Merge "make federation part of keystone core"

etc/keystone-paste.ini

@@ -76,7 +76,7 @@ pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_aut
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
+pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3
 
 [app:public_version_service]
 paste.app_factory = keystone.service:public_version_app_factory

keystone/backends.py

@@ -16,6 +16,7 @@ from keystone import catalog
 from keystone.common import cache
 from keystone.contrib import endpoint_filter
 from keystone.contrib import endpoint_policy
+from keystone.contrib import federation
 from keystone import credential
 from keystone import identity
 from keystone import policy
@@ -42,6 +43,7 @@ def load_backends():
         credential_api=credential.Manager(),
         endpoint_filter_api=endpoint_filter.Manager(),
         endpoint_policy_api=endpoint_policy.Manager(),
+        federation_api=federation.Manager(),
         id_generator_api=identity.generator.Manager(),
         id_mapping_api=identity.MappingManager(),
         identity_api=_IDENTITY_API,

keystone/common/sql/migration_helpers.py

@@ -34,7 +34,7 @@ from keystone.i18n import _
 
 
 CONF = config.CONF
-DEFAULT_EXTENSIONS = ['revoke']
+DEFAULT_EXTENSIONS = ['revoke', 'federation']
 
 
 def get_default_domain():

keystone/tests/test_versions.py

@@ -111,9 +111,32 @@ _build_trust_relation = functools.partial(
     json_home.build_v3_extension_resource_relation, extension_name='OS-TRUST',
     extension_version='1.0')
 
+_build_federation_rel = functools.partial(
+    json_home.build_v3_extension_resource_relation,
+    extension_name='OS-FEDERATION',
+    extension_version='1.0')
+
 TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
     'OS-TRUST', '1.0', 'trust_id')
 
+IDP_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
+    'OS-FEDERATION', '1.0', 'idp_id')
+
+PROTOCOL_ID_PARAM_RELATION = json_home.build_v3_extension_parameter_relation(
+    'OS-FEDERATION', '1.0', 'protocol_id')
+
+MAPPING_ID_PARAM_RELATION = json_home.build_v3_extension_parameter_relation(
+    'OS-FEDERATION', '1.0', 'mapping_id')
+
+SP_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
+    'OS-FEDERATION', '1.0', 'sp_id')
+
+BASE_IDP_PROTOCOL = '/OS-FEDERATION/identity_providers/{idp_id}/protocols'
+
+# TODO(stevemar): Use BASE_IDP_PROTOCOL when bug 1420125 is resolved.
+FEDERATED_AUTH_URL = ('/OS-FEDERATION/identity_providers/{identity_provider}'
+                      '/protocols/{protocol}/auth')
+
 V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
     json_home.build_v3_resource_relation('auth_tokens'): {
         'href': '/auth/tokens'},
@@ -287,6 +310,47 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
         'href-template': '/users/{user_id}/projects',
         'href-vars': {'user_id': json_home.Parameters.USER_ID, }},
     json_home.build_v3_resource_relation('users'): {'href': '/users'},
+    _build_federation_rel(resource_name='domains'): {
+        'href': '/OS-FEDERATION/domains'},
+    _build_federation_rel(resource_name='projects'): {
+        'href': '/OS-FEDERATION/projects'},
+    _build_federation_rel(resource_name='saml2'): {
+        'href': '/auth/OS-FEDERATION/saml2'},
+    _build_federation_rel(resource_name='metadata'): {
+        'href': '/OS-FEDERATION/saml2/metadata'},
+    _build_federation_rel(resource_name='identity_providers'): {
+        'href': '/OS-FEDERATION/identity_providers'},
+    _build_federation_rel(resource_name='service_providers'): {
+        'href': '/OS-FEDERATION/service_providers'},
+    _build_federation_rel(resource_name='mappings'): {
+        'href': '/OS-FEDERATION/mappings'},
+    _build_federation_rel(resource_name='identity_provider'):
+    {
+        'href-template': '/OS-FEDERATION/identity_providers/{idp_id}',
+        'href-vars': {'idp_id': IDP_ID_PARAMETER_RELATION, }},
+    _build_federation_rel(resource_name='service_provider'):
+    {
+        'href-template': '/OS-FEDERATION/service_providers/{sp_id}',
+        'href-vars': {'sp_id': SP_ID_PARAMETER_RELATION, }},
+    _build_federation_rel(resource_name='mapping'):
+    {
+        'href-template': '/OS-FEDERATION/mappings/{mapping_id}',
+        'href-vars': {'mapping_id': MAPPING_ID_PARAM_RELATION, }},
+    _build_federation_rel(resource_name='identity_provider_protocol'): {
+        'href-template': BASE_IDP_PROTOCOL + '/{protocol_id}',
+        'href-vars': {
+            'idp_id': IDP_ID_PARAMETER_RELATION,
+            'protocol_id': PROTOCOL_ID_PARAM_RELATION, }},
+    _build_federation_rel(resource_name='identity_provider_protocols'): {
+        'href-template': BASE_IDP_PROTOCOL,
+        'href-vars': {
+            'idp_id': IDP_ID_PARAMETER_RELATION}},
+    # TODO(stevemar): Update href-vars when bug 1420125 is resolved.
+    _build_federation_rel(resource_name='identity_provider_protocol_auth'): {
+        'href-template': FEDERATED_AUTH_URL,
+        'href-vars': {
+            'identity_provider': IDP_ID_PARAMETER_RELATION,
+            'protocol': PROTOCOL_ID_PARAM_RELATION, }},
 }
 
 

requirements.txt

@@ -27,6 +27,7 @@ oslo.middleware>=0.3.0                  # Apache-2.0
 oslo.serialization>=1.2.0               # Apache-2.0
 oslo.utils>=1.2.0                       # Apache-2.0
 oauthlib>=0.6
+pysaml2
 dogpile.cache>=0.5.3
 jsonschema>=2.0.0,<3.0.0
 pycadf>=0.6.0

test-requirements.txt

@@ -19,10 +19,6 @@ pymongo>=2.5
 python-ldap>=2.4
 ldappool>=1.0 # MPL
 
-# Required for federation extension (although used only for federating multiple
-# Keystones)
-pysaml2
-
 # Testing
 # computes code coverage percentages
 coverage>=3.6