path: root/keystone/middleware
Commit log for keystone/middleware. Each entry: subject (Author, Date, files changed, -lines removed/+lines added), followed by the commit message.
* remove swift dependency of s3 middleware (Kun Huang, 2013-08-02, 1 file, -4/+52)
  In middleware/s3_token.py, swift is only used for a logger and path-split
  functionality. We should remove the swift dependency by using new code.
  fixes bug #1178738
  Change-Id: Icc2648720e220a873d1fb8e9961d777ceabef70b
* Revert environment module usage in middleware. (Jamie Lennox, 2013-06-26, 2 files, -6/+6)
  Devstack is pulling s3_token into the swift pipeline and so depending on
  keystone.environment is breaking devstack installs.
  Fixes bug 1193112
  Change-Id: Ifd89e542f79a2bee00113e7df676d30da0f05e59
* Isolate eventlet code into environment. (Jamie Lennox, 2013-06-18, 2 files, -8/+8)
  The environment module will be configured once, during code initialization.
  Subsequently all other possibly-evented modules will retrieve from environment
  and transparently obtain either the eventlet or standard library modules.

  If eventlet, httplib, subprocess or other environment dependent module is
  referenced outside of the environment module it should be considered a bug.

  The changes to tests are required to ensure that test is imported first to
  setup the environment. Hopefully these can all be replaced with an __init__.py
  in a post-nose keystone.

  Implements: blueprint extract-eventlet
  Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
* import only modules (flake8 H302) (Dolph Mathews, 2013-05-24, 1 file, -2/+2)
  Change-Id: I0fa6fc6bf9d51b60fa987a0040168f3f0ef78a4a
* Satisfy flake8 import rules F401 and F403 (Dolph Mathews, 2013-05-23, 1 file, -0/+1)
  - Removed unused imports
  - Ignore wildcard and unused imports from core modules (and avoid wildcard
    imports otherwise) to __init__ modules
  Change-Id: Ie2e5f61ae37481f5d248788cfd83dc92ffddbd91
* Merge "Rework S3Token middleware tests." (Jenkins, 2013-03-22, 1 file, -8/+7)
  * Rework S3Token middleware tests. (Chmouel Boudjnah, 2013-02-25, 1 file, -8/+7)
    - Split between good and bad tests.
    - Add more tests to get to 100% coverage.
    Change-Id: Iffd00c2b557e54b122f29f8b0ec7f7ab7a92d16e
* Wrap config module and require manual setup (bug 1143998) (Dolph Mathews, 2013-03-20, 1 file, -1/+1)
  This moves keystone.config to keystone.common.config, which requires
  .configure() to be called manually in order for options to be registered.

  keystone.config preserves the existing behavior of automatically registering
  options when imported.

  keystone.middleware.auth_token and its dependencies within keystone no longer
  cause config options to be automatically registered.

  This is an alternative to https://review.openstack.org/#/c/24251/

  Change-Id: If9eb5799bf77595ecb71f2000f8b6d1610ea9700
* xml_body returns backtrace on XMLSyntaxError (David Höppner, 2013-03-14, 1 file, -1/+8)
  Protected against XMLSyntaxError that can occur in from_xml. Return a
  validation error (400) instead of an internal server error (500).
  Change-Id: Ic5160f4f6c810e96b74dbf9563547ac739a54c5e
  Fixes: bug #1101043
* bug 1131840: fix auth and token data for XML translation (Guang Yee, 2013-02-26, 1 file, -0/+3)
  Change-Id: I4408b3e6e0752ca75bc36399f5148890820e9a89
* v3 token API (Guang Yee, 2013-02-20, 1 file, -0/+7)
  Also implemented the following:
  blueprint pluggable-identity-authentication-handlers
  blueprint stop-ids-in-uris
  blueprint multi-factor-authn (just the plumbing)

  What's missing?
  * domain scoping (will be implemented by Henry?)

  Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
* Fix spelling mistakes (Joe Gordon, 2013-02-12, 1 file, -1/+1)
  git ls-files | misspellings -f -
  Source: https://github.com/lyda/misspell-check
  Change-Id: Icbd2412aa65bc8135e5dcd83ee69e94f5a42f7a2
* Fixes 'not in' operator usage (Zhongyue Luo, 2013-02-04, 2 files, -2/+2)
  Change-Id: I50a5bbe4800fc88b631701a6be0a0f9feec597d0
* Limit the size of HTTP requests. (Dan Prince, 2013-01-21, 1 file, -0/+21)
  Adds a new RequestBodySizeLimiter middleware to guard against really large
  HTTP requests. The default max request size is 112k although this limit is
  configurable via the 'max_request_body_size' config parameter.
  Fixes LP Bug #1099025.
  Change-Id: Id51be3d9a0d829d63d55a92dca61a39a17629785
* Remove swift auth. (Chmouel Boudjnah, 2012-12-12, 1 file, -295/+0)
  - This has been moved since last release to swift main repository.
  Change-Id: I11fc4001fbc4a1d78823d41450cdfcc97677c420
* Import auth_token middleware from keystoneclient (Henry Nash, 2012-11-19, 1 file, -832/+11)
  Although the master auth_token file is now in keystoneclient, it will take
  some time to get all the paste files to point to it there rather than here.
  Hence, we import it back here to provide backward compatibility for a release
  or so, after which we will remove it from the server.
  Change-Id: Iccdb7839a611cdda233e4ea96f68c64d6d82f49c
* Use the right subprocess based on os monkeypatch (Vishvananda Ishaya, 2012-11-09, 1 file, -2/+1)
  This works around the following eventlet bug:
  https://bitbucket.org/which_linden/eventlet/issue/92
  by using the green version of Popen if os has been monkeypatched. It also has
  the side effect of making the ssl calls not block the reactor for workers
  that use eventlet.
  Change-Id: I1457237f52310f0536fbcdcaa42174b17e8edbf5
* Merge "fixes bug 1074172" (Jenkins, 2012-11-08, 1 file, -3/+35)
  * fixes bug 1074172 (Joe Heck, 2012-11-07, 1 file, -3/+35)
    updated diablo token based on output from diablo/stable keystone
    added expiry to example tokens for test_auth_middleware
    added a stack based HTTP response to test_auth_middleware to verify sequencing
    Change-Id: I738b0e9c1a0e62ad86adb95ec0b73f621513f7d4
* HACKING compliance: consistent use of 'except' (Dolph Mathews, 2012-11-05, 3 files, -6/+6)
  Change-Id: I8301043965e08ffdec63441e612628d9a60876b7
* auth_token hash pki (Adam Young, 2012-11-01, 1 file, -2/+3)
  key PKI tokens on hash in memcached when accessed by auth_token middleware
  Bug 1073343
  Change-Id: I32e5481f82fd110c855d7e1138c3d43c73099bbb
* Move 'openstack.context' and 'openstack.params' definitions to keystone.common.wsgi (Alvaro Lopez Garcia, 2012-10-29, 1 file, -2/+2)
  Change-Id: Idc4f6765cba20e7baadb61e355076695f36d66ea
* replacing PKI token detection from content length to content prefix. (bug 1060389) (Dan Radez, 2012-10-11, 1 file, -1/+1)
  Change-Id: I68b0e4126f2e339c04271fd982f5f5dab198c630
* Backslash continuation cleanup (Zhongyue Luo, 2012-09-19, 1 file, -4/+4)
  Removed unnecessary backslash continuations
  Added backslash continuation rules to HACKING.rst
  Change-Id: Id91da5b7e9be4d4587dded95fe7a0415240213ec
* Check for expected cfg impl (bug 1043479) (Dolph Mathews, 2012-08-29, 1 file, -1/+1)
  Change-Id: Id2ac85d4ac61713c0ca8e2c10e68cbdeeadff4cb
* Fix auth_token middleware to fetch revocation list as admin. (Adam Young, 2012-08-23, 1 file, -2/+6)
  Make the revocation list into a JSON document and get the Vary header.
  This will also allow the revocation list to carry additional information in
  the future, to include sufficient information for the calling application to
  figure out how to get the certificates it requires.
  Bug 1038309
  Change-Id: I4a41cbd8a7352e5b5f951027d6f2063b169bce89
* allow middleware configuration from app config (Alan Pevec, 2012-08-22, 1 file, -20/+76)
  From markmc's proposal:
  http://lists.openstack.org/pipermail/openstack-dev/2012-July/000277.html

  For backward compatibility, configuration from paste-deploy INI is used if it
  exists. If not, section [keystone_authtoken] in global configuration is
  expected, with the same parameter names.

  Requires application using global cfg.CONF object (nova and glance since
  folsom-2) and before there's openstack.common library, attempts to use
  copy/pasted <application>.openstack.common.cfg

  DocImpact
  Change-Id: If6aa22280f4ce2cc698d99a130b5792dab808363
* PKI Token revocation (Maru Newby, 2012-08-16, 1 file, -10/+89)
  Co-authored-by: Adam Young <ayoung@redhat.com>

  Token revocations are captured in the backends. During upgrade, all previous
  tickets are defaulted to valid.

  Revocation list returned as a signed document and can be fetched in an admin
  context via HTTP

  Change config values for enable disable PKI

  In the auth_token middleware, the revocation list is fetched prior to
  validating tokens. Any tokens that are on the revocation list will be treated
  as invalid.

  Added in PKI token tests that check the same logic as the UUID tests. Sample
  data for the tests is read out of the signing directory.

  dropped number on sql scripts to pass tests.

  Also fixes 1031373
  Bug 1037683
  Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23
* Use user home dir as default for cache (Adam Young, 2012-08-01, 1 file, -2/+9)
  This is a better and safer default, as it minimizes the possibility that the
  cache directory will be prepopulated or unwritable, while still providing a
  reasonable value for the individual developer

  Creates a better exception for failure to create the cache dir
  Logs the name of the cache dir actually used.

  Bug 1031022
  Change-Id: Ia3718107e436ceb034e3a89318ac05265d66d6f1
* Set default signing_dir based on os USER. (Dan Prince, 2012-07-30, 1 file, -1/+2)
  Updates the Keystone auth_token middleware so that it sets the default
  signing_dir name based on the OS username obtained from the environment.
  This should help resolve potential permissions issues which can occur when
  multiple OpenStack services attempt to use the same signing directory name.
  Fixes LP Bug #1031022.
  Change-Id: I53bceed27f60721b8f61ffec2d1e91ec2ea464ed
* Test for Cert by name (Adam Young, 2012-07-30, 1 file, -2/+2)
  Fixes a typo in checking if cert file exists.
  Bug 1030912
  Change-Id: Iea783aaa6bc425a17799d40cd6b378d90ebe6faf
* Cryptographically Signed tokens (Adam Young, 2012-07-26, 1 file, -35/+152)
  Uses CMS to create tokens that can be verified without network calls.

  Tokens encapsulate authorization information. This includes user name and
  roles in JSON. The JSON document info is cryptographically signed with a
  private key from Keystone, in accordance with the Cryptographic Message
  Syntax (CMS) in DER format and then Base64 encoded. The header, footer, and
  line breaks are stripped to minimize the size, and slashes which are invalid
  in Base64 are converted to hyphens.

  Since signed tokens are not validated against the Keystone server, they
  continue to be valid until the expiration time. This means that even if a
  user has their roles revoked or their account disabled, those changes will
  not take effect until their token times out. The prototype for this is
  Kerberos, which has the same limitation, and has functioned successfully with
  it for decades. It is possible to set the token time out for much shorter
  than the default of 8 hours, but that may mean that users' tokens will time
  out prior to completion of long running tasks.

  This should be a drop-in replacement for the current token production code.
  Although the signed token is longer than the older format, the token is still
  a unique stream of alphanumeric characters. The auth_token middleware is
  capable of handling both uuid and signed tokens.

  To start with, the PKI functionality is disabled. This will keep from
  breaking the existing deployments. However, it can be enabled with the config
  value:

  [signing]
  disable_pki = False

  The 'id_hash' column is added to the SQL schema because SQL alchemy insists
  on each table having a primary key. However primary keys are limited to
  roughly 250 Characters (768 Bytes, but there is more than 1 varchar per byte)
  so the ID field cannot be used as the primary key anymore. id_hash is a hash
  of the id column, and should be used for lookups as it is indexed.

  middleware/auth_token.py needs to stand alone in the other services, and uses
  keystone.common.cms in order to verify tokens.

  Token needs to have all of the data from the original authenticate code
  contained in the signed document, as the authenticate RPC will no longer be
  called in many cases. The datetime of expiry is signed in the token.

  The certificates are accessible via web APIs. On the remote service side,
  certificates needed to authenticate tokens are stored in /tmp/keystone-signing
  by default. Remote systems use Paste API to read configuration values.
  Certificates are retrieved only if they are not on the local system.

  When authenticating in Keystone systems, it still does the Database checks
  for token presence. This allows Keystone to continue to enforce Timeout and
  disabled users.

  The service catalog has been added to the signed token. Although this greatly
  increases the size of the token, it makes it consistent with what is fetched
  during the token authenticate checks

  This change also fixes time variations in expiry test. Although unrelated to
  the above changes, it was making testing very frustrating.

  For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
  script. This makes it possible to use the same 002 script for both upgrade
  and initializing a new database. Upon upgrade, the current UUID tokens are
  retained in the id_hash and id fields. The mechanisms to verify uuid tokens
  work the same as before. On downgrade, token_ids are dropped.

  Takes into account changes for "Raise unauthorized if tenant disabled"

  Bug 1003962
  Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
* Merge "Admin Auth URI prefix" (Jenkins, 2012-07-13, 1 file, -1/+3)
  * Admin Auth URI prefix (ayoung, 2012-07-12, 1 file, -1/+3)
    Allows the prepending of a prefix to the URI used for admin tasks.
    This allows URIs like https://hostname/keystone/main/v2.0

    PEP8 fix

    Added to unit test to ensure auth_prefix is checked

    Bug: 994860
    Change-Id: I851e059e8b17c1bc02ab93d8b09a3fb47b9d3fee
* Prevent service catalog injection in auth_token. (Dan Prince, 2012-07-12, 1 file, -0/+1)
  Updates the auth_token middleware to explicitly prevent X-Service-Catalog
  headers from being injected into responses. In general Keystone would
  override these with its own service catalog... however since
  X-Service-Catalog is optional and not all implementations/calls return it is
  good to be safe and just remove incoming X-Service-Catalog headers if they
  are set.
  Fixes LP Bug #1023998.
  Change-Id: I9497937abd1b434b42b40bc943a508dd7f1a3585
* Keystone should use openstack.common.jsonutils (Zhongyue Luo, 2012-06-28, 3 files, -12/+13)
  Implements blueprint use-common-jsonutils
  1. Edit openstack-common.conf and import keystone/openstack/common/jsonutils.py
  2. Remove json package imports and replace with jsonutils
  Client code in vendor/ hasn't been changed
  Change-Id: I57c670fde9f2c2241eddab1b012e8d5e6a72deb7
* Removed unused import (Dolph Mathews, 2012-06-21, 1 file, -2/+0)
  Change-Id: I9fec34122ca28ac9d2d9866cfe6ab203998d177d
* Reorder imports by full module path (Zhongyue Luo, 2012-06-20, 2 files, -3/+3)
  Fixes bug #1013441
  Sort imports by lexicographical order of full module path
  Change-Id: I60231d87618466426dc7bfac7bb0644a0dbd079a
* Pass serviceCatalog in auth_token middleware (Anthony Young, 2012-06-19, 1 file, -1/+13)
  * This will allow for chained requests (novaclient -> nova -> cinder)
  * Fixes bug 1010237
  Change-Id: Iab126cb1f2fb01ca7da24fa9fe97ec81ee96e455
* 400 on unrecognized content type (bug 1012282) (Dolph Mathews, 2012-06-19, 1 file, -7/+11)
  Unrecognized content type: http://paste.openstack.org/raw/18537/
  Malformed JSON: http://paste.openstack.org/raw/18536/
  Change-Id: I76afbf9300bcb1c11bed74eddbe4972c451c5877
* PEP8 fixes (Dolph Mathews, 2012-06-18, 5 files, -23/+28)
  Change-Id: I0989396691eb31d9008c016e64f2c197f8c7e48c
* fix importing of optional modules in auth_token (Pádraig Brady, 2012-06-07, 1 file, -1/+1)
  * keystone/middleware/auth_token.py: Catch the correct exception so that the
    memcache and iso8601 modules can be optional as intended.
  * tests/test_auth_token_middleware.py: Test the ImportError path
  * keystone/test.py: Add a new mixin class to support disabling importing of
    a module.
  Bug: 1003715
  Change-Id: I87cc2f3bc79b17a52ea672bac7e0ebcf9e1fce57
* Merge "Use X_USER_NAME and X_ROLES headers." (Jenkins, 2012-06-06, 1 file, -3/+3)
  * Use X_USER_NAME and X_ROLES headers. (Chmouel Boudjnah, 2012-05-22, 1 file, -3/+3)
    - Don't use deprecated headers X_USER and X_ROLE but the newest one
      X_USER_NAME and X_ROLES.
    - Fixes bug 999447.
    Change-Id: I12752c7668863cbb47ee4b6e484cc494133443e8
* Merge "Update swift_auth documentation." (Jenkins, 2012-05-29, 1 file, -4/+3)
  * Update swift_auth documentation. (Chmouel Boudjnah, 2012-05-23, 1 file, -4/+3)
    - Make it consistent between the source documentation and the rst
      documentation.
    - Note about the default being https.
    Change-Id: Ic78ef79198eee9b514bb52fce12d7224e9ab65ae
* Merge "Add ACL check using <tenant_id>:<user> format." (Jenkins, 2012-05-29, 1 file, -3/+5)
  * Add ACL check using <tenant_id>:<user> format. (Lin Hua Cheng, 2012-05-22, 1 file, -3/+5)
    Fixes bug 999998.
    Swift auth middleware uses a new format for expressing a container ACL for
    a user: <tenant_name>:<user>. This fix adds support for checking ACL using
    the old format of <tenant_id>:<user>.
    Change-Id: I44985b191afb174605c35041741056ae1e78fa77
* Merge "Make sure we parse delay_auth_decision as boolean." (Jenkins, 2012-05-29, 1 file, -1/+2)
  * Make sure we parse delay_auth_decision as boolean. (Chmouel Boudjnah, 2012-05-15, 1 file, -1/+2)
    - Fixes bug 995222.
    - Documentation already had a false, which is correct; updating the bug.
    Change-Id: I08625d8fa07c05b25c851c1df327cbdf660bd614