summaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/middleware
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/middleware')
-rw-r--r--keystone-moon/keystone/middleware/__init__.py15
-rw-r--r--keystone-moon/keystone/middleware/core.py240
-rw-r--r--keystone-moon/keystone/middleware/ec2_token.py44
3 files changed, 299 insertions, 0 deletions
diff --git a/keystone-moon/keystone/middleware/__init__.py b/keystone-moon/keystone/middleware/__init__.py
new file mode 100644
index 00000000..efbaa7c9
--- /dev/null
+++ b/keystone-moon/keystone/middleware/__init__.py
@@ -0,0 +1,15 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.middleware.core import * # noqa
diff --git a/keystone-moon/keystone/middleware/core.py b/keystone-moon/keystone/middleware/core.py
new file mode 100644
index 00000000..bf86cd2b
--- /dev/null
+++ b/keystone-moon/keystone/middleware/core.py
@@ -0,0 +1,240 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+from oslo_log import log
+from oslo_middleware import sizelimit
+from oslo_serialization import jsonutils
+import six
+
+from keystone.common import authorization
+from keystone.common import wsgi
+from keystone import exception
+from keystone.i18n import _LW
+from keystone.models import token_model
+from keystone.openstack.common import versionutils
+
+CONF = cfg.CONF
+LOG = log.getLogger(__name__)
+
+
+# Header used to transmit the auth token
+AUTH_TOKEN_HEADER = 'X-Auth-Token'
+
+
+# Header used to transmit the subject token
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+
+
+# Environment variable used to pass the request context
+CONTEXT_ENV = wsgi.CONTEXT_ENV
+
+
+# Environment variable used to pass the request params
+PARAMS_ENV = wsgi.PARAMS_ENV
+
+
+class TokenAuthMiddleware(wsgi.Middleware):
+ def process_request(self, request):
+ token = request.headers.get(AUTH_TOKEN_HEADER)
+ context = request.environ.get(CONTEXT_ENV, {})
+ context['token_id'] = token
+ if SUBJECT_TOKEN_HEADER in request.headers:
+ context['subject_token_id'] = (
+ request.headers.get(SUBJECT_TOKEN_HEADER))
+ request.environ[CONTEXT_ENV] = context
+
+
+class AdminTokenAuthMiddleware(wsgi.Middleware):
+ """A trivial filter that checks for a pre-defined admin token.
+
+ Sets 'is_admin' to true in the context, expected to be checked by
+ methods that are admin-only.
+
+ """
+
+ def process_request(self, request):
+ token = request.headers.get(AUTH_TOKEN_HEADER)
+ context = request.environ.get(CONTEXT_ENV, {})
+ context['is_admin'] = (token == CONF.admin_token)
+ request.environ[CONTEXT_ENV] = context
+
+
+class PostParamsMiddleware(wsgi.Middleware):
+ """Middleware to allow method arguments to be passed as POST parameters.
+
+ Filters out the parameters `self`, `context` and anything beginning with
+ an underscore.
+
+ """
+
+ def process_request(self, request):
+ params_parsed = request.params
+ params = {}
+ for k, v in six.iteritems(params_parsed):
+ if k in ('self', 'context'):
+ continue
+ if k.startswith('_'):
+ continue
+ params[k] = v
+
+ request.environ[PARAMS_ENV] = params
+
+
+class JsonBodyMiddleware(wsgi.Middleware):
+ """Middleware to allow method arguments to be passed as serialized JSON.
+
+ Accepting arguments as JSON is useful for accepting data that may be more
+ complex than simple primitives.
+
+ Filters out the parameters `self`, `context` and anything beginning with
+ an underscore.
+
+ """
+ def process_request(self, request):
+ # Abort early if we don't have any work to do
+ params_json = request.body
+ if not params_json:
+ return
+
+ # Reject unrecognized content types. Empty string indicates
+ # the client did not explicitly set the header
+ if request.content_type not in ('application/json', ''):
+ e = exception.ValidationError(attribute='application/json',
+ target='Content-Type header')
+ return wsgi.render_exception(e, request=request)
+
+ params_parsed = {}
+ try:
+ params_parsed = jsonutils.loads(params_json)
+ except ValueError:
+ e = exception.ValidationError(attribute='valid JSON',
+ target='request body')
+ return wsgi.render_exception(e, request=request)
+ finally:
+ if not params_parsed:
+ params_parsed = {}
+
+ if not isinstance(params_parsed, dict):
+ e = exception.ValidationError(attribute='valid JSON object',
+ target='request body')
+ return wsgi.render_exception(e, request=request)
+
+ params = {}
+ for k, v in six.iteritems(params_parsed):
+ if k in ('self', 'context'):
+ continue
+ if k.startswith('_'):
+ continue
+ params[k] = v
+
+ request.environ[PARAMS_ENV] = params
+
+
+class XmlBodyMiddleware(wsgi.Middleware):
+ """De/serialize XML to/from JSON."""
+
+ def print_warning(self):
+ LOG.warning(_LW('XML support has been removed as of the Kilo release '
+ 'and should not be referenced or used in deployment. '
+ 'Please remove references to XmlBodyMiddleware from '
+ 'your configuration. This compatibility stub will be '
+ 'removed in the L release'))
+
+ def __init__(self, *args, **kwargs):
+ super(XmlBodyMiddleware, self).__init__(*args, **kwargs)
+ self.print_warning()
+
+
+class XmlBodyMiddlewareV2(XmlBodyMiddleware):
+ """De/serialize XML to/from JSON for v2.0 API."""
+
+ def __init__(self, *args, **kwargs):
+ pass
+
+
+class XmlBodyMiddlewareV3(XmlBodyMiddleware):
+ """De/serialize XML to/from JSON for v3 API."""
+
+ def __init__(self, *args, **kwargs):
+ pass
+
+
+class NormalizingFilter(wsgi.Middleware):
+ """Middleware filter to handle URL normalization."""
+
+ def process_request(self, request):
+ """Normalizes URLs."""
+ # Removes a trailing slash from the given path, if any.
+ if (len(request.environ['PATH_INFO']) > 1 and
+ request.environ['PATH_INFO'][-1] == '/'):
+ request.environ['PATH_INFO'] = request.environ['PATH_INFO'][:-1]
+ # Rewrites path to root if no path is given.
+ elif not request.environ['PATH_INFO']:
+ request.environ['PATH_INFO'] = '/'
+
+
+class RequestBodySizeLimiter(sizelimit.RequestBodySizeLimiter):
+ @versionutils.deprecated(
+ versionutils.deprecated.KILO,
+ in_favor_of='oslo_middleware.sizelimit.RequestBodySizeLimiter',
+ remove_in=+1,
+ what='keystone.middleware.RequestBodySizeLimiter')
+ def __init__(self, *args, **kwargs):
+ super(RequestBodySizeLimiter, self).__init__(*args, **kwargs)
+
+
+class AuthContextMiddleware(wsgi.Middleware):
+ """Build the authentication context from the request auth token."""
+
+ def _build_auth_context(self, request):
+ token_id = request.headers.get(AUTH_TOKEN_HEADER).strip()
+
+ if token_id == CONF.admin_token:
+ # NOTE(gyee): no need to proceed any further as the special admin
+ # token is being handled by AdminTokenAuthMiddleware. This code
+ # will not be impacted even if AdminTokenAuthMiddleware is removed
+ # from the pipeline as "is_admin" is default to "False". This code
+ # is independent of AdminTokenAuthMiddleware.
+ return {}
+
+ context = {'token_id': token_id}
+ context['environment'] = request.environ
+
+ try:
+ token_ref = token_model.KeystoneToken(
+ token_id=token_id,
+ token_data=self.token_provider_api.validate_token(token_id))
+ # TODO(gyee): validate_token_bind should really be its own
+ # middleware
+ wsgi.validate_token_bind(context, token_ref)
+ return authorization.token_to_auth_context(token_ref)
+ except exception.TokenNotFound:
+ LOG.warning(_LW('RBAC: Invalid token'))
+ raise exception.Unauthorized()
+
+ def process_request(self, request):
+ if AUTH_TOKEN_HEADER not in request.headers:
+ LOG.debug(('Auth token not in the request header. '
+ 'Will not build auth context.'))
+ return
+
+ if authorization.AUTH_CONTEXT_ENV in request.environ:
+ msg = _LW('Auth context already exists in the request environment')
+ LOG.warning(msg)
+ return
+
+ auth_context = self._build_auth_context(request)
+ LOG.debug('RBAC: auth_context: %s', auth_context)
+ request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
diff --git a/keystone-moon/keystone/middleware/ec2_token.py b/keystone-moon/keystone/middleware/ec2_token.py
new file mode 100644
index 00000000..771b74f8
--- /dev/null
+++ b/keystone-moon/keystone/middleware/ec2_token.py
@@ -0,0 +1,44 @@
+# Copyright 2012 OpenStack Foundation
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""
+Starting point for routing EC2 requests.
+
+The EC2 Token Middleware has been deprecated as of Juno. It has been moved into
+keystonemiddleware, `keystonemiddleware.ec2_token`.
+
+"""
+
+from keystonemiddleware import ec2_token
+
+from keystone.openstack.common import versionutils
+
+
+class EC2Token(ec2_token.EC2Token):
+
+ @versionutils.deprecated(
+ versionutils.deprecated.JUNO,
+ in_favor_of='keystonemiddleware.ec2_token.EC2Token',
+ remove_in=+2,
+ what='keystone.middleware.ec2_token.EC2Token')
+ def __init__(self, *args, **kwargs):
+ super(EC2Token, self).__init__(*args, **kwargs)
+
+
+filter_factory = ec2_token.filter_factory
+app_factory = ec2_token.app_factory
+keystone_ec2_opts = ec2_token.keystone_ec2_opts