authorDolph Mathews <dolph.mathews@gmail.com>2013-03-20 20:21:45 -0500
committerDolph Mathews <dolph.mathews@gmail.com>2013-03-20 23:42:16 -0500
commit601d993fb1ca16d2fedf721de5fdb70a6b55a0a8 (patch)
tree599c5d7c878968701eee6005cbb48534c5336e89
parentaa58233bd8ba174e07076444b0dc5fdb67f5a5e6 (diff)
Allow trusts to be optional
Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
-rw-r--r--etc/keystone.conf.sample6
-rw-r--r--keystone/auth/controllers.py8
-rw-r--r--keystone/auth/token_factory.py10
-rw-r--r--keystone/common/config.py3
-rw-r--r--keystone/common/controller.py1
-rw-r--r--keystone/service.py8
-rw-r--r--keystone/token/controllers.py10
-rw-r--r--tests/test_auth.py1
-rw-r--r--tests/test_v3_auth.py18
9 files changed, 51 insertions, 14 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 426e3b24..4380300e 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -91,6 +91,12 @@
# exist to order to maintain support for your v2 clients.
# default_domain_id = default
+[trust]
+# driver = keystone.trust.backends.sql.Trust
+
+# delegation and impersonation features can be optionally disabled
+# enabled = True
+
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index ba70735c..66ff6230 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -183,6 +183,8 @@ class AuthInfo(object):
domain_ref = self._lookup_domain(self.auth['scope']['domain'])
self._scope_data = (domain_ref['id'], None, None)
elif 'trust' in self.auth['scope']:
+ if not CONF.trust.enabled:
+ raise exception.Forbidden('Trusts are disabled.')
trust_ref = self._lookup_trust(self.auth['scope']['trust'])
#TODO ayoung when trusts support domain, Fill in domain data here
if 'project_id' in trust_ref:
@@ -287,10 +289,8 @@ class Auth(controller.V3Controller):
context, auth_context, auth_info)
return token_factory.render_token_data_response(
token_id, token_data, created=True)
- except (exception.Unauthorized,
- exception.AuthMethodNotSupported,
- exception.AdditionalAuthRequired) as e:
- raise e
+ except exception.SecurityError:
+ raise
except Exception as e:
LOG.exception(e)
raise exception.Unauthorized(e)
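Review bot: The narrowed `except exception.SecurityError: raise` only produces the intended 403 for the `Forbidden('Trusts are disabled.')` added earlier in this file if Forbidden (and the previously listed Unauthorized, AuthMethodNotSupported and AdditionalAuthRequired) all derive from SecurityError; that hierarchy is outside this diff, so it is worth pinning at the except with `# every SecurityError subclass already carries its own HTTP status; re-raise it untouched`. The bare `raise` is an improvement over the old `raise e`, since it keeps the original traceback. The catch-all below it still forwards the text of any unexpected exception to the client via `exception.Unauthorized(e)`; that is pre-existing, but it is now the single path for every non-SecurityError failure, so a generic message with the detail left to `LOG.exception` would avoid exposing internal error strings in the 401 body. The enclosing method starts outside this hunk.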
diff --git a/keystone/auth/token_factory.py b/keystone/auth/token_factory.py
index 3d4d38b2..c16d88dd 100644
--- a/keystone/auth/token_factory.py
+++ b/keystone/auth/token_factory.py
@@ -107,7 +107,7 @@ class TokenDataHelper(object):
trust):
user_ref = self.identity_api.get_user(self.context,
user_id)
- if trust:
+ if CONF.trust.enabled and trust:
trustor_user_ref = (self.identity_api.get_user(self.context,
trust['trustor_user_id']))
if not trustor_user_ref['enabled']:
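Review bot: With trusts disabled, a non-None `trust` argument is now silently ignored instead of rejected — the `if CONF.trust.enabled and trust:` guard here, and the same guard in the four later hunks of this file, all fall through to the plain-user path, and the last of them skips the `user_id != trust['trustee_user_id']` Forbidden check altogether. In the v3 flow this is presumably unreachable because AuthInfo already raises Forbidden for a trust scope when trusts are disabled, but the helper itself should fail closed: a single `if trust and not CONF.trust.enabled: raise exception.Forbidden('Trusts are disabled.')` at the top of get_token_data would let every later `if trust:` stay as it was and removes the chance of issuing an undelegated token from a delegated request. Each of the affected methods begins or ends outside its hunk, so the placement should be checked against the full bodies.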
@@ -129,7 +129,7 @@ class TokenDataHelper(object):
def _populate_roles(self, token_data, user_id, domain_id, project_id,
trust):
- if trust:
+ if CONF.trust.enabled and trust:
token_user_id = trust['trustor_user_id']
token_project_id = trust['project_id']
#trusts do not support domains yet
@@ -144,7 +144,7 @@ class TokenDataHelper(object):
token_domain_id,
token_project_id)
filtered_roles = []
- if trust:
+ if CONF.trust.enabled and trust:
for trust_role in trust['roles']:
match_roles = [x for x in roles
if x['id'] == trust_role['id']]
@@ -160,7 +160,7 @@ class TokenDataHelper(object):
def _populate_service_catalog(self, token_data, user_id,
domain_id, project_id, trust):
- if trust:
+ if CONF.trust.enabled and trust:
user_id = trust['trustor_user_id']
if project_id or domain_id:
try:
@@ -186,7 +186,7 @@ class TokenDataHelper(object):
trust=None):
token_data = {'methods': method_names,
'extras': extras}
- if trust:
+ if CONF.trust.enabled and trust:
if user_id != trust['trustee_user_id']:
raise exception.Forbidden()
diff --git a/keystone/common/config.py b/keystone/common/config.py
index e60385cc..ac063314 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -205,6 +205,9 @@ def configure():
# identity
register_str('default_domain_id', group='identity', default='default')
+ # trust
+ register_bool('enabled', group='trust', default=True)
+
# ssl
register_bool('enable', group='ssl', default=False)
register_str('certfile', group='ssl', default=None)
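Review bot: The new `register_bool('enabled', group='trust', default=True)` carries no description of what it toggles, and its effect is spread across service.py, auth/controllers.py and token/controllers.py. A comment at the registration site such as `# trust.enabled: when False the v3 /trusts routes are not registered and trust-scoped authentication is refused with 403` keeps that contract discoverable; if `register_bool` accepts a help string, that is the better place for it. Defaulting to True keeps existing deployments unchanged, which matches the sample config in this commit.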
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index c7425ae8..39fb8128 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -171,6 +171,7 @@ class V2Controller(wsgi.Application):
self.token_api.delete_token(context, token_id)
except exception.NotFound:
pass
+
#delete tokens generated from trusts
for trust in self.trust_api.list_trusts_for_trustee(context, user_id):
self._delete_tokens_for_trust(context, user_id, trust['id'])
diff --git a/keystone/service.py b/keystone/service.py
index 6c7587b2..1a919d6f 100644
--- a/keystone/service.py
+++ b/keystone/service.py
@@ -18,6 +18,7 @@ import routes
from keystone import auth
from keystone import catalog
+from keystone import config
from keystone.common import logging
from keystone.common import wsgi
from keystone.contrib import ec2
@@ -28,6 +29,7 @@ from keystone import token
from keystone import trust
+CONF = config.CONF
LOG = logging.getLogger(__name__)
DRIVERS = dict(
@@ -83,8 +85,12 @@ def v3_app_factory(global_conf, **local_conf):
conf.update(local_conf)
mapper = routes.Mapper()
v3routers = []
- for module in [auth, catalog, identity, policy, trust]:
+ for module in [auth, catalog, identity, policy]:
module.routers.append_v3_routers(mapper, v3routers)
+
+ if CONF.trust.enabled:
+ trust.routers.append_v3_routers(mapper, v3routers)
+
# Add in the v3 version api
v3routers.append(routers.VersionV3('admin'))
v3routers.append(routers.VersionV3('public'))
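Review bot: `CONF.trust.enabled` is read once here in v3_app_factory, so toggling the option requires re-creating the application (normally a service restart); a one-line comment, `# evaluated once at app creation; the v3 /trusts routes cannot be toggled at runtime`, would spare the next reader a wrong assumption. The `trust` module is still imported and, as far as the visible lines show, presumably still wired into the DRIVERS mapping whose definition begins in the previous hunk's context, so disabling the option hides the routes but does not appear to stop the trust backend from being loaded — worth stating next to the option. Stylistically the special case could be folded into the loop: `v3modules = [auth, catalog, identity, policy]`, `if CONF.trust.enabled: v3modules.append(trust)`, then iterate `v3modules` instead of the literal list.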
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index c6150605..1ae1d4fe 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -179,7 +179,9 @@ class Auth(controller.V2Controller):
user_ref = old_token_ref['user']
user_id = user_ref['id']
- if 'trust_id' in auth:
+ if not CONF.trust.enabled and 'trust_id' in auth:
+ raise exception.Forbidden('Trusts are disabled.')
+ elif CONF.trust.enabled and 'trust_id' in auth:
trust_ref = self.trust_api.get_trust(context, auth['trust_id'])
if trust_ref is None:
raise exception.Forbidden()
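Review bot: The `if not CONF.trust.enabled and 'trust_id' in auth: ... elif CONF.trust.enabled and 'trust_id' in auth:` pair evaluates the same membership test twice and reads as two unrelated conditions; nesting the toggle inside a single `if 'trust_id' in auth:` with `if not CONF.trust.enabled: raise exception.Forbidden('Trusts are disabled.')` as its first statement says the same thing once. Once that raise is in place, the later guard in the second hunk of this file (`if CONF.trust.enabled and 'trust_id' in auth:`) is redundant within the same request and could stay `if 'trust_id' in auth:`, provided both hunks belong to the same method — the body continues outside these hunks, so please confirm. The deliberate-looking difference from the v3 behaviour deserves a comment too: `# trusts disabled: refuse trust-scoped v2 auth explicitly (v3 answers 404 because its routes are not registered)`.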
@@ -221,7 +223,7 @@ class Auth(controller.V2Controller):
context, user_id, tenant_id))
expiry = old_token_ref['expires']
- if 'trust_id' in auth:
+ if CONF.trust.enabled and 'trust_id' in auth:
trust_id = auth['trust_id']
trust_roles = []
for role in trust_ref['roles']:
@@ -495,7 +497,7 @@ class Auth(controller.V2Controller):
# be in the default domain. Furthermore, the delegated project
# must also be in the default domain
metadata_ref = token_ref['metadata']
- if 'trust_id' in metadata_ref:
+ if CONF.trust.enabled and 'trust_id' in metadata_ref:
trust_ref = self.trust_api.get_trust(context,
metadata_ref['trust_id'])
trustee_user_ref = self.identity_api.get_user(
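Review bot: A token whose stored metadata carries a `trust_id` from a time when trusts were enabled is, after this change, handled as an ordinary token — the `CONF.trust.enabled` prefix skips the `get_trust` lookup and the trustee checks that follow instead of refusing the token. Disabling the feature should fail closed for already-issued delegated tokens: `if 'trust_id' in metadata_ref and not CONF.trust.enabled: raise exception.Forbidden('Trusts are disabled.')` ahead of the existing block, so delegated tokens stop working when delegation is switched off rather than silently losing their trust semantics. The same consideration applies to the last hunk of this file, where the `access.trust` block is dropped from the rendered token, so a consumer can no longer tell that the token was delegated. Which checks the rest of this method performs on the trust is outside the hunk, so the exact impact should be confirmed against the full body.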
@@ -635,7 +637,7 @@ class Auth(controller.V2Controller):
o['access']['metadata'] = {'is_admin': 0}
if 'roles' in metadata_ref:
o['access']['metadata']['roles'] = metadata_ref['roles']
- if 'trust_id' in metadata_ref:
+ if CONF.trust.enabled and 'trust_id' in metadata_ref:
o['access']['trust'] = {'trustee_user_id':
metadata_ref['trustee_user_id'],
'id': metadata_ref['trust_id']
diff --git a/tests/test_auth.py b/tests/test_auth.py
index bf43c4af..e8c919f4 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -501,6 +501,7 @@ class AuthWithRemoteUser(AuthTest):
class AuthWithTrust(AuthTest):
def setUp(self):
super(AuthWithTrust, self).setUp()
+ self.opt_in_group('trust', enabled=True)
trust.Manager()
self.trust_controller = trust.controllers.TrustV3()
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
index e96bd966..993e3a5e 100644
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@@ -1009,8 +1009,26 @@ class TestAuthXML(TestAuthJSON):
content_type = 'xml'
+class TestTrustOptional(test_v3.RestfulTestCase):
+ def setUp(self, *args, **kwargs):
+ self.opt_in_group('trust', enabled=False)
+ super(TestTrustOptional, self).setUp(*args, **kwargs)
+
+ def test_trusts_404(self):
+ self.get('/trusts', body={'trust': {}}, expected_status=404)
+ self.post('/trusts', body={'trust': {}}, expected_status=404)
+
+ def test_auth_with_scope_in_trust_403(self):
+ auth_data = self.build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ trust_id=uuid.uuid4().hex)
+ self.post('/auth/tokens', body=auth_data, expected_status=403)
+
+
class TestTrustAuth(TestAuthInfo):
def setUp(self):
+ self.opt_in_group('trust', enabled=True)
super(TestTrustAuth, self).setUp(load_sample_data=True)
# create a trustee to delegate stuff to