From 45f696cfe786a7287bbeac33d03e84bf6d4a796e Mon Sep 17 00:00:00 2001 From: Christian Berendt Date: Tue, 20 Sep 2016 16:38:23 +0200 Subject: [PATCH] Use keystone-paste.ini template for keystone The use of the admin_token_auth middleware presents a security risk and was removed from [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api]. Change-Id: I3a3ca2e74c0ae341105d3481f97956c6da473046 Closes-bug: #1587747 --- ansible/roles/keystone/tasks/config.yml | 8 ++ .../keystone/templates/keystone-paste.ini.j2 | 83 +++++++++++++++++++ .../roles/keystone/templates/keystone.json.j2 | 6 ++ 3 files changed, 97 insertions(+) create mode 100644 ansible/roles/keystone/templates/keystone-paste.ini.j2 diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index 65ceb1a955..d7840fff6c 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml @@ -75,6 +75,14 @@ - "{{ node_custom_config }}/keystone/wsgi-keystone.conf" - "wsgi-keystone.conf.j2" +- name: Copying over keystone-paste.ini + merge_configs: + sources: + - "{{ role_path }}/templates/keystone-paste.ini.j2" + - "{{ node_custom_config }}/keystone/keystone-paste.ini" + - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone-paste.ini" + dest: "{{ node_config_directory }}/keystone/keystone-paste.ini" + - name: Generate the required cron jobs for the node local_action: "command python {{ role_path }}/files/fernet_rotate_cron_generator.py -t {{ (fernet_token_expiry | int) // 60 }} -i {{ groups['keystone'].index(inventory_hostname) }} -n {{ (groups['keystone'] | length) }}" register: cron_jobs_json diff --git a/ansible/roles/keystone/templates/keystone-paste.ini.j2 b/ansible/roles/keystone/templates/keystone-paste.ini.j2 new file mode 100644 index 0000000000..0e2ee368e2 --- /dev/null +++ b/ansible/roles/keystone/templates/keystone-paste.ini.j2 
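Review bot: The two `node_custom_config` sources in the new `merge_configs` task let an operator or per-host override silently put admin_token_auth back into a pipeline, because a later source's `pipeline =` value presumably replaces the template's, and nothing in the task records that keeping it out is the reason this template exists. A comment above the task would preserve that intent, e.g. `# NOTE: operator overrides are merged into this file; keep admin_token_auth out of every pipeline (bug #1587747).` Whether merge_configs replaces or concatenates duplicate keys is not visible in this hunk, so confirm that behaviour rather than relying on the warning alone.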
@@ -0,0 +1,83 @@
+# Keystone PasteDeploy configuration file.
+
+[filter:debug]
+use = egg:oslo.middleware#debug
+
+[filter:request_id]
+use = egg:oslo.middleware#request_id
+
+[filter:build_auth_context]
+use = egg:keystone#build_auth_context
+
+[filter:token_auth]
+use = egg:keystone#token_auth
+
+[filter:json_body]
+use = egg:keystone#json_body
+
+[filter:cors]
+use = egg:oslo.middleware#cors
+oslo_config_project = keystone
+
+[filter:ec2_extension]
+use = egg:keystone#ec2_extension
+
+[filter:ec2_extension_v3]
+use = egg:keystone#ec2_extension_v3
+
+[filter:s3_extension]
+use = egg:keystone#s3_extension
+
+[filter:url_normalize]
+use = egg:keystone#url_normalize
+
+[filter:sizelimit]
+use = egg:oslo.middleware#sizelimit
+
+[app:public_service]
+use = egg:keystone#public_service
+
+[app:service_v3]
+use = egg:keystone#service_v3
+
+[app:admin_service]
+use = egg:keystone#admin_service
+
+[pipeline:public_api]
+# The last item in this pipeline must be public_service or an equivalent
+# application. It cannot be a filter.
+pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
+
+[pipeline:admin_api]
+# The last item in this pipeline must be admin_service or an equivalent
+# application. It cannot be a filter.
+pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+
+[pipeline:api_v3]
+# The last item in this pipeline must be service_v3 or an equivalent
+# application. It cannot be a filter.
+pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+
+[app:public_version_service]
+use = egg:keystone#public_version_service
+
+[app:admin_version_service]
+use = egg:keystone#admin_version_service
+
+[pipeline:public_version_api]
+pipeline = cors sizelimit url_normalize public_version_service
+
+[pipeline:admin_version_api]
+pipeline = cors sizelimit url_normalize admin_version_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+/v3 = api_v3
+/ = public_version_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
+/v3 = api_v3
+/ = admin_version_api
diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2
index 35bd7bc51d..ba5cc52a05 100644
--- a/ansible/roles/keystone/templates/keystone.json.j2
+++ b/ansible/roles/keystone/templates/keystone.json.j2
@@ -9,6 +9,12 @@
 "owner": "keystone",
 "perm": "0600"
 },
+ {
+ "source": "{{ container_config_directory }}/keystone-paste.ini",
+ "dest": "/etc/keystone/keystone-paste.ini",
+ "owner": "keystone",
+ "perm": "0600"
+ },
 {
 "source": "{{ container_config_directory }}/domains",
 "dest": "/etc/keystone/domains",
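Review bot: `[filter:debug]` is defined at the top of the new template but is not referenced by any pipeline, so it survives only as something an override can enable; oslo.middleware's debug filter echoes whole requests and responses, including the password-bearing bodies of auth calls, to stdout. Either drop the section or, if it is kept for troubleshooting, annotate it: `# Dumps every request/response body (incl. credentials) to stdout; never enable in production.` The template also carries no comment explaining that admin_token_auth is intentionally absent, which is the whole point of this commit; a line under the file header such as `# admin_token_auth is deliberately omitted from every pipeline (bug #1587747); do not copy it back from the stock keystone sample.` would stop a later contributor restoring it when syncing with upstream keystone-paste.ini.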
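Review bot: Installing the file at `/etc/keystone/keystone-paste.ini` relies on keystone resolving its `[paste_deploy] config_file` to that path; if the image's keystone.conf points elsewhere, the packaged pipeline that still contains admin_token_auth would be the one loaded, and this hardening would be silently bypassed. The keystone.conf template is not part of this change, so consider setting `[paste_deploy] config_file = /etc/keystone/keystone-paste.ini` explicitly there, or confirm the default lookup in the deployed keystone version. The `0600` mode is stricter than a non-secret pipeline file needs but matches the sibling keystone.conf entry, so it is fine as written.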