openstack/keystone
Code Issues Proposed changes

Remove [signing] config

Browse Source 
Since pki-setup was removed in pike.This
patch removes the config options that were
left for backward compatibility, as PKI is
not supported.

Partial-Bug: #1829453
Change-Id: I83cd08e57fbc046ad69bd42eb2e5fa1ace6e8a28
This commit is contained in:
Vishakha Agarwal 2019-05-16 10:03:53 +05:30
parent 94a1b57897
commit b836aa221c
7 changed files with 23 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
keystone/api/os_simple_cert.py
View File

@ -12,13 +12,12 @@
# This file handles all flask-restful resources for /v3/OS-SIMPLE-CERT
import flask
import flask_restful
from six.moves import http_client
from keystone.api._shared import json_home_relations
import keystone.conf
from keystone import exception
from keystone.i18n import _
from keystone.server import flask as ks_flask
@ -28,27 +27,22 @@ CONF = keystone.conf.CONF
_build_resource_relation = json_home_relations.os_simple_cert_resource_rel_func
def _get_certificate(name):
try:
with open(name, 'r') as f:
body = f.read()
except IOError:
raise exception.CertificateFilesUnavailable()
resp = flask.make_response(body, http_client.OK)
resp.headers['Content-Type'] = 'application/x-pem-file'
return resp
class SimpleCertCAResource(flask_restful.Resource):
@ks_flask.unenforced_api
def get(self):
return _get_certificate(CONF.signing.ca_certs)
raise exception.Gone(
message=_('This API is no longer available due to the removal'
'of support for PKI tokens. Returning a 410 instead'
'of removing the API'))
class SimpleCertListResource(flask_restful.Resource):
@ks_flask.unenforced_api
def get(self):
return _get_certificate(CONF.signing.certfile)
raise exception.Gone(
message=_('This API is no longer available due to the removal'
'of support for PKI tokens. Returning a 410 instead'
'of removing the API'))
class SimpleCertAPI(ks_flask.APIBase):

2
keystone/conf/__init__.py
View File

@ -48,7 +48,6 @@ from keystone.conf import role
from keystone.conf import saml
from keystone.conf import security_compliance
from keystone.conf import shadow_users
from keystone.conf import signing
from keystone.conf import token
from keystone.conf import tokenless_auth
from keystone.conf import trust
@ -87,7 +86,6 @@ conf_modules = [
saml,
security_compliance,
shadow_users,
signing,
token,
tokenless_auth,
trust,

135
keystone/conf/signing.py
View File

@ -1,135 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import constants
from keystone.conf import utils
_DEPRECATED_MSG = utils.fmt("""
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike.
These options remain for backwards compatibility.
""")
certfile = cfg.StrOpt(
'certfile',
default=constants._CERTFILE,
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
Absolute path to the public certificate file to use for signing responses to
revocation lists requests. Set this together with `[signing] keyfile`. For
non-production environments, you may be interested in using `keystone-manage
pki_setup` to generate self-signed certificates.
"""))
keyfile = cfg.StrOpt(
'keyfile',
default=constants._KEYFILE,
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
Absolute path to the private key file to use for signing responses to
revocation lists requests. Set this together with `[signing] certfile`.
"""))
ca_certs = cfg.StrOpt(
'ca_certs',
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
default='/etc/keystone/ssl/certs/ca.pem',
help=utils.fmt("""
Absolute path to the public certificate authority (CA) file to use when
creating self-signed certificates with `keystone-manage pki_setup`. Set this
together with `[signing] ca_key`. There is no reason to set this option unless
you are requesting revocation lists in a non-production environment. Use a
`[signing] certfile` issued from a trusted certificate authority instead.
"""))
ca_key = cfg.StrOpt(
'ca_key',
default='/etc/keystone/ssl/private/cakey.pem',
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
Absolute path to the private certificate authority (CA) key file to use when
creating self-signed certificates with `keystone-manage pki_setup`. Set this
together with `[signing] ca_certs`. There is no reason to set this option
unless you are requesting revocation lists in a non-production environment.
Use a `[signing] certfile` issued from a trusted certificate authority instead.
"""))
key_size = cfg.IntOpt(
'key_size',
default=2048,
min=1024,
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
Key size (in bits) to use when generating a self-signed token signing
certificate. There is no reason to set this option unless you are requesting
revocation lists in a non-production environment. Use a `[signing] certfile`
issued from a trusted certificate authority instead.
"""))
valid_days = cfg.IntOpt(
'valid_days',
default=3650,
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
The validity period (in days) to use when generating a self-signed token
signing certificate. There is no reason to set this option unless you are
requesting revocation lists in a non-production environment. Use a
`[signing] certfile` issued from a trusted certificate authority instead.
"""))
cert_subject = cfg.StrOpt(
'cert_subject',
default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
deprecated_for_removal=True,
deprecated_reason=_DEPRECATED_MSG,
deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
The certificate subject to use when generating a self-signed token signing
certificate. There is no reason to set this option unless you are requesting
revocation lists in a non-production environment. Use a
`[signing] certfile` issued from a trusted certificate authority instead.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
certfile,
keyfile,
ca_certs,
ca_key,
key_size,
valid_days,
cert_subject,
]
def register_opts(conf):
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
def list_opts():
return {GROUP_NAME: ALL_OPTS}

6
keystone/exception.py
View File

@ -594,12 +594,6 @@ class TrustConsumeMaximumAttempt(UnexpectedError):
"acquire lock.")
class CertificateFilesUnavailable(UnexpectedError):
debug_message_format = _("Expected signing certificates are not available "
"on the server. Please check Keystone "
"configuration.")
class MalformedEndpoint(UnexpectedError):
debug_message_format = _("Malformed endpoint URL (%(endpoint)s),"
" see ERROR log for details.")

4
keystone/tests/unit/core.py
View File

@ -762,10 +762,6 @@ class TestCase(BaseTestCase):
group='catalog',
driver='sql',
template_file=dirs.tests('default_catalog.templates'))
self.config_fixture.config(
group='signing', certfile=signing_certfile,
keyfile=signing_keyfile,
ca_certs='examples/pki/certs/cacert.pem')
self.config_fixture.config(
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
self.config_fixture.config(

35
keystone/tests/unit/test_contrib_simple_cert.py
View File

@ -10,8 +10,6 @@
# License for the specific language governing permissions and limitations
# under the License.
import uuid
from six.moves import http_client
from keystone.tests.unit import test_v3
@ -26,38 +24,13 @@ class BaseTestCase(test_v3.RestfulTestCase):
class TestSimpleCert(BaseTestCase):
def request_cert(self, path):
content_type = 'application/x-pem-file'
response = self.request(app=self.public_app,
method='GET',
path=path,
headers={'Accept': content_type},
expected_status=http_client.OK)
self.assertEqual(content_type, response.content_type.lower())
self.assertIn(b'---BEGIN', response.body)
# Test the same path with HEAD
self.request(
app=self.public_app, method='HEAD', path=path,
headers={'Accept': content_type}, expected_status=http_client.OK
)
return response
self.request(app=self.public_app,
method='GET',
path=path,
expected_status=http_client.GONE)
def test_ca_cert(self):
self.request_cert(self.CA_PATH)
def test_signing_cert(self):
self.request_cert(self.CERT_PATH)
def test_missing_file(self):
# these files do not exist
self.config_fixture.config(group='signing',
ca_certs=uuid.uuid4().hex,
certfile=uuid.uuid4().hex)
for path in [self.CA_PATH, self.CERT_PATH]:
self.request(app=self.public_app,
method='GET',
path=path,
expected_status=http_client.INTERNAL_SERVER_ERROR)

10
releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml
View File

@ -7,3 +7,13 @@ other:
- >
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
The deprecated config option `admin_endpoint` is removed now.
- >
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
The deprecated config options in `signing` are removed now.
upgrade:
- |
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
The os-simple-cert-api will return 410 due to the removal of
config options signing [ca_certs] and signing [cert_file].