Merge "Deprecate simple_cert extension"

etc/keystone-paste.ini

@@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3
 [filter:s3_extension]
 use = egg:keystone#s3_extension
 
-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
 [filter:url_normalize]
 use = egg:keystone#url_normalize
 
@@ -64,7 +61,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service

keystone/common/config.py

@@ -347,26 +347,33 @@ FILE_OPTIONS = {
     'signing': [
         cfg.StrOpt('certfile',
                    default=_CERTFILE,
+                   deprecated_for_removal=True,
                    help='Path of the certfile for token signing. For '
                         'non-production environments, you may be interested '
                         'in using `keystone-manage pki_setup` to generate '
                         'self-signed certificates.'),
         cfg.StrOpt('keyfile',
                    default=_KEYFILE,
+                   deprecated_for_removal=True,
                    help='Path of the keyfile for token signing.'),
         cfg.StrOpt('ca_certs',
+                   deprecated_for_removal=True,
                    default='/etc/keystone/ssl/certs/ca.pem',
                    help='Path of the CA for token signing.'),
         cfg.StrOpt('ca_key',
                    default='/etc/keystone/ssl/private/cakey.pem',
+                   deprecated_for_removal=True,
                    help='Path of the CA key for token signing.'),
         cfg.IntOpt('key_size', default=2048, min=1024,
+                   deprecated_for_removal=True,
                    help='Key size (in bits) for token signing cert '
                         '(auto generated certificate).'),
         cfg.IntOpt('valid_days', default=3650,
+                   deprecated_for_removal=True,
                    help='Days the token signing cert is valid for '
                         '(auto generated certificate).'),
         cfg.StrOpt('cert_subject',
+                   deprecated_for_removal=True,
                    default=('/C=US/ST=Unset/L=Unset/O=Unset/'
                             'CN=www.example.com'),
                    help='Certificate subject (auto generated certificate) for '

keystone/contrib/simple_cert/__init__.py

@@ -10,5 +10,4 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from keystone.contrib.simple_cert.core import *  # noqa
 from keystone.contrib.simple_cert.routers import SimpleCertExtension  # noqa

keystone/contrib/simple_cert/controllers.py

@@ -1,42 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-import webob
-
-from keystone.common import controller
-from keystone.common import dependency
-from keystone import exception
-
-CONF = cfg.CONF
-
-
-@dependency.requires('token_provider_api')
-class SimpleCert(controller.V3Controller):
-
-    def _get_certificate(self, name):
-        try:
-            with open(name, 'r') as f:
-                body = f.read()
-        except IOError:
-            raise exception.CertificateFilesUnavailable()
-
-        # NOTE(jamielennox): We construct the webob Response ourselves here so
-        # that we don't pass through the JSON encoding process.
-        headers = [('Content-Type', 'application/x-pem-file')]
-        return webob.Response(body=body, headerlist=headers, status="200 OK")
-
-    def get_ca_certificate(self, context):
-        return self._get_certificate(CONF.signing.ca_certs)
-
-    def list_certificates(self, context):
-        return self._get_certificate(CONF.signing.certfile)

keystone/contrib/simple_cert/core.py

@@ -1,31 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.common import extension
-
-EXTENSION_DATA = {
-    'name': 'OpenStack Simple Certificate API',
-    'namespace': 'http://docs.openstack.org/identity/api/ext/'
-                 'OS-SIMPLE-CERT/v1.0',
-    'alias': 'OS-SIMPLE-CERT',
-    'updated': '2014-01-20T12:00:0-00:00',
-    'description': 'OpenStack simple certificate retrieval extension',
-    'links': [
-        {
-            'rel': 'describedby',
-            'type': 'text/html',
-            'href': 'http://developer.openstack.org/'
-                    'api-ref-identity-v2-ext.html',
-        }
-    ]}
-extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
-extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)

keystone/contrib/simple_cert/routers.py

@@ -10,32 +10,24 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import functools
+from oslo_log import log
+from oslo_log import versionutils
 
-from keystone.common import json_home
 from keystone.common import wsgi
-from keystone.contrib.simple_cert import controllers
+from keystone.i18n import _
 
 
-build_resource_relation = functools.partial(
-    json_home.build_v3_extension_resource_relation,
-    extension_name='OS-SIMPLE-CERT', extension_version='1.0')
+LOG = log.getLogger(__name__)
 
 
-class SimpleCertExtension(wsgi.V3ExtensionRouter):
+class SimpleCertExtension(wsgi.Middleware):
 
-    PREFIX = 'OS-SIMPLE-CERT'
-
-    def add_routes(self, mapper):
-        controller = controllers.SimpleCert()
-
-        self._add_resource(
-            mapper, controller,
-            path='/%s/ca' % self.PREFIX,
-            get_action='get_ca_certificate',
-            rel=build_resource_relation(resource_name='ca_certificate'))
-        self._add_resource(
-            mapper, controller,
-            path='/%s/certificates' % self.PREFIX,
-            get_action='list_certificates',
-            rel=build_resource_relation(resource_name='certificates'))
+    def __init__(self, application):
+        super(SimpleCertExtension, self).__init__(application)
+        msg = _("Remove simple_cert from the paste pipeline, the "
+                "PKI and PKIz token providers are now deprecated and "
+                "simple_cert was only used insupport of these token "
+                "providers. Update the [pipeline:api_v3] section in "
+                "keystone-paste.ini accordingly, as it will be removed in the "
+                "O release.")
+        versionutils.report_deprecated_feature(LOG, msg)

keystone/tests/unit/test_contrib_simple_cert.py

@@ -19,8 +19,6 @@ from keystone.tests.unit import test_v3
 
 class BaseTestCase(test_v3.RestfulTestCase):
 
-    EXTENSION_TO_ADD = 'simple_cert_extension'
-
     CA_PATH = '/v3/OS-SIMPLE-CERT/ca'
     CERT_PATH = '/v3/OS-SIMPLE-CERT/certificates'
 

keystone/token/_simple_cert.py

@@ -0,0 +1,91 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# TODO(morganfainberg): Remove this file and extension in the "O" release as
+# it is only used in support of the PKI/PKIz token providers.
+import functools
+
+from oslo_config import cfg
+import webob
+
+from keystone.common import controller
+from keystone.common import dependency
+from keystone.common import extension
+from keystone.common import json_home
+from keystone.common import wsgi
+from keystone import exception
+
+
+CONF = cfg.CONF
+EXTENSION_DATA = {
+    'name': 'OpenStack Simple Certificate API',
+    'namespace': 'http://docs.openstack.org/identity/api/ext/'
+                 'OS-SIMPLE-CERT/v1.0',
+    'alias': 'OS-SIMPLE-CERT',
+    'updated': '2014-01-20T12:00:0-00:00',
+    'description': 'OpenStack simple certificate retrieval extension',
+    'links': [
+        {
+            'rel': 'describedby',
+            'type': 'text/html',
+            'href': 'http://developer.openstack.org/'
+                    'api-ref-identity-v2-ext.html',
+        }
+    ]}
+extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
+extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
+
+build_resource_relation = functools.partial(
+    json_home.build_v3_extension_resource_relation,
+    extension_name='OS-SIMPLE-CERT', extension_version='1.0')
+
+
+class Routers(wsgi.RoutersBase):
+
+    def _construct_url(self, suffix):
+        return "/OS-SIMPLE-CERT/%s" % suffix
+
+    def append_v3_routers(self, mapper, routers):
+        controller = SimpleCert()
+
+        self._add_resource(
+            mapper, controller,
+            path=self._construct_url('ca'),
+            get_action='get_ca_certificate',
+            rel=build_resource_relation(resource_name='ca_certificate'))
+        self._add_resource(
+            mapper, controller,
+            path=self._construct_url('certificates'),
+            get_action='list_certificates',
+            rel=build_resource_relation(resource_name='certificates'))
+
+
+@dependency.requires('token_provider_api')
+class SimpleCert(controller.V3Controller):
+
+    def _get_certificate(self, name):
+        try:
+            with open(name, 'r') as f:
+                body = f.read()
+        except IOError:
+            raise exception.CertificateFilesUnavailable()
+
+        # NOTE(jamielennox): We construct the webob Response ourselves here so
+        # that we don't pass through the JSON encoding process.
+        headers = [('Content-Type', 'application/x-pem-file')]
+        return webob.Response(body=body, headerlist=headers, status="200 OK")
+
+    def get_ca_certificate(self, context):
+        return self._get_certificate(CONF.signing.ca_certs)
+
+    def list_certificates(self, context):
+        return self._get_certificate(CONF.signing.certfile)

keystone/version/service.py

@@ -33,6 +33,7 @@ from keystone.oauth1 import routers as oauth1_routers
 from keystone.policy import routers as policy_routers
 from keystone.resource import routers as resource_routers
 from keystone.revoke import routers as revoke_routers
+from keystone.token import _simple_cert as simple_cert_ext
 from keystone.token import routers as token_routers
 from keystone.trust import routers as trust_routers
 from keystone.version import controllers
@@ -135,7 +136,10 @@ def v3_app_factory(global_conf, **local_conf):
                        resource_routers,
                        revoke_routers,
                        federation_routers,
-                       oauth1_routers]
+                       oauth1_routers,
+                       # TODO(morganfainberg): Remove the simple_cert router
+                       # when PKI and PKIZ tokens are removed.
+                       simple_cert_ext]
 
     if CONF.trust.enabled:
         all_api_routers.append(trust_routers)