Fixes:
keystoneclient.middleware.auth_token: INFO: Starting keystone auth_token middleware
keystoneclient.middleware.auth_token: INFO: Using /opt/stack/keystone/examples/pki/certs as cache directory for signing certificate
keystoneclient.middleware.auth_token: DEBUG: Authenticating user token
keystoneclient.middleware.auth_token: DEBUG: Removing headers from request environment: X-Identity-Status,X-Tenant-Id,X-Tenant-Name,X-User-Id,X-User-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant,X-Role
keystoneclient.middleware.auth_token: DEBUG: Keystone did not return json-encoded body
keystoneclient.middleware.auth_token: DEBUG: Marking token invalid-token as unauthorized in memcache
keystoneclient.middleware.auth_token: DEBUG: Token validation failure.
Traceback (most recent call last):
  File "/opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py", line 574, in _validate_user_token
    data = self.verify_uuid_token(user_token, retry)
  File "/opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py", line 824, in verify_uuid_token
    self._cache_store_invalid(user_token)
  File "/opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py", line 794, in _cache_store_invalid
    self._cache_store(token, 'invalid')
  File "/opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py", line 771, in _cache_store
    timeout=self.token_cache_time)
TypeError: set() got an unexpected keyword argument 'timeout'
keystoneclient.middleware.auth_token: DEBUG: Marking token invalid-token as unauthorized in memcache
This can be reproduced on devstack.
Fixes bug 1102520
Change-Id: Ib9e110d60df40e30d74c3059bd25e459a95f9850
updated diablo token based on output from diablo/stable keystone
added expiry to example tokens for test_auth_middleware
added a stack based HTTP response to test_auth_middleware to verify
sequencing
Change-Id: I738b0e9c1a0e62ad86adb95ec0b73f621513f7d4
- Two tests shared the same name, so the first one was not executed
- Module-level variable name out of date
Change-Id: I206aa9589cb95a2fb40b9f0cf5e2bc1323b837ee
- HACKING: "When defining global constants, define them before functions
and classes"
- Statically initializing other module variables to None
Change-Id: I8d01e179262a8b16dbe49edef8e23260970c84a0
Make the revocation list into a JSON document and get the Vary header.
This will also allow the revocation list to carry additional
information in the future, to include sufficient information for the
calling application to figure out how to get the certificates it
requires.
Bug 1038309
Change-Id: I4a41cbd8a7352e5b5f951027d6f2063b169bce89
Co-authored-by: Adam Young <ayoung@redhat.com>
Token revocations are captured in the backends.
During upgrade, all previous tickets are defaulted to valid.
Revocation list returned as a signed document and can be fetched in an admin context via HTTP.
Change config values for enable disable PKI
In the auth_token middleware, the revocation list is fetched prior
to validating tokens. Any tokens that are on the revocation list
will be treated as invalid.
Added in PKI token tests that check the same logic as the UUID tests.
Sample data for the tests is read out of the signing directory.
dropped number on sql scripts to pass tests.
Also fixes 1031373
Bug 1037683
Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23
Updates the auth_token middleware to explicitly prevent
X-Service-Catalog headers from being injected into responses.
In general Keystone would override these with its own service
catalog... however since X-Service-Catalog is optional and
not all implementations/calls return it, it is good to be safe and
just remove incoming X-Service-Catalog headers if they are set.
Fixes LP Bug #1023998.
Change-Id: I9497937abd1b434b42b40bc943a508dd7f1a3585
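
The header stripping described in this commit, as an added example that is not keystoneclient's own code: a WSGI filter that drops every client-supplied identity header before token validation, so an optional header such as X-Service-Catalog cannot survive when validation does not set it. The header names are the ones in the debug log on this page; the class name, the `validate` callable, the pass-through on an invalid token and the sample request are assumptions made for the illustration.

```python
# Added illustration; not the keystoneclient implementation.
IDENTITY_HEADERS = (
    "X-Identity-Status", "X-Tenant-Id", "X-Tenant-Name", "X-User-Id",
    "X-User-Name", "X-Roles", "X-Service-Catalog", "X-User", "X-Tenant",
    "X-Role",
)

def environ_key(header):
    """WSGI exposes the request header 'X-Foo-Bar' as 'HTTP_X_FOO_BAR'."""
    return "HTTP_" + header.upper().replace("-", "_")

class StripIdentityHeaders:
    """Remove client-supplied identity headers, then set trusted ones."""

    def __init__(self, app, validate):
        self.app = app
        self.validate = validate  # hypothetical: token -> header dict or None

    def __call__(self, environ, start_response):
        # Strip first and unconditionally: relying on later overwrites
        # fails for any header that validation does not always set.
        for header in IDENTITY_HEADERS:
            environ.pop(environ_key(header), None)
        trusted = self.validate(environ.get("HTTP_X_AUTH_TOKEN"))
        status = "Invalid" if trusted is None else "Confirmed"
        environ[environ_key("X-Identity-Status")] = status
        for header, value in (trusted or {}).items():
            environ[environ_key(header)] = value
        return self.app(environ, start_response)

def demo(token="good-token"):
    """Send a constructed request with spoofed headers through the filter."""
    seen = {}

    def app(environ, start_response):  # downstream service: record what arrives
        seen.update(environ)
        start_response("200 OK", [])
        return [b""]

    def validate(tok):  # stand-in for the real check; returns no catalog
        if tok == "good-token":
            return {"X-User-Name": "alice", "X-Roles": "member"}
        return None

    request = {  # constructed sample input
        "HTTP_X_AUTH_TOKEN": token,
        "HTTP_X_ROLES": "admin",                        # spoofed by the client
        "HTTP_X_SERVICE_CATALOG": '[{"type": "spoofed"}]',  # spoofed
    }
    StripIdentityHeaders(app, validate)(request, lambda status, headers: None)
    return seen
```
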
Allows the prepending of a prefix to the URI used for admin tasks. This allows URIs like
https://hostname/keystone/main/v2.0
PEP8 fix
Added to unit test to ensure auth_prefix is checked
Bug: 994860
Change-Id: I851e059e8b17c1bc02ab93d8b09a3fb47b9d3fee
* keystone/middleware/auth_token.py: Catch the
correct exception so that the memcache and iso8601
modules can be optional as intended.
* tests/test_auth_token_middleware.py: Test
the ImportError path
* keystone/test.py: Add a new mixin class to
support disabling importing of a module.
Bug: 1003715
Change-Id: I87cc2f3bc79b17a52ea672bac7e0ebcf9e1fce57
Token validation responses contain user information. The API docs
seem to indicate token["user"]["name"] contains the username but
currently the auth_token.py middleware checks for
token["user"]["username"]. This updates that check and the tests.
Fixes bug 955563
Change-Id: Ib2fbf6fcea87f7066394cf14c18158f1e5eeaf06
- Store the unix time from iso8601.parse_date to compare against
time.time.
- On a WSGI environment the imports don't get passed to the methods from
__init__; use a self. variable.
- Fixes bug 951603.
- Add unit tests.
- Add iso8601 to test-requires.
Change-Id: Ia8af8b203d1310d5ae6868c3a14dfdf68d6e5331