Merge "Remove deprecated external authentication plugins"
commit
7f76f23bcc
@ -23,7 +23,6 @@ from keystone import auth
|
||||
from keystone.common import dependency
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone.openstack.common import versionutils
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
@ -100,81 +99,3 @@ class KerberosDomain(Domain):
|
||||
if auth_type != 'Negotiate':
|
||||
raise exception.Unauthorized(_("auth_type is not Negotiate"))
|
||||
return super(KerberosDomain, self)._authenticate(remote_user, context)
|
||||
|
||||
|
||||
class ExternalDefault(DefaultDomain):
|
||||
"""Deprecated. Please use keystone.auth.external.DefaultDomain instead."""
|
||||
|
||||
@versionutils.deprecated(
|
||||
as_of=versionutils.deprecated.ICEHOUSE,
|
||||
in_favor_of='keystone.auth.external.DefaultDomain',
|
||||
remove_in=+1)
|
||||
def __init__(self):
|
||||
super(ExternalDefault, self).__init__()
|
||||
|
||||
|
||||
class ExternalDomain(Domain):
|
||||
"""Deprecated. Please use keystone.auth.external.Domain instead."""
|
||||
|
||||
@versionutils.deprecated(
|
||||
as_of=versionutils.deprecated.ICEHOUSE,
|
||||
in_favor_of='keystone.auth.external.Domain',
|
||||
remove_in=+1)
|
||||
def __init__(self):
|
||||
super(ExternalDomain, self).__init__()
|
||||
|
||||
|
||||
@dependency.requires('identity_api')
|
||||
class LegacyDefaultDomain(Base):
|
||||
"""Deprecated. Please use keystone.auth.external.DefaultDomain instead.
|
||||
|
||||
This plugin exists to provide compatibility for the unintended behavior
|
||||
described here: https://bugs.launchpad.net/keystone/+bug/1253484
|
||||
|
||||
"""
|
||||
|
||||
@versionutils.deprecated(
|
||||
as_of=versionutils.deprecated.ICEHOUSE,
|
||||
in_favor_of='keystone.auth.external.DefaultDomain',
|
||||
remove_in=+1)
|
||||
def __init__(self):
|
||||
super(LegacyDefaultDomain, self).__init__()
|
||||
|
||||
def _authenticate(self, remote_user, context):
|
||||
"""Use remote_user to look up the user in the identity backend."""
|
||||
# NOTE(dolph): this unintentionally discards half the REMOTE_USER value
|
||||
names = remote_user.split('@')
|
||||
username = names.pop(0)
|
||||
domain_id = CONF.identity.default_domain_id
|
||||
user_ref = self.identity_api.get_user_by_name(username, domain_id)
|
||||
return user_ref
|
||||
|
||||
|
||||
@dependency.requires('identity_api', 'resource_api')
|
||||
class LegacyDomain(Base):
|
||||
"""Deprecated. Please use keystone.auth.external.Domain instead."""
|
||||
|
||||
@versionutils.deprecated(
|
||||
as_of=versionutils.deprecated.ICEHOUSE,
|
||||
in_favor_of='keystone.auth.external.Domain',
|
||||
remove_in=+1)
|
||||
def __init__(self):
|
||||
super(LegacyDomain, self).__init__()
|
||||
|
||||
def _authenticate(self, remote_user, context):
|
||||
"""Use remote_user to look up the user in the identity backend.
|
||||
|
||||
If remote_user contains an `@` assume that the substring before the
|
||||
rightmost `@` is the username, and the substring after the @ is the
|
||||
domain name.
|
||||
"""
|
||||
names = remote_user.rsplit('@', 1)
|
||||
username = names.pop(0)
|
||||
if names:
|
||||
domain_name = names[0]
|
||||
domain_ref = self.resource_api.get_domain_by_name(domain_name)
|
||||
domain_id = domain_ref['id']
|
||||
else:
|
||||
domain_id = CONF.identity.default_domain_id
|
||||
user_ref = self.identity_api.get_user_by_name(username, domain_id)
|
||||
return user_ref
|
||||
|
@ -1588,82 +1588,6 @@ class TestAuthExternalDisabled(test_v3.RestfulTestCase):
|
||||
auth_context)
|
||||
|
||||
|
||||
class TestAuthExternalLegacyDefaultDomain(test_v3.RestfulTestCase):
|
||||
content_type = 'json'
|
||||
|
||||
def auth_plugin_config_override(self):
|
||||
super(TestAuthExternalLegacyDefaultDomain,
|
||||
self).auth_plugin_config_override(
|
||||
external='keystone.auth.plugins.external.LegacyDefaultDomain')
|
||||
|
||||
def test_remote_user_no_realm(self):
|
||||
api = auth.controllers.Auth()
|
||||
context, auth_info, auth_context = self.build_external_auth_request(
|
||||
self.default_domain_user['name'])
|
||||
api.authenticate(context, auth_info, auth_context)
|
||||
self.assertEqual(self.default_domain_user['id'],
|
||||
auth_context['user_id'])
|
||||
|
||||
def test_remote_user_no_domain(self):
|
||||
api = auth.controllers.Auth()
|
||||
context, auth_info, auth_context = self.build_external_auth_request(
|
||||
self.user['name'])
|
||||
self.assertRaises(exception.Unauthorized,
|
||||
api.authenticate,
|
||||
context,
|
||||
auth_info,
|
||||
auth_context)
|
||||
|
||||
|
||||
class TestAuthExternalLegacyDomain(test_v3.RestfulTestCase):
|
||||
content_type = 'json'
|
||||
|
||||
def auth_plugin_config_override(self):
|
||||
super(TestAuthExternalLegacyDomain, self).auth_plugin_config_override(
|
||||
external='keystone.auth.plugins.external.LegacyDomain')
|
||||
|
||||
def test_remote_user_with_realm(self):
|
||||
api = auth.controllers.Auth()
|
||||
remote_user = '%s@%s' % (self.user['name'], self.domain['name'])
|
||||
context, auth_info, auth_context = self.build_external_auth_request(
|
||||
remote_user)
|
||||
|
||||
api.authenticate(context, auth_info, auth_context)
|
||||
self.assertEqual(self.user['id'], auth_context['user_id'])
|
||||
|
||||
# Now test to make sure the user name can, itself, contain the
|
||||
# '@' character.
|
||||
user = {'name': 'myname@mydivision'}
|
||||
self.identity_api.update_user(self.user['id'], user)
|
||||
remote_user = '%s@%s' % (user['name'], self.domain['name'])
|
||||
context, auth_info, auth_context = self.build_external_auth_request(
|
||||
remote_user)
|
||||
|
||||
api.authenticate(context, auth_info, auth_context)
|
||||
self.assertEqual(self.user['id'], auth_context['user_id'])
|
||||
|
||||
def test_project_id_scoped_with_remote_user(self):
|
||||
self.config_fixture.config(group='token', bind=['kerberos'])
|
||||
auth_data = self.build_authentication_request(
|
||||
project_id=self.project['id'])
|
||||
remote_user = '%s@%s' % (self.user['name'], self.domain['name'])
|
||||
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
|
||||
'AUTH_TYPE': 'Negotiate'})
|
||||
r = self.v3_authenticate_token(auth_data)
|
||||
token = self.assertValidProjectScopedTokenResponse(r)
|
||||
self.assertEqual(self.user['name'], token['bind']['kerberos'])
|
||||
|
||||
def test_unscoped_bind_with_remote_user(self):
|
||||
self.config_fixture.config(group='token', bind=['kerberos'])
|
||||
auth_data = self.build_authentication_request()
|
||||
remote_user = '%s@%s' % (self.user['name'], self.domain['name'])
|
||||
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
|
||||
'AUTH_TYPE': 'Negotiate'})
|
||||
r = self.v3_authenticate_token(auth_data)
|
||||
token = self.assertValidUnscopedTokenResponse(r)
|
||||
self.assertEqual(self.user['name'], token['bind']['kerberos'])
|
||||
|
||||
|
||||
class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
content_type = 'json'
|
||||
|
||||
|