Add s3_token.

Add s3_token middleware originally written by Akira YOSHIYAMA.
Make it works with new swift_auth.
Make not necessary modification to swift3 middleware.
Handle errors when connecting to keystone.
Address termie's comment in reviews.

Change-Id: Icb2ae3fe79296ee6415dd55d146339ab72dd1d46

keystone/middleware/s3_token.py

@@ -0,0 +1,136 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# Copyright 2011,2012 Akira YOSHIYAMA <akirayoshiyama@gmail.com>
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# This source code is based ./auth_token.py and ./ec2_token.py.
+# See them for their copyright.
+
+"""Starting point for routing S3 requests."""
+
+import httplib
+import json
+
+import webob
+
+from swift.common import utils as swift_utils
+
+
+PROTOCOL_NAME = "S3 Token Authentication"
+
+
+class S3Token(object):
+    """Auth Middleware that handles S3 authenticating client calls."""
+
+    def __init__(self, app, conf):
+        """Common initialization code."""
+        self.app = app
+        self.logger = swift_utils.get_logger(conf, log_route='s3_token')
+        self.logger.debug('Starting the %s component' % PROTOCOL_NAME)
+
+        # where to find the auth service (we use this to validate tokens)
+        self.auth_host = conf.get('auth_host')
+        self.auth_port = int(conf.get('auth_port'))
+        self.auth_protocol = conf.get('auth_protocol', 'https')
+
+        # where to tell clients to find the auth service (default to url
+        # constructed based on endpoint we have for the service to use)
+        self.auth_location = conf.get('auth_uri',
+                                      '%s://%s:%s' % (self.auth_protocol,
+                                                      self.auth_host,
+                                                      self.auth_port))
+
+        # Credentials used to verify this component with the Auth service since
+        # validating tokens is a privileged call
+        self.admin_token = conf.get('admin_token')
+
+    def __call__(self, environ, start_response):
+        """Handle incoming request. authenticate and send downstream."""
+        req = webob.Request(environ)
+        parts = swift_utils.split_path(req.path, 1, 4, True)
+        version, account, container, obj = parts
+
+        # Read request signature and access id.
+        if not 'Authorization' in req.headers:
+            return self.app(environ, start_response)
+        token = req.headers.get('X-Auth-Token',
+                                req.headers.get('X-Storage-Token'))
+
+        auth_header = req.headers['Authorization']
+        access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
+
+        # Authenticate the request.
+        creds = {'credentials': {'access': access,
+                                 'token': token,
+                                 'signature': signature,
+                                 'host': req.host,
+                                 'verb': req.method,
+                                 'path': req.path,
+                                 'expire': req.headers['Date'],
+                                 }}
+
+        creds_json = json.dumps(creds)
+        headers = {'Content-Type': 'application/json'}
+        if self.auth_protocol == 'http':
+            conn = httplib.HTTPConnection(self.auth_host, self.auth_port)
+        else:
+            conn = httplib.HTTPSConnection(self.auth_host, self.auth_port)
+
+        conn.request('POST', '/v2.0/s3tokens',
+                     body=creds_json,
+                     headers=headers)
+        resp = conn.getresponse()
+        if resp.status < 200 or resp.status >= 300:
+            raise Exception('Keystone reply error: status=%s reason=%s' % (
+                    resp.status,
+                    resp.reason))
+
+        # NOTE(vish): We could save a call to keystone by having
+        #             keystone return token, tenant, user, and roles
+        #             from this call.
+        #
+        # NOTE(chmou): We still have the same problem we would need to
+        #              change token_auth to detect if we already
+        #              identified and not doing a second query and just
+        #              pass it through to swiftauth in this case.
+        #              identity_info = json.loads(response)
+        output = resp.read()
+        conn.close()
+        identity_info = json.loads(output)
+        try:
+            token_id = str(identity_info['access']['token']['id'])
+            tenant = (identity_info['access']['token']['tenant']['id'],
+                      identity_info['access']['token']['tenant']['name'])
+        except (KeyError, IndexError):
+            self.logger.debug('Error getting keystone reply: %s' %
+                              (str(output)))
+            raise
+
+        req.headers['X-Auth-Token'] = token_id
+        environ['PATH_INFO'] = environ['PATH_INFO'].replace(
+                account, 'AUTH_%s' % tenant[0])
+        return self.app(environ, start_response)
+
+
+def filter_factory(global_conf, **local_conf):
+    """Returns a WSGI filter app for use with paste.deploy."""
+    conf = global_conf.copy()
+    conf.update(local_conf)
+
+    def auth_filter(app):
+        return S3Token(app, conf)
+    return auth_filter