openstack
/
glance
Code Issues Proposed changes

Merge changes I18f5bf43,Ia94c7596 into stable/diablo 

* changes:
  Fixes keystone auth test failures in python 2.6.
  Fix for bug 901609, when using v2 auth should use /v2.0/tokens path.
This commit is contained in:
Jenkins 2012-01-11 07:38:08 +00:00 committed by Gerrit Code Review
parent d6cebb9ee2 ea52a016b4
commit c44bc3d443
4 changed files with 310 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Authors
View File

@ -19,6 +19,7 @@ Josh Kearney <josh@jk0.org>
Justin Shepherd <jshepher@rackspace.com>
Ken Pepple <ken.pepple@gmail.com>
Kevin L. Mitchell <kevin.mitchell@rackspace.com>
Major Hayden <major@mhtx.net>
Mark McLoughlin <markmc@redhat.com>
Matt Dietz <matt.dietz@rackspace.com>
Mike Lundy <mike@pistoncloud.com>

34
glance/common/auth.py
View File

@ -82,9 +82,21 @@ class KeystoneStrategy(BaseStrategy):
case, we rewrite the url to contain /v2.0/ and retry using the v2
protocol.
"""
def _authenticate(auth_url):
token_url = urlparse.urljoin(auth_url, "tokens")
def check_auth_params():
# Ensure that supplied credential parameters are as required
for required in ('username', 'password', 'auth_url'):
if required not in self.creds:
raise exception.MissingCredentialError(required=required)
# For v2.0 also check tenant is present
if self.creds['auth_url'].rstrip('/').endswith('v2.0'):
if 'tenant' not in self.creds:
raise exception.MissingCredentialError(required='tenant')
def _authenticate(auth_url):
# If OS_AUTH_URL is missing a trailing slash add one
if not auth_url.endswith('/'):
auth_url += '/'
token_url = urlparse.urljoin(auth_url, "tokens")
# 1. Check Keystone version
is_v2 = auth_url.rstrip('/').endswith('v2.0')
if is_v2:
@ -92,11 +104,7 @@ class KeystoneStrategy(BaseStrategy):
else:
self._v1_auth(token_url)
for required in ('username', 'password', 'auth_url'):
if required not in self.creds:
raise Exception(_("'%s' must be included in creds") %
required)
check_auth_params()
auth_url = self.creds['auth_url']
for _ in range(self.MAX_REDIRECTS):
try:
@ -140,8 +148,12 @@ class KeystoneStrategy(BaseStrategy):
raise exception.AuthorizationFailure()
elif resp.status == 305:
raise exception.RedirectException(resp['location'])
elif resp.status == 400:
raise exception.AuthBadRequest()
elif resp.status == 401:
raise exception.NotAuthorized()
elif resp.status == 404:
raise exception.AuthUrlNotFound(url=token_url)
else:
raise Exception(_('Unexpected response: %s' % resp.status))
@ -158,10 +170,6 @@ class KeystoneStrategy(BaseStrategy):
}
}
tenant = creds.get('tenant')
if tenant:
creds['passwordCredentials']['tenantId'] = tenant
headers = {}
headers['Content-Type'] = 'application/json'
req_body = json.dumps(creds)
@ -185,8 +193,12 @@ class KeystoneStrategy(BaseStrategy):
self.auth_token = resp_auth['token']['id']
elif resp.status == 305:
raise RedirectException(resp['location'])
elif resp.status == 400:
raise exception.AuthBadRequest()
elif resp.status == 401:
raise exception.NotAuthorized()
elif resp.status == 404:
raise exception.AuthUrlNotFound(url=token_url)
else:
raise Exception(_('Unexpected response: %s') % resp.status)

16
glance/common/exception.py
View File

@ -182,3 +182,19 @@ class InvalidNotifierStrategy(GlanceException):
class NoServiceEndpoint(GlanceException):
message = _("Response from Keystone does not contain a Glance endpoint.")
class MissingCredentialError(GlanceException):
message = _("Missing required credential: %(required)s")
class AuthBadRequest(GlanceException):
message = _("Connect error/bad request to Auth service at URL %(url)s.")
class AuthUrlNotFound(GlanceException):
message = _("Auth service at URL %(url)s not found.")
class AuthorizationFailure(GlanceException):
message = _("Authorization failed.")

270
glance/tests/unit/test_auth.py Normal file
View File

@ -0,0 +1,270 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2011 OpenStack, LLC
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import json
import stubout
import unittest
import webob
from glance.common import auth
from glance.common import exception
class FakeResponse(object):
"""
Simple class that masks the inconsistency between
webob.Response.status_int and httplib.Response.status
"""
def __init__(self, resp):
self.resp = resp
def __getitem__(self, key):
return self.resp.headers.get(key)
@property
def status(self):
return self.resp.status_int
class TestKeystoneAuthPlugin(unittest.TestCase):
"""Test that the Keystone auth plugin works properly"""
def setUp(self):
self.stubs = stubout.StubOutForTesting()
def tearDown(self):
self.stubs.UnsetAll()
def test_required_creds(self):
"""
Test that plugin created without required
credential pieces raises an exception
"""
bad_creds = [
{}, # missing everything
{
'username': 'user1',
'password': 'pass'
}, # missing auth_url
{
'password': 'pass',
'auth_url': 'http://localhost/v1'
}, # missing username
{
'username': 'user1',
'auth_url': 'http://localhost/v1'
}, # missing password
{
'username': 'user1',
'password': 'pass',
'auth_url': 'http://localhost/v2.0/'
} # v2.0: missing tenant
]
for creds in bad_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.MissingCredentialError:
continue # Expected
self.fail("Failed to raise correct exception when supplying bad "
"credentials: %r" % creds)
def test_invalid_auth_url(self):
"""
Test invalid auth URL returns a 404/400 in authenticate().
'404' if an attempt is made to access an invalid url on a
server, '400' if an attempt is made to access a url on a
non-existent server.
"""
bad_creds = [
{
'username': 'user1',
'auth_url': 'http://localhost/badauthurl/',
'password': 'pass'
}, # v1 Keystone
{
'username': 'user1',
'auth_url': 'http://localhost/badauthurl/v2.0/',
'password': 'pass',
'tenant': 'tenant1'
} # v2 Keystone
]
for creds in bad_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.AuthUrlNotFound:
continue # Expected if web server running
except exception.AuthBadRequest:
continue # Expected if no web server running
self.fail("Failed to raise Exception when supplying bad "
"credentials: %r" % creds)
def test_v1_auth(self):
"""Test v1 auth code paths"""
def fake_do_request(cls, url, method, headers=None, body=None):
if url.find("2.0") != -1:
self.fail("Invalid v1.0 token path (%s)" % url)
headers = headers or {}
resp = webob.Response()
if (headers.get('X-Auth-User') != 'user1' or
headers.get('X-Auth-Key') != 'pass'):
resp.status = 401
else:
resp.status = 200
return FakeResponse(resp), ""
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
unauthorized_creds = [
{
'username': 'wronguser',
'auth_url': 'http://localhost/badauthurl/',
'password': 'pass'
}, # wrong username
{
'username': 'user1',
'auth_url': 'http://localhost/badauthurl/',
'password': 'badpass'
}, # bad password...
]
for creds in unauthorized_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.NotAuthorized:
continue # Expected
self.fail("Failed to raise NotAuthorized when supplying bad "
"credentials: %r" % creds)
good_creds = [
{
'username': 'user1',
'auth_url': 'http://localhost/redirect/',
'password': 'pass'
}
]
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds)
self.assertTrue(plugin.authenticate() is None)
def test_v2_auth(self):
"""Test v2 auth code paths"""
def fake_do_request(cls, url, method, headers=None, body=None):
if (not url.rstrip('/').endswith('v2.0/tokens') or
url.count("2.0") != 1):
self.fail("Invalid v2.0 token path (%s)" % url)
creds = json.loads(body)['auth']
username = creds['passwordCredentials']['username']
password = creds['passwordCredentials']['password']
tenant = creds['tenantName']
resp = webob.Response()
if (username != 'user1' or password != 'pass' or
tenant != 'tenant-ok'):
resp.status = 401
else:
resp.status = 200
# Mock up a token to satisfy v2 auth
body = {
"access": {
"token": {
"expires": "2010-11-23T16:40:53.321584",
"id": "5c7f8799-2e54-43e4-851b-31f81871b6c",
"tenant": {"id": "1", "name": "tenant-ok"}
},
"serviceCatalog": [{
"endpoints": [{
"region": "RegionOne",
"adminURL": "http://localhost:9292",
"internalURL": "http://localhost:9292",
"publicURL": "http://localhost:9292"
}],
"type": "image",
"name": "glance"
}],
"user": {
"id": "2",
"roles": [{
"tenantId": "1",
"id": "1",
"name": "Admin"
}],
"name": "joeadmin"
}
}
}
return FakeResponse(resp), json.dumps(body)
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
unauthorized_creds = [
{
'username': 'wronguser',
'auth_url': 'http://localhost/v2.0',
'password': 'pass',
'tenant': 'tenant-ok'
}, # wrong username
{
'username': 'user1',
'auth_url': 'http://localhost/v2.0',
'password': 'badpass',
'tenant': 'tenant-ok'
}, # bad password...
{
'username': 'user1',
'auth_url': 'http://localhost/v2.0',
'password': 'pass',
'tenant': 'carterhayes'
}, # bad tenant...
]
for creds in unauthorized_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.NotAuthorized:
continue # Expected
self.fail("Failed to raise NotAuthorized when supplying bad "
"credentials: %r" % creds)
good_creds = [
{
'username': 'user1',
'auth_url': 'http://localhost/v2.0/',
'password': 'pass',
'tenant': 'tenant-ok'
}, # auth_url with trailing '/'
{
'username': 'user1',
'auth_url': 'http://localhost/v2.0',
'password': 'pass',
'tenant': 'tenant-ok'
} # auth_url without trailing '/'
]
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds)
self.assertTrue(plugin.authenticate() is None)