The existing discovery mechanism is geared around allowing users to
create appropriate client objects. It does not provide any means to
query version responses to determine the URLs of available versions.
This patch adds url_for (similar to the functions available on service
catalog) and data_for functions that can do lower level queries for
URLs and version response data.
Because of the client creation functionality the existing discover.py
cannot be imported from within keystoneclient due to cyclical dependency
resolution. The querying functions are therefore added to a private
keystoneclient file and exposed to the original Discover object via
inheritance. This private object can then be used within the
keystoneclient library.
Blueprint: endpoint-version-query
Change-Id: I7e1891536289c57ad3fbe8ef1c6e50b7344d83d5

Some of the client fixtures used for testing were invalid. v2
tokens must have 'access'/'token'/'expires', and v3 tokens must
have 'token'/'expires_at'.
Change-Id: I2614c7deed47c9758c2031418110108308634296
Related-Bug: #1174499

Trusts and service catalog had a few malformed docstrings
that caused warnings when building docs.
Change-Id: Iea8612c3aaebea54c00b02c73c77f0c9e79f86bc
Partial-Bug: #1315523

The auth_token middleware would fail if it couldn't fetch the
revocation list. If the system is configured for UUID tokens then
the revocation list may not be available.
With this fix, the revocation list will only be checked for
cached tokens if the new check_revocations_for_cached option
is set to True.
Also, this change prevents the revocation list from being
checked twice for a PKI token that's validated off-line.
Change-Id: I5408bbe12aefda608ebcb81cf3c7ef068b2bf2f6
Closes-Bug: #1312858

assertDictEqual isn't used, and the assertIsInstance message
should be consistent across versions. This leaves nothing in
AdjustedBaseAuthTokenMiddlewareTest so remove it.
Change-Id: I7d338c9b66c77ff81a79d1a1d5c8ebcc3dd300a2

The sync includes a change that drastically enhances performance on Python
2.6 with fresh simplejson library installed.
The latest commit in oslo-incubator:
- 732bdb6297eb9de81667f7713ebcb1ccc2ee45a7
Change-Id: Ib3dc0b713ed90396919feba018772243b3b9c90f
Closes-Bug: 1314129

There was code in _verify_uuid_token that was not covered by unit
tests. This change increases the coverage.
Change-Id: I63e171a0a8e63ae599c967adc9ff09670063b807
Related-Bug: #1174499

Trusts now have a "remaining_uses" field that tracks how many times
a trust can still issue a token. It is decremented by 1 each time a
trust related authentication occurs (call to /auth/tokens), until it
reaches 0 and no token can be issued through this trust anymore. If
set to null (default value), trusts can be used indefinitely to
authenticate.
This is the client side of the implementation.
Closes-Bug: #1250617
Implements: bp trusts-chained-delegation
Change-Id: Ib035a9772b7f035c3a9af102e8e15a860a96a96d

The auth_token middleware didn't log when a token is rejected
because it's in the revocation list. This adds a log message so
that it's easier to debug problems.
Change-Id: I1388ed04641d209ba2083a1096488edc22267ebe

We need to ensure that tokens won't stay in cache after they have been
revoked.
Changed default revocation_cache_time 300 -> 10 seconds.
revocation_cache_time has to be << than token_cache_time to make token
cache efficient.
Fixes bug #1287301
Change-Id: I14c0eacac3b431c06e40385c891a6636736e5b4a
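
The interaction between the token cache, the cached revocation list and the check_revocations_for_cached option described in the commit messages above can be seen in a small model. This is an added example, not code from keystoneclient or from any of these commits: the Validator class, first_rejection_time and the dict standing in for the identity server are hypothetical, and the 3600-second token cache time is a constructed value.

```python
class Validator:
    """Simplified model: a token cache plus a cached revocation list."""

    def __init__(self, backend, token_cache_time, revocation_cache_time,
                 check_revocations_for_cached=True):
        self.backend = backend  # stand-in identity server: token -> revoked?
        self.token_ttl = token_cache_time
        self.revocation_ttl = revocation_cache_time
        self.check_cached = check_revocations_for_cached
        self.token_cache = {}  # token -> time it was validated online
        self.revoked, self.fetched_at = set(), None

    def _revocation_list(self, now):
        # Refetch only when the cached copy is older than its TTL.
        if self.fetched_at is None or now - self.fetched_at >= self.revocation_ttl:
            self.revoked = {t for t, r in self.backend.items() if r}
            self.fetched_at = now
        return self.revoked

    def validate(self, token, now):
        cached_at = self.token_cache.get(token)
        if cached_at is not None and now - cached_at < self.token_ttl:
            # Cache hit: only the (possibly stale) revocation list can
            # still reject this token before its cache entry expires.
            if self.check_cached and token in self._revocation_list(now):
                del self.token_cache[token]
                return False
            return True
        # Cache miss or expired entry: ask the identity server.
        self.token_cache.pop(token, None)
        if self.backend.get(token, True):  # unknown or revoked
            return False
        self.token_cache[token] = now
        return True


def first_rejection_time(**options):
    """Revoke a cached token just after t=0; return when it is first rejected."""
    backend = {"tok": False}  # constructed sample token, not revoked yet
    v = Validator(backend, **options)
    v.validate("tok", 0)   # online validation, token enters the cache
    v.validate("tok", 0)   # cache hit; revocation list fetched at t=0
    backend["tok"] = True  # token is revoked on the server
    t = 1
    while v.validate("tok", t):
        t += 1
    return t
```

In this model a revoked token is first rejected at t=300 with revocation_cache_time=300 and at t=10 with revocation_cache_time=10. With check_revocations_for_cached=False it stays accepted until its token cache entry expires.
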
This token is used for auth_token testing and is a valid v3 token other
than the catalog which is in v2 format.
Convert the catalog to V3 format. Whilst there pretty print the token so
we can more easily see what's happening.
Change-Id: I893ea6e76f3fcc20b13b331911d7b8288b98991d

Need to make sure that binary and text are both handled correctly for cms calls.
Blueprint: compress-tokens
Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a

The admin_token option shouldn't be used with the auth_token
middleware. It's used to specify a token to be used to perform
operations on the identity server, so would typically be set
to the admin token. The admin token should only be used to
initially set up the Keystone server, and then the admin token
functionality should be disabled. If this recommended setup is
used then the auth_token middleware shouldn't be using the
admin token / auth_token.
In preparing for removal of the admin_token option, the option
is now deprecated. A warning will be logged if it's set.
DocImpact
Change-Id: I5bc4f4a6ad7984892151c8011ccd92f166aba4c2
Closes-Bug: #1306981

When the keystone CLI wound up logging something and --debug
wasn't set, a message was printed that 'No handlers could be
found for logger <whatever>'. This is because Python logging
was only configured when the --debug option was set.
This change makes it so that logging is always configured. If
--debug is used then the level is DEBUG and if it's not used
then the level is WARNING.
Change-Id: Ib01d1072acff0d6ede468b0ecab4f871459014ee
Closes-Bug: #936404

A token generator that can be used by other clients to generate
consistent tokens in their test code.
Change-Id: I05d2632b4c8290c2b1015996769340f0bea16f93
blueprint: share-tokens

Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'. Keep
cms.is_ans1_token() around for backwards compatibility.
Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
Closes-bug: 1306874

There are a number of places where we expect a certain format of
response. If it's not found we often end up raising a KeyError when
accessing data.
Create a new Exception type that is raised when a HTTP response is not
appropriate for parsing and use it within authentication calls.
Closes-Bug: #1307306
Change-Id: I3cf2db07a8e76ee17702130e9efb0edf640d293a

With the move to the apiclient exceptions from oslo the basic HTTP error
class was renamed. This was not reflected in all places in the code.
It was also not picked up by the tests because the apiclient tests
weren't running due to a missing __init__.py file. Because this should
be backwards compatible it was added to the list in exceptions, the
check that this is available is in the (now running) apiclient tests.
Blueprint: common-client-library-2
Change-Id: I307c1083f29e3207cc86aa938043270e5c32b4bb

We need to allow for people adding other stuff to the tokens; however, it
shouldn't be available in the standard case where, for example, a misspelt
variable would be propagated.
This is in line with how v3 is going to handle this same scenario.
Change-Id: I1aad17893574ebc7c3a6b84f4d6ba1cd27932158
Closes-Bug: #1307278