Implemented token creation without catalog response.

Modified the token_factory to create token responses with or without the catalog entry. blueprint catalog-optional Change-Id: Icdc4400f08f4619a19e44129c78240800a3a1e75
2013-06-15 22:29:21 -07:00 · 2013-06-15 22:29:21 -07:00 · 53a03b53e7
parent f6d929db96
commit 53a03b53e7
5 changed files with 60 additions and 9 deletions
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -279,6 +279,8 @@ class Auth(controller.V3Controller):

    def authenticate_for_token(self, context, auth=None):
        """Authenticate user and issue a token."""
+        include_catalog = 'nocatalog' not in context['query_string']
+
        try:
            auth_info = AuthInfo(context, auth=auth)
            auth_context = {'extras': {}, 'method_names': []}
@ -289,6 +291,7 @@ class Auth(controller.V3Controller):
            method_names += auth_context.get('method_names', [])
            # make sure the list is unique
            method_names = list(set(method_names))
+
            (token_id, token_data) = self.token_provider_api.issue_token(
                user_id=auth_context['user_id'],
                method_names=method_names,
@ -296,7 +299,8 @@ class Auth(controller.V3Controller):
                project_id=project_id,
                domain_id=domain_id,
                auth_context=auth_context,
-                trust=trust)
+                trust=trust,
+                include_catalog=include_catalog)
            return render_token_data_response(token_id, token_data,
                                              created=True)
        except exception.TrustNotFound as e:
--- a/keystone/token/providers/uuid.py
+++ b/keystone/token/providers/uuid.py
@ -285,7 +285,7 @@ class V3TokenDataHelper(object):

    def get_token_data(self, user_id, method_names, extras,
                       domain_id=None, project_id=None, expires=None,
-                       trust=None, token=None):
+                       trust=None, token=None, include_catalog=True):
        token_data = {'methods': method_names,
                      'extras': extras}

@ -302,8 +302,9 @@ class V3TokenDataHelper(object):
        self._populate_scope(token_data, domain_id, project_id)
        self._populate_user(token_data, user_id, domain_id, project_id, trust)
        self._populate_roles(token_data, user_id, domain_id, project_id, trust)
-        self._populate_service_catalog(token_data, user_id, domain_id,
-                                       project_id, trust)
+        if include_catalog:
+            self._populate_service_catalog(token_data, user_id, domain_id,
+                                           project_id, trust)
        self._populate_token_dates(token_data, expires=expires, trust=trust)
        return {'token': token_data}

@ -367,6 +368,7 @@ class Provider(token.provider.Provider):
        auth_context = kwargs.get('auth_context')
        trust = kwargs.get('trust')
        metadata_ref = kwargs.get('metadata_ref')
+        include_catalog = kwargs.get('include_catalog')
        # for V2, trust is stashed in metadata_ref
        if (CONF.trust.enabled and not trust and metadata_ref and
                'trust_id' in metadata_ref):
@ -378,7 +380,8 @@ class Provider(token.provider.Provider):
            domain_id=domain_id,
            project_id=project_id,
            expires=expires_at,
-            trust=trust)
+            trust=trust,
+            include_catalog=include_catalog)

        token_id = self._get_token_id(token_data)
        try:
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@ -625,7 +625,7 @@ class AuthWithTrust(AuthTest):
                'project': {
                    'id': self.tenant_baz['id']}}}
        auth_response = (self.auth_v3_controller.authenticate_for_token
-                         ({}, v3_password_data))
+                         ({'query_string': {}}, v3_password_data))
        token = auth_response.headers['X-Subject-Token']

        v3_req_with_trust = {
@ -635,7 +635,7 @@ class AuthWithTrust(AuthTest):
            "scope": {
                "OS-TRUST:trust": {"id": self.new_trust['id']}}}
        token_auth_response = (self.auth_v3_controller.authenticate_for_token
-                               ({}, v3_req_with_trust))
+                               ({'query_string': {}}, v3_req_with_trust))
        return token_auth_response

    def test_create_v3_token_from_trust(self):
@ -664,7 +664,7 @@ class AuthWithTrust(AuthTest):
        self.assertRaises(
            exception.Forbidden,
            self.auth_v3_controller.authenticate_for_token,
-            {}, v3_token_data)
+            {'query_string': {}}, v3_token_data)

    def test_token_from_trust(self):
        auth_response = self.fetch_v2_token_from_trust()
--- a/tests/test_v3.py
+++ b/tests/test_v3.py
@ -451,9 +451,14 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
        return token

    def assertValidScopedTokenResponse(self, r, *args, **kwargs):
+        require_catalog = kwargs.pop('require_catalog', True)
        token = self.assertValidTokenResponse(r, *args, **kwargs)

-        self.assertIn('catalog', token)
+        if require_catalog:
+            self.assertIn('catalog', token)
+        else:
+            self.assertNotIn('catalog', token)
+
        self.assertIn('roles', token)
        self.assertTrue(token['roles'])
        for role in token['roles']:
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@ -845,6 +845,45 @@ class TestAuthJSON(test_v3.RestfulTestCase):
        self.assertValidProjectScopedTokenResponse(r)
        self.assertEqual(r.result['token']['project']['id'], project['id'])

+    def test_default_project_id_scoped_token_with_user_id_no_catalog(self):
+        # create a second project to work with
+        ref = self.new_project_ref(domain_id=self.domain_id)
+        r = self.post('/projects', body={'project': ref})
+        project = self.assertValidProjectResponse(r, ref)
+
+        # grant the user a role on the project
+        self.put(
+            '/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+                'user_id': self.user['id'],
+                'project_id': project['id'],
+                'role_id': self.role['id']})
+
+        # set the user's preferred project
+        body = {'user': {'default_project_id': project['id']}}
+        r = self.patch('/users/%(user_id)s' % {
+            'user_id': self.user['id']},
+            body=body)
+        self.assertValidUserResponse(r)
+
+        # attempt to authenticate without requesting a project
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'])
+        r = self.post('/auth/tokens?nocatalog', body=auth_data)
+        self.assertValidProjectScopedTokenResponse(r, require_catalog=False)
+        self.assertEqual(r.result['token']['project']['id'], project['id'])
+
+    def test_implicit_project_id_scoped_token_with_user_id_no_catalog(self):
+        # attempt to authenticate without requesting a project
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'],
+            project_id=self.project['id'])
+        r = self.post('/auth/tokens?nocatalog', body=auth_data)
+        self.assertValidProjectScopedTokenResponse(r, require_catalog=False)
+        self.assertEqual(r.result['token']['project']['id'],
+                         self.project['id'])
+
    def test_default_project_id_scoped_token_with_user_id_401(self):
        # create a second project to work with
        ref = self.new_project_ref(domain_id=self.domain['id'])