When a developer is implementing an Authentication plugin, in some cases
(like an OpenID Connect plugin) it is needed to perform a redirect to
the provider to complete the flow. This was possible in the past (before
moving to Flask) by raising an exception with the proper HTTP code set,
but the framework change made this possibility not available anymore.
Closes-Bug: #1854041
Co-authored-by: Alvaro Lopez Garcia <aloga@ifca.unican.es>
Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc
The eventlet server implementation was removed during Newton, and has
not been used by any other implementations for a while.
Change-Id: I01f9adfc3e610d820c1834209d36c10568cccf41
The fix is to copy the missing check from class AuthProtocol
of keystonemiddleware.
Closes-bug: 1999068
Change-Id: I4fd7bf6b194c38815c2a9cdbab92a07315397eab
The OAuth2.0 Access Token API is added, supporting retrieval of an OAuth2.0
access token from the keystone identity server with application
credentials.
Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
Some errors were logged without a traceback because they were
logged as a warning instead.
Change-Id: I68595e4e2c37279585f0434a173596e43e047004
Related-Bug: #1965316
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
This change adds application credential access rules to the token model
and ensures that only clients (that is, keystonemiddleware) that support
access rule enforcement are allowed to validate tokens containing
access rules.
Depends-on: https://review.openstack.org/633369
bp whitelist-extension-for-app-creds
Change-Id: I301651369cf03e06550bc29eb534506674e56a1f
When calling certain group or user APIs, keystone logic would attempt
to figure out the domain to scope responses to. This was specific to
enabling domain-specific driver support, where each domain is backed
by a different identity store. This functionality is turned off by
default. Since system-scoped tokens are not associated to a domain
(unlike project-scoped tokens or domain-scoped tokens), the logic to
determine a domain from a system-scoped token was breaking and
returning an erroneous HTTP 401 Unauthorized when system users
attempted to list users or groups.
This commit adds support for domain detection with system-scoped
tokens.
Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
Closes-Bug: 1843609
This reverts commit e1d31eda34.
In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.
This change was merged to master but never released, so I submit that
it is safe to revert.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: I2cefe9363842101ac6b55947352b91fe9def7cc1
Werkzeug is pickier about how Content-Type is handled in general.
In this case we are now explicitly checking for either Content-Type
being '' or being non-existent in addition to Content-Type being set
to json for decoding the body.
Change-Id: Ia5a7750cff833aa90f7fc446f396c270343fc590
Version 0.15.0 introduced some "deprecation warnings" that cause a fatal
error and break all the unit tests. The new usage is not backwards
compatible, so this commit updates the module imports to accommodate both
versions.
Change-Id: I9ac523ad7637b1ff1c6c49b75add387ca112f980
This allows domain_ids to match across distinct Keystone
deployments. The domain_id is used to create unique
identifiers with the mapping backend. When this
option is used, mapped user identifiers can be
consistent across different Keystone servers.
closes-bug: 1794527
Change-Id: I100bca162e71a9d394ed5787b976b13b1e57987f
Keystone actually validates each token twice for every API request.
Regardless of caching being configured, we have an opportunity to try
and spend less time doing something we've already done.
The first time the token is validated is actually done through a
keystonemiddleware hook. The second time is to populate a context
object that we can use for things like policy decisions.
Closes-Bug: 1819036
Change-Id: Ifd7f6f0a1dcd33ad17646cae383132cfc2462f03
Expose the access rules config driver as a manager. The unit tests are
light because the main functionality is tested for the driver directly.
bp whitelist-extension-for-app-creds
Change-Id: I8988dadfe5f82d9b9d6563246b692add8ea4f22f
Fixes X.509 tokenless auth by properly populating the request context
with the necessary credential information. Since Stein release, RBAC
has been using the credential information from the Keystone request
context instead of the authentication context. Therefore, we'll need
to populate the request context with the necessary credential
information from the X.509 tokenless authentication context.
Closes-Bug: 1811605
Change-Id: I170a91e9ac36990d1e7ec4165dd0337b8f06a938
The oslo.policy library actually accepts context objects as a first
class citizen, instead of a hand-built `creds` dictionary. This is a
preferred approach because it's easier for services to use
oslo.context to generate a context object that they can automatically
pass to oslo.policy for enforcement instead of inspecting the context
object and building a dictionary manually to pass to oslo.policy.
This commit allows keystone to partake in this by pulling the
keystone request object, which is a subclass of oslo.context's
RequestContext object, and using it in enforcement. Additionally,
we're overriding the to_policy_values() method of oslo.context
in order to make sure we port keystone-specific values to the policy
dict representation of a context object. This ensures we have values
present that we rely on with our default policies.
This commit also bumps the lower requirement for oslo.policy to
make sure we're always using a version that understands context
objects.
Change-Id: I63e713f4aebf3e8cf5189a6060569d2828bc364d
When HTTP OPTIONS method was used, keystone was incorrectly classifying
the request to require enforcement. OPTIONS is handled automatically
by flask and needs no additional implementation. It is now explicitly
exempted from the "unenforced api" assertion.
Change-Id: Ifdb850c1fbc10c05108466ad68d808f3f5c20b37
closes-bug: #1801778
Before flask, the code that checked for a local developer environment
config file lived in keystone/server/wsgi.py, and checked for configs at
../../.. relative to itself. Now it lives in
keystone/server/flask/core.py but still checks the same directory depth,
leaving it one short. This patch adds another directory level to the
possible_topdir path so that the wsgi application will correctly look in
keystone/etc instead of keystone/keystone/etc.
Change-Id: If1c8d7c9bb1ea7d2642ab5c5e7f92adec33bf1f2
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.
Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.
Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
Unregister the default Exception from the flask error handler. This
is to allow flask 404 to bubble up outside of test cases normally
without raising a 500 error.
Change-Id: I2159952acae0234472ee3fea7f387278cbefa6c3
Closes-Bug: #1800124
We should never be disabling an API version now, this change
removes a check for seeing if v3 is disabled. Since we should not
be disabling an API version anymore, this check is not needed.
Also removed one test for checking if an API version is disabled.
Change-Id: I08404bf82f26173c68397e33f9e43fadf34ea15e
This removes common.controller, common.extension, common.router, and
common.wsgi. Relevant code from common.wsgi (used by AuthContext) was
moved into keystone.server.flask.request_processing.middleware.auth_context.
keystone.api.discovery now uses keystone.flask.base_url
test_middleware and test_exception were modified to reflect the changes
to the remaining code from keystone.common.wsgi
keystone.common.authorization only holds a couple constants for auth
work now.
Routes is removed from requirements.txt
Release-Note for migration to flask added.
Change-Id: I81563b6a49c8f12ecade058a9483f3b6f070dc72
Closes-Bug: #1776504
Instead of populating with __UNUSED__ or other silly string, make
direct use of "collection_key" or "member_key" raise a ValueError
if they are unset and referenced.
Change-Id: Idf4f4df9d933317fff96a474cdf23d758ebdfa8c
Partial-Bug: #1776504
Address a few nits in docstrings and comments from the flask conversion
patches.
Change-Id: I058d50168c8e5fa566bd98d7dba101ae9e4f1684
Partial-Bug: #1776504
Move AuthContextMiddleware to keystone.server.flask.request_processing
to be more in line with the other internally defined middleware.
Change-Id: I25b6a88f4b0dc3af306360ee4e5ec0abfe3cf812
Partial-Bug: #1776504
Normalizing filter has been converted to a flask-native style
middleware instead of leaning on the old application logic from
Webob. We also now strip all trailing slashes, not just a single
trailing slash.
Test Changes:
* test_url_middleware now tests the new middleware directly instead
of leaning on webob and fake requests.
Change-Id: I5f82817b61a9284b97cf6443105107150d4a1757
Partial-Bug: #1776504
For internally defined middleware (URL Normalizer and AuthContext),
do not use stevedore to load; apply directly. This also cleans up
a lingering entry in the setup.cfg for token_auth.
Test Changes:
* entry points test no longer looks for url_normalize and
build_auth_context
Change-Id: I58d3c23ad4f70668ada4eae94a94d3f5fe750b3b
Partial-Bug: #1776504
Use the flask.request properties instead of direct environ lookups,
as this is more representative of what is happening in the application.
Change-Id: Ic16c5ea26b2f526b51ef167e6f6977c72df1d06a
Partial-Bug: #1776504
Exceptions are now handled in the Flask APP instead of in the
legacy webob Application code (at this point that code was living
in the URL Normalizing Middleware). All Keystone API exceptions
(derived from keystone.exception.Error) are automatically
registered on definition with the
keystone.exception.KEYSTONE_API_EXCEPTIONS set. This set is
processed once the app is created in keystone.server.application
to the flask-friendly handler.
TypeError and generic Exception are registered to an explicit
error handler that converts TypeError to ValidationError (BAD_REQUEST)
and all other Exceptions to UnexpectedError (INTERNAL SERVER ERROR).
These exceptions are then emitted in a "jsonify-ed" manner to the
client.
Two other minor changes were required:
* Unenforced API decorator had its core functionality split into
a dedicated function that can be called in the case of an error
being raised in a "before_request" function (such as validation
in the JSON Body before request func).
* The JSON Body before request func now explicitly sets the
api to "unenforced_ok" if it is raising an exception. This
prevents the flask "was this API enforced" assertion from failing
because @unenforced_api was never run (the ValidationError was
raised prior to the resource's method being called).
Change-Id: I0d0ef6a774eb86b4769238ed34d7703232ce86c3
Partial-Bug: #1776504
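The exception handling described in the commit above (API exceptions registered on definition, TypeError mapped to a 400 ValidationError, everything else to a 500 UnexpectedError, emitted as JSON) is modelled here as an added, framework-free example; it is not keystone's code. The Error/ValidationError/UnexpectedError/NotFound classes, the API_EXCEPTIONS registry and the generic 500 message are stand-ins I chose, not keystone's actual definitions, and no Flask is involved so the mapping logic can be exercised on its own.

```python
import json

# Hypothetical registry standing in for keystone.exception.KEYSTONE_API_EXCEPTIONS:
# every subclass of Error registers itself here on definition.
API_EXCEPTIONS = set()


class Error(Exception):
    """Hypothetical base for API errors (stand-in for keystone.exception.Error)."""
    code = 500
    title = "Internal Server Error"

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        API_EXCEPTIONS.add(cls)  # automatic registration on definition


class ValidationError(Error):
    code = 400
    title = "Bad Request"


class NotFound(Error):
    code = 404
    title = "Not Found"


class UnexpectedError(Error):
    code = 500
    title = "Internal Server Error"


# Constructed generic message; the point is that the original exception's
# text never reaches the client for non-API exceptions.
GENERIC_500_MESSAGE = "An unexpected error prevented the server from fulfilling your request."


def classify(exc):
    """Apply the commit's mapping rules and return an Error instance."""
    if isinstance(exc, Error):
        return exc                     # registered API exception: pass through
    if isinstance(exc, TypeError):
        return ValidationError(str(exc))  # bad input shape -> 400
    return UnexpectedError(GENERIC_500_MESSAGE)  # anything else -> opaque 500


def build_error_response(exc):
    """Return (status_code, json_body) the way a jsonify-ed handler would."""
    err = classify(exc)
    body = {"error": {"code": err.code, "title": err.title, "message": str(err)}}
    return err.code, json.dumps(body)


def register_handlers(app_handlers):
    """Populate a {exception_class: handler} map from the registry plus the
    two explicit fallbacks; app_handlers stands in for Flask's errorhandler table."""
    for cls in API_EXCEPTIONS:
        app_handlers[cls] = build_error_response
    app_handlers[TypeError] = build_error_response
    app_handlers[Exception] = build_error_response
    return app_handlers


if __name__ == "__main__":
    handlers = register_handlers({})
    for exc in (TypeError("expected dict"), KeyError("db password"), NotFound("no such user")):
        print(handlers[type(exc) if type(exc) in handlers else Exception](exc))
```

The detail worth noticing is in classify(): a KeyError or any other non-API exception is replaced by a fresh UnexpectedError with a fixed message, so internal state in the original exception text (paths, keys, driver errors) stays in the server log and out of the response body.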
Remove a chunk of the compat code for legacy dispatching. This moves
the logging about the request to its own before_request function.
Change-Id: I0b1a4ca9a95489e410f055ff47f3399feba3a8f1
Partial-Bug: #1776504
Replace the JSON Body middleware with flask-native before-request
function.
The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.
Test Changes:
* JSON Body middleware has been removed, no testing of the removed code
* JSON Body Before Request Method has been implemented and associated
testing (mirroring the JSON Body middleware code).
* Test entry points no longer looks for JSON Body middleware.
Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
Convert S3 and EC2 auth to flask native dispatching.
Test changes required:
* Eliminate direct reference of the EC2 / S3 controllers, originally
this direct reference was to verify signature checking. Since
signature checking is an @staticmethod now, direct reference of
the API resources covers everything.
* Direct import of keystone.common.controller - due to an oddity in
how our WSGI code work(s) in test, if nothing imports the common
controller module, the tests fail using the oslo import_class
mechanism.
Change-Id: I06e95957b3ea3a55b0da28959548bd5eb628c70b
Partial-Bug: #1776504
Convert the projects API to Flask native dispatching.
Change-Id: I3406284acfb7950b701f6a98a3a173a427415f97
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Partial-Bug: #1776504
Convert /v3/users to use flask native dispatching.
The following test changes were required:
* Application Credentials did not have the plural form
in the JSON Home document. The JSON Home document was
corrected both in code and in tests.
* Application Credentials "patch" test needed to be
refactored to look for METHOD_NOT_ALLOWED instead
of NOT FOUND for invalid/unimplemented methods.
The "assertValidErrorResponse" method was
insufficient and the test now uses the flask
test_client mechanism instead.
Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
* Superfluous call to setup token authentication has been removed from
keystone.server.flask.core
* Base SAML assertion function has been extracted from
keystone.api.auth and moved to keystone.api._shared.saml
Change-Id: Idfa62bf1aea81ef5b4c6f564397e6a0d3ae60417
Partial-Bug: #1776504
Convert the /auth paths to flask native dispatching.
A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an over-
write issue within flask as a single resource may only have a
single set of URL mappings).
Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.
This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):
* Implemented keystone.common.render_token (module)
containing render_token_response_from_model and use it instead
of keystone.common.controller.render_token_response_from_model.
Minor differences occur in render_token_response_from_model in
the keystone.common.render_token module, this is simply
for referencing data from flask instead of the request object.
* Test cases have been modified to no longer rely on the auth
controller(s) directly
* Test cases now use "make_request" as a context manager
since authenticate/authenticate_for_token directly
reference the flask contexts and must have an explicit
context pushed.
* Test cases no longer pass request objects into methods
such as authenticate/authenticate_for_token or similar
methods on the auth plugins
* Test cases for federation reference the token model now
where possible instead of the rendered token response.
Rendered token responses are generated where needed.
* Auth Plugin Configuration is done in test core as well.
This is because Auth controller does not exist.
NOTE: This is a massive change, but most of these changes
were not easily uncoupled because of how far reaching auth
is.
Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
When the API Prefix is used in a Flask API, it is possible the flask
view argument specification will bleed through to the self link instead
of a properly formatted url.
The add_self_reference_links mechanism in keystone.server.flask.common
now substitutes out the self link to the {} substitution and applies
a .format() utilizing the view args to the URI in the self link.
Change-Id: Ic5c89c285ed964de7411b273567bb97fcf43da06
closes-bug: #1794552
Previously domain_id normalization was done (in webob) resulting
in possibly one of four results (ref['domain_id'] is changed):
* Domain ID present in ref -> no change to ref
* Domain ID not present, domain scoped token ->
ref['domain_id'] = scope domain id
* Domain ID not present, "admin" token -> raise ValidationError
* Domain ID not present, project scoped token -> default domain
[Deprecated functionality]
In flask, only the first case worked. This change corrects the behavior
and adds a test to ensure proper data is extracted from oslo.context.
Change-Id: Iacb502a2aa3fe633f74c7e19e13c46f4f85e55db
Closes-Bug: #1793027
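The four-way domain_id normalization listed in the commit above, written out as an added example (not keystone's code) so each branch can be checked in isolation. TokenContext is a small stand-in I made up for the fields keystone reads from oslo.context (domain_id for domain-scoped tokens, project_id for project-scoped ones, is_admin for the legacy "admin" token), and DEFAULT_DOMAIN_ID is a constructed value for the configured default domain; the commit lists only four outcomes, so the final branch for a token that is neither domain- nor project-scoped nor admin is my assumption and rejects the request rather than guessing a domain.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the configured default domain id.
DEFAULT_DOMAIN_ID = "default"


class ValidationError(Exception):
    """Hypothetical stand-in for keystone's ValidationError."""


@dataclass
class TokenContext:
    """Hypothetical subset of what oslo.context exposes about the caller's token."""
    domain_id: Optional[str] = None   # set for domain-scoped tokens
    project_id: Optional[str] = None  # set for project-scoped tokens
    is_admin: bool = False            # legacy "admin" token


def normalize_domain_id(ref, ctx):
    """Return a copy of ref with domain_id filled in per the four cases:

    1. domain_id already in ref            -> unchanged
    2. missing, domain-scoped token        -> the token's scope domain
    3. missing, "admin" token              -> ValidationError
    4. missing, project-scoped token       -> default domain (deprecated)
    """
    ref = dict(ref)  # never mutate the caller's dict in place
    if ref.get("domain_id"):
        return ref
    if ctx.domain_id:
        ref["domain_id"] = ctx.domain_id
        return ref
    if ctx.is_admin:
        raise ValidationError("domain_id is required when using an admin token")
    if ctx.project_id:
        # Deprecated fallback: assume the default domain.
        ref["domain_id"] = DEFAULT_DOMAIN_ID
        return ref
    # Assumption beyond the commit's four cases: an unscoped, non-admin token
    # cannot be resolved to a domain, so the request is rejected.
    raise ValidationError("domain_id is required and cannot be inferred from the token")


if __name__ == "__main__":
    user = {"name": "alice"}  # constructed request body
    print(normalize_domain_id(user, TokenContext(domain_id="d1")))
    print(normalize_domain_id(user, TokenContext(project_id="p1")))
```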