Default to PKIZ tokens

Changes the default token format to PKIZ from PKI. Blueprint: compress-tokens DocImpact Changes the default Token Provider to PKIZ If only token_format=UUID is set, Keystone will not start with a warning about provider mismatch Change-Id: Idf14ab6c6dd3a3cab42c35771416d9096ea4d900
2014-06-17 09:25:43 -04:00 · 2014-06-17 09:25:43 -04:00 · 21bf6c7fda
parent d9193cecc6
commit 21bf6c7fda
2 changed files with 34 additions and 55 deletions
--- a/keystone/tests/test_token_provider.py
+++ b/keystone/tests/test_token_provider.py
@ -726,31 +726,9 @@ class TestTokenProvider(tests.TestCase):
                          self.token_provider_api.get_token_version,
                          'bogus')

-    def test_token_format_provider_mismatch(self):
-        self.config_fixture.config(group='signing', token_format='UUID')
-        self.config_fixture.config(group='token',
-                                   provider=token.provider.PKI_PROVIDER)
-        self.assertRaises(exception.UnexpectedError, token.provider.Manager)
-
-        self.config_fixture.config(group='signing', token_format='PKI')
-        self.config_fixture.config(group='token',
-                                   provider=token.provider.UUID_PROVIDER)
-        self.assertRaises(exception.UnexpectedError, token.provider.Manager)
-
-        # should be OK as token_format and provider aligns
-        self.config_fixture.config(group='signing', token_format='PKI')
-        self.config_fixture.config(group='token',
-                                   provider=token.provider.PKI_PROVIDER)
-        token.provider.Manager()
-
-        self.config_fixture.config(group='signing', token_format='UUID')
-        self.config_fixture.config(group='token',
-                                   provider=token.provider.UUID_PROVIDER)
-        token.provider.Manager()
-
    def test_default_token_format(self):
        self.assertEqual(token.provider.Manager.get_token_provider(),
-                         token.provider.PKI_PROVIDER)
+                         token.provider.PKIZ_PROVIDER)

    def test_uuid_token_format_and_no_provider(self):
        self.config_fixture.config(group='signing', token_format='UUID')
@ -766,6 +744,10 @@ class TestTokenProvider(tests.TestCase):
                                   provider=token.provider.PKI_PROVIDER)
        token.provider.Manager()

+        self.config_fixture.config(group='token',
+                                   provider=token.provider.PKIZ_PROVIDER)
+        token.provider.Manager()
+
    def test_unsupported_token_format(self):
        self.config_fixture.config(group='signing', token_format='CUSTOM')
        self.assertRaises(exception.UnexpectedError,
@ -799,8 +781,8 @@ class TestTokenProvider(tests.TestCase):
        self.config_fixture.config(group='signing', token_format='CUSTOM')
        self.config_fixture.config(group='token',
                                   provider='my.package.MyProvider')
-        self.assertEqual(token.provider.Manager.get_token_provider(),
-                         'my.package.MyProvider')
+        self.assertRaises(exception.UnexpectedError,
+                          token.provider.Manager.get_token_provider)

    def test_provider_token_expiration_validation(self):
        self.assertRaises(exception.TokenNotFound,
@ -836,10 +818,11 @@ class TestTokenProviderOAuth1(tests.TestCase):
                          self.user_foo['id'], ['oauth1'])


-class TestPKIProvider(object):
+# NOTE(ayoung): renamed to avoid automatic test detection
+class PKIProviderTests(object):

    def setUp(self):
-        super(TestPKIProvider, self).setUp()
+        super(PKIProviderTests, self).setUp()

        from keystoneclient.common import cms
        self.cms = cms
@ -870,7 +853,7 @@ class TestPKIProvider(object):
                          token_data)


-class TestPKIProviderWithEventlet(TestPKIProvider, tests.TestCase):
+class TestPKIProviderWithEventlet(PKIProviderTests, tests.TestCase):

    def setUp(self):
        # force keystoneclient.common.cms to use eventlet's subprocess
@ -880,7 +863,7 @@ class TestPKIProviderWithEventlet(TestPKIProvider, tests.TestCase):
        super(TestPKIProviderWithEventlet, self).setUp()


-class TestPKIProviderWithStdlib(TestPKIProvider, tests.TestCase):
+class TestPKIProviderWithStdlib(PKIProviderTests, tests.TestCase):

    def setUp(self):
        # force keystoneclient.common.cms to use the stdlib subprocess
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -43,8 +43,16 @@ VERSIONS = frozenset([V2, V3])

 # default token providers
 PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
+PKIZ_PROVIDER = 'keystone.token.providers.pkiz.Provider'
 UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'

+_FORMAT_TO_PROVIDER = {
+    'PKI': PKI_PROVIDER,
+    # should not support new options, but PKIZ keeps the option consistent
+    'PKIZ': PKIZ_PROVIDER,
+    'UUID': UUID_PROVIDER
+}
+

 class UnsupportedTokenVersionException(Exception):
    """Token version is unrecognizable or unsupported."""
@ -75,36 +83,24 @@ class Manager(manager.Manager):
        ``provider`` instead.

        """
-        if CONF.token.provider is not None:
-            # NOTE(gyee): we are deprecating CONF.signing.token_format. This
-            # code is to ensure the token provider configuration agrees with
-            # CONF.signing.token_format.
-            if (CONF.signing.token_format and
-                    ((CONF.token.provider == PKI_PROVIDER and
-                        CONF.signing.token_format != 'PKI') or
-                        (CONF.token.provider == UUID_PROVIDER and
-                            CONF.signing.token_format != 'UUID'))):
-                raise exception.UnexpectedError(
-                    _('keystone.conf [signing] token_format (deprecated) '
-                      'conflicts with keystone.conf [token] provider'))
-            return CONF.token.provider
-        else:
-            if not CONF.signing.token_format:
-                # No token provider and no format, so use default (PKI)
-                return PKI_PROVIDER

-            msg = _('keystone.conf [signing] token_format is deprecated in '
-                    'favor of keystone.conf [token] provider')
-            if CONF.signing.token_format == 'PKI':
-                LOG.warning(msg)
-                return PKI_PROVIDER
-            elif CONF.signing.token_format == 'UUID':
-                LOG.warning(msg)
-                return UUID_PROVIDER
-            else:
+        if CONF.signing.token_format:
+            LOG.warn(_('[signing] token_format is deprecated. '
+                       'Please change to setting the [token] provider '
+                       'configuration value instead'))
+            try:
+
+                mapped = _FORMAT_TO_PROVIDER[CONF.signing.token_format]
+            except KeyError:
                raise exception.UnexpectedError(
                    _('Unrecognized keystone.conf [signing] token_format: '
                      'expected either \'UUID\' or \'PKI\''))
+            return mapped
+
+        if CONF.token.provider is None:
+            return PKIZ_PROVIDER
+        else:
+            return CONF.token.provider

    def __init__(self):
        super(Manager, self).__init__(self.get_token_provider())