Deprecate simple_cert extension

Updated the relevant config options for Token signing and deprecated the simple_signing_cert extension that is only used for support of the PKI/PKIz providers. This patch makes the public facing Router used in the PASTE-INI emit a deprecation warning and moves the login into the token subsection and always attaches it to the V3 Service object this is part of the effort to move all extensions (deprecated or not) into core. Change-Id: I15a58c07d769045ad61e9d600dbf943987993353 bp: deprecated-as-of-mitaka
2016-01-31 18:16:21 -06:00 · 2016-01-31 18:16:21 -06:00 · 6caf4a7eaa
parent f473352e1a
commit 6caf4a7eaa
9 changed files with 118 additions and 103 deletions
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3
 [filter:s3_extension]
 use = egg:keystone#s3_extension

-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
 [filter:url_normalize]
 use = egg:keystone#url_normalize

@ -64,7 +61,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3

 [app:public_version_service]
 use = egg:keystone#public_version_service
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@ -347,26 +347,33 @@ FILE_OPTIONS = {
    'signing': [
        cfg.StrOpt('certfile',
                   default=_CERTFILE,
+                   deprecated_for_removal=True,
                   help='Path of the certfile for token signing. For '
                        'non-production environments, you may be interested '
                        'in using `keystone-manage pki_setup` to generate '
                        'self-signed certificates.'),
        cfg.StrOpt('keyfile',
                   default=_KEYFILE,
+                   deprecated_for_removal=True,
                   help='Path of the keyfile for token signing.'),
        cfg.StrOpt('ca_certs',
+                   deprecated_for_removal=True,
                   default='/etc/keystone/ssl/certs/ca.pem',
                   help='Path of the CA for token signing.'),
        cfg.StrOpt('ca_key',
                   default='/etc/keystone/ssl/private/cakey.pem',
+                   deprecated_for_removal=True,
                   help='Path of the CA key for token signing.'),
        cfg.IntOpt('key_size', default=2048, min=1024,
+                   deprecated_for_removal=True,
                   help='Key size (in bits) for token signing cert '
                        '(auto generated certificate).'),
        cfg.IntOpt('valid_days', default=3650,
+                   deprecated_for_removal=True,
                   help='Days the token signing cert is valid for '
                        '(auto generated certificate).'),
        cfg.StrOpt('cert_subject',
+                   deprecated_for_removal=True,
                   default=('/C=US/ST=Unset/L=Unset/O=Unset/'
                            'CN=www.example.com'),
                   help='Certificate subject (auto generated certificate) for '
--- a/keystone/contrib/simple_cert/init.py
+++ b/keystone/contrib/simple_cert/init.py
@ -10,5 +10,4 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-from keystone.contrib.simple_cert.core import *  # noqa
 from keystone.contrib.simple_cert.routers import SimpleCertExtension  # noqa
--- a/keystone/contrib/simple_cert/controllers.py
+++ b/keystone/contrib/simple_cert/controllers.py
@ -1,42 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-import webob
-
-from keystone.common import controller
-from keystone.common import dependency
-from keystone import exception
-
-CONF = cfg.CONF
-
-
-@dependency.requires('token_provider_api')
-class SimpleCert(controller.V3Controller):
-
-    def _get_certificate(self, name):
-        try:
-            with open(name, 'r') as f:
-                body = f.read()
-        except IOError:
-            raise exception.CertificateFilesUnavailable()
-
-        # NOTE(jamielennox): We construct the webob Response ourselves here so
-        # that we don't pass through the JSON encoding process.
-        headers = [('Content-Type', 'application/x-pem-file')]
-        return webob.Response(body=body, headerlist=headers, status="200 OK")
-
-    def get_ca_certificate(self, context):
-        return self._get_certificate(CONF.signing.ca_certs)
-
-    def list_certificates(self, context):
-        return self._get_certificate(CONF.signing.certfile)
--- a/keystone/contrib/simple_cert/core.py
+++ b/keystone/contrib/simple_cert/core.py
@ -1,31 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.common import extension
-
-EXTENSION_DATA = {
-    'name': 'OpenStack Simple Certificate API',
-    'namespace': 'http://docs.openstack.org/identity/api/ext/'
-                 'OS-SIMPLE-CERT/v1.0',
-    'alias': 'OS-SIMPLE-CERT',
-    'updated': '2014-01-20T12:00:0-00:00',
-    'description': 'OpenStack simple certificate retrieval extension',
-    'links': [
-        {
-            'rel': 'describedby',
-            'type': 'text/html',
-            'href': 'http://developer.openstack.org/'
-                    'api-ref-identity-v2-ext.html',
-        }
-    ]}
-extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
-extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
--- a/keystone/contrib/simple_cert/routers.py
+++ b/keystone/contrib/simple_cert/routers.py
@ -10,32 +10,24 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-import functools
+from oslo_log import log
+from oslo_log import versionutils

-from keystone.common import json_home
 from keystone.common import wsgi
-from keystone.contrib.simple_cert import controllers
+from keystone.i18n import _


-build_resource_relation = functools.partial(
-    json_home.build_v3_extension_resource_relation,
-    extension_name='OS-SIMPLE-CERT', extension_version='1.0')
+LOG = log.getLogger(__name__)


-class SimpleCertExtension(wsgi.V3ExtensionRouter):
+class SimpleCertExtension(wsgi.Middleware):

-    PREFIX = 'OS-SIMPLE-CERT'
-
-    def add_routes(self, mapper):
-        controller = controllers.SimpleCert()
-
-        self._add_resource(
-            mapper, controller,
-            path='/%s/ca' % self.PREFIX,
-            get_action='get_ca_certificate',
-            rel=build_resource_relation(resource_name='ca_certificate'))
-        self._add_resource(
-            mapper, controller,
-            path='/%s/certificates' % self.PREFIX,
-            get_action='list_certificates',
-            rel=build_resource_relation(resource_name='certificates'))
+    def __init__(self, application):
+        super(SimpleCertExtension, self).__init__(application)
+        msg = _("Remove simple_cert from the paste pipeline, the "
+                "PKI and PKIz token providers are now deprecated and "
+                "simple_cert was only used insupport of these token "
+                "providers. Update the [pipeline:api_v3] section in "
+                "keystone-paste.ini accordingly, as it will be removed in the "
+                "O release.")
+        versionutils.report_deprecated_feature(LOG, msg)
--- a/keystone/tests/unit/test_contrib_simple_cert.py
+++ b/keystone/tests/unit/test_contrib_simple_cert.py
@ -19,8 +19,6 @@ from keystone.tests.unit import test_v3

 class BaseTestCase(test_v3.RestfulTestCase):

-    EXTENSION_TO_ADD = 'simple_cert_extension'
-
    CA_PATH = '/v3/OS-SIMPLE-CERT/ca'
    CERT_PATH = '/v3/OS-SIMPLE-CERT/certificates'

--- a/keystone/token/_simple_cert.py
+++ b/keystone/token/_simple_cert.py
@ -0,0 +1,91 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# TODO(morganfainberg): Remove this file and extension in the "O" release as
+# it is only used in support of the PKI/PKIz token providers.
+import functools
+
+from oslo_config import cfg
+import webob
+
+from keystone.common import controller
+from keystone.common import dependency
+from keystone.common import extension
+from keystone.common import json_home
+from keystone.common import wsgi
+from keystone import exception
+
+
+CONF = cfg.CONF
+EXTENSION_DATA = {
+    'name': 'OpenStack Simple Certificate API',
+    'namespace': 'http://docs.openstack.org/identity/api/ext/'
+                 'OS-SIMPLE-CERT/v1.0',
+    'alias': 'OS-SIMPLE-CERT',
+    'updated': '2014-01-20T12:00:0-00:00',
+    'description': 'OpenStack simple certificate retrieval extension',
+    'links': [
+        {
+            'rel': 'describedby',
+            'type': 'text/html',
+            'href': 'http://developer.openstack.org/'
+                    'api-ref-identity-v2-ext.html',
+        }
+    ]}
+extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
+extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
+
+build_resource_relation = functools.partial(
+    json_home.build_v3_extension_resource_relation,
+    extension_name='OS-SIMPLE-CERT', extension_version='1.0')
+
+
+class Routers(wsgi.RoutersBase):
+
+    def _construct_url(self, suffix):
+        return "/OS-SIMPLE-CERT/%s" % suffix
+
+    def append_v3_routers(self, mapper, routers):
+        controller = SimpleCert()
+
+        self._add_resource(
+            mapper, controller,
+            path=self._construct_url('ca'),
+            get_action='get_ca_certificate',
+            rel=build_resource_relation(resource_name='ca_certificate'))
+        self._add_resource(
+            mapper, controller,
+            path=self._construct_url('certificates'),
+            get_action='list_certificates',
+            rel=build_resource_relation(resource_name='certificates'))
+
+
+@dependency.requires('token_provider_api')
+class SimpleCert(controller.V3Controller):
+
+    def _get_certificate(self, name):
+        try:
+            with open(name, 'r') as f:
+                body = f.read()
+        except IOError:
+            raise exception.CertificateFilesUnavailable()
+
+        # NOTE(jamielennox): We construct the webob Response ourselves here so
+        # that we don't pass through the JSON encoding process.
+        headers = [('Content-Type', 'application/x-pem-file')]
+        return webob.Response(body=body, headerlist=headers, status="200 OK")
+
+    def get_ca_certificate(self, context):
+        return self._get_certificate(CONF.signing.ca_certs)
+
+    def list_certificates(self, context):
+        return self._get_certificate(CONF.signing.certfile)
--- a/keystone/version/service.py
+++ b/keystone/version/service.py
@ -33,6 +33,7 @@ from keystone.oauth1 import routers as oauth1_routers
 from keystone.policy import routers as policy_routers
 from keystone.resource import routers as resource_routers
 from keystone.revoke import routers as revoke_routers
+from keystone.token import _simple_cert as simple_cert_ext
 from keystone.token import routers as token_routers
 from keystone.trust import routers as trust_routers
 from keystone.version import controllers
@ -135,7 +136,10 @@ def v3_app_factory(global_conf, **local_conf):
                       resource_routers,
                       revoke_routers,
                       federation_routers,
-                       oauth1_routers]
+                       oauth1_routers,
+                       # TODO(morganfainberg): Remove the simple_cert router
+                       # when PKI and PKIZ tokens are removed.
+                       simple_cert_ext]

    if CONF.trust.enabled:
        all_api_routers.append(trust_routers)