From 920a49cfa055733d575282973e23558c33087a4a Mon Sep 17 00:00:00 2001 From: RHE Date: Fri, 24 Nov 2017 13:54:26 +0100 Subject: remove keystone-moon Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd Signed-off-by: RHE --- keystone-moon/keystone/middleware/__init__.py | 16 -- keystone-moon/keystone/middleware/auth.py | 222 ------------------------- keystone-moon/keystone/middleware/core.py | 138 --------------- keystone-moon/keystone/middleware/ec2_token.py | 44 ----- 4 files changed, 420 deletions(-) delete mode 100644 keystone-moon/keystone/middleware/__init__.py delete mode 100644 keystone-moon/keystone/middleware/auth.py delete mode 100644 keystone-moon/keystone/middleware/core.py delete mode 100644 keystone-moon/keystone/middleware/ec2_token.py (limited to 'keystone-moon/keystone/middleware') diff --git a/keystone-moon/keystone/middleware/__init__.py b/keystone-moon/keystone/middleware/__init__.py deleted file mode 100644 index 4325d946..00000000 --- a/keystone-moon/keystone/middleware/__init__.py +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystone.middleware.auth import * # noqa -from keystone.middleware.core import * # noqa diff --git a/keystone-moon/keystone/middleware/auth.py b/keystone-moon/keystone/middleware/auth.py deleted file mode 100644 index cc7d0ecc..00000000 --- a/keystone-moon/keystone/middleware/auth.py +++ /dev/null @@ -1,222 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_config import cfg -from oslo_context import context as oslo_context -from oslo_log import log -from oslo_log import versionutils - -from keystone.common import authorization -from keystone.common import tokenless_auth -from keystone.common import wsgi -from keystone import exception -from keystone.federation import constants as federation_constants -from keystone.federation import utils -from keystone.i18n import _, _LI, _LW -from keystone.middleware import core -from keystone.models import token_model -from keystone.token.providers import common - -CONF = cfg.CONF -LOG = log.getLogger(__name__) - -__all__ = ('AuthContextMiddleware',) - - -class AuthContextMiddleware(wsgi.Middleware): - """Build the authentication context from the request auth token.""" - - def _build_auth_context(self, request): - - # NOTE(gyee): token takes precedence over SSL client certificates. - # This will preserve backward compatibility with the existing - # behavior. Tokenless authorization with X.509 SSL client - # certificate is effectively disabled if no trusted issuers are - # provided. - - token_id = None - if core.AUTH_TOKEN_HEADER in request.headers: - token_id = request.headers[core.AUTH_TOKEN_HEADER].strip() - - is_admin = request.environ.get(core.CONTEXT_ENV, {}).get('is_admin', - False) - if is_admin: - # NOTE(gyee): no need to proceed any further as we already know - # this is an admin request. - auth_context = {} - return auth_context, token_id, is_admin - - if token_id: - # In this case the client sent in a token. - auth_context, is_admin = self._build_token_auth_context( - request, token_id) - return auth_context, token_id, is_admin - - # No token, maybe the client presented an X.509 certificate. - - if self._validate_trusted_issuer(request.environ): - auth_context = self._build_tokenless_auth_context( - request.environ) - return auth_context, None, False - - LOG.debug('There is either no auth token in the request or ' - 'the certificate issuer is not trusted. No auth ' - 'context will be set.') - - return None, None, False - - def _build_token_auth_context(self, request, token_id): - if CONF.admin_token and token_id == CONF.admin_token: - versionutils.report_deprecated_feature( - LOG, - _LW('build_auth_context middleware checking for the admin ' - 'token is deprecated as of the Mitaka release and will be ' - 'removed in the O release. If your deployment requires ' - 'use of the admin token, update keystone-paste.ini so ' - 'that admin_token_auth is before build_auth_context in ' - 'the paste pipelines, otherwise remove the ' - 'admin_token_auth middleware from the paste pipelines.')) - return {}, True - - context = {'token_id': token_id} - context['environment'] = request.environ - - try: - token_ref = token_model.KeystoneToken( - token_id=token_id, - token_data=self.token_provider_api.validate_token(token_id)) - # TODO(gyee): validate_token_bind should really be its own - # middleware - wsgi.validate_token_bind(context, token_ref) - return authorization.token_to_auth_context(token_ref), False - except exception.TokenNotFound: - LOG.warning(_LW('RBAC: Invalid token')) - raise exception.Unauthorized() - - def _build_tokenless_auth_context(self, env): - """Build the authentication context. - - The context is built from the attributes provided in the env, - such as certificate and scope attributes. - """ - tokenless_helper = tokenless_auth.TokenlessAuthHelper(env) - - (domain_id, project_id, trust_ref, unscoped) = ( - tokenless_helper.get_scope()) - user_ref = tokenless_helper.get_mapped_user( - project_id, - domain_id) - - # NOTE(gyee): if it is an ephemeral user, the - # given X.509 SSL client cert does not need to map to - # an existing user. - if user_ref['type'] == utils.UserType.EPHEMERAL: - auth_context = {} - auth_context['group_ids'] = user_ref['group_ids'] - auth_context[federation_constants.IDENTITY_PROVIDER] = ( - user_ref[federation_constants.IDENTITY_PROVIDER]) - auth_context[federation_constants.PROTOCOL] = ( - user_ref[federation_constants.PROTOCOL]) - if domain_id and project_id: - msg = _('Scoping to both domain and project is not allowed') - raise ValueError(msg) - if domain_id: - auth_context['domain_id'] = domain_id - if project_id: - auth_context['project_id'] = project_id - auth_context['roles'] = user_ref['roles'] - else: - # it's the local user, so token data is needed. - token_helper = common.V3TokenDataHelper() - token_data = token_helper.get_token_data( - user_id=user_ref['id'], - method_names=[CONF.tokenless_auth.protocol], - domain_id=domain_id, - project_id=project_id) - - auth_context = {'user_id': user_ref['id']} - auth_context['is_delegated_auth'] = False - if domain_id: - auth_context['domain_id'] = domain_id - if project_id: - auth_context['project_id'] = project_id - auth_context['roles'] = [role['name'] for role - in token_data['token']['roles']] - return auth_context - - def _validate_trusted_issuer(self, env): - """To further filter the certificates that are trusted. - - If the config option 'trusted_issuer' is absent or does - not contain the trusted issuer DN, no certificates - will be allowed in tokenless authorization. - - :param env: The env contains the client issuer's attributes - :type env: dict - :returns: True if client_issuer is trusted; otherwise False - """ - if not CONF.tokenless_auth.trusted_issuer: - return False - - client_issuer = env.get(CONF.tokenless_auth.issuer_attribute) - if not client_issuer: - msg = _LI('Cannot find client issuer in env by the ' - 'issuer attribute - %s.') - LOG.info(msg, CONF.tokenless_auth.issuer_attribute) - return False - - if client_issuer in CONF.tokenless_auth.trusted_issuer: - return True - - msg = _LI('The client issuer %(client_issuer)s does not match with ' - 'the trusted issuer %(trusted_issuer)s') - LOG.info( - msg, {'client_issuer': client_issuer, - 'trusted_issuer': CONF.tokenless_auth.trusted_issuer}) - - return False - - def process_request(self, request): - - # The request context stores itself in thread-local memory for logging. - request_context = oslo_context.RequestContext( - request_id=request.environ.get('openstack.request_id')) - - if authorization.AUTH_CONTEXT_ENV in request.environ: - msg = _LW('Auth context already exists in the request ' - 'environment; it will be used for authorization ' - 'instead of creating a new one.') - LOG.warning(msg) - return - - auth_context, token_id, is_admin = self._build_auth_context(request) - - request_context.auth_token = token_id - request_context.is_admin = is_admin - - if auth_context is None: - # The client didn't send any auth info, so don't set auth context. - return - - # The attributes of request_context are put into the logs. This is a - # common pattern for all the OpenStack services. In all the other - # projects these are IDs, so set the attributes to IDs here rather than - # the name. - request_context.user = auth_context.get('user_id') - request_context.tenant = auth_context.get('project_id') - request_context.domain = auth_context.get('domain_id') - request_context.user_domain = auth_context.get('user_domain_id') - request_context.project_domain = auth_context.get('project_domain_id') - request_context.update_store() - - LOG.debug('RBAC: auth_context: %s', auth_context) - request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context diff --git a/keystone-moon/keystone/middleware/core.py b/keystone-moon/keystone/middleware/core.py deleted file mode 100644 index 245b9e67..00000000 --- a/keystone-moon/keystone/middleware/core.py +++ /dev/null @@ -1,138 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_config import cfg -from oslo_log import log -from oslo_serialization import jsonutils - -from keystone.common import wsgi -from keystone import exception -from keystone.i18n import _LW - - -CONF = cfg.CONF -LOG = log.getLogger(__name__) - -# Header used to transmit the auth token -AUTH_TOKEN_HEADER = 'X-Auth-Token' - - -# Header used to transmit the subject token -SUBJECT_TOKEN_HEADER = 'X-Subject-Token' - - -# Environment variable used to pass the request context -CONTEXT_ENV = wsgi.CONTEXT_ENV - - -# Environment variable used to pass the request params -PARAMS_ENV = wsgi.PARAMS_ENV - - -class TokenAuthMiddleware(wsgi.Middleware): - def process_request(self, request): - token = request.headers.get(AUTH_TOKEN_HEADER) - context = request.environ.get(CONTEXT_ENV, {}) - context['token_id'] = token - if SUBJECT_TOKEN_HEADER in request.headers: - context['subject_token_id'] = request.headers[SUBJECT_TOKEN_HEADER] - request.environ[CONTEXT_ENV] = context - - -class AdminTokenAuthMiddleware(wsgi.Middleware): - """A trivial filter that checks for a pre-defined admin token. - - Sets 'is_admin' to true in the context, expected to be checked by - methods that are admin-only. - - """ - - def __init__(self, application): - super(AdminTokenAuthMiddleware, self).__init__(application) - LOG.warning(_LW("The admin_token_auth middleware presents a security " - "risk and should be removed from the " - "[pipeline:api_v3], [pipeline:admin_api], and " - "[pipeline:public_api] sections of your paste ini " - "file.")) - - def process_request(self, request): - token = request.headers.get(AUTH_TOKEN_HEADER) - context = request.environ.get(CONTEXT_ENV, {}) - context['is_admin'] = CONF.admin_token and (token == CONF.admin_token) - request.environ[CONTEXT_ENV] = context - - -class JsonBodyMiddleware(wsgi.Middleware): - """Middleware to allow method arguments to be passed as serialized JSON. - - Accepting arguments as JSON is useful for accepting data that may be more - complex than simple primitives. - - Filters out the parameters `self`, `context` and anything beginning with - an underscore. - - """ - - def process_request(self, request): - # Abort early if we don't have any work to do - params_json = request.body - if not params_json: - return - - # Reject unrecognized content types. Empty string indicates - # the client did not explicitly set the header - if request.content_type not in ('application/json', ''): - e = exception.ValidationError(attribute='application/json', - target='Content-Type header') - return wsgi.render_exception(e, request=request) - - params_parsed = {} - try: - params_parsed = jsonutils.loads(params_json) - except ValueError: - e = exception.ValidationError(attribute='valid JSON', - target='request body') - return wsgi.render_exception(e, request=request) - finally: - if not params_parsed: - params_parsed = {} - - if not isinstance(params_parsed, dict): - e = exception.ValidationError(attribute='valid JSON object', - target='request body') - return wsgi.render_exception(e, request=request) - - params = {} - for k, v in params_parsed.items(): - if k in ('self', 'context'): - continue - if k.startswith('_'): - continue - params[k] = v - - request.environ[PARAMS_ENV] = params - - -class NormalizingFilter(wsgi.Middleware): - """Middleware filter to handle URL normalization.""" - - def process_request(self, request): - """Normalizes URLs.""" - # Removes a trailing slash from the given path, if any. - if (len(request.environ['PATH_INFO']) > 1 and - request.environ['PATH_INFO'][-1] == '/'): - request.environ['PATH_INFO'] = request.environ['PATH_INFO'][:-1] - # Rewrites path to root if no path is given. - elif not request.environ['PATH_INFO']: - request.environ['PATH_INFO'] = '/' diff --git a/keystone-moon/keystone/middleware/ec2_token.py b/keystone-moon/keystone/middleware/ec2_token.py deleted file mode 100644 index 771b74f8..00000000 --- a/keystone-moon/keystone/middleware/ec2_token.py +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Starting point for routing EC2 requests. - -The EC2 Token Middleware has been deprecated as of Juno. It has been moved into -keystonemiddleware, `keystonemiddleware.ec2_token`. - -""" - -from keystonemiddleware import ec2_token - -from keystone.openstack.common import versionutils - - -class EC2Token(ec2_token.EC2Token): - - @versionutils.deprecated( - versionutils.deprecated.JUNO, - in_favor_of='keystonemiddleware.ec2_token.EC2Token', - remove_in=+2, - what='keystone.middleware.ec2_token.EC2Token') - def __init__(self, *args, **kwargs): - super(EC2Token, self).__init__(*args, **kwargs) - - -filter_factory = ec2_token.filter_factory -app_factory = ec2_token.app_factory -keystone_ec2_opts = ec2_token.keystone_ec2_opts -- cgit 1.2.3-korg