11 files changed, 1062 insertions, 0 deletions
diff --git a/keystonemiddleware-moon/doc/.gitignore b/keystonemiddleware-moon/doc/.gitignore
new file mode 100644
index 00000000..edde2181
--- /dev/null
+++ b/keystonemiddleware-moon/doc/.gitignore
@@ -0,0 +1,2 @@
+build/
+source/api/
diff --git a/keystonemiddleware-moon/doc/Makefile b/keystonemiddleware-moon/doc/Makefile
new file mode 100644
index 00000000..84f00bd5
--- /dev/null
+++ b/keystonemiddleware-moon/doc/Makefile
@@ -0,0 +1,90 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS    =
+SPHINXBUILD   = sphinx-build
+SPHINXSOURCE  = source
+PAPER         =
+BUILDDIR      = build
+
+# Internal variables.
+PAPEROPT_a4     = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) $(SPHINXSOURCE)
+
+.PHONY: help clean html dirhtml pickle json htmlhelp qthelp latex changes linkcheck doctest
+
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "  html      to make standalone HTML files"
+	@echo "  dirhtml   to make HTML files named index.html in directories"
+	@echo "  pickle    to make pickle files"
+	@echo "  json      to make JSON files"
+	@echo "  htmlhelp  to make HTML files and a HTML help project"
+	@echo "  qthelp    to make HTML files and a qthelp project"
+	@echo "  latex     to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo "  changes   to make an overview of all changed/added/deprecated items"
+	@echo "  linkcheck to check all external links for integrity"
+	@echo "  doctest   to run all doctests embedded in the documentation (if enabled)"
+
+clean:
+	-rm -rf $(BUILDDIR)/*
+
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/keystonemiddleware.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/keystonemiddleware.qhc"
+
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make all-pdf' or \`make all-ps' in that directory to" \
+	      "run these through (pdf)latex."
+
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
diff --git a/keystonemiddleware-moon/doc/ext/__init__.py b/keystonemiddleware-moon/doc/ext/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/keystonemiddleware-moon/doc/ext/__init__.py
diff --git a/keystonemiddleware-moon/doc/ext/apidoc.py b/keystonemiddleware-moon/doc/ext/apidoc.py
new file mode 100644
index 00000000..2575f422
--- /dev/null
+++ b/keystonemiddleware-moon/doc/ext/apidoc.py
@@ -0,0 +1,46 @@
+# Copyright 2014 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and remove this
+# Sphinx extension when https://launchpad.net/bugs/1260495 is fixed.
+
+import os.path as path
+
+from sphinx import apidoc
+
+
+# NOTE(blk-u): pbr will run Sphinx multiple times when it generates
+# documentation. Once for each builder. To run this extension we use the
+# 'builder-inited' hook that fires at the beginning of a Sphinx build.
+# We use ``run_already`` to make sure apidocs are only generated once
+# even if Sphinx is run multiple times.
+run_already = False
+
+
+def run_apidoc(app):
+    global run_already
+    if run_already:
+        return
+    run_already = True
+
+    package_dir = path.abspath(path.join(app.srcdir, '..', '..',
+                                         'keystonemiddleware'))
+    source_dir = path.join(app.srcdir, 'api')
+    apidoc.main(['apidoc', package_dir, '-f',
+                 '-H', 'keystonemiddleware Modules',
+                 '-o', source_dir])
+
+
+def setup(app):
+    app.connect('builder-inited', run_apidoc)
diff --git a/keystonemiddleware-moon/doc/source/audit.rst b/keystonemiddleware-moon/doc/source/audit.rst
new file mode 100644
index 00000000..d23f8168
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/audit.rst
@@ -0,0 +1,81 @@
+..
+      Copyright 2014 IBM Corp
+
+      Licensed under the Apache License, Version 2.0 (the "License"); you may
+      not use this file except in compliance with the License. You may obtain
+      a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+      License for the specific language governing permissions and limitations
+      under the License.
+
+.. _middleware:
+
+=================
+ Audit middleware
+=================
+
+The Keystone middleware library provides an optional WSGI middleware filter
+which allows the ability to audit API requests for each component of OpenStack.
+
+The audit middleware filter utilises environment variables to build the CADF
+event.
+
+.. figure:: ./images/audit.png
+   :width: 100%
+   :align: center
+   :alt: Figure 1: Audit middleware in Nova pipeline
+
+The figure above shows the middleware in Nova's pipeline.
+
+Enabling audit middleware
+=========================
+To enable auditing, oslo.messaging_ should be installed. If not, the middleware
+will log the audit event instead. Auditing can be enabled for a specific
+project by editing the project's api-paste.ini file to include the following
+filter definition:
+
+::
+
+   [filter:audit]
+   paste.filter_factory = keystonemiddleware.audit:filter_factory
+   audit_map_file = /etc/nova/api_audit_map.conf
+
+The filter should be included after Keystone middleware's auth_token middleware
+so it can utilise environment variables set by auth_token. Below is an example
+using Nova's WSGI pipeline::
+
+   [composite:openstack_compute_api_v2]
+   use = call:nova.api.auth:pipeline_factory
+   noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
+   keystone = faultwrap sizelimit authtoken keystonecontext ratelimit audit osapi_compute_app_v2
+   keystone_nolimit = faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v2
+
+.. _oslo.messaging: http://www.github.com/openstack/oslo.messaging
+
+Configure audit middleware
+==========================
+To properly audit api requests, the audit middleware requires an
+api_audit_map.conf to be defined. The project's corresponding
+api_audit_map.conf file is included in the `pyCADF library`_.
+
+The location of the mapping file should be specified explicitly by adding the
+path to the 'audit_map_file' option of the filter definition::
+
+   [filter:audit]
+   paste.filter_factory = keystonemiddleware.audit:filter_factory
+   audit_map_file = /etc/nova/api_audit_map.conf
+
+Additional options can be set::
+
+   [filter:audit]
+   paste.filter_factory = pycadf.middleware.audit:filter_factory
+   audit_map_file = /etc/nova/api_audit_map.conf
+   service_name = test # opt to set HTTP_X_SERVICE_NAME environ variable
+   ignore_req_list = GET,POST # opt to ignore specific requests
+
+.. _pyCADF library: https://github.com/openstack/pycadf/tree/master/etc/pycadf
diff --git a/keystonemiddleware-moon/doc/source/conf.py b/keystonemiddleware-moon/doc/source/conf.py
new file mode 100644
index 00000000..069382be
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/conf.py
@@ -0,0 +1,237 @@
+# -*- coding: utf-8 -*-
+#
+# keystonemiddleware documentation build configuration file, created by
+# sphinx-quickstart on Sun Dec  6 14:19:25 2009.
+#
+# This file is execfile()d with the current directory set to its containing
+# dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+from __future__ import unicode_literals
+
+import os
+import sys
+
+import pbr.version
+
+
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__),
+                '..', '..')))
+
+# NOTE(blk-u): Path for our Sphinx extension, remove when
+# https://launchpad.net/bugs/1260495 is fixed.
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__),
+                '..')))
+
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.append(os.path.abspath('.'))
+
+# -- General configuration ----------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['sphinx.ext.autodoc',
+              'sphinx.ext.todo',
+              'sphinx.ext.coverage',
+              'sphinx.ext.intersphinx',
+              # NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and
+              # remove this Sphinx extension when
+              # https://launchpad.net/bugs/1260495 is fixed.
+              'ext.apidoc',
+              'oslosphinx'
+             ]
+
+todo_include_todos = True
+
+# Add any paths that contain templates here, relative to this directory.
+#templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = 'keystonemiddleware'
+copyright = 'OpenStack Contributors'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+version_info = pbr.version.VersionInfo('keystonemiddleware')
+# The short X.Y version.
+version = version_info.version_string()
+# The full version, including alpha/beta/rc tags.
+release = version_info.release_string()
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of documents that shouldn't be included in the build.
+#unused_docs = []
+
+# List of directories, relative to source directory, that shouldn't be searched
+# for source files.
+exclude_trees = []
+
+# The reST default role (used for this markup: `text`) to use for all
+# documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+# Grouping the document tree for man pages.
+# List of tuples 'sourcefile', 'target', 'title', 'Authors name', 'manual'
+
+man_pages = []
+
+# -- Options for HTML output --------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  Major themes that come with
+# Sphinx are currently 'default' and 'sphinxdoc'.
+#html_theme_path = ["."]
+#html_theme = '_theme'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+#html_static_path = ['static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+git_cmd = "git log --pretty=format:'%ad, commit %h' --date=local -n1"
+html_last_updated_fmt = os.popen(git_cmd).read()
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_use_modindex = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = ''
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'keystonemiddlewaredoc'
+
+
+# -- Options for LaTeX output -------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+#latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+#latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual])
+# .
+latex_documents = [
+    ('index', 'keystonmiddleware.tex',
+     'keystonemiddleware Documentation',
+     'Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss',
+     'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# Additional stuff for the LaTeX preamble.
+#latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_use_modindex = True
+
+keystoneclient = 'http://docs.openstack.org/developer/python-keystoneclient/'
+
+intersphinx_mapping = {'keystoneclient': (keystoneclient, None),
+                       }
diff --git a/keystonemiddleware-moon/doc/source/images/audit.png b/keystonemiddleware-moon/doc/source/images/audit.png
new file mode 100644
index 00000000..5c2b1305
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/images/audit.png
diff --git a/keystonemiddleware-moon/doc/source/images/graphs_authComp.svg b/keystonemiddleware-moon/doc/source/images/graphs_authComp.svg
new file mode 100644
index 00000000..6be629c1
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/images/graphs_authComp.svg
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
+ -->
+<!-- Title: AuthComp Pages: 1 -->
+<svg width="510pt" height="118pt"
+ viewBox="0.00 0.00 510.00 118.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 114)">
+<title>AuthComp</title>
+<polygon fill="white" stroke="white" points="-4,5 -4,-114 507,-114 507,5 -4,5"/>
+<!-- AuthComp -->
+<g id="node2" class="node"><title>AuthComp</title>
+<polygon fill="#fdefe3" stroke="#c00000" points="292,-65 194,-65 194,-25 292,-25 292,-65"/>
+<text text-anchor="middle" x="243" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
+<text text-anchor="middle" x="243" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
+</g>
+<!-- Reject -->
+<!-- AuthComp&#45;&gt;Reject -->
+<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Reject</title>
+<path fill="none" stroke="black" d="M193.933,-51.2787C157.514,-55.939 108.38,-62.2263 73.8172,-66.649"/>
+<polygon fill="black" stroke="black" points="73.0637,-63.2168 63.5888,-67.9578 73.9522,-70.1602 73.0637,-63.2168"/>
+<text text-anchor="middle" x="129" y="-97.4" font-family="Times,serif" font-size="14.00">Reject</text>
+<text text-anchor="middle" x="129" y="-82.4" font-family="Times,serif" font-size="14.00">Unauthenticated</text>
+<text text-anchor="middle" x="129" y="-67.4" font-family="Times,serif" font-size="14.00">Requests</text>
+</g>
+<!-- Service -->
+<g id="node6" class="node"><title>Service</title>
+<polygon fill="#d1ebf1" stroke="#1f477d" points="502,-65 408,-65 408,-25 502,-25 502,-65"/>
+<text text-anchor="middle" x="455" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
+<text text-anchor="middle" x="455" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
+</g>
+<!-- AuthComp&#45;&gt;Service -->
+<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
+<path fill="none" stroke="black" d="M292.17,-45C323.626,-45 364.563,-45 397.52,-45"/>
+<polygon fill="black" stroke="black" points="397.917,-48.5001 407.917,-45 397.917,-41.5001 397.917,-48.5001"/>
+<text text-anchor="middle" x="350" y="-77.4" font-family="Times,serif" font-size="14.00">Forward</text>
+<text text-anchor="middle" x="350" y="-62.4" font-family="Times,serif" font-size="14.00">Authenticated</text>
+<text text-anchor="middle" x="350" y="-47.4" font-family="Times,serif" font-size="14.00">Requests</text>
+</g>
+<!-- Start -->
+<!-- Start&#45;&gt;AuthComp -->
+<g id="edge7" class="edge"><title>Start&#45;&gt;AuthComp</title>
+<path fill="none" stroke="black" d="M59.1526,-21.4745C90.4482,-25.4792 142.816,-32.1802 183.673,-37.4084"/>
+<polygon fill="black" stroke="black" points="183.43,-40.9057 193.793,-38.7034 184.318,-33.9623 183.43,-40.9057"/>
+</g>
+</g>
+</svg>
diff --git a/keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg b/keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg
new file mode 100644
index 00000000..4788829a
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
+ -->
+<!-- Title: AuthCompDelegate Pages: 1 -->
+<svg width="588pt" height="104pt"
+ viewBox="0.00 0.00 588.00 104.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 100)">
+<title>AuthCompDelegate</title>
+<polygon fill="white" stroke="white" points="-4,5 -4,-100 585,-100 585,5 -4,5"/>
+<!-- AuthComp -->
+<g id="node2" class="node"><title>AuthComp</title>
+<polygon fill="#fdefe3" stroke="#c00000" points="338,-65 240,-65 240,-25 338,-25 338,-65"/>
+<text text-anchor="middle" x="289" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
+<text text-anchor="middle" x="289" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
+</g>
+<!-- Reject -->
+<!-- AuthComp&#45;&gt;Reject -->
+<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Reject</title>
+<path fill="none" stroke="black" d="M239.6,-50.1899C191.406,-55.2531 118.917,-62.8686 73.5875,-67.6309"/>
+<polygon fill="black" stroke="black" points="73.0928,-64.1635 63.5132,-68.6893 73.8242,-71.1252 73.0928,-64.1635"/>
+<text text-anchor="middle" x="152" y="-83.4" font-family="Times,serif" font-size="14.00">Reject Requests</text>
+<text text-anchor="middle" x="152" y="-68.4" font-family="Times,serif" font-size="14.00">Indicated by the Service</text>
+</g>
+<!-- Service -->
+<g id="node6" class="node"><title>Service</title>
+<polygon fill="#d1ebf1" stroke="#1f477d" points="580,-65 486,-65 486,-25 580,-25 580,-65"/>
+<text text-anchor="middle" x="533" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
+<text text-anchor="middle" x="533" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
+</g>
+<!-- AuthComp&#45;&gt;Service -->
+<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
+<path fill="none" stroke="black" d="M338.009,-49.0804C344.065,-49.4598 350.172,-49.7828 356,-50 405.743,-51.8535 418.259,-51.9103 468,-50 470.523,-49.9031 473.101,-49.7851 475.704,-49.6504"/>
+<polygon fill="black" stroke="black" points="476.03,-53.1374 485.807,-49.0576 475.62,-46.1494 476.03,-53.1374"/>
+<text text-anchor="middle" x="412" y="-68.4" font-family="Times,serif" font-size="14.00">Forward Requests</text>
+<text text-anchor="middle" x="412" y="-53.4" font-family="Times,serif" font-size="14.00">with Identiy Status</text>
+</g>
+<!-- Service&#45;&gt;AuthComp -->
+<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
+<path fill="none" stroke="black" d="M495.062,-24.9037C486.397,-21.2187 477.064,-17.9304 468,-16 419.314,-5.63183 404.743,-5.9037 356,-16 349.891,-17.2653 343.655,-19.116 337.566,-21.2803"/>
+<polygon fill="black" stroke="black" points="336.234,-18.0426 328.158,-24.9003 338.748,-24.5757 336.234,-18.0426"/>
+<text text-anchor="middle" x="412" y="-33.4" font-family="Times,serif" font-size="14.00">Send Response OR</text>
+<text text-anchor="middle" x="412" y="-18.4" font-family="Times,serif" font-size="14.00">Reject Message</text>
+</g>
+<!-- Start -->
+<!-- Start&#45;&gt;AuthComp -->
+<g id="edge9" class="edge"><title>Start&#45;&gt;AuthComp</title>
+<path fill="none" stroke="black" d="M59.0178,-20.8384C99.2135,-25.0613 175.782,-33.1055 229.492,-38.7482"/>
+<polygon fill="black" stroke="black" points="229.265,-42.2435 239.576,-39.8076 229.997,-35.2818 229.265,-42.2435"/>
+</g>
+</g>
+</svg>
diff --git a/keystonemiddleware-moon/doc/source/index.rst b/keystonemiddleware-moon/doc/source/index.rst
new file mode 100644
index 00000000..9092ec79
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/index.rst
@@ -0,0 +1,46 @@
+Python Middleware for OpenStack Identity API (Keystone)
+=======================================================
+
+This is the middleware provided for integrating with the OpenStack
+Identity API and handling authorization enforcement based upon the
+data within the OpenStack Identity tokens. Also included is middleware that
+provides the ability to create audit events based on API requests.
+
+Contents:
+
+.. toctree::
+   :maxdepth: 1
+
+   middlewarearchitecture
+   audit
+
+Related Identity Projects
+=========================
+
+In addition to creating the Python Middleware for OpenStack Identity
+API, the Keystone team also provides `Identity Service`_, as well as
+`Python Client Library`_.
+
+.. _`Identity Service`: http://docs.openstack.org/developer/keystone/
+.. _`Python Client Library`: http://docs.openstack.org/developer/python-keystoneclient/
+
+Contributing
+============
+
+Code is hosted `on GitHub`_. Submit bugs to the Keystone project on
+`Launchpad`_. Submit code to the ``openstack/keystonemiddleware`` project
+using `Gerrit`_.
+
+.. _on GitHub: https://github.com/openstack/keystonemiddleware
+.. _Launchpad: https://launchpad.net/keystonemiddleware
+.. _Gerrit: http://docs.openstack.org/infra/manual/developers.html#development-workflow
+
+Run tests with ``python setup.py test``.
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+
diff --git a/keystonemiddleware-moon/doc/source/middlewarearchitecture.rst b/keystonemiddleware-moon/doc/source/middlewarearchitecture.rst
new file mode 100644
index 00000000..e02aad45
--- /dev/null
+++ b/keystonemiddleware-moon/doc/source/middlewarearchitecture.rst
@@ -0,0 +1,459 @@
+..
+      Copyright 2011-2013 OpenStack Foundation
+      All Rights Reserved.
+
+      Licensed under the Apache License, Version 2.0 (the "License"); you may
+      not use this file except in compliance with the License. You may obtain
+      a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+      License for the specific language governing permissions and limitations
+      under the License.
+
+=======================
+Middleware Architecture
+=======================
+
+Abstract
+========
+
+The Keystone middleware architecture supports a common authentication protocol
+in use between the OpenStack projects. By using keystone as a common
+authentication and authorization mechanism, the OpenStack project can plug in
+to existing authentication and authorization systems in use by existing
+environments.
+
+In this document, we describe the architecture and responsibilities of the
+authentication middleware which acts as the internal API mechanism for
+OpenStack projects based on the WSGI standard.
+
+This documentation describes the implementation in
+:class:`keystonemiddleware.auth_token`
+
+Specification Overview
+======================
+
+'Authentication' is the process of determining that users are who they say they
+are. Typically, 'authentication protocols' such as HTTP Basic Auth, Digest
+Access, public key, token, etc, are used to verify a user's identity. In this
+document, we define an ''authentication component'' as a software module that
+implements an authentication protocol for an OpenStack service. OpenStack is
+using a token based mechanism to represent authentication and authorization.
+
+At a high level, an authentication middleware component is a proxy that
+intercepts HTTP calls from clients and populates HTTP headers in the request
+context for other WSGI middleware or applications to use. The general flow
+of the middleware processing is:
+
+* clear any existing authorization headers to prevent forgery
+* collect the token from the existing HTTP request headers
+* validate the token
+
+  * if valid, populate additional headers representing the identity that has
+    been authenticated and authorized
+  * if invalid, or no token present, reject the request (HTTPUnauthorized)
+    or pass along a header indicating the request is unauthorized (configurable
+    in the middleware)
+  * if the keystone service is unavailable to validate the token, reject
+    the request with HTTPServiceUnavailable.
+
+.. _authComponent:
+
+Authentication Component
+------------------------
+
+Figure 1. Authentication Component
+
+.. image:: images/graphs_authComp.svg
+   :width: 100%
+   :height: 180
+   :alt: An Authentication Component
+
+The middleware may also be configured to operate in a 'delegated mode'.
+In this mode, the decision to reject an unauthenticated client is delegated to
+the OpenStack service, as illustrated in :ref:`authComponentDelegated`.
+
+Here, requests are forwarded to the OpenStack service with an identity status
+message that indicates whether the client's identity has been confirmed or is
+indeterminate. It is the OpenStack service that decides whether or not a reject
+message should be sent to the client.
+
+.. _authComponentDelegated:
+
+Authentication Component (Delegated Mode)
+-----------------------------------------
+
+Figure 2. Authentication Component (Delegated Mode)
+
+.. image:: images/graphs_authCompDelegate.svg
+   :width: 100%
+   :height: 180
+   :alt: An Authentication Component (Delegated Mode)
+
+.. _deployStrategies:
+
+Deployment Strategy
+===================
+
+The middleware is intended to be used inline with OpenStack wsgi components,
+based on the Oslo WSGI middleware class. It is typically deployed
+as a configuration element in a paste configuration pipeline of other
+middleware components, with the pipeline terminating in the service
+application. The middleware conforms to the python WSGI standard [PEP-333]_.
+In initializing the middleware, a configuration item (which acts like a python
+dictionary) is passed to the middleware with relevant configuration options.
+
+Configuration
+-------------
+
+The middleware is configured within the config file of the main application as
+a WSGI component. Example for the auth_token middleware:
+
+.. code-block:: ini
+
+    [app:myService]
+    paste.app_factory = myService:app_factory
+
+    [pipeline:main]
+    pipeline = authtoken myService
+
+    [filter:authtoken]
+    paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+    # Prefix to prepend at the beginning of the path (string
+    # value)
+    #auth_admin_prefix=
+
+    # Host providing the admin Identity API endpoint (string
+    # value)
+    auth_host=127.0.0.1
+
+    # Port of the admin Identity API endpoint (integer value)
+    auth_port=35357
+
+    # Protocol of the admin Identity API endpoint(http or https)
+    # (string value)
+    auth_protocol=https
+
+    # Complete public Identity API endpoint (string value)
+    #auth_uri=<None>
+
+    # API version of the admin Identity API endpoint (string
+    # value)
+    #auth_version=<None>
+
+    # Do not handle authorization requests within the middleware,
+    # but delegate the authorization decision to downstream WSGI
+    # components (boolean value)
+    #delay_auth_decision=false
+
+    # Request timeout value for communicating with Identity API
+    # server. (boolean value)
+    #http_connect_timeout=<None>
+
+    # How many times are we trying to reconnect when communicating
+    # with Identity API Server. (integer value)
+    #http_request_max_retries=3
+
+    # Single shared secret with the Keystone configuration used
+    # for bootstrapping a Keystone installation, or otherwise
+    # bypassing the normal authentication process. (string value)
+    #admin_token=<None>
+
+    # Keystone account username (string value)
+    #admin_user=<None>
+
+    # Keystone account password (string value)
+    admin_password=SuperSekretPassword
+
+    # Keystone service account tenant name to validate user tokens
+    # (string value)
+    #admin_tenant_name=admin
+
+    # Env key for the swift cache (string value)
+    #cache=<None>
+
+    # Required if Keystone server requires client certificate
+    # (string value)
+    #certfile=<None>
+
+    # Required if Keystone server requires client certificate
+    # (string value)
+    #keyfile=<None>
+
+    # A PEM encoded Certificate Authority to use when verifying
+    # HTTPs connections. Defaults to system CAs. (string value)
+    #cafile=<None>
+
+    # Verify HTTPS connections. (boolean value)
+    #insecure=false
+
+    # Directory used to cache files related to PKI tokens (string
+    # value)
+    #signing_dir=<None>
+
+    # If defined, the memcache server(s) to use for caching (list
+    # value)
+    # Deprecated group/name - [DEFAULT]/memcache_servers
+    #memcached_servers=<None>
+
+    # In order to prevent excessive requests and validations, the
+    # middleware uses an in-memory cache for the tokens the
+    # Keystone API returns. This is only valid if memcache_servers
+    # is defined. Set to -1 to disable caching completely.
+    # (integer value)
+    #token_cache_time=300
+
+    # Value only used for unit testing (integer value)
+    #revocation_cache_time=1
+
+    # (optional) if defined, indicate whether token data should be
+    # authenticated or authenticated and encrypted. Acceptable
+    # values are MAC or ENCRYPT.  If MAC, token data is
+    # authenticated (with HMAC) in the cache. If ENCRYPT, token
+    # data is encrypted and authenticated in the cache. If the
+    # value is not one of these options or empty, auth_token will
+    # raise an exception on initialization. (string value)
+    #memcache_security_strategy=<None>
+
+    # (optional, mandatory if memcache_security_strategy is
+    # defined) this string is used for key derivation. (string
+    # value)
+    #memcache_secret_key=<None>
+
+    # (optional) indicate whether to set the X-Service-Catalog
+    # header. If False, middleware will not ask for service
+    # catalog on token validation and will not set the X-Service-
+    # Catalog header. (boolean value)
+    #include_service_catalog=true
+
+    # Used to control the use and type of token binding. Can be
+    # set to: "disabled" to not check token binding. "permissive"
+    # (default) to validate binding information if the bind type
+    # is of a form known to the server and ignore it if not.
+    # "strict" like "permissive" but if the bind type is unknown
+    # the token will be rejected. "required" any form of token
+    # binding is needed to be allowed. Finally the name of a
+    # binding method that must be present in tokens. (string
+    # value)
+    #enforce_token_bind=permissive
+
+For services which have a separate paste-deploy ini file, auth_token middleware
+can be alternatively configured in [keystone_authtoken] section in the main
+config file. For example in Nova, all middleware parameters can be removed
+from ``api-paste.ini``:
+
+.. code-block:: ini
+
+    [filter:authtoken]
+    paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+and set in ``nova.conf``:
+
+.. code-block:: ini
+
+    [DEFAULT]
+    auth_strategy=keystone
+
+    [keystone_authtoken]
+    auth_host = 127.0.0.1
+    auth_port = 35357
+    auth_protocol = http
+    admin_user = admin
+    admin_password = SuperSekretPassword
+    admin_tenant_name = service
+    # Any of the options that could be set in api-paste.ini can be set here.
+
+Note that middleware parameters in paste config take priority, they must be
+removed to use values in [keystone_authtoken] section.
+
+Configuration Options
+---------------------
+
+* ``auth_admin_prefix``: Prefix to prepend at the beginning of the path
+* ``auth_host``: (required) the host providing the keystone service API endpoint
+  for validating and requesting tokens
+* ``auth_port``: (optional, default `35357`) the port used to validate tokens
+* ``auth_protocol``: (optional, default `https`)
+* ``auth_uri``: (optional, defaults to
+  `auth_protocol`://`auth_host`:`auth_port`)
+* ``auth_version``: API version of the admin Identity API endpoint
+* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware
+  will not reject invalid auth requests, but will delegate that decision to
+  downstream WSGI components.
+* ``http_connect_timeout``: (optional) Request timeout value for communicating
+  with Identity API server.
+* ``http_request_max_retries``: (default 3) How many times are we trying to
+  reconnect when communicating with Identity API Server.
+* ``http_handler``: (optional) Allows to pass in the name of a fake
+  http_handler callback function used instead of `httplib.HTTPConnection` or
+  `httplib.HTTPSConnection`. Useful for unit testing where network is not
+  available.
+
+* ``admin_token``: either this or the following three options are required. If
+  set, this is a single shared secret with the keystone configuration used to
+  validate tokens.
+* ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token``
+  is not set, or invalid, then admin_user, admin_password, and
+  admin_tenant_name are defined as a service account which is expected to have
+  been previously configured in Keystone to validate user tokens.
+
+* ``cache``: (optional) Env key for the swift cache
+
+* ``certfile``: (required, if Keystone server requires client cert)
+* ``keyfile``: (required, if Keystone server requires client cert)  This can be
+  the same as the certfile if the certfile includes the private key.
+* ``cafile``: (optional, defaults to use system CA bundle) the path to a PEM
+  encoded CA file/bundle that will be used to verify HTTPS connections.
+* ``insecure``: (optional, default `False`) Don't verify HTTPS connections
+  (overrides `cafile`).
+
+* ``signing_dir``: (optional) Directory used to cache files related to PKI
+  tokens
+
+* ``memcached_servers``: (optional) If defined, the memcache server(s) to use
+  for caching
+* ``token_cache_time``: (default 300) In order to prevent excessive requests
+  and validations, the middleware uses an in-memory cache for the tokens the
+  Keystone API returns. This is only valid if memcache_servers s defined. Set
+  to -1 to disable caching completely.
+* ``memcache_security_strategy``: (optional) if defined, indicate whether token
+  data should be authenticated or authenticated and encrypted. Acceptable
+  values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC)
+  in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+  cache. If the value is not one of these options or empty, auth_token will
+  raise an exception on initialization.
+* ``memcache_secret_key``: (mandatory if memcache_security_strategy is defined)
+   this string is used for key derivation.
+* ``include_service_catalog``: (optional, default `True`) Indicate whether to
+  set the X-Service-Catalog header. If False, middleware will not ask for
+  service catalog on token validation and will not set the X-Service-Catalog
+  header.
+* ``enforce_token_bind``: (default ``permissive``) Used to control the use and
+  type of token binding. Can be set to: "disabled" to not check token binding.
+  "permissive" (default) to validate binding information if the bind type is of
+  a form known to the server and ignore it if not. "strict" like "permissive"
+  but if the bind type is unknown the token will be rejected. "required" any
+  form of token binding is needed to be allowed. Finally the name of a binding
+  method that must be present in tokens.
+
+Caching for improved response
+-----------------------------
+
+In order to prevent excessive requests and validations, the middleware uses an
+in-memory cache for the tokens the keystone API returns. Keep in mind that
+invalidated tokens may continue to work if they are still in the token cache,
+so token_cache_time is configurable. For larger deployments, the middleware
+also supports memcache based caching.
+
+* ``memcached_servers``: (optonal) if defined, the memcache server(s) to use for
+  cacheing. It will be ignored if Swift MemcacheRing is used instead.
+* ``token_cache_time``: (optional, default 300 seconds) Set to -1 to disable
+  caching completely.
+
+When deploying auth_token middleware with Swift, user may elect
+to use Swift MemcacheRing instead of the local Keystone memcache.
+The Swift MemcacheRing object is passed in from the request environment
+and it defaults to 'swift.cache'. However it could be
+different, depending on deployment. To use Swift MemcacheRing, you must
+provide the ``cache`` option.
+
+* ``cache``: (optional) if defined, the environment key where the Swift
+  MemcacheRing object is stored.
+
+Memcached dependencies
+======================
+
+In order to use `memcached`_ it is necessary to install the `python-memcached`_
+library. If data stored in `memcached`_ will need to be encrypted it is also
+necessary to install the `pycrypto`_ library. These libs are not listed in
+the requirements.txt file.
+
+.. _`memcached`: http://memcached.org/
+.. _`python-memcached`: https://pypi.python.org/pypi/python-memcached
+.. _`pycrypto`: https://pypi.python.org/pypi/pycrypto
+
+Memcached and System Time
+=========================
+
+When using `memcached`_ with ``auth_token`` middleware, ensure that the system
+time of memcached hosts is set to UTC. Memcached uses the host's system
+time in determining whether a key has expired, whereas Keystone sets
+key expiry in UTC.  The timezone used by Keystone and memcached must
+match if key expiry is to behave as expected.
+
+Memcache Protection
+===================
+
+When using memcached, we are storing user tokens and token validation
+information into the cache as raw data. Which means that anyone who
+has access to the memcache servers can read and modify data stored
+there. To mitigate this risk, ``auth_token`` middleware provides an
+option to authenticate and optionally encrypt the token data stored in
+the cache.
+
+* ``memcache_security_strategy``: (optional) if defined, indicate
+  whether token data should be authenticated or authenticated and
+  encrypted. Acceptable values are ``MAC`` or ``ENCRYPT``. If ``MAC``,
+  token data is authenticated (with HMAC) in the cache. If
+  ``ENCRYPT``, token data is encrypted and authenticated in the
+  cache. If the value is not one of these options or empty,
+  ``auth_token`` will raise an exception on initialization.
+* ``memcache_secret_key``: (optional, mandatory if
+  ``memcache_security_strategy`` is defined) this string is used for
+  key derivation. If ``memcache_security_strategy`` is defined and
+  ``memcache_secret_key`` is absent, ``auth_token`` will raise an
+  exception on initialization.
+
+Exchanging User Information
+===========================
+
+The middleware expects to find a token representing the user with the header
+``X-Auth-Token`` or ``X-Storage-Token``. `X-Storage-Token` is supported for
+swift/cloud files and for legacy Rackspace use. If the token isn't present and
+the middleware is configured to not delegate auth responsibility, it will
+respond to the HTTP request with HTTPUnauthorized, returning the header
+``WWW-Authenticate`` with the value `Keystone uri='...'` to indicate where to
+request a token. The auth_uri returned is configured  with the middleware.
+
+The authentication middleware extends the HTTP request with the header
+``X-Identity-Status``.  If a request is successfully authenticated, the value
+is set to `Confirmed`. If the middleware is delegating the auth decision to the
+service, then the status is set to `Invalid` if the auth request was
+unsuccessful.
+
+An ``X-Service-Token`` header may also be included with a request. If present,
+and the value of ``X-Auth-Token`` or ``X-Storage-Token`` has not caused the
+request to be denied, then the middleware will attempt to validate the value of
+``X-Service-Token``. If valid, the authentication middleware extends the HTTP
+request with the header ``X-Service-Identity-Status`` having value `Confirmed`
+and also extends the request with additional headers representing the identity
+authenticated and authorised by the token.
+
+If ``X-Service-Token`` is present and its value is invalid and the
+``delay_auth_decision`` option is True then the value of
+``X-Service-Identity-Status`` is set to `Invalid` and no further headers are
+added. Otherwise if ``X-Service-Token`` is present and its value is invalid
+then the middleware will respond to the HTTP request with HTTPUnauthorized,
+regardless of the validity of the ``X-Auth-Token`` or ``X-Storage-Token``
+values.
+
+Extended the request with additional User Information
+-----------------------------------------------------
+
+:py:class:`keystonemiddleware.auth_token.AuthProtocol` extends the
+request with additional information if the user has been authenticated. See the
+"What we add to the request for use by the OpenStack service" section in
+:py:mod:`keystonemiddleware.auth_token` for the list of fields set by
+the auth_token middleware.
+
+
+References
+==========
+
+.. [PEP-333] pep0333 Phillip J Eby.  'Python Web Server Gateway Interface
+    v1.0.''  http://www.python.org/dev/peps/pep-0333/.