Fix barbican client with application credentials/trusts

It seems that keystoneauth1.identity.generic.token doesn't handle
properly the application credential/trust tokens passed by the context
of the requests. When using app credentials, Octavia failed to retrieve
the certificates from barbican.
Switching to keystoneauth1.token_endpoint fixes the issue, the
auth tokens are correctly passed to the barbican client.

Story: 2007619
Task: 39737

Change-Id: Id77ce36f59b71d309f153e5c1d44059f162ee440
(cherry picked from commit ce7f27e3b7ef6a94501ce975fb0e9dadcffb822b)

octavia/certificates/common/auth/barbican_acl.py

@@ -17,8 +17,8 @@
 Barbican ACL auth class for Barbican certificate handling
 """
 from barbicanclient import client as barbican_client
-from keystoneauth1.identity.generic import token
 from keystoneauth1 import session
+from keystoneauth1 import token_endpoint
 
 from oslo_config import cfg
 from oslo_log import log as logging
@@ -79,20 +79,21 @@ class BarbicanACLAuth(barbican_common.BarbicanAuth):
 
     @classmethod
     def get_barbican_client_user_auth(cls, context):
-        # get a normal session
+        barbican_endpoint = CONF.certificates.endpoint
-        ksession = keystone.KeystoneSession()
+        if not barbican_endpoint:
-        service_auth = ksession.get_auth()
+            ksession = keystone.KeystoneSession().get_session()
+            endpoint_data = ksession.get_endpoint_data(
+                service_type='key-manager',
+                region_name=CONF.certificates.region_name,
+                interface=CONF.certificates.endpoint_type)
+            barbican_endpoint = endpoint_data.catalog_url
+
+        auth_token = token_endpoint.Token(barbican_endpoint,
+                                          context.auth_token)
 
-        # make our own auth and swap it in
-        user_auth = token.Token(auth_url=service_auth.auth_url,
-                                token=context.auth_token,
-                                project_id=context.project_id)
         user_session = session.Session(
-            auth=user_auth,
+            auth=auth_token,
             verify=CONF.certificates.ca_certificates_file)
-
-        # create a special barbican client with our user's session
         return barbican_client.Client(
             session=user_session,
-            region_name=CONF.certificates.region_name,
+            endpoint=barbican_endpoint)
-            interface=CONF.certificates.endpoint_type)

octavia/tests/unit/certificates/common/auth/test_barbican_acl.py

@@ -91,5 +91,4 @@ class TestBarbicanACLAuth(base.TestCase):
         bc = acl_auth_object.get_barbican_client_user_auth(mock.Mock())
         self.assertTrue(hasattr(bc, 'containers') and
                         hasattr(bc.containers, 'register_consumer'))
-        self.assertEqual('publicURL', bc.client.interface)
+        self.assertEqual('public', bc.client.interface)
-        self.assertEqual('RegionOne', bc.client.region_name)

releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix an authentication error with Barbican when creating a TERMINATED_HTTPS
+    listener with application credential tokens or trust IDs.