From ed2858add157b9536f157ca08f443a11dd5b1559 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Fri, 19 Dec 2014 16:06:38 +1000 Subject: [PATCH] Allow v3 plugins to opt out of service catalog The identity server supports adding ?nocatalog to auth requests and there are situations where we need to be able to exploit that from the client. Allow passing include_catalog=False to v3 plugins to fetch a plugin without a catalog. Change-Id: I4b2afbfffb71490faed4b7ef0de4d00ee208733a Closes-Bug: #1228317 --- keystoneclient/auth/identity/v3.py | 16 +++++++++++++--- keystoneclient/tests/auth/test_identity_v3.py | 17 +++++++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/keystoneclient/auth/identity/v3.py b/keystoneclient/auth/identity/v3.py index 8f723ff0f..b0902256a 100644 --- a/keystoneclient/auth/identity/v3.py +++ b/keystoneclient/auth/identity/v3.py @@ -39,6 +39,8 @@ class Auth(base.BaseIdentityPlugin): :param string project_domain_name: Project's domain name for project. :param bool reauthenticate: Allow fetching a new token if the current one is going to expire. (optional) default True + :param bool include_catalog: Include the service catalog in the returned + token. (optional) default True. """ @utils.positional() @@ -50,7 +52,8 @@ class Auth(base.BaseIdentityPlugin): project_name=None, project_domain_id=None, project_domain_name=None, - reauthenticate=True): + reauthenticate=True, + include_catalog=True): super(Auth, self).__init__(auth_url=auth_url, reauthenticate=reauthenticate) @@ -62,6 +65,7 @@ class Auth(base.BaseIdentityPlugin): self.project_name = project_name self.project_domain_id = project_domain_id self.project_domain_name = project_domain_name + self.include_catalog = include_catalog @property def token_url(self): @@ -112,8 +116,14 @@ class Auth(base.BaseIdentityPlugin): elif self.trust_id: body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}} - _logger.debug('Making authentication request to %s', self.token_url) - resp = session.post(self.token_url, json=body, headers=headers, + # NOTE(jamielennox): we add nocatalog here rather than in token_url + # directly as some federation plugins require the base token_url + token_url = self.token_url + if not self.include_catalog: + token_url += '?nocatalog' + + _logger.debug('Making authentication request to %s', token_url) + resp = session.post(token_url, json=body, headers=headers, authenticated=False, log=False, **rkwargs) try: diff --git a/keystoneclient/tests/auth/test_identity_v3.py b/keystoneclient/tests/auth/test_identity_v3.py index bce4fa75d..c63d0474b 100644 --- a/keystoneclient/tests/auth/test_identity_v3.py +++ b/keystoneclient/tests/auth/test_identity_v3.py @@ -452,3 +452,20 @@ class V3IdentityPlugin(utils.TestCase): self.assertEqual(self.TEST_TOKEN, s.get_token()) self.assertNotIn(password, self.logger.output) + + def test_sends_nocatalog(self): + del self.TEST_RESPONSE_DICT['token']['catalog'] + self.stub_auth(json=self.TEST_RESPONSE_DICT) + + a = v3.Password(self.TEST_URL, + username=self.TEST_USER, + password=self.TEST_PASS, + include_catalog=False) + s = session.Session(auth=a) + + s.get_token() + + auth_url = self.TEST_URL + '/auth/tokens' + self.assertEqual(auth_url, a.token_url) + self.assertEqual(auth_url + '?nocatalog', + self.requests.last_request.url)