-rw-r--r-- | README.rst | 2 | ||||
-rw-r--r-- | keystonelight/keystone_compat.py | 4 | ||||
-rw-r--r-- | keystonelight/service.py | 14 | ||||
-rw-r--r-- | tests/default.conf | 6 | ||||
-rw-r--r-- | tests/keystone_compat_diablo.conf | 6 | ||||
-rw-r--r-- | tests/keystoneclient_compat_master.conf | 6 | ||||
-rw-r--r-- | tests/test_keystone_compat.py | 11 |
7 files changed, 37 insertions, 12 deletions
@@ -111,5 +111,5 @@ Still To Do * Fixture loading functionality would also be killer tests and dev. * LDAP backend. * Keystone import. - * Admin-only interface + * (./) Admin-only interface * Don't check git checkouts as often, to speed up tests diff --git a/keystonelight/keystone_compat.py b/keystonelight/keystone_compat.py index cf99244c..0bb0ed41 100644 --- a/keystonelight/keystone_compat.py +++ b/keystonelight/keystone_compat.py @@ -186,6 +186,8 @@ class KeystoneController(service.BaseApplication): Optionally, also ensure that it is owned by a specific tenant. """ + assert context['is_admin'] + token_ref = self.token_api.get_token(context=context, token_id=token_id) if belongs_to: @@ -220,6 +222,8 @@ class KeystoneController(service.BaseApplication): """ token_ref = self.token_api.get_token(context=context, token_id=context['token_id']) + assert token_ref is not None + user_ref = token_ref['user'] tenant_refs = [] for tenant_id in user_ref['tenants']: diff --git a/keystonelight/service.py b/keystonelight/service.py index 799bd354..797a3415 100644 --- a/keystonelight/service.py +++ b/keystonelight/service.py @@ -52,6 +52,20 @@ class TokenAuthMiddleware(wsgi.Middleware): request.environ['openstack.context'] = context +class AdminTokenAuthMiddleware(wsgi.Middleware): + """A trivial filter that checks for a pre-defined admin token. + + Sets 'is_admin' to true in the context, expected to be checked by + methods that are admin-only. + + """ + def process_request(self, request): + token = request.headers.get('X-Auth-Token') + context = request.environ.get('openstack.context', {}) + context['is_admin'] = (token == self.options['admin_token']) + request.environ['openstack.context'] = context + + class PostParamsMiddleware(wsgi.Middleware): """Middleware to allow method arguments to be passed as POST parameters. diff --git a/tests/default.conf b/tests/default.conf index fa6ac28b..68388b27 100644 --- a/tests/default.conf +++ b/tests/default.conf 
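Review bot: The admin check added in keystonelight/keystone_compat.py, `assert context['is_admin']` at the top of the token-validation method, is not a dependable authorization control. Asserts are stripped when Python runs with `-O`, and a failed assert surfaces as an AssertionError rather than an explicit 401/403 response. Replace it with an explicit check such as `if not context.get('is_admin'):` followed by a raise of the project's unauthorized/forbidden error; using `.get` also denies cleanly when the pipeline lacks the admin_token_auth filter. The same applies to `assert token_ref is not None` in the second hunk of this file, where an unknown token should produce an authentication failure. Both method bodies start and continue outside the hunks shown.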
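Review bot: In AdminTokenAuthMiddleware.process_request, `context['is_admin'] = (token == self.options['admin_token'])` compares the shared secret with `==`, which is not constant-time, and it has no guard for an unset or empty `admin_token`. As written, a missing option raises KeyError on every request, and an empty configured value would match an empty X-Auth-Token header. I would read the option with `expected = self.options.get('admin_token')` and set `context['is_admin'] = bool(token and expected) and hmac.compare_digest(token, expected)`, which needs `import hmac` and a runtime that provides `compare_digest`. The docstring should also state that this filter only sets the flag and never rejects a request, so every admin-only handler must check `is_admin` itself.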
@@ -2,6 +2,7 @@ catalog_driver = keystonelight.backends.kvs.KvsCatalog identity_driver = keystonelight.backends.kvs.KvsIdentity token_driver = keystonelight.backends.kvs.KvsToken +admin_token = ADMIN [filter:debug] paste.filter_factory = keystonelight.wsgi:Debug.factory @@ -9,6 +10,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory [filter:token_auth] paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory +[filter:admin_token_auth] +paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory + [filter:json_body] paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory @@ -16,4 +20,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory paste.app_factory = keystonelight.service:app_factory [pipeline:main] -pipeline = token_auth json_body debug keystonelight +pipeline = token_auth admin_token_auth json_body debug keystonelight diff --git a/tests/keystone_compat_diablo.conf b/tests/keystone_compat_diablo.conf index 8318a0ca..d9052631 100644 --- a/tests/keystone_compat_diablo.conf +++ b/tests/keystone_compat_diablo.conf @@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.kvs.KvsCatalog identity_driver = keystonelight.backends.kvs.KvsIdentity token_driver = keystonelight.backends.kvs.KvsToken public_port = 5000 +admin_token = ADMIN [filter:debug] paste.filter_factory = keystonelight.wsgi:Debug.factory @@ -10,6 +11,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory [filter:token_auth] paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory +[filter:admin_token_auth] +paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory + [filter:json_body] paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory 
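Review bot: `admin_token = ADMIN` in tests/default.conf is a guessable static secret, and any request carrying it in X-Auth-Token gets `is_admin` set. The same line is added in tests/keystone_compat_diablo.conf and tests/keystoneclient_compat_master.conf. These are test fixtures, but they are the only sample configurations visible in this change, so the value is likely to be copied. I would put a comment directly above it in each file, for example `# test-only value; deployments must set a long random admin_token`.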
@@ -17,4 +21,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory paste.app_factory = keystonelight.keystone_compat:app_factory [pipeline:main] -pipeline = token_auth json_body debug keystone +pipeline = token_auth admin_token_auth json_body debug keystone diff --git a/tests/keystoneclient_compat_master.conf b/tests/keystoneclient_compat_master.conf index 091071c7..e006e821 100644 --- a/tests/keystoneclient_compat_master.conf +++ b/tests/keystoneclient_compat_master.conf @@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.templated.TemplatedCatalog identity_driver = keystonelight.backends.kvs.KvsIdentity token_driver = keystonelight.backends.kvs.KvsToken public_port = 5000 +admin_token = ADMIN # config for TemplatedCatalog, using camelCase because I don't want to do # translations for keystone compat @@ -25,6 +26,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory [filter:token_auth] paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory +[filter:admin_token_auth] +paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory + [filter:json_body] paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory @@ -32,4 +36,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory paste.app_factory = keystonelight.keystone_compat:app_factory [pipeline:main] -pipeline = token_auth json_body debug keystone +pipeline = token_auth admin_token_auth json_body debug keystone diff --git a/tests/test_keystone_compat.py b/tests/test_keystone_compat.py index ab5e3c72..a32477ca 100644 --- a/tests/test_keystone_compat.py +++ b/tests/test_keystone_compat.py @@ -40,6 +40,7 @@ class CompatTestCase(test.TestCase): # NOTE(termie): stupid hack to deal with the keystone samples being # completely inconsistent self.validate_token['access']['user']['roles'][1]['id'] = u'235' + self.admin_token = 'ADMIN' self.auth_response = json.load(open( os.path.join(self.sampledir, 'auth.json'))) 
@@ -129,7 +130,7 @@ class DiabloCompatTestCase(CompatTestCase): def test_authenticate_scoped(self): # NOTE(termie): the docs arbitrarily changed and inserted a 'u' in front # of one of the user ids, but none of the others - raise exc.SkipTest() + raise exc.SkipTest('The docs have arbitrarily changed.') client = self.client(self.app) post_data = json.dumps( {'auth': {'passwordCredentials': {'username': self.user_123['id'], @@ -149,13 +150,7 @@ class DiabloCompatTestCase(CompatTestCase): # data['access']['serviceCatalog']) def test_validate_token_scoped(self): - client = self.client(self.app, token=self.token_123['id']) - resp = client.get('/v2.0/tokens/%s' % self.token_123['id']) - data = json.loads(resp.body) - self.assertDeepEquals(self.validate_token, data) - - def test_validate_token_scoped(self): - client = self.client(self.app, token=self.token_123['id']) + client = self.client(self.app, token=self.admin_token) resp = client.get('/v2.0/tokens/%s' % self.token_123['id']) data = json.loads(resp.body) self.assertDeepEquals(self.validate_token, data) |
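Review bot: After this change test_validate_token_scoped only exercises the success path with `token=self.admin_token`, so nothing visible in the hunk checks that a non-admin token is refused on `/v2.0/tokens/<id>`. Add a companion test that requests the same URL with `token=self.token_123['id']` and asserts the call is rejected. Without it, a regression that drops the `is_admin` check, or a pipeline that omits admin_token_auth, would go unnoticed. A comment on `self.admin_token = 'ADMIN'` noting that it must match `admin_token` in the test .conf files would also help, since the two values are coupled only by convention.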