The eventlet server implementation was removed during Newton, and has
not been used by any other implementations for a while.
Change-Id: I01f9adfc3e610d820c1834209d36c10568cccf41
The fix is to copy the missing check from class AuthProtocol
of keystonemiddleware.
Closes-bug: 1999068
Change-Id: I4fd7bf6b194c38815c2a9cdbab92a07315397eab
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3. Convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
This change adds application credential access rules to the token model
and ensures that only clients (that is, keystonemiddleware) that support
access rule enforcement are allowed to validate tokens containing
access rules.
Depends-on: https://review.openstack.org/633369
bp whitelist-extension-for-app-creds
Change-Id: I301651369cf03e06550bc29eb534506674e56a1f
Keystone actually validates each token twice for every API request.
Regardless of caching being configured, we have an opportunity to try
and spend less time doing something we've already done.
The first time the token is validated is actually done through a
keystonemiddleware hook. The second time is to populate a context
object that we can use for things like policy decisions.
Closes-Bug: 1819036
Change-Id: Ifd7f6f0a1dcd33ad17646cae383132cfc2462f03
Fixes X.509 tokenless auth by properly populating the request context
with the necessary credential information. Since Stein release, RBAC
has been using the credential information from the Keystone request
context instead of the authentication context. Therefore, we'll need
to populate the request context with the necessary credential
information from the X.509 tokenless authentication context.
Closes-Bug: 1811605
Change-Id: I170a91e9ac36990d1e7ec4165dd0337b8f06a938
The oslo.policy library actually accepts context objects as a first
class citizen, instead of a hand-built `creds` dictionary. This is a
preferred approach because it's easier for services to use
oslo.context to generate a context object that they can automatically
pass to oslo.policy for enforcement instead of inspecting the context
object and building a dictionary manually to pass to oslo.policy.
This commit allows keystone to partake in this by pulling the
keystone request object, which is a subclass of oslo.context's
RequestContext object, and using it in enforcement. Additionally,
we're overriding the to_policy_values() method of oslo.context
in order to make sure we port keystone-specific values to the policy
dict representation of a context object. This ensures we have values
present that we rely on with our default policies.
This commit also bumps the lower requirement for oslo.policy to
make sure we're always using a version that understands context
objects.
Change-Id: I63e713f4aebf3e8cf5189a6060569d2828bc364d
This removes common.controller, common.extension, common.router, and
common.wsgi. Relevant code from common.wsgi (used by AuthContext) was
moved into keystone.server.flask.request_processing.middleware.auth_context.
keystone.api.discovery now uses keystone.flask.base_url.
test_middleware and test_exception were modified to reflect the changes
to the remaining code from keystone.common.wsgi.
keystone.common.authorization only holds a couple constants for auth
work now.
Routes is removed from requirements.txt
Release-Note for migration to flask added.
Change-Id: I81563b6a49c8f12ecade058a9483f3b6f070dc72
Closes-Bug: #1776504
Move AuthContextMiddleware to keystone.server.flask.request_processing
to be more in line with the other internally defined middleware.
Change-Id: I25b6a88f4b0dc3af306360ee4e5ec0abfe3cf812
Partial-Bug: #1776504