From a97b293501fa504dd154fc921809a40bc2a34049 Mon Sep 17 00:00:00 2001 From: guang-yee Date: Fri, 11 Oct 2013 14:08:57 -0700 Subject: [PATCH] Opt-out of service catalog Introducing a config option 'include_service_catalog' to indicate whether service catalog is needed. If the 'include_service_catalog' option is set to False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header. This option is backward compatible as it is default to True. DocImpact Fixed bug 1228317 Change-Id: Id8c410a7ae0443ac425d20cb9c6a24ee5bb2cb8d --- doc/source/middlewarearchitecture.rst | 6 ++++++ keystoneclient/middleware/auth_token.py | 21 ++++++++++++++----- .../tests/test_auth_token_middleware.py | 10 +++++++++ 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst index caeff218c..6b089046f 100644 --- a/doc/source/middlewarearchitecture.rst +++ b/doc/source/middlewarearchitecture.rst @@ -141,6 +141,8 @@ a WSGI component. Example for the auth_token middleware:: ;Uncomment next 2 lines if Keystone server is validating client cert ;certfile = ;keyfile = + ;Uncomment next line to opt-out of service catalog + ;include_service_catalog = False For services which have separate paste-deploy ini file, auth_token middleware can be alternatively configured in [keystone_authtoken] section in the main @@ -197,6 +199,10 @@ Configuration Options encoded CA file/bundle that will be used to verify HTTPS connections. * ``insecure``: (optional, default `False`) Don't verify HTTPS connections (overrides `cafile`). +* ``include_service_catalog``: (optional, default `True`) Indicate whether to + set the X-Service-Catalog header. If False, middleware will not ask for + service catalog on token validation and will not set the X-Service-Catalog + header. Caching for improved response ----------------------------- 
diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index 1a13d8004..332f8ac58 100644
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -291,7 +291,13 @@ opts = [
                default=None,
                secret=True,
                help='(optional, mandatory if memcache_security_strategy is'
-               ' defined) this string is used for key derivation.')
+               ' defined) this string is used for key derivation.'),
+    cfg.BoolOpt('include_service_catalog',
+                default=True,
+                help='(optional) indicate whether to set the X-Service-Catalog'
+                ' header. If False, middleware will not ask for service'
+                ' catalog on token validation and will not set the'
+                ' X-Service-Catalog header.')
 ]
 
 CONF.register_opts(opts, group='keystone_authtoken')
@@ -461,6 +467,9 @@ class AuthProtocol(object):
         self.http_request_max_retries = \
             self._conf_get('http_request_max_retries')
 
+        self.include_service_catalog = self._conf_get(
+            'include_service_catalog')
+
     def _assert_valid_memcache_protection_config(self):
         if self._memcache_security_strategy:
             if self._memcache_security_strategy not in ('MAC', 'ENCRYPT'):
@@ -921,11 +930,9 @@ class AuthProtocol(object):
         self.LOG.debug("Received request from user: %s with project_id : %s"
                        " and roles: %s ", user_id, project_id, roles)
 
-        try:
+        if self.include_service_catalog and catalog_key in catalog_root:
             catalog = catalog_root[catalog_key]
             rval['X-Service-Catalog'] = jsonutils.dumps(catalog)
-        except KeyError:
-            pass
 
         return rval
 
@@ -1090,9 +1097,13 @@ class AuthProtocol(object):
         if self.auth_version == 'v3.0':
             headers = {'X-Auth-Token': self.get_admin_token(),
                        'X-Subject-Token': safe_quote(user_token)}
+            path = '/v3/auth/tokens'
+            if not self.include_service_catalog:
+                # NOTE(gyee): only v3 API support this option
+                path = path + '?nocatalog'
             response, data = self._json_request(
                 'GET',
-                '/v3/auth/tokens',
+                path,
                 additional_headers=headers)
         else:
             headers = {'X-Auth-Token': self.get_admin_token()}
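Review bot: The help string for `include_service_catalog` promises that the middleware "will not ask for service catalog on token validation", but the only change to the validation request in this patch is the `?nocatalog` query added on the v3 path (the last hunk's NOTE says it is v3-only), so under v2 validation the catalog is still fetched from Keystone and only the outgoing header is dropped. An operator reading the option will assume the round trip shrinks regardless of API version. I would qualify the text: `help='(optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation (v3 API only) and will not set the X-Service-Catalog header.'`. The same qualification belongs in the `.rst` option description.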
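Review bot: `self.include_service_catalog = self._conf_get('include_service_catalog')` is later tested with `not self.include_service_catalog`, so its type matters, and the docs hunk shows the option being set in a paste-deploy ini as `include_service_catalog = False`; if `_conf_get` (not in this diff) hands paste-deploy values back as raw strings rather than coercing them through the `cfg.BoolOpt` type, the string `'False'` is truthy and the opt-out is silently ignored while the catalog keeps flowing. `test_nocatalog` passes a real Python bool and would not catch that. Unless `_conf_get` already coerces by option type, I would normalise here, e.g. `value = self._conf_get('include_service_catalog')` followed by `self.include_service_catalog = value if isinstance(value, bool) else str(value).strip().lower() == 'true'` (or the module's existing bool-from-string helper, if it has one), and add a test case that passes the string form. The enclosing `__init__` starts and ends outside the hunk.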
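Review bot: The `?nocatalog` query changes the shape of the token data Keystone returns, but nothing in this hunk distinguishes the two shapes once the validated data is stored; if validated tokens are cached under a key derived only from the token (the `memcache_*` options earlier in this file suggest a memcache that may be shared across services), a service running with `include_service_catalog = False` can populate the cache with catalog-less token data that another service sharing that memcache with the default `True` then reads, and the `catalog_key in catalog_root` guard in the previous hunk would silently omit X-Service-Catalog for it. This is inferred from the options visible here, not from the cache code, which is outside the diff. I would either fold this option into the cache key or record the constraint next to the existing NOTE: `# NOTE: services sharing a token cache must agree on include_service_catalog; data validated with ?nocatalog carries no catalog`. The enclosing method starts and ends outside the hunk.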
diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py
index 875844f1b..ff6b11503 100644
--- a/keystoneclient/tests/test_auth_token_middleware.py
+++ b/keystoneclient/tests/test_auth_token_middleware.py
@@ -418,6 +418,8 @@ class CommonAuthTokenMiddlewareTest(object):
         self.assertEqual(self.response_status, 200)
         if with_catalog:
             self.assertTrue(req.headers.get('X-Service-Catalog'))
+        else:
+            self.assertNotIn('X-Service-Catalog', req.headers)
         self.assertEqual(body, ['SUCCESS'])
         self.assertTrue('keystone.token_info' in req.environ)
 
@@ -845,6 +847,14 @@ class CommonAuthTokenMiddlewareTest(object):
         self.assertEqual(mock_obj.call_count, times_retry)
 
 
+    def test_nocatalog(self):
+        conf = {
+            'include_service_catalog': False
+        }
+        self.set_middleware(conf=conf)
+        self.assert_valid_request_200(self.token_dict['uuid_token_default'],
+                                      with_catalog=False)
+
 class CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest):
     def setUp(self):