Merge "Deprecate simple_cert extension"
commit
c54662be78
|
@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3
|
||||||
[filter:s3_extension]
|
[filter:s3_extension]
|
||||||
use = egg:keystone#s3_extension
|
use = egg:keystone#s3_extension
|
||||||
|
|
||||||
[filter:simple_cert_extension]
|
|
||||||
use = egg:keystone#simple_cert_extension
|
|
||||||
|
|
||||||
[filter:url_normalize]
|
[filter:url_normalize]
|
||||||
use = egg:keystone#url_normalize
|
use = egg:keystone#url_normalize
|
||||||
|
|
||||||
|
@ -64,7 +61,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
|
||||||
[pipeline:api_v3]
|
[pipeline:api_v3]
|
||||||
# The last item in this pipeline must be service_v3 or an equivalent
|
# The last item in this pipeline must be service_v3 or an equivalent
|
||||||
# application. It cannot be a filter.
|
# application. It cannot be a filter.
|
||||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
|
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
|
||||||
|
|
||||||
[app:public_version_service]
|
[app:public_version_service]
|
||||||
use = egg:keystone#public_version_service
|
use = egg:keystone#public_version_service
|
||||||
|
|
|
@ -347,26 +347,33 @@ FILE_OPTIONS = {
|
||||||
'signing': [
|
'signing': [
|
||||||
cfg.StrOpt('certfile',
|
cfg.StrOpt('certfile',
|
||||||
default=_CERTFILE,
|
default=_CERTFILE,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help='Path of the certfile for token signing. For '
|
help='Path of the certfile for token signing. For '
|
||||||
'non-production environments, you may be interested '
|
'non-production environments, you may be interested '
|
||||||
'in using `keystone-manage pki_setup` to generate '
|
'in using `keystone-manage pki_setup` to generate '
|
||||||
'self-signed certificates.'),
|
'self-signed certificates.'),
|
||||||
cfg.StrOpt('keyfile',
|
cfg.StrOpt('keyfile',
|
||||||
default=_KEYFILE,
|
default=_KEYFILE,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help='Path of the keyfile for token signing.'),
|
help='Path of the keyfile for token signing.'),
|
||||||
cfg.StrOpt('ca_certs',
|
cfg.StrOpt('ca_certs',
|
||||||
|
deprecated_for_removal=True,
|
||||||
default='/etc/keystone/ssl/certs/ca.pem',
|
default='/etc/keystone/ssl/certs/ca.pem',
|
||||||
help='Path of the CA for token signing.'),
|
help='Path of the CA for token signing.'),
|
||||||
cfg.StrOpt('ca_key',
|
cfg.StrOpt('ca_key',
|
||||||
default='/etc/keystone/ssl/private/cakey.pem',
|
default='/etc/keystone/ssl/private/cakey.pem',
|
||||||
|
deprecated_for_removal=True,
|
||||||
help='Path of the CA key for token signing.'),
|
help='Path of the CA key for token signing.'),
|
||||||
cfg.IntOpt('key_size', default=2048, min=1024,
|
cfg.IntOpt('key_size', default=2048, min=1024,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help='Key size (in bits) for token signing cert '
|
help='Key size (in bits) for token signing cert '
|
||||||
'(auto generated certificate).'),
|
'(auto generated certificate).'),
|
||||||
cfg.IntOpt('valid_days', default=3650,
|
cfg.IntOpt('valid_days', default=3650,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help='Days the token signing cert is valid for '
|
help='Days the token signing cert is valid for '
|
||||||
'(auto generated certificate).'),
|
'(auto generated certificate).'),
|
||||||
cfg.StrOpt('cert_subject',
|
cfg.StrOpt('cert_subject',
|
||||||
|
deprecated_for_removal=True,
|
||||||
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
|
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
|
||||||
'CN=www.example.com'),
|
'CN=www.example.com'),
|
||||||
help='Certificate subject (auto generated certificate) for '
|
help='Certificate subject (auto generated certificate) for '
|
||||||
|
|
|
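Review bot: The `deprecated_for_removal=True` flags added to the `[signing]` options (certfile, keyfile, ca_certs, ca_key, key_size, valid_days, cert_subject) carry no `deprecated_reason`, so the warning oslo.config emits tells operators only that the option is going away, not that it exists solely for the deprecated PKI/PKIz token providers or which release removes it. Adding e.g. `deprecated_reason='The PKI and PKIz token providers are deprecated; this option is only used by them.'` (subject to the project's minimum oslo.config version accepting the keyword) would make the log line actionable. The `certfile` help text also still steers operators to `keystone-manage pki_setup` to generate certificates, which reads oddly on an option being retired; a short deprecation lead-in in that help string would avoid encouraging new deployments to set it up. The `FILE_OPTIONS` dict this hunk edits begins and ends outside the hunk.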
@ -10,5 +10,4 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from keystone.contrib.simple_cert.core import * # noqa
|
|
||||||
from keystone.contrib.simple_cert.routers import SimpleCertExtension # noqa
|
from keystone.contrib.simple_cert.routers import SimpleCertExtension # noqa
|
||||||
|
|
|
@ -1,42 +0,0 @@
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import webob
|
|
||||||
|
|
||||||
from keystone.common import controller
|
|
||||||
from keystone.common import dependency
|
|
||||||
from keystone import exception
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('token_provider_api')
|
|
||||||
class SimpleCert(controller.V3Controller):
|
|
||||||
|
|
||||||
def _get_certificate(self, name):
|
|
||||||
try:
|
|
||||||
with open(name, 'r') as f:
|
|
||||||
body = f.read()
|
|
||||||
except IOError:
|
|
||||||
raise exception.CertificateFilesUnavailable()
|
|
||||||
|
|
||||||
# NOTE(jamielennox): We construct the webob Response ourselves here so
|
|
||||||
# that we don't pass through the JSON encoding process.
|
|
||||||
headers = [('Content-Type', 'application/x-pem-file')]
|
|
||||||
return webob.Response(body=body, headerlist=headers, status="200 OK")
|
|
||||||
|
|
||||||
def get_ca_certificate(self, context):
|
|
||||||
return self._get_certificate(CONF.signing.ca_certs)
|
|
||||||
|
|
||||||
def list_certificates(self, context):
|
|
||||||
return self._get_certificate(CONF.signing.certfile)
|
|
|
@ -1,31 +0,0 @@
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
from keystone.common import extension
|
|
||||||
|
|
||||||
EXTENSION_DATA = {
|
|
||||||
'name': 'OpenStack Simple Certificate API',
|
|
||||||
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
|
||||||
'OS-SIMPLE-CERT/v1.0',
|
|
||||||
'alias': 'OS-SIMPLE-CERT',
|
|
||||||
'updated': '2014-01-20T12:00:0-00:00',
|
|
||||||
'description': 'OpenStack simple certificate retrieval extension',
|
|
||||||
'links': [
|
|
||||||
{
|
|
||||||
'rel': 'describedby',
|
|
||||||
'type': 'text/html',
|
|
||||||
'href': 'http://developer.openstack.org/'
|
|
||||||
'api-ref-identity-v2-ext.html',
|
|
||||||
}
|
|
||||||
]}
|
|
||||||
extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
|
||||||
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
|
|
@ -10,32 +10,24 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
import functools
|
from oslo_log import log
|
||||||
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.common import json_home
|
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
from keystone.contrib.simple_cert import controllers
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
build_resource_relation = functools.partial(
|
LOG = log.getLogger(__name__)
|
||||||
json_home.build_v3_extension_resource_relation,
|
|
||||||
extension_name='OS-SIMPLE-CERT', extension_version='1.0')
|
|
||||||
|
|
||||||
|
|
||||||
class SimpleCertExtension(wsgi.V3ExtensionRouter):
|
class SimpleCertExtension(wsgi.Middleware):
|
||||||
|
|
||||||
PREFIX = 'OS-SIMPLE-CERT'
|
def __init__(self, application):
|
||||||
|
super(SimpleCertExtension, self).__init__(application)
|
||||||
def add_routes(self, mapper):
|
msg = _("Remove simple_cert from the paste pipeline, the "
|
||||||
controller = controllers.SimpleCert()
|
"PKI and PKIz token providers are now deprecated and "
|
||||||
|
"simple_cert was only used insupport of these token "
|
||||||
self._add_resource(
|
"providers. Update the [pipeline:api_v3] section in "
|
||||||
mapper, controller,
|
"keystone-paste.ini accordingly, as it will be removed in the "
|
||||||
path='/%s/ca' % self.PREFIX,
|
"O release.")
|
||||||
get_action='get_ca_certificate',
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
rel=build_resource_relation(resource_name='ca_certificate'))
|
|
||||||
self._add_resource(
|
|
||||||
mapper, controller,
|
|
||||||
path='/%s/certificates' % self.PREFIX,
|
|
||||||
get_action='list_certificates',
|
|
||||||
rel=build_resource_relation(resource_name='certificates'))
|
|
||||||
|
|
|
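Review bot: The operator-facing deprecation message built in `SimpleCertExtension.__init__` has a typo: `"simple_cert was only used insupport of these token "` should read `"simple_cert was only used in support of these token "`, and since the string is wrapped in `_()` it is worth fixing before translators pick it up. The class also has no docstring explaining why a no-op middleware is kept at all; something like `"""Pass-through middleware retained so paste pipelines that still list simple_cert_extension keep loading; it only logs a deprecation warning."""` would save the next reader a trip to the commit history. Whether the paste entry point `egg:keystone#simple_cert_extension` still resolves to this class after the base-class change to `wsgi.Middleware` depends on setup.cfg, which is outside this diff.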
@ -19,8 +19,6 @@ from keystone.tests.unit import test_v3
|
||||||
|
|
||||||
class BaseTestCase(test_v3.RestfulTestCase):
|
class BaseTestCase(test_v3.RestfulTestCase):
|
||||||
|
|
||||||
EXTENSION_TO_ADD = 'simple_cert_extension'
|
|
||||||
|
|
||||||
CA_PATH = '/v3/OS-SIMPLE-CERT/ca'
|
CA_PATH = '/v3/OS-SIMPLE-CERT/ca'
|
||||||
CERT_PATH = '/v3/OS-SIMPLE-CERT/certificates'
|
CERT_PATH = '/v3/OS-SIMPLE-CERT/certificates'
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,91 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
# TODO(morganfainberg): Remove this file and extension in the "O" release as
|
||||||
|
# it is only used in support of the PKI/PKIz token providers.
|
||||||
|
import functools
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
import webob
|
||||||
|
|
||||||
|
from keystone.common import controller
|
||||||
|
from keystone.common import dependency
|
||||||
|
from keystone.common import extension
|
||||||
|
from keystone.common import json_home
|
||||||
|
from keystone.common import wsgi
|
||||||
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
|
CONF = cfg.CONF
|
||||||
|
EXTENSION_DATA = {
|
||||||
|
'name': 'OpenStack Simple Certificate API',
|
||||||
|
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
||||||
|
'OS-SIMPLE-CERT/v1.0',
|
||||||
|
'alias': 'OS-SIMPLE-CERT',
|
||||||
|
'updated': '2014-01-20T12:00:0-00:00',
|
||||||
|
'description': 'OpenStack simple certificate retrieval extension',
|
||||||
|
'links': [
|
||||||
|
{
|
||||||
|
'rel': 'describedby',
|
||||||
|
'type': 'text/html',
|
||||||
|
'href': 'http://developer.openstack.org/'
|
||||||
|
'api-ref-identity-v2-ext.html',
|
||||||
|
}
|
||||||
|
]}
|
||||||
|
extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
||||||
|
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
||||||
|
|
||||||
|
build_resource_relation = functools.partial(
|
||||||
|
json_home.build_v3_extension_resource_relation,
|
||||||
|
extension_name='OS-SIMPLE-CERT', extension_version='1.0')
|
||||||
|
|
||||||
|
|
||||||
|
class Routers(wsgi.RoutersBase):
|
||||||
|
|
||||||
|
def _construct_url(self, suffix):
|
||||||
|
return "/OS-SIMPLE-CERT/%s" % suffix
|
||||||
|
|
||||||
|
def append_v3_routers(self, mapper, routers):
|
||||||
|
controller = SimpleCert()
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, controller,
|
||||||
|
path=self._construct_url('ca'),
|
||||||
|
get_action='get_ca_certificate',
|
||||||
|
rel=build_resource_relation(resource_name='ca_certificate'))
|
||||||
|
self._add_resource(
|
||||||
|
mapper, controller,
|
||||||
|
path=self._construct_url('certificates'),
|
||||||
|
get_action='list_certificates',
|
||||||
|
rel=build_resource_relation(resource_name='certificates'))
|
||||||
|
|
||||||
|
|
||||||
|
@dependency.requires('token_provider_api')
|
||||||
|
class SimpleCert(controller.V3Controller):
|
||||||
|
|
||||||
|
def _get_certificate(self, name):
|
||||||
|
try:
|
||||||
|
with open(name, 'r') as f:
|
||||||
|
body = f.read()
|
||||||
|
except IOError:
|
||||||
|
raise exception.CertificateFilesUnavailable()
|
||||||
|
|
||||||
|
# NOTE(jamielennox): We construct the webob Response ourselves here so
|
||||||
|
# that we don't pass through the JSON encoding process.
|
||||||
|
headers = [('Content-Type', 'application/x-pem-file')]
|
||||||
|
return webob.Response(body=body, headerlist=headers, status="200 OK")
|
||||||
|
|
||||||
|
def get_ca_certificate(self, context):
|
||||||
|
return self._get_certificate(CONF.signing.ca_certs)
|
||||||
|
|
||||||
|
def list_certificates(self, context):
|
||||||
|
return self._get_certificate(CONF.signing.certfile)
|
|
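Review bot: `_get_certificate` serves the entire contents of whatever path `CONF.signing.certfile` or `CONF.signing.ca_certs` resolves to, with no check that the file is actually a certificate, and `get_ca_certificate`/`list_certificates` carry no `@controller.protected` decorator, so a misconfiguration that points either option at a private key would publish that key to any caller able to reach the endpoint (unless access is restricted somewhere not visible here). Since the code is being copied into a new module anyway, a cheap guard is to raise the existing `exception.CertificateFilesUnavailable()` when the body does not contain `-----BEGIN CERTIFICATE-----`. Separately, `open(name, 'r')` yields `str` on Python 3 while webob's `Response.body` expects bytes, so `open(name, 'rb')` is the safer form as keystone moves toward Python 3. The `'updated': '2014-01-20T12:00:0-00:00'` value carried over from the old `core.py` is not a valid ISO-8601 timestamp (single-digit seconds) and could be corrected while the file is being moved.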
@ -33,6 +33,7 @@ from keystone.oauth1 import routers as oauth1_routers
|
||||||
from keystone.policy import routers as policy_routers
|
from keystone.policy import routers as policy_routers
|
||||||
from keystone.resource import routers as resource_routers
|
from keystone.resource import routers as resource_routers
|
||||||
from keystone.revoke import routers as revoke_routers
|
from keystone.revoke import routers as revoke_routers
|
||||||
|
from keystone.token import _simple_cert as simple_cert_ext
|
||||||
from keystone.token import routers as token_routers
|
from keystone.token import routers as token_routers
|
||||||
from keystone.trust import routers as trust_routers
|
from keystone.trust import routers as trust_routers
|
||||||
from keystone.version import controllers
|
from keystone.version import controllers
|
||||||
|
@ -135,7 +136,10 @@ def v3_app_factory(global_conf, **local_conf):
|
||||||
resource_routers,
|
resource_routers,
|
||||||
revoke_routers,
|
revoke_routers,
|
||||||
federation_routers,
|
federation_routers,
|
||||||
oauth1_routers]
|
oauth1_routers,
|
||||||
|
# TODO(morganfainberg): Remove the simple_cert router
|
||||||
|
# when PKI and PKIZ tokens are removed.
|
||||||
|
simple_cert_ext]
|
||||||
|
|
||||||
if CONF.trust.enabled:
|
if CONF.trust.enabled:
|
||||||
all_api_routers.append(trust_routers)
|
all_api_routers.append(trust_routers)
|
||||||
|
|
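Review bot: `simple_cert_ext` is appended to `all_api_routers` unconditionally, whereas the neighbouring `trust_routers` entry is gated on `CONF.trust.enabled`; combined with the module-level `extension.register_*` calls in `_simple_cert.py`, this makes the `/v3/OS-SIMPLE-CERT/*` routes active in every deployment, including ones that never use the PKI/PKIz providers the TODO says they exist for. If a suitable condition is available (presumably the configured token provider), gating the append on it would keep the endpoint off where it serves no purpose; otherwise the TODO should state that the endpoint is now always present. Importing the module by its underscore name from another package (`from keystone.token import _simple_cert as simple_cert_ext`) also signals a private module; exposing it through `keystone.token.routers` or dropping the underscore would match the other `*_routers` imports in this block. `v3_app_factory` starts before this hunk.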