Fix barbican client with application credentials/trusts

It seems that keystoneauth1.identity.generic.token doesn't handle properly the application credential/trust tokens passed by the context of the requests. When using app credentials, Octavia failed to retrieve the certificates from barbican. Switching to keystoneauth1.token_endpoint fixes the issue, the auth tokens are correctly passed to the barbican client. Story: 2007619 Task: 39737 Change-Id: Id77ce36f59b71d309f153e5c1d44059f162ee440
2022-08-25 10:33:21 +02:00 · 2022-08-25 10:33:21 +02:00 · ce7f27e3b7
parent 34579fdc5e
commit ce7f27e3b7
3 changed files with 20 additions and 15 deletions
--- a/octavia/certificates/common/auth/barbican_acl.py
+++ b/octavia/certificates/common/auth/barbican_acl.py
@ -17,8 +17,8 @@
 Barbican ACL auth class for Barbican certificate handling
 """
 from barbicanclient import client as barbican_client
-from keystoneauth1.identity.generic import token
 from keystoneauth1 import session
+from keystoneauth1 import token_endpoint

 from oslo_config import cfg
 from oslo_log import log as logging
@ -79,20 +79,21 @@ class BarbicanACLAuth(barbican_common.BarbicanAuth):

    @classmethod
    def get_barbican_client_user_auth(cls, context):
-        # get a normal session
-        ksession = keystone.KeystoneSession()
-        service_auth = ksession.get_auth()
+        barbican_endpoint = CONF.certificates.endpoint
+        if not barbican_endpoint:
+            ksession = keystone.KeystoneSession().get_session()
+            endpoint_data = ksession.get_endpoint_data(
+                service_type='key-manager',
+                region_name=CONF.certificates.region_name,
+                interface=CONF.certificates.endpoint_type)
+            barbican_endpoint = endpoint_data.catalog_url
+
+        auth_token = token_endpoint.Token(barbican_endpoint,
+                                          context.auth_token)

-        # make our own auth and swap it in
-        user_auth = token.Token(auth_url=service_auth.auth_url,
-                                token=context.auth_token,
-                                project_id=context.project_id)
        user_session = session.Session(
-            auth=user_auth,
+            auth=auth_token,
            verify=CONF.certificates.ca_certificates_file)
-
-        # create a special barbican client with our user's session
        return barbican_client.Client(
            session=user_session,
-            region_name=CONF.certificates.region_name,
-            interface=CONF.certificates.endpoint_type)
+            endpoint=barbican_endpoint)
--- a/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
+++ b/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
@ -91,5 +91,4 @@ class TestBarbicanACLAuth(base.TestCase):
        bc = acl_auth_object.get_barbican_client_user_auth(mock.Mock())
        self.assertTrue(hasattr(bc, 'containers') and
                        hasattr(bc.containers, 'register_consumer'))
-        self.assertEqual('publicURL', bc.client.interface)
-        self.assertEqual('RegionOne', bc.client.region_name)
+        self.assertEqual('public', bc.client.interface)
--- a/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
+++ b/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix an authentication error with Barbican when creating a TERMINATED_HTTPS
+    listener with application credential tokens or trust IDs.