Support token_format for backward compatibility
The provider property in the [token] section will be unset by default. If provider is not set, we will use token_format in the [signing] section to determine the provider. If provider is set, it must agree with the token_format. fixed bug 1202651 Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
parent
2667c772a3
commit
43213e5df2
|
@ -161,7 +161,9 @@
|
|||
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
|
||||
|
||||
[signing]
|
||||
# Deprecated in favor of provider in the [token] section
|
||||
#token_format = PKI
|
||||
|
||||
#certfile = /etc/keystone/pki/certs/signing_cert.pem
|
||||
#keyfile = /etc/keystone/pki/private/signing_key.pem
|
||||
#ca_certs = /etc/keystone/pki/certs/cacert.pem
|
||||
|
|
|
@ -415,4 +415,4 @@ def configure():
|
|||
register_str(
|
||||
'provider',
|
||||
group='token',
|
||||
default='keystone.token.providers.pki.Provider')
|
||||
default=None)
|
||||
|
|
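Review bot: With `default=None` the meaning of an unset `provider` is no longer visible at the registration site; a comment such as `# None: provider is derived from [signing] token_format (see token.provider.Manager)` above the `register_str(` call would document it. Any code that reads `CONF.token.provider` directly instead of going through `Manager.check_and_get_token_provider()` would now receive `None`; no such reader is visible in this diff, so it is worth checking the rest of the tree. `configure()` starts and ends outside the hunk.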
|
@ -32,6 +32,10 @@ LOG = logging.getLogger(__name__)
|
|||
V2 = 'v2.0'
|
||||
V3 = 'v3.0'
|
||||
|
||||
# default token providers
|
||||
PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
|
||||
UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'
|
||||
|
||||
|
||||
class UnsupportedTokenVersionException(Exception):
|
||||
"""Token version is unrecognizable or unsupported."""
|
||||
|
@ -47,17 +51,39 @@ class Manager(manager.Manager):
|
|||
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
# FIXME(gyee): we are deprecating CONF.signing.token_format. This code
|
||||
# is to ensure the token provider configuration agrees with
|
||||
# CONF.signing.token_format.
|
||||
if ((CONF.signing.token_format == 'PKI' and
|
||||
not CONF.token.provider.endswith('.pki.Provider')) or
|
||||
(CONF.signing.token_format == 'UUID' and
|
||||
not CONF.token.provider.endswith('uuid.Provider'))):
|
||||
raise ValueError('token_format conflicts with token provider')
|
||||
@classmethod
|
||||
def check_and_get_token_provider(cls):
|
||||
"""Make sure we still support token_format for backward compatibility.
|
||||
|
||||
super(Manager, self).__init__(CONF.token.provider)
|
||||
Return the provider based on token_format if provider property is not
|
||||
set. Otherwise, ignore token_format and return the configured provider
|
||||
instead.
|
||||
|
||||
"""
|
||||
if CONF.token.provider:
|
||||
# FIXME(gyee): we are deprecating CONF.signing.token_format. This
|
||||
# code is to ensure the token provider configuration agrees with
|
||||
# CONF.signing.token_format.
|
||||
if ((CONF.signing.token_format == 'PKI' and
|
||||
CONF.token.provider != PKI_PROVIDER or
|
||||
(CONF.signing.token_format == 'UUID' and
|
||||
CONF.token.provider != UUID_PROVIDER))):
|
||||
raise exception.UnexpectedError(
|
||||
'[signing] token_format conflicts with [token] provider '
|
||||
'in keystone.conf')
|
||||
return CONF.token.provider
|
||||
else:
|
||||
if CONF.signing.token_format == 'PKI':
|
||||
return PKI_PROVIDER
|
||||
elif CONF.signing.token_format == 'UUID':
|
||||
return UUID_PROVIDER
|
||||
else:
|
||||
raise exception.UnexpectedError(
|
||||
'unrecognized token format. Must be either '
|
||||
'\'UUID\' or \'PKI\'')
|
||||
|
||||
def __init__(self):
|
||||
super(Manager, self).__init__(self.check_and_get_token_provider())
|
||||
|
||||
|
||||
class Provider(object):
|
||||
|
|
|
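Review bot: The docstring of `check_and_get_token_provider` says that a set provider makes the method "ignore token_format and return the configured provider", but the branch under `if CONF.token.provider:` raises `exception.UnexpectedError` whenever token_format is 'PKI' or 'UUID' and the provider is not the matching built-in constant. Because `test_default_token_format` on this page shows the default token_format resolving to PKI, a custom provider is rejected at start-up unless token_format is also changed, and operators should be able to read that in the docstring. Suggest rewording it to say that a set provider must agree with token_format when token_format is 'PKI' or 'UUID' and is returned unchanged otherwise. The parentheses in the condition are also misplaced: the first clause is never closed before `or`, so the grouping only works because `and` binds tighter; writing the second line as `CONF.token.provider != PKI_PROVIDER) or` and dropping one closing paren after `UUID_PROVIDER` would make it explicit.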
@ -16,6 +16,7 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from keystone import exception
|
||||
from keystone import test
|
||||
from keystone import token
|
||||
|
||||
|
@ -360,37 +361,75 @@ class TestTokenProvider(test.TestCase):
|
|||
def test_token_format_provider_mismatch(self):
|
||||
self.opt_in_group('signing', token_format='UUID')
|
||||
self.opt_in_group('token',
|
||||
provider='keystone.token.providers.pki.Provider')
|
||||
provider=token.provider.PKI_PROVIDER)
|
||||
try:
|
||||
token.provider.Manager()
|
||||
raise Exception(
|
||||
'expecting ValueError on token provider misconfiguration')
|
||||
except ValueError:
|
||||
except exception.UnexpectedError:
|
||||
pass
|
||||
|
||||
self.opt_in_group('signing', token_format='PKI')
|
||||
self.opt_in_group('token',
|
||||
provider='keystone.token.providers.uuid.Provider')
|
||||
provider=token.provider.UUID_PROVIDER)
|
||||
try:
|
||||
token.provider.Manager()
|
||||
raise Exception(
|
||||
'expecting ValueError on token provider misconfiguration')
|
||||
except ValueError:
|
||||
except exception.UnexpectedError:
|
||||
pass
|
||||
|
||||
# should be OK as token_format and provider aligns
|
||||
self.opt_in_group('signing', token_format='PKI')
|
||||
self.opt_in_group('token',
|
||||
provider='keystone.token.providers.pki.Provider')
|
||||
provider=token.provider.PKI_PROVIDER)
|
||||
token.provider.Manager()
|
||||
|
||||
self.opt_in_group('signing', token_format='UUID')
|
||||
self.opt_in_group('token',
|
||||
provider='keystone.token.providers.uuid.Provider')
|
||||
provider=token.provider.UUID_PROVIDER)
|
||||
token.provider.Manager()
|
||||
|
||||
# custom provider should be OK too
|
||||
self.opt_in_group('signing', token_format='CUSTOM')
|
||||
self.opt_in_group('token',
|
||||
provider='keystone.token.providers.pki.Provider')
|
||||
provider=token.provider.PKI_PROVIDER)
|
||||
token.provider.Manager()
|
||||
|
||||
def test_default_token_format(self):
|
||||
self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
|
||||
token.provider.PKI_PROVIDER)
|
||||
|
||||
def test_uuid_token_format_and_no_provider(self):
|
||||
self.opt_in_group('signing', token_format='UUID')
|
||||
self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
|
||||
token.provider.UUID_PROVIDER)
|
||||
|
||||
def test_unsupported_token_format(self):
|
||||
self.opt_in_group('signing', token_format='CUSTOM')
|
||||
self.assertRaises(exception.UnexpectedError,
|
||||
token.provider.Manager.check_and_get_token_provider)
|
||||
|
||||
def test_provider_override_token_format(self):
|
||||
self.opt_in_group('token',
|
||||
provider='keystone.token.providers.pki.Test')
|
||||
self.assertRaises(exception.UnexpectedError,
|
||||
token.provider.Manager.check_and_get_token_provider)
|
||||
|
||||
self.opt_in_group('signing', token_format='UUID')
|
||||
self.opt_in_group('token',
|
||||
provider=token.provider.UUID_PROVIDER)
|
||||
self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
|
||||
token.provider.UUID_PROVIDER)
|
||||
|
||||
self.opt_in_group('signing', token_format='PKI')
|
||||
self.opt_in_group('token',
|
||||
provider=token.provider.PKI_PROVIDER)
|
||||
self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
|
||||
token.provider.PKI_PROVIDER)
|
||||
|
||||
self.opt_in_group('signing', token_format='CUSTOM')
|
||||
self.opt_in_group('token',
|
||||
provider='my.package.MyProvider')
|
||||
self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
|
||||
'my.package.MyProvider')
|
||||
|
|
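Review bot: The two guards in `test_token_format_provider_mismatch` still raise `'expecting ValueError on token provider misconfiguration'` although the handlers now catch `exception.UnexpectedError`, so a failing run would name the wrong exception type. Each try/raise/except block could be replaced by the form the new tests already use, `self.assertRaises(exception.UnexpectedError, token.provider.Manager)`, which removes the stale message altogether. The first assertion in `test_provider_override_token_format` appears to depend on the default token_format being PKI; a one-line comment such as `# default token_format is PKI, so a non-PKI provider must be rejected` would make that dependency visible.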