heat_keystoneclient migrate create_ec2_keypair to v3 API

Convert create_ec2_keypair to use the v3/credentials API, which
is the v3-compatible way to manage ec2 keypairs.

NOTE: requires the fix for keystone bug #1259584 (now in keystone
master) or signature validation with these credentials will fail.

Change-Id: I9fbc1611c53cd14177b5c0dfe25a96a3922fd1cc
blueprint: keystone-v3-only

heat/common/heat_keystoneclient.py

@@ -13,6 +13,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from collections import namedtuple
+import json
+import uuid
+
 from heat.common import context
 from heat.common import exception
 
@@ -279,8 +283,22 @@ class KeystoneClient(object):
         return self.client_v2.ec2.get(uid, access)
 
     def create_ec2_keypair(self, user_id=None):
-        uid = user_id or self.client_v2.auth_ref.user_id
-        return self.client_v2.ec2.create(uid, self.context.tenant_id)
+        user_id = user_id or self.client_v3.auth_ref.user_id
+        project_id = self.context.tenant_id
+        data_blob = {'access': uuid.uuid4().hex,
+                     'secret': uuid.uuid4().hex}
+        ec2_creds = self.client_v3.credentials.create(
+            user=user_id, type='ec2', data=json.dumps(data_blob),
+            project=project_id)
+
+        # Return a namedtuple for easier access to the blob contents
+        # We return the id as the v3 api provides no way to filter by
+        # access in the blob contents, so it will be much more efficient
+        # if we manage credentials by ID instead
+        AccessKey = namedtuple('AccessKey', ['id', 'access', 'secret'])
+        return AccessKey(id=ec2_creds.id,
+                         access=data_blob['access'],
+                         secret=data_blob['secret'])
 
     def disable_stack_user(self, user_id):
         self.client_v3.users.update(user=user_id, enabled=False)

heat/tests/test_heatclient.py

@@ -12,6 +12,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import json
+import uuid
 import mox
 
 import keystoneclient.exceptions as kc_exception
@@ -449,3 +451,45 @@ class KeystoneClientTest(HeatTestCase):
         self.m.ReplayAll()
         heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
         heat_ks_client.enable_stack_user('atestuser')
+
+    def test_create_ec2_keypair(self):
+
+        """Test creating ec2 credentials."""
+
+        self._stubs_v3()
+
+        ctx = utils.dummy_context()
+        ctx.trust_id = None
+
+        ex_data = {'access': 'dummy_access',
+                   'secret': 'dummy_secret'}
+        ex_data_json = json.dumps(ex_data)
+
+        # stub UUID.hex to match ex_data
+        self.m.StubOutWithMock(uuid, 'uuid4')
+        mock_uuid_access = self.m.CreateMockAnything()
+        mock_uuid_access.hex = 'dummy_access'
+        uuid.uuid4().AndReturn(mock_uuid_access)
+        mock_uuid_secret = self.m.CreateMockAnything()
+        mock_uuid_secret.hex = 'dummy_secret'
+        uuid.uuid4().AndReturn(mock_uuid_secret)
+
+        # mock keystone client credentials functions
+        self.mock_ks_v3_client.credentials = self.m.CreateMockAnything()
+        mock_credential = self.m.CreateMockAnything()
+        mock_credential.id = '123456'
+        mock_credential.user_id = 'atestuser'
+        mock_credential.blob = ex_data_json
+        mock_credential.type = 'ec2'
+
+        # mock keystone client create function
+        self.mock_ks_v3_client.users = self.m.CreateMockAnything()
+        self.mock_ks_v3_client.credentials.create(
+            user='atestuser', type='ec2', data=ex_data_json,
+            project=ctx.tenant_id).AndReturn(mock_credential)
+        self.m.ReplayAll()
+        heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
+        ec2_cred = heat_ks_client.create_ec2_keypair(user_id='atestuser')
+        self.assertEqual('123456', ec2_cred.id)
+        self.assertEqual('dummy_access', ec2_cred.access)
+        self.assertEqual('dummy_secret', ec2_cred.secret)