Merge "Extract SigningDirectory into file"

2015-02-25 00:55:42 +00:00 · 2015-02-25 00:55:42 +00:00 · 249d9ddb8e
parent 4b6fb39fd1 ca1cf28bee
commit 249d9ddb8e
4 changed files with 225 additions and 183 deletions
--- a/keystonemiddleware/auth_token/init.py
+++ b/keystonemiddleware/auth_token/init.py
@ -175,8 +175,6 @@ import contextlib
 import datetime
 import logging
 import os
 import stat
 import tempfile
 from keystoneclient import access
 from keystoneclient import adapter
@ -196,6 +194,7 @@ from six.moves import urllib
 from keystonemiddleware import _memcache_crypt as memcache_crypt
 from keystonemiddleware.auth_token import _exceptions as exc
 from keystonemiddleware.auth_token import _signing_dir
 from keystonemiddleware.i18n import _, _LC, _LE, _LI, _LW
 from keystonemiddleware.openstack.common import memorycache
@ -845,7 +844,7 @@ class AuthProtocol(object):
            self._auth_uri = self._identity_server.auth_uri
-        self._signing_directory = _SigningDirectory(
+        self._signing_directory = _signing_dir.SigningDirectory(
            directory_name=self._conf_get('signing_dir'), log=self._LOG)
        self._token_cache = self._token_cache_factory()
@ -1780,65 +1779,6 @@ class _Revocations(object):
            raise exc.InvalidToken(_('Token has been revoked'))
 class _SigningDirectory(object):
    def __init__(self, directory_name=None, log=None):
        self._log = log or _LOG
        if directory_name is None:
            directory_name = tempfile.mkdtemp(prefix='keystone-signing-')
        self._log.info(
            _LI('Using %s as cache directory for signing certificate'),
            directory_name)
        self._directory_name = directory_name
        self._verify_signing_dir()
    def write_file(self, file_name, new_contents):
        # In Python2, encoding is slow so the following check avoids it if it
        # is not absolutely necessary.
        if isinstance(new_contents, six.text_type):
            new_contents = new_contents.encode('utf-8')
        def _atomic_write():
            with tempfile.NamedTemporaryFile(dir=self._directory_name,
                                             delete=False) as f:
                f.write(new_contents)
            os.rename(f.name, self.calc_path(file_name))
        try:
            _atomic_write()
        except (OSError, IOError):
            self._verify_signing_dir()
            _atomic_write()
    def read_file(self, file_name):
        path = self.calc_path(file_name)
        open_kwargs = {'encoding': 'utf-8'} if six.PY3 else {}
        with open(path, 'r', **open_kwargs) as f:
            return f.read()
    def calc_path(self, file_name):
        return os.path.join(self._directory_name, file_name)
    def _verify_signing_dir(self):
        if os.path.isdir(self._directory_name):
            if not os.access(self._directory_name, os.W_OK):
                raise exc.ConfigurationError(
                    _('unable to access signing_dir %s') %
                    self._directory_name)
            uid = os.getuid()
            if os.stat(self._directory_name).st_uid != uid:
                self._log.warning(_LW('signing_dir is not owned by %s'), uid)
            current_mode = stat.S_IMODE(os.stat(self._directory_name).st_mode)
            if current_mode != stat.S_IRWXU:
                self._log.warning(
                    _LW('signing_dir mode is %(mode)s instead of %(need)s'),
                    {'mode': oct(current_mode), 'need': oct(stat.S_IRWXU)})
        else:
            os.makedirs(self._directory_name, stat.S_IRWXU)
 class _TokenCache(object):
    """Encapsulates the auth_token token cache functionality.
--- a/keystonemiddleware/auth_token/_signing_dir.py
+++ b/keystonemiddleware/auth_token/_signing_dir.py
@ -0,0 +1,83 @@
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 import logging
 import os
 import stat
 import tempfile
 import six
 from keystonemiddleware.auth_token import _exceptions as exc
 from keystonemiddleware.i18n import _, _LI, _LW
 _LOG = logging.getLogger(__name__)
 class SigningDirectory(object):
    def __init__(self, directory_name=None, log=None):
        self._log = log or _LOG
        if directory_name is None:
            directory_name = tempfile.mkdtemp(prefix='keystone-signing-')
        self._log.info(
            _LI('Using %s as cache directory for signing certificate'),
            directory_name)
        self._directory_name = directory_name
        self._verify_signing_dir()
    def write_file(self, file_name, new_contents):
        # In Python2, encoding is slow so the following check avoids it if it
        # is not absolutely necessary.
        if isinstance(new_contents, six.text_type):
            new_contents = new_contents.encode('utf-8')
        def _atomic_write():
            with tempfile.NamedTemporaryFile(dir=self._directory_name,
                                             delete=False) as f:
                f.write(new_contents)
            os.rename(f.name, self.calc_path(file_name))
        try:
            _atomic_write()
        except (OSError, IOError):
            self._verify_signing_dir()
            _atomic_write()
    def read_file(self, file_name):
        path = self.calc_path(file_name)
        open_kwargs = {'encoding': 'utf-8'} if six.PY3 else {}
        with open(path, 'r', **open_kwargs) as f:
            return f.read()
    def calc_path(self, file_name):
        return os.path.join(self._directory_name, file_name)
    def _verify_signing_dir(self):
        if os.path.isdir(self._directory_name):
            if not os.access(self._directory_name, os.W_OK):
                raise exc.ConfigurationError(
                    _('unable to access signing_dir %s') %
                    self._directory_name)
            uid = os.getuid()
            if os.stat(self._directory_name).st_uid != uid:
                self._log.warning(_LW('signing_dir is not owned by %s'), uid)
            current_mode = stat.S_IMODE(os.stat(self._directory_name).st_mode)
            if current_mode != stat.S_IRWXU:
                self._log.warning(
                    _LW('signing_dir mode is %(mode)s instead of %(need)s'),
                    {'mode': oct(current_mode), 'need': oct(stat.S_IRWXU)})
        else:
            os.makedirs(self._directory_name, stat.S_IRWXU)
--- a/keystonemiddleware/tests/auth_token/test_signing_dir.py
+++ b/keystonemiddleware/tests/auth_token/test_signing_dir.py
@ -0,0 +1,138 @@
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 import os
 import shutil
 import stat
 import uuid
 import testtools
 from keystonemiddleware.auth_token import _signing_dir
 class SigningDirectoryTests(testtools.TestCase):
    def test_directory_created_when_doesnt_exist(self):
        # When _SigningDirectory is created, if the directory doesn't exist
        # it's created with the expected permissions.
        tmp_name = uuid.uuid4().hex
        parent_directory = '/tmp/%s' % tmp_name
        directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
        # Directories are created by __init__.
        _signing_dir.SigningDirectory(directory_name)
        self.addCleanup(shutil.rmtree, parent_directory)
        self.assertTrue(os.path.isdir(directory_name))
        self.assertTrue(os.access(directory_name, os.W_OK))
        self.assertEqual(os.stat(directory_name).st_uid, os.getuid())
        self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode),
                         stat.S_IRWXU)
    def test_use_directory_already_exists(self):
        # The directory can already exist.
        tmp_name = uuid.uuid4().hex
        parent_directory = '/tmp/%s' % tmp_name
        directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
        os.makedirs(directory_name, stat.S_IRWXU)
        self.addCleanup(shutil.rmtree, parent_directory)
        _signing_dir.SigningDirectory(directory_name)
    def test_write_file(self):
        # write_file when the file doesn't exist creates the file.
        signing_directory = _signing_dir.SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        contents = self.getUniqueString()
        signing_directory.write_file(file_name, contents)
        file_path = signing_directory.calc_path(file_name)
        with open(file_path) as f:
            actual_contents = f.read()
        self.assertEqual(contents, actual_contents)
    def test_replace_file(self):
        # write_file when the file already exists overwrites it.
        signing_directory = _signing_dir.SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        orig_contents = self.getUniqueString()
        signing_directory.write_file(file_name, orig_contents)
        new_contents = self.getUniqueString()
        signing_directory.write_file(file_name, new_contents)
        file_path = signing_directory.calc_path(file_name)
        with open(file_path) as f:
            actual_contents = f.read()
        self.assertEqual(new_contents, actual_contents)
    def test_recreate_directory(self):
        # If the original directory is lost, it gets recreated when a file
        # is written.
        signing_directory = _signing_dir.SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        # Delete the directory.
        shutil.rmtree(signing_directory._directory_name)
        file_name = self.getUniqueString()
        contents = self.getUniqueString()
        signing_directory.write_file(file_name, contents)
        actual_contents = signing_directory.read_file(file_name)
        self.assertEqual(contents, actual_contents)
    def test_read_file(self):
        # Can read a file that was written.
        signing_directory = _signing_dir.SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        contents = self.getUniqueString()
        signing_directory.write_file(file_name, contents)
        actual_contents = signing_directory.read_file(file_name)
        self.assertEqual(contents, actual_contents)
    def test_read_file_doesnt_exist(self):
        # Show what happens when try to read a file that wasn't written.
        signing_directory = _signing_dir.SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        self.assertRaises(IOError, signing_directory.read_file, file_name)
    def test_calc_path(self):
        # calc_path returns the actual filename built from the directory name.
        signing_directory = _signing_dir.SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        actual_path = signing_directory.calc_path(file_name)
        expected_path = os.path.join(signing_directory._directory_name,
                                     file_name)
        self.assertEqual(expected_path, actual_path)
--- a/keystonemiddleware/tests/unit/test_auth_token.py
+++ b/keystonemiddleware/tests/unit/test_auth_token.py
@ -14,9 +14,7 @@
 import datetime
 import json
 import os
 import shutil
 import stat
 import uuid
 import mock
@ -24,13 +22,14 @@ import testtools
 from keystonemiddleware import auth_token
 from keystonemiddleware.auth_token import _exceptions as exc
 from keystonemiddleware.auth_token import _signing_dir
 class RevocationsTests(testtools.TestCase):
    def _check_with_list(self, revoked_list, token_ids):
        directory_name = '/tmp/%s' % uuid.uuid4().hex
-        signing_directory = auth_token._SigningDirectory(directory_name)
+        signing_directory = _signing_dir.SigningDirectory(directory_name)
        self.addCleanup(shutil.rmtree, directory_name)
        identity_server = mock.Mock()
@ -64,121 +63,3 @@ class RevocationsTests(testtools.TestCase):
        token_ids = [token_id]
        self.assertRaises(exc.InvalidToken,
                          self._check_with_list, revoked_tokens, token_ids)
 class SigningDirectoryTests(testtools.TestCase):
    def test_directory_created_when_doesnt_exist(self):
        # When _SigningDirectory is created, if the directory doesn't exist
        # it's created with the expected permissions.
        tmp_name = uuid.uuid4().hex
        parent_directory = '/tmp/%s' % tmp_name
        directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
        # Directories are created by __init__.
        auth_token._SigningDirectory(directory_name)
        self.addCleanup(shutil.rmtree, parent_directory)
        self.assertTrue(os.path.isdir(directory_name))
        self.assertTrue(os.access(directory_name, os.W_OK))
        self.assertEqual(os.stat(directory_name).st_uid, os.getuid())
        self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode),
                         stat.S_IRWXU)
    def test_use_directory_already_exists(self):
        # The directory can already exist.
        tmp_name = uuid.uuid4().hex
        parent_directory = '/tmp/%s' % tmp_name
        directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
        os.makedirs(directory_name, stat.S_IRWXU)
        self.addCleanup(shutil.rmtree, parent_directory)
        auth_token._SigningDirectory(directory_name)
    def test_write_file(self):
        # write_file when the file doesn't exist creates the file.
        signing_directory = auth_token._SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        contents = self.getUniqueString()
        signing_directory.write_file(file_name, contents)
        file_path = signing_directory.calc_path(file_name)
        with open(file_path) as f:
            actual_contents = f.read()
        self.assertEqual(contents, actual_contents)
    def test_replace_file(self):
        # write_file when the file already exists overwrites it.
        signing_directory = auth_token._SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        orig_contents = self.getUniqueString()
        signing_directory.write_file(file_name, orig_contents)
        new_contents = self.getUniqueString()
        signing_directory.write_file(file_name, new_contents)
        file_path = signing_directory.calc_path(file_name)
        with open(file_path) as f:
            actual_contents = f.read()
        self.assertEqual(new_contents, actual_contents)
    def test_recreate_directory(self):
        # If the original directory is lost, it gets recreated when a file
        # is written.
        signing_directory = auth_token._SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        # Delete the directory.
        shutil.rmtree(signing_directory._directory_name)
        file_name = self.getUniqueString()
        contents = self.getUniqueString()
        signing_directory.write_file(file_name, contents)
        actual_contents = signing_directory.read_file(file_name)
        self.assertEqual(contents, actual_contents)
    def test_read_file(self):
        # Can read a file that was written.
        signing_directory = auth_token._SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        contents = self.getUniqueString()
        signing_directory.write_file(file_name, contents)
        actual_contents = signing_directory.read_file(file_name)
        self.assertEqual(contents, actual_contents)
    def test_read_file_doesnt_exist(self):
        # Show what happens when try to read a file that wasn't written.
        signing_directory = auth_token._SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        self.assertRaises(IOError, signing_directory.read_file, file_name)
    def test_calc_path(self):
        # calc_path returns the actual filename built from the directory name.
        signing_directory = auth_token._SigningDirectory()
        self.addCleanup(shutil.rmtree, signing_directory._directory_name)
        file_name = self.getUniqueString()
        actual_path = signing_directory.calc_path(file_name)
        expected_path = os.path.join(signing_directory._directory_name,
                                     file_name)
        self.assertEqual(expected_path, actual_path)