|
|
| |
Change-Id: I7c4f8a18d7368c1e84de37d6f347459b73ba3add
|
| |
|
|
| |
Change-Id: I4984716b6da5ade417c4dd8d16534f7e52370444
|
| |
|
|
| |
Change-Id: I46546c22959a82d0a5098a2df9a7bbc2ebe34ec3
|
| |
|
|
| |
Change-Id: I013caaea2d742ec2b1a97657b1c41f500d8ca5b4
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The auth_token middleware was marking a token invalid in the cache
on any otherwise-uncaught exception, not only when it has really
determined that the token is invalid. This will fix that by being
better about using the InvalidToken exception only when the token is
really invalid, and only marking invalid in the cache when that
exception occurs.
This fix uncovered a bug in the auth_token unit test
test_composite_auth_delay_invalid_service_and_user_tokens, so that has
been addressed as well. It was attempting to use "invalid-user-token",
which was not initialized, where it meant to use "invalid-token". This
was leading to a NoMockAddress exception. Prior to this fix, the code
turned all unexpected exceptions into InvalidToken exceptions, masking
this issue.
It also uncovered DeprecationWarnings raised in _identity.py for usage
of logging.warn rather than logging.warning in py34. That has also
been fixed. As above, prior to this fix those would have been turned
into InvalidToken exceptions (incorrectly).
Change-Id: I2e487fb02c9171f743ecc1f4f230b29a5e96212d
Closes-Bug: #1488267
(cherry picked from commit 7dcbdf774803a92bfc24704dec5f919ac75ad315)
|
| |\ \ |
|
| | |/
| |
| |
| | |
Change-Id: Ie5145f184eed2fb8db91336a6b79e4e94a7f27cd
|
| |/
|
|
| |
Change-Id: Iff07b0a909a088da2aa4a7a5672d1e43ed25c32c
|
| |
|
|
| |
Change-Id: I29368d7ce903588ecbac0c34478a5cef12176f62
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The auth_token tests were failing randomly (depending on which tests
were run together) because the global config had options left in it
by other tests (options were added as part of auth plugin
initialization and oslo.config provides no way to remove registered
options).
This change makes it so that auth_token gets a fresh config for
every test (other than one test that requires using the global CONF
object).
Closes-Bug: 1494327
Change-Id: I647f7fade01e2a619f4a5d12a4e71897423469c1
|
| |
|
|
|
|
|
| |
There were issues with the docstrings. Warnings were printed
when generating the docs.
Change-Id: Iff917248687984635102aa93ae3d1cef99ad6211
|
| |
|
|
|
|
|
|
|
|
| |
Auth token unit tests were failing because they were faking
ConnectionError whereas keystoneclient raises ConnectionRefused. See
http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/session.py?id=28138b588224c6b0503620ac2e24bd37dad25370#n430
This switches to faking ConnectionRefused.
Change-Id: I635a7255112f654141ae35369ccc6f3aea425740
Closes-Bug: #1492600
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The keystone that is used to validate tokens is determined from the
service catalog. If you have multiple identity entries in your service
catalog then you need to specify the region to use.
Add a region_name option.
Change-Id: I512dbcdc7031f476d691b7ce09b7c6411900ea9e
Closes-Bug: #1405717
|
| | |
| |
| |
| | |
Change-Id: Iab1414a4427d4838bff75cefc41a16f7b3162322
|
| |/
|
|
| |
Change-Id: Idcf3b0b12c49e8009d6a24137b1d016100c334b6
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an application doesn't use a global configuration object and load
the middleware with api paste, they are no ways to read the
configuration options from the application configuration file.
This change fixes that, the api paste config will looks like:
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
oslo_config_project = aodh
With this, the keystonemiddleware will automatically load
the configuration of the project aodh with a local oslo.config object
instead of the global one.
This allows application to not rely of the global oslo.config object
and continue to use paste and keystonemiddleware.
Closes-bug: #1482078
Related-bug: #1406218
Change-Id: I48c3d6a6a5486c9c035a15a75c025be7f5abaab4
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Mixing "str" and "unicode" can lead to a UnicodeDecodeError. We encode unicode
values before using them with text strings.
The bug occurs if the URL contains a non-ASCII character in the path:
"hého" in "/v1/AUTH_cfa/c/hého" ("/v1/AUTH_cfa/c/h\xc3\xa9ho" in UTF-8) for
example.
The bug occurs on Python 2 in s3_token.py because the tenant id is retrieved
from identity_info['access']['token']['tenant'] and identity_info comes from
resp.json().
The problem is that in Python, the JSON decoder always create Unicode strings.
Example in Python 2:
>>> json.loads('{"key": "value"}') {u'key': u'value'}
There is no issue in Python 3, since all text strings are Unicode.
Change-Id: Ib7fdf60f8369ea9546fcd92f1ac385c777478d10
Closes-Bug: #1428706
Co-Authored-By: Victor Stinner <vstinner@redhat.com>
|
| | |
| |
| |
| | |
Change-Id: I513632975a0997da78d8c2a16a8a7db3c8ee0fff
|
| | |
| |
| |
| | |
Change-Id: I67c69cbc4cf027b6e23d7bfe93f16435821d70d0
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Move the standard parts of token validation onto the base class. To make
this work in a way that is useful for both keystone and auth_token we
need to fetch and validate the tokens and then enforce what to do with
the request at a higher level.
Change-Id: I01ec6798b6c029c0013f4bcf73697c92a3063f4b
|
| | | |
| | |
| | |
| | | |
Change-Id: I8ec29f1a09f74a7aae442eaa255d3061697a0f5c
|
| | | |
| | |
| | |
| | | |
Change-Id: I1c9a1e391615fd931233b176c3844ee369e39fbe
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The requirements job was failing since it doesn't allow duplicate
requirements like we have in test-requirements.txt and
test-requirements-py3.txt. test-requirements-py3.txt can now be
removed since python-memcached supports python3.
Also, updated the requirements using the update-requirements
script from commit ae4aa204367b97170a808ad6ef7261959c7efae1 .
Change-Id: Icfc7cedd3fe7ac48bb04f9acbb73d0b8d0190721
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Move the code for offline validation into a method so that it's
easier to tell what this block of code is doing.
Change-Id: Idd0a6c016c7b8878234e479b173f98c53d5aad4b
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
:: is used to introduce a formatted section and isn't needed for
a list.
Change-Id: Ic1f2b38c9de87eb041ab0ec937a66391899e34e5
|
| |\ \ \ \
| |/ / / |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The identity server access log should be able to log which user-agent
made the request using the following string format:
"{project}/{project_version}
keystonemiddleware.auth_token/{keystonemiddleware_version}"
This format is documented in rfc7231:
https://tools.ietf.org/html/rfc7231#section-5.5.3
The {project} value will be retrieved from the oslo_config configuration
option/attribute named 'project' or from a 'project' paste.deploy option
for services that don't use oslo_config (e.g. Swift). If neither is
found then we will only log
"keystonemiddleware.auth_token/{keystonemiddleware_version}".
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Closes-Bug: #1450666
Change-Id: Ic87861d2f9fefb3fe78cc93adc73acad9a837b39
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The setup.cfg refers to Programming Language of Python 3.3 whereas
jenkins is setup only to test Python 3.4. This patch updates setup.cfg
and removes py33 from tox.ini.
TrivialFix
Change-Id: I6e4b01bf4997a99fd0ac0c2602d87321c076d2ad
|
| |\ \ \ \
| |_|/ /
|/| | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The basic expiry validation and token bind checking will be common to
base classes. Move these to the base class.
Change-Id: I165b27b7ffcc09cdd00063e6f67624d4ac188a82
|
| |\ \ \ \
| |/ / / |
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Split the validate process into two distinct parts. The fetch process
will retrieve the token data, either from PKI or from the identity
server. It is also responsible for caching this information.
The validate process then looks at the data returned and decides whether
it is allowed for this request. A simplification for later is that token
binding is performed in addition to the validate step because this
really should be performed once per request and not once per token.
Because of this we are no longer caching the validation of a request,
only the actual request data. We therefore remove some tests that were
testing that the validation of a token was cached.
Change-Id: Icbd44f5edbeadb1a52cccf2a481a1e861b0de120
|
| |/ /
| |
| |
| |
| |
| |
| | |
Sphinx was always using (k)eystonemiddleware for the prefix so the index
wasn't very useful.
Change-Id: Id1f86c92dfea0faf72484df12764b01b6c8f2d08
|
| |\ \ |
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Webob sets the Content-Type of responses to 'text/html' if nothing else
is set. There are a number of bugs out for webob with this but it seems
unlikely it will be fixed upstream.
We don't want auth_token middleware automatically setting content-types
on application responses so create our own response object with an empty
default_content_type so it's not set.
Change-Id: I947f384e170a8d2685b71e1a6611c6241e827196
Closes-Bug: #1466499
|
| | |
| |
| |
| |
| |
| |
| | |
This is the user plugin object that is passed down to the services. Add
helpers for setting and retrieving it from a request.
Change-Id: I39173ad5025b7bafc9d41da42180be5cea9df6b5
|
| | |
| |
| |
| |
| |
| |
| | |
Add helpers to extract the user_token and the service_token from the
request.
Change-Id: Icd9b87dc2b570eb4cab56fc0cc7fc2b59a57e965
|
