Merge "Add service token to user token plugin"

2016-10-20 07:40:09 +00:00 · 2016-10-20 07:40:09 +00:00 · ac091e73c5
parent b5800c1673 6e545d2c0c
commit ac091e73c5
3 changed files with 57 additions and 14 deletions
--- a/keystonemiddleware/auth_token/init.py
+++ b/keystonemiddleware/auth_token/init.py
@ -530,6 +530,8 @@ class AuthProtocol(BaseAuthProtocol):
            'include_service_catalog')
        self._hash_algorithms = self._conf.get('hash_algorithms')

+        self._auth = self._create_auth_plugin()
+        self._session = self._create_session()
        self._identity_server = self._create_identity_server()

        self._auth_uri = self._conf.get('auth_uri')
@ -610,6 +612,10 @@ class AuthProtocol(BaseAuthProtocol):
            if self._include_service_catalog:
                request.set_service_catalog_headers(request.token_auth.user)

+        if request.token_auth:
+            request.token_auth._auth = self._auth
+            request.token_auth._session = self._session
+
        if request.service_token and request.service_token_valid:
            request.set_service_headers(request.token_auth.service)

@ -813,7 +819,7 @@ class AuthProtocol(BaseAuthProtocol):
            self._SIGNING_CA_FILE_NAME,
            self._identity_server.fetch_ca_cert())

-    def _get_auth_plugin(self):
+    def _create_auth_plugin(self):
        # NOTE(jamielennox): Ideally this would use load_from_conf_options
        # however that is not possible because we have to support the override
        # pattern we use in _conf.get. This function therefore does a manual
@ -852,25 +858,24 @@ class AuthProtocol(BaseAuthProtocol):
        getter = lambda opt: self._conf.get(opt.dest, group=group)
        return plugin_loader.load_from_options_getter(getter)

-    def _create_identity_server(self):
+    def _create_session(self, **kwargs):
        # NOTE(jamielennox): Loading Session here should be exactly the
        # same as calling Session.load_from_conf_options(CONF, GROUP)
        # however we can't do that because we have to use _conf.get to
        # support the paste.ini options.
-        sess = session_loading.Session().load_from_options(
-            cert=self._conf.get('certfile'),
-            key=self._conf.get('keyfile'),
-            cacert=self._conf.get('cafile'),
-            insecure=self._conf.get('insecure'),
-            timeout=self._conf.get('http_connect_timeout'),
-            user_agent=self._conf.user_agent,
-        )
+        kwargs.setdefault('cert', self._conf.get('certfile'))
+        kwargs.setdefault('key', self._conf.get('keyfile'))
+        kwargs.setdefault('cacert', self._conf.get('cafile'))
+        kwargs.setdefault('insecure', self._conf.get('insecure'))
+        kwargs.setdefault('timeout', self._conf.get('http_connect_timeout'))
+        kwargs.setdefault('user_agent', self._conf.user_agent)

-        auth_plugin = self._get_auth_plugin()
+        return session_loading.Session().load_from_options(**kwargs)

+    def _create_identity_server(self):
        adap = adapter.Adapter(
-            sess,
-            auth=auth_plugin,
+            self._session,
+            auth=self._auth,
            service_type='identity',
            interface='admin',
            region_name=self._conf.get('region_name'),
--- a/keystonemiddleware/auth_token/_user_plugin.py
+++ b/keystonemiddleware/auth_token/_user_plugin.py
@ -31,12 +31,17 @@ class UserAuthPlugin(base_identity.BaseIdentityPlugin):
    authentication plugin when communicating via a session.
    """

-    def __init__(self, user_auth_ref, serv_auth_ref):
+    def __init__(self, user_auth_ref, serv_auth_ref, session=None, auth=None):
        super(UserAuthPlugin, self).__init__(reauthenticate=False)

        self.user = user_auth_ref
        self.service = serv_auth_ref

+        # NOTE(jamielennox): adding a service token requires the original
+        # session and auth plugin from auth_token
+        self._session = session
+        self._auth = auth
+
    @property
    def has_user_token(self):
        """Did this authentication request contained a user auth token."""
@ -64,3 +69,14 @@ class UserAuthPlugin(base_identity.BaseIdentityPlugin):
            msg.append('service: %s' % _log_format(self.service))

        return ' '.join(msg)
+
+    def get_headers(self, session, **kwargs):
+        headers = super(UserAuthPlugin, self).get_headers(session, **kwargs)
+
+        if headers is not None and self._session:
+            token = self._session.get_token(auth=self._auth)
+
+            if token:
+                headers['X-Service-Token'] = token
+
+        return headers
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@ -1295,6 +1295,28 @@ class CommonAuthTokenMiddlewareTest(object):
        r = m(env, _start_response)
        self.assertEqual(text, r)

+    def test_auth_plugin_service_token(self):
+        url = 'http://test.url'
+        text = uuid.uuid4().hex
+        self.requests_mock.get(url, text=text)
+
+        token = self.token_dict['uuid_token_default']
+        resp = self.call_middleware(headers={'X-Auth-Token': token})
+
+        self.assertEqual(200, resp.status_int)
+        self.assertEqual(FakeApp.SUCCESS, resp.body)
+
+        s = session.Session(auth=resp.request.environ['keystone.token_auth'])
+
+        resp = s.get(url)
+
+        self.assertEqual(text, resp.text)
+        self.assertEqual(200, resp.status_code)
+
+        headers = self.requests_mock.last_request.headers
+
+        self.assertEqual(FAKE_ADMIN_TOKEN_ID, headers['X-Service-Token'])
+

 class V2CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest,
                                   testresources.ResourcedTestCase):