add a trivial admin-only middleware

README.rst

@@ -111,5 +111,5 @@ Still To Do
  * Fixture loading functionality would also be killer tests and dev.
  * LDAP backend.
  * Keystone import.
- * Admin-only interface
+ * (./) Admin-only interface
  * Don't check git checkouts as often, to speed up tests

keystonelight/keystone_compat.py

@@ -186,6 +186,8 @@ class KeystoneController(service.BaseApplication):
         Optionally, also ensure that it is owned by a specific tenant.
 
         """
+        assert context['is_admin']
+
         token_ref = self.token_api.get_token(context=context,
                                              token_id=token_id)
         if belongs_to:
@@ -220,6 +222,8 @@ class KeystoneController(service.BaseApplication):
         """
         token_ref = self.token_api.get_token(context=context,
                                              token_id=context['token_id'])
+        assert token_ref is not None
+
         user_ref = token_ref['user']
         tenant_refs = []
         for tenant_id in user_ref['tenants']:

keystonelight/service.py

@@ -52,6 +52,20 @@ class TokenAuthMiddleware(wsgi.Middleware):
         request.environ['openstack.context'] = context
 
 
+class AdminTokenAuthMiddleware(wsgi.Middleware):
+    """A trivial filter that checks for a pre-defined admin token.
+
+    Sets 'is_admin' to true in the context, expected to be checked by
+    methods that are admin-only.
+
+    """
+    def process_request(self, request):
+        token = request.headers.get('X-Auth-Token')
+        context = request.environ.get('openstack.context', {})
+        context['is_admin'] = (token == self.options['admin_token'])
+        request.environ['openstack.context'] = context
+
+
 class PostParamsMiddleware(wsgi.Middleware):
     """Middleware to allow method arguments to be passed as POST parameters.
 

tests/default.conf

@@ -2,6 +2,7 @@
 catalog_driver = keystonelight.backends.kvs.KvsCatalog
 identity_driver = keystonelight.backends.kvs.KvsIdentity
 token_driver = keystonelight.backends.kvs.KvsToken
+admin_token = ADMIN
 
 [filter:debug]
 paste.filter_factory = keystonelight.wsgi:Debug.factory
@@ -9,6 +10,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
 [filter:token_auth]
 paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
 
+[filter:admin_token_auth]
+paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
+
 [filter:json_body]
 paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
 
@@ -16,4 +20,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
 paste.app_factory = keystonelight.service:app_factory
 
 [pipeline:main]
-pipeline = token_auth json_body debug keystonelight
+pipeline = token_auth admin_token_auth json_body debug keystonelight

tests/keystone_compat_diablo.conf

@@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.kvs.KvsCatalog
 identity_driver = keystonelight.backends.kvs.KvsIdentity
 token_driver = keystonelight.backends.kvs.KvsToken
 public_port = 5000
+admin_token = ADMIN
 
 [filter:debug]
 paste.filter_factory = keystonelight.wsgi:Debug.factory
@@ -10,6 +11,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
 [filter:token_auth]
 paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
 
+[filter:admin_token_auth]
+paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
+
 [filter:json_body]
 paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
 
@@ -17,4 +21,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
 paste.app_factory = keystonelight.keystone_compat:app_factory
 
 [pipeline:main]
-pipeline = token_auth json_body debug keystone
+pipeline = token_auth admin_token_auth json_body debug keystone

tests/keystoneclient_compat_master.conf

@@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.templated.TemplatedCatalog
 identity_driver = keystonelight.backends.kvs.KvsIdentity
 token_driver = keystonelight.backends.kvs.KvsToken
 public_port = 5000
+admin_token = ADMIN
 
 # config for TemplatedCatalog, using camelCase because I don't want to do
 # translations for keystone compat
@@ -25,6 +26,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
 [filter:token_auth]
 paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
 
+[filter:admin_token_auth]
+paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
+
 [filter:json_body]
 paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
 
@@ -32,4 +36,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
 paste.app_factory = keystonelight.keystone_compat:app_factory
 
 [pipeline:main]
-pipeline = token_auth json_body debug keystone
+pipeline = token_auth admin_token_auth json_body debug keystone

tests/test_keystone_compat.py

@@ -40,6 +40,7 @@ class CompatTestCase(test.TestCase):
     # NOTE(termie): stupid hack to deal with the keystone samples being
     #               completely inconsistent
     self.validate_token['access']['user']['roles'][1]['id'] = u'235'
+    self.admin_token = 'ADMIN'
 
     self.auth_response = json.load(open(
         os.path.join(self.sampledir, 'auth.json')))
@@ -129,7 +130,7 @@ class DiabloCompatTestCase(CompatTestCase):
   def test_authenticate_scoped(self):
     # NOTE(termie): the docs arbitrarily changed and inserted a 'u' in front
     #               of one of the user ids, but none of the others
-    raise exc.SkipTest()
+    raise exc.SkipTest('The docs have arbitrarily changed.')
     client = self.client(self.app)
     post_data = json.dumps(
         {'auth': {'passwordCredentials': {'username': self.user_123['id'],
@@ -149,13 +150,7 @@ class DiabloCompatTestCase(CompatTestCase):
     #                      data['access']['serviceCatalog'])
 
   def test_validate_token_scoped(self):
-    client = self.client(self.app, token=self.token_123['id'])
-    resp = client.get('/v2.0/tokens/%s' % self.token_123['id'])
-    data = json.loads(resp.body)
-    self.assertDeepEquals(self.validate_token, data)
-
-  def test_validate_token_scoped(self):
-    client = self.client(self.app, token=self.token_123['id'])
+    client = self.client(self.app, token=self.admin_token)
     resp = client.get('/v2.0/tokens/%s' % self.token_123['id'])
     data = json.loads(resp.body)
     self.assertDeepEquals(self.validate_token, data)