Assign X-Auth-Url header in a separate middleware
authtoken middleware's current purpose is to set X-Auth-Url header to a value read from heat.conf. Since this value is not really related to anything the keystone middleware does and is instead read from a config file, it makes sense to move it from the authtoken middleware into its own middleware This change is the first step to grouping all X-Auth-Url related logic into one single middleware as opposed to have it scattered (or possibly repeated) in auth_token and auth_password. For example, auth_password also has some logic around it related to multi-cloud, which can be extracted and moved to auth_url middleware in a later patch, so that all handling of X-Auth-Url occurs in one place. Also, by extracting the X-Auth-Url logic, it allows cloud providers to remove auth_token or auth_password without side-effects. Closes-Bug: #1259364 Change-Id: Ieb251c18aa091391a28a90c495b61cf41436f8b9
This commit is contained in:
parent
589a2cc23b
commit
1e71566169
|
@ -1,7 +1,7 @@
|
||||||
|
|
||||||
# heat-api pipeline
|
# heat-api pipeline
|
||||||
[pipeline:heat-api]
|
[pipeline:heat-api]
|
||||||
pipeline = faultwrap ssl versionnegotiation authtoken context apiv1app
|
pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app
|
||||||
|
|
||||||
# heat-api pipeline for standalone heat
|
# heat-api pipeline for standalone heat
|
||||||
# ie. uses alternative auth backend that authenticates users against keystone
|
# ie. uses alternative auth backend that authenticates users against keystone
|
||||||
|
@ -78,9 +78,13 @@ paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
|
||||||
paste.filter_factory = heat.common.wsgi:filter_factory
|
paste.filter_factory = heat.common.wsgi:filter_factory
|
||||||
heat.filter_factory = heat.api.openstack:sslmiddleware_filter
|
heat.filter_factory = heat.api.openstack:sslmiddleware_filter
|
||||||
|
|
||||||
|
# Middleware to set auth_url header appropriately
|
||||||
|
[filter:authurl]
|
||||||
|
paste.filter_factory = heat.common.auth_url:filter_factory
|
||||||
|
|
||||||
# Auth middleware that validates token against keystone
|
# Auth middleware that validates token against keystone
|
||||||
[filter:authtoken]
|
[filter:authtoken]
|
||||||
paste.filter_factory = heat.common.auth_token:filter_factory
|
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
|
||||||
|
|
||||||
# Auth middleware that validates username/password against keystone
|
# Auth middleware that validates username/password against keystone
|
||||||
[filter:authpassword]
|
[filter:authpassword]
|
||||||
|
|
|
@ -1,48 +0,0 @@
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
||||||
|
|
||||||
# Copyright 2010-2012 OpenStack Foundation
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
||||||
# implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
import logging
|
|
||||||
from keystoneclient.middleware import auth_token
|
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
class AuthProtocol(auth_token.AuthProtocol):
|
|
||||||
"""
|
|
||||||
Subclass of keystoneclient auth_token middleware which also
|
|
||||||
sets the 'X-Auth-Url' header to the value specified in the config.
|
|
||||||
"""
|
|
||||||
def _build_user_headers(self, token_info):
|
|
||||||
rval = super(AuthProtocol, self)._build_user_headers(token_info)
|
|
||||||
rval['X-Auth-Url'] = self.auth_uri
|
|
||||||
return rval
|
|
||||||
|
|
||||||
|
|
||||||
def filter_factory(global_conf, **local_conf):
|
|
||||||
"""Returns a WSGI filter app for use with paste.deploy."""
|
|
||||||
conf = global_conf.copy()
|
|
||||||
conf.update(local_conf)
|
|
||||||
|
|
||||||
def auth_filter(app):
|
|
||||||
return AuthProtocol(app, conf)
|
|
||||||
return auth_filter
|
|
||||||
|
|
||||||
|
|
||||||
def app_factory(global_conf, **local_conf):
|
|
||||||
conf = global_conf.copy()
|
|
||||||
conf.update(local_conf)
|
|
||||||
return AuthProtocol(None, conf)
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
# Copyright 2013 OpenStack Foundation
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
# implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
from oslo.config import cfg
|
||||||
|
|
||||||
|
from heat.common import wsgi
|
||||||
|
from heat.openstack.common import importutils
|
||||||
|
|
||||||
|
|
||||||
|
class AuthUrlFilter(wsgi.Middleware):
|
||||||
|
|
||||||
|
def __init__(self, app, conf):
|
||||||
|
super(AuthUrlFilter, self).__init__(app)
|
||||||
|
self.conf = conf
|
||||||
|
self.auth_url = self._get_auth_url()
|
||||||
|
|
||||||
|
def _get_auth_url(self):
|
||||||
|
if 'auth_uri' in self.conf:
|
||||||
|
return self.conf['auth_uri']
|
||||||
|
else:
|
||||||
|
# Import auth_token to have keystone_authtoken settings setup.
|
||||||
|
auth_token_module = 'keystoneclient.middleware.auth_token'
|
||||||
|
importutils.import_module(auth_token_module)
|
||||||
|
return cfg.CONF.keystone_authtoken.auth_uri
|
||||||
|
|
||||||
|
def process_request(self, req):
|
||||||
|
req.headers['X-Auth-Url'] = self.auth_url
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
|
def filter_factory(global_conf, **local_conf):
|
||||||
|
conf = global_conf.copy()
|
||||||
|
conf.update(local_conf)
|
||||||
|
|
||||||
|
def auth_url_filter(app):
|
||||||
|
return AuthUrlFilter(app, conf)
|
||||||
|
return auth_url_filter
|
|
@ -0,0 +1,63 @@
|
||||||
|
# Copyright 2013 OpenStack Foundation
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
# implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
import mock
|
||||||
|
import webob
|
||||||
|
|
||||||
|
from heat.common import auth_url
|
||||||
|
from heat.tests.common import HeatTestCase
|
||||||
|
|
||||||
|
|
||||||
|
class FakeApp(object):
|
||||||
|
"""This represents a WSGI app protected by our auth middleware."""
|
||||||
|
|
||||||
|
def __call__(self, environ, start_response):
|
||||||
|
"""Assert that headers are correctly set up when finally called."""
|
||||||
|
resp = webob.Response()
|
||||||
|
resp.body = 'SUCCESS'
|
||||||
|
return resp(environ, start_response)
|
||||||
|
|
||||||
|
|
||||||
|
class AuthUrlFilterTest(HeatTestCase):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(AuthUrlFilterTest, self).setUp()
|
||||||
|
self.app = FakeApp()
|
||||||
|
self.config = {'auth_uri': 'foobar'}
|
||||||
|
|
||||||
|
@mock.patch.object(auth_url.cfg, 'CONF')
|
||||||
|
def test_adds_default_auth_url_from_keystone_authtoken(self, mock_cfg):
|
||||||
|
self.config = {}
|
||||||
|
mock_cfg.keystone_authtoken.auth_uri = 'foobar'
|
||||||
|
mock_cfg.auth_password.multi_cloud = False
|
||||||
|
self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
|
||||||
|
req = webob.Request.blank('/tenant_id/')
|
||||||
|
self.middleware(req)
|
||||||
|
self.assertIn('X-Auth-Url', req.headers)
|
||||||
|
self.assertEqual('foobar', req.headers['X-Auth-Url'])
|
||||||
|
|
||||||
|
def test_overwrites_auth_url_from_headers_with_local_config(self):
|
||||||
|
self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
|
||||||
|
req = webob.Request.blank('/tenant_id/')
|
||||||
|
req.headers['X-Auth-Url'] = 'should_be_overwritten'
|
||||||
|
self.middleware(req)
|
||||||
|
self.assertEqual('foobar', req.headers['X-Auth-Url'])
|
||||||
|
|
||||||
|
def test_reads_auth_url_from_local_config(self):
|
||||||
|
self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
|
||||||
|
req = webob.Request.blank('/tenant_id/')
|
||||||
|
self.middleware(req)
|
||||||
|
self.assertIn('X-Auth-Url', req.headers)
|
||||||
|
self.assertEqual('foobar', req.headers['X-Auth-Url'])
|
Loading…
Reference in New Issue