Merge "Deprecate s3_token middleware"
This commit is contained in:
commit
6ed19c228f
|
@ -24,6 +24,9 @@
|
|||
"""
|
||||
S3 TOKEN MIDDLEWARE
|
||||
|
||||
The S3 Token middleware is deprecated as of IceHouse. It's been moved into
|
||||
python-keystoneclient, `keystoneclient.middleware.s3_token`.
|
||||
|
||||
This WSGI component:
|
||||
|
||||
* Get a request from the swift3 middleware with an S3 Authorization
|
||||
|
@ -33,233 +36,23 @@ This WSGI component:
|
|||
|
||||
"""
|
||||
|
||||
import httplib
|
||||
from keystoneclient.middleware import s3_token
|
||||
|
||||
from six.moves import urllib
|
||||
import webob
|
||||
|
||||
from keystone.openstack.common import jsonutils
|
||||
from keystone.openstack.common import log
|
||||
from keystone.openstack.common import versionutils
|
||||
|
||||
|
||||
PROTOCOL_NAME = 'S3 Token Authentication'
|
||||
LOG = log.getLogger(__name__)
|
||||
PROTOCOL_NAME = s3_token.PROTOCOL_NAME
|
||||
split_path = s3_token.split_path
|
||||
ServiceError = s3_token.ServiceError
|
||||
filter_factory = s3_token.filter_factory
|
||||
|
||||
|
||||
# TODO(kun): remove it after oslo merge this.
|
||||
def split_path(path, minsegs=1, maxsegs=None, rest_with_last=False):
|
||||
"""Validate and split the given HTTP request path.
|
||||
|
||||
**Examples**::
|
||||
|
||||
['a'] = split_path('/a')
|
||||
['a', None] = split_path('/a', 1, 2)
|
||||
['a', 'c'] = split_path('/a/c', 1, 2)
|
||||
['a', 'c', 'o/r'] = split_path('/a/c/o/r', 1, 3, True)
|
||||
|
||||
:param path: HTTP Request path to be split
|
||||
:param minsegs: Minimum number of segments to be extracted
|
||||
:param maxsegs: Maximum number of segments to be extracted
|
||||
:param rest_with_last: If True, trailing data will be returned as part
|
||||
of last segment. If False, and there is
|
||||
trailing data, raises ValueError.
|
||||
:returns: list of segments with a length of maxsegs (non-existant
|
||||
segments will return as None)
|
||||
:raises: ValueError if given an invalid path
|
||||
"""
|
||||
if not maxsegs:
|
||||
maxsegs = minsegs
|
||||
if minsegs > maxsegs:
|
||||
raise ValueError('minsegs > maxsegs: %d > %d' % (minsegs, maxsegs))
|
||||
if rest_with_last:
|
||||
segs = path.split('/', maxsegs)
|
||||
minsegs += 1
|
||||
maxsegs += 1
|
||||
count = len(segs)
|
||||
if (segs[0] or count < minsegs or count > maxsegs or
|
||||
'' in segs[1:minsegs]):
|
||||
raise ValueError('Invalid path: %s' % urllib.parse.quote(path))
|
||||
else:
|
||||
minsegs += 1
|
||||
maxsegs += 1
|
||||
segs = path.split('/', maxsegs)
|
||||
count = len(segs)
|
||||
if (segs[0] or count < minsegs or count > maxsegs + 1 or
|
||||
'' in segs[1:minsegs] or
|
||||
(count == maxsegs + 1 and segs[maxsegs])):
|
||||
raise ValueError('Invalid path: %s' % urllib.parse.quote(path))
|
||||
segs = segs[1:maxsegs]
|
||||
segs.extend([None] * (maxsegs - 1 - len(segs)))
|
||||
return segs
|
||||
|
||||
|
||||
class ServiceError(Exception):
|
||||
pass
|
||||
|
||||
|
||||
class S3Token(object):
|
||||
"""Auth Middleware that handles S3 authenticating client calls."""
|
||||
class S3Token(s3_token.S3Token):
|
||||
|
||||
@versionutils.deprecated(
|
||||
versionutils.deprecated.ICEHOUSE,
|
||||
in_favor_of='keystoneclient.middleware.s3_token',
|
||||
remove_in=+1,
|
||||
what='keystone.middleware.s3_token')
|
||||
def __init__(self, app, conf):
|
||||
"""Common initialization code."""
|
||||
self.app = app
|
||||
self.logger = LOG
|
||||
self.logger.debug('Starting the %s component' % PROTOCOL_NAME)
|
||||
self.reseller_prefix = conf.get('reseller_prefix', 'AUTH_')
|
||||
# where to find the auth service (we use this to validate tokens)
|
||||
self.auth_host = conf.get('auth_host')
|
||||
self.auth_port = int(conf.get('auth_port', 35357))
|
||||
self.auth_protocol = conf.get('auth_protocol', 'https')
|
||||
if self.auth_protocol == 'http':
|
||||
self.http_client_class = httplib.HTTPConnection
|
||||
else:
|
||||
self.http_client_class = httplib.HTTPSConnection
|
||||
# SSL
|
||||
self.cert_file = conf.get('certfile')
|
||||
self.key_file = conf.get('keyfile')
|
||||
|
||||
def deny_request(self, code):
|
||||
error_table = {
|
||||
'AccessDenied': (401, 'Access denied'),
|
||||
'InvalidURI': (400, 'Could not parse the specified URI'),
|
||||
}
|
||||
resp = webob.Response(content_type='text/xml')
|
||||
resp.status = error_table[code][0]
|
||||
resp.body = error_table[code][1]
|
||||
resp.body = ('<?xml version="1.0" encoding="UTF-8"?>\r\n'
|
||||
'<Error>\r\n <Code>%s</Code>\r\n '
|
||||
'<Message>%s</Message>\r\n</Error>\r\n' %
|
||||
(code, error_table[code][1]))
|
||||
return resp
|
||||
|
||||
def _json_request(self, creds_json):
|
||||
headers = {'Content-Type': 'application/json'}
|
||||
if self.auth_protocol == 'http':
|
||||
conn = self.http_client_class(self.auth_host, self.auth_port)
|
||||
else:
|
||||
conn = self.http_client_class(self.auth_host,
|
||||
self.auth_port,
|
||||
self.key_file,
|
||||
self.cert_file)
|
||||
try:
|
||||
conn.request('POST', '/v2.0/s3tokens',
|
||||
body=creds_json,
|
||||
headers=headers)
|
||||
response = conn.getresponse()
|
||||
output = response.read()
|
||||
except Exception as e:
|
||||
self.logger.info('HTTP connection exception: %s' % e)
|
||||
resp = self.deny_request('InvalidURI')
|
||||
raise ServiceError(resp)
|
||||
finally:
|
||||
conn.close()
|
||||
|
||||
if response.status < 200 or response.status >= 300:
|
||||
self.logger.debug('Keystone reply error: status=%s reason=%s' %
|
||||
(response.status, response.reason))
|
||||
resp = self.deny_request('AccessDenied')
|
||||
raise ServiceError(resp)
|
||||
|
||||
return (response, output)
|
||||
|
||||
def __call__(self, environ, start_response):
|
||||
"""Handle incoming request. authenticate and send downstream."""
|
||||
req = webob.Request(environ)
|
||||
self.logger.debug('Calling S3Token middleware.')
|
||||
|
||||
try:
|
||||
parts = split_path(req.path, 1, 4, True)
|
||||
version, account, container, obj = parts
|
||||
except ValueError:
|
||||
msg = 'Not a path query, skipping.'
|
||||
self.logger.debug(msg)
|
||||
return self.app(environ, start_response)
|
||||
|
||||
# Read request signature and access id.
|
||||
if 'Authorization' not in req.headers:
|
||||
msg = 'No Authorization header. skipping.'
|
||||
self.logger.debug(msg)
|
||||
return self.app(environ, start_response)
|
||||
|
||||
token = req.headers.get('X-Auth-Token',
|
||||
req.headers.get('X-Storage-Token'))
|
||||
if not token:
|
||||
msg = 'You did not specify a auth or a storage token. skipping.'
|
||||
self.logger.debug(msg)
|
||||
return self.app(environ, start_response)
|
||||
|
||||
auth_header = req.headers['Authorization']
|
||||
try:
|
||||
access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
|
||||
except ValueError:
|
||||
msg = 'You have an invalid Authorization header: %s'
|
||||
self.logger.debug(msg % (auth_header))
|
||||
return self.deny_request('InvalidURI')(environ, start_response)
|
||||
|
||||
# NOTE(chmou): This is to handle the special case with nova
|
||||
# when we have the option s3_affix_tenant. We will force it to
|
||||
# connect to another account than the one
|
||||
# authenticated. Before people start getting worried about
|
||||
# security, I should point that we are connecting with
|
||||
# username/token specified by the user but instead of
|
||||
# connecting to its own account we will force it to go to an
|
||||
# another account. In a normal scenario if that user don't
|
||||
# have the reseller right it will just fail but since the
|
||||
# reseller account can connect to every account it is allowed
|
||||
# by the swift_auth middleware.
|
||||
force_tenant = None
|
||||
if ':' in access:
|
||||
access, force_tenant = access.split(':')
|
||||
|
||||
# Authenticate request.
|
||||
creds = {'credentials': {'access': access,
|
||||
'token': token,
|
||||
'signature': signature}}
|
||||
creds_json = jsonutils.dumps(creds)
|
||||
self.logger.debug('Connecting to Keystone sending this JSON: %s' %
|
||||
creds_json)
|
||||
# NOTE(vish): We could save a call to keystone by having
|
||||
# keystone return token, tenant, user, and roles
|
||||
# from this call.
|
||||
#
|
||||
# NOTE(chmou): We still have the same problem we would need to
|
||||
# change token_auth to detect if we already
|
||||
# identified and not doing a second query and just
|
||||
# pass it through to swiftauth in this case.
|
||||
try:
|
||||
resp, output = self._json_request(creds_json)
|
||||
except ServiceError as e:
|
||||
resp = e.args[0]
|
||||
msg = 'Received error, exiting middleware with error: %s'
|
||||
self.logger.debug(msg % (resp.status))
|
||||
return resp(environ, start_response)
|
||||
|
||||
self.logger.debug('Keystone Reply: Status: %d, Output: %s' % (
|
||||
resp.status, output))
|
||||
|
||||
try:
|
||||
identity_info = jsonutils.loads(output)
|
||||
token_id = str(identity_info['access']['token']['id'])
|
||||
tenant = identity_info['access']['token']['tenant']
|
||||
except (ValueError, KeyError):
|
||||
error = 'Error on keystone reply: %d %s'
|
||||
self.logger.debug(error % (resp.status, str(output)))
|
||||
return self.deny_request('InvalidURI')(environ, start_response)
|
||||
|
||||
req.headers['X-Auth-Token'] = token_id
|
||||
tenant_to_connect = force_tenant or tenant['id']
|
||||
self.logger.debug('Connecting with tenant: %s' % (tenant_to_connect))
|
||||
new_tenant_name = '%s%s' % (self.reseller_prefix, tenant_to_connect)
|
||||
environ['PATH_INFO'] = environ['PATH_INFO'].replace(account,
|
||||
new_tenant_name)
|
||||
return self.app(environ, start_response)
|
||||
|
||||
|
||||
def filter_factory(global_conf, **local_conf):
|
||||
"""Returns a WSGI filter app for use with paste.deploy."""
|
||||
conf = global_conf.copy()
|
||||
conf.update(local_conf)
|
||||
|
||||
def auth_filter(app):
|
||||
return S3Token(app, conf)
|
||||
return auth_filter
|
||||
super(S3Token, self).__init__(app, conf)
|
||||
|
|
Loading…
Reference in New Issue