Assign X-Auth-Url header in a separate middleware

authtoken middleware's current purpose is to set X-Auth-Url header to a
value read from heat.conf.

Since this value is not really related to anything the keystone
middleware does and is instead read from a config file, it makes sense
to move it from the authtoken middleware into its own middleware

This change is the first step to grouping all X-Auth-Url related logic
into one single middleware as opposed to have it scattered (or possibly
repeated) in auth_token and auth_password. For example, auth_password
also has some logic around it related to multi-cloud, which can be
extracted and moved to auth_url middleware in a later patch, so that all
handling of X-Auth-Url occurs in one place.

Also, by extracting the X-Auth-Url logic, it allows cloud
providers to remove auth_token or auth_password without side-effects.

Closes-Bug: #1259364
Change-Id: Ieb251c18aa091391a28a90c495b61cf41436f8b9
changes/91/60991/12
Anderson Mesquita 9 years ago
parent 589a2cc23b
commit 1e71566169
  1. 8
      etc/heat/api-paste.ini
  2. 48
      heat/common/auth_token.py
  3. 49
      heat/common/auth_url.py
  4. 63
      heat/tests/test_auth_url.py

@ -1,7 +1,7 @@
# heat-api pipeline
[pipeline:heat-api]
pipeline = faultwrap ssl versionnegotiation authtoken context apiv1app
pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app
# heat-api pipeline for standalone heat
# ie. uses alternative auth backend that authenticates users against keystone
@ -78,9 +78,13 @@ paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:sslmiddleware_filter
# Middleware to set auth_url header appropriately
[filter:authurl]
paste.filter_factory = heat.common.auth_url:filter_factory
# Auth middleware that validates token against keystone
[filter:authtoken]
paste.filter_factory = heat.common.auth_token:filter_factory
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
# Auth middleware that validates username/password against keystone
[filter:authpassword]

@ -1,48 +0,0 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2010-2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
from keystoneclient.middleware import auth_token
LOG = logging.getLogger(__name__)
class AuthProtocol(auth_token.AuthProtocol):
"""
Subclass of keystoneclient auth_token middleware which also
sets the 'X-Auth-Url' header to the value specified in the config.
"""
def _build_user_headers(self, token_info):
rval = super(AuthProtocol, self)._build_user_headers(token_info)
rval['X-Auth-Url'] = self.auth_uri
return rval
def filter_factory(global_conf, **local_conf):
"""Returns a WSGI filter app for use with paste.deploy."""
conf = global_conf.copy()
conf.update(local_conf)
def auth_filter(app):
return AuthProtocol(app, conf)
return auth_filter
def app_factory(global_conf, **local_conf):
conf = global_conf.copy()
conf.update(local_conf)
return AuthProtocol(None, conf)

@ -0,0 +1,49 @@
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo.config import cfg
from heat.common import wsgi
from heat.openstack.common import importutils
class AuthUrlFilter(wsgi.Middleware):
def __init__(self, app, conf):
super(AuthUrlFilter, self).__init__(app)
self.conf = conf
self.auth_url = self._get_auth_url()
def _get_auth_url(self):
if 'auth_uri' in self.conf:
return self.conf['auth_uri']
else:
# Import auth_token to have keystone_authtoken settings setup.
auth_token_module = 'keystoneclient.middleware.auth_token'
importutils.import_module(auth_token_module)
return cfg.CONF.keystone_authtoken.auth_uri
def process_request(self, req):
req.headers['X-Auth-Url'] = self.auth_url
return None
def filter_factory(global_conf, **local_conf):
conf = global_conf.copy()
conf.update(local_conf)
def auth_url_filter(app):
return AuthUrlFilter(app, conf)
return auth_url_filter

@ -0,0 +1,63 @@
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import mock
import webob
from heat.common import auth_url
from heat.tests.common import HeatTestCase
class FakeApp(object):
"""This represents a WSGI app protected by our auth middleware."""
def __call__(self, environ, start_response):
"""Assert that headers are correctly set up when finally called."""
resp = webob.Response()
resp.body = 'SUCCESS'
return resp(environ, start_response)
class AuthUrlFilterTest(HeatTestCase):
def setUp(self):
super(AuthUrlFilterTest, self).setUp()
self.app = FakeApp()
self.config = {'auth_uri': 'foobar'}
@mock.patch.object(auth_url.cfg, 'CONF')
def test_adds_default_auth_url_from_keystone_authtoken(self, mock_cfg):
self.config = {}
mock_cfg.keystone_authtoken.auth_uri = 'foobar'
mock_cfg.auth_password.multi_cloud = False
self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
req = webob.Request.blank('/tenant_id/')
self.middleware(req)
self.assertIn('X-Auth-Url', req.headers)
self.assertEqual('foobar', req.headers['X-Auth-Url'])
def test_overwrites_auth_url_from_headers_with_local_config(self):
self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
req = webob.Request.blank('/tenant_id/')
req.headers['X-Auth-Url'] = 'should_be_overwritten'
self.middleware(req)
self.assertEqual('foobar', req.headers['X-Auth-Url'])
def test_reads_auth_url_from_local_config(self):
self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
req = webob.Request.blank('/tenant_id/')
self.middleware(req)
self.assertIn('X-Auth-Url', req.headers)
self.assertEqual('foobar', req.headers['X-Auth-Url'])
Loading…
Cancel
Save