authorGuang Yee <guang.yee@hp.com>2013-07-18 08:23:52 -0700
committerGuang Yee <guang.yee@hp.com>2013-07-18 09:28:42 -0700
commite63501d305c67b898821ad65ec744adf6851236a (patch)
treea9d3430185972de6f26ff1cef76525f8fc530fa1
parentc42533fc00210a16d6eb74909adaeddb9bc4fbf6 (diff)
downloadkeystone-e63501d305c67b898821ad65ec744adf6851236a.tar.gz
keystone-e63501d305c67b898821ad65ec744adf6851236a.tar.xz
keystone-e63501d305c67b898821ad65ec744adf6851236a.zip
Support token_format for backward compatibility
The provider property in the [token] section will be unset by default. If provider is not set, we will use token_format in the [signing] section to determine the provider. If provider is set, it must agree with the token_format. fixed bug 1202651 Change-Id: I15ff67490acbbacc9eefc7eee253400475704b04
-rw-r--r--etc/keystone.conf.sample2
-rw-r--r--keystone/common/config.py2
-rw-r--r--keystone/token/provider.py46
-rw-r--r--tests/test_token_provider.py53
4 files changed, 85 insertions, 18 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 43884951..509165c5 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -161,7 +161,9 @@
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
[signing]
+# Deprecated in favor of provider in the [token] section
#token_format = PKI
+
#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
diff --git a/keystone/common/config.py b/keystone/common/config.py
index b6efa738..b0a534f8 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -415,4 +415,4 @@ def configure():
register_str(
'provider',
group='token',
- default='keystone.token.providers.pki.Provider')
+ default=None)
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 3bb14e01..554d575c 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -32,6 +32,10 @@ LOG = logging.getLogger(__name__)
V2 = 'v2.0'
V3 = 'v3.0'
+# default token providers
+PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
+UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'
+
class UnsupportedTokenVersionException(Exception):
"""Token version is unrecognizable or unsupported."""
@@ -47,17 +51,39 @@ class Manager(manager.Manager):
"""
+ @classmethod
+ def check_and_get_token_provider(cls):
+ """Make sure we still support token_format for backward compatibility.
+
+ Return the provider based on token_format if provider property is not
+ set. Otherwise, ignore token_format and return the configured provider
+ instead.
+
+ """
+ if CONF.token.provider:
+ # FIXME(gyee): we are deprecating CONF.signing.token_format. This
+ # code is to ensure the token provider configuration agrees with
+ # CONF.signing.token_format.
+ if ((CONF.signing.token_format == 'PKI' and
+ CONF.token.provider != PKI_PROVIDER or
+ (CONF.signing.token_format == 'UUID' and
+ CONF.token.provider != UUID_PROVIDER))):
+ raise exception.UnexpectedError(
+ '[signing] token_format conflicts with [token] provider '
+ 'in keystone.conf')
+ return CONF.token.provider
+ else:
+ if CONF.signing.token_format == 'PKI':
+ return PKI_PROVIDER
+ elif CONF.signing.token_format == 'UUID':
+ return UUID_PROVIDER
+ else:
+ raise exception.UnexpectedError(
+ 'unrecognized token format. Must be either '
+ '\'UUID\' or \'PKI\'')
+
def __init__(self):
- # FIXME(gyee): we are deprecating CONF.signing.token_format. This code
- # is to ensure the token provider configuration agrees with
- # CONF.signing.token_format.
- if ((CONF.signing.token_format == 'PKI' and
- not CONF.token.provider.endswith('.pki.Provider')) or
- (CONF.signing.token_format == 'UUID' and
- not CONF.token.provider.endswith('uuid.Provider'))):
- raise ValueError('token_format conflicts with token provider')
-
- super(Manager, self).__init__(CONF.token.provider)
+ super(Manager, self).__init__(self.check_and_get_token_provider())
class Provider(object):
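Review bot: The docstring of check_and_get_token_provider says a configured provider makes it "ignore token_format", but the branch under `if CONF.token.provider:` raises UnexpectedError when token_format is 'PKI' or 'UUID' and the provider is not the matching built-in constant, so the text contradicts the behaviour. I would reword the second sentence to `Otherwise return the configured provider, raising UnexpectedError if token_format is 'PKI' or 'UUID' and the provider is not the matching built-in one.` The condition is only correct because `and` binds tighter than `or`, since the first conjunction is not closed before the `or`; closing it as `(CONF.signing.token_format == 'PKI' and CONF.token.provider != PKI_PROVIDER) or` would state the intent. The comparison is now exact equality where the removed code used `endswith`, so a custom provider is accepted only when token_format is neither 'PKI' nor 'UUID'; including both configured values in the error message would let an operator see which setting to change. The Manager class begins outside this hunk.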
diff --git a/tests/test_token_provider.py b/tests/test_token_provider.py
index 7db07126..31205073 100644
--- a/tests/test_token_provider.py
+++ b/tests/test_token_provider.py
@@ -16,6 +16,7 @@
import uuid
+from keystone import exception
from keystone import test
from keystone import token
@@ -360,37 +361,75 @@ class TestTokenProvider(test.TestCase):
def test_token_format_provider_mismatch(self):
self.opt_in_group('signing', token_format='UUID')
self.opt_in_group('token',
- provider='keystone.token.providers.pki.Provider')
+ provider=token.provider.PKI_PROVIDER)
try:
token.provider.Manager()
raise Exception(
'expecting ValueError on token provider misconfiguration')
- except ValueError:
+ except exception.UnexpectedError:
pass
self.opt_in_group('signing', token_format='PKI')
self.opt_in_group('token',
- provider='keystone.token.providers.uuid.Provider')
+ provider=token.provider.UUID_PROVIDER)
try:
token.provider.Manager()
raise Exception(
'expecting ValueError on token provider misconfiguration')
- except ValueError:
+ except exception.UnexpectedError:
pass
# should be OK as token_format and provider aligns
self.opt_in_group('signing', token_format='PKI')
self.opt_in_group('token',
- provider='keystone.token.providers.pki.Provider')
+ provider=token.provider.PKI_PROVIDER)
token.provider.Manager()
self.opt_in_group('signing', token_format='UUID')
self.opt_in_group('token',
- provider='keystone.token.providers.uuid.Provider')
+ provider=token.provider.UUID_PROVIDER)
token.provider.Manager()
# custom provider should be OK too
self.opt_in_group('signing', token_format='CUSTOM')
self.opt_in_group('token',
- provider='keystone.token.providers.pki.Provider')
+ provider=token.provider.PKI_PROVIDER)
token.provider.Manager()
+
+ def test_default_token_format(self):
+ self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+ token.provider.PKI_PROVIDER)
+
+ def test_uuid_token_format_and_no_provider(self):
+ self.opt_in_group('signing', token_format='UUID')
+ self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+ token.provider.UUID_PROVIDER)
+
+ def test_unsupported_token_format(self):
+ self.opt_in_group('signing', token_format='CUSTOM')
+ self.assertRaises(exception.UnexpectedError,
+ token.provider.Manager.check_and_get_token_provider)
+
+ def test_provider_override_token_format(self):
+ self.opt_in_group('token',
+ provider='keystone.token.providers.pki.Test')
+ self.assertRaises(exception.UnexpectedError,
+ token.provider.Manager.check_and_get_token_provider)
+
+ self.opt_in_group('signing', token_format='UUID')
+ self.opt_in_group('token',
+ provider=token.provider.UUID_PROVIDER)
+ self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+ token.provider.UUID_PROVIDER)
+
+ self.opt_in_group('signing', token_format='PKI')
+ self.opt_in_group('token',
+ provider=token.provider.PKI_PROVIDER)
+ self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+ token.provider.PKI_PROVIDER)
+
+ self.opt_in_group('signing', token_format='CUSTOM')
+ self.opt_in_group('token',
+ provider='my.package.MyProvider')
+ self.assertEqual(token.provider.Manager.check_and_get_token_provider(),
+ 'my.package.MyProvider')
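Review bot: The two try/except blocks in test_token_format_provider_mismatch still raise `Exception('expecting ValueError on token provider misconfiguration')` although the expected exception is now exception.UnexpectedError, so a failing run would name the wrong type. Replacing each block with `self.assertRaises(exception.UnexpectedError, token.provider.Manager)` matches the style of the newly added tests and removes the stale message. The first assertion in test_provider_override_token_format depends on token_format being at its default when the test starts, which I infer is 'PKI' from test_default_token_format; adding `self.opt_in_group('signing', token_format='PKI')` before it would make that dependency explicit. The class TestTokenProvider starts outside this hunk.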