Remove [signing] config
Since pki-setup was removed in Pike, this patch removes the config options that were left for backward compatibility, as PKI is not supported. Partial-Bug: #1829453 Change-Id: I83cd08e57fbc046ad69bd42eb2e5fa1ace6e8a28
parent
94a1b57897
commit
b836aa221c
|
@ -12,13 +12,12 @@
|
||||||
|
|
||||||
# This file handles all flask-restful resources for /v3/OS-SIMPLE-CERT
|
# This file handles all flask-restful resources for /v3/OS-SIMPLE-CERT
|
||||||
|
|
||||||
import flask
|
|
||||||
import flask_restful
|
import flask_restful
|
||||||
from six.moves import http_client
|
|
||||||
|
|
||||||
from keystone.api._shared import json_home_relations
|
from keystone.api._shared import json_home_relations
|
||||||
import keystone.conf
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
from keystone.i18n import _
|
||||||
from keystone.server import flask as ks_flask
|
from keystone.server import flask as ks_flask
|
||||||
|
|
||||||
|
|
||||||
|
@ -28,27 +27,22 @@ CONF = keystone.conf.CONF
|
||||||
_build_resource_relation = json_home_relations.os_simple_cert_resource_rel_func
|
_build_resource_relation = json_home_relations.os_simple_cert_resource_rel_func
|
||||||
|
|
||||||
|
|
||||||
def _get_certificate(name):
|
|
||||||
try:
|
|
||||||
with open(name, 'r') as f:
|
|
||||||
body = f.read()
|
|
||||||
except IOError:
|
|
||||||
raise exception.CertificateFilesUnavailable()
|
|
||||||
resp = flask.make_response(body, http_client.OK)
|
|
||||||
resp.headers['Content-Type'] = 'application/x-pem-file'
|
|
||||||
return resp
|
|
||||||
|
|
||||||
|
|
||||||
class SimpleCertCAResource(flask_restful.Resource):
|
class SimpleCertCAResource(flask_restful.Resource):
|
||||||
@ks_flask.unenforced_api
|
@ks_flask.unenforced_api
|
||||||
def get(self):
|
def get(self):
|
||||||
return _get_certificate(CONF.signing.ca_certs)
|
raise exception.Gone(
|
||||||
|
message=_('This API is no longer available due to the removal'
|
||||||
|
'of support for PKI tokens. Returning a 410 instead'
|
||||||
|
'of removing the API'))
|
||||||
|
|
||||||
|
|
||||||
class SimpleCertListResource(flask_restful.Resource):
|
class SimpleCertListResource(flask_restful.Resource):
|
||||||
@ks_flask.unenforced_api
|
@ks_flask.unenforced_api
|
||||||
def get(self):
|
def get(self):
|
||||||
return _get_certificate(CONF.signing.certfile)
|
raise exception.Gone(
|
||||||
|
message=_('This API is no longer available due to the removal'
|
||||||
|
'of support for PKI tokens. Returning a 410 instead'
|
||||||
|
'of removing the API'))
|
||||||
|
|
||||||
|
|
||||||
class SimpleCertAPI(ks_flask.APIBase):
|
class SimpleCertAPI(ks_flask.APIBase):
|
||||||
|
|
|
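Review bot: The new `exception.Gone` message in `SimpleCertCAResource.get` and `SimpleCertListResource.get` is built by implicit string concatenation with no separating spaces, so the rendered text reads "removalof support" and "insteadof removing". Both resources should end the first two fragments with a trailing space: `message=_('This API is no longer available due to the removal '`, `'of support for PKI tokens. Returning a 410 instead '`, `'of removing the API'))`. Since the text is wrapped in `_()` for translation, it would also be worth checking whether an existing message catalog entry needs updating for the corrected string. The same fragments appear in both resources, so fix them together.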
@ -48,7 +48,6 @@ from keystone.conf import role
|
||||||
from keystone.conf import saml
|
from keystone.conf import saml
|
||||||
from keystone.conf import security_compliance
|
from keystone.conf import security_compliance
|
||||||
from keystone.conf import shadow_users
|
from keystone.conf import shadow_users
|
||||||
from keystone.conf import signing
|
|
||||||
from keystone.conf import token
|
from keystone.conf import token
|
||||||
from keystone.conf import tokenless_auth
|
from keystone.conf import tokenless_auth
|
||||||
from keystone.conf import trust
|
from keystone.conf import trust
|
||||||
|
@ -87,7 +86,6 @@ conf_modules = [
|
||||||
saml,
|
saml,
|
||||||
security_compliance,
|
security_compliance,
|
||||||
shadow_users,
|
shadow_users,
|
||||||
signing,
|
|
||||||
token,
|
token,
|
||||||
tokenless_auth,
|
tokenless_auth,
|
||||||
trust,
|
trust,
|
||||||
|
|
|
@ -1,135 +0,0 @@
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import versionutils
|
|
||||||
|
|
||||||
from keystone.conf import constants
|
|
||||||
from keystone.conf import utils
|
|
||||||
|
|
||||||
|
|
||||||
_DEPRECATED_MSG = utils.fmt("""
|
|
||||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike.
|
|
||||||
These options remain for backwards compatibility.
|
|
||||||
""")
|
|
||||||
|
|
||||||
certfile = cfg.StrOpt(
|
|
||||||
'certfile',
|
|
||||||
default=constants._CERTFILE,
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
help=utils.fmt("""
|
|
||||||
Absolute path to the public certificate file to use for signing responses to
|
|
||||||
revocation lists requests. Set this together with `[signing] keyfile`. For
|
|
||||||
non-production environments, you may be interested in using `keystone-manage
|
|
||||||
pki_setup` to generate self-signed certificates.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
keyfile = cfg.StrOpt(
|
|
||||||
'keyfile',
|
|
||||||
default=constants._KEYFILE,
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
help=utils.fmt("""
|
|
||||||
Absolute path to the private key file to use for signing responses to
|
|
||||||
revocation lists requests. Set this together with `[signing] certfile`.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
ca_certs = cfg.StrOpt(
|
|
||||||
'ca_certs',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
default='/etc/keystone/ssl/certs/ca.pem',
|
|
||||||
help=utils.fmt("""
|
|
||||||
Absolute path to the public certificate authority (CA) file to use when
|
|
||||||
creating self-signed certificates with `keystone-manage pki_setup`. Set this
|
|
||||||
together with `[signing] ca_key`. There is no reason to set this option unless
|
|
||||||
you are requesting revocation lists in a non-production environment. Use a
|
|
||||||
`[signing] certfile` issued from a trusted certificate authority instead.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
ca_key = cfg.StrOpt(
|
|
||||||
'ca_key',
|
|
||||||
default='/etc/keystone/ssl/private/cakey.pem',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
help=utils.fmt("""
|
|
||||||
Absolute path to the private certificate authority (CA) key file to use when
|
|
||||||
creating self-signed certificates with `keystone-manage pki_setup`. Set this
|
|
||||||
together with `[signing] ca_certs`. There is no reason to set this option
|
|
||||||
unless you are requesting revocation lists in a non-production environment.
|
|
||||||
Use a `[signing] certfile` issued from a trusted certificate authority instead.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
key_size = cfg.IntOpt(
|
|
||||||
'key_size',
|
|
||||||
default=2048,
|
|
||||||
min=1024,
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
help=utils.fmt("""
|
|
||||||
Key size (in bits) to use when generating a self-signed token signing
|
|
||||||
certificate. There is no reason to set this option unless you are requesting
|
|
||||||
revocation lists in a non-production environment. Use a `[signing] certfile`
|
|
||||||
issued from a trusted certificate authority instead.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
valid_days = cfg.IntOpt(
|
|
||||||
'valid_days',
|
|
||||||
default=3650,
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
help=utils.fmt("""
|
|
||||||
The validity period (in days) to use when generating a self-signed token
|
|
||||||
signing certificate. There is no reason to set this option unless you are
|
|
||||||
requesting revocation lists in a non-production environment. Use a
|
|
||||||
`[signing] certfile` issued from a trusted certificate authority instead.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
cert_subject = cfg.StrOpt(
|
|
||||||
'cert_subject',
|
|
||||||
default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_DEPRECATED_MSG,
|
|
||||||
deprecated_since=versionutils.deprecated.PIKE,
|
|
||||||
help=utils.fmt("""
|
|
||||||
The certificate subject to use when generating a self-signed token signing
|
|
||||||
certificate. There is no reason to set this option unless you are requesting
|
|
||||||
revocation lists in a non-production environment. Use a
|
|
||||||
`[signing] certfile` issued from a trusted certificate authority instead.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
|
|
||||||
GROUP_NAME = __name__.split('.')[-1]
|
|
||||||
ALL_OPTS = [
|
|
||||||
certfile,
|
|
||||||
keyfile,
|
|
||||||
ca_certs,
|
|
||||||
ca_key,
|
|
||||||
key_size,
|
|
||||||
valid_days,
|
|
||||||
cert_subject,
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
def register_opts(conf):
|
|
||||||
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
|
||||||
|
|
||||||
|
|
||||||
def list_opts():
|
|
||||||
return {GROUP_NAME: ALL_OPTS}
|
|
|
@ -594,12 +594,6 @@ class TrustConsumeMaximumAttempt(UnexpectedError):
|
||||||
"acquire lock.")
|
"acquire lock.")
|
||||||
|
|
||||||
|
|
||||||
class CertificateFilesUnavailable(UnexpectedError):
|
|
||||||
debug_message_format = _("Expected signing certificates are not available "
|
|
||||||
"on the server. Please check Keystone "
|
|
||||||
"configuration.")
|
|
||||||
|
|
||||||
|
|
||||||
class MalformedEndpoint(UnexpectedError):
|
class MalformedEndpoint(UnexpectedError):
|
||||||
debug_message_format = _("Malformed endpoint URL (%(endpoint)s),"
|
debug_message_format = _("Malformed endpoint URL (%(endpoint)s),"
|
||||||
" see ERROR log for details.")
|
" see ERROR log for details.")
|
||||||
|
|
|
@ -762,10 +762,6 @@ class TestCase(BaseTestCase):
|
||||||
group='catalog',
|
group='catalog',
|
||||||
driver='sql',
|
driver='sql',
|
||||||
template_file=dirs.tests('default_catalog.templates'))
|
template_file=dirs.tests('default_catalog.templates'))
|
||||||
self.config_fixture.config(
|
|
||||||
group='signing', certfile=signing_certfile,
|
|
||||||
keyfile=signing_keyfile,
|
|
||||||
ca_certs='examples/pki/certs/cacert.pem')
|
|
||||||
self.config_fixture.config(
|
self.config_fixture.config(
|
||||||
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
|
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
|
||||||
self.config_fixture.config(
|
self.config_fixture.config(
|
||||||
|
|
|
@ -10,8 +10,6 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
import uuid
|
|
||||||
|
|
||||||
from six.moves import http_client
|
from six.moves import http_client
|
||||||
|
|
||||||
from keystone.tests.unit import test_v3
|
from keystone.tests.unit import test_v3
|
||||||
|
@ -26,38 +24,13 @@ class BaseTestCase(test_v3.RestfulTestCase):
|
||||||
class TestSimpleCert(BaseTestCase):
|
class TestSimpleCert(BaseTestCase):
|
||||||
|
|
||||||
def request_cert(self, path):
|
def request_cert(self, path):
|
||||||
content_type = 'application/x-pem-file'
|
self.request(app=self.public_app,
|
||||||
response = self.request(app=self.public_app,
|
method='GET',
|
||||||
method='GET',
|
path=path,
|
||||||
path=path,
|
expected_status=http_client.GONE)
|
||||||
headers={'Accept': content_type},
|
|
||||||
expected_status=http_client.OK)
|
|
||||||
|
|
||||||
self.assertEqual(content_type, response.content_type.lower())
|
|
||||||
self.assertIn(b'---BEGIN', response.body)
|
|
||||||
|
|
||||||
# Test the same path with HEAD
|
|
||||||
self.request(
|
|
||||||
app=self.public_app, method='HEAD', path=path,
|
|
||||||
headers={'Accept': content_type}, expected_status=http_client.OK
|
|
||||||
)
|
|
||||||
|
|
||||||
return response
|
|
||||||
|
|
||||||
def test_ca_cert(self):
|
def test_ca_cert(self):
|
||||||
self.request_cert(self.CA_PATH)
|
self.request_cert(self.CA_PATH)
|
||||||
|
|
||||||
def test_signing_cert(self):
|
def test_signing_cert(self):
|
||||||
self.request_cert(self.CERT_PATH)
|
self.request_cert(self.CERT_PATH)
|
||||||
|
|
||||||
def test_missing_file(self):
|
|
||||||
# these files do not exist
|
|
||||||
self.config_fixture.config(group='signing',
|
|
||||||
ca_certs=uuid.uuid4().hex,
|
|
||||||
certfile=uuid.uuid4().hex)
|
|
||||||
|
|
||||||
for path in [self.CA_PATH, self.CERT_PATH]:
|
|
||||||
self.request(app=self.public_app,
|
|
||||||
method='GET',
|
|
||||||
path=path,
|
|
||||||
expected_status=http_client.INTERNAL_SERVER_ERROR)
|
|
||||||
|
|
|
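Review bot: The rewritten `request_cert` in the second hunk only issues a GET, so the HEAD request the old helper also exercised is no longer covered, even though the resources under test still only define `get` and now raise 410 from it. Keeping a HEAD call alongside the GET would preserve that coverage: `self.request(app=self.public_app, method='HEAD', path=path, expected_status=http_client.GONE)`. Dropping the helper's return value is consistent, since `test_ca_cert` and `test_signing_cert` ignore it, and removing `import uuid` matches the removal of `test_missing_file`.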
@ -7,3 +7,13 @@ other:
|
||||||
- >
|
- >
|
||||||
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
|
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
|
||||||
The deprecated config option `admin_endpoint` is removed now.
|
The deprecated config option `admin_endpoint` is removed now.
|
||||||
|
|
||||||
|
- >
|
||||||
|
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
|
||||||
|
The deprecated config options in `signing` are removed now.
|
||||||
|
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
|
||||||
|
The os-simple-cert-api will return 410 due to the removal of
|
||||||
|
config options signing [ca_certs] and signing [cert_file].
|
||||||
|
|