Merge changes I18f5bf43,Ia94c7596 into stable/diablo
* changes: Fixes keystone auth test failures in python 2.6. Fix for bug 901609, when using v2 auth should use /v2.0/tokens path.
This commit is contained in:
commit
c44bc3d443
1
Authors
1
Authors
|
@ -19,6 +19,7 @@ Josh Kearney <josh@jk0.org>
|
|||
Justin Shepherd <jshepher@rackspace.com>
|
||||
Ken Pepple <ken.pepple@gmail.com>
|
||||
Kevin L. Mitchell <kevin.mitchell@rackspace.com>
|
||||
Major Hayden <major@mhtx.net>
|
||||
Mark McLoughlin <markmc@redhat.com>
|
||||
Matt Dietz <matt.dietz@rackspace.com>
|
||||
Mike Lundy <mike@pistoncloud.com>
|
||||
|
|
|
@ -82,9 +82,21 @@ class KeystoneStrategy(BaseStrategy):
|
|||
case, we rewrite the url to contain /v2.0/ and retry using the v2
|
||||
protocol.
|
||||
"""
|
||||
def _authenticate(auth_url):
|
||||
token_url = urlparse.urljoin(auth_url, "tokens")
|
||||
def check_auth_params():
|
||||
# Ensure that supplied credential parameters are as required
|
||||
for required in ('username', 'password', 'auth_url'):
|
||||
if required not in self.creds:
|
||||
raise exception.MissingCredentialError(required=required)
|
||||
# For v2.0 also check tenant is present
|
||||
if self.creds['auth_url'].rstrip('/').endswith('v2.0'):
|
||||
if 'tenant' not in self.creds:
|
||||
raise exception.MissingCredentialError(required='tenant')
|
||||
|
||||
def _authenticate(auth_url):
|
||||
# If OS_AUTH_URL is missing a trailing slash add one
|
||||
if not auth_url.endswith('/'):
|
||||
auth_url += '/'
|
||||
token_url = urlparse.urljoin(auth_url, "tokens")
|
||||
# 1. Check Keystone version
|
||||
is_v2 = auth_url.rstrip('/').endswith('v2.0')
|
||||
if is_v2:
|
||||
|
@ -92,11 +104,7 @@ class KeystoneStrategy(BaseStrategy):
|
|||
else:
|
||||
self._v1_auth(token_url)
|
||||
|
||||
for required in ('username', 'password', 'auth_url'):
|
||||
if required not in self.creds:
|
||||
raise Exception(_("'%s' must be included in creds") %
|
||||
required)
|
||||
|
||||
check_auth_params()
|
||||
auth_url = self.creds['auth_url']
|
||||
for _ in range(self.MAX_REDIRECTS):
|
||||
try:
|
||||
|
@ -140,8 +148,12 @@ class KeystoneStrategy(BaseStrategy):
|
|||
raise exception.AuthorizationFailure()
|
||||
elif resp.status == 305:
|
||||
raise exception.RedirectException(resp['location'])
|
||||
elif resp.status == 400:
|
||||
raise exception.AuthBadRequest()
|
||||
elif resp.status == 401:
|
||||
raise exception.NotAuthorized()
|
||||
elif resp.status == 404:
|
||||
raise exception.AuthUrlNotFound(url=token_url)
|
||||
else:
|
||||
raise Exception(_('Unexpected response: %s' % resp.status))
|
||||
|
||||
|
@ -158,10 +170,6 @@ class KeystoneStrategy(BaseStrategy):
|
|||
}
|
||||
}
|
||||
|
||||
tenant = creds.get('tenant')
|
||||
if tenant:
|
||||
creds['passwordCredentials']['tenantId'] = tenant
|
||||
|
||||
headers = {}
|
||||
headers['Content-Type'] = 'application/json'
|
||||
req_body = json.dumps(creds)
|
||||
|
@ -185,8 +193,12 @@ class KeystoneStrategy(BaseStrategy):
|
|||
self.auth_token = resp_auth['token']['id']
|
||||
elif resp.status == 305:
|
||||
raise RedirectException(resp['location'])
|
||||
elif resp.status == 400:
|
||||
raise exception.AuthBadRequest()
|
||||
elif resp.status == 401:
|
||||
raise exception.NotAuthorized()
|
||||
elif resp.status == 404:
|
||||
raise exception.AuthUrlNotFound(url=token_url)
|
||||
else:
|
||||
raise Exception(_('Unexpected response: %s') % resp.status)
|
||||
|
||||
|
|
|
@ -182,3 +182,19 @@ class InvalidNotifierStrategy(GlanceException):
|
|||
|
||||
class NoServiceEndpoint(GlanceException):
|
||||
message = _("Response from Keystone does not contain a Glance endpoint.")
|
||||
|
||||
|
||||
class MissingCredentialError(GlanceException):
|
||||
message = _("Missing required credential: %(required)s")
|
||||
|
||||
|
||||
class AuthBadRequest(GlanceException):
|
||||
message = _("Connect error/bad request to Auth service at URL %(url)s.")
|
||||
|
||||
|
||||
class AuthUrlNotFound(GlanceException):
|
||||
message = _("Auth service at URL %(url)s not found.")
|
||||
|
||||
|
||||
class AuthorizationFailure(GlanceException):
|
||||
message = _("Authorization failed.")
|
||||
|
|
|
@ -0,0 +1,270 @@
|
|||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
|
||||
# Copyright 2011 OpenStack, LLC
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import json
|
||||
import stubout
|
||||
import unittest
|
||||
import webob
|
||||
|
||||
from glance.common import auth
|
||||
from glance.common import exception
|
||||
|
||||
|
||||
class FakeResponse(object):
|
||||
"""
|
||||
Simple class that masks the inconsistency between
|
||||
webob.Response.status_int and httplib.Response.status
|
||||
"""
|
||||
def __init__(self, resp):
|
||||
self.resp = resp
|
||||
|
||||
def __getitem__(self, key):
|
||||
return self.resp.headers.get(key)
|
||||
|
||||
@property
|
||||
def status(self):
|
||||
return self.resp.status_int
|
||||
|
||||
|
||||
class TestKeystoneAuthPlugin(unittest.TestCase):
|
||||
"""Test that the Keystone auth plugin works properly"""
|
||||
|
||||
def setUp(self):
|
||||
self.stubs = stubout.StubOutForTesting()
|
||||
|
||||
def tearDown(self):
|
||||
self.stubs.UnsetAll()
|
||||
|
||||
def test_required_creds(self):
|
||||
"""
|
||||
Test that plugin created without required
|
||||
credential pieces raises an exception
|
||||
"""
|
||||
bad_creds = [
|
||||
{}, # missing everything
|
||||
{
|
||||
'username': 'user1',
|
||||
'password': 'pass'
|
||||
}, # missing auth_url
|
||||
{
|
||||
'password': 'pass',
|
||||
'auth_url': 'http://localhost/v1'
|
||||
}, # missing username
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/v1'
|
||||
}, # missing password
|
||||
{
|
||||
'username': 'user1',
|
||||
'password': 'pass',
|
||||
'auth_url': 'http://localhost/v2.0/'
|
||||
} # v2.0: missing tenant
|
||||
]
|
||||
for creds in bad_creds:
|
||||
try:
|
||||
plugin = auth.KeystoneStrategy(creds)
|
||||
plugin.authenticate()
|
||||
except exception.MissingCredentialError:
|
||||
continue # Expected
|
||||
self.fail("Failed to raise correct exception when supplying bad "
|
||||
"credentials: %r" % creds)
|
||||
|
||||
def test_invalid_auth_url(self):
|
||||
"""
|
||||
Test invalid auth URL returns a 404/400 in authenticate().
|
||||
'404' if an attempt is made to access an invalid url on a
|
||||
server, '400' if an attempt is made to access a url on a
|
||||
non-existent server.
|
||||
"""
|
||||
bad_creds = [
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/badauthurl/',
|
||||
'password': 'pass'
|
||||
}, # v1 Keystone
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/badauthurl/v2.0/',
|
||||
'password': 'pass',
|
||||
'tenant': 'tenant1'
|
||||
} # v2 Keystone
|
||||
]
|
||||
|
||||
for creds in bad_creds:
|
||||
try:
|
||||
plugin = auth.KeystoneStrategy(creds)
|
||||
plugin.authenticate()
|
||||
except exception.AuthUrlNotFound:
|
||||
continue # Expected if web server running
|
||||
except exception.AuthBadRequest:
|
||||
continue # Expected if no web server running
|
||||
self.fail("Failed to raise Exception when supplying bad "
|
||||
"credentials: %r" % creds)
|
||||
|
||||
def test_v1_auth(self):
|
||||
"""Test v1 auth code paths"""
|
||||
def fake_do_request(cls, url, method, headers=None, body=None):
|
||||
if url.find("2.0") != -1:
|
||||
self.fail("Invalid v1.0 token path (%s)" % url)
|
||||
headers = headers or {}
|
||||
|
||||
resp = webob.Response()
|
||||
|
||||
if (headers.get('X-Auth-User') != 'user1' or
|
||||
headers.get('X-Auth-Key') != 'pass'):
|
||||
resp.status = 401
|
||||
else:
|
||||
resp.status = 200
|
||||
|
||||
return FakeResponse(resp), ""
|
||||
|
||||
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
|
||||
|
||||
unauthorized_creds = [
|
||||
{
|
||||
'username': 'wronguser',
|
||||
'auth_url': 'http://localhost/badauthurl/',
|
||||
'password': 'pass'
|
||||
}, # wrong username
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/badauthurl/',
|
||||
'password': 'badpass'
|
||||
}, # bad password...
|
||||
]
|
||||
|
||||
for creds in unauthorized_creds:
|
||||
try:
|
||||
plugin = auth.KeystoneStrategy(creds)
|
||||
plugin.authenticate()
|
||||
except exception.NotAuthorized:
|
||||
continue # Expected
|
||||
self.fail("Failed to raise NotAuthorized when supplying bad "
|
||||
"credentials: %r" % creds)
|
||||
|
||||
good_creds = [
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/redirect/',
|
||||
'password': 'pass'
|
||||
}
|
||||
]
|
||||
|
||||
for creds in good_creds:
|
||||
plugin = auth.KeystoneStrategy(creds)
|
||||
self.assertTrue(plugin.authenticate() is None)
|
||||
|
||||
def test_v2_auth(self):
|
||||
"""Test v2 auth code paths"""
|
||||
def fake_do_request(cls, url, method, headers=None, body=None):
|
||||
if (not url.rstrip('/').endswith('v2.0/tokens') or
|
||||
url.count("2.0") != 1):
|
||||
self.fail("Invalid v2.0 token path (%s)" % url)
|
||||
|
||||
creds = json.loads(body)['auth']
|
||||
username = creds['passwordCredentials']['username']
|
||||
password = creds['passwordCredentials']['password']
|
||||
tenant = creds['tenantName']
|
||||
resp = webob.Response()
|
||||
|
||||
if (username != 'user1' or password != 'pass' or
|
||||
tenant != 'tenant-ok'):
|
||||
resp.status = 401
|
||||
else:
|
||||
resp.status = 200
|
||||
# Mock up a token to satisfy v2 auth
|
||||
body = {
|
||||
"access": {
|
||||
"token": {
|
||||
"expires": "2010-11-23T16:40:53.321584",
|
||||
"id": "5c7f8799-2e54-43e4-851b-31f81871b6c",
|
||||
"tenant": {"id": "1", "name": "tenant-ok"}
|
||||
},
|
||||
"serviceCatalog": [{
|
||||
"endpoints": [{
|
||||
"region": "RegionOne",
|
||||
"adminURL": "http://localhost:9292",
|
||||
"internalURL": "http://localhost:9292",
|
||||
"publicURL": "http://localhost:9292"
|
||||
}],
|
||||
"type": "image",
|
||||
"name": "glance"
|
||||
}],
|
||||
"user": {
|
||||
"id": "2",
|
||||
"roles": [{
|
||||
"tenantId": "1",
|
||||
"id": "1",
|
||||
"name": "Admin"
|
||||
}],
|
||||
"name": "joeadmin"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return FakeResponse(resp), json.dumps(body)
|
||||
|
||||
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
|
||||
|
||||
unauthorized_creds = [
|
||||
{
|
||||
'username': 'wronguser',
|
||||
'auth_url': 'http://localhost/v2.0',
|
||||
'password': 'pass',
|
||||
'tenant': 'tenant-ok'
|
||||
}, # wrong username
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/v2.0',
|
||||
'password': 'badpass',
|
||||
'tenant': 'tenant-ok'
|
||||
}, # bad password...
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/v2.0',
|
||||
'password': 'pass',
|
||||
'tenant': 'carterhayes'
|
||||
}, # bad tenant...
|
||||
]
|
||||
|
||||
for creds in unauthorized_creds:
|
||||
try:
|
||||
plugin = auth.KeystoneStrategy(creds)
|
||||
plugin.authenticate()
|
||||
except exception.NotAuthorized:
|
||||
continue # Expected
|
||||
self.fail("Failed to raise NotAuthorized when supplying bad "
|
||||
"credentials: %r" % creds)
|
||||
|
||||
good_creds = [
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/v2.0/',
|
||||
'password': 'pass',
|
||||
'tenant': 'tenant-ok'
|
||||
}, # auth_url with trailing '/'
|
||||
{
|
||||
'username': 'user1',
|
||||
'auth_url': 'http://localhost/v2.0',
|
||||
'password': 'pass',
|
||||
'tenant': 'tenant-ok'
|
||||
} # auth_url without trailing '/'
|
||||
]
|
||||
|
||||
for creds in good_creds:
|
||||
plugin = auth.KeystoneStrategy(creds)
|
||||
self.assertTrue(plugin.authenticate() is None)
|
Loading…
Reference in New Issue