Eric Brown 049e2e6b9b Use https for * references
The pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I8a0588259d7b3fc8bd10504ffba7129b840e2a0d
6 years ago
Jenkins 9365dbeb6d Merge "Correctly Omit Response Body in Debug Mode" 6 years ago
Jenkins 8a7bd461f4 Merge "Log request-id for each api call" 6 years ago
Samuel Pilla ed6ae95fa2 Correctly Omit Response Body in Debug Mode
A response with header Content-Type set to "application/json; charset=UTF-8"
would be omitted but not correctly logged. This patch set correctly omits
and logs a response with the mentioned header.

Co-Authored-By: Tin Lam <>
Change-Id: I21a185db4ca55ff16dba60f85bb229ffdacc2afa
Closes-Bug: #1656981
6 years ago
Rodrigo Duarte Sousa 01e0122a14 Add test for header in Saml2 plugin
This patch adds tests for,
with this, we can be more confident that regressions won't easily
happen again in the future.

Change-Id: I40ebc795266b8fe4a191c543f6fadeefac661d2a
Related-Bug: 1656946
6 years ago
John Dennis b1301e606d Use comma as separator in ECP Accept HTTP header
During SAML ECP authentication 2 specially formatted HTTP headers
*MUST* be included in the request in order for the SP (Service
Provider) to recognize the client is ECP capable and to start the SAML
ECP flow. One is the PAOS header and the other is the Accept header
which must include the "application/vnd.paos+xml" media type. Media
types in the Accept header are separated by a comma (,). Unfortunately
keystoneauth uses a semicolon (;) as the media type separator. The
HTTP spec reserves the semicolon in the Accept header to attach
parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid
and can cause failures in servers that parse the Accept header. For
example mod_auth_mellon emits this error message and fails to process
the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions were met.

Change-Id: I6469990a57762fc47b297d7b5b2b4cb4872df4ba
Signed-off-by: John Dennis <>
Closes-Bug: 1656946
6 years ago
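
The separator problem described in the commit message above, as an added example (not keystoneauth or mod_auth_mellon code): a simplified Accept parser and a two-condition ECP check, run over two constructed requests that differ only in the separator. The names parse_accept and ecp_checks and the text/html media type are assumptions made for illustration; the PAOS check is reduced to a version-token match.

```python
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
PAOS_VERSION = 'ver="urn:liberty:paos:2003-08"'  # version token of the PAOS header


def parse_accept(value):
    """Split an Accept header into (media_type, params) pairs.

    Commas separate media types; semicolons attach parameters to the media
    type before them. Simplified: quoted parameter values that themselves
    contain "," or ";" are not handled.
    """
    result = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        params = {}
        for param in parts[1:]:
            name, _, val = param.partition("=")
            params[name.strip().lower()] = val.strip().strip('"')
        result.append((parts[0].lower(), params))
    return result


def ecp_checks(headers):
    """Evaluate the two conditions an SP needs before starting the ECP flow."""
    types = [mt for mt, _ in parse_accept(headers.get("Accept", ""))]
    have_paos_media_type = PAOS_MEDIA_TYPE in types
    valid_paos_header = PAOS_VERSION in headers.get("PAOS", "")
    return {
        "have_paos_media_type": have_paos_media_type,
        "valid_paos_header": valid_paos_header,
        "is_paos": have_paos_media_type and valid_paos_header,
    }


# Constructed requests: identical except for the Accept separator.
PAOS = PAOS_VERSION + ';"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'
BROKEN = {"Accept": "text/html; application/vnd.paos+xml", "PAOS": PAOS}
FIXED = {"Accept": "text/html, application/vnd.paos+xml", "PAOS": PAOS}

if __name__ == "__main__":
    for label, request in (("semicolon", BROKEN), ("comma", FIXED)):
        print(label, parse_accept(request["Accept"]), ecp_checks(request))
```

With the semicolon, the PAOS media type is parsed as a parameter of text/html, so only one of the two conditions holds.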
Luong Anh Tuan 7e11cab57b Replace yaml.load() with yaml.safe_load()
Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use, but it is dangerous [1]
because yaml.load returns Python objects, which may be dangerous if you
receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to
simple Python objects like integers or lists.

In addition, Bandit flags yaml.load() as a security risk, so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load().


Change-Id: Ia45006ce1382022e5c776d06fdc3c33e9b4d8c47
Closes-Bug: #1634265
6 years ago
Jenkins 06e0aeb8f1 Merge "Add a full listing of all auth plugins and their options" 6 years ago
Jamie Lennox c21ef89a88 Add a full listing of all auth plugins and their options
A commonly requested document is what auth plugins are available and
what parameters do they accept. Create an extension that can iterate
through the stevedore namespace and render all its available options.

Change-Id: Id0d0983c9803ce4e0ce201310a1603bc0ff30ca0
6 years ago
Jamie Lennox d73fd3ee84 Only log application/json in session to start
When whitelisting content types to debug print from session we chose
application/json and application/text. application/text is not a real
mime type, text is typically text/plain.

Rather than guess at mime types only print application/json to start
with, but make it easy for additional types to be added later.

Change-Id: Ica5fee076cdab8b1d5167161d28af7313fad9477
Related-Bug: 1616105
6 years ago
Tin Lam 9d3ae3ef94 X-Service-Token should be hashed in the log
Currently, logs display the hash values of X-Auth-Token,
Authorization, and X-Subject-Token, but not the value of
the X-Service-Token.  This patch set adds the X-Service-Token
to the list of header fields to be hashed for logging purposes.

Change-Id: I4d996a2631f61a2c9bbbc7f959e97c7279be023d
Closes-Bug: #1654847
6 years ago
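
The two debug-logging rules from the commit messages above (token headers logged as hashes, bodies logged only for application/json, including when the header carries a charset parameter), as an added example that is not keystoneauth's code. The function names, the SHA-256 digest, the "{SHA256}" prefix and the wording of the omission message are assumptions made for illustration.

```python
import hashlib

# Header names listed in the commit message; compared case-insensitively.
SENSITIVE_HEADERS = ("x-auth-token", "authorization",
                     "x-subject-token", "x-service-token")
# Only application/json to start with; extend the tuple to log more types.
LOGGED_CONTENT_TYPES = ("application/json",)


def mask_header(name, value):
    """Return (name, value) with secret-bearing values replaced by a digest."""
    if name.lower() in SENSITIVE_HEADERS:
        digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
        return name, "{SHA256}" + digest  # assumed digest and prefix
    return name, value


def loggable_body(headers, text):
    """Return the body if its media type is whitelisted, else a short notice."""
    content_type = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value
    # Compare only the media type: "application/json; charset=UTF-8" must
    # match "application/json", so parameters after ';' are dropped.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in LOGGED_CONTENT_TYPES:
        return text
    return f"Omitted, Content-Type is set to {content_type or None}"


def debug_line(status, headers, text):
    """Build one debug log line that carries no raw token and no large blob."""
    shown = " ".join("%s: %s" % mask_header(n, v) for n, v in headers.items())
    return f"RESP: [{status}] {shown} BODY: {loggable_body(headers, text)}"


if __name__ == "__main__":
    # Constructed response; the token value is a placeholder.
    sample = {"Content-Type": "application/json; charset=UTF-8",
              "X-Service-Token": "constructed-token-value"}
    print(debug_line(200, sample, '{"ok": true}'))
```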
Jenkins f387043138 Merge "Add __ne__ built-in function" 6 years ago
howardlee 7666acbb1e Add __ne__ built-in function
In Python 3 __ne__ by default delegates to __eq__ and inverts the
result, but in Python 2 they urge you to define __ne__ when you define
__eq__ for it to work properly [1]. There are no implied relationships
among the comparison operators. The truth of x==y does not imply that
x!=y is false. Accordingly, when defining __eq__(), one should also
define __ne__() so that the operators will behave as expected.


Change-Id: I6ad4b07911f6c8236dfcd048aceebd44cd760fe2
6 years ago
Abhishek Kekane af658d0686 Log request-id for each api call
Added support to log 'X-Openstack-Request-Id' or
'X-Compute-Request-Id' in case of Nova for each api call.

If any python-*client which is using session is used from the
command line, then the following log will be logged on the console
if the --debug flag is used.

DEBUG (session:350) GET call to compute for used
request id req-c54b8f3e-a7e4-4085-a5e3-fd5244ef3ce5

If any python-*client which is using session is used in
applications (e.g. Nova), then the following log message will be
logged in the service logs.

DEBUG keystoneauth.session
[req-a6929d46-765c-44a9-8370-49ff0f1958ca admin admin] GET call
to network for used request id req-de6bfe07-22ac-4940-b65e-367cb0e8102d

To use this feature, the user needs to set 'default_log_levels' in the
third-party application. For example, in nova.conf 'default_log_levels'
should be set as below:

default_log_levels = keystoneauth1=DEBUG

Closes-Bug: #1605488
Change-Id: If0c5a4eb7d51c601ba38149f846ebcd6116d18be
6 years ago
Samuel de Medeiros Queiroz f345559a06 Prevent MemoryError when logging response bodies
Response bodies are loaded into memory prior to
being logged.

Loading huge response bodies may result in a

This patch proposes that only JSON and TEXT
responses be logged, i.e. when the Content-Type
header is application/json or application/text.

Responses that do not include or have a different
Content-Type header will have their body omitted.

Closes-bug: 1616105

Change-Id: I93b6fff73368c4f58bdebf8566c4948b50980cee
6 years ago
Cao Xuan Hoang a142082b10 Removes unnecessary utf-8 encoding
The following file added utf-8 encoding but never used it. So we can
remove it altogether.


Change-Id: I82ee422cd40dd0b7e584b566fb073fc1583396c7
7 years ago
Jenkins 459f3c0926 Merge "Replace six.iteritems() with .items()" 7 years ago
gengchc2 a00b8d844d Replace six.iteritems() with .items()
1. As mentioned in [1], we should avoid using
six.iteritems to achieve iterators. We can
use dict.items instead, as it will return
iterators in PY3 as well. And dict.items/keys
will be more readable.
2. In py2, the performance
about list should be negligible, see the link [2].

Change-Id: I9f8f2c35f0d45d866076507a3a167aaafb8382e5
7 years ago
Jamie Lennox c5bac3a32c Don't issue deprecation warning when nesting adapters
Auth token middleware does a bit of a hack where it passes an Adapter in
as a session to the client. This is useful there because we need to know
much more about the authentication information than we do in most

We should look at fixing this in auth_token middleware, however for now
we shouldn't issue a deprecation warning when a user passes an Adapter
as a session object because this has always been designed to work - just
not something we recommend.

Change-Id: If7ebe59d5908275e607f32244027c8e6f3d1e157
Closes-Bug: #1647230
7 years ago
Juan Antonio Osorio Robles 08539ec4d6 Add reauthenticate to generic plugins
Currently, the plugins supported in the generic plugins all have a
reauthenticate option, however, this is not passed anywhere in the
generic plugin interface. This adds it to the base class in order to
support this, and provide a more interchangeable interface between
the version-specific plugins and the generic one.

Change-Id: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4
Closes-Bug: #1643782
7 years ago
Jenkins b6f8648177 Merge "Using assertIsNotNone() instead of assertNotEqual(None)" 7 years ago
Cao Xuan Hoang b55a286462 Using assertIsNotNone() instead of assertNotEqual(None)
Following OpenStack Style Guidelines[1]:
[H203] Unit test assertions tend to give better messages for more
specific assertions. As a result, assertIsNotNone(...) is preferred
over assertNotEqual(None, ...) and assertIsNot(None, ...)


Change-Id: Iadb27153109b2c4b92df43fc97a5e50eed86f58c
7 years ago
melissaml f2242de6fe Fix a typo in

Change-Id: I6e7ea9bafd59a0915d3f88df595a0653af2a0f1e
7 years ago
Morgan Fainberg 6858ccdd0f Correct betamax fixture for more strict IDNA
The IDNA library has gotten more strict. The use of `_` in the TLD is
not valid. This change modifies the betamax test-case to use
`keystoneauth-betamax.test` instead of `keystoneauth.betamax_test`
correcting the invalid character in the TLD.

Change-Id: I01c5e6c0145158515d837b216fd066a5a558f498
7 years ago
Jenkins 42a6bf8dfc Merge "mark a few oidc parameters as required" 7 years ago
Jenkins e308aae67d Merge "Add a service token wrapper" 7 years ago
Steve Martinelli 827895281b mark a few oidc parameters as required
to better the user experience, mark a few of the open id connect
options as required, users should get back more meaningful
error messages.

as part of the change, there was also a discrepancy between what
the loader used for the authorization code, and what the plugin
was using. deprecate the old loader option (authorization-code)
in favor of the one used by the plugin (code).

Change-Id: I18318ef44f99e4f973176dd99b61770b1151f7a0
Partial-Bug: 1593192
7 years ago
Jenkins 946278d98c Merge "Show deprecation warning and limit features for KSC session" 7 years ago
Jamie Lennox 57f8d2cde5 Allow setting client_name, client_version on adapter
You can pass client_name and client_version to Adapter.__init__ but for
most clients this means overriding Adapter.__init__ and setdefault()-ing
the client_name and version.

As most clients already override the Adapter object it'd be easier if
they could just set these values on the class as they are not going to
change between instances.

Change-Id: I301a7f77c8cf423bc1d45e3dcbb2325f6853b9a9
7 years ago
Jamie Lennox 6c71469783 Show deprecation warning and limit features for KSC session
There are still a lot of places where keystoneclient sessions are being
used and we've made a fair effort to maintain compatibility with these

Unfortunately passing client_name and client_version for user_agent
generation is something only present in keystoneauth and passing it to a
keystoneclient session results in failure.

Whilst it would be good to just tell people to fix their code in reality
we'll probably be dealing with this for a while so just check to ensure
it really is a keystoneauth session we are passing parameters to and
warn otherwise.

Change-Id: I4d51ee08cfa9094443aca7128fe5323a95974a4d
7 years ago
Jamie Lennox 31b9d125b0 Don't use private testtools.test module
The testtools.test module is the unit testing module for testtools and
is an internal module with additional requirements. We should not be
relying on this module.

Copy the tests that were exposed from testtools into here.

Change-Id: I1e09228cff7a0c8136447f07df6864045a6fb849
7 years ago
Mike Fedosin ab39cf0667 Prevent changing content type in request
Now if the body contains json, its content type is forcibly
changed to application/json, which is not correct in
some cases, like a json-patch request.

This code fixes this situation and sets the application/json
content type only if this header hasn't been set before.

Change-Id: I4e0c44d444519f056dfa48c9603dbc3ca6b01822
Closes-bug: #1634110
7 years ago
Jenkins 626886b4aa Merge "be more explicit about connection errors" 7 years ago
Jenkins 04ea2a8181 Merge "Fix a typo in" 7 years ago
Sean Dague 7d26de17f5 be more explicit about connection errors
urllib/requests ConnectionError is a translation of
SocketError. However, when we translate this *yet again* we drop the
message from Requests. That message contains the actual SocketError
details, which are often critical for debugging an issue.

This keeps those details in the error message as we carry this up.

Change-Id: I6b753fddaebdcbcfe62680585a5b6febf62647b3
7 years ago
melissaml 729e4cd846 Fix a typo in
Removed redundant 'the'

Change-Id: I4e72aeb4580ef197a9fd214b26879408e5a63a9e
7 years ago
gecong1973 e1bf1f0e83 Fix a typo in

Change-Id: Ifffcea354e785a7fc5720e15d3bd259be559f13e
7 years ago
Jenkins 8185d4ffe9 Merge "Implement caching for the generic plugins." 7 years ago
Jamie Lennox e69cff8654 Add a service token wrapper
There are cases from a service where you have to wrap and pass a User
and Service token together to make things work. Add a wrapper that adds
both the user and service token to requests.

This will be something we will handle differently in auth_token
middleware but should still provide for other implementations.

Change-Id: I284f799d1f9e8d33ff032376af02b64cd6bbf510
7 years ago
Jamie Lennox eb5571a6ca Allow specifying client and service info to user_agent
Allow specifying a service name and version to the session and a client
name and version to the adapter. The way this will work is that
libraries such as keystoneclient will pass client_name and
client_version when creating their adapter. Then when nova or another
service creates a session it will provide the service name and version.
The combination of these will be used to provide a meaningful user

Change-Id: Ibe516d9b248513579d5e8ca94015c4ae9c00f3f9
Closes-Bug: #1614846
7 years ago
Jamie Lennox 01b7c87285 Implement caching for the generic plugins.
When caching was implemented it was added to the v2 and v3 plugins but
for some reason the generic plugins were missed.

To do generic plugin caching we'll skip even trying to figure out the
inner plugin for now and just load the authentication for the generic.

Closes-Bug: #1616261
Change-Id: Icbb8acde0dca084f4a221f8ebff5503d5bdc219a
7 years ago
lilintan c563c8b24e Use mockpatch fixtures from fixtures
fixtures added the mockpatch fixtures from oslotest, so switch
to those in anticipation of deprecating in oslotest.

Change-Id: Ied8b9013a4c45f353b0fdf3a84e03a9b1fe048a7
7 years ago
Adam Young 1306c8b0e1 Fix parameters for Kerberos Auth Plugin
The auth plugin was not loading when called from the CLI due to the
mismatch of variable argument parameter calling convention.  This was
due in part to not specifying the parameters properly in the plugin, and
also due to extending from the wrong base class.

Closes-Bug: #1622079

Change-Id: I37a8320b61e7468c173f81348b0a7dd0ee1ad966
7 years ago
Adam Young c5aeaf6aff Test that v3fedkerb plugin loads
Currently the v3fedkerb plugin loads the incorrect parameters. This was
never tested. This patch introduces a test and a future patch will fix
the code and modify the test.

Change-Id: Ia7fb7f1d7db0510df42798b9d668d58070234aff
7 years ago
Ji-Wei 2d3e376a2c Raise NotImplementedError instead of NotImplemented
NotImplementedError is the name of the exception
NotImplemented is the name of a constant

This patch fixes it.

Change-Id: Icfbc0603d03e2001d1494027c492059687e15fa7
Closes-Bug: #1339855
7 years ago
Jamie Lennox b7b887c519 get_endpoint should return None when no version found
After patch Ia08538ccf00c9063dc0d284c5ece9a969c15500a the urljoin would
ensure that a URL was always returned from the get_endpoint method even
when the version was not available. This breaks plugin discovery and a
number of other areas.

Change-Id: I04014b6e770c2e9708c5f9c81c3160d51603ad0c
Closes-Bug: #1616720
7 years ago
Jenkins 5f34cb14d4 Merge "Disables TCP_KEEPCNT when using Windows Subsystem for Linux" 7 years ago
Alex Oughton e3009ab365 Disables TCP_KEEPCNT when using Windows Subsystem for Linux
The Windows Subsystem for Linux is not a complete implementation
of the Linux APIs, and setting TCP_KEEPCNT is currently
unimplemented. Attempting to use this option will cause HTTP
connections to fail. This change checks if we are running under
WSL, and disables changing TCP_KEEPCNT parameters if so.

Change-Id: Ic8b41dea2a75660d9adbce88a00a0fe703a4d120
Closes-Bug: #1614688
7 years ago
Jamie Lennox fe7ea40ea5 Allow identity plugins to discover relative version urls
When using a reverse proxy or TLS terminator it can be really hard to
correctly specify a URL in version discovery that is correct for all

Make it so that a relative URL in a discovery document is joined to the
queried URL to always return a fully qualified URL to the identity

Change-Id: Ia08538ccf00c9063dc0d284c5ece9a969c15500a
Closes-Bug: #1614304
7 years ago
Alexey Stepanov 837118393c add status code 308 to _REDIRECT_STATUSES
add status code 308 to _REDIRECT_STATUSES as designed by rfc7238
Closes-bug: 1610914

Change-Id: I81ce137dad07e76a0f0c227dc8b263eec64fff7a
7 years ago