[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican_api

# Use this pipeline for Barbican API - versions no authentication
[pipeline:barbican_version]
pipeline = cors versionapp

# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:barbican_api]
# pipeline = cors unauthenticated-context apiapp
pipeline = {{ options.barbican_api_pipeline }}

#Use this pipeline to activate a repoze.profile middleware and HTTP port,
#  to provide profiling information for the REST API processing.
[pipeline:barbican-profile]
pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

#Use this pipeline for keystone auth
[pipeline:barbican-api-keystone]
# pipeline = cors keystone_authtoken context apiapp
pipeline = {{ options.barbican_api_keystone_pipeline }}

#Use this pipeline for keystone auth with audit feature
[pipeline:barbican-api-keystone-audit]
# pipeline = keystone_authtoken context audit apiapp
pipeline = {{ options.barbican_api_keystone_audit_pipeline }}

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

[app:versionapp]
paste.app_factory = barbican.api.app:create_version_app

[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/barbican/api_audit_map.conf

[filter:keystone_authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
signing_dir = /var/lib/barbican/keystone-signing
auth_host = {{ identity_service.auth_host }}
#need ability to re-auth a token, thus admin url
auth_port = {{ identity_service.auth_port }}
auth_protocol = {{ identity_service.auth_protocol }}
admin_tenant_name = {{ identity_service.service_tenant }}
admin_user = {{ identity_service.service_username }}
admin_password = {{ identity_service.service_password }}
auth_version = v2.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true

[filter:keystone_v3_authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
signing_dir = /var/lib/barbican/keystone-signing
username = {{ identity_service.service_username }}
password= {{ identity_service.service_password }}
# These are hardcoded as it is not passed in the relation but is needed for v3 auth
user_domain_name = default
project_domain_name = default
auth_plugin = password
auth_url = {{ identity_service.auth_protocol }}://{{ identity_service.auth_host }}:{{ identity_service.auth_port }}/v3
auth_uri = {{ identity_service.service_protocol}}://{{ identity_service.service_host }}:{{ identity_service.service_port }}/
project_name = {{ identity_service.service_tenant }}
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true

[filter:profile]
use = egg:repoze.profile
log_filename = myapp.profile
cachegrind_filename = cachegrind.out.myapp
discard_first_request = true
path = /__profile__
flush_at_shutdown = true
unwind = false

[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = barbican