-rw-r--r--README.rst2
-rw-r--r--keystonelight/keystone_compat.py4
-rw-r--r--keystonelight/service.py14
-rw-r--r--tests/default.conf6
-rw-r--r--tests/keystone_compat_diablo.conf6
-rw-r--r--tests/keystoneclient_compat_master.conf6
-rw-r--r--tests/test_keystone_compat.py11
7 files changed, 37 insertions, 12 deletions
diff --git a/README.rst b/README.rst
index 600aaa3c..c0faefec 100644
--- a/README.rst
+++ b/README.rst
@@ -111,5 +111,5 @@ Still To Do
* Fixture loading functionality would also be killer tests and dev.
* LDAP backend.
* Keystone import.
- * Admin-only interface
+ * (./) Admin-only interface
* Don't check git checkouts as often, to speed up tests
diff --git a/keystonelight/keystone_compat.py b/keystonelight/keystone_compat.py
index cf99244c..0bb0ed41 100644
--- a/keystonelight/keystone_compat.py
+++ b/keystonelight/keystone_compat.py
@@ -186,6 +186,8 @@ class KeystoneController(service.BaseApplication):
Optionally, also ensure that it is owned by a specific tenant.
"""
+ assert context['is_admin']
+
token_ref = self.token_api.get_token(context=context,
token_id=token_id)
if belongs_to:
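Review bot: The admin gate added at the top of this method is an `assert`, which Python strips when run with `-O`, so the only authorization check on token validation would silently disappear; when it does fire it raises AssertionError, which a client will most likely see as a server error rather than an authorization failure. `context['is_admin']` also raises KeyError if the admin middleware is missing from the pipeline. Replace it with an explicit check such as `if not context.get('is_admin'): raise <project's unauthorized/forbidden exception>` (placeholder; the exception type is not visible on this page). The same applies to `assert token_ref is not None` in the next hunk of this file, where a token lookup that returns None should produce an explicit unauthorized response. Both method bodies start and end outside their hunks.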
@@ -220,6 +222,8 @@ class KeystoneController(service.BaseApplication):
"""
token_ref = self.token_api.get_token(context=context,
token_id=context['token_id'])
+ assert token_ref is not None
+
user_ref = token_ref['user']
tenant_refs = []
for tenant_id in user_ref['tenants']:
diff --git a/keystonelight/service.py b/keystonelight/service.py
index 799bd354..797a3415 100644
--- a/keystonelight/service.py
+++ b/keystonelight/service.py
@@ -52,6 +52,20 @@ class TokenAuthMiddleware(wsgi.Middleware):
request.environ['openstack.context'] = context
+class AdminTokenAuthMiddleware(wsgi.Middleware):
+ """A trivial filter that checks for a pre-defined admin token.
+
+ Sets 'is_admin' to true in the context, expected to be checked by
+ methods that are admin-only.
+
+ """
+ def process_request(self, request):
+ token = request.headers.get('X-Auth-Token')
+ context = request.environ.get('openstack.context', {})
+ context['is_admin'] = (token == self.options['admin_token'])
+ request.environ['openstack.context'] = context
+
+
class PostParamsMiddleware(wsgi.Middleware):
"""Middleware to allow method arguments to be passed as POST parameters.
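Review bot: In `process_request`, `token == self.options['admin_token']` compares a shared secret with ordinary string equality, whose run time can depend on how many leading characters match; a constant-time comparison is the safer choice. With `import hmac` at the top of the module the line could read `context['is_admin'] = bool(token) and hmac.compare_digest(token, self.options['admin_token'])`, provided both values are the same string type, which also keeps a missing header from ever matching. It would be worth failing at startup when `admin_token` is unset or empty rather than raising KeyError on the first request. Because this filter reuses `X-Auth-Token` and runs after `token_auth` in the configured pipelines, the admin secret presumably also reaches that middleware's user-token lookup; confirm that lookup fails cleanly and does not log the value.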
diff --git a/tests/default.conf b/tests/default.conf
index fa6ac28b..68388b27 100644
--- a/tests/default.conf
+++ b/tests/default.conf
@@ -2,6 +2,7 @@
catalog_driver = keystonelight.backends.kvs.KvsCatalog
identity_driver = keystonelight.backends.kvs.KvsIdentity
token_driver = keystonelight.backends.kvs.KvsToken
+admin_token = ADMIN
[filter:debug]
paste.filter_factory = keystonelight.wsgi:Debug.factory
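Review bot: `admin_token = ADMIN` is a fixed, guessable value that grants `is_admin` to any request carrying it, and nothing in this commit marks it as test-only. A comment above it such as `# test fixture only; deployments must set a long random admin_token` would keep it from being copied into a real config. The same line is added in tests/keystone_compat_diablo.conf and tests/keystoneclient_compat_master.conf.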
@@ -9,6 +10,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
+[filter:admin_token_auth]
+paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
+
[filter:json_body]
paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
@@ -16,4 +20,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
paste.app_factory = keystonelight.service:app_factory
[pipeline:main]
-pipeline = token_auth json_body debug keystonelight
+pipeline = token_auth admin_token_auth json_body debug keystonelight
diff --git a/tests/keystone_compat_diablo.conf b/tests/keystone_compat_diablo.conf
index 8318a0ca..d9052631 100644
--- a/tests/keystone_compat_diablo.conf
+++ b/tests/keystone_compat_diablo.conf
@@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.kvs.KvsCatalog
identity_driver = keystonelight.backends.kvs.KvsIdentity
token_driver = keystonelight.backends.kvs.KvsToken
public_port = 5000
+admin_token = ADMIN
[filter:debug]
paste.filter_factory = keystonelight.wsgi:Debug.factory
@@ -10,6 +11,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
+[filter:admin_token_auth]
+paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
+
[filter:json_body]
paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
@@ -17,4 +21,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
paste.app_factory = keystonelight.keystone_compat:app_factory
[pipeline:main]
-pipeline = token_auth json_body debug keystone
+pipeline = token_auth admin_token_auth json_body debug keystone
diff --git a/tests/keystoneclient_compat_master.conf b/tests/keystoneclient_compat_master.conf
index 091071c7..e006e821 100644
--- a/tests/keystoneclient_compat_master.conf
+++ b/tests/keystoneclient_compat_master.conf
@@ -3,6 +3,7 @@ catalog_driver = keystonelight.backends.templated.TemplatedCatalog
identity_driver = keystonelight.backends.kvs.KvsIdentity
token_driver = keystonelight.backends.kvs.KvsToken
public_port = 5000
+admin_token = ADMIN
# config for TemplatedCatalog, using camelCase because I don't want to do
# translations for keystone compat
@@ -25,6 +26,9 @@ paste.filter_factory = keystonelight.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystonelight.service:TokenAuthMiddleware.factory
+[filter:admin_token_auth]
+paste.filter_factory = keystonelight.service:AdminTokenAuthMiddleware.factory
+
[filter:json_body]
paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
@@ -32,4 +36,4 @@ paste.filter_factory = keystonelight.service:JsonBodyMiddleware.factory
paste.app_factory = keystonelight.keystone_compat:app_factory
[pipeline:main]
-pipeline = token_auth json_body debug keystone
+pipeline = token_auth admin_token_auth json_body debug keystone
diff --git a/tests/test_keystone_compat.py b/tests/test_keystone_compat.py
index ab5e3c72..a32477ca 100644
--- a/tests/test_keystone_compat.py
+++ b/tests/test_keystone_compat.py
@@ -40,6 +40,7 @@ class CompatTestCase(test.TestCase):
# NOTE(termie): stupid hack to deal with the keystone samples being
# completely inconsistent
self.validate_token['access']['user']['roles'][1]['id'] = u'235'
+ self.admin_token = 'ADMIN'
self.auth_response = json.load(open(
os.path.join(self.sampledir, 'auth.json')))
@@ -129,7 +130,7 @@ class DiabloCompatTestCase(CompatTestCase):
def test_authenticate_scoped(self):
# NOTE(termie): the docs arbitrarily changed and inserted a 'u' in front
# of one of the user ids, but none of the others
- raise exc.SkipTest()
+ raise exc.SkipTest('The docs have arbitrarily changed.')
client = self.client(self.app)
post_data = json.dumps(
{'auth': {'passwordCredentials': {'username': self.user_123['id'],
@@ -149,13 +150,7 @@ class DiabloCompatTestCase(CompatTestCase):
# data['access']['serviceCatalog'])
def test_validate_token_scoped(self):
- client = self.client(self.app, token=self.token_123['id'])
- resp = client.get('/v2.0/tokens/%s' % self.token_123['id'])
- data = json.loads(resp.body)
- self.assertDeepEquals(self.validate_token, data)
-
- def test_validate_token_scoped(self):
- client = self.client(self.app, token=self.token_123['id'])
+ client = self.client(self.app, token=self.admin_token)
resp = client.get('/v2.0/tokens/%s' % self.token_123['id'])
data = json.loads(resp.body)
self.assertDeepEquals(self.validate_token, data)
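Review bot: `test_validate_token_scoped` now covers only the success path with the admin token; no test shows that the same request made with an ordinary user token is refused. Since this commit introduces the admin-only restriction, add a companion test that builds the client with `token=self.token_123['id']`, requests the same `/v2.0/tokens/...` URL, and asserts the call is rejected. What "rejected" looks like depends on how the `assert` in keystone_compat.py surfaces through the test client, which is not visible here.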