From 21bf6c7fdae14a5e2143c3bad4914e30c982f5d4 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Tue, 17 Jun 2014 09:25:43 -0400
Subject: [PATCH] Default to PKIZ tokens
Changes the default token format to PKIZ from PKI.
Blueprint: compress-tokens
DocImpact
Changes the default Token Provider to PKIZ If only token_format=UUID is set, Keystone will not start with a warning about provider mismatch
Change-Id: Idf14ab6c6dd3a3cab42c35771416d9096ea4d900
---
 keystone/tests/test_token_provider.py | 41 +++++++----------------
 keystone/token/provider.py | 48 ++++++++++++---------------
 2 files changed, 34 insertions(+), 55 deletions(-)
diff --git a/keystone/tests/test_token_provider.py b/keystone/tests/test_token_provider.py
index 80596e451..42933789b 100644
--- a/keystone/tests/test_token_provider.py
+++ b/keystone/tests/test_token_provider.py
@@ -726,31 +726,9 @@ class TestTokenProvider(tests.TestCase): self.token_provider_api.get_token_version, 'bogus') - def test_token_format_provider_mismatch(self): - self.config_fixture.config(group='signing', token_format='UUID') - self.config_fixture.config(group='token', - provider=token.provider.PKI_PROVIDER) - self.assertRaises(exception.UnexpectedError, token.provider.Manager) - - self.config_fixture.config(group='signing', token_format='PKI') - self.config_fixture.config(group='token', - provider=token.provider.UUID_PROVIDER) - self.assertRaises(exception.UnexpectedError, token.provider.Manager) - - # should be OK as token_format and provider aligns - self.config_fixture.config(group='signing', token_format='PKI') - self.config_fixture.config(group='token', - provider=token.provider.PKI_PROVIDER) - token.provider.Manager() - - self.config_fixture.config(group='signing', token_format='UUID') - self.config_fixture.config(group='token', - provider=token.provider.UUID_PROVIDER) - token.provider.Manager() - def test_default_token_format(self): self.assertEqual(token.provider.Manager.get_token_provider(), - token.provider.PKI_PROVIDER) + token.provider.PKIZ_PROVIDER) def test_uuid_token_format_and_no_provider(self): self.config_fixture.config(group='signing', token_format='UUID')
@@ -766,6 +744,10 @@ class TestTokenProvider(tests.TestCase): provider=token.provider.PKI_PROVIDER) token.provider.Manager() + self.config_fixture.config(group='token', + provider=token.provider.PKIZ_PROVIDER) + token.provider.Manager() + def test_unsupported_token_format(self): self.config_fixture.config(group='signing', token_format='CUSTOM') self.assertRaises(exception.UnexpectedError,
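Review bot: Deleting test_token_format_provider_mismatch at the top of this hunk removes the only coverage of a deprecated [signing] token_format that disagrees with an explicit [token] provider, and neither the rest of this hunk nor the -766 hunk replaces it. With the get_token_provider() rewrite in provider.py further down this patch, the token_format mapping is returned before CONF.token.provider is read, so the UUID/PKI_PROVIDER pairing this test rejected would now quietly produce the UUID provider; whichever precedence the project wants, it should stay pinned by a test. A reduced form would do, e.g. `self.config_fixture.config(group='signing', token_format='UUID')`, `self.config_fixture.config(group='token', provider=token.provider.PKI_PROVIDER)`, `self.assertRaises(exception.UnexpectedError, token.provider.Manager)`. The test_default_token_format change to PKIZ_PROVIDER is consistent with the new default.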
@@ -799,8 +781,8 @@ class TestTokenProvider(tests.TestCase): self.config_fixture.config(group='signing', token_format='CUSTOM') self.config_fixture.config(group='token', provider='my.package.MyProvider') - self.assertEqual(token.provider.Manager.get_token_provider(), - 'my.package.MyProvider') + self.assertRaises(exception.UnexpectedError, + token.provider.Manager.get_token_provider) def test_provider_token_expiration_validation(self): self.assertRaises(exception.TokenNotFound,
@@ -836,10 +818,11 @@ class TestTokenProviderOAuth1(tests.TestCase): self.user_foo['id'], ['oauth1']) -class TestPKIProvider(object): +# NOTE(ayoung): renamed to avoid automatic test detection +class PKIProviderTests(object): def setUp(self): - super(TestPKIProvider, self).setUp() + super(PKIProviderTests, self).setUp() from keystoneclient.common import cms self.cms = cms
@@ -870,7 +853,7 @@ class TestPKIProvider(object): token_data) -class TestPKIProviderWithEventlet(TestPKIProvider, tests.TestCase): +class TestPKIProviderWithEventlet(PKIProviderTests, tests.TestCase): def setUp(self): # force keystoneclient.common.cms to use eventlet's subprocess
@@ -880,7 +863,7 @@ class TestPKIProviderWithEventlet(TestPKIProvider, tests.TestCase): super(TestPKIProviderWithEventlet, self).setUp() -class TestPKIProviderWithStdlib(TestPKIProvider, tests.TestCase): +class TestPKIProviderWithStdlib(PKIProviderTests, tests.TestCase): def setUp(self): # force keystoneclient.common.cms to use the stdlib subprocess
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index b54e08561..dcd2ffc1c 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
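Review bot: The NOTE added above PKIProviderTests in the -836 hunk records the rename but not the shape that makes it work: the class derives from `object` yet its setUp calls `super(PKIProviderTests, self).setUp()`, which only reaches a real fixture because the concrete classes in the -870 and -880 hunks list it ahead of tests.TestCase in their bases. A comment stating that would keep the next reader from "fixing" the base class, e.g. `# NOTE(ayoung): mixin, not a TestCase, so runners do not collect it on its own; TestPKIProviderWithEventlet/WithStdlib put it before tests.TestCase so super().setUp() reaches the fixture.` The body of PKIProviderTests continues outside the hunk.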
@@ -43,8 +43,16 @@ VERSIONS = frozenset([V2, V3]) # default token providers PKI_PROVIDER = 'keystone.token.providers.pki.Provider' +PKIZ_PROVIDER = 'keystone.token.providers.pkiz.Provider' UUID_PROVIDER = 'keystone.token.providers.uuid.Provider' +_FORMAT_TO_PROVIDER = { + 'PKI': PKI_PROVIDER, + # should not support new options, but PKIZ keeps the option consistent + 'PKIZ': PKIZ_PROVIDER, + 'UUID': UUID_PROVIDER +} + class UnsupportedTokenVersionException(Exception): """Token version is unrecognizable or unsupported.""" 
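Review bot: The comment inside _FORMAT_TO_PROVIDER ("should not support new options, but PKIZ keeps the option consistent") explains neither what the table is for nor why a deprecated setting is gaining a new value; a reader has to find get_token_provider() to learn it maps the deprecated [signing] token_format onto a [token] provider. I would replace it with a header comment above the dict, e.g. `# Maps deprecated [signing] token_format values onto [token] provider classes. 'PKIZ' is accepted here presumably so all three bundled providers are addressable the same way — confirm.` Accepting 'PKIZ' here is also not reflected in the "expected either 'UUID' or 'PKI'" error text kept in the get_token_provider() hunk below.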
@@ -75,36 +83,24 @@ class Manager(manager.Manager): ``provider`` instead. """ - if CONF.token.provider is not None: - # NOTE(gyee): we are deprecating CONF.signing.token_format. This - # code is to ensure the token provider configuration agrees with - # CONF.signing.token_format. - if (CONF.signing.token_format and - ((CONF.token.provider == PKI_PROVIDER and - CONF.signing.token_format != 'PKI') or - (CONF.token.provider == UUID_PROVIDER and - CONF.signing.token_format != 'UUID'))): - raise exception.UnexpectedError( - _('keystone.conf [signing] token_format (deprecated) ' - 'conflicts with keystone.conf [token] provider')) - return CONF.token.provider - else: - if not CONF.signing.token_format: - # No token provider and no format, so use default (PKI) - return PKI_PROVIDER - msg = _('keystone.conf [signing] token_format is deprecated in ' - 'favor of keystone.conf [token] provider') - if CONF.signing.token_format == 'PKI': - LOG.warning(msg) - return PKI_PROVIDER - elif CONF.signing.token_format == 'UUID': - LOG.warning(msg) - return UUID_PROVIDER - else: + if CONF.signing.token_format: + LOG.warn(_('[signing] token_format is deprecated. ' + 'Please change to setting the [token] provider ' + 'configuration value instead')) + try: + + mapped = _FORMAT_TO_PROVIDER[CONF.signing.token_format] + except KeyError: raise exception.UnexpectedError( _('Unrecognized keystone.conf [signing] token_format: ' 'expected either \'UUID\' or \'PKI\'')) + return mapped + + if CONF.token.provider is None: + return PKIZ_PROVIDER + else: + return CONF.token.provider def __init__(self): super(Manager, self).__init__(self.get_token_provider())
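Review bot: In the rewritten get_token_provider(), an explicit [token] provider is discarded whenever the deprecated [signing] token_format is set: the `if CONF.signing.token_format:` branch returns the mapped provider before CONF.token.provider is ever consulted, whereas the removed code raised UnexpectedError on a conflict. A deployment that sets `provider = keystone.token.providers.pkiz.Provider` but leaves a stale `token_format = UUID` in place now issues UUID tokens with only a deprecation warning, and the -799 test hunk codifies that an explicit custom provider is dropped the same way. The conflict check should be restored after the format is mapped; while there, `LOG.warn` should be `LOG.warning` as the removed code used, the "expected either 'UUID' or 'PKI'" text no longer matches a table that also accepts 'PKIZ', and the blank line after `try:` should go. The get_token_provider signature sits above the hunk.
```python
        if CONF.signing.token_format:
            LOG.warning(_('[signing] token_format is deprecated. '
                          'Please change to setting the [token] provider '
                          'configuration value instead'))
            try:
                mapped = _FORMAT_TO_PROVIDER[CONF.signing.token_format]
            except KeyError:
                raise exception.UnexpectedError(
                    _('Unrecognized keystone.conf [signing] token_format: '
                      'expected one of \'UUID\', \'PKI\' or \'PKIZ\''))
            # An explicit [token] provider must agree with the deprecated
            # option; silently preferring either one hides a misconfiguration.
            if CONF.token.provider not in (None, mapped):
                raise exception.UnexpectedError(
                    _('keystone.conf [signing] token_format (deprecated) '
                      'conflicts with keystone.conf [token] provider'))
            return mapped
        # … unchanged: default to PKIZ_PROVIDER when neither option is set …
```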