A bit more cleanup to remove melange code, and making the auth code work again.

bin/reddwarf-server

@@ -16,8 +16,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-#TODO(jkoelker) Convert this to an entry_point
-
 import gettext
 import optparse
 import os
@@ -35,12 +33,9 @@ possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
 if os.path.exists(os.path.join(possible_topdir, 'reddwarf', '__init__.py')):
     sys.path.insert(0, possible_topdir)
 
-#from melange import ipv4
-#from melange import mac
 from reddwarf import version
 from reddwarf.common import config
 from reddwarf.common import wsgi
-#from melange.db import db_api
 
 
 def create_options(parser):
@@ -65,7 +60,6 @@ if __name__ == '__main__':
     (options, args) = config.parse_options(oparser)
     try:
         conf, app = config.Config.load_paste_app('reddwarf', options, args)
-        #        db_api.configure_db(conf, ipv4.plugin(), mac.plugin())
         server = wsgi.Server()
         server.start(app, options.get('port', conf['bind_port']),
             conf['bind_host'])

etc/reddwarf/reddwarf.conf.sample

@@ -14,9 +14,9 @@ bind_port = 8779
 # SQLAlchemy connection string for the reference implementation
 # registry server. Any valid SQLAlchemy connection string is fine.
 # See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
-#sql_connection = sqlite:///melange_test.sqlite
-# sql_connection = mysql://root:root@localhost/melange
-#sql_connection = postgresql://melange:melange@localhost/melange
+sql_connection = sqlite:///reddwarf_test.sqlite
+# sql_connection = mysql://root:root@localhost/reddwarf
+#sql_connection = postgresql://reddwarf:reddwarf@localhost/reddwarf
 
 # Period in seconds after which SQLAlchemy should reestablish its connection
 # to the database.
@@ -28,7 +28,7 @@ bind_port = 8779
 sql_idle_timeout = 3600
 
 #DB Api Implementation
-#db_api_implementation = "reddwarf.db.sqlalchemy.api"
+db_api_implementation = "reddwarf.db.sqlalchemy.api"
 
 # Path to the extensions
 api_extensions_path = reddwarf/extensions
@@ -52,7 +52,7 @@ use = call:reddwarf.common.wsgi:versioned_urlmap
 paste.app_factory = reddwarf.versions:app_factory
 
 [pipeline:reddwarfapi]
-pipeline = reddwarfapp
+pipeline = tokenauth authorization reddwarfapp
 #pipeline = debug extensions reddwarfapp
 
 #[filter:extensions]
@@ -62,14 +62,16 @@ pipeline = reddwarfapp
 paste.filter_factory = keystone.middleware.auth_token:filter_factory
 service_protocol = http
 service_host = 127.0.0.1
-service_port = 808
+service_port = 5000
 auth_host = 127.0.0.1
-auth_port = 5001
+auth_port = 35357
 auth_protocol = http
+auth_uri = http://127.0.0.1:5000/
 admin_token = be19c524ddc92109a224
 
-#[filter:authorization]
-#paste.filter_factory = reddwarf.common.auth:AuthorizationMiddleware.factory
+
+[filter:authorization]
+paste.filter_factory = reddwarf.common.auth:AuthorizationMiddleware.factory
 
 [app:reddwarfapp]
 paste.app_factory = reddwarf.database.service:app_factory

reddwarf/__init__.py

@@ -1,7 +1,6 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
+# Copyright 2011 OpenStack LLC.
 # All Rights Reserved.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -15,7 +14,6 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-
 """
 :mod:`reddwarf` -- Cloud PaaS Database Platform
 ===================================
@@ -25,8 +23,3 @@
    :synopsis: Platform-As-A-Service Database Cloud
 .. moduleauthor:: Michael Basnight <mbasnight@gmail.com>
 """
-
-import gettext
-
-
-gettext.install("reddwarf", unicode=1)

reddwarf/common/auth.py

@@ -0,0 +1,70 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2011 OpenStack LLC.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import httplib2
+import logging
+import re
+import webob.exc
+import wsgi
+
+
+LOG = logging.getLogger("reddwarf.common.auth")
+
+
+class AuthorizationMiddleware(wsgi.Middleware):
+
+    def __init__(self, application, auth_providers, **local_config):
+        self.auth_providers = auth_providers
+        LOG.debug("Auth middleware providers: %s" % auth_providers)
+        super(AuthorizationMiddleware, self).__init__(application,
+            **local_config)
+
+    def process_request(self, request):
+        roles = request.headers.get('X_ROLE', '').split(',')
+        LOG.debug("Processing auth request with roles: %s" % roles)
+        tenant_id = request.headers.get('X_TENANT', None)
+        LOG.debug("Processing auth request with tenant_id: %s" % tenant_id)
+        for provider in self.auth_providers:
+            provider.authorize(request, tenant_id, roles)
+
+    @classmethod
+    def factory(cls, global_config, **local_config):
+        def _factory(app):
+            LOG.debug("Created auth middleware with config: %s" % local_config)
+            return cls(app, [TenantBasedAuth()],
+                **local_config)
+        return _factory
+
+
+class TenantBasedAuth(object):
+
+    # The paths differ from melange, so the regex must differ as well, reddwarf starts with a tenant_id
+    tenant_scoped_url = re.compile("/(?P<tenant_id>.*?)/.*")
+
+    def authorize(self, request, tenant_id, roles):
+        if 'admin' in [role.lower() for role in roles]:
+            LOG.debug("Authorized admin request: %s" % request)
+            return True
+        match_for_tenant = self.tenant_scoped_url.match(request.path_info)
+        if (match_for_tenant and
+            tenant_id == match_for_tenant.group('tenant_id')):
+            LOG.debug("Authorized tenant '%(tenant_id)s' request: "
+                      "%(request)s" % locals())
+            return True
+        raise webob.exc.HTTPForbidden(_("User with tenant id %s cannot "
+                                        "access this resource") % tenant_id)
+

reddwarf/openstack/__init__.py

@@ -1 +1,16 @@
-__author__ = 'mbasnight'
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2011 OpenStack LLC.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.

reddwarf/openstack/common/__init__.py

@@ -1 +1,16 @@
-__author__ = 'mbasnight'
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2011 OpenStack LLC.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.