From b836aa221ca593a61a4ab87fc26d4be228376863 Mon Sep 17 00:00:00 2001
From: Vishakha Agarwal
Date: Thu, 16 May 2019 10:03:53 +0530
Subject: [PATCH] Remove [signing] config

Since pki-setup was removed in pike.This patch removes the config options that were left for backward compatibility, as PKI is not supported.

Partial-Bug: #1829453
Change-Id: I83cd08e57fbc046ad69bd42eb2e5fa1ace6e8a28
---
 keystone/api/os_simple_cert.py | 24 ++--
 keystone/conf/__init__.py | 2 -
 keystone/conf/signing.py | 135 ------------------
 keystone/exception.py | 6 -
 keystone/tests/unit/core.py | 4 -
 .../tests/unit/test_contrib_simple_cert.py | 35 +---
 .../removed-as-of-train-92b2942a680eb859.yaml | 10 ++
 7 files changed, 23 insertions(+), 193 deletions(-)
 delete mode 100644 keystone/conf/signing.py

diff --git a/keystone/api/os_simple_cert.py b/keystone/api/os_simple_cert.py
index a48003de39..94100d7865 100644
--- a/keystone/api/os_simple_cert.py
+++ b/keystone/api/os_simple_cert.py
@@ -12,13 +12,12 @@
 # This file handles all flask-restful resources for /v3/OS-SIMPLE-CERT
-import flask
 import flask_restful
-from six.moves import http_client
 from keystone.api._shared import json_home_relations
 import keystone.conf
 from keystone import exception
+from keystone.i18n import _
 from keystone.server import flask as ks_flask
@@ -28,27 +27,22 @@ CONF = keystone.conf.CONF
 _build_resource_relation = json_home_relations.os_simple_cert_resource_rel_func
-def _get_certificate(name):
-    try:
-        with open(name, 'r') as f:
-            body = f.read()
-    except IOError:
-        raise exception.CertificateFilesUnavailable()
-    resp = flask.make_response(body, http_client.OK)
-    resp.headers['Content-Type'] = 'application/x-pem-file'
-    return resp
-
-
 class SimpleCertCAResource(flask_restful.Resource):
     @ks_flask.unenforced_api
     def get(self):
-        return _get_certificate(CONF.signing.ca_certs)
+        raise exception.Gone(
+            message=_('This API is no longer available due to the removal'
+                      'of support for PKI tokens. Returning a 410 instead'
+                      'of removing the API'))
 class SimpleCertListResource(flask_restful.Resource):
     @ks_flask.unenforced_api
     def get(self):
-        return _get_certificate(CONF.signing.certfile)
+        raise exception.Gone(
+            message=_('This API is no longer available due to the removal'
+                      'of support for PKI tokens. Returning a 410 instead'
+                      'of removing the API'))
 class SimpleCertAPI(ks_flask.APIBase):
diff --git a/keystone/conf/__init__.py b/keystone/conf/__init__.py
index d2374d63c9..7780a8df41 100644
--- a/keystone/conf/__init__.py
+++ b/keystone/conf/__init__.py
@@ -48,7 +48,6 @@ from keystone.conf import role
 from keystone.conf import saml
 from keystone.conf import security_compliance
 from keystone.conf import shadow_users
-from keystone.conf import signing
 from keystone.conf import token
 from keystone.conf import tokenless_auth
 from keystone.conf import trust
@@ -87,7 +86,6 @@ conf_modules = [
     saml,
     security_compliance,
     shadow_users,
-    signing,
     token,
     tokenless_auth,
     trust,
diff --git a/keystone/conf/signing.py b/keystone/conf/signing.py
deleted file mode 100644
index f868269b9c..0000000000
--- a/keystone/conf/signing.py
+++ /dev/null
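Review bot: The Gone message in both new `get` bodies is built from adjacent string literals with no separating space, so the text a client actually receives reads `...due to the removalof support for PKI tokens. Returning a 410 insteadof removing the API`. Add a trailing space inside the first two fragments: `'This API is no longer available due to the removal '` and `'of support for PKI tokens. Returning a 410 instead '`. Since the identical message is raised from two resources, hoisting it into one module-level constant such as `_GONE_MSG = _('...')` would keep the two from drifting and give translators a single string. Both resources stay `unenforced_api`, which is reasonable for an unauthenticated 410 that discloses nothing about the deployment.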
@@ -1,135 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-from oslo_log import versionutils
-
-from keystone.conf import constants
-from keystone.conf import utils
-
-
-_DEPRECATED_MSG = utils.fmt("""
-`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike.
-These options remain for backwards compatibility.
-""")
-
-certfile = cfg.StrOpt(
-    'certfile',
-    default=constants._CERTFILE,
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    help=utils.fmt("""
-Absolute path to the public certificate file to use for signing responses to
-revocation lists requests. Set this together with `[signing] keyfile`. For
-non-production environments, you may be interested in using `keystone-manage
-pki_setup` to generate self-signed certificates.
-"""))
-
-keyfile = cfg.StrOpt(
-    'keyfile',
-    default=constants._KEYFILE,
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    help=utils.fmt("""
-Absolute path to the private key file to use for signing responses to
-revocation lists requests. Set this together with `[signing] certfile`.
-"""))
-
-ca_certs = cfg.StrOpt(
-    'ca_certs',
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    default='/etc/keystone/ssl/certs/ca.pem',
-    help=utils.fmt("""
-Absolute path to the public certificate authority (CA) file to use when
-creating self-signed certificates with `keystone-manage pki_setup`. Set this
-together with `[signing] ca_key`. There is no reason to set this option unless
-you are requesting revocation lists in a non-production environment. Use a
-`[signing] certfile` issued from a trusted certificate authority instead.
-"""))
-
-ca_key = cfg.StrOpt(
-    'ca_key',
-    default='/etc/keystone/ssl/private/cakey.pem',
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    help=utils.fmt("""
-Absolute path to the private certificate authority (CA) key file to use when
-creating self-signed certificates with `keystone-manage pki_setup`. Set this
-together with `[signing] ca_certs`. There is no reason to set this option
-unless you are requesting revocation lists in a non-production environment.
-Use a `[signing] certfile` issued from a trusted certificate authority instead.
-"""))
-
-key_size = cfg.IntOpt(
-    'key_size',
-    default=2048,
-    min=1024,
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    help=utils.fmt("""
-Key size (in bits) to use when generating a self-signed token signing
-certificate. There is no reason to set this option unless you are requesting
-revocation lists in a non-production environment. Use a `[signing] certfile`
-issued from a trusted certificate authority instead.
-"""))
-
-valid_days = cfg.IntOpt(
-    'valid_days',
-    default=3650,
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    help=utils.fmt("""
-The validity period (in days) to use when generating a self-signed token
-signing certificate. There is no reason to set this option unless you are
-requesting revocation lists in a non-production environment. Use a
-`[signing] certfile` issued from a trusted certificate authority instead.
-"""))
-
-cert_subject = cfg.StrOpt(
-    'cert_subject',
-    default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATED_MSG,
-    deprecated_since=versionutils.deprecated.PIKE,
-    help=utils.fmt("""
-The certificate subject to use when generating a self-signed token signing
-certificate. There is no reason to set this option unless you are requesting
-revocation lists in a non-production environment. Use a
-`[signing] certfile` issued from a trusted certificate authority instead.
-"""))
-
-
-GROUP_NAME = __name__.split('.')[-1]
-ALL_OPTS = [
-    certfile,
-    keyfile,
-    ca_certs,
-    ca_key,
-    key_size,
-    valid_days,
-    cert_subject,
-]
-
-
-def register_opts(conf):
-    conf.register_opts(ALL_OPTS, group=GROUP_NAME)
-
-
-def list_opts():
-    return {GROUP_NAME: ALL_OPTS}
diff --git a/keystone/exception.py b/keystone/exception.py
index 714328e94d..003c9481ec 100644
--- a/keystone/exception.py
+++ b/keystone/exception.py
@@ -594,12 +594,6 @@ class TrustConsumeMaximumAttempt(UnexpectedError):
                              "acquire lock.")
-class CertificateFilesUnavailable(UnexpectedError):
-    debug_message_format = _("Expected signing certificates are not available "
-                             "on the server. Please check Keystone "
-                             "configuration.")
-
-
 class MalformedEndpoint(UnexpectedError):
     debug_message_format = _("Malformed endpoint URL (%(endpoint)s),"
                              " see ERROR log for details.")
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index 8771866f63..7d002b3064 100644
--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
@@ -762,10 +762,6 @@ class TestCase(BaseTestCase):
             group='catalog',
             driver='sql',
             template_file=dirs.tests('default_catalog.templates'))
-        self.config_fixture.config(
-            group='signing', certfile=signing_certfile,
-            keyfile=signing_keyfile,
-            ca_certs='examples/pki/certs/cacert.pem')
         self.config_fixture.config(
             group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
         self.config_fixture.config(
diff --git a/keystone/tests/unit/test_contrib_simple_cert.py b/keystone/tests/unit/test_contrib_simple_cert.py
index b9e750f0c0..e52acbc10d 100644
--- a/keystone/tests/unit/test_contrib_simple_cert.py
+++ b/keystone/tests/unit/test_contrib_simple_cert.py
@@ -10,8 +10,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-import uuid
 from six.moves import http_client
 from keystone.tests.unit import test_v3
@@ -26,38 +24,13 @@ class BaseTestCase(test_v3.RestfulTestCase):
 class TestSimpleCert(BaseTestCase):
     def request_cert(self, path):
-        content_type = 'application/x-pem-file'
-        response = self.request(app=self.public_app,
-                                method='GET',
-                                path=path,
-                                headers={'Accept': content_type},
-                                expected_status=http_client.OK)
-
-        self.assertEqual(content_type, response.content_type.lower())
-        self.assertIn(b'---BEGIN', response.body)
-
-        # Test the same path with HEAD
-        self.request(
-            app=self.public_app, method='HEAD', path=path,
-            headers={'Accept': content_type}, expected_status=http_client.OK
-        )
-
-        return response
+        self.request(app=self.public_app,
+                     method='GET',
+                     path=path,
+                     expected_status=http_client.GONE)
     def test_ca_cert(self):
         self.request_cert(self.CA_PATH)
     def test_signing_cert(self):
         self.request_cert(self.CERT_PATH)
-
-    def test_missing_file(self):
-        # these files do not exist
-        self.config_fixture.config(group='signing',
-                                   ca_certs=uuid.uuid4().hex,
-                                   certfile=uuid.uuid4().hex)
-
-        for path in [self.CA_PATH, self.CERT_PATH]:
-            self.request(app=self.public_app,
-                         method='GET',
-                         path=path,
-                         expected_status=http_client.INTERNAL_SERVER_ERROR)
diff --git a/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml b/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml
index 3124c9a01d..5d0c7b9e35 100644
--- a/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml
+++ b/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml
@@ -7,3 +7,13 @@ other:
   - >
     [`bug 1829453 `_]
     The deprecated config option `admin_endpoint` is removed now.
+
+  - >
+    [`bug 1829453 `_]
+    The deprecated config options in `signing` are removed now.
+
+upgrade:
+  - |
+    [`bug 1829453 `_]
+    The os-simple-cert-api will return 410 due to the removal of
+    config options signing [ca_certs] and signing [cert_file].
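Review bot: The rewritten `request_cert` only issues a GET, whereas the body it replaces also sent a HEAD to the same path; the resources are still registered, so HEAD should be pinned to 410 as well, e.g. `self.request(app=self.public_app, method='HEAD', path=path, expected_status=http_client.GONE)` after the existing call. The helper also no longer inspects the response at all, so nothing would catch a regression in the Gone message text; capturing the return value of `self.request` and asserting that the body mentions PKI tokens would give the two remaining tests something to check beyond the status code. The method name `request_cert` now describes a request that can never return a certificate, so a short docstring such as `"""Assert that the retired simple-cert endpoint answers 410 Gone."""` would help the next reader.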