From 147efb0469734f793e917641649fd24bb9da317f Mon Sep 17 00:00:00 2001
From: Colleen Murphy <colleen@gazlene.net>
Date: Thu, 14 Feb 2019 01:04:28 +0100
Subject: Add support for app cred access rules header

This header is set to indicate to the keystone server that the client,
usually keystonemiddleware, will validate application credential access
rules. If not provided and the token uses access rules, the server will
return a 401.

bp whitelist-extension-for-app-creds

Change-Id: I64ac952d663e916150fbf7e5a8f70b76dddf3319
---
 keystoneclient/v3/tokens.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

(limited to 'keystoneclient')

diff --git a/keystoneclient/v3/tokens.py b/keystoneclient/v3/tokens.py
index 6e6fffd..7e0cb07 100644
--- a/keystoneclient/v3/tokens.py
+++ b/keystoneclient/v3/tokens.py
@@ -57,7 +57,8 @@ class TokenManager(object):
         resp, body = self._client.get(path)
         return body
 
-    def get_token_data(self, token, include_catalog=True, allow_expired=False):
+    def get_token_data(self, token, include_catalog=True, allow_expired=False,
+                       access_rules_support=None):
         """Fetch the data about a token from the identity server.
 
         :param str token: The ID of the token to be fetched.
@@ -65,11 +66,18 @@ class TokenManager(object):
                                      included in the response.
         :param allow_expired: If True the token will be validated and returned
                               if it has already expired.
+        :param access_rules_support: Version number indicating that the client
+                                     is capable of enforcing keystone
+                                     access rules, if unset this client
+                                     does not support access rules.
+        :type access_rules_support: float
 
         :rtype: dict
 
         """
         headers = {'X-Subject-Token': token}
+        if access_rules_support:
+            headers['OpenStack-Identity-Access-Rules'] = access_rules_support
         flags = []
 
         url = '/auth/tokens'
@@ -85,7 +93,8 @@ class TokenManager(object):
         resp, body = self._client.get(url, headers=headers)
         return body
 
-    def validate(self, token, include_catalog=True, allow_expired=False):
+    def validate(self, token, include_catalog=True, allow_expired=False,
+                 access_rules_support=None):
         """Validate a token.
 
         :param token: The token to be validated.
@@ -95,6 +104,11 @@ class TokenManager(object):
         :param allow_expired: If True the token will be validated and returned
                               if it has already expired.
         :type allow_expired: bool
+        :param access_rules_support: Version number indicating that the client
+                                     is capable of enforcing keystone
+                                     access rules, if unset this client
+                                     does not support access rules.
+        :type access_rules_support: float
 
         :rtype: :class:`keystoneclient.access.AccessInfoV3`
 
@@ -102,5 +116,6 @@ class TokenManager(object):
         token_id = _calc_id(token)
         body = self.get_token_data(token_id,
                                    include_catalog=include_catalog,
-                                   allow_expired=allow_expired)
+                                   allow_expired=allow_expired,
+                                   access_rules_support=access_rules_support)
         return access.AccessInfo.factory(auth_token=token_id, body=body)
-- 
cgit v1.2.1