add a trivial admin-only middleware
parent
da28d05dcd
commit
3d79099bac
@ -111,5 +111,5 @@ Still To Do
|
||||
* Fixture loading functionality would also be killer tests and dev.
|
||||
* LDAP backend.
|
||||
* Keystone import.
|
||||
* Admin-only interface
|
||||
* (./) Admin-only interface
|
||||
* Don't check git checkouts as often, to speed up tests
|
||||
|
@ -186,6 +186,8 @@ class KeystoneController(service.BaseApplication):
|
||||
Optionally, also ensure that it is owned by a specific tenant.
|
||||
|
||||
"""
|
||||
assert context['is_admin']
|
||||
|
||||
token_ref = self.token_api.get_token(context=context,
|
||||
token_id=token_id)
|
||||
if belongs_to:
|
||||
@ -220,6 +222,8 @@ class KeystoneController(service.BaseApplication):
|
||||
"""
|
||||
token_ref = self.token_api.get_token(context=context,
|
||||
token_id=context['token_id'])
|
||||
assert token_ref is not None
|
||||
|
||||
user_ref = token_ref['user']
|
||||
tenant_refs = []
|
||||
for tenant_id in user_ref['tenants']:
|
||||
|
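Review bot: The admin gate in the first hunk is written as `assert context['is_admin']`, and `assert` statements are dropped when Python runs with `-O`, so in that mode the token-validation method would run for any caller. The same line raises `KeyError` when the admin filter is not in the pipeline, and a failed assert most likely surfaces as a 500 rather than a 401/403 (the error mapping is not visible here). An explicit guard, `if not context.get('is_admin'):` followed by raising the project's unauthorized/forbidden error, keeps the check in every run mode. The second hunk's `assert token_ref is not None` has the same problem for a missing or expired token. Both method bodies start and end outside the hunks shown.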
@ -52,6 +52,20 @@ class TokenAuthMiddleware(wsgi.Middleware):
|
||||
request.environ['openstack.context'] = context
|
||||
|
||||
|
||||
class AdminTokenAuthMiddleware(wsgi.Middleware):
|
||||
"""A trivial filter that checks for a pre-defined admin token.
|
||||
|
||||
Sets 'is_admin' to true in the context, expected to be checked by
|
||||
methods that are admin-only.
|
||||
|
||||
"""
|
||||
def process_request(self, request):
|
||||
token = request.headers.get('X-Auth-Token')
|
||||
context = request.environ.get('openstack.context', {})
|
||||
context['is_admin'] = (token == self.options['admin_token'])
|
||||
request.environ['openstack.context'] = context
|
||||
|
||||
|
||||
class PostParamsMiddleware(wsgi.Middleware):
|
||||
"""Middleware to allow method arguments to be passed as POST parameters.
|
||||
|
||||
|
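Review bot: `token == self.options['admin_token']` in `process_request` is an ordinary string comparison, which is not the right primitive for checking a secret; `hmac.compare_digest` is the constant-time alternative where the runtime provides it. The line also sets `is_admin` when both sides are empty strings, so a blank `admin_token` should mean "admin disabled": `expected = self.options.get('admin_token')` then `context['is_admin'] = bool(token and expected) and hmac.compare_digest(token, expected)`. Using `.get` also avoids a `KeyError` on every request when the option is missing from the config. The docstring should say plainly that this filter never rejects a request; it only sets `context['is_admin']`, and each admin-only handler has to check it.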
@ -2,6 +2,7 @@
|
||||
catalog_driver = keystonelight.backends.kvs.KvsCatalog
|
||||
identity_driver = keystonelight.backends.kvs.KvsIdentity
|
||||
token_driver = keystonelight.backends.kvs.KvsToken
|
||||
admin_token = ADMIN
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystonelight.wsgi:Debug.factory
|
||||
@ -9,6 +10,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
|
||||
|
||||
@ -16,4 +20,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
|
||||
paste.app_factory = keystonelight.service:app_factory
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = token_auth json_body debug keystonelight
|
||||
pipeline = token_auth admin_token_auth json_body debug keystonelight
|
||||
|
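Review bot: `admin_token = ADMIN` puts a fixed, guessable value into the config as the secret that turns on `is_admin` for any request sending it in `X-Auth-Token`; the same line is added in the two other config files changed further down. If any of these files is a sample or default that deployments copy (the file names are not visible on this page), add a comment above the option such as `# test-only value; set a long random admin_token before deploying`, or leave the option out of shipped samples. The new `admin_token_auth` entry in `pipeline` has no comment either; one line saying it must stay in the pipeline for admin-only handlers to work would help whoever edits the pipeline next.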
@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.kvs.KvsCatalog
|
||||
identity_driver = keystonelight.backends.kvs.KvsIdentity
|
||||
token_driver = keystonelight.backends.kvs.KvsToken
|
||||
public_port = 5000
|
||||
admin_token = ADMIN
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystonelight.wsgi:Debug.factory
|
||||
@ -10,6 +11,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
|
||||
|
||||
@ -17,4 +21,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
|
||||
paste.app_factory = keystonelight.keystone_compat:app_factory
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = token_auth json_body debug keystone
|
||||
pipeline = token_auth admin_token_auth json_body debug keystone
|
||||
|
@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.templated.TemplatedCatalog
|
||||
identity_driver = keystonelight.backends.kvs.KvsIdentity
|
||||
token_driver = keystonelight.backends.kvs.KvsToken
|
||||
public_port = 5000
|
||||
admin_token = ADMIN
|
||||
|
||||
# config for TemplatedCatalog, using camelCase because I don't want to do
|
||||
# translations for keystone compat
|
||||
@ -25,6 +26,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
|
||||
|
||||
@ -32,4 +36,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
|
||||
paste.app_factory = keystonelight.keystone_compat:app_factory
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = token_auth json_body debug keystone
|
||||
pipeline = token_auth admin_token_auth json_body debug keystone
|
||||
|
@ -40,6 +40,7 @@ class CompatTestCase(test.TestCase):
|
||||
# NOTE(termie): stupid hack to deal with the keystone samples being
|
||||
# completely inconsistent
|
||||
self.validate_token['access']['user']['roles'][1]['id'] = u'235'
|
||||
self.admin_token = 'ADMIN'
|
||||
|
||||
self.auth_response = json.load(open(
|
||||
os.path.join(self.sampledir, 'auth.json')))
|
||||
@ -129,7 +130,7 @@ class DiabloCompatTestCase(CompatTestCase):
|
||||
def test_authenticate_scoped(self):
|
||||
# NOTE(termie): the docs arbitrarily changed and inserted a 'u' in front
|
||||
# of one of the user ids, but none of the others
|
||||
raise exc.SkipTest()
|
||||
raise exc.SkipTest('The docs have arbitrarily changed.')
|
||||
client = self.client(self.app)
|
||||
post_data = json.dumps(
|
||||
{'auth': {'passwordCredentials': {'username': self.user_123['id'],
|
||||
@ -149,13 +150,7 @@ class DiabloCompatTestCase(CompatTestCase):
|
||||
# data['access']['serviceCatalog'])
|
||||
|
||||
def test_validate_token_scoped(self):
|
||||
client = self.client(self.app, token=self.token_123['id'])
|
||||
resp = client.get('/v2.0/tokens/%s' % self.token_123['id'])
|
||||
data = json.loads(resp.body)
|
||||
self.assertDeepEquals(self.validate_token, data)
|
||||
|
||||
def test_validate_token_scoped(self):
|
||||
client = self.client(self.app, token=self.token_123['id'])
|
||||
client = self.client(self.app, token=self.admin_token)
|
||||
resp = client.get('/v2.0/tokens/%s' % self.token_123['id'])
|
||||
data = json.loads(resp.body)
|
||||
self.assertDeepEquals(self.validate_token, data)
|
||||
|
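Review bot: `test_validate_token_scoped` now covers only the success path with `self.admin_token`; nothing in this section checks that `/v2.0/tokens/<id>` is refused when the client presents an ordinary user token such as `self.token_123['id']`, or no token at all. A companion test that makes the same request with a non-admin token and asserts on the failure response would pin the access control this commit introduces. `self.admin_token = 'ADMIN'` in `CompatTestCase` repeats the value from the config files, so a comment such as `# must match admin_token in the test config` would save a confusing failure if either side changes.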