Remove the TokenAuth middleware

The entire purpose of this confusingly named middleware is to take token values out of headers and put them into a dictionary. There's no point in this, we have a request class that can abstract this for us. Deprecate the middleware, it's unnecessary. bp: deprecated-as-of-rocky Change-Id: I09310bab6bd728127288ba4c3cf8f884a31e2b98
2017-09-29 15:23:26 +10:00 · 2017-09-29 15:23:26 +10:00 · b39132daa0
commit b39132daa0
parent 03a616d1bf
8 changed files with 54 additions and 34 deletions
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@ -9,9 +9,6 @@ use = egg:oslo.middleware#request_id
 [filter:build_auth_context]
 use = egg:keystone#build_auth_context

-[filter:token_auth]
-use = egg:keystone#token_auth
-
 [filter:json_body]
 use = egg:keystone#json_body

@ -55,17 +52,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension public_service

 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension s3_extension admin_service

 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension_v3 s3_extension service_v3

 [app:public_version_service]
 use = egg:keystone#public_version_service
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -309,7 +309,7 @@ class Auth(controller.V3Controller):

    @controller.protected()
    def check_token(self, request):
-        token_id = request.context_dict.get('subject_token_id')
+        token_id = request.subject_token
        window_seconds = authorization.token_validation_window(request)
        token_data = PROVIDERS.token_provider_api.validate_token(
            token_id, window_seconds=window_seconds)
@ -320,12 +320,11 @@ class Auth(controller.V3Controller):

    @controller.protected()
    def revoke_token(self, request):
-        token_id = request.context_dict.get('subject_token_id')
-        return PROVIDERS.token_provider_api.revoke_token(token_id)
+        return PROVIDERS.token_provider_api.revoke_token(request.subject_token)

    @controller.protected()
    def validate_token(self, request):
-        token_id = request.context_dict.get('subject_token_id')
+        token_id = request.subject_token
        window_seconds = authorization.token_validation_window(request)
        include_catalog = 'nocatalog' not in request.params
        token_data = PROVIDERS.token_provider_api.validate_token(
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@ -87,13 +87,13 @@ def token_validation_window(request):


 def _handle_subject_token_id(self, request, policy_dict):
-    if request.context_dict.get('subject_token_id') is not None:
+    if request.subject_token is not None:
        window_seconds = token_validation_window(request)

        token_ref = token_model.KeystoneToken(
-            token_id=request.context_dict['subject_token_id'],
+            token_id=request.subject_token,
            token_data=self.token_provider_api.validate_token(
-                request.context_dict['subject_token_id'],
+                request.subject_token,
                window_seconds=window_seconds))
        policy_dict.setdefault('target', {})
        policy_dict['target'].setdefault(self.member_name, {})
--- a/keystone/common/request.py
+++ b/keystone/common/request.py
@ -70,6 +70,10 @@ class Request(webob.Request):
            context['is_admin_project'] = self.context.is_admin_project

        context.setdefault('is_admin', False)
+        context['token_id'] = self.auth_token
+        if self.subject_token:
+            context['subject_token_id'] = self.subject_token
+
        return context

    @property
@ -119,6 +123,14 @@ class Request(webob.Request):

        return initiator

+    @property
+    def auth_token(self):
+        return self.headers.get(authorization.AUTH_TOKEN_HEADER, None)
+
+    @property
+    def subject_token(self):
+        return self.headers.get(authorization.SUBJECT_TOKEN_HEADER, None)
+
    auth_type = environ_getter('AUTH_TYPE', None)
    remote_domain = environ_getter('REMOTE_DOMAIN', None)
    context = environ_getter(context.REQUEST_CONTEXT_ENV, None)
--- a/keystone/middleware/core.py
+++ b/keystone/middleware/core.py
@ -13,9 +13,9 @@
 # under the License.

 from oslo_log import log
+from oslo_log import versionutils
 from oslo_serialization import jsonutils

-from keystone.common import authorization
 from keystone.common import wsgi
 from keystone import exception

@ -24,15 +24,22 @@ LOG = log.getLogger(__name__)


 class TokenAuthMiddleware(wsgi.Middleware):
-    def process_request(self, request):
-        context = request.environ.setdefault(wsgi.CONTEXT_ENV, {})

-        token = request.headers.get(authorization.AUTH_TOKEN_HEADER)
-        context['token_id'] = token
+    @versionutils.deprecated(
+        as_of=versionutils.deprecated.ROCKY,
+        what='TokenAuthMiddleware in the paste-ini pipeline.',
+        remove_in=+2)
+    def __init__(self, *args, **kwargs):
+        super(TokenAuthMiddleware, self).__init__(*args, **kwargs)

-        subject_token = request.headers.get(authorization.SUBJECT_TOKEN_HEADER)
-        if subject_token:
-            context['subject_token_id'] = subject_token
+        LOG.warning('The token_auth middleware functionality has been '
+                    'merged into the main auth middleware '
+                    '(keystone.middleware.auth.AuthContextMiddleware). '
+                    'The [filter:token_auth] block will need to be'
+                    'removed from your paste ini file. Failure to'
+                    'remove these elements from your paste ini file will '
+                    'result in keystone to no longer start/run when the '
+                    '`token_auth` is removed in the Stein release.')


 class JsonBodyMiddleware(wsgi.Middleware):
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -178,7 +178,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
        self._do_test_bootstrap(bootstrap)
        # build validation request
        request = self.make_request(is_admin=True)
-        request.context_dict['subject_token_id'] = token
+        request.headers['X-Subject-Token'] = token
        # Make sure the token we authenticate for is still valid.
        v3_token_controller.validate_token(request)

@ -209,7 +209,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
        self._do_test_bootstrap(bootstrap)
        # build validation request
        request = self.make_request(is_admin=True)
-        request.context_dict['subject_token_id'] = token
+        request.headers['X-Subject-Token'] = token
        # Since the user account was recovered with a different password, we
        # shouldn't be able to validate this token. Bootstrap should have
        # persisted a revocation event because the user's password was updated.
--- a/keystone/tests/unit/test_middleware.py
+++ b/keystone/tests/unit/test_middleware.py
@ -103,17 +103,6 @@ class MiddlewareRequestTestBase(unit.TestCase):
        return self._do_middleware_response(*args, **kwargs).request


-class TokenAuthMiddlewareTest(MiddlewareRequestTestBase):
-
-    MIDDLEWARE_CLASS = middleware.TokenAuthMiddleware
-
-    def test_request(self):
-        headers = {authorization.AUTH_TOKEN_HEADER: 'MAGIC'}
-        req = self._do_middleware_request(headers=headers)
-        context = req.environ[wsgi.CONTEXT_ENV]
-        self.assertEqual('MAGIC', context['token_id'])
-
-
 class JsonBodyMiddlewareTest(MiddlewareRequestTestBase):

    MIDDLEWARE_CLASS = middleware.JsonBodyMiddleware
--- a/releasenotes/notes/remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml
+++ b/releasenotes/notes/remove-token-auth-middleware-5ea3b3734ce1d9e6.yaml
@ -0,0 +1,16 @@
+---
+prelude: >
+  The token_auth middleware functionality has been merged into the main auth
+  middleware (keystone.middleware.auth.AuthContextMiddleware).
+  `admin_token_auth` must be removed from the [pipeline:api_v3],
+  [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini
+  file. The [filter:token_auth] block will also need to be removed from your
+  paste ini file. Failure to remove these elements from your paste ini file
+  will result in keystone to no longer start/run when the `token_auth` is
+  removed in the Stein release.
+upgrade:
+  - Remove token_auth from your keystone paste.ini file. Failure to remove
+    these elements from your paste ini file will result in keystone to no
+    longer start/run when the `token_auth` is removed in the Stein release.
+deprecations:
+  - The keystone.middleware.core:TokenAuthMiddleware is deprecated for removal.