Add a check to see if a federation token is being used for v2 auth

If a user has a federation environment, and doesn't update nova to use v3 auth in auth_token, then they will automatically be using v2 auth, which causes a fairly useless error to bubble up. We should check if the user is using a fedration token in v2 and provider a better error message. Change-Id: I9c490df8dd38e9fa1f393ebfa1296b64fb0c9527 Closes-Bug: #1419114
2015-02-10 02:51:33 -05:00 · 2015-02-10 02:51:33 -05:00 · 2d119010e1
parent 8ba0c166e5
commit 2d119010e1
2 changed files with 25 additions and 0 deletions
--- a/keystone/tests/test_v3_federation.py
+++ b/keystone/tests/test_v3_federation.py
@ -1392,6 +1392,20 @@ class FederatedTokenTests(FederationTests):
        self.assertRaises(exception.Unauthorized,
                          self._issue_unscoped_token)

+    def test_v2_auth_with_federation_token_fails(self):
+        """Test that using a federation token with v2 auth fails.
+
+        If an admin sets up a federated keystone environment, and a user
+        incorrectly configures a service (like nova) only use v2 auth, the
+        returned message should be informative.
+
+        """
+        r = self._issue_unscoped_token()
+        token_id = r.headers.get('X-Subject-Token')
+        self.assertRaises(exception.Unauthorized,
+                          self.token_provider_api.validate_v2_token,
+                          token_id=token_id)
+
    def load_federation_sample_data(self):
        """Inject additional data."""

--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -494,6 +494,16 @@ class BaseProvider(provider.Provider):
            raise exception.Unauthorized()
        return token_ref

+    def _assert_is_not_federation_token(self, token_ref):
+        """Make sure we aren't using v2 auth on a federation token."""
+        token_data = token_ref.get('token_data')
+        if (token_data and self.get_token_version(token_data) ==
+                token.provider.V3):
+            if 'OS-FEDERATION' in token_data['token']['user']:
+                msg = _('Attempting to use OS-FEDERATION token with V2 '
+                        'Identity Service, use V3 Authentication')
+                raise exception.Unauthorized(msg)
+
    def _assert_default_domain(self, token_ref):
        """Make sure we are operating on default domain only."""
        if (token_ref.get('token_data') and
@ -540,6 +550,7 @@ class BaseProvider(provider.Provider):

    def validate_v2_token(self, token_ref):
        try:
+            self._assert_is_not_federation_token(token_ref)
            self._assert_default_domain(token_ref)
            # FIXME(gyee): performance or correctness? Should we return the
            # cached token or reconstruct it? Obviously if we are going with