From b36f4da1925f7be9e0eadb057753241450135364 Mon Sep 17 00:00:00 2001
From: Thomas Herve
Date: Wed, 12 Aug 2015 16:18:11 +0200
Subject: [PATCH] Revert failing tests and use v3 for ec2 tokens
Domain users are not supported anymore on v2, so we need to use v3 by default when authenticating ec2 access.
Change-Id: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
Closes-Bug: #1484086
---
 heat/api/aws/ec2token.py | 19 +++++---
 heat/tests/api/aws/test_api_ec2token.py | 41 ++++++++-----------
 .../functional/test_notifications.py | 3 --
 .../scenario/test_ceilometer_alarm.py | 2 -
 .../scenario/test_server_cfn_init.py | 3 --
 5 files changed, 29 insertions(+), 39 deletions(-)
diff --git a/heat/api/aws/ec2token.py b/heat/api/aws/ec2token.py
index ace6b00dc9..79562cb14f 100644
--- a/heat/api/aws/ec2token.py
+++ b/heat/api/aws/ec2token.py
@@ -77,7 +77,7 @@ class EC2Token(wsgi.Middleware):
 def _conf_get_auth_uri(self):
 auth_uri = self._conf_get('auth_uri')
 if auth_uri:
- return auth_uri
+ return auth_uri.replace('v2.0', 'v3')
 else:
 # First we check the [clients_keystone] section, and if it is not
 # set we look in [keystone_authtoken]
@@ -89,7 +89,9 @@ class EC2Token(wsgi.Middleware):
 # Import auth_token to have keystone_authtoken settings setup.
 # We can use the auth_uri from the keystone_authtoken section
 importutils.import_module('keystonemiddleware.auth_token')
- return cfg.CONF.keystone_authtoken['auth_uri']
+ auth_uri = cfg.CONF.keystone_authtoken['auth_uri']
+ if auth_uri:
+ return auth_uri.replace('v2.0', 'v3')
 @staticmethod
 def _conf_get_keystone_ec2_uri(auth_uri):
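Review bot: `auth_uri.replace('v2.0', 'v3')` rewrites every occurrence of `v2.0` in the configured URI, not only a trailing version segment, so a host name or path prefix that happens to contain that substring is silently altered and the signed EC2 request goes to an endpoint the operator did not configure. The same call is applied to the `keystone_authtoken` value in the next hunk. Restricting the rewrite to the end of the path would be safer, e.g. `if auth_uri.rstrip('/').endswith('/v2.0'): auth_uri = auth_uri.rstrip('/')[:-len('v2.0')] + 'v3'`, and a one-line comment saying why an explicitly configured v2.0 URI is overridden would help the next reader. `_conf_get_auth_uri` continues past the end of this hunk.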
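Review bot: When `cfg.CONF.keystone_authtoken['auth_uri']` is empty, the new `if auth_uri:` has no `else`, so the method ends without a `return` and yields `None` implicitly. The caller is outside this hunk, but the adjacent `_conf_get_keystone_ec2_uri(auth_uri)` suggests the value is used to build a URL, where `None` would presumably surface as an unrelated error at request time rather than as a configuration problem. Making the fall-through explicit, with a log line naming the missing `auth_uri` option followed by `return None`, or by raising at this point, keeps the failure attributable. The method body starts before this hunk.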
@@ -226,10 +228,11 @@ class EC2Token(wsgi.Middleware):
 cert=self.ssl_options['cert'])
 result = response.json()
 try:
- token_id = result['access']['token']['id']
- tenant = result['access']['token']['tenant']['name']
- tenant_id = result['access']['token']['tenant']['id']
- LOG.info(_LI("AWS authentication successful."))
+ token_id = response.headers['X-Subject-Token']
+ tenant = result['token']['project']['name']
+ tenant_id = result['token']['project']['id']
+ roles = [role['name']
+ for role in result['token'].get('roles', [])]
 except (AttributeError, KeyError):
 LOG.info(_LI("AWS authentication failure."))
 # Try to extract the reason for failure so we can return the
@@ -245,6 +248,8 @@ class EC2Token(wsgi.Middleware):
 raise exception.HeatSignatureError()
 else:
 raise exception.HeatAccessDeniedError()
+ else:
+ LOG.info(_LI("AWS authentication successful."))
 # Authenticated!
 ec2_creds = {'ec2Credentials': {'access': access,
@@ -255,8 +260,6 @@ class EC2Token(wsgi.Middleware):
 req.headers['X-Tenant-Id'] = tenant_id
 req.headers['X-Auth-URL'] = auth_uri
- metadata = result['access'].get('metadata', {})
- roles = metadata.get('roles', [])
 req.headers['X-Roles'] = ','.join(roles)
 return self.application
diff --git a/heat/tests/api/aws/test_api_ec2token.py b/heat/tests/api/aws/test_api_ec2token.py
index 9a5d0f7cfa..ffcda3d3df 100644
--- a/heat/tests/api/aws/test_api_ec2token.py
+++ b/heat/tests/api/aws/test_api_ec2token.py
@@ -228,7 +228,7 @@ class Ec2TokenTest(common.HeatTestCase):
 self.assertEqual('xyz', ec2.__call__(dummy_req))
 def _stub_http_connection(self, headers=None, params=None, response=None,
- req_url='http://123:5000/v2.0/ec2tokens',
+ req_url='http://123:5000/v3/ec2tokens',
 verify=True, cert=None):
 headers = headers or {}
@@ -236,6 +236,7 @@ class Ec2TokenTest(common.HeatTestCase):
 class DummyHTTPResponse(object):
 text = response
+ headers = {'X-Subject-Token': 123}
 def json(self):
 return json.loads(self.text)
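Review bot: The new parsing inside the `try` can raise `TypeError`, which `except (AttributeError, KeyError)` does not catch: a `null` value for `token`, `project` or `roles`, or a role entry that is not a dict, escapes as an unhandled exception instead of taking the access-denied path. The request still fails closed, but the client sees a server error and the "AWS authentication failure." log line is never written. Widening the clause to `except (AttributeError, KeyError, TypeError):` keeps malformed Keystone responses on the same path as missing keys. The `try` begins in the context above and the `except` body continues outside this hunk, so whether the reason-extraction code there tolerates such a body needs checking as well.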
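Review bot: The success message now emitted from the `else:` branch names no principal, so the log cannot tie an accepted EC2-signed request to a project or access key during an investigation. Both `tenant_id` and `access` are in scope at this point and neither is a secret, so something like `LOG.info(_LI("AWS authentication successful for project %s."), tenant_id)` would make the entry usable for audit. The failure message in the `except` branch above this hunk has the same gap.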
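Review bot: The stub's `X-Subject-Token` is the integer `123`, while a real HTTP header value is always a string, so these tests would not notice code that depends on the token id being text; `headers = {'X-Subject-Token': '123'}` is closer to the wire format, and any assertion outside this hunk that compares against `123` would need the same change. The stub also always supplies the header, so the path where Keystone omits it (the `KeyError` leading to denial in `ec2token.py`) is not exercised by anything visible in this patch. The class attribute is also named `headers`, the same as the enclosing method's `headers` parameter, which is legal but easy to misread.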
@@ -268,9 +269,8 @@ class Ec2TokenTest(common.HeatTestCase):
 'HTTP_AUTHORIZATION': auth_str}
 dummy_req = self._dummy_GET_request(environ=req_env)
- ok_resp = json.dumps({'access': {'token': {
- 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+ ok_resp = json.dumps({'token': {
+ 'project': {'name': 'tenant', 'id': 'abcd1234'}}})
 self._stub_http_connection(headers={'Authorization': auth_str},
 response=ok_resp)
 self.m.ReplayAll()
@@ -293,12 +293,12 @@ class Ec2TokenTest(common.HeatTestCase):
 'HTTP_AUTHORIZATION': auth_str}
 dummy_req = self._dummy_GET_request(environ=req_env)
- ok_resp = json.dumps({'access': {
+ ok_resp = json.dumps({
 'token': {
 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}
- },
- 'metadata': {'roles': ['aa', 'bb', 'cc']}}})
+ 'project': {'name': 'tenant', 'id': 'abcd1234'},
+ 'roles': [{'name': 'aa'}, {'name': 'bb'}, {'name': 'cc'}]}
+ })
 self._stub_http_connection(headers={'Authorization': auth_str},
 response=ok_resp)
 self.m.ReplayAll()
@@ -384,9 +384,8 @@ class Ec2TokenTest(common.HeatTestCase):
 'PATH_INFO': '/v1'}
 dummy_req = self._dummy_GET_request(params, req_env)
- ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
- 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+ ok_resp = json.dumps({'token': {
+ 'project': {'name': 'tenant', 'id': 'abcd1234'}}})
 self._stub_http_connection(response=ok_resp,
 params={'AWSAccessKeyId': 'foo'})
 self.m.ReplayAll()
@@ -407,9 +406,8 @@ class Ec2TokenTest(common.HeatTestCase):
 'PATH_INFO': '/v1'}
 dummy_req = self._dummy_GET_request(params, req_env)
- ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
- 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+ ok_resp = json.dumps({'token': {
+ 'project': {'name': 'tenant', 'id': 'abcd1234'}}})
 err_msg = "EC2 access key not found."
 err_resp = json.dumps({'error': {'message': err_msg}})
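Review bot: In the roles fixture (the `-293` hunk) the context line `'id': 123,` stays inside `token`, although the middleware no longer reads the token id from the body and takes it from the `X-Subject-Token` header instead. Leaving it in makes the test pass for either source, so it does not prove the header is the one being used; the other fixtures updated in this patch drop the field, and this one could do the same. A short comment on the fixture, such as `# v3: token id is carried in the X-Subject-Token header, not the body`, would record why it is absent.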
@@ -511,9 +509,8 @@ class Ec2TokenTest(common.HeatTestCase):
 'PATH_INFO': '/v1'}
 dummy_req = self._dummy_GET_request(params, req_env)
- ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
- 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+ ok_resp = json.dumps({'token': {
+ 'project': {'name': 'tenant', 'id': 'abcd1234'}}})
 self._stub_http_connection(response=ok_resp,
 params={'AWSAccessKeyId': 'foo'})
 self.m.ReplayAll()
@@ -533,9 +530,8 @@ class Ec2TokenTest(common.HeatTestCase):
 'PATH_INFO': '/v1'}
 dummy_req = self._dummy_GET_request(params, req_env)
- ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
- 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+ ok_resp = json.dumps({'token': {
+ 'project': {'name': 'tenant', 'id': 'abcd1234'}}})
 self._stub_http_connection(response=ok_resp,
 params={'AWSAccessKeyId': 'foo'})
 self.m.ReplayAll()
@@ -556,9 +552,8 @@ class Ec2TokenTest(common.HeatTestCase):
 'PATH_INFO': '/v1'}
 dummy_req = self._dummy_GET_request(params, req_env)
- ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
- 'id': 123,
- 'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+ ok_resp = json.dumps({'token': {
+ 'project': {'name': 'tenant', 'id': 'abcd1234'}}})
 self._stub_http_connection(response=ok_resp,
 params={'AWSAccessKeyId': 'foo'})
 self.m.ReplayAll()
diff --git a/heat_integrationtests/functional/test_notifications.py b/heat_integrationtests/functional/test_notifications.py
index f24d2c2e37..3b8e0030f9 100644
--- a/heat_integrationtests/functional/test_notifications.py
+++ b/heat_integrationtests/functional/test_notifications.py
@@ -16,8 +16,6 @@ from oslo_messaging._drivers import common
 from oslo_messaging import transport
 import requests
-from testtools import testcase
-
 from heat_integrationtests.common import test
 from heat_integrationtests.functional import functional_base
@@ -164,7 +162,6 @@ outputs:
 for n in BASIC_NOTIFICATIONS:
 self.assertIn(n, handler.notifications)
- @testcase.skip('Skipped until keystone fixed #1484086')
 def test_asg_notifications(self):
 stack_identifier = self.stack_create(template=self.asg_template)
diff --git a/heat_integrationtests/scenario/test_ceilometer_alarm.py b/heat_integrationtests/scenario/test_ceilometer_alarm.py
index e5e141b000..e0523aa6f1 100644
--- a/heat_integrationtests/scenario/test_ceilometer_alarm.py
+++ b/heat_integrationtests/scenario/test_ceilometer_alarm.py
@@ -11,7 +11,6 @@
 # under the License.
 from oslo_log import log as logging
-from testtools import testcase
 from heat_integrationtests.common import test
 from heat_integrationtests.scenario import scenario_base
@@ -35,7 +34,6 @@ class CeilometerAlarmTest(scenario_base.ScenarioTestsBase):
 actual))
 return actual == expected
- @testcase.skip('Skipped until keystone fixed #1484086')
 def test_alarm(self):
 """Confirm we can create an alarm and trigger it."""
diff --git a/heat_integrationtests/scenario/test_server_cfn_init.py b/heat_integrationtests/scenario/test_server_cfn_init.py
index 00a360b055..267b44b8ea 100644
--- a/heat_integrationtests/scenario/test_server_cfn_init.py
+++ b/heat_integrationtests/scenario/test_server_cfn_init.py
@@ -12,8 +12,6 @@
 import json
-from testtools import testcase
-
 from heat_integrationtests.common import exceptions
 from heat_integrationtests.scenario import scenario_base
@@ -95,7 +93,6 @@ class CfnInitIntegrationTest(scenario_base.ScenarioTestsBase):
 self._log_console_output(servers=[server])
 raise e
- @testcase.skip('Skipped until keystone fixed #1484086')
 def test_server_cfn_init(self):
 """
 Check cfn-init and cfn-signal availability on the created server.