When a developer is implementing an Authentication plugin, in some cases
(like an OpenID Connect plugin) it is needed to perform a redirect to
the provider to complete the flow. This was possible in the past (before
moving to Flask) by raising an exception with the proper HTTP code set,
but the framework change made this possibility not available anymore.
Closes-Bug: #1854041
Co-authored-by: Alvaro Lopez Garcia <aloga@ifca.unican.es>
Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc
The OAuth2.0 Access Token API is added, support to get an OAuth2.0
access token from the keystone identity server with application
credentials.
Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
Some errors were logged without a traceback because they were
logged as a warning instead.
Change-Id: I68595e4e2c37279585f0434a173596e43e047004
Related-Bug: #1965316
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
Version 0.15.0 introduced some "deprecation warning" that cause a fatal
error and break all the unit tests. The new usage is not backwards
compatible, so this commit updates the module imports to accommodate both
versions.
Change-Id: I9ac523ad7637b1ff1c6c49b75add387ca112f980
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.
Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.
Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
Unregister the default Exception from the flask error handler. This
is to allow flask 404 to bubble up outside of test cases normally
without raising a 500 error.
Change-Id: I2159952acae0234472ee3fea7f387278cbefa6c3
Closes-Bug: #1800124
We should never be disabling an API version now, this change
removes a check for seeing if v3 is disabled. Since we should not
be disabling an API version anymore, this check is not needed.
Also removed one test for checking if an API version is disabled.
Change-Id: I08404bf82f26173c68397e33f9e43fadf34ea15e
Exceptions are now handled in the Flask APP instead of in the
legacy webob Application code (at this point that code was living
in the URL Normalizing Middleware). All Keystone API exceptions
(derived from keystone.exception.Error) are automatically
registered on definition with the
keystone.exception.KEYSTONE_API_EXCEPTIONS set. This set is
processed once the app is created in keystone.server.application
to the flask-friendly handler.
TypeError and generic Exception are registered to an explicit
error handler that converts TypeError to ValidationError (BAD_REQUEST)
and all other Exceptions to UnexpectedError (INTERNAL SERVER ERROR).
These exceptions are then emitted in a "jsonify-ed" manner to the
client.
Two other minor changes were required:
* Unenforced API decorator had its core functionality split into
a dedicated function that can be called in the case of an error
being raised in a "before_request" function (such as validation
in the JSON Body before request func).
* The JSON Body before request func now explicitly sets the
api to "unenforced_ok" if it is raising an exception. This
prevents the flask "was this API enforced" assertion from failing
because @unenforced_api was never run (the ValidationError was
raised prior to the resource's method being called).
Change-Id: I0d0ef6a774eb86b4769238ed34d7703232ce86c3
Partial-Bug: #1776504
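The handler arrangement described in the commit message above, as an added example that is not Keystone's code: API error classes register themselves on definition, the registry is processed once into a handler table, and TypeError plus generic Exception go to a fallback that never echoes internal detail to the client. The class bodies, message strings and the `build_handlers`/`dispatch` helpers are assumptions made for illustration, and the MRO walk imitates how a Flask app selects an error handler without requiring Flask.

```python
import json

# Stand-in for the keystone.exception.KEYSTONE_API_EXCEPTIONS set (assumed shape).
API_EXCEPTIONS = set()

class Error(Exception):
    """Base API error; every subclass registers itself when it is defined."""
    code, title = 500, "Internal Server Error"
    message = "An unexpected error prevented the server from fulfilling your request."

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        API_EXCEPTIONS.add(cls)

    def __init__(self, message=None):
        super().__init__(message or self.message)

class ValidationError(Error):
    code, title, message = 400, "Bad Request", "The request could not be validated."

class NotFound(Error):
    code, title, message = 404, "Not Found", "Could not find the requested resource."

class UnexpectedError(Error):
    pass  # inherits the fixed 500 message, so no internal detail is echoed

def _render(err):
    """Serialize an API error to (status, JSON body)."""
    body = {"error": {"code": err.code, "title": err.title, "message": str(err)}}
    return err.code, json.dumps(body)

def _fallback(exc):
    """TypeError becomes a 400; anything else becomes a 500 with a fixed message."""
    return _render(ValidationError() if isinstance(exc, TypeError) else UnexpectedError())

def build_handlers():
    """Process the registry once, at app creation, then add the two catch-alls."""
    handlers = {cls: _render for cls in API_EXCEPTIONS}
    handlers[TypeError] = handlers[Exception] = _fallback
    return handlers

def dispatch(handlers, exc):
    """Pick the handler for the most specific class in the exception's MRO."""
    for cls in type(exc).__mro__:
        if cls in handlers:
            return handlers[cls](exc)
    raise exc
```
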
Remove a chunk of the compat code for legacy dispatching. This moves
the logging about the request to its own before_request function.
Change-Id: I0b1a4ca9a95489e410f055ff47f3399feba3a8f1
Partial-Bug: #1776504
Replace the JSON Body middleware with flask-native before-request
function.
The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.
Test Changes:
* JSON Body middleware has been removed, no testing of the removed code
* JSON Body Before Request Method has been implemented and associated
testing (mirroring the JSON Body middleware code).
* Test entry points no longer look for JSON Body middleware.
Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
Convert S3 and EC2 auth to flask native dispatching.
Test changes required:
* Eliminate direct reference of the EC2 / S3 controllers, originally
this direct reference was to verify signature checking. Since
signature checking is an @staticmethod now, direct reference of
the API resources covers everything.
* Direct import of keystone.common.controller - due to an oddity in
how our WSGI code work(s) in test, if nothing imports the common
controller module, the tests fail using the oslo import_class
mechanism.
Change-Id: I06e95957b3ea3a55b0da28959548bd5eb628c70b
Partial-Bug: #1776504
Convert the projects API to Flask native dispatching.
Change-Id: I3406284acfb7950b701f6a98a3a173a427415f97
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Partial-Bug: #1776504
Convert /v3/users to use flask native dispatching.
The following test changes were required:
* Application Credentials did not have the plural form
in the JSON Home document. The JSON Home document was
corrected both in code and in tests.
* Application Credentials "patch" test needed to be
refactored to look for METHOD_NOT_ALLOWED instead
of NOT FOUND for invalid/unimplemented methods.
The "assertValidErrorResponse" method was
insufficient and the test now uses the flask
test_client mechanism instead.
Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
Convert the /auth paths to flask native dispatching.
A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an over-
write issue within flask as a single resource may only have a
single set of URL mappings).
Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.
This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):
* Implemented keystone.common.render_token (module)
containing render_token_response_from_model and use it instead
of keystone.common.controller.render_token_response_from_model.
Minor differences occur in render_token_response_from_model in
the keystone.common.render_token module, this is simply
for referencing data from flask instead of the request object.
* Test cases have been modified to no longer rely on the auth
controller(s) directly
* Test cases now use "make_request" as a context manager
since authenticate/authenticate_for_token directly
reference the flask contexts and must have an explicit
context pushed.
* Test cases no longer pass request objects into methods
such as authenticate/authenticate_for_token or similar
methods on the auth plugins
* Test cases for federation reference the token model now
where possible instead of the rendered token response.
Rendered token responses are generated where needed.
* Auth Plugin Configuration is done in test core as well.
This is because Auth controller does not exist.
NOTE: This is a massive change, but most of these changes
were now easily uncoupled because of how far reaching auth
is.
Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
Convert OS-INHERIT API to flask native dispatching.
NOTE: A minor test change was needed, the test was mis-constructing the
URI with multiple slashes. The test now properly constructs the URI
using an lstrip when combining the direct_url bits.
Change-Id: I0907eb00cdfb9849342220f9b528f94175e71545
Partial-Bug: #1776504
Convert OS-FEDERATION to flask native dispatching.
NOTE: Two changes occurred that impact testing in this patch.
* The JSON Home test now uses assertDictEquals to make it
easier to debug json_home document errors
* It was by general good luck that the overloaded relation
'identity_providers' worked as expected. The relation was
used for both '/OS-FEDERATION/identity_providers' and
the Identity-Provider-Specific WebSSO path. The change
to the JSON Home document and the tests make the
Identity-Provider-Specific WebSSO path now a relation
of 'identity_providers_websso' to more closely align
with 'websso' relation for
'/auth/OS-FEDERATION/websso/{protocol_id}'. While
this constitutes a minor break in our contract (the
output of the json home document) it was required to
ensure consistency and functionality. The alternative
is to not represent '/OS-FEDERATION/identity_providers'
(list endpoint) in the JSON Home document at all, instead
represent only the WebSSO endpoint.
Change-Id: If746c14491322d4a5f88fa0cbb31105f6d38c240
Partial-Bug: #1776504
Convert the /system API (used for granting roles to the system scope) to
Flask native dispatching.
Change-Id: I48b04f2d0e9d858b0c709687beee27227e516843
Partial-Bug: #1776504
Convert Roles and Implied Roles (all paths under /v3/roles) to
flask native dispatching. This change does not convert
/v3/role_inferences to flask native dispatching.
Change-Id: I114380e96c6a2b3c167676fa1525e4470560b541
Partial-Bug: #1776504
Migrate the OS-EP-FILTER API to flask-native dispatching. This does
not migrate the standard catalog "region", "service" or "endpoint"
APIs.
Change-Id: Ia7c2ab211e2f7fb136e5817390751121f97f4340
Partial-Bug: #1776504
Convert limits and registered limits to flask native dispatching.
NOTE: A minor test change was needed. The limit JSON Home data
was incorrectly formatted and did not properly isolate the
singular forms of "limit" and "registered_limit" from the
plural (list) APIs.
Change-Id: Ib3ceeb0a249ccc73c143730fac78d9f54c67174e
Partial-Bug: #1776504
Move the Credentials API to Flask Native dispatching.
This change fixes some circular importing in the
conversion.
Change-Id: I5e2485ba471d09c3454e78ca2c9dfa19aaf0e4e2
Partial-Bug: #1776504
When a path-prefix is moved to flask native dispatching, no longer
allow that path prefix to be registered with the legacy dispatch
middleware. This will ensure the entire Keystone path is moved
and prevent bad behavior due to both dispatchers needing to handle
a URL.
Change-Id: Ice800abf80a725349d6450b742a2c48238e11e6e
Partial-Bug: #1776504
Do not replace the entire app when wrapping with middleware. It is
important to maintain all the flask-functionality on the app object
and ensure any/all test client calls go through the entire stack of
app and middleware.
Partial-Bug: #1776504
Change-Id: I928d08e96b4c79807ad8c312ba17359c54b67fa0
Move the JSON Home Document and Version Discovery Documents out of
the webob-based mapper and into Flask.
This change removes the keystone.version.controller and
keystone.version.router modules as they have been moved into
keystone.api.discovery.
The keystone.api.discovery module is somewhat specialized as there
are no "resources" and it must handle multiple types of responses
based upon the ACCEPTS header (JSON Home or JSON). In lieu of the
flask-RESTful mechanisms, keystone.api.discovery utilizes bare
flask blueprint and functions. Minor scaffolding work has been done
to ensure the discovery blueprint can be loaded via the loader loop
in keystone.server.flask.application (a stub object in
keystone.api.discovery).
Partial-Bug: #1776504
Change-Id: Ib25380cefdbb7147661bb9853de7872a837322e0
Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7