Merge "Use keystoneauth"

keystonemiddleware/auth_token/__init__.py

@@ -169,8 +169,8 @@ keystone.token_info
     well as basic information about the project and user.
 
 keystone.token_auth
-    A keystoneclient auth plugin that may be used with a
+    A keystoneauth1 auth plugin that may be used with a
-    :py:class:`keystoneclient.session.Session`. This plugin will load the
+    :py:class:`keystoneauth1.session.Session`. This plugin will load the
     authentication data provided to auth_token middleware.
 
 
@@ -210,13 +210,14 @@ import binascii
 import datetime
 import logging
 
-from keystoneclient import access
+from keystoneauth1 import access
-from keystoneclient import adapter
+from keystoneauth1 import adapter
-from keystoneclient import auth
+from keystoneauth1 import discover
+from keystoneauth1 import exceptions as ksa_exceptions
+from keystoneauth1 import loading
+from keystoneauth1.loading import session as session_loading
 from keystoneclient.common import cms
-from keystoneclient import discover
 from keystoneclient import exceptions as ksc_exceptions
-from keystoneclient import session
 from oslo_config import cfg
 from oslo_serialization import jsonutils
 import pkg_resources
@@ -368,7 +369,7 @@ _OPTS = [
                 ' only while migrating from a less secure algorithm to a more'
                 ' secure one. Once all the old tokens are expired this option'
                 ' should be set to a single value for better performance.'),
-]
+] + _auth.OPTS
 
 CONF = cfg.CONF
 CONF.register_opts(_OPTS, group=_base.AUTHTOKEN_GROUP)
@@ -398,7 +399,7 @@ def _conf_values_type_convert(conf):
         return {}
 
     opt_types = {}
-    for o in (_OPTS + _auth.AuthTokenPlugin.get_options()):
+    for o in _OPTS:
         type_dest = (getattr(o, 'type', str), o.dest)
         opt_types[o.dest] = type_dest
         # Also add the deprecated name with the same type and dest.
@@ -506,7 +507,7 @@ class _BaseAuthProtocol(object):
         """Perform the validation steps on the token.
 
         :param auth_ref: The token data
-        :type auth_ref: keystoneclient.access.AccessInfo
+        :type auth_ref: keystoneauth1.access.AccessInfo
 
         :raises exc.InvalidToken: if token is rejected
         """
@@ -519,7 +520,7 @@ class _BaseAuthProtocol(object):
         data = self._fetch_token(token)
 
         try:
-            return data, access.AccessInfo.factory(body=data, auth_token=token)
+            return data, access.create(body=data, auth_token=token)
         except Exception:
             self.log.warning(_LW('Invalid token contents.'), exc_info=True)
             raise ksm_exceptions.InvalidToken(_('Token authorization failed'))
@@ -561,21 +562,11 @@ class _BaseAuthProtocol(object):
         if self._enforce_token_bind == _BIND_MODE.DISABLED:
             return
 
-        try:
-            if auth_ref.version == 'v2.0':
-                bind = auth_ref['token']['bind']
-            elif auth_ref.version == 'v3':
-                bind = auth_ref['bind']
-            else:
-                self._invalid_user_token()
-        except KeyError:
-            bind = {}
-
         # permissive and strict modes don't require there to be a bind
         permissive = self._enforce_token_bind in (_BIND_MODE.PERMISSIVE,
                                                   _BIND_MODE.STRICT)
 
-        if not bind:
+        if not auth_ref.bind:
             if permissive:
                 # no bind provided and none required
                 return
@@ -589,12 +580,12 @@ class _BaseAuthProtocol(object):
         else:
             name = self._enforce_token_bind
 
-        if name and name not in bind:
+        if name and name not in auth_ref.bind:
             self.log.info(_LI('Named bind mode %s not in bind information'),
                           name)
             self._invalid_user_token()
 
-        for bind_type, identifier in six.iteritems(bind):
+        for bind_type, identifier in six.iteritems(auth_ref.bind):
             if bind_type == _BIND_MODE.KERBEROS:
                 if req.auth_type != 'negotiate':
                     self.log.info(_LI('Kerberos credentials required and '
@@ -658,8 +649,8 @@ class AuthProtocol(_BaseAuthProtocol):
 
             self._local_oslo_config.register_opts(
                 _OPTS, group=_base.AUTHTOKEN_GROUP)
-            auth.register_conf_options(self._local_oslo_config,
+            loading.register_auth_conf_options(self._local_oslo_config,
-                                       group=_base.AUTHTOKEN_GROUP)
+                                               group=_base.AUTHTOKEN_GROUP)
 
         super(AuthProtocol, self).__init__(
             app,
@@ -851,8 +842,8 @@ class AuthProtocol(_BaseAuthProtocol):
 
                 self._token_cache.store(token_hashes[0], data)
 
-        except (ksc_exceptions.ConnectionRefused,
+        except (ksa_exceptions.ConnectFailure,
-                ksc_exceptions.RequestTimeout,
+                ksa_exceptions.RequestTimeout,
                 ksm_exceptions.RevocationListError,
                 ksm_exceptions.ServiceError) as e:
             self.log.critical(_LC('Unable to validate token: %s'), e)
@@ -975,17 +966,33 @@ class AuthProtocol(_BaseAuthProtocol):
         # !!! - UNDER NO CIRCUMSTANCES COPY ANY OF THIS CODE - !!!
 
         group = self._conf_get('auth_section') or _base.AUTHTOKEN_GROUP
-        plugin_name = self._conf_get('auth_plugin', group=group)
+
+        # NOTE(jamielennox): auth_plugin was deprecated to auth_type. _conf_get
+        # doesn't handle that deprecation in the case of conf dict options so
+        # we have to manually check the value
+        plugin_name = (self._conf_get('auth_type', group=group)
+                       or self._conf.get('auth_plugin'))
+
+        if not plugin_name:
+            return _auth.AuthTokenPlugin(
+                log=self.log,
+                auth_admin_prefix=self._conf_get('auth_admin_prefix',
+                                                 group=group),
+                auth_host=self._conf_get('auth_host', group=group),
+                auth_port=self._conf_get('auth_port', group=group),
+                auth_protocol=self._conf_get('auth_protocol', group=group),
+                identity_uri=self._conf_get('identity_uri', group=group),
+                admin_token=self._conf_get('admin_token', group=group),
+                admin_user=self._conf_get('admin_user', group=group),
+                admin_password=self._conf_get('admin_password', group=group),
+                admin_tenant_name=self._conf_get('admin_tenant_name',
+                                                 group=group)
+            )
+
+        plugin_loader = loading.get_plugin_loader(plugin_name)
+        plugin_opts = [o._to_oslo_opt() for o in plugin_loader.get_options()]
         plugin_kwargs = dict()
 
-        if plugin_name:
-            plugin_class = auth.get_plugin_class(plugin_name)
-        else:
-            plugin_class = _auth.AuthTokenPlugin
-            # logger object is a required parameter of the default plugin
-            plugin_kwargs['log'] = self.log
-
-        plugin_opts = plugin_class.get_options()
         (self._local_oslo_config or CONF).register_opts(plugin_opts,
                                                         group=group)
 
@@ -995,7 +1002,7 @@ class AuthProtocol(_BaseAuthProtocol):
                 val = opt.type(val)
             plugin_kwargs[opt.dest] = val
 
-        return plugin_class.load_from_options(**plugin_kwargs)
+        return plugin_loader.load_from_options(**plugin_kwargs)
 
     def _determine_project(self):
         """Determine a project name from all available config sources.
@@ -1041,14 +1048,14 @@ class AuthProtocol(_BaseAuthProtocol):
         # same as calling Session.load_from_conf_options(CONF, GROUP)
         # however we can't do that because we have to use _conf_get to
         # support the paste.ini options.
-        sess = session.Session.construct(dict(
+        sess = session_loading.Session().load_from_options(
             cert=self._conf_get('certfile'),
             key=self._conf_get('keyfile'),
             cacert=self._conf_get('cafile'),
             insecure=self._conf_get('insecure'),
             timeout=self._conf_get('http_connect_timeout'),
             user_agent=self._build_useragent_string()
-        ))
+        )
 
         auth_plugin = self._get_auth_plugin()
 

keystonemiddleware/auth_token/_auth.py

@@ -12,10 +12,11 @@
 
 import logging
 
-from keystoneclient import auth
+from keystoneauth1 import discover
-from keystoneclient.auth.identity import v2
+from keystoneauth1.identity import v2
-from keystoneclient.auth import token_endpoint
+from keystoneauth1 import loading
-from keystoneclient import discover
+from keystoneauth1 import plugin
+from keystoneauth1 import token_endpoint
 from oslo_config import cfg
 
 from keystonemiddleware.auth_token import _base
@@ -25,7 +26,7 @@ from keystonemiddleware.i18n import _, _LW
 _LOG = logging.getLogger(__name__)
 
 
-class AuthTokenPlugin(auth.BaseAuthPlugin):
+class AuthTokenPlugin(plugin.BaseAuthPlugin):
 
     def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix,
                  admin_user, admin_password, admin_tenant_name, admin_token,
@@ -104,7 +105,7 @@ class AuthTokenPlugin(auth.BaseAuthPlugin):
                   service or None if not available.
         :rtype: string
         """
-        if interface == auth.AUTH_INTERFACE:
+        if interface == plugin.AUTH_INTERFACE:
             return self._identity_uri
 
         if not version:
@@ -114,7 +115,7 @@ class AuthTokenPlugin(auth.BaseAuthPlugin):
 
         if not self._discover:
             self._discover = discover.Discover(session,
-                                               auth_url=self._identity_uri,
+                                               url=self._identity_uri,
                                                authenticated=False)
 
         if not self._discover.url_for(version):
@@ -142,53 +143,48 @@ class AuthTokenPlugin(auth.BaseAuthPlugin):
     def invalidate(self):
         return self._plugin.invalidate()
 
-    @classmethod
-    def get_options(cls):
-        options = super(AuthTokenPlugin, cls).get_options()
 
-        options.extend([
+OPTS = [
-            cfg.StrOpt('auth_admin_prefix',
+    cfg.StrOpt('auth_admin_prefix',
-                       default='',
+               default='',
-                       help='Prefix to prepend at the beginning of the path. '
+               help='Prefix to prepend at the beginning of the path. '
-                            'Deprecated, use identity_uri.'),
+                    'Deprecated, use identity_uri.'),
-            cfg.StrOpt('auth_host',
+    cfg.StrOpt('auth_host',
-                       default='127.0.0.1',
+               default='127.0.0.1',
-                       help='Host providing the admin Identity API endpoint. '
+               help='Host providing the admin Identity API endpoint. '
-                            'Deprecated, use identity_uri.'),
+                    'Deprecated, use identity_uri.'),
-            cfg.IntOpt('auth_port',
+    cfg.IntOpt('auth_port',
-                       default=35357,
+               default=35357,
-                       help='Port of the admin Identity API endpoint. '
+               help='Port of the admin Identity API endpoint. '
-                            'Deprecated, use identity_uri.'),
+                    'Deprecated, use identity_uri.'),
-            cfg.StrOpt('auth_protocol',
+    cfg.StrOpt('auth_protocol',
-                       default='https',
+               default='https',
-                       help='Protocol of the admin Identity API endpoint '
+               help='Protocol of the admin Identity API endpoint '
-                            '(http or https). Deprecated, use identity_uri.'),
+                    '(http or https). Deprecated, use identity_uri.'),
-            cfg.StrOpt('identity_uri',
+    cfg.StrOpt('identity_uri',
-                       default=None,
+               default=None,
-                       help='Complete admin Identity API endpoint. This '
+               help='Complete admin Identity API endpoint. This '
-                            'should specify the unversioned root endpoint '
+                    'should specify the unversioned root endpoint '
-                            'e.g. https://localhost:35357/'),
+                    'e.g. https://localhost:35357/'),
-            cfg.StrOpt('admin_token',
+    cfg.StrOpt('admin_token',
-                       secret=True,
+               secret=True,
-                       help='This option is deprecated and may be removed in '
+               help='This option is deprecated and may be removed in '
-                            'a future release. Single shared secret with the '
+                    'a future release. Single shared secret with the '
-                            'Keystone configuration used for bootstrapping a '
+                    'Keystone configuration used for bootstrapping a '
-                            'Keystone installation, or otherwise bypassing '
+                    'Keystone installation, or otherwise bypassing '
-                            'the normal authentication process. This option '
+                    'the normal authentication process. This option '
-                            'should not be used, use `admin_user` and '
+                    'should not be used, use `admin_user` and '
-                            '`admin_password` instead.'),
+                    '`admin_password` instead.'),
-            cfg.StrOpt('admin_user',
+    cfg.StrOpt('admin_user',
-                       help='Service username.'),
+               help='Service username.'),
-            cfg.StrOpt('admin_password',
+    cfg.StrOpt('admin_password',
-                       secret=True,
+               secret=True,
-                       help='Service user password.'),
+               help='Service user password.'),
-            cfg.StrOpt('admin_tenant_name',
+    cfg.StrOpt('admin_tenant_name',
-                       default='admin',
+               default='admin',
-                       help='Service tenant name.'),
+               help='Service tenant name.'),
-        ])
+]
-
-        return options
 
 
-auth.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP)
+loading.register_auth_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP)
-AuthTokenPlugin.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP)
+cfg.CONF.register_opts(OPTS, group=_base.AUTHTOKEN_GROUP)

keystonemiddleware/auth_token/_identity.py

@@ -12,8 +12,9 @@
 
 import functools
 
-from keystoneclient import auth
+from keystoneauth1 import discover
-from keystoneclient import discover
+from keystoneauth1 import exceptions as ksa_exceptions
+from keystoneauth1 import plugin
 from keystoneclient import exceptions as ksc_exceptions
 from keystoneclient.v2_0 import client as v2_client
 from keystoneclient.v3 import client as v3_client
@@ -29,7 +30,7 @@ def _convert_fetch_cert_exception(fetch_cert):
     def wrapper(self):
         try:
             text = fetch_cert(self)
-        except ksc_exceptions.HTTPError as e:
+        except ksa_exceptions.HttpError as e:
             raise ksc_exceptions.CertificateConfigError(e.details)
         return text
 
@@ -145,7 +146,7 @@ class IdentityServer(object):
 
     @property
     def auth_uri(self):
-        auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)
+        auth_uri = self._adapter.get_endpoint(interface=plugin.AUTH_INTERFACE)
 
         # NOTE(jamielennox): This weird stripping of the prefix hack is
         # only relevant to the legacy case. We urljoin '/' to get just the
@@ -204,18 +205,18 @@ class IdentityServer(object):
                       user authentication when an indeterminate
                       response is received. Optional.
         :returns: access info received from identity server on success
-        :rtype: :py:class:`keystoneclient.access.AccessInfo`
+        :rtype: :py:class:`keystoneauth1.access.AccessInfo`
         :raises exc.InvalidToken: if token is rejected
         :raises exc.ServiceError: if unable to authenticate token
 
         """
         try:
             auth_ref = self._request_strategy.verify_token(user_token)
-        except ksc_exceptions.NotFound as e:
+        except ksa_exceptions.NotFound as e:
             self._LOG.warning(_LW('Authorization failed for token'))
             self._LOG.warning(_LW('Identity response: %s'), e.response.text)
             raise ksm_exceptions.InvalidToken(_('Token authorization failed'))
-        except ksc_exceptions.Unauthorized as e:
+        except ksa_exceptions.Unauthorized as e:
             self._LOG.info(_LI('Identity server rejected authorization'))
             self._LOG.warning(_LW('Identity response: %s'), e.response.text)
             if retry:
@@ -224,7 +225,7 @@ class IdentityServer(object):
             msg = _('Identity server rejected authorization necessary to '
                     'fetch token data')
             raise ksm_exceptions.ServiceError(msg)
-        except ksc_exceptions.HttpError as e:
+        except ksa_exceptions.HttpError as e:
             self._LOG.error(
                 _LE('Bad response code while validating token: %s'),
                 e.http_status)
@@ -237,7 +238,7 @@ class IdentityServer(object):
     def fetch_revocation_list(self):
         try:
             data = self._request_strategy.fetch_revocation_list()
-        except ksc_exceptions.HTTPError as e:
+        except ksa_exceptions.HttpError as e:
             msg = _('Failed to fetch token revocation list: %d')
             raise ksm_exceptions.RevocationListError(msg % e.http_status)
         if 'signed' not in data:

keystonemiddleware/auth_token/_request.py

@@ -165,13 +165,13 @@ class _AuthTokenRequest(webob.Request):
         doc info at start of __init__ file for details of headers to be defined
 
         :param auth_ref: The token data
-        :type auth_ref: keystoneclient.access.AccessInfo
+        :type auth_ref: keystoneauth.access.AccessInfo
         """
         if not auth_ref.has_service_catalog():
             self.headers.pop(self._SERVICE_CATALOG_HEADER, None)
             return
 
-        catalog = auth_ref.service_catalog.get_data()
+        catalog = auth_ref.service_catalog.catalog
         if auth_ref.version == 'v3':
             catalog = _v3_to_v2_catalog(catalog)
 

keystonemiddleware/auth_token/_user_plugin.py

@@ -10,7 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from keystoneclient.auth.identity import base as base_identity
+from keystoneauth1.identity import base as base_identity
 
 
 class _TokenData(object):

keystonemiddleware/opts.py

@@ -18,17 +18,15 @@ __all__ = (
 
 import copy
 
-from keystoneclient import auth
+from keystoneauth1 import loading
 
 import keystonemiddleware.auth_token
-from keystonemiddleware.auth_token import _auth
 from keystonemiddleware.auth_token import _base
 
 auth_token_opts = [
     (_base.AUTHTOKEN_GROUP,
      keystonemiddleware.auth_token._OPTS +
-     _auth.AuthTokenPlugin.get_options() +
+     loading.get_auth_common_conf_options())
-     auth.get_common_conf_options())
 ]
 
 

keystonemiddleware/tests/unit/auth_token/test_auth.py

@@ -13,9 +13,9 @@
 import logging
 import uuid
 
-from keystoneclient import auth
+from keystoneauth1 import fixture
-from keystoneclient import fixture
+from keystoneauth1 import plugin as ksa_plugin
-from keystoneclient import session
+from keystoneauth1 import session
 from requests_mock.contrib import fixture as rm_fixture
 import six
 
@@ -32,7 +32,7 @@ class DefaultAuthPluginTests(utils.BaseTestCase):
         if not log:
             log = self.logger
 
-        return _auth.AuthTokenPlugin.load_from_options(
+        return _auth.AuthTokenPlugin(
             auth_host=auth_host,
             auth_port=auth_port,
             auth_protocol=auth_protocol,
@@ -65,9 +65,9 @@ class DefaultAuthPluginTests(utils.BaseTestCase):
                                  auth_port=auth_port,
                                  auth_admin_prefix=auth_admin_prefix)
 
-        self.assertEqual(expected,
+        endpoint = plugin.get_endpoint(self.session,
-                         plugin.get_endpoint(self.session,
+                                       interface=ksa_plugin.AUTH_INTERFACE)
-                                             interface=auth.AUTH_INTERFACE))
+        self.assertEqual(expected, endpoint)
 
     def test_identity_uri_overrides_fragments(self):
         identity_uri = 'http://testhost:8888/admin'
@@ -76,9 +76,9 @@ class DefaultAuthPluginTests(utils.BaseTestCase):
                                  auth_port=9999,
                                  auth_protocol='ftp')
 
-        self.assertEqual(identity_uri,
+        endpoint = plugin.get_endpoint(self.session,
-                         plugin.get_endpoint(self.session,
+                                       interface=ksa_plugin.AUTH_INTERFACE)
-                                             interface=auth.AUTH_INTERFACE))
+        self.assertEqual(identity_uri, endpoint)
 
     def test_with_admin_token(self):
         token = uuid.uuid4().hex

keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py

@@ -23,11 +23,12 @@ import time
 import uuid
 
 import fixtures
-from keystoneclient import auth
+from keystoneauth1 import exceptions as ksa_exceptions
+from keystoneauth1 import fixture
+from keystoneauth1 import loading
+from keystoneauth1 import session
 from keystoneclient.common import cms
 from keystoneclient import exceptions as ksc_exceptions
-from keystoneclient import fixture
-from keystoneclient import session
 import mock
 from oslo_config import cfg
 from oslo_serialization import jsonutils
@@ -549,24 +550,29 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
             headers={'X-Subject-Token': uuid.uuid4().hex},
             json=fixture.V3Token())
 
-        conf = {'auth_uri': auth_url,
+        loading.register_auth_conf_options(self.cfg.conf,
-                'auth_url': auth_url + '/v3',
+                                           group=_base.AUTHTOKEN_GROUP)
-                'auth_plugin': 'v3password',
+
-                'username': 'user',
+        opts = loading.get_auth_plugin_conf_options('v3password')
-                'password': 'pass'}
+        self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP)
+
+        self.cfg.config(auth_url=auth_url + '/v3',
+                        auth_type='v3password',
+                        username='user',
+                        password='pass',
+                        user_domain_id=uuid.uuid4().hex,
+                        group=_base.AUTHTOKEN_GROUP)
 
         self.assertEqual(0, east_mock.call_count)
         self.assertEqual(0, west_mock.call_count)
 
-        east_app = self.create_simple_middleware(conf=dict(region_name='east',
+        east_app = self.create_simple_middleware(conf=dict(region_name='east'))
-                                                           **conf))
         self.call(east_app, headers={'X-Auth-Token': uuid.uuid4().hex})
 
         self.assertEqual(1, east_mock.call_count)
         self.assertEqual(0, west_mock.call_count)
 
-        west_app = self.create_simple_middleware(conf=dict(region_name='west',
+        west_app = self.create_simple_middleware(conf=dict(region_name='west'))
-                                                           **conf))
 
         self.call(west_app, headers={'X-Auth-Token': uuid.uuid4().hex})
 
@@ -1412,7 +1418,7 @@ class V3CertDownloadMiddlewareTest(V2CertDownloadMiddlewareTest):
 
 
 def network_error_response(request, context):
-    raise ksc_exceptions.ConnectionRefused("Network connection refused.")
+    raise ksa_exceptions.ConnectFailure("Network connection refused.")
 
 
 class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
@@ -1682,7 +1688,7 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
 
         if token_id == ERROR_TOKEN:
             msg = "Network connection refused."
-            raise ksc_exceptions.ConnectionRefused(msg)
+            raise ksa_exceptions.ConnectFailure(msg)
 
         try:
             response = self.examples.JSON_TOKEN_RESPONSES[token_id]
@@ -2251,16 +2257,17 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest):
     def test_loading_password_plugin(self):
         # the password options aren't set on config until loading time, but we
         # need them set so we can override the values for testing, so force it
-        opts = auth.get_plugin_options('password')
+        opts = loading.get_auth_plugin_conf_options('password')
         self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP)
 
         project_id = uuid.uuid4().hex
 
         # Register the authentication options
-        auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
+        loading.register_auth_conf_options(self.cfg.conf,
+                                           group=_base.AUTHTOKEN_GROUP)
 
         # configure the authentication options
-        self.cfg.config(auth_plugin='password',
+        self.cfg.config(auth_type='password',
                         username='testuser',
                         password='testpass',
                         auth_url=self.AUTH_URL,
@@ -2279,27 +2286,30 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest):
         return app._identity_server._adapter.auth
 
     def test_invalid_plugin_fails_to_initialize(self):
-        auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
+        loading.register_auth_conf_options(self.cfg.conf,
-        self.cfg.config(auth_plugin=uuid.uuid4().hex,
+                                           group=_base.AUTHTOKEN_GROUP)
+        self.cfg.config(auth_type=uuid.uuid4().hex,
                         group=_base.AUTHTOKEN_GROUP)
 
         self.assertRaises(
-            ksc_exceptions.NoMatchingPlugin,
+            ksa_exceptions.NoMatchingPlugin,
             self.create_simple_middleware)
 
     def test_plugin_loading_mixed_opts(self):
         # some options via override and some via conf
-        opts = auth.get_plugin_options('password')
+        opts = loading.get_auth_plugin_conf_options('password')
         self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP)
 
         username = 'testuser'
         password = 'testpass'
 
         # Register the authentication options
-        auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
+        loading.register_auth_conf_options(self.cfg.conf,
+                                           group=_base.AUTHTOKEN_GROUP)
 
         # configure the authentication options
-        self.cfg.config(auth_plugin='password',
+        self.cfg.config(auth_type='password',
+                        auth_url='http://keystone.test:5000',
                         password=password,
                         project_id=self.project_id,
                         user_domain_id='userdomainid',
@@ -2326,22 +2336,24 @@ class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest):
         username = 'testuser'
         password = 'testpass'
 
-        auth.register_conf_options(self.cfg.conf, group=section)
+        loading.register_auth_conf_options(self.cfg.conf, group=section)
-        opts = auth.get_plugin_options('password')
+        opts = loading.get_auth_plugin_conf_options('password')
         self.cfg.register_opts(opts, group=section)
 
         # Register the authentication options
-        auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
+        loading.register_auth_conf_options(self.cfg.conf,
+                                           group=_base.AUTHTOKEN_GROUP)
 
         # configure the authentication options
         self.cfg.config(auth_section=section, group=_base.AUTHTOKEN_GROUP)
-        self.cfg.config(auth_plugin='password',
+        self.cfg.config(auth_type='password',
+                        auth_url=self.AUTH_URL,
                         password=password,
                         project_id=self.project_id,
                         user_domain_id='userdomainid',
                         group=section)
 
-        conf = {'username': username, 'auth_url': self.AUTH_URL}
+        conf = {'username': username}
 
         body = uuid.uuid4().hex
         app = self.create_simple_middleware(body=body, conf=conf)
@@ -2368,16 +2380,17 @@ class TestAuthPluginUserAgentGeneration(BaseAuthTokenMiddlewareTest):
         self.section = uuid.uuid4().hex
         self.user_domain_id = uuid.uuid4().hex
 
-        auth.register_conf_options(self.cfg.conf, group=self.section)
+        loading.register_auth_conf_options(self.cfg.conf, group=self.section)
-        opts = auth.get_plugin_options('password')
+        opts = loading.get_auth_plugin_conf_options('password')
         self.cfg.register_opts(opts, group=self.section)
 
         # Register the authentication options
-        auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
+        loading.register_auth_conf_options(self.cfg.conf,
+                                           group=_base.AUTHTOKEN_GROUP)
 
         # configure the authentication options
         self.cfg.config(auth_section=self.section, group=_base.AUTHTOKEN_GROUP)
-        self.cfg.config(auth_plugin='password',
+        self.cfg.config(auth_type='password',
                         password=self.password,
                         project_id=self.project_id,
                         user_domain_id=self.user_domain_id,
@@ -2431,14 +2444,15 @@ class TestAuthPluginUserAgentGeneration(BaseAuthTokenMiddlewareTest):
 class TestAuthPluginLocalOsloConfig(BaseAuthTokenMiddlewareTest):
     def test_project_in_local_oslo_configuration(self):
         options = {
-            'auth_plugin': 'password',
+            'auth_type': 'password',
             'auth_uri': uuid.uuid4().hex,
             'password': uuid.uuid4().hex,
         }
 
         content = ("[keystone_authtoken]\n"
-                   "auth_plugin=%(auth_plugin)s\n"
+                   "auth_type=%(auth_type)s\n"
                    "auth_uri=%(auth_uri)s\n"
+                   "auth_url=%(auth_uri)s\n"
                    "password=%(password)s\n" % options)
         conf_file_fixture = self.useFixture(
             createfile.CreateFileWithContent("my_app", content))

keystonemiddleware/tests/unit/auth_token/test_base_middleware.py

@@ -13,7 +13,7 @@
 import datetime
 import uuid
 
-from keystoneclient import fixture
+from keystoneauth1 import fixture
 import mock
 import six
 import testtools

keystonemiddleware/tests/unit/auth_token/test_request.py

@@ -13,8 +13,8 @@
 import itertools
 import uuid
 
-from keystoneclient import access
+from keystoneauth1 import access
-from keystoneclient import fixture
+from keystoneauth1 import fixture
 
 from keystonemiddleware.auth_token import _request
 from keystonemiddleware.tests.unit import utils
@@ -139,7 +139,7 @@ class RequestObjectTests(utils.TestCase):
         token.set_project_scope()
         token_id = uuid.uuid4().hex
 
-        auth_ref = access.AccessInfo.factory(token_id=token_id, body=token)
+        auth_ref = access.create(auth_token=token_id, body=token)
         self.request.set_user_headers(auth_ref)
 
         self._test_v3_headers(token, '')
@@ -149,7 +149,7 @@ class RequestObjectTests(utils.TestCase):
         token.set_project_scope()
         token_id = uuid.uuid4().hex
 
-        auth_ref = access.AccessInfo.factory(token_id=token_id, body=token)
+        auth_ref = access.create(auth_token=token_id, body=token)
         self.request.set_service_headers(auth_ref)
 
         self._test_v3_headers(token, '-Service')
@@ -199,7 +199,7 @@ class RequestObjectTests(utils.TestCase):
 
     def test_token_without_catalog(self):
         token = fixture.V3Token()
-        auth_ref = access.AccessInfo.factory(body=token)
+        auth_ref = access.create(body=token)
         self.request.set_service_catalog_headers(auth_ref)
         self.assertNotIn('X-Service-Catalog', self.request.headers)
 
@@ -222,8 +222,8 @@ class CatalogConversionTests(utils.TestCase):
                                  internal=self.INTERNAL_URL,
                                  region=self.REGION_ONE)
 
-        auth_ref = access.AccessInfo.factory(body=token)
+        auth_ref = access.create(body=token)
-        catalog_data = auth_ref.service_catalog.get_data()
+        catalog_data = auth_ref.service_catalog.catalog
         catalog = _request._v3_to_v2_catalog(catalog_data)
 
         self.assertEqual(1, len(catalog))
@@ -246,8 +246,8 @@ class CatalogConversionTests(utils.TestCase):
         s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO)
         s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE)
 
-        auth_ref = access.AccessInfo.factory(body=token)
+        auth_ref = access.create(body=token)
-        catalog_data = auth_ref.service_catalog.get_data()
+        catalog_data = auth_ref.service_catalog.catalog
         catalog = _request._v3_to_v2_catalog(catalog_data)
 
         self.assertEqual(1, len(catalog))

keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py

@@ -12,8 +12,8 @@
 
 import uuid
 
-from keystoneclient import auth
+from keystoneauth1 import fixture
-from keystoneclient import fixture
+from keystoneauth1 import loading
 
 from keystonemiddleware.auth_token import _base
 from keystonemiddleware.tests.unit.auth_token import base
@@ -26,18 +26,19 @@ AUTH_URL = 'https://keystone.auth.com:1234'
 class BaseUserPluginTests(object):
 
     def configure_middleware(self,
-                             auth_plugin,
+                             auth_type,
                              **kwargs):
-        opts = auth.get_plugin_class(auth_plugin).get_options()
+        opts = loading.get_auth_plugin_conf_options(auth_type)
         self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP)
 
         # Since these tests cfg.config() themselves rather than waiting for
         # auth_token to do it on __init__ we need to register the base auth
         # options (e.g., auth_plugin)
-        auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
+        loading.register_auth_conf_options(self.cfg.conf,
+                                           group=_base.AUTHTOKEN_GROUP)
 
         self.cfg.config(group=_base.AUTHTOKEN_GROUP,
-                        auth_plugin=auth_plugin,
+                        auth_type=auth_type,
                         **kwargs)
 
     def assertTokenDataEqual(self, token_id, token, token_data):
@@ -92,7 +93,7 @@ class V2UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
                        admin=BASE_URI,
                        internal=BASE_URI)
 
-        self.configure_middleware(auth_plugin='v2password',
+        self.configure_middleware(auth_type='v2password',
                                   auth_url='%s/v2.0/' % AUTH_URL,
                                   user_id=self.service_token.user_id,
                                   password=uuid.uuid4().hex,
@@ -155,7 +156,7 @@ class V3UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
                                  admin=BASE_URI,
                                  internal=BASE_URI)
 
-        self.configure_middleware(auth_plugin='v3password',
+        self.configure_middleware(auth_type='v3password',
                                   auth_url='%s/v3/' % AUTH_URL,
                                   user_id=self.service_token.user_id,
                                   password=uuid.uuid4().hex,

keystonemiddleware/tests/unit/client_fixtures.py

@@ -15,8 +15,8 @@
 import os
 
 import fixtures
+from keystoneauth1 import fixture
 from keystoneclient.common import cms
-from keystoneclient import fixture
 from keystoneclient import utils
 from oslo_serialization import jsonutils
 from oslo_utils import timeutils

keystonemiddleware/tests/unit/test_opts.py

@@ -64,7 +64,7 @@ class OptsTestCase(utils.TestCase):
             'enforce_token_bind',
             'check_revocations_for_cached',
             'hash_algorithms',
-            'auth_plugin',
+            'auth_type',
             'auth_section',
         ]
         opt_names = [o.name for (g, l) in result for o in l]

requirements.txt

@@ -3,6 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 Babel>=1.3
+keystoneauth1>=1.0.0
 oslo.config>=2.7.0 # Apache-2.0
 oslo.context>=0.2.0 # Apache-2.0
 oslo.i18n>=1.5.0 # Apache-2.0