The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I8a0588259d7b3fc8bd10504ffba7129b840e2a0d
A response with header Content-Type set to "application/json; charset=UTF-8"
would be omitted but not correctly logged. This patch set correctly omits
and logs a response with the mentioned header.
Co-Authored-By: Tin Lam <tinlam@gmail.com>
Change-Id: I21a185db4ca55ff16dba60f85bb229ffdacc2afa
Closes-Bug: #1656981
This patch adds tests for https://review.openstack.org/#/c/420970/,
with this, we can be more confident that regressions won't easily
happen again in the future.
Change-Id: I40ebc795266b8fe4a191c543f6fadeefac661d2a
Related-Bug: 1656946
During SAML ECP authentication 2 specially formatted HTTP headers
*MUST* be included in the request in order for the SP (Service
Provider) to recognize the client is ECP capable and to start the SAML
ECP flow. One is the PAOS header and the other is the Accept header
which must include the "application/vnd.paos+xml" media type. Media
types in the Accept header are separated by a comma (,). Unfortunately
keystoneauth uses a semicolon (;) as the media type separator. The
HTTP spec reserves the semicolon in the Accept header to attach
parameters to the media type. For example
Accept: type1;params1,type2;params2
Using a semicolon as a media type separator is syntactically invalid
and can cause failures in servers that parse the Accept header. For
example mod_auth_mellon emits this error message and fails to process
the ECP request:
request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False
This indicates only 1 of the 2 required conditions was met.
Change-Id: I6469990a57762fc47b297d7b5b2b4cb4872df4ba
Signed-off-by: John Dennis <jdennis@redhat.com>
Closes-Bug: 1656946
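The separator bug described in the commit above, as an added example (not keystoneauth or mod_auth_mellon code): a small Accept-header parser following the RFC 7231 grammar, where commas separate media ranges and a semicolon attaches parameters to the preceding range. With a semicolon as separator the PAOS media type is parsed as a parameter of text/html rather than as a media range of its own, which is exactly why the service provider reports have_paos_media_type=False. The PAOS header value is the one defined by the SAML 2.0 ECP profile; the helper names are this example's own.

```python
"""Build and check the Accept header for SAML ECP (added example)."""

PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
# PAOS header value defined by the SAML 2.0 ECP profile.
PAOS_HEADER = ('ver="urn:liberty:paos:2003-08";'
               '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"')


def parse_accept(header_value):
    """Return [(media_type, {param: value}), ...] from an Accept header.

    Media ranges are separated by ',' and a ';' introduces parameters of
    the media range that precedes it (RFC 7231 section 5.3.2).
    """
    ranges = []
    for member in header_value.split(","):
        member = member.strip()
        if not member:
            continue
        parts = [p.strip() for p in member.split(";")]
        media_type = parts[0].lower()
        params = {}
        for param in parts[1:]:
            if "=" in param:
                key, value = param.split("=", 1)
                params[key.strip().lower()] = value.strip()
            else:
                # A bare token after ';' is a (malformed) parameter with no
                # value; it is kept so the caller can see what happened.
                params[param.lower()] = None
        ranges.append((media_type, params))
    return ranges


def has_paos_media_type(header_value):
    """True only if the PAOS type appears as its own media range."""
    return any(mt == PAOS_MEDIA_TYPE for mt, _ in parse_accept(header_value))


def build_ecp_accept(existing_accept="text/html"):
    """Append the PAOS media type using ',' as the separator.

    Existing media ranges (including their parameters) are preserved.
    """
    members = [m.strip() for m in existing_accept.split(",") if m.strip()]
    if not has_paos_media_type(existing_accept):
        members.append(PAOS_MEDIA_TYPE)
    return ", ".join(members)


def ecp_headers(existing_accept="text/html"):
    """The two headers an ECP-capable client must send to the SP."""
    return {"Accept": build_ecp_accept(existing_accept), "PAOS": PAOS_HEADER}
```

Running has_paos_media_type over "text/html;application/vnd.paos+xml" returns False, matching the server-side diagnosis quoted in the commit, while the comma-separated form built by build_ecp_accept passes.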
Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use, but it is dangerous [1],
because the Python object yaml.load returns may be dangerous if you
receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to
simple Python objects like integers or lists.
In addition, Bandit flags yaml.load() as a security risk, so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load().
[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: Ia45006ce1382022e5c776d06fdc3c33e9b4d8c47
Closes-Bug: #1634265
A commonly requested document is what auth plugins are available and
what parameters they accept. Create an extension that can iterate
through the stevedore namespace and render all its available options.
Change-Id: Id0d0983c9803ce4e0ce201310a1603bc0ff30ca0
When whitelisting content types to debug print from session we chose
application/json and application/text. application/text is not a real
MIME type; text is typically text/plain.
Rather than guess at mime types only print application/json to start
with, but make it easy for additional types to be added later.
Change-Id: Ica5fee076cdab8b1d5167161d28af7313fad9477
Related-Bug: 1616105
Currently, logs display the hash values of X-Auth-Token,
Authorization, and X-Subject-Token, but not the value of
the X-Service-Token. This patch set adds the X-Service-Token
to the list of header fields to be hashed for logging purposes.
Change-Id: I4d996a2631f61a2c9bbbc7f959e97c7279be023d
Closes-Bug: #1654847
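The header hashing this commit extends, as an added example (not keystoneauth's implementation): sensitive token headers are replaced by a digest before the request is rendered into a debug log line, so that two log lines carrying the same token can still be correlated without the token itself ever being written. The header list follows the commit; the SHA-256 digest, the "{SHA256}" prefix and the helper names are choices made for this example.

```python
"""Hash token-bearing headers before logging them (added example)."""
import hashlib

# Headers whose values are credentials; their raw values must never be logged.
SENSITIVE_HEADERS = frozenset(name.lower() for name in (
    "X-Auth-Token", "Authorization", "X-Subject-Token", "X-Service-Token"))


def hash_header_value(value):
    """Return a prefixed hex digest so readers know the value is a hash."""
    return "{SHA256}" + hashlib.sha256(value.encode("utf-8")).hexdigest()


def redact_headers(headers):
    """Copy headers, hashing sensitive ones (header names are case-insensitive)."""
    return {
        name: (hash_header_value(value) if name.lower() in SENSITIVE_HEADERS
               else value)
        for name, value in headers.items()
    }


def format_curl(method, url, headers):
    """Render a curl-style debug line with credentials already hashed."""
    parts = ["curl -g -i -X %s %s" % (method, url)]
    for name, value in sorted(redact_headers(headers).items()):
        parts.append('-H "%s: %s"' % (name, value))
    return " ".join(parts)
```

Because the same token always hashes to the same digest, a user token that is also reused as a service token shows up as two identical digests, which is the correlation the log is meant to preserve; what it never preserves is the token.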
In Python 3 __ne__ by default delegates to __eq__ and inverts the
result, but in Python 2 they urge you to define __ne__ when you define
__eq__ for it to work properly [1]. There are no implied relationships
among the comparison operators. The truth of x==y does not imply that
x!=y is false. Accordingly, when defining __eq__(), one should also
define __ne__() so that the operators will behave as expected.
[1]https://docs.python.org/2/reference/datamodel.html#object.__ne__
Change-Id: I6ad4b07911f6c8236dfcd048aceebd44cd760fe2
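The pattern the commit describes, as an added example (not code from keystoneauth): a value class that defines __eq__ and a matching __ne__, so that != is consistent with == on Python 2 as well as Python 3. The __ne__ implementation passes a NotImplemented result through unchanged, so comparing against an unrelated type still falls back to Python's default rather than returning a misleading True. The Endpoint class and its fields are invented for this example.

```python
"""__eq__ together with a consistent __ne__ (added example)."""


class Endpoint(object):
    """A small value type compared by (url, interface)."""

    def __init__(self, url, interface="public"):
        self.url = url
        self.interface = interface

    def __eq__(self, other):
        if not isinstance(other, Endpoint):
            # Let Python try the reflected comparison or fall back to identity.
            return NotImplemented
        return (self.url, self.interface) == (other.url, other.interface)

    def __ne__(self, other):
        # Python 2 does not derive __ne__ from __eq__, so define it explicitly
        # and keep the NotImplemented signal intact instead of negating it.
        result = self.__eq__(other)
        if result is NotImplemented:
            return result
        return not result

    def __hash__(self):
        # Objects that compare equal must hash equal.
        return hash((self.url, self.interface))

    def __repr__(self):
        return "Endpoint(%r, %r)" % (self.url, self.interface)
```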
Added support to log 'X-Openstack-Request-Id' or
'X-Compute-Request-Id' in case of Nova for each api call.
If any python-*client which is using session is used from
command line then following log will be logged on console
if --debug flag is used.
DEBUG (session:350) GET call to compute for
http://10.232.48.201:8774/v2.1/servers/detail used
request id req-c54b8f3e-a7e4-4085-a5e3-fd5244ef3ce5
If any python-*client which is using session is used in
applications (e.g. Nova) then following log message will be
logged in service logs.
DEBUG keystoneauth.session
[req-a6929d46-765c-44a9-8370-49ff0f1958ca admin admin] GET call
to network for
http://10.232.48.201:9696/v2.0/security-groups.json?id=040cc729-9086-4f41-8977-acb4ef71c7de used request id req-de6bfe07-22ac-4940-b65e-367cb0e8102d
DocImpact:
To use this feature user need to set 'default_log_levels' in third
party application. For example in nova.conf 'default_log_levels'
should be set as below:
default_log_levels = keystoneauth1=DEBUG
Closes-Bug: #1605488
Change-Id: If0c5a4eb7d51c601ba38149f846ebcd6116d18be
Response bodies are loaded into memory prior to
being logged.
Loading huge response bodies may result in a
MemoryError.
This patch proposes that only JSON and TEXT
responses be logged, i.e when the Content-Type
header is application/json or application/text.
Responses that do not include or have a different
Content-Type header will have their body omitted.
Closes-bug: 1616105
Change-Id: I93b6fff73368c4f58bdebf8566c4948b50980cee
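The content-type whitelist introduced here, later narrowed to application/json and then fixed to recognise "application/json; charset=UTF-8", as one added example covering all three commits (not keystoneauth code): the media type is taken from Content-Type with its parameters stripped before it is compared against the whitelist, so a charset parameter no longer causes a JSON body to be omitted, and omitted bodies are replaced by a line saying why. LOGGABLE_MEDIA_TYPES, body_for_log and the sample headers are this example's own.

```python
"""Decide whether a response body may be logged, by Content-Type (added example)."""

# Only these media types are echoed into the debug log; anything else is
# omitted so that huge or binary bodies are never loaded just for logging.
LOGGABLE_MEDIA_TYPES = frozenset({"application/json"})


def media_type(content_type):
    """Return the lowercase media type without parameters, or None.

    'application/json; charset=UTF-8' -> 'application/json'
    """
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def header_lookup(headers, wanted):
    """Case-insensitive lookup in a plain dict of headers."""
    wanted = wanted.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


def body_for_log(headers, body):
    """Return the text to write to the debug log for this response body."""
    mt = media_type(header_lookup(headers, "Content-Type"))
    if mt in LOGGABLE_MEDIA_TYPES:
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        return body
    if mt is None:
        return "Omitted, no Content-Type header"
    return "Omitted, Content-Type is set to %s" % mt
```

Adding a further type later is a one-line change to LOGGABLE_MEDIA_TYPES; the comparison is on the bare media type, so parameters such as charset never need to be enumerated.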
The following file added a utf-8 encoding declaration that is never
used, so we can remove it.
keystoneauth1/tests/unit/extras/kerberos/base.py
Change-Id: I82ee422cd40dd0b7e584b566fb073fc1583396c7
1. As mentioned in [1], we should avoid using six.iteritems to
achieve iterators. We can use dict.items instead, as it will return
iterators in PY3 as well. And dict.items/keys will be more readable.
2. In py2, the performance difference for lists should be negligible,
see the link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: I9f8f2c35f0d45d866076507a3a167aaafb8382e5
Auth token middleware does a bit of a hack where it passes an Adapter in
as a session to the client. This is useful there because we need to know
much more about the authentication information than we do in most
clients.
We should look at fixing this in auth_token middleware, however for now
we shouldn't issue a deprecation warning when a user passes an Adapter
as a session object because this has always been designed to work - just
not something we recommend.
Change-Id: If7ebe59d5908275e607f32244027c8e6f3d1e157
Closes-Bug: #1647230
Currently, the plugins supported in the generic plugins all have a
reauthenticate option, however, this is not passed anywhere in the
generic plugin interface. This adds it to the base class in order to
support this, and provide a more interchangeable interface between
the version-specific plugins and the generic one.
Change-Id: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4
Closes-Bug: #1643782
Following OpenStack Style Guidelines[1]:
[H203] Unit test assertions tend to give better messages for more
specific assertions. As a result, assertIsNotNone(...) is preferred
over assertNotEqual(None, ...) and assertIsNot(None, ...)
[1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises
Change-Id: Iadb27153109b2c4b92df43fc97a5e50eed86f58c
The IDNA library has gotten more strict. The use of `_` in the TLD is
not valid. This change modifies the betamax test-case to use
`keystoneauth-betamax.test` instead of `keystoneauth.betamax_test`
correcting the invalid character in the TLD.
Change-Id: I01c5e6c0145158515d837b216fd066a5a558f498
To better the user experience, mark a few of the open id connect
options as required; users should get back more meaningful
error messages.
As part of the change, there was also a discrepancy between what
the loader used for the authorization code, and what the plugin
was using. Deprecate the old loader option (authorization-code)
in favor of the one used by the plugin (code).
Change-Id: I18318ef44f99e4f973176dd99b61770b1151f7a0
Partial-Bug: 1593192
You can pass client_name and client_version to Adapter.__init__ but for
most clients this means overriding Adapter.__init__ and setdefault()-ing
the client_name and version.
As most clients already override the Adapter object it'd be easier if
they could just set these values on the class as they are not going to
change between instances.
Change-Id: I301a7f77c8cf423bc1d45e3dcbb2325f6853b9a9
There are still a lot of places where keystoneclient sessions are being
used and we've made a fair effort to maintain compatibility with these
sessions.
Unfortunately passing client_name and client_version for user_agent
generation is something only present in keystoneauth and passing it to a
keystoneclient session results in failure.
Whilst it would be good to just tell people to fix their code in reality
we'll probably be dealing with this for a while so just check to ensure
it really is a keystoneauth session we are passing parameters to and
warn otherwise.
Change-Id: I4d51ee08cfa9094443aca7128fe5323a95974a4d
The testtools.test module is the unit testing module for testtools and
is an internal module with additional requirements. We should not be
relying on this module.
Copy the tests that were exposed from testtools into here.
Change-Id: I1e09228cff7a0c8136447f07df6864045a6fb849
Now if the body contains json, its content type is forcibly
changed to application/json, which is not correct in
some cases, like a json-patch request.
This code fixes this situation and sets the application/json
content type only if this header hasn't been set before.
Change-Id: I4e0c44d444519f056dfa48c9603dbc3ca6b01822
Closes-bug: #1634110
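The fix described above, as an added example (not keystoneauth's code): a request is only given a default Content-Type of application/json when the caller has not set one, and the check is case-insensitive so a caller's "content-type" is neither overwritten nor duplicated. A JSON Patch request, which carries a JSON body under application/json-patch+json, keeps its media type. prepare_json_request and the sample bodies are this example's own.

```python
"""Serialise a JSON body without clobbering an explicit Content-Type (added example)."""
import json


def has_header(headers, name):
    """Case-insensitive presence check on a plain dict of headers."""
    name = name.lower()
    return any(existing.lower() == name for existing in headers)


def prepare_json_request(headers, json_body=None):
    """Return (headers, data) ready to send.

    If json_body is given it is serialised, and Content-Type defaults to
    application/json only when the caller did not already set it.
    """
    headers = dict(headers or {})
    if json_body is None:
        return headers, None
    data = json.dumps(json_body)
    if not has_header(headers, "Content-Type"):
        headers["Content-Type"] = "application/json"
    return headers, data
```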
urllib/requests ConnectionError is a translation of
SocketError. However, when we translate this *yet again* we drop the
message from Requests. That message contains the actual SocketError
details, which are often critical for debugging an issue.
This keeps those details in the error message as we carry this up.
Change-Id: I6b753fddaebdcbcfe62680585a5b6febf62647b3
There are cases from a service where you have to wrap and pass a User
and Service token together to make things work. Add a wrapper that adds
both the user and service token to requests.
This will be something we will handle differently in auth_token
middleware but should still provide for other implementations.
Change-Id: I284f799d1f9e8d33ff032376af02b64cd6bbf510
Allow specifying a service name and version to the session and a client
name and version to the adapter. The way this will work is that
libraries such as keystoneclient will pass client_name and
client_version when creating their adapter. Then when nova or another
service creates a session it will provide the service name and version.
The combination of these will be used to provide a meaningful user
agent.
Change-Id: Ibe516d9b248513579d5e8ca94015c4ae9c00f3f9
Closes-Bug: #1614846
When caching was implemented it was added to the v2 and v3 plugins but
for some reason the generic plugins were missed.
To do generic plugin caching we'll skip even trying to figure out the
inner plugin for now and just load the authentication for the generic.
Closes-Bug: #1616261
Change-Id: Icbb8acde0dca084f4a221f8ebff5503d5bdc219a
fixtures added the mockpatch fixtures from oslotest, so switch
to those in anticipation of deprecating them in oslotest.
Change-Id: Ied8b9013a4c45f353b0fdf3a84e03a9b1fe048a7
The auth plugin was not loading when called from the CLI due to the
mismatch of variable argument parameter calling convention. This was
due in part to not specifying the parameters properly in the plugin, and
also due to extending from the wrong base class.
Closes-Bug: #1622079
Change-Id: I37a8320b61e7468c173f81348b0a7dd0ee1ad966
Currently the v3fedkerb plugin loads the incorrect parameters. This was
never tested. This patch introduces a test and a future patch will fix
the code and modify the test.
Change-Id: Ia7fb7f1d7db0510df42798b9d668d58070234aff
After patch Ia08538ccf00c9063dc0d284c5ece9a969c15500a the urljoin would
ensure that a URL was always returned from the get_endpoint method even
when the version was not available. This breaks plugin discovery and a
number of other areas.
Change-Id: I04014b6e770c2e9708c5f9c81c3160d51603ad0c
Closes-Bug: #1616720
The Windows Subsystem for Linux is not a complete implementation
of the Linux APIs, and setting TCP_KEEPCNT is currently
unimplemented. Attempting to use this option will cause HTTP
connections to fail. This change checks if we are running under
WSL, and disables changing TCP_KEEPCNT parameters if so.
Change-Id: Ic8b41dea2a75660d9adbce88a00a0fe703a4d120
Closes-Bug: #1614688
When using a reverse proxy or TLS terminator it can be really hard to
correctly specify a URL in version discovery that is correct for all
situations.
Make it so that a relative URL in a discovery document is joined to the
queried URL to always return a fully qualified URL to the identity
plugins.
Change-Id: Ia08538ccf00c9063dc0d284c5ece9a969c15500a
Closes-Bug: #1614304
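The discovery URL handling from this commit and the regression fixed in the commit before it, as one added example (not keystoneauth code): a relative href in a version discovery document is joined to the URL that was actually queried, so the result is what a client behind a reverse proxy or TLS terminator can reach, while an absolute href is left as the server gave it, and a version with no href at all yields None rather than a fabricated URL, which is the distinction the earlier fix restored. The discovery document shape used (versions, links with rel "self") follows the Identity API; version_urls, absolute_version_url and the sample hosts are constructed for this example.

```python
"""Resolve version discovery hrefs against the queried URL (added example)."""
from urllib.parse import urljoin, urlsplit


def absolute_version_url(queried_url, href):
    """Return an absolute URL for a discovery href, or None if there is none.

    None means 'this version exposes no endpoint here'; callers must not
    turn that into a guessed URL, or plugin discovery breaks.
    """
    if not href:
        return None
    if urlsplit(href).scheme:
        # Already absolute: keep exactly what the server advertised.
        return href
    # Relative: interpret it against the URL we actually queried, which is
    # the one that works through the proxy or TLS terminator in front of us.
    return urljoin(queried_url, href)


def version_urls(queried_url, discovery_doc):
    """Map version id -> absolute URL (or None) from a discovery document."""
    result = {}
    for version in discovery_doc.get("versions", []):
        href = None
        for link in version.get("links", []):
            if link.get("rel") == "self":
                href = link.get("href")
                break
        result[version["id"]] = absolute_version_url(queried_url, href)
    return result
```

Two edge cases worth knowing when reading the results: a relative href beginning with "/" is resolved against the host root, not the queried path, and a queried URL without a trailing slash has its last path segment replaced by the join, so the URL handed to discovery should end in a slash if its last segment is a directory.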