Commit Graph

80 Commits

Author SHA1 Message Date
Lance Bragstad 8e85cb1a4d Remove v2.0 auth APIs
This was originally staged to be removed in the T release.
Discussions from the Queens PTG resulted in the ability to remove it
sooner since everything else in v2.0 is gone except the ec2 APIs.

This patch just removes the v2.0 authentication API and the tests
that failed as a result. A subsequent patch will go through and start
removing all the plumbing, fixtures, and testing infrastructure that
is no longer needed.

bp removed-as-of-queens

Change-Id: I4c3e35f3565b4b60ae4d00cc2490bd04aba1a800
2017-09-30 15:31:45 +00:00
Lance Bragstad 139aa015d2 Remove v2.0 token APIs
This commit removes all the v2.0 token APIs with the exception of the
v2.0 authenticate for token API. POST /v2.0/tokens affects so much
stuff that we can do it in a separate patch and hopefully make it
easier for reviewers.

bp removed-as-of-queens

Change-Id: I508e7350c2a2d25c8fb413ea3523633f8939d80f
2017-09-30 15:26:03 +00:00
Lance Bragstad 9eef17930a Remove v2.0 assignment APIs
bp removed-as-of-queens

Change-Id: I29df48b0df39dc0a97e28a6436278734082d5ec7
2017-08-31 22:20:58 +00:00
Gábor Antal c812f53629 Removed unnecessary setUp() calls from unit tests
TrivialFix

Change-Id: I4d4349f70f58b1bb464fcb9b7adf324991b73530
2017-08-01 18:24:03 +02:00
XieYingYun 29eec5ebc0 Remove unnecessary setUp function in testcase
In a testcase, setUp will be called automatically. This patch is used to
remove setUp functions that do nothing. Besides, it will keep the code clean.

Change-Id: Iadb247fd43df8bb9bb0db54492b1bc2dc23cf065
2017-03-30 14:32:58 +08:00
Gage Hugo 2be615ea93 Fix multiple uuid warnings with pycadf
There are multiple pycadf warnings about invalid uuids when
running keystone tests:

To ensure interoperability, identifiersshould be a valid uuid.
  warnings.warn('Invalid uuid. To ensure interoperability, identifiers'

This changes multiple fixtures within default_fixtures to use valid
uuids for their 'id' values. Also changed load_fixtures to build
the fixtures based on the default_fixtures' 'name' value, rather
than 'id'. Replaced many instances of invalid hard-coded ids to use
random uuids, default_fixture ids, or 'default'.

Co-Authored-By: Tin Lam <tinlam@gmail.com>

Change-Id: Ic4fff30c306561b71288712480f073aba1fccbde
Closes-Bug: #1659053
Depends-On: I58bba04c21c2d24fd37850c9ecc6fac99deb3fc4
2017-02-08 21:16:43 -06:00
Lance Bragstad 4c095ccf2f refactor the token controller
The token controller had quite a few case statements depending on
which type of authentication was required based on the format of the
authenticate request.

This commit uses the generator pattern to give the
token.controllers.Auth.authenticate() method the right authentication
object based on the format of the request. Each authentication method
just implements an `authenticate()` method that returns a tuple of
information.

Change-Id: I11f508dd55c910b122c4102a96252041f76d6224
2016-11-11 17:43:56 +00:00
Lance Bragstad e361a3ad8e Use issue_v3_token instead of issue_v2_token
This is following the same pattern we applied to the token validation
path by collapsing the v3 and v2.0 paths together. Here we are going
to use issue_v3_token and translate the response to a v2.0 format.

This is going to allow us the ability to simplify the token provider
interface, remove duplicate logic, and isolate specific v2.0 and v3
token-isms into specific areas.

One of the existing test cases changes to assert an Unauthorized
exception when a trustee is disabled, instead of a Forbidden exception.
The switch is because the behavior is consistent with regular users
trying to authenticate with a token when their user is disabled (a 401
is expected). We're making that behavior consistent when a trustee is
disabled.

A subsequent patch will remove issue_v2_token entirely.

Change-Id: I191ce36b2f11f7353e2e3d601af1bda96987613b
2016-11-11 17:43:41 +00:00
Steve Martinelli 8a66ef6354 Remove support for PKI and PKIz tokens
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is that support for the
revocation list must be maintained.

This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).

Future patches will:

- Remove the keystone-manage commands for generating certs

- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.

- Options to configure PKI will be marked as deprecated

- If PKI is configured a normal signed list will be returned (same
behavior as today)

- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.

Related-Bug: 1626778
Related-Bug: 1626779

Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
2016-11-01 22:05:01 +00:00
Lance Bragstad 71134fbe1c One validate method to rule them all...
Regardless of persistence requirements or format, let's perform
token validation one way.

This simplifies the validation path of the token provider API.

Change-Id: Idb5de4459fd8bf83973ed74fccc275a64873c88c
2016-10-12 15:03:12 +00:00
Lance Bragstad 52bde3cf08 Remove validate_v2_token() method
Instead of using validate_v2_token, we can effectively use the
validate_v3_token method and translate the v3 response to a v2 one.

This is a step towards simplifying the token provider API.

Change-Id: Iccb8349e0710288adb107d55437a4ff50d074b1c
2016-10-12 14:34:23 +00:00
Lance Bragstad 9aec18b0f2 Use validate_v3_token instead of validate_token
The token provider has about 3 different ways to validate a token.
Since all 3 methods validate tokens in a very similar way, we
should consolidate the behavior by collapsing the calls.

This is an effort to simplify the token provider API.

Change-Id: I32b94ce6fad29774d32639459fd17691ba427520
2016-10-05 15:06:55 +00:00
Lance Bragstad 7f3f596351 Fix the belongsTo query parameter
The belongsTo query parameter is only supported by the v2.0
token validation API. It would check the ID of the project passed
to the belongsTo parameter against the project a token was scoped to.

This commit corrects the implementation, tests, and adds
documentation. It also moves the check to keystone.token.controller
since belongsTo is a v2-ism and doesn't belong in the
keystone.token.provider.

Closes-Bug: 1627085
Closes-Bug: 1626794
Change-Id: I4a06a498112b81093d7e5ef3142bb1e2d0f78138
2016-09-23 21:05:16 +00:00
David Stanek acde6ff5b3 Add edge case tests for disabling a trustee
This commit introduces two tests that ensure if a trustee of a
trust-scoped token is disabled, keystone will emit a Forbidden
exception. Regardless of the token provider, keystone should have
a consistent behavior. In order to test this, the test had to be
implemented differently for each token provider, specifically for
persistent and non-persistent tokens.

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: Iaf04a26c9f60eb68bbd56b941ff76c893c144cb8
2016-09-13 16:16:58 +00:00
Ji-Wei fe12aaf135 Fix order of arguments in assertIs
Some tests used incorrect order for the assertIs function. The correct
order expected by testtools is:

  assertIs(expected, observed, message='')

For more details, see the testtools docs [1]

[1] http://testtools.readthedocs.io/en/latest/api.html#testtools.TestCase.assertIs

Change-Id: I7184cb566ede3d571c745c93b838131a87c17b75
2016-09-09 12:58:43 +00:00
Alexander Makarov 7260b55cfc Pre-cache new tokens
Since tokens are most often used right after being created,
cache them to bypass redundant validation.
The patch uses dogpile.cache internal functionality so some
calls may look strange.

Implements bp pre-cache-tokens

Change-Id: I2e720eed6b0066738181afd1cbf73c5ff4d876f5
2016-08-31 20:14:53 +03:00
Jenkins f74df8da1a Merge "Make KeyRepository shareable" 2016-08-21 05:27:53 +00:00
Lance Bragstad fab5f82683 Make KeyRepository shareable
Because sharing is caring... and it helps us test credential encryption by
allowing us to reuse the KeyRepository fixture for credentials and fernet.

bp credential-encryption
Change-Id: I50a4e663385a0070ee1fd2c83c2fe5913f5a0ad0
2016-08-18 15:21:55 +00:00
David Stanek ecbeae5325 Removes use of freezegun in test_auth tests
The tests are already using the oslo_utils TimeFixture to manage time. Using
freezegun seems to be redundant.

Change-Id: I1162214ebbeba9276c5c47e094df91a16bb74658
2016-08-17 13:37:57 +00:00
David Stanek 25d2f8e2ee Removes a redundant test from FernetAuthWithTrust
It turns out that the behaviour tested by
test_trust_get_token_fails_if_trustee_disabled is not actually different
between Fernet and UUID if the tokens are properly revoked. The original
test didn't ensure that any time had passed between creating and revoking
a token. This adds a new test showing the different behaviour and modifies
the existing test to work.

Previously this test would fail intermittently when hitting a second
boundary.

If the creation and revocation happen in the same second then Fernet will
indeed respond with a Forbidden. If the revocation happens at least one
second after, it will respond with the expected Unauthorized.

Change-Id: I31e55e92cd745c34254e96491f97112ff0513baf
2016-08-17 13:36:29 +00:00
Lance Bragstad 3efd271fbc Make all token provider behave the same with trusts
Change-Id: I0a4fefe34a0c6912200d256e7bc3cbef66b34a16
2016-08-03 20:51:22 +00:00
Lance Bragstad b77c5b789f Make AuthWithTrust testable against uuid and fernet
We should make AuthWithTrust something that is tested against both the uuid
token provider and the fernet token provider. This helps us move towards making
fernet the default token provider.

This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.

Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayoung@redhat.com>

Change-Id: I0fd2187421fc677e7d422d4b449eec3056a134e9
Partial-Bug: 1561054
2016-07-26 15:12:15 +00:00
Jenkins fc3585276f Merge "refactor: inherit AuthWithRemoteUser for other providers" 2016-07-25 22:34:05 +00:00
Jenkins d57602c947 Merge "Run AuthWithToken against all token providers" 2016-07-25 22:22:48 +00:00
Lance Bragstad e9fc581440 refactor: inherit AuthWithRemoteUser for other providers
This commit makes it so that the AuthWithRemoteUser class no longer inherits
from other test cases. Instead it inherits from `object` and I've added
several other classes that set up each token provider to test the cases in
AuthWithRemoteUser.

This helps us move towards making Fernet the default token provider.

Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>

Change-Id: I3ae63c8ff50a897ef0ae6e8129abc02e5b93747c
Partial-Bug: 1561054
2016-07-21 18:21:28 +00:00
Lance Bragstad 241d33d7a6 Run AuthWithToken against all token providers
This makes AuthWithToken inherit directly from `object` and introduces other
test classes with specific test setup for each format to inherit AuthWithToken.
This will make the switch to Fernet as default provider easier.

This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.

Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>

Change-Id: I87a12160e31b2467af01dc8e7b01cc59d5907675
Partial-Bug: 1561054
2016-07-21 18:21:28 +00:00
Jamie Lennox b3e065efaa Remove get_user_id in trust controller
The get_user_id function relied on the token model in auth_context -
which amongst other things means it would fail with a tokenless auth
context. This can be replaced with user_id from the request.context.

Normally I try not to mix in cleanups, but whilst doing this and
changing variables in list_trusts a small reshuffle and some whitespace
just made the whole thing actually readable.

Change-Id: I5b64210fc797961b422a0ab9a1b4cee078fe6a0f
2016-07-14 18:28:30 +10:00
Jenkins a6af6b4dd8 Merge "Use request instead of context in v2 auth" 2016-07-06 10:27:57 +00:00
Jamie Lennox e7fc0932a1 Use request instead of context in v2 auth
In an ongoing effort to rid ourselves of the context_dict push the
request object further into the v2 auth controllers.

Change-Id: I01e4a857da06448b951e4840636c175fe85498c3
2016-07-04 15:36:20 +10:00
David Stanek 4bbb151dfb Use skip_test_overrides everywhere we feature skip
Use skip_test_overrides instead of using skipTest for skipping tests
that are not implemented by a particular backend. Then the tests will
let us know that they can be removed when the skipped test is removed.

This change also found that one test could be removed.

Change-Id: I3d6aa0719d2365f65cd1b9b6d6f83be4c5bea2bc
2016-07-03 13:01:30 +00:00
Jamie Lennox ef70f52bef Use request.params instead of context['query_string']
The context['query_string'] is just a dictionary copy of the original
params object that comes from a request. Just use the existing params
instead.

Change-Id: I0ecd7a09e36b39a105c150b3affcbbcd26a544c2
2016-06-29 04:46:57 +10:00
Dolph Mathews d9c6b50a3a Replace keystone.common.config with keystone.conf package
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.

This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.

There are a couple special modules in keystone.conf introduced here as
well:

- keystone.conf.__init__: This causes all of Keystone's options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).

- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.

- keystone.conf.opts: The entry point for oslo.config itself.

- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.

Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
2016-06-24 17:02:15 +00:00
Jamie Lennox da6ea7e224 Pass a request to controllers instead of a context
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.

Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
2016-06-08 14:56:52 +10:00
Steve Martinelli 3965fbef4d remove deprecated revoke_by_expiration function
revoke_by_expiration is only useful if a token does not have an
audit_id or audit_chain_id. Tokens always have an audit ID, so
this function seems redundant. It was also deprecated in the
J release, with no timeline for its removal.

Change-Id: Ieb92a70ab782fa8ceb59dc807ea8647587be9e2b
bp: removed-as-of-newton
2016-05-22 14:39:58 +00:00
Lance Bragstad 0d376025ba Fix fernet audit ids for v2.0
The fernet token provider was doing some weird things with audit ids that
caused token rescoping to not work because audit ids were never pulled from the
original token. This commit also enables some tests for v2.0 authentication
with the Fernet as the token provider.

Closes-Bug: 1577558
Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
2016-05-04 07:05:39 +00:00
kylin7-sg c08884d9c9 Typo fix in tests
autenticate to authenticate

Change-Id: Ib7f8bd8b91c36819a3b202aa14a341e259f6e357
2016-04-18 10:52:46 +08:00
Navid Pustchi aabc213040 Fix D401 PEP8 violation.
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.

Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
2016-04-14 20:08:52 +00:00
Brant Knudson e6890afb38 Reference config values at runtime
Configuration values can be changed at runtime, therefore the
tests should not use the value that was set at import time
since the value might have been changed.

Change-Id: Ib2baa0da12c5b7f13a3f757fb3faea9da3b0c467
2016-02-24 11:31:28 -06:00
Tin Lam 2bad130bf4 Removing H405 violations from keystone
Keystone's tox.ini contains an "ignore" entry for H405 violations:
multi line docstring summary not separated with an empty line.
All violations of H405 should be fixed so that H405 can be removed
from the ignore list.

Change-Id: I1b2aae0cabc20909cf3b0a405d5e31c5d91148b2
Closes-Bug: #1482773
2016-02-21 03:47:55 -05:00
Julien Danjou 40c3942c12 wsgi: fix base_url finding
The current wsgi.Application.base_url() function does not work correctly
if Keystone runs on something like "http://1.2.3.4/identity" which is now
a default in devstack.

This patch fixes that by using wsgiref.util to parse the environment
variables set in WSGI mode to find the real base url and return the
correct URL. The following environment variables will be used to
produce the effective base url:

  HTTP_HOST
  SERVER_NAME
  SERVER_PORT
  SCRIPT_NAME

Closes-Bug: #1381961
Change-Id: I111c206a8a751ed117c6869f55f8236b29ab88a2
2016-02-16 22:48:08 +00:00
Lance Bragstad 5c51dbbc0a Consolidate the fernet provider validate_v2_token()
When the Fernet token provider was implemented, it extended the
provider.common.py:BaseProvider class. It also overrode almost all common methods
the BaseProvider implemented. Other token providers in Keystone (like the UUID
and PKI providers) just implement a _get_token_id method because token ids may
be different across providers.

This commit also removes validate_v2_token from the Fernet provider. This method was
no longer being used so it makes sense to remove the duplicate code.

Change-Id: Iddc77f9cb9b2fd69a3e55c32668b808efe9239a1
2016-02-10 17:28:32 +00:00
Jenkins fbf4eccb29 Merge "Add support for strict url safe option on new projects and domains" 2016-01-19 22:58:55 +00:00
Henry Nash 60b52c1248 Add support for strict url safe option on new projects and domains
Building on the earlier patch that provided the 'new' url name
restriction, this patch adds the 'strict' option that prevents
authenticating to projects and domains with unsafe names.

A release note and config documentation are also added that cover
both this and the earlier patch.

Partially Implements: blueprint url-safe-naming

Change-Id: Ie69025e7759bae1067e05d9190bede192a5e6830
2016-01-19 03:47:31 +00:00
Jenkins a44a29a66f Merge "Remove comments on enforcing endpoints for trust" 2016-01-07 03:05:56 +00:00
Jenkins a4adca6c50 Merge "Config option for insecure responses" 2016-01-06 09:08:58 +00:00
Samuel de Medeiros Queiroz 99814a8df9 Remove comments on enforcing endpoints for trust
Back in the Grizzly version of OpenStack, we introduced Trusts
(I5745f4d9a4180b59671a143a55ed87019e98ec76).

At the time, we had an idea that we would do future work with Trusts
and Endpoints with regard to limiting what went into Tokens. Hence we
have left TODO notes.

Now that we have the endpoint filtering API, the old idea does not make
sense anymore.

This commit removes those invalid TODO comments.

Change-Id: I25c606bb67a5d5b9f2194c8fb2c7df26170f88eb
2015-12-09 11:58:31 -03:00
Sean Perry df360b8ca0 Use unit.new_project_ref consistently
Replace all hand created project refs with calls to new_project_ref().
In unit tests, rename 'tenant' variables to 'project' where appropriate.
Change-Id: Id6d0462ba527c6950db1d25f19cb25dfaf01a002
2015-11-30 19:31:50 +00:00
Brant Knudson a751604fe0 Merge keystone.config into keystone.common.config
Having two places for config stuff is confusing. There should only
be the one place for config stuff, keystone.common.config.

Change-Id: I83cae5d2140639df228025851ceb3f90c21af08a
2015-11-19 08:24:51 -06:00
Brant Knudson 2afad4dc30 Config option for insecure responses
oslo.log's "debug" option was co-opted to also indicate that the
responses should include more information. A separate config
option should be used instead so that deployers don't mistakenly
expose themselves to security issues.

The debug option still is used for what it does in oslo.log and
how it works on all other projects -- if you're not using a log
config file it sets the base logger to debug.

SecurityImpact

Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
Closes-Bug: 1479523
2015-11-19 08:16:07 -06:00
Sean Perry 5784285e9f Use unit.new_user_ref consistently
Replace all hand created user refs with calls to new_user_ref().

Note: LDAP live testing code will be updated in a follow on patch.
They require more testing before submission.

Change-Id: I73b1d869534ac3a1bcd2404ef1dd3a0d5b7ea518
2015-11-17 19:20:33 +00:00