We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.
Currently, that configuration is only used to define a default domain
for groups (and then each group there could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied for users and projects.
Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.
Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
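As an added illustration of the domain precedence described above (project-level domain, then the mapping's root `domain`, then the IdP domain, with schema version "1.0" rejecting project-level domains), here is a small stand-alone model. It is not Keystone's code; the mapping layout, key names and domain names are constructed assumptions.

```python
import copy

# Constructed mapping in the style of Keystone's attribute-mapping JSON.
# Field layout and domain names are assumptions, not taken from Keystone.
IDP_DOMAIN = {"name": "idp_domain"}
MAPPING = {
    "domain": {"name": "global_domain"},  # root-level default domain
    "rules": [{
        "remote": [{"type": "REMOTE_USER"}],
        "local": [
            {"user": {"name": "{0}"}},
            {"projects": [
                {"name": "proj-a", "roles": [{"name": "member"}],
                 "domain": {"name": "proj_domain"}},   # project-level override
                {"name": "proj-b", "roles": [{"name": "member"}]},
            ]},
        ],
    }],
}

def iter_projects(mapping):
    """Yield every project entry found in the mapping's local rules."""
    for rule in mapping.get("rules", []):
        for local in rule.get("local", []):
            yield from local.get("projects", [])

def validate_mapping(mapping, schema_version):
    """Schema "1.0" has no project-level domain; reject a mapping that uses one."""
    if schema_version == "1.0":
        for project in iter_projects(mapping):
            if "domain" in project:
                raise ValueError("project domain requires schema version 2.0")
    return True

def resolve_domain(item, mapping, idp_domain):
    """Precedence: the item's own domain, then the root domain, then the IdP domain."""
    return item.get("domain") or mapping.get("domain") or idp_domain

def apply_domains(mapping, idp_domain):
    """Return a deep copy of the mapping with user and project domains filled in."""
    result = copy.deepcopy(mapping)
    for rule in result.get("rules", []):
        for local in rule.get("local", []):
            if "user" in local:
                local["user"]["domain"] = resolve_domain(local["user"], mapping, idp_domain)
            for project in local.get("projects", []):
                project["domain"] = resolve_domain(project, mapping, idp_domain)
    return result
```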
The mock library is a third party lib that attempted to bridge the gap
between Python 2 and Python 3 mocking. Now that we have moved to py3
only, there is no need to use a third party lib and we can use the
standard built-in mocking support.
Change-Id: I8bbcedb7ad3f0bc2e06dfa13878a97411ee1dc6d
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
Keystone actually validates each token twice for every API request.
Regardless of caching being configured, we have an opportunity to try
and spend less time doing something we've already done.
The first time the token is validated is actually done through a
keystonemiddleware hook. The second time is to populate a context
object that we can use for things like policy decisions.
Closes-Bug: 1819036
Change-Id: Ifd7f6f0a1dcd33ad17646cae383132cfc2462f03
Fixes X.509 tokenless auth by properly populating the request context
with the necessary credential information. Since Stein release, RBAC
has been using the credential information from the Keystone request
context instead of the authentication context. Therefore, we'll need
to populate the request context with the necessary credential
information from the X.509 tokenless authentication context.
Closes-Bug: 1811605
Change-Id: I170a91e9ac36990d1e7ec4165dd0337b8f06a938
Fixes incorrect parameters passed into
keystone.federation.utils.transform_to_group_ids() which resulted
in HTTP 500 internal error.
Added an additional test case to test mapping with group domain name
in it as this scenario was never tested before.
Change-Id: I4112e5968cd0d52444b686a3777da56203ae95ad
Closes-Bug: 1814589
This removes common.controller, common.extension, common.router, and
common.wsgi. Relevant code from common.wsgi (used by AuthContext) was
moved into keystone.server.flask.request_processing.middleware.auth_context.
keystone.api.discovery now uses keystone.flask.base_url
test_middleware and test_exception were modified to reflect the changes
to the remaining code from keystone.common.wsgi
keystone.common.authorization only holds a couple constants for auth
work now.
Routes is removed from requirements.txt
Release-Note for migration to flask added.
Change-Id: I81563b6a49c8f12ecade058a9483f3b6f070dc72
Closes-Bug: #1776504
Move AuthContextMiddleware to keystone.server.flask.request_processing
to be more in line with the other internally defined middleware.
Change-Id: I25b6a88f4b0dc3af306360ee4e5ec0abfe3cf812
Partial-Bug: #1776504
Replace the JSON Body middleware with flask-native before-request
function.
The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.
Test Changes:
* JSON Body middleware has been removed, no testing of the removed code
* JSON Body Before Request Method has been implemented and associated
testing (mirroring the JSON Body middleware code).
* Test entry points no longer look for JSON Body middleware.
Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
The entire purpose of this confusingly named middleware is to take token
values out of headers and put them into a dictionary. There's no point
in this, we have a request class that can abstract this for us.
Deprecate the middleware, it's unnecessary.
bp: deprecated-as-of-rocky
Change-Id: I09310bab6bd728127288ba4c3cf8f884a31e2b98
A previous change started removing the self magic:
Ic2094dca56158d8e4cd843eadff837f3a17ea38f
This commit finishes that work. A subsequent patch will remove the
self manager logic all together and we'll fix up any trivial test
infrastructure then.
Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
common/authorization.py seems to be the canonical location for all our
information relating to auth parameters. The header definitions should
really be there as well.
Change-Id: I20d5cc94a55dd8936b5fe376ebbabd69909bb4dd
I'm guessing these two links were maintained as part of a larger
refactor some time ago, however there's really no reason to maintain
these references in multiple places. Remove them.
Change-Id: I9a3a6a3b59e0591a47d52512742995d56958e6bf
This change removes the function assertRaisesRegexp from within
keystone to help reduce any confusion about what is really being
called within the appropriate test. The test was changed to use
assertRaisesRegex() which is aliased in six for python 2 and 3.
assertRaisesRegexp in this change was a part of keystone itself
rather than the function of the same name from python 2, and was
causing confusion with recent changes regarding deprecation
and python 3 changing the name to assertRaisesRegex.
Change-Id: I63c84ff432e08866253cfb14ad3bb8db4a665589
Officially deprecate the admin_token_auth in the paste-ini. The
functionality has been merged into auth_context_middleware. This allows
for a smoother removal of the admin-token functionality down the line.
The AdminTokenAuthMiddleware now does nothing if in the pipeline
except emitting a log.error.
This also removes the ADMIN token from the paste-pipeline itself
implements bp: removed-as-of-pike
Co-authored-by: Morgan Fainberg <morgan.fainberg@gmail.com>
Change-Id: I57586ccfa0ad1309cc806d95377dc1ecad015914
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
Reuse the validation logic that is already present in auth_token
middleware. Once this is present keystone can start to reuse the same
helpers that are created from auth_token middleware that the other
services rely on.
For now there is still some redundancy, like for example bind checking
is now enforced in auth_token middleware and in keystone. These can be
removed in later commits because they will require test changes.
My intention after this is to start to more directly integrate this with
oslo.policy and start to standardize the way auth is handled from
auth_token middleware to enforcement. Doing this work here means that we
get keystone to try out policy changes first.
Change-Id: I6592ea2865863c9ace1304b06d73a917c3a1b114
Keystone's tox.ini contains an "ignore" entry for H405 violations:
multi line docstring summary not separated with an empty line.
All violations of H405 should be fixed so that H405 can be removed
from the ignore list.
Change-Id: I1b2aae0cabc20909cf3b0a405d5e31c5d91148b2
Closes-Bug: #1482773
The Unicode type is 'unicode' in Python 2 and 'str' on Python 3.
This patch replaces unicode with six.text_type to make Keystone
compatible with Python 2 and Python 3. To protect against regression
two py34 problems were fixed and test_middleware.py was added
to tox.ini.
Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com>
bp python3
Change-Id: I4a5cf86ca1aa5f4d305696c2b39cdbc7e2cbc71e
Currently the middleware tests are performed by creating a fake request
object and then running the perform_request method. This doesn't take
into account if we were to use a more complex request class than the one
that is stubbed out.
By using webtest to make these requests we allow them to perform the
full webob traversal that they would in a real web request situation.
Change-Id: I37c0b48a8d564dcd4aee59b86e50f374f5b60531
Wrong usage of "an" in the message:
"backend DB for mapping an user or a group"
Should be:
"backend DB for mapping a user or a group"
Change-Id: I3934b2749481cb9adab2bc460991f00ef32ac9fa
Replace all hand created project refs with calls to new_project_ref().
In unit tests, rename 'tenant' variables to 'project' where appropriate.
Change-Id: Id6d0462ba527c6950db1d25f19cb25dfaf01a002
Remove federation as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.
Some instances of federation constants were removed because
they were causing a circular dependency, these can be refactored in
a later patch.
DocImpact: You should no longer run the migrations for this extension
Implements: bp move-extensions
Co-Authored-By: Nithya Renganathan <narengan@us.ibm.com>
Change-Id: If5857a6ee4c7c527929069b25beab40f4c5d87e2
Replace all hand created user refs with calls to new_user_ref().
Note: LDAP live testing code will be updated in a follow on patch.
They require more testing before submission.
Change-Id: I73b1d869534ac3a1bcd2404ef1dd3a0d5b7ea518
dict.copy() only performs a shallow copy of a dictionary. So by
modifying it after a copy you're still modifying the original dict.
Change this to do a deep copy so we don't mutate the fixtures.
I had not come across anywhere where this caused a problem, just
something I saw.
Change-Id: I9a1284a9bab2a9d0be74abac9931c4a81f583d6d
In several test files, the keystone.tests.unit import was aliased as
tests. This made it difficult to do global renames.
Change-Id: I1e4798c76d53f265b921ef26e2a0141fc504ce69
Implemented middleware to map an incoming trusted SSL client certificate
into Keystone auth credential so we can perform authorization without
having to issue a token.
TODO: to submit a separate patch to devstack to enable this feature.
Co-authored-by: guang-yee <guang.yee@hp.com>
SecurityImpact
DocImpact
implements bp keystone-tokenless-authz-with-x509-ssl-client-cert
Change-Id: Icc7305ca9d96f8e9cdc95ccde57de650801c6544
Keystone modules used different sources of the CONF global so were
inconsistent. All modules should use CONF from oslo_config.cfg.
Change-Id: I60c8d2c577d37b9b8a367b46596154ce6c49fff4
The existing test files are all moved under keystone.tests.unit,
except the existing keystone.tests.unit are left in place.
The .testr.conf is updated so that unit tests are run by default
in tox envs, and a tox env can override the tests to run by
setting OS_TEST_PATH.
This is so functional tests can sit in keystone.tests.functional.
Change-Id: I065d3f56e22f344abdadd92b3b384b002b02d989