From c908b287007092843d9fda50039e0941601974e1 Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Mon, 9 Jun 2014 17:18:55 +0100
Subject: [PATCH] ec2token tolerate fully-qualified ec2authtoken auth_uri If (as is currently done by the puppet-heat manifiests) the ec2authtoken auth_uri is specified, and it looks like http://127.0.0.1:5000/v2.0/ec2tokens ec2token authentication will fail, because we always append "ec2tokens" to the auth_uri. Instead, only add it when needed. This probably needs to be combined with a change to the puppet manifiests so we don't set the ec2authtoken auth_uri, as it's an optional section - we can derive the correct path with only the auth_uri from the keystone_authtoken section.
Change-Id: I8c89772b40523b30f1c46b2ca8b68f9e20d5c213
Closes-Bug: #1318599
---
 heat/api/aws/ec2token.py | 2 ++
 heat/tests/test_api_ec2token.py | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/heat/api/aws/ec2token.py b/heat/api/aws/ec2token.py
index 5cfe00fb3e..fb161ba540 100644
--- a/heat/api/aws/ec2token.py
+++ b/heat/api/aws/ec2token.py
@@ -73,6 +73,8 @@ class EC2Token(wsgi.Middleware):
 @staticmethod
 def _conf_get_keystone_ec2_uri(auth_uri):
+ if auth_uri.endswith('ec2tokens'):
+ return auth_uri
 if auth_uri.endswith('/'):
 return '%sec2tokens' % auth_uri
 return '%s/ec2tokens' % auth_uri
diff --git a/heat/tests/test_api_ec2token.py b/heat/tests/test_api_ec2token.py
index 2b8d0d7181..d3bad982cc 100644
--- a/heat/tests/test_api_ec2token.py
+++ b/heat/tests/test_api_ec2token.py
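Review bot: The new early return in `_conf_get_keystone_ec2_uri` only matches a value whose last characters are exactly `ec2tokens`, so a configured URI with a trailing slash such as `.../v2.0/ec2tokens/` still falls through to the `endswith('/')` branch and comes out as `.../ec2tokens/ec2tokens`. The suffix test is also not anchored on a path separator, so any path that merely ends in those characters is returned unchanged. This URI appears to be where the request's access key and signature are sent for validation, so a wrong path would leave EC2-style authentication failing for that configuration exactly as before the patch. Normalising once covers both cases: `base = auth_uri.rstrip('/')`, then `if base.endswith('/ec2tokens'): return base` and `return '%s/ec2tokens' % base`. The enclosing `EC2Token` class starts and continues outside the hunk.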
@@ -469,6 +469,28 @@ class Ec2TokenTest(HeatTestCase): self.m.VerifyAll() + def test_call_ok_auth_uri_ec2authtoken_long(self): + # Prove we tolerate a url which already includes the /ec2tokens path + dummy_url = 'http://123:5000/v2.0/ec2tokens' + cfg.CONF.set_default('auth_uri', dummy_url, group='ec2authtoken') + + ec2 = ec2token.EC2Token(app='woot', conf={}) + params = {'AWSAccessKeyId': 'foo', 'Signature': 'xyz'} + req_env = {'SERVER_NAME': 'heat', + 'SERVER_PORT': '8000', + 'PATH_INFO': '/v1'} + dummy_req = self._dummy_GET_request(params, req_env) + + ok_resp = json.dumps({'access': {'metadata': {}, 'token': { + 'id': 123, + 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}}) + self._stub_http_connection(response=ok_resp, + params={'AWSAccessKeyId': 'foo'}) + self.m.ReplayAll() + self.assertEqual('woot', ec2.__call__(dummy_req)) + + self.m.VerifyAll() + def test_call_ok_auth_uri_ks_authtoken(self): # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystoneclient.middleware.auth_token')
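Review bot: `test_call_ok_auth_uri_ec2authtoken_long` passes as long as the stubbed connection returns `ok_resp`; whether `_stub_http_connection` checks the requested path is not visible in this hunk, so a doubled `/ec2tokens/ec2tokens` path might not fail it. A direct assertion on the helper would pin the behaviour the commit is about: `self.assertEqual(dummy_url, ec2token.EC2Token._conf_get_keystone_ec2_uri(dummy_url))`, with a second case whose input carries a trailing slash. The `cfg.CONF.set_default('auth_uri', dummy_url, group='ec2authtoken')` override has no visible reset here; if `HeatTestCase` does not restore configuration between tests, the value could leak into later tests that expect the URI to be derived from `keystone_authtoken`.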