Remove the TokenAuth middleware

The entire purpose of this confusingly named middleware is to take token
values out of headers and put them into a dictionary. There's no point
in this, we have a request class that can abstract this for us.

Deprecate the middleware, it's unnecessary.

bp: deprecated-as-of-rocky
Change-Id: I09310bab6bd728127288ba4c3cf8f884a31e2b98
Jamie Lennox 2017-09-29 15:23:26 +10:00 committed by Gage Hugo
parent 03a616d1bf
commit b39132daa0
8 changed files with 54 additions and 34 deletions

@ -9,9 +9,6 @@ use = egg:oslo.middleware#request_id
[filter:build_auth_context]
use = egg:keystone#build_auth_context
[filter:token_auth]
use = egg:keystone#token_auth
[filter:json_body]
use = egg:keystone#json_body
@ -55,17 +52,17 @@ use = egg:keystone#admin_service
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension s3_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension_v3 s3_extension service_v3
[app:public_version_service]
use = egg:keystone#public_version_service

@ -309,7 +309,7 @@ class Auth(controller.V3Controller):
@controller.protected()
def check_token(self, request):
token_id = request.context_dict.get('subject_token_id')
token_id = request.subject_token
window_seconds = authorization.token_validation_window(request)
token_data = PROVIDERS.token_provider_api.validate_token(
token_id, window_seconds=window_seconds)
@ -320,12 +320,11 @@ class Auth(controller.V3Controller):
@controller.protected()
def revoke_token(self, request):
token_id = request.context_dict.get('subject_token_id')
return PROVIDERS.token_provider_api.revoke_token(token_id)
return PROVIDERS.token_provider_api.revoke_token(request.subject_token)
@controller.protected()
def validate_token(self, request):
token_id = request.context_dict.get('subject_token_id')
token_id = request.subject_token
window_seconds = authorization.token_validation_window(request)
include_catalog = 'nocatalog' not in request.params
token_data = PROVIDERS.token_provider_api.validate_token(
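Review bot: An empty `X-Subject-Token` header is now treated differently from a missing one. The retired middleware only stored the value when it was truthy, so `request.context_dict.get('subject_token_id')` gave None for an empty header, whereas `request.subject_token` returns `''`. check_token, revoke_token and validate_token here pass that straight to the token provider, and the `is not None` guard in `_handle_subject_token_id` (the authorization hunk further down) now lets it through to `validate_token` as well. The provider probably rejects an empty id, but that is not visible on this page. Normalising in the property keeps the old contract for every caller: `return self.headers.get(authorization.SUBJECT_TOKEN_HEADER) or None`. validate_token's body continues past the end of this hunk.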

@ -87,13 +87,13 @@ def token_validation_window(request):
def _handle_subject_token_id(self, request, policy_dict):
if request.context_dict.get('subject_token_id') is not None:
if request.subject_token is not None:
window_seconds = token_validation_window(request)
token_ref = token_model.KeystoneToken(
token_id=request.context_dict['subject_token_id'],
token_id=request.subject_token,
token_data=self.token_provider_api.validate_token(
request.context_dict['subject_token_id'],
request.subject_token,
window_seconds=window_seconds))
policy_dict.setdefault('target', {})
policy_dict['target'].setdefault(self.member_name, {})

@ -70,6 +70,10 @@ class Request(webob.Request):
context['is_admin_project'] = self.context.is_admin_project
context.setdefault('is_admin', False)
context['token_id'] = self.auth_token
if self.subject_token:
context['subject_token_id'] = self.subject_token
return context
@property
@ -119,6 +123,14 @@ class Request(webob.Request):
return initiator
@property
def auth_token(self):
return self.headers.get(authorization.AUTH_TOKEN_HEADER, None)
@property
def subject_token(self):
return self.headers.get(authorization.SUBJECT_TOKEN_HEADER, None)
auth_type = environ_getter('AUTH_TYPE', None)
remote_domain = environ_getter('REMOTE_DOMAIN', None)
context = environ_getter(context.REQUEST_CONTEXT_ENV, None)

@ -13,9 +13,9 @@
# under the License.
from oslo_log import log
from oslo_log import versionutils
from oslo_serialization import jsonutils
from keystone.common import authorization
from keystone.common import wsgi
from keystone import exception
@ -24,15 +24,22 @@ LOG = log.getLogger(__name__)
class TokenAuthMiddleware(wsgi.Middleware):
def process_request(self, request):
context = request.environ.setdefault(wsgi.CONTEXT_ENV, {})
token = request.headers.get(authorization.AUTH_TOKEN_HEADER)
context['token_id'] = token
@versionutils.deprecated(
as_of=versionutils.deprecated.ROCKY,
what='TokenAuthMiddleware in the paste-ini pipeline.',
remove_in=+2)
def __init__(self, *args, **kwargs):
super(TokenAuthMiddleware, self).__init__(*args, **kwargs)
subject_token = request.headers.get(authorization.SUBJECT_TOKEN_HEADER)
if subject_token:
context['subject_token_id'] = subject_token
LOG.warning('The token_auth middleware functionality has been '
'merged into the main auth middleware '
'(keystone.middleware.auth.AuthContextMiddleware). '
'The [filter:token_auth] block will need to be'
'removed from your paste ini file. Failure to'
'remove these elements from your paste ini file will '
'result in keystone to no longer start/run when the '
'`token_auth` is removed in the Stein release.')
class JsonBodyMiddleware(wsgi.Middleware):
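Review bot: The warning logged from `TokenAuthMiddleware.__init__` is built from adjacent string literals, and two of them lack a trailing space, so operators will read "need to beremoved" and "Failure toremove". The fragments should be `'The [filter:token_auth] block will need to be '` and `'removed from your paste ini file. Failure to '`. `versionutils.deprecated` on `__init__` presumably already emits a deprecation message, so the extra `LOG.warning` may duplicate it each time the pipeline is loaded; consider keeping only one. The release note added at the end of this commit tells operators to remove `admin_token_auth` from the three pipelines, while the paste-ini hunk removes `token_auth`, which looks like a leftover from an earlier note.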

@ -178,7 +178,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self._do_test_bootstrap(bootstrap)
# build validation request
request = self.make_request(is_admin=True)
request.context_dict['subject_token_id'] = token
request.headers['X-Subject-Token'] = token
# Make sure the token we authenticate for is still valid.
v3_token_controller.validate_token(request)
@ -209,7 +209,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self._do_test_bootstrap(bootstrap)
# build validation request
request = self.make_request(is_admin=True)
request.context_dict['subject_token_id'] = token
request.headers['X-Subject-Token'] = token
# Since the user account was recovered with a different password, we
# shouldn't be able to validate this token. Bootstrap should have
# persisted a revocation event because the user's password was updated.

@ -103,17 +103,6 @@ class MiddlewareRequestTestBase(unit.TestCase):
return self._do_middleware_response(*args, **kwargs).request
class TokenAuthMiddlewareTest(MiddlewareRequestTestBase):
MIDDLEWARE_CLASS = middleware.TokenAuthMiddleware
def test_request(self):
headers = {authorization.AUTH_TOKEN_HEADER: 'MAGIC'}
req = self._do_middleware_request(headers=headers)
context = req.environ[wsgi.CONTEXT_ENV]
self.assertEqual('MAGIC', context['token_id'])
class JsonBodyMiddlewareTest(MiddlewareRequestTestBase):
MIDDLEWARE_CLASS = middleware.JsonBodyMiddleware

@ -0,0 +1,16 @@
---
prelude: >
The token_auth middleware functionality has been merged into the main auth
middleware (keystone.middleware.auth.AuthContextMiddleware).
`admin_token_auth` must be removed from the [pipeline:api_v3],
[pipeline:admin_api], and [pipeline:public_api] sections of your paste ini
file. The [filter:token_auth] block will also need to be removed from your
paste ini file. Failure to remove these elements from your paste ini file
will result in keystone to no longer start/run when the `token_auth` is
removed in the Stein release.
upgrade:
- Remove token_auth from your keystone paste.ini file. Failure to remove
these elements from your paste ini file will result in keystone to no
longer start/run when the `token_auth` is removed in the Stein release.
deprecations:
- The keystone.middleware.core:TokenAuthMiddleware is deprecated for removal.