Merge "Deprecate simple_cert extension"
commit
c54662be78
|
@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3
|
|||
[filter:s3_extension]
|
||||
use = egg:keystone#s3_extension
|
||||
|
||||
[filter:simple_cert_extension]
|
||||
use = egg:keystone#simple_cert_extension
|
||||
|
||||
[filter:url_normalize]
|
||||
use = egg:keystone#url_normalize
|
||||
|
||||
|
@ -64,7 +61,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
|
|||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
use = egg:keystone#public_version_service
|
||||
|
|
|
@ -347,26 +347,33 @@ FILE_OPTIONS = {
|
|||
'signing': [
|
||||
cfg.StrOpt('certfile',
|
||||
default=_CERTFILE,
|
||||
deprecated_for_removal=True,
|
||||
help='Path of the certfile for token signing. For '
|
||||
'non-production environments, you may be interested '
|
||||
'in using `keystone-manage pki_setup` to generate '
|
||||
'self-signed certificates.'),
|
||||
cfg.StrOpt('keyfile',
|
||||
default=_KEYFILE,
|
||||
deprecated_for_removal=True,
|
||||
help='Path of the keyfile for token signing.'),
|
||||
cfg.StrOpt('ca_certs',
|
||||
deprecated_for_removal=True,
|
||||
default='/etc/keystone/ssl/certs/ca.pem',
|
||||
help='Path of the CA for token signing.'),
|
||||
cfg.StrOpt('ca_key',
|
||||
default='/etc/keystone/ssl/private/cakey.pem',
|
||||
deprecated_for_removal=True,
|
||||
help='Path of the CA key for token signing.'),
|
||||
cfg.IntOpt('key_size', default=2048, min=1024,
|
||||
deprecated_for_removal=True,
|
||||
help='Key size (in bits) for token signing cert '
|
||||
'(auto generated certificate).'),
|
||||
cfg.IntOpt('valid_days', default=3650,
|
||||
deprecated_for_removal=True,
|
||||
help='Days the token signing cert is valid for '
|
||||
'(auto generated certificate).'),
|
||||
cfg.StrOpt('cert_subject',
|
||||
deprecated_for_removal=True,
|
||||
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
|
||||
'CN=www.example.com'),
|
||||
help='Certificate subject (auto generated certificate) for '
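Review bot: The seven `[signing]` options gain `deprecated_for_removal=True` with no explanation attached, so an operator who sees the deprecation warning gets no hint of why the option is going away or what to move to. oslo.config options also accept a `deprecated_reason` string; if the version this tree pins supports it, add something like `deprecated_reason='PKI and PKIz token providers are deprecated'` next to each flag, or at least say so in the help text. Minor style point: `ca_certs` places the flag before `default=` while the other options place it after, and keeping one order makes the list easier to scan. The `FILE_OPTIONS` dict starts and ends outside this hunk.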
|
||||
|
|
|
@ -10,5 +10,4 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from keystone.contrib.simple_cert.core import * # noqa
|
||||
from keystone.contrib.simple_cert.routers import SimpleCertExtension # noqa
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
import webob
|
||||
|
||||
from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone import exception
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
@dependency.requires('token_provider_api')
|
||||
class SimpleCert(controller.V3Controller):
|
||||
|
||||
def _get_certificate(self, name):
|
||||
try:
|
||||
with open(name, 'r') as f:
|
||||
body = f.read()
|
||||
except IOError:
|
||||
raise exception.CertificateFilesUnavailable()
|
||||
|
||||
# NOTE(jamielennox): We construct the webob Response ourselves here so
|
||||
# that we don't pass through the JSON encoding process.
|
||||
headers = [('Content-Type', 'application/x-pem-file')]
|
||||
return webob.Response(body=body, headerlist=headers, status="200 OK")
|
||||
|
||||
def get_ca_certificate(self, context):
|
||||
return self._get_certificate(CONF.signing.ca_certs)
|
||||
|
||||
def list_certificates(self, context):
|
||||
return self._get_certificate(CONF.signing.certfile)
|
|
@ -1,31 +0,0 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from keystone.common import extension
|
||||
|
||||
EXTENSION_DATA = {
|
||||
'name': 'OpenStack Simple Certificate API',
|
||||
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
||||
'OS-SIMPLE-CERT/v1.0',
|
||||
'alias': 'OS-SIMPLE-CERT',
|
||||
'updated': '2014-01-20T12:00:0-00:00',
|
||||
'description': 'OpenStack simple certificate retrieval extension',
|
||||
'links': [
|
||||
{
|
||||
'rel': 'describedby',
|
||||
'type': 'text/html',
|
||||
'href': 'http://developer.openstack.org/'
|
||||
'api-ref-identity-v2-ext.html',
|
||||
}
|
||||
]}
|
||||
extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
||||
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
|
@ -10,32 +10,24 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import functools
|
||||
from oslo_log import log
|
||||
from oslo_log import versionutils
|
||||
|
||||
from keystone.common import json_home
|
||||
from keystone.common import wsgi
|
||||
from keystone.contrib.simple_cert import controllers
|
||||
from keystone.i18n import _
|
||||
|
||||
|
||||
build_resource_relation = functools.partial(
|
||||
json_home.build_v3_extension_resource_relation,
|
||||
extension_name='OS-SIMPLE-CERT', extension_version='1.0')
|
||||
LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
class SimpleCertExtension(wsgi.V3ExtensionRouter):
|
||||
class SimpleCertExtension(wsgi.Middleware):
|
||||
|
||||
PREFIX = 'OS-SIMPLE-CERT'
|
||||
|
||||
def add_routes(self, mapper):
|
||||
controller = controllers.SimpleCert()
|
||||
|
||||
self._add_resource(
|
||||
mapper, controller,
|
||||
path='/%s/ca' % self.PREFIX,
|
||||
get_action='get_ca_certificate',
|
||||
rel=build_resource_relation(resource_name='ca_certificate'))
|
||||
self._add_resource(
|
||||
mapper, controller,
|
||||
path='/%s/certificates' % self.PREFIX,
|
||||
get_action='list_certificates',
|
||||
rel=build_resource_relation(resource_name='certificates'))
|
||||
def __init__(self, application):
|
||||
super(SimpleCertExtension, self).__init__(application)
|
||||
msg = _("Remove simple_cert from the paste pipeline, the "
|
||||
"PKI and PKIz token providers are now deprecated and "
|
||||
"simple_cert was only used insupport of these token "
|
||||
"providers. Update the [pipeline:api_v3] section in "
|
||||
"keystone-paste.ini accordingly, as it will be removed in the "
|
||||
"O release.")
|
||||
versionutils.report_deprecated_feature(LOG, msg)
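Review bot: The deprecation message built in `__init__` contains a typo, `insupport`, and because the string is wrapped in `_()` the misspelling is what translators and operators will see; the line should read `"simple_cert was only used in support of these token "`. The closing clause "as it will be removed in the O release" is also ambiguous about whether "it" is the pipeline section or the simple_cert filter, so naming the filter explicitly would help. A one-line class docstring saying that this middleware now appears to be a pass-through, kept only so existing paste pipelines still load, would make the intent clear to the next reader.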
|
||||
|
|
|
@ -19,8 +19,6 @@ from keystone.tests.unit import test_v3
|
|||
|
||||
class BaseTestCase(test_v3.RestfulTestCase):
|
||||
|
||||
EXTENSION_TO_ADD = 'simple_cert_extension'
|
||||
|
||||
CA_PATH = '/v3/OS-SIMPLE-CERT/ca'
|
||||
CERT_PATH = '/v3/OS-SIMPLE-CERT/certificates'
|
||||
|
||||
|
|
|
@ -0,0 +1,91 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# TODO(morganfainberg): Remove this file and extension in the "O" release as
|
||||
# it is only used in support of the PKI/PKIz token providers.
|
||||
import functools
|
||||
|
||||
from oslo_config import cfg
|
||||
import webob
|
||||
|
||||
from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone.common import extension
|
||||
from keystone.common import json_home
|
||||
from keystone.common import wsgi
|
||||
from keystone import exception
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
EXTENSION_DATA = {
|
||||
'name': 'OpenStack Simple Certificate API',
|
||||
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
||||
'OS-SIMPLE-CERT/v1.0',
|
||||
'alias': 'OS-SIMPLE-CERT',
|
||||
'updated': '2014-01-20T12:00:0-00:00',
|
||||
'description': 'OpenStack simple certificate retrieval extension',
|
||||
'links': [
|
||||
{
|
||||
'rel': 'describedby',
|
||||
'type': 'text/html',
|
||||
'href': 'http://developer.openstack.org/'
|
||||
'api-ref-identity-v2-ext.html',
|
||||
}
|
||||
]}
|
||||
extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
||||
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
||||
|
||||
build_resource_relation = functools.partial(
|
||||
json_home.build_v3_extension_resource_relation,
|
||||
extension_name='OS-SIMPLE-CERT', extension_version='1.0')
|
||||
|
||||
|
||||
class Routers(wsgi.RoutersBase):
|
||||
|
||||
def _construct_url(self, suffix):
|
||||
return "/OS-SIMPLE-CERT/%s" % suffix
|
||||
|
||||
def append_v3_routers(self, mapper, routers):
|
||||
controller = SimpleCert()
|
||||
|
||||
self._add_resource(
|
||||
mapper, controller,
|
||||
path=self._construct_url('ca'),
|
||||
get_action='get_ca_certificate',
|
||||
rel=build_resource_relation(resource_name='ca_certificate'))
|
||||
self._add_resource(
|
||||
mapper, controller,
|
||||
path=self._construct_url('certificates'),
|
||||
get_action='list_certificates',
|
||||
rel=build_resource_relation(resource_name='certificates'))
|
||||
|
||||
|
||||
@dependency.requires('token_provider_api')
|
||||
class SimpleCert(controller.V3Controller):
|
||||
|
||||
def _get_certificate(self, name):
|
||||
try:
|
||||
with open(name, 'r') as f:
|
||||
body = f.read()
|
||||
except IOError:
|
||||
raise exception.CertificateFilesUnavailable()
|
||||
|
||||
# NOTE(jamielennox): We construct the webob Response ourselves here so
|
||||
# that we don't pass through the JSON encoding process.
|
||||
headers = [('Content-Type', 'application/x-pem-file')]
|
||||
return webob.Response(body=body, headerlist=headers, status="200 OK")
|
||||
|
||||
def get_ca_certificate(self, context):
|
||||
return self._get_certificate(CONF.signing.ca_certs)
|
||||
|
||||
def list_certificates(self, context):
|
||||
return self._get_certificate(CONF.signing.certfile)
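Review bot: `_get_certificate` returns the full contents of whatever file `[signing] certfile` or `[signing] ca_certs` names, and neither `get_ca_certificate` nor `list_certificates` carries a policy decorator in this file, so the response appears to be served without an authorization check. That is reasonable for public certificates, but a PEM bundle at either path that also holds a private key would be returned verbatim. I would add a docstring to `SimpleCert` saying these handlers publish the configured files as-is and that both paths must contain public certificate material only. Separately, `@dependency.requires('token_provider_api')` is not used by any method shown here, and the `'updated'` value `'2014-01-20T12:00:0-00:00'` is not a well-formed timestamp (it is carried over unchanged from the removed core module).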
|
|
@ -33,6 +33,7 @@ from keystone.oauth1 import routers as oauth1_routers
|
|||
from keystone.policy import routers as policy_routers
|
||||
from keystone.resource import routers as resource_routers
|
||||
from keystone.revoke import routers as revoke_routers
|
||||
from keystone.token import _simple_cert as simple_cert_ext
|
||||
from keystone.token import routers as token_routers
|
||||
from keystone.trust import routers as trust_routers
|
||||
from keystone.version import controllers
|
||||
|
@ -135,7 +136,10 @@ def v3_app_factory(global_conf, **local_conf):
|
|||
resource_routers,
|
||||
revoke_routers,
|
||||
federation_routers,
|
||||
oauth1_routers]
|
||||
oauth1_routers,
|
||||
# TODO(morganfainberg): Remove the simple_cert router
|
||||
# when PKI and PKIZ tokens are removed.
|
||||
simple_cert_ext]
|
||||
|
||||
if CONF.trust.enabled:
|
||||
all_api_routers.append(trust_routers)
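Review bot: `simple_cert_ext` is appended to `all_api_routers` unconditionally, so the `/OS-SIMPLE-CERT/ca` and `/OS-SIMPLE-CERT/certificates` routes are now registered on every v3 deployment, including ones that had left `simple_cert_extension` out of the paste pipeline or that do not use PKI/PKIz tokens. Previously an operator could opt out by editing the pipeline; after this change there is no switch. Consider the same conditional pattern the following lines use for trusts, e.g. `if <token provider is PKI or PKIZ>: all_api_routers.append(simple_cert_ext)` (placeholder condition, the exact option value is not visible here), or call out the behaviour change in the release notes. `v3_app_factory` begins and ends outside this hunk.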
|
||||
|
|