openstack/deb-python-keystonemiddleware
Code Issues Proposed changes

Refactor auth_uri handling

Browse Source 
The auth_uri setting is the value that's returned on auth failure
in the WWW-Authenticate header. It's not actually used by auth_token
to communicate with the identity server, so the IdentityServer
class doesn't need to know what the setting is for the auth_token
middleware. IdentityServer only needs to know how to provide the
default auth uri (based on how IdentityServer is configured) to the
auth_token middleware in case auth_uri isn't specified.

This change is moving things around to clarify how the auth_uri is
used.

Change-Id: I97aeef5721a044422929c72e9e53898822bcdabf
This commit is contained in:
Brant Knudson
2015-02-08 11:31:56 -06:00
parent 1c16d18ff6
commit 5cfdb6f17f
2 changed files with 27 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
keystonemiddleware/auth_token.py
View File

@@ -711,6 +711,18 @@ class AuthProtocol(object):
self._identity_server = self._create_identity_server() self._identity_server = self._create_identity_server()
self._auth_uri = self._conf_get('auth_uri')
if not self._auth_uri:
self._LOG.warning(
_LW('Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint'))
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
# signing # signing
self._signing_dirname = self._conf_get('signing_dir') self._signing_dirname = self._conf_get('signing_dir')
if self._signing_dirname is None: if self._signing_dirname is None:
@@ -891,7 +903,7 @@ class AuthProtocol(object):
@property @property
def _reject_auth_headers(self): def _reject_auth_headers(self):
header_val = 'Keystone uri=\'%s\'' % self._identity_server.auth_uri header_val = 'Keystone uri=\'%s\'' % self._auth_uri
return [('WWW-Authenticate', header_val)] return [('WWW-Authenticate', header_val)]
def _reject_request(self, env, start_response): def _reject_request(self, env, start_response):
@@ -1356,7 +1368,6 @@ class AuthProtocol(object):
self._LOG, self._LOG,
adap, adap,
include_service_catalog=self._include_service_catalog, include_service_catalog=self._include_service_catalog,
auth_uri=self._conf_get('auth_uri'),
requested_auth_version=auth_version) requested_auth_version=auth_version)
def _token_cache_factory(self): def _token_cache_factory(self):
@@ -1453,34 +1464,28 @@ class _IdentityServer(object):
""" """
def __init__(self, log, adap, include_service_catalog=None, auth_uri=None, def __init__(self, log, adap, include_service_catalog=None,
requested_auth_version=None): requested_auth_version=None):
self._LOG = log self._LOG = log
self._adapter = adap self._adapter = adap
self._include_service_catalog = include_service_catalog self._include_service_catalog = include_service_catalog
self._requested_auth_version = requested_auth_version self._requested_auth_version = requested_auth_version
if auth_uri is None:
self._LOG.warning(
_LW('Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint'))
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
auth_uri = adap.get_endpoint(interface=auth.AUTH_INTERFACE)
# NOTE(jamielennox): This weird stripping of the prefix hack is
# only relevant to the legacy case. We urljoin '/' to get just the
# base URI as this is the original behaviour.
if isinstance(adap.auth, _AuthTokenPlugin):
auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
self.auth_uri = auth_uri
# Built on-demand with self._request_strategy. # Built on-demand with self._request_strategy.
self._request_strategy_obj = None self._request_strategy_obj = None
@property
def auth_uri(self):
auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)
# NOTE(jamielennox): This weird stripping of the prefix hack is
# only relevant to the legacy case. We urljoin '/' to get just the
# base URI as this is the original behaviour.
if isinstance(self._adapter.auth, _AuthTokenPlugin):
auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
return auth_uri
@property @property
def auth_version(self): def auth_version(self):
return self._request_strategy.AUTH_VERSION return self._request_strategy.AUTH_VERSION

2
keystonemiddleware/tests/test_auth_token_middleware.py
View File

@@ -663,7 +663,7 @@ class CommonAuthTokenMiddlewareTest(object):
self.set_middleware(conf=conf) self.set_middleware(conf=conf)
expected_auth_uri = 'http://[2001:2013:1:f101::1]:1234' expected_auth_uri = 'http://[2001:2013:1:f101::1]:1234'
self.assertEqual(expected_auth_uri, self.assertEqual(expected_auth_uri,
self.middleware._identity_server.auth_uri) self.middleware._auth_uri)
def assert_valid_request_200(self, token, with_catalog=True): def assert_valid_request_200(self, token, with_catalog=True):
req = webob.Request.blank('/') req = webob.Request.blank('/')