Support token_format for backward compatibility

The provider property in the [token] section will be unset by default. If provider is not set, we will use token_format in the [signing] section to determine to provider. If provider is set, it must agree with the token_format. fixed bug 1202651 Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
2013-07-18 08:23:52 -07:00 · 2013-07-18 08:23:52 -07:00 · 43213e5df2
parent 2667c772a3
commit 43213e5df2
4 changed files with 85 additions and 18 deletions
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@ -161,7 +161,9 @@
 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

 [signing]
+# Deprecated in favor of provider in the [token] section
 #token_format = PKI
+
 #certfile = /etc/keystone/pki/certs/signing_cert.pem
 #keyfile = /etc/keystone/pki/private/signing_key.pem
 #ca_certs = /etc/keystone/pki/certs/cacert.pem
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@ -415,4 +415,4 @@ def configure():
    register_str(
        'provider',
        group='token',
-        default='keystone.token.providers.pki.Provider')
+        default=None)
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -32,6 +32,10 @@ LOG = logging.getLogger(__name__)
 V2 = 'v2.0'
 V3 = 'v3.0'

+# default token providers
+PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
+UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'
+

 class UnsupportedTokenVersionException(Exception):
    """Token version is unrecognizable or unsupported."""
@ -47,17 +51,39 @@ class Manager(manager.Manager):

    """

-    def __init__(self):
-        # FIXME(gyee): we are deprecating CONF.signing.token_format. This code
-        # is to ensure the token provider configuration agrees with
-        # CONF.signing.token_format.
-        if ((CONF.signing.token_format == 'PKI' and
-                not CONF.token.provider.endswith('.pki.Provider')) or
-                (CONF.signing.token_format == 'UUID' and
-                    not CONF.token.provider.endswith('uuid.Provider'))):
-            raise ValueError('token_format conflicts with token provider')
+    @classmethod
+    def check_and_get_token_provider(cls):
+        """Make sure we still support token_format for backward compatibility.

-        super(Manager, self).__init__(CONF.token.provider)
+        Return the provider based on token_format if provider property is not
+        set. Otherwise, ignore token_format and return the configured provider
+        instead.
+
+        """
+        if CONF.token.provider:
+            # FIXME(gyee): we are deprecating CONF.signing.token_format. This
+            # code is to ensure the token provider configuration agrees with
+            # CONF.signing.token_format.
+            if ((CONF.signing.token_format == 'PKI' and
+                    CONF.token.provider != PKI_PROVIDER or
+                    (CONF.signing.token_format == 'UUID' and
+                        CONF.token.provider != UUID_PROVIDER))):
+                raise exception.UnexpectedError(
+                    '[signing] token_format conflicts with [token] provider '
+                    'in keystone.conf')
+            return CONF.token.provider
+        else:
+            if CONF.signing.token_format == 'PKI':
+                return PKI_PROVIDER
+            elif CONF.signing.token_format == 'UUID':
+                return UUID_PROVIDER
+            else:
+                raise exception.UnexpectedError(
+                    'unrecognized token format. Must be either '
+                    '\'UUID\' or \'PKI\'')
+
+    def __init__(self):
+        super(Manager, self).__init__(self.check_and_get_token_provider())


 class Provider(object):
--- a/tests/test_token_provider.py
+++ b/tests/test_token_provider.py
@ -16,6 +16,7 @@

 import uuid

+from keystone import exception
 from keystone import test
 from keystone import token

@ -360,37 +361,75 @@ class TestTokenProvider(test.TestCase):
    def test_token_format_provider_mismatch(self):
        self.opt_in_group('signing', token_format='UUID')
        self.opt_in_group('token',
-                          provider='keystone.token.providers.pki.Provider')
+                          provider=token.provider.PKI_PROVIDER)
        try:
            token.provider.Manager()
            raise Exception(
                'expecting ValueError on token provider misconfiguration')
-        except ValueError:
+        except exception.UnexpectedError:
            pass

        self.opt_in_group('signing', token_format='PKI')
        self.opt_in_group('token',
-                          provider='keystone.token.providers.uuid.Provider')
+                          provider=token.provider.UUID_PROVIDER)
        try:
            token.provider.Manager()
            raise Exception(
                'expecting ValueError on token provider misconfiguration')
-        except ValueError:
+        except exception.UnexpectedError:
            pass

        # should be OK as token_format and provider aligns
        self.opt_in_group('signing', token_format='PKI')
        self.opt_in_group('token',
-                          provider='keystone.token.providers.pki.Provider')
+                          provider=token.provider.PKI_PROVIDER)
        token.provider.Manager()

        self.opt_in_group('signing', token_format='UUID')
        self.opt_in_group('token',
-                          provider='keystone.token.providers.uuid.Provider')
+                          provider=token.provider.UUID_PROVIDER)
        token.provider.Manager()

        # custom provider should be OK too
        self.opt_in_group('signing', token_format='CUSTOM')
        self.opt_in_group('token',
-                          provider='keystone.token.providers.pki.Provider')
+                          provider=token.provider.PKI_PROVIDER)
        token.provider.Manager()
+
+    def test_default_token_format(self):
+        self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+                         token.provider.PKI_PROVIDER)
+
+    def test_uuid_token_format_and_no_provider(self):
+        self.opt_in_group('signing', token_format='UUID')
+        self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+                         token.provider.UUID_PROVIDER)
+
+    def test_unsupported_token_format(self):
+        self.opt_in_group('signing', token_format='CUSTOM')
+        self.assertRaises(exception.UnexpectedError,
+                          token.provider.Manager.check_and_get_token_provider)
+
+    def test_provider_override_token_format(self):
+        self.opt_in_group('token',
+                          provider='keystone.token.providers.pki.Test')
+        self.assertRaises(exception.UnexpectedError,
+                          token.provider.Manager.check_and_get_token_provider)
+
+        self.opt_in_group('signing', token_format='UUID')
+        self.opt_in_group('token',
+                          provider=token.provider.UUID_PROVIDER)
+        self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+                         token.provider.UUID_PROVIDER)
+
+        self.opt_in_group('signing', token_format='PKI')
+        self.opt_in_group('token',
+                          provider=token.provider.PKI_PROVIDER)
+        self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+                         token.provider.PKI_PROVIDER)
+
+        self.opt_in_group('signing', token_format='CUSTOM')
+        self.opt_in_group('token',
+                          provider='my.package.MyProvider')
+        self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+                         'my.package.MyProvider')