diff --git a/.coveragerc b/.coveragerc index f024452c7..2f17ab1b3 100644 --- a/.coveragerc +++ b/.coveragerc @@ -1,7 +1,7 @@ [run] branch = True source = keystoneclient -omit = keystoneclient/tests/*,keystoneclient/openstack/* +omit = keystoneclient/tests/* [report] -ignore-errors = True +ignore_errors = True diff --git a/.gitignore b/.gitignore index 9f14a9f52..f24746a37 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ .coverage -.testrepository +.stestr/ subunit.log .venv *,cover @@ -21,4 +21,6 @@ doc/source/api .project .pydevproject # Temporary files created during test, but not removed -examples/pki/certs/tmp* \ No newline at end of file +examples/pki/certs/tmp* +# Files created by releasenotes build +releasenotes/build diff --git a/.gitreview b/.gitreview index 56224f5de..e26745728 100644 --- a/.gitreview +++ b/.gitreview @@ -1,4 +1,4 @@ [gerrit] -host=review.openstack.org +host=review.opendev.org port=29418 project=openstack/python-keystoneclient.git diff --git a/.stestr.conf b/.stestr.conf new file mode 100644 index 000000000..73c0a5172 --- /dev/null +++ b/.stestr.conf @@ -0,0 +1,4 @@ +[DEFAULT] +test_path=${OS_TEST_PATH:-./keystoneclient/tests/unit} +top_dir=./ + diff --git a/.testr.conf b/.testr.conf deleted file mode 100644 index 9355c2748..000000000 --- a/.testr.conf +++ /dev/null @@ -1,4 +0,0 @@ -[DEFAULT] -test_command=${PYTHON:-python} -m subunit.run discover -t ./ ./keystoneclient/tests $LISTOPT $IDOPTION -test_id_option=--load-list $IDFILE -test_list_option=--list diff --git a/.zuul.yaml b/.zuul.yaml new file mode 100644 index 000000000..8b2b1a6d1 --- /dev/null +++ b/.zuul.yaml @@ -0,0 +1,31 @@ +- job: + name: keystoneclient-devstack-functional + parent: devstack-minimal + timeout: 4200 + required-projects: + - openstack/keystone + - openstack/python-keystoneclient + run: playbooks/run-ds-tox.yaml + post-run: playbooks/tox-post.yaml + vars: + devstack_localrc: + USE_PYTHON3: true + devstack_services: + key: true + tox_envlist: functional + zuul_work_dir: src/opendev.org/openstack/python-keystoneclient + +- project: + templates: + - openstack-cover-jobs + - openstack-python3-jobs + - publish-openstack-docs-pti + - check-requirements + - lib-forward-testing-python3 + - release-notes-jobs-python3 + check: + jobs: + - keystoneclient-devstack-functional + gate: + jobs: + - keystoneclient-devstack-functional diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 7ebb65ee0..604d3ac77 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -1,13 +1,15 @@ If you would like to contribute to the development of OpenStack, you must follow the steps documented at: - http://wiki.openstack.org/HowToContribute#If_you.27re_a_developer + https://docs.openstack.org/infra/manual/developers.html -Once those steps have been completed, changes to OpenStack -should be submitted for review via the Gerrit tool, following -the workflow documented at: +If you already have a good understanding of how the system works +and your OpenStack accounts are set up, you can skip to the +development workflow section of this documentation to learn how +changes to OpenStack should be submitted for review via the +Gerrit tool: - http://wiki.openstack.org/GerritWorkflow + https://docs.openstack.org/infra/manual/developers.html#development-workflow Pull requests submitted through GitHub will be ignored. diff --git a/HACKING.rst b/HACKING.rst index 0dfef9905..6ea94ff6f 100644 --- a/HACKING.rst +++ b/HACKING.rst @@ -2,7 +2,7 @@ Keystone Style Commandments =========================== - Step 1: Read the OpenStack Style Commandments - http://docs.openstack.org/developer/hacking/ + https://docs.openstack.org/hacking/latest/ - Step 2: Read on Exceptions @@ -17,7 +17,7 @@ Testing python-keystoneclient uses testtools and testr for its unittest suite and its test runner. Basic workflow around our use of tox and testr can -be found at http://wiki.openstack.org/testr. If you'd like to learn more +be found at https://wiki.openstack.org/testr. If you'd like to learn more in depth: https://testtools.readthedocs.org/ diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index 29c067650..000000000 --- a/MANIFEST.in +++ /dev/null @@ -1,7 +0,0 @@ -include README.rst -include AUTHORS HACKING LICENSE -include ChangeLog -include run_tests.sh tox.ini -recursive-include doc * -recursive-include tests * -recursive-include tools * diff --git a/README.rst b/README.rst index 153b500cd..6b27711a8 100644 --- a/README.rst +++ b/README.rst @@ -1,19 +1,44 @@ -Python bindings to the OpenStack Identity API (Keystone) -======================================================== +======================== +Team and repository tags +======================== -This is a client for the OpenStack Identity API, implemented by Keystone. -There's a Python API (the ``keystoneclient`` module), and a command-line script -(``keystone``). +.. image:: https://governance.openstack.org/tc/badges/python-keystoneclient.svg + :target: https://governance.openstack.org/tc/reference/tags/index.html -Development takes place via the usual OpenStack processes as outlined in the -`OpenStack wiki `_. The master -repository is on `GitHub `_. +.. Change things from this point on -This code is a fork of `Rackspace's python-novaclient -`_ which is in turn a fork of -`Jacobian's python-cloudservers -`_. ``python-keystoneclient`` -is licensed under the Apache License like the rest of OpenStack. +Python bindings to the OpenStack Identity API (Keystone) +======================================================== + +.. image:: https://img.shields.io/pypi/v/python-keystoneclient.svg + :target: https://pypi.org/project/python-keystoneclient/ + :alt: Latest Version + +This is a client for the OpenStack Identity API, implemented by the Keystone +team; it contains a Python API (the ``keystoneclient`` module) for +OpenStack's Identity Service. For command line interface support, use +`OpenStackClient`_. + +* `PyPi`_ - package installation +* `Online Documentation`_ +* `Launchpad project`_ - release management +* `Blueprints`_ - feature specifications +* `Bugs`_ - issue tracking +* `Source`_ +* `Specs`_ +* `How to Contribute`_ +* `Release Notes`_ + +.. _PyPi: https://pypi.org/project/python-keystoneclient +.. _Online Documentation: https://docs.openstack.org/python-keystoneclient/latest/ +.. _Launchpad project: https://launchpad.net/python-keystoneclient +.. _Blueprints: https://blueprints.launchpad.net/python-keystoneclient +.. _Bugs: https://bugs.launchpad.net/python-keystoneclient +.. _Source: https://opendev.org/openstack/python-keystoneclient +.. _OpenStackClient: https://pypi.org/project/python-openstackclient +.. _How to Contribute: https://docs.openstack.org/infra/manual/developers.html +.. _Specs: https://specs.openstack.org/openstack/keystone-specs/ +.. _Release Notes: https://docs.openstack.org/releasenotes/python-keystoneclient .. contents:: Contents: :local: @@ -23,181 +48,15 @@ Python API By way of a quick-start:: - # use v2.0 auth with http://example.com:5000/v2.0 - >>> from keystoneclient.v2_0 import client - >>> keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT, auth_url=AUTH_URL) - >>> keystone.tenants.list() - >>> tenant = keystone.tenants.create(tenant_name="test", description="My new tenant!", enabled=True) - >>> tenant.delete() - - -Command-line API ----------------- - -Installing this package gets you a shell command, ``keystone``, that you can -use to interact with OpenStack's Identity API. - -You'll need to provide your OpenStack tenant, username and password. You can do -this with the ``--os-tenant-name``, ``--os-username`` and ``--os-password`` -params, but it's easier to just set them as environment variables:: - - export OS_TENANT_NAME=project - export OS_USERNAME=user - export OS_PASSWORD=pass - -You will also need to define the authentication url with ``--os-auth-url`` and -the version of the API with ``--os-identity-api-version``. Or set them as an -environment variables as well:: - - export OS_AUTH_URL=http://example.com:5000/v2.0 - export OS_IDENTITY_API_VERSION=2.0 - -Alternatively, to bypass username/password authentication, you can provide a -pre-established token. In Keystone, this approach is necessary to bootstrap the -service with an administrative user, tenant & role (to do so, provide the -client with the value of your ``admin_token`` defined in ``keystone.conf`` in -addition to the URL of your admin API deployment, typically on port 35357):: - - export OS_SERVICE_TOKEN=thequickbrownfox-jumpsover-thelazydog - export OS_SERVICE_ENDPOINT=http://example.com:35357/v2.0 - -Since the Identity service can return multiple regions in the service catalog, -you can specify the one you want with ``--os-region-name`` (or ``export -OS_REGION_NAME``):: - - export OS_REGION_NAME=north - -.. WARNING:: - - If a region is not specified and multiple regions are returned by the - Identity service, the client may not access the same region consistently. - -If you need to connect to a server that is TLS-enabled (the auth URL begins -with 'https') and it uses a certificate from a private CA or a self-signed -certificate you will need to specify the path to an appropriate CA certificate -to use to validate the server certificate with ``--os-cacert`` or an -environment variable:: - - export OS_CACERT=/etc/ssl/my-root-cert.pem - -Certificate verification can be turned off using ``--insecure``. This should -be used with caution. - -You'll find complete documentation on the shell by running ``keystone help``:: - - usage: keystone [--version] [--timeout ] - [--os-username ] - [--os-password ] - [--os-tenant-name ] - [--os-tenant-id ] [--os-auth-url ] - [--os-region-name ] - [--os-identity-api-version ] - [--os-token ] - [--os-endpoint ] - [--os-cacert ] [--insecure] - [--os-cert ] [--os-key ] [--os-cache] - [--force-new-token] [--stale-duration ] - ... - - Command-line interface to the OpenStack Identity API. - - Positional arguments: - - catalog - ec2-credentials-create - Create EC2-compatible credentials for user per tenant - ec2-credentials-delete - Delete EC2-compatible credentials - ec2-credentials-get - Display EC2-compatible credentials - ec2-credentials-list - List EC2-compatible credentials for a user - endpoint-create Create a new endpoint associated with a service - endpoint-delete Delete a service endpoint - endpoint-get - endpoint-list List configured service endpoints - password-update Update own password - role-create Create new role - role-delete Delete role - role-get Display role details - role-list List all roles - service-create Add service to Service Catalog - service-delete Delete service from Service Catalog - service-get Display service from Service Catalog - service-list List all services in Service Catalog - tenant-create Create new tenant - tenant-delete Delete tenant - tenant-get Display tenant details - tenant-list List all tenants - tenant-update Update tenant name, description, enabled status - token-get - user-create Create new user - user-delete Delete user - user-get Display user details. - user-list List users - user-password-update - Update user password - user-role-add Add role to user - user-role-list List roles granted to a user - user-role-remove Remove role from user - user-update Update user's name, email, and enabled status - discover Discover Keystone servers, supported API versions and - extensions. - bootstrap Grants a new role to a new user on a new tenant, after - creating each. - bash-completion Prints all of the commands and options to stdout. - help Display help about this program or one of its - subcommands. - - Optional arguments: - --version Shows the client version and exits - --timeout Set request timeout (in seconds) - --os-username - Name used for authentication with the OpenStack - Identity service. Defaults to env[OS_USERNAME] - --os-password - Password used for authentication with the OpenStack - Identity service. Defaults to env[OS_PASSWORD] - --os-tenant-name - Tenant to request authorization on. Defaults to - env[OS_TENANT_NAME] - --os-tenant-id - Tenant to request authorization on. Defaults to - env[OS_TENANT_ID] - --os-auth-url - Specify the Identity endpoint to use for - authentication. Defaults to env[OS_AUTH_URL] - --os-region-name - Defaults to env[OS_REGION_NAME] - --os-identity-api-version - Defaults to env[OS_IDENTITY_API_VERSION] or 2.0 - --os-token - Specify an existing token to use instead of retrieving - one via authentication (e.g. with username & - password). Defaults to env[OS_SERVICE_TOKEN] - --os-endpoint - Specify an endpoint to use instead of retrieving one - from the service catalog (via authentication). - Defaults to env[OS_SERVICE_ENDPOINT] - --os-cacert - Specify a CA bundle file to use in verifying a TLS - (https) server certificate. Defaults to env[OS_CACERT] - --insecure Explicitly allow keystoneclient to perform "insecure" - TLS (https) requests. The server's certificate will - not be verified against any certificate authorities. - This option should be used with caution. - --os-cert - Defaults to env[OS_CERT] - --os-key Defaults to env[OS_KEY] - --os-cache Use the auth token cache. Defaults to env[OS_CACHE] - --force-new-token If the keyring is available and in use, token will - always be stored and fetched from the keyring until - the token has expired. Use this option to request a - new token and replace the existing one in the keyring. - --stale-duration - Stale duration (in seconds) used to determine whether - a token has expired when retrieving it from keyring. - This is useful in mitigating process or network - delays. Default is 30 seconds. - - See "keystone help COMMAND" for help on a specific command. + >>> from keystoneauth1.identity import v3 + >>> from keystoneauth1 import session + >>> from keystoneclient.v3 import client + >>> auth = v3.Password(auth_url="http://example.com:5000/v3", username="admin", + ... password="password", project_name="admin", + ... user_domain_id="default", project_domain_id="default") + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) + >>> keystone.projects.list() + [...] + >>> project = keystone.projects.create(name="test", description="My new Project!", domain="default", enabled=True) + >>> project.delete() diff --git a/babel.cfg b/babel.cfg deleted file mode 100644 index efceab818..000000000 --- a/babel.cfg +++ /dev/null @@ -1 +0,0 @@ -[python: **.py] diff --git a/bindep.txt b/bindep.txt new file mode 100644 index 000000000..fde5b372e --- /dev/null +++ b/bindep.txt @@ -0,0 +1,21 @@ +# This is a cross-platform list tracking distribution packages needed by tests; +# see https://docs.openstack.org/infra/bindep/ for additional information. + +gettext +libssl-dev [platform:dpkg] +openssl-devel [platform:rpm] + +dbus-devel [platform:rpm] +dbus-glib-devel [platform:rpm] +libdbus-1-dev [platform:dpkg] +libdbus-glib-1-dev [platform:dpkg] +libffi-dev [platform:dpkg] +libffi-devel [platform:rpm] +libsasl2-dev [platform:dpkg] +libxml2-dev [platform:dpkg] +libxslt1-dev [platform:dpkg] +python3-all-dev [platform:dpkg] + +cyrus-sasl-devel [platform:rpm] +libxml2-devel [platform:rpm] +python3-devel [platform:rpm] diff --git a/doc/ext/apidoc.py b/doc/ext/apidoc.py deleted file mode 100644 index 60ad23e80..000000000 --- a/doc/ext/apidoc.py +++ /dev/null @@ -1,46 +0,0 @@ -# Copyright 2014 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -# NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and remove this -# Sphinx extension when https://launchpad.net/bugs/1260495 is fixed. - -import os.path as path - -from sphinx import apidoc - - -# NOTE(blk-u): pbr will run Sphinx multiple times when it generates -# documentation. Once for each builder. To run this extension we use the -# 'builder-inited' hook that fires at the beginning of a Sphinx build. -# We use ``run_already`` to make sure apidocs are only generated once -# even if Sphinx is run multiple times. -run_already = False - - -def run_apidoc(app): - global run_already - if run_already: - return - run_already = True - - package_dir = path.abspath(path.join(app.srcdir, '..', '..', - 'keystoneclient')) - source_dir = path.join(app.srcdir, 'api') - apidoc.main(['apidoc', package_dir, '-f', - '-H', 'keystoneclient Modules', - '-o', source_dir]) - - -def setup(app): - app.connect('builder-inited', run_apidoc) diff --git a/doc/requirements.txt b/doc/requirements.txt new file mode 100644 index 000000000..6c96d9ac2 --- /dev/null +++ b/doc/requirements.txt @@ -0,0 +1,7 @@ +# These are needed for docs generation +openstackdocstheme>=2.2.1 # Apache-2.0 +sphinx>=2.0.0 # BSD +sphinxcontrib-apidoc>=0.2.0 # BSD +reno>=3.1.0 # Apache-2.0 +lxml>=3.4.1 # BSD +fixtures>=3.0.0 # Apache-2.0/BSD diff --git a/doc/source/authentication-plugins.rst b/doc/source/authentication-plugins.rst deleted file mode 100644 index 41f04d821..000000000 --- a/doc/source/authentication-plugins.rst +++ /dev/null @@ -1,193 +0,0 @@ -====================== -Authentication Plugins -====================== - -Introduction -============ - -Authentication plugins provide a generic means by which to extend the -authentication mechanisms known to OpenStack clients. - -In the vast majority of cases the authentication plugins used will be those -written for use with the OpenStack Identity Service (Keystone), however this is -not the only possible case, and the mechanisms by which authentication plugins -are used and implemented should be generic enough to cover completely -customized authentication solutions. - -The subset of authentication plugins intended for use with an OpenStack -Identity server (such as Keystone) are called Identity Plugins. - - -Available Plugins -================= - -Keystoneclient ships with a number of plugins and particularly Identity -Plugins. - -V2 Identity Plugins -------------------- - -Standard V2 identity plugins are defined in the module: -:py:mod:`keystoneclient.auth.identity.v2` - -They include: - -- :py:class:`~keystoneclient.auth.identity.v2.Password`: Authenticate against - a V2 identity service using a username and password. -- :py:class:`~keystoneclient.auth.identity.v2.Token`: Authenticate against a - V2 identity service using an existing token. - -V3 Identity Plugins -------------------- - -Standard V3 identity plugins are defined in the module -:py:mod:`keystoneclient.auth.identity.v3`. - -V3 Identity plugins are slightly different from their V2 counterparts as a V3 -authentication request can contain multiple authentication methods. To handle -this V3 defines a number of different -:py:class:`~keystoneclient.auth.identity.v3.AuthMethod` classes: - -- :py:class:`~keystoneclient.auth.identity.v3.PasswordMethod`: Authenticate - against a V3 identity service using a username and password. -- :py:class:`~keystoneclient.auth.identity.v3.TokenMethod`: Authenticate against - a V2 identity service using an existing token. - -The :py:class:`~keystoneclient.auth.identity.v3.AuthMethod` objects are then -passed to the :py:class:`~keystoneclient.auth.identity.v3.Auth` plugin:: - - >>> from keystoneclient import session - >>> from keystoneclient.auth.identity import v3 - >>> password = v3.PasswordMethod(username='user', - ... password='password') - >>> auth = v3.Auth(auth_url='http://my.keystone.com:5000/v3', - ... auth_methods=[password], - ... project_id='projectid') - >>> sess = session.Session(auth=auth) - -As in the majority of cases you will only want to use one -:py:class:`~keystoneclient.auth.identity.v3.AuthMethod` there are also helper -authentication plugins for the various -:py:class:`~keystoneclient.auth.identity.v3.AuthMethod` which can be used more -like the V2 plugins: - -- :py:class:`~keystoneclient.auth.identity.v3.Password`: Authenticate using - only a :py:class:`~keystoneclient.auth.identity.v3.PasswordMethod`. -- :py:class:`~keystoneclient.auth.identity.v3.Token`: Authenticate using only a - :py:class:`~keystoneclient.auth.identity.v3.TokenMethod`. - -:: - - >>> auth = v3.Password(auth_url='http://my.keystone.com:5000/v3', - ... username='username', - ... password='password', - ... project_id='projectid') - >>> sess = session.Session(auth=auth) - -This will have exactly the same effect as using the single -:py:class:`~keystoneclient.auth.identity.v3.PasswordMethod` above. - - -Simple Plugins --------------- - -In addition to the Identity plugins a simple plugin that will always use the -same provided token and endpoint is available. This is useful in situations -where you have an ``ADMIN_TOKEN`` or in testing when you specifically know the -endpoint you want to communicate with. - -It can be found at :py:class:`keystoneclient.auth.token_endpoint.Token`. - - -V3 OAuth 1.0a Plugins ---------------------- - -There also exists a plugin for OAuth 1.0a authentication. We provide a helper -authentication plugin at: -:py:class:`~keystoneclient.v3.contrib.oauth1.auth.OAuth`. -The plugin requires the OAuth consumer's key and secret, as well as the OAuth -access token's key and secret. For example:: - - >>> from keystoneclient.v3.contrib.oauth1 import auth - >>> from keystoneclient import session - >>> from keystoneclient.v3 import client - >>> a = auth.OAuth('http://my.keystone.com:5000/v3', - ... consumer_key=consumer_id, - ... consumer_secret=consumer_secret, - ... access_key=access_token_key, - ... access_secret=access_token_secret) - >>> s = session.Session(auth=a) - - -Creating Authentication Plugins -=============================== - -Creating an Identity Plugin ---------------------------- - -If you have implemented a new authentication mechanism into the Identity -service then you will be able to reuse a lot of the infrastructure available -for the existing Identity mechanisms. As the V2 identity API is essentially -frozen, it is expected that new plugins are for the V3 API. - -To implement a new V3 plugin that can be combined with others you should -implement the base :py:class:`keystoneclient.auth.identity.v3.AuthMethod` class -and implement the -:py:meth:`~keystoneclient.auth.identity.v3.AuthMethod.get_auth_data` function. -If your Plugin cannot be used in conjunction with existing -:py:class:`keystoneclient.auth.identity.v3.AuthMethod` then you should just -override :py:class:`keystoneclient.auth.identity.v3.Auth` directly. - -The new :py:class:`~keystoneclient.auth.identity.v3.AuthMethod` should take all -the required parameters via -:py:meth:`~keystoneclient.auth.identity.v3.AuthMethod.__init__` and return from -:py:meth:`~keystoneclient.auth.identity.v3.AuthMethod.get_auth_data` a tuple -with the unique identifier of this plugin (e.g. *password*) and a dictionary -containing the payload of values to send to the authentication server. The -session, calling auth object and request headers are also passed to this -function so that the plugin may use or manipulate them. - -You should also provide a class that inherits from -:py:class:`keystoneclient.auth.identity.v3.Auth` with an instance of your new -:py:class:`~keystoneclient.auth.identity.v3.AuthMethod` as the `auth_methods` -parameter to :py:class:`keystoneclient.auth.identity.v3.Auth`. - -By convention (and like above) these are named `PluginType` and -`PluginTypeMethod` (for example -:py:class:`~keystoneclient.auth.identity.v3.Password` and -:py:class:`~keystoneclient.auth.identity.v3.PasswordMethod`). - - -Creating a Custom Plugin ------------------------- - -To implement an entirely new plugin you should implement the base class -:py:class:`keystoneclient.auth.base.BaseAuthPlugin` and provide the -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.get_endpoint`, -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.get_token` and -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.invalidate` functions. - -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.get_token` is called to -retrieve the string token from a plugin. It is intended that a plugin will -cache a received token and so if the token is still valid then it should be -re-used rather than fetching a new one. A session object is provided with which -the plugin can contact it's server. (Note: use `authenticated=False` when -making those requests or it will end up being called recursively). The return -value should be the token as a string. - -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.get_endpoint` is called to -determine a base URL for a particular service's requests. The keyword arguments -provided to the function are those that are given by the `endpoint_filter` -variable in :py:meth:`keystoneclient.session.Session.request`. A session object -is also provided so that the plugin may contact an external source to determine -the endpoint. Again this will be generally be called once per request and so -it is up to the plugin to cache these responses if appropriate. The return -value should be the base URL to communicate with. - -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.invalidate` should also be -implemented to clear the current user credentials so that on the next -:py:meth:`~keystoneclient.auth.base.BaseAuthPlugin.get_token` call a new token -can be retrieved. - -The most simple example of a plugin is the -:py:class:`keystoneclient.auth.token_endpoint.Token` plugin. diff --git a/doc/source/conf.py b/doc/source/conf.py index 6ab9142e6..9c984584d 100644 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -1,5 +1,3 @@ -# -*- coding: utf-8 -*- -# # python-keystoneclient documentation build configuration file, created by # sphinx-quickstart on Sun Dec 6 14:19:25 2009. # @@ -12,23 +10,13 @@ # All configuration values have a default; values that are commented out # serve to show the default. -from __future__ import unicode_literals - import os import sys -import pbr.version - sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..'))) -# NOTE(blk-u): Path for our Sphinx extension, remove when -# https://launchpad.net/bugs/1260495 is fixed. -sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), - '..'))) - - # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. @@ -39,15 +27,11 @@ # Add any Sphinx extension module names here, as strings. They can be # extensions # coming with Sphinx (named 'sphinx.ext.*') or your custom ones. -extensions = ['sphinx.ext.autodoc', +extensions = ['sphinxcontrib.apidoc', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.intersphinx', - 'oslosphinx', - # NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and - # remove this Sphinx extension when - # https://launchpad.net/bugs/1260495 is fixed. - 'ext.apidoc', + 'openstackdocstheme', ] todo_include_todos = True @@ -65,18 +49,8 @@ master_doc = 'index' # General information about the project. -project = 'python-keystoneclient' copyright = 'OpenStack Contributors' -# The version info for the project you're documenting, acts as replacement for -# |version| and |release|, also used in various other places throughout the -# built documents. -version_info = pbr.version.VersionInfo('python-keystoneclient') -# The short X.Y version. -version = version_info.version_string() -# The full version, including alpha/beta/rc tags. -release = version_info.release_string() - # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. #language = None @@ -110,18 +84,15 @@ #show_authors = False # The name of the Pygments (syntax highlighting) style to use. -pygments_style = 'sphinx' +pygments_style = 'native' # A list of ignored prefixes for module index sorting. -#modindex_common_prefix = [] +modindex_common_prefix = ['keystoneclient.'] # Grouping the document tree for man pages. # List of tuples 'sourcefile', 'target', 'title', 'Authors name', 'manual' -man_pages = [ - ('man/keystone', 'keystone', 'Client for OpenStack Identity API', - ['OpenStack Contributors'], 1), -] +#man_pages = [] # -- Options for HTML output -------------------------------------------------- @@ -129,6 +100,7 @@ # Sphinx are currently 'default' and 'sphinxdoc'. #html_theme_path = ["."] #html_theme = '_theme' +html_theme = 'openstackdocs' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the @@ -159,11 +131,6 @@ # so a file named "default.css" will overwrite the builtin "default.css". #html_static_path = ['static'] -# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, -# using the given strftime format. -git_cmd = "git log --pretty=format:'%ad, commit %h' --date=local -n1" -html_last_updated_fmt = os.popen(git_cmd).read() - # If true, SmartyPants will be used to convert quotes and dashes to # typographically correct entities. #html_use_smartypants = True @@ -198,6 +165,14 @@ # Output file base name for HTML help builder. htmlhelp_basename = 'python-keystoneclientdoc' +# -- sphinxcontrib.apidoc configuration -------------------------------------- + +apidoc_module_dir = '../../keystoneclient' +apidoc_output_dir = 'api' +apidoc_excluded_paths = [ + 'fixture', + 'tests', +] # -- Options for LaTeX output ------------------------------------------------- @@ -211,10 +186,9 @@ # (source start file, target name, title, author, documentclass [howto/manual]) # . latex_documents = [ - ('index', 'python-keystoneclient.tex', + ('index', 'doc-python-keystoneclient.tex', 'python-keystoneclient Documentation', - 'Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss', - 'manual'), + 'OpenStack', 'manual'), ] # The name of an image file (relative to this directory) to place at the top of @@ -234,6 +208,27 @@ # If false, no module index is generated. #latex_use_modindex = True - -# Example configuration for intersphinx: refer to the Python standard library. -#intersphinx_mapping = {'python': ('http://docs.python.org/', None)} +# Disable usage of xindy https://bugzilla.redhat.com/show_bug.cgi?id=1643664 +latex_use_xindy = False + +latex_domain_indices = False + +latex_elements = { + 'makeindex': '', + 'printindex': '', + 'preamble': r'\setcounter{tocdepth}{3}', + 'maxlistdepth': 10, +} + +keystoneauth_url = 'https://docs.openstack.org/keystoneauth/latest/' +intersphinx_mapping = { + 'python': ('https://docs.python.org/', None), + 'osloconfig': ('https://docs.openstack.org/oslo.config/latest/', None), + 'keystoneauth1': (keystoneauth_url, None), +} + +# -- Options for openstackdocstheme ------------------------------------------- +openstackdocs_repo_name = 'openstack/python-keystoneclient' +openstackdocs_bug_project = 'python-keystoneclient' +openstackdocs_bug_tag = '' +openstackdocs_pdf_link = True diff --git a/doc/source/images/graphs_authComp.svg b/doc/source/images/graphs_authComp.svg deleted file mode 100644 index 6be629c12..000000000 --- a/doc/source/images/graphs_authComp.svg +++ /dev/null @@ -1,48 +0,0 @@ - - - - - - -AuthComp - - -AuthComp - -Auth -Component - - - -AuthComp->Reject - - -Reject -Unauthenticated -Requests - - -Service - -OpenStack -Service - - -AuthComp->Service - - -Forward -Authenticated -Requests - - - -Start->AuthComp - - - - - diff --git a/doc/source/images/graphs_authCompDelegate.svg b/doc/source/images/graphs_authCompDelegate.svg deleted file mode 100644 index 4788829a4..000000000 --- a/doc/source/images/graphs_authCompDelegate.svg +++ /dev/null @@ -1,53 +0,0 @@ - - - - - - -AuthCompDelegate - - -AuthComp - -Auth -Component - - - -AuthComp->Reject - - -Reject Requests -Indicated by the Service - - -Service - -OpenStack -Service - - -AuthComp->Service - - -Forward Requests -with Identiy Status - - -Service->AuthComp - - -Send Response OR -Reject Message - - - -Start->AuthComp - - - - - diff --git a/doc/source/index.rst b/doc/source/index.rst index d75547c60..f1114b67c 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -1,38 +1,50 @@ +======================================================== Python bindings to the OpenStack Identity API (Keystone) ======================================================== This is a client for OpenStack Identity API. There's a Python API for :doc:`Identity API v3 ` and :doc:`v2 ` (the -:mod:`keystoneclient` modules), and a command-line script (installed as -:doc:`keystone `). +:mod:`keystoneclient` modules). Contents: .. toctree:: :maxdepth: 1 - man/keystone + using-api-v3 using-sessions using-api-v2 - using-api-v3 + api/modules - authentication-plugins - middlewarearchitecture +Related Identity Projects +========================= + +In addition to creating the Python client library, the Keystone team also +provides `Identity Service`_, as well as `WSGI Middleware`_. + +.. _`Identity Service`: https://docs.openstack.org/keystone/latest/ +.. _`WSGI Middleware`: https://docs.openstack.org/keystonemiddleware/latest/ + +Release Notes +============= + + +Read also the `Keystoneclient Release Notes +`_. - api/modules Contributing ============ -Code is hosted `on GitHub`_. Submit bugs to the Keystone project on +Code is hosted `on OpenDev`_. Submit bugs to the Keystone project on `Launchpad`_. Submit code to the ``openstack/python-keystoneclient`` project using `Gerrit`_. -.. _on GitHub: https://github.com/openstack/python-keystoneclient +.. _on OpenDev: https://opendev.org/openstack/python-keystoneclient .. _Launchpad: https://launchpad.net/python-keystoneclient -.. _Gerrit: http://wiki.openstack.org/GerritWorkflow +.. _Gerrit: https://docs.openstack.org/infra/manual/developers.html#development-workflow -Run tests with ``python setup.py test``. +Run tests with ``tox``. Indices and tables ================== diff --git a/doc/source/man/keystone.rst b/doc/source/man/keystone.rst deleted file mode 100644 index d96d89f7e..000000000 --- a/doc/source/man/keystone.rst +++ /dev/null @@ -1,150 +0,0 @@ -======================================== -:program:`keystone` command line utility -======================================== - -.. program:: keystone -.. highlight:: bash - -SYNOPSIS -======== - -:program:`keystone` [options] [command-options] - -:program:`keystone help` - -:program:`keystone help` - - -DESCRIPTION -=========== - -The :program:`keystone` command line utility interacts with services providing -OpenStack Identity API (e.g. Keystone). - -To communicate with the API, you will need to be authenticated - and the -:program:`keystone` provides multiple options for this. - -While bootstrapping keystone the authentication is accomplished with a -shared secret token and the location of the Identity API endpoint. The -shared secret token is configured in keystone.conf as "admin_token". - -You can specify those values on the command line with :option:`--os-token` -and :option:`--os-endpoint`, or set them in environment variables: - -.. envvar:: OS_SERVICE_TOKEN - - Your keystone administrative token - -.. envvar:: OS_SERVICE_ENDPOINT - - Your Identity API endpoint - -The command line options will override any environment variables set. - -If you already have accounts, you can use your OpenStack username and -password. You can do this with the :option:`--os-username`, -:option:`--os-password`. - -Keystone allows a user to be associated with one or more projects which are -historically called tenants. To specify the project for which you want to -authorize against, you may optionally specify a :option:`--os-tenant-id` or -:option:`--os-tenant-name`. - -Instead of using options, it is easier to just set them as environment -variables: - -.. envvar:: OS_USERNAME - - Your Keystone username. - -.. envvar:: OS_PASSWORD - - Your Keystone password. - -.. envvar:: OS_TENANT_NAME - - Name of Keystone project. - -.. envvar:: OS_TENANT_ID - - ID of Keystone Tenant. - -.. envvar:: OS_AUTH_URL - - The OpenStack API server URL. - -.. envvar:: OS_IDENTITY_API_VERSION - - The OpenStack Identity API version. - -.. envvar:: OS_CACERT - - The location for the CA truststore (PEM formatted) for this client. - -.. envvar:: OS_CERT - - The location for the keystore (PEM formatted) containing the public - key of this client. This keystore can also optionally contain the - private key of this client. - -.. envvar:: OS_KEY - - The location for the keystore (PEM formatted) containing the private - key of this client. This value can be empty if the private key is - included in the OS_CERT file. - -For example, in Bash you'd use:: - - export OS_USERNAME=yourname - export OS_PASSWORD=yadayadayada - export OS_TENANT_NAME=myproject - export OS_AUTH_URL=http(s)://example.com:5000/v2.0/ - export OS_IDENTITY_API_VERSION=2.0 - export OS_CACERT=/etc/keystone/yourca.pem - export OS_CERT=/etc/keystone/yourpublickey.pem - export OS_KEY=/etc/keystone/yourprivatekey.pem - - -OPTIONS -======= - -To get a list of available commands and options run:: - - keystone help - -To get usage and options of a command:: - - keystone help - - -EXAMPLES -======== - -Get information about endpoint-create command:: - - keystone help endpoint-create - -View endpoints of OpenStack services:: - - keystone catalog - -Create a 'service' project:: - - keystone tenant-create --name=service - -Create service user for nova:: - - keystone user-create --name=nova \ - --tenant_id= \ - --email=nova@nothing.com - -View roles:: - - keystone role-list - - -BUGS -==== - -Keystone client is hosted in Launchpad so you can view current bugs at -https://bugs.launchpad.net/python-keystoneclient/. diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst deleted file mode 100644 index 47ae5316d..000000000 --- a/doc/source/middlewarearchitecture.rst +++ /dev/null @@ -1,428 +0,0 @@ -.. - Copyright 2011-2013 OpenStack Foundation - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -======================= -Middleware Architecture -======================= - -Abstract -======== - -The Keystone middleware architecture supports a common authentication protocol -in use between the OpenStack projects. By using keystone as a common -authentication and authorization mechanism, the OpenStack project can plug in -to existing authentication and authorization systems in use by existing -environments. - -In this document, we describe the architecture and responsibilities of the -authentication middleware which acts as the internal API mechanism for -OpenStack projects based on the WSGI standard. - -This documentation describes the implementation in -:class:`keystoneclient.middleware.auth_token` - -Specification Overview -====================== - -'Authentication' is the process of determining that users are who they say they -are. Typically, 'authentication protocols' such as HTTP Basic Auth, Digest -Access, public key, token, etc, are used to verify a user's identity. In this -document, we define an ''authentication component'' as a software module that -implements an authentication protocol for an OpenStack service. OpenStack is -using a token based mechanism to represent authentication and authorization. - -At a high level, an authentication middleware component is a proxy that -intercepts HTTP calls from clients and populates HTTP headers in the request -context for other WSGI middleware or applications to use. The general flow -of the middleware processing is: - -* clear any existing authorization headers to prevent forgery -* collect the token from the existing HTTP request headers -* validate the token - - * if valid, populate additional headers representing the identity that has - been authenticated and authorized - * if invalid, or no token present, reject the request (HTTPUnauthorized) - or pass along a header indicating the request is unauthorized (configurable - in the middleware) - * if the keystone service is unavailable to validate the token, reject - the request with HTTPServiceUnavailable. - -.. _authComponent: - -Authentication Component ------------------------- - -Figure 1. Authentication Component - -.. image:: images/graphs_authComp.svg - :width: 100% - :height: 180 - :alt: An Authentication Component - -The middleware may also be configured to operate in a 'delegated mode'. -In this mode, the decision to reject an unauthenticated client is delegated to -the OpenStack service, as illustrated in :ref:`authComponentDelegated`. - -Here, requests are forwarded to the OpenStack service with an identity status -message that indicates whether the client's identity has been confirmed or is -indeterminate. It is the OpenStack service that decides whether or not a reject -message should be sent to the client. - -.. _authComponentDelegated: - -Authentication Component (Delegated Mode) ------------------------------------------ - -Figure 2. Authentication Component (Delegated Mode) - -.. image:: images/graphs_authCompDelegate.svg - :width: 100% - :height: 180 - :alt: An Authentication Component (Delegated Mode) - -.. _deployStrategies: - -Deployment Strategy -=================== - -The middleware is intended to be used inline with OpenStack wsgi components, -based on the Oslo WSGI middleware class. It is typically deployed -as a configuration element in a paste configuration pipeline of other -middleware components, with the pipeline terminating in the service -application. The middleware conforms to the python WSGI standard [PEP-333]_. -In initializing the middleware, a configuration item (which acts like a python -dictionary) is passed to the middleware with relevant configuration options. - -Configuration -------------- - -The middleware is configured within the config file of the main application as -a WSGI component. Example for the auth_token middleware:: - - [app:myService] - paste.app_factory = myService:app_factory - - [pipeline:main] - pipeline = authtoken myService - - [filter:authtoken] - paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory - - # Prefix to prepend at the beginning of the path (string - # value) - #auth_admin_prefix= - - # Host providing the admin Identity API endpoint (string - # value) - auth_host=127.0.0.1 - - # Port of the admin Identity API endpoint (integer value) - auth_port=35357 - - # Protocol of the admin Identity API endpoint(http or https) - # (string value) - auth_protocol=https - - # Complete public Identity API endpoint (string value) - #auth_uri= - - # API version of the admin Identity API endpoint (string - # value) - #auth_version= - - # Do not handle authorization requests within the middleware, - # but delegate the authorization decision to downstream WSGI - # components (boolean value) - #delay_auth_decision=false - - # Request timeout value for communicating with Identity API - # server. (boolean value) - #http_connect_timeout= - - # How many times are we trying to reconnect when communicating - # with Identity API Server. (integer value) - #http_request_max_retries=3 - - # Single shared secret with the Keystone configuration used - # for bootstrapping a Keystone installation, or otherwise - # bypassing the normal authentication process. (string value) - #admin_token= - - # Keystone account username (string value) - #admin_user= - - # Keystone account password (string value) - admin_password=SuperSekretPassword - - # Keystone service account tenant name to validate user tokens - # (string value) - #admin_tenant_name=admin - - # Env key for the swift cache (string value) - #cache= - - # Required if Keystone server requires client certificate - # (string value) - #certfile= - - # Required if Keystone server requires client certificate - # (string value) - #keyfile= - - # A PEM encoded Certificate Authority to use when verifying - # HTTPs connections. Defaults to system CAs. (string value) - #cafile= - - # Verify HTTPS connections. (boolean value) - #insecure=false - - # Directory used to cache files related to PKI tokens (string - # value) - #signing_dir= - - # If defined, the memcache server(s) to use for caching (list - # value) - # Deprecated group/name - [DEFAULT]/memcache_servers - #memcached_servers= - - # In order to prevent excessive requests and validations, the - # middleware uses an in-memory cache for the tokens the - # Keystone API returns. This is only valid if memcache_servers - # is defined. Set to -1 to disable caching completely. - # (integer value) - #token_cache_time=300 - - # Value only used for unit testing (integer value) - #revocation_cache_time=1 - - # (optional) if defined, indicate whether token data should be - # authenticated or authenticated and encrypted. Acceptable - # values are MAC or ENCRYPT. If MAC, token data is - # authenticated (with HMAC) in the cache. If ENCRYPT, token - # data is encrypted and authenticated in the cache. If the - # value is not one of these options or empty, auth_token will - # raise an exception on initialization. (string value) - #memcache_security_strategy= - - # (optional, mandatory if memcache_security_strategy is - # defined) this string is used for key derivation. (string - # value) - #memcache_secret_key= - - # (optional) indicate whether to set the X-Service-Catalog - # header. If False, middleware will not ask for service - # catalog on token validation and will not set the X-Service- - # Catalog header. (boolean value) - #include_service_catalog=true - - # Used to control the use and type of token binding. Can be - # set to: "disabled" to not check token binding. "permissive" - # (default) to validate binding information if the bind type - # is of a form known to the server and ignore it if not. - # "strict" like "permissive" but if the bind type is unknown - # the token will be rejected. "required" any form of token - # binding is needed to be allowed. Finally the name of a - # binding method that must be present in tokens. (string - # value) - #enforce_token_bind=permissive - -For services which have a separate paste-deploy ini file, auth_token middleware -can be alternatively configured in [keystone_authtoken] section in the main -config file. For example in Nova, all middleware parameters can be removed -from api-paste.ini:: - - [filter:authtoken] - paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory - -and set in nova.conf:: - - [DEFAULT] - ... - auth_strategy=keystone - - [keystone_authtoken] - auth_host = 127.0.0.1 - auth_port = 35357 - auth_protocol = http - admin_user = admin - admin_password = SuperSekretPassword - admin_tenant_name = service - # Any of the options that could be set in api-paste.ini can be set here. - -Note that middleware parameters in paste config take priority, they must be -removed to use values in [keystone_authtoken] section. - -Configuration Options ---------------------- - -* ``auth_admin_prefix``: Prefix to prepend at the beginning of the path -* ``auth_host``: (required) the host providing the keystone service API endpoint - for validating and requesting tokens -* ``auth_port``: (optional, default `35357`) the port used to validate tokens -* ``auth_protocol``: (optional, default `https`) -* ``auth_uri``: (optional, defaults to - `auth_protocol`://`auth_host`:`auth_port`) -* ``auth_version``: API version of the admin Identity API endpoint -* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware - will not reject invalid auth requests, but will delegate that decision to - downstream WSGI components. -* ``http_connect_timeout``: (optional) Request timeout value for communicating - with Identity API server. -* ``http_request_max_retries``: (default 3) How many times are we trying to - reconnect when communicating with Identity API Server. -* ``http_handler``: (optional) Allows to pass in the name of a fake - http_handler callback function used instead of `httplib.HTTPConnection` or - `httplib.HTTPSConnection`. Useful for unit testing where network is not - available. - -* ``admin_token``: either this or the following three options are required. If - set, this is a single shared secret with the keystone configuration used to - validate tokens. -* ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token`` - is not set, or invalid, then admin_user, admin_password, and - admin_tenant_name are defined as a service account which is expected to have - been previously configured in Keystone to validate user tokens. - -* ``cache``: (optional) Env key for the swift cache - -* ``certfile``: (required, if Keystone server requires client cert) -* ``keyfile``: (required, if Keystone server requires client cert) This can be - the same as the certfile if the certfile includes the private key. -* ``cafile``: (optional, defaults to use system CA bundle) the path to a PEM - encoded CA file/bundle that will be used to verify HTTPS connections. -* ``insecure``: (optional, default `False`) Don't verify HTTPS connections - (overrides `cafile`). - -* ``signing_dir``: (optional) Directory used to cache files related to PKI - tokens - -* ``memcached_servers``: (optional) If defined, the memcache server(s) to use - for caching -* ``token_cache_time``: (default 300) In order to prevent excessive requests - and validations, the middleware uses an in-memory cache for the tokens the - Keystone API returns. This is only valid if memcache_servers s defined. Set - to -1 to disable caching completely. -* ``memcache_security_strategy``: (optional) if defined, indicate whether token - data should be authenticated or authenticated and encrypted. Acceptable - values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) - in the cache. If ENCRYPT, token data is encrypted and authenticated in the - cache. If the value is not one of these options or empty, auth_token will - raise an exception on initialization. -* ``memcache_secret_key``: (mandatory if memcache_security_strategy is defined) - this string is used for key derivation. -* ``include_service_catalog``: (optional, default `True`) Indicate whether to - set the X-Service-Catalog header. If False, middleware will not ask for - service catalog on token validation and will not set the X-Service-Catalog - header. -* ``enforce_token_bind``: (default ``permissive``) Used to control the use and - type of token binding. Can be set to: "disabled" to not check token binding. - "permissive" (default) to validate binding information if the bind type is of - a form known to the server and ignore it if not. "strict" like "permissive" - but if the bind type is unknown the token will be rejected. "required" any - form of token binding is needed to be allowed. Finally the name of a binding - method that must be present in tokens. - -Caching for improved response ------------------------------ - -In order to prevent excessive requests and validations, the middleware uses an -in-memory cache for the tokens the keystone API returns. Keep in mind that -invalidated tokens may continue to work if they are still in the token cache, -so token_cache_time is configurable. For larger deployments, the middleware -also supports memcache based caching. - -* ``memcached_servers``: (optonal) if defined, the memcache server(s) to use for - cacheing. It will be ignored if Swift MemcacheRing is used instead. -* ``token_cache_time``: (optional, default 300 seconds) Set to -1 to disable - caching completely. - -When deploying auth_token middleware with Swift, user may elect -to use Swift MemcacheRing instead of the local Keystone memcache. -The Swift MemcacheRing object is passed in from the request environment -and it defaults to 'swift.cache'. However it could be -different, depending on deployment. To use Swift MemcacheRing, you must -provide the ``cache`` option. - -* ``cache``: (optional) if defined, the environment key where the Swift - MemcacheRing object is stored. - -Memcached and System Time -========================= - -When using `memcached`_ with ``auth_token`` middleware, ensure that the system -time of memcached hosts is set to UTC. Memcached uses the host's system -time in determining whether a key has expired, whereas Keystone sets -key expiry in UTC. The timezone used by Keystone and memcached must -match if key expiry is to behave as expected. - -.. _`memcached`: http://memcached.org/ - -Memcache Protection -=================== - -When using memcached, we are storing user tokens and token validation -information into the cache as raw data. Which means that anyone who -has access to the memcache servers can read and modify data stored -there. To mitigate this risk, ``auth_token`` middleware provides an -option to authenticate and optionally encrypt the token data stored in -the cache. - -* ``memcache_security_strategy``: (optional) if defined, indicate - whether token data should be authenticated or authenticated and - encrypted. Acceptable values are ``MAC`` or ``ENCRYPT``. If ``MAC``, - token data is authenticated (with HMAC) in the cache. If - ``ENCRYPT``, token data is encrypted and authenticated in the - cache. If the value is not one of these options or empty, - ``auth_token`` will raise an exception on initialization. -* ``memcache_secret_key``: (optional, mandatory if - ``memcache_security_strategy`` is defined) this string is used for - key derivation. If ``memcache_security_strategy`` is defined and - ``memcache_secret_key`` is absent, ``auth_token`` will raise an - exception on initialization. - -Exchanging User Information -=========================== - -The middleware expects to find a token representing the user with the header -``X-Auth-Token`` or ``X-Storage-Token``. `X-Storage-Token` is supported for -swift/cloud files and for legacy Rackspace use. If the token isn't present and -the middleware is configured to not delegate auth responsibility, it will -respond to the HTTP request with HTTPUnauthorized, returning the header -``WWW-Authenticate`` with the value `Keystone uri='...'` to indicate where to -request a token. The auth_uri returned is configured with the middleware. - -The authentication middleware extends the HTTP request with the header -``X-Identity-Status``. If a request is successfully authenticated, the value -is set to `Confirmed`. If the middleware is delegating the auth decision to the -service, then the status is set to `Invalid` if the auth request was -unsuccessful. - -Extended the request with additional User Information ------------------------------------------------------ - -:py:class:`keystoneclient.middleware.auth_token.AuthProtocol` extends the -request with additional information if the user has been authenticated. See the -"What we add to the request for use by the OpenStack service" section in -:py:mod:`keystoneclient.middleware.auth_token` for the list of fields set by -the auth_token middleware. - - -References -========== - -.. [PEP-333] pep0333 Phillip J Eby. 'Python Web Server Gateway Interface - v1.0.'' http://www.python.org/dev/peps/pep-0333/. diff --git a/doc/source/using-api-v2.rst b/doc/source/using-api-v2.rst index 192e683c6..7b0815f49 100644 --- a/doc/source/using-api-v2.rst +++ b/doc/source/using-api-v2.rst @@ -1,6 +1,6 @@ -================= -The Client v2 API -================= +======================= +Using the V2 client API +======================= Introduction ============ @@ -13,7 +13,7 @@ The main concepts in the Identity v2 API are: * services * endpoints -The client v2 API lets you query and make changes through +The V2 client API lets you query and make changes through managers. For example, to manipulate tenants, you interact with a ``keystoneclient.v2_0.tenants.TenantManager`` object. @@ -26,8 +26,8 @@ attribute of the ``Client`` class is a tenant manager:: >>> keystone.tenants.list() # List tenants You create a valid ``keystoneclient.v2_0.client.Client`` object by passing -authentication data to the constructor. Authentication and examples of common -tasks are provided below. +a :class:`~keystoneauth1.session.Session` to the constructor. Authentication +and examples of common tasks are provided below. You can generally expect that when the client needs to propagate an exception it will raise an instance of subclass of @@ -36,7 +36,7 @@ it will raise an instance of subclass of Authenticating ============== -There are two ways to authenticate against Keystone: +There are two ways to authenticate against keystone: * against the admin endpoint with the admin token * against the public endpoint with a username and password @@ -45,39 +45,47 @@ endpoint and using the admin token (sometimes referred to as the service token). The token is specified as the ``admin_token`` configuration option in your keystone.conf config file, which is typically in /etc/keystone:: + >>> from keystoneauth1.identity import v2 + >>> from keystoneauth1 import session >>> from keystoneclient.v2_0 import client >>> token = '012345SECRET99TOKEN012345' >>> endpoint = 'http://192.168.206.130:35357/v2.0' - >>> keystone = client.Client(token=token, endpoint=endpoint) + >>> auth = v2.Token(auth_url=endpoint, token=token) + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) If you have a username and password, authentication is done against the public endpoint. You must also specify a tenant that is associated with the user:: + >>> from keystoneauth1.identity import v2 + >>> from keystoneauth1 import session >>> from keystoneclient.v2_0 import client >>> username='adminUser' - >>> password='secreetword' + >>> password='secretword' >>> tenant_name='openstackDemo' >>> auth_url='http://192.168.206.130:5000/v2.0' - >>> keystone = client.Client(username=username, password=password, - ... tenant_name=tenant_name, auth_url=auth_url) + >>> auth = v2.Password(username=username, password=password, + ... tenant_name=tenant_name, auth_url=auth_url) + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) Creating tenants ================ -This example will create a tenant named *openStackDemo*:: +This example will create a tenant named *openstackDemo*:: >>> from keystoneclient.v2_0 import client >>> keystone = client.Client(...) >>> keystone.tenants.create(tenant_name="openstackDemo", ... description="Default Tenant", enabled=True) - + Creating users ============== This example will create a user named *adminUser* with a password *secretword* -in the opoenstackDemo tenant. We first need to retrieve the tenant:: +in the openstackDemo tenant. We first need to retrieve the tenant:: >>> from keystoneclient.v2_0 import client >>> keystone = client.Client(...) diff --git a/doc/source/using-api-v3.rst b/doc/source/using-api-v3.rst index 13274462f..4f305e81f 100644 --- a/doc/source/using-api-v3.rst +++ b/doc/source/using-api-v3.rst @@ -1,23 +1,25 @@ -================= -The Client v3 API -================= +======================= +Using the V3 Client API +======================= Introduction ============ The main concepts in the Identity v3 API are: - * credentials - * domains - * endpoints - * groups - * policies - * projects - * role assignments - * roles - * services - * trusts - * users + * :py:mod:`~keystoneclient.v3.credentials` + * :py:mod:`~keystoneclient.v3.domain_configs` + * :py:mod:`~keystoneclient.v3.domains` + * :py:mod:`~keystoneclient.v3.endpoints` + * :py:mod:`~keystoneclient.v3.groups` + * :py:mod:`~keystoneclient.v3.policies` + * :py:mod:`~keystoneclient.v3.projects` + * :py:mod:`~keystoneclient.v3.regions` + * :py:mod:`~keystoneclient.v3.role_assignments` + * :py:mod:`~keystoneclient.v3.roles` + * :py:mod:`~keystoneclient.v3.services` + * :py:mod:`~keystoneclient.v3.tokens` + * :py:mod:`~keystoneclient.v3.users` The :py:mod:`keystoneclient.v3.client` API lets you query and make changes through ``managers``. For example, to manipulate a project (formerly @@ -77,14 +79,59 @@ examples of common tasks are provided below. You can generally expect that when the client needs to propagate an exception it will raise an instance of subclass of -``keystoneclient.exceptions.ClientException`` (see -:py:class:`keystoneclient.openstack.common.apiclient.exceptions.ClientException`) +:class:`keystoneclient.exceptions.ClientException`. -Authenticating -============== +Authenticating Using Sessions +============================= -You can authenticate against Keystone using a username, a user domain -name (which will default to 'Default' if it is not specified) and a +Instantiate a :py:class:`keystoneclient.v3.client.Client` using a +:py:class:`~keystoneauth1.session.Session` to provide the authentication +plugin, SSL/TLS certificates, and other data:: + + >>> from keystoneauth1.identity import v3 + >>> from keystoneauth1 import session + >>> from keystoneclient.v3 import client + >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3', + ... user_id='myuserid', + ... password='mypassword', + ... project_id='myprojectid') + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) + +For more information on Sessions refer to: `Using Sessions`_. + +.. _`Using Sessions`: using-sessions.html + +Getting Metadata Responses +========================== + +Instantiating :py:class:`keystoneclient.v3.client.Client` using +`include_metadata=True` will cause manager response to return +:py:class:`keystoneclient.base.Response` instead of just the data. +The metadata property will be available directly to the +:py:class:`keystoneclient.base.Response` and the response data will +be available as property `data` to it. + + >>> from keystoneauth1.identity import v3 + >>> from keystoneauth1 import session + >>> from keystoneclient.v3 import client + >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3', + ... user_id='myuserid', + ... password='mypassword', + ... project_id='myprojectid') + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess, include_metadata=True) + >>> resp = keystone.projects.list() + >>> resp.request_ids[0] + req-1234-5678-... + >>> resp.data + [, , ...] + +Non-Session Authentication (deprecated) +======================================= + +The *deprecated* way to authenticate is to pass the username, the user's domain +name (which will default to 'Default' if it is not specified), and a password:: >>> from keystoneclient import client @@ -96,6 +143,11 @@ password:: ... username=username, password=password, ... user_domain_name=user_domain_name) +A :py:class:`~keystoneauth1.session.Session` should be passed to the Client +instead. Using a Session you're not limited to authentication using a username +and password but can take advantage of other more secure authentication +methods. + You may optionally specify a domain or project (along with its project domain name), to obtain a scoped token:: @@ -111,23 +163,3 @@ domain name), to obtain a scoped token:: ... user_domain_name=user_domain_name, ... project_name=project_name, ... project_domain_name=project_domain_name) - -Using Sessions -============== - -It's also possible to instantiate a :py:class:`keystoneclient.v3.client.Client` -class by using :py:class:`keystoneclient.session.Session`.:: - - >>> from keystoneclient.auth.identity import v3 - >>> from keystoneclient import session - >>> from keystoneclient.v3 import client - >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3', - ... user_id='myuserid', - ... password='mypassword', - ... project_id='myprojectid') - >>> sess = session.Session(auth=auth) - >>> keystone = client.Client(session=sess) - -For more information on Sessions refer to: `Using Sessions`_. - -.. _`Using Sessions`: using-sessions.html diff --git a/doc/source/using-sessions.rst b/doc/source/using-sessions.rst index 099dc7017..a5a5a58da 100644 --- a/doc/source/using-sessions.rst +++ b/doc/source/using-sessions.rst @@ -5,7 +5,7 @@ Using Sessions Introduction ============ -The :py:class:`keystoneclient.session.Session` class was introduced into +The :py:class:`keystoneauth1.session.Session` class was introduced into keystoneclient as an attempt to bring a unified interface to the various OpenStack clients that share common authentication and request parameters between a variety of services. @@ -55,14 +55,15 @@ service and fetch a new one. An example from keystoneclient:: - >>> from keystoneclient.auth.identity import v3 - >>> from keystoneclient import session + >>> from keystoneauth1.identity import v3 + >>> from keystoneauth1 import session >>> from keystoneclient.v3 import client - >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v2.0', + >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3', ... username='myuser', ... password='mypassword', - ... project_id='proj') + ... project_id='proj', + ... user_domain_id='domain') >>> sess = session.Session(auth=auth, ... verify='/path/to/ca.cert') >>> ks = client.Client(session=sess) @@ -75,13 +76,13 @@ fashion by passing the Session object to the client's constructor. Migrating keystoneclient to use a Session ----------------------------------------- -By using a session with a keystonclient Client we define that you have opted in -to new behaviour defined by the session. For example authentication is now -on-demand rather than on creation. To allow this change in behaviour there are -a number of functions that have changed behaviour or are no longer available. +By using a session with a keystoneclient Client we presume that you have opted +in to new behavior defined by the session. For example authentication is now +on-demand rather than on creation. To allow this change in behavior there are +a number of functions that have changed behavior or are no longer available. For example the -:py:meth:`keystoneclient.httpclient.HTTPClient.authenticate` command used +:py:meth:`keystoneclient.httpclient.HTTPClient.authenticate` method used to be able to always re-authenticate the current client and fetch a new token. As this is now controlled by the Session and not the client this has changed, however the function will still exist to provide compatibility with older @@ -188,11 +189,12 @@ While authentication plugins will endeavour to maintain a consistent set of arguments for an ``endpoint_filter`` the concept of an authentication plugin is purposefully generic and a specific mechanism may not know how to interpret certain arguments and ignore them. For example the -:py:class:`keystoneclient.auth.token_endpoint.Token` plugin (which is used when -you want to always use a specific endpoint and token combination) will always -return the same endpoint regardless of the parameters to ``endpoint_filter`` or -a custom OpenStack authentication mechanism may not have the concept of -multiple ``interface`` options and choose to ignore that parameter. +:py:class:`keystoneauth1.identity.generic.token.Token` plugin (which is used +when you want to always use a specific endpoint and token combination) will +always return the same endpoint regardless of the parameters to +``endpoint_filter`` or a custom OpenStack authentication mechanism may not have +the concept of multiple ``interface`` options and choose to ignore that +parameter. There is some expectation on the user that they understand the limitations of the authentication system they are using. diff --git a/examples/pki/certs/cacert.pem b/examples/pki/certs/cacert.pem index 952bdaea3..6519671a5 100644 --- a/examples/pki/certs/cacert.pem +++ b/examples/pki/certs/cacert.pem @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID1jCCAr6gAwIBAgIJAJOtRP2+wrM/MA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD -VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55 -dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG -CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs -ZiBTaWduZWQwIBcNMTMwOTEzMTYyNTQyWhgPMjA3MjAzMDcxNjI1NDJaMIGeMQow -CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1 -bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl -MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML -U2VsZiBTaWduZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCl8906 -EaRpibQFcCBWfxzLi5x/XpZ9iL6UX92NrSJxcDbaGws7s+GtjgDy8UOEonesRWTe -qQEZtHpC3/UHHOnsA8F6ha/pq9LioqT7RehCnZCLBJwh5Ct+lclpWs15SkjJD2LT -Dkjox0eA9nOBx+XDlWyU/GAyqx5Wsvg/Kxr0iod9/4IcJdnSdUjq4v0Cxg/zNk08 -XPJX+F0bUDhgdUf7JrAmmS5LA8wphRnbIgtVsf6VN9HrbqtHAJDxh8gEfuwdhEW1 -df1fBtZ+6WMIF3IRSbIsZELFB6sqcyRj7HhMoWMkdEyPb2f8mq61MzTgE6lJGIyT -RvEoFie7qtGADIofAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN -AQEFBQADggEBAJRMdEwAdN+crqI9dBLYlbBbnQ8xr9mk+REMdz9+SKhDCNdVisWU -iLEZvK/aozrsRsDi81JjS4Tz0wXo8zsPPoDnXgDYEicNPTKifbPKgHdDIGFOwBKn -y2cF6fHEn8n3KIBrDCNY6rHcYGZ7lbq/8eF0GoYQboPiuYesvVpynPmIK5/Mmire -EuuZALAe1IFqqFt+l6tiJU2JWUFjLkFARMOD14qFZm+SInl64toi08j6gdou+NMW -7GEMbVHwNTafM/TgFN5j0yP9SAnYubckLSyH6hwR+rM8dztP5769joxQfnc9O/Bn -TBD9KFpeQv6VJWLAxiIKcQCRTTDJLZZ0MQI= +MIID4TCCAsmgAwIBAgIUD+MH2KCtZgLgFWNghxF+xZQZx98wDQYJKoZIhvcNAQEL +BQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG +A1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3RhY2sxETAPBgNVBAsMCEtl +eXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQw +EgYDVQQDDAtTZWxmIFNpZ25lZDAgFw0yMjAzMDcxNTM1MThaGA8yMDgwMDgyOTE1 +MzUxOFowgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTES +MBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3RhY2sxETAPBgNVBAsM +CEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVuc3RhY2sub3Jn +MRQwEgYDVQQDDAtTZWxmIFNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAL/+AsUcqyF2b/3gaHGtUZx+mReX2QMv+gXmW2KUj1CTmSTxGXCaeoJ5 +N7PA6BeBD/HJVqTgCo/oNuHmOgtYrgRngyWpABItt9ONRmTCr2AvA23AZIjfUdwR +ZceRHf67H6N1NOttr8IFkuQFhTAKuRHJGcXNqNMJrNv2v5ha3GNeAhxZd965ok9B +GSd+hvibjZ2mDBZ8kiJ9BGf53TDie/zg+q5CkgqLArgR30pGCe+ZLXPLrhekpyet +BR3guKTV2PMCeIh7Yg/uTJMe22qZ87M6Q1DosSKC/1l+/1ArBve6msc8JEElnc32 +HJ7NuTTJreZKEvPmUI2oTcdvokWXtRsCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAmdWRPzpI5pAoVn9GX1KNgiN/e9oCpnHYIofV +fX7i70OBYOwBoyQhFqniHtGH4uqYIxGJdbDtHzsSYCSV1mGqHhK+kStLy4MULUUV +cNM5yDYDPEtjgJy7G90z/ksX5WuXQgktx9N8emdI6yH8C1b6sHMtHcfnb6O0waMH +HQ9QpZFQapwuIjeWU0zRDFZkdEAkx6wfVuoMhHOjy1WRAuIOL2ELa6h0GL2d+bmw +x4Xpyi4X7pgixz3l/9Kfc6VdVrEy4H2bhldUeZ0WjzvMdYaw953+C/5YAfFYanCH +en9BebSKQMv8QI0OrNyTefMXuxWvcKSOWjQVfRk1ckz6aIrfSw== -----END CERTIFICATE----- diff --git a/examples/pki/certs/middleware.pem b/examples/pki/certs/middleware.pem deleted file mode 100644 index 7d593efd7..000000000 --- a/examples/pki/certs/middleware.pem +++ /dev/null @@ -1,50 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK -EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr -ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x -MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgZAxCzAJBgNVBAYTAlVTMQsw -CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh -Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv -cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDL06AaJROwHPgJ9tcySSBepzJ81jYars2sMvLjyuvd -iIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rpv8dGDIDsxZQVjT/4SLaQUOeDM+9b -fkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLYWso0SJD0vAi1gmGDlSM/mmhhHTpC -DGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1ZrslPC5lFvlHD7KBBf6IU2A8Xh/dUa3 -p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYRR45pPCVkk6vFsy6P0JwwpnkszB+L -cK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4YEPirGGrAgMBAAEwDQYJKoZIhvcN -AQEFBQADggEBAAjU7YomUx/U56p1KWHvr1B7oczHF8fPHYbuk5c/N81WOJeSRy+P -5ZGZ2UPjvqqXByv+78YWMKGY1BZ/2doeWuydr0sdSxEwmIUBYxFpujuYY+0AjS/n -mMr1ZijK7TJssteKM7/MClzghUhPweDZrAg3ff1hbhK5QSy+9UPxUqLH44tfYSVC -/BzM6se0p5ToM0bwdsa8TofaBRE1L1IW/Hg4VIGOoKs0R0uLm7+Oot2me2cEuZ6h -Wls6MED8ND1Nz8EAKwndkeDu2iMM+qx/YFp6K8BQ5E5nXd2rbUZUlQMp1WbUlZ87 -KvC98aT0UYIq6uo1Lx/dQvJs7faAkYd4lmE= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDL06AaJROwHPgJ -9tcySSBepzJ81jYars2sMvLjyuvdiIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rp -v8dGDIDsxZQVjT/4SLaQUOeDM+9bfkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLY -Wso0SJD0vAi1gmGDlSM/mmhhHTpCDGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1Zrs -lPC5lFvlHD7KBBf6IU2A8Xh/dUa3p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYR -R45pPCVkk6vFsy6P0JwwpnkszB+LcK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4 -YEPirGGrAgMBAAECggEATwvbY0hNwlb5uqOIAXBqpUqiQdexU9fG26lGmSDxKBDv -9o5frcRgBDrMWwvDCgY+HT4CAvB9kJx4/qnpVjkzJp/ZNiJ5VIiehIlbv348rXbh -xkk+bz5dDATCFOXuu1fwL2FhyM5anwhMAav0DyK1VLQ3jGzr9GO6L8hqAn+bQFFu -6ngiODwfhBMl5aRoL9UOBEhccK07znrH0JGRz+3+5Cdz59Xw91Bv210LhNNDL58+ -0JD0N+YztVOQd2bgwo0bQbOEijzmYq+0mjoqAnJh1/++y7PlIPs0AnPgqSnFPx9+ -6FsQEVRgk5Uq3kvPLaP4nT2y6MDZSp+ujYldvJhyQQKBgQDuX2pZIJMZ4aFnkG+K -TmJ5wsLa/u9an0TmvAL9RLtBpVpQNKD8cQ+y8PUZavXDbAIt5NWqZVnTbCR79Dnd -mZKblwcHhtsyA5f89el5KcxY2BREWdHdTnJpNd7XRlUECmzvX1zGj77lA982PhII -yflRBRV3vqLkgC8vfoYgRyRElwKBgQDa5jnLdx/RahfYMOgn1HE5o4hMzLR4Y0Dd -+gELshcUbPqouoP5zOb8WOagVJIgZVOSN+/VqbilVYrqRiNTn2rnoxs+HHRdaJNN -3eXllD4J2HfC2BIj1xSpIdyh2XewAJqw9IToHNB29QUhxOtgwseHciPG6JaKH2ik -kqGKH/EKDQKBgFFAftygiOPCkCTgC9UmANUmOQsy6N2H+pF3tsEj43xt44oBVnqW -A1boYXNnjRwuvdNs9BPf9i1l6E3EItFRXrLgWQoMwryakv0ryYh+YeRKyyW9RBbe -fYs1TJ8unx4Ae79gTxxztQsVNcmkgLs0NWKTjAzEE3w14V+cDhYEie1DAoGBAJdI -V5cLrBzBstsB6eBlDR9lqrRRIUS2a8U9m+1mVlcSfiWQSdehSd4K3tDdwePLw3ch -W4qR8n+pYAlLEe0gFvUhn5lMdwt7U5qUCeehjUKmrRYm2FqWsbu2IFJnBjXIJSC4 -zQXRrC0aZ0KQYpAL7XPpaVp1slyhGmPqxuO78Y0dAoGBAMHo3EIMwu9rfuGwFodr -GFsOZhfJqgo5GDNxxf89Q9WWpMDTCdX+wdBTrN/wsMbBuwIDHrUuRnk6D5CWRjSk -/ikCgHN3kOtrbL8zzqRomGAIIWKYGFEIGe1GHVGo5r//HXHdPxFXygvruQ/xbOA4 -RGvmDiji8vVDq7Shho8I6KuT ------END PRIVATE KEY----- diff --git a/examples/pki/certs/signing_cert.pem b/examples/pki/certs/signing_cert.pem index 63ab2478d..6428be8d0 100644 --- a/examples/pki/certs/signing_cert.pem +++ b/examples/pki/certs/signing_cert.pem @@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDpTCCAo0CAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK -EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr -ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x -MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgY8xCzAJBgNVBAYTAlVTMQsw -CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh -Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv -cGVuc3RhY2sub3JnMREwDwYDVQQDEwhLZXlzdG9uZTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMz5WsgsuX3rZUdLwQpZXN2Ro7LQ6jEZnreBqMztVObw -BuC1WdiJsg6dVlC7PVdt+0gY1c8WFg1TKmsucxesQSyfGAPg+9T/hsRMb6y12uJx -fp3Wgqqw0U1HsXvMiaJH87MaGnt043BxzF+R9fhAcDk6Cyj5cx9J0LvZJEOzN4J4 -ZRyO6j/DZZItb3lK5W9xkuoT+mTdDZOQJnXyG818uiWfjdCkLjr1ruytRcBOo4na -Y828voT/A7I95+YCgKgbjiUWhHeTaNmMEQiGy0nGYfteC+oSsHOlxZ3b12azzHPk -83Bh2ez0Ih9vcZoe9DqvlFOXfv9q8OsYc5Yo6gPTXEsCAwEAATANBgkqhkiG9w0B -AQUFAAOCAQEAmaYE98kOQWu6DV84ZcZP/OdT8eeu3vdB247nRj+6+GYItN/Gzqt4 -HVvz7c+FVTolCcAQQ+z3XGswI9fIJ78Hb0p9CgnLprc3L7Xtk60Im59Xlf3tcurn -r/ZnSDcjRBXKiEDrSM0VrhAnc0GoSeb6aDWopec+1hWOWfBVAg9R8yJgU9sUgO3O -0gimGyrw8eubmNhckSQLJTunUTsrkcBjuSg63wAD9OqCiX6c2eoQr+0YBp2eV2/n -aOiJXWNLbeueMKSYiJNyyvM/dlON7/56cdwDTzKzgD34TImouM5VKipUwCX1ovLu -ITLzALzpqFFzc8ugV9pMgUKtDbZoPp9EEA== +MIIDpTCCAo0CAREwDQYJKoZIhvcNAQELBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQK +DAlPcGVuU3RhY2sxETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr +ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDDAtTZWxmIFNpZ25lZDAgFw0y +MjAzMDcxNTM1MThaGA8yMDgwMDgyOTE1MzUxOFowgY8xCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3Rh +Y2sxETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv +cGVuc3RhY2sub3JnMREwDwYDVQQDDAhLZXlzdG9uZTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAJ7Gc/CGy82PWOmlGD+C8d6Kw3Q1ZodOz9EduhXecfLN ++zHXd9Qd35f5hHf4c8j0yAxI8qfeabjnOefEkoHC4W+DTTsUwq1x7FvAPHbTncSH +zePqBE8wKp4pfFuZAhMxP55nTJC/N8t1M1lUqYTANgTCAystyOJuLuMc03UBqO8b +OGzCJsAdcsBPpdYkfycrWv5ZosdaHf3OmakPtWymjSPQ8/lM4x5Fm5GaoYUqb9mo +busMp0te7MMkzWYilSqZBWHx7dsGR7HoN4zMqalttC0inJGc0wnusNrkeb3ieuXw +U6T3V3pE3yTTuHy6HcZZd/8m3O/L9F1odzDnUH10PjkCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEAiSaPtpERflBUDYtRrAPVEyM3K9DJyZ8pv1vQxCU/h4ZNttVWsRdC +gqdZg8nYSLj81ZwU1OATQhjXjGn9/mYAIzbm+HH1TMJDWqmnkSblAHGPZmswKmga +/Cns8PsgsLcMV9BA38lyBhVtgBn4QgsG9EUvscZvVUnxevgqg3a/tlfpPf7fvbmC +Efcq3liI/l+wxv4O3ET3V6rBZsmTUMNrIIhqFcicynUy3NIIRO3mL92se9X81Jpj +YxHtMt+RakM0P7yRYL2hjgQW2srssGlMt9U/OIEZQKJVBH85qYuoBAcXC7Y6xRy1 +LvQc4IKf3X4hmqZC7jhBIQAAbaDZTn8peg== -----END CERTIFICATE----- diff --git a/examples/pki/certs/ssl_cert.pem b/examples/pki/certs/ssl_cert.pem index cdd2e4c02..00d33a7bb 100644 --- a/examples/pki/certs/ssl_cert.pem +++ b/examples/pki/certs/ssl_cert.pem @@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK -EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr -ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x -MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgZAxCzAJBgNVBAYTAlVTMQsw -CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh -Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv -cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDL06AaJROwHPgJ9tcySSBepzJ81jYars2sMvLjyuvd -iIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rpv8dGDIDsxZQVjT/4SLaQUOeDM+9b -fkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLYWso0SJD0vAi1gmGDlSM/mmhhHTpC -DGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1ZrslPC5lFvlHD7KBBf6IU2A8Xh/dUa3 -p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYRR45pPCVkk6vFsy6P0JwwpnkszB+L -cK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4YEPirGGrAgMBAAEwDQYJKoZIhvcN -AQEFBQADggEBAAjU7YomUx/U56p1KWHvr1B7oczHF8fPHYbuk5c/N81WOJeSRy+P -5ZGZ2UPjvqqXByv+78YWMKGY1BZ/2doeWuydr0sdSxEwmIUBYxFpujuYY+0AjS/n -mMr1ZijK7TJssteKM7/MClzghUhPweDZrAg3ff1hbhK5QSy+9UPxUqLH44tfYSVC -/BzM6se0p5ToM0bwdsa8TofaBRE1L1IW/Hg4VIGOoKs0R0uLm7+Oot2me2cEuZ6h -Wls6MED8ND1Nz8EAKwndkeDu2iMM+qx/YFp6K8BQ5E5nXd2rbUZUlQMp1WbUlZ87 -KvC98aT0UYIq6uo1Lx/dQvJs7faAkYd4lmE= +MIIDpjCCAo4CARAwDQYJKoZIhvcNAQELBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQK +DAlPcGVuU3RhY2sxETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr +ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDDAtTZWxmIFNpZ25lZDAgFw0y +MjAzMDcxNTM1MThaGA8yMDgwMDgyOTE1MzUxOFowgZAxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3Rh +Y2sxETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv +cGVuc3RhY2sub3JnMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQD1i9+ydZSypNAkkVXdzIqZ8E62cqH7i0JGVGBuGdH8 +ZVF3MDcbi8VwqfNRWoWn9mrJUp5HYDV9t5WXz25Ej4EnqlJ3WLZvC1e+ldDIInmi +ULic3iIAgrWbumU3XNLHska/smoVJuLIuFUxEfRpwGOpguOzAO1M6BKCSwr+TBLY +JZxc3F7v1vtwNhisyE5S2H6Q49K0UXHTPjp+fLZAHQ5+Yxqwf0KAJqAD3vMo8Ewx +XlgJu8pQyjjxwtrwnN2WHYoJGt/OOdkLBbzdupWH9CGcxeVc5hSJ1hEKuYS8AOZI +eH6q2MKwT+QiepBsVfuy1JFt4raLht/RcX/WR8lIAzoFAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAArxwP6I5XXIl3Dhkkt6gegRNc1vYWPEIDkKqggnvntZAOZwavVQ +kiydT09io82SjD3qv/PQFH+N1KkTCIgYreHQpCQaWMvkpCD2iEcu9R75p4rnZMR2 +NwIlj4BHvXIo9ET5dkhUUxzUGK7eIymNEoMWMF6OGlQhK1FV3Tvjum0sqLOyKOgr +NFxDv7qFzoKfqjY3lfb9yqO7xC1t3CZSOsBLIaUQ9SBoRJ11UNYGq9ZXHNF3cCbC +PyE1TgVjNEvWBBRY0ofGoPmdqrTe2oZ6rAFKf0aWJ1qIq+umePp9R8ZwWLonbxQ4 +0nqaUI5AOAdsRpUJHGvW0mmMALYjHT+tF8U= -----END CERTIFICATE----- diff --git a/examples/pki/cms/auth_token_revoked.json b/examples/pki/cms/auth_token_revoked.json index 3da8f8bb3..eab40a0bc 100644 --- a/examples/pki/cms/auth_token_revoked.json +++ b/examples/pki/cms/auth_token_revoked.json @@ -2,6 +2,7 @@ "access": { "token": { "expires": "2038-01-18T21:14:07Z", + "issued_at": "2002-01-18T21:14:07Z", "id": "placeholder", "tenant": { "id": "tenant_id1", @@ -73,9 +74,11 @@ "id": "revoked_user_id1", "roles": [ { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role1" }, { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role2" } ], diff --git a/examples/pki/cms/auth_token_revoked.pem b/examples/pki/cms/auth_token_revoked.pem index a685a457b..b0312a9b0 100644 --- a/examples/pki/cms/auth_token_revoked.pem +++ b/examples/pki/cms/auth_token_revoked.pem @@ -1,75 +1,79 @@ -----BEGIN CMS----- -MIINnQYJKoZIhvcNAQcCoIINjjCCDYoCAQExCTAHBgUrDgMCGjCCC6oGCSqGSIb3 -DQEHAaCCC5sEgguXew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6 -IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMzgtMDEtMThUMjE6MTQ6MDda -IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg -ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx -IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg -ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt -ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog -ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg -ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg -ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg -ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6 -ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w -LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN -CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy -Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh -Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg -ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg -ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7 -DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg -ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN -CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3 -LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv -biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy -bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg -ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5 -Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s -DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg -ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg -ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg -ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg -IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v -MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2 -NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv -bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi -aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm -Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS -TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl -OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg -ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs -DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s -DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r -cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg -ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS -TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz -NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog -Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg -ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6 -ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi -DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K -ICAgICAgICAgICAgInVzZXJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUxIiwNCiAg -ICAgICAgICAgICJyb2xlc19saW5rcyI6IFsNCiAgICAgICAgICAgICAgICAicm9s -ZTEiLA0KICAgICAgICAgICAgICAgICJyb2xlMiINCiAgICAgICAgICAgIF0sDQog -ICAgICAgICAgICAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsDQogICAgICAgICAg -ICAicm9sZXMiOiBbDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg -ICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAg -ICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIi -DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAg -ICJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUxIg0KICAgICAgICB9DQogICAgfQ0K -fQ0KMYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQsw -CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh -Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv -cGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjAN -BgkqhkiG9w0BAQEFAASCAQAxJMbNZf0/IWg/+/ciWQr9yuW9M48hQdaHcN+t6qvZ -OlPev8N1tP8pNTupW9LXt0N8ZU/8AzPLPeRXHqd4lzuDV6ttesfLL3Ag410o4Elb -Aum11Y1kDGlbwnaYoD9m07FML1ZfOWJ81Z0CITVGGRX90e+jlYjtnmdshmi2saVl -r/Sae6ta52gjptaZE9tOu42uXlfhWNuC0/W7lRuWbWSHZENZWtTHHz2Q+v/HxORf -jY3kwSaVEkx9faQ9Npy6J+rSQg+lIMRAYw/rFWedEsP9MzHKBcKTXid0yIQ2ox1r -1Em3WapL1FDpwJtHaaL92WTEQulpxJUcmzPgEd5H78+Q +MIIOVQYJKoZIhvcNAQcCoIIORjCCDkICAQExDTALBglghkgBZQMEAgEwggxaBgkq +hkiG9w0BBwGgggxLBIIMR3sNCiAgICAiYWNjZXNzIjogew0KICAgICAgICAidG9r +ZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMDM4LTAxLTE4VDIxOjE0 +OjA3WiIsDQogICAgICAgICAgICAiaXNzdWVkX2F0IjogIjIwMDItMDEtMThUMjE6 +MTQ6MDdaIiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAg +ICAgICAgICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5h +bnRfaWQxIiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAg +ICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAg +ICAibmFtZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAg +IH0sDQogICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsN +CiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAg +ICAgICAgICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0K +ICAgICAgICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcu +MC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDov +LzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2 +MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0 +cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODli +YjY2MTdhIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAg +XSwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAg +ICAgICAgICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAg +ICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0K +ICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAg +ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRw +Oi8vMTI3LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +InJlZ2lvbiI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +ImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAg +ICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4w +LjE6OTI5Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAg +ICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAg +ICAgICAgICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAg +ICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtd +LA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg +ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJo +dHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZj +Zjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjog +InJlZ2lvbk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxV +UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1 +ZThhNjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1 +YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNj +NTM0MzVlOGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0K +ICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29t +cHV0ZSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAg +ICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50 +c19saW5rcyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQog +ICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJh +ZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4w +LjE6MzUzNTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGlj +VVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAg +ICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAi +dHlwZSI6ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5 +c3RvbmUiDQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2Vy +Ijogew0KICAgICAgICAgICAgInVzZXJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUx +IiwNCiAgICAgICAgICAgICJyb2xlc19saW5rcyI6IFsNCiAgICAgICAgICAgICAg +ICAicm9sZTEiLA0KICAgICAgICAgICAgICAgICJyb2xlMiINCiAgICAgICAgICAg +IF0sDQogICAgICAgICAgICAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsDQogICAg +ICAgICAgICAicm9sZXMiOiBbDQogICAgICAgICAgICAgICAgew0KICAgICAgICAg +ICAgICAgICAgICAiaWQiOiAiZjAzZmRhOGY4YTMyNDliMmE3MGZiMWYxNzZhN2I2 +MzEiLA0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAg +ICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAg +ICAgICAgImlkIjogImYwM2ZkYThmOGEzMjQ5YjJhNzBmYjFmMTc2YTdiNjMxIiwN +CiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAg +ICAgICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInJl +dm9rZWRfdXNlcm5hbWUxIg0KICAgICAgICB9DQogICAgfQ0KfQ0KMYIBzjCCAcoC +AQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTES +MBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3RhY2sxETAPBgNVBAsM +CEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVuc3RhY2sub3Jn +MRQwEgYDVQQDDAtTZWxmIFNpZ25lZAIBETALBglghkgBZQMEAgEwDQYJKoZIhvcN +AQEBBQAEggEAGUm9+Jb4P4dO23cAg39q0vVDFPkiPxgxakKE+g4d7VSI7Krt5ypB +iXo4mHbLqM28zrxgCBxnq2ZhhGzk/qhVWadYWUQQ9FjUBna06Cbd5clGpP8Kp2yk ++SRydFZAw9jUviditNhZA7Nhl8Qzu6T9TB+jPI2y1PY/XXebN97dQqmc+QMGVfzz +ssU+89ASfki8vEDJWxn2RtxjaXPKeWFUw/qrvj1RkDdI3d22dOTR9p0q7Y9CKLam +Y1DkosGbBqUF8hTtJMXIfHTLh5Zp+zz1dlsY0FR9kxLKxKya9OG3ACyidL7ewM9r +pEz2NQztAoi3Guxj6793G0Sfgb0ZCTGcaA== -----END CMS----- diff --git a/examples/pki/cms/auth_token_revoked.pkiz b/examples/pki/cms/auth_token_revoked.pkiz index 9fbe8ea2e..aff7b74ff 100644 --- a/examples/pki/cms/auth_token_revoked.pkiz +++ b/examples/pki/cms/auth_token_revoked.pkiz @@ -1 +1 @@ -PKIZ_eJylVtly4jgUfddXzHuqK9jGED_Mgze8BInYeEF-8wJeBYTF29ePbEh3p9OZycxQRZUtS_eee87Rlb59oz9J1Qz0hwzXw8s3AA1DZxpsPh8CI6tjJFqxfKBjnSLL0pMli5bayo6oS6l7UlIoawUd31qavH7V1kbEAcVSdTGkg4mrpunG3nZmhllUxRzMV7k0N_b0eR8cMespeGNnkSbsjeKQ-tw5j8jiAoK1MTNkk43Ylol8N1_KYh74fBlrwjHa2_3bZOzbl9DnPbdsaGAxD3V7EiuHGix7tUPdtFkW4hU6hynqY3bJ4XbZ4wkuAgLZIMcsZGBv9ch3p9jBTUAQWSlVjgvMAugkmZE3qbE3q4Ct6igfEXWBnxwjln-JyA0VzT4JNuYV--07FGCA8X9QgAHGDxQSg0l7xIy3duQRySHR7WaVP9XQMbgxgTxtV0XKoR7XSaHWABV2jgjuA2IWuHd7pEAmcLIMFRLBLJ6ufDNHBW4Rq-Y7b3KmQSfbjVQN5Br7oAaR7l2oEsOHKiJ2E7HVNdHRLtKqa3iTMtps6EL9JttdtX2kLa6YdXPwb2X7hS8ewKLsBsL-qxLgs8jvA39OLnjPbtmtHGNg9yNhpLpgP6nGgMS7BrpUD4hAzAhn-nCKOxp5cUl26yal-4HCZO4L-Toh6qcWB18kazDXZDQX1f5n6cE_aT9kjom3D33hetP-TnQpXAf5Aa1zgFTFhM-ixVccaA0cXeH6iUWawYKgoGAIKpADJ7D3qpWmslALiqBIeUwMFhUqh29GaxLfpHyhL22m39b7u3LB33qdoDraSEyifWw0G7Y9RuTSg1EOhhGWMm1fAw-0K43wWI-PObt-c-FndgdfkLCn_DCoE1iYT5tfLT-osP5q9_ldcPAx-lebittARaxBUhh0wBQ262GxzcfanQPfrmi9x0QvPyVw4AIMBN4X15S40W10L1RbXTpSB46TjMJoYJ9eoKJeoJO5sFBn0LFmUElCcINNs5HFNRkg085Ds2W0jCoY3-0u8d1B3h8b7G3-QriCYRDenFYGG1TEpGoS7d5UNJ6JtGb4dgxufEyG4LSMXehbrbGf3PbC_WND-1wR-FkdaXRv5KYw1J5s6NGW35DFRDjTJO_6JaCa0gXuW0sbnjujmvwC2awSIpwC396NAW-GG9fcA3j9zwfmvfN29Lyk5ZkfXDoicYzR-kMJTMx63c8Lg00wKFJuOK-_Geo7T2_lfp8D7pPupDDCztFkMT40aaprYqpK0NBK-t9C69DIIlY8y1qojcpA69zIFlYAHdDUxvTcXl1CsdRExlVlCcrWRG3VQrSkFHmSGDuyh5iI8HxCFhS-uoaSOM4FcgZNh5OqqEIT7KMTtNVGacZMS7XJlsGm6hONti9HraAMv99M6MXEFG3sgx_b1hOjIdD-FmhJhC7oVRdKxphJbOHSZb1zkEtO6CfXwKfXH5oMSA1ePDdTRcwOjWL9fFdSJckS6bVHFfF1IvDP-CWbCmXy9NpVu_BpqcRivc16oLGr4hK_vmoz1BDkvSxetosqVk-l6J5X-elhpsFty70GHNfuNX6VQnbGwedWP0pnp9wFMTBTn1wV_hryDJ7He69j2piEh31eh4yyeDTnVnOUqwekOJskWmXPiGm6R-UlY4xz-ZjMe0C6bus-TBfLy45cLuHM19gyW1Df1s5JbjUu1XU3FphSW7XS6UnvrDYL42XW7YvwyD-fOhBCxpuHZbEsrSeTeY6cR3W5TY66RQ4MmmvZUYXRflFI5uuWEecPjMA9If-BMIFQZVOb04E_O0ai7my7iTy3iyjLPXa6O678kDwyBSTepGIrln2AO_U4mzlzS-TU7WP1_DJr_vwTjHdVFSk_7q1_AfJ_mjc= \ No newline at end of file +PKIZ_eJylVkt3ozgT3etXzD6nTwBjJ17MQjyMRSzZYAxIOwMJIB524gePX_8Jk0xn0n2me77xxlCC4ureW1X69k38NNNC5A8db4ebbwAjhHaQ2k8HhrJrTKAT6wcRczxd1w1Jh47Z6h5caunuzUixbnFd10rJ0rev1hZFE2A45hLuRbBQzTRlT8-dnVGFlPEE5-tce0C1e90r_gXxQyrWjvGEyCxwX2joiHWYA8xhg3OpwVupXS-cDnuHlhiHhsiHfKXDnIVZsw_tMu7QDOmowwZWVx5sV56p-gZqwZqb0prDSZCjE9LtI9OHB-0mshacBdk1stwyHtckFkyzqHZGZJV_oYF9Aiy4BaS49svhi_tghJZYwwNTKVTKAm9vCcS9XA5bEdsqo2pxSRbzCxiC7w8ULCQ8rsomscprlAsk1lSOrHb-sm3ES4KXmh2p4hs0dLPImtdDMhBMTrmAVsTW_BjVbj8EhxgN3PM-mPq7orkh2i9dKTYO11VvdqRTmxWHF8GXCkgfK6sJbVc9lShnFVZYThUs497pSbBTqUcbVpFqbZQ55WLFSzKUD4jskinlFdyg6nbHguQYKdNNVO3ykYupxMJh3-0_ogADjP8fhSYDWrVHKvtbb5TvkCzdZp0_XrGHJrd96mq75umE9PSacPNKuJuTivassjntdz0gBpaZl2WEaxVVqLoO7Jxw2hLFzF98aVBHSOY2kVJekiV5iazysh9dGoVCHSA0ncbWbtS-mp-SQesBXiVME3yJ1yLh8u-qgX8p2xTzohv4-lACDFL8FyXAzzNr8u-RW3Rg7aGB3d8i7DNf-0DOmLLLwQBVFMaZbW9fqkUVXqhYGPwv6v9TwjHR0C-YJR-jckQH_ll7Z0B3wdtHhVhIYVw4oCKceFjCvV-uLVMB2GKc8XRKK6QQbk7oWJnvhKo3uHHl1_tgfvGU6bvEApHldwL5Cfi-jW81XmVSsoSzVffYYh4PKIR05mxtiCamzxW8VX9qdfArr_9KDfBv9vvjdu05uMkj-htbatfBOLE8P4n_t1sTXZyTQaVkWTbvKvFIkZskdP-yO_jwe1TNlSHjSh8b5l8Jx0QitiiioLx85Qx8JQ2LEiVeLLaDROxHRXZfFAGfJfmVIj9J3oBE9PZ9QH5VhTI2YCNqpRP3f7M9-D3fizlQu8dkWeRfrP8GWFj2iTW_MEHg-KLfsxC9z8Xh-vNAsUvRXN6G2ZiEYk68q_DRHMQY8_tQaY9RdR7nQ2d3kdJ-DJ7xOreTzxMMCJ8rkXIu2WIux4rffRpltxe-y1gWI8G0EVYuqJdVwly9mM7OlHI7I71oqnxRYS9WqJeIxorbr70xFr2ReeZHqd8G8VDOFTZIxSxTZTzLcI-kdYA66sWiPlDLhGVJJWwrmviPQ9YWk8nadaiWky_sdixkw8GiCCfficSC6JdQatN0-SRONlqbIg1AT9eOhq7V3HzCMLWgvDM1F2vEM1cYFuN9hnXfx63eQ1tLia_B1IMF0bCLGmBCaviOszSb0kuC6eU5ZGJ071qTQ2d8-ODpu3kjZoGXiEPHvjddDB9vifUWI7BV_Gk8ca-ilbe2B7mWFq9ZkVvzRtJ0xwwW1bl8Dokk2n3pWLdE_S1RN73GVdyChQG345ewp8ukjCya7pSyjiq_gOnwtdjStqc1bNAew--nM3E406Czg0ATZMAFn0pmu102GdE2eWhrLybzSqvOEc8n8LJlq0g9L06bbtIfD1acv21OyvLk6kb3Bp4QtCYpT6PzDLZP8n5Wwf1dc7w7blCXcsuzZEWPC3y_UFf1RZVbQ1XWj538TKM7PF89WkDG98-hu9laucfd3RVqao5fpSe-Wbjqw7qfxcfkGDMyu3cbVWXO9m55ThBaeQQnC1p6BKiBVOuHh24fsocHLV3fvzqlVlPJC-zjYfase-fr9IyuxdWfNefEhnpyj9y7N_rcsOeFaGOgxmdovBYUBqbjPhQPrSvL-LHbrifzqzQld_3GOLGNUt_Npe40zarJpFyJOb905oi60SsEslMv7oOYuA9v_Cl5aJhHZhMEX7B9-BPcjtMmMb4frf8Hm6bNOA== \ No newline at end of file diff --git a/examples/pki/cms/auth_token_scoped.json b/examples/pki/cms/auth_token_scoped.json index 698e01d9c..4ea301694 100644 --- a/examples/pki/cms/auth_token_scoped.json +++ b/examples/pki/cms/auth_token_scoped.json @@ -2,6 +2,7 @@ "access": { "token": { "expires": "2038-01-18T21:14:07Z", + "issued_at": "2002-01-18T21:14:07Z", "id": "placeholder", "tenant": { "id": "tenant_id1", @@ -73,9 +74,11 @@ "id": "user_id1", "roles": [ { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role1" }, { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role2" } ], diff --git a/examples/pki/cms/auth_token_scoped.pem b/examples/pki/cms/auth_token_scoped.pem index 4a5b3a246..2974358ba 100644 --- a/examples/pki/cms/auth_token_scoped.pem +++ b/examples/pki/cms/auth_token_scoped.pem @@ -1,75 +1,79 @@ -----BEGIN CMS----- -MIINhwYJKoZIhvcNAQcCoIINeDCCDXQCAQExCTAHBgUrDgMCGjCCC5QGCSqGSIb3 -DQEHAaCCC4UEgguBew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6 -IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMzgtMDEtMThUMjE6MTQ6MDda -IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg -ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx -IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg -ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt -ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog -ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg -ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg -ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg -ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6 -ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w -LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN -CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy -Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh -Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg -ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg -ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7 -DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg -ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN -CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3 -LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv -biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy -bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg -ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5 -Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s -DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg -ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg -ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg -ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg -IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v -MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2 -NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv -bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi -aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm -Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS -TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl -OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg -ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs -DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s -DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r -cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg -ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS -TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz -NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog -Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg -ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6 -ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi -DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K -ICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAg -ICAgInJvbGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xlMSIsDQog -ICAgICAgICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAgICAgICAg -ICAgICJpZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMiOiBbDQog -ICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJy -b2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAg -ICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAg -ICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJf -bmFtZTEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHKMIIBxgIBATCBpDCBnjEK -MAgGA1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlT -dW5ueXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUx -JTAjBgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMT -C1NlbGYgU2lnbmVkAgERMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBAGFaC8Po -svBez6wHfGxgqtX+Zk7kFH0xu/JA7fWp8L5e1k1q+wsSII/P6rATOXR8BSPwifat -mKRan9kzerLeb3A5g07VphvHfVkDEVaeihi33bpt7140ELSKu/ogWQPtasjBM9Eb -M9pS4N5NCtZ0erE5DgX//IRfrHFdZuhIbwlmei72692PV7Q70t/rbaH8ofIrH7Rz -Z1Kuvj0+7tELgd52wy5YnU0e879OEj+2qUk30TvqRG9jdKxLSanmR/8dSA2eNNgO -oHrtXc4EmpWFbP6yVxNwK3dQ6OvU4virV1YW5+De2ApLt+IeojaVPGnDPfsRvY5x -t0eIwpDqkgvkRP8= +MIIOPwYJKoZIhvcNAQcCoIIOMDCCDiwCAQExDTALBglghkgBZQMEAgEwggxEBgkq +hkiG9w0BBwGgggw1BIIMMXsNCiAgICAiYWNjZXNzIjogew0KICAgICAgICAidG9r +ZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMDM4LTAxLTE4VDIxOjE0 +OjA3WiIsDQogICAgICAgICAgICAiaXNzdWVkX2F0IjogIjIwMDItMDEtMThUMjE6 +MTQ6MDdaIiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAg +ICAgICAgICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5h +bnRfaWQxIiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAg +ICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAg +ICAibmFtZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAg +IH0sDQogICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsN +CiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAg +ICAgICAgICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0K +ICAgICAgICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcu +MC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDov +LzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2 +MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0 +cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODli +YjY2MTdhIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAg +XSwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAg +ICAgICAgICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAg +ICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0K +ICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAg +ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRw +Oi8vMTI3LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +InJlZ2lvbiI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +ImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAg +ICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4w +LjE6OTI5Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAg +ICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAg +ICAgICAgICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAg +ICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtd +LA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg +ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJo +dHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZj +Zjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjog +InJlZ2lvbk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxV +UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1 +ZThhNjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1 +YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNj +NTM0MzVlOGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0K +ICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29t +cHV0ZSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAg +ICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50 +c19saW5rcyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQog +ICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJh +ZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4w +LjE6MzUzNTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGlj +VVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAg +ICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAi +dHlwZSI6ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5 +c3RvbmUiDQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2Vy +Ijogew0KICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAg +ICAgICAgICAgInJvbGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xl +MSIsDQogICAgICAgICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAg +ICAgICAgICAgICJpZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMi +OiBbDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAiaWQi +OiAiZjAzZmRhOGY4YTMyNDliMmE3MGZiMWYxNzZhN2I2MzEiLA0KICAgICAgICAg +ICAgICAgICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAgICAgICAgICAgICB9LA0K +ICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgImlkIjogImYw +M2ZkYThmOGEzMjQ5YjJhNzBmYjFmMTc2YTdiNjMxIiwNCiAgICAgICAgICAgICAg +ICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAgICAgfQ0KICAgICAg +ICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJfbmFtZTEiDQogICAg +ICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCBnjEKMAgGA1UEBRMBNTEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEjAQ +BgNVBAoMCU9wZW5TdGFjazERMA8GA1UECwwIS2V5c3RvbmUxJTAjBgkqhkiG9w0B +CQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMMC1NlbGYgU2lnbmVk +AgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQBYn04AtTif863EsRze +H4qwhQwcDMEy9+tqm6Pof1ysl7wnqtyeJbUaEmljzYOeiYvcI9tOAj/beTpxbU3A +6vo0XkPt82Fdn3tPu2Rbr5cmCWkqRUAazEXBwfwPFBeA01Th2yxtTNUeiZJyjbcO +6DfeXeQSQWkblB375+2RQNGOuEbU1JwC8sErk8eTetA419fh+tn5m3h/FhHRiWGo +2NWy9HRx0OjCnnjNtIWY++QbVLQS7lty/f3E1c3l8ebGhBXleEmWbpp1zUi9e5oK +0NlVB+nwiw9qkzAgX5ForSaFGkGlHjjAtoIs/i3DgP+3ET/pZkislu6NpiXfklY4 +o35g -----END CMS----- diff --git a/examples/pki/cms/auth_token_scoped.pkiz b/examples/pki/cms/auth_token_scoped.pkiz index 34d7706e1..a3177c16a 100644 --- a/examples/pki/cms/auth_token_scoped.pkiz +++ b/examples/pki/cms/auth_token_scoped.pkiz @@ -1 +1 @@ -PKIZ_eJylVst2ozgU3OsrZp_Tx4CNY5biaRFLGMx7ZyDGYMBObJ5fPwInpyedzkxmhhUIqVS36t4r_fhBH1HREPlDwrvx4wfACK1bM9CfziE6NjGBZiyd6dg1lyRxuZCgqXSSDddi6rzKKZa0cTxeaNLuRduhaA5kU1nDPR2MVkqaeo_PvX4MOFLEc5wZmfiIKvpehZeAc-XAt46RJlQoP6fe_JpFpXoD4Q4tkaRzEdexkedkGwlmocefYk24RJU1vE8OPOu293jXObUUGGb7tcXE8rkBm0HpSb9oNzmssX1ekCHmNvOg2wwBE-RhibkwCzjM4sEciOcsAjtow5KUhlxkQR5wANvJEWVtiiq9CLmiibKJUR96ySXi-G1U3lnR3ZnQ1-vA6z6wACON_8MCjDR-shDZoOwuAevubGlick7WVmtkqwbbaD5tIC06I0_nZAiaJFcaQHIrI2UwhKWeB4MzEBmzoX08klwsAy5YGJ6ekTzoCKdkB5e5UlDm2ReLUVxUhQ2I1u6NOjH-KKLSaiOuqJM1OURaUe_vVka-Txeu77a9uVZFmloHnJOBf2vbL3rxAOenfhTsvzoBvkL-CPy1uOCjuqfesNGo7mfByuIWeEkxAZZuHa7FZmQEYla40pfXuKfI6i057NqU1gOlyb4t5JukVL5McfBNscbkYqbkot7_1XrwT96PO8elW-09ob57_yb0SahH-wGNc6RUxCV_jNTvZKA5alTj3YojGuJAmFMyJcmJjRk8uIWhKRzWwjzMUz4oEUdyZR7cE61NPJ3qRb5VTL-N93fhgr_N9ZI0kS-yifa50fhcd4nK2wAmO1hW2Ei0fY060K400eNcPp5bzXsWfpXu4BsWDlQflvQCh7NF-2vKjy7svtt9fgcOPqN_t6k4LZZhA5Ic0QFd8HfjYouPtTcNPKug8V6S9elLAUctwCjg2-KGCjdlG62F4nktXmgGTpNQjlo8pDcsKzdsHx2cK0tsm0ssJ3twp013K9U6GSnTzkN3O9IwinD6tvrEc0Z7fxbY-3xVqME4iO-Zdgp9ksdl0SbaW1PReDbS2vHfJbzrwYzgNIzD3jM7VDH3Wnj72dI-l4fesYk0WhuZLoyxJz492rI7s7gUrnSTD_0SUE_pAue9pY3vPSqYXyi7A7X1MDVV-71CRzCcgRHlQwN5B6w-deKenp8Fzt4dm0DvGny1C41zsnQKoxAuoUzrxWcFHCCxp8c8jAMJ0PO_Tfdmm4aLTsohElPiitCxoe100gD1-3dgw8K1sXltJTOQXdNESqvLpq3sABahBllHETusO3O3jqqCoylcYAu1CpwmPyltsY01t3bmFr07XDvFhts78NUGknIrnn3C0Fqgdjotav96WzmJ6jF8Df1iSDTawhyxGYHiO1AdzfUKYMtslXTaSVbamx16XYlUcgkpYEgjUj5cbyAR09PL8ZRpQsuINHwVQLij9yBp74o5-3C9beMjRm4RGubu5K2F9HGJocPh_HJ7OM-zk36Nb-eHw2sxnGZ74rvrAqi2wSpx1jJyNWd7CHM1LftoqJiSh-nGUy32Js_OzhI1jmuXPJJmF9hh5aytDpquHbdgGGbIvIVPr71BcFdDy7fk2ZFJ92m33szIIMlu-IIEf-UzJFJOwolZRZ1hz-ONETD7_AwstzFmO7fpltxy63KH5wd0qXbBIt7HrOs-YWgF-_PT7CF9KnouPykraZg9YN1WOdW_7O0ckPm5UMNs268OL8QpD24qFNvu8eHFEjtI2uct79Qmn3P8cWWacap2kXw1ZCHP4Gzj16QE2-r1YrVQqwweOk_ybmMdDF83-GVNIJjuogqRf95L_wRcTpJ3 \ No newline at end of file +PKIZ_eJylVkmTmzgUvutXzN2VCotxm0MObMbQSG52ixtLG5DBdrttC_j1I3An6XRSk8wMVS6jJ_H0vfe97dMn9qiGaaG_NOiPi08AWpa1KbH9eEys6pYjxc21I5M9Dhp7ck1xjU4LlLVahme9hJpJNE3d56bmv5i-lYlAd421kjIhKY2yxNxzb1dYQE0uwnpTqw_WwbulQnS1yLFke6dcRHwSezu8ddm-UgNIFAprjkKf6zYrt4fBsUP6kSL-WDuaUifbiqZbu8l7a2FpVg91OHcCpXMCYx7pVgc2xOA2RBHj2nq1NPuUaONBm2bmiiRxdctMr8nve1wSS1V2cO_I2uiKY_sVJPEk4PJD1Iw3pvEdWmGOByRuKzR76E8K2JpvRlOYWU3Wrq7FSr6CUfh2YJ9sEcnbhhZmc8tqhsSU-Mzs5J1P2UfML4fkhIVIx1uvykz5MCoDsfhaM2jMr_IpO3jDKBxlOPYuaSxF4Z5OiNK1x-X68eYMRo_6OXWIcmX-mgM05IIj4s4ZMIdJ0kIhqbEAeTi4A4rDOQ4wTVrUbvSmxoTtBEVl1SMiu0mE5gYmqJrdJ3FxygTpKWvD-u4LiUu2o93dP6IAI4z_jkLlAW67E-YjP7jTdyzWHt3UyxsMLHGyU5t3G1KKaMC3ghg3RLwatXhIWpvgIRwA0iGfBFWFiNpiAc83sV0jgjskGPUu4kZ2GGUezYTmWqzRLjOba3qP0mzL2AGMUyk3wzv3rfxajFyP8FoWNPEH-YEpXP_IGviXtEmQ7PvRX1-ZACMV_4cJ8GvNKv9nzt33YBNYo3f_yGHv_ZXGfJUIYQ1GqCwxLok_3XRgWXjFbGOMf5b_7xTeFY31IjH5U9bc0YF_5t4d0V2hvxSQaQkJYRHQIoICyMEhajamIQBoJiQhpYRbS0DEEPE9M98cOp_g5m10SGP5GgjSG8UMkRn1DPkriCIbTjneVlyxVhZOv-wgyUcUjDpjsdFZEdNkAfrzX4Y6-F2s_44N8G_s_dlcWwYTPay-JWv1NgZOzsuv7P88FdHVpRhZKtYNfWOJZAJPi633LdzB13jPWlkYNTravWB-U3hXxGSrfRY3148-Ax-dBlmKoiBn5lhM9jMj4QdGwHtKfsfIL5RTULDansbod1nIQ12hLFd6tv4h7MGfxT3rAwfvVKz39YfQP4Nk2wyFKV8T5sD7h9GQbK23vji-v28o03o3KQiMSRnIWbVhDeUHBKxQsJYWfi0a43tvNdz71sfnQtSPXQu8daU-E7rmO2XN_u5MTFnY7nFQtSyQBkhcCRO7QgOrn2TVwiAXAA4KVkRh97EOTsgYzLe0_npzC3XUJqYxT0hVwcHiwCa2ehzkLBesLmHhiVoWoqxg_9xQ30w58MV7R4Lv9ky3d-yAvAtMTcmPtCzXplIaKrTMPfs9Q_dINQXrkeuuDGrw0H2lQHMngWlQOwoHw4HK3lT40NBUqLmc0RlEcdUSRaqSB1qE-KyVpIIFHTPPh6pigulwBe1AVJusQRyO0Rl6BtXppNgxaOV8ozowGqjBb_MRG49soHg4ZjOQlIveLWsjJRsVHe6KnFbuk8EIoWpNqJQOOqEQvSa1GqRxcWXDicYUGFSlePVI57pSHanuvp_YDFV1FTZ8GcrR8fnhBZ6Ka4w_z1waumEnBQICw9PlSQwpmuOXQEtDY1bOTjj9LPl8uh4cdbkwrm2OWkvkdNecc8q88Qq03ivo7FKXPokgTtSDB88PHJnrPsGz2usVbDw-n8O63D4f3dNgPKk7a_biR4EmIrWSU4srF7vhtnDD54cdmMmZX1mv-7amy94ZxKBOLw9pcsj4gX19SR_oSrDzM5JO9SyfyVJcbZ6e02A2S-OLTC4FkJf-jddP9bBYPl1m5Voqs3WnWhDXnVq-SMre4j9_3qsCryp28xwfnzDPZaQ4s5GkWyzkGNyiy9Z9sG_4Obsttd3jUhXFonIWc_9Y53m3ibLSDg2P1fIjuZ1Z3WnDTVPBLjy2p8H98gVME7OB9O_T89-mTsWe \ No newline at end of file diff --git a/examples/pki/cms/auth_token_scoped_expired.json b/examples/pki/cms/auth_token_scoped_expired.json index 04ec9f301..d9ea0e92f 100644 --- a/examples/pki/cms/auth_token_scoped_expired.json +++ b/examples/pki/cms/auth_token_scoped_expired.json @@ -2,6 +2,7 @@ "access": { "token": { "expires": "2010-06-02T14:47:34Z", + "issued_at": "2002-01-18T21:14:07Z", "id": "placeholder", "tenant": { "id": "tenant_id1", @@ -73,9 +74,11 @@ "id": "user_id1", "roles": [ { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role1" }, { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role2" } ], diff --git a/examples/pki/cms/auth_token_scoped_expired.pem b/examples/pki/cms/auth_token_scoped_expired.pem index c3de8bbe2..9c4bdb9e1 100644 --- a/examples/pki/cms/auth_token_scoped_expired.pem +++ b/examples/pki/cms/auth_token_scoped_expired.pem @@ -1,75 +1,79 @@ -----BEGIN CMS----- -MIINhwYJKoZIhvcNAQcCoIINeDCCDXQCAQExCTAHBgUrDgMCGjCCC5QGCSqGSIb3 -DQEHAaCCC4UEgguBew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6 -IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMTAtMDYtMDJUMTQ6NDc6MzRa -IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg -ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx -IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg -ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt -ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog -ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg -ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg -ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg -ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6 -ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w -LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN -CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy -Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh -Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg -ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg -ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7 -DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg -ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN -CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3 -LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv -biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy -bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg -ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5 -Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s -DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg -ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg -ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg -ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg -IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v -MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2 -NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv -bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi -aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm -Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS -TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl -OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg -ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs -DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s -DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r -cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg -ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS -TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz -NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog -Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg -ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6 -ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi -DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K -ICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAg -ICAgInJvbGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xlMSIsDQog -ICAgICAgICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAgICAgICAg -ICAgICJpZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMiOiBbDQog -ICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJy -b2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAg -ICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAg -ICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJf -bmFtZTEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHKMIIBxgIBATCBpDCBnjEK -MAgGA1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlT -dW5ueXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUx -JTAjBgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMT -C1NlbGYgU2lnbmVkAgERMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBALYxBjRE -hecjo98fUdki3cwcpGU8zY8XHQa4x15WGkPxkI1HwSYaId/WjrOWP2CxmT3vVe7Z -lqV2a0YmdPx9zdDm09VmoiZr3HxYaNzXztT817dECYINCgz33EnansIyPHG2hjOR -4Gt7R26MXf+AIRiCNuCFZPnHI1pfCbwuky9/iBokvE9mThA+bVrUPZd/2+jp4s3B -n3+fbC+FCoZ5t522wGgEtVyMNvC90Wvvuf2mx7baXNo4/0ZG8C86lT+qmMe22zlf -+DxmJl149p419zdv6rzTU7p2OeTBnkdw1GsEqKyvtHYxzAjLYjiJo6jyaERXBaLm -/J7ZRSBmhHoLuWk= +MIIOPwYJKoZIhvcNAQcCoIIOMDCCDiwCAQExDTALBglghkgBZQMEAgEwggxEBgkq +hkiG9w0BBwGgggw1BIIMMXsNCiAgICAiYWNjZXNzIjogew0KICAgICAgICAidG9r +ZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMDEwLTA2LTAyVDE0OjQ3 +OjM0WiIsDQogICAgICAgICAgICAiaXNzdWVkX2F0IjogIjIwMDItMDEtMThUMjE6 +MTQ6MDdaIiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAg +ICAgICAgICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5h +bnRfaWQxIiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAg +ICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAg +ICAibmFtZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAg +IH0sDQogICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsN +CiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAg +ICAgICAgICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0K +ICAgICAgICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcu +MC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDov +LzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2 +MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0 +cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODli +YjY2MTdhIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAg +XSwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAg +ICAgICAgICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAg +ICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0K +ICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAg +ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRw +Oi8vMTI3LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +InJlZ2lvbiI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +ImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAg +ICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4w +LjE6OTI5Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAg +ICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAg +ICAgICAgICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAg +ICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtd +LA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg +ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJo +dHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZj +Zjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjog +InJlZ2lvbk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxV +UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1 +ZThhNjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1 +YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNj +NTM0MzVlOGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0K +ICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29t +cHV0ZSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAg +ICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50 +c19saW5rcyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQog +ICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJh +ZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4w +LjE6MzUzNTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGlj +VVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAg +ICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAi +dHlwZSI6ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5 +c3RvbmUiDQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2Vy +Ijogew0KICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAg +ICAgICAgICAgInJvbGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xl +MSIsDQogICAgICAgICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAg +ICAgICAgICAgICJpZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMi +OiBbDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAiaWQi +OiAiZjAzZmRhOGY4YTMyNDliMmE3MGZiMWYxNzZhN2I2MzEiLA0KICAgICAgICAg +ICAgICAgICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAgICAgICAgICAgICB9LA0K +ICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgImlkIjogImYw +M2ZkYThmOGEzMjQ5YjJhNzBmYjFmMTc2YTdiNjMxIiwNCiAgICAgICAgICAgICAg +ICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAgICAgfQ0KICAgICAg +ICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJfbmFtZTEiDQogICAg +ICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCBnjEKMAgGA1UEBRMBNTEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEjAQ +BgNVBAoMCU9wZW5TdGFjazERMA8GA1UECwwIS2V5c3RvbmUxJTAjBgkqhkiG9w0B +CQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMMC1NlbGYgU2lnbmVk +AgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQCFiZDCR4kvDWvNVo3l +306T6uMi+CuLklTr9msrA4rhRDROZ6N8y/0TrpnBInhJC9A5OGnRgiAPFrg3ksLP +ONqqtdQSgNLnzVjauJzVvejzOIYtnp6quQzxy+B1xS/QX+8ODgxz8PcvFszWDvBx +qDi/q3XAU2fvdRkq96WBGkqjAOb1pxHA1WbOklcjAm/PL5qgcFc+aryiVvPVBjFy +1KfOZjncXtDBB0Bz5+7MxAxej7LhRZ/eqlK2A/mn2vIlvPKLTGdfuQ10aIBtJ5lW +cP2miCjk179e2OU71eJdpJk1bFBXNoNbeu7dhI6/W65SKo/EbEgLO07NXW4qqcVQ +vnt9 -----END CMS----- diff --git a/examples/pki/cms/auth_token_scoped_expired.pkiz b/examples/pki/cms/auth_token_scoped_expired.pkiz index 766b4cddb..5824b4efb 100644 --- a/examples/pki/cms/auth_token_scoped_expired.pkiz +++ b/examples/pki/cms/auth_token_scoped_expired.pkiz @@ -1 +1 @@ -PKIZ_eJylVtlyozgUfddXzHuqK2xOzCObMdiSzW7pzUCMwchLbNavH4GT6kmnM5OZcZWrQEhH555z75V-_GA_1TAt9IcGveHlB4CWNW8cbC9OxNrXCVKcRDuxsWuhaeqTpCmO0Wq-Mlez4FXPoGYO44lkat7F9KxYBLpjzJUtG4ynRpZFzy-dvccCKhMR5qtcfbaO7PlIzlgIdbxx97EpH63ilEXiNY_p7AaIZz1Zmi3EQsvHUZAvNSUn0eSQmPI5Prr9-2QcubdtNAmDQ8OAlXw7d7lEP9Vg2Rsd6qRmWSgV9E8S6hNhKeJ22WMOF4RCgeRYgDzsnR5FgYR93BCK6Eovc1xgAUA_3Vt5k1lHuyRCWcf5yKgjUXqOhck6pndWbHeObOwKR-0HFmCg8X9YgIHGTxYqj2l7xnzo-drI5JTO3WaVT2voW-K4gSa1qyITUY_rtDBqgAo3RxT3hNoF7oMe6ZAn_n6PCpViAUuryM5RgVskGPku5K4MlHvZqOUgrnUkNYjn4Y05MXwoY-o2sVBW6RztYrOstncr482GLZzfbXtz7RibswoLQQ7-rW2_6DUBsDh0g2D_1QnwFfJH4K_FBR_VPXQr3xrU_SwYLW84SssRkIYVmav1wAgkvHxlD69Jx5Bnt3TnNRmrB0aTf1s4qVNqfJni4JtiDcnFjcnFvP-r9eCfvB92Tmh43EZydff-TeiDXA32AxbnQKlM6GQfz76Tgc6gUQW9qYBMSwCkYGQoKpAPOdiH5co0BGiSghTZBFNLQIUh4nuiNWlkM73Qt4rpt_H-Llzwt7lOUR1vVD41PzeajdCeY3rrwWgHz8tLjbWvQQfWlUZ6QjhJRLd-z8Kv0h18w8Ke6cOjThZgLjW_pvzggvfd7vM7cPAZ_btNJWigrtQgLSw2YMsbb1jsThLzTYPILVm853R--FLAQQswCPi2uGbCjdnGaqF8matnloHjJKuwGugrN6hj9rcD6DtPSE-eYO9uwZ02243OqnSgzDoP223PwijJ-O52aRQM9v4ssPf5M7kCwyC8Z9qBbFCR0LJJzbemYk742GyGb2dy14MbwFkYu23ktNaRu9fC28eG9bmCRPs6Nllt5LY8xJ5u2NGW35klVL6yTT70S8A8ZQuC95Y2PHdWyf1COeyZrbuxqfrvFTqAwRwMKB8ayDvg8VMn7tj5WcL83bER9K7BV7uwOEdLxzBK-Ux0Vi8bXobYUjt2zCsJ1gA7_5ts6zQZkVqtUCw1Q6GqBL7iB63WK_b9HftKGfrQuTaag_XQcSyjsXXHNzwAVcVU-MBQW2gHYljFx1JgKVxC12oMZZy8MJpynZhhFYguuztcW8NX1nfgqw8041a-bBDHaoHZGTRW89fbykGd7ckr2ZR9arIWFqj1AJTcgapYtI8Auk5jZONOutHcfBK11JqhM2GAhEVkfLjeKEjNDpf9ITflhlNZ-DOgKB67B2niTXTXpH1IYeWIT09VZWNhm5pu_7LFotenk40hKN5tMWmeLuGz5F_p9Lw8CZct2Exj5Vhc1ig3oPTgy6G0cGOnnYclRPPLjp6a5elZauAxWJk7U3pep74japd2cbW6ykoJIP5aWuX7hwdztjNlszcnrfuwmnC8LJSzZ11Osktpha621jm0Jdw6epycXy3yWK5odqWiC66rXBCk-CJeBffxOaJazV2mNJhOt4l2eFXI3o0Wt2oBV3SWRiePSlr56B_UY9dRTz2YEvCb9bK-zFdQrRHO5cuZqx5fIiHT1CZ3-SQq7Cpz7MNRvjxORbSpQnmy7B7YRZI_16hsr-B6Pb2IF9vVHjxzkSbJLjhEi9h4DOIVBeNd1ED6z3vpnxbOkgI= \ No newline at end of file +PKIZ_eJylVtuSmzgQfddX7PtUKiDsGfOQBy4yhrHEcLd4MzAGZLA99pjb16_Ak2QySW2yu66iDC3RnO5zulufPvGfigyT_KVhb3z4BLBpmnZOrcdjbBZNShQn1Y7c9jho_JdqioM6zVdWah6c9RxrBtM0dZ8amvdieGYiAd1BK2XLjSxHeU6F594qKCRVKuHSLtUH8-A2WxheTXbM-doplYgYR-6Obhy-rpQAM6XFpdBiT-jspdNj_9gR_dgS8ViuNaWMN0W73VhV2pv3pmb2WEft2lcgv_pQRwKwmSPZDAtRaV5MzTrF2rjRahNjyeKoaBLDrdLbmhBH8yI5ODdkdXilkXUBcTQZhPQQVuMXt9ENWmaMG-bCBlZ77E0O-LNYjaHwsKqkXl6zpXwFo_Ftwz7eEJbWVZsZVZOUHIkxFxOjk3dey1_ieTnEJwpDnW7cIjHkw-gMRNKl5NB4XuVTcnCH0TjaaOS-bqN5GOzbCdF25QqpfmzWA-pJP2vXTLnyfM0AGVK4lmi3HqhAWVxjGJcUYhEPzkCiYEZ92sY1qW29KinjK35WmOWIyKpiWDVggqpZfRxlpwTOn5I6KG-5mAvxZoy7-0cUYITx31GoIqB1d6Ji6Pk3-o7Zym3tctFg35SmOLVZZ7NcIgNtMoYawtyS1HSIa4vRIRgA0bEY-0VBmFpTSGd2ZJWE0Y5AVO5CYWSHU-a2Cayu2YrsEqO6bm8qTTacHcA5nadGcOO-li_ZyPUIr-aiiT7YD9zh6kfWwL-kbY7Zvh_z9ZUJMFLxf5gAv_asin-W3H0PbN8cs_tHCXufr20kFjEMSjBC5YXxGnvTlw68Cq-UL4z65_X_zuHN0dgvYkM8JdUNHfhn7p0R3RV7C0gME8aMK6AmjPhYwENY2QaCABsxi1k-p7UJCUMSvVXmW0JnE9y0Dg_bSL76cP5GMUdkhD1HfgFhaOGpxutCyFbK_bpfdJilIwpOHbq3dd7ENBlib_ZLqYPfaf13bIB_E-_P4VoymOjh_S1eqc0onFSUL_z_PDXR5Ws2spStqvaNJZZAsc027je5g696T2oZjh7X2q1hfnN4c8Rty30SVdePOQMfk4Z5iRI_5eGY3PYzI8EHRsB7Sn7HyC-ctyDjvX0bkd9VoYh1peW10vPnH2QP_kz3fA4c3FO22pcfpH8G8aYaMkO-xjyBtxfDId6Yb3NxvH8_UKbn3eTAR5MzkPJuwwfKDwh4o-AjLfjaNMb73qyE96NPTGHYj1MLvE2lPoFd9Z2yan9LJm25bPfUL2oupAEzZ06ZVZCB90-2rLGfQkD9jDdR3H3sgxMyDvOtrL9-ucY6qWMDzWJWFHgw-XSOzJ76Ka8Fs4u5PEnNJcob9s8D9S2Ug5i9TyT4Hs_09Y5vkHe-oSnpsc3zlaHkSMWmsefXM3aOraZQPXScJWqRiJ1LCzRnMhiotcJgQGus7A1FDJCmYs0RUIeY4qg5CVUl9bWQiEk9n2dcdDw8D6uKAabNBbZ8Sa2Sigg0ImfsolZvJ8dr1Bbrb1T7qMIa_nY-4scjCygujfgZaJ5KbpPUoZKMjg43R-ta7uMBBVg1J1RKh9cBDC9xqfrbKLvyw4nGHaBWbenysZ3pSnFsdef9iQ2pqqPwwxdShifbKSSRDulneAkzL_1s95acEXAHC8PNXUdeP_Qrz9qeXvW6znWfvOrq4irIun8XtKKPVnfijJEHMs9DT9RWUmE9KjynDFjbJfPxS7Mx0iWWFs9RWj46L3Z3V587XM1PWwNCXoTJ2UNDv1d9vvuz9tLXV_kxDWYYgqHYd8_N6XzoH2b-xWpw0y_gJtAsxErjRb5G4RbKz_YBO2VeLXPDpyxSbVs8N2ZTBVgCiztMAyErXrdbb7N_Me8fcjVnq9dBsKTF4alod0-SuyzE3LNe81ZdFU6TCv48WWXN-hB7O_B8DmemaSyebLh7CO6kaJFerYooCIa2zek7UjVGq6ck30Okq4_3s0OV2WpyLwkwwsqXL2A6MSOifz89_w1E1sSW \ No newline at end of file diff --git a/examples/pki/cms/auth_token_unscoped.json b/examples/pki/cms/auth_token_unscoped.json index 41566888a..844cebd5d 100644 --- a/examples/pki/cms/auth_token_unscoped.json +++ b/examples/pki/cms/auth_token_unscoped.json @@ -2,6 +2,7 @@ "access": { "token": { "expires": "2112-08-17T15:35:34Z", + "issued_at": "2002-01-18T21:14:07Z", "id": "01e032c996ef4406b144335915a41e79" }, "serviceCatalog": {}, @@ -11,9 +12,11 @@ "id": "c9c89e3be3ee453fbf00c7966f6d3fbd", "roles": [ { + "id": "359da42d31c04437a32812aeb79e9c0b", "name": "role1" }, { + "id": "581af19726fa4af5bda745789ab2bf2b", "name": "role2" } ], diff --git a/examples/pki/cms/auth_token_unscoped.pem b/examples/pki/cms/auth_token_unscoped.pem index 6855221fc..bfb97968f 100644 --- a/examples/pki/cms/auth_token_unscoped.pem +++ b/examples/pki/cms/auth_token_unscoped.pem @@ -1,25 +1,29 @@ -----BEGIN CMS----- -MIIERgYJKoZIhvcNAQcCoIIENzCCBDMCAQExCTAHBgUrDgMCGjCCAlMGCSqGSIb3 -DQEHAaCCAkQEggJAew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6 -IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIxMTItMDgtMTdUMTU6MzU6MzRa -IiwNCiAgICAgICAgICAgICJpZCI6ICIwMWUwMzJjOTk2ZWY0NDA2YjE0NDMzNTkx -NWE0MWU3OSINCiAgICAgICAgfSwNCiAgICAgICAgInNlcnZpY2VDYXRhbG9nIjog -e30sDQogICAgICAgICJ1c2VyIjogew0KICAgICAgICAgICAgInVzZXJuYW1lIjog -InVzZXJfbmFtZTEiLA0KICAgICAgICAgICAgInJvbGVzX2xpbmtzIjogW10sDQog -ICAgICAgICAgICAiaWQiOiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2NmY2ZDNm -YmQiLA0KICAgICAgICAgICAgInJvbGVzIjogWw0KICAgICAgICAgICAgICAgIHsN -CiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTEiDQogICAgICAgICAg -ICAgICAgfSwNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAg -ICJuYW1lIjogInJvbGUyIg0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAg -IF0sDQogICAgICAgICAgICAibmFtZSI6ICJ1c2VyX25hbWUxIg0KICAgICAgICB9 -DQogICAgfQ0KfQ0KMYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK -EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr -ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAH -BgUrDgMCGjANBgkqhkiG9w0BAQEFAASCAQAXNWXYv3q2EcEjigKDJEOvnKBGTHeV -o9iwYmtdJ2kKtbuZiSGOcWymxNtv//IPMmNDWZ/uwDZt37YdPwCMRJa79h6dastD -5slEZGMxgFekm/1yqpV2F7xGqGIED2rNTeBlVnYS6ZOL8hCqekPb1OqXZ3vDaHtQ -rrBzNP8RbWS4MyUoVZtSEYANjJVp/zou/pYASml9iNPPKrl2xRgYuzaAirVIiTZt -QZY4LQYnHdVBLTZ0fQQugohTba789ix0U79ReQrIOqnBD3OnmN0uRovu5s1HYyre -c67FixOpNgA4IBFsqYG2feP6ZF1zCmAaRYX4LpprZLGzg/aPHxqjXGsT +MIIE/gYJKoZIhvcNAQcCoIIE7zCCBOsCAQExDTALBglghkgBZQMEAgEwggMDBgkq +hkiG9w0BBwGgggL0BIIC8HsNCiAgICAiYWNjZXNzIjogew0KICAgICAgICAidG9r +ZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMTEyLTA4LTE3VDE1OjM1 +OjM0WiIsDQogICAgICAgICAgICAiaXNzdWVkX2F0IjogIjIwMDItMDEtMThUMjE6 +MTQ6MDdaIiwNCiAgICAgICAgICAgICJpZCI6ICIwMWUwMzJjOTk2ZWY0NDA2YjE0 +NDMzNTkxNWE0MWU3OSINCiAgICAgICAgfSwNCiAgICAgICAgInNlcnZpY2VDYXRh +bG9nIjoge30sDQogICAgICAgICJ1c2VyIjogew0KICAgICAgICAgICAgInVzZXJu +YW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAgICAgInJvbGVzX2xpbmtzIjog +W10sDQogICAgICAgICAgICAiaWQiOiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2 +NmY2ZDNmYmQiLA0KICAgICAgICAgICAgInJvbGVzIjogWw0KICAgICAgICAgICAg +ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgImlkIjogIjM1OWRhNDJkMzFjMDQ0 +MzdhMzI4MTJhZWI3OWU5YzBiIiwNCiAgICAgICAgICAgICAgICAgICAgIm5hbWUi +OiAicm9sZTEiDQogICAgICAgICAgICAgICAgfSwNCiAgICAgICAgICAgICAgICB7 +DQogICAgICAgICAgICAgICAgICAgICJpZCI6ICI1ODFhZjE5NzI2ZmE0YWY1YmRh +NzQ1Nzg5YWIyYmYyYiIsDQogICAgICAgICAgICAgICAgICAgICJuYW1lIjogInJv +bGUyIg0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIF0sDQogICAgICAg +ICAgICAibmFtZSI6ICJ1c2VyX25hbWUxIg0KICAgICAgICB9DQogICAgfQ0KfQ0K +MYIBzjCCAcoCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYD +VQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3RhY2sx +ETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVu +c3RhY2sub3JnMRQwEgYDVQQDDAtTZWxmIFNpZ25lZAIBETALBglghkgBZQMEAgEw +DQYJKoZIhvcNAQEBBQAEggEAYIiuAmAxllZ5FdGlJWu0bxAsxwFb114lZAq2/mju +v2Hu9505N4TbkJJI++ojNwv1extCAL0H7jmM2nbPovPa0R6RVDRgh1R03E+uLNld +rBXyiTeZh2OrbmoXdHAXdJRnBkLIfjDXISY5qN/yJhsr3g6djekGnkWzZfwtwjyb +qBbVVB9oK9p5svd85jiOcGlcBxuBhWeqwZiYTzyDtJ2SuwtvBaIDQICyS9VtGI+F +NzqtdUHw/vxsQqOq6tR4Qf32wtZnUS+komQWX3uJXwYpSZHomuGPbs0XolGXYm8D +fM/7R9AH6CUlmBmq/WVQdEMMv9VADaP9yHuGvM8w3f6ZvA== -----END CMS----- diff --git a/examples/pki/cms/auth_token_unscoped.pkiz b/examples/pki/cms/auth_token_unscoped.pkiz index 13c5e40cc..34f93f46f 100644 --- a/examples/pki/cms/auth_token_unscoped.pkiz +++ b/examples/pki/cms/auth_token_unscoped.pkiz @@ -1 +1 @@ -PKIZ_eJx9VMmSozgQvfMVfa-oMAbbVRzmIAlZCFvQGLHewAs72MaY5esHuzt65tSKUEiZkS_z5RL5-TkfiAk1fiBmv4RPgVGq7kCg75qQps-jAawjamYd4QiBwUHAwgPiQIOJc1cThkg-67lDkH0jNo1lQbWwBqJZaQc4SXB2HvU0kIzyKLPMzOAXred_HV4DyVUD_5DGRKlp3iRnWWwp0kUhlh5lnNEN1dos9NM-8vXyOM4yoiPjeNxzsNpzLLsqXpo5e13Ry-gLfA0R3QizYc88p2eTnpu8kEIvEA0VSEGO55dNBi8Gw8PibCObtq7sEchO_szqd1DhWClt6BuXmJRd9It27Nt9Qqt1GnvOLP8GlEoXeMuS2e_oYywNb6YC3T6-_m_8dshxdpmdzPV4g14501p_xsQZab08_WEx44S_RHnnOL-56bGV6TlTUDlT6DmiwY0qqIKeESYLJg-kMA8LJoVZiHTl4otDkmi7ub1wSCgEHMGrimCd4x0DCQFLB8MDgwbHewYKIrwVKUOuywY0AR0mhgtBwkFhQHagPQaB6lqWhvuSn7x1d_bDuZXOgHNgvWwFCBqOHKUPvTU_kW0eTfjAwPc7EhoYtSV3fZQPz7hyBp2DHCbFLS0yovQiRBb2hG31KM--IcbSurTI29H0djSun8fqOGxVYP9ixThaGmVMgsSRyjqu3AIk-CAwcCTQbk3Q04gB8c-IzhMKgeUAONcCbO8atS73i3mAGF0iWEaZWKcHN11FAj1_r8a1F5ZGKDWGyD468ZlOstqwRb1jnp5-5fK-M-cJvXSTbE6Vxqs4Sg9dUQdNcSuE_Cfc3JzH-fqxLruP-wpoqpNGV9iP8lMuzsmGtUkY1PCeUyJHQ7Nl2vfJslSkKOoJWpOw21fD1JDztsjbyx27Hw95icVWut-JOC6a_SUK-k1AmpUrNtpjm3T5osNNEn608g1lsSOgZBVvppgUhx2vm-5ate56rZynjSgam_tr6J7awn9y4n5Lth48bJRdy6Wx8m52ju7IE1Z-G92-ldZegIXrbm6gHJuBT63Ss1g3be9i5-ZTVotYxMm5WNrPXaB2_PpzsPt_hPdKwYb633r5FzKfcIU= \ No newline at end of file +PKIZ_eJxdVNmWqjoQfecr7nuvs5pBW30MIWKiCSKT5A1QZqQdEOTrb7DPHVmLIVWVqr03Vfn1S1w6MjH7A1JnWvySKMZGa4dk23KcPxMG7AS2wlaVEILZDAIbDdAFGz3zbkZGoTnZo5kJnavp4FiTDBttQCSMfImyzIzPL5KHKqsTjRZWoS_w5fCMVL_DZZsJ33eiMYUHhzQ82sIPComWoKeF3FNHHqy1_aJuOzCj7ZnSFjsICn7M--hI6uSFvzDEwo9eOxfMdi7SfAMpklVSRdxyUOA7huSbw3dgTwOvpyMpLbdSeRDKzABqWCLxpiNzq4EFSBYxmmQ5ZDVVSlT_dWrqknssP5nre6wmbwqp02f44o_8iH9Tmr5JFwZKPdGSfhvSuFk_uIvesJNmdedHlsZm3UU_WsTHKVFTV9Mm3NB5OGZz7rJCEo-au7ZCVV5woUc4JnNW8oY19sgbUuFiQkCesemP0-ZAuxdR8CMgHb25xE3BRQTTgPbMsEemopGW2UCbdR2WiahSl9TEb2RvlM6kEXnF6lBTQV_aQcHrL2ilN6PBuqFupVGBInQPOS_9QhTRmOFpllHnYUkEUlK8kTXzXIoD7w3nzdvFRerL09_4W6T_a5QelRUNsf6aGioJoSQ6rc8iu8_4bIAlwHrGfB14LnC9AY6A_KxDF9S-S-17D-3Q8G0bo54YtoscierABIqH9IEST_O7-FKrYSD4HXCPwDt4i_p6n5h-52kH0aX3Ablg_5P47koQPerzkcmxOheieD3u_z0Xlb7O-Y0f6_Fkrjru6c8pUfKTqIs1cpHowe5R9q5koP7h8mBo8Jp9c5GQC0boP4MEmJ5V17wqzFUv64L-WgLAEROnxy40lpf0Fg28fjkQr5bP1g0-Qt-trp_4RXab1bDZlQvFPkffLGmr62wLSLTYS9b2MhKrIzeowvOwgP35VOcfVbq7nLEefJzqb1nfpgf1dh0sdWM-QmW3WJwrvzBhh9bFl0R2kU3U3eqYwodf6ddV2OfzzAwWt0fqJI62dwS7fUn0wd2q22tM5LzxcyqjjMNZt46kpJtbY5PjW218jXuv1s3ncAZhvFAeymKFu2I8xOuxSZf-vH76-_IKeLy0WKvq7Hgbv6A0dJ-seV45vZufmqwrsZ68hlxvo2ZBFrkV55blvzbp_nOZmZes3LycHQkPVlzKz9N2OXxJS00ui6s_aPNNIDjeWsvY-vuP9mOuIel96iFm_HMC_gm2VKmF \ No newline at end of file diff --git a/examples/pki/cms/auth_v3_token_revoked.json b/examples/pki/cms/auth_v3_token_revoked.json index c5dc01a9a..f2ddf29c2 100644 --- a/examples/pki/cms/auth_v3_token_revoked.json +++ b/examples/pki/cms/auth_v3_token_revoked.json @@ -4,57 +4,107 @@ { "endpoints": [ { - "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", - "region": "regionOne", - "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", - "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a" + "id": "3b5e554bcf114f2483e8a1be7a0506d1", + "interface": "admin", + "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", + "region": "regionOne" + }, + { + "id": "54abd2dc463c4ba4a72915498f8ecad1", + "interface": "internal", + "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", + "region": "regionOne" + }, + { + "id": "70a7efa4b1b941968357cc43ae1419ee", + "interface": "public", + "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", + "region": "regionOne" } ], - "endpoints_links": [], + "id": "5707c3fc0a294703a3c638e9cf6a6c3a", "type": "volume", "name": "volume" }, { "endpoints": [ { - "adminURL": "http://127.0.0.1:9292/v1", - "region": "regionOne", - "internalURL": "http://127.0.0.1:9292/v1", - "publicURL": "http://127.0.0.1:9292/v1" + "id": "92217a3b95394492859bc49fd474382f", + "interface": "admin", + "url": "http://127.0.0.1:9292/v1", + "region": "regionOne" + }, + { + "id": "f20563bdf66f4efa8a1f11d99b672be1", + "interface": "internal", + "url": "http://127.0.0.1:9292/v1", + "region": "regionOne" + }, + { + "id": "375f9ba459a447738fb60fe5fc26e9aa", + "interface": "public", + "url": "http://127.0.0.1:9292/v1", + "region": "regionOne" } ], - "endpoints_links": [], + "id": "15c21aae6b274a8da52e0a068e908aac", "type": "image", "name": "glance" }, { "endpoints": [ { - "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", - "region": "regionOne", - "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", - "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a" + "id": "edbd9f50f66746ae9ed11dc3b1ae35da", + "interface": "admin", + "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", + "region": "regionOne" + }, + { + "id": "9e03c46c80a34a159cb39f5cb0498b92", + "interface": "internal", + "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", + "region": "regionOne" + }, + { + "id": "1df0b44d92634d59bd0e0d60cf7ce432", + "interface": "public", + "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", + "region": "regionOne" } ], - "endpoints_links": [], + "id": "2f404fdb89154c589efbc10726b029ec", "type": "compute", "name": "nova" }, { "endpoints": [ { - "adminURL": "http://127.0.0.1:35357/v3", - "region": "RegionOne", - "internalURL": "http://127.0.0.1:35357/v3", - "publicURL": "http://127.0.0.1:5000/v3" + "id": "a4501e141a4b4e14bf282e7bffd81dc5", + "interface": "admin", + "url": "http://127.0.0.1:35357/v3", + "region": "RegionOne" + }, + { + "id": "3d17e3227bfc4483b58de5eaa584e360", + "interface": "internal", + "url": "http://127.0.0.1:35357/v3", + "region": "RegionOne" + }, + { + "id": "8cd4b957090f4ca5842a22e9a74099cd", + "interface": "public", + "url": "http://127.0.0.1:5000/v3", + "region": "RegionOne" } ], - "endpoints_links": [], + "id": "c5d926d566424e4fba4f80c37916cde5", "type": "identity", "name": "keystone" } ], + "issued_at": "2002-01-18T21:14:07Z", "expires_at": "2038-01-18T21:14:07Z", + "audit_ids": ["ZzzZ2ZZYqT8OzfUVvrjEITQ", "cCCCCCctTzO1-XUk5STybw"], "project": { "enabled": true, "description": null, @@ -75,9 +125,11 @@ }, "roles": [ { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role1" }, { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role2" } ], diff --git a/examples/pki/cms/auth_v3_token_revoked.pem b/examples/pki/cms/auth_v3_token_revoked.pem index 94a077ba8..0b1ecbf4a 100644 --- a/examples/pki/cms/auth_v3_token_revoked.pem +++ b/examples/pki/cms/auth_v3_token_revoked.pem @@ -1,76 +1,125 @@ -----BEGIN CMS----- -MIINrQYJKoZIhvcNAQcCoIINnjCCDZoCAQExCTAHBgUrDgMCGjCCC7oGCSqGSIb3 -DQEHAaCCC6sEggunew0KICAgICJ0b2tlbiI6IHsNCiAgICAgICAgImNhdGFsb2ci -OiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50cyI6 -IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAg -ICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNm -YmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAg -ICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAgICAgICAgICAgICAg -ICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0 -YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAg -ICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx -LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIg0KICAgICAgICAgICAg -ICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAi -ZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAgICAgInR5cGUiOiAi -dm9sdW1lIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJ2b2x1bWUiDQogICAg -ICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJlbmRw -b2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAg -ICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi -LA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdpb25PbmUi -LA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6 -Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAgICAi -cHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSINCiAgICAgICAg -ICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAg -ICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAgICAgICAgICJ0eXBl -IjogImltYWdlIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJnbGFuY2UiDQog -ICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJl -bmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAg -ICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQv -djEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAg -ICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAg -ICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAu -MTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJiNjYxN2EiLA0K -ICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3 -LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3 -YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQog -ICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAg -ICAgICAgICJ0eXBlIjogImNvbXB1dGUiLA0KICAgICAgICAgICAgICAgICJuYW1l -IjogIm5vdmEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAg -ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN -CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3 -LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdp -b24iOiAiUmVnaW9uT25lIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRl -cm5hbFVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAg -ICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1 -MDAwL3YzIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAg -XSwNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAg -ICAgICAgICAgICAgInR5cGUiOiAiaWRlbnRpdHkiLA0KICAgICAgICAgICAgICAg -ICJuYW1lIjogImtleXN0b25lIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0K -ICAgICAgICAiZXhwaXJlc19hdCI6ICIyMDM4LTAxLTE4VDIxOjE0OjA3WiIsDQog -ICAgICAgICJwcm9qZWN0Ijogew0KICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVl -LA0KICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAg -ICJuYW1lIjogInRlbmFudF9uYW1lMSIsDQogICAgICAgICAgICAiaWQiOiAidGVu -YW50X2lkMSIsDQogICAgICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAgICAg -ICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6 -ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQogICAg -ICAgICJ1c2VyIjogew0KICAgICAgICAgICAgIm5hbWUiOiAicmV2b2tlZF91c2Vy -bmFtZTEiLA0KICAgICAgICAgICAgImlkIjogInJldm9rZWRfdXNlcl9pZDEiLA0K -ICAgICAgICAgICAgImRvbWFpbiI6IHsNCiAgICAgICAgICAgICAgICAiaWQiOiAi -ZG9tYWluX2lkMSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAiZG9tYWluX25h -bWUxIg0KICAgICAgICAgICAgfQ0KICAgICAgICB9LA0KICAgICAgICAicm9sZXMi -OiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgIm5hbWUiOiAicm9s -ZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAg -ICAgICJuYW1lIjogInJvbGUyIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0K -ICAgICAgICAibWV0aG9kcyI6IFsNCiAgICAgICAgICAgICJwYXNzd29yZCINCiAg -ICAgICAgXQ0KICAgIH0NCn0NCjGCAcowggHGAgEBMIGkMIGeMQowCAYDVQQFEwE1 -MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTES -MBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMGCSqGSIb3 -DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2VsZiBTaWdu -ZWQCAREwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAwFCjl3GSGrlil3cLwS11 -1gtc6K3gBSMbc7LviIFk4KDRBvHWEHT1fs/Q4T0Y12P97Uaxh47f2sNgdbsDKSE8 -K/KCeMy+0I7Eo3iDoXKcIRPux1sXFhOX36qLPpY4eWd3Q77MiUPng+78qA3AMPPl -wEcfb2OaYsWmVi9jGsDfAvksF/WO5dg+G9m2l+zcboIJswsKbBJnM5bn8EDHk7bg -YuMnOzqZsoymr6sehOPQ8QTV6kIj1w/gmtkaIH2QtBo78hCqjZ+cFeYy4zDk2HJg -Mf7PDm0hx1G0hJMVxdNzkWoFvLreTzRselsrXrx8Gejof92JyKuBjZq0kBpphOHG -6w== +MIIW/gYJKoZIhvcNAQcCoIIW7zCCFusCAQExDTALBglghkgBZQMEAgEwghUDBgkq +hkiG9w0BBwGgghT0BIIU8HsNCiAgICAidG9rZW4iOiB7DQogICAgICAgICJjYXRh +bG9nIjogWw0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJlbmRwb2lu +dHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAg +ICAgICAgICJpZCI6ICIzYjVlNTU0YmNmMTE0ZjI0ODNlOGExYmU3YTA1MDZkMSIs +DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImFkbWluIiwN +CiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAu +MTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAg +ICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAg +ICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAg +ICAgICAgICAgICAgICAgICAgICAiaWQiOiAiNTRhYmQyZGM0NjNjNGJhNGE3Mjkx +NTQ5OGY4ZWNhZDEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFj +ZSI6ICJpbnRlcm5hbCIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjog +Imh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZj +Zjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjog +InJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwNCiAgICAgICAgICAg +ICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgImlkIjogIjcwYTdl +ZmE0YjFiOTQxOTY4MzU3Y2M0M2FlMTQxOWVlIiwNCiAgICAgICAgICAgICAgICAg +ICAgICAgICJpbnRlcmZhY2UiOiAicHVibGljIiwNCiAgICAgICAgICAgICAgICAg +ICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2Zi +Y2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAg +ICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9 +DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAiaWQiOiAiNTcw +N2MzZmMwYTI5NDcwM2EzYzYzOGU5Y2Y2YTZjM2EiLA0KICAgICAgICAgICAgICAg +ICJ0eXBlIjogInZvbHVtZSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAidm9s +dW1lIg0KICAgICAgICAgICAgfSwNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAg +ICAgICAiZW5kcG9pbnRzIjogWw0KICAgICAgICAgICAgICAgICAgICB7DQogICAg +ICAgICAgICAgICAgICAgICAgICAiaWQiOiAiOTIyMTdhM2I5NTM5NDQ5Mjg1OWJj +NDlmZDQ3NDM4MmYiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFj +ZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0 +dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAg +ICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwN +CiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAg +ImlkIjogImYyMDU2M2JkZjY2ZjRlZmE4YTFmMTFkOTliNjcyYmUxIiwNCiAgICAg +ICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAiaW50ZXJuYWwiLA0KICAg +ICAgICAgICAgICAgICAgICAgICAgInVybCI6ICJodHRwOi8vMTI3LjAuMC4xOjky +OTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdp +b25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0sDQogICAgICAgICAgICAgICAg +ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpZCI6ICIzNzVmOWJhNDU5 +YTQ0NzczOGZiNjBmZTVmYzI2ZTlhYSIsDQogICAgICAgICAgICAgICAgICAgICAg +ICAiaW50ZXJmYWNlIjogInB1YmxpYyIsDQogICAgICAgICAgICAgICAgICAgICAg +ICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg +ICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAg +ICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAg +ImlkIjogIjE1YzIxYWFlNmIyNzRhOGRhNTJlMGEwNjhlOTA4YWFjIiwNCiAgICAg +ICAgICAgICAgICAidHlwZSI6ICJpbWFnZSIsDQogICAgICAgICAgICAgICAgIm5h +bWUiOiAiZ2xhbmNlIg0KICAgICAgICAgICAgfSwNCiAgICAgICAgICAgIHsNCiAg +ICAgICAgICAgICAgICAiZW5kcG9pbnRzIjogWw0KICAgICAgICAgICAgICAgICAg +ICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaWQiOiAiZWRiZDlmNTBmNjY3 +NDZhZTllZDExZGMzYjFhZTM1ZGEiLA0KICAgICAgICAgICAgICAgICAgICAgICAg +ImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAgICAgICAi +dXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQz +NWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJy +ZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAg +ICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaWQi +OiAiOWUwM2M0NmM4MGEzNGExNTljYjM5ZjVjYjA0OThiOTIiLA0KICAgICAgICAg +ICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJpbnRlcm5hbCIsDQogICAgICAg +ICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92 +MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAg +ICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAgICAg +ICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAg +ICAgICAgICAgICAgICAiaWQiOiAiMWRmMGI0NGQ5MjYzNGQ1OWJkMGUwZDYwY2Y3 +Y2U0MzIiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJw +dWJsaWMiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInVybCI6ICJodHRwOi8v +MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2 +NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv +bk9uZSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s +DQogICAgICAgICAgICAgICAgImlkIjogIjJmNDA0ZmRiODkxNTRjNTg5ZWZiYzEw +NzI2YjAyOWVjIiwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJjb21wdXRlIiwN +CiAgICAgICAgICAgICAgICAibmFtZSI6ICJub3ZhIg0KICAgICAgICAgICAgfSwN +CiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzIjogWw0K +ICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAi +aWQiOiAiYTQ1MDFlMTQxYTRiNGUxNGJmMjgyZTdiZmZkODFkYzUiLA0KICAgICAg +ICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAgICAg +ICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcv +djMiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25P +bmUiDQogICAgICAgICAgICAgICAgICAgIH0sDQogICAgICAgICAgICAgICAgICAg +IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpZCI6ICIzZDE3ZTMyMjdiZmM0 +NDgzYjU4ZGU1ZWFhNTg0ZTM2MCIsDQogICAgICAgICAgICAgICAgICAgICAgICAi +aW50ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAgICAgICAgICAgICAgICAg +ICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTozNTM1Ny92MyIsDQogICAgICAgICAg +ICAgICAgICAgICAgICAicmVnaW9uIjogIlJlZ2lvbk9uZSINCiAgICAgICAgICAg +ICAgICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAg +ICAgICAgICAgICAgImlkIjogIjhjZDRiOTU3MDkwZjRjYTU4NDJhMjJlOWE3NDA5 +OWNkIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAicHVi +bGljIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEy +Ny4wLjAuMTo1MDAwL3YzIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdp +b24iOiAiUmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAg +ICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAiaWQiOiAiYzVkOTI2ZDU2NjQy +NGU0ZmJhNGY4MGMzNzkxNmNkZTUiLA0KICAgICAgICAgICAgICAgICJ0eXBlIjog +ImlkZW50aXR5IiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJrZXlzdG9uZSIN +CiAgICAgICAgICAgIH0NCiAgICAgICAgXSwNCiAgICAgICAgImlzc3VlZF9hdCI6 +ICIyMDAyLTAxLTE4VDIxOjE0OjA3WiIsDQogICAgICAgICJleHBpcmVzX2F0Ijog +IjIwMzgtMDEtMThUMjE6MTQ6MDdaIiwNCiAgICAgICAgImF1ZGl0X2lkcyI6IFsi +Wnp6WjJaWllxVDhPemZVVnZyakVJVFEiLCAiY0NDQ0NDY3RUek8xLVhVazVTVHli +dyJdLA0KICAgICAgICAicHJvamVjdCI6IHsNCiAgICAgICAgICAgICJlbmFibGVk +IjogdHJ1ZSwNCiAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6IG51bGwsDQogICAg +ICAgICAgICAibmFtZSI6ICJ0ZW5hbnRfbmFtZTEiLA0KICAgICAgICAgICAgImlk +IjogInRlbmFudF9pZDEiLA0KICAgICAgICAgICAgImRvbWFpbiI6IHsNCiAgICAg +ICAgICAgICAgICAiaWQiOiAiZG9tYWluX2lkMSIsDQogICAgICAgICAgICAgICAg +Im5hbWUiOiAiZG9tYWluX25hbWUxIg0KICAgICAgICAgICAgfQ0KICAgICAgICB9 +LA0KICAgICAgICAidXNlciI6IHsNCiAgICAgICAgICAgICJuYW1lIjogInJldm9r +ZWRfdXNlcm5hbWUxIiwNCiAgICAgICAgICAgICJpZCI6ICJyZXZva2VkX3VzZXJf +aWQxIiwNCiAgICAgICAgICAgICJkb21haW4iOiB7DQogICAgICAgICAgICAgICAg +ImlkIjogImRvbWFpbl9pZDEiLA0KICAgICAgICAgICAgICAgICJuYW1lIjogImRv +bWFpbl9uYW1lMSINCiAgICAgICAgICAgIH0NCiAgICAgICAgfSwNCiAgICAgICAg +InJvbGVzIjogWw0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJpZCI6 +ICJmMDNmZGE4ZjhhMzI0OWIyYTcwZmIxZjE3NmE3YjYzMSIsDQogICAgICAgICAg +ICAgICAgIm5hbWUiOiAicm9sZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAg +ICAgew0KICAgICAgICAgICAgICAgICJpZCI6ICJmMDNmZGE4ZjhhMzI0OWIyYTcw +ZmIxZjE3NmE3YjYzMSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIi +DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJtZXRob2RzIjog +Ww0KICAgICAgICAgICAgInBhc3N3b3JkIg0KICAgICAgICBdDQogICAgfQ0KfQ0K +MYIBzjCCAcoCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYD +VQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlPcGVuU3RhY2sx +ETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVu +c3RhY2sub3JnMRQwEgYDVQQDDAtTZWxmIFNpZ25lZAIBETALBglghkgBZQMEAgEw +DQYJKoZIhvcNAQEBBQAEggEAh4ESJgQ+2tuZrQdOUGXKi5uO56bbX5c15WdhPcHA +gXK4TUXC8Gb0pTyAGXXWkHwErf+7NHrZbA5Y8zqTor8qjig+tT8Ywh82lzY+mXOE +HgnkKNoGUmgv1auJuECjysLHX6T5c0AUOxPSBvCQtvmGl33/riX5/gM+D/Dkptul +iEOGXZc/S8qoOJE/SoJnFhimbJ7BuECKO8euTXeQrpKVyAULTm0RSQogWMTlXHzk +hY71+Qn0dpp4ZCQTKaFO2u6aYQ2fjJ3BlH8UK0edIUJ4cHqKfMm/TCiIHQ/jbEOp +cy83wzZMoDNK+7r/fxdUz7CJA1r2LrbWJMOhDVgKIYE6TA== -----END CMS----- diff --git a/examples/pki/cms/auth_v3_token_revoked.pkiz b/examples/pki/cms/auth_v3_token_revoked.pkiz index 67823fd3d..cf27adff0 100644 --- a/examples/pki/cms/auth_v3_token_revoked.pkiz +++ b/examples/pki/cms/auth_v3_token_revoked.pkiz @@ -1 +1 @@ -PKIZ_eJylVsmSozgQvesr5l7R0Symyhz6wG5oS5jFgLixtDEY7PLC-vUjYXd31Sw1PTOOcNgIZerle7no0yfykTXDRL8p0KMPnwA0zdWywNbXU2zuuwxJTqacyNpiUhRZXCqSow2KL63kYntRC6gYFVnfLQ3FOxuemfJAdbSVlNBFSSuK6PpttJiUu9VpaT6bq2uZrawuaYIqV-7PcSjscTPU8fzsjiAPt1dTsQ4px-6TcFHapfxiNsI-Dbfkv1TGhnjDYd1G3Lw2mGVfmE19MKsT-XU7kIb6a1qLr7GqlTuPvvxpnBtBi0OBeW_s1hmHxiSSmSQUW0A9pcfgmipvPB_dOm30NtffOkb73NCvKZdRlCkJlThna3A3iLt0Fdxiz6ThEGO3T7m6zVfw--Z9bLAEaeD5NHbFOuUrt7fLZQegb_LrSmqhshjsquDRhLu80jpUuSVq8BQ3VoWn7YRUyMb-fo8qucEcXtihVaIKDwBxWrlWpDJrgiON6Y7IqmOu7tKD2D5QvaYkrIzyo79HASiM_4MCUBg_UKyCMjXqKggseJdpz-Qr6Xk9LgdYZfSAfl1pz7aa8agUOegtOYAMk4srck6DKuRDBk5BbRsaB424iqtCwI3JoUrjsWeJEVXj6AqZ8ZC5Ea8kkdj6rm_Qxiu5S4juGSteye8lG0ms-i2nMn6X7Y4sv5L8qCg_4N_K9p6vwwhs36SE_WclwN95fuf4A3LBO3Z9U4Azu38mLAnZfcxtZ4ekIg-ZIVJEE4i44TVtbhP1HLKsuFbeV2PaiBz-IMXBr5FFk8uhIbVU-7fSg4-1n08e4zB_TbnFjOg70T4nzPIDUsItqfuRlO_1lzJQoRwthvWEGVzFDYBcXGIOsnByJhRuF9jHfdygxlbrElfkjZ_v50Q7yixpZa-Y_aVi-ut4_ypc8FGuY068kRxg_txo0I7kRZvwsARUjihirrTjEh5oV6LwLnFUT7nxIwv_Nt3BP0tI-dnyax5Pdy4eKV7ONh64SyRs0uaeZbQa44hW3hBsD_09C1cuk6mnbj1pIxqpIsS5f5oIJyxAI5FlnGH2eWiRMkb_ZMhCVepnREc2B_TUfFX3j9hfYzILcqNmvn1A3J03Nqe2ZLAETGKIh3vzIKPM0KeMz7usccpZlSZYZEY9xhHa4ciZkcFKmmyF6aHHDMDWnZHAGpB66hF7evQF8RpH8N0AefSILjXIhDr-VA08oI8pN9Sw_J4LwRRH5mNOut08_h7D9o3U8zwFhPXdvOhrDxWcPwzV-kD7A333xpiEFHcJFxxAxNPT7jDho3XFyvtNjz074pzAZ8WdbyhSduqLYmUAqdBkaBoH8v0GnVOvSFgNHEfXeo2FzrVXnPnZ0Hor2E7aGkoHQ2K3miJDxWG0AWiV5MgFCmQp85UAsWkjCDkpbRKSB2XpvnkPLZ-X67RGDA7RBbpar_az4zXQ-v36R977Wg0V-OP6Qm4vluTikIQhZDwhswmklDo63h2tG3EE8aRtoWzOJ0kDXG-54BqXsp-EeRuHjiKR0-Qe61_7hSrtT73qvL1PaTKQHXo30qTi8A1d3G3mrSX5pubCKREZlaxEeZF0qnqe3Gq0mmcvvB763tW0W69v-s-RDqpRgZnLY1x4BMViY3G8gDiW3cTRsolW2uc0MOVLyz_fal5dtTiSq7TstR2f2eNmoWKwQVmIxW25t-zzywnrqrEbO_VsuJd1bWtQ1vTyKWg3ngtbQfl80c8Xd0wydeAbqJRPVxcMHty3SBcuQd0vfX_h9ofRwuYUcmWwGJJ8SL7mJRwCzcebvLt5SqHwT_LGzgaxZ3aFBBzm5Ww_7faNib7K_nR4sXH7ujkdrPPlZSva8pNYtf1zPY0o6XtJv52T6LwNfIlbdkJvSQxA-XNVOzJ7Vlipvh6Dk_2UC0vmcxS3tiN9-QLmC62G1J-X298BCSOhiw== \ No newline at end of file +PKIZ_eJydWEt3ozgT3etXfPucPgPCpOPFLHgZ47FEwDws7QxODELYTvzA8OunsJ3uPDrT6a9z-uSE4FLdqntvlfLtG_wzHdej_7PIrP_hGyKeR4qGTf7ZcK845tQIcmsDzx5sy7LHgWUEzsmKjLG5ip_tFbFcYVnWNnCt2ZM78zIN2YEzNhbwcBM7q9WT-dBOlAzvZVZ6t954V2ZpoizcYZW38PNoV-buqMu15TGvg3I-a1bIW0-OmZt0ntisUm1XLtKg9Euj5MLoeB0WvssGLCIttWVJakcjLi9Jyk604wXFHkakc8qpZZRZPdrzGZxiTdoMnySZTYZTy_zu1bLqg3s1awjmFYuK2nedjohAZ2JSINqZNROjmkQ5ZtGypIKcvLKBD-hFlsbnbPJ6uOORVz4myg4OkA9jc5vXSTfHIwWdowuvId1qT2xnT6IiJsK5JVFwS-zl4hxsbUJWW8m0Ht6rrNahRJD6YTkabrl9gcLd4Z6l8tC_AAXdcusMq8qwWixS_RFq9CZDdC7Y9UNzfH548taXVCF4CQU-n7YcT1Q-6z8YyhzTdjE3lUU6PJwhZOtkl1lvcS_d5MBSXXkXVLB5WGTucP3SNcRTvcrd4TZbh69aqSt8PqlZSuWlA6Mq62Gd65G02QXWZjkOG4BwdySRp02FcSDW4OSLlUY7dlwK50hFWNKaAR_g5C7uqE1UHhUFFdA5zAZ-OikRFUAKfCkgtGbd47pUeCI5lsesGh6AH33614J6HROJpFGssJrWiESOwoWn-DaVQJATq2ONRYZKbF69ItMBatLyeiSuZOshyxxqhgBPH13N6-ZcvMU4VHJ7c5x2TkvbQXOGFm0GtMvxVGOnaccUJngNrCwZJipQOehoGgPfWcMhJR84zwT8KloWl6JdoZQXmvN0uc2wfp_V8Rk2ehEPjcKC1UHLXaJQAV_upKAuiEdUJxoFei8qntKiJ9wj8KEnWQ8D5TUvGL5yfpwAcaT4Vbs-6xb6ars-6xb6j3aB9h2Np6B71zsxUSkkqrAPwSkGiDbAgQ5CG6Xk0K7eXUBdeu5eqQwSXqaqvAjnqj4Ra6BQAR0QELz1o0BDBCIRDF9dIf2UQh8czDpavPeEHwF7TYDVvUgA_b8aeCkq-lnVClLyeg38Ca11RITXVxf4XamkqxRqQyA71llNFD_lFbVzBdyq5eWvaY1e8_qLtNaBXG1P6x4a-h1Vf9q819CIdawOawpaoG5Sg0MXqPd4kgJVUw_TblJCb99Q9XdMRZ9T9WtFRe_NgnZJDdQtaF_IKFBAxp0P06inNY8g7c7DPJIFu5IPvWbfIlULjt9iJ1EiiBgVLI0xE54GCh1w11FJHTdgPBj5bqwTu4AXyPsRt87c0aHHf60J2HzYZBjaOCb9gMn6OqH3hWJpuF-kg3Ow5XyyuzCyUJZj43ba3p2IyPsaQUudW9_ONUStISazwQer-qpTod_2Pw1LbsuaRib0n2nU5iBjULDtnMC9OgSTGR6Agbif9_8qMphUzQdo6DNsX4WG_tSFX6D5aQwLB1EQrckA3KWD_oL7SsEE0blI4Luh-FFR-v1i8R_URn_mwkFP7QOZ3WHwSTA2gADzTdCIgOaTfrRhWKIEFyvwAxCXcDR2ofoVyuC68lx0EWFdoremOaq4MEtqhxWkDj4ZVgAL2mhK4gYQHDwTUwm233prdXmeTMuxbK7UFbDGNMt5-M6JJzW1DQVWvtK3-ykVQsYrHey-ZJ3TwJbmgUiM1k8T8d6Js3qI2Y8JnRz42Dz2nLgsnfuzvaF3Y7vgrrqFFn7F2jqonYpoC4RpPxYqflWoN5BqR6GRceqnEklhMjERShKFvecNSL9c1Lzm9qrnufoyRD7Oi4szg_R36Gsc6Ckca-DE3Xu29p44-4yuBAcwM2LYi70-MxiowYBgT_XdUNI0KVgUDxB1YZwL44-c-HWm6G2qIBDbALqSj04sfz3eAII3YDhQ-tFGO0MnLsgXO6pvBy2LvLZ3YNBA44PQuPVxDYAdKZSQ9nY5rt7gZ11ypjO3Y9BE0AJUYGO_NzFQLwH7B1bWtEI8it-78TOfy27p9qm-nJh0fO5dV_3wmKWj7cuV6MeW9nNjl7BgnjGChanXvl8_JIfnZ5cF9HIoernm8Dk_LnBSzbX-tMn1xddT68M757sDuq7xxTKFOvQXj-vQ8OT29kFu2lRueZ4Eg0jb1knCcV5vR7MkDC_0pjaC6WcHmCrJeHtPZipL0p0aq6HO1vn5Wge0hWteIvloWCwv87OFVrdT0MM0cgYosT3ov6P4wtBS2EIeI9cy8k2zWo1dY-WYxHMr-P9Agk1jGcxOgmDkNDAbg11jBcxG8MB1mkkSd86UGJVrqLFjmcQKFOfkCCMwVzQxjTyyEqpmta4vQUCgxBkxjfO7yCrIJNJMmUmqgNqeSeg0dnM-aeo0xfRHSyNHEov8uPLCjXdihCxFUFU916BNdWJkfaD1JdC0Hra8c2JieueTjBOZxjjZ8dKMFunywFO4V8NhyGzY6J9mYBvFprGD15dwxzQDA-7TjtGOxMIPR9FjE37XlON2OLSOB7sjD972Dj3vk-d2KBcPs-i21Uf3T1YNbT7l2DUf13g_cx-GOztaP5Uj9n3HlcmoCOybMtQmpSKD5BQhO1wbnuf8VQxq81BFdydp7pVVfCrNm25YBtSST48zfdt8V7ARb2Ot3DaMTjl_rr2tk_ylofomW_jOatpsRxv_xr9ZVVYs75RsIBUdVHqzte-8gzmYPVZW87zOHruTtDb5Kdb8h0X2qHkomd3WT8Pd6GCnj3KCT-U8NZXn440q0yM7TXLn4K6G08aLk0qtd_e3M3pj4XEi56UbYWMNV1823R3Nm6ySHdnj1nkw_MhV8NPqefKPqdLh-AFnnXW_N-82BSmq2VgeqvvWHAyCv_9G5z-CONT--QeRfwEmaLr4 \ No newline at end of file diff --git a/examples/pki/cms/auth_v3_token_scoped.json b/examples/pki/cms/auth_v3_token_scoped.json index 082c1b11c..0fd000a0d 100644 --- a/examples/pki/cms/auth_v3_token_scoped.json +++ b/examples/pki/cms/auth_v3_token_scoped.json @@ -5,13 +5,17 @@ ], "roles": [ { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role1" }, { + "id": "f03fda8f8a3249b2a70fb1f176a7b631", "name": "role2" } ], + "issued_at": "2002-01-18T21:14:07Z", "expires_at": "2038-01-18T21:14:07Z", + "audit_ids": ["VcxU2JYqT8OzfUVvrjEITQ", "qNUTIJntTzO1-XUk5STybw"], "project": { "id": "tenant_id1", "domain": { @@ -26,84 +30,100 @@ { "endpoints": [ { + "id": "3b5e554bcf114f2483e8a1be7a0506d1", "interface": "admin", "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne" }, { + "id": "54abd2dc463c4ba4a72915498f8ecad1", "interface": "internal", "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne" }, { + "id": "70a7efa4b1b941968357cc43ae1419ee", "interface": "public", "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne" } ], + "id": "5707c3fc0a294703a3c638e9cf6a6c3a", "type": "volume", "name": "volume" }, { "endpoints": [ { + "id": "92217a3b95394492859bc49fd474382f", "interface": "admin", "url": "http://127.0.0.1:9292/v1", "region": "regionOne" }, { + "id": "f20563bdf66f4efa8a1f11d99b672be1", "interface": "internal", "url": "http://127.0.0.1:9292/v1", "region": "regionOne" }, { + "id": "375f9ba459a447738fb60fe5fc26e9aa", "interface": "public", "url": "http://127.0.0.1:9292/v1", "region": "regionOne" } ], + "id": "15c21aae6b274a8da52e0a068e908aac", "type": "image", "name": "glance" }, { "endpoints": [ { + "id": "edbd9f50f66746ae9ed11dc3b1ae35da", "interface": "admin", "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne" }, { + "id": "9e03c46c80a34a159cb39f5cb0498b92", "interface": "internal", "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne" }, { + "id": "1df0b44d92634d59bd0e0d60cf7ce432", "interface": "public", "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne" } ], + "id": "2f404fdb89154c589efbc10726b029ec", "type": "compute", "name": "nova" }, { "endpoints": [ { + "id": "a4501e141a4b4e14bf282e7bffd81dc5", "interface": "admin", "url": "http://127.0.0.1:35357/v3", "region": "RegionOne" }, { + "id": "3d17e3227bfc4483b58de5eaa584e360", "interface": "internal", "url": "http://127.0.0.1:35357/v3", "region": "RegionOne" }, { + "id": "8cd4b957090f4ca5842a22e9a74099cd", "interface": "public", "url": "http://127.0.0.1:5000/v3", "region": "RegionOne" } ], + "id": "c5d926d566424e4fba4f80c37916cde5", "type": "identity", "name": "keystone" } diff --git a/examples/pki/cms/auth_v3_token_scoped.pem b/examples/pki/cms/auth_v3_token_scoped.pem index e11cf0347..ae3f4f37c 100644 --- a/examples/pki/cms/auth_v3_token_scoped.pem +++ b/examples/pki/cms/auth_v3_token_scoped.pem @@ -1,98 +1,125 @@ -----BEGIN CMS----- -MIIR5gYJKoZIhvcNAQcCoIIR1zCCEdMCAQExCTAHBgUrDgMCGjCCD/MGCSqGSIb3 -DQEHAaCCD+QEgg/gew0KICAgICJ0b2tlbiI6IHsNCiAgICAgICAgIm1ldGhvZHMi -OiBbDQogICAgICAgICAgICAicGFzc3dvcmQiDQogICAgICAgIF0sDQogICAgICAg -ICJyb2xlcyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAibmFt -ZSI6ICJyb2xlMSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQogICAg -ICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICB9DQogICAg -ICAgIF0sDQogICAgICAgICJleHBpcmVzX2F0IjogIjIwMzgtMDEtMThUMjE6MTQ6 -MDdaIiwNCiAgICAgICAgInByb2plY3QiOiB7DQogICAgICAgICAgICAiaWQiOiAi -dGVuYW50X2lkMSIsDQogICAgICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAg -ICAgICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFt -ZSI6ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAg -ImVuYWJsZWQiOiB0cnVlLA0KICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVs -bCwNCiAgICAgICAgICAgICJuYW1lIjogInRlbmFudF9uYW1lMSINCiAgICAgICAg -fSwNCiAgICAgICAgImNhdGFsb2ciOiBbDQogICAgICAgICAgICB7DQogICAgICAg -ICAgICAgICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0K -ICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQog +MIIW7gYJKoZIhvcNAQcCoIIW3zCCFtsCAQExDTALBglghkgBZQMEAgEwghTzBgkq +hkiG9w0BBwGgghTkBIIU4HsNCiAgICAidG9rZW4iOiB7DQogICAgICAgICJtZXRo +b2RzIjogWw0KICAgICAgICAgICAgInBhc3N3b3JkIg0KICAgICAgICBdLA0KICAg +ICAgICAicm9sZXMiOiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAg +ImlkIjogImYwM2ZkYThmOGEzMjQ5YjJhNzBmYjFmMTc2YTdiNjMxIiwNCiAgICAg +ICAgICAgICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAgICAgICAgIH0sDQogICAg +ICAgICAgICB7DQogICAgICAgICAgICAgICAgImlkIjogImYwM2ZkYThmOGEzMjQ5 +YjJhNzBmYjFmMTc2YTdiNjMxIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJy +b2xlMiINCiAgICAgICAgICAgIH0NCiAgICAgICAgXSwNCiAgICAgICAgImlzc3Vl +ZF9hdCI6ICIyMDAyLTAxLTE4VDIxOjE0OjA3WiIsDQogICAgICAgICJleHBpcmVz +X2F0IjogIjIwMzgtMDEtMThUMjE6MTQ6MDdaIiwNCiAgICAgICAgImF1ZGl0X2lk +cyI6IFsiVmN4VTJKWXFUOE96ZlVWdnJqRUlUUSIsICJxTlVUSUpudFR6TzEtWFVr +NVNUeWJ3Il0sDQogICAgICAgICJwcm9qZWN0Ijogew0KICAgICAgICAgICAgImlk +IjogInRlbmFudF9pZDEiLA0KICAgICAgICAgICAgImRvbWFpbiI6IHsNCiAgICAg +ICAgICAgICAgICAiaWQiOiAiZG9tYWluX2lkMSIsDQogICAgICAgICAgICAgICAg +Im5hbWUiOiAiZG9tYWluX25hbWUxIg0KICAgICAgICAgICAgfSwNCiAgICAgICAg +ICAgICJlbmFibGVkIjogdHJ1ZSwNCiAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6 +IG51bGwsDQogICAgICAgICAgICAibmFtZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAg +ICAgIH0sDQogICAgICAgICJjYXRhbG9nIjogWw0KICAgICAgICAgICAgew0KICAg +ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg +IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpZCI6ICIzYjVlNTU0YmNmMTE0 +ZjI0ODNlOGExYmU3YTA1MDZkMSIsDQogICAgICAgICAgICAgICAgICAgICAgICAi +aW50ZXJmYWNlIjogImFkbWluIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1 +cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4 +YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdp +b24iOiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAgICAg +ICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaWQiOiAi +NTRhYmQyZGM0NjNjNGJhNGE3MjkxNTQ5OGY4ZWNhZDEiLA0KICAgICAgICAgICAg +ICAgICAgICAgICAgImludGVyZmFjZSI6ICJpbnRlcm5hbCIsDQogICAgICAgICAg +ICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82 +NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAg +ICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAg +ICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg +ICAgICAgICAgImlkIjogIjcwYTdlZmE0YjFiOTQxOTY4MzU3Y2M0M2FlMTQxOWVl +IiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAicHVibGlj +IiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4w +LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN +CiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0K +ICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAg +ICAgICAgICAgICAiaWQiOiAiNTcwN2MzZmMwYTI5NDcwM2EzYzYzOGU5Y2Y2YTZj +M2EiLA0KICAgICAgICAgICAgICAgICJ0eXBlIjogInZvbHVtZSIsDQogICAgICAg +ICAgICAgICAgIm5hbWUiOiAidm9sdW1lIg0KICAgICAgICAgICAgfSwNCiAgICAg +ICAgICAgIHsNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzIjogWw0KICAgICAg +ICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaWQiOiAi +OTIyMTdhM2I5NTM5NDQ5Mjg1OWJjNDlmZDQ3NDM4MmYiLA0KICAgICAgICAgICAg +ICAgICAgICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAg +ICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQog +ICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAg +ICAgICAgICAgICAgICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAg +ICAgICAgICAgICAgICAgICAgICAgImlkIjogImYyMDU2M2JkZjY2ZjRlZmE4YTFm +MTFkOTliNjcyYmUxIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZh +Y2UiOiAiaW50ZXJuYWwiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInVybCI6 +ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAg +ICAgICAgInJlZ2lvbiI6ICJyZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAg +IH0sDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAg +ICAgICJpZCI6ICIzNzVmOWJhNDU5YTQ0NzczOGZiNjBmZTVmYzI2ZTlhYSIsDQog +ICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogInB1YmxpYyIsDQog ICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6 -ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg -ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAg -ICAgICAgICAgICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg -ICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJpbnRlcm5hbCIsDQogICAg +OTI5Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJl +Z2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAg +IF0sDQogICAgICAgICAgICAgICAgImlkIjogIjE1YzIxYWFlNmIyNzRhOGRhNTJl +MGEwNjhlOTA4YWFjIiwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJpbWFnZSIs +DQogICAgICAgICAgICAgICAgIm5hbWUiOiAiZ2xhbmNlIg0KICAgICAgICAgICAg +fSwNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzIjog +Ww0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAg +ICAiaWQiOiAiZWRiZDlmNTBmNjY3NDZhZTllZDExZGMzYjFhZTM1ZGEiLA0KICAg +ICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAg ICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3 -Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAg -ICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAg -ICAgICAgICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAg -ICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJwdWJsaWMiLA0KICAgICAgICAg -ICAgICAgICAgICAgICAgInVybCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEv -NjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAg -ICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdpb25PbmUiDQogICAgICAgICAgICAg -ICAgICAgIH0NCiAgICAgICAgICAgICAgICBdLA0KICAgICAgICAgICAgICAgICJ0 -eXBlIjogInZvbHVtZSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAidm9sdW1l -Ig0KICAgICAgICAgICAgfSwNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAg -ICAiZW5kcG9pbnRzIjogWw0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAg -ICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImFkbWluIiwNCiAgICAgICAg -ICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3Yx -IiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25l -Ig0KICAgICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7 -DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImludGVybmFs -IiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4w -LjAuMTo5MjkyL3YxIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24i -OiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAg -ICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNl -IjogInB1YmxpYyIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0 -dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAg -ICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfQ0K -ICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1h -Z2UiLA0KICAgICAgICAgICAgICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAg -ICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50 -cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAg -ICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAg -ICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2Zi -Y2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAg -ICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9 -LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAg -ICAiaW50ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAgICAgICAgICAgICAg -ICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJj -YzUzNDM1ZThhNjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAg -ICAgInJlZ2lvbiI6ICJyZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0s +NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAg +ICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAg +ICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAg +ICAgICAgICAgICAgICAgICAiaWQiOiAiOWUwM2M0NmM4MGEzNGExNTljYjM5ZjVj +YjA0OThiOTIiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6 +ICJpbnRlcm5hbCIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0 +dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNm +ODliYjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAi +cmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAg +ICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaWQiOiAiMWRmMGI0 +NGQ5MjYzNGQ1OWJkMGUwZDYwY2Y3Y2U0MzIiLA0KICAgICAgICAgICAgICAgICAg +ICAgICAgImludGVyZmFjZSI6ICJwdWJsaWMiLA0KICAgICAgICAgICAgICAgICAg +ICAgICAgInVybCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNm +YmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAg +ICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAg +fQ0KICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgImlkIjogIjJm +NDA0ZmRiODkxNTRjNTg5ZWZiYzEwNzI2YjAyOWVjIiwNCiAgICAgICAgICAgICAg +ICAidHlwZSI6ICJjb21wdXRlIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJu +b3ZhIg0KICAgICAgICAgICAgfSwNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAg +ICAgICAiZW5kcG9pbnRzIjogWw0KICAgICAgICAgICAgICAgICAgICB7DQogICAg +ICAgICAgICAgICAgICAgICAgICAiaWQiOiAiYTQ1MDFlMTQxYTRiNGUxNGJmMjgy +ZTdiZmZkODFkYzUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFj +ZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0 +dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjMiLA0KICAgICAgICAgICAgICAgICAgICAg +ICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0s DQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAg -ICJpbnRlcmZhY2UiOiAicHVibGljIiwNCiAgICAgICAgICAgICAgICAgICAgICAg -ICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUz -NDM1ZThhNjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAg -InJlZ2lvbiI6ICJyZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0NCiAg -ICAgICAgICAgICAgICBdLA0KICAgICAgICAgICAgICAgICJ0eXBlIjogImNvbXB1 -dGUiLA0KICAgICAgICAgICAgICAgICJuYW1lIjogIm5vdmEiDQogICAgICAgICAg -ICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMi -OiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAg -ICAgICJpbnRlcmZhY2UiOiAiYWRtaW4iLA0KICAgICAgICAgICAgICAgICAgICAg -ICAgInVybCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAg +ICJpZCI6ICIzZDE3ZTMyMjdiZmM0NDgzYjU4ZGU1ZWFhNTg0ZTM2MCIsDQogICAg +ICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImludGVybmFsIiwNCiAg +ICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMToz +NTM1Ny92MyIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogIlJl +Z2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwNCiAgICAgICAgICAgICAg +ICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgImlkIjogIjhjZDRiOTU3 +MDkwZjRjYTU4NDJhMjJlOWE3NDA5OWNkIiwNCiAgICAgICAgICAgICAgICAgICAg +ICAgICJpbnRlcmZhY2UiOiAicHVibGljIiwNCiAgICAgICAgICAgICAgICAgICAg +ICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YzIiwNCiAgICAgICAg ICAgICAgICAgICAgICAgICJyZWdpb24iOiAiUmVnaW9uT25lIg0KICAgICAgICAg -ICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAg -ICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAg -ICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTozNTM1Ny92 -MyIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogIlJlZ2lvbk9u -ZSINCiAgICAgICAgICAgICAgICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAg -ew0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6ICJwdWJsaWMi -LA0KICAgICAgICAgICAgICAgICAgICAgICAgInVybCI6ICJodHRwOi8vMTI3LjAu -MC4xOjUwMDAvdjMiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6 -ICJSZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAg -ICAgICBdLA0KICAgICAgICAgICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwNCiAg -ICAgICAgICAgICAgICAibmFtZSI6ICJrZXlzdG9uZSINCiAgICAgICAgICAgIH0N -CiAgICAgICAgXSwNCiAgICAgICAgInVzZXIiOiB7DQogICAgICAgICAgICAiZG9t -YWluIjogew0KICAgICAgICAgICAgICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAg -ICAgICAgICAgICAgICAibmFtZSI6ICJkb21haW5fbmFtZTEiDQogICAgICAgICAg -ICB9LA0KICAgICAgICAgICAgIm5hbWUiOiAidXNlcl9uYW1lMSIsDQogICAgICAg -ICAgICAiaWQiOiAidXNlcl9pZDEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHK -MIIBxgIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgT -AkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8G -A1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFj -ay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgERMAcGBSsOAwIaMA0GCSqGSIb3 -DQEBAQUABIIBAMq7ffe3ft88hD0EXJfWqkoEGcnal6NmTuLAiCOeQjDxR5TEIx0x -HanKHWAG7Ko/97KgKAAFwOq3hhnbbKbKq7Z3brUNPXNRwBd3RusUrsLQOWwwKAsF -acD8a4XXx6oC8dTsuFivDtMNb1JvBRIWcZXznOtn/bkFcvVhOQ+Af93c9xPBUpMq -1667DbVKWRJEsMrcf5r7wYRQBtAKZU3CAjbNDighdTJWwF7TIWZycnF3OHYmu5J2 -wvcuB8ex+xRvf1lw1qnb3lC43A4M1KqhnHPpWUrpmAFnzAcYwc7ts2iCqD/UwVBP -YcXU8kk8bY6leNJKR9xjHcIfW8SnREZVbXA= +ICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAg +ICAiaWQiOiAiYzVkOTI2ZDU2NjQyNGU0ZmJhNGY4MGMzNzkxNmNkZTUiLA0KICAg +ICAgICAgICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwNCiAgICAgICAgICAgICAg +ICAibmFtZSI6ICJrZXlzdG9uZSINCiAgICAgICAgICAgIH0NCiAgICAgICAgXSwN +CiAgICAgICAgInVzZXIiOiB7DQogICAgICAgICAgICAiZG9tYWluIjogew0KICAg +ICAgICAgICAgICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAg +ICAibmFtZSI6ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9LA0KICAgICAg +ICAgICAgIm5hbWUiOiAidXNlcl9uYW1lMSIsDQogICAgICAgICAgICAiaWQiOiAi +dXNlcl9pZDEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCB +njEKMAgGA1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQH +DAlTdW5ueXZhbGUxEjAQBgNVBAoMCU9wZW5TdGFjazERMA8GA1UECwwIS2V5c3Rv +bmUxJTAjBgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNV +BAMMC1NlbGYgU2lnbmVkAgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASC +AQAKyFuKuktH9YR3TfKG4NAEBXDkEAkWA+fVWREyEnYoCYE2YDiqrVRwpFqR6p0V +PGRUPcDLTtPw+6p+ywNbP3F3AU0LNqjs3zl8HxvHij91CzZOQIykUcX4ToLJhBAD +shZzSucjk5y9zTLN4bl+AX/NJ/GYT2chFVjYJUW+sbIVoT5u0V9K602OV9OAyvpY +a0YzFmnEzplkg2U0qzZjx5b143ASQnaCtaf4rK7HCOIz11I6aaL3yhGSxnqE6yyA +9FdYOwB14E1GWeLVx0xeM8D/qMesqANsk0WQ19LnvKB7ry5EnDCGeBRYTMR+u0B2 +gnCYSRs9m+gg1rL889d53c/q -----END CMS----- diff --git a/examples/pki/cms/auth_v3_token_scoped.pkiz b/examples/pki/cms/auth_v3_token_scoped.pkiz index d687c03b7..3365dfe51 100644 --- a/examples/pki/cms/auth_v3_token_scoped.pkiz +++ b/examples/pki/cms/auth_v3_token_scoped.pkiz @@ -1 +1 @@ -PKIZ_eJy9V8lyo0gQvddXzN3RYUCgNoc-FItYTCGBEEvdWCwWscjWwvL1UyDJ3W577J6YiFGEDlUFmS_zvcxKvn0jP0FWNPMvEa3HxTeANE1X2kB_bLCWnWMTWrHYkD1JEkXRSkVoyZ3oQFVINy9SikSlEEWhTxVx_aystWgGJEtWYUg2u52cprH71OtUxBzLKNfmmnrIY1U_h5VbJOJljRX-GHjlSSualDx7AoFHl-NCq-xz5C32Ucmfxj201g6aqO_x-KKo7yKGzkKP24ae1Wk1NZ6VUbXIQaS4u9FAouo0XrfEEJdF3iZf5jBPFJcY4yifmfY6LR_P7TJmzD70BSr0-BMYX45q9xCJ42E5GdNqe7R-Shb8Hktyvh0N1_qZOBvGc292yMn5Ea-1OSBQ-ojpCGSdN0Th-68I4oo_YEfLt-4E-Yh9u4kY-2Kk19vANweQMHyPRT0xRJhjP2tDXy9jms-mpIlajyTEGg7sDEdmXUnrloVMLQs48_IpRwUIfDuLFL7-HRo5ZAgyekQzGfe4Xazw-6i2X8NIfP0ALgxkVKLCudE_dKiIT0hkW6OQ50spnpk5z6D1A2MqGoMLswoqszAdRKHBLZeKzACk4AIXKRdUGmMW8iy40kc8lXGFs4C55CPw7GPosROauHLrkYHROSDZLTFTnqMdf8K3RNZuH134bxLVbpf5wxk52swo4IiO5CGdmUNwTgr5DMzCzgmwAVd6EQybwZQQjZ0sMwuhCpiAXXp6bhZBZzLy5J2IicK-XgWeWV4QVOWJCKYnyTtMQrkhyicEPfaSfcRwq6jaTHog8qXjqp3CClWbArHUnI1B7s1-TByB6DSsOcSMMQs6YwiooMAVYnAeMIhGgzWY3oYNnKDFlVktpTIHQUGOnCS7yPSCBleL4kplm3j6IfTQu-TdkIJb8vxJrjYXK9c6ICpMxkIbC0d9o486UhankZ3RKPgngXyqD0fj0KQP7QD-DecfUQ6-5nzXE48j5_8fjRwiXkca_4QZ8FmMvzMTenSGmVckU-u7ViN3Tir507L9J1bAa9mKIy3sH6nvV_GBD2LMsELvo0vHuSaRvba4S7gOw70KDHwpmi_Qgc_gfYDuKjrSeMULQvAVxK8Qgv-SwBEh-Lfl-7tGwE0kAcMfY9Wl8AcXTMi4XDwjd2f1vsWDPy1hNPZLJyZFhd4UFbhVlVYtdtF4bb8vqPVnBQXGivqgoIg3RJs9SW7_8T1xRTDOB-37hJV_fleAn41j0yIJvovxNcRaoIOq2wf9W4mDEc7mjYDo6aZO1LK9qQ-TQSNRSurplT53wL5GQhlb2m20uc5Ev3Tf17Fm2nNuLc2acnCblYDPlLvLcAF_fZmOGbd_O9rcppfRu36dlWgebB1FhHHTpqmqwFQWkKbsyP8JWU0rwkByLWshtzKNrEMrWtNakVvd3QyygeBOAZDeyKKARIuSO7mAlpCargBjR3RNOqo4LiHNlsBfIwEq07MZ0p2ZUEalSZEEvwBky63UTpYNuc0M7JdDohD6HLlEInodKMk8qUM78H7K2oURMQSi-mLJqMisNMgbJGiTJ9ghY8O4B5wLTuglJ-xZIiTOhDZYPLasBLOmlaxABz9HXFkQLEimVRnmJ3OlLmcvbKSdqMYrmzCrm95WXJ12CpbiH4Ln1O5ZzC2aZ6DndyU-zU7DXS1QL_Ndjdd-JsAIqbs9v3To5N5fB9zLshOf-uql6beRHX3H4Xy_hxWW6AqsHh-d7_NktVXtxxXTR2yhoe3cWAcs_bxqnxTBqRUha-onmROWuZpIXC05Em0v1vaB1bI50P2ZKjyrfXi33B4XFO47K4lXsKyFx7vW2Id3ZyKK9OUQMH7ztHPNY-vcQ38ZZliW5ORlDQYlpPYnVmg1NNNgWvIzt33g7oXy0LVwkMU8rNSu3g6ORWFa9GAxHL1NWqSxkdqqeL4HK0GEBs73RVma-_uGClnlMehWZR49Gdvvq8UiiqvZ1jZ0-OMHmD4xZFP6-bnxN6RCLsw= \ No newline at end of file +PKIZ_eJylWEl34rwS3etXvH2fPu0BElh6wthBcmw8IO2wnWDLNiRh8PDrXwlId4bu70u_lyxycKBUt-reWyW-f4cf3bId8h8DL8WL7wg7Ds5b6t7tmFOcMqL5mbGDZ2vTMEzbNzTf6oxQm-ub6MXcYMPmhmHsfNtYPttLJ1WR6VtzbQ0Pt5G12Tx1D70rpcqhTkvnxpnvyzSJpbU9rbIeXs_2ZWbPhkzNT1njl6tlu0HO1j2ldjw4fLdJ1H25TvzSK7WScW1gTVB4Nh3REPfErEvcWCq2WYkT2pGBFURxFIQHq1wYWpk2swNbwimG26dKV-OlO10Y-q3T1JUI7jS0xQqraFg0nm0NmPtjyt0CkUFvKJ81OMwUGuYl4bhzyhY-MC7SJDpnkzXTPQud8jGW9nBA_TDXn7ImHlbKTELn6Nxp8bA5YNM64LCIMLducOjfYDNfn4NtdcjqqaaqgCeyCk5pMnsSdUKiUD9x29MDTerjSqkrvHTEaUeayPUFwvVD9fT87AJRKxFLxgVtupoZoupBnyeR-ODT-bXhSuL_6TZ4hEM-Qcvt-IhoMpZWyvnh9Q1BnSmkX690aZ1Mj-L0dBvv0_kZP6eroEjt6fa1ayKDKrOnT3DKm1aOJbZyG5qQa_qzKgVol3rEfXrJbpfPgxZ55eSEQ0ddcO2IjVHn8Y1KBnrKuXUiPChJQ4EPcPIQDcTEMguLgnDonEJHXuKWiHAghXLhArRm-5o2EKxmSn1Kq-mRXQp6rYszUB7XJIwk2pAG4dCSGHckzyQ1EKSjTaTSUJOxyao3ZDpCwXrWzPiVbAJynUFBEeAR0eWsac-VXc8DKTN3p8Vg9aQftWdo4W5EhkxZqLRbDFSinDXAypIqWAYq-wNJIuA7bRmk5AHnKYd_hXlxKdoVSnmhOUvyp1QZ36dNdIaNXklEwgD44PfMxhLh8Gu7BbFBPLzqSOiPhahYQgpmWuUjqBBUe4aBsoYVVLlyfh6XqV3z37XrT91CX23Xn7qF_qFdoH1LZQno3nY6yisJh5XiQXCiAEQT4EAHoY11zaBdwl2cbTDO7CvPQcK5ENKZ3ldP4JEKCuXQAQ7Bey_0VYQhElbgdyhqLyHQB0uhAyk-Cec14BY0AQp-lQD6XzXwWlT0q6oVpOQIDfwNrccIc0dUF_hdyXioJGJCIDMa0wZLXsIqYmYSuFXPyt_TGr3l9RdpPQZy9YLWAhr6N6r-snmnJSEdaBM0BLRA7LgBhy6Q8HicAFUTRyGDW0Jv31H135iK_kzVrxUVfTQLMsQNULcgopChL4GMBw-mkaA1CyHtwVFYWBf0Sj70ln3rRC6Y8h47DmOO-aygSaRQ7qig0BGzLRk3UQvGoyDPjsbYLOAN-OOI26b27CjwX2tSp03Qpgq0cY7FgElFndDHQtEkOKyT0TlYvnL3F0YWUj7Xbhb9pMM8EzWCllo3npmpiBhTBS9Hn6zqq06F_rX_SVAys25IqEP_qUpMBjIGBZtWB-41IJjM8AAMxP5z_68ig5nYfoKG_oTtq9DQ37rwKzQviWDhwBIiDR6BuwzQX3DfmlOOx4zH8FeTvLAoPbFY_AO10d-5sC-ofcTLiQI-CcYGEGC-cRJi0HwsRpsCSxRnfAN-AOLilkovVL9CGV1XnosuQmVco_emOasY10tiBhWkDj4ZVAAL2qjX2PYhOHimQmqw_d7Zyvl5MuXzur1Sl6eK3Oar4IMTuw0xNQlWvtIzxZQKIOPNGOy-pIPVwpbmgEi03kti_tGJ02aq0J8TOj6yuX4SnLgsnYezvaEPY7tgtiy2r69Y2wC1kxHpgTD950JFbwr1DlJjSSTUOjGVcAKTifKgxmEgPG-ExXLRsIaZG8Fz-XWIfJ4XF2cG6e_R1zggKByp4MTDR7YKT1z-ia5Y8WFmRLAXOyIzGKj-CCuO7NlBTZK4oGE0QsSGcc61v3Lit5mi96mCQEwN6Io_O3H9-_EGEJwRVXxJjDYyaGNsg3wVS_ZMv6eh0wsHBg20HgiNGZ_XANiRghrSfsrn1Tv8dIjPdGZmBJrwe4AKbBR7EwX1YrB_YGVDKsTC6KMbv7BVPeS2SPX1xHhgK-fTqi9ajP6fVV8ciq6nypkS9--39ivzzqe7l3V_e97YizwByLPpE4P5gMSAcGrGH2ZRv6zrLjaL-4eGxfGW9esqduPZdTZG4zi26juoV_RQTbpFXMTrIQ5RPK_LvHfP2l6vyJAncSXuQj-vQqbz-6vQVp5i6uioh4ukllFxwWw3a7_dsFFncM3RNyTWtSjUwqgzBs29vIZpWMch9vet4VMz9n0HWa1r-qG1xLpma3Jk6R12IzU-pttaoQlc_wKntbTzm--str7P4JoTqbAWK_vOCrV7dIm8Dw3rUD-sCNxax1DlqHXeXYcrHcbPr_ZG-kkEyiAQgkjHVHW3OPBba3M-ybTaQ8iSrnFm5IlBQAaIrHf3Z43om-q5qEobTVtJB_wzTVtCHfQyJe6ErBKVzTaj52ktJzfLb5v18ZmC1e32cXCI5qRZzslkMg823voBTYYq2m8GfXVblmo0dM3LjN3xqVkYCzr6sV1KyTqii1l6WDem8cKauebfL3da5hH1YX0kB3S3s8JH95Yrw_PIcQ-yjZenh4leSlL5GLTsx2EXLshhkdaPVjtbG_2tGo-Ml930B6tGP4y9h0aBP1TLYtZNb8udfW9NW0t2T1M6dLvxMdzcDMroZlOOlIexdFw6M4Ybgp-rKB-k7Y2fHb4hecCPk-Tbg_zUV3f7LNaH2_HtbLr99qwVnTxedF1u3DkvvgwjZpJr_SLQ_Uh6Zg-LZnFaqgnaNo8_3Nq_XZh-86yufGsepL68H-fDj6bFE6dcNhN0_rLDIuavLz7-Cz0ItdI= \ No newline at end of file diff --git a/examples/pki/cms/revocation_list.json b/examples/pki/cms/revocation_list.json index 2c239e53e..766c69c94 100644 --- a/examples/pki/cms/revocation_list.json +++ b/examples/pki/cms/revocation_list.json @@ -1,20 +1 @@ -{ - "revoked": [ - { - "expires": "2112-08-14T17:58:48Z", - "id": "dc57ea171d2f93e4ff5fa01fe5711f2a" - }, - { - "expires": "2112-08-14T17:58:48Z", - "id": "4948fb46f88c41af90b65213a48baef7" - }, - { - "expires": "2112-08-14T17:58:48Z", - "id": "dc57ea171d2f93e4ff5fa01fe5711f2a" - }, - { - "expires": "2112-08-14T17:58:48Z", - "id": "4948fb46f88c41af90b65213a48baef7" - } - ] -} +{"revoked": [{"expires": "2112-08-14T17:58:48Z", "id": "db98ed2af6c6707bec6dc6c6892789a0"}, {"expires": "2112-08-14T17:58:48Z", "id": "15ce05fd491b79791068ed80a9c7f5e7"}, {"expires": "2112-08-14T17:58:48Z", "id": "db98ed2af6c6707bec6dc6c6892789a0"}, {"expires": "2112-08-14T17:58:48Z", "id": "15ce05fd491b79791068ed80a9c7f5e7"}]} \ No newline at end of file diff --git a/examples/pki/cms/revocation_list.pem b/examples/pki/cms/revocation_list.pem index a86d6d34e..e37f9de4a 100644 --- a/examples/pki/cms/revocation_list.pem +++ b/examples/pki/cms/revocation_list.pem @@ -1,24 +1,20 @@ -----BEGIN CMS----- -MIIEGAYJKoZIhvcNAQcCoIIECTCCBAUCAQExCTAHBgUrDgMCGjCCAiUGCSqGSIb3 -DQEHAaCCAhYEggISew0KICAgICJyZXZva2VkIjogWw0KICAgICAgICB7DQogICAg -ICAgICAgICAiZXhwaXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsDQogICAg -ICAgICAgICAiaWQiOiAiZGM1N2VhMTcxZDJmOTNlNGZmNWZhMDFmZTU3MTFmMmEi -DQogICAgICAgIH0sDQogICAgICAgIHsNCiAgICAgICAgICAgICJleHBpcmVzIjog -IjIxMTItMDgtMTRUMTc6NTg6NDhaIiwNCiAgICAgICAgICAgICJpZCI6ICI0OTQ4 -ZmI0NmY4OGM0MWFmOTBiNjUyMTNhNDhiYWVmNyINCiAgICAgICAgfSwNCiAgICAg -ICAgew0KICAgICAgICAgICAgImV4cGlyZXMiOiAiMjExMi0wOC0xNFQxNzo1ODo0 -OFoiLA0KICAgICAgICAgICAgImlkIjogImRjNTdlYTE3MWQyZjkzZTRmZjVmYTAx -ZmU1NzExZjJhIg0KICAgICAgICB9LA0KICAgICAgICB7DQogICAgICAgICAgICAi -ZXhwaXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsDQogICAgICAgICAgICAi -aWQiOiAiNDk0OGZiNDZmODhjNDFhZjkwYjY1MjEzYTQ4YmFlZjciDQogICAgICAg -IH0NCiAgICBdDQp9DQoxggHKMIIBxgIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkG -A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNV -BAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEW -FmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgER -MAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBAGMtzsHJdosl27LoRWYHGknORRWE -K0E9a7Bm4ZDt0XiGn0opGWpXF3Kj+7q86Ph1qcG9vZy20e2V+8n5696//OgMGCZe -QNbkOv70c0pkICMqczv4RaNF+UPetwDdv+p0WV8nLH5dDVc8Pp8B4T6fN6vXHXA2 -GMWxxn8SpF9bvP8S5VCAt7wsvmhWJpJVYe6bOdYzlhR0yLJzv4GvHtPVP+cBz6nS -uJguvt77MfQU97pOaDbvfmsJRUf/L3Fd93KbgLTzFPEhddTs1oD9pSDckncnZwua -9nIDn2iFNB/NfZrbqy+owM0Nt5j1m4dcPX/qm0J9DAhKGeDUbIu+81yL308= +MIIDVwYJKoZIhvcNAQcCoIIDSDCCA0QCAQExDTALBglghkgBZQMEAgEwggFcBgkq +hkiG9w0BBwGgggFNBIIBSXsicmV2b2tlZCI6IFt7ImV4cGlyZXMiOiAiMjExMi0w +OC0xNFQxNzo1ODo0OFoiLCAiaWQiOiAiZGI5OGVkMmFmNmM2NzA3YmVjNmRjNmM2 +ODkyNzg5YTAifSwgeyJleHBpcmVzIjogIjIxMTItMDgtMTRUMTc6NTg6NDhaIiwg +ImlkIjogIjE1Y2UwNWZkNDkxYjc5NzkxMDY4ZWQ4MGE5YzdmNWU3In0sIHsiZXhw +aXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsICJpZCI6ICJkYjk4ZWQyYWY2 +YzY3MDdiZWM2ZGM2YzY4OTI3ODlhMCJ9LCB7ImV4cGlyZXMiOiAiMjExMi0wOC0x +NFQxNzo1ODo0OFoiLCAiaWQiOiAiMTVjZTA1ZmQ0OTFiNzk3OTEwNjhlZDgwYTlj +N2Y1ZTcifV19MYIBzjCCAcoCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMRIwEAYDVQQKDAlP +cGVuU3RhY2sxETAPBgNVBAsMCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlz +dG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDDAtTZWxmIFNpZ25lZAIBETALBglg +hkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAEggEAVsD6Zy+bXz9D9ZJ32CbG4ggTisgs +4vZw9xemVMQ9J8+3iLWE2Z+NrqO1T4Q81iu9cKZ/zTFuu99B5X9ZHE57QLrOd+Jb +Ld3E8HYVj8ZpGQfXAcq3ybIkT2SeEddQmW+MlHHkkfu41D1dQ8jgkIcbLjpeRCFk +GA5Zj6Xdnozos/qMLqd1o4ufJ+dQAeFH/fviLkS5fiTPK6GmhqkwBQgffkOHTo/S +xZQeq7GhFKijg5p60AZRc1Q+WlrmkY9W0FrX7bt6iJodWBc2YSEZ5Mr7BpvIu5JH +rg282z/D4Xwj+USzn7jvqZFlmkG9o6s6YKjsrIpnPFH92EWv0+D5NuOuOA== -----END CMS----- diff --git a/examples/pki/cms/revocation_list.pkiz b/examples/pki/cms/revocation_list.pkiz index 600fce027..566d33180 100644 --- a/examples/pki/cms/revocation_list.pkiz +++ b/examples/pki/cms/revocation_list.pkiz @@ -1 +1 @@ -PKIZ_eJx9VEuPszgQvPMr9h6NQgIhk8N3MMaACTaBmJdvCZMxGMhjkgmPX79kRtq9rNYXq0ul6u7qVr-9Tc9EDqZ_QbJ_BW8KwdhiXe5tLxyXz4KCsICXCQstCMHYQRCiHjLgmiL-sgSBjpzwpHPg_ubs8VFTrBC54DCBsYqEsL3T4A0848_DMqmxvIhUu1c8K7tD5jXFgA0M8UAYGnwGdJ8hVUkspAUy1gMZ6mmF7xh6Vw5fRK_Ox1jjKerpaNekzVdkGau8zRe8RR1JeUNZ0SskzYd87218aK5xm-iF00wVkCqoQEUk6kmldgFUe2qHk9BlEVgXNbAvlQ9BdUjDSnkRqVWrgcOnn7eBVUpq2SWXdZfLfDGJjDkL9by1Gy6L6nPfianN5uSa16JNRuXVJ5a4Jww_iCUehEUxYYVBmTCoVR5w1QncNj9-4DaSlH00OUMaScNhSjIqnEUtl0mbM9DzNl7QEfVceiU-q3fs_r-BL_-U_zYQq8FUNm-xSttcDxyiktRuA2ZWVMaTCC2n6qo8TVqFDt4my9ReCHc77YTZC2wCBs2rBc2zRFsChAMWMTIjYlKGfALq37gkMElIr8AReKagiQkEAzU1SYQ7BHIrCUMXdQ37SFffp4yXRyfukQThL_fCYLzpeLpiyodjy8OIIgLef5RhT_B-mawKLXoe27j3GJCmqG9lXTmbTjVhiKZmHs0po-pxuWqU0PlRGn-EhtWzaIvetsD-NxNhcEGbo5OLeNmcj21SA_FKVjjm_h6ADh8UAtR_9npaaxOEMTAnLwBePp4BLmXIWNlG3VbvrrPtiQexUW7rJVjJVTHLKFesvvOb53c2y3nfroKr_4HPWybJU5LKEN9F1blaEoPLEt9um4GU7jwrV4_30NvPxp29rpSZE9w6fjULI9zSqsSXWt34unwcYvmpzz_XiIe0nEtSfz6-gVaWj2__0JzrPF0PCCzvtnI-rXdREidG9V7NbmsBV_6mymo9HLTrEoxi53yWtrEjc_U6DtJ71MbzfWfCehrqqf-qb0q011N5z0mktafnQvrah6d2TEBxvsEi0o7hw_LnxL3Gxs2AJyPULAcZZR0GOHJPZzRX6GXHb1Y-J5pO3aO8k1ulj14d6C75KgSo8sN8zOaD2Y1P9P2F_yg_dwhR69-b9Dc2l4GQ \ No newline at end of file +PKIZ_eJx9VElzszgUvPMr5p5KBbPY5vAdtGAsYokAYr0ZbIvdSXDM8usHO1Uzl6lRlQ6v1dVPr6vrvb4uB5oWYX8h6j-KV4kSgvmQ2O_XlBT3nAE3R9cFczFCYB4QcM0RcbCHIvjGgiKrWvBwsJD_ZfkkUyXsmntwXMBANoXY2efJntI4vR-VsCbVVURqX6ZxMRxju8knsiaITJSb04ED7cBNWQqxqTpVoDmVq0Ul6QmyP1P0INp1UtVaGrlTEiVKMicqxacyjaiSWvRRaw4nquTgpqDINg4IbkgbarnVLD-gpVOCklbmSEt5cJA8sp07svm6cvBVdnbX8oBAeYzcUnoSeVilHKzS1pUdvivZXKsONwdWFU2KxZDwpmJKskp5Xl78QSxjNuc9_MzbcJYec5KKjJSTG8XiRrkXUJ6vGRdrhosjKQdB2ubpB2m90uEPUbtIq7RiVT5ITLGbZE7r5S6A0GmVa05kDqSTe7L_fwMf_kn_bSAZWcQaisM2xa5OI7KMlOuUA8WxwtrBsHAiqqZV2Ehsso04lkch9u9LJuAoCAQcwU-MYFeZ7xQIC6wCE3oUMm4eKKh_68X6MKSjhGZgQ8FCCAQHNYPUI4MJEhy67t4cGn6K9J9znBaZFYxmBdxf7pWjwBjSSOfSydpVx9n0KNg-ldFIia-Eeq5696wNRpuDCor6q6hLyxhkiFwz2rW35hwzOVP0RnKtp9L8FJr0e97m4w4D_7cT5WjFmsxKRKA0XdaGNRCPZrkF_d4BAzlKFMj_5HqJNQRuAODiBbA6rf6eRvvnxNOEXlRFvHdXtj-D2MuMDbqiuOSiVyTx85Y18dtloKfvw9Y6COXzJ_HkTQxFddXXd9pjQ0uJNxW5v2p2t9K4n939bRN_buvM2zZSl43GpXcKOgb7g9eN5bU8A4Ovpvpjm96TUC0SdI5rkhQfAmsNAKBlX4aRjtDz1bw3JfzxEs-rlyC587XbvrHI-6k20ZK7S3cmcCP4-qCX330gf90ocs9fRD31H4bl95O2t-_QkyAks7u5mNRDFgc4q7W2eVnj8cVudd_ZyuxedvOIKkdd3nLTWn26qmeFZqeKaRbKUer7oxdoU54lAAHDeNeDGd38aisaK94dV3k3akrnd8ohu9gfK_pHeu4hk-F_d9Lf2fB_ww== \ No newline at end of file diff --git a/examples/pki/gen_cmsz.py b/examples/pki/gen_cmsz.py index 6840c08e5..35a6a8f8c 100644 --- a/examples/pki/gen_cmsz.py +++ b/examples/pki/gen_cmsz.py @@ -12,9 +12,10 @@ # License for the specific language governing permissions and limitations # under the License. -import json import os +from oslo_serialization import jsonutils + from keystoneclient.common import cms from keystoneclient import utils @@ -44,7 +45,7 @@ def generate_revocation_list(): 'id': id, "expires": "2112-08-14T17:58:48Z" }) - revoked_json = json.dumps({"revoked": revoked_list}) + revoked_json = jsonutils.dumps({"revoked": revoked_list}) with open(make_filename('cms', 'revocation_list.json'), 'w') as f: f.write(revoked_json) encoded = cms.pkiz_sign(revoked_json, @@ -83,6 +84,7 @@ def generate_der_form(name): SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM) f.write(derform) + for name in EXAMPLE_TOKENS: json_file = make_filename('cms', name + '.json') pkiz_file = make_filename('cms', name + '.pkiz') @@ -91,12 +93,12 @@ def generate_der_form(name): # validate the JSON try: - token_data = json.loads(string_data) + token_data = jsonutils.loads(string_data) except ValueError as v: raise SystemExit('%s while processing token data from %s: %s' % (v, json_file, string_data)) - text = json.dumps(token_data).encode('utf-8') + text = jsonutils.dumps(token_data).encode('utf-8') # Uncomment to record the token uncompressed, # useful for debugging diff --git a/examples/pki/gen_pki.sh b/examples/pki/gen_pki.sh index b8b28f9dc..f3a3fddb0 100755 --- a/examples/pki/gen_pki.sh +++ b/examples/pki/gen_pki.sh @@ -42,7 +42,7 @@ function generate_ca_conf { [ req ] default_bits = 2048 default_keyfile = cakey.pem -default_md = default +default_md = sha256 prompt = no distinguished_name = ca_distinguished_name @@ -69,7 +69,7 @@ function generate_ssl_req_conf { [ req ] default_bits = 2048 default_keyfile = keystonekey.pem -default_md = default +default_md = sha256 prompt = no distinguished_name = distinguished_name @@ -90,7 +90,7 @@ function generate_cms_signing_req_conf { [ req ] default_bits = 2048 default_keyfile = keystonekey.pem -default_md = default +default_md = sha256 prompt = no distinguished_name = distinguished_name @@ -122,7 +122,7 @@ private_key = $dir/private/cakey.pem default_days = 21360 default_crl_days = 30 -default_md = default +default_md = sha256 policy = policy_any @@ -157,14 +157,14 @@ function check_error { function generate_ca { echo 'Generating New CA Certificate ...' - openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes + openssl req -x509 -newkey rsa:2048 -sha256 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes check_error $? } function ssl_cert_req { echo 'Generating SSL Certificate Request ...' generate_ssl_req_conf - openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes + openssl req -newkey rsa:2048 -sha256 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes check_error $? #openssl req -in req.pem -text -noout } @@ -172,7 +172,7 @@ function ssl_cert_req { function cms_signing_cert_req { echo 'Generating CMS Signing Certificate Request ...' generate_cms_signing_req_conf - openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes + openssl req -newkey rsa:2048 -sha256 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes check_error $? #openssl req -in req.pem -text -noout } @@ -191,11 +191,6 @@ function issue_certs { check_error $? } -function create_middleware_cert { - cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem - cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem -} - function check_openssl { echo 'Checking openssl availability ...' which openssl diff --git a/examples/pki/private/cakey.pem b/examples/pki/private/cakey.pem index 1c93ee18c..9c204c500 100644 --- a/examples/pki/private/cakey.pem +++ b/examples/pki/private/cakey.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCl8906EaRpibQF -cCBWfxzLi5x/XpZ9iL6UX92NrSJxcDbaGws7s+GtjgDy8UOEonesRWTeqQEZtHpC -3/UHHOnsA8F6ha/pq9LioqT7RehCnZCLBJwh5Ct+lclpWs15SkjJD2LTDkjox0eA -9nOBx+XDlWyU/GAyqx5Wsvg/Kxr0iod9/4IcJdnSdUjq4v0Cxg/zNk08XPJX+F0b -UDhgdUf7JrAmmS5LA8wphRnbIgtVsf6VN9HrbqtHAJDxh8gEfuwdhEW1df1fBtZ+ -6WMIF3IRSbIsZELFB6sqcyRj7HhMoWMkdEyPb2f8mq61MzTgE6lJGIyTRvEoFie7 -qtGADIofAgMBAAECggEBAJ47X3y2xaU7f0KQHsVafgI2JAnuDl+zusOOhJlJs8Wl -0Sc1EgjjAxOQiqcaE96rap//qqYDTuFLjCenkuItV32KNzizr3+GLZWaruRHS6X4 -xpFG2/gUrsQL3fdudOxpP+01lmzW+f25xRvZ4VilWRabquSDntWxA0R3cOwKFbGD -uuwbTw3pBrRfCk/2IdpQtRrvvkVIFiYT6b/zeCQzhp4RETbC0oxqcEEOIUGmimAV -9cbwafinxCo54cOfX4JAh3j7Mp3eQUymoFk5gnmIeVe0QmpH2VkN7eItrhEvHKOk -On7a5xvQ8s3wqPV5ZawHQcqar/p3QnGkiT6a+8LkIMECgYEA2iJ2DprTGZFRN0M7 -Yj4WLsSC3/GKK8eYsKG3TvMrmPqUDaiWLIvBoc1Le59x9eoF7Mha+WX+cAFL+GTg -1sB+PUZZStpf1R1tGvMldvpQ+5GplUBpuQe4J0n5rCG6+5jkvSr7xO+G1B+C3GFq -KR3iltiW5WJRVwh2k8yGvx3agyUCgYEAwsKFX82F7O+9IVud1JSQWmZMiyEK+DEX -JRnwx4HBuWr+AZqbb0grRRb6x8JTUOD4T7DZGxTaAdfzzRjKU2sBAO8VCgaj2Auv -5nsbvfXvrmDDCqwoaD2PMy+kgFvE0QTh65tzuGXl1IgpIYSC1JwnP6kOeUDbqE+k -UXzfVZzDdvMCgYByk9dfJIPt0h7O4Em4+NO+DQqRhtYE2PqjDM60cZZc7IIICp2X -GHHFA4i6jq3Vde9WyIbAqYpUWtoExzgylTm6BdGxN7NOxf4hQcZUEHepLIHfG85s -mlloibrTZ4RH06+SjZlhgE9Z7JNYHvMcVc5HXc0k/9ep15AxYiUFDjFQ4QKBgG7i -k089U4/X2wWgBNdgkmN1tQTNllJCmNvdzhG41dQ8j0vYe8C7BS+76qJLCGaW/6lX -lfRuRcUg78UI5UDjPloKxR7FMwmxdb+yvdPEr2bH3qQ36nWW/u30pSMTnJYownwD -MLp/AYCk2U4lBNwJ3+rF1ODCRY2pcnOWtg0nSL5zAoGAWRoOinogEnOodJzO7eB3 -TmL6M9QMyrAPBDsCnduJ8yW5mMUNod139YbSDxZPYwTLhK/GiHP/7OvLV5hg0s4s -QKnNaMeEowX7dyEO4ehnbfzysxXPKLRVhWhN6MCUc71NMxqr7QkuCXAjJS6/G21+ -Im3+Xb3Scq+UZghR+jiEZF0= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC//gLFHKshdm/9 +4GhxrVGcfpkXl9kDL/oF5ltilI9Qk5kk8RlwmnqCeTezwOgXgQ/xyVak4AqP6Dbh +5joLWK4EZ4MlqQASLbfTjUZkwq9gLwNtwGSI31HcEWXHkR3+ux+jdTTrba/CBZLk +BYUwCrkRyRnFzajTCazb9r+YWtxjXgIcWXfeuaJPQRknfob4m42dpgwWfJIifQRn ++d0w4nv84PquQpIKiwK4Ed9KRgnvmS1zy64XpKcnrQUd4Lik1djzAniIe2IP7kyT +HttqmfOzOkNQ6LEigv9Zfv9QKwb3uprHPCRBJZ3N9hyezbk0ya3mShLz5lCNqE3H +b6JFl7UbAgMBAAECggEAVCmMm03S8utRcrBB+LsqkHiqsb3+AriwWI+/tbo8DO12 +78vFBCij1bg/o8vHsi4AiFRjaAlSd/0queJLxZeNSR77TbIE9vMVp2ZB2n/Bk19o +mF8Dc0C6SMdTn6VMydLLrsL9fMrrhhkdaFnHJeU9db97Tcu22zRdk1taZ/ZEsEXN +5Ij4GSaylemUsdi2GKWCydDje3M60rGRWiVlMAsgyLhGRjBS0dfi2VRSbjE/Mi+d +vrHGWyKfh/Dgmt5XdljubZE6fbogXtksBl/dvHytQIyYddSTYHWJoCHb0DhBV25V +/m5SNTRoBeRtTy9s7UdMxTR9mpPscWCAonCZVh3nQQKBgQDqwE80+CaYInrNlZIM +6rX3sdHgcnlP8a2gSRfkmpTQbf5os6jHBwBp3UAqTpKZd6mjrbXXel4Hj8ccZMW9 +SqReQJiJwENxhvT5Bz7YGERZbVGvchXeeQBjhOy8D+Smv85I+F+cP/7efutrzFgf +M5mwlic5z58ijJlloGzgP4GquwKBgQDRXuJFzfbjY7DS0vgoz5Gh8GTfB/EPZkNL +ULt22Zz6coMpZ+en8HBrc7gSlAjvf3C4MAon344VIaW6bK1tx4amuJVK3gbbk7Kg +9YOkXUg60WaBeX9zed+eljV3LIcgRJ10Zu5rJ8ZCLgp1DTF1kh7afmqyufU5828b +vOOpN+5pIQKBgQC7qpGnntn7tVTHFVN00A44vgcyj1E7/9D12nknYAyns8c2nKnI +smg6OY4aREYeOfN7zlsYr9KL6P0cTdNmyE0urCVFulYwY9tjWc97oarCcwpiX6nr ++H+/D3zRu0Lnq16WJzkICIEQDhbWTr4D85Rh/yfMp5ZoYE4hWGaxvxNCEQKBgQCL +bD4N8fworGhB3E95DdCTIDxr8SPr91N0wgw0NvG8Lal+Vz0CrrCOPX8kkAPrSNhN +L2Bz8QDyvXdZT6ml4yqdt2ljc7rpWc+oNBY3zA6fbHZwXfIrecsaFjkAZVyOdmLL +8wdtwAzcYUCBdgmrm2SEZ46x+fd9Ychplj2coCxZQQKBgEtdtXU93fZ6vUUTN6Rj +DbWQPxktPClfBvxEr7jfdMLO33UziVQU9ZoXpj5fplWFtjLw09W1bNa6VYKGkcVK +ZYCHni/J440p7v9NvHZHX8kqYkFvzs0djFXzkLTzSKk6ErDMjvWUcQq7IvB3JLNo +xrS0SJBTBskGUKX/1OEP69B1 -----END PRIVATE KEY----- diff --git a/examples/pki/private/signing_key.pem b/examples/pki/private/signing_key.pem index 758c0ffe1..ddf3066d5 100644 --- a/examples/pki/private/signing_key.pem +++ b/examples/pki/private/signing_key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDM+VrILLl962VH -S8EKWVzdkaOy0OoxGZ63gajM7VTm8AbgtVnYibIOnVZQuz1XbftIGNXPFhYNUypr -LnMXrEEsnxgD4PvU/4bETG+stdricX6d1oKqsNFNR7F7zImiR/OzGhp7dONwccxf -kfX4QHA5Ogso+XMfSdC72SRDszeCeGUcjuo/w2WSLW95SuVvcZLqE/pk3Q2TkCZ1 -8hvNfLoln43QpC469a7srUXATqOJ2mPNvL6E/wOyPefmAoCoG44lFoR3k2jZjBEI -hstJxmH7XgvqErBzpcWd29dms8xz5PNwYdns9CIfb3GaHvQ6r5RTl37/avDrGHOW -KOoD01xLAgMBAAECggEAaIi22qWsh+JYCW9B6NRAPyN6V8Sh2x6UykOO4cwb45b/ -+vOh+YPn0fo9vfhvxTnq0A8SY4WBA5SpanYK7kTEDEyqw7em1y7l/RB6V5t7IMb+ -6uIuS3zXkVEB3AApJSEK0Ql7/gBTydHPh+H5jnzWfujyLhhhtNBBarvH+drZcWio -lWx8RERN4cH+3DZD/xxjH2Ff+X1XMvb8Xcup7MlWi2FtREg7LttLNWNK25iWjciP -QwfWQIrURRJrD2IrOr9V2nuIEvRqRRBoO+pxJT2sC48NJ3hiKV2GtSQe2nRpQJ47 -f9MEsF5KVQOOn+aQ60EKOI0MpNPmpiCZ5hFvBrNuOQKBgQD6vueEdI9eJgz5YN+t -XWdpNippv35RTD8R4bQcE6GqIUXOmtQFS2wPJLn7nisZUsGMNEs36Yl0T9iow63r -5GNAfgzpqN1XZqaSMwAdxKmlBNYpAkVXHhv+1jN+9diDYmoj9T+3Q6Zvk5e/Liyp -6i+TsDppwmmr2utWajhyJ7owFwKBgQDRROncTztGDYLfRcrIoYsPo79KQ8tqwd2a -07Usch2kplTqojCUmmhMMFgV2eZPPiCjnEy2bAYh9I/oj7xG6EwApXTshZdCpivC -rbUV64MakRTUP8IvM6PdI+apkJRsRUi/bSyIbcRlvEoCMNZhfj/5VY6w/jlwrPJj -oBOCXBlB7QKBgQDGEbEeX1i03UfYYh6uep7qbEAaooqsu5cCkBDPMO6+TmQvLPyY -Zhio6bEEQs/2w/lhwBk+xHqw5zXVMiWbtiB03F1k4eBeXxbrW+AWo7gCQ4zMfh+6 -Dm284wVwn9D1D/OaDevT31uEvcjb2ySq3/PPLSEnU8xXVaoa6/NEsX8Q5wKBgQCm -2smULWBXZKJ6n00mVxdnqun0rsVcI6Mrta14+KwGAdEnG5achdivFsTE924YtLKV -gSPxN4RUQokTprc52jHvOf1WMNYAADpYCOSfy55G6nKvIP8VX5lB00Qw4uRUx5FP -gB7H0K2NaGmiAYqNRXqAtOUG3kyyOFMzeAjWIdTJqQKBgQCHzY1c7sS1vv7mPEkr -6CpwoaEbZeFnWoHBA8Rd82psqfYsVJIRwk5Id8zgDSEmoEi8hQ9UrYbrFpLK77xq -EYSxLQHTNlM0G3lyEsv/gJhwYYhdTYiW3Cx3F6Y++jyn9O/+hFMyQvuesAL7DUYE -ptEfvzFprpQUpByXkIpuJub6fg== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCexnPwhsvNj1jp +pRg/gvHeisN0NWaHTs/RHboV3nHyzfsx13fUHd+X+YR3+HPI9MgMSPKn3mm45znn +xJKBwuFvg007FMKtcexbwDx2053Eh83j6gRPMCqeKXxbmQITMT+eZ0yQvzfLdTNZ +VKmEwDYEwgMrLcjibi7jHNN1AajvGzhswibAHXLAT6XWJH8nK1r+WaLHWh39zpmp +D7Vspo0j0PP5TOMeRZuRmqGFKm/ZqG7rDKdLXuzDJM1mIpUqmQVh8e3bBkex6DeM +zKmpbbQtIpyRnNMJ7rDa5Hm94nrl8FOk91d6RN8k07h8uh3GWXf/Jtzvy/RdaHcw +51B9dD45AgMBAAECggEAVYj/6LIVlTYGZkiEmaKHfqYuyaoDBB3XIwbquuFNbcq9 +6onzihhV3l+Tl7YHWllUdBnQb9MIDY6zyUJC0xkTramEr7Ftd1cKSBt192Xldnza +1E+75pVCQFaFIit5zLEZXtKzkr8Q5dDLyvIrKNMLxuBmKJrPv/wv0jYzTLOKONUO +BRxEb2c13lvq/RqT4xpxU8wadk/tC4N1tvLGdUnq/+1+GcmswwChBPnYafY+pzF3 +ylyoQUtirIZ0TAkSBwZZGkZC137OPs6CmbBqxLcPT2swUSQpUSAglwG7PklRAW1u +2Qin1gka7J3l6erIYfeJ87C7day+3+uGtlYxplMRIQKBgQDJobPdn/YZakdI4ZaH +YNL67qtO5A410vb0Sm6UXWASAyfRq7nMG1CyWvlfTpPTeao9bBD0oKKIteW7RTo5 +mSozpKOt2Rgb3auyOkuswFbSxRuufgRDayUnyYMaHfhfp/pHEpXg/aiwNckiZ6Mi +iOwIlLN+ytyzadfXZSrlPtVpvQKBgQDJlnD1hnOtWRgWeB4uUXzJPa9MJBK7JLRW ++FSMrUxssw14vScmLO3kV/pN1J++FMkq7Y5ZmOpy34sGc3iMaM+H4JuNCvP5SwtG +626rOm5enH2sKd4BubiZcln5zrjgw/RV/a7aQQep4cQpaEgNoyTAu6BuU0fid6xc +jVQJAXnILQKBgQDII7YB2vHRMGkpsqJUJovFgHqSiFSCoLF4sxkoM7dUqcUwniCC +tOpY32yAaeLaGv4ckdQSvhAXW1Z5mLG+0oXNVTMTMVZ48oOnGa5b/18vP2/GuFdL +BGORJrj3h6AucvI+8ffLqH10yy6m8/A+K2L+8Xtp87s2a21P5J+7ha8YkQKBgB4m +fBqc02xX6PxjVtBCq9FFgpR2yL5ozPg9CBhKSyXu2dL3J4XULnh6mBtP89xwK25a +PXI1Jsurl5WNa7hEbNW7yEgeHUNp7/PZfqHpiVxpN3qqgGPtrSh2K/Lq8kfbxw2d +dat7EnRcKgSvbidsATE6XtJhblz23TayhKEcMWS5AoGBAItYfoHpgnQXk1gXal6e +incHFVTgrUQlDKZ5UQn5/HvK1Gb3mAtPbLWJZ2Ej70lW5BQnBrCLI8188Z6PJY3w +8KJ4T2KOu+9qClnezLy2A+bZ+MU+XZrVv+65vjJ5oGhARmRLmYlasBmxwUEEKqlO +ovIe7UVLD9CyaB+MFxFpFwE6 -----END PRIVATE KEY----- diff --git a/examples/pki/private/ssl_key.pem b/examples/pki/private/ssl_key.pem index 363ce94bd..d339ea213 100644 --- a/examples/pki/private/ssl_key.pem +++ b/examples/pki/private/ssl_key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDL06AaJROwHPgJ -9tcySSBepzJ81jYars2sMvLjyuvdiIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rp -v8dGDIDsxZQVjT/4SLaQUOeDM+9bfkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLY -Wso0SJD0vAi1gmGDlSM/mmhhHTpCDGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1Zrs -lPC5lFvlHD7KBBf6IU2A8Xh/dUa3p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYR -R45pPCVkk6vFsy6P0JwwpnkszB+LcK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4 -YEPirGGrAgMBAAECggEATwvbY0hNwlb5uqOIAXBqpUqiQdexU9fG26lGmSDxKBDv -9o5frcRgBDrMWwvDCgY+HT4CAvB9kJx4/qnpVjkzJp/ZNiJ5VIiehIlbv348rXbh -xkk+bz5dDATCFOXuu1fwL2FhyM5anwhMAav0DyK1VLQ3jGzr9GO6L8hqAn+bQFFu -6ngiODwfhBMl5aRoL9UOBEhccK07znrH0JGRz+3+5Cdz59Xw91Bv210LhNNDL58+ -0JD0N+YztVOQd2bgwo0bQbOEijzmYq+0mjoqAnJh1/++y7PlIPs0AnPgqSnFPx9+ -6FsQEVRgk5Uq3kvPLaP4nT2y6MDZSp+ujYldvJhyQQKBgQDuX2pZIJMZ4aFnkG+K -TmJ5wsLa/u9an0TmvAL9RLtBpVpQNKD8cQ+y8PUZavXDbAIt5NWqZVnTbCR79Dnd -mZKblwcHhtsyA5f89el5KcxY2BREWdHdTnJpNd7XRlUECmzvX1zGj77lA982PhII -yflRBRV3vqLkgC8vfoYgRyRElwKBgQDa5jnLdx/RahfYMOgn1HE5o4hMzLR4Y0Dd -+gELshcUbPqouoP5zOb8WOagVJIgZVOSN+/VqbilVYrqRiNTn2rnoxs+HHRdaJNN -3eXllD4J2HfC2BIj1xSpIdyh2XewAJqw9IToHNB29QUhxOtgwseHciPG6JaKH2ik -kqGKH/EKDQKBgFFAftygiOPCkCTgC9UmANUmOQsy6N2H+pF3tsEj43xt44oBVnqW -A1boYXNnjRwuvdNs9BPf9i1l6E3EItFRXrLgWQoMwryakv0ryYh+YeRKyyW9RBbe -fYs1TJ8unx4Ae79gTxxztQsVNcmkgLs0NWKTjAzEE3w14V+cDhYEie1DAoGBAJdI -V5cLrBzBstsB6eBlDR9lqrRRIUS2a8U9m+1mVlcSfiWQSdehSd4K3tDdwePLw3ch -W4qR8n+pYAlLEe0gFvUhn5lMdwt7U5qUCeehjUKmrRYm2FqWsbu2IFJnBjXIJSC4 -zQXRrC0aZ0KQYpAL7XPpaVp1slyhGmPqxuO78Y0dAoGBAMHo3EIMwu9rfuGwFodr -GFsOZhfJqgo5GDNxxf89Q9WWpMDTCdX+wdBTrN/wsMbBuwIDHrUuRnk6D5CWRjSk -/ikCgHN3kOtrbL8zzqRomGAIIWKYGFEIGe1GHVGo5r//HXHdPxFXygvruQ/xbOA4 -RGvmDiji8vVDq7Shho8I6KuT +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1i9+ydZSypNAk +kVXdzIqZ8E62cqH7i0JGVGBuGdH8ZVF3MDcbi8VwqfNRWoWn9mrJUp5HYDV9t5WX +z25Ej4EnqlJ3WLZvC1e+ldDIInmiULic3iIAgrWbumU3XNLHska/smoVJuLIuFUx +EfRpwGOpguOzAO1M6BKCSwr+TBLYJZxc3F7v1vtwNhisyE5S2H6Q49K0UXHTPjp+ +fLZAHQ5+Yxqwf0KAJqAD3vMo8EwxXlgJu8pQyjjxwtrwnN2WHYoJGt/OOdkLBbzd +upWH9CGcxeVc5hSJ1hEKuYS8AOZIeH6q2MKwT+QiepBsVfuy1JFt4raLht/RcX/W +R8lIAzoFAgMBAAECggEAQbeB0z1s4rMBkgfjt0z6+2A5cNMVT0FiJ3iFpnH6pVZo +i0G4PgMWgKS7nlZf1yg4RFF8UxYIuvDbdJnrpSXTJ06Ka66uhOHARh3KlwXDEBIS +lslMyF4zRM6KMFsDfrbUAJI7mhWiNJ5BDrUDeRookkGZt1rUJ/UknwJ+mri5gmdo +UYyHuelIcVZfX6mkDCKrVHCCNbdnUgWOkXtPi25n4lqjolwEeBx5y4cu4z6tkqxM +2hcnKUyj0YKScnhnTqprkbiMpPST4y8I190Q3Eo0Q8w9hvgEUa1xezfVzICScUjG +VXid7aRyq7sXGmCMWyMUAvc4+5/qanreEU1686CrMQKBgQD7FDKV1pcWGJMoL5VI +xiJ8jpDpnRIL940732ODjCQRgH4K9u40OmZ36W880q6o5ZXLLoWQIYZf5Hs1lq7f +3djqHFqqXtW7P7JU3mW5n/ejbMHlxra4uoTkjR6wUF+g2kW2y4ysI/t8HxSeaVjO +E4cJfoaNufgmgpeKa1QnLrMpqwKBgQD6W+qgx7w2dBXSkYBDhjDoRrCwmqOuWKwG +DMTDrlbu2j7hag6Xdy92CqjGAYXfhny4bpCkFLRjyrDZS4a/cObGKYYG4jVXTYfj +5cqLUiLmQFrZiK0uA7ek+qMp06FJX45iyECJlXX4gNU8e/WMfujlFLwjZ+72znQE +iTMW5xxbDwKBgEBa1vRtAmDZf66HM75peqFucVpPtjZ3By5XfcxT+VK7GpN442lj +pqwJm0d9wOLtpc1kaTuePDEMAUClFMGwvU6UYfDVSfcqxmzWbEB97h1nXPOmUWNb ++4ARY9JRZ5F1IPVPiwj8WBNibAiGfAqmGrCmS5q8FgzY4DrMc89vOuDtAoGBAJfe +aB6t6ssxcgdwwdi0LzjHoOkQdVgObBOjbTyypgNwGpLMrhtNblnxr12lkNr+Duwm +DdGqyZ57VvoJaaz5xNPSXn4QfIEAA/3H6CzJX2hDA5lP4pW2JZGLhKybtwv2Tj43 +8YZERvK+3Bs7qsFWPtqv0Ey+AGRw6knSHE65VScbAoGBAPUwAUmBZ6F22M6ftNL7 +G/qZJsP6OmDSyvJDN9SXiLvbpXQVd6RrZrni6xzwKWAFncFMVo+HWmeAavM8zxsc +a/XVSVvRj0kwg94HotHCF7/nHqYIqyF7hLZipdIphVGXx+c8dbKeVg0fgTnLRkzx +tbxgs3HWa6pgQvxtVAN4Jl3W -----END PRIVATE KEY----- diff --git a/examples/pki/run_all.sh b/examples/pki/run_all.sh index ba2f0b6e3..2438ec7c8 100755 --- a/examples/pki/run_all.sh +++ b/examples/pki/run_all.sh @@ -26,6 +26,5 @@ generate_ca ssl_cert_req cms_signing_cert_req issue_certs -create_middleware_cert gen_sample_cms cleanup diff --git a/keystoneclient/__init__.py b/keystoneclient/__init__.py index a3c0408b8..e8ef58ebc 100644 --- a/keystoneclient/__init__.py +++ b/keystoneclient/__init__.py @@ -15,28 +15,27 @@ """The python bindings for the OpenStack Identity (Keystone) project. -See :py:class:`keystoneclient.v3.client.Client` for the Identity V3 client. +A Client object will allow you to communicate with the Identity server. The +recommended way to get a Client object is to use +:py:func:`keystoneclient.client.Client()`. :py:func:`~.Client()` uses version +discovery to create a V3 or V2 client depending on what versions the Identity +server supports and what version is requested. -See :py:class:`keystoneclient.v2_0.client.Client` for the Identity V2.0 client. +Identity V2 and V3 clients can also be created directly. See +:py:class:`keystoneclient.v3.client.Client` for the V3 client and +:py:class:`keystoneclient.v2_0.client.Client` for the V2 client. """ +import importlib +import sys import pbr.version -from keystoneclient import access -from keystoneclient import client -from keystoneclient import exceptions -from keystoneclient import generic -from keystoneclient import httpclient -from keystoneclient import service_catalog -from keystoneclient import v2_0 -from keystoneclient import v3 - __version__ = pbr.version.VersionInfo('python-keystoneclient').version_string() -__all__ = [ +__all__ = ( # Modules 'generic', 'v2_0', @@ -48,4 +47,32 @@ 'exceptions', 'httpclient', 'service_catalog', -] +) + + +class _LazyImporter(object): + def __init__(self, module): + self._module = module + + def __getattr__(self, name): + # NB: this is only called until the import has been done. + # These submodules are part of the API without explicit importing, but + # expensive to load, so we load them on-demand rather than up-front. + lazy_submodules = [ + 'access', + 'client', + 'exceptions', + 'generic', + 'httpclient', + 'service_catalog', + 'v2_0', + 'v3', + ] + if name in lazy_submodules: + return importlib.import_module('keystoneclient.%s' % name) + + # Return module attributes like __all__ etc. + return getattr(self._module, name) + + +sys.modules[__name__] = _LazyImporter(sys.modules[__name__]) diff --git a/keystoneclient/_discover.py b/keystoneclient/_discover.py index 7ea396f91..a27236cdc 100644 --- a/keystoneclient/_discover.py +++ b/keystoneclient/_discover.py @@ -22,15 +22,15 @@ """ import logging +import re from keystoneclient import exceptions -from keystoneclient import utils +from keystoneclient.i18n import _ _LOGGER = logging.getLogger(__name__) -@utils.positional() def get_version_data(session, url, authenticated=None): """Retrieve raw version data from a url.""" headers = {'Accept': 'application/json'} @@ -39,49 +39,52 @@ def get_version_data(session, url, authenticated=None): try: body_resp = resp.json() - except ValueError: + except ValueError: # nosec(cjschaef): raise a DiscoveryFailure below pass else: # In the event of querying a root URL we will get back a list of # available versions. try: return body_resp['versions']['values'] - except (KeyError, TypeError): + except (KeyError, TypeError): # nosec(cjschaef): attempt to return + # versions dict or query the endpoint or raise a DiscoveryFailure pass # Most servers don't have a 'values' element so accept a simple # versions dict if available. try: return body_resp['versions'] - except KeyError: + except KeyError: # nosec(cjschaef): query the endpoint or raise a + # DiscoveryFailure pass # Otherwise if we query an endpoint like /v2.0 then we will get back # just the one available version. try: return [body_resp['version']] - except KeyError: + except KeyError: # nosec(cjschaef): raise a DiscoveryFailure pass err_text = resp.text[:50] + '...' if len(resp.text) > 50 else resp.text - msg = 'Invalid Response - Bad version data returned: %s' % err_text + msg = _('Invalid Response - Bad version data returned: %s') % err_text raise exceptions.DiscoveryFailure(msg) def normalize_version_number(version): """Turn a version representation into a tuple.""" - # trim the v from a 'v2.0' or similar try: version = version.lstrip('v') - except AttributeError: + except AttributeError: # nosec(cjschaef): 'version' is not a str, try a + # different type or raise a TypeError pass # if it's an integer or a numeric as a string then normalize it # to a string, this ensures 1 decimal point try: num = float(version) - except Exception: + except Exception: # nosec(cjschaef): 'version' is not a float, try a + # different type or raise a TypeError pass else: version = str(num) @@ -89,21 +92,22 @@ def normalize_version_number(version): # if it's a string (or an integer) from above break it on . try: return tuple(map(int, version.split('.'))) - except Exception: + except Exception: # nosec(cjschaef): 'version' is not str (or an int), + # try a different type or raise a TypeError pass # last attempt, maybe it's a list or iterable. try: return tuple(map(int, version)) - except Exception: + except Exception: # nosec(cjschaef): 'version' is not an expected type, + # raise a TypeError pass - raise TypeError('Invalid version specified: %s' % version) + raise TypeError(_('Invalid version specified: %s') % version) def version_match(required, candidate): - """Test that an available version is a suitable match for a required - version. + """Test that an available version satisfies the required version. To be suitable a version must be of the same major version as required and be at least a match in minor/patch level. @@ -113,7 +117,8 @@ def version_match(required, candidate): :param tuple required: the version that must be met. :param tuple candidate: the version to test against required. - :returns bool: True if candidate is suitable False otherwise. + :returns: True if candidate is suitable False otherwise. + :rtype: bool """ # major versions must be the same (e.g. even though v2 is a lower # version than v3 we can't use it if v2 was requested) @@ -133,7 +138,6 @@ class Discover(object): DEPRECATED_STATUSES = ('deprecated',) EXPERIMENTAL_STATUSES = ('experimental',) - @utils.positional() def __init__(self, session, url, authenticated=None): self._data = get_version_data(session, url, authenticated=authenticated) @@ -150,8 +154,9 @@ def raw_version_data(self, allow_experimental=False, :param bool allow_deprecated: Allow deprecated version endpoints. :param bool allow_unknown: Allow endpoints with an unrecognised status. - :returns list: The endpoints returned from the server that match the - criteria. + :returns: The endpoints returned from the server that match the + criteria. + :rtype: list """ versions = [] for v in self._data: @@ -182,14 +187,18 @@ def version_data(self, **kwargs): Return version data in a structured way. - :returns list(dict): A list of version data dictionaries sorted by - version number. Each data element in the returned - list is a dictionary consisting of at least: + :returns: A list of version data dictionaries sorted by version number. + Each data element in the returned list is a dictionary + consisting of at least: :version tuple: The normalized version of the endpoint. :url str: The url for the endpoint. :raw_status str: The status as provided by the server + :rtype: list(dict) """ + if kwargs.pop('unstable', None): + kwargs.setdefault('allow_experimental', True) + kwargs.setdefault('allow_unknown', True) data = self.raw_version_data(**kwargs) versions = [] @@ -238,9 +247,10 @@ def data_for(self, version, **kwargs): same major release as there should be no compatibility issues with using a version newer than the one asked for. - :returns dict: the endpoint data for a URL that matches the required - version (the format is described in version_data) - or None if no match. + :returns: the endpoint data for a URL that matches the required version + (the format is described in version_data) or None if no + match. + :rtype: dict """ version = normalize_version_number(version) version_data = self.version_data(**kwargs) @@ -258,7 +268,62 @@ def url_for(self, version, **kwargs): same major release as there should be no compatibility issues with using a version newer than the one asked for. - :returns str: The url for the specified version or None if no match. + :returns: The url for the specified version or None if no match. + :rtype: str """ data = self.data_for(version, **kwargs) return data['url'] if data else None + + +class _VersionHacks(object): + """A container to abstract the list of version hacks. + + This could be done as simply a dictionary but is abstracted like this to + make for easier testing. + """ + + def __init__(self): + self._discovery_data = {} + + def add_discover_hack(self, service_type, old, new=''): + """Add a new hack for a service type. + + :param str service_type: The service_type in the catalog. + :param re.RegexObject old: The pattern to use. + :param str new: What to replace the pattern with. + """ + hacks = self._discovery_data.setdefault(service_type, []) + hacks.append((old, new)) + + def get_discover_hack(self, service_type, url): + """Apply the catalog hacks and figure out an unversioned endpoint. + + :param str service_type: the service_type to look up. + :param str url: The original url that came from a service_catalog. + + :returns: Either the unversioned url or the one from the catalog + to try. + """ + for old, new in self._discovery_data.get(service_type, []): + new_string, number_of_subs_made = old.subn(new, url) + if number_of_subs_made > 0: + return new_string + + return url + + +_VERSION_HACKS = _VersionHacks() +_VERSION_HACKS.add_discover_hack('identity', re.compile('/v2.0/?$'), '/') + + +def get_catalog_discover_hack(service_type, url): + """Apply the catalog hacks and figure out an unversioned endpoint. + + This function is internal to keystoneclient. + + :param str service_type: the service_type to look up. + :param str url: The original url that came from a service_catalog. + + :returns: Either the unversioned url or the one from the catalog to try. + """ + return _VERSION_HACKS.get_discover_hack(service_type, url) diff --git a/keystoneclient/access.py b/keystoneclient/access.py index dfd7e9a2d..a93da0a1e 100644 --- a/keystoneclient/access.py +++ b/keystoneclient/access.py @@ -16,8 +16,11 @@ import datetime +import warnings -from keystoneclient.openstack.common import timeutils +from oslo_utils import timeutils + +from keystoneclient.i18n import _ from keystoneclient import service_catalog @@ -33,35 +36,53 @@ class AccessInfo(dict): """ @classmethod - def factory(cls, resp=None, body=None, region_name=None, **kwargs): - """Create AccessInfo object given a successful auth response & body - or a user-provided dict. + def factory(cls, resp=None, body=None, region_name=None, auth_token=None, + **kwargs): + """Factory function to create a new AccessInfo object. + + Create AccessInfo object given a successful auth response & body + or a user-provided dict. + + .. warning:: + + Use of the region_name argument is deprecated as of the 1.7.0 + release and may be removed in the 2.0.0 release. + """ - # FIXME(jamielennox): Passing region_name is deprecated. Provide an - # appropriate warning. + if region_name: + warnings.warn( + 'Use of the region_name argument is deprecated as of the ' + '1.7.0 release and may be removed in the 2.0.0 release.', + DeprecationWarning) if body is not None or len(kwargs): if AccessInfoV3.is_valid(body, **kwargs): - token = None - if resp: - token = resp.headers['X-Subject-Token'] + if resp and not auth_token: + auth_token = resp.headers['X-Subject-Token'] + # NOTE(jamielennox): these return AccessInfo because they + # already have auth_token installed on them. if body: if region_name: body['token']['region_name'] = region_name - return AccessInfoV3(token, **body['token']) + return AccessInfoV3(auth_token, **body['token']) else: - return AccessInfoV3(token, **kwargs) + return AccessInfoV3(auth_token, **kwargs) elif AccessInfoV2.is_valid(body, **kwargs): if body: if region_name: body['access']['region_name'] = region_name - return AccessInfoV2(**body['access']) + auth_ref = AccessInfoV2(**body['access']) else: - return AccessInfoV2(**kwargs) + auth_ref = AccessInfoV2(**kwargs) else: - raise NotImplementedError('Unrecognized auth response') + raise NotImplementedError(_('Unrecognized auth response')) else: - return AccessInfoV2(**kwargs) + auth_ref = AccessInfoV2(**kwargs) + + if auth_token: + auth_ref.auth_token = auth_token + + return auth_ref def __init__(self, *args, **kwargs): super(AccessInfo, self).__init__(*args, **kwargs) @@ -73,9 +94,10 @@ def _region_name(self): return self.get('region_name') def will_expire_soon(self, stale_duration=None): - """Determines if expiration is about to occur. + """Determine if expiration is about to occur. - :return: boolean : true if expiration is within the given duration + :returns: true if expiration is within the given duration + :rtype: boolean """ stale_duration = (STALE_TOKEN_DURATION if stale_duration is None @@ -89,15 +111,17 @@ def will_expire_soon(self, stale_duration=None): @classmethod def is_valid(cls, body, **kwargs): - """Determines if processing v2 or v3 token given a successful - auth body or a user-provided dict. + """Determine if processing valid v2 or v3 token. + + Validates from the auth body or a user-provided dict. - :return: boolean : true if auth body matches implementing class + :returns: true if auth body matches implementing class + :rtype: boolean """ raise NotImplementedError() def has_service_catalog(self): - """Returns true if the authorization token has a service catalog. + """Return true if the authorization token has a service catalog. :returns: boolean """ @@ -105,16 +129,28 @@ def has_service_catalog(self): @property def auth_token(self): - """Returns the token_id associated with the auth request, to be used - in headers for authenticating OpenStack API requests. + """Return the token_id associated with the auth request. + + To be used in headers for authenticating OpenStack API requests. :returns: str """ - raise NotImplementedError() + return self['auth_token'] + + @auth_token.setter + def auth_token(self, value): + self['auth_token'] = value + + @auth_token.deleter + def auth_token(self): + try: + del self['auth_token'] + except KeyError: # nosec(cjschaef): 'auth_token' is not in the dict + pass @property def expires(self): - """Returns the token expiration (as datetime object) + """Return the token expiration (as datetime object). :returns: datetime """ @@ -122,7 +158,7 @@ def expires(self): @property def issued(self): - """Returns the token issue time (as datetime object) + """Return the token issue time (as datetime object). :returns: datetime """ @@ -130,7 +166,8 @@ def issued(self): @property def username(self): - """Returns the username associated with the authentication request. + """Return the username associated with the auth request. + Follows the pattern defined in the V2 API of first looking for 'name', returning that if available, and falling back to 'username' if name is unavailable. @@ -141,7 +178,7 @@ def username(self): @property def user_id(self): - """Returns the user id associated with the authentication request. + """Return the user id associated with the auth request. :returns: str """ @@ -149,8 +186,7 @@ def user_id(self): @property def user_domain_id(self): - """Returns the domain id of the user associated with the authentication - request. + """Return the user's domain id associated with the auth request. For v2, it always returns 'default' which may be different from the Keystone configuration. @@ -161,8 +197,7 @@ def user_domain_id(self): @property def user_domain_name(self): - """Returns the domain name of the user associated with the - authentication request. + """Return the user's domain name associated with the auth request. For v2, it always returns 'Default' which may be different from the Keystone configuration. @@ -173,8 +208,7 @@ def user_domain_name(self): @property def role_ids(self): - """Returns a list of role ids of the user associated with the - authentication request. + """Return a list of user's role ids associated with the auth request. :returns: a list of strings of role ids """ @@ -182,8 +216,7 @@ def role_ids(self): @property def role_names(self): - """Returns a list of role names of the user associated with the - authentication request. + """Return a list of user's role names associated with the auth request. :returns: a list of strings of role names """ @@ -191,7 +224,7 @@ def role_names(self): @property def domain_name(self): - """Returns the domain name associated with the authentication token. + """Return the domain name associated with the auth request. :returns: str or None (if no domain associated with the token) """ @@ -199,7 +232,7 @@ def domain_name(self): @property def domain_id(self): - """Returns the domain id associated with the authentication token. + """Return the domain id associated with the auth request. :returns: str or None (if no domain associated with the token) """ @@ -207,7 +240,7 @@ def domain_id(self): @property def project_name(self): - """Returns the project name associated with the authentication request. + """Return the project name associated with the auth request. :returns: str or None (if no project associated with the token) """ @@ -220,10 +253,15 @@ def tenant_name(self): @property def scoped(self): - """Returns true if the authorization token was scoped to a tenant - (project), and contains a populated service catalog. + """Return true if the auth token was scoped. + + Return true if scoped to a tenant(project) or domain, + and contains a populated service catalog. - This is deprecated, use project_scoped instead. + .. warning:: + + This is deprecated as of the 1.7.0 release in favor of + project_scoped and may be removed in the 2.0.0 release. :returns: bool """ @@ -231,8 +269,7 @@ def scoped(self): @property def project_scoped(self): - """Returns true if the authorization token was scoped to a tenant - (project). + """Return true if the auth token was scoped to a tenant(project). :returns: bool """ @@ -240,7 +277,7 @@ def project_scoped(self): @property def domain_scoped(self): - """Returns true if the authorization token was scoped to a domain. + """Return true if the auth token was scoped to a domain. :returns: bool """ @@ -248,7 +285,7 @@ def domain_scoped(self): @property def trust_id(self): - """Returns the trust id associated with the authentication token. + """Return the trust id associated with the auth request. :returns: str or None (if no trust associated with the token) """ @@ -256,8 +293,9 @@ def trust_id(self): @property def trust_scoped(self): - """Returns true if the authorization token was scoped as delegated in a - trust, via the OS-TRUST v3 extension. + """Return true if the auth token was scoped from a delegated trust. + + The trust delegation is via the OS-TRUST v3 extension. :returns: bool """ @@ -265,7 +303,7 @@ def trust_scoped(self): @property def trustee_user_id(self): - """Returns the trustee user id associated with a trust. + """Return the trustee user id associated with a trust. :returns: str or None (if no trust associated with the token) """ @@ -273,7 +311,7 @@ def trustee_user_id(self): @property def trustor_user_id(self): - """Returns the trustor user id associated with a trust. + """Return the trustor user id associated with a trust. :returns: str or None (if no trust associated with the token) """ @@ -281,9 +319,9 @@ def trustor_user_id(self): @property def project_id(self): - """Returns the project ID associated with the authentication - request, or None if the authentication request wasn't scoped to a - project. + """Return the project ID associated with the auth request. + + This returns None if the auth token wasn't scoped to a project. :returns: str or None (if no project associated with the token) """ @@ -296,8 +334,7 @@ def tenant_id(self): @property def project_domain_id(self): - """Returns the domain id of the project associated with the - authentication request. + """Return the project's domain id associated with the auth request. For v2, it returns 'default' if a project is scoped or None which may be different from the keystone configuration. @@ -308,8 +345,7 @@ def project_domain_id(self): @property def project_domain_name(self): - """Returns the domain name of the project associated with the - authentication request. + """Return the project's domain name associated with the auth request. For v2, it returns 'Default' if a project is scoped or None which may be different from the keystone configuration. @@ -320,13 +356,16 @@ def project_domain_name(self): @property def auth_url(self): - """Returns a tuple of URLs from publicURL and adminURL for the service + """Return a tuple of identity URLs. + + The identity URLs are from publicURL and adminURL for the service 'identity' from the service catalog associated with the authorization request. If the authentication request wasn't scoped to a tenant (project), this property will return None. DEPRECATED: this doesn't correctly handle region name. You should fetch - it from the service catalog yourself. + it from the service catalog yourself. This may be removed in the 2.0.0 + release. :returns: tuple of urls """ @@ -334,12 +373,15 @@ def auth_url(self): @property def management_url(self): - """Returns the first adminURL for 'identity' from the service catalog + """Return the first adminURL of the identity endpoint. + + The identity endpoint is from the service catalog associated with the authorization request, or None if the authentication request wasn't scoped to a tenant (project). DEPRECATED: this doesn't correctly handle region name. You should fetch - it from the service catalog yourself. + it from the service catalog yourself. This may be removed in the 2.0.0 + release. :returns: tuple of urls """ @@ -347,7 +389,7 @@ def management_url(self): @property def version(self): - """Returns the version of the auth token from identity service. + """Return the version of the auth token from identity service. :returns: str """ @@ -369,11 +411,46 @@ def oauth_consumer_id(self): """ raise NotImplementedError() + @property + def is_federated(self): + """Return true if federation was used to get the token. + + :returns: boolean + """ + raise NotImplementedError() + + @property + def audit_id(self): + """Return the audit ID if present. + + :returns: str or None. + """ + raise NotImplementedError() + + @property + def audit_chain_id(self): + """Return the audit chain ID if present. + + In the event that a token was rescoped then this ID will be the + :py:attr:`audit_id` of the initial token. Returns None if no value + present. + + :returns: str or None. + """ + raise NotImplementedError() + + @property + def initial_audit_id(self): + """The audit ID of the initially requested token. + + This is the :py:attr:`audit_chain_id` if present or the + :py:attr:`audit_id`. + """ + return self.audit_chain_id or self.audit_id + class AccessInfoV2(AccessInfo): - """An object for encapsulating a raw v2 auth token from identity - service. - """ + """An object for encapsulating raw v2 auth token from identity service.""" def __init__(self, *args, **kwargs): super(AccessInfo, self).__init__(*args, **kwargs) @@ -395,9 +472,12 @@ def is_valid(cls, body, **kwargs): def has_service_catalog(self): return 'serviceCatalog' in self - @property + @AccessInfo.auth_token.getter def auth_token(self): - return self['token']['id'] + try: + return super(AccessInfoV2, self).auth_token + except KeyError: + return self['token']['id'] @property def expires(self): @@ -443,7 +523,8 @@ def domain_id(self): def project_name(self): try: tenant_dict = self['token']['tenant'] - except KeyError: + except KeyError: # nosec(cjschaef): no 'token' key or 'tenant' key in + # token, return the name of the tenant or None pass else: return tenant_dict.get('name') @@ -451,20 +532,31 @@ def project_name(self): # pre grizzly try: return self['user']['tenantName'] - except KeyError: + except KeyError: # nosec(cjschaef): no 'user' key or 'tenantName' in + # 'user', attempt 'tenantId' or return None pass # pre diablo, keystone only provided a tenantId try: return self['token']['tenantId'] - except KeyError: + except KeyError: # nosec(cjschaef): no 'token' key or 'tenantName' or + # 'tenantId' could be found, return None pass @property def scoped(self): - if ('serviceCatalog' in self - and self['serviceCatalog'] - and 'tenant' in self['token']): + """Deprecated as of the 1.7.0 release. + + Use project_scoped instead. It may be removed in the + 2.0.0 release. + """ + warnings.warn( + 'scoped is deprecated as of the 1.7.0 release in favor of ' + 'project_scoped and may be removed in the 2.0.0 release.', + DeprecationWarning) + if ('serviceCatalog' in self and + self['serviceCatalog'] and + 'tenant' in self['token']): return True return False @@ -497,7 +589,8 @@ def trustor_user_id(self): def project_id(self): try: tenant_dict = self['token']['tenant'] - except KeyError: + except KeyError: # nosec(cjschaef): no 'token' key or 'tenant' dict, + # attempt to return 'tenantId' or return None pass else: return tenant_dict.get('id') @@ -505,13 +598,15 @@ def project_id(self): # pre grizzly try: return self['user']['tenantId'] - except KeyError: + except KeyError: # nosec(cjschaef): no 'user' key or 'tenantId' in + # 'user', attempt to retrieve from 'token' or return None pass # pre diablo try: return self['token']['tenantId'] - except KeyError: + except KeyError: # nosec(cjschaef): no 'token' key or 'tenantId' + # could be found, return None pass @property @@ -526,8 +621,15 @@ def project_domain_name(self): @property def auth_url(self): - # FIXME(jamielennox): this is deprecated in favour of retrieving it - # from the service catalog. Provide a warning. + """Deprecated as of the 1.7.0 release. + + Use service_catalog.get_urls() instead. It may be removed in the + 2.0.0 release. + """ + warnings.warn( + 'auth_url is deprecated as of the 1.7.0 release in favor of ' + 'service_catalog.get_urls() and may be removed in the 2.0.0 ' + 'release.', DeprecationWarning) if self.service_catalog: return self.service_catalog.get_urls(service_type='identity', endpoint_type='publicURL', @@ -537,8 +639,15 @@ def auth_url(self): @property def management_url(self): - # FIXME(jamielennox): this is deprecated in favour of retrieving it - # from the service catalog. Provide a warning. + """Deprecated as of the 1.7.0 release. + + Use service_catalog.get_urls() instead. It may be removed in the + 2.0.0 release. + """ + warnings.warn( + 'management_url is deprecated as of the 1.7.0 release in favor of ' + 'service_catalog.get_urls() and may be removed in the 2.0.0 ' + 'release.', DeprecationWarning) if self.service_catalog: return self.service_catalog.get_urls(service_type='identity', endpoint_type='adminURL', @@ -554,11 +663,27 @@ def oauth_access_token_id(self): def oauth_consumer_id(self): return None + @property + def is_federated(self): + return False + + @property + def audit_id(self): + try: + return self['token'].get('audit_ids', [])[0] + except IndexError: + return None + + @property + def audit_chain_id(self): + try: + return self['token'].get('audit_ids', [])[1] + except IndexError: + return None + class AccessInfoV3(AccessInfo): - """An object for encapsulating a raw v3 auth token from identity - service. - """ + """An object encapsulating raw v3 auth token from identity service.""" def __init__(self, token, *args, **kwargs): super(AccessInfo, self).__init__(*args, **kwargs) @@ -568,7 +693,7 @@ def __init__(self, token, *args, **kwargs): token=token, region_name=self._region_name) if token: - self.update(auth_token=token) + self.auth_token = token @classmethod def is_valid(cls, body, **kwargs): @@ -583,8 +708,8 @@ def has_service_catalog(self): return 'catalog' in self @property - def auth_token(self): - return self['auth_token'] + def is_federated(self): + return 'OS-FEDERATION' in self['user'] @property def expires(self): @@ -600,11 +725,21 @@ def user_id(self): @property def user_domain_id(self): - return self['user']['domain']['id'] + try: + return self['user']['domain']['id'] + except KeyError: + if self.is_federated: + return None + raise @property def user_domain_name(self): - return self['user']['domain']['name'] + try: + return self['user']['domain']['name'] + except KeyError: + if self.is_federated: + return None + raise @property def role_ids(self): @@ -656,6 +791,15 @@ def project_name(self): @property def scoped(self): + """Deprecated as of the 1.7.0 release. + + Use project_scoped instead. It may be removed in the + 2.0.0 release. + """ + warnings.warn( + 'scoped is deprecated as of the 1.7.0 release in favor of ' + 'project_scoped and may be removed in the 2.0.0 release.', + DeprecationWarning) return ('catalog' in self and self['catalog'] and 'project' in self) @property @@ -684,8 +828,15 @@ def trustor_user_id(self): @property def auth_url(self): - # FIXME(jamielennox): this is deprecated in favour of retrieving it - # from the service catalog. Provide a warning. + """Deprecated as of the 1.7.0 release. + + Use service_catalog.get_urls() instead. It may be removed in the + 2.0.0 release. + """ + warnings.warn( + 'auth_url is deprecated as of the 1.7.0 release in favor of ' + 'service_catalog.get_urls() and may be removed in the 2.0.0 ' + 'release.', DeprecationWarning) if self.service_catalog: return self.service_catalog.get_urls(service_type='identity', endpoint_type='public', @@ -695,8 +846,15 @@ def auth_url(self): @property def management_url(self): - # FIXME(jamielennox): this is deprecated in favour of retrieving it - # from the service catalog. Provide a warning. + """Deprecated as of the 1.7.0 release. + + Use service_catalog.get_urls() instead. It may be removed in the + 2.0.0 release. + """ + warnings.warn( + 'management_url is deprecated as of the 1.7.0 release in favor of ' + 'service_catalog.get_urls() and may be removed in the 2.0.0 ' + 'release.', DeprecationWarning) if self.service_catalog: return self.service_catalog.get_urls(service_type='identity', endpoint_type='admin', @@ -712,3 +870,17 @@ def oauth_access_token_id(self): @property def oauth_consumer_id(self): return self.get('OS-OAUTH1', {}).get('consumer_id') + + @property + def audit_id(self): + try: + return self.get('audit_ids', [])[0] + except IndexError: + return None + + @property + def audit_chain_id(self): + try: + return self.get('audit_ids', [])[1] + except IndexError: + return None diff --git a/keystoneclient/adapter.py b/keystoneclient/adapter.py index 1018b02b9..94cd81dc6 100644 --- a/keystoneclient/adapter.py +++ b/keystoneclient/adapter.py @@ -10,8 +10,9 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient.openstack.common import jsonutils -from keystoneclient import utils +import warnings + +from oslo_serialization import jsonutils class Adapter(object): @@ -22,51 +23,153 @@ class Adapter(object): state such as the service type and region_name that are only relevant to a particular client that is using the session. An adapter provides a wrapper of client local data around the global session object. + + :param session: The session object to wrap. + :type session: keystoneclient.session.Session + :param str service_type: The default service_type for URL discovery. + :param str service_name: The default service_name for URL discovery. + :param str interface: The default interface for URL discovery. + :param str region_name: The default region_name for URL discovery. + :param str endpoint_override: Always use this endpoint URL for requests + for this client. + :param tuple version: The version that this API targets. + :param auth: An auth plugin to use instead of the session one. + :type auth: keystoneclient.auth.base.BaseAuthPlugin + :param str user_agent: The User-Agent string to set. + :param int connect_retries: the maximum number of retries that should + be attempted for connection errors. + Default None - use session default which + is don't retry. + :param logger: A logging object to use for requests that pass through this + adapter. + :type logger: logging.Logger """ - @utils.positional() def __init__(self, session, service_type=None, service_name=None, - interface=None, region_name=None, auth=None, - user_agent=None): - """Create a new adapter. - - :param Session session: The session object to wrap. - :param str service_type: The default service_type for URL discovery. - :param str service_name: The default service_name for URL discovery. - :param str interface: The default interface for URL discovery. - :param str region_name: The default region_name for URL discovery. - :param auth.BaseAuthPlugin auth: An auth plugin to use instead of the - session one. - :param str user_agent: The User-Agent string to set. - """ - + interface=None, region_name=None, endpoint_override=None, + version=None, auth=None, user_agent=None, + connect_retries=None, logger=None): + warnings.warn( + 'keystoneclient.adapter.Adapter is deprecated as of the 2.1.0 ' + 'release in favor of keystoneauth1.adapter.Adapter. It will be ' + 'removed in future releases.', DeprecationWarning) + + # NOTE(jamielennox): when adding new parameters to adapter please also + # add them to the adapter call in httpclient.HTTPClient.__init__ self.session = session self.service_type = service_type self.service_name = service_name self.interface = interface self.region_name = region_name + self.endpoint_override = endpoint_override + self.version = version self.user_agent = user_agent self.auth = auth + self.connect_retries = connect_retries + self.logger = logger - def request(self, url, method, **kwargs): - endpoint_filter = kwargs.setdefault('endpoint_filter', {}) - + def _set_endpoint_filter_kwargs(self, kwargs): if self.service_type: - endpoint_filter.setdefault('service_type', self.service_type) + kwargs.setdefault('service_type', self.service_type) if self.service_name: - endpoint_filter.setdefault('service_name', self.service_name) + kwargs.setdefault('service_name', self.service_name) if self.interface: - endpoint_filter.setdefault('interface', self.interface) + kwargs.setdefault('interface', self.interface) if self.region_name: - endpoint_filter.setdefault('region_name', self.region_name) + kwargs.setdefault('region_name', self.region_name) + if self.version: + kwargs.setdefault('version', self.version) + + def request(self, url, method, **kwargs): + endpoint_filter = kwargs.setdefault('endpoint_filter', {}) + self._set_endpoint_filter_kwargs(endpoint_filter) + + if self.endpoint_override: + kwargs.setdefault('endpoint_override', self.endpoint_override) if self.auth: kwargs.setdefault('auth', self.auth) if self.user_agent: kwargs.setdefault('user_agent', self.user_agent) + if self.connect_retries is not None: + kwargs.setdefault('connect_retries', self.connect_retries) + if self.logger: + kwargs.setdefault('logger', self.logger) return self.session.request(url, method, **kwargs) + def get_token(self, auth=None): + """Return a token as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin + on the session. (optional) + :type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin` + + :raises keystoneclient.exceptions.AuthorizationFailure: if a new token + fetch fails. + + :returns: A valid token. + :rtype: string + """ + return self.session.get_token(auth or self.auth) + + def get_endpoint(self, auth=None, **kwargs): + """Get an endpoint as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin on + the session. (optional) + :type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin` + + :raises keystoneclient.exceptions.MissingAuthPlugin: if a plugin is not + available. + + :returns: An endpoint if available or None. + :rtype: string + """ + if self.endpoint_override: + return self.endpoint_override + + self._set_endpoint_filter_kwargs(kwargs) + return self.session.get_endpoint(auth or self.auth, **kwargs) + + def invalidate(self, auth=None): + """Invalidate an authentication plugin.""" + return self.session.invalidate(auth or self.auth) + + def get_user_id(self, auth=None): + """Return the authenticated user_id as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin + on the session. (optional) + :type auth: keystoneclient.auth.base.BaseAuthPlugin + + :raises keystoneclient.exceptions.AuthorizationFailure: + if a new token fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: + if a plugin is not available. + + :returns: Current `user_id` or None if not supported by plugin. + :rtype: string + """ + return self.session.get_user_id(auth or self.auth) + + def get_project_id(self, auth=None): + """Return the authenticated project_id as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin + on the session. (optional) + :type auth: keystoneclient.auth.base.BaseAuthPlugin + + :raises keystoneclient.exceptions.AuthorizationFailure: + if a new token fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: + if a plugin is not available. + + :returns: Current `project_id` or None if not supported by plugin. + :rtype: string + """ + return self.session.get_project_id(auth or self.auth) + def get(self, url, **kwargs): return self.request(url, 'GET', **kwargs) @@ -101,7 +204,8 @@ def request(self, *args, **kwargs): try: kwargs['json'] = kwargs.pop('body') - except KeyError: + except KeyError: # nosec(cjschaef): kwargs doesn't contain a 'body' + # key, while 'json' is an optional argument for Session.request pass resp = super(LegacyJsonAdapter, self).request(*args, **kwargs) @@ -110,7 +214,8 @@ def request(self, *args, **kwargs): if resp.text: try: body = jsonutils.loads(resp.text) - except ValueError: + except ValueError: # nosec(cjschaef): return None for body as + # expected pass return resp, body diff --git a/keystoneclient/apiclient/__init__.py b/keystoneclient/apiclient/__init__.py deleted file mode 100644 index 344b66169..000000000 --- a/keystoneclient/apiclient/__init__.py +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 2013 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import warnings - -from keystoneclient import exceptions - -# NOTE(akurilin): Module 'keystoneclient.apiclient' contains only exceptions -# which are deprecated, so this module must also be deprecated which helps -# to report 'deprecated' status of exceptions for next kind of imports -# from keystoneclient.apiclient import exceptions - -warnings.warn("The 'keystoneclient.apiclient' module is deprecated since " - "v.0.7.1. Use 'keystoneclient.exceptions' instead of this " - "module.", DeprecationWarning) - -__all__ = [ - 'exceptions', -] diff --git a/keystoneclient/apiclient/exceptions.py b/keystoneclient/apiclient/exceptions.py deleted file mode 100644 index 982820830..000000000 --- a/keystoneclient/apiclient/exceptions.py +++ /dev/null @@ -1,33 +0,0 @@ -# Copyright 2010 Jacob Kaplan-Moss -# Copyright 2011 Nebula, Inc. -# Copyright 2013 Alessio Ababilov -# Copyright 2013 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Exception definitions. - -Deprecated since v0.7.1. Use 'keystoneclient.exceptions' instead of -this module. -""" - -import warnings - -from keystoneclient.exceptions import * # noqa - - -warnings.warn("The 'keystoneclient.apiclient.exceptions' module is deprecated " - "since v.0.7.1. Use 'keystoneclient.exceptions' instead of this " - "module.", DeprecationWarning) diff --git a/keystoneclient/auth/__init__.py b/keystoneclient/auth/__init__.py index 932420722..c9acef819 100644 --- a/keystoneclient/auth/__init__.py +++ b/keystoneclient/auth/__init__.py @@ -10,17 +10,21 @@ # License for the specific language governing permissions and limitations # under the License. +# flake8: noqa: F405 from keystoneclient.auth.base import * # noqa from keystoneclient.auth.cli import * # noqa from keystoneclient.auth.conf import * # noqa -__all__ = [ +__all__ = ( # auth.base 'AUTH_INTERFACE', 'BaseAuthPlugin', + 'get_available_plugin_names', + 'get_available_plugin_classes', 'get_plugin_class', + 'IDENTITY_AUTH_HEADER_NAME', 'PLUGIN_NAMESPACE', # auth.cli @@ -32,4 +36,4 @@ 'get_plugin_options', 'load_from_conf_options', 'register_conf_options', -] +) diff --git a/keystoneclient/auth/base.py b/keystoneclient/auth/base.py index 66e6a1867..b6753cdf1 100644 --- a/keystoneclient/auth/base.py +++ b/keystoneclient/auth/base.py @@ -10,47 +10,91 @@ # License for the specific language governing permissions and limitations # under the License. -import abc import os -import six +from debtcollector import removals +from keystoneauth1 import plugin import stevedore from keystoneclient import exceptions + # NOTE(jamielennox): The AUTH_INTERFACE is a special value that can be # requested from get_endpoint. If a plugin receives this as the value of # 'interface' it should return the initial URL that was passed to the plugin. -AUTH_INTERFACE = object() +AUTH_INTERFACE = plugin.AUTH_INTERFACE PLUGIN_NAMESPACE = 'keystoneclient.auth.plugin' +IDENTITY_AUTH_HEADER_NAME = 'X-Auth-Token' + + +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) +def get_available_plugin_names(): + """Get the names of all the plugins that are available on the system. + + This is particularly useful for help and error text to prompt a user for + example what plugins they may specify. + + :returns: A list of names. + :rtype: frozenset + """ + mgr = stevedore.ExtensionManager(namespace=PLUGIN_NAMESPACE, + invoke_on_load=False) + return frozenset(mgr.names()) + + +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) +def get_available_plugin_classes(): + """Retrieve all the plugin classes available on the system. + + :returns: A dict with plugin entrypoint name as the key and the plugin + class as the value. + :rtype: dict + """ + mgr = stevedore.ExtensionManager(namespace=PLUGIN_NAMESPACE, + propagate_map_exceptions=True, + invoke_on_load=False) + return dict(mgr.map(lambda ext: (ext.entry_point.name, ext.plugin))) + +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) def get_plugin_class(name): """Retrieve a plugin class by its entrypoint name. :param str name: The name of the object to get. :returns: An auth plugin class. + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` - :raises exceptions.NoMatchingPlugin: if a plugin cannot be created. + :raises keystoneclient.exceptions.NoMatchingPlugin: if a plugin cannot be + created. """ try: mgr = stevedore.DriverManager(namespace=PLUGIN_NAMESPACE, name=name, invoke_on_load=False) except RuntimeError: - msg = 'The plugin %s could not be found' % name - raise exceptions.NoMatchingPlugin(msg) + raise exceptions.NoMatchingPlugin(name) return mgr.driver -@six.add_metaclass(abc.ABCMeta) class BaseAuthPlugin(object): """The basic structure of an authentication plugin.""" - @abc.abstractmethod def get_token(self, session, **kwargs): """Obtain a token. @@ -63,9 +107,60 @@ def get_token(self, session, **kwargs): Returning None will indicate that no token was able to be retrieved. + This function is misplaced as it should only be required for auth + plugins that use the 'X-Auth-Token' header. However due to the way + plugins evolved this method is required and often called to trigger an + authentication request on a new plugin. + + When implementing a new plugin it is advised that you implement this + method, however if you don't require the 'X-Auth-Token' header override + the `get_headers` method instead. + :param session: A session object so the plugin can make HTTP calls. - :return string: A token to use. + :type session: keystoneclient.session.Session + + :return: A token to use. + :rtype: string """ + return None + + def get_headers(self, session, **kwargs): + """Fetch authentication headers for message. + + This is a more generalized replacement of the older get_token to allow + plugins to specify different or additional authentication headers to + the OpenStack standard 'X-Auth-Token' header. + + How the authentication headers are obtained is up to the plugin. If the + headers are still valid they may be re-used, retrieved from cache or + the plugin may invoke an authentication request against a server. + + The default implementation of get_headers calls the `get_token` method + to enable older style plugins to continue functioning unchanged. + Subclasses should feel free to completely override this function to + provide the headers that they want. + + There are no required kwargs. They are passed directly to the auth + plugin and they are implementation specific. + + Returning None will indicate that no token was able to be retrieved and + that authorization was a failure. Adding no authentication data can be + achieved by returning an empty dictionary. + + :param session: The session object that the auth_plugin belongs to. + :type session: keystoneclient.session.Session + + :returns: Headers that are set to authenticate a message or None for + failure. Note that when checking this value that the empty + dict is a valid, non-failure response. + :rtype: dict + """ + token = self.get_token(session) + + if not token: + return None + + return {IDENTITY_AUTH_HEADER_NAME: token} def get_endpoint(self, session, **kwargs): """Return an endpoint for the client. @@ -80,12 +175,27 @@ def get_endpoint(self, session, **kwargs): - ``interface``: what visibility the endpoint should have. - ``region_name``: the region the endpoint exists in. - :param Session session: The session object that the auth_plugin - belongs to. + :param session: The session object that the auth_plugin belongs to. + :type session: keystoneclient.session.Session + + :returns: The base URL that will be used to talk to the required + service or None if not available. + :rtype: string + """ + return None + + def get_connection_params(self, session, **kwargs): + """Return any additional connection parameters required for the plugin. - :returns string: The base URL that will be used to talk to the - required service or None if not available. + :param session: The session object that the auth_plugin belongs to. + :type session: keystoneclient.session.Session + + :returns: Headers that are set to authenticate a message or None for + failure. Note that when checking this value that the empty + dict is a valid, non-failure response. + :rtype: dict """ + return {} def invalidate(self): """Invalidate the current authentication data. @@ -96,20 +206,52 @@ def invalidate(self): returned to indicate that the token may have been revoked or is otherwise now invalid. - :returns bool: True if there was something that the plugin did to - invalidate. This means that it makes sense to try again. - If nothing happens returns False to indicate give up. + :returns: True if there was something that the plugin did to + invalidate. This means that it makes sense to try again. If + nothing happens returns False to indicate give up. + :rtype: bool """ return False + def get_user_id(self, session, **kwargs): + """Return a unique user identifier of the plugin. + + Wherever possible the user id should be inferred from the token however + there are certain URLs and other places that require access to the + currently authenticated user id. + + :param session: A session object so the plugin can make HTTP calls. + :type session: keystoneclient.session.Session + + :returns: A user identifier or None if one is not available. + :rtype: str + """ + return None + + def get_project_id(self, session, **kwargs): + """Return the project id that we are authenticated to. + + Wherever possible the project id should be inferred from the token + however there are certain URLs and other places that require access to + the currently authenticated project id. + + :param session: A session object so the plugin can make HTTP calls. + :type session: keystoneclient.session.Session + + :returns: A project identifier or None if one is not available. + :rtype: str + """ + return None + @classmethod def get_options(cls): """Return the list of parameters associated with the auth plugin. This list may be used to generate CLI or config arguments. - :returns list: A list of Param objects describing available plugin - parameters. + :returns: A list of Param objects describing available plugin + parameters. + :rtype: List """ return [] @@ -130,14 +272,13 @@ def register_argparse_arguments(cls, parser): Given a plugin class convert it's options into argparse arguments and add them to a parser. - :param AuthPlugin plugin: an auth plugin class. - :param argparse.ArgumentParser: the parser to attach argparse options. + :param parser: the parser to attach argparse options. + :type parser: argparse.ArgumentParser """ - - # NOTE(jamielennox): ideally oslo.config would be smart enough to + # NOTE(jamielennox): ideally oslo_config would be smart enough to # handle all the Opt manipulation that goes on in this file. However it # is currently not. Options are handled in as similar a way as - # possible to oslo.config such that when available we should be able to + # possible to oslo_config such that when available we should be able to # transition. for opt in cls.get_options(): @@ -148,14 +289,12 @@ def register_argparse_arguments(cls, parser): args.append('--os-%s' % o.name) envs.append('OS_%s' % o.name.replace('-', '_').upper()) - default = opt.default - if default is None: - # select the first ENV that is not false-y or return None - env_vars = (os.environ.get(e) for e in envs) - default = six.next(six.moves.filter(None, env_vars), None) + # select the first ENV that is not false-y or return None + env_vars = (os.environ.get(e) for e in envs) + default = next(filter(None, env_vars), None) parser.add_argument(*args, - default=default, + default=default or opt.default, metavar=opt.metavar, help=opt.help, dest='os_%s' % opt.dest) @@ -166,24 +305,23 @@ def load_from_argparse_arguments(cls, namespace, **kwargs): Convert the results of a parse into the specified plugin. - :param AuthPlugin plugin: an auth plugin class. - :param Namespace namespace: The result from CLI parsing. + :param namespace: The result from CLI parsing. + :type namespace: argparse.Namespace :returns: An auth plugin, or None if a name is not provided. + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` """ - for opt in cls.get_options(): - val = getattr(namespace, 'os_%s' % opt.dest) - if val is not None: - val = opt.type(val) - kwargs.setdefault(opt.dest, val) + def _getter(opt): + return getattr(namespace, 'os_%s' % opt.dest) - return cls.load_from_options(**kwargs) + return cls.load_from_options_getter(_getter, **kwargs) @classmethod def register_conf_options(cls, conf, group): - """Register the oslo.config options that are needed for a plugin. + """Register the oslo_config options that are needed for a plugin. - :param conf: An oslo.config conf object. + :param conf: A config object. + :type conf: oslo_config.cfg.ConfigOpts :param string group: The group name that options should be read from. """ plugin_opts = cls.get_options() @@ -195,15 +333,39 @@ def load_from_conf_options(cls, conf, group, **kwargs): Convert the options already registered into a real plugin. - :param conf: An oslo.config conf object. + :param conf: A config object. + :type conf: oslo_config.cfg.ConfigOpts :param string group: The group name that options should be read from. - :returns plugin: An authentication Plugin. + :returns: An authentication Plugin. + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` + """ + def _getter(opt): + return conf[group][opt.dest] + + return cls.load_from_options_getter(_getter, **kwargs) + + @classmethod + def load_from_options_getter(cls, getter, **kwargs): + """Load a plugin from a getter function returning appropriate values. + + To handle cases other than the provided CONF and CLI loading you can + specify a custom loader function that will be queried for the option + value. + + The getter is a function that takes one value, an + :py:class:`oslo_config.cfg.Opt` and returns a value to load with. + + :param getter: A function that returns a value for the given opt. + :type getter: callable + + :returns: An authentication Plugin. + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` """ plugin_opts = cls.get_options() for opt in plugin_opts: - val = conf[group][opt.dest] + val = getter(opt) if val is not None: val = opt.type(val) kwargs.setdefault(opt.dest, val) diff --git a/keystoneclient/auth/cli.py b/keystoneclient/auth/cli.py index 8bbed2ae7..d18baec7e 100644 --- a/keystoneclient/auth/cli.py +++ b/keystoneclient/auth/cli.py @@ -13,24 +13,35 @@ import argparse import os +from debtcollector import removals + from keystoneclient.auth import base -def register_argparse_arguments(parser, argv): +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) +def register_argparse_arguments(parser, argv, default=None): """Register CLI options needed to create a plugin. The function inspects the provided arguments so that it can also register the options required for that specific plugin if available. :param argparse.ArgumentParser: the parser to attach argparse options to. - :param list argv: the arguments provided to the appliation. + :param List argv: the arguments provided to the application. + :param str/class default: a default plugin name or a plugin object to use + if one isn't specified by the CLI. default: None. :returns: The plugin class that will be loaded or None if not provided. + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` - :raises exceptions.NoMatchingPlugin: if a plugin cannot be created. + :raises keystoneclient.exceptions.NoMatchingPlugin: if a plugin cannot be + created. """ in_parser = argparse.ArgumentParser(add_help=False) - env_plugin = os.environ.get('OS_AUTH_PLUGIN') + env_plugin = os.environ.get('OS_AUTH_PLUGIN', default) for p in (in_parser, parser): p.add_argument('--os-auth-plugin', metavar='', @@ -38,19 +49,27 @@ def register_argparse_arguments(parser, argv): help='The auth plugin to load') options, _args = in_parser.parse_known_args(argv) - name = options.os_auth_plugin - if not name: + if not options.os_auth_plugin: return None - msg = 'Options specific to the %s plugin.' % name - group = parser.add_argument_group('Authentication Options', msg) + if isinstance(options.os_auth_plugin, type): + msg = 'Default Authentication options' + plugin = options.os_auth_plugin + else: + msg = 'Options specific to the %s plugin.' % options.os_auth_plugin + plugin = base.get_plugin_class(options.os_auth_plugin) - plugin = base.get_plugin_class(name) + group = parser.add_argument_group('Authentication Options', msg) plugin.register_argparse_arguments(group) return plugin +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) def load_from_argparse_arguments(namespace, **kwargs): """Retrieve the created plugin from the completed argparse results. @@ -60,11 +79,17 @@ def load_from_argparse_arguments(namespace, **kwargs): :param Namespace namespace: The result from CLI parsing. :returns: An auth plugin, or None if a name is not provided. + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` - :raises exceptions.NoMatchingPlugin: if a plugin cannot be created. + :raises keystoneclient.exceptions.NoMatchingPlugin: if a plugin cannot be + created. """ if not namespace.os_auth_plugin: return None - plugin = base.get_plugin_class(namespace.os_auth_plugin) + if isinstance(namespace.os_auth_plugin, type): + plugin = namespace.os_auth_plugin + else: + plugin = base.get_plugin_class(namespace.os_auth_plugin) + return plugin.load_from_argparse_arguments(namespace, **kwargs) diff --git a/keystoneclient/auth/conf.py b/keystoneclient/auth/conf.py index c3d13dbc8..ca3cbcf8c 100644 --- a/keystoneclient/auth/conf.py +++ b/keystoneclient/auth/conf.py @@ -10,10 +10,10 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo.config import cfg +from debtcollector import removals +from oslo_config import cfg from keystoneclient.auth import base -from keystoneclient import exceptions _AUTH_PLUGIN_OPT = cfg.StrOpt('auth_plugin', help='Name of the plugin to load') @@ -21,34 +21,49 @@ _AUTH_SECTION_OPT = cfg.StrOpt('auth_section', help=_section_help) +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) def get_common_conf_options(): - """Get the oslo.config options common for all auth plugins. + """Get the oslo_config options common for all auth plugins. These may be useful without being registered for config file generation or to manipulate the options before registering them yourself. The options that are set are: - :auth_plugin: The name of the pluign to load. + :auth_plugin: The name of the plugin to load. :auth_section: The config file section to load options from. - :returns: A list of oslo.config options. + :returns: A list of oslo_config options. """ return [_AUTH_PLUGIN_OPT, _AUTH_SECTION_OPT] +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) def get_plugin_options(name): - """Get the oslo.config options for a specific plugin. + """Get the oslo_config options for a specific plugin. This will be the list of config options that is registered and loaded by the specified plugin. - :returns: A list of oslo.config options. + :returns: A list of oslo_config options. """ return base.get_plugin_class(name).get_options() +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) def register_conf_options(conf, group): - """Register the oslo.config options that are needed for a plugin. + """Register the oslo_config options that are needed for a plugin. This only registers the basic options shared by all plugins. Options that are specific to a plugin are loaded just before they are read. @@ -61,7 +76,8 @@ def register_conf_options(conf, group): taken. If section is not provided then the auth plugin options will be taken from the same group as provided in the parameters. - :param oslo.config.Cfg conf: config object to register with. + :param conf: config object to register with. + :type conf: oslo_config.cfg.ConfigOpts :param string group: The ini group to register options in. """ conf.register_opt(_AUTH_SECTION_OPT, group=group) @@ -77,21 +93,29 @@ def register_conf_options(conf, group): conf.register_opt(_AUTH_PLUGIN_OPT, group=group) +@removals.remove( + message='keystoneclient auth plugins are deprecated. Use keystoneauth.', + version='2.1.0', + removal_version='3.0.0' +) def load_from_conf_options(conf, group, **kwargs): - """Load a plugin from an oslo.config CONF object. + """Load a plugin from an oslo_config CONF object. - Each plugin will register there own required options and so there is no + Each plugin will register their own required options and so there is no standard list and the plugin should be consulted. The base options should have been registered with register_conf_options before this function is called. - :param conf: An oslo.config conf object. + :param conf: A conf object. + :type conf: oslo_config.cfg.ConfigOpts :param string group: The group name that options should be read from. - :returns plugin: An authentication Plugin. + :returns: An authentication Plugin or None if a name is not provided + :rtype: :py:class:`keystoneclient.auth.BaseAuthPlugin` - :raises exceptions.NoMatchingPlugin: if a plugin cannot be created. + :raises keystoneclient.exceptions.NoMatchingPlugin: if a plugin cannot be + created. """ # NOTE(jamielennox): plugins are allowed to specify a 'section' which is # the group that auth options should be taken from. If not present they @@ -101,7 +125,7 @@ def load_from_conf_options(conf, group, **kwargs): name = conf[group].auth_plugin if not name: - raise exceptions.NoMatchingPlugin('No plugin name provided for config') + return None plugin_class = base.get_plugin_class(name) plugin_class.register_conf_options(conf, group) diff --git a/keystoneclient/auth/identity/__init__.py b/keystoneclient/auth/identity/__init__.py index e69de29bb..8146c1e58 100644 --- a/keystoneclient/auth/identity/__init__.py +++ b/keystoneclient/auth/identity/__init__.py @@ -0,0 +1,37 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient.auth.identity import base +from keystoneclient.auth.identity import generic +from keystoneclient.auth.identity import v2 +from keystoneclient.auth.identity import v3 + + +BaseIdentityPlugin = base.BaseIdentityPlugin + +V2Password = v2.Password +V2Token = v2.Token + +V3Password = v3.Password +V3Token = v3.Token + +Password = generic.Password +Token = generic.Token + + +__all__ = ('BaseIdentityPlugin', + 'Password', + 'Token', + 'V2Password', + 'V2Token', + 'V3Password', + 'V3Token') diff --git a/keystoneclient/auth/identity/access.py b/keystoneclient/auth/identity/access.py new file mode 100644 index 000000000..3e096b7af --- /dev/null +++ b/keystoneclient/auth/identity/access.py @@ -0,0 +1,45 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient.auth.identity import base + + +class AccessInfoPlugin(base.BaseIdentityPlugin): + """A plugin that turns an existing AccessInfo object into a usable plugin. + + There are cases where reuse of an auth_ref or AccessInfo object is + warranted such as from a cache, from auth_token middleware, or another + source. + + Turn the existing access info object into an identity plugin. This plugin + cannot be refreshed as the AccessInfo object does not contain any + authorizing information. + + :param auth_ref: the existing AccessInfo object. + :type auth_ref: keystoneclient.access.AccessInfo + :param auth_url: the url where this AccessInfo was retrieved from. Required + if using the AUTH_INTERFACE with get_endpoint. (optional) + """ + + def __init__(self, auth_ref, auth_url=None): + super(AccessInfoPlugin, self).__init__(auth_url=auth_url, + reauthenticate=False) + self.auth_ref = auth_ref + + def get_auth_ref(self, session, **kwargs): + return self.auth_ref + + def invalidate(self): + # NOTE(jamielennox): Don't allow the default invalidation to occur + # because on next authentication request we will only get the same + # auth_ref object again. + return False diff --git a/keystoneclient/auth/identity/base.py b/keystoneclient/auth/identity/base.py index 4b02f944b..b27d349e6 100644 --- a/keystoneclient/auth/identity/base.py +++ b/keystoneclient/auth/identity/base.py @@ -12,23 +12,29 @@ import abc import logging +import threading +import warnings -from oslo.config import cfg -import six +from oslo_config import cfg from keystoneclient import _discover from keystoneclient.auth import base from keystoneclient import exceptions -from keystoneclient import utils LOG = logging.getLogger(__name__) -@six.add_metaclass(abc.ABCMeta) -class BaseIdentityPlugin(base.BaseAuthPlugin): +def get_options(): + return [ + cfg.StrOpt('auth-url', help='Authentication URL'), + ] - # we count a token as valid if it is valid for at least this many seconds - MIN_TOKEN_LIFE_SECONDS = 1 + +class BaseIdentityPlugin(base.BaseAuthPlugin, metaclass=abc.ABCMeta): + + # we count a token as valid (not needing refreshing) if it is valid for at + # least this many seconds before the token expiry time + MIN_TOKEN_LIFE_SECONDS = 120 def __init__(self, auth_url=None, @@ -40,18 +46,118 @@ def __init__(self, super(BaseIdentityPlugin, self).__init__() + warnings.warn( + 'keystoneclient auth plugins are deprecated as of the 2.1.0 ' + 'release in favor of keystoneauth1 plugins. They will be removed ' + 'in future releases.', DeprecationWarning) + self.auth_url = auth_url self.auth_ref = None self.reauthenticate = reauthenticate self._endpoint_cache = {} + self._lock = threading.Lock() + + self._username = username + self._password = password + self._token = token + self._trust_id = trust_id + + @property + def username(self): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'username is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + return self._username + + @username.setter + def username(self, value): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'username is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + self._username = value + + @property + def password(self): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'password is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + return self._password + + @password.setter + def password(self, value): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'password is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + self._password = value + + @property + def token(self): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'token is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + return self._token + + @token.setter + def token(self, value): + """Deprecated as of the 1.7.0 release. - # NOTE(jamielennox): DEPRECATED. The following should not really be set - # here but handled by the individual auth plugin. - self.username = username - self.password = password - self.token = token - self.trust_id = trust_id + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'token is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + self._token = value + + @property + def trust_id(self): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'trust_id is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + return self._trust_id + + @trust_id.setter + def trust_id(self, value): + """Deprecated as of the 1.7.0 release. + + It may be removed in the 2.0.0 release. + """ + warnings.warn( + 'trust_id is deprecated as of the 1.7.0 release and may be ' + 'removed in the 2.0.0 release.', DeprecationWarning) + + self._trust_id = value @abc.abstractmethod def get_auth_ref(self, session, **kwargs): @@ -59,28 +165,41 @@ def get_auth_ref(self, session, **kwargs): This method is overridden by the various token version plugins. - This function should not be called independently and is expected to be - invoked via the do_authenticate function. + This method should not be called independently and is expected to be + invoked via the do_authenticate() method. - This function will be invoked if the AcessInfo object cached by the + This method will be invoked if the AccessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo - when invoked. If you are looking to just retrieve the current auth - data then you should use get_access. + when invoked. If you are looking to just retrieve the current auth data + then you should use get_access(). - :raises InvalidResponse: The response returned wasn't appropriate. - :raises HttpError: An error from an invalid HTTP response. + :param session: A session object that can be used for communication. + :type session: keystoneclient.session.Session - :returns AccessInfo: Token access information. + :raises keystoneclient.exceptions.InvalidResponse: The response + returned wasn't + appropriate. + :raises keystoneclient.exceptions.HttpError: An error from an invalid + HTTP response. + + :returns: Token access information. + :rtype: :py:class:`keystoneclient.access.AccessInfo` """ + pass # pragma: no cover def get_token(self, session, **kwargs): """Return a valid auth token. If a valid token is not present then a new one will be fetched. - :raises HttpError: An error from an invalid HTTP response. + :param session: A session object that can be used for communication. + :type session: keystoneclient.session.Session + + :raises keystoneclient.exceptions.HttpError: An error from an invalid + HTTP response. - :return string: A valid token. + :return: A valid token. + :rtype: string """ return self.get_access(session).auth_token @@ -112,12 +231,23 @@ def get_access(self, session, **kwargs): If a valid AccessInfo is present then it is returned otherwise a new one will be fetched. - :raises HttpError: An error from an invalid HTTP response. + :param session: A session object that can be used for communication. + :type session: keystoneclient.session.Session + + :raises keystoneclient.exceptions.HttpError: An error from an invalid + HTTP response. - :returns AccessInfo: Valid AccessInfo + :returns: Valid AccessInfo + :rtype: :py:class:`keystoneclient.access.AccessInfo` """ - if self._needs_reauthenticate(): - self.auth_ref = self.get_auth_ref(session) + # Hey Kids! Thread safety is important particularly in the case where + # a service is creating an admin style plugin that will then proceed + # to make calls from many threads. As a token expires all the threads + # will try and fetch a new token at once, so we want to ensure that + # only one thread tries to actually fetch from keystone at once. + with self._lock: + if self._needs_reauthenticate(): + self.auth_ref = self.get_auth_ref(session) return self.auth_ref @@ -130,12 +260,16 @@ def invalidate(self): returned to indicate that the token may have been revoked or is otherwise now invalid. - :returns bool: True if there was something that the plugin did to - invalidate. This means that it makes sense to try again. - If nothing happens returns False to indicate give up. + :returns: True if there was something that the plugin did to + invalidate. This means that it makes sense to try again. If + nothing happens returns False to indicate give up. + :rtype: bool """ - self.auth_ref = None - return True + if self.auth_ref: + self.auth_ref = None + return True + + return False def get_endpoint(self, session, service_type=None, interface=None, region_name=None, service_name=None, version=None, @@ -145,6 +279,8 @@ def get_endpoint(self, session, service_type=None, interface=None, If a valid token is not present then a new one will be fetched using the session and kwargs. + :param session: A session object that can be used for communication. + :type session: keystoneclient.session.Session :param string service_type: The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided. @@ -160,31 +296,37 @@ def get_endpoint(self, session, service_type=None, interface=None, :param tuple version: The minimum version number required for this endpoint. (optional) - :raises HttpError: An error from an invalid HTTP response. + :raises keystoneclient.exceptions.HttpError: An error from an invalid + HTTP response. - :return string or None: A valid endpoint URL or None if not available. + :return: A valid endpoint URL or None if not available. + :rtype: string or None """ # NOTE(jamielennox): if you specifically ask for requests to be sent to - # the auth url then we can ignore the rest of the checks. Typically if - # you are asking for the auth endpoint it means that there is no - # catalog to query anyway. + # the auth url then we can ignore many of the checks. Typically if you + # are asking for the auth endpoint it means that there is no catalog to + # query however we still need to support asking for a specific version + # of the auth_url for generic plugins. if interface is base.AUTH_INTERFACE: - return self.auth_url - - if not service_type: - LOG.warn('Plugin cannot return an endpoint without knowing the ' - 'service type that is required. Add service_type to ' - 'endpoint filtering data.') - return None - - if not interface: - interface = 'public' + url = self.auth_url + service_type = service_type or 'identity' - service_catalog = self.get_access(session).service_catalog - url = service_catalog.url_for(service_type=service_type, - endpoint_type=interface, - region_name=region_name, - service_name=service_name) + else: + if not service_type: + LOG.warning( + 'Plugin cannot return an endpoint without knowing the ' + 'service type that is required. Add service_type to ' + 'endpoint filtering data.') + return None + + if not interface: + interface = 'public' + + service_catalog = self.get_access(session).service_catalog + url = service_catalog.url_for(service_type=service_type, + endpoint_type=interface, + region_name=region_name, + service_name=service_name) if not version: # NOTE(jamielennox): This may not be the best thing to default to @@ -192,22 +334,35 @@ def get_endpoint(self, session, service_type=None, interface=None, # defaulting to the most recent version. return url + # NOTE(jamielennox): For backwards compatibility people might have a + # versioned endpoint in their catalog even though they want to use + # other endpoint versions. So we support a list of client defined + # situations where we can strip the version component from a URL before + # doing discovery. + hacked_url = _discover.get_catalog_discover_hack(service_type, url) + try: - disc = self.get_discovery(session, url, authenticated=False) + disc = self.get_discovery(session, hacked_url, authenticated=False) except (exceptions.DiscoveryFailure, exceptions.HTTPError, exceptions.ConnectionError): # NOTE(jamielennox): Again if we can't contact the server we fall # back to just returning the URL from the catalog. This may not be # the best default but we need it for now. - LOG.warn('Failed to contact the endpoint at %s for discovery. ' - 'Fallback to using that endpoint as the base url.', url) + LOG.warning( + 'Failed to contact the endpoint at %s for discovery. Fallback ' + 'to using that endpoint as the base url.', url) else: url = disc.url_for(version) return url - @utils.positional() + def get_user_id(self, session, **kwargs): + return self.get_access(session).user_id + + def get_project_id(self, session, **kwargs): + return self.get_access(session).project_id + def get_discovery(self, session, url, authenticated=None): """Return the discovery object for a URL. @@ -218,16 +373,19 @@ def get_discovery(self, session, url, authenticated=None): This function is expected to be used by subclasses and should not be needed by users. - :param Session session: A session object to discover with. + :param session: A session object to discover with. + :type session: keystoneclient.session.Session :param str url: The url to lookup. :param bool authenticated: Include a token in the discovery call. (optional) Defaults to None (use a token if a plugin is installed). - :raises: DiscoveryFailure if for some reason the lookup fails. - :raises: HttpError An error from an invalid HTTP response. + :raises keystoneclient.exceptions.DiscoveryFailure: if for some reason + the lookup fails. + :raises keystoneclient.exceptions.HttpError: An error from an invalid + HTTP response. - :return: A discovery object with the results of looking up that URL. + :returns: A discovery object with the results of looking up that URL. """ # NOTE(jamielennox): we want to cache endpoints on the session as well # so that they maintain sharing between auth plugins. Create a cache on @@ -256,9 +414,5 @@ def get_discovery(self, session, url, authenticated=None): @classmethod def get_options(cls): options = super(BaseIdentityPlugin, cls).get_options() - - options.extend([ - cfg.StrOpt('auth-url', help='Authentication URL'), - ]) - + options.extend(get_options()) return options diff --git a/keystoneclient/auth/identity/generic/__init__.py b/keystoneclient/auth/identity/generic/__init__.py new file mode 100644 index 000000000..a96fb9791 --- /dev/null +++ b/keystoneclient/auth/identity/generic/__init__.py @@ -0,0 +1,21 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient.auth.identity.generic.base import BaseGenericPlugin # noqa +from keystoneclient.auth.identity.generic.password import Password # noqa +from keystoneclient.auth.identity.generic.token import Token # noqa + + +__all__ = ('BaseGenericPlugin', + 'Password', + 'Token', + ) diff --git a/keystoneclient/auth/identity/generic/base.py b/keystoneclient/auth/identity/generic/base.py new file mode 100644 index 000000000..1cf3e0a9a --- /dev/null +++ b/keystoneclient/auth/identity/generic/base.py @@ -0,0 +1,190 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import abc +import logging +import urllib.parse as urlparse + +from oslo_config import cfg + +from keystoneclient import _discover +from keystoneclient.auth.identity import base +from keystoneclient import exceptions +from keystoneclient.i18n import _ + + +LOG = logging.getLogger(__name__) + + +def get_options(): + return [ + cfg.StrOpt('domain-id', help='Domain ID to scope to'), + cfg.StrOpt('domain-name', help='Domain name to scope to'), + cfg.StrOpt('tenant-id', help='Tenant ID to scope to'), + cfg.StrOpt('tenant-name', help='Tenant name to scope to'), + cfg.StrOpt('project-id', help='Project ID to scope to'), + cfg.StrOpt('project-name', help='Project name to scope to'), + cfg.StrOpt('project-domain-id', + help='Domain ID containing project'), + cfg.StrOpt('project-domain-name', + help='Domain name containing project'), + cfg.StrOpt('trust-id', help='Trust ID'), + ] + + +class BaseGenericPlugin(base.BaseIdentityPlugin, metaclass=abc.ABCMeta): + """An identity plugin that is not version dependent. + + Internally we will construct a version dependent plugin with the resolved + URL and then proxy all calls from the base plugin to the versioned one. + """ + + def __init__(self, auth_url, + tenant_id=None, + tenant_name=None, + project_id=None, + project_name=None, + project_domain_id=None, + project_domain_name=None, + domain_id=None, + domain_name=None, + trust_id=None): + super(BaseGenericPlugin, self).__init__(auth_url=auth_url) + + self._project_id = project_id or tenant_id + self._project_name = project_name or tenant_name + self._project_domain_id = project_domain_id + self._project_domain_name = project_domain_name + self._domain_id = domain_id + self._domain_name = domain_name + self._trust_id = trust_id + + self._plugin = None + + @property + def trust_id(self): + # Override to remove deprecation. + return self._trust_id + + @trust_id.setter + def trust_id(self, value): + # Override to remove deprecation. + self._trust_id = value + + @abc.abstractmethod + def create_plugin(self, session, version, url, raw_status=None): + """Create a plugin from the given parameters. + + This function will be called multiple times with the version and url + of a potential endpoint. If a plugin can be constructed that fits the + params then it should return it. If not return None and then another + call will be made with other available URLs. + + :param session: A session object. + :type session: keystoneclient.session.Session + :param tuple version: A tuple of the API version at the URL. + :param string url: The base URL for this version. + :param string raw_status: The status that was in the discovery field. + + :returns: A plugin that can match the parameters or None if nothing. + """ + return None # pragma: no cover + + @property + def _has_domain_scope(self): + """Are there domain parameters. + + Domain parameters are v3 only so returns if any are set. + + :returns: True if a domain parameter is set, false otherwise. + """ + return any([self._domain_id, self._domain_name, + self._project_domain_id, self._project_domain_name]) + + @property + def _v2_params(self): + """Return parameters that are common to v2 plugins.""" + return {'trust_id': self._trust_id, + 'tenant_id': self._project_id, + 'tenant_name': self._project_name} + + @property + def _v3_params(self): + """Return parameters that are common to v3 plugins.""" + return {'trust_id': self._trust_id, + 'project_id': self._project_id, + 'project_name': self._project_name, + 'project_domain_id': self._project_domain_id, + 'project_domain_name': self._project_domain_name, + 'domain_id': self._domain_id, + 'domain_name': self._domain_name} + + def _do_create_plugin(self, session): + plugin = None + + try: + disc = self.get_discovery(session, + self.auth_url, + authenticated=False) + except (exceptions.DiscoveryFailure, + exceptions.HTTPError, + exceptions.ConnectionError): + LOG.warning('Discovering versions from the identity service ' + 'failed when creating the password plugin. ' + 'Attempting to determine version from URL.') + + url_parts = urlparse.urlparse(self.auth_url) + path = url_parts.path.lower() + + if path.startswith('/v2.0') and not self._has_domain_scope: + plugin = self.create_plugin(session, (2, 0), self.auth_url) + elif path.startswith('/v3'): + plugin = self.create_plugin(session, (3, 0), self.auth_url) + + else: + disc_data = disc.version_data() + + for data in disc_data: + version = data['version'] + + if (_discover.version_match((2,), version) and + self._has_domain_scope): + # NOTE(jamielennox): if there are domain parameters there + # is no point even trying against v2 APIs. + continue + + plugin = self.create_plugin(session, + version, + data['url'], + raw_status=data['raw_status']) + + if plugin: + break + + if plugin: + return plugin + + # so there were no URLs that i could use for auth of any version. + msg = _('Could not determine a suitable URL for the plugin') + raise exceptions.DiscoveryFailure(msg) + + def get_auth_ref(self, session, **kwargs): + if not self._plugin: + self._plugin = self._do_create_plugin(session) + + return self._plugin.get_auth_ref(session, **kwargs) + + @classmethod + def get_options(cls): + options = super(BaseGenericPlugin, cls).get_options() + options.extend(get_options()) + return options diff --git a/keystoneclient/auth/identity/generic/cli.py b/keystoneclient/auth/identity/generic/cli.py new file mode 100644 index 000000000..de1d74895 --- /dev/null +++ b/keystoneclient/auth/identity/generic/cli.py @@ -0,0 +1,82 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystoneclient.auth.identity.generic import password +from keystoneclient import exceptions as exc +from keystoneclient.i18n import _ + + +class DefaultCLI(password.Password): + """A Plugin that provides typical authentication options for CLIs. + + This plugin provides standard username and password authentication options + as well as allowing users to override with a custom token and endpoint. + """ + + def __init__(self, endpoint=None, token=None, **kwargs): + super(DefaultCLI, self).__init__(**kwargs) + + self._token = token + self._endpoint = endpoint + + @classmethod + def get_options(cls): + options = super(DefaultCLI, cls).get_options() + options.extend([cfg.StrOpt('endpoint', + help='A URL to use instead of a catalog'), + cfg.StrOpt('token', + secret=True, + help='Always use the specified token')]) + return options + + def get_token(self, *args, **kwargs): + if self._token: + return self._token + + return super(DefaultCLI, self).get_token(*args, **kwargs) + + def get_endpoint(self, *args, **kwargs): + if self._endpoint: + return self._endpoint + + return super(DefaultCLI, self).get_endpoint(*args, **kwargs) + + @classmethod + def load_from_argparse_arguments(cls, namespace, **kwargs): + token = kwargs.get('token') or namespace.os_token + endpoint = kwargs.get('endpoint') or namespace.os_endpoint + auth_url = kwargs.get('auth_url') or namespace.os_auth_url + + if token and not endpoint: + # if a user provides a token then they must also provide an + # endpoint because we aren't fetching a token to get a catalog from + msg = _('A service URL must be provided with a token') + raise exc.CommandError(msg) + elif (not token) and (not auth_url): + # if you don't provide a token you are going to provide at least an + # auth_url with which to authenticate. + raise exc.CommandError(_('Expecting an auth URL via either ' + '--os-auth-url or env[OS_AUTH_URL]')) + + plugin = super(DefaultCLI, cls).load_from_argparse_arguments(namespace, + **kwargs) + + if (not token) and (not plugin._password): + # we do this after the load so that the base plugin has an + # opportunity to prompt the user for a password + raise exc.CommandError(_('Expecting a password provided via ' + 'either --os-password, env[OS_PASSWORD], ' + 'or prompted response')) + + return plugin diff --git a/keystoneclient/auth/identity/generic/password.py b/keystoneclient/auth/identity/generic/password.py new file mode 100644 index 000000000..ddcdba8e3 --- /dev/null +++ b/keystoneclient/auth/identity/generic/password.py @@ -0,0 +1,87 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystoneclient import _discover +from keystoneclient.auth.identity.generic import base +from keystoneclient.auth.identity import v2 +from keystoneclient.auth.identity import v3 +from keystoneclient import utils + + +def get_options(): + return [ + cfg.StrOpt('user-id', help='User id'), + cfg.StrOpt('username', dest='username', help='Username', + deprecated_name='user-name'), + cfg.StrOpt('user-domain-id', help="User's domain id"), + cfg.StrOpt('user-domain-name', help="User's domain name"), + cfg.StrOpt('password', secret=True, help="User's password"), + ] + + +class Password(base.BaseGenericPlugin): + """A common user/password authentication plugin. + + :param string username: Username for authentication. + :param string user_id: User ID for authentication. + :param string password: Password for authentication. + :param string user_domain_id: User's domain ID for authentication. + :param string user_domain_name: User's domain name for authentication. + + """ + + def __init__(self, auth_url, username=None, user_id=None, password=None, + user_domain_id=None, user_domain_name=None, **kwargs): + super(Password, self).__init__(auth_url=auth_url, **kwargs) + + self._username = username + self._user_id = user_id + self._password = password + self._user_domain_id = user_domain_id + self._user_domain_name = user_domain_name + + def create_plugin(self, session, version, url, raw_status=None): + if _discover.version_match((2,), version): + if self._user_domain_id or self._user_domain_name: + # If you specify any domain parameters it won't work so quit. + return None + + return v2.Password(auth_url=url, + user_id=self._user_id, + username=self._username, + password=self._password, + **self._v2_params) + + elif _discover.version_match((3,), version): + return v3.Password(auth_url=url, + user_id=self._user_id, + username=self._username, + user_domain_id=self._user_domain_id, + user_domain_name=self._user_domain_name, + password=self._password, + **self._v3_params) + + @classmethod + def get_options(cls): + options = super(Password, cls).get_options() + options.extend(get_options()) + return options + + @classmethod + def load_from_argparse_arguments(cls, namespace, **kwargs): + if not (kwargs.get('password') or namespace.os_password): + kwargs['password'] = utils.prompt_user_password() + + return super(Password, cls).load_from_argparse_arguments(namespace, + **kwargs) diff --git a/keystoneclient/auth/identity/generic/token.py b/keystoneclient/auth/identity/generic/token.py new file mode 100644 index 000000000..e3d01aa0f --- /dev/null +++ b/keystoneclient/auth/identity/generic/token.py @@ -0,0 +1,48 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystoneclient import _discover +from keystoneclient.auth.identity.generic import base +from keystoneclient.auth.identity import v2 +from keystoneclient.auth.identity import v3 + + +def get_options(): + return [ + cfg.StrOpt('token', secret=True, help='Token to authenticate with'), + ] + + +class Token(base.BaseGenericPlugin): + """Generic token auth plugin. + + :param string token: Token for authentication. + """ + + def __init__(self, auth_url, token=None, **kwargs): + super(Token, self).__init__(auth_url, **kwargs) + self._token = token + + def create_plugin(self, session, version, url, raw_status=None): + if _discover.version_match((2,), version): + return v2.Token(url, self._token, **self._v2_params) + + elif _discover.version_match((3,), version): + return v3.Token(url, self._token, **self._v3_params) + + @classmethod + def get_options(cls): + options = super(Token, cls).get_options() + options.extend(get_options()) + return options diff --git a/keystoneclient/auth/identity/v2.py b/keystoneclient/auth/identity/v2.py index 174f89937..b2ecb4b59 100644 --- a/keystoneclient/auth/identity/v2.py +++ b/keystoneclient/auth/identity/v2.py @@ -13,8 +13,7 @@ import abc import logging -from oslo.config import cfg -import six +from oslo_config import cfg from keystoneclient import access from keystoneclient.auth.identity import base @@ -24,8 +23,16 @@ _logger = logging.getLogger(__name__) -@six.add_metaclass(abc.ABCMeta) -class Auth(base.BaseIdentityPlugin): +class Auth(base.BaseIdentityPlugin, metaclass=abc.ABCMeta): + """Identity V2 Authentication Plugin. + + :param string auth_url: Identity service endpoint for authorization. + :param string trust_id: Trust ID for trust scoping. + :param string tenant_id: Tenant ID for project scoping. + :param string tenant_name: Tenant name for project scoping. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True + """ @classmethod def get_options(cls): @@ -39,29 +46,28 @@ def get_options(cls): return options - @utils.positional() def __init__(self, auth_url, trust_id=None, tenant_id=None, tenant_name=None, reauthenticate=True): - """Construct an Identity V2 Authentication Plugin. - - :param string auth_url: Identity service endpoint for authorization. - :param string trust_id: Trust ID for trust scoping. - :param string tenant_id: Tenant ID for project scoping. - :param string tenant_name: Tenant name for project scoping. - :param bool reauthenticate: Allow fetching a new token if the current - one is going to expire. - (optional) default True - """ super(Auth, self).__init__(auth_url=auth_url, reauthenticate=reauthenticate) - self.trust_id = trust_id + self._trust_id = trust_id self.tenant_id = tenant_id self.tenant_name = tenant_name + @property + def trust_id(self): + # Override to remove deprecation. + return self._trust_id + + @trust_id.setter + def trust_id(self, value): + # Override to remove deprecation. + self._trust_id = value + def get_auth_ref(self, session, **kwargs): headers = {'Accept': 'application/json'} url = self.auth_url.rstrip('/') + '/tokens' @@ -91,35 +97,69 @@ def get_auth_data(self, headers=None): :param dict headers: The headers that will be sent with the auth request if a plugin needs to add to them. - :return dict: A dict of authentication data for the auth type. + :return: A dict of authentication data for the auth type. + :rtype: dict """ + pass # pragma: no cover + + +_NOT_PASSED = object() class Password(Auth): + """A plugin for authenticating with a username and password. - @utils.positional(4) - def __init__(self, auth_url, username=None, password=None, user_id=None, - **kwargs): - """A plugin for authenticating with a username and password. + A username or user_id must be provided. - A username or user_id must be provided. + :param string auth_url: Identity service endpoint for authorization. + :param string username: Username for authentication. + :param string password: Password for authentication. + :param string user_id: User ID for authentication. + :param string trust_id: Trust ID for trust scoping. + :param string tenant_id: Tenant ID for tenant scoping. + :param string tenant_name: Tenant name for tenant scoping. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True - :param string auth_url: Identity service endpoint for authorization. - :param string username: Username for authentication. - :param string password: Password for authentication. - :param string user_id: User ID for authentication. + :raises TypeError: if a user_id or username is not provided. + """ - :raises TypeError: if a user_id or username is not provided. - """ + def __init__(self, auth_url, username=_NOT_PASSED, password=None, + user_id=_NOT_PASSED, **kwargs): super(Password, self).__init__(auth_url, **kwargs) - if not (user_id or username): + if username is _NOT_PASSED and user_id is _NOT_PASSED: msg = 'You need to specify either a username or user_id' raise TypeError(msg) + if username is _NOT_PASSED: + username = None + if user_id is _NOT_PASSED: + user_id = None + self.user_id = user_id - self.username = username - self.password = password + self._username = username + self._password = password + + @property + def username(self): + # Override to remove deprecation. + return self._username + + @username.setter + def username(self, value): + # Override to remove deprecation. + self._username = value + + @property + def password(self): + # Override to remove deprecation. + return self._password + + @password.setter + def password(self, value): + # Override to remove deprecation. + self._password = value def get_auth_data(self, headers=None): auth = {'password': self.password} @@ -131,16 +171,24 @@ def get_auth_data(self, headers=None): return {'passwordCredentials': auth} + @classmethod + def load_from_argparse_arguments(cls, namespace, **kwargs): + if not (kwargs.get('password') or namespace.os_password): + kwargs['password'] = utils.prompt_user_password() + + return super(Password, cls).load_from_argparse_arguments(namespace, + **kwargs) + @classmethod def get_options(cls): options = super(Password, cls).get_options() options.extend([ - cfg.StrOpt('user-name', + cfg.StrOpt('username', dest='username', - deprecated_name='username', + deprecated_name='user-name', help='Username to login with'), - cfg.StrOpt('user-id', help='User ID to longin with'), + cfg.StrOpt('user-id', help='User ID to login with'), cfg.StrOpt('password', secret=True, help='Password to use'), ]) @@ -148,15 +196,30 @@ def get_options(cls): class Token(Auth): + """A plugin for authenticating with an existing token. - def __init__(self, auth_url, token, **kwargs): - """A plugin for authenticating with an existing token. + :param string auth_url: Identity service endpoint for authorization. + :param string token: Existing token for authentication. + :param string tenant_id: Tenant ID for tenant scoping. + :param string tenant_name: Tenant name for tenant scoping. + :param string trust_id: Trust ID for trust scoping. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True + """ - :param string auth_url: Identity service endpoint for authorization. - :param string token: Existing token for authentication. - """ + def __init__(self, auth_url, token, **kwargs): super(Token, self).__init__(auth_url, **kwargs) - self.token = token + self._token = token + + @property + def token(self): + # Override to remove deprecation. + return self._token + + @token.setter + def token(self, value): + # Override to remove deprecation. + self._token = value def get_auth_data(self, headers=None): if headers is not None: diff --git a/keystoneclient/auth/identity/v3.py b/keystoneclient/auth/identity/v3.py deleted file mode 100644 index cd4f9c58a..000000000 --- a/keystoneclient/auth/identity/v3.py +++ /dev/null @@ -1,290 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import abc -import logging - -from oslo.config import cfg -import six - -from keystoneclient import access -from keystoneclient.auth.identity import base -from keystoneclient import exceptions -from keystoneclient import utils - -_logger = logging.getLogger(__name__) - - -class Auth(base.BaseIdentityPlugin): - - @utils.positional() - def __init__(self, auth_url, auth_methods, - trust_id=None, - domain_id=None, - domain_name=None, - project_id=None, - project_name=None, - project_domain_id=None, - project_domain_name=None, - reauthenticate=True): - """Construct an Identity V3 Authentication Plugin. - - :param string auth_url: Identity service endpoint for authentication. - :param list auth_methods: A collection of methods to authenticate with. - :param string trust_id: Trust ID for trust scoping. - :param string domain_id: Domain ID for domain scoping. - :param string domain_name: Domain name for domain scoping. - :param string project_id: Project ID for project scoping. - :param string project_name: Project name for project scoping. - :param string project_domain_id: Project's domain ID for project. - :param string project_domain_name: Project's domain name for project. - :param bool reauthenticate: Allow fetching a new token if the current - one is going to expire. - (optional) default True - """ - - super(Auth, self).__init__(auth_url=auth_url, - reauthenticate=reauthenticate) - - self.auth_methods = auth_methods - self.trust_id = trust_id - self.domain_id = domain_id - self.domain_name = domain_name - self.project_id = project_id - self.project_name = project_name - self.project_domain_id = project_domain_id - self.project_domain_name = project_domain_name - - @property - def token_url(self): - """The full URL where we will send authentication data.""" - return '%s/auth/tokens' % self.auth_url.rstrip('/') - - def get_auth_ref(self, session, **kwargs): - headers = {'Accept': 'application/json'} - body = {'auth': {'identity': {}}} - ident = body['auth']['identity'] - - for method in self.auth_methods: - name, auth_data = method.get_auth_data(session, self, headers) - ident.setdefault('methods', []).append(name) - ident[name] = auth_data - - if not ident: - raise exceptions.AuthorizationFailure('Authentication method ' - 'required (e.g. password)') - - mutual_exclusion = [bool(self.domain_id or self.domain_name), - bool(self.project_id or self.project_name), - bool(self.trust_id)] - - if sum(mutual_exclusion) > 1: - raise exceptions.AuthorizationFailure('Authentication cannot be ' - 'scoped to multiple ' - 'targets. Pick one of: ' - 'project, domain or trust') - - if self.domain_id: - body['auth']['scope'] = {'domain': {'id': self.domain_id}} - elif self.domain_name: - body['auth']['scope'] = {'domain': {'name': self.domain_name}} - elif self.project_id: - body['auth']['scope'] = {'project': {'id': self.project_id}} - elif self.project_name: - scope = body['auth']['scope'] = {'project': {}} - scope['project']['name'] = self.project_name - - if self.project_domain_id: - scope['project']['domain'] = {'id': self.project_domain_id} - elif self.project_domain_name: - scope['project']['domain'] = {'name': self.project_domain_name} - elif self.trust_id: - body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}} - - _logger.debug('Making authentication request to %s', self.token_url) - resp = session.post(self.token_url, json=body, headers=headers, - authenticated=False, log=False) - - try: - resp_data = resp.json()['token'] - except (KeyError, ValueError): - raise exceptions.InvalidResponse(response=resp) - - return access.AccessInfoV3(resp.headers['X-Subject-Token'], - **resp_data) - - @classmethod - def get_options(cls): - options = super(Auth, cls).get_options() - - options.extend([ - cfg.StrOpt('domain-id', help='Domain ID to scope to'), - cfg.StrOpt('domain-name', help='Domain name to scope to'), - cfg.StrOpt('project-id', help='Project ID to scope to'), - cfg.StrOpt('project-name', help='Project name to scope to'), - cfg.StrOpt('project-domain-id', - help='Domain ID containing project'), - cfg.StrOpt('project-domain-name', - help='Domain name containing project'), - cfg.StrOpt('trust-id', help='Trust ID'), - ]) - - return options - - -@six.add_metaclass(abc.ABCMeta) -class AuthMethod(object): - """One part of a V3 Authentication strategy. - - V3 Tokens allow multiple methods to be presented when authentication - against the server. Each one of these methods is implemented by an - AuthMethod. - - Note: When implementing an AuthMethod use the method_parameters - and do not use positional arguments. Otherwise they can't be picked up by - the factory method and don't work as well with AuthConstructors. - """ - - _method_parameters = [] - - def __init__(self, **kwargs): - for param in self._method_parameters: - setattr(self, param, kwargs.pop(param, None)) - - if kwargs: - msg = "Unexpected Attributes: %s" % ", ".join(kwargs.keys()) - raise AttributeError(msg) - - @classmethod - def _extract_kwargs(cls, kwargs): - """Remove parameters related to this method from other kwargs.""" - return dict([(p, kwargs.pop(p, None)) - for p in cls._method_parameters]) - - @abc.abstractmethod - def get_auth_data(self, session, auth, headers, **kwargs): - """Return the authentication section of an auth plugin. - - :param Session session: The communication session. - :param Auth auth: The auth plugin calling the method. - :param dict headers: The headers that will be sent with the auth - request if a plugin needs to add to them. - :return tuple(string, dict): The identifier of this plugin and a dict - of authentication data for the auth type. - """ - - -@six.add_metaclass(abc.ABCMeta) -class AuthConstructor(Auth): - """AuthConstructor is a means of creating an Auth Plugin that contains - only one authentication method. This is generally the required usage. - - An AuthConstructor creates an AuthMethod based on the method's - arguments and the auth_method_class defined by the plugin. It then - creates the auth plugin with only that authentication method. - """ - - _auth_method_class = None - - def __init__(self, auth_url, *args, **kwargs): - method_kwargs = self._auth_method_class._extract_kwargs(kwargs) - method = self._auth_method_class(*args, **method_kwargs) - super(AuthConstructor, self).__init__(auth_url, [method], **kwargs) - - -class PasswordMethod(AuthMethod): - - _method_parameters = ['user_id', - 'username', - 'user_domain_id', - 'user_domain_name', - 'password'] - - def __init__(self, **kwargs): - """Construct a User/Password based authentication method. - - :param string password: Password for authentication. - :param string username: Username for authentication. - :param string user_id: User ID for authentication. - :param string user_domain_id: User's domain ID for authentication. - :param string user_domain_name: User's domain name for authentication. - """ - super(PasswordMethod, self).__init__(**kwargs) - - def get_auth_data(self, session, auth, headers, **kwargs): - user = {'password': self.password} - - if self.user_id: - user['id'] = self.user_id - elif self.username: - user['name'] = self.username - - if self.user_domain_id: - user['domain'] = {'id': self.user_domain_id} - elif self.user_domain_name: - user['domain'] = {'name': self.user_domain_name} - - return 'password', {'user': user} - - -class Password(AuthConstructor): - _auth_method_class = PasswordMethod - - @classmethod - def get_options(cls): - options = super(Password, cls).get_options() - - options.extend([ - cfg.StrOpt('user-id', help='User ID'), - cfg.StrOpt('user-name', dest='username', help='Username', - deprecated_name='username'), - cfg.StrOpt('user-domain-id', help="User's domain id"), - cfg.StrOpt('user-domain-name', help="User's domain name"), - cfg.StrOpt('password', secret=True, help="User's password"), - ]) - - return options - - -class TokenMethod(AuthMethod): - - _method_parameters = ['token'] - - def __init__(self, **kwargs): - """Construct an Auth plugin to fetch a token from a token. - - :param string token: Token for authentication. - """ - super(TokenMethod, self).__init__(**kwargs) - - def get_auth_data(self, session, auth, headers, **kwargs): - headers['X-Auth-Token'] = self.token - return 'token', {'id': self.token} - - -class Token(AuthConstructor): - _auth_method_class = TokenMethod - - def __init__(self, auth_url, token, **kwargs): - super(Token, self).__init__(auth_url, token=token, **kwargs) - - @classmethod - def get_options(cls): - options = super(Token, cls).get_options() - - options.extend([ - cfg.StrOpt('token', - secret=True, - help='Token to authenticate with'), - ]) - - return options diff --git a/keystoneclient/auth/identity/v3/__init__.py b/keystoneclient/auth/identity/v3/__init__.py new file mode 100644 index 000000000..abbaa658d --- /dev/null +++ b/keystoneclient/auth/identity/v3/__init__.py @@ -0,0 +1,32 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# flake8: noqa: F405 + +from keystoneclient.auth.identity.v3.base import * # noqa +from keystoneclient.auth.identity.v3.federated import * # noqa +from keystoneclient.auth.identity.v3.password import * # noqa +from keystoneclient.auth.identity.v3.token import * # noqa + + +__all__ = ('Auth', + 'AuthConstructor', + 'AuthMethod', + 'BaseAuth', + + 'FederatedBaseAuth', + + 'Password', + 'PasswordMethod', + + 'Token', + 'TokenMethod') diff --git a/keystoneclient/auth/identity/v3/base.py b/keystoneclient/auth/identity/v3/base.py new file mode 100644 index 000000000..c055d4ff7 --- /dev/null +++ b/keystoneclient/auth/identity/v3/base.py @@ -0,0 +1,259 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import abc +import logging + +from oslo_config import cfg +from oslo_serialization import jsonutils + +from keystoneclient import access +from keystoneclient.auth.identity import base +from keystoneclient import exceptions +from keystoneclient.i18n import _ + +_logger = logging.getLogger(__name__) + +__all__ = ('Auth', 'AuthMethod', 'AuthConstructor', 'BaseAuth') + + +class BaseAuth(base.BaseIdentityPlugin, metaclass=abc.ABCMeta): + """Identity V3 Authentication Plugin. + + :param string auth_url: Identity service endpoint for authentication. + :param List auth_methods: A collection of methods to authenticate with. + :param string trust_id: Trust ID for trust scoping. + :param string domain_id: Domain ID for domain scoping. + :param string domain_name: Domain name for domain scoping. + :param string project_id: Project ID for project scoping. + :param string project_name: Project name for project scoping. + :param string project_domain_id: Project's domain ID for project. + :param string project_domain_name: Project's domain name for project. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True + :param bool include_catalog: Include the service catalog in the returned + token. (optional) default True. + """ + + def __init__(self, auth_url, + trust_id=None, + domain_id=None, + domain_name=None, + project_id=None, + project_name=None, + project_domain_id=None, + project_domain_name=None, + reauthenticate=True, + include_catalog=True): + super(BaseAuth, self).__init__(auth_url=auth_url, + reauthenticate=reauthenticate) + self._trust_id = trust_id + self.domain_id = domain_id + self.domain_name = domain_name + self.project_id = project_id + self.project_name = project_name + self.project_domain_id = project_domain_id + self.project_domain_name = project_domain_name + self.include_catalog = include_catalog + + @property + def trust_id(self): + # Override to remove deprecation. + return self._trust_id + + @trust_id.setter + def trust_id(self, value): + # Override to remove deprecation. + self._trust_id = value + + @property + def token_url(self): + """The full URL where we will send authentication data.""" + return '%s/auth/tokens' % self.auth_url.rstrip('/') + + @abc.abstractmethod + def get_auth_ref(self, session, **kwargs): + return None # pragma: no cover + + @classmethod + def get_options(cls): + options = super(BaseAuth, cls).get_options() + + options.extend([ + cfg.StrOpt('domain-id', help='Domain ID to scope to'), + cfg.StrOpt('domain-name', help='Domain name to scope to'), + cfg.StrOpt('project-id', help='Project ID to scope to'), + cfg.StrOpt('project-name', help='Project name to scope to'), + cfg.StrOpt('project-domain-id', + help='Domain ID containing project'), + cfg.StrOpt('project-domain-name', + help='Domain name containing project'), + cfg.StrOpt('trust-id', help='Trust ID'), + ]) + + return options + + +class Auth(BaseAuth): + """Identity V3 Authentication Plugin. + + :param string auth_url: Identity service endpoint for authentication. + :param List auth_methods: A collection of methods to authenticate with. + :param string trust_id: Trust ID for trust scoping. + :param string domain_id: Domain ID for domain scoping. + :param string domain_name: Domain name for domain scoping. + :param string project_id: Project ID for project scoping. + :param string project_name: Project name for project scoping. + :param string project_domain_id: Project's domain ID for project. + :param string project_domain_name: Project's domain name for project. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True + :param bool include_catalog: Include the service catalog in the returned + token. (optional) default True. + :param bool unscoped: Force the return of an unscoped token. This will make + the keystone server return an unscoped token even if + a default_project_id is set for this user. + """ + + def __init__(self, auth_url, auth_methods, **kwargs): + self.unscoped = kwargs.pop('unscoped', False) + super(Auth, self).__init__(auth_url=auth_url, **kwargs) + self.auth_methods = auth_methods + + def get_auth_ref(self, session, **kwargs): + headers = {'Accept': 'application/json'} + body = {'auth': {'identity': {}}} + ident = body['auth']['identity'] + rkwargs = {} + + for method in self.auth_methods: + name, auth_data = method.get_auth_data(session, + self, + headers, + request_kwargs=rkwargs) + ident.setdefault('methods', []).append(name) + ident[name] = auth_data + + if not ident: + raise exceptions.AuthorizationFailure( + _('Authentication method required (e.g. password)')) + + mutual_exclusion = [bool(self.domain_id or self.domain_name), + bool(self.project_id or self.project_name), + bool(self.trust_id), + bool(self.unscoped)] + + if sum(mutual_exclusion) > 1: + raise exceptions.AuthorizationFailure( + _('Authentication cannot be scoped to multiple targets. Pick ' + 'one of: project, domain, trust or unscoped')) + + if self.domain_id: + body['auth']['scope'] = {'domain': {'id': self.domain_id}} + elif self.domain_name: + body['auth']['scope'] = {'domain': {'name': self.domain_name}} + elif self.project_id: + body['auth']['scope'] = {'project': {'id': self.project_id}} + elif self.project_name: + scope = body['auth']['scope'] = {'project': {}} + scope['project']['name'] = self.project_name + + if self.project_domain_id: + scope['project']['domain'] = {'id': self.project_domain_id} + elif self.project_domain_name: + scope['project']['domain'] = {'name': self.project_domain_name} + elif self.trust_id: + body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}} + elif self.unscoped: + body['auth']['scope'] = {'unscoped': {}} + + # NOTE(jamielennox): we add nocatalog here rather than in token_url + # directly as some federation plugins require the base token_url + token_url = self.token_url + if not self.include_catalog: + token_url += '?nocatalog' + + _logger.debug('Making authentication request to %s', token_url) + resp = session.post(token_url, json=body, headers=headers, + authenticated=False, log=False, **rkwargs) + + try: + _logger.debug(jsonutils.dumps(resp.json())) + resp_data = resp.json()['token'] + except (KeyError, ValueError): + raise exceptions.InvalidResponse(response=resp) + + return access.AccessInfoV3(resp.headers['X-Subject-Token'], + **resp_data) + + +class AuthMethod(object, metaclass=abc.ABCMeta): + """One part of a V3 Authentication strategy. + + V3 Tokens allow multiple methods to be presented when authentication + against the server. Each one of these methods is implemented by an + AuthMethod. + + Note: When implementing an AuthMethod use the method_parameters + and do not use positional arguments. Otherwise they can't be picked up by + the factory method and don't work as well with AuthConstructors. + """ + + _method_parameters = [] + + def __init__(self, **kwargs): + for param in self._method_parameters: + setattr(self, param, kwargs.pop(param, None)) + + if kwargs: + msg = _("Unexpected Attributes: %s") % ", ".join(kwargs) + raise AttributeError(msg) + + @classmethod + def _extract_kwargs(cls, kwargs): + """Remove parameters related to this method from other kwargs.""" + return dict([(p, kwargs.pop(p, None)) + for p in cls._method_parameters]) + + @abc.abstractmethod + def get_auth_data(self, session, auth, headers, **kwargs): + """Return the authentication section of an auth plugin. + + :param session: The communication session. + :type session: keystoneclient.session.Session + :param base.Auth auth: The auth plugin calling the method. + :param dict headers: The headers that will be sent with the auth + request if a plugin needs to add to them. + :return: The identifier of this plugin and a dict of authentication + data for the auth type. + :rtype: tuple(string, dict) + """ + pass # pragma: no cover + + +class AuthConstructor(Auth, metaclass=abc.ABCMeta): + """Abstract base class for creating an Auth Plugin. + + The Auth Plugin created contains only one authentication method. This + is generally the required usage. + + An AuthConstructor creates an AuthMethod based on the method's + arguments and the auth_method_class defined by the plugin. It then + creates the auth plugin with only that authentication method. + """ + + _auth_method_class = None + + def __init__(self, auth_url, *args, **kwargs): + method_kwargs = self._auth_method_class._extract_kwargs(kwargs) + method = self._auth_method_class(*args, **method_kwargs) + super(AuthConstructor, self).__init__(auth_url, [method], **kwargs) diff --git a/keystoneclient/auth/identity/v3/federated.py b/keystoneclient/auth/identity/v3/federated.py new file mode 100644 index 000000000..755e7f51b --- /dev/null +++ b/keystoneclient/auth/identity/v3/federated.py @@ -0,0 +1,119 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import abc + +from oslo_config import cfg + +from keystoneclient.auth.identity.v3 import base +from keystoneclient.auth.identity.v3 import token + +__all__ = ('FederatedBaseAuth',) + + +class FederatedBaseAuth(base.BaseAuth, metaclass=abc.ABCMeta): + + rescoping_plugin = token.Token + + def __init__(self, auth_url, identity_provider, protocol, **kwargs): + """Class constructor for federated authentication plugins. + + Accepting following parameters: + + :param auth_url: URL of the Identity Service + :type auth_url: string + :param identity_provider: Name of the Identity Provider the client + will authenticate against. This parameter + will be used to build a dynamic URL used to + obtain unscoped OpenStack token. + :type identity_provider: string + :param protocol: Protocol name configured on the keystone service + provider side + :type protocol: string + + """ + super(FederatedBaseAuth, self).__init__(auth_url=auth_url, **kwargs) + self.identity_provider = identity_provider + self.protocol = protocol + + @classmethod + def get_options(cls): + options = super(FederatedBaseAuth, cls).get_options() + + options.extend([ + cfg.StrOpt('identity-provider', + help="Identity Provider's name"), + cfg.StrOpt('protocol', help="Name of the federated protocol used " + "for federated authentication. Must " + "match its counterpart name " + "configured at the keystone service " + "provider. Typically values would be " + "'saml2' or 'oidc'.") + ]) + + return options + + @property + def federated_token_url(self): + """Full URL where authorization data is sent.""" + values = { + 'host': self.auth_url.rstrip('/'), + 'identity_provider': self.identity_provider, + 'protocol': self.protocol + } + url = ("%(host)s/OS-FEDERATION/identity_providers/" + "%(identity_provider)s/protocols/%(protocol)s/auth") + url = url % values + + return url + + def _get_scoping_data(self): + return {'trust_id': self.trust_id, + 'domain_id': self.domain_id, + 'domain_name': self.domain_name, + 'project_id': self.project_id, + 'project_name': self.project_name, + 'project_domain_id': self.project_domain_id, + 'project_domain_name': self.project_domain_name} + + def get_auth_ref(self, session, **kwargs): + """Authenticate retrieve token information. + + This is a multi-step process where a client does federated authn + receives an unscoped token. + + If an unscoped token is successfully received and scoping information + is present then the token is rescoped to that target. + + :param session: a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :returns: a token data representation + :rtype: :py:class:`keystoneclient.access.AccessInfo` + + """ + auth_ref = self.get_unscoped_auth_ref(session) + scoping = self._get_scoping_data() + + if any(scoping.values()): + token_plugin = self.rescoping_plugin(self.auth_url, + token=auth_ref.auth_token, + **scoping) + + auth_ref = token_plugin.get_auth_ref(session) + + return auth_ref + + @abc.abstractmethod + def get_unscoped_auth_ref(self, session, **kwargs): + """Fetch unscoped federated token.""" + pass # pragma: no cover diff --git a/keystoneclient/auth/identity/v3/password.py b/keystoneclient/auth/identity/v3/password.py new file mode 100644 index 000000000..99094a1e2 --- /dev/null +++ b/keystoneclient/auth/identity/v3/password.py @@ -0,0 +1,97 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystoneclient.auth.identity.v3 import base +from keystoneclient import utils + + +__all__ = ('PasswordMethod', 'Password') + + +class PasswordMethod(base.AuthMethod): + """Construct a User/Password based authentication method. + + :param string password: Password for authentication. + :param string username: Username for authentication. + :param string user_id: User ID for authentication. + :param string user_domain_id: User's domain ID for authentication. + :param string user_domain_name: User's domain name for authentication. + """ + + _method_parameters = ['user_id', + 'username', + 'user_domain_id', + 'user_domain_name', + 'password'] + + def get_auth_data(self, session, auth, headers, **kwargs): + user = {'password': self.password} + + if self.user_id: + user['id'] = self.user_id + elif self.username: + user['name'] = self.username + + if self.user_domain_id: + user['domain'] = {'id': self.user_domain_id} + elif self.user_domain_name: + user['domain'] = {'name': self.user_domain_name} + + return 'password', {'user': user} + + +class Password(base.AuthConstructor): + """A plugin for authenticating with a username and password. + + :param string auth_url: Identity service endpoint for authentication. + :param string password: Password for authentication. + :param string username: Username for authentication. + :param string user_id: User ID for authentication. + :param string user_domain_id: User's domain ID for authentication. + :param string user_domain_name: User's domain name for authentication. + :param string trust_id: Trust ID for trust scoping. + :param string domain_id: Domain ID for domain scoping. + :param string domain_name: Domain name for domain scoping. + :param string project_id: Project ID for project scoping. + :param string project_name: Project name for project scoping. + :param string project_domain_id: Project's domain ID for project. + :param string project_domain_name: Project's domain name for project. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True + """ + + _auth_method_class = PasswordMethod + + @classmethod + def get_options(cls): + options = super(Password, cls).get_options() + + options.extend([ + cfg.StrOpt('user-id', help='User ID'), + cfg.StrOpt('username', dest='username', help='Username', + deprecated_name='user-name'), + cfg.StrOpt('user-domain-id', help="User's domain id"), + cfg.StrOpt('user-domain-name', help="User's domain name"), + cfg.StrOpt('password', secret=True, help="User's password"), + ]) + + return options + + @classmethod + def load_from_argparse_arguments(cls, namespace, **kwargs): + if not (kwargs.get('password') or namespace.os_password): + kwargs['password'] = utils.prompt_user_password() + + return super(Password, cls).load_from_argparse_arguments(namespace, + **kwargs) diff --git a/keystoneclient/auth/identity/v3/token.py b/keystoneclient/auth/identity/v3/token.py new file mode 100644 index 000000000..396a11a20 --- /dev/null +++ b/keystoneclient/auth/identity/v3/token.py @@ -0,0 +1,65 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystoneclient.auth.identity.v3 import base + + +__all__ = ('TokenMethod', 'Token') + + +class TokenMethod(base.AuthMethod): + """Construct an Auth plugin to fetch a token from a token. + + :param string token: Token for authentication. + """ + + _method_parameters = ['token'] + + def get_auth_data(self, session, auth, headers, **kwargs): + headers['X-Auth-Token'] = self.token + return 'token', {'id': self.token} + + +class Token(base.AuthConstructor): + """A plugin for authenticating with an existing Token. + + :param string auth_url: Identity service endpoint for authentication. + :param string token: Token for authentication. + :param string trust_id: Trust ID for trust scoping. + :param string domain_id: Domain ID for domain scoping. + :param string domain_name: Domain name for domain scoping. + :param string project_id: Project ID for project scoping. + :param string project_name: Project name for project scoping. + :param string project_domain_id: Project's domain ID for project. + :param string project_domain_name: Project's domain name for project. + :param bool reauthenticate: Allow fetching a new token if the current one + is going to expire. (optional) default True + """ + + _auth_method_class = TokenMethod + + def __init__(self, auth_url, token, **kwargs): + super(Token, self).__init__(auth_url, token=token, **kwargs) + + @classmethod + def get_options(cls): + options = super(Token, cls).get_options() + + options.extend([ + cfg.StrOpt('token', + secret=True, + help='Token to authenticate with'), + ]) + + return options diff --git a/keystoneclient/auth/token_endpoint.py b/keystoneclient/auth/token_endpoint.py index 1f031d229..6b60f9cb8 100644 --- a/keystoneclient/auth/token_endpoint.py +++ b/keystoneclient/auth/token_endpoint.py @@ -10,6 +10,9 @@ # License for the specific language governing permissions and limitations # under the License. +import warnings + +from oslo_config import cfg from keystoneclient.auth import base @@ -24,6 +27,12 @@ class Token(base.BaseAuthPlugin): def __init__(self, endpoint, token): # NOTE(jamielennox): endpoint is reserved for when plugins # can be used to provide that information + warnings.warn( + 'TokenEndpoint plugin is deprecated as of the 2.1.0 release in ' + 'favor of keystoneauth1.token_endpoint.Token. It will be removed ' + 'in future releases.', + DeprecationWarning) + self.endpoint = endpoint self.token = token @@ -38,8 +47,9 @@ def get_endpoint(self, session, **kwargs): """ return self.endpoint - def get_options(self): - options = super(Token, self).get_options() + @classmethod + def get_options(cls): + options = super(Token, cls).get_options() options.extend([ cfg.StrOpt('endpoint', diff --git a/keystoneclient/base.py b/keystoneclient/base.py index f94c16b4f..4f3ed227a 100644 --- a/keystoneclient/base.py +++ b/keystoneclient/base.py @@ -15,18 +15,37 @@ # License for the specific language governing permissions and limitations # under the License. -""" -Base utilities to build API operation managers and objects on top of. -""" +"""Base utilities to build API operation managers and objects on top of.""" import abc +import copy import functools +import urllib +import warnings -import six -from six.moves import urllib +from keystoneauth1 import exceptions as ksa_exceptions +from keystoneauth1 import plugin +from oslo_utils import strutils -from keystoneclient import exceptions -from keystoneclient.openstack.common.apiclient import base +from keystoneclient import exceptions as ksc_exceptions +from keystoneclient.i18n import _ + + +class Response(object): + + def __init__(self, http_response, data): + self.request_ids = [] + if isinstance(http_response, list): + # http_response is a list of in case + # of pagination + for resp_obj in http_response: + # Extract 'x-openstack-request-id' from headers + self.request_ids.append(resp_obj.headers.get( + 'x-openstack-request-id')) + else: + self.request_ids.append(http_response.headers.get( + 'x-openstack-request-id')) + self.data = data def getid(obj): @@ -35,27 +54,22 @@ def getid(obj): Abstracts the common pattern of allowing both an object or an object's ID (UUID) as a parameter when dealing with relationships. """ - try: - if obj.uuid: - return obj.uuid - except AttributeError: - pass - try: - return obj.id - except AttributeError: - return obj + if getattr(obj, 'uuid', None): + return obj.uuid + else: + return getattr(obj, 'id', obj) def filter_none(**kwargs): """Remove any entries from a dictionary where the value is None.""" - return dict((k, v) for k, v in six.iteritems(kwargs) if v is not None) + return dict((k, v) for k, v in kwargs.items() if v is not None) def filter_kwargs(f): @functools.wraps(f) def func(*args, **kwargs): new_kwargs = {} - for key, ref in six.iteritems(kwargs): + for key, ref in kwargs.items(): if ref is None: # drop null values continue @@ -77,23 +91,37 @@ class Manager(object): Managers interact with a particular type of API (servers, flavors, images, etc.) and provide CRUD operations for them. + + :param client: instance of BaseClient descendant for HTTP requests + """ + resource_class = None def __init__(self, client): - """Initializes Manager with `client`. - - :param client: instance of BaseClient descendant for HTTP requests - """ super(Manager, self).__init__() self.client = client @property def api(self): - """Deprecated. Use `client` instead. + """The client. + + .. warning:: + + This property is deprecated as of the 1.7.0 release in favor of + :meth:`client` and may be removed in the 2.0.0 release. + """ + warnings.warn( + 'api is deprecated as of the 1.7.0 release in favor of client and ' + 'may be removed in the 2.0.0 release', DeprecationWarning) return self.client + def _prepare_return_value(self, http_response, data): + if self.client.include_metadata: + return Response(http_response, data) + return data + def _list(self, url, response_key, obj_class=None, body=None, **kwargs): """List the collection. @@ -119,10 +147,13 @@ def _list(self, url, response_key, obj_class=None, body=None, **kwargs): # unlike other services which just return the list... try: data = data['values'] - except (KeyError, TypeError): + except (KeyError, TypeError): # nosec(cjschaef): keystone data values + # not as expected (see comment above), assumption is that values + # are already returned in a list (so simply utilize that list) pass - return [obj_class(self, res, loaded=True) for res in data if res] + return self._prepare_return_value( + resp, [obj_class(self, res, loaded=True) for res in data if res]) def _get(self, url, response_key, **kwargs): """Get an object from collection. @@ -133,7 +164,8 @@ def _get(self, url, response_key, **kwargs): :param kwargs: Additional arguments will be passed to the request. """ resp, body = self.client.get(url, **kwargs) - return self.resource_class(self, body[response_key], loaded=True) + return self._prepare_return_value( + resp, self.resource_class(self, body[response_key], loaded=True)) def _head(self, url, **kwargs): """Retrieve request headers for an object. @@ -142,12 +174,7 @@ def _head(self, url, **kwargs): :param kwargs: Additional arguments will be passed to the request. """ resp, body = self.client.head(url, **kwargs) - return resp.status_code == 204 - - def _create(self, url, body, response_key, return_raw=False, **kwargs): - """Deprecated. Use `_post` instead. - """ - return self._post(url, body, response_key, return_raw, **kwargs) + return self._prepare_return_value(resp, resp.status_code == 204) def _post(self, url, body, response_key, return_raw=False, **kwargs): """Create an object. @@ -164,7 +191,8 @@ def _post(self, url, body, response_key, return_raw=False, **kwargs): resp, body = self.client.post(url, body=body, **kwargs) if return_raw: return body[response_key] - return self.resource_class(self, body[response_key]) + return self._prepare_return_value( + resp, self.resource_class(self, body[response_key])) def _put(self, url, body=None, response_key=None, **kwargs): """Update an object with PUT method. @@ -180,9 +208,15 @@ def _put(self, url, body=None, response_key=None, **kwargs): # PUT requests may not return a body if body is not None: if response_key is not None: - return self.resource_class(self, body[response_key]) + return self._prepare_return_value( + resp, self.resource_class(self, body[response_key])) else: - return self.resource_class(self, body) + return self._prepare_return_value( + resp, self.resource_class(self, body)) + # In some cases (e.g. 'add_endpoint_to_project' from endpoint_filters + # resource), PUT request may not return a body so return None as + # response along with request_id if include_metadata is True. + return self._prepare_return_value(resp, body) def _patch(self, url, body=None, response_key=None, **kwargs): """Update an object with PATCH method. @@ -196,9 +230,11 @@ def _patch(self, url, body=None, response_key=None, **kwargs): """ resp, body = self.client.patch(url, body=body, **kwargs) if response_key is not None: - return self.resource_class(self, body[response_key]) + return self._prepare_return_value( + resp, self.resource_class(self, body[response_key])) else: - return self.resource_class(self, body) + return self._prepare_return_value( + resp, self.resource_class(self, body)) def _delete(self, url, **kwargs): """Delete an object. @@ -206,32 +242,34 @@ def _delete(self, url, **kwargs): :param url: a partial URL, e.g., '/servers/my-server' :param kwargs: Additional arguments will be passed to the request. """ - return self.client.delete(url, **kwargs) + resp, body = self.client.delete(url, **kwargs) + return resp, self._prepare_return_value(resp, body) def _update(self, url, body=None, response_key=None, method="PUT", - management=True, **kwargs): + **kwargs): methods = {"PUT": self.client.put, "POST": self.client.post, "PATCH": self.client.patch} try: resp, body = methods[method](url, body=body, - management=management, **kwargs) except KeyError: - raise exceptions.ClientException("Invalid update method: %s" - % method) + raise ksc_exceptions.ClientException(_("Invalid update method: %s") + % method) # PUT requests may not return a body if body: - return self.resource_class(self, body[response_key]) + return self._prepare_return_value( + resp, self.resource_class(self, body[response_key])) + else: + return self._prepare_return_value(resp, body) -@six.add_metaclass(abc.ABCMeta) -class ManagerWithFind(Manager): +class ManagerWithFind(Manager, metaclass=abc.ABCMeta): """Manager with additional `find()`/`findall()` methods.""" @abc.abstractmethod def list(self): - pass + pass # pragma: no cover def find(self, **kwargs): """Find a single item with attributes matching ``**kwargs``. @@ -240,15 +278,20 @@ def find(self, **kwargs): the Python side. """ rl = self.findall(**kwargs) - num = len(rl) - if num == 0: - msg = "No %s matching %s." % (self.resource_class.__name__, kwargs) - raise exceptions.NotFound(404, msg) - elif num > 1: - raise exceptions.NoUniqueMatch + if self.client.include_metadata: + base_response = rl + rl = rl.data + base_response.data = rl[0] + + if len(rl) == 0: + msg = _("No %(name)s matching %(kwargs)s.") % { + 'name': self.resource_class.__name__, 'kwargs': kwargs} + raise ksa_exceptions.NotFound(404, msg) + elif len(rl) > 1: + raise ksc_exceptions.NoUniqueMatch else: - return rl[0] + return base_response if self.client.include_metadata else rl[0] def findall(self, **kwargs): """Find all items with attributes matching ``**kwargs``. @@ -259,15 +302,23 @@ def findall(self, **kwargs): found = [] searches = kwargs.items() - for obj in self.list(): - try: - if all(getattr(obj, attr) == value - for (attr, value) in searches): - found.append(obj) - except AttributeError: - continue + def _extract_data(objs, response_data): + for obj in objs: + try: + if all(getattr(obj, attr) == value + for (attr, value) in searches): + response_data.append(obj) + except AttributeError: + continue + return response_data + + objs = self.list() + if self.client.include_metadata: + # 'objs' is the object of 'Response' class. + objs.data = _extract_data(objs.data, found) + return objs - return found + return _extract_data(objs, found) class CrudManager(Manager): @@ -283,12 +334,13 @@ class CrudManager(Manager): refer to an individual member of the collection. """ + collection_key = None key = None base_url = None def build_url(self, dict_args_in_out=None): - """Builds a resource URL for the given kwargs. + """Build a resource URL for the given kwargs. Given an example collection where `collection_key = 'entities'` and `key = 'entity'`, the following URL's could be generated. @@ -304,6 +356,8 @@ def build_url(self, dict_args_in_out=None): If a `base_url` is provided, the generated URL will be appended to it. + If a 'tail' is provided, it will be appended to the end of the URL. + """ if dict_args_in_out is None: dict_args_in_out = {} @@ -316,12 +370,15 @@ def build_url(self, dict_args_in_out=None): if entity_id is not None: url += '/%s' % entity_id + if dict_args_in_out.get('tail'): + url += dict_args_in_out['tail'] + return url @filter_kwargs def create(self, **kwargs): url = self.build_url(dict_args_in_out=kwargs) - return self._create( + return self._post( url, {self.key: kwargs}, self.key) @@ -336,20 +393,68 @@ def get(self, **kwargs): def head(self, **kwargs): return self._head(self.build_url(dict_args_in_out=kwargs)) + def _build_query(self, params): + if params is None: + return '' + else: + # NOTE(spilla) Since the manager cannot take in a hyphen as a + # key in the kwarg, it is passed in with a _. This needs to be + # replaced with a proper hyphen for the URL to work properly. + tags_params = ('tags_any', 'not_tags', 'not_tags_any') + for tag_param in tags_params: + if tag_param in params: + params[tag_param.replace('_', '-')] = params.pop(tag_param) + return '?%s' % urllib.parse.urlencode(params, doseq=True) + + def build_key_only_query(self, params_list): + """Build a query that does not include values, just keys. + + The Identity API has some calls that define queries without values, + this can not be accomplished by using urllib.parse.urlencode(). This + method builds a query using only the keys. + """ + return '?%s' % '&'.join(params_list) if params_list else '' + @filter_kwargs - def list(self, **kwargs): + def list(self, fallback_to_auth=False, **kwargs): + + def return_resp(resp, include_metadata=False): + base_response = None + list_data = resp + if include_metadata: + base_response = resp + list_data = resp.data + base_response.data = list_data + return base_response if include_metadata else list_data + + if 'id' in kwargs.keys(): + # Ensure that users are not trying to call things like + # ``domains.list(id='default')`` when they should have used + # ``[domains.get(domain_id='default')]`` instead. Keystone supports + # ``GET /v3/domains/{domain_id}``, not ``GET + # /v3/domains?id={domain_id}``. + raise TypeError( + _("list() got an unexpected keyword argument 'id'. To " + "retrieve a single object using a globally unique " + "identifier, try using get() instead.")) + url = self.build_url(dict_args_in_out=kwargs) - if kwargs: - query = '?%s' % urllib.parse.urlencode(kwargs) - else: - query = '' - return self._list( - '%(url)s%(query)s' % { - 'url': url, - 'query': query, - }, - self.collection_key) + try: + query = self._build_query(kwargs) + url_query = '%(url)s%(query)s' % {'url': url, 'query': query} + list_resp = self._list(url_query, self.collection_key) + return return_resp(list_resp, + include_metadata=self.client.include_metadata) + except ksa_exceptions.EmptyCatalog: + if fallback_to_auth: + list_resp = self._list(url_query, self.collection_key, + endpoint_filter={ + 'interface': plugin.AUTH_INTERFACE}) + return return_resp( + list_resp, include_metadata=self.client.include_metadata) + else: + raise @filter_kwargs def put(self, **kwargs): @@ -377,32 +482,133 @@ def find(self, **kwargs): """Find a single item with attributes matching ``**kwargs``.""" url = self.build_url(dict_args_in_out=kwargs) - if kwargs: - query = '?%s' % urllib.parse.urlencode(kwargs) - else: - query = '' - rl = self._list( - '%(url)s%(query)s' % { - 'url': url, - 'query': query, - }, + query = self._build_query(kwargs) + url_query = '%(url)s%(query)s' % { + 'url': url, + 'query': query + } + elements = self._list( + url_query, self.collection_key) - num = len(rl) - if num == 0: - msg = "No %s matching %s." % (self.resource_class.__name__, kwargs) - raise exceptions.NotFound(404, msg) - elif num > 1: - raise exceptions.NoUniqueMatch + if self.client.include_metadata: + base_response = elements + elements = elements.data + base_response.data = elements[0] + + if not elements: + msg = _("No %(name)s matching %(kwargs)s.") % { + 'name': self.resource_class.__name__, 'kwargs': kwargs} + raise ksa_exceptions.NotFound(404, msg) + elif len(elements) > 1: + raise ksc_exceptions.NoUniqueMatch else: - return rl[0] + return (base_response if self.client.include_metadata + else elements[0]) -class Resource(base.Resource): +class Resource(object): """Base class for OpenStack resources (tenant, user, etc.). This is pretty much just a bag for attributes. """ + HUMAN_ID = False + NAME_ATTR = 'name' + + def __init__(self, manager, info, loaded=False): + """Populate and bind to a manager. + + :param manager: BaseManager object + :param info: dictionary representing resource attributes + :param loaded: prevent lazy-loading if set to True + """ + self.manager = manager + self._info = info + self._add_details(info) + self._loaded = loaded + + def __repr__(self): + """Return string representation of resource attributes.""" + reprkeys = sorted(k + for k in self.__dict__.keys() + if k[0] != '_' and k != 'manager') + info = ", ".join("%s=%s" % (k, getattr(self, k)) for k in reprkeys) + return "<%s %s>" % (self.__class__.__name__, info) + + @property + def human_id(self): + """Human-readable ID which can be used for bash completion.""" + if self.HUMAN_ID: + name = getattr(self, self.NAME_ATTR, None) + if name is not None: + return strutils.to_slug(name) + return None + + def _add_details(self, info): + for (k, v) in info.items(): + try: + try: + setattr(self, k, v) + except UnicodeEncodeError: + # This happens when we're running with Python version that + # does not support Unicode identifiers (e.g. Python 2.7). + # In that case we can't help but not set this attribute; + # it'll be available in a dict representation though + pass + self._info[k] = v + except AttributeError: # nosec(cjschaef): we already defined the + # attribute on the class + pass + + def __getattr__(self, k): + """Checking attribute existence.""" + if k not in self.__dict__: + # NOTE(bcwaldon): disallow lazy-loading if already loaded once + if not self.is_loaded(): + self.get() + return self.__getattr__(k) + + raise AttributeError(k) + else: + return self.__dict__[k] + + def get(self): + """Support for lazy loading details. + + Some clients, such as novaclient have the option to lazy load the + details, details which can be loaded with this function. + """ + # set_loaded() first ... so if we have to bail, we know we tried. + self.set_loaded(True) + if not hasattr(self.manager, 'get'): + return + + new = self.manager.get(self.id) + if new: + self._add_details(new._info) + + def __eq__(self, other): + """Define equality for resources.""" + if not isinstance(other, Resource): + return NotImplemented + # two resources of different types are not equal + if not isinstance(other, self.__class__): + return False + return self._info == other._info + + def __ne__(self, other): + """Define inequality for resources.""" + return not self == other + + def is_loaded(self): + return self._loaded + + def set_loaded(self, val): + self._loaded = val + + def to_dict(self): + return copy.deepcopy(self._info) + def delete(self): return self.manager.delete(self) diff --git a/keystoneclient/baseclient.py b/keystoneclient/baseclient.py index 97943684d..ca39f6d14 100644 --- a/keystoneclient/baseclient.py +++ b/keystoneclient/baseclient.py @@ -10,10 +10,17 @@ # License for the specific language governing permissions and limitations # under the License. +import warnings + class Client(object): def __init__(self, session): + warnings.warn( + 'keystoneclient.baseclient.Client is deprecated as of the 2.1.0 ' + 'release. It will be removed in future releases.', + DeprecationWarning) + self.session = session def request(self, url, method, **kwargs): diff --git a/keystoneclient/client.py b/keystoneclient/client.py index c58009bba..5da9794dc 100644 --- a/keystoneclient/client.py +++ b/keystoneclient/client.py @@ -10,37 +10,54 @@ # License for the specific language governing permissions and limitations # under the License. +from debtcollector import removals + from keystoneclient import discover from keystoneclient import httpclient from keystoneclient import session as client_session -# Using client.HTTPClient is deprecated. Use httpclient.HTTPClient instead. -HTTPClient = httpclient.HTTPClient +@removals.remove(message='Use keystoneclient.httpclient.HTTPClient instead', + version='1.7.0', removal_version='2.0.0') +class HTTPClient(httpclient.HTTPClient): + """Deprecated alias for httpclient.HTTPClient. + + This class is deprecated as of the 1.7.0 release in favor of + :class:`keystoneclient.httpclient.HTTPClient` and may be removed in the + 2.0.0 release. + + """ def Client(version=None, unstable=False, session=None, **kwargs): """Factory function to create a new identity service client. + The returned client will be either a V3 or V2 client. Check the version + using the :py:attr:`~keystoneclient.v3.client.Client.version` property or + the instance's class (with instanceof). + :param tuple version: The required version of the identity API. If specified the client will be selected such that the major version is equivalent and an endpoint provides at least the specified minor version. For example to - specify the 3.1 API use (3, 1). + specify the 3.1 API use ``(3, 1)``. (optional) :param bool unstable: Accept endpoints not marked as 'stable'. (optional) - :param Session session: A session object to be used for communication. If - one is not provided it will be constructed from the - provided kwargs. (optional) + :param session: A session object to be used for communication. If one is + not provided it will be constructed from the provided + kwargs. (optional) + :type session: keystoneclient.session.Session :param kwargs: Additional arguments are passed through to the client that is being created. - :returns: New keystone client object - (keystoneclient.v2_0.Client or keystoneclient.v3.Client). - - :raises: DiscoveryFailure if the server's response is invalid - :raises: VersionNotAvailable if a suitable client cannot be found. + :returns: New keystone client object. + :rtype: :py:class:`keystoneclient.v3.client.Client` or + :py:class:`keystoneclient.v2_0.client.Client` + :raises keystoneclient.exceptions.DiscoveryFailure: if the server's + response is invalid. + :raises keystoneclient.exceptions.VersionNotAvailable: if a suitable client + cannot be found. """ if not session: - session = client_session.Session.construct(kwargs) + session = client_session.Session._construct(kwargs) d = discover.Discover(session=session, **kwargs) return d.create_client(version=version, unstable=unstable) diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py index 85fa30715..2ee8b52ae 100644 --- a/keystoneclient/common/cms.py +++ b/keystoneclient/common/cms.py @@ -25,9 +25,10 @@ import logging import zlib -import six +from debtcollector import removals from keystoneclient import exceptions +from keystoneclient.i18n import _ subprocess = None @@ -36,6 +37,17 @@ PKIZ_PREFIX = 'PKIZ_' PKIZ_CMS_FORM = 'DER' PKI_ASN1_FORM = 'PEM' +# Adding nosec since this fails bandit B105, 'Possible hardcoded password'. +DEFAULT_TOKEN_DIGEST_ALGORITHM = 'sha256' # nosec + + +# The openssl cms command exits with these status codes. +# See https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES +class OpensslCmsExitStatus(object): + SUCCESS = 0 + COMMAND_OPTIONS_PARSING_ERROR = 1 + INPUT_FILE_READ_ERROR = 2 + CREATE_CMS_READ_MIME_ERROR = 3 def _ensure_subprocess(): @@ -49,13 +61,20 @@ def _ensure_subprocess(): if patcher.already_patched: from eventlet.green import subprocess else: - import subprocess + import subprocess # nosec(cjschaef): we must be careful when + # using subprocess.Popen with possibly untrusted data, + # assumption is that the certificate/key files provided are + # trustworthy except ImportError: - import subprocess # noqa + import subprocess # noqa # nosec(cjschaef): we must be careful + # when using subprocess.Popen with possibly untrusted data, + # assumption is that the certificate/key files provided are + # trustworthy def set_subprocess(_subprocess=None): """Set subprocess module to use. + The subprocess could be eventlet.green.subprocess if using eventlet, or Python's subprocess otherwise. """ @@ -73,32 +92,22 @@ def _check_files_accessible(files): except IOError as e: # Catching IOError means there is an issue with # the given file. - err = ('Hit OSError in _process_communicate_handle_oserror()\n' - 'Likely due to %s: %s') % (try_file, e.strerror) + err = try_file, e.strerror # Emulate openssl behavior, which returns with code 2 when - # access to a file failed: - - # You can get more from - # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES - # - # $ openssl cms -verify -certfile not_exist_file -CAfile \ - # not_exist_file -inform PEM -nosmimecap -nodetach \ - # -nocerts -noattr - # Error opening certificate file not_exist_file - retcode = 2 + # access to a file failed. + retcode = OpensslCmsExitStatus.INPUT_FILE_READ_ERROR return retcode, err def _process_communicate_handle_oserror(process, data, files): """Wrapper around process.communicate that checks for OSError.""" - try: output, err = process.communicate(data) except OSError as e: if e.errno != errno.EPIPE: raise - # OSError with EPIPE only occurs with Python 2.6.x/old 2.7.x + # OSError with EPIPE only occurs with old Python 2.7.x versions # http://bugs.python.org/issue10963 # The quick exit is typically caused by the openssl command not being @@ -106,12 +115,25 @@ def _process_communicate_handle_oserror(process, data, files): retcode, err = _check_files_accessible(files) if process.stderr: msg = process.stderr.read() - err = err + msg.decode('utf-8') + if isinstance(msg, bytes): + msg = msg.decode('utf-8') + if err: + err = (_('Hit OSError in ' + '_process_communicate_handle_oserror(): ' + '%(stderr)s\nLikely due to %(file)s: %(error)s') % + {'stderr': msg, + 'file': err[0], + 'error': err[1]}) + else: + err = (_('Hit OSError in ' + '_process_communicate_handle_oserror(): %s') % msg) + output = '' else: retcode = process.poll() if err is not None: - err = err.decode('utf-8') + if isinstance(err, bytes): + err = err.decode('utf-8') return output, err, retcode @@ -122,22 +144,25 @@ def _encoding_for_form(inform): elif inform == PKIZ_CMS_FORM: encoding = 'hex' else: - raise ValueError('"inform" must be either %s or %s' % - (PKI_ASN1_FORM, PKIZ_CMS_FORM)) + raise ValueError( + _('"inform" must be one of: %s') % ','.join((PKI_ASN1_FORM, + PKIZ_CMS_FORM))) return encoding def cms_verify(formatted, signing_cert_file_name, ca_file_name, inform=PKI_ASN1_FORM): - """Verifies the signature of the contents IAW CMS syntax. + """Verify the signature of the contents IAW CMS syntax. - :raises: subprocess.CalledProcessError - :raises: CertificateConfigError if certificate is not configured properly. + :raises subprocess.CalledProcessError: + :raises keystoneclient.exceptions.CertificateConfigError: if certificate + is not configured + properly. """ _ensure_subprocess() - if isinstance(formatted, six.string_types): - data = bytearray(formatted, _encoding_for_form(inform)) + if isinstance(formatted, str): + data = bytes(formatted, _encoding_for_form(inform)) else: data = formatted process = subprocess.Popen(['openssl', 'cms', '-verify', @@ -148,39 +173,46 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name, '-nocerts', '-noattr'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, - stderr=subprocess.PIPE) + stderr=subprocess.PIPE, + close_fds=True) output, err, retcode = _process_communicate_handle_oserror( process, data, (signing_cert_file_name, ca_file_name)) # Do not log errors, as some happen in the positive thread # instead, catch them in the calling code and log them there. - # When invoke the openssl with not exist file, return code 2 - # and error msg will be returned. + # When invoke the openssl >= 1.1.0 with not exist file, return code should + # be 2 instead of 1 and error msg will be returned. # You can get more from - # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES + # https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES # - # $ openssl cms -verify -certfile not_exist_file -CAfile \ - # not_exist_file -inform PEM -nosmimecap -nodetach \ + # $ openssl cms -verify -certfile not_exist_file -CAfile + # not_exist_file -inform PEM -nosmimecap -nodetach # -nocerts -noattr + # openssl < 1.1.0 returns # Error opening certificate file not_exist_file + # openssl >= 1.1.0 returns + # cms: Cannot open input file not_exist_file, No such file or directory # - if retcode == 2: + if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR: if err.startswith('Error reading S/MIME message'): raise exceptions.CMSError(err) else: raise exceptions.CertificateConfigError(err) - elif retcode: - # NOTE(dmllr): Python 2.6 compatibility: - # CalledProcessError did not have output keyword argument - e = subprocess.CalledProcessError(retcode, 'openssl') - e.output = err - raise e + # workaround for OpenSSL >= 1.1.0, + # should return OpensslCmsExitStatus.INPUT_FILE_READ_ERROR + elif retcode == OpensslCmsExitStatus.COMMAND_OPTIONS_PARSING_ERROR: + if err.startswith('cms: Cannot open input file'): + raise exceptions.CertificateConfigError(err) + else: + raise subprocess.CalledProcessError(retcode, 'openssl', output=err) + elif retcode != OpensslCmsExitStatus.SUCCESS: + raise subprocess.CalledProcessError(retcode, 'openssl', output=err) return output def is_pkiz(token_text): - """Determine if a token a cmsz token + """Determine if a token is PKIZ. Checks if the string has the prefix that indicates it is a Crypto Message Syntax, Z compressed token. @@ -191,11 +223,13 @@ def is_pkiz(token_text): def pkiz_sign(text, signing_cert_file_name, signing_key_file_name, - compression_level=6): + compression_level=6, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): signed = cms_sign_data(text, signing_cert_file_name, signing_key_file_name, - PKIZ_CMS_FORM) + PKIZ_CMS_FORM, + message_digest=message_digest) compressed = zlib.compress(signed, compression_level) encoded = PKIZ_PREFIX + base64.urlsafe_b64encode( @@ -216,25 +250,17 @@ def pkiz_verify(signed_text, signing_cert_file_name, ca_file_name): inform=PKIZ_CMS_FORM) -# This function is deprecated and will be removed once the ASN1 token format -# is no longer required. It is only here to be used for testing. def token_to_cms(signed_text): - copy_of_text = signed_text.replace('-', '/') + """Convert a custom formatted token to a PEM-formatted token. - formatted = '-----BEGIN CMS-----\n' - line_length = 64 - while len(copy_of_text) > 0: - if (len(copy_of_text) > line_length): - formatted += copy_of_text[:line_length] - copy_of_text = copy_of_text[line_length:] - else: - formatted += copy_of_text - copy_of_text = '' - formatted += '\n' - - formatted += '-----END CMS-----\n' + See documentation for cms_to_token() for details on the custom formatting. + """ + copy_of_text = signed_text.replace('-', '/') - return formatted + lines = ['-----BEGIN CMS-----'] + lines += [copy_of_text[n:n + 64] for n in range(0, len(copy_of_text), 64)] + lines.append('-----END CMS-----\n') + return '\n'.join(lines) def verify_token(token, signing_cert_file_name, ca_file_name): @@ -285,7 +311,7 @@ def is_asn1_token(token): Checking for just M is insufficient But we will only check for MII: - Max length of the content using 2 octets is 7FFF or 32767. + Max length of the content using 2 octets is 3FFF or 16383. It's not practical to support a token of this length or greater in http therefore, we will check for MII only and ignore the case of larger tokens @@ -293,21 +319,27 @@ def is_asn1_token(token): return token[:3] == PKI_ASN1_PREFIX +@removals.remove(message='Use is_asn1_token() instead.', version='1.7.0', + removal_version='2.0.0') def is_ans1_token(token): - """Deprecated. Use is_asn1_token() instead.""" - LOG.warning('The function is_ans1_token() is deprecated, ' - 'use is_asn1_token() instead.') + """Deprecated. + + This function is deprecated as of the 1.7.0 release in favor of + :func:`is_asn1_token` and may be removed in the 2.0.0 release. + """ return is_asn1_token(token) -def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name): +def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): return cms_sign_data(data_to_sign, signing_cert_file_name, - signing_key_file_name) + signing_key_file_name, message_digest=message_digest) def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, - outform=PKI_ASN1_FORM): - """Uses OpenSSL to sign a document. + outform=PKI_ASN1_FORM, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): + """Use OpenSSL to sign a document. Produces a Base64 encoding of a DER formatted CMS Document http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax @@ -319,12 +351,12 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, the data :param outform: Format for the signed document PKIZ_CMS_FORM or PKI_ASN1_FORM - + :param message_digest: Digest algorithm to use when signing or resigning """ _ensure_subprocess() - if isinstance(data_to_sign, six.string_types): - data = bytearray(data_to_sign, encoding='utf-8') + if isinstance(data_to_sign, str): + data = bytes(data_to_sign, encoding='utf-8') else: data = data_to_sign process = subprocess.Popen(['openssl', 'cms', '-sign', @@ -332,17 +364,18 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, '-inkey', signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach', - '-nocerts', '-noattr'], + '-nocerts', '-noattr', + '-md', message_digest, ], stdin=subprocess.PIPE, stdout=subprocess.PIPE, - stderr=subprocess.PIPE) + stderr=subprocess.PIPE, + close_fds=True) output, err, retcode = _process_communicate_handle_oserror( process, data, (signing_cert_file_name, signing_key_file_name)) - if retcode or ('Error' in err): - LOG.error('Signing error: %s', err) - if retcode == 3: + if retcode != OpensslCmsExitStatus.SUCCESS or ('Error' in err): + if retcode == OpensslCmsExitStatus.CREATE_CMS_READ_MIME_ERROR: LOG.error('Signing error: Unable to load certificate - ' 'ensure you have configured PKI with ' '"keystone-manage pki_setup"') @@ -355,13 +388,33 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, return output -def cms_sign_token(text, signing_cert_file_name, signing_key_file_name): - output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name) +def cms_sign_token(text, signing_cert_file_name, signing_key_file_name, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): + output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name, + message_digest=message_digest) return cms_to_token(output) def cms_to_token(cms_text): - + """Convert a CMS-signed token in PEM format to a custom URL-safe format. + + The conversion consists of replacing '/' char in the PEM-formatted token + with the '-' char and doing other such textual replacements to make the + result marshallable via HTTP. The return value can thus be used as the + value of a HTTP header such as "X-Auth-Token". + + This ad-hoc conversion is an unfortunate oversight since the returned + value now does not conform to any of the standard variants of base64 + encoding. It would have been better to use base64url encoding (either on + the PEM formatted text or, perhaps even better, on the inner CMS-signed + binary value without any PEM formatting). In any case, the same conversion + is done in reverse in the other direction (for token verification), so + there are no correctness issues here. Note that the non-standard encoding + of the token will be preserved so as to not break backward compatibility. + + The conversion issue is detailed by the code author in a blog post at + http://adam.younglogic.com/2014/02/compressed-tokens/. + """ start_delim = '-----BEGIN CMS-----' end_delim = '-----END CMS-----' signed_text = cms_text @@ -383,7 +436,7 @@ def cms_hash_token(token_id, mode='md5'): return None if is_asn1_token(token_id) or is_pkiz(token_id): hasher = hashlib.new(mode) - if isinstance(token_id, six.text_type): + if isinstance(token_id, str): token_id = token_id.encode('utf-8') hasher.update(token_id) return hasher.hexdigest() diff --git a/keystoneclient/contrib/auth/v3/oidc.py b/keystoneclient/contrib/auth/v3/oidc.py new file mode 100644 index 000000000..3884293cc --- /dev/null +++ b/keystoneclient/contrib/auth/v3/oidc.py @@ -0,0 +1,209 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg + +from keystoneclient import access +from keystoneclient.auth.identity.v3 import federated + + +class OidcPassword(federated.FederatedBaseAuth): + """Implement authentication plugin for OpenID Connect protocol. + + OIDC or OpenID Connect is a protocol for federated authentication. + + The OpenID Connect specification can be found at:: + ``http://openid.net/specs/openid-connect-core-1_0.html`` + """ + + @classmethod + def get_options(cls): + options = super(OidcPassword, cls).get_options() + options.extend([ + cfg.StrOpt('username', help='Username'), + cfg.StrOpt('password', secret=True, help='Password'), + cfg.StrOpt('client-id', help='OAuth 2.0 Client ID'), + cfg.StrOpt('client-secret', secret=True, + help='OAuth 2.0 Client Secret'), + cfg.StrOpt('access-token-endpoint', + help='OpenID Connect Provider Token Endpoint'), + cfg.StrOpt('scope', default="profile", + help='OpenID Connect scope that is requested from OP') + ]) + return options + + def __init__(self, auth_url, identity_provider, protocol, + username, password, client_id, client_secret, + access_token_endpoint, scope='profile', + grant_type='password'): + """The OpenID Connect plugin. + + It expects the following: + + :param auth_url: URL of the Identity Service + :type auth_url: string + + :param identity_provider: Name of the Identity Provider the client + will authenticate against + :type identity_provider: string + + :param protocol: Protocol name as configured in keystone + :type protocol: string + + :param username: Username used to authenticate + :type username: string + + :param password: Password used to authenticate + :type password: string + + :param client_id: OAuth 2.0 Client ID + :type client_id: string + + :param client_secret: OAuth 2.0 Client Secret + :type client_secret: string + + :param access_token_endpoint: OpenID Connect Provider Token Endpoint, + for example: + https://localhost:8020/oidc/OP/token + :type access_token_endpoint: string + + :param scope: OpenID Connect scope that is requested from OP, + defaults to "profile", for example: "profile email" + :type scope: string + + :param grant_type: OpenID Connect grant type, it represents the flow + that is used to talk to the OP. Valid values are: + "authorization_code", "refresh_token", or + "password". + :type grant_type: string + """ + super(OidcPassword, self).__init__(auth_url, identity_provider, + protocol) + self._username = username + self._password = password + self.client_id = client_id + self.client_secret = client_secret + self.access_token_endpoint = access_token_endpoint + self.scope = scope + self.grant_type = grant_type + + @property + def username(self): + # Override to remove deprecation. + return self._username + + @username.setter + def username(self, value): + # Override to remove deprecation. + self._username = value + + @property + def password(self): + # Override to remove deprecation. + return self._password + + @password.setter + def password(self, value): + # Override to remove deprecation. + self._password = value + + def get_unscoped_auth_ref(self, session): + """Authenticate with OpenID Connect and get back claims. + + This is a multi-step process. First an access token must be retrieved, + to do this, the username and password, the OpenID Connect client ID + and secret, and the access token endpoint must be known. + + Secondly, we then exchange the access token upon accessing the + protected Keystone endpoint (federated auth URL). This will trigger + the OpenID Connect Provider to perform a user introspection and + retrieve information (specified in the scope) about the user in + the form of an OpenID Connect Claim. These claims will be sent + to Keystone in the form of environment variables. + + :param session: a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :returns: a token data representation + :rtype: :py:class:`keystoneclient.access.AccessInfo` + """ + # get an access token + client_auth = (self.client_id, self.client_secret) + payload = {'grant_type': self.grant_type, 'username': self.username, + 'password': self.password, 'scope': self.scope} + response = self._get_access_token(session, client_auth, payload, + self.access_token_endpoint) + access_token = response.json()['access_token'] + + # use access token against protected URL + headers = {'Authorization': 'Bearer ' + access_token} + response = self._get_keystone_token(session, headers, + self.federated_token_url) + + # grab the unscoped token + token = response.headers['X-Subject-Token'] + token_json = response.json()['token'] + return access.AccessInfoV3(token, **token_json) + + def _get_access_token(self, session, client_auth, payload, + access_token_endpoint): + """Exchange a variety of user supplied values for an access token. + + :param session: a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :param client_auth: a tuple representing client id and secret + :type client_auth: tuple + + :param payload: a dict containing various OpenID Connect values, for + example:: + {'grant_type': 'password', 'username': self.username, + 'password': self.password, 'scope': self.scope} + :type payload: dict + + :param access_token_endpoint: URL to use to get an access token, for + example: https://localhost/oidc/token + :type access_token_endpoint: string + """ + op_response = session.post(self.access_token_endpoint, + requests_auth=client_auth, + data=payload, + authenticated=False) + return op_response + + def _get_keystone_token(self, session, headers, federated_token_url): + r"""Exchange an acess token for a keystone token. + + By Sending the access token in an `Authorization: Bearer` header, to + an OpenID Connect protected endpoint (Federated Token URL). The + OpenID Connect server will use the access token to look up information + about the authenticated user (this technique is called instrospection). + The output of the instrospection will be an OpenID Connect Claim, that + will be used against the mapping engine. Should the mapping engine + succeed, a Keystone token will be presented to the user. + + :param session: a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :param headers: an Authorization header containing the access token. + :type headers_: dict + + :param federated_auth_url: Protected URL for federated authentication, + for example: https://localhost:5000/v3/\ + OS-FEDERATION/identity_providers/bluepages/\ + protocols/oidc/auth + :type federated_auth_url: string + """ + auth_response = session.post(self.federated_token_url, + headers=headers, + authenticated=False) + return auth_response diff --git a/keystoneclient/contrib/auth/v3/saml2.py b/keystoneclient/contrib/auth/v3/saml2.py index f2b458e76..acf3f0513 100644 --- a/keystoneclient/contrib/auth/v3/saml2.py +++ b/keystoneclient/contrib/auth/v3/saml2.py @@ -10,48 +10,125 @@ # License for the specific language governing permissions and limitations # under the License. -from lxml import etree -from oslo.config import cfg +import datetime +import urllib.parse +import uuid + +from lxml import etree # nosec(cjschaef): used to create xml, not parse it +from oslo_config import cfg from keystoneclient import access from keystoneclient.auth.identity import v3 from keystoneclient import exceptions +from keystoneclient.i18n import _ + + +class _BaseSAMLPlugin(v3.AuthConstructor): + + HTTP_MOVED_TEMPORARILY = 302 + HTTP_SEE_OTHER = 303 + + PROTOCOL = 'saml2' + + @staticmethod + def _first(_list): + if len(_list) != 1: + raise IndexError(_("Only single element list is acceptable")) + return _list[0] + + @staticmethod + def str_to_xml(content, msg=None, include_exc=True): + try: + return etree.XML(content) + except etree.XMLSyntaxError as e: + if not msg: + msg = str(e) + else: + msg = msg % e if include_exc else msg + raise exceptions.AuthorizationFailure(msg) + + @staticmethod + def xml_to_str(content, **kwargs): + return etree.tostring(content, **kwargs) + + @property + def token_url(self): + """Return full URL where authorization data is sent.""" + values = { + 'host': self.auth_url.rstrip('/'), + 'identity_provider': self.identity_provider, + 'protocol': self.PROTOCOL + } + url = ("%(host)s/OS-FEDERATION/identity_providers/" + "%(identity_provider)s/protocols/%(protocol)s/auth") + url = url % values + + return url + + @classmethod + def get_options(cls): + options = super(_BaseSAMLPlugin, cls).get_options() + options.extend([ + cfg.StrOpt('identity-provider', help="Identity Provider's name"), + cfg.StrOpt('identity-provider-url', + help="Identity Provider's URL"), + cfg.StrOpt('username', dest='username', help='Username', + deprecated_name='user-name'), + cfg.StrOpt('password', secret=True, help='Password') + ]) + return options class Saml2UnscopedTokenAuthMethod(v3.AuthMethod): _method_parameters = [] def get_auth_data(self, session, auth, headers, **kwargs): - raise exceptions.MethodNotImplemented(('This method should never ' - 'be called')) + raise exceptions.MethodNotImplemented(_('This method should never ' + 'be called')) -class Saml2UnscopedToken(v3.AuthConstructor): - """Implement authentication plugin for SAML2 protocol. +class Saml2UnscopedToken(_BaseSAMLPlugin): + r"""Implement authentication plugin for SAML2 protocol. - ECP stands for ``Enhanced Client or Proxy`` and is a SAML2 extension + ECP stands for `Enhanced Client or Proxy` and is a SAML2 extension for federated authentication where a transportation layer consists of HTTP protocol and XML SOAP messages. - Read for more information:: - ``https://wiki.shibboleth.net/confluence/display/SHIB2/ECP`` + `Read for more information + `_ on ECP. - The SAML2 ECP specification can be found at:: - ``https://www.oasis-open.org/committees/download.php/ - 49979/saml-ecp-v2.0-wd09.pdf`` + Reference the `SAML2 ECP specification `_. Currently only HTTPBasicAuth mechanism is available for the IdP authenication. + :param auth_url: URL of the Identity Service + :type auth_url: string + + :param identity_provider: name of the Identity Provider the client will + authenticate against. This parameter will be used + to build a dynamic URL used to obtain unscoped + OpenStack token. + :type identity_provider: string + + :param identity_provider_url: An Identity Provider URL, where the SAML2 + authn request will be sent. + :type identity_provider_url: string + + :param username: User's login + :type username: string + + :param password: User's password + :type password: string + """ _auth_method_class = Saml2UnscopedTokenAuthMethod - PROTOCOL = 'saml2' - HTTP_MOVED_TEMPORARILY = 302 SAML2_HEADER_INDEX = 0 ECP_SP_EMPTY_REQUEST_HEADERS = { - 'Accept': 'text/html; application/vnd.paos+xml', + 'Accept': 'text/html, application/vnd.paos+xml', 'PAOS': ('ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:' 'SAML:2.0:profiles:SSO:ecp"') } @@ -92,59 +169,40 @@ def __init__(self, auth_url, identity_provider_url, username, password, **kwargs): - """Class constructor accepting following parameters: - :param auth_url: URL of the Identity Service - :type auth_url: string - - :param identity_provider: name of the Identity Provider the client - will authenticate against. This parameter - will be used to build a dynamic URL used to - obtain unscoped OpenStack token. - :type identity_provider: string - - :param identity_provider_url: An Identity Provider URL, where the SAML2 - authn request will be sent. - :type identity_provider_url: string - - :param username: User's login - :type username: string - - :param password: User's password - :type password: string - - """ super(Saml2UnscopedToken, self).__init__(auth_url=auth_url, **kwargs) self.identity_provider = identity_provider self.identity_provider_url = identity_provider_url - self.username, self.password = username, password + self._username, self._password = username, password - @classmethod - def get_options(cls): - options = super(Saml2UnscopedToken, cls).get_options() - options.extend([ - cfg.StrOpt('identity-provider', help="Identity Provider's name"), - cfg.StrOpt('identity-provider-url', - help="Identity Provider's URL"), - cfg.StrOpt('user-name', dest='username', help='Username', - deprecated_name='username'), - cfg.StrOpt('password', help='Password') - ]) - return options + @property + def username(self): + # Override to remove deprecation. + return self._username - def _handle_http_302_ecp_redirect(self, session, response, method, - **kwargs): - if response.status_code != self.HTTP_MOVED_TEMPORARILY: + @username.setter + def username(self, value): + # Override to remove deprecation. + self._username = value + + @property + def password(self): + # Override to remove deprecation. + return self._password + + @password.setter + def password(self, value): + # Override to remove deprecation. + self._password = value + + def _handle_http_ecp_redirect(self, session, response, method, **kwargs): + if response.status_code not in (self.HTTP_MOVED_TEMPORARILY, + self.HTTP_SEE_OTHER): return response location = response.headers['location'] return session.request(location, method, authenticated=False, **kwargs) - def _first(self, _list): - if len(_list) != 1: - raise IndexError("Only single element is acceptable") - return _list[0] - def _prepare_idp_saml2_request(self, saml2_authn_request): header = saml2_authn_request[self.SAML2_HEADER_INDEX] saml2_authn_request.remove(header) @@ -173,9 +231,9 @@ def _check_consumer_urls(self, session, sp_response_consumer_url, authenticated=False) # prepare error message and raise an exception. - msg = ("Consumer URLs from Service Provider %(service_provider)s " - "%(sp_consumer_url)s and Identity Provider " - "%(identity_provider)s %(idp_consumer_url)s are not equal") + msg = _("Consumer URLs from Service Provider %(service_provider)s " + "%(sp_consumer_url)s and Identity Provider " + "%(identity_provider)s %(idp_consumer_url)s are not equal") msg = msg % { 'service_provider': self.token_url, 'sp_consumer_url': sp_response_consumer_url, @@ -219,8 +277,8 @@ def _send_service_provider_request(self, session): try: self.saml2_authn_request = etree.XML(sp_response.content) except etree.XMLSyntaxError as e: - msg = ("SAML2: Error parsing XML returned " - "from Service Provider, reason: %s" % e) + msg = _("SAML2: Error parsing XML returned " + "from Service Provider, reason: %s") % e raise exceptions.AuthorizationFailure(msg) relay_state = self.saml2_authn_request.xpath( @@ -230,13 +288,11 @@ def _send_service_provider_request(self, session): sp_response_consumer_url = self.saml2_authn_request.xpath( self.ECP_SERVICE_PROVIDER_CONSUMER_URL, namespaces=self.ECP_SAML2_NAMESPACES) - self.sp_response_consumer_url = self._first( - sp_response_consumer_url) + self.sp_response_consumer_url = self._first(sp_response_consumer_url) return False def _send_idp_saml2_authn_request(self, session): """Present modified SAML2 authn assertion from the Service Provider.""" - self._prepare_idp_saml2_request(self.saml2_authn_request) idp_saml2_authn_request = self.saml2_authn_request @@ -251,16 +307,15 @@ def _send_idp_saml2_authn_request(self, session): try: self.saml2_idp_authn_response = etree.XML(idp_response.content) except etree.XMLSyntaxError as e: - msg = ("SAML2: Error parsing XML returned " - "from Identity Provider, reason: %s" % e) + msg = _("SAML2: Error parsing XML returned " + "from Identity Provider, reason: %s") % e raise exceptions.AuthorizationFailure(msg) idp_response_consumer_url = self.saml2_idp_authn_response.xpath( self.ECP_IDP_CONSUMER_URL, namespaces=self.ECP_SAML2_NAMESPACES) - self.idp_response_consumer_url = self._first( - idp_response_consumer_url) + self.idp_response_consumer_url = self._first(idp_response_consumer_url) self._check_consumer_urls(session, self.idp_response_consumer_url, self.sp_response_consumer_url) @@ -272,8 +327,8 @@ def _send_service_provider_saml2_authn_response(self, session): authenticated user. This function directs the HTTP request to SP managed URL, for instance: ``https://:/Shibboleth.sso/ SAML2/ECP``. - Upon success the there's a session created and access to the protected - resource is granted. Many implementations of the SP return HTTP 302 + Upon success there's a session created and access to the protected + resource is granted. Many implementations of the SP return HTTP 302/303 status code pointing to the protected URL (``https://:/v3/ OS-FEDERATION/identity_providers/{identity_provider}/protocols/ {protocol_id}/auth`` in this case). Saml2 plugin should point to that @@ -290,31 +345,17 @@ def _send_service_provider_saml2_authn_response(self, session): data=etree.tostring(self.saml2_idp_authn_response), authenticated=False, redirect=False) - # Don't follow HTTP specs - after the HTTP 302 response don't repeat - # the call directed to the Location URL. In this case, this is an - # indication that saml2 session is now active and protected resource + # Don't follow HTTP specs - after the HTTP 302/303 response don't + # repeat the call directed to the Location URL. In this case, this is + # an indication that saml2 session is now active and protected resource # can be accessed. - response = self._handle_http_302_ecp_redirect( + response = self._handle_http_ecp_redirect( session, response, method='GET', headers=self.ECP_SP_SAML2_REQUEST_HEADERS) self.authenticated_response = response - @property - def token_url(self): - """Return full URL where authorization data is sent.""" - values = { - 'host': self.auth_url.rstrip('/'), - 'identity_provider': self.identity_provider, - 'protocol': self.PROTOCOL - } - url = ("%(host)s/OS-FEDERATION/identity_providers/" - "%(identity_provider)s/protocols/%(protocol)s/auth") - url = url % values - - return url - - def _get_unscoped_token(self, session, **kwargs): + def _get_unscoped_token(self, session): """Get unscoped OpenStack token after federated authentication. This is a multi-step process including multiple HTTP requests. @@ -404,21 +445,463 @@ def get_auth_ref(self, session, **kwargs): :param session : a session object to send out HTTP requests. :type session: keystoneclient.session.Session - :return access.AccessInfoV3: an object with scoped token's id and - unscoped token json included. + :return: an object with scoped token's id and unscoped token json + included. + :rtype: :py:class:`keystoneclient.access.AccessInfoV3` """ - token, token_json = self._get_unscoped_token(session, **kwargs) + token, token_json = self._get_unscoped_token(session) return access.AccessInfoV3(token, **token_json) +class ADFSUnscopedToken(_BaseSAMLPlugin): + """Authentication plugin for Microsoft ADFS2.0 IdPs. + + :param auth_url: URL of the Identity Service + :type auth_url: string + + :param identity_provider: name of the Identity Provider the client will + authenticate against. This parameter will be used + to build a dynamic URL used to obtain unscoped + OpenStack token. + :type identity_provider: string + + :param identity_provider_url: An Identity Provider URL, where the SAML2 + authentication request will be sent. + :type identity_provider_url: string + + :param service_provider_endpoint: Endpoint where an assertion is being + sent, for instance: ``https://host.domain/Shibboleth.sso/ADFS`` + :type service_provider_endpoint: string + + :param username: User's login + :type username: string + + :param password: User's password + :type password: string + + """ + + _auth_method_class = Saml2UnscopedTokenAuthMethod + + DEFAULT_ADFS_TOKEN_EXPIRATION = 120 + + HEADER_SOAP = {"Content-Type": "application/soap+xml; charset=utf-8"} + HEADER_X_FORM = {"Content-Type": "application/x-www-form-urlencoded"} + + NAMESPACES = { + 's': 'http://www.w3.org/2003/05/soap-envelope', + 'a': 'http://www.w3.org/2005/08/addressing', + 'u': ('http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-utility-1.0.xsd') + } + + ADFS_TOKEN_NAMESPACES = { + 's': 'http://www.w3.org/2003/05/soap-envelope', + 't': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512' + } + ADFS_ASSERTION_XPATH = ('/s:Envelope/s:Body' + '/t:RequestSecurityTokenResponseCollection' + '/t:RequestSecurityTokenResponse') + + def __init__(self, auth_url, identity_provider, identity_provider_url, + service_provider_endpoint, username, password, **kwargs): + super(ADFSUnscopedToken, self).__init__(auth_url=auth_url, **kwargs) + self.identity_provider = identity_provider + self.identity_provider_url = identity_provider_url + self.service_provider_endpoint = service_provider_endpoint + self._username, self._password = username, password + + @property + def username(self): + # Override to remove deprecation. + return self._username + + @username.setter + def username(self, value): + # Override to remove deprecation. + self._username = value + + @property + def password(self): + # Override to remove deprecation. + return self._password + + @password.setter + def password(self, value): + # Override to remove deprecation. + self._password = value + + @classmethod + def get_options(cls): + options = super(ADFSUnscopedToken, cls).get_options() + + options.extend([ + cfg.StrOpt('service-provider-endpoint', + help="Service Provider's Endpoint") + ]) + return options + + def _cookies(self, session): + """Check if cookie jar is not empty. + + keystoneclient.session.Session object doesn't have a cookies attribute. + We should then try fetching cookies from the underlying + requests.Session object. If that fails too, there is something wrong + and let Python raise the AttributeError. + + :param session + :returns: True if cookie jar is nonempty, False otherwise + :raises AttributeError: in case cookies are not find anywhere + + """ + try: + return bool(session.cookies) + except AttributeError: # nosec(cjschaef): fetch cookies from + # underylying requests.Session object, or fail trying + pass + + return bool(session.session.cookies) + + def _token_dates(self, fmt='%Y-%m-%dT%H:%M:%S.%fZ'): + """Calculate created and expires datetime objects. + + The method is going to be used for building ADFS Request Security + Token message. Time interval between ``created`` and ``expires`` + dates is now static and equals to 120 seconds. ADFS security tokens + should not be live too long, as currently ``keystoneclient`` + doesn't have mechanisms for reusing such tokens (every time ADFS authn + method is called, keystoneclient will login with the ADFS instance). + + :param fmt: Datetime format for specifying string format of a date. + It should not be changed if the method is going to be used + for building the ADFS security token request. + :type fmt: string + + """ + date_created = datetime.datetime.utcnow() + date_expires = date_created + datetime.timedelta( + seconds=self.DEFAULT_ADFS_TOKEN_EXPIRATION) + return [_time.strftime(fmt) for _time in (date_created, date_expires)] + + def _prepare_adfs_request(self): + """Build the ADFS Request Security Token SOAP message. + + Some values like username or password are inserted in the request. + + """ + WSS_SECURITY_NAMESPACE = { + 'o': ('http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-secext-1.0.xsd') + } + + TRUST_NAMESPACE = { + 'trust': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512' + } + + WSP_NAMESPACE = { + 'wsp': 'http://schemas.xmlsoap.org/ws/2004/09/policy' + } + + WSA_NAMESPACE = { + 'wsa': 'http://www.w3.org/2005/08/addressing' + } + + root = etree.Element( + '{http://www.w3.org/2003/05/soap-envelope}Envelope', + nsmap=self.NAMESPACES) + + header = etree.SubElement( + root, '{http://www.w3.org/2003/05/soap-envelope}Header') + action = etree.SubElement( + header, "{http://www.w3.org/2005/08/addressing}Action") + action.set( + "{http://www.w3.org/2003/05/soap-envelope}mustUnderstand", "1") + action.text = ('http://docs.oasis-open.org/ws-sx/ws-trust/200512' + '/RST/Issue') + + messageID = etree.SubElement( + header, '{http://www.w3.org/2005/08/addressing}MessageID') + messageID.text = 'urn:uuid:' + uuid.uuid4().hex + replyID = etree.SubElement( + header, '{http://www.w3.org/2005/08/addressing}ReplyTo') + address = etree.SubElement( + replyID, '{http://www.w3.org/2005/08/addressing}Address') + address.text = 'http://www.w3.org/2005/08/addressing/anonymous' + + to = etree.SubElement( + header, '{http://www.w3.org/2005/08/addressing}To') + to.set("{http://www.w3.org/2003/05/soap-envelope}mustUnderstand", "1") + + security = etree.SubElement( + header, '{http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-secext-1.0.xsd}Security', + nsmap=WSS_SECURITY_NAMESPACE) + + security.set( + "{http://www.w3.org/2003/05/soap-envelope}mustUnderstand", "1") + + timestamp = etree.SubElement( + security, ('{http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-utility-1.0.xsd}Timestamp')) + timestamp.set( + ('{http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-utility-1.0.xsd}Id'), '_0') + + created = etree.SubElement( + timestamp, ('{http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-utility-1.0.xsd}Created')) + + expires = etree.SubElement( + timestamp, ('{http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-utility-1.0.xsd}Expires')) + + created.text, expires.text = self._token_dates() + + usernametoken = etree.SubElement( + security, '{http://docs.oasis-open.org/wss/2004/01/oasis-200401-' + 'wss-wssecurity-secext-1.0.xsd}UsernameToken') + usernametoken.set( + ('{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-' + 'wssecurity-utility-1.0.xsd}u'), "uuid-%s-1" % uuid.uuid4().hex) + + username = etree.SubElement( + usernametoken, ('{http://docs.oasis-open.org/wss/2004/01/oasis-' + '200401-wss-wssecurity-secext-1.0.xsd}Username')) + password = etree.SubElement( + usernametoken, ('{http://docs.oasis-open.org/wss/2004/01/oasis-' + '200401-wss-wssecurity-secext-1.0.xsd}Password'), + Type=('http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-' + 'username-token-profile-1.0#PasswordText')) + + body = etree.SubElement( + root, "{http://www.w3.org/2003/05/soap-envelope}Body") + + request_security_token = etree.SubElement( + body, ('{http://docs.oasis-open.org/ws-sx/ws-trust/200512}' + 'RequestSecurityToken'), nsmap=TRUST_NAMESPACE) + + applies_to = etree.SubElement( + request_security_token, + '{http://schemas.xmlsoap.org/ws/2004/09/policy}AppliesTo', + nsmap=WSP_NAMESPACE) + + endpoint_reference = etree.SubElement( + applies_to, + '{http://www.w3.org/2005/08/addressing}EndpointReference', + nsmap=WSA_NAMESPACE) + + wsa_address = etree.SubElement( + endpoint_reference, + '{http://www.w3.org/2005/08/addressing}Address') + + keytype = etree.SubElement( + request_security_token, + '{http://docs.oasis-open.org/ws-sx/ws-trust/200512}KeyType') + keytype.text = ('http://docs.oasis-open.org/ws-sx/' + 'ws-trust/200512/Bearer') + + request_type = etree.SubElement( + request_security_token, + '{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestType') + request_type.text = ('http://docs.oasis-open.org/ws-sx/' + 'ws-trust/200512/Issue') + token_type = etree.SubElement( + request_security_token, + '{http://docs.oasis-open.org/ws-sx/ws-trust/200512}TokenType') + token_type.text = 'urn:oasis:names:tc:SAML:1.0:assertion' + + # After constructing the request, let's plug in some values + username.text = self.username + password.text = self.password + to.text = self.identity_provider_url + wsa_address.text = self.service_provider_endpoint + + self.prepared_request = root + + def _get_adfs_security_token(self, session): + """Send ADFS Security token to the ADFS server. + + Store the result in the instance attribute and raise an exception in + case the response is not valid XML data. + + If a user cannot authenticate due to providing bad credentials, the + ADFS2.0 server will return a HTTP 500 response and a XML Fault message. + If ``exceptions.InternalServerError`` is caught, the method tries to + parse the XML response. + If parsing is unsuccessful, an ``exceptions.AuthorizationFailure`` is + raised with a reason from the XML fault. Otherwise an original + ``exceptions.InternalServerError`` is re-raised. + + :param session : a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :raises keystoneclient.exceptions.AuthorizationFailure: when HTTP + response from the ADFS server is not a valid XML ADFS security + token. + :raises keystoneclient.exceptions.InternalServerError: If response + status code is HTTP 500 and the response XML cannot be + recognized. + + """ + def _get_failure(e): + xpath = '/s:Envelope/s:Body/s:Fault/s:Code/s:Subcode/s:Value' + content = e.response.content + try: + obj = self.str_to_xml(content).xpath( + xpath, namespaces=self.NAMESPACES) + obj = self._first(obj) + return obj.text + # NOTE(marek-denis): etree.Element.xpath() doesn't raise an + # exception, it just returns an empty list. In that case, _first() + # will raise IndexError and we should treat it as an indication XML + # is not valid. exceptions.AuthorizationFailure can be raised from + # str_to_xml(), however since server returned HTTP 500 we should + # re-raise exceptions.InternalServerError. + except (IndexError, exceptions.AuthorizationFailure): + raise e + + request_security_token = self.xml_to_str(self.prepared_request) + try: + response = session.post( + url=self.identity_provider_url, headers=self.HEADER_SOAP, + data=request_security_token, authenticated=False) + except exceptions.InternalServerError as e: + reason = _get_failure(e) + raise exceptions.AuthorizationFailure(reason) + msg = _("Error parsing XML returned from " + "the ADFS Identity Provider, reason: %s") + self.adfs_token = self.str_to_xml(response.content, msg) + + def _prepare_sp_request(self): + """Prepare ADFS Security Token to be sent to the Service Provider. + + The method works as follows: + * Extract SAML2 assertion from the ADFS Security Token. + * Replace namespaces + * urlencode assertion + * concatenate static string with the encoded assertion + + """ + assertion = self.adfs_token.xpath( + self.ADFS_ASSERTION_XPATH, namespaces=self.ADFS_TOKEN_NAMESPACES) + assertion = self._first(assertion) + assertion = self.xml_to_str(assertion) + # TODO(marek-denis): Ideally no string replacement should occur. + # Unfortunately lxml doesn't allow for namespaces changing in-place and + # probably the only solution good for now is to build the assertion + # from scratch and reuse values from the adfs security token. + assertion = assertion.replace( + b'http://docs.oasis-open.org/ws-sx/ws-trust/200512', + b'http://schemas.xmlsoap.org/ws/2005/02/trust') + + encoded_assertion = urllib.parse.quote(assertion) + self.encoded_assertion = 'wa=wsignin1.0&wresult=' + encoded_assertion + + def _send_assertion_to_service_provider(self, session): + """Send prepared assertion to a service provider. + + As the assertion doesn't contain a protected resource, the value from + the ``location`` header is not valid and we should not let the Session + object get redirected there. The aim of this call is to get a cookie in + the response which is required for entering a protected endpoint. + + :param session : a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :raises: Corresponding HTTP error exception + + """ + session.post( + url=self.service_provider_endpoint, data=self.encoded_assertion, + headers=self.HEADER_X_FORM, redirect=False, authenticated=False) + + def _access_service_provider(self, session): + """Access protected endpoint and fetch unscoped token. + + After federated authentication workflow a protected endpoint should be + accessible with the session object. The access is granted basing on the + cookies stored within the session object. If, for some reason no + cookies are present (quantity test) it means something went wrong and + user will not be able to fetch an unscoped token. In that case an + ``exceptions.AuthorizationFailure` exception is raised and no HTTP call + is even made. + + :param session : a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :raises keystoneclient.exceptions.AuthorizationFailure: in case session + object has empty cookie jar. + + """ + if self._cookies(session) is False: + raise exceptions.AuthorizationFailure( + _("Session object doesn't contain a cookie, therefore you are " + "not allowed to enter the Identity Provider's protected " + "area.")) + self.authenticated_response = session.get(self.token_url, + authenticated=False) + + def _get_unscoped_token(self, session, *kwargs): + """Retrieve unscoped token after authentcation with ADFS server. + + This is a multistep process:: + + * Prepare ADFS Request Securty Token - + build an etree.XML object filling certain attributes with proper user + credentials, created/expires dates (ticket is be valid for 120 seconds + as currently we don't handle reusing ADFS issued security tokens) . + Step handled by ``ADFSUnscopedToken._prepare_adfs_request()`` method. + + * Send ADFS Security token to the ADFS server. Step handled by + ``ADFSUnscopedToken._get_adfs_security_token()`` method. + + * Receive and parse security token, extract actual SAML assertion and + prepare a request addressed for the Service Provider endpoint. + This also includes changing namespaces in the XML document. Step + handled by ``ADFSUnscopedToken._prepare_sp_request()`` method. + + * Send prepared assertion to the Service Provider endpoint. Usually + the server will respond with HTTP 301 code which should be ignored as + the 'location' header doesn't contain protected area. The goal of this + operation is fetching the session cookie which later allows for + accessing protected URL endpoints. Step handed by + ``ADFSUnscopedToken._send_assertion_to_service_provider()`` method. + + * Once the session cookie is issued, the protected endpoint can be + accessed and an unscoped token can be retrieved. Step handled by + ``ADFSUnscopedToken._access_service_provider()`` method. + + :param session : a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :returns: (Unscoped federated token, token JSON body) + + """ + self._prepare_adfs_request() + self._get_adfs_security_token(session) + self._prepare_sp_request() + self._send_assertion_to_service_provider(session) + self._access_service_provider(session) + + try: + return (self.authenticated_response.headers['X-Subject-Token'], + self.authenticated_response.json()['token']) + except (KeyError, ValueError): + raise exceptions.InvalidResponse( + response=self.authenticated_response) + + def get_auth_ref(self, session, **kwargs): + token, token_json = self._get_unscoped_token(session) + return access.AccessInfoV3(token, **token_json) + + class Saml2ScopedTokenMethod(v3.TokenMethod): _method_name = 'saml2' def get_auth_data(self, session, auth, headers, **kwargs): """Build and return request body for token scoping step.""" - t = super(Saml2ScopedTokenMethod, self).get_auth_data( session, auth, headers, **kwargs) _token_method, token = t @@ -434,4 +917,4 @@ def __init__(self, auth_url, token, **kwargs): super(Saml2ScopedToken, self).__init__(auth_url, token, **kwargs) if not (self.project_id or self.domain_id): raise exceptions.ValidationError( - 'Neither project nor domain specified') + _('Neither project nor domain specified')) diff --git a/keystoneclient/contrib/bootstrap/shell.py b/keystoneclient/contrib/bootstrap/shell.py deleted file mode 100644 index 9a4ed9fcf..000000000 --- a/keystoneclient/contrib/bootstrap/shell.py +++ /dev/null @@ -1,40 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystoneclient import utils -from keystoneclient.v2_0 import client - - -@utils.arg('--user-name', metavar='', default='admin', dest='user', - help='The name of the user to be created (default="admin").') -@utils.arg('--pass', metavar='', required=True, dest='passwd', - help='The password for the new user.') -@utils.arg('--role-name', metavar='', default='admin', dest='role', - help='The name of the role to be created and granted to the user ' - '(default="admin").') -@utils.arg('--tenant-name', metavar='', default='admin', - dest='tenant', - help='The name of the tenant to be created (default="admin").') -def do_bootstrap(kc, args): - """Grants a new role to a new user on a new tenant, after creating each.""" - tenant = kc.tenants.create(tenant_name=args.tenant) - role = kc.roles.create(name=args.role) - user = kc.users.create(name=args.user, password=args.passwd, email=None) - kc.roles.add_user_role(user=user, role=role, tenant=tenant) - - # verify the result - user_client = client.Client( - username=args.user, - password=args.passwd, - tenant_name=args.tenant, - auth_url=kc.management_url) - user_client.authenticate() diff --git a/keystoneclient/contrib/ec2/utils.py b/keystoneclient/contrib/ec2/utils.py index 3b722f23c..f7cefa1bf 100644 --- a/keystoneclient/contrib/ec2/utils.py +++ b/keystoneclient/contrib/ec2/utils.py @@ -20,14 +20,16 @@ import hashlib import hmac import re +import urllib.parse -import six -from six.moves import urllib +from keystoneclient.i18n import _ class Ec2Signer(object): - """Utility class which adds allows a request to be signed with an AWS style - signature, which can then be used for authentication via the keystone ec2 + """Utility class for EC2 signing of request. + + This allows a request to be signed with an AWS style signature, + which can then be used for authentication via the keystone ec2 authentication extension. """ @@ -38,8 +40,10 @@ def __init__(self, secret_key): self.hmac_256 = hmac.new(self.secret_key, digestmod=hashlib.sha256) def _v4_creds(self, credentials): - """Detect if the credentials are for a v4 signed request, since AWS - removed the SignatureVersion field from the v4 request spec... + """Detect if the credentials are for a v4 signed request. + + Check is needed since AWS removed the SignatureVersion field from + the v4 request spec... This expects a dict of the request headers to be passed in the credentials dict, since the recommended way to pass v4 creds is @@ -65,7 +69,8 @@ def _v4_creds(self, credentials): if (credentials['params']['X-Amz-Algorithm'] == 'AWS4-HMAC-SHA256'): return True - except KeyError: + except KeyError: # nosec(cjschaef): in cases of not finding + # entries, simply return False pass return False @@ -91,17 +96,17 @@ def generate(self, credentials): credentials['body_hash']) if signature_version is not None: - raise Exception('Unknown signature version: %s' % + raise Exception(_('Unknown signature version: %s') % signature_version) else: - raise Exception('Unexpected signature format') + raise Exception(_('Unexpected signature format')) @staticmethod def _get_utf8_value(value): """Get the UTF8-encoded version of a value.""" - if not isinstance(value, (six.binary_type, six.text_type)): + if not isinstance(value, (str, bytes)): value = str(value) - if isinstance(value, six.text_type): + if isinstance(value, str): return value.encode('utf-8') else: return value @@ -114,9 +119,7 @@ def _calc_signature_0(self, params): def _calc_signature_1(self, params): """Generate AWS signature version 1 string.""" - keys = list(params) - keys.sort(key=six.text_type.lower) - for key in keys: + for key in sorted(params, key=str.lower): self.hmac.update(key.encode('utf-8')) val = self._get_utf8_value(params[key]) self.hmac.update(val) @@ -124,8 +127,9 @@ def _calc_signature_1(self, params): @staticmethod def _canonical_qs(params): - """Construct a sorted, correctly encoded query string as required for - _calc_signature_2 and _calc_signature_4. + """Construct a sorted, correctly encoded query string. + + This is required for _calc_signature_2 and _calc_signature_4. """ keys = list(params) keys.sort() @@ -154,14 +158,14 @@ def _calc_signature_2(self, params, verb, server_string, path): def _calc_signature_4(self, params, verb, server_string, path, headers, body_hash): """Generate AWS signature version 4 string.""" - def sign(key, msg): return hmac.new(key, self._get_utf8_value(msg), hashlib.sha256).digest() def signature_key(datestamp, region_name, service_name): - """Signature key derivation, see - http://docs.aws.amazon.com/general/latest/gr/ + """Signature key derivation. + + See http://docs.aws.amazon.com/general/latest/gr/ signature-v4-examples.html#signature-v4-examples-python """ k_date = sign(self._get_utf8_value(b"AWS4" + self.secret_key), @@ -187,8 +191,9 @@ def auth_param(param_name): return param_str def date_param(): - """Get the X-Amz-Date' value, which can be either a header - or parameter. + """Get the X-Amz-Date' value. + + The value can be either a header or parameter. Note AWS supports parsing the Date header also, but this is not currently supported here as it will require some format mangling @@ -209,14 +214,14 @@ def canonical_header_str(): # - the Authorization header (SignedHeaders key) # - the X-Amz-SignedHeaders query parameter headers_lower = dict((k.lower().strip(), v.strip()) - for (k, v) in six.iteritems(headers)) + for (k, v) in headers.items()) # Boto versions < 2.9.3 strip the port component of the host:port # header, so detect the user-agent via the header and strip the # port if we detect an old boto version. FIXME: remove when all # distros package boto >= 2.9.3, this is a transitional workaround user_agent = headers_lower.get('user-agent', '') - strip_port = re.match('Boto/2.[0-9].[0-2]', user_agent) + strip_port = re.match(r'Boto/2\.[0-9]\.[0-2]', user_agent) header_list = [] sh_str = auth_param('SignedHeaders') @@ -232,12 +237,19 @@ def canonical_header_str(): header_list.append('%s:%s' % (h, headers_lower[h])) return '\n'.join(header_list) + '\n' + def canonical_query_str(verb, params): + # POST requests pass parameters in through the request body + canonical_qs = '' + if verb.upper() != 'POST': + canonical_qs = self._canonical_qs(params) + return canonical_qs + # Create canonical request: # http://docs.aws.amazon.com/general/latest/gr/ # sigv4-create-canonical-request.html # Get parameters and headers in expected string format cr = "\n".join((verb.upper(), path, - self._canonical_qs(params), + canonical_query_str(verb, params), canonical_header_str(), auth_param('SignedHeaders'), body_hash)) @@ -250,7 +262,7 @@ def canonical_header_str(): credential_date = credential_split[1] param_date = date_param() if not param_date.startswith(credential_date): - raise Exception('Request date mismatch error') + raise Exception(_('Request date mismatch error')) # Create the string to sign # http://docs.aws.amazon.com/general/latest/gr/ diff --git a/keystoneclient/contrib/revoke/model.py b/keystoneclient/contrib/revoke/model.py deleted file mode 100644 index 2fc405cf1..000000000 --- a/keystoneclient/contrib/revoke/model.py +++ /dev/null @@ -1,314 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystoneclient.openstack.common import timeutils - -# The set of attributes common between the RevokeEvent -# and the dictionaries created from the token Data. -_NAMES = ['trust_id', - 'consumer_id', - 'access_token_id', - 'expires_at', - 'domain_id', - 'project_id', - 'user_id', - 'role_id'] - - -# Additional arguments for creating a RevokeEvent -_EVENT_ARGS = ['issued_before', 'revoked_at'] - -# Values that will be in the token data but not in the event. -# These will compared with event values that have different names. -# For example: both trustor_id and trustee_id are compared against user_id -_TOKEN_KEYS = ['identity_domain_id', - 'assignment_domain_id', - 'issued_at', - 'trustor_id', - 'trustee_id'] - - -REVOKE_KEYS = _NAMES + _EVENT_ARGS - - -def blank_token_data(issued_at): - token_data = dict() - for name in _NAMES: - token_data[name] = None - for name in _TOKEN_KEYS: - token_data[name] = None - # required field - token_data['issued_at'] = issued_at - return token_data - - -class RevokeEvent(object): - def __init__(self, **kwargs): - for k in REVOKE_KEYS: - v = kwargs.get(k, None) - setattr(self, k, v) - if self.revoked_at is None: - self.revoked_at = timeutils.utcnow() - if self.issued_before is None: - self.issued_before = self.revoked_at - - def to_dict(self): - keys = ['user_id', - 'role_id', - 'domain_id', - 'project_id'] - event = dict((key, self.__dict__[key]) for key in keys - if self.__dict__[key] is not None) - if self.trust_id is not None: - event['OS-TRUST:trust_id'] = self.trust_id - if self.consumer_id is not None: - event['OS-OAUTH1:consumer_id'] = self.consumer_id - if self.consumer_id is not None: - event['OS-OAUTH1:access_token_id'] = self.access_token_id - if self.expires_at is not None: - event['expires_at'] = timeutils.isotime(self.expires_at, - subsecond=True) - if self.issued_before is not None: - event['issued_before'] = timeutils.isotime(self.issued_before, - subsecond=True) - return event - - def key_for_name(self, name): - return "%s=%s" % (name, getattr(self, name) or '*') - - -def attr_keys(event): - return map(event.key_for_name, _NAMES) - - -class RevokeTree(object): - """Fast Revocation Checking Tree Structure - - The Tree is an index to quickly match tokens against events. - Each node is a hashtable of key=value combinations from revocation events. - The - - """ - - def __init__(self, revoke_events=None): - self.revoke_map = dict() - self.add_events(revoke_events) - - def add_event(self, event): - """Updates the tree based on a revocation event. - - Creates any necessary internal nodes in the tree corresponding to the - fields of the revocation event. The leaf node will always be set to - the latest 'issued_before' for events that are otherwise identical. - - :param: Event to add to the tree - - :returns: the event that was passed in. - - """ - revoke_map = self.revoke_map - for key in attr_keys(event): - revoke_map = revoke_map.setdefault(key, {}) - revoke_map['issued_before'] = max( - event.issued_before, revoke_map.get( - 'issued_before', event.issued_before)) - return event - - def remove_event(self, event): - """Update the tree based on the removal of a Revocation Event - - Removes empty nodes from the tree from the leaf back to the root. - - If multiple events trace the same path, but have different - 'issued_before' values, only the last is ever stored in the tree. - So only an exact match on 'issued_before' ever triggers a removal - - :param: Event to remove from the tree - - """ - stack = [] - revoke_map = self.revoke_map - for name in _NAMES: - key = event.key_for_name(name) - nxt = revoke_map.get(key) - if nxt is None: - break - stack.append((revoke_map, key, nxt)) - revoke_map = nxt - else: - if event.issued_before == revoke_map['issued_before']: - revoke_map.pop('issued_before') - for parent, key, child in reversed(stack): - if not any(child): - del parent[key] - - def add_events(self, revoke_events): - return map(self.add_event, revoke_events or []) - - def is_revoked(self, token_data): - """Check if a token matches the revocation event - - Compare the values for each level of the tree with the values from - the token, accounting for attributes that have alternative - keys, and for wildcard matches. - if there is a match, continue down the tree. - if there is no match, exit early. - - token_data is a map based on a flattened view of token. - The required fields are: - - 'expires_at','user_id', 'project_id', 'identity_domain_id', - 'assignment_domain_id', 'trust_id', 'trustor_id', 'trustee_id' - 'consumer_id', 'access_token_id' - - """ - # Alternative names to be checked in token for every field in - # revoke tree. - alternatives = { - 'user_id': ['user_id', 'trustor_id', 'trustee_id'], - 'domain_id': ['identity_domain_id', 'assignment_domain_id'], - } - # Contains current forest (collection of trees) to be checked. - partial_matches = [self.revoke_map] - # We iterate over every layer of our revoke tree (except the last one). - for name in _NAMES: - # bundle is the set of partial matches for the next level down - # the tree - bundle = [] - wildcard = '%s=*' % (name,) - # For every tree in current forest. - for tree in partial_matches: - # If there is wildcard node on current level we take it. - bundle.append(tree.get(wildcard)) - if name == 'role_id': - # Roles are very special since a token has a list of them. - # If the revocation event matches any one of them, - # revoke the token. - for role_id in token_data.get('roles', []): - bundle.append(tree.get('role_id=%s' % role_id)) - else: - # For other fields we try to get any branch that concur - # with any alternative field in the token. - for alt_name in alternatives.get(name, [name]): - bundle.append( - tree.get('%s=%s' % (name, token_data[alt_name]))) - # tree.get returns `None` if there is no match, so `bundle.append` - # adds a 'None' entry. This call remoes the `None` entries. - partial_matches = [x for x in bundle if x is not None] - if not partial_matches: - # If we end up with no branches to follow means that the token - # is definitely not in the revoke tree and all further - # iterations will be for nothing. - return False - - # The last (leaf) level is checked in a special way because we verify - # issued_at field differently. - for leaf in partial_matches: - try: - if leaf['issued_before'] > token_data['issued_at']: - return True - except KeyError: - pass - # If we made it out of the loop then no element in revocation tree - # corresponds to our token and it is good. - return False - - -def build_token_values_v2(access, default_domain_id): - token_data = access['token'] - token_values = { - 'expires_at': timeutils.normalize_time( - timeutils.parse_isotime(token_data['expires'])), - 'issued_at': timeutils.normalize_time( - timeutils.parse_isotime(token_data['issued_at']))} - - token_values['user_id'] = access.get('user', {}).get('id') - - project = token_data.get('tenant') - if project is not None: - token_values['project_id'] = project['id'] - else: - token_values['project_id'] = None - - token_values['identity_domain_id'] = default_domain_id - token_values['assignment_domain_id'] = default_domain_id - - trust = token_data.get('trust') - if trust is None: - token_values['trust_id'] = None - token_values['trustor_id'] = None - token_values['trustee_id'] = None - else: - token_values['trust_id'] = trust['id'] - token_values['trustor_id'] = trust['trustor_id'] - token_values['trustee_id'] = trust['trustee_id'] - - token_values['consumer_id'] = None - token_values['access_token_id'] = None - - role_list = [] - # Roles are by ID in metadata and by name in the user section - roles = access.get('metadata', {}).get('roles', []) - for role in roles: - role_list.append(role) - token_values['roles'] = role_list - return token_values - - -def build_token_values(token_data): - token_values = { - 'expires_at': timeutils.normalize_time( - timeutils.parse_isotime(token_data['expires_at'])), - 'issued_at': timeutils.normalize_time( - timeutils.parse_isotime(token_data['issued_at']))} - - user = token_data.get('user') - if user is not None: - token_values['user_id'] = user['id'] - token_values['identity_domain_id'] = user['domain']['id'] - else: - token_values['user_id'] = None - token_values['identity_domain_id'] = None - - project = token_data.get('project', token_data.get('tenant')) - if project is not None: - token_values['project_id'] = project['id'] - token_values['assignment_domain_id'] = project['domain']['id'] - else: - token_values['project_id'] = None - token_values['assignment_domain_id'] = None - - role_list = [] - roles = token_data.get('roles') - if roles is not None: - for role in roles: - role_list.append(role['id']) - token_values['roles'] = role_list - - trust = token_data.get('OS-TRUST:trust') - if trust is None: - token_values['trust_id'] = None - token_values['trustor_id'] = None - token_values['trustee_id'] = None - else: - token_values['trust_id'] = trust['id'] - token_values['trustor_id'] = trust['trustor_user']['id'] - token_values['trustee_id'] = trust['trustee_user']['id'] - - oauth1 = token_data.get('OS-OAUTH1') - if oauth1 is None: - token_values['consumer_id'] = None - token_values['access_token_id'] = None - else: - token_values['consumer_id'] = oauth1['consumer_id'] - token_values['access_token_id'] = oauth1['access_token_id'] - return token_values diff --git a/keystoneclient/discover.py b/keystoneclient/discover.py index 07de97dd4..16174162d 100644 --- a/keystoneclient/discover.py +++ b/keystoneclient/discover.py @@ -10,104 +10,148 @@ # License for the specific language governing permissions and limitations # under the License. -import logging +import warnings -import six +from debtcollector import removals +from keystoneauth1 import plugin from keystoneclient import _discover from keystoneclient import exceptions +from keystoneclient.i18n import _ from keystoneclient import session as client_session -from keystoneclient import utils from keystoneclient.v2_0 import client as v2_client from keystoneclient.v3 import client as v3_client -_logger = logging.getLogger(__name__) - - _CLIENT_VERSIONS = {2: v2_client.Client, 3: v3_client.Client} +# functions needed from the private file that can be made public + +def normalize_version_number(version): + """Turn a version representation into a tuple. + + Takes a string, tuple or float which represent version formats we can + handle and converts them into a (major, minor) version tuple that we can + actually use for discovery. + + e.g. 'v3.3' gives (3, 3) + 3.1 gives (3, 1) + + :param version: Inputted version number to try and convert. + + :returns: A usable version tuple + :rtype: tuple + + :raises TypeError: if the inputted version cannot be converted to tuple. + """ + return _discover.normalize_version_number(version) + + +def version_match(required, candidate): + """Test that an available version satisfies the required version. + + To be suitable a version must be of the same major version as required + and be at least a match in minor/patch level. + + eg. 3.3 is a match for a required 3.1 but 4.1 is not. + + :param tuple required: the version that must be met. + :param tuple candidate: the version to test against required. + + :returns: True if candidate is suitable False otherwise. + :rtype: bool + """ + return _discover.version_match(required, candidate) + + def available_versions(url, session=None, **kwargs): """Retrieve raw version data from a url.""" if not session: - session = client_session.Session.construct(kwargs) + session = client_session.Session._construct(kwargs) return _discover.get_version_data(session, url) class Discover(_discover.Discover): - """A means to discover and create clients depending on the supported API - versions on the server. + """A means to discover and create clients. + + Clients are created depending on the supported API versions on the server. Querying the server is done on object creation and every subsequent method operates upon the data that was retrieved. + + The connection parameters associated with this method are the same format + and name as those used by a client (see + :py:class:`keystoneclient.v2_0.client.Client` and + :py:class:`keystoneclient.v3.client.Client`). If not overridden in + subsequent methods they will also be what is passed to the constructed + client. + + In the event that auth_url and endpoint is provided then auth_url will be + used in accordance with how the client operates. + + .. warning:: + + Creating an instance of this class without using the session argument + is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 + release. + + :param session: A session object that will be used for communication. + Clients will also be constructed with this session. + :type session: keystoneclient.session.Session + :param string auth_url: Identity service endpoint for authorization. + (optional) + :param string endpoint: A user-supplied endpoint URL for the identity + service. (optional) + :param string original_ip: The original IP of the requesting user which + will be sent to identity service in a + 'Forwarded' header. (optional) This is ignored + if a session is provided. Deprecated as of the + 1.7.0 release and may be removed in the 2.0.0 + release. + :param boolean debug: Enables debug logging of all request and responses to + the identity service. default False (optional) + This is ignored if a session is provided. Deprecated + as of the 1.7.0 release and may be removed in the + 2.0.0 release. + :param string cacert: Path to the Privacy Enhanced Mail (PEM) file which + contains the trusted authority X.509 certificates + needed to established SSL connection with the + identity service. (optional) This is ignored if a + session is provided. Deprecated as of the 1.7.0 + release and may be removed in the 2.0.0 release. + :param string key: Path to the Privacy Enhanced Mail (PEM) file which + contains the unencrypted client private key needed to + established two-way SSL connection with the identity + service. (optional) This is ignored if a session is + provided. Deprecated as of the 1.7.0 release and may be + removed in the 2.0.0 release. + :param string cert: Path to the Privacy Enhanced Mail (PEM) file which + contains the corresponding X.509 client certificate + needed to established two-way SSL connection with the + identity service. (optional) This is ignored if a + session is provided. Deprecated as of the 1.7.0 release + and may be removed in the 2.0.0 release. + :param boolean insecure: Does not perform X.509 certificate validation when + establishing SSL connection with identity service. + default: False (optional) This is ignored if a + session is provided. Deprecated as of the 1.7.0 + release and may be removed in the 2.0.0 release. + :param bool authenticated: Should a token be used to perform the initial + discovery operations. default: None (attach a + token if an auth plugin is available). + """ - @utils.positional(2) def __init__(self, session=None, authenticated=None, **kwargs): - """Construct a new discovery object. - - The connection parameters associated with this method are the same - format and name as those used by a client (see - keystoneclient.v2_0.client.Client and keystoneclient.v3.client.Client). - If not overridden in subsequent methods they will also be what is - passed to the constructed client. - - In the event that auth_url and endpoint is provided then auth_url will - be used in accordance with how the client operates. - - The initialization process also queries the server. - - :param Session session: A session object that will be used for - communication. Clients will also be constructed - with this session. - :param string auth_url: Identity service endpoint for authorization. - (optional) - :param string endpoint: A user-supplied endpoint URL for the identity - service. (optional) - :param string original_ip: The original IP of the requesting user - which will be sent to identity service in a - 'Forwarded' header. (optional) - DEPRECATED: use the session object. This is - ignored if a session is provided. - :param boolean debug: Enables debug logging of all request and - responses to the identity service. - default False (optional) - DEPRECATED: use the session object. This is - ignored if a session is provided. - :param string cacert: Path to the Privacy Enhanced Mail (PEM) file - which contains the trusted authority X.509 - certificates needed to established SSL connection - with the identity service. (optional) - DEPRECATED: use the session object. This is - ignored if a session is provided. - :param string key: Path to the Privacy Enhanced Mail (PEM) file which - contains the unencrypted client private key needed - to established two-way SSL connection with the - identity service. (optional) - DEPRECATED: use the session object. This is - ignored if a session is provided. - :param string cert: Path to the Privacy Enhanced Mail (PEM) file which - contains the corresponding X.509 client certificate - needed to established two-way SSL connection with - the identity service. (optional) - DEPRECATED: use the session object. This is - ignored if a session is provided. - :param boolean insecure: Does not perform X.509 certificate validation - when establishing SSL connection with identity - service. default: False (optional) - DEPRECATED: use the session object. This is - ignored if a session is provided. - :param bool authenticated: Should a token be used to perform the - initial discovery operations. - default: None (attach a token if an auth - plugin is available). - """ - if not session: - session = client_session.Session.construct(kwargs) + warnings.warn( + 'Constructing a Discover instance without using a session is ' + 'deprecated as of the 1.7.0 release and may be removed in the ' + '2.0.0 release.', DeprecationWarning) + session = client_session.Session._construct(kwargs) kwargs['session'] = session url = None @@ -120,24 +164,33 @@ def __init__(self, session=None, authenticated=None, **kwargs): elif auth_url: self._use_endpoint = False url = auth_url + elif session.auth: + self._use_endpoint = False + url = session.get_endpoint(interface=plugin.AUTH_INTERFACE) if not url: - raise exceptions.DiscoveryFailure('Not enough information to ' - 'determine URL. Provide either ' - 'auth_url or endpoint') + raise exceptions.DiscoveryFailure( + _('Not enough information to determine URL. Provide' + ' either a Session, or auth_url or endpoint')) self._client_kwargs = kwargs super(Discover, self).__init__(session, url, authenticated=authenticated) + @removals.remove(message='Use raw_version_data instead.', version='1.7.0', + removal_version='2.0.0') def available_versions(self, **kwargs): - """Return a list of identity APIs available on the server and the data - associated with them. + """Return a list of identity APIs available on the server. + + The list returned includes the data associated with them. - DEPRECATED: use raw_version_data() + .. warning:: + + This method is deprecated as of the 1.7.0 release in favor of + :meth:`raw_version_data` and may be removed in the 2.0.0 release. :param bool unstable: Accept endpoints not marked 'stable'. (optional) - DEPRECTED. Equates to setting allow_experimental + Equates to setting allow_experimental and allow_unknown to True. :param bool allow_experimental: Allow experimental version endpoints. :param bool allow_deprecated: Allow deprecated version endpoints. @@ -150,6 +203,10 @@ def available_versions(self, **kwargs): """ return self.raw_version_data(**kwargs) + @removals.removed_kwarg( + 'unstable', + message='Use allow_experimental and allow_unknown instead.', + version='1.7.0', removal_version='2.0.0') def raw_version_data(self, unstable=False, **kwargs): """Get raw version information from URL. @@ -157,14 +214,17 @@ def raw_version_data(self, unstable=False, **kwargs): on the data, so what is returned here will be the data in the same format it was received from the endpoint. - :param bool unstable: (deprecated) equates to setting - allow_experimental and allow_unknown. + :param bool unstable: equates to setting allow_experimental and + allow_unknown. This argument is deprecated as of + the 1.7.0 release and may be removed in the 2.0.0 + release. :param bool allow_experimental: Allow experimental version endpoints. :param bool allow_deprecated: Allow deprecated version endpoints. :param bool allow_unknown: Allow endpoints with an unrecognised status. - :returns list: The endpoints returned from the server that match the - criteria. + :returns: The endpoints returned from the server that match the + criteria. + :rtype: List Example:: @@ -172,8 +232,8 @@ def raw_version_data(self, unstable=False, **kwargs): >>> disc = discover.Discovery(auth_url='http://localhost:5000') >>> disc.raw_version_data() [{'id': 'v3.0', - 'links': [{'href': u'http://127.0.0.1:5000/v3/', - 'rel': u'self'}], + 'links': [{'href': 'http://127.0.0.1:5000/v3/', + 'rel': 'self'}], 'media-types': [ {'base': 'application/json', 'type': 'application/vnd.openstack.identity-v3+json'}, @@ -182,11 +242,11 @@ def raw_version_data(self, unstable=False, **kwargs): 'status': 'stable', 'updated': '2013-03-06T00:00:00Z'}, {'id': 'v2.0', - 'links': [{'href': u'http://127.0.0.1:5000/v2.0/', - 'rel': u'self'}, - {'href': u'...', - 'rel': u'describedby', - 'type': u'application/pdf'}], + 'links': [{'href': 'http://127.0.0.1:5000/v2.0/', + 'rel': 'self'}, + {'href': '...', + 'rel': 'describedby', + 'type': 'application/pdf'}], 'media-types': [ {'base': 'application/json', 'type': 'application/vnd.openstack.identity-v2.0+json'}, @@ -213,10 +273,11 @@ def _calculate_version(self, version, unstable): version_data = all_versions[-1] if not version_data: - msg = 'Could not find a suitable endpoint' + msg = _('Could not find a suitable endpoint') if version: - msg += ' for client version: %s' % str(version) + msg = _('Could not find a suitable endpoint for client ' + 'version: %s') % str(version) raise exceptions.VersionNotAvailable(msg) @@ -228,11 +289,11 @@ def _create_client(self, version_data, **kwargs): client_class = _CLIENT_VERSIONS[version_data['version'][0]] except KeyError: version = '.'.join(str(v) for v in version_data['version']) - msg = 'No client available for version: %s' % version + msg = _('No client available for version: %s') % version raise exceptions.DiscoveryFailure(msg) # kwargs should take priority over stored kwargs. - for k, v in six.iteritems(self._client_kwargs): + for k, v in self._client_kwargs.items(): kwargs.setdefault(k, v) # restore the url to either auth_url or endpoint depending on what @@ -261,8 +322,41 @@ def create_client(self, version=None, unstable=False, **kwargs): :returns: An instantiated identity client object. - :raises: DiscoveryFailure if the server response is invalid - :raises: VersionNotAvailable if a suitable client cannot be found. + :raises keystoneclient.exceptions.DiscoveryFailure: if the server + response is invalid + :raises keystoneclient.exceptions.VersionNotAvailable: if a suitable + client cannot be found. """ version_data = self._calculate_version(version, unstable) return self._create_client(version_data, **kwargs) + + +def add_catalog_discover_hack(service_type, old, new): + """Add a version removal rule for a particular service. + + Originally deployments of OpenStack would contain a versioned endpoint in + the catalog for different services. E.g. an identity service might look + like ``http://localhost:5000/v2.0``. This is a problem when we want to use + a different version like v3.0 as there is no way to tell where it is + located. We cannot simply change all service catalogs either so there must + be a way to handle the older style of catalog. + + This function adds a rule for a given service type that if part of the URL + matches a given regular expression in *old* then it will be replaced with + the *new* value. This will replace all instances of old with new. It should + therefore contain a regex anchor. + + For example the included rule states:: + + add_catalog_version_hack('identity', re.compile('/v2.0/?$'), '/') + + so if the catalog retrieves an *identity* URL that ends with /v2.0 or + /v2.0/ then it should replace it simply with / to fix the user's catalog. + + :param str service_type: The service type as defined in the catalog that + the rule will apply to. + :param re.RegexObject old: The regular expression to search for and replace + if found. + :param str new: The new string to replace the pattern with. + """ + _discover._VERSION_HACKS.add_discover_hack(service_type, old, new) diff --git a/keystoneclient/exceptions.py b/keystoneclient/exceptions.py index 5ad84c07c..034e5c977 100644 --- a/keystoneclient/exceptions.py +++ b/keystoneclient/exceptions.py @@ -12,66 +12,423 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +"""Exception definitions.""" + +from keystoneauth1 import exceptions as _exc + +from keystoneclient.i18n import _ + + +ClientException = _exc.ClientException +"""The base exception class for all exceptions this library raises. + +An alias of :py:exc:`keystoneauth1.exceptions.base.ClientException` +""" + +ConnectionError = _exc.ConnectionError +"""Cannot connect to API service. + +An alias of :py:exc:`keystoneauth1.exceptions.connection.ConnectionError` +""" + +ConnectionRefused = _exc.ConnectFailure +"""Connection refused while trying to connect to API service. + +An alias of :py:exc:`keystoneauth1.exceptions.connection.ConnectFailure` """ -Exception definitions. + +SSLError = _exc.SSLError +"""An SSL error occurred. + +An alias of :py:exc:`keystoneauth1.exceptions.connection.SSLError` +""" + +AuthorizationFailure = _exc.AuthorizationFailure +"""Cannot authorize API client. + +An alias of :py:exc:`keystoneauth1.exceptions.auth.AuthorizationFailure` +""" + + +class ValidationError(ClientException): + """Error in validation on API client side.""" + + pass + + +class UnsupportedVersion(ClientException): + """User is trying to use an unsupported version of the API.""" + + pass + + +class CommandError(ClientException): + """Error in CLI tool.""" + + pass + + +class AuthPluginOptionsMissing(AuthorizationFailure): + """Auth plugin misses some options.""" + + def __init__(self, opt_names): + super(AuthPluginOptionsMissing, self).__init__( + _("Authentication failed. Missing options: %s") % + ", ".join(opt_names)) + self.opt_names = opt_names + + +class AuthSystemNotFound(AuthorizationFailure): + """User has specified an AuthSystem that is not installed.""" + + def __init__(self, auth_system): + super(AuthSystemNotFound, self).__init__( + _("AuthSystemNotFound: %r") % auth_system) + self.auth_system = auth_system + + +class NoUniqueMatch(ClientException): + """Multiple entities found instead of one.""" + + pass + + +EndpointException = _exc.CatalogException +"""Something is rotten in Service Catalog. + +An alias of :py:exc:`keystoneauth1.exceptions.catalog.CatalogException` +""" + +EndpointNotFound = _exc.EndpointNotFound +"""Could not find requested endpoint in Service Catalog. + +An alias of :py:exc:`keystoneauth1.exceptions.catalog.EndpointNotFound` +""" + + +class AmbiguousEndpoints(EndpointException): + """Found more than one matching endpoint in Service Catalog.""" + + def __init__(self, endpoints=None): + super(AmbiguousEndpoints, self).__init__( + _("AmbiguousEndpoints: %r") % endpoints) + self.endpoints = endpoints + + +HttpError = _exc.HttpError +"""The base exception class for all HTTP exceptions. + +An alias of :py:exc:`keystoneauth1.exceptions.http.HttpError` +""" + +HTTPClientError = _exc.HTTPClientError +"""Client-side HTTP error. + +Exception for cases in which the client seems to have erred. +An alias of :py:exc:`keystoneauth1.exceptions.http.HTTPClientError` +""" + +HttpServerError = _exc.HttpServerError +"""Server-side HTTP error. + +Exception for cases in which the server is aware that it has +erred or is incapable of performing the request. +An alias of :py:exc:`keystoneauth1.exceptions.http.HttpServerError` +""" + + +class HTTPRedirection(HttpError): + """HTTP Redirection.""" + + message = _("HTTP Redirection") + + +class MultipleChoices(HTTPRedirection): + """HTTP 300 - Multiple Choices. + + Indicates multiple options for the resource that the client may follow. + """ + + http_status = 300 + message = _("Multiple Choices") + + +BadRequest = _exc.BadRequest +"""HTTP 400 - Bad Request. + +The request cannot be fulfilled due to bad syntax. +An alias of :py:exc:`keystoneauth1.exceptions.http.BadRequest` +""" + +Unauthorized = _exc.Unauthorized +"""HTTP 401 - Unauthorized. + +Similar to 403 Forbidden, but specifically for use when authentication +is required and has failed or has not yet been provided. +An alias of :py:exc:`keystoneauth1.exceptions.http.Unauthorized` +""" + +PaymentRequired = _exc.PaymentRequired +"""HTTP 402 - Payment Required. + +Reserved for future use. +An alias of :py:exc:`keystoneauth1.exceptions.http.PaymentRequired` +""" + +Forbidden = _exc.Forbidden +"""HTTP 403 - Forbidden. + +The request was a valid request, but the server is refusing to respond +to it. +An alias of :py:exc:`keystoneauth1.exceptions.http.Forbidden` +""" + +NotFound = _exc.NotFound +"""HTTP 404 - Not Found. + +The requested resource could not be found but may be available again +in the future. +An alias of :py:exc:`keystoneauth1.exceptions.http.NotFound` +""" + +MethodNotAllowed = _exc.MethodNotAllowed +"""HTTP 405 - Method Not Allowed. + +A request was made of a resource using a request method not supported +by that resource. +An alias of :py:exc:`keystoneauth1.exceptions.http.MethodNotAllowed` +""" + +NotAcceptable = _exc.NotAcceptable +"""HTTP 406 - Not Acceptable. + +The requested resource is only capable of generating content not +acceptable according to the Accept headers sent in the request. +An alias of :py:exc:`keystoneauth1.exceptions.http.NotAcceptable` +""" + +ProxyAuthenticationRequired = _exc.ProxyAuthenticationRequired +"""HTTP 407 - Proxy Authentication Required. + +The client must first authenticate itself with the proxy. +An alias of :py:exc:`keystoneauth1.exceptions.http.ProxyAuthenticationRequired` +""" + +RequestTimeout = _exc.RequestTimeout +"""HTTP 408 - Request Timeout. + +The server timed out waiting for the request. +An alias of :py:exc:`keystoneauth1.exceptions.http.RequestTimeout` +""" + +Conflict = _exc.Conflict +"""HTTP 409 - Conflict. + +Indicates that the request could not be processed because of conflict +in the request, such as an edit conflict. +An alias of :py:exc:`keystoneauth1.exceptions.http.Conflict` +""" + +Gone = _exc.Gone +"""HTTP 410 - Gone. + +Indicates that the resource requested is no longer available and will +not be available again. +An alias of :py:exc:`keystoneauth1.exceptions.http.Gone` +""" + +LengthRequired = _exc.LengthRequired +"""HTTP 411 - Length Required. + +The request did not specify the length of its content, which is +required by the requested resource. +An alias of :py:exc:`keystoneauth1.exceptions.http.LengthRequired` +""" + +PreconditionFailed = _exc.PreconditionFailed +"""HTTP 412 - Precondition Failed. + +The server does not meet one of the preconditions that the requester +put on the request. +An alias of :py:exc:`keystoneauth1.exceptions.http.PreconditionFailed` +""" + +RequestEntityTooLarge = _exc.RequestEntityTooLarge +"""HTTP 413 - Request Entity Too Large. + +The request is larger than the server is willing or able to process. +An alias of :py:exc:`keystoneauth1.exceptions.http.RequestEntityTooLarge` +""" + +RequestUriTooLong = _exc.RequestUriTooLong +"""HTTP 414 - Request-URI Too Long. + +The URI provided was too long for the server to process. +An alias of :py:exc:`keystoneauth1.exceptions.http.RequestUriTooLong` +""" + +UnsupportedMediaType = _exc.UnsupportedMediaType +"""HTTP 415 - Unsupported Media Type. + +The request entity has a media type which the server or resource does +not support. +An alias of :py:exc:`keystoneauth1.exceptions.http.UnsupportedMediaType` +""" + +RequestedRangeNotSatisfiable = _exc.RequestedRangeNotSatisfiable +"""HTTP 416 - Requested Range Not Satisfiable. + +The client has asked for a portion of the file, but the server cannot +supply that portion. +An alias of +:py:exc:`keystoneauth1.exceptions.http.RequestedRangeNotSatisfiable` +""" + +ExpectationFailed = _exc.ExpectationFailed +"""HTTP 417 - Expectation Failed. + +The server cannot meet the requirements of the Expect request-header field. +An alias of :py:exc:`keystoneauth1.exceptions.http.ExpectationFailed` +""" + +UnprocessableEntity = _exc.UnprocessableEntity +"""HTTP 422 - Unprocessable Entity. + +The request was well-formed but was unable to be followed due to semantic +errors. +An alias of :py:exc:`keystoneauth1.exceptions.http.UnprocessableEntity` +""" + +InternalServerError = _exc.InternalServerError +"""HTTP 500 - Internal Server Error. + +A generic error message, given when no more specific message is suitable. +An alias of :py:exc:`keystoneauth1.exceptions.http.InternalServerError` +""" + +HttpNotImplemented = _exc.HttpNotImplemented +"""HTTP 501 - Not Implemented. + +The server either does not recognize the request method, or it lacks +the ability to fulfill the request. +An alias of :py:exc:`keystoneauth1.exceptions.http.HttpNotImplemented` +""" + +BadGateway = _exc.BadGateway +"""HTTP 502 - Bad Gateway. + +The server was acting as a gateway or proxy and received an invalid +response from the upstream server. +An alias of :py:exc:`keystoneauth1.exceptions.http.BadGateway` +""" + +ServiceUnavailable = _exc.ServiceUnavailable +"""HTTP 503 - Service Unavailable. + +The server is currently unavailable. +An alias of :py:exc:`keystoneauth1.exceptions.http.ServiceUnavailable` +""" + +GatewayTimeout = _exc.GatewayTimeout +"""HTTP 504 - Gateway Timeout. + +The server was acting as a gateway or proxy and did not receive a timely +response from the upstream server. +An alias of :py:exc:`keystoneauth1.exceptions.http.GatewayTimeout` +""" + +HttpVersionNotSupported = _exc.HttpVersionNotSupported +"""HTTP 505 - HttpVersion Not Supported. + +The server does not support the HTTP protocol version used in the request. +An alias of :py:exc:`keystoneauth1.exceptions.http.HttpVersionNotSupported` +""" + +from_response = _exc.from_response +"""Return an instance of :class:`HttpError` or subclass based on response. + +An alias of :py:func:`keystoneauth1.exceptions.http.from_response` """ -#flake8: noqa -from keystoneclient.openstack.common.apiclient.exceptions import * # NOTE(akurilin): This alias should be left here to support backwards # compatibility until we are sure that usage of these exceptions in # projects is correct. -ConnectionError = ConnectionRefused HTTPNotImplemented = HttpNotImplemented Timeout = RequestTimeout HTTPError = HttpError class CertificateConfigError(Exception): - """Error reading the certificate""" + """Error reading the certificate.""" + def __init__(self, output): self.output = output - msg = 'Unable to load certificate.' + msg = _('Unable to load certificate.') super(CertificateConfigError, self).__init__(msg) class CMSError(Exception): - """Error reading the certificate""" + """Error reading the certificate.""" + def __init__(self, output): self.output = output - msg = 'Unable to sign or verify data.' + msg = _('Unable to sign or verify data.') super(CMSError, self).__init__(msg) -class EmptyCatalog(EndpointNotFound): - """The service catalog is empty.""" - pass - +EmptyCatalog = _exc.EmptyCatalog +"""The service catalog is empty. -class SSLError(ConnectionRefused): - """An SSL error occurred.""" +An alias of :py:exc:`keystoneauth1.exceptions.catalog.EmptyCatalog` +""" +DiscoveryFailure = _exc.DiscoveryFailure +"""Discovery of client versions failed. -class DiscoveryFailure(ClientException): - """Discovery of client versions failed.""" +An alias of :py:exc:`keystoneauth1.exceptions.discovery.DiscoveryFailure` +""" +VersionNotAvailable = _exc.VersionNotAvailable +"""Discovery failed as the version you requested is not available. -class VersionNotAvailable(DiscoveryFailure): - """Discovery failed as the version you requested is not available.""" +An alias of :py:exc:`keystoneauth1.exceptions.discovery.VersionNotAvailable` +""" class MethodNotImplemented(ClientException): """Method not implemented by the keystoneclient API.""" -class MissingAuthPlugin(ClientException): - """An authenticated request is required but no plugin available.""" +MissingAuthPlugin = _exc.MissingAuthPlugin +"""An authenticated request is required but no plugin available. + +An alias of :py:exc:`keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin` +""" + +NoMatchingPlugin = _exc.NoMatchingPlugin +"""There were no auth plugins that could be created from the parameters +provided. + +An alias of :py:exc:`keystoneauth1.exceptions.auth_plugins.NoMatchingPlugin` +""" + + +class UnsupportedParameters(ClientException): + """A parameter that was provided or returned is not supported. + + :param List(str) names: Names of the unsupported parameters. + + .. py:attribute:: names + + Names of the unsupported parameters. + """ + def __init__(self, names): + self.names = names -class NoMatchingPlugin(ClientException): - """There were no auth plugins that could be created from the parameters - provided.""" + m = _('The following parameters were given that are unsupported: %s') + super(UnsupportedParameters, self).__init__(m % ', '.join(self.names)) class InvalidResponse(ClientException): diff --git a/keystoneclient/fixture/__init__.py b/keystoneclient/fixture/__init__.py index faece1e46..92034a0da 100644 --- a/keystoneclient/fixture/__init__.py +++ b/keystoneclient/fixture/__init__.py @@ -11,25 +11,48 @@ # under the License. """ -The generators in this directory produce keystone compliant structures for use -in testing. +Produce keystone compliant structures for testing. +The generators in this directory produce keystone compliant structures for +use in testing. They should be considered part of the public API because they may be relied upon to generate test tokens for other clients. However they should never be imported into the main client (keystoneclient or other). Because of this there may be dependencies from this module on libraries that are only available in testing. + +.. warning:: + + The keystoneclient.fixture package is deprecated in favor of + keystoneauth1.fixture and will not be supported. + """ +# flake8: noqa: F405 + +import warnings + from keystoneclient.fixture.discovery import * # noqa -from keystoneclient.fixture.exception import FixtureValidationError # noqa -from keystoneclient.fixture.v2 import Token as V2Token # noqa -from keystoneclient.fixture.v3 import Token as V3Token # noqa +from keystoneclient.fixture import exception +from keystoneclient.fixture import v2 +from keystoneclient.fixture import v3 + + +warnings.warn( + "The keystoneclient.fixture package is deprecated in favor of " + "keystoneauth1.fixture and will not be supported.", DeprecationWarning) + + +FixtureValidationError = exception.FixtureValidationError +V2Token = v2.Token +V3Token = v3.Token +V3FederationToken = v3.V3FederationToken -__all__ = ['DiscoveryList', +__all__ = ('DiscoveryList', 'FixtureValidationError', 'V2Discovery', 'V3Discovery', 'V2Token', 'V3Token', - ] + 'V3FederationToken', + ) diff --git a/keystoneclient/fixture/discovery.py b/keystoneclient/fixture/discovery.py index 0a7f625cb..e664d2833 100644 --- a/keystoneclient/fixture/discovery.py +++ b/keystoneclient/fixture/discovery.py @@ -10,258 +10,29 @@ # License for the specific language governing permissions and limitations # under the License. -import datetime +from keystoneauth1.fixture import discovery -from keystoneclient.openstack.common import timeutils -from keystoneclient import utils -__all__ = ['DiscoveryList', +__all__ = ('DiscoveryList', 'V2Discovery', 'V3Discovery', - ] + ) -_DEFAULT_DAYS_AGO = 30 +V2Discovery = discovery.V2Discovery +"""A Version element for a V2 identity service endpoint. -class DiscoveryBase(dict): - """The basic version discovery structure. +An alias of :py:exc:`keystoneauth1.fixture.discovery.V2Discovery` +""" - All version discovery elements should have access to these values. - """ +V3Discovery = discovery.V3Discovery +"""A Version element for a V3 identity service endpoint. - @utils.positional() - def __init__(self, id, status=None, updated=None): - """Create a new structure. +An alias of :py:exc:`keystoneauth1.fixture.discovery.V3Discovery` +""" - :param string id: The version id for this version entry. - :param string status: The status of this entry. - :param DateTime updated: When the API was last updated. - """ - super(DiscoveryBase, self).__init__() +DiscoveryList = discovery.DiscoveryList +"""A List of version elements. - self.id = id - self.status = status or 'stable' - self.updated = updated or (timeutils.utcnow() - - datetime.timedelta(days=_DEFAULT_DAYS_AGO)) - - @property - def id(self): - return self.get('id') - - @id.setter - def id(self, value): - self['id'] = value - - @property - def status(self): - return self.get('status') - - @status.setter - def status(self, value): - self['status'] = value - - @property - def links(self): - return self.setdefault('links', []) - - @property - def updated_str(self): - return self.get('updated') - - @updated_str.setter - def updated_str(self, value): - self['updated'] = value - - @property - def updated(self): - return timeutils.parse_isotime(self.updated_str) - - @updated.setter - def updated(self, value): - self.updated_str = timeutils.isotime(value) - - @utils.positional() - def add_link(self, href, rel='self', type=None): - link = {'href': href, 'rel': rel} - if type: - link['type'] = type - self.links.append(link) - return link - - @property - def media_types(self): - return self.setdefault('media-types', []) - - @utils.positional(1) - def add_media_type(self, base, type): - mt = {'base': base, 'type': type} - self.media_types.append(mt) - return mt - - -class V2Discovery(DiscoveryBase): - """A Version element for a V2 identity service endpoint. - - Provides some default values and helper methods for creating a v2.0 - endpoint version structure. Clients should use this instead of creating - their own structures. - """ - - _DESC_URL = 'http://docs.openstack.org/api/openstack-identity-service/2.0/' - - @utils.positional() - def __init__(self, href, id=None, html=True, pdf=True, **kwargs): - """Create a new structure. - - :param string href: The url that this entry should point to. - :param string id: The version id that should be reported. (optional) - Defaults to 'v2.0'. - :param bool html: Add HTML describedby links to the structure. - :param bool pdf: Add PDF describedby links to the structure. - """ - super(V2Discovery, self).__init__(id or 'v2.0', **kwargs) - - self.add_link(href) - - if html: - self.add_html_description() - if pdf: - self.add_pdf_description() - - def add_html_description(self): - """Add the HTML described by links. - - The standard structure includes a link to a HTML document with the - API specification. Add it to this entry. - """ - self.add_link(href=self._DESC_URL + 'content', - rel='describedby', - type='text/html') - - def add_pdf_description(self): - """Add the PDF described by links. - - The standard structure includes a link to a PDF document with the - API specification. Add it to this entry. - """ - self.add_link(href=self._DESC_URL + 'identity-dev-guide-2.0.pdf', - rel='describedby', - type='application/pdf') - - -class V3Discovery(DiscoveryBase): - """A Version element for a V3 identity service endpoint. - - Provides some default values and helper methods for creating a v3 - endpoint version structure. Clients should use this instead of creating - there own structures. - """ - - @utils.positional() - def __init__(self, href, id=None, json=True, xml=True, **kwargs): - """Create a new structure. - - :param href: The url that this entry should point to. - :param string id: The version id that should be reported. (optional) - Defaults to 'v3.0'. - :param bool json: Add JSON media-type elements to the structure. - :param bool xml: Add XML media-type elements to the structure. - """ - super(V3Discovery, self).__init__(id or 'v3.0', **kwargs) - - self.add_link(href) - - if json: - self.add_json_media_type() - if xml: - self.add_xml_media_type() - - def add_json_media_type(self): - """Add the JSON media-type links. - - The standard structure includes a list of media-types that the endpoint - supports. Add JSON to the list. - """ - self.add_media_type(base='application/json', - type='application/vnd.openstack.identity-v3+json') - - def add_xml_media_type(self): - """Add the XML media-type links. - - The standard structure includes a list of media-types that the endpoint - supports. Add XML to the list. - """ - self.add_media_type(base='application/xml', - type='application/vnd.openstack.identity-v3+xml') - - -class DiscoveryList(dict): - """A List of version elements. - - Creates a correctly structured list of identity service endpoints for - use in testing with discovery. - """ - - TEST_URL = 'http://keystone.host:5000/' - - @utils.positional(2) - def __init__(self, href=None, v2=True, v3=True, v2_id=None, v3_id=None, - v2_status=None, v2_updated=None, v2_html=True, v2_pdf=True, - v3_status=None, v3_updated=None, v3_json=True, v3_xml=True): - """Create a new structure. - - :param string href: The url that this should be based at. - :param bool v2: Add a v2 element. - :param bool v3: Add a v3 element. - :param string v2_status: The status to use for the v2 element. - :param DateTime v2_updated: The update time to use for the v2 element. - :param bool v2_html: True to add a html link to the v2 element. - :param bool v2_pdf: True to add a pdf link to the v2 element. - :param string v3_status: The status to use for the v3 element. - :param DateTime v3_updated: The update time to use for the v3 element. - :param bool v3_json: True to add a html link to the v2 element. - :param bool v3_xml: True to add a pdf link to the v2 element. - """ - - super(DiscoveryList, self).__init__(versions={'values': []}) - - href = href or self.TEST_URL - - if v2: - v2_href = href.rstrip('/') + '/v2.0' - self.add_v2(v2_href, id=v2_id, status=v2_status, - updated=v2_updated, html=v2_html, pdf=v2_pdf) - - if v3: - v3_href = href.rstrip('/') + '/v3' - self.add_v3(v3_href, id=v3_id, status=v3_status, - updated=v3_updated, json=v3_json, xml=v3_xml) - - @property - def versions(self): - return self['versions']['values'] - - def add_version(self, version): - """Add a new version structure to the list. - - :param dict version: A new version structure to add to the list. - """ - self.versions.append(version) - - def add_v2(self, href, **kwargs): - """Add a v2 version to the list. - - The parameters are the same as V2Discovery. - """ - obj = V2Discovery(href, **kwargs) - self.add_version(obj) - return obj - - def add_v3(self, href, **kwargs): - """Add a v3 version to the list. - - The parameters are the same as V3Discovery. - """ - obj = V3Discovery(href, **kwargs) - self.add_version(obj) - return obj +An alias of :py:exc:`keystoneauth1.fixture.discovery.DiscoveryList` +""" diff --git a/keystoneclient/fixture/exception.py b/keystoneclient/fixture/exception.py index 416a3cf45..99e487633 100644 --- a/keystoneclient/fixture/exception.py +++ b/keystoneclient/fixture/exception.py @@ -10,11 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. +from keystoneauth1.fixture import exception -class FixtureValidationError(Exception): - """The token you created is not legitimate. - The data contained in the token that was generated is not valid and would - not have been returned from a keystone server. You should not do testing - with this token. - """ +FixtureValidationError = exception.FixtureValidationError +"""The token you created is not legitimate. + +An alias of :py:exc:`keystoneauth1.fixture.exception.FixtureValidationError`` +""" diff --git a/keystoneclient/fixture/v2.py b/keystoneclient/fixture/v2.py index 467ad4c21..9fbf4e005 100644 --- a/keystoneclient/fixture/v2.py +++ b/keystoneclient/fixture/v2.py @@ -10,205 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. -import datetime -import uuid +from keystoneauth1.fixture import v2 -from keystoneclient.fixture import exception -from keystoneclient.openstack.common import timeutils +Token = v2.Token +"""A V2 Keystone token that can be used for testing. -class _Service(dict): - - def add_endpoint(self, public, admin=None, internal=None, - tenant_id=None, region=None): - data = {'tenantId': tenant_id or uuid.uuid4().hex, - 'publicURL': public, - 'adminURL': admin or public, - 'internalURL': internal or public, - 'region': region} - - self.setdefault('endpoints', []).append(data) - return data - - -class Token(dict): - """A V2 Keystone token that can be used for testing. - - This object is designed to allow clients to generate a correct V2 token for - use in there test code. It should prevent clients from having to know the - correct token format and allow them to test the portions of token handling - that matter to them and not copy and paste sample. - """ - - def __init__(self, token_id=None, expires=None, issued=None, - tenant_id=None, tenant_name=None, user_id=None, - user_name=None, trust_id=None, trustee_user_id=None): - super(Token, self).__init__() - - self.token_id = token_id or uuid.uuid4().hex - self.user_id = user_id or uuid.uuid4().hex - self.user_name = user_name or uuid.uuid4().hex - - if not issued: - issued = timeutils.utcnow() - datetime.timedelta(minutes=2) - if not expires: - expires = issued + datetime.timedelta(hours=1) - - try: - self.issued = issued - except (TypeError, AttributeError): - # issued should be able to be passed as a string so ignore - self.issued_str = issued - - try: - self.expires = expires - except (TypeError, AttributeError): - # expires should be able to be passed as a string so ignore - self.expires_str = expires - - if tenant_id or tenant_name: - self.set_scope(tenant_id, tenant_name) - - if trust_id or trustee_user_id: - # the trustee_user_id will generally be the same as the user_id as - # the token is being issued to the trustee - self.set_trust(id=trust_id, - trustee_user_id=trustee_user_id or user_id) - - @property - def root(self): - return self.setdefault('access', {}) - - @property - def _token(self): - return self.root.setdefault('token', {}) - - @property - def token_id(self): - return self._token['id'] - - @token_id.setter - def token_id(self, value): - self._token['id'] = value - - @property - def expires_str(self): - return self._token['expires'] - - @expires_str.setter - def expires_str(self, value): - self._token['expires'] = value - - @property - def expires(self): - return timeutils.parse_isotime(self.expires_str) - - @expires.setter - def expires(self, value): - self.expires_str = timeutils.isotime(value) - - @property - def issued_str(self): - return self._token['issued_at'] - - @issued_str.setter - def issued_str(self, value): - self._token['issued_at'] = value - - @property - def issued(self): - return timeutils.parse_isotime(self.issued_str) - - @issued.setter - def issued(self, value): - self.issued_str = timeutils.isotime(value) - - @property - def _user(self): - return self.root.setdefault('user', {}) - - @property - def user_id(self): - return self._user['id'] - - @user_id.setter - def user_id(self, value): - self._user['id'] = value - - @property - def user_name(self): - return self._user['name'] - - @user_name.setter - def user_name(self, value): - self._user['name'] = value - - @property - def tenant_id(self): - return self._token.get('tenant', {}).get('id') - - @tenant_id.setter - def tenant_id(self, value): - self._token.setdefault('tenant', {})['id'] = value - - @property - def tenant_name(self): - return self._token.get('tenant', {}).get('name') - - @tenant_name.setter - def tenant_name(self, value): - self._token.setdefault('tenant', {})['name'] = value - - @property - def _metadata(self): - return self.root.setdefault('metadata', {}) - - @property - def trust_id(self): - return self.root.setdefault('trust', {})['id'] - - @trust_id.setter - def trust_id(self, value): - self.root.setdefault('trust', {})['id'] = value - - @property - def trustee_user_id(self): - return self.root.setdefault('trust', {}).get('trustee_user_id') - - @trustee_user_id.setter - def trustee_user_id(self, value): - self.root.setdefault('trust', {})['trustee_user_id'] = value - - def validate(self): - scoped = 'tenant' in self.token - catalog = self.root.get('serviceCatalog') - - if catalog and not scoped: - msg = 'You cannot have a service catalog on an unscoped token' - raise exception.FixtureValidationError(msg) - - if scoped and not self.user.get('roles'): - msg = 'You must have roles on a token to scope it' - raise exception.FixtureValidationError(msg) - - def add_role(self, name=None, id=None): - id = id or uuid.uuid4().hex - name = name or uuid.uuid4().hex - roles = self._user.setdefault('roles', []) - roles.append({'name': name}) - self._metadata.setdefault('roles', []).append(id) - return {'id': id, 'name': name} - - def add_service(self, type, name=None): - name = name or uuid.uuid4().hex - service = _Service(name=name, type=type) - self.root.setdefault('serviceCatalog', []).append(service) - return service - - def set_scope(self, id=None, name=None): - self.tenant_id = id or uuid.uuid4().hex - self.tenant_name = name or uuid.uuid4().hex - - def set_trust(self, id=None, trustee_user_id=None): - self.trust_id = id or uuid.uuid4().hex - self.trustee_user_id = trustee_user_id or uuid.uuid4().hex +An alias of :py:exc:`keystoneauth1.fixture.v2.Token` +""" diff --git a/keystoneclient/fixture/v3.py b/keystoneclient/fixture/v3.py index 18286e3bc..596f3e2b5 100644 --- a/keystoneclient/fixture/v3.py +++ b/keystoneclient/fixture/v3.py @@ -10,345 +10,17 @@ # License for the specific language governing permissions and limitations # under the License. -import datetime -import uuid +from keystoneauth1.fixture import v3 -from keystoneclient.fixture import exception -from keystoneclient.openstack.common import timeutils +Token = v3.Token +"""A V3 Keystone token that can be used for testing. -class _Service(dict): - """One of the services that exist in the catalog. +An alias of :py:exc:`keystoneauth1.fixture.v3.Token` +""" - You use this by adding a service to a token which returns an instance of - this object and then you can add_endpoints to the service. - """ +V3FederationToken = v3.V3FederationToken +"""A V3 Keystone Federation token that can be used for testing. - def add_endpoint(self, interface, url, region=None): - data = {'interface': interface, - 'url': url, - 'region': region} - self.setdefault('endpoints', []).append(data) - return data - - def add_standard_endpoints(self, public=None, admin=None, internal=None, - region=None): - ret = [] - - if public: - ret.append(self.add_endpoint('public', public, region=region)) - if admin: - ret.append(self.add_endpoint('admin', admin, region=region)) - if internal: - ret.append(self.add_endpoint('internal', internal, region=region)) - - return ret - - -class Token(dict): - """A V3 Keystone token that can be used for testing. - - This object is designed to allow clients to generate a correct V3 token for - use in there test code. It should prevent clients from having to know the - correct token format and allow them to test the portions of token handling - that matter to them and not copy and paste sample. - """ - - def __init__(self, expires=None, issued=None, user_id=None, user_name=None, - user_domain_id=None, user_domain_name=None, methods=None, - project_id=None, project_name=None, project_domain_id=None, - project_domain_name=None, domain_id=None, domain_name=None, - trust_id=None, trust_impersonation=None, trustee_user_id=None, - trustor_user_id=None, oauth_access_token_id=None, - oauth_consumer_id=None): - super(Token, self).__init__() - - self.user_id = user_id or uuid.uuid4().hex - self.user_name = user_name or uuid.uuid4().hex - self.user_domain_id = user_domain_id or uuid.uuid4().hex - self.user_domain_name = user_domain_name or uuid.uuid4().hex - - if not methods: - methods = ['password'] - self.methods.extend(methods) - - if not issued: - issued = timeutils.utcnow() - datetime.timedelta(minutes=2) - - try: - self.issued = issued - except (TypeError, AttributeError): - # issued should be able to be passed as a string so ignore - self.issued_str = issued - - if not expires: - expires = self.issued + datetime.timedelta(hours=1) - - try: - self.expires = expires - except (TypeError, AttributeError): - # expires should be able to be passed as a string so ignore - self.expires_str = expires - - if (project_id or project_name or - project_domain_id or project_domain_name): - self.set_project_scope(id=project_id, - name=project_name, - domain_id=project_domain_id, - domain_name=project_domain_name) - - if domain_id or domain_name: - self.set_domain_scope(id=domain_id, name=domain_name) - - if (trust_id or (trust_impersonation is not None) or - trustee_user_id or trustor_user_id): - self.set_trust_scope(id=trust_id, - impersonation=trust_impersonation, - trustee_user_id=trustee_user_id, - trustor_user_id=trustor_user_id) - - if oauth_access_token_id or oauth_consumer_id: - self.set_oauth(access_token_id=oauth_access_token_id, - consumer_id=oauth_consumer_id) - - @property - def root(self): - return self.setdefault('token', {}) - - @property - def expires_str(self): - return self.root.get('expires_at') - - @expires_str.setter - def expires_str(self, value): - self.root['expires_at'] = value - - @property - def expires(self): - return timeutils.parse_isotime(self.expires_str) - - @expires.setter - def expires(self, value): - self.expires_str = timeutils.isotime(value, subsecond=True) - - @property - def issued_str(self): - return self.root.get('issued_at') - - @issued_str.setter - def issued_str(self, value): - self.root['issued_at'] = value - - @property - def issued(self): - return timeutils.parse_isotime(self.issued_str) - - @issued.setter - def issued(self, value): - self.issued_str = timeutils.isotime(value, subsecond=True) - - @property - def _user(self): - return self.root.setdefault('user', {}) - - @property - def user_id(self): - return self._user.get('id') - - @user_id.setter - def user_id(self, value): - self._user['id'] = value - - @property - def user_name(self): - return self._user.get('name') - - @user_name.setter - def user_name(self, value): - self._user['name'] = value - - @property - def _user_domain(self): - return self._user.setdefault('domain', {}) - - @property - def user_domain_id(self): - return self._user_domain.get('id') - - @user_domain_id.setter - def user_domain_id(self, value): - self._user_domain['id'] = value - - @property - def user_domain_name(self): - return self._user_domain.get('name') - - @user_domain_name.setter - def user_domain_name(self, value): - self._user_domain['name'] = value - - @property - def methods(self): - return self.root.setdefault('methods', []) - - @property - def project_id(self): - return self.root.get('project', {}).get('id') - - @project_id.setter - def project_id(self, value): - self.root.setdefault('project', {})['id'] = value - - @property - def project_name(self): - return self.root.get('project', {}).get('name') - - @project_name.setter - def project_name(self, value): - self.root.setdefault('project', {})['name'] = value - - @property - def project_domain_id(self): - return self.root.get('project', {}).get('domain', {}).get('id') - - @project_domain_id.setter - def project_domain_id(self, value): - project = self.root.setdefault('project', {}) - project.setdefault('domain', {})['id'] = value - - @property - def project_domain_name(self): - return self.root.get('project', {}).get('domain', {}).get('name') - - @project_domain_name.setter - def project_domain_name(self, value): - project = self.root.setdefault('project', {}) - project.setdefault('domain', {})['name'] = value - - @property - def domain_id(self): - return self.root.get('domain', {}).get('id') - - @domain_id.setter - def domain_id(self, value): - self.root.setdefault('domain', {})['id'] = value - - @property - def domain_name(self): - return self.root.get('domain', {}).get('name') - - @domain_name.setter - def domain_name(self, value): - self.root.setdefault('domain', {})['name'] = value - - @property - def trust_id(self): - return self.root.get('OS-TRUST:trust', {}).get('id') - - @trust_id.setter - def trust_id(self, value): - self.root.setdefault('OS-TRUST:trust', {})['id'] = value - - @property - def trust_impersonation(self): - return self.root.get('OS-TRUST:trust', {}).get('impersonation') - - @trust_impersonation.setter - def trust_impersonation(self, value): - self.root.setdefault('OS-TRUST:trust', {})['impersonation'] = value - - @property - def trustee_user_id(self): - trust = self.root.get('OS-TRUST:trust', {}) - return trust.get('trustee_user', {}).get('id') - - @trustee_user_id.setter - def trustee_user_id(self, value): - trust = self.root.setdefault('OS-TRUST:trust', {}) - trust.setdefault('trustee_user', {})['id'] = value - - @property - def trustor_user_id(self): - trust = self.root.get('OS-TRUST:trust', {}) - return trust.get('trustor_user', {}).get('id') - - @trustor_user_id.setter - def trustor_user_id(self, value): - trust = self.root.setdefault('OS-TRUST:trust', {}) - trust.setdefault('trustor_user', {})['id'] = value - - @property - def oauth_access_token_id(self): - return self.root.get('OS-OAUTH1', {}).get('access_token_id') - - @oauth_access_token_id.setter - def oauth_access_token_id(self, value): - self.root.setdefault('OS-OAUTH1', {})['access_token_id'] = value - - @property - def oauth_consumer_id(self): - return self.root.get('OS-OAUTH1', {}).get('consumer_id') - - @oauth_consumer_id.setter - def oauth_consumer_id(self, value): - self.root.setdefault('OS-OAUTH1', {})['consumer_id'] = value - - def validate(self): - project = self.root.get('project') - domain = self.root.get('domain') - trust = self.root.get('OS-TRUST:trust') - catalog = self.root.get('catalog') - roles = self.root.get('roles') - scoped = project or domain or trust - - if sum((bool(project), bool(domain), bool(trust))) > 1: - msg = 'You cannot scope to multiple targets' - raise exception.FixtureValidationError(msg) - - if catalog and not scoped: - msg = 'You cannot have a service catalog on an unscoped token' - raise exception.FixtureValidationError(msg) - - if scoped and not self.user.get('roles'): - msg = 'You must have roles on a token to scope it' - raise exception.FixtureValidationError(msg) - - if bool(scoped) != bool(roles): - msg = 'You must be scoped to have roles and vice-versa' - raise exception.FixtureValidationError(msg) - - def add_role(self, name=None, id=None): - roles = self.root.setdefault('roles', []) - data = {'id': id or uuid.uuid4().hex, - 'name': name or uuid.uuid4().hex} - roles.append(data) - return data - - def add_service(self, type, name=None): - service = _Service(type=type) - if name: - service['name'] = name - self.root.setdefault('catalog', []).append(service) - return service - - def set_project_scope(self, id=None, name=None, domain_id=None, - domain_name=None): - self.project_id = id or uuid.uuid4().hex - self.project_name = name or uuid.uuid4().hex - self.project_domain_id = domain_id or uuid.uuid4().hex - self.project_domain_name = domain_name or uuid.uuid4().hex - - def set_domain_scope(self, id=None, name=None): - self.domain_id = id or uuid.uuid4().hex - self.domain_name = name or uuid.uuid4().hex - - def set_trust_scope(self, id=None, impersonation=False, - trustee_user_id=None, trustor_user_id=None): - self.trust_id = id or uuid.uuid4().hex - self.trust_impersonation = impersonation - self.trustee_user_id = trustee_user_id or uuid.uuid4().hex - self.trustor_user_id = trustor_user_id or uuid.uuid4().hex - - def set_oauth(self, access_token_id=None, consumer_id=None): - self.oauth_access_token_id = access_token_id or uuid.uuid4().hex - self.oauth_consumer_id = consumer_id or uuid.uuid4().hex +An alias of :py:exc:`keystoneauth1.fixture.v3.V3FederationToken` +""" diff --git a/keystoneclient/generic/__init__.py b/keystoneclient/generic/__init__.py index ed59d727c..745692105 100644 --- a/keystoneclient/generic/__init__.py +++ b/keystoneclient/generic/__init__.py @@ -1,4 +1,4 @@ -__all__ = [ +__all__ = ( 'client', -] +) diff --git a/keystoneclient/generic/client.py b/keystoneclient/generic/client.py index 3c81268f5..7c82c195f 100644 --- a/keystoneclient/generic/client.py +++ b/keystoneclient/generic/client.py @@ -14,16 +14,23 @@ # under the License. import logging +import urllib.parse as urlparse -from six.moves.urllib import parse as urlparse +from debtcollector import removals from keystoneclient import exceptions from keystoneclient import httpclient +from keystoneclient.i18n import _ _logger = logging.getLogger(__name__) +# NOTE(jamielennox): To be removed after Pike. +@removals.removed_class('keystoneclient.generic.client.Client', + message='Use keystoneauth discovery', + version='3.9.0', + removal_version='4.0.0') class Client(httpclient.HTTPClient): """Client for the OpenStack Keystone pre-version calls API. @@ -74,18 +81,18 @@ def discover(self, url=None): return self._local_keystone_exists() def _local_keystone_exists(self): - """Checks if Keystone is available on default local port 35357.""" + """Check if Keystone is available on default local port 35357.""" results = self._check_keystone_versions("http://localhost:35357") if results is None: results = self._check_keystone_versions("https://localhost:35357") return results def _check_keystone_versions(self, url): - """Calls Keystone URL and detects the available API versions.""" + """Call Keystone URL and detects the available API versions.""" try: - resp, body = self.request(url, "GET", - headers={'Accept': - 'application/json'}) + resp, body = self._request(url, "GET", + headers={'Accept': + 'application/json'}) # Multiple Choices status code is returned by the root # identity endpoint, with references to one or more # Identity API versions -- v3 spec @@ -94,7 +101,7 @@ def _check_keystone_versions(self, url): try: results = {} if 'version' in body: - results['message'] = "Keystone found at %s" % url + results['message'] = _("Keystone found at %s") % url version = body['version'] # Stable/diablo incorrect format id, status, version_url = ( @@ -105,7 +112,7 @@ def _check_keystone_versions(self, url): return results elif 'versions' in body: # Correct format - results['message'] = "Keystone found at %s" % url + results['message'] = _("Keystone found at %s") % url for version in body['versions']['values']: id, status, version_url = ( self._get_version_info(version, url)) @@ -114,8 +121,8 @@ def _check_keystone_versions(self, url): "url": version_url} return results else: - results['message'] = ("Unrecognized response from %s" - % url) + results['message'] = ( + _("Unrecognized response from %s") % url) return results except KeyError: raise exceptions.AuthorizationFailure() @@ -123,8 +130,8 @@ def _check_keystone_versions(self, url): return self._check_keystone_versions(resp['location']) else: raise exceptions.from_response(resp, "GET", url) - except Exception as e: - _logger.exception(e) + except Exception: + _logger.exception('Failed to detect available versions.') def discover_extensions(self, url=None): """Discover Keystone extensions supported. @@ -143,13 +150,13 @@ def discover_extensions(self, url=None): return self._check_keystone_extensions(url) def _check_keystone_extensions(self, url): - """Calls Keystone URL and detects the available extensions.""" + """Call Keystone URL and detects the available extensions.""" try: if not url.endswith("/"): url += '/' - resp, body = self.request("%sextensions" % url, "GET", - headers={'Accept': - 'application/json'}) + resp, body = self._request("%sextensions" % url, "GET", + headers={'Accept': + 'application/json'}) if resp.status_code in (200, 204): # some cases we get No Content if 'extensions' in body and 'values' in body['extensions']: # Parse correct format (per contract) @@ -159,7 +166,7 @@ def _check_keystone_extensions(self, url): extensions = body['extensions'] else: return dict(message=( - 'Unrecognized extensions response from %s' % url)) + _('Unrecognized extensions response from %s') % url)) return dict(self._get_extension_info(e) for e in extensions) elif resp.status_code == 305: @@ -167,12 +174,12 @@ def _check_keystone_extensions(self, url): else: raise exceptions.from_response( resp, "GET", "%sextensions" % url) - except Exception as e: - _logger.exception(e) + except Exception: + _logger.exception('Failed to check keystone extensions.') @staticmethod def _get_version_info(version, root_url): - """Parses version information. + """Parse version information. :param version: a dict of a Keystone version response :param root_url: string url used to construct @@ -191,7 +198,7 @@ def _get_version_info(version, root_url): @staticmethod def _get_extension_info(extension): - """Parses extension information. + """Parse extension information. :param extension: a dict of a Keystone extension response :returns: tuple - (alias, name) diff --git a/keystoneclient/generic/shell.py b/keystoneclient/generic/shell.py deleted file mode 100644 index 4f9bd33b4..000000000 --- a/keystoneclient/generic/shell.py +++ /dev/null @@ -1,49 +0,0 @@ -# Copyright 2010 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import six - -from keystoneclient.generic import client -from keystoneclient import utils - - -CLIENT_CLASS = client.Client - - -@utils.unauthenticated -def do_discover(cs, args): - """Discover Keystone servers, supported API versions and extensions. - """ - if cs.endpoint: - versions = cs.discover(cs.endpoint) - elif cs.auth_url: - versions = cs.discover(cs.auth_url) - else: - versions = cs.discover() - if versions: - if 'message' in versions: - print(versions['message']) - for key, version in six.iteritems(versions): - if key != 'message': - print(" - supports version %s (%s) here %s" % - (version['id'], version['status'], version['url'])) - extensions = cs.discover_extensions(version['url']) - if extensions: - for key, extension in six.iteritems(extensions): - if key != 'message': - print(" - and %s: %s" % - (key, extension)) - else: - print("No Keystone-compatible endpoint found") diff --git a/keystoneclient/httpclient.py b/keystoneclient/httpclient.py index d9fe955d6..8c38d1596 100644 --- a/keystoneclient/httpclient.py +++ b/keystoneclient/httpclient.py @@ -15,128 +15,243 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. -""" -OpenStack Client interface. Handles the REST calls and responses. -""" +"""OpenStack Client interface. Handles the REST calls and responses.""" +import importlib.metadata import logging -import pkg_resources +import warnings -from six.moves.urllib import parse as urlparse +from debtcollector import removals +from debtcollector import renames +from keystoneauth1 import adapter +from oslo_serialization import jsonutils +import packaging.version +import requests try: - import pickle + import pickle # nosec(cjschaef): see bug 1534288 for details # NOTE(sdague): The conditional keyring import needs to only # trigger if it's a version of keyring that's supported in global # requirements. Update _min and _bad when that changes. - keyring_v = pkg_resources.parse_version( - pkg_resources.get_distribution("keyring").version) - keyring_min = pkg_resources.parse_version('2.1') - keyring_bad = (pkg_resources.parse_version('3.3'),) + keyring_v = packaging.version.Version( + importlib.metadata.version('keyring') + ) + keyring_min = packaging.version.Version('5.5.1') + # This is a list of versions, e.g., pkg_resources.parse_version('3.3') + keyring_bad = [] if keyring_v >= keyring_min and keyring_v not in keyring_bad: import keyring else: keyring = None -except (ImportError, pkg_resources.DistributionNotFound): +except (ImportError, importlib.metadata.PackageNotFoundError): keyring = None pickle = None -# Python 2.5 compat fix -if not hasattr(urlparse, 'parse_qsl'): - import cgi - urlparse.parse_qsl = cgi.parse_qsl - +from keystoneclient import _discover from keystoneclient import access from keystoneclient.auth import base from keystoneclient import baseclient from keystoneclient import exceptions -from keystoneclient.openstack.common import jsonutils +from keystoneclient.i18n import _ from keystoneclient import session as client_session -from keystoneclient import utils _logger = logging.getLogger(__name__) -# These variables are moved and using them via httpclient is deprecated. -# Maintain here for compatibility. USER_AGENT = client_session.USER_AGENT -request = client_session.request +"""Default user agent string. + +This property is deprecated as of the 1.7.0 release in favor of +:data:`keystoneclient.session.USER_AGENT` and may be removed in the 2.0.0 +release. +""" + + +@removals.remove(message='Use keystoneclient.session.request instead.', + version='1.7.0', removal_version='2.0.0') +def request(*args, **kwargs): + """Make a request. + + This function is deprecated as of the 1.7.0 release in favor of + :func:`keystoneclient.session.request` and may be removed in the + 2.0.0 release. + """ + return client_session.request(*args, **kwargs) + + +class _FakeRequestSession(object): + """This object is a temporary hack that should be removed later. + + Keystoneclient has a cyclical dependency with its managers which is + preventing it from being cleaned up correctly. This is always bad but when + we switched to doing connection pooling this object wasn't getting cleaned + either and so we had left over TCP connections hanging around. + + Until we can fix the client cleanup we rollback the use of a requests + session and do individual connections like we used to. + """ + + def request(self, *args, **kwargs): + return requests.request(*args, **kwargs) + + +class _KeystoneAdapter(adapter.LegacyJsonAdapter): + """A wrapper layer to interface keystoneclient with a session. + + An adapter provides a generic interface between a client and the session to + provide client specific defaults. This object is passed to the managers. + Keystoneclient managers have some additional requirements of variables that + they expect to be present on the passed object. + + Subclass the existing adapter to provide those values that keystoneclient + managers expect. + """ + + @property + def user_id(self): + """Best effort to retrieve the user_id from the plugin. + + Some managers rely on being able to get the currently authenticated + user id. This is a problem when we are trying to abstract away the + details of an auth plugin. + + For example changing a user's password can require access to the + currently authenticated user_id. + + Perform a best attempt to fetch this data. It will work in the legacy + case and with identity plugins and be None otherwise which is the same + as the historical behavior. + """ + # the identity plugin case + try: + return self.session.auth.get_access(self.session).user_id + except AttributeError: # nosec(cjschaef): attempt legacy retrival, or + # return None + pass + + # there is a case that we explicitly allow (tested by our unit tests) + # that says you should be able to set the user_id on a legacy client + # and it should overwrite the one retrieved via authentication. If it's + # a legacy then self.session.auth is a client and we retrieve user_id. + try: + return self.session.auth.user_id + except AttributeError: # nosec(cjschaef): retrivals failed, return + # None + pass + + return None class HTTPClient(baseclient.Client, base.BaseAuthPlugin): + """HTTP client. + + .. warning:: + + Creating an instance of this class without using the session argument + is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 + release. + + :param string user_id: User ID for authentication. (optional) + :param string username: Username for authentication. (optional) + :param string user_domain_id: User's domain ID for authentication. + (optional) + :param string user_domain_name: User's domain name for authentication. + (optional) + :param string password: Password for authentication. (optional) + :param string domain_id: Domain ID for domain scoping. (optional) + :param string domain_name: Domain name for domain scoping. (optional) + :param string project_id: Project ID for project scoping. (optional) + :param string project_name: Project name for project scoping. (optional) + :param string project_domain_id: Project's domain ID for project scoping. + (optional) + :param string project_domain_name: Project's domain name for project + scoping. (optional) + :param string auth_url: Identity service endpoint for authorization. + :param string region_name: Name of a region to select when choosing an + endpoint from the service catalog. + :param integer timeout: This argument is deprecated as of the 1.7.0 release + in favor of session and may be removed in the 2.0.0 + release. (optional) + :param string endpoint: A user-supplied endpoint URL for the identity + service. Lazy-authentication is possible for API + service calls if endpoint is set at instantiation. + (optional) + :param string token: Token for authentication. (optional) + :param string cacert: This argument is deprecated as of the 1.7.0 release + in favor of session and may be removed in the 2.0.0 + release. (optional) + :param string key: This argument is deprecated as of the 1.7.0 release + in favor of session and may be removed in the 2.0.0 + release. (optional) + :param string cert: This argument is deprecated as of the 1.7.0 release + in favor of session and may be removed in the 2.0.0 + release. (optional) + :param boolean insecure: This argument is deprecated as of the 1.7.0 + release in favor of session and may be removed in + the 2.0.0 release. (optional) + :param string original_ip: This argument is deprecated as of the 1.7.0 + release in favor of session and may be removed + in the 2.0.0 release. (optional) + :param dict auth_ref: To allow for consumers of the client to manage their + own caching strategy, you may initialize a client + with a previously captured auth_reference (token). If + there are keyword arguments passed that also exist in + auth_ref, the value from the argument will take + precedence. + :param boolean use_keyring: Enables caching auth_ref into keyring. + default: False (optional) + :param boolean force_new_token: Keyring related parameter, forces request + for new token. default: False (optional) + :param integer stale_duration: Gap in seconds to determine if token from + keyring is about to expire. default: 30 + (optional) + :param string tenant_name: Tenant name. (optional) The tenant_name keyword + argument is deprecated as of the 1.7.0 release + in favor of project_name and may be removed in + the 2.0.0 release. + :param string tenant_id: Tenant id. (optional) The tenant_id keyword + argument is deprecated as of the 1.7.0 release in + favor of project_id and may be removed in the + 2.0.0 release. + :param string trust_id: Trust ID for trust scoping. (optional) + :param object session: A Session object to be used for + communicating with the identity service. + :type session: keystoneclient.session.Session + :param string service_name: The default service_name for URL discovery. + default: None (optional) + :param string interface: The default interface for URL discovery. + default: admin (v2), public (v3). (optional) + :param string endpoint_override: Always use this endpoint URL for requests + for this client. (optional) + :param auth: An auth plugin to use instead of the session one. (optional) + :type auth: keystoneclient.auth.base.BaseAuthPlugin + :param string user_agent: The User-Agent string to set. + default: python-keystoneclient (optional) + :param int connect_retries: the maximum number of retries that should + be attempted for connection errors. + Default None - use session default which + is don't retry. (optional) + """ version = None - @utils.positional(enforcement=utils.positional.WARN) + @renames.renamed_kwarg('tenant_name', 'project_name', version='1.7.0', + removal_version='2.0.0') + @renames.renamed_kwarg('tenant_id', 'project_id', version='1.7.0', + removal_version='2.0.0') def __init__(self, username=None, tenant_id=None, tenant_name=None, password=None, auth_url=None, region_name=None, endpoint=None, - token=None, debug=False, auth_ref=None, use_keyring=False, + token=None, auth_ref=None, use_keyring=False, force_new_token=False, stale_duration=None, user_id=None, user_domain_id=None, user_domain_name=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, - trust_id=None, session=None, **kwargs): - """Construct a new http client - - :param string user_id: User ID for authentication. (optional) - :param string username: Username for authentication. (optional) - :param string user_domain_id: User's domain ID for authentication. - (optional) - :param string user_domain_name: User's domain name for authentication. - (optional) - :param string password: Password for authentication. (optional) - :param string domain_id: Domain ID for domain scoping. (optional) - :param string domain_name: Domain name for domain scoping. (optional) - :param string project_id: Project ID for project scoping. (optional) - :param string project_name: Project name for project scoping. - (optional) - :param string project_domain_id: Project's domain ID for project - scoping. (optional) - :param string project_domain_name: Project's domain name for project - scoping. (optional) - :param string auth_url: Identity service endpoint for authorization. - :param string region_name: Name of a region to select when choosing an - endpoint from the service catalog. - :param integer timeout: DEPRECATED: use session. (optional) - :param string endpoint: A user-supplied endpoint URL for the identity - service. Lazy-authentication is possible for - API service calls if endpoint is set at - instantiation. (optional) - :param string token: Token for authentication. (optional) - :param string cacert: DEPRECATED: use session. (optional) - :param string key: DEPRECATED: use session. (optional) - :param string cert: DEPRECATED: use session. (optional) - :param boolean insecure: DEPRECATED: use session. (optional) - :param string original_ip: DEPRECATED: use session. (optional) - :param boolean debug: DEPRECATED: use logging configuration. (optional) - :param dict auth_ref: To allow for consumers of the client to manage - their own caching strategy, you may initialize a - client with a previously captured auth_reference - (token). If there are keyword arguments passed - that also exist in auth_ref, the value from the - argument will take precedence. - :param boolean use_keyring: Enables caching auth_ref into keyring. - default: False (optional) - :param boolean force_new_token: Keyring related parameter, forces - request for new token. - default: False (optional) - :param integer stale_duration: Gap in seconds to determine if token - from keyring is about to expire. - default: 30 (optional) - :param string tenant_name: Tenant name. (optional) - The tenant_name keyword argument is - deprecated, use project_name instead. - :param string tenant_id: Tenant id. (optional) - The tenant_id keyword argument is - deprecated, use project_id instead. - :param string trust_id: Trust ID for trust scoping. (optional) - :param object session: A Session object to be used for - communicating with the identity service. - - """ + trust_id=None, session=None, service_name=None, + interface='default', endpoint_override=None, auth=None, + user_agent=USER_AGENT, connect_retries=None, **kwargs): # set baseline defaults self.user_id = None self.username = None @@ -151,7 +266,6 @@ def __init__(self, username=None, tenant_id=None, tenant_name=None, self.project_domain_id = None self.project_domain_name = None - self.region_name = None self.auth_url = None self._endpoint = None self._management_url = None @@ -171,12 +285,23 @@ def __init__(self, username=None, tenant_id=None, tenant_name=None, self.project_id = self.auth_ref.project_id self.project_name = self.auth_ref.project_name self.project_domain_id = self.auth_ref.project_domain_id - self.auth_url = self.auth_ref.auth_url[0] - self._management_url = self.auth_ref.management_url[0] + auth_urls = self.auth_ref.service_catalog.get_urls( + service_type='identity', endpoint_type='public', + region_name=region_name) + self.auth_url = auth_urls[0] + management_urls = self.auth_ref.service_catalog.get_urls( + service_type='identity', endpoint_type='admin', + region_name=region_name) + self._management_url = management_urls[0] self.auth_token_from_user = self.auth_ref.auth_token self.trust_id = self.auth_ref.trust_id - if self.auth_ref.has_service_catalog(): - self.region_name = self.auth_ref.service_catalog.region_name + + # TODO(blk-u): Using self.auth_ref.service_catalog._region_name is + # deprecated and this code must be removed when the property is + # actually removed. + if self.auth_ref.has_service_catalog() and not region_name: + region_name = self.auth_ref.service_catalog._region_name + else: self.auth_ref = None @@ -233,17 +358,52 @@ def __init__(self, username=None, tenant_id=None, tenant_name=None, self.auth_token_from_user = None if endpoint: self._endpoint = endpoint.rstrip('/') - if region_name: - self.region_name = region_name self._auth_token = None if not session: - session = client_session.Session.construct(kwargs) + + warnings.warn( + 'Constructing an HTTPClient instance without using a session ' + 'is deprecated as of the 1.7.0 release and may be removed in ' + 'the 2.0.0 release.', DeprecationWarning) + + kwargs['session'] = _FakeRequestSession() + session = client_session.Session._construct(kwargs) session.auth = self - super(HTTPClient, self).__init__(session=session) + self.session = session self.domain = '' - self.debug_log = debug + + version = ( + _discover.normalize_version_number(self.version) if self.version + else None) + + # NOTE(frickler): If we know we have v3, use the public interface as + # default, otherwise keep the historic default of admin + if interface == 'default': + if version == (3, 0): + interface = 'public' + else: + interface = 'admin' + + # NOTE(jamielennox): unfortunately we can't just use **kwargs here as + # it would incompatibly limit the kwargs that can be passed to __init__ + # try and keep this list in sync with adapter.Adapter.__init__ + self._adapter = _KeystoneAdapter(session, + service_type='identity', + service_name=service_name, + interface=interface, + region_name=region_name, + endpoint_override=endpoint_override, + version=version, + auth=auth, + user_agent=user_agent, + connect_retries=connect_retries) + + # NOTE(dstanek): This allows me to not have to change keystoneauth or + # to write an adapter to the adapter here. Splitting thing into + # multiple project isn't always all sunshine and roses. + self._adapter.include_metadata = kwargs.pop('include_metadata', False) # keyring setup if use_keyring and keyring is None: @@ -273,6 +433,12 @@ def get_endpoint(self, session, interface=None, **kwargs): else: return self.management_url + def get_user_id(self, session, **kwargs): + return self.auth_ref.user_id + + def get_project_id(self, session, **kwargs): + return self.auth_ref.project_id + @auth_token.setter def auth_token(self, value): """Override the auth_token. @@ -289,28 +455,48 @@ def auth_token(self): @property def service_catalog(self): - """Returns this client's service catalog.""" - return self.auth_ref.service_catalog + """Return this client's service catalog.""" + try: + return self.auth_ref.service_catalog + except AttributeError: + return None def has_service_catalog(self): - """Returns True if this client provides a service catalog.""" - return self.auth_ref.has_service_catalog() + """Return True if this client provides a service catalog.""" + return self.auth_ref and self.auth_ref.has_service_catalog() @property def tenant_id(self): """Provide read-only backwards compatibility for tenant_id. - This is deprecated, use project_id instead. + + .. warning:: + + This is deprecated as of the 1.7.0 release in favor of project_id + and may be removed in the 2.0.0 release. """ + warnings.warn( + 'tenant_id is deprecated as of the 1.7.0 release in favor of ' + 'project_id and may be removed in the 2.0.0 release.', + DeprecationWarning) + return self.project_id @property def tenant_name(self): """Provide read-only backwards compatibility for tenant_name. - This is deprecated, use project_name instead. + + .. warning:: + + This is deprecated as of the 1.7.0 release in favor of project_name + and may be removed in the 2.0.0 release. """ + warnings.warn( + 'tenant_name is deprecated as of the 1.7.0 release in favor of ' + 'project_name and may be removed in the 2.0.0 release.', + DeprecationWarning) + return self.project_name - @utils.positional(enforcement=utils.positional.WARN) def authenticate(self, username=None, password=None, tenant_name=None, tenant_id=None, auth_url=None, token=None, user_id=None, domain_name=None, domain_id=None, @@ -346,9 +532,10 @@ def authenticate(self, username=None, password=None, tenant_name=None, self.management_url from the details provided in the token. :returns: ``True`` if authentication was successful. - :raises: AuthorizationFailure if unable to authenticate or validate - the existing authorization token - :raises: ValueError if insufficient parameters are used. + :raises keystoneclient.exceptions.AuthorizationFailure: if unable to + authenticate or validate the existing authorization token + :raises keystoneclient.exceptions.ValueError: if insufficient + parameters are used. If keyring is used, token is retrieved from keyring instead. Authentication will only be necessary if any of the following @@ -376,7 +563,7 @@ def authenticate(self, username=None, password=None, tenant_name=None, project_domain_name = project_domain_name or self.project_domain_name trust_id = trust_id or self.trust_id - region_name = region_name or self.region_name + region_name = region_name or self._adapter.region_name if not token: token = self.auth_token_from_user @@ -429,10 +616,10 @@ def _build_keyring_key(self, **kwargs): Used to store and retrieve auth_ref from keyring. - Returns a slash-separated string of values ordered by key name. + Return a slash-separated string of values ordered by key name. """ - return '/'.join([kwargs[k] or '?' for k in sorted(kwargs.keys())]) + return '/'.join([kwargs[k] or '?' for k in sorted(kwargs)]) def get_auth_ref_from_keyring(self, **kwargs): """Retrieve auth_ref from keyring. @@ -452,7 +639,8 @@ def get_auth_ref_from_keyring(self, **kwargs): auth_ref = keyring.get_password("keystoneclient_auth", keyring_key) if auth_ref: - auth_ref = pickle.loads(auth_ref) + auth_ref = pickle.loads(auth_ref) # nosec(cjschaef): see + # bug 1534288 if auth_ref.will_expire_soon(self.stale_duration): # token has expired, don't use it auth_ref = None @@ -462,14 +650,13 @@ def get_auth_ref_from_keyring(self, **kwargs): return (keyring_key, auth_ref) def store_auth_ref_into_keyring(self, keyring_key): - """Store auth_ref into keyring. - - """ + """Store auth_ref into keyring.""" if self.use_keyring: try: keyring.set_password("keystoneclient_auth", keyring_key, - pickle.dumps(self.auth_ref)) + pickle.dumps(self.auth_ref)) # nosec + # (cjschaef): see bug 1534288 except Exception as e: _logger.warning("Failed to store token into keyring %s", e) @@ -479,8 +666,8 @@ def _process_management_url(self, region_name): service_type='identity', endpoint_type='admin', region_name=region_name) - except exceptions.EndpointNotFound: - _logger.warning("Failed to retrieve management_url from token") + except exceptions.EndpointNotFound as e: + _logger.debug("Failed to find endpoint for management url %s", e) def process_token(self, region_name=None): """Extract and process information from the new auth_ref. @@ -493,14 +680,14 @@ def process_token(self, region_name=None): if self.auth_ref.project_scoped: if not self.auth_ref.tenant_id: raise exceptions.AuthorizationFailure( - "Token didn't provide tenant_id") + _("Token didn't provide tenant_id")) self._process_management_url(region_name) self.project_name = self.auth_ref.tenant_name self.project_id = self.auth_ref.tenant_id if not self.auth_ref.user_id: raise exceptions.AuthorizationFailure( - "Token didn't provide user_id") + _("Token didn't provide user_id")) self.user_id = self.auth_ref.user_id @@ -519,7 +706,6 @@ def management_url(self, value): # permanently setting _endpoint would better match that behaviour. self._endpoint = value - @utils.positional(enforcement=utils.positional.WARN) def get_raw_token_from_identity_service(self, auth_url, username=None, password=None, tenant_name=None, tenant_id=None, token=None, @@ -547,106 +733,199 @@ def get_raw_token_from_identity_service(self, auth_url, username=None, def serialize(self, entity): return jsonutils.dumps(entity) - @staticmethod - def _decode_body(resp): - if resp.text: - try: - body_resp = jsonutils.loads(resp.text) - except (ValueError, TypeError): - body_resp = None - _logger.debug("Could not decode JSON from body: %s", - resp.text) - else: - _logger.debug("No body was returned.") - body_resp = None - - return body_resp - - def request(self, url, method, **kwargs): + @removals.remove(version='1.7.0', removal_version='2.0.0') + def request(self, *args, **kwargs): """Send an http request with the specified characteristics. Wrapper around requests.request to handle tasks such as setting headers, JSON encoding/decoding, and error handling. - """ - try: - kwargs['json'] = kwargs.pop('body') - except KeyError: - pass + .. warning:: + + *DEPRECATED*: This function is no longer used. It was designed to + be used only by the managers and the managers now receive an + adapter so this function is no longer on the standard request path. + This may be removed in the 2.0.0 release. + """ + return self._request(*args, **kwargs) + def _request(self, *args, **kwargs): kwargs.setdefault('authenticated', False) - resp = super(HTTPClient, self).request(url, method, **kwargs) - return resp, self._decode_body(resp) + return self._adapter.request(*args, **kwargs) def _cs_request(self, url, method, management=True, **kwargs): - """Makes an authenticated request to keystone endpoint by - concatenating self.management_url and url and passing in method and + """Make an authenticated request to keystone endpoint. + + Request are made to keystone endpoint by concatenating + self.management_url and url and passing in method and any associated kwargs. """ - # NOTE(jamielennox): remember that if you use the legacy client mode - # (you create a client without a session) then this HTTPClient object - # is the auth plugin you are using. Values in the endpoint_filter may - # be ignored and you should look at get_endpoint to figure out what. - interface = 'admin' if management else 'public' - endpoint_filter = kwargs.setdefault('endpoint_filter', {}) - endpoint_filter.setdefault('service_type', 'identity') - endpoint_filter.setdefault('interface', interface) - - if self.version: - endpoint_filter.setdefault('version', self.version) - - if self.region_name: - endpoint_filter.setdefault('region_name', self.region_name) + if not management: + endpoint_filter = kwargs.setdefault('endpoint_filter', {}) + endpoint_filter.setdefault('interface', 'public') kwargs.setdefault('authenticated', None) - try: - return self.request(url, method, **kwargs) - except exceptions.MissingAuthPlugin: - _logger.info('Cannot get authenticated endpoint without an ' - 'auth plugin') - raise exceptions.AuthorizationFailure( - 'Current authorization does not have a known management url') + return self._request(url, method, **kwargs) + @removals.remove(version='1.7.0', removal_version='2.0.0') def get(self, url, **kwargs): + """Perform an authenticated GET request. + + This calls :py:meth:`.request()` with ``method`` set to ``GET`` and an + authentication token if one is available. + + .. warning:: + + *DEPRECATED*: This function is no longer used and is deprecated as + of the 1.7.0 release and may be removed in the 2.0.0 release. It + was designed to be used by the managers and the managers now + receive an adapter so this function is no longer on the standard + request path. + """ return self._cs_request(url, 'GET', **kwargs) + @removals.remove(version='1.7.0', removal_version='2.0.0') def head(self, url, **kwargs): + """Perform an authenticated HEAD request. + + This calls :py:meth:`.request()` with ``method`` set to ``HEAD`` and an + authentication token if one is available. + + .. warning:: + + *DEPRECATED*: This function is no longer used and is deprecated as + of the 1.7.0 release and may be removed in the 2.0.0 release. It + was designed to be used by the managers and the managers now + receive an adapter so this function is no longer on the standard + request path. + """ return self._cs_request(url, 'HEAD', **kwargs) + @removals.remove(version='1.7.0', removal_version='2.0.0') def post(self, url, **kwargs): + """Perform an authenticate POST request. + + This calls :py:meth:`.request()` with ``method`` set to ``POST`` and an + authentication token if one is available. + + .. warning:: + + *DEPRECATED*: This function is no longer used and is deprecated as + of the 1.7.0 release and may be removed in the 2.0.0 release. It + was designed to be used by the managers and the managers now + receive an adapter so this function is no longer on the standard + request path. + """ return self._cs_request(url, 'POST', **kwargs) + @removals.remove(version='1.7.0', removal_version='2.0.0') def put(self, url, **kwargs): + """Perform an authenticate PUT request. + + This calls :py:meth:`.request()` with ``method`` set to ``PUT`` and an + authentication token if one is available. + + .. warning:: + + *DEPRECATED*: This function is no longer used and is deprecated as + of the 1.7.0 release and may be removed in the 2.0.0 release. It + was designed to be used by the managers and the managers now + receive an adapter so this function is no longer on the standard + request path. + """ return self._cs_request(url, 'PUT', **kwargs) + @removals.remove(version='1.7.0', removal_version='2.0.0') def patch(self, url, **kwargs): + """Perform an authenticate PATCH request. + + This calls :py:meth:`.request()` with ``method`` set to ``PATCH`` and + an authentication token if one is available. + + .. warning:: + + *DEPRECATED*: This function is no longer used and is deprecated as + of the 1.7.0 release and may be removed in the 2.0.0 release. It + was designed to be used by the managers and the managers now + receive an adapter so this function is no longer on the standard + request path. + """ return self._cs_request(url, 'PATCH', **kwargs) + @removals.remove(version='1.7.0', removal_version='2.0.0') def delete(self, url, **kwargs): - return self._cs_request(url, 'DELETE', **kwargs) + """Perform an authenticate DELETE request. + + This calls :py:meth:`.request()` with ``method`` set to ``DELETE`` and + an authentication token if one is available. - # DEPRECATIONS: The following methods are no longer directly supported - # but maintained for compatibility purposes. + .. warning:: + + *DEPRECATED*: This function is no longer used and is deprecated as + of the 1.7.0 release and may be removed in the 2.0.0 release. It + was designed to be used by the managers and the managers now + receive an adapter so this function is no longer on the standard + request path. + """ + return self._cs_request(url, 'DELETE', **kwargs) deprecated_session_variables = {'original_ip': None, 'cert': None, 'timeout': None, 'verify_cert': 'verify'} + deprecated_adapter_variables = {'region_name': None} + def __getattr__(self, name): - # FIXME(jamielennox): provide a proper deprecated warning + """Fetch deprecated session variables.""" try: var_name = self.deprecated_session_variables[name] - except KeyError: - raise AttributeError("Unknown Attribute: %s" % name) + except KeyError: # nosec(cjschaef): try adapter variable or raise + # an AttributeError + pass + else: + warnings.warn( + 'The %s session variable is deprecated as of the 1.7.0 ' + 'release and may be removed in the 2.0.0 release' % name, + DeprecationWarning) + return getattr(self.session, var_name or name) + + try: + var_name = self.deprecated_adapter_variables[name] + except KeyError: # nosec(cjschaef): raise an AttributeError + pass + else: + warnings.warn( + 'The %s adapter variable is deprecated as of the 1.7.0 ' + 'release and may be removed in the 2.0.0 release' % name, + DeprecationWarning) + return getattr(self._adapter, var_name or name) - return getattr(self.session, var_name or name) + raise AttributeError(_("Unknown Attribute: %s") % name) def __setattr__(self, name, val): - # FIXME(jamielennox): provide a proper deprecated warning + """Assign value to deprecated seesion variables.""" try: var_name = self.deprecated_session_variables[name] - except KeyError: - super(HTTPClient, self).__setattr__(name, val) + except KeyError: # nosec(cjschaef): try adapter variable or call + # parent class's __setattr__ + pass + else: + warnings.warn( + 'The %s session variable is deprecated as of the 1.7.0 ' + 'release and may be removed in the 2.0.0 release' % name, + DeprecationWarning) + return setattr(self.session, var_name or name) + + try: + var_name = self.deprecated_adapter_variables[name] + except KeyError: # nosec(cjschaef): call parent class's __setattr__ + pass else: - setattr(self.session, var_name or name) + warnings.warn( + 'The %s adapter variable is deprecated as of the 1.7.0 ' + 'release and may be removed in the 2.0.0 release' % name, + DeprecationWarning) + return setattr(self._adapter, var_name or name) + + super(HTTPClient, self).__setattr__(name, val) diff --git a/keystoneclient/i18n.py b/keystoneclient/i18n.py new file mode 100644 index 000000000..f3726d199 --- /dev/null +++ b/keystoneclient/i18n.py @@ -0,0 +1,27 @@ +# Copyright 2014 IBM Corp. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +"""oslo.i18n integration module. + +See https://docs.openstack.org/oslo.i18n/latest/user/index.html . + +""" + +import oslo_i18n + + +_translators = oslo_i18n.TranslatorFactory(domain='keystoneclient') + +# The primary translation function using the well-known name "_" +_ = _translators.primary diff --git a/keystoneclient/locale/keystoneclient.pot b/keystoneclient/locale/keystoneclient.pot deleted file mode 100644 index a96686484..000000000 --- a/keystoneclient/locale/keystoneclient.pot +++ /dev/null @@ -1,20 +0,0 @@ -# Translations template for python-keystoneclient. -# Copyright (C) 2012 ORGANIZATION -# This file is distributed under the same license as the -# python-keystoneclient project. -# FIRST AUTHOR , 2012. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: python-keystoneclient 0.1.3.12\n" -"Report-Msgid-Bugs-To: EMAIL@ADDRESS\n" -"POT-Creation-Date: 2012-09-29 16:02-0700\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=utf-8\n" -"Content-Transfer-Encoding: 8bit\n" -"Generated-By: Babel 0.9.6\n" - diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py deleted file mode 100644 index d2eb29b2e..000000000 --- a/keystoneclient/middleware/auth_token.py +++ /dev/null @@ -1,1595 +0,0 @@ -# Copyright 2010-2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -""" -TOKEN-BASED AUTH MIDDLEWARE - -This WSGI component: - -* Verifies that incoming client requests have valid tokens by validating - tokens with the auth service. -* Rejects unauthenticated requests UNLESS it is in 'delay_auth_decision' - mode, which means the final decision is delegated to the downstream WSGI - component (usually the OpenStack service) -* Collects and forwards identity information based on a valid token - such as user name, tenant, etc - -Refer to: http://docs.openstack.org/developer/python-keystoneclient/ -middlewarearchitecture.html - -HEADERS -------- - -* Headers starting with HTTP\_ is a standard http header -* Headers starting with HTTP_X is an extended http header - -Coming in from initial call from client or customer -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -HTTP_X_AUTH_TOKEN - The client token being passed in. - -HTTP_X_STORAGE_TOKEN - The client token being passed in (legacy Rackspace use) to support - swift/cloud files - -Used for communication between components -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -WWW-Authenticate - HTTP header returned to a user indicating which endpoint to use - to retrieve a new token - -What we add to the request for use by the OpenStack service -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -HTTP_X_IDENTITY_STATUS - 'Confirmed' or 'Invalid' - The underlying service will only see a value of 'Invalid' if the Middleware - is configured to run in 'delay_auth_decision' mode - -HTTP_X_DOMAIN_ID - Identity service managed unique identifier, string. Only present if - this is a domain-scoped v3 token. - -HTTP_X_DOMAIN_NAME - Unique domain name, string. Only present if this is a domain-scoped - v3 token. - -HTTP_X_PROJECT_ID - Identity service managed unique identifier, string. Only present if - this is a project-scoped v3 token, or a tenant-scoped v2 token. - -HTTP_X_PROJECT_NAME - Project name, unique within owning domain, string. Only present if - this is a project-scoped v3 token, or a tenant-scoped v2 token. - -HTTP_X_PROJECT_DOMAIN_ID - Identity service managed unique identifier of owning domain of - project, string. Only present if this is a project-scoped v3 token. If - this variable is set, this indicates that the PROJECT_NAME can only - be assumed to be unique within this domain. - -HTTP_X_PROJECT_DOMAIN_NAME - Name of owning domain of project, string. Only present if this is a - project-scoped v3 token. If this variable is set, this indicates that - the PROJECT_NAME can only be assumed to be unique within this domain. - -HTTP_X_USER_ID - Identity-service managed unique identifier, string - -HTTP_X_USER_NAME - User identifier, unique within owning domain, string - -HTTP_X_USER_DOMAIN_ID - Identity service managed unique identifier of owning domain of - user, string. If this variable is set, this indicates that the USER_NAME - can only be assumed to be unique within this domain. - -HTTP_X_USER_DOMAIN_NAME - Name of owning domain of user, string. If this variable is set, this - indicates that the USER_NAME can only be assumed to be unique within - this domain. - -HTTP_X_ROLES - Comma delimited list of case-sensitive role names - -HTTP_X_SERVICE_CATALOG - json encoded keystone service catalog (optional). - For compatibility reasons this catalog will always be in the V2 catalog - format even if it is a v3 token. - -HTTP_X_TENANT_ID - *Deprecated* in favor of HTTP_X_PROJECT_ID - Identity service managed unique identifier, string. For v3 tokens, this - will be set to the same value as HTTP_X_PROJECT_ID - -HTTP_X_TENANT_NAME - *Deprecated* in favor of HTTP_X_PROJECT_NAME - Project identifier, unique within owning domain, string. For v3 tokens, - this will be set to the same value as HTTP_X_PROJECT_NAME - -HTTP_X_TENANT - *Deprecated* in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME - Keystone-assigned unique identifier, string. For v3 tokens, this - will be set to the same value as HTTP_X_PROJECT_ID - -HTTP_X_USER - *Deprecated* in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME - User name, unique within owning domain, string - -HTTP_X_ROLE - *Deprecated* in favor of HTTP_X_ROLES - Will contain the same values as HTTP_X_ROLES. - -OTHER ENVIRONMENT VARIABLES ---------------------------- - -keystone.token_info - Information about the token discovered in the process of - validation. This may include extended information returned by the - Keystone token validation call, as well as basic information about - the tenant and user. - -""" - -import contextlib -import datetime -import logging -import os -import stat -import tempfile -import time - -import netaddr -from oslo.config import cfg -import requests -import six -from six.moves import urllib - -from keystoneclient import access -from keystoneclient.common import cms -from keystoneclient import exceptions -from keystoneclient.middleware import memcache_crypt -from keystoneclient.openstack.common import jsonutils -from keystoneclient.openstack.common import memorycache -from keystoneclient.openstack.common import timeutils - - -# alternative middleware configuration in the main application's -# configuration file e.g. in nova.conf -# [keystone_authtoken] -# auth_host = 127.0.0.1 -# auth_port = 35357 -# auth_protocol = http -# admin_tenant_name = admin -# admin_user = admin -# admin_password = badpassword - -# when deploy Keystone auth_token middleware with Swift, user may elect -# to use Swift memcache instead of the local Keystone memcache. Swift memcache -# is passed in from the request environment and its identified by the -# 'swift.cache' key. However it could be different, depending on deployment. -# To use Swift memcache, you must set the 'cache' option to the environment -# key where the Swift cache object is stored. - - -# NOTE(jamielennox): A number of options below are deprecated however are left -# in the list and only mentioned as deprecated in the help string. This is -# because we have to provide the same deprecation functionality for arguments -# passed in via the conf in __init__ (from paste) and there is no way to test -# that the default value was set or not in CONF. -# Also if we were to remove the options from the CONF list (as typical CONF -# deprecation works) then other projects will not be able to override the -# options via CONF. - -opts = [ - cfg.StrOpt('auth_admin_prefix', - default='', - help='Prefix to prepend at the beginning of the path. ' - 'Deprecated, use identity_uri.'), - cfg.StrOpt('auth_host', - default='127.0.0.1', - help='Host providing the admin Identity API endpoint. ' - 'Deprecated, use identity_uri.'), - cfg.IntOpt('auth_port', - default=35357, - help='Port of the admin Identity API endpoint. ' - 'Deprecated, use identity_uri.'), - cfg.StrOpt('auth_protocol', - default='https', - help='Protocol of the admin Identity API endpoint ' - '(http or https). Deprecated, use identity_uri.'), - cfg.StrOpt('auth_uri', - default=None, - # FIXME(dolph): should be default='http://127.0.0.1:5000/v2.0/', - # or (depending on client support) an unversioned, publicly - # accessible identity endpoint (see bug 1207517) - help='Complete public Identity API endpoint'), - cfg.StrOpt('identity_uri', - default=None, - help='Complete admin Identity API endpoint. This should ' - 'specify the unversioned root endpoint ' - 'e.g. https://localhost:35357/'), - cfg.StrOpt('auth_version', - default=None, - help='API version of the admin Identity API endpoint'), - cfg.BoolOpt('delay_auth_decision', - default=False, - help='Do not handle authorization requests within the' - ' middleware, but delegate the authorization decision to' - ' downstream WSGI components'), - cfg.BoolOpt('http_connect_timeout', - default=None, - help='Request timeout value for communicating with Identity' - ' API server.'), - cfg.IntOpt('http_request_max_retries', - default=3, - help='How many times are we trying to reconnect when' - ' communicating with Identity API Server.'), - cfg.StrOpt('admin_token', - secret=True, - help='This option is deprecated and may be removed in a future' - ' release. Single shared secret with the Keystone configuration' - ' used for bootstrapping a Keystone installation, or otherwise' - ' bypassing the normal authentication process. This option' - ' should not be used, use `admin_user` and `admin_password`' - ' instead.'), - cfg.StrOpt('admin_user', - help='Keystone account username'), - cfg.StrOpt('admin_password', - secret=True, - help='Keystone account password'), - cfg.StrOpt('admin_tenant_name', - default='admin', - help='Keystone service account tenant name to validate' - ' user tokens'), - cfg.StrOpt('cache', - default=None, - help='Env key for the swift cache'), - cfg.StrOpt('certfile', - help='Required if Keystone server requires client certificate'), - cfg.StrOpt('keyfile', - help='Required if Keystone server requires client certificate'), - cfg.StrOpt('cafile', default=None, - help='A PEM encoded Certificate Authority to use when ' - 'verifying HTTPs connections. Defaults to system CAs.'), - cfg.BoolOpt('insecure', default=False, help='Verify HTTPS connections.'), - cfg.StrOpt('signing_dir', - help='Directory used to cache files related to PKI tokens'), - cfg.ListOpt('memcached_servers', - deprecated_name='memcache_servers', - help='Optionally specify a list of memcached server(s) to' - ' use for caching. If left undefined, tokens will instead be' - ' cached in-process.'), - cfg.IntOpt('token_cache_time', - default=300, - help='In order to prevent excessive effort spent validating' - ' tokens, the middleware caches previously-seen tokens for a' - ' configurable duration (in seconds). Set to -1 to disable' - ' caching completely.'), - cfg.IntOpt('revocation_cache_time', - default=10, - help='Determines the frequency at which the list of revoked' - ' tokens is retrieved from the Identity service (in seconds). A' - ' high number of revocation events combined with a low cache' - ' duration may significantly reduce performance.'), - cfg.StrOpt('memcache_security_strategy', - default=None, - help='(optional) if defined, indicate whether token data' - ' should be authenticated or authenticated and encrypted.' - ' Acceptable values are MAC or ENCRYPT. If MAC, token data is' - ' authenticated (with HMAC) in the cache. If ENCRYPT, token' - ' data is encrypted and authenticated in the cache. If the' - ' value is not one of these options or empty, auth_token will' - ' raise an exception on initialization.'), - cfg.StrOpt('memcache_secret_key', - default=None, - secret=True, - help='(optional, mandatory if memcache_security_strategy is' - ' defined) this string is used for key derivation.'), - cfg.BoolOpt('include_service_catalog', - default=True, - help='(optional) indicate whether to set the X-Service-Catalog' - ' header. If False, middleware will not ask for service' - ' catalog on token validation and will not set the' - ' X-Service-Catalog header.'), - cfg.StrOpt('enforce_token_bind', - default='permissive', - help='Used to control the use and type of token binding. Can' - ' be set to: "disabled" to not check token binding.' - ' "permissive" (default) to validate binding information if the' - ' bind type is of a form known to the server and ignore it if' - ' not. "strict" like "permissive" but if the bind type is' - ' unknown the token will be rejected. "required" any form of' - ' token binding is needed to be allowed. Finally the name of a' - ' binding method that must be present in tokens.'), - cfg.BoolOpt('check_revocations_for_cached', default=False, - help='If true, the revocation list will be checked for cached' - ' tokens. This requires that PKI tokens are configured on the' - ' Keystone server.'), - cfg.ListOpt('hash_algorithms', default=['md5'], - help='Hash algorithms to use for hashing PKI tokens. This may' - ' be a single algorithm or multiple. The algorithms are those' - ' supported by Python standard hashlib.new(). The hashes will' - ' be tried in the order given, so put the preferred one first' - ' for performance. The result of the first hash will be stored' - ' in the cache. This will typically be set to multiple values' - ' only while migrating from a less secure algorithm to a more' - ' secure one. Once all the old tokens are expired this option' - ' should be set to a single value for better performance.'), -] - -CONF = cfg.CONF -CONF.register_opts(opts, group='keystone_authtoken') - -LIST_OF_VERSIONS_TO_ATTEMPT = ['v2.0', 'v3.0'] -CACHE_KEY_TEMPLATE = 'tokens/%s' - - -class BIND_MODE: - DISABLED = 'disabled' - PERMISSIVE = 'permissive' - STRICT = 'strict' - REQUIRED = 'required' - KERBEROS = 'kerberos' - - -def will_expire_soon(expiry): - """Determines if expiration is about to occur. - - :param expiry: a datetime of the expected expiration - :returns: boolean : true if expiration is within 30 seconds - """ - soon = (timeutils.utcnow() + datetime.timedelta(seconds=30)) - return expiry < soon - - -def _token_is_v2(token_info): - return ('access' in token_info) - - -def _token_is_v3(token_info): - return ('token' in token_info) - - -def confirm_token_not_expired(data): - if not data: - raise InvalidUserToken('Token authorization failed') - if _token_is_v2(data): - timestamp = data['access']['token']['expires'] - elif _token_is_v3(data): - timestamp = data['token']['expires_at'] - else: - raise InvalidUserToken('Token authorization failed') - expires = timeutils.parse_isotime(timestamp) - expires = timeutils.normalize_time(expires) - utcnow = timeutils.utcnow() - if utcnow >= expires: - raise InvalidUserToken('Token authorization failed') - return timeutils.isotime(at=expires, subsecond=True) - - -def _v3_to_v2_catalog(catalog): - """Convert a catalog to v2 format. - - X_SERVICE_CATALOG must be specified in v2 format. If you get a token - that is in v3 convert it. - """ - v2_services = [] - for v3_service in catalog: - # first copy over the entries we allow for the service - v2_service = {'type': v3_service['type']} - try: - v2_service['name'] = v3_service['name'] - except KeyError: - pass - - # now convert the endpoints. Because in v3 we specify region per - # URL not per group we have to collect all the entries of the same - # region together before adding it to the new service. - regions = {} - for v3_endpoint in v3_service.get('endpoints', []): - region_name = v3_endpoint.get('region') - try: - region = regions[region_name] - except KeyError: - region = {'region': region_name} if region_name else {} - regions[region_name] = region - - interface_name = v3_endpoint['interface'].lower() + 'URL' - region[interface_name] = v3_endpoint['url'] - - v2_service['endpoints'] = list(regions.values()) - v2_services.append(v2_service) - - return v2_services - - -def safe_quote(s): - """URL-encode strings that are not already URL-encoded.""" - return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s - - -class InvalidUserToken(Exception): - pass - - -class ServiceError(Exception): - pass - - -class ConfigurationError(Exception): - pass - - -class NetworkError(Exception): - pass - - -class MiniResp(object): - def __init__(self, error_message, env, headers=[]): - # The HEAD method is unique: it must never return a body, even if - # it reports an error (RFC-2616 clause 9.4). We relieve callers - # from varying the error responses depending on the method. - if env['REQUEST_METHOD'] == 'HEAD': - self.body = [''] - else: - self.body = [error_message] - self.headers = list(headers) - self.headers.append(('Content-type', 'text/plain')) - - -class AuthProtocol(object): - """Auth Middleware that handles authenticating client calls.""" - - def __init__(self, app, conf): - self.LOG = logging.getLogger(conf.get('log_name', __name__)) - self.LOG.info('Starting keystone auth_token middleware') - self.LOG.warning( - 'This middleware module is deprecated as of v0.10.0 in favor of ' - 'keystonemiddleware.auth_token - please update your WSGI pipeline ' - 'to reference the new middleware package.') - self.conf = conf - self.app = app - - # delay_auth_decision means we still allow unauthenticated requests - # through and we let the downstream service make the final decision - self.delay_auth_decision = (self._conf_get('delay_auth_decision') in - (True, 'true', 't', '1', 'on', 'yes', 'y')) - - # where to find the auth service (we use this to validate tokens) - self.identity_uri = self._conf_get('identity_uri') - self.auth_uri = self._conf_get('auth_uri') - - # NOTE(jamielennox): it does appear here that our defaults arguments - # are backwards. We need to do it this way so that we can handle the - # same deprecation strategy for CONF and the conf variable. - if not self.identity_uri: - self.LOG.warning('Configuring admin URI using auth fragments. ' - 'This is deprecated, use \'identity_uri\'' - ' instead.') - - auth_host = self._conf_get('auth_host') - auth_port = int(self._conf_get('auth_port')) - auth_protocol = self._conf_get('auth_protocol') - auth_admin_prefix = self._conf_get('auth_admin_prefix') - - if netaddr.valid_ipv6(auth_host): - # Note(dzyu) it is an IPv6 address, so it needs to be wrapped - # with '[]' to generate a valid IPv6 URL, based on - # http://www.ietf.org/rfc/rfc2732.txt - auth_host = '[%s]' % auth_host - - self.identity_uri = '%s://%s:%s' % (auth_protocol, auth_host, - auth_port) - if auth_admin_prefix: - self.identity_uri = '%s/%s' % (self.identity_uri, - auth_admin_prefix.strip('/')) - else: - self.identity_uri = self.identity_uri.rstrip('/') - - if self.auth_uri is None: - self.LOG.warning( - 'Configuring auth_uri to point to the public identity ' - 'endpoint is required; clients may not be able to ' - 'authenticate against an admin endpoint') - - # FIXME(dolph): drop support for this fallback behavior as - # documented in bug 1207517. - # NOTE(jamielennox): we urljoin '/' to get just the base URI as - # this is the original behaviour. - self.auth_uri = urllib.parse.urljoin(self.identity_uri, '/') - self.auth_uri = self.auth_uri.rstrip('/') - - # SSL - self.cert_file = self._conf_get('certfile') - self.key_file = self._conf_get('keyfile') - self.ssl_ca_file = self._conf_get('cafile') - self.ssl_insecure = self._conf_get('insecure') - - # signing - self.signing_dirname = self._conf_get('signing_dir') - if self.signing_dirname is None: - self.signing_dirname = tempfile.mkdtemp(prefix='keystone-signing-') - self.LOG.info('Using %s as cache directory for signing certificate', - self.signing_dirname) - self.verify_signing_dir() - - val = '%s/signing_cert.pem' % self.signing_dirname - self.signing_cert_file_name = val - val = '%s/cacert.pem' % self.signing_dirname - self.signing_ca_file_name = val - val = '%s/revoked.pem' % self.signing_dirname - self.revoked_file_name = val - - # Credentials used to verify this component with the Auth service since - # validating tokens is a privileged call - self.admin_token = self._conf_get('admin_token') - if self.admin_token: - self.LOG.warning( - "The admin_token option in the auth_token middleware is " - "deprecated and should not be used. The admin_user and " - "admin_password options should be used instead. The " - "admin_token option may be removed in a future release.") - self.admin_token_expiry = None - self.admin_user = self._conf_get('admin_user') - self.admin_password = self._conf_get('admin_password') - self.admin_tenant_name = self._conf_get('admin_tenant_name') - - memcache_security_strategy = ( - self._conf_get('memcache_security_strategy')) - - self._token_cache = TokenCache( - self.LOG, - cache_time=int(self._conf_get('token_cache_time')), - hash_algorithms=self._conf_get('hash_algorithms'), - env_cache_name=self._conf_get('cache'), - memcached_servers=self._conf_get('memcached_servers'), - memcache_security_strategy=memcache_security_strategy, - memcache_secret_key=self._conf_get('memcache_secret_key')) - - self._token_revocation_list = None - self._token_revocation_list_fetched_time = None - self.token_revocation_list_cache_timeout = datetime.timedelta( - seconds=self._conf_get('revocation_cache_time')) - http_connect_timeout_cfg = self._conf_get('http_connect_timeout') - self.http_connect_timeout = (http_connect_timeout_cfg and - int(http_connect_timeout_cfg)) - self.auth_version = None - self.http_request_max_retries = ( - self._conf_get('http_request_max_retries')) - - self.include_service_catalog = self._conf_get( - 'include_service_catalog') - - self.check_revocations_for_cached = self._conf_get( - 'check_revocations_for_cached') - - def _conf_get(self, name): - # try config from paste-deploy first - if name in self.conf: - return self.conf[name] - else: - return CONF.keystone_authtoken[name] - - def _choose_api_version(self): - """Determine the api version that we should use.""" - - # If the configuration specifies an auth_version we will just - # assume that is correct and use it. We could, of course, check - # that this version is supported by the server, but in case - # there are some problems in the field, we want as little code - # as possible in the way of letting auth_token talk to the - # server. - if self._conf_get('auth_version'): - version_to_use = self._conf_get('auth_version') - self.LOG.info('Auth Token proceeding with requested %s apis', - version_to_use) - else: - version_to_use = None - versions_supported_by_server = self._get_supported_versions() - if versions_supported_by_server: - for version in LIST_OF_VERSIONS_TO_ATTEMPT: - if version in versions_supported_by_server: - version_to_use = version - break - if version_to_use: - self.LOG.info('Auth Token confirmed use of %s apis', - version_to_use) - else: - self.LOG.error( - 'Attempted versions [%s] not in list supported by ' - 'server [%s]', - ', '.join(LIST_OF_VERSIONS_TO_ATTEMPT), - ', '.join(versions_supported_by_server)) - raise ServiceError('No compatible apis supported by server') - return version_to_use - - def _get_supported_versions(self): - versions = [] - response, data = self._json_request('GET', '/') - if response.status_code == 501: - self.LOG.warning('Old keystone installation found...assuming v2.0') - versions.append('v2.0') - elif response.status_code != 300: - self.LOG.error('Unable to get version info from keystone: %s', - response.status_code) - raise ServiceError('Unable to get version info from keystone') - else: - try: - for version in data['versions']['values']: - versions.append(version['id']) - except KeyError: - self.LOG.error( - 'Invalid version response format from server') - raise ServiceError('Unable to parse version response ' - 'from keystone') - - self.LOG.debug('Server reports support for api versions: %s', - ', '.join(versions)) - return versions - - def __call__(self, env, start_response): - """Handle incoming request. - - Authenticate send downstream on success. Reject request if - we can't authenticate. - - """ - self.LOG.debug('Authenticating user token') - - self._token_cache.initialize(env) - - try: - self._remove_auth_headers(env) - user_token = self._get_user_token_from_header(env) - token_info = self._validate_user_token(user_token, env) - env['keystone.token_info'] = token_info - user_headers = self._build_user_headers(token_info) - self._add_headers(env, user_headers) - return self.app(env, start_response) - - except InvalidUserToken: - if self.delay_auth_decision: - self.LOG.info( - 'Invalid user token - deferring reject downstream') - self._add_headers(env, {'X-Identity-Status': 'Invalid'}) - return self.app(env, start_response) - else: - self.LOG.info('Invalid user token - rejecting request') - return self._reject_request(env, start_response) - - except ServiceError as e: - self.LOG.critical('Unable to obtain admin token: %s', e) - resp = MiniResp('Service unavailable', env) - start_response('503 Service Unavailable', resp.headers) - return resp.body - - def _remove_auth_headers(self, env): - """Remove headers so a user can't fake authentication. - - :param env: wsgi request environment - - """ - auth_headers = ( - 'X-Identity-Status', - 'X-Domain-Id', - 'X-Domain-Name', - 'X-Project-Id', - 'X-Project-Name', - 'X-Project-Domain-Id', - 'X-Project-Domain-Name', - 'X-User-Id', - 'X-User-Name', - 'X-User-Domain-Id', - 'X-User-Domain-Name', - 'X-Roles', - 'X-Service-Catalog', - # Deprecated - 'X-User', - 'X-Tenant-Id', - 'X-Tenant-Name', - 'X-Tenant', - 'X-Role', - ) - self.LOG.debug('Removing headers from request environment: %s', - ','.join(auth_headers)) - self._remove_headers(env, auth_headers) - - def _get_user_token_from_header(self, env): - """Get token id from request. - - :param env: wsgi request environment - :return token id - :raises InvalidUserToken if no token is provided in request - - """ - token = self._get_header(env, 'X-Auth-Token', - self._get_header(env, 'X-Storage-Token')) - if token: - return token - else: - if not self.delay_auth_decision: - self.LOG.warn('Unable to find authentication token' - ' in headers') - self.LOG.debug('Headers: %s', env) - raise InvalidUserToken('Unable to find token in headers') - - def _reject_request(self, env, start_response): - """Redirect client to auth server. - - :param env: wsgi request environment - :param start_response: wsgi response callback - :returns HTTPUnauthorized http response - - """ - headers = [('WWW-Authenticate', 'Keystone uri=\'%s\'' % self.auth_uri)] - resp = MiniResp('Authentication required', env, headers) - start_response('401 Unauthorized', resp.headers) - return resp.body - - def get_admin_token(self): - """Return admin token, possibly fetching a new one. - - if self.admin_token_expiry is set from fetching an admin token, check - it for expiration, and request a new token is the existing token - is about to expire. - - :return admin token id - :raise ServiceError when unable to retrieve token from keystone - - """ - if self.admin_token_expiry: - if will_expire_soon(self.admin_token_expiry): - self.admin_token = None - - if not self.admin_token: - (self.admin_token, - self.admin_token_expiry) = self._request_admin_token() - - return self.admin_token - - def _http_request(self, method, path, **kwargs): - """HTTP request helper used to make unspecified content type requests. - - :param method: http method - :param path: relative request url - :return (http response object, response body) - :raise ServerError when unable to communicate with keystone - - """ - url = '%s/%s' % (self.identity_uri, path.lstrip('/')) - - kwargs.setdefault('timeout', self.http_connect_timeout) - if self.cert_file and self.key_file: - kwargs['cert'] = (self.cert_file, self.key_file) - elif self.cert_file or self.key_file: - self.LOG.warn('Cannot use only a cert or key file. ' - 'Please provide both. Ignoring.') - - kwargs['verify'] = self.ssl_ca_file or True - if self.ssl_insecure: - kwargs['verify'] = False - - RETRIES = self.http_request_max_retries - retry = 0 - while True: - try: - response = requests.request(method, url, **kwargs) - break - except Exception as e: - if retry >= RETRIES: - self.LOG.error('HTTP connection exception: %s', e) - raise NetworkError('Unable to communicate with keystone') - # NOTE(vish): sleep 0.5, 1, 2 - self.LOG.warn('Retrying on HTTP connection exception: %s', e) - time.sleep(2.0 ** retry / 2) - retry += 1 - - return response - - def _json_request(self, method, path, body=None, additional_headers=None): - """HTTP request helper used to make json requests. - - :param method: http method - :param path: relative request url - :param body: dict to encode to json as request body. Optional. - :param additional_headers: dict of additional headers to send with - http request. Optional. - :return (http response object, response body parsed as json) - :raise ServerError when unable to communicate with keystone - - """ - kwargs = { - 'headers': { - 'Content-type': 'application/json', - 'Accept': 'application/json', - }, - } - - if additional_headers: - kwargs['headers'].update(additional_headers) - - if body: - kwargs['data'] = jsonutils.dumps(body) - - response = self._http_request(method, path, **kwargs) - - try: - data = jsonutils.loads(response.text) - except ValueError: - self.LOG.debug('Keystone did not return json-encoded body') - data = {} - - return response, data - - def _request_admin_token(self): - """Retrieve new token as admin user from keystone. - - :return token id upon success - :raises ServerError when unable to communicate with keystone - - Irrespective of the auth version we are going to use for the - user token, for simplicity we always use a v2 admin token to - validate the user token. - - """ - params = { - 'auth': { - 'passwordCredentials': { - 'username': self.admin_user, - 'password': self.admin_password, - }, - 'tenantName': self.admin_tenant_name, - } - } - - response, data = self._json_request('POST', - '/v2.0/tokens', - body=params) - - try: - token = data['access']['token']['id'] - expiry = data['access']['token']['expires'] - if not (token and expiry): - raise AssertionError('invalid token or expire') - datetime_expiry = timeutils.parse_isotime(expiry) - return (token, timeutils.normalize_time(datetime_expiry)) - except (AssertionError, KeyError): - self.LOG.warn( - 'Unexpected response from keystone service: %s', data) - raise ServiceError('invalid json response') - except (ValueError): - data['access']['token']['id'] = '' - self.LOG.warn( - 'Unable to parse expiration time from token: %s', data) - raise ServiceError('invalid json response') - - def _validate_user_token(self, user_token, env, retry=True): - """Authenticate user token - - :param user_token: user's token id - :param retry: Ignored, as it is not longer relevant - :return uncrypted body of the token if the token is valid - :raise InvalidUserToken if token is rejected - :no longer raises ServiceError since it no longer makes RPC - - """ - token_id = None - - try: - token_ids, cached = self._token_cache.get(user_token) - token_id = token_ids[0] - if cached: - data = cached - - if self.check_revocations_for_cached: - # A token stored in Memcached might have been revoked - # regardless of initial mechanism used to validate it, - # and needs to be checked. - for tid in token_ids: - is_revoked = self._is_token_id_in_revoked_list(tid) - if is_revoked: - self.LOG.debug( - 'Token is marked as having been revoked') - raise InvalidUserToken( - 'Token authorization failed') - elif cms.is_pkiz(user_token): - verified = self.verify_pkiz_token(user_token, token_ids) - data = jsonutils.loads(verified) - elif cms.is_asn1_token(user_token): - verified = self.verify_signed_token(user_token, token_ids) - data = jsonutils.loads(verified) - else: - data = self.verify_uuid_token(user_token, retry) - expires = confirm_token_not_expired(data) - self._confirm_token_bind(data, env) - self._token_cache.store(token_id, data, expires) - return data - except NetworkError: - self.LOG.debug('Token validation failure.', exc_info=True) - self.LOG.warn('Authorization failed for token') - raise InvalidUserToken('Token authorization failed') - except Exception: - self.LOG.debug('Token validation failure.', exc_info=True) - if token_id: - self._token_cache.store_invalid(token_id) - self.LOG.warn('Authorization failed for token') - raise InvalidUserToken('Token authorization failed') - - def _build_user_headers(self, token_info): - """Convert token object into headers. - - Build headers that represent authenticated user - see main - doc info at start of file for details of headers to be defined. - - :param token_info: token object returned by keystone on authentication - :raise InvalidUserToken when unable to parse token object - - """ - auth_ref = access.AccessInfo.factory(body=token_info) - roles = ','.join(auth_ref.role_names) - - if _token_is_v2(token_info) and not auth_ref.project_id: - raise InvalidUserToken('Unable to determine tenancy.') - - rval = { - 'X-Identity-Status': 'Confirmed', - 'X-Domain-Id': auth_ref.domain_id, - 'X-Domain-Name': auth_ref.domain_name, - 'X-Project-Id': auth_ref.project_id, - 'X-Project-Name': auth_ref.project_name, - 'X-Project-Domain-Id': auth_ref.project_domain_id, - 'X-Project-Domain-Name': auth_ref.project_domain_name, - 'X-User-Id': auth_ref.user_id, - 'X-User-Name': auth_ref.username, - 'X-User-Domain-Id': auth_ref.user_domain_id, - 'X-User-Domain-Name': auth_ref.user_domain_name, - 'X-Roles': roles, - # Deprecated - 'X-User': auth_ref.username, - 'X-Tenant-Id': auth_ref.project_id, - 'X-Tenant-Name': auth_ref.project_name, - 'X-Tenant': auth_ref.project_name, - 'X-Role': roles, - } - - self.LOG.debug('Received request from user: %s with project_id : %s' - ' and roles: %s ', - auth_ref.user_id, auth_ref.project_id, roles) - - if self.include_service_catalog and auth_ref.has_service_catalog(): - catalog = auth_ref.service_catalog.get_data() - if _token_is_v3(token_info): - catalog = _v3_to_v2_catalog(catalog) - rval['X-Service-Catalog'] = jsonutils.dumps(catalog) - - return rval - - def _header_to_env_var(self, key): - """Convert header to wsgi env variable. - - :param key: http header name (ex. 'X-Auth-Token') - :return wsgi env variable name (ex. 'HTTP_X_AUTH_TOKEN') - - """ - return 'HTTP_%s' % key.replace('-', '_').upper() - - def _add_headers(self, env, headers): - """Add http headers to environment.""" - for (k, v) in six.iteritems(headers): - env_key = self._header_to_env_var(k) - env[env_key] = v - - def _remove_headers(self, env, keys): - """Remove http headers from environment.""" - for k in keys: - env_key = self._header_to_env_var(k) - try: - del env[env_key] - except KeyError: - pass - - def _get_header(self, env, key, default=None): - """Get http header from environment.""" - env_key = self._header_to_env_var(key) - return env.get(env_key, default) - - def _invalid_user_token(self, msg=False): - # NOTE(jamielennox): use False as the default so that None is valid - if msg is False: - msg = 'Token authorization failed' - - raise InvalidUserToken(msg) - - def _confirm_token_bind(self, data, env): - bind_mode = self._conf_get('enforce_token_bind') - - if bind_mode == BIND_MODE.DISABLED: - return - - try: - if _token_is_v2(data): - bind = data['access']['token']['bind'] - elif _token_is_v3(data): - bind = data['token']['bind'] - else: - self._invalid_user_token() - except KeyError: - bind = {} - - # permissive and strict modes don't require there to be a bind - permissive = bind_mode in (BIND_MODE.PERMISSIVE, BIND_MODE.STRICT) - - if not bind: - if permissive: - # no bind provided and none required - return - else: - self.LOG.info('No bind information present in token.') - self._invalid_user_token() - - # get the named mode if bind_mode is not one of the predefined - if permissive or bind_mode == BIND_MODE.REQUIRED: - name = None - else: - name = bind_mode - - if name and name not in bind: - self.LOG.info('Named bind mode %s not in bind information', name) - self._invalid_user_token() - - for bind_type, identifier in six.iteritems(bind): - if bind_type == BIND_MODE.KERBEROS: - if not env.get('AUTH_TYPE', '').lower() == 'negotiate': - self.LOG.info('Kerberos credentials required and ' - 'not present.') - self._invalid_user_token() - - if not env.get('REMOTE_USER') == identifier: - self.LOG.info('Kerberos credentials do not match ' - 'those in bind.') - self._invalid_user_token() - - self.LOG.debug('Kerberos bind authentication successful.') - - elif bind_mode == BIND_MODE.PERMISSIVE: - self.LOG.debug('Ignoring Unknown bind for permissive mode: ' - '%(bind_type)s: %(identifier)s.', - {'bind_type': bind_type, - 'identifier': identifier}) - - else: - self.LOG.info('Couldn`t verify unknown bind: %(bind_type)s: ' - '%(identifier)s.', - {'bind_type': bind_type, - 'identifier': identifier}) - self._invalid_user_token() - - def verify_uuid_token(self, user_token, retry=True): - """Authenticate user token with keystone. - - :param user_token: user's token id - :param retry: flag that forces the middleware to retry - user authentication when an indeterminate - response is received. Optional. - :return: token object received from keystone on success - :raise InvalidUserToken: if token is rejected - :raise ServiceError: if unable to authenticate token - - """ - # Determine the highest api version we can use. - if not self.auth_version: - self.auth_version = self._choose_api_version() - - if self.auth_version == 'v3.0': - headers = {'X-Auth-Token': self.get_admin_token(), - 'X-Subject-Token': safe_quote(user_token)} - path = '/v3/auth/tokens' - if not self.include_service_catalog: - # NOTE(gyee): only v3 API support this option - path = path + '?nocatalog' - response, data = self._json_request( - 'GET', - path, - additional_headers=headers) - else: - headers = {'X-Auth-Token': self.get_admin_token()} - response, data = self._json_request( - 'GET', - '/v2.0/tokens/%s' % safe_quote(user_token), - additional_headers=headers) - - if response.status_code == 200: - return data - if response.status_code == 404: - self.LOG.warn('Authorization failed for token') - raise InvalidUserToken('Token authorization failed') - if response.status_code == 401: - self.LOG.info( - 'Keystone rejected admin token, resetting') - self.admin_token = None - else: - self.LOG.error('Bad response code while validating token: %s', - response.status_code) - if retry: - self.LOG.info('Retrying validation') - return self.verify_uuid_token(user_token, False) - else: - self.LOG.warn('Invalid user token. Keystone response: %s', data) - - raise InvalidUserToken() - - def is_signed_token_revoked(self, token_ids): - """Indicate whether the token appears in the revocation list.""" - for token_id in token_ids: - if self._is_token_id_in_revoked_list(token_id): - self.LOG.debug('Token is marked as having been revoked') - return True - return False - - def _is_token_id_in_revoked_list(self, token_id): - """Indicate whether the token_id appears in the revocation list.""" - revocation_list = self.token_revocation_list - revoked_tokens = revocation_list.get('revoked', None) - if not revoked_tokens: - return False - - revoked_ids = (x['id'] for x in revoked_tokens) - return token_id in revoked_ids - - def cms_verify(self, data, inform=cms.PKI_ASN1_FORM): - """Verifies the signature of the provided data's IAW CMS syntax. - - If either of the certificate files might be missing, fetch them and - retry. - """ - def verify(): - try: - return cms.cms_verify(data, self.signing_cert_file_name, - self.signing_ca_file_name, - inform=inform).decode('utf-8') - except cms.subprocess.CalledProcessError as err: - self.LOG.warning('Verify error: %s', err) - raise - - try: - return verify() - except exceptions.CertificateConfigError: - # the certs might be missing; unconditionally fetch to avoid racing - self.fetch_signing_cert() - self.fetch_ca_cert() - - try: - # retry with certs in place - return verify() - except exceptions.CertificateConfigError as err: - # if this is still occurring, something else is wrong and we - # need err.output to identify the problem - self.LOG.error('CMS Verify output: %s', err.output) - raise - - def verify_signed_token(self, signed_text, token_ids): - """Check that the token is unrevoked and has a valid signature.""" - if self.is_signed_token_revoked(token_ids): - raise InvalidUserToken('Token has been revoked') - - formatted = cms.token_to_cms(signed_text) - verified = self.cms_verify(formatted) - return verified - - def verify_pkiz_token(self, signed_text, token_ids): - if self.is_signed_token_revoked(token_ids): - raise InvalidUserToken('Token has been revoked') - try: - uncompressed = cms.pkiz_uncompress(signed_text) - verified = self.cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM) - return verified - # TypeError If the signed_text is not zlib compressed - except TypeError: - raise InvalidUserToken(signed_text) - - def verify_signing_dir(self): - if os.path.exists(self.signing_dirname): - if not os.access(self.signing_dirname, os.W_OK): - raise ConfigurationError( - 'unable to access signing_dir %s' % self.signing_dirname) - uid = os.getuid() - if os.stat(self.signing_dirname).st_uid != uid: - self.LOG.warning( - 'signing_dir is not owned by %s', uid) - current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode) - if current_mode != stat.S_IRWXU: - self.LOG.warning( - 'signing_dir mode is %s instead of %s', - oct(current_mode), oct(stat.S_IRWXU)) - else: - os.makedirs(self.signing_dirname, stat.S_IRWXU) - - @property - def token_revocation_list_fetched_time(self): - if not self._token_revocation_list_fetched_time: - # If the fetched list has been written to disk, use its - # modification time. - if os.path.exists(self.revoked_file_name): - mtime = os.path.getmtime(self.revoked_file_name) - fetched_time = datetime.datetime.utcfromtimestamp(mtime) - # Otherwise the list will need to be fetched. - else: - fetched_time = datetime.datetime.min - self._token_revocation_list_fetched_time = fetched_time - return self._token_revocation_list_fetched_time - - @token_revocation_list_fetched_time.setter - def token_revocation_list_fetched_time(self, value): - self._token_revocation_list_fetched_time = value - - @property - def token_revocation_list(self): - timeout = (self.token_revocation_list_fetched_time + - self.token_revocation_list_cache_timeout) - list_is_current = timeutils.utcnow() < timeout - - if list_is_current: - # Load the list from disk if required - if not self._token_revocation_list: - open_kwargs = {'encoding': 'utf-8'} if six.PY3 else {} - with open(self.revoked_file_name, 'r', **open_kwargs) as f: - self._token_revocation_list = jsonutils.loads(f.read()) - else: - self.token_revocation_list = self.fetch_revocation_list() - return self._token_revocation_list - - def _atomic_write_to_signing_dir(self, file_name, value): - # In Python2, encoding is slow so the following check avoids it if it - # is not absolutely necessary. - if isinstance(value, six.text_type): - value = value.encode('utf-8') - - def _atomic_write(destination, data): - with tempfile.NamedTemporaryFile(dir=self.signing_dirname, - delete=False) as f: - f.write(data) - os.rename(f.name, destination) - - try: - _atomic_write(file_name, value) - except (OSError, IOError): - self.verify_signing_dir() - _atomic_write(file_name, value) - - @token_revocation_list.setter - def token_revocation_list(self, value): - """Save a revocation list to memory and to disk. - - :param value: A json-encoded revocation list - - """ - self._token_revocation_list = jsonutils.loads(value) - self.token_revocation_list_fetched_time = timeutils.utcnow() - self._atomic_write_to_signing_dir(self.revoked_file_name, value) - - def fetch_revocation_list(self, retry=True): - headers = {'X-Auth-Token': self.get_admin_token()} - response, data = self._json_request('GET', '/v2.0/tokens/revoked', - additional_headers=headers) - if response.status_code == 401: - if retry: - self.LOG.info( - 'Keystone rejected admin token, resetting admin token') - self.admin_token = None - return self.fetch_revocation_list(retry=False) - if response.status_code != 200: - raise ServiceError('Unable to fetch token revocation list.') - if 'signed' not in data: - raise ServiceError('Revocation list improperly formatted.') - return self.cms_verify(data['signed']) - - def _fetch_cert_file(self, cert_file_name, cert_type): - if not self.auth_version: - self.auth_version = self._choose_api_version() - - if self.auth_version == 'v3.0': - if cert_type == 'signing': - cert_type = 'certificates' - path = '/v3/OS-SIMPLE-CERT/' + cert_type - else: - path = '/v2.0/certificates/' + cert_type - response = self._http_request('GET', path) - if response.status_code != 200: - raise exceptions.CertificateConfigError(response.text) - self._atomic_write_to_signing_dir(cert_file_name, response.text) - - def fetch_signing_cert(self): - self._fetch_cert_file(self.signing_cert_file_name, 'signing') - - def fetch_ca_cert(self): - self._fetch_cert_file(self.signing_ca_file_name, 'ca') - - -class CachePool(list): - """A lazy pool of cache references.""" - - def __init__(self, cache, memcached_servers): - self._environment_cache = cache - self._memcached_servers = memcached_servers - - @contextlib.contextmanager - def reserve(self): - """Context manager to manage a pooled cache reference.""" - if self._environment_cache is not None: - # skip pooling and just use the cache from the upstream filter - yield self._environment_cache - return # otherwise the context manager will continue! - - try: - c = self.pop() - except IndexError: - # the pool is empty, so we need to create a new client - c = memorycache.get_client(self._memcached_servers) - - try: - yield c - finally: - self.append(c) - - -class TokenCache(object): - """Encapsulates the auth_token token cache functionality. - - auth_token caches tokens that it's seen so that when a token is re-used the - middleware doesn't have to do a more expensive operation (like going to the - identity server) to validate the token. - - initialize() must be called before calling the other methods. - - Store a valid token in the cache using store(); mark a token as invalid in - the cache using store_invalid(). - - Check if a token is in the cache and retrieve it using get(). - - """ - - _INVALID_INDICATOR = 'invalid' - - def __init__(self, log, cache_time=None, hash_algorithms=None, - env_cache_name=None, memcached_servers=None, - memcache_security_strategy=None, memcache_secret_key=None): - self.LOG = log - self._cache_time = cache_time - self._hash_algorithms = hash_algorithms - self._env_cache_name = env_cache_name - self._memcached_servers = memcached_servers - - # memcache value treatment, ENCRYPT or MAC - self._memcache_security_strategy = memcache_security_strategy - if self._memcache_security_strategy is not None: - self._memcache_security_strategy = ( - self._memcache_security_strategy.upper()) - self._memcache_secret_key = memcache_secret_key - - self._cache_pool = None - self._initialized = False - - self._assert_valid_memcache_protection_config() - - def initialize(self, env): - if self._initialized: - return - - self._cache_pool = CachePool(env.get(self._env_cache_name), - self._memcached_servers) - self._initialized = True - - def get(self, user_token): - """Check if the token is cached already. - - Returns a tuple. The first element is a list of token IDs, where the - first one is the preferred hash. - - The second element is the token data from the cache if the token was - cached, otherwise ``None``. - - :raises InvalidUserToken: if the token is invalid - - """ - - if cms.is_asn1_token(user_token): - # user_token is a PKI token that's not hashed. - - token_hashes = list(cms.cms_hash_token(user_token, mode=algo) - for algo in self._hash_algorithms) - - for token_hash in token_hashes: - cached = self._cache_get(token_hash) - if cached: - return (token_hashes, cached) - - # The token wasn't found using any hash algorithm. - return (token_hashes, None) - - # user_token is either a UUID token or a hashed PKI token. - token_id = user_token - cached = self._cache_get(token_id) - return ([token_id], cached) - - def store(self, token_id, data, expires): - """Put token data into the cache. - - Stores the parsed expire date in cache allowing - quick check of token freshness on retrieval. - - """ - self.LOG.debug('Storing token in cache') - self._cache_store(token_id, (data, expires)) - - def store_invalid(self, token_id): - """Store invalid token in cache.""" - self.LOG.debug('Marking token as unauthorized in cache') - self._cache_store(token_id, self._INVALID_INDICATOR) - - def _assert_valid_memcache_protection_config(self): - if self._memcache_security_strategy: - if self._memcache_security_strategy not in ('MAC', 'ENCRYPT'): - raise ConfigurationError('memcache_security_strategy must be ' - 'ENCRYPT or MAC') - if not self._memcache_secret_key: - raise ConfigurationError('memcache_secret_key must be defined ' - 'when a memcache_security_strategy ' - 'is defined') - - def _cache_get(self, token_id): - """Return token information from cache. - - If token is invalid raise InvalidUserToken - return token only if fresh (not expired). - """ - - if not token_id: - # Nothing to do - return - - if self._memcache_security_strategy is None: - key = CACHE_KEY_TEMPLATE % token_id - with self._cache_pool.reserve() as cache: - serialized = cache.get(key) - else: - secret_key = self._memcache_secret_key - if isinstance(secret_key, six.string_types): - secret_key = secret_key.encode('utf-8') - security_strategy = self._memcache_security_strategy - if isinstance(security_strategy, six.string_types): - security_strategy = security_strategy.encode('utf-8') - keys = memcache_crypt.derive_keys( - token_id, - secret_key, - security_strategy) - cache_key = CACHE_KEY_TEMPLATE % ( - memcache_crypt.get_cache_key(keys)) - with self._cache_pool.reserve() as cache: - raw_cached = cache.get(cache_key) - try: - # unprotect_data will return None if raw_cached is None - serialized = memcache_crypt.unprotect_data(keys, - raw_cached) - except Exception: - msg = 'Failed to decrypt/verify cache data' - self.LOG.exception(msg) - # this should have the same effect as data not - # found in cache - serialized = None - - if serialized is None: - return None - - # Note that _INVALID_INDICATOR and (data, expires) are the only - # valid types of serialized cache entries, so there is not - # a collision with jsonutils.loads(serialized) == None. - if not isinstance(serialized, six.string_types): - serialized = serialized.decode('utf-8') - cached = jsonutils.loads(serialized) - if cached == self._INVALID_INDICATOR: - self.LOG.debug('Cached Token is marked unauthorized') - raise InvalidUserToken('Token authorization failed') - - data, expires = cached - - try: - expires = timeutils.parse_isotime(expires) - except ValueError: - # Gracefully handle upgrade of expiration times from *nix - # timestamps to ISO 8601 formatted dates by ignoring old cached - # values. - return - - expires = timeutils.normalize_time(expires) - utcnow = timeutils.utcnow() - if utcnow < expires: - self.LOG.debug('Returning cached token') - return data - else: - self.LOG.debug('Cached Token seems expired') - raise InvalidUserToken('Token authorization failed') - - def _cache_store(self, token_id, data): - """Store value into memcache. - - data may be _INVALID_INDICATOR or a tuple like (data, expires) - - """ - serialized_data = jsonutils.dumps(data) - if isinstance(serialized_data, six.text_type): - serialized_data = serialized_data.encode('utf-8') - if self._memcache_security_strategy is None: - cache_key = CACHE_KEY_TEMPLATE % token_id - data_to_store = serialized_data - else: - secret_key = self._memcache_secret_key - if isinstance(secret_key, six.string_types): - secret_key = secret_key.encode('utf-8') - security_strategy = self._memcache_security_strategy - if isinstance(security_strategy, six.string_types): - security_strategy = security_strategy.encode('utf-8') - keys = memcache_crypt.derive_keys( - token_id, secret_key, security_strategy) - cache_key = CACHE_KEY_TEMPLATE % memcache_crypt.get_cache_key(keys) - data_to_store = memcache_crypt.protect_data(keys, serialized_data) - - with self._cache_pool.reserve() as cache: - cache.set(cache_key, data_to_store, time=self._cache_time) - - -def filter_factory(global_conf, **local_conf): - """Returns a WSGI filter app for use with paste.deploy.""" - conf = global_conf.copy() - conf.update(local_conf) - - def auth_filter(app): - return AuthProtocol(app, conf) - return auth_filter - - -def app_factory(global_conf, **local_conf): - conf = global_conf.copy() - conf.update(local_conf) - return AuthProtocol(None, conf) - - -if __name__ == '__main__': - """Run this module directly to start a protected echo service:: - - $ python -m keystoneclient.middleware.auth_token - - When the ``auth_token`` module authenticates a request, the echo service - will respond with all the environment variables presented to it by this - module. - - """ - def echo_app(environ, start_response): - """A WSGI application that echoes the CGI environment to the user.""" - start_response('200 OK', [('Content-Type', 'application/json')]) - environment = dict((k, v) for k, v in six.iteritems(environ) - if k.startswith('HTTP_X_')) - yield jsonutils.dumps(environment) - - from wsgiref import simple_server - - # hardcode any non-default configuration here - conf = {'auth_protocol': 'http', 'admin_token': 'ADMIN'} - app = AuthProtocol(echo_app, conf) - server = simple_server.make_server('', 8000, app) - print('Serving on port 8000 (Ctrl+C to end)...') - server.serve_forever() diff --git a/keystoneclient/middleware/memcache_crypt.py b/keystoneclient/middleware/memcache_crypt.py deleted file mode 100644 index 40e205132..000000000 --- a/keystoneclient/middleware/memcache_crypt.py +++ /dev/null @@ -1,209 +0,0 @@ -# Copyright 2010-2013 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -""" -Utilities for memcache encryption and integrity check. - -Data should be serialized before entering these functions. Encryption -has a dependency on the pycrypto. If pycrypto is not available, -CryptoUnavailableError will be raised. - -This module will not be called unless signing or encryption is enabled -in the config. It will always validate signatures, and will decrypt -data if encryption is enabled. It is not valid to mix protection -modes. - -""" - -import base64 -import functools -import hashlib -import hmac -import math -import os -import sys - -import six - -# make sure pycrypto is available -try: - from Crypto.Cipher import AES -except ImportError: - AES = None - -HASH_FUNCTION = hashlib.sha384 -DIGEST_LENGTH = HASH_FUNCTION().digest_size -DIGEST_SPLIT = DIGEST_LENGTH // 3 -DIGEST_LENGTH_B64 = 4 * int(math.ceil(DIGEST_LENGTH / 3.0)) - - -class InvalidMacError(Exception): - """raise when unable to verify MACed data. - - This usually indicates that data had been expectedly modified in memcache. - - """ - pass - - -class DecryptError(Exception): - """raise when unable to decrypt encrypted data. - - """ - pass - - -class CryptoUnavailableError(Exception): - """raise when Python Crypto module is not available. - - """ - pass - - -def assert_crypto_availability(f): - """Ensure Crypto module is available.""" - - @functools.wraps(f) - def wrapper(*args, **kwds): - if AES is None: - raise CryptoUnavailableError() - return f(*args, **kwds) - return wrapper - - -if sys.version_info >= (3, 3): - constant_time_compare = hmac.compare_digest -else: - def constant_time_compare(first, second): - """Returns True if both string inputs are equal, otherwise False. - - This function should take a constant amount of time regardless of - how many characters in the strings match. - - """ - if len(first) != len(second): - return False - result = 0 - if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes): - for x, y in zip(first, second): - result |= x ^ y - else: - for x, y in zip(first, second): - result |= ord(x) ^ ord(y) - return result == 0 - - -def derive_keys(token, secret, strategy): - """Derives keys for MAC and ENCRYPTION from the user-provided - secret. The resulting keys should be passed to the protect and - unprotect functions. - - As suggested by NIST Special Publication 800-108, this uses the - first 128 bits from the sha384 KDF for the obscured cache key - value, the second 128 bits for the message authentication key and - the remaining 128 bits for the encryption key. - - This approach is faster than computing a separate hmac as the KDF - for each desired key. - """ - digest = hmac.new(secret, token + strategy, HASH_FUNCTION).digest() - return {'CACHE_KEY': digest[:DIGEST_SPLIT], - 'MAC': digest[DIGEST_SPLIT: 2 * DIGEST_SPLIT], - 'ENCRYPTION': digest[2 * DIGEST_SPLIT:], - 'strategy': strategy} - - -def sign_data(key, data): - """Sign the data using the defined function and the derived key.""" - mac = hmac.new(key, data, HASH_FUNCTION).digest() - return base64.b64encode(mac) - - -@assert_crypto_availability -def encrypt_data(key, data): - """Encrypt the data with the given secret key. - - Padding is n bytes of the value n, where 1 <= n <= blocksize. - """ - iv = os.urandom(16) - cipher = AES.new(key, AES.MODE_CBC, iv) - padding = 16 - len(data) % 16 - return iv + cipher.encrypt(data + six.int2byte(padding) * padding) - - -@assert_crypto_availability -def decrypt_data(key, data): - """Decrypt the data with the given secret key.""" - iv = data[:16] - cipher = AES.new(key, AES.MODE_CBC, iv) - try: - result = cipher.decrypt(data[16:]) - except Exception: - raise DecryptError('Encrypted data appears to be corrupted.') - - # Strip the last n padding bytes where n is the last value in - # the plaintext - return result[:-1 * six.byte2int([result[-1]])] - - -def protect_data(keys, data): - """Given keys and serialized data, returns an appropriately - protected string suitable for storage in the cache. - - """ - if keys['strategy'] == b'ENCRYPT': - data = encrypt_data(keys['ENCRYPTION'], data) - - encoded_data = base64.b64encode(data) - - signature = sign_data(keys['MAC'], encoded_data) - return signature + encoded_data - - -def unprotect_data(keys, signed_data): - """Given keys and cached string data, verifies the signature, - decrypts if necessary, and returns the original serialized data. - - """ - # cache backends return None when no data is found. We don't mind - # that this particular special value is unsigned. - if signed_data is None: - return None - - # First we calculate the signature - provided_mac = signed_data[:DIGEST_LENGTH_B64] - calculated_mac = sign_data( - keys['MAC'], - signed_data[DIGEST_LENGTH_B64:]) - - # Then verify that it matches the provided value - if not constant_time_compare(provided_mac, calculated_mac): - raise InvalidMacError('Invalid MAC; data appears to be corrupted.') - - data = base64.b64decode(signed_data[DIGEST_LENGTH_B64:]) - - # then if necessary decrypt the data - if keys['strategy'] == b'ENCRYPT': - data = decrypt_data(keys['ENCRYPTION'], data) - - return data - - -def get_cache_key(keys): - """Given keys generated by derive_keys(), returns a base64 - encoded value suitable for use as a cache key in memcached. - - """ - return base64.b64encode(keys['CACHE_KEY']) diff --git a/keystoneclient/middleware/s3_token.py b/keystoneclient/middleware/s3_token.py deleted file mode 100644 index 50d0f1cbe..000000000 --- a/keystoneclient/middleware/s3_token.py +++ /dev/null @@ -1,268 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# Copyright 2011,2012 Akira YOSHIYAMA -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -# This source code is based ./auth_token.py and ./ec2_token.py. -# See them for their copyright. - -""" -S3 TOKEN MIDDLEWARE - -This WSGI component: - -* Get a request from the swift3 middleware with an S3 Authorization - access key. -* Validate s3 token in Keystone. -* Transform the account name to AUTH_%(tenant_name). - -""" - -import logging - -import requests -import six -from six.moves import urllib -import webob - -from keystoneclient.openstack.common import jsonutils - - -PROTOCOL_NAME = 'S3 Token Authentication' - - -# TODO(kun): remove it after oslo merge this. -def split_path(path, minsegs=1, maxsegs=None, rest_with_last=False): - """Validate and split the given HTTP request path. - - **Examples**:: - - ['a'] = split_path('/a') - ['a', None] = split_path('/a', 1, 2) - ['a', 'c'] = split_path('/a/c', 1, 2) - ['a', 'c', 'o/r'] = split_path('/a/c/o/r', 1, 3, True) - - :param path: HTTP Request path to be split - :param minsegs: Minimum number of segments to be extracted - :param maxsegs: Maximum number of segments to be extracted - :param rest_with_last: If True, trailing data will be returned as part - of last segment. If False, and there is - trailing data, raises ValueError. - :returns: list of segments with a length of maxsegs (non-existent - segments will return as None) - :raises: ValueError if given an invalid path - """ - if not maxsegs: - maxsegs = minsegs - if minsegs > maxsegs: - raise ValueError('minsegs > maxsegs: %d > %d' % (minsegs, maxsegs)) - if rest_with_last: - segs = path.split('/', maxsegs) - minsegs += 1 - maxsegs += 1 - count = len(segs) - if (segs[0] or count < minsegs or count > maxsegs or - '' in segs[1:minsegs]): - raise ValueError('Invalid path: %s' % urllib.parse.quote(path)) - else: - minsegs += 1 - maxsegs += 1 - segs = path.split('/', maxsegs) - count = len(segs) - if (segs[0] or count < minsegs or count > maxsegs + 1 or - '' in segs[1:minsegs] or - (count == maxsegs + 1 and segs[maxsegs])): - raise ValueError('Invalid path: %s' % urllib.parse.quote(path)) - segs = segs[1:maxsegs] - segs.extend([None] * (maxsegs - 1 - len(segs))) - return segs - - -class ServiceError(Exception): - pass - - -class S3Token(object): - """Auth Middleware that handles S3 authenticating client calls.""" - - def __init__(self, app, conf): - """Common initialization code.""" - self.app = app - self.logger = logging.getLogger(conf.get('log_name', __name__)) - self.logger.debug('Starting the %s component', PROTOCOL_NAME) - self.logger.warning( - 'This middleware module is deprecated as of v0.11.0 in favor of ' - 'keystonemiddleware.s3_token - please update your WSGI pipeline ' - 'to reference the new middleware package.') - self.reseller_prefix = conf.get('reseller_prefix', 'AUTH_') - # where to find the auth service (we use this to validate tokens) - - auth_host = conf.get('auth_host') - auth_port = int(conf.get('auth_port', 35357)) - auth_protocol = conf.get('auth_protocol', 'https') - - self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port) - - # SSL - insecure = conf.get('insecure', False) - cert_file = conf.get('certfile') - key_file = conf.get('keyfile') - - if insecure: - self.verify = False - elif cert_file and key_file: - self.verify = (cert_file, key_file) - elif cert_file: - self.verify = cert_file - else: - self.verify = None - - def deny_request(self, code): - error_table = { - 'AccessDenied': (401, 'Access denied'), - 'InvalidURI': (400, 'Could not parse the specified URI'), - } - resp = webob.Response(content_type='text/xml') - resp.status = error_table[code][0] - error_msg = ('\r\n' - '\r\n %s\r\n ' - '%s\r\n\r\n' % - (code, error_table[code][1])) - if six.PY3: - error_msg = error_msg.encode() - resp.body = error_msg - return resp - - def _json_request(self, creds_json): - headers = {'Content-Type': 'application/json'} - try: - response = requests.post('%s/v2.0/s3tokens' % self.request_uri, - headers=headers, data=creds_json, - verify=self.verify) - except requests.exceptions.RequestException as e: - self.logger.info('HTTP connection exception: %s', e) - resp = self.deny_request('InvalidURI') - raise ServiceError(resp) - - if response.status_code < 200 or response.status_code >= 300: - self.logger.debug('Keystone reply error: status=%s reason=%s', - response.status_code, response.reason) - resp = self.deny_request('AccessDenied') - raise ServiceError(resp) - - return response - - def __call__(self, environ, start_response): - """Handle incoming request. authenticate and send downstream.""" - req = webob.Request(environ) - self.logger.debug('Calling S3Token middleware.') - - try: - parts = split_path(req.path, 1, 4, True) - version, account, container, obj = parts - except ValueError: - msg = 'Not a path query, skipping.' - self.logger.debug(msg) - return self.app(environ, start_response) - - # Read request signature and access id. - if 'Authorization' not in req.headers: - msg = 'No Authorization header. skipping.' - self.logger.debug(msg) - return self.app(environ, start_response) - - token = req.headers.get('X-Auth-Token', - req.headers.get('X-Storage-Token')) - if not token: - msg = 'You did not specify an auth or a storage token. skipping.' - self.logger.debug(msg) - return self.app(environ, start_response) - - auth_header = req.headers['Authorization'] - try: - access, signature = auth_header.split(' ')[-1].rsplit(':', 1) - except ValueError: - msg = 'You have an invalid Authorization header: %s' - self.logger.debug(msg, auth_header) - return self.deny_request('InvalidURI')(environ, start_response) - - # NOTE(chmou): This is to handle the special case with nova - # when we have the option s3_affix_tenant. We will force it to - # connect to another account than the one - # authenticated. Before people start getting worried about - # security, I should point that we are connecting with - # username/token specified by the user but instead of - # connecting to its own account we will force it to go to an - # another account. In a normal scenario if that user don't - # have the reseller right it will just fail but since the - # reseller account can connect to every account it is allowed - # by the swift_auth middleware. - force_tenant = None - if ':' in access: - access, force_tenant = access.split(':') - - # Authenticate request. - creds = {'credentials': {'access': access, - 'token': token, - 'signature': signature}} - creds_json = jsonutils.dumps(creds) - self.logger.debug('Connecting to Keystone sending this JSON: %s', - creds_json) - # NOTE(vish): We could save a call to keystone by having - # keystone return token, tenant, user, and roles - # from this call. - # - # NOTE(chmou): We still have the same problem we would need to - # change token_auth to detect if we already - # identified and not doing a second query and just - # pass it through to swiftauth in this case. - try: - resp = self._json_request(creds_json) - except ServiceError as e: - resp = e.args[0] - msg = 'Received error, exiting middleware with error: %s' - self.logger.debug(msg, resp.status_code) - return resp(environ, start_response) - - self.logger.debug('Keystone Reply: Status: %d, Output: %s', - resp.status_code, resp.content) - - try: - identity_info = resp.json() - token_id = str(identity_info['access']['token']['id']) - tenant = identity_info['access']['token']['tenant'] - except (ValueError, KeyError): - error = 'Error on keystone reply: %d %s' - self.logger.debug(error, resp.status_code, resp.content) - return self.deny_request('InvalidURI')(environ, start_response) - - req.headers['X-Auth-Token'] = token_id - tenant_to_connect = force_tenant or tenant['id'] - self.logger.debug('Connecting with tenant: %s', tenant_to_connect) - new_tenant_name = '%s%s' % (self.reseller_prefix, tenant_to_connect) - environ['PATH_INFO'] = environ['PATH_INFO'].replace(account, - new_tenant_name) - return self.app(environ, start_response) - - -def filter_factory(global_conf, **local_conf): - """Returns a WSGI filter app for use with paste.deploy.""" - conf = global_conf.copy() - conf.update(local_conf) - - def auth_filter(app): - return S3Token(app, conf) - return auth_filter diff --git a/keystoneclient/openstack/common/apiclient/auth.py b/keystoneclient/openstack/common/apiclient/auth.py deleted file mode 100644 index e68990d57..000000000 --- a/keystoneclient/openstack/common/apiclient/auth.py +++ /dev/null @@ -1,221 +0,0 @@ -# Copyright 2013 OpenStack Foundation -# Copyright 2013 Spanish National Research Council. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -# E0202: An attribute inherited from %s hide this method -# pylint: disable=E0202 - -import abc -import argparse -import os - -import six -from stevedore import extension - -from keystoneclient.openstack.common.apiclient import exceptions - - -_discovered_plugins = {} - - -def discover_auth_systems(): - """Discover the available auth-systems. - - This won't take into account the old style auth-systems. - """ - global _discovered_plugins - _discovered_plugins = {} - - def add_plugin(ext): - _discovered_plugins[ext.name] = ext.plugin - - ep_namespace = "keystoneclient.openstack.common.apiclient.auth" - mgr = extension.ExtensionManager(ep_namespace) - mgr.map(add_plugin) - - -def load_auth_system_opts(parser): - """Load options needed by the available auth-systems into a parser. - - This function will try to populate the parser with options from the - available plugins. - """ - group = parser.add_argument_group("Common auth options") - BaseAuthPlugin.add_common_opts(group) - for name, auth_plugin in six.iteritems(_discovered_plugins): - group = parser.add_argument_group( - "Auth-system '%s' options" % name, - conflict_handler="resolve") - auth_plugin.add_opts(group) - - -def load_plugin(auth_system): - try: - plugin_class = _discovered_plugins[auth_system] - except KeyError: - raise exceptions.AuthSystemNotFound(auth_system) - return plugin_class(auth_system=auth_system) - - -def load_plugin_from_args(args): - """Load required plugin and populate it with options. - - Try to guess auth system if it is not specified. Systems are tried in - alphabetical order. - - :type args: argparse.Namespace - :raises: AuthPluginOptionsMissing - """ - auth_system = args.os_auth_system - if auth_system: - plugin = load_plugin(auth_system) - plugin.parse_opts(args) - plugin.sufficient_options() - return plugin - - for plugin_auth_system in sorted(six.iterkeys(_discovered_plugins)): - plugin_class = _discovered_plugins[plugin_auth_system] - plugin = plugin_class() - plugin.parse_opts(args) - try: - plugin.sufficient_options() - except exceptions.AuthPluginOptionsMissing: - continue - return plugin - raise exceptions.AuthPluginOptionsMissing(["auth_system"]) - - -@six.add_metaclass(abc.ABCMeta) -class BaseAuthPlugin(object): - """Base class for authentication plugins. - - An authentication plugin needs to override at least the authenticate - method to be a valid plugin. - """ - - auth_system = None - opt_names = [] - common_opt_names = [ - "auth_system", - "username", - "password", - "tenant_name", - "token", - "auth_url", - ] - - def __init__(self, auth_system=None, **kwargs): - self.auth_system = auth_system or self.auth_system - self.opts = dict((name, kwargs.get(name)) - for name in self.opt_names) - - @staticmethod - def _parser_add_opt(parser, opt): - """Add an option to parser in two variants. - - :param opt: option name (with underscores) - """ - dashed_opt = opt.replace("_", "-") - env_var = "OS_%s" % opt.upper() - arg_default = os.environ.get(env_var, "") - arg_help = "Defaults to env[%s]." % env_var - parser.add_argument( - "--os-%s" % dashed_opt, - metavar="<%s>" % dashed_opt, - default=arg_default, - help=arg_help) - parser.add_argument( - "--os_%s" % opt, - metavar="<%s>" % dashed_opt, - help=argparse.SUPPRESS) - - @classmethod - def add_opts(cls, parser): - """Populate the parser with the options for this plugin. - """ - for opt in cls.opt_names: - # use `BaseAuthPlugin.common_opt_names` since it is never - # changed in child classes - if opt not in BaseAuthPlugin.common_opt_names: - cls._parser_add_opt(parser, opt) - - @classmethod - def add_common_opts(cls, parser): - """Add options that are common for several plugins. - """ - for opt in cls.common_opt_names: - cls._parser_add_opt(parser, opt) - - @staticmethod - def get_opt(opt_name, args): - """Return option name and value. - - :param opt_name: name of the option, e.g., "username" - :param args: parsed arguments - """ - return (opt_name, getattr(args, "os_%s" % opt_name, None)) - - def parse_opts(self, args): - """Parse the actual auth-system options if any. - - This method is expected to populate the attribute `self.opts` with a - dict containing the options and values needed to make authentication. - """ - self.opts.update(dict(self.get_opt(opt_name, args) - for opt_name in self.opt_names)) - - def authenticate(self, http_client): - """Authenticate using plugin defined method. - - The method usually analyses `self.opts` and performs - a request to authentication server. - - :param http_client: client object that needs authentication - :type http_client: HTTPClient - :raises: AuthorizationFailure - """ - self.sufficient_options() - self._do_authenticate(http_client) - - @abc.abstractmethod - def _do_authenticate(self, http_client): - """Protected method for authentication. - """ - - def sufficient_options(self): - """Check if all required options are present. - - :raises: AuthPluginOptionsMissing - """ - missing = [opt - for opt in self.opt_names - if not self.opts.get(opt)] - if missing: - raise exceptions.AuthPluginOptionsMissing(missing) - - @abc.abstractmethod - def token_and_endpoint(self, endpoint_type, service_type): - """Return token and endpoint. - - :param service_type: Service type of the endpoint - :type service_type: string - :param endpoint_type: Type of endpoint. - Possible values: public or publicURL, - internal or internalURL, - admin or adminURL - :type endpoint_type: string - :returns: tuple of token and endpoint strings - :raises: EndpointException - """ diff --git a/keystoneclient/openstack/common/apiclient/base.py b/keystoneclient/openstack/common/apiclient/base.py deleted file mode 100644 index 511fd732c..000000000 --- a/keystoneclient/openstack/common/apiclient/base.py +++ /dev/null @@ -1,525 +0,0 @@ -# Copyright 2010 Jacob Kaplan-Moss -# Copyright 2011 OpenStack Foundation -# Copyright 2012 Grid Dynamics -# Copyright 2013 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Base utilities to build API operation managers and objects on top of. -""" - -# E1102: %s is not callable -# pylint: disable=E1102 - -import abc -import copy - -import six -from six.moves.urllib import parse - -from keystoneclient.openstack.common.apiclient import exceptions -from keystoneclient.openstack.common.gettextutils import _ -from keystoneclient.openstack.common import strutils -from keystoneclient.openstack.common import uuidutils - - -def getid(obj): - """Return id if argument is a Resource. - - Abstracts the common pattern of allowing both an object or an object's ID - (UUID) as a parameter when dealing with relationships. - """ - try: - if obj.uuid: - return obj.uuid - except AttributeError: - pass - try: - return obj.id - except AttributeError: - return obj - - -# TODO(aababilov): call run_hooks() in HookableMixin's child classes -class HookableMixin(object): - """Mixin so classes can register and run hooks.""" - _hooks_map = {} - - @classmethod - def add_hook(cls, hook_type, hook_func): - """Add a new hook of specified type. - - :param cls: class that registers hooks - :param hook_type: hook type, e.g., '__pre_parse_args__' - :param hook_func: hook function - """ - if hook_type not in cls._hooks_map: - cls._hooks_map[hook_type] = [] - - cls._hooks_map[hook_type].append(hook_func) - - @classmethod - def run_hooks(cls, hook_type, *args, **kwargs): - """Run all hooks of specified type. - - :param cls: class that registers hooks - :param hook_type: hook type, e.g., '__pre_parse_args__' - :param args: args to be passed to every hook function - :param kwargs: kwargs to be passed to every hook function - """ - hook_funcs = cls._hooks_map.get(hook_type) or [] - for hook_func in hook_funcs: - hook_func(*args, **kwargs) - - -class BaseManager(HookableMixin): - """Basic manager type providing common operations. - - Managers interact with a particular type of API (servers, flavors, images, - etc.) and provide CRUD operations for them. - """ - resource_class = None - - def __init__(self, client): - """Initializes BaseManager with `client`. - - :param client: instance of BaseClient descendant for HTTP requests - """ - super(BaseManager, self).__init__() - self.client = client - - def _list(self, url, response_key, obj_class=None, json=None): - """List the collection. - - :param url: a partial URL, e.g., '/servers' - :param response_key: the key to be looked up in response dictionary, - e.g., 'servers' - :param obj_class: class for constructing the returned objects - (self.resource_class will be used by default) - :param json: data that will be encoded as JSON and passed in POST - request (GET will be sent by default) - """ - if json: - body = self.client.post(url, json=json).json() - else: - body = self.client.get(url).json() - - if obj_class is None: - obj_class = self.resource_class - - data = body[response_key] - # NOTE(ja): keystone returns values as list as {'values': [ ... ]} - # unlike other services which just return the list... - try: - data = data['values'] - except (KeyError, TypeError): - pass - - return [obj_class(self, res, loaded=True) for res in data if res] - - def _get(self, url, response_key): - """Get an object from collection. - - :param url: a partial URL, e.g., '/servers' - :param response_key: the key to be looked up in response dictionary, - e.g., 'server' - """ - body = self.client.get(url).json() - return self.resource_class(self, body[response_key], loaded=True) - - def _head(self, url): - """Retrieve request headers for an object. - - :param url: a partial URL, e.g., '/servers' - """ - resp = self.client.head(url) - return resp.status_code == 204 - - def _post(self, url, json, response_key, return_raw=False): - """Create an object. - - :param url: a partial URL, e.g., '/servers' - :param json: data that will be encoded as JSON and passed in POST - request (GET will be sent by default) - :param response_key: the key to be looked up in response dictionary, - e.g., 'servers' - :param return_raw: flag to force returning raw JSON instead of - Python object of self.resource_class - """ - body = self.client.post(url, json=json).json() - if return_raw: - return body[response_key] - return self.resource_class(self, body[response_key]) - - def _put(self, url, json=None, response_key=None): - """Update an object with PUT method. - - :param url: a partial URL, e.g., '/servers' - :param json: data that will be encoded as JSON and passed in POST - request (GET will be sent by default) - :param response_key: the key to be looked up in response dictionary, - e.g., 'servers' - """ - resp = self.client.put(url, json=json) - # PUT requests may not return a body - if resp.content: - body = resp.json() - if response_key is not None: - return self.resource_class(self, body[response_key]) - else: - return self.resource_class(self, body) - - def _patch(self, url, json=None, response_key=None): - """Update an object with PATCH method. - - :param url: a partial URL, e.g., '/servers' - :param json: data that will be encoded as JSON and passed in POST - request (GET will be sent by default) - :param response_key: the key to be looked up in response dictionary, - e.g., 'servers' - """ - body = self.client.patch(url, json=json).json() - if response_key is not None: - return self.resource_class(self, body[response_key]) - else: - return self.resource_class(self, body) - - def _delete(self, url): - """Delete an object. - - :param url: a partial URL, e.g., '/servers/my-server' - """ - return self.client.delete(url) - - -@six.add_metaclass(abc.ABCMeta) -class ManagerWithFind(BaseManager): - """Manager with additional `find()`/`findall()` methods.""" - - @abc.abstractmethod - def list(self): - pass - - def find(self, **kwargs): - """Find a single item with attributes matching ``**kwargs``. - - This isn't very efficient: it loads the entire list then filters on - the Python side. - """ - matches = self.findall(**kwargs) - num_matches = len(matches) - if num_matches == 0: - msg = _("No %(name)s matching %(args)s.") % { - 'name': self.resource_class.__name__, - 'args': kwargs - } - raise exceptions.NotFound(msg) - elif num_matches > 1: - raise exceptions.NoUniqueMatch() - else: - return matches[0] - - def findall(self, **kwargs): - """Find all items with attributes matching ``**kwargs``. - - This isn't very efficient: it loads the entire list then filters on - the Python side. - """ - found = [] - searches = kwargs.items() - - for obj in self.list(): - try: - if all(getattr(obj, attr) == value - for (attr, value) in searches): - found.append(obj) - except AttributeError: - continue - - return found - - -class CrudManager(BaseManager): - """Base manager class for manipulating entities. - - Children of this class are expected to define a `collection_key` and `key`. - - - `collection_key`: Usually a plural noun by convention (e.g. `entities`); - used to refer collections in both URL's (e.g. `/v3/entities`) and JSON - objects containing a list of member resources (e.g. `{'entities': [{}, - {}, {}]}`). - - `key`: Usually a singular noun by convention (e.g. `entity`); used to - refer to an individual member of the collection. - - """ - collection_key = None - key = None - - def build_url(self, base_url=None, **kwargs): - """Builds a resource URL for the given kwargs. - - Given an example collection where `collection_key = 'entities'` and - `key = 'entity'`, the following URL's could be generated. - - By default, the URL will represent a collection of entities, e.g.:: - - /entities - - If kwargs contains an `entity_id`, then the URL will represent a - specific member, e.g.:: - - /entities/{entity_id} - - :param base_url: if provided, the generated URL will be appended to it - """ - url = base_url if base_url is not None else '' - - url += '/%s' % self.collection_key - - # do we have a specific entity? - entity_id = kwargs.get('%s_id' % self.key) - if entity_id is not None: - url += '/%s' % entity_id - - return url - - def _filter_kwargs(self, kwargs): - """Drop null values and handle ids.""" - for key, ref in six.iteritems(kwargs.copy()): - if ref is None: - kwargs.pop(key) - else: - if isinstance(ref, Resource): - kwargs.pop(key) - kwargs['%s_id' % key] = getid(ref) - return kwargs - - def create(self, **kwargs): - kwargs = self._filter_kwargs(kwargs) - return self._post( - self.build_url(**kwargs), - {self.key: kwargs}, - self.key) - - def get(self, **kwargs): - kwargs = self._filter_kwargs(kwargs) - return self._get( - self.build_url(**kwargs), - self.key) - - def head(self, **kwargs): - kwargs = self._filter_kwargs(kwargs) - return self._head(self.build_url(**kwargs)) - - def list(self, base_url=None, **kwargs): - """List the collection. - - :param base_url: if provided, the generated URL will be appended to it - """ - kwargs = self._filter_kwargs(kwargs) - - return self._list( - '%(base_url)s%(query)s' % { - 'base_url': self.build_url(base_url=base_url, **kwargs), - 'query': '?%s' % parse.urlencode(kwargs) if kwargs else '', - }, - self.collection_key) - - def put(self, base_url=None, **kwargs): - """Update an element. - - :param base_url: if provided, the generated URL will be appended to it - """ - kwargs = self._filter_kwargs(kwargs) - - return self._put(self.build_url(base_url=base_url, **kwargs)) - - def update(self, **kwargs): - kwargs = self._filter_kwargs(kwargs) - params = kwargs.copy() - params.pop('%s_id' % self.key) - - return self._patch( - self.build_url(**kwargs), - {self.key: params}, - self.key) - - def delete(self, **kwargs): - kwargs = self._filter_kwargs(kwargs) - - return self._delete( - self.build_url(**kwargs)) - - def find(self, base_url=None, **kwargs): - """Find a single item with attributes matching ``**kwargs``. - - :param base_url: if provided, the generated URL will be appended to it - """ - kwargs = self._filter_kwargs(kwargs) - - rl = self._list( - '%(base_url)s%(query)s' % { - 'base_url': self.build_url(base_url=base_url, **kwargs), - 'query': '?%s' % parse.urlencode(kwargs) if kwargs else '', - }, - self.collection_key) - num = len(rl) - - if num == 0: - msg = _("No %(name)s matching %(args)s.") % { - 'name': self.resource_class.__name__, - 'args': kwargs - } - raise exceptions.NotFound(404, msg) - elif num > 1: - raise exceptions.NoUniqueMatch - else: - return rl[0] - - -class Extension(HookableMixin): - """Extension descriptor.""" - - SUPPORTED_HOOKS = ('__pre_parse_args__', '__post_parse_args__') - manager_class = None - - def __init__(self, name, module): - super(Extension, self).__init__() - self.name = name - self.module = module - self._parse_extension_module() - - def _parse_extension_module(self): - self.manager_class = None - for attr_name, attr_value in self.module.__dict__.items(): - if attr_name in self.SUPPORTED_HOOKS: - self.add_hook(attr_name, attr_value) - else: - try: - if issubclass(attr_value, BaseManager): - self.manager_class = attr_value - except TypeError: - pass - - def __repr__(self): - return "" % self.name - - -class Resource(object): - """Base class for OpenStack resources (tenant, user, etc.). - - This is pretty much just a bag for attributes. - """ - - HUMAN_ID = False - NAME_ATTR = 'name' - - def __init__(self, manager, info, loaded=False): - """Populate and bind to a manager. - - :param manager: BaseManager object - :param info: dictionary representing resource attributes - :param loaded: prevent lazy-loading if set to True - """ - self.manager = manager - self._info = info - self._add_details(info) - self._loaded = loaded - self._init_completion_cache() - - def _init_completion_cache(self): - cache_write = getattr(self.manager, 'write_to_completion_cache', None) - if not cache_write: - return - - # NOTE(sirp): ensure `id` is already present because if it isn't we'll - # enter an infinite loop of __getattr__ -> get -> __init__ -> - # __getattr__ -> ... - if 'id' in self.__dict__ and uuidutils.is_uuid_like(self.id): - cache_write('uuid', self.id) - - if self.human_id: - cache_write('human_id', self.human_id) - - def __repr__(self): - reprkeys = sorted(k - for k in self.__dict__.keys() - if k[0] != '_' and k != 'manager') - info = ", ".join("%s=%s" % (k, getattr(self, k)) for k in reprkeys) - return "<%s %s>" % (self.__class__.__name__, info) - - @property - def human_id(self): - """Human-readable ID which can be used for bash completion. - """ - if self.HUMAN_ID: - name = getattr(self, self.NAME_ATTR, None) - if name is not None: - return strutils.to_slug(name) - return None - - def _add_details(self, info): - for (k, v) in six.iteritems(info): - try: - setattr(self, k, v) - self._info[k] = v - except AttributeError: - # In this case we already defined the attribute on the class - pass - - def __getattr__(self, k): - if k not in self.__dict__: - # NOTE(bcwaldon): disallow lazy-loading if already loaded once - if not self.is_loaded(): - self.get() - return self.__getattr__(k) - - raise AttributeError(k) - else: - return self.__dict__[k] - - def get(self): - """Support for lazy loading details. - - Some clients, such as novaclient have the option to lazy load the - details, details which can be loaded with this function. - """ - # set_loaded() first ... so if we have to bail, we know we tried. - self.set_loaded(True) - if not hasattr(self.manager, 'get'): - return - - new = self.manager.get(self.id) - if new: - self._add_details(new._info) - - def __eq__(self, other): - if not isinstance(other, Resource): - return NotImplemented - # two resources of different types are not equal - if not isinstance(other, self.__class__): - return False - if hasattr(self, 'id') and hasattr(other, 'id'): - return self.id == other.id - return self._info == other._info - - def is_loaded(self): - return self._loaded - - def set_loaded(self, val): - self._loaded = val - - def to_dict(self): - return copy.deepcopy(self._info) diff --git a/keystoneclient/openstack/common/apiclient/client.py b/keystoneclient/openstack/common/apiclient/client.py deleted file mode 100644 index ed0fbc8e6..000000000 --- a/keystoneclient/openstack/common/apiclient/client.py +++ /dev/null @@ -1,364 +0,0 @@ -# Copyright 2010 Jacob Kaplan-Moss -# Copyright 2011 OpenStack Foundation -# Copyright 2011 Piston Cloud Computing, Inc. -# Copyright 2013 Alessio Ababilov -# Copyright 2013 Grid Dynamics -# Copyright 2013 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -OpenStack Client interface. Handles the REST calls and responses. -""" - -# E0202: An attribute inherited from %s hide this method -# pylint: disable=E0202 - -import logging -import time - -try: - import simplejson as json -except ImportError: - import json - -import requests - -from keystoneclient.openstack.common.apiclient import exceptions -from keystoneclient.openstack.common.gettextutils import _ -from keystoneclient.openstack.common import importutils - - -_logger = logging.getLogger(__name__) - - -class HTTPClient(object): - """This client handles sending HTTP requests to OpenStack servers. - - Features: - - - share authentication information between several clients to different - services (e.g., for compute and image clients); - - reissue authentication request for expired tokens; - - encode/decode JSON bodies; - - raise exceptions on HTTP errors; - - pluggable authentication; - - store authentication information in a keyring; - - store time spent for requests; - - register clients for particular services, so one can use - `http_client.identity` or `http_client.compute`; - - log requests and responses in a format that is easy to copy-and-paste - into terminal and send the same request with curl. - """ - - user_agent = "keystoneclient.openstack.common.apiclient" - - def __init__(self, - auth_plugin, - region_name=None, - endpoint_type="publicURL", - original_ip=None, - verify=True, - cert=None, - timeout=None, - timings=False, - keyring_saver=None, - debug=False, - user_agent=None, - http=None): - self.auth_plugin = auth_plugin - - self.endpoint_type = endpoint_type - self.region_name = region_name - - self.original_ip = original_ip - self.timeout = timeout - self.verify = verify - self.cert = cert - - self.keyring_saver = keyring_saver - self.debug = debug - self.user_agent = user_agent or self.user_agent - - self.times = [] # [("item", starttime, endtime), ...] - self.timings = timings - - # requests within the same session can reuse TCP connections from pool - self.http = http or requests.Session() - - self.cached_token = None - - def _http_log_req(self, method, url, kwargs): - if not self.debug: - return - - string_parts = [ - "curl -i", - "-X '%s'" % method, - "'%s'" % url, - ] - - for element in kwargs['headers']: - header = "-H '%s: %s'" % (element, kwargs['headers'][element]) - string_parts.append(header) - - _logger.debug("REQ: %s" % " ".join(string_parts)) - if 'data' in kwargs: - _logger.debug("REQ BODY: %s\n" % (kwargs['data'])) - - def _http_log_resp(self, resp): - if not self.debug: - return - _logger.debug( - "RESP: [%s] %s\n", - resp.status_code, - resp.headers) - if resp._content_consumed: - _logger.debug( - "RESP BODY: %s\n", - resp.text) - - def serialize(self, kwargs): - if kwargs.get('json') is not None: - kwargs['headers']['Content-Type'] = 'application/json' - kwargs['data'] = json.dumps(kwargs['json']) - try: - del kwargs['json'] - except KeyError: - pass - - def get_timings(self): - return self.times - - def reset_timings(self): - self.times = [] - - def request(self, method, url, **kwargs): - """Send an http request with the specified characteristics. - - Wrapper around `requests.Session.request` to handle tasks such as - setting headers, JSON encoding/decoding, and error handling. - - :param method: method of HTTP request - :param url: URL of HTTP request - :param kwargs: any other parameter that can be passed to - requests.Session.request (such as `headers`) or `json` - that will be encoded as JSON and used as `data` argument - """ - kwargs.setdefault("headers", kwargs.get("headers", {})) - kwargs["headers"]["User-Agent"] = self.user_agent - if self.original_ip: - kwargs["headers"]["Forwarded"] = "for=%s;by=%s" % ( - self.original_ip, self.user_agent) - if self.timeout is not None: - kwargs.setdefault("timeout", self.timeout) - kwargs.setdefault("verify", self.verify) - if self.cert is not None: - kwargs.setdefault("cert", self.cert) - self.serialize(kwargs) - - self._http_log_req(method, url, kwargs) - if self.timings: - start_time = time.time() - resp = self.http.request(method, url, **kwargs) - if self.timings: - self.times.append(("%s %s" % (method, url), - start_time, time.time())) - self._http_log_resp(resp) - - if resp.status_code >= 400: - _logger.debug( - "Request returned failure status: %s", - resp.status_code) - raise exceptions.from_response(resp, method, url) - - return resp - - @staticmethod - def concat_url(endpoint, url): - """Concatenate endpoint and final URL. - - E.g., "http://keystone/v2.0/" and "/tokens" are concatenated to - "http://keystone/v2.0/tokens". - - :param endpoint: the base URL - :param url: the final URL - """ - return "%s/%s" % (endpoint.rstrip("/"), url.strip("/")) - - def client_request(self, client, method, url, **kwargs): - """Send an http request using `client`'s endpoint and specified `url`. - - If request was rejected as unauthorized (possibly because the token is - expired), issue one authorization attempt and send the request once - again. - - :param client: instance of BaseClient descendant - :param method: method of HTTP request - :param url: URL of HTTP request - :param kwargs: any other parameter that can be passed to - `HTTPClient.request` - """ - - filter_args = { - "endpoint_type": client.endpoint_type or self.endpoint_type, - "service_type": client.service_type, - } - token, endpoint = (self.cached_token, client.cached_endpoint) - just_authenticated = False - if not (token and endpoint): - try: - token, endpoint = self.auth_plugin.token_and_endpoint( - **filter_args) - except exceptions.EndpointException: - pass - if not (token and endpoint): - self.authenticate() - just_authenticated = True - token, endpoint = self.auth_plugin.token_and_endpoint( - **filter_args) - if not (token and endpoint): - raise exceptions.AuthorizationFailure( - _("Cannot find endpoint or token for request")) - - old_token_endpoint = (token, endpoint) - kwargs.setdefault("headers", {})["X-Auth-Token"] = token - self.cached_token = token - client.cached_endpoint = endpoint - # Perform the request once. If we get Unauthorized, then it - # might be because the auth token expired, so try to - # re-authenticate and try again. If it still fails, bail. - try: - return self.request( - method, self.concat_url(endpoint, url), **kwargs) - except exceptions.Unauthorized as unauth_ex: - if just_authenticated: - raise - self.cached_token = None - client.cached_endpoint = None - self.authenticate() - try: - token, endpoint = self.auth_plugin.token_and_endpoint( - **filter_args) - except exceptions.EndpointException: - raise unauth_ex - if (not (token and endpoint) or - old_token_endpoint == (token, endpoint)): - raise unauth_ex - self.cached_token = token - client.cached_endpoint = endpoint - kwargs["headers"]["X-Auth-Token"] = token - return self.request( - method, self.concat_url(endpoint, url), **kwargs) - - def add_client(self, base_client_instance): - """Add a new instance of :class:`BaseClient` descendant. - - `self` will store a reference to `base_client_instance`. - - Example: - - >>> def test_clients(): - ... from keystoneclient.auth import keystone - ... from openstack.common.apiclient import client - ... auth = keystone.KeystoneAuthPlugin( - ... username="user", password="pass", tenant_name="tenant", - ... auth_url="http://auth:5000/v2.0") - ... openstack_client = client.HTTPClient(auth) - ... # create nova client - ... from novaclient.v1_1 import client - ... client.Client(openstack_client) - ... # create keystone client - ... from keystoneclient.v2_0 import client - ... client.Client(openstack_client) - ... # use them - ... openstack_client.identity.tenants.list() - ... openstack_client.compute.servers.list() - """ - service_type = base_client_instance.service_type - if service_type and not hasattr(self, service_type): - setattr(self, service_type, base_client_instance) - - def authenticate(self): - self.auth_plugin.authenticate(self) - # Store the authentication results in the keyring for later requests - if self.keyring_saver: - self.keyring_saver.save(self) - - -class BaseClient(object): - """Top-level object to access the OpenStack API. - - This client uses :class:`HTTPClient` to send requests. :class:`HTTPClient` - will handle a bunch of issues such as authentication. - """ - - service_type = None - endpoint_type = None # "publicURL" will be used - cached_endpoint = None - - def __init__(self, http_client, extensions=None): - self.http_client = http_client - http_client.add_client(self) - - # Add in any extensions... - if extensions: - for extension in extensions: - if extension.manager_class: - setattr(self, extension.name, - extension.manager_class(self)) - - def client_request(self, method, url, **kwargs): - return self.http_client.client_request( - self, method, url, **kwargs) - - def head(self, url, **kwargs): - return self.client_request("HEAD", url, **kwargs) - - def get(self, url, **kwargs): - return self.client_request("GET", url, **kwargs) - - def post(self, url, **kwargs): - return self.client_request("POST", url, **kwargs) - - def put(self, url, **kwargs): - return self.client_request("PUT", url, **kwargs) - - def delete(self, url, **kwargs): - return self.client_request("DELETE", url, **kwargs) - - def patch(self, url, **kwargs): - return self.client_request("PATCH", url, **kwargs) - - @staticmethod - def get_class(api_name, version, version_map): - """Returns the client class for the requested API version - - :param api_name: the name of the API, e.g. 'compute', 'image', etc - :param version: the requested API version - :param version_map: a dict of client classes keyed by version - :rtype: a client class for the requested API version - """ - try: - client_path = version_map[str(version)] - except (KeyError, ValueError): - msg = _("Invalid %(api_name)s client version '%(version)s'. " - "Must be one of: %(version_map)s") % { - 'api_name': api_name, - 'version': version, - 'version_map': ', '.join(version_map.keys()) - } - raise exceptions.UnsupportedVersion(msg) - - return importutils.import_class(client_path) diff --git a/keystoneclient/openstack/common/apiclient/exceptions.py b/keystoneclient/openstack/common/apiclient/exceptions.py deleted file mode 100644 index d7e93704a..000000000 --- a/keystoneclient/openstack/common/apiclient/exceptions.py +++ /dev/null @@ -1,466 +0,0 @@ -# Copyright 2010 Jacob Kaplan-Moss -# Copyright 2011 Nebula, Inc. -# Copyright 2013 Alessio Ababilov -# Copyright 2013 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Exception definitions. -""" - -import inspect -import sys - -import six - -from keystoneclient.openstack.common.gettextutils import _ - - -class ClientException(Exception): - """The base exception class for all exceptions this library raises. - """ - pass - - -class MissingArgs(ClientException): - """Supplied arguments are not sufficient for calling a function.""" - def __init__(self, missing): - self.missing = missing - msg = _("Missing arguments: %s") % ", ".join(missing) - super(MissingArgs, self).__init__(msg) - - -class ValidationError(ClientException): - """Error in validation on API client side.""" - pass - - -class UnsupportedVersion(ClientException): - """User is trying to use an unsupported version of the API.""" - pass - - -class CommandError(ClientException): - """Error in CLI tool.""" - pass - - -class AuthorizationFailure(ClientException): - """Cannot authorize API client.""" - pass - - -class ConnectionRefused(ClientException): - """Cannot connect to API service.""" - pass - - -class AuthPluginOptionsMissing(AuthorizationFailure): - """Auth plugin misses some options.""" - def __init__(self, opt_names): - super(AuthPluginOptionsMissing, self).__init__( - _("Authentication failed. Missing options: %s") % - ", ".join(opt_names)) - self.opt_names = opt_names - - -class AuthSystemNotFound(AuthorizationFailure): - """User has specified an AuthSystem that is not installed.""" - def __init__(self, auth_system): - super(AuthSystemNotFound, self).__init__( - _("AuthSystemNotFound: %s") % repr(auth_system)) - self.auth_system = auth_system - - -class NoUniqueMatch(ClientException): - """Multiple entities found instead of one.""" - pass - - -class EndpointException(ClientException): - """Something is rotten in Service Catalog.""" - pass - - -class EndpointNotFound(EndpointException): - """Could not find requested endpoint in Service Catalog.""" - pass - - -class AmbiguousEndpoints(EndpointException): - """Found more than one matching endpoint in Service Catalog.""" - def __init__(self, endpoints=None): - super(AmbiguousEndpoints, self).__init__( - _("AmbiguousEndpoints: %s") % repr(endpoints)) - self.endpoints = endpoints - - -class HttpError(ClientException): - """The base exception class for all HTTP exceptions. - """ - http_status = 0 - message = _("HTTP Error") - - def __init__(self, message=None, details=None, - response=None, request_id=None, - url=None, method=None, http_status=None): - self.http_status = http_status or self.http_status - self.message = message or self.message - self.details = details - self.request_id = request_id - self.response = response - self.url = url - self.method = method - formatted_string = "%s (HTTP %s)" % (self.message, self.http_status) - if request_id: - formatted_string += " (Request-ID: %s)" % request_id - super(HttpError, self).__init__(formatted_string) - - -class HTTPRedirection(HttpError): - """HTTP Redirection.""" - message = _("HTTP Redirection") - - -class HTTPClientError(HttpError): - """Client-side HTTP error. - - Exception for cases in which the client seems to have erred. - """ - message = _("HTTP Client Error") - - -class HttpServerError(HttpError): - """Server-side HTTP error. - - Exception for cases in which the server is aware that it has - erred or is incapable of performing the request. - """ - message = _("HTTP Server Error") - - -class MultipleChoices(HTTPRedirection): - """HTTP 300 - Multiple Choices. - - Indicates multiple options for the resource that the client may follow. - """ - - http_status = 300 - message = _("Multiple Choices") - - -class BadRequest(HTTPClientError): - """HTTP 400 - Bad Request. - - The request cannot be fulfilled due to bad syntax. - """ - http_status = 400 - message = _("Bad Request") - - -class Unauthorized(HTTPClientError): - """HTTP 401 - Unauthorized. - - Similar to 403 Forbidden, but specifically for use when authentication - is required and has failed or has not yet been provided. - """ - http_status = 401 - message = _("Unauthorized") - - -class PaymentRequired(HTTPClientError): - """HTTP 402 - Payment Required. - - Reserved for future use. - """ - http_status = 402 - message = _("Payment Required") - - -class Forbidden(HTTPClientError): - """HTTP 403 - Forbidden. - - The request was a valid request, but the server is refusing to respond - to it. - """ - http_status = 403 - message = _("Forbidden") - - -class NotFound(HTTPClientError): - """HTTP 404 - Not Found. - - The requested resource could not be found but may be available again - in the future. - """ - http_status = 404 - message = _("Not Found") - - -class MethodNotAllowed(HTTPClientError): - """HTTP 405 - Method Not Allowed. - - A request was made of a resource using a request method not supported - by that resource. - """ - http_status = 405 - message = _("Method Not Allowed") - - -class NotAcceptable(HTTPClientError): - """HTTP 406 - Not Acceptable. - - The requested resource is only capable of generating content not - acceptable according to the Accept headers sent in the request. - """ - http_status = 406 - message = _("Not Acceptable") - - -class ProxyAuthenticationRequired(HTTPClientError): - """HTTP 407 - Proxy Authentication Required. - - The client must first authenticate itself with the proxy. - """ - http_status = 407 - message = _("Proxy Authentication Required") - - -class RequestTimeout(HTTPClientError): - """HTTP 408 - Request Timeout. - - The server timed out waiting for the request. - """ - http_status = 408 - message = _("Request Timeout") - - -class Conflict(HTTPClientError): - """HTTP 409 - Conflict. - - Indicates that the request could not be processed because of conflict - in the request, such as an edit conflict. - """ - http_status = 409 - message = _("Conflict") - - -class Gone(HTTPClientError): - """HTTP 410 - Gone. - - Indicates that the resource requested is no longer available and will - not be available again. - """ - http_status = 410 - message = _("Gone") - - -class LengthRequired(HTTPClientError): - """HTTP 411 - Length Required. - - The request did not specify the length of its content, which is - required by the requested resource. - """ - http_status = 411 - message = _("Length Required") - - -class PreconditionFailed(HTTPClientError): - """HTTP 412 - Precondition Failed. - - The server does not meet one of the preconditions that the requester - put on the request. - """ - http_status = 412 - message = _("Precondition Failed") - - -class RequestEntityTooLarge(HTTPClientError): - """HTTP 413 - Request Entity Too Large. - - The request is larger than the server is willing or able to process. - """ - http_status = 413 - message = _("Request Entity Too Large") - - def __init__(self, *args, **kwargs): - try: - self.retry_after = int(kwargs.pop('retry_after')) - except (KeyError, ValueError): - self.retry_after = 0 - - super(RequestEntityTooLarge, self).__init__(*args, **kwargs) - - -class RequestUriTooLong(HTTPClientError): - """HTTP 414 - Request-URI Too Long. - - The URI provided was too long for the server to process. - """ - http_status = 414 - message = _("Request-URI Too Long") - - -class UnsupportedMediaType(HTTPClientError): - """HTTP 415 - Unsupported Media Type. - - The request entity has a media type which the server or resource does - not support. - """ - http_status = 415 - message = _("Unsupported Media Type") - - -class RequestedRangeNotSatisfiable(HTTPClientError): - """HTTP 416 - Requested Range Not Satisfiable. - - The client has asked for a portion of the file, but the server cannot - supply that portion. - """ - http_status = 416 - message = _("Requested Range Not Satisfiable") - - -class ExpectationFailed(HTTPClientError): - """HTTP 417 - Expectation Failed. - - The server cannot meet the requirements of the Expect request-header field. - """ - http_status = 417 - message = _("Expectation Failed") - - -class UnprocessableEntity(HTTPClientError): - """HTTP 422 - Unprocessable Entity. - - The request was well-formed but was unable to be followed due to semantic - errors. - """ - http_status = 422 - message = _("Unprocessable Entity") - - -class InternalServerError(HttpServerError): - """HTTP 500 - Internal Server Error. - - A generic error message, given when no more specific message is suitable. - """ - http_status = 500 - message = _("Internal Server Error") - - -# NotImplemented is a python keyword. -class HttpNotImplemented(HttpServerError): - """HTTP 501 - Not Implemented. - - The server either does not recognize the request method, or it lacks - the ability to fulfill the request. - """ - http_status = 501 - message = _("Not Implemented") - - -class BadGateway(HttpServerError): - """HTTP 502 - Bad Gateway. - - The server was acting as a gateway or proxy and received an invalid - response from the upstream server. - """ - http_status = 502 - message = _("Bad Gateway") - - -class ServiceUnavailable(HttpServerError): - """HTTP 503 - Service Unavailable. - - The server is currently unavailable. - """ - http_status = 503 - message = _("Service Unavailable") - - -class GatewayTimeout(HttpServerError): - """HTTP 504 - Gateway Timeout. - - The server was acting as a gateway or proxy and did not receive a timely - response from the upstream server. - """ - http_status = 504 - message = _("Gateway Timeout") - - -class HttpVersionNotSupported(HttpServerError): - """HTTP 505 - HttpVersion Not Supported. - - The server does not support the HTTP protocol version used in the request. - """ - http_status = 505 - message = _("HTTP Version Not Supported") - - -# _code_map contains all the classes that have http_status attribute. -_code_map = dict( - (getattr(obj, 'http_status', None), obj) - for name, obj in six.iteritems(vars(sys.modules[__name__])) - if inspect.isclass(obj) and getattr(obj, 'http_status', False) -) - - -def from_response(response, method, url): - """Returns an instance of :class:`HttpError` or subclass based on response. - - :param response: instance of `requests.Response` class - :param method: HTTP method used for request - :param url: URL used for request - """ - - req_id = response.headers.get("x-openstack-request-id") - # NOTE(hdd) true for older versions of nova and cinder - if not req_id: - req_id = response.headers.get("x-compute-request-id") - kwargs = { - "http_status": response.status_code, - "response": response, - "method": method, - "url": url, - "request_id": req_id, - } - if "retry-after" in response.headers: - kwargs["retry_after"] = response.headers["retry-after"] - - content_type = response.headers.get("Content-Type", "") - if content_type.startswith("application/json"): - try: - body = response.json() - except ValueError: - pass - else: - if isinstance(body, dict): - error = list(body.values())[0] - kwargs["message"] = error.get("message") - kwargs["details"] = error.get("details") - elif content_type.startswith("text/"): - kwargs["details"] = response.text - - try: - cls = _code_map[response.status_code] - except KeyError: - if 500 <= response.status_code < 600: - cls = HttpServerError - elif 400 <= response.status_code < 500: - cls = HTTPClientError - else: - cls = HttpError - return cls(**kwargs) diff --git a/keystoneclient/openstack/common/apiclient/fake_client.py b/keystoneclient/openstack/common/apiclient/fake_client.py deleted file mode 100644 index 47894e305..000000000 --- a/keystoneclient/openstack/common/apiclient/fake_client.py +++ /dev/null @@ -1,173 +0,0 @@ -# Copyright 2013 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -A fake server that "responds" to API methods with pre-canned responses. - -All of these responses come from the spec, so if for some reason the spec's -wrong the tests might raise AssertionError. I've indicated in comments the -places where actual behavior differs from the spec. -""" - -# W0102: Dangerous default value %s as argument -# pylint: disable=W0102 - -import json - -import requests -import six -from six.moves.urllib import parse - -from keystoneclient.openstack.common.apiclient import client - - -def assert_has_keys(dct, required=[], optional=[]): - for k in required: - try: - assert k in dct - except AssertionError: - extra_keys = set(dct.keys()).difference(set(required + optional)) - raise AssertionError("found unexpected keys: %s" % - list(extra_keys)) - - -class TestResponse(requests.Response): - """Wrap requests.Response and provide a convenient initialization. - """ - - def __init__(self, data): - super(TestResponse, self).__init__() - self._content_consumed = True - if isinstance(data, dict): - self.status_code = data.get('status_code', 200) - # Fake the text attribute to streamline Response creation - text = data.get('text', "") - if isinstance(text, (dict, list)): - self._content = json.dumps(text) - default_headers = { - "Content-Type": "application/json", - } - else: - self._content = text - default_headers = {} - if six.PY3 and isinstance(self._content, six.string_types): - self._content = self._content.encode('utf-8', 'strict') - self.headers = data.get('headers') or default_headers - else: - self.status_code = data - - def __eq__(self, other): - return (self.status_code == other.status_code and - self.headers == other.headers and - self._content == other._content) - - -class FakeHTTPClient(client.HTTPClient): - - def __init__(self, *args, **kwargs): - self.callstack = [] - self.fixtures = kwargs.pop("fixtures", None) or {} - if not args and "auth_plugin" not in kwargs: - args = (None, ) - super(FakeHTTPClient, self).__init__(*args, **kwargs) - - def assert_called(self, method, url, body=None, pos=-1): - """Assert than an API method was just called. - """ - expected = (method, url) - called = self.callstack[pos][0:2] - assert self.callstack, \ - "Expected %s %s but no calls were made." % expected - - assert expected == called, 'Expected %s %s; got %s %s' % \ - (expected + called) - - if body is not None: - if self.callstack[pos][3] != body: - raise AssertionError('%r != %r' % - (self.callstack[pos][3], body)) - - def assert_called_anytime(self, method, url, body=None): - """Assert than an API method was called anytime in the test. - """ - expected = (method, url) - - assert self.callstack, \ - "Expected %s %s but no calls were made." % expected - - found = False - entry = None - for entry in self.callstack: - if expected == entry[0:2]: - found = True - break - - assert found, 'Expected %s %s; got %s' % \ - (method, url, self.callstack) - if body is not None: - assert entry[3] == body, "%s != %s" % (entry[3], body) - - self.callstack = [] - - def clear_callstack(self): - self.callstack = [] - - def authenticate(self): - pass - - def client_request(self, client, method, url, **kwargs): - # Check that certain things are called correctly - if method in ["GET", "DELETE"]: - assert "json" not in kwargs - - # Note the call - self.callstack.append( - (method, - url, - kwargs.get("headers") or {}, - kwargs.get("json") or kwargs.get("data"))) - try: - fixture = self.fixtures[url][method] - except KeyError: - pass - else: - return TestResponse({"headers": fixture[0], - "text": fixture[1]}) - - # Call the method - args = parse.parse_qsl(parse.urlparse(url)[4]) - kwargs.update(args) - munged_url = url.rsplit('?', 1)[0] - munged_url = munged_url.strip('/').replace('/', '_').replace('.', '_') - munged_url = munged_url.replace('-', '_') - - callback = "%s_%s" % (method.lower(), munged_url) - - if not hasattr(self, callback): - raise AssertionError('Called unknown API method: %s %s, ' - 'expected fakes method name: %s' % - (method, url, callback)) - - resp = getattr(self, callback)(**kwargs) - if len(resp) == 3: - status, headers, body = resp - else: - status, body = resp - headers = {} - return TestResponse({ - "status_code": status, - "text": body, - "headers": headers, - }) diff --git a/keystoneclient/openstack/common/gettextutils.py b/keystoneclient/openstack/common/gettextutils.py deleted file mode 100644 index d57d468a8..000000000 --- a/keystoneclient/openstack/common/gettextutils.py +++ /dev/null @@ -1,498 +0,0 @@ -# Copyright 2012 Red Hat, Inc. -# Copyright 2013 IBM Corp. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -gettext for openstack-common modules. - -Usual usage in an openstack.common module: - - from keystoneclient.openstack.common.gettextutils import _ -""" - -import copy -import functools -import gettext -import locale -from logging import handlers -import os - -from babel import localedata -import six - -_AVAILABLE_LANGUAGES = {} - -# FIXME(dhellmann): Remove this when moving to oslo.i18n. -USE_LAZY = False - - -class TranslatorFactory(object): - """Create translator functions - """ - - def __init__(self, domain, lazy=False, localedir=None): - """Establish a set of translation functions for the domain. - - :param domain: Name of translation domain, - specifying a message catalog. - :type domain: str - :param lazy: Delays translation until a message is emitted. - Defaults to False. - :type lazy: Boolean - :param localedir: Directory with translation catalogs. - :type localedir: str - """ - self.domain = domain - self.lazy = lazy - if localedir is None: - localedir = os.environ.get(domain.upper() + '_LOCALEDIR') - self.localedir = localedir - - def _make_translation_func(self, domain=None): - """Return a new translation function ready for use. - - Takes into account whether or not lazy translation is being - done. - - The domain can be specified to override the default from the - factory, but the localedir from the factory is always used - because we assume the log-level translation catalogs are - installed in the same directory as the main application - catalog. - - """ - if domain is None: - domain = self.domain - if self.lazy: - return functools.partial(Message, domain=domain) - t = gettext.translation( - domain, - localedir=self.localedir, - fallback=True, - ) - if six.PY3: - return t.gettext - return t.ugettext - - @property - def primary(self): - "The default translation function." - return self._make_translation_func() - - def _make_log_translation_func(self, level): - return self._make_translation_func(self.domain + '-log-' + level) - - @property - def log_info(self): - "Translate info-level log messages." - return self._make_log_translation_func('info') - - @property - def log_warning(self): - "Translate warning-level log messages." - return self._make_log_translation_func('warning') - - @property - def log_error(self): - "Translate error-level log messages." - return self._make_log_translation_func('error') - - @property - def log_critical(self): - "Translate critical-level log messages." - return self._make_log_translation_func('critical') - - -# NOTE(dhellmann): When this module moves out of the incubator into -# oslo.i18n, these global variables can be moved to an integration -# module within each application. - -# Create the global translation functions. -_translators = TranslatorFactory('keystoneclient') - -# The primary translation function using the well-known name "_" -_ = _translators.primary - -# Translators for log levels. -# -# The abbreviated names are meant to reflect the usual use of a short -# name like '_'. The "L" is for "log" and the other letter comes from -# the level. -_LI = _translators.log_info -_LW = _translators.log_warning -_LE = _translators.log_error -_LC = _translators.log_critical - -# NOTE(dhellmann): End of globals that will move to the application's -# integration module. - - -def enable_lazy(): - """Convenience function for configuring _() to use lazy gettext - - Call this at the start of execution to enable the gettextutils._ - function to use lazy gettext functionality. This is useful if - your project is importing _ directly instead of using the - gettextutils.install() way of importing the _ function. - """ - # FIXME(dhellmann): This function will be removed in oslo.i18n, - # because the TranslatorFactory makes it superfluous. - global _, _LI, _LW, _LE, _LC, USE_LAZY - tf = TranslatorFactory('keystoneclient', lazy=True) - _ = tf.primary - _LI = tf.log_info - _LW = tf.log_warning - _LE = tf.log_error - _LC = tf.log_critical - USE_LAZY = True - - -def install(domain, lazy=False): - """Install a _() function using the given translation domain. - - Given a translation domain, install a _() function using gettext's - install() function. - - The main difference from gettext.install() is that we allow - overriding the default localedir (e.g. /usr/share/locale) using - a translation-domain-specific environment variable (e.g. - NOVA_LOCALEDIR). - - :param domain: the translation domain - :param lazy: indicates whether or not to install the lazy _() function. - The lazy _() introduces a way to do deferred translation - of messages by installing a _ that builds Message objects, - instead of strings, which can then be lazily translated into - any available locale. - """ - if lazy: - from six import moves - tf = TranslatorFactory(domain, lazy=True) - moves.builtins.__dict__['_'] = tf.primary - else: - localedir = '%s_LOCALEDIR' % domain.upper() - if six.PY3: - gettext.install(domain, - localedir=os.environ.get(localedir)) - else: - gettext.install(domain, - localedir=os.environ.get(localedir), - unicode=True) - - -class Message(six.text_type): - """A Message object is a unicode object that can be translated. - - Translation of Message is done explicitly using the translate() method. - For all non-translation intents and purposes, a Message is simply unicode, - and can be treated as such. - """ - - def __new__(cls, msgid, msgtext=None, params=None, - domain='keystoneclient', *args): - """Create a new Message object. - - In order for translation to work gettext requires a message ID, this - msgid will be used as the base unicode text. It is also possible - for the msgid and the base unicode text to be different by passing - the msgtext parameter. - """ - # If the base msgtext is not given, we use the default translation - # of the msgid (which is in English) just in case the system locale is - # not English, so that the base text will be in that locale by default. - if not msgtext: - msgtext = Message._translate_msgid(msgid, domain) - # We want to initialize the parent unicode with the actual object that - # would have been plain unicode if 'Message' was not enabled. - msg = super(Message, cls).__new__(cls, msgtext) - msg.msgid = msgid - msg.domain = domain - msg.params = params - return msg - - def translate(self, desired_locale=None): - """Translate this message to the desired locale. - - :param desired_locale: The desired locale to translate the message to, - if no locale is provided the message will be - translated to the system's default locale. - - :returns: the translated message in unicode - """ - - translated_message = Message._translate_msgid(self.msgid, - self.domain, - desired_locale) - if self.params is None: - # No need for more translation - return translated_message - - # This Message object may have been formatted with one or more - # Message objects as substitution arguments, given either as a single - # argument, part of a tuple, or as one or more values in a dictionary. - # When translating this Message we need to translate those Messages too - translated_params = _translate_args(self.params, desired_locale) - - translated_message = translated_message % translated_params - - return translated_message - - @staticmethod - def _translate_msgid(msgid, domain, desired_locale=None): - if not desired_locale: - system_locale = locale.getdefaultlocale() - # If the system locale is not available to the runtime use English - if not system_locale[0]: - desired_locale = 'en_US' - else: - desired_locale = system_locale[0] - - locale_dir = os.environ.get(domain.upper() + '_LOCALEDIR') - lang = gettext.translation(domain, - localedir=locale_dir, - languages=[desired_locale], - fallback=True) - if six.PY3: - translator = lang.gettext - else: - translator = lang.ugettext - - translated_message = translator(msgid) - return translated_message - - def __mod__(self, other): - # When we mod a Message we want the actual operation to be performed - # by the parent class (i.e. unicode()), the only thing we do here is - # save the original msgid and the parameters in case of a translation - params = self._sanitize_mod_params(other) - unicode_mod = super(Message, self).__mod__(params) - modded = Message(self.msgid, - msgtext=unicode_mod, - params=params, - domain=self.domain) - return modded - - def _sanitize_mod_params(self, other): - """Sanitize the object being modded with this Message. - - - Add support for modding 'None' so translation supports it - - Trim the modded object, which can be a large dictionary, to only - those keys that would actually be used in a translation - - Snapshot the object being modded, in case the message is - translated, it will be used as it was when the Message was created - """ - if other is None: - params = (other,) - elif isinstance(other, dict): - # Merge the dictionaries - # Copy each item in case one does not support deep copy. - params = {} - if isinstance(self.params, dict): - for key, val in self.params.items(): - params[key] = self._copy_param(val) - for key, val in other.items(): - params[key] = self._copy_param(val) - else: - params = self._copy_param(other) - return params - - def _copy_param(self, param): - try: - return copy.deepcopy(param) - except Exception: - # Fallback to casting to unicode this will handle the - # python code-like objects that can't be deep-copied - return six.text_type(param) - - def __add__(self, other): - msg = _('Message objects do not support addition.') - raise TypeError(msg) - - def __radd__(self, other): - return self.__add__(other) - - if six.PY2: - def __str__(self): - # NOTE(luisg): Logging in python 2.6 tries to str() log records, - # and it expects specifically a UnicodeError in order to proceed. - msg = _('Message objects do not support str() because they may ' - 'contain non-ascii characters. ' - 'Please use unicode() or translate() instead.') - raise UnicodeError(msg) - - -def get_available_languages(domain): - """Lists the available languages for the given translation domain. - - :param domain: the domain to get languages for - """ - if domain in _AVAILABLE_LANGUAGES: - return copy.copy(_AVAILABLE_LANGUAGES[domain]) - - localedir = '%s_LOCALEDIR' % domain.upper() - find = lambda x: gettext.find(domain, - localedir=os.environ.get(localedir), - languages=[x]) - - # NOTE(mrodden): en_US should always be available (and first in case - # order matters) since our in-line message strings are en_US - language_list = ['en_US'] - # NOTE(luisg): Babel <1.0 used a function called list(), which was - # renamed to locale_identifiers() in >=1.0, the requirements master list - # requires >=0.9.6, uncapped, so defensively work with both. We can remove - # this check when the master list updates to >=1.0, and update all projects - list_identifiers = (getattr(localedata, 'list', None) or - getattr(localedata, 'locale_identifiers')) - locale_identifiers = list_identifiers() - - for i in locale_identifiers: - if find(i) is not None: - language_list.append(i) - - # NOTE(luisg): Babel>=1.0,<1.3 has a bug where some OpenStack supported - # locales (e.g. 'zh_CN', and 'zh_TW') aren't supported even though they - # are perfectly legitimate locales: - # https://github.com/mitsuhiko/babel/issues/37 - # In Babel 1.3 they fixed the bug and they support these locales, but - # they are still not explicitly "listed" by locale_identifiers(). - # That is why we add the locales here explicitly if necessary so that - # they are listed as supported. - aliases = {'zh': 'zh_CN', - 'zh_Hant_HK': 'zh_HK', - 'zh_Hant': 'zh_TW', - 'fil': 'tl_PH'} - for (locale_, alias) in six.iteritems(aliases): - if locale_ in language_list and alias not in language_list: - language_list.append(alias) - - _AVAILABLE_LANGUAGES[domain] = language_list - return copy.copy(language_list) - - -def translate(obj, desired_locale=None): - """Gets the translated unicode representation of the given object. - - If the object is not translatable it is returned as-is. - If the locale is None the object is translated to the system locale. - - :param obj: the object to translate - :param desired_locale: the locale to translate the message to, if None the - default system locale will be used - :returns: the translated object in unicode, or the original object if - it could not be translated - """ - message = obj - if not isinstance(message, Message): - # If the object to translate is not already translatable, - # let's first get its unicode representation - message = six.text_type(obj) - if isinstance(message, Message): - # Even after unicoding() we still need to check if we are - # running with translatable unicode before translating - return message.translate(desired_locale) - return obj - - -def _translate_args(args, desired_locale=None): - """Translates all the translatable elements of the given arguments object. - - This method is used for translating the translatable values in method - arguments which include values of tuples or dictionaries. - If the object is not a tuple or a dictionary the object itself is - translated if it is translatable. - - If the locale is None the object is translated to the system locale. - - :param args: the args to translate - :param desired_locale: the locale to translate the args to, if None the - default system locale will be used - :returns: a new args object with the translated contents of the original - """ - if isinstance(args, tuple): - return tuple(translate(v, desired_locale) for v in args) - if isinstance(args, dict): - translated_dict = {} - for (k, v) in six.iteritems(args): - translated_v = translate(v, desired_locale) - translated_dict[k] = translated_v - return translated_dict - return translate(args, desired_locale) - - -class TranslationHandler(handlers.MemoryHandler): - """Handler that translates records before logging them. - - The TranslationHandler takes a locale and a target logging.Handler object - to forward LogRecord objects to after translating them. This handler - depends on Message objects being logged, instead of regular strings. - - The handler can be configured declaratively in the logging.conf as follows: - - [handlers] - keys = translatedlog, translator - - [handler_translatedlog] - class = handlers.WatchedFileHandler - args = ('/var/log/api-localized.log',) - formatter = context - - [handler_translator] - class = openstack.common.log.TranslationHandler - target = translatedlog - args = ('zh_CN',) - - If the specified locale is not available in the system, the handler will - log in the default locale. - """ - - def __init__(self, locale=None, target=None): - """Initialize a TranslationHandler - - :param locale: locale to use for translating messages - :param target: logging.Handler object to forward - LogRecord objects to after translation - """ - # NOTE(luisg): In order to allow this handler to be a wrapper for - # other handlers, such as a FileHandler, and still be able to - # configure it using logging.conf, this handler has to extend - # MemoryHandler because only the MemoryHandlers' logging.conf - # parsing is implemented such that it accepts a target handler. - handlers.MemoryHandler.__init__(self, capacity=0, target=target) - self.locale = locale - - def setFormatter(self, fmt): - self.target.setFormatter(fmt) - - def emit(self, record): - # We save the message from the original record to restore it - # after translation, so other handlers are not affected by this - original_msg = record.msg - original_args = record.args - - try: - self._translate_and_log_record(record) - finally: - record.msg = original_msg - record.args = original_args - - def _translate_and_log_record(self, record): - record.msg = translate(record.msg, self.locale) - - # In addition to translating the message, we also need to translate - # arguments that were passed to the log method that were not part - # of the main message e.g., log.info(_('Some message %s'), this_one)) - record.args = _translate_args(record.args, self.locale) - - self.target.emit(record) diff --git a/keystoneclient/openstack/common/importutils.py b/keystoneclient/openstack/common/importutils.py deleted file mode 100644 index 1261278ad..000000000 --- a/keystoneclient/openstack/common/importutils.py +++ /dev/null @@ -1,73 +0,0 @@ -# Copyright 2011 OpenStack Foundation. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Import related utilities and helper functions. -""" - -import sys -import traceback - - -def import_class(import_str): - """Returns a class from a string including module and class.""" - mod_str, _sep, class_str = import_str.rpartition('.') - __import__(mod_str) - try: - return getattr(sys.modules[mod_str], class_str) - except AttributeError: - raise ImportError('Class %s cannot be found (%s)' % - (class_str, - traceback.format_exception(*sys.exc_info()))) - - -def import_object(import_str, *args, **kwargs): - """Import a class and return an instance of it.""" - return import_class(import_str)(*args, **kwargs) - - -def import_object_ns(name_space, import_str, *args, **kwargs): - """Tries to import object from default namespace. - - Imports a class and return an instance of it, first by trying - to find the class in a default namespace, then failing back to - a full path if not found in the default namespace. - """ - import_value = "%s.%s" % (name_space, import_str) - try: - return import_class(import_value)(*args, **kwargs) - except ImportError: - return import_class(import_str)(*args, **kwargs) - - -def import_module(import_str): - """Import a module.""" - __import__(import_str) - return sys.modules[import_str] - - -def import_versioned_module(version, submodule=None): - module = 'keystoneclient.v%s' % version - if submodule: - module = '.'.join((module, submodule)) - return import_module(module) - - -def try_import(import_str, default=None): - """Try to import a module and if it fails return default.""" - try: - return import_module(import_str) - except ImportError: - return default diff --git a/keystoneclient/openstack/common/jsonutils.py b/keystoneclient/openstack/common/jsonutils.py deleted file mode 100644 index 3ae414a20..000000000 --- a/keystoneclient/openstack/common/jsonutils.py +++ /dev/null @@ -1,186 +0,0 @@ -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# Copyright 2011 Justin Santa Barbara -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -''' -JSON related utilities. - -This module provides a few things: - - 1) A handy function for getting an object down to something that can be - JSON serialized. See to_primitive(). - - 2) Wrappers around loads() and dumps(). The dumps() wrapper will - automatically use to_primitive() for you if needed. - - 3) This sets up anyjson to use the loads() and dumps() wrappers if anyjson - is available. -''' - - -import codecs -import datetime -import functools -import inspect -import itertools -import sys - -if sys.version_info < (2, 7): - # On Python <= 2.6, json module is not C boosted, so try to use - # simplejson module if available - try: - import simplejson as json - except ImportError: - import json -else: - import json - -import six -import six.moves.xmlrpc_client as xmlrpclib - -from keystoneclient.openstack.common import gettextutils -from keystoneclient.openstack.common import importutils -from keystoneclient.openstack.common import strutils -from keystoneclient.openstack.common import timeutils - -netaddr = importutils.try_import("netaddr") - -_nasty_type_tests = [inspect.ismodule, inspect.isclass, inspect.ismethod, - inspect.isfunction, inspect.isgeneratorfunction, - inspect.isgenerator, inspect.istraceback, inspect.isframe, - inspect.iscode, inspect.isbuiltin, inspect.isroutine, - inspect.isabstract] - -_simple_types = (six.string_types + six.integer_types - + (type(None), bool, float)) - - -def to_primitive(value, convert_instances=False, convert_datetime=True, - level=0, max_depth=3): - """Convert a complex object into primitives. - - Handy for JSON serialization. We can optionally handle instances, - but since this is a recursive function, we could have cyclical - data structures. - - To handle cyclical data structures we could track the actual objects - visited in a set, but not all objects are hashable. Instead we just - track the depth of the object inspections and don't go too deep. - - Therefore, convert_instances=True is lossy ... be aware. - - """ - # handle obvious types first - order of basic types determined by running - # full tests on nova project, resulting in the following counts: - # 572754 - # 460353 - # 379632 - # 274610 - # 199918 - # 114200 - # 51817 - # 26164 - # 6491 - # 283 - # 19 - if isinstance(value, _simple_types): - return value - - if isinstance(value, datetime.datetime): - if convert_datetime: - return timeutils.strtime(value) - else: - return value - - # value of itertools.count doesn't get caught by nasty_type_tests - # and results in infinite loop when list(value) is called. - if type(value) == itertools.count: - return six.text_type(value) - - # FIXME(vish): Workaround for LP bug 852095. Without this workaround, - # tests that raise an exception in a mocked method that - # has a @wrap_exception with a notifier will fail. If - # we up the dependency to 0.5.4 (when it is released) we - # can remove this workaround. - if getattr(value, '__module__', None) == 'mox': - return 'mock' - - if level > max_depth: - return '?' - - # The try block may not be necessary after the class check above, - # but just in case ... - try: - recursive = functools.partial(to_primitive, - convert_instances=convert_instances, - convert_datetime=convert_datetime, - level=level, - max_depth=max_depth) - if isinstance(value, dict): - return dict((k, recursive(v)) for k, v in six.iteritems(value)) - elif isinstance(value, (list, tuple)): - return [recursive(lv) for lv in value] - - # It's not clear why xmlrpclib created their own DateTime type, but - # for our purposes, make it a datetime type which is explicitly - # handled - if isinstance(value, xmlrpclib.DateTime): - value = datetime.datetime(*tuple(value.timetuple())[:6]) - - if convert_datetime and isinstance(value, datetime.datetime): - return timeutils.strtime(value) - elif isinstance(value, gettextutils.Message): - return value.data - elif hasattr(value, 'iteritems'): - return recursive(dict(value.iteritems()), level=level + 1) - elif hasattr(value, '__iter__'): - return recursive(list(value)) - elif convert_instances and hasattr(value, '__dict__'): - # Likely an instance of something. Watch for cycles. - # Ignore class member vars. - return recursive(value.__dict__, level=level + 1) - elif netaddr and isinstance(value, netaddr.IPAddress): - return six.text_type(value) - else: - if any(test(value) for test in _nasty_type_tests): - return six.text_type(value) - return value - except TypeError: - # Class objects are tricky since they may define something like - # __iter__ defined but it isn't callable as list(). - return six.text_type(value) - - -def dumps(value, default=to_primitive, **kwargs): - return json.dumps(value, default=default, **kwargs) - - -def loads(s, encoding='utf-8', **kwargs): - return json.loads(strutils.safe_decode(s, encoding), **kwargs) - - -def load(fp, encoding='utf-8', **kwargs): - return json.load(codecs.getreader(encoding)(fp), **kwargs) - - -try: - import anyjson -except ImportError: - pass -else: - anyjson._modules.append((__name__, 'dumps', TypeError, - 'loads', ValueError, 'load')) - anyjson.force_implementation(__name__) diff --git a/keystoneclient/openstack/common/memorycache.py b/keystoneclient/openstack/common/memorycache.py deleted file mode 100644 index a83363494..000000000 --- a/keystoneclient/openstack/common/memorycache.py +++ /dev/null @@ -1,91 +0,0 @@ -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -"""Super simple fake memcache client.""" - -from oslo.config import cfg - -from keystoneclient.openstack.common import timeutils - -memcache_opts = [ - cfg.ListOpt('memcached_servers', - help='Memcached servers or None for in process cache.'), -] - -CONF = cfg.CONF -CONF.register_opts(memcache_opts) - - -def get_client(memcached_servers=None): - client_cls = Client - - if not memcached_servers: - memcached_servers = CONF.memcached_servers - if memcached_servers: - import memcache - client_cls = memcache.Client - - return client_cls(memcached_servers, debug=0) - - -class Client(object): - """Replicates a tiny subset of memcached client interface.""" - - def __init__(self, *args, **kwargs): - """Ignores the passed in args.""" - self.cache = {} - - def get(self, key): - """Retrieves the value for a key or None. - - This expunges expired keys during each get. - """ - - now = timeutils.utcnow_ts() - for k in list(self.cache): - (timeout, _value) = self.cache[k] - if timeout and now >= timeout: - del self.cache[k] - - return self.cache.get(key, (0, None))[1] - - def set(self, key, value, time=0, min_compress_len=0): - """Sets the value for a key.""" - timeout = 0 - if time != 0: - timeout = timeutils.utcnow_ts() + time - self.cache[key] = (timeout, value) - return True - - def add(self, key, value, time=0, min_compress_len=0): - """Sets the value for a key if it doesn't exist.""" - if self.get(key) is not None: - return False - return self.set(key, value, time, min_compress_len) - - def incr(self, key, delta=1): - """Increments the value for a key.""" - value = self.get(key) - if value is None: - return None - new_value = int(value) + delta - self.cache[key] = (self.cache[key][0], str(new_value)) - return new_value - - def delete(self, key, time=0): - """Deletes the value associated with a key.""" - if key in self.cache: - del self.cache[key] diff --git a/keystoneclient/openstack/common/strutils.py b/keystoneclient/openstack/common/strutils.py deleted file mode 100644 index 0a4c42e3a..000000000 --- a/keystoneclient/openstack/common/strutils.py +++ /dev/null @@ -1,239 +0,0 @@ -# Copyright 2011 OpenStack Foundation. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -System-level utilities and helper functions. -""" - -import math -import re -import sys -import unicodedata - -import six - -from keystoneclient.openstack.common.gettextutils import _ - - -UNIT_PREFIX_EXPONENT = { - 'k': 1, - 'K': 1, - 'Ki': 1, - 'M': 2, - 'Mi': 2, - 'G': 3, - 'Gi': 3, - 'T': 4, - 'Ti': 4, -} -UNIT_SYSTEM_INFO = { - 'IEC': (1024, re.compile(r'(^[-+]?\d*\.?\d+)([KMGT]i?)?(b|bit|B)$')), - 'SI': (1000, re.compile(r'(^[-+]?\d*\.?\d+)([kMGT])?(b|bit|B)$')), -} - -TRUE_STRINGS = ('1', 't', 'true', 'on', 'y', 'yes') -FALSE_STRINGS = ('0', 'f', 'false', 'off', 'n', 'no') - -SLUGIFY_STRIP_RE = re.compile(r"[^\w\s-]") -SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+") - - -def int_from_bool_as_string(subject): - """Interpret a string as a boolean and return either 1 or 0. - - Any string value in: - - ('True', 'true', 'On', 'on', '1') - - is interpreted as a boolean True. - - Useful for JSON-decoded stuff and config file parsing - """ - return bool_from_string(subject) and 1 or 0 - - -def bool_from_string(subject, strict=False, default=False): - """Interpret a string as a boolean. - - A case-insensitive match is performed such that strings matching 't', - 'true', 'on', 'y', 'yes', or '1' are considered True and, when - `strict=False`, anything else returns the value specified by 'default'. - - Useful for JSON-decoded stuff and config file parsing. - - If `strict=True`, unrecognized values, including None, will raise a - ValueError which is useful when parsing values passed in from an API call. - Strings yielding False are 'f', 'false', 'off', 'n', 'no', or '0'. - """ - if not isinstance(subject, six.string_types): - subject = six.text_type(subject) - - lowered = subject.strip().lower() - - if lowered in TRUE_STRINGS: - return True - elif lowered in FALSE_STRINGS: - return False - elif strict: - acceptable = ', '.join( - "'%s'" % s for s in sorted(TRUE_STRINGS + FALSE_STRINGS)) - msg = _("Unrecognized value '%(val)s', acceptable values are:" - " %(acceptable)s") % {'val': subject, - 'acceptable': acceptable} - raise ValueError(msg) - else: - return default - - -def safe_decode(text, incoming=None, errors='strict'): - """Decodes incoming text/bytes string using `incoming` if they're not - already unicode. - - :param incoming: Text's current encoding - :param errors: Errors handling policy. See here for valid - values http://docs.python.org/2/library/codecs.html - :returns: text or a unicode `incoming` encoded - representation of it. - :raises TypeError: If text is not an instance of str - """ - if not isinstance(text, (six.string_types, six.binary_type)): - raise TypeError("%s can't be decoded" % type(text)) - - if isinstance(text, six.text_type): - return text - - if not incoming: - incoming = (sys.stdin.encoding or - sys.getdefaultencoding()) - - try: - return text.decode(incoming, errors) - except UnicodeDecodeError: - # Note(flaper87) If we get here, it means that - # sys.stdin.encoding / sys.getdefaultencoding - # didn't return a suitable encoding to decode - # text. This happens mostly when global LANG - # var is not set correctly and there's no - # default encoding. In this case, most likely - # python will use ASCII or ANSI encoders as - # default encodings but they won't be capable - # of decoding non-ASCII characters. - # - # Also, UTF-8 is being used since it's an ASCII - # extension. - return text.decode('utf-8', errors) - - -def safe_encode(text, incoming=None, - encoding='utf-8', errors='strict'): - """Encodes incoming text/bytes string using `encoding`. - - If incoming is not specified, text is expected to be encoded with - current python's default encoding. (`sys.getdefaultencoding`) - - :param incoming: Text's current encoding - :param encoding: Expected encoding for text (Default UTF-8) - :param errors: Errors handling policy. See here for valid - values http://docs.python.org/2/library/codecs.html - :returns: text or a bytestring `encoding` encoded - representation of it. - :raises TypeError: If text is not an instance of str - """ - if not isinstance(text, (six.string_types, six.binary_type)): - raise TypeError("%s can't be encoded" % type(text)) - - if not incoming: - incoming = (sys.stdin.encoding or - sys.getdefaultencoding()) - - if isinstance(text, six.text_type): - return text.encode(encoding, errors) - elif text and encoding != incoming: - # Decode text before encoding it with `encoding` - text = safe_decode(text, incoming, errors) - return text.encode(encoding, errors) - else: - return text - - -def string_to_bytes(text, unit_system='IEC', return_int=False): - """Converts a string into an float representation of bytes. - - The units supported for IEC :: - - Kb(it), Kib(it), Mb(it), Mib(it), Gb(it), Gib(it), Tb(it), Tib(it) - KB, KiB, MB, MiB, GB, GiB, TB, TiB - - The units supported for SI :: - - kb(it), Mb(it), Gb(it), Tb(it) - kB, MB, GB, TB - - Note that the SI unit system does not support capital letter 'K' - - :param text: String input for bytes size conversion. - :param unit_system: Unit system for byte size conversion. - :param return_int: If True, returns integer representation of text - in bytes. (default: decimal) - :returns: Numerical representation of text in bytes. - :raises ValueError: If text has an invalid value. - - """ - try: - base, reg_ex = UNIT_SYSTEM_INFO[unit_system] - except KeyError: - msg = _('Invalid unit system: "%s"') % unit_system - raise ValueError(msg) - match = reg_ex.match(text) - if match: - magnitude = float(match.group(1)) - unit_prefix = match.group(2) - if match.group(3) in ['b', 'bit']: - magnitude /= 8 - else: - msg = _('Invalid string format: %s') % text - raise ValueError(msg) - if not unit_prefix: - res = magnitude - else: - res = magnitude * pow(base, UNIT_PREFIX_EXPONENT[unit_prefix]) - if return_int: - return int(math.ceil(res)) - return res - - -def to_slug(value, incoming=None, errors="strict"): - """Normalize string. - - Convert to lowercase, remove non-word characters, and convert spaces - to hyphens. - - Inspired by Django's `slugify` filter. - - :param value: Text to slugify - :param incoming: Text's current encoding - :param errors: Errors handling policy. See here for valid - values http://docs.python.org/2/library/codecs.html - :returns: slugified unicode representation of `value` - :raises TypeError: If text is not an instance of str - """ - value = safe_decode(value, incoming, errors) - # NOTE(aababilov): no need to use safe_(encode|decode) here: - # encodings are always "ascii", error handling is always "ignore" - # and types are always known (first: unicode; second: str) - value = unicodedata.normalize("NFKD", value).encode( - "ascii", "ignore").decode("ascii") - value = SLUGIFY_STRIP_RE.sub("", value).strip().lower() - return SLUGIFY_HYPHENATE_RE.sub("-", value) diff --git a/keystoneclient/openstack/common/timeutils.py b/keystoneclient/openstack/common/timeutils.py deleted file mode 100644 index c48da95f1..000000000 --- a/keystoneclient/openstack/common/timeutils.py +++ /dev/null @@ -1,210 +0,0 @@ -# Copyright 2011 OpenStack Foundation. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Time related utilities and helper functions. -""" - -import calendar -import datetime -import time - -import iso8601 -import six - - -# ISO 8601 extended time format with microseconds -_ISO8601_TIME_FORMAT_SUBSECOND = '%Y-%m-%dT%H:%M:%S.%f' -_ISO8601_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S' -PERFECT_TIME_FORMAT = _ISO8601_TIME_FORMAT_SUBSECOND - - -def isotime(at=None, subsecond=False): - """Stringify time in ISO 8601 format.""" - if not at: - at = utcnow() - st = at.strftime(_ISO8601_TIME_FORMAT - if not subsecond - else _ISO8601_TIME_FORMAT_SUBSECOND) - tz = at.tzinfo.tzname(None) if at.tzinfo else 'UTC' - st += ('Z' if tz == 'UTC' else tz) - return st - - -def parse_isotime(timestr): - """Parse time from ISO 8601 format.""" - try: - return iso8601.parse_date(timestr) - except iso8601.ParseError as e: - raise ValueError(six.text_type(e)) - except TypeError as e: - raise ValueError(six.text_type(e)) - - -def strtime(at=None, fmt=PERFECT_TIME_FORMAT): - """Returns formatted utcnow.""" - if not at: - at = utcnow() - return at.strftime(fmt) - - -def parse_strtime(timestr, fmt=PERFECT_TIME_FORMAT): - """Turn a formatted time back into a datetime.""" - return datetime.datetime.strptime(timestr, fmt) - - -def normalize_time(timestamp): - """Normalize time in arbitrary timezone to UTC naive object.""" - offset = timestamp.utcoffset() - if offset is None: - return timestamp - return timestamp.replace(tzinfo=None) - offset - - -def is_older_than(before, seconds): - """Return True if before is older than seconds.""" - if isinstance(before, six.string_types): - before = parse_strtime(before).replace(tzinfo=None) - else: - before = before.replace(tzinfo=None) - - return utcnow() - before > datetime.timedelta(seconds=seconds) - - -def is_newer_than(after, seconds): - """Return True if after is newer than seconds.""" - if isinstance(after, six.string_types): - after = parse_strtime(after).replace(tzinfo=None) - else: - after = after.replace(tzinfo=None) - - return after - utcnow() > datetime.timedelta(seconds=seconds) - - -def utcnow_ts(): - """Timestamp version of our utcnow function.""" - if utcnow.override_time is None: - # NOTE(kgriffs): This is several times faster - # than going through calendar.timegm(...) - return int(time.time()) - - return calendar.timegm(utcnow().timetuple()) - - -def utcnow(): - """Overridable version of utils.utcnow.""" - if utcnow.override_time: - try: - return utcnow.override_time.pop(0) - except AttributeError: - return utcnow.override_time - return datetime.datetime.utcnow() - - -def iso8601_from_timestamp(timestamp): - """Returns an iso8601 formatted date from timestamp.""" - return isotime(datetime.datetime.utcfromtimestamp(timestamp)) - - -utcnow.override_time = None - - -def set_time_override(override_time=None): - """Overrides utils.utcnow. - - Make it return a constant time or a list thereof, one at a time. - - :param override_time: datetime instance or list thereof. If not - given, defaults to the current UTC time. - """ - utcnow.override_time = override_time or datetime.datetime.utcnow() - - -def advance_time_delta(timedelta): - """Advance overridden time using a datetime.timedelta.""" - assert utcnow.override_time is not None - try: - for dt in utcnow.override_time: - dt += timedelta - except TypeError: - utcnow.override_time += timedelta - - -def advance_time_seconds(seconds): - """Advance overridden time by seconds.""" - advance_time_delta(datetime.timedelta(0, seconds)) - - -def clear_time_override(): - """Remove the overridden time.""" - utcnow.override_time = None - - -def marshall_now(now=None): - """Make an rpc-safe datetime with microseconds. - - Note: tzinfo is stripped, but not required for relative times. - """ - if not now: - now = utcnow() - return dict(day=now.day, month=now.month, year=now.year, hour=now.hour, - minute=now.minute, second=now.second, - microsecond=now.microsecond) - - -def unmarshall_time(tyme): - """Unmarshall a datetime dict.""" - return datetime.datetime(day=tyme['day'], - month=tyme['month'], - year=tyme['year'], - hour=tyme['hour'], - minute=tyme['minute'], - second=tyme['second'], - microsecond=tyme['microsecond']) - - -def delta_seconds(before, after): - """Return the difference between two timing objects. - - Compute the difference in seconds between two date, time, or - datetime objects (as a float, to microsecond resolution). - """ - delta = after - before - return total_seconds(delta) - - -def total_seconds(delta): - """Return the total seconds of datetime.timedelta object. - - Compute total seconds of datetime.timedelta, datetime.timedelta - doesn't have method total_seconds in Python2.6, calculate it manually. - """ - try: - return delta.total_seconds() - except AttributeError: - return ((delta.days * 24 * 3600) + delta.seconds + - float(delta.microseconds) / (10 ** 6)) - - -def is_soon(dt, window): - """Determines if time is going to happen in the next window seconds. - - :param dt: the time - :param window: minimum seconds to remain to consider the time not soon - - :return: True if expiration is within the given duration - """ - soon = (utcnow() + datetime.timedelta(seconds=window)) - return normalize_time(dt) <= soon diff --git a/keystoneclient/service_catalog.py b/keystoneclient/service_catalog.py index cf85ed7aa..afbefc0ae 100644 --- a/keystoneclient/service_catalog.py +++ b/keystoneclient/service_catalog.py @@ -17,37 +17,73 @@ # limitations under the License. import abc - -import six +import warnings from keystoneclient import exceptions -from keystoneclient import utils +from keystoneclient.i18n import _ + +class ServiceCatalog(object, metaclass=abc.ABCMeta): + """Helper methods for dealing with a Keystone Service Catalog. -@six.add_metaclass(abc.ABCMeta) -class ServiceCatalog(object): - """Helper methods for dealing with a Keystone Service Catalog.""" + .. warning:: + + Setting region_name is deprecated in favor of passing the region name + as a parameter to calls made to the service catalog as of the 1.7.0 + release and may be removed in the 2.0.0 release. + + """ @classmethod def factory(cls, resource_dict, token=None, region_name=None): - """Create ServiceCatalog object given an auth token.""" + """Create ServiceCatalog object given an auth token. + + .. warning:: + + Setting region_name is deprecated in favor of passing the region + name as a parameter to calls made to the service catalog as of the + 1.7.0 release and may be removed in the 2.0.0 release. + + """ if ServiceCatalogV3.is_valid(resource_dict): return ServiceCatalogV3(token, resource_dict, region_name) elif ServiceCatalogV2.is_valid(resource_dict): return ServiceCatalogV2(resource_dict, region_name) else: - raise NotImplementedError('Unrecognized auth response') + raise NotImplementedError(_('Unrecognized auth response')) def __init__(self, region_name=None): + if region_name: + warnings.warn( + 'Setting region_name on the service catalog is deprecated in ' + 'favor of passing the region name as a parameter to calls ' + 'made to the service catalog as of the 1.7.0 release and may ' + 'be removed in the 2.0.0 release.', + DeprecationWarning) + self._region_name = region_name @property def region_name(self): - # FIXME(jamielennox): Having region_name set on the service catalog - # directly is deprecated. It should instead be provided as a parameter - # to calls made to the service_catalog. Provide appropriate warning. + """Region name. + + .. warning:: + + region_name is deprecated in favor of passing the region name as a + parameter to calls made to the service catalog as of the 1.7.0 + release and may be removed in the 2.0.0 release. + + """ + warnings.warn( + 'region_name is deprecated in favor of passing the region name as ' + 'a parameter to calls made to the service catalog as of the 1.7.0 ' + 'release and may be removed in the 2.0.0 release.', + DeprecationWarning) return self._region_name + def _get_endpoint_region(self, endpoint): + return endpoint.get('region_id') or endpoint.get('region') + @abc.abstractmethod def get_token(self): """Fetch token details from service catalog. @@ -61,7 +97,7 @@ def get_token(self): - `domain_id`: Authorized domain's ID """ - raise NotImplementedError() + raise NotImplementedError() # pragma: no cover @abc.abstractmethod def _is_endpoint_type_match(self, endpoint, endpoint_type): @@ -70,6 +106,7 @@ def _is_endpoint_type_match(self, endpoint, endpoint_type): :returns: True if the provided endpoint matches the required endpoint_type otherwise False. """ + pass # pragma: no cover @abc.abstractmethod def _normalize_endpoint_type(self, endpoint_type): @@ -82,6 +119,7 @@ def _normalize_endpoint_type(self, endpoint_type): :returns: the endpoint string in the format appropriate for this service catalog. """ + pass # pragma: no cover def get_endpoints(self, service_type=None, endpoint_type=None, region_name=None, service_name=None): @@ -115,7 +153,7 @@ def get_endpoints(self, service_type=None, endpoint_type=None, if service_name: try: sn = service['name'] - except KeyError: + except KeyError: # nosec(cjschaef) # assume that we're in v3.0-v3.2 and don't have the name in # the catalog. Skip the check. pass @@ -123,22 +161,25 @@ def get_endpoints(self, service_type=None, endpoint_type=None, if service_name != sn: continue - sc[st] = [] + endpoints = sc.setdefault(st, []) for endpoint in service.get('endpoints', []): if (endpoint_type and not self._is_endpoint_type_match(endpoint, endpoint_type)): continue - if region_name and region_name != endpoint.get('region'): + if (region_name and + region_name != self._get_endpoint_region(endpoint)): continue - sc[st].append(endpoint) + endpoints.append(endpoint) return sc def _get_service_endpoints(self, attr, filter_value, service_type, endpoint_type, region_name, service_name): - """Fetch the endpoints of a particular service_type and handle - the filtering. + """Fetch the endpoints of a particular service_type. + + Endpoints returned are also filtered based on the attr and + filter_value provided. """ sc_endpoints = self.get_endpoints(service_type=service_type, endpoint_type=endpoint_type, @@ -150,10 +191,13 @@ def _get_service_endpoints(self, attr, filter_value, service_type, except KeyError: return - # TODO(jamielennox): at least swiftclient is known to set attr and not - # filter_value and expects that to mean that filtering is ignored, so - # we can't check for the presence of attr. This behaviour should be - # deprecated and an appropriate warning provided. + if attr and not filter_value: + warnings.warn( + 'Providing attr without filter_value to get_urls() is ' + 'deprecated as of the 1.7.0 release and may be removed in the ' + '2.0.0 release. Either both should be provided or neither ' + 'should be provided.') + if filter_value: return [endpoint for endpoint in endpoints if endpoint.get(attr) == filter_value] @@ -161,7 +205,6 @@ def _get_service_endpoints(self, attr, filter_value, service_type, return endpoints @abc.abstractmethod - @utils.positional(enforcement=utils.positional.WARN) def get_urls(self, attr=None, filter_value=None, service_type='identity', endpoint_type='publicURL', region_name=None, service_name=None): @@ -183,9 +226,8 @@ def get_urls(self, attr=None, filter_value=None, :returns: tuple of urls or None (if no match found) """ - raise NotImplementedError() + raise NotImplementedError() # pragma: no cover - @utils.positional(3, enforcement=utils.positional.WARN) def url_for(self, attr=None, filter_value=None, service_type='identity', endpoint_type='publicURL', region_name=None, service_name=None): @@ -208,7 +250,7 @@ def url_for(self, attr=None, filter_value=None, """ if not self.get_data(): - raise exceptions.EmptyCatalog('The service catalog is empty.') + raise exceptions.EmptyCatalog(_('The service catalog is empty.')) urls = self.get_urls(attr=attr, filter_value=filter_value, @@ -220,15 +262,33 @@ def url_for(self, attr=None, filter_value=None, try: return urls[0] except Exception: - pass - - msg = '%s endpoint for %s service' % (endpoint_type, service_type) - if service_name: - msg += ' named %s' % service_name - if region_name: - msg += ' in %s region' % region_name - msg += ' not found' - raise exceptions.EndpointNotFound(msg) + if service_name and region_name: + msg = (_('%(endpoint_type)s endpoint for %(service_type)s ' + 'service named %(service_name)s in %(region_name)s ' + 'region not found') % + {'endpoint_type': endpoint_type, + 'service_type': service_type, + 'service_name': service_name, + 'region_name': region_name}) + elif service_name: + msg = (_('%(endpoint_type)s endpoint for %(service_type)s ' + 'service named %(service_name)s not found') % + {'endpoint_type': endpoint_type, + 'service_type': service_type, + 'service_name': service_name}) + elif region_name: + msg = (_('%(endpoint_type)s endpoint for %(service_type)s ' + 'service in %(region_name)s region not found') % + {'endpoint_type': endpoint_type, + 'service_type': service_type, + 'region_name': region_name}) + else: + msg = (_('%(endpoint_type)s endpoint for %(service_type)s ' + 'service not found') % + {'endpoint_type': endpoint_type, + 'service_type': service_type}) + + raise exceptions.EndpointNotFound(msg) @abc.abstractmethod def get_data(self): @@ -239,12 +299,13 @@ def get_data(self): :returns: list containing raw catalog data entries or None """ - raise NotImplementedError() + raise NotImplementedError() # pragma: no cover class ServiceCatalogV2(ServiceCatalog): - """An object for encapsulating the service catalog using raw v2 auth token - from Keystone. + """An object for encapsulating the v2 service catalog. + + The object is created using raw v2 auth token from Keystone. """ def __init__(self, resource_dict, region_name=None): @@ -260,7 +321,7 @@ def is_valid(cls, resource_dict): def _normalize_endpoint_type(self, endpoint_type): if endpoint_type and 'URL' not in endpoint_type: - endpoint_type = endpoint_type + 'URL' + endpoint_type += 'URL' return endpoint_type @@ -276,12 +337,11 @@ def get_token(self): try: token['user_id'] = self.catalog['user']['id'] token['tenant_id'] = self.catalog['token']['tenant']['id'] - except Exception: + except KeyError: # nosec(cjschaef) # just leave the tenant and user out if it doesn't exist pass return token - @utils.positional(enforcement=utils.positional.WARN) def get_urls(self, attr=None, filter_value=None, service_type='identity', endpoint_type='publicURL', region_name=None, service_name=None): @@ -300,8 +360,9 @@ def get_urls(self, attr=None, filter_value=None, class ServiceCatalogV3(ServiceCatalog): - """An object for encapsulating the service catalog using raw v3 auth token - from Keystone. + """An object for encapsulating the v3 service catalog. + + The object is created using raw v3 auth token from Keystone. """ def __init__(self, token, resource_dict, region_name=None): @@ -342,12 +403,11 @@ def get_token(self): project = self.catalog.get('project') if project: token['tenant_id'] = project['id'] - except Exception: + except KeyError: # nosec(cjschaef) # just leave the domain, project and user out if it doesn't exist pass return token - @utils.positional(enforcement=utils.positional.WARN) def get_urls(self, attr=None, filter_value=None, service_type='identity', endpoint_type='public', region_name=None, service_name=None): diff --git a/keystoneclient/session.py b/keystoneclient/session.py index 26b95e1ee..4944d45f6 100644 --- a/keystoneclient/session.py +++ b/keystoneclient/session.py @@ -11,23 +11,35 @@ # under the License. import argparse +import functools +import hashlib import logging import os - -from oslo.config import cfg +import socket +import time +import urllib.parse +import warnings + +from debtcollector import removals +from oslo_config import cfg +from oslo_serialization import jsonutils +from oslo_utils import encodeutils +from oslo_utils import importutils +from oslo_utils import strutils import requests -import six -from six.moves import urllib from keystoneclient import exceptions -from keystoneclient.openstack.common import importutils -from keystoneclient.openstack.common import jsonutils -from keystoneclient import utils +from keystoneclient.i18n import _ osprofiler_web = importutils.try_import("osprofiler.web") USER_AGENT = 'python-keystoneclient' +# NOTE(jamielennox): Clients will likely want to print more than json. Please +# propose a patch if you have a content type you think is reasonable to print +# here and we'll add it to the list as required. +_LOG_CONTENT_TYPES = set(['application/json']) + _logger = logging.getLogger(__name__) @@ -37,10 +49,10 @@ def _positive_non_zero_float(argument_value): try: value = float(argument_value) except ValueError: - msg = "%s must be a float" % argument_value + msg = _("%s must be a float") % argument_value raise argparse.ArgumentTypeError(msg) if value <= 0: - msg = "%s must be greater than 0" % argument_value + msg = _("%s must be greater than 0") % argument_value raise argparse.ArgumentTypeError(msg) return value @@ -49,71 +61,91 @@ def request(url, method='GET', **kwargs): return Session().request(url, method=method, **kwargs) -class _FakeRequestSession(object): - """This object is a temporary hack that should be removed later. +def _remove_service_catalog(body): + try: + data = jsonutils.loads(body) - Keystoneclient has a cyclical dependency with its managers which is - preventing it from being cleaned up correctly. This is always bad but when - we switched to doing connection pooling this object wasn't getting cleaned - either and so we had left over TCP connections hanging around. + # V3 token + if 'token' in data and 'catalog' in data['token']: + data['token']['catalog'] = '' + return jsonutils.dumps(data) - Until we can fix the client cleanup we rollback the use of a requests - session and do individual connections like we used to. - """ + # V2 token + if 'serviceCatalog' in data['access']: + data['access']['serviceCatalog'] = '' + return jsonutils.dumps(data) - def request(self, *args, **kwargs): - return requests.request(*args, **kwargs) + except Exception: # nosec(cjschaef): multiple exceptions can be raised + # Don't fail trying to clean up the request body. + pass + return body class Session(object): + """Maintains client communication state and common functionality. + + As much as possible the parameters to this class reflect and are passed + directly to the requests library. + + :param auth: An authentication plugin to authenticate the session with. + (optional, defaults to None) + :type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin` + :param requests.Session session: A requests session object that can be used + for issuing requests. (optional) + :param string original_ip: The original IP of the requesting user which + will be sent to identity service in a + 'Forwarded' header. (optional) + :param verify: The verification arguments to pass to requests. These are of + the same form as requests expects, so True or False to + verify (or not) against system certificates or a path to a + bundle or CA certs to check against or None for requests to + attempt to locate and use certificates. (optional, defaults + to True) + :param cert: A client certificate to pass to requests. These are of the + same form as requests expects. Either a single filename + containing both the certificate and key or a tuple containing + the path to the certificate then a path to the key. (optional) + :param float timeout: A timeout to pass to requests. This should be a + numerical value indicating some amount (or fraction) + of seconds or 0 for no timeout. (optional, defaults + to 0) + :param string user_agent: A User-Agent header string to use for the + request. If not provided a default is used. + (optional, defaults to 'python-keystoneclient') + :param int/bool redirect: Controls the maximum number of redirections that + can be followed by a request. Either an integer + for a specific count or True/False for + forever/never. (optional, default to 30) + """ user_agent = None - REDIRECT_STATUSES = (301, 302, 303, 305, 307) - DEFAULT_REDIRECT_LIMIT = 30 + _REDIRECT_STATUSES = (301, 302, 303, 305, 307) + + REDIRECT_STATUSES = _REDIRECT_STATUSES + """This property is deprecated as of the 1.7.0 release and may be removed + in the 2.0.0 release.""" + + _DEFAULT_REDIRECT_LIMIT = 30 + + DEFAULT_REDIRECT_LIMIT = _DEFAULT_REDIRECT_LIMIT + """This property is deprecated as of the 1.7.0 release and may be removed + in the 2.0.0 release.""" - @utils.positional(2, enforcement=utils.positional.WARN) def __init__(self, auth=None, session=None, original_ip=None, verify=True, cert=None, timeout=None, user_agent=None, - redirect=DEFAULT_REDIRECT_LIMIT): - """Maintains client communication state and common functionality. - - As much as possible the parameters to this class reflect and are passed - directly to the requests library. - - :param auth: An authentication plugin to authenticate the session with. - (optional, defaults to None) - :param requests.Session session: A requests session object that can be - used for issuing requests. (optional) - :param string original_ip: The original IP of the requesting user - which will be sent to identity service in a - 'Forwarded' header. (optional) - :param verify: The verification arguments to pass to requests. These - are of the same form as requests expects, so True or - False to verify (or not) against system certificates or - a path to a bundle or CA certs to check against or None - for requests to attempt to locate and use certificates. - (optional, defaults to True) - :param cert: A client certificate to pass to requests. These are of the - same form as requests expects. Either a single filename - containing both the certificate and key or a tuple - containing the path to the certificate then a path to the - key. (optional) - :param float timeout: A timeout to pass to requests. This should be a - numerical value indicating some amount - (or fraction) of seconds or 0 for no timeout. - (optional, defaults to 0) - :param string user_agent: A User-Agent header string to use for the - request. If not provided a default is used. - (optional, defaults to - 'python-keystoneclient') - :param int/bool redirect: Controls the maximum number of redirections - that can be followed by a request. Either an - integer for a specific count or True/False - for forever/never. (optional, default to 30) - """ + redirect=_DEFAULT_REDIRECT_LIMIT): + warnings.warn( + 'keystoneclient.session.Session is deprecated as of the 2.1.0 ' + 'release in favor of keystoneauth1.session.Session. It will be ' + 'removed in future releases.', + DeprecationWarning) + if not session: - session = _FakeRequestSession() + session = requests.Session() + # Use TCPKeepAliveAdapter to fix bug 1323862 + for scheme in list(session.adapters): + session.mount(scheme, TCPKeepAliveAdapter()) self.auth = auth self.session = session @@ -130,28 +162,36 @@ def __init__(self, auth=None, session=None, original_ip=None, verify=True, if user_agent is not None: self.user_agent = user_agent - @utils.positional() + @staticmethod + def _process_header(header): + """Redact the secure headers to be logged.""" + secure_headers = ('authorization', 'x-auth-token', + 'x-subject-token', 'x-service-token') + if header[0].lower() in secure_headers: + # hashlib.sha1() bandit nosec, as it is HMAC-SHA1 in + # keystone, which is considered secure (unlike just sha1) + token_hasher = hashlib.sha1() # nosec(lhinds) + token_hasher.update(header[1].encode('utf-8')) + token_hash = token_hasher.hexdigest() + return (header[0], '{SHA1}%s' % token_hash) + return header + def _http_log_request(self, url, method=None, data=None, - json=None, headers=None): - if not _logger.isEnabledFor(logging.DEBUG): + headers=None, logger=_logger): + if not logger.isEnabledFor(logging.DEBUG): # NOTE(morganfainberg): This whole debug section is expensive, # there is no need to do the work if we're not going to emit a # debug log. return - def process_header(header): - secure_headers = ('authorization', 'x-auth-token', - 'x-subject-token',) - if header[0].lower() in secure_headers: - return (header[0], 'TOKEN_REDACTED') - return header - - string_parts = ['REQ: curl -i'] + string_parts = ['REQ: curl -g -i'] # NOTE(jamielennox): None means let requests do its default validation # so we need to actually check that this is False. if self.verify is False: string_parts.append('--insecure') + elif isinstance(self.verify, str): + string_parts.append('--cacert "%s"' % self.verify) if method: string_parts.extend(['-X', method]) @@ -159,47 +199,67 @@ def process_header(header): string_parts.append(url) if headers: - for header in six.iteritems(headers): - string_parts.append('-H "%s: %s"' % process_header(header)) - if json: - data = jsonutils.dumps(json) + for header in headers.items(): + string_parts.append('-H "%s: %s"' + % self._process_header(header)) + if data: + if isinstance(data, bytes): + try: + data = data.decode("ascii") + except UnicodeDecodeError: + data = "" string_parts.append("-d '%s'" % data) - - _logger.debug(' '.join(string_parts)) - - @utils.positional() - def _http_log_response(self, response=None, json=None, - status_code=None, headers=None, text=None): - if not _logger.isEnabledFor(logging.DEBUG): + try: + logger.debug(' '.join(string_parts)) + except UnicodeDecodeError: + logger.debug("Replaced characters that could not be decoded" + " in log output, original caused UnicodeDecodeError") + string_parts = [ + encodeutils.safe_decode( + part, errors='replace') for part in string_parts] + logger.debug(' '.join(string_parts)) + + def _http_log_response(self, response, logger): + if not logger.isEnabledFor(logging.DEBUG): return - if response: - if not status_code: - status_code = response.status_code - if not headers: - headers = response.headers - if not text: - text = response.text - if json: - text = jsonutils.dumps(json) - - string_parts = ['RESP:'] + # NOTE(samueldmq): If the response does not provide enough info about + # the content type to decide whether it is useful and safe to log it + # or not, just do not log the body. Trying to# read the response body + # anyways may result on reading a long stream of bytes and getting an + # unexpected MemoryError. See bug 1616105 for further details. + content_type = response.headers.get('content-type', None) + + # NOTE(lamt): Per [1], the Content-Type header can be of the form + # Content-Type := type "/" subtype *[";" parameter] + # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html + for log_type in _LOG_CONTENT_TYPES: + if content_type is not None and content_type.startswith(log_type): + text = _remove_service_catalog(response.text) + break + else: + text = ('Omitted, Content-Type is set to %s. Only ' + '%s responses have their bodies logged.') + text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES)) - if status_code: - string_parts.append('[%s]' % status_code) - if headers: - string_parts.append('%s' % headers) - if text: - string_parts.append('\nRESP BODY: %s\n' % text) + string_parts = [ + 'RESP:', + '[%s]' % response.status_code + ] + for header in response.headers.items(): + string_parts.append('%s: %s' % self._process_header(header)) + string_parts.append('\nRESP BODY: %s\n' % strutils.mask_password(text)) - _logger.debug(' '.join(string_parts)) + logger.debug(' '.join(string_parts)) - @utils.positional(enforcement=utils.positional.WARN) + # NOTE(artmr): parameter 'original_ip' value is never used def request(self, url, method, json=None, original_ip=None, user_agent=None, redirect=None, authenticated=None, endpoint_filter=None, auth=None, requests_auth=None, - raise_exc=True, allow_reauth=True, log=True, **kwargs): + raise_exc=True, allow_reauth=True, log=True, + endpoint_override=None, connect_retries=0, logger=_logger, + **kwargs): """Send an HTTP request with the specified characteristics. Wrapper around `requests.Session.request` to handle tasks such as @@ -225,6 +285,9 @@ def request(self, url, method, json=None, original_ip=None, can be followed by a request. Either an integer for a specific count or True/False for forever/never. (optional) + :param int connect_retries: the maximum number of retries that should + be attempted for connection errors. + (optional, defaults to 0 - never retry). :param bool authenticated: True if a token should be attached to this request, False if not or None for attach if an auth_plugin is available. @@ -234,14 +297,19 @@ def request(self, url, method, json=None, original_ip=None, endpoint to use for this request. If not provided then URL is expected to be a fully qualified URL. (optional) + :param str endpoint_override: The URL to use instead of looking up the + endpoint in the auth plugin. This will be + ignored if a fully qualified URL is + provided but take priority over an + endpoint_filter. (optional) :param auth: The auth plugin to use when authenticating this request. This will override the plugin that is attached to the session (if any). (optional) - :type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin` + :type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin` :param requests_auth: A requests library auth plugin that cannot be passed via kwarg because the `auth` kwarg collides with our own auth plugins. (optional) - :type requests_auth: :class:`requests.auth.AuthBase` + :type requests_auth: :py:class:`requests.auth.AuthBase` :param bool raise_exc: If True then raise an appropriate exception for failed HTTP requests. If False then return the request object. (optional, default True) @@ -250,30 +318,34 @@ def request(self, url, method, json=None, original_ip=None, response. (optional, default True) :param bool log: If True then log the request and response data to the debug log. (optional, default True) + :param logger: The logger object to use to log request and responses. + If not provided the keystoneclient.session default + logger will be used. + :type logger: logging.Logger :param kwargs: any other parameter that can be passed to requests.Session.request (such as `headers`). Except: 'data' will be overwritten by the data in 'json' param. 'allow_redirects' is ignored as redirects are handled by the session. - :raises exceptions.ClientException: For connection failure, or to - indicate an error response code. + :raises keystoneclient.exceptions.ClientException: For connection + failure, or to indicate an error response code. :returns: The response to the request. """ - headers = kwargs.setdefault('headers', dict()) if authenticated is None: authenticated = bool(auth or self.auth) if authenticated: - token = self.get_token(auth) + auth_headers = self.get_auth_headers(auth) - if not token: - raise exceptions.AuthorizationFailure("No token Available") + if auth_headers is None: + msg = _('No valid authentication is available') + raise exceptions.AuthorizationFailure(msg) - headers['X-Auth-Token'] = token + headers.update(auth_headers) if osprofiler_web: headers.update(osprofiler_web.get_trace_id_headers()) @@ -282,12 +354,19 @@ def request(self, url, method, json=None, original_ip=None, # should ignore the filter. This will make it easier for clients who # want to overrule the default endpoint_filter data added to all client # requests. We check fully qualified here by the presence of a host. - url_data = urllib.parse.urlparse(url) - if endpoint_filter and not url_data.netloc: - base_url = self.get_endpoint(auth, **endpoint_filter) + if not urllib.parse.urlparse(url).netloc: + base_url = None + + if endpoint_override: + base_url = endpoint_override + elif endpoint_filter: + base_url = self.get_endpoint(auth, **endpoint_filter) if not base_url: - raise exceptions.EndpointNotFound() + service_type = (endpoint_filter or {}).get('service_type', + 'unknown') + msg = _('Endpoint for %s service') % service_type + raise exceptions.EndpointNotFound(msg) url = '%s/%s' % (base_url.rstrip('/'), url.lstrip('/')) @@ -320,7 +399,8 @@ def request(self, url, method, json=None, original_ip=None, if log: self._http_log_request(url, method=method, data=kwargs.get('data'), - headers=headers) + headers=headers, + logger=logger) # Force disable requests redirect handling. We will manage this below. kwargs['allow_redirects'] = False @@ -328,47 +408,85 @@ def request(self, url, method, json=None, original_ip=None, if redirect is None: redirect = self.redirect - resp = self._send_request(url, method, redirect, log, **kwargs) + send = functools.partial(self._send_request, + url, method, redirect, log, logger, + connect_retries) + + try: + connection_params = self.get_auth_connection_params(auth=auth) + except exceptions.MissingAuthPlugin: # nosec(cjschaef) + # NOTE(jamielennox): If we've gotten this far without an auth + # plugin then we should be happy with allowing no additional + # connection params. This will be the typical case for plugins + # anyway. + pass + else: + if connection_params: + kwargs.update(connection_params) + + resp = send(**kwargs) # handle getting a 401 Unauthorized response by invalidating the plugin # and then retrying the request. This is only tried once. if resp.status_code == 401 and authenticated and allow_reauth: if self.invalidate(auth): - token = self.get_token(auth) - if token: - headers['X-Auth-Token'] = token - resp = self._send_request(url, method, redirect, log, - **kwargs) + auth_headers = self.get_auth_headers(auth) + + if auth_headers is not None: + headers.update(auth_headers) + resp = send(**kwargs) if raise_exc and resp.status_code >= 400: - _logger.debug('Request returned failure status: %s', - resp.status_code) + logger.debug('Request returned failure status: %s', + resp.status_code) raise exceptions.from_response(resp, method, url) return resp - def _send_request(self, url, method, redirect, log, **kwargs): + def _send_request(self, url, method, redirect, log, logger, + connect_retries, connect_retry_delay=0.5, **kwargs): # NOTE(jamielennox): We handle redirection manually because the # requests lib follows some browser patterns where it will redirect # POSTs as GETs for certain statuses which is not want we want for an # API. See: https://en.wikipedia.org/wiki/Post/Redirect/Get + # NOTE(jamielennox): The interaction between retries and redirects are + # handled naively. We will attempt only a maximum number of retries and + # redirects rather than per request limits. Otherwise the extreme case + # could be redirects * retries requests. This will be sufficient in + # most cases and can be fixed properly if there's ever a need. + try: - resp = self.session.request(method, url, **kwargs) - except requests.exceptions.SSLError: - msg = 'SSL exception connecting to %s' % url - raise exceptions.SSLError(msg) - except requests.exceptions.Timeout: - msg = 'Request to %s timed out' % url - raise exceptions.RequestTimeout(msg) - except requests.exceptions.ConnectionError: - msg = 'Unable to establish connection to %s' % url - raise exceptions.ConnectionRefused(msg) + try: + resp = self.session.request(method, url, **kwargs) + except requests.exceptions.SSLError as e: + msg = _('SSL exception connecting to %(url)s: ' + '%(error)s') % {'url': url, 'error': e} + raise exceptions.SSLError(msg) + except requests.exceptions.Timeout: + msg = _('Request to %s timed out') % url + raise exceptions.RequestTimeout(msg) + except requests.exceptions.ConnectionError: + msg = _('Unable to establish connection to %s') % url + raise exceptions.ConnectionRefused(msg) + except (exceptions.RequestTimeout, exceptions.ConnectionRefused) as e: + if connect_retries <= 0: + raise + + logger.info('Failure: %(e)s. Retrying in %(delay).1fs.', + {'e': e, 'delay': connect_retry_delay}) + time.sleep(connect_retry_delay) + + return self._send_request( + url, method, redirect, log, logger, + connect_retries=connect_retries - 1, + connect_retry_delay=connect_retry_delay * 2, + **kwargs) if log: - self._http_log_response(response=resp) + self._http_log_response(resp, logger) - if resp.status_code in self.REDIRECT_STATUSES: + if resp.status_code in self._REDIRECT_STATUSES: # be careful here in python True == 1 and False == 0 if isinstance(redirect, bool): redirect_allowed = redirect @@ -382,11 +500,15 @@ def _send_request(self, url, method, redirect, log, **kwargs): try: location = resp.headers['location'] except KeyError: - _logger.warn("Failed to redirect request to %s as new " - "location was not provided.", resp.url) + logger.warning("Failed to redirect request to %s as new " + "location was not provided.", resp.url) else: - new_resp = self._send_request(location, method, redirect, log, - **kwargs) + # NOTE(jamielennox): We don't pass through connect_retry_delay. + # This request actually worked so we can reset the delay count. + new_resp = self._send_request( + location, method, redirect, log, logger, + connect_retries=connect_retries, + **kwargs) if not isinstance(new_resp.history, list): new_resp.history = list(new_resp.history) @@ -396,44 +518,89 @@ def _send_request(self, url, method, redirect, log, **kwargs): return resp def head(self, url, **kwargs): + """Perform a HEAD request. + + This calls :py:meth:`.request()` with ``method`` set to ``HEAD``. + + """ return self.request(url, 'HEAD', **kwargs) def get(self, url, **kwargs): + """Perform a GET request. + + This calls :py:meth:`.request()` with ``method`` set to ``GET``. + + """ return self.request(url, 'GET', **kwargs) def post(self, url, **kwargs): + """Perform a POST request. + + This calls :py:meth:`.request()` with ``method`` set to ``POST``. + + """ return self.request(url, 'POST', **kwargs) def put(self, url, **kwargs): + """Perform a PUT request. + + This calls :py:meth:`.request()` with ``method`` set to ``PUT``. + + """ return self.request(url, 'PUT', **kwargs) def delete(self, url, **kwargs): + """Perform a DELETE request. + + This calls :py:meth:`.request()` with ``method`` set to ``DELETE``. + + """ return self.request(url, 'DELETE', **kwargs) def patch(self, url, **kwargs): + """Perform a PATCH request. + + This calls :py:meth:`.request()` with ``method`` set to ``PATCH``. + + """ return self.request(url, 'PATCH', **kwargs) @classmethod def construct(cls, kwargs): - """Handles constructing a session from the older HTTPClient args as - well as the new request style arguments. + """Handle constructing a session from both old and new arguments. - *DEPRECATED*: This function is purely for bridging the gap between - older client arguments and the session arguments that they relate to. - It is not intended to be used as a generic Session Factory. + Support constructing a session from the old + :py:class:`~keystoneclient.httpclient.HTTPClient` args as well as the + new request-style arguments. + + .. warning:: + + *DEPRECATED as of 1.7.0*: This function is purely for bridging the + gap between older client arguments and the session arguments that + they relate to. It is not intended to be used as a generic Session + Factory. This function may be removed in the 2.0.0 release. This function purposefully modifies the input kwargs dictionary so that the remaining kwargs dict can be reused and passed on to other - functionswithout session arguments. + functions without session arguments. """ + warnings.warn( + 'Session.construct() is deprecated as of the 1.7.0 release in ' + 'favor of using session constructor and may be removed in the ' + '2.0.0 release.', DeprecationWarning) + return cls._construct(kwargs) + + @classmethod + def _construct(cls, kwargs): params = {} for attr in ('verify', 'cacert', 'cert', 'key', 'insecure', 'timeout', 'session', 'original_ip', 'user_agent'): try: params[attr] = kwargs.pop(attr) - except KeyError: + except KeyError: # nosec(cjschaef): we are brute force + # identifying possible attributes for kwargs pass return cls._make(**params) @@ -454,70 +621,191 @@ def _make(cls, insecure=False, verify=None, cacert=None, cert=None, verify = cacert or True if cert and key: - # passing cert and key together is deprecated in favour of the - # requests lib form of having the cert and key as a tuple + warnings.warn( + 'Passing cert and key together is deprecated as of the 1.7.0 ' + 'release in favor of the requests library form of having the ' + 'cert and key as a tuple and may be removed in the 2.0.0 ' + 'release.', DeprecationWarning) cert = (cert, key) return cls(verify=verify, cert=cert, **kwargs) + def _auth_required(self, auth, msg): + if not auth: + auth = self.auth + + if not auth: + raise exceptions.MissingAuthPlugin(msg) + + return auth + + def get_auth_headers(self, auth=None, **kwargs): + """Return auth headers as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin + on the session. (optional) + :type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin` + + :raises keystoneclient.exceptions.AuthorizationFailure: if a new token + fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: if a plugin is not + available. + + :returns: Authentication headers or None for failure. + :rtype: dict + """ + msg = _('An auth plugin is required to fetch a token') + auth = self._auth_required(auth, msg) + return auth.get_headers(self, **kwargs) + + @removals.remove(message='Use get_auth_headers instead.', version='1.7.0', + removal_version='2.0.0') def get_token(self, auth=None): """Return a token as provided by the auth plugin. :param auth: The auth plugin to use for token. Overrides the plugin on the session. (optional) - :type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin` + :type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin` - :raises AuthorizationFailure: if a new token fetch fails. + :raises keystoneclient.exceptions.AuthorizationFailure: if a new token + fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: if a plugin is not + available. - :returns string: A valid token. - """ - if not auth: - auth = self.auth + .. warning:: - if not auth: - raise exceptions.MissingAuthPlugin("Token Required") + This method is deprecated as of the 1.7.0 release in favor of + :meth:`get_auth_headers` and may be removed in the 2.0.0 release. + This method assumes that the only header that is used to + authenticate a message is 'X-Auth-Token' which may not be correct. - try: - return auth.get_token(self) - except exceptions.HttpError as exc: - raise exceptions.AuthorizationFailure("Authentication failure: " - "%s" % exc) + :returns: A valid token. + :rtype: string + """ + return (self.get_auth_headers(auth) or {}).get('X-Auth-Token') def get_endpoint(self, auth=None, **kwargs): """Get an endpoint as provided by the auth plugin. :param auth: The auth plugin to use for token. Overrides the plugin on the session. (optional) - :type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin` + :type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin` - :raises MissingAuthPlugin: if a plugin is not available. + :raises keystoneclient.exceptions.MissingAuthPlugin: if a plugin is not + available. - :returns string: An endpoint if available or None. + :returns: An endpoint if available or None. + :rtype: string """ - if not auth: - auth = self.auth + msg = _('An auth plugin is required to determine endpoint URL') + auth = self._auth_required(auth, msg) + return auth.get_endpoint(self, **kwargs) - if not auth: - raise exceptions.MissingAuthPlugin('An auth plugin is required to ' - 'determine the endpoint URL.') + def get_auth_connection_params(self, auth=None, **kwargs): + """Return auth connection params as provided by the auth plugin. - return auth.get_endpoint(self, **kwargs) + An auth plugin may specify connection parameters to the request like + providing a client certificate for communication. + + We restrict the values that may be returned from this function to + prevent an auth plugin overriding values unrelated to connection + parameters. The values that are currently accepted are: + + - `cert`: a path to a client certificate, or tuple of client + certificate and key pair that are used with this request. + - `verify`: a boolean value to indicate verifying SSL certificates + against the system CAs or a path to a CA file to verify with. + + These values are passed to the requests library and further information + on accepted values may be found there. + + :param auth: The auth plugin to use for tokens. Overrides the plugin + on the session. (optional) + :type auth: keystoneclient.auth.base.BaseAuthPlugin + + :raises keystoneclient.exceptions.AuthorizationFailure: if a new token + fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: if a plugin is not + available. + :raises keystoneclient.exceptions.UnsupportedParameters: if the plugin + returns a parameter that is not supported by this session. + + :returns: Authentication headers or None for failure. + :rtype: dict + """ + msg = _('An auth plugin is required to fetch connection params') + auth = self._auth_required(auth, msg) + params = auth.get_connection_params(self, **kwargs) + + # NOTE(jamielennox): There needs to be some consensus on what + # parameters are allowed to be modified by the auth plugin here. + # Ideally I think it would be only the send() parts of the request + # flow. For now lets just allow certain elements. + params_copy = params.copy() + + for arg in ('cert', 'verify'): + try: + kwargs[arg] = params_copy.pop(arg) + except KeyError: # nosec(cjschaef): we are brute force + # identifying and removing values in params_copy + pass + + if params_copy: + raise exceptions.UnsupportedParameters(list(params_copy)) + + return params def invalidate(self, auth=None): """Invalidate an authentication plugin. - """ - if not auth: - auth = self.auth - if not auth: - msg = 'Auth plugin not available to invalidate' - raise exceptions.MissingAuthPlugin(msg) + :param auth: The auth plugin to invalidate. Overrides the plugin on the + session. (optional) + :type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin` + """ + msg = _('An auth plugin is required to validate') + auth = self._auth_required(auth, msg) return auth.invalidate() - @utils.positional.classmethod() + def get_user_id(self, auth=None): + """Return the authenticated user_id as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin + on the session. (optional) + :type auth: keystoneclient.auth.base.BaseAuthPlugin + + :raises keystoneclient.exceptions.AuthorizationFailure: + if a new token fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: + if a plugin is not available. + + :returns string: Current user_id or None if not supported by plugin. + """ + msg = _('An auth plugin is required to get user_id') + auth = self._auth_required(auth, msg) + return auth.get_user_id(self) + + def get_project_id(self, auth=None): + """Return the authenticated project_id as provided by the auth plugin. + + :param auth: The auth plugin to use for token. Overrides the plugin + on the session. (optional) + :type auth: keystoneclient.auth.base.BaseAuthPlugin + + :raises keystoneclient.exceptions.AuthorizationFailure: + if a new token fetch fails. + :raises keystoneclient.exceptions.MissingAuthPlugin: + if a plugin is not available. + + :returns string: Current project_id or None if not supported by plugin. + """ + msg = _('An auth plugin is required to get project_id') + auth = self._auth_required(auth, msg) + return auth.get_project_id(self) + + @classmethod def get_conf_options(cls, deprecated_opts=None): - """Get the oslo.config options that are needed for a session. + """Get oslo_config options that are needed for a :py:class:`.Session`. These may be useful without being registered for config file generation or to manipulate the options before registering them yourself. @@ -530,17 +818,17 @@ def get_conf_options(cls, deprecated_opts=None): :timeout: The max time to wait for HTTP connections. :param dict deprecated_opts: Deprecated options that should be included - in the definition of new options. This should be a dictionary from - the name of the new option to a list of oslo.DeprecatedOpts that + in the definition of new options. This should be a dict from the + name of the new option to a list of oslo.DeprecatedOpts that correspond to the new option. (optional) - Example to support the 'ca_file' option pointing to the new - 'cafile' option name:: + For example, to support the ``ca_file`` option pointing to the new + ``cafile`` option name:: - old_opt = oslo.cfg.DeprecatedOpt('ca_file', 'old_group') + old_opt = oslo_cfg.DeprecatedOpt('ca_file', 'old_group') deprecated_opts={'cafile': [old_opt]} - :returns: A list of oslo.config options. + :returns: A list of oslo_config options. """ if deprecated_opts is None: deprecated_opts = {} @@ -564,9 +852,9 @@ def get_conf_options(cls, deprecated_opts=None): help='Timeout value for http requests'), ] - @utils.positional.classmethod() + @classmethod def register_conf_options(cls, conf, group, deprecated_opts=None): - """Register the oslo.config options that are needed for a session. + """Register the oslo_config options that are needed for a session. The options that are set are: :cafile: The certificate authority filename. @@ -575,17 +863,17 @@ def register_conf_options(cls, conf, group, deprecated_opts=None): :insecure: Whether to ignore SSL verification. :timeout: The max time to wait for HTTP connections. - :param oslo.config.Cfg conf: config object to register with. + :param oslo_config.Cfg conf: config object to register with. :param string group: The ini group to register options in. :param dict deprecated_opts: Deprecated options that should be included - in the definition of new options. This should be a dictionary from - the name of the new option to a list of oslo.DeprecatedOpts that + in the definition of new options. This should be a dict from the + name of the new option to a list of oslo.DeprecatedOpts that correspond to the new option. (optional) - Example to support the 'ca_file' option pointing to the new - 'cafile' option name:: + For example, to support the ``ca_file`` option pointing to the new + ``cafile`` option name:: - old_opt = oslo.cfg.DeprecatedOpt('ca_file', 'old_group') + old_opt = oslo_cfg.DeprecatedOpt('ca_file', 'old_group') deprecated_opts={'cafile': [old_opt]} :returns: The list of options that was registered. @@ -597,23 +885,24 @@ def register_conf_options(cls, conf, group, deprecated_opts=None): @classmethod def load_from_conf_options(cls, conf, group, **kwargs): - """Create a session object from an oslo.config object. + """Create a session object from an oslo_config object. The options must have been previously registered with register_conf_options. - :param oslo.config.Cfg conf: config object to register with. + :param oslo_config.Cfg conf: config object to register with. :param string group: The ini group to register options in. :param dict kwargs: Additional parameters to pass to session construction. :returns: A new session object. + :rtype: :py:class:`.Session` """ c = conf[group] kwargs['insecure'] = c.insecure kwargs['cacert'] = c.cafile - kwargs['cert'] = c.certfile - kwargs['key'] = c.keyfile + if c.certfile and c.keyfile: + kwargs['cert'] = (c.certfile, c.keyfile) kwargs['timeout'] = c.timeout return cls._make(**kwargs) @@ -658,18 +947,71 @@ def register_cli_options(parser): @classmethod def load_from_cli_options(cls, args, **kwargs): - """Create a session object from CLI arguments. + """Create a :py:class:`.Session` object from CLI arguments. - The CLI arguments must have been registered with register_cli_options. + The CLI arguments must have been registered with + :py:meth:`.register_cli_options`. :param Namespace args: result of parsed arguments. :returns: A new session object. + :rtype: :py:class:`.Session` """ kwargs['insecure'] = args.insecure kwargs['cacert'] = args.os_cacert - kwargs['cert'] = args.os_cert - kwargs['key'] = args.os_key + if args.os_cert and args.os_key: + kwargs['cert'] = (args.os_cert, args.os_key) kwargs['timeout'] = args.timeout return cls._make(**kwargs) + + +class TCPKeepAliveAdapter(requests.adapters.HTTPAdapter): + """The custom adapter used to set TCP Keep-Alive on all connections. + + This Adapter also preserves the default behaviour of Requests which + disables Nagle's Algorithm. See also: + http://blogs.msdn.com/b/windowsazurestorage/archive/2010/06/25/nagle-s-algorithm-is-not-friendly-towards-small-requests.aspx + """ + + def init_poolmanager(self, *args, **kwargs): + if 'socket_options' not in kwargs: + socket_options = [ + # Keep Nagle's algorithm off + (socket.IPPROTO_TCP, socket.TCP_NODELAY, 1), + # Turn on TCP Keep-Alive + (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1), + ] + + # Some operating systems (e.g., OSX) do not support setting + # keepidle + if hasattr(socket, 'TCP_KEEPIDLE'): + socket_options += [ + # Wait 60 seconds before sending keep-alive probes + (socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, 60) + ] + + # TODO(claudiub): Windows does not contain the TCP_KEEPCNT and + # TCP_KEEPINTVL socket attributes. Instead, it contains + # SIO_KEEPALIVE_VALS, which can be set via ioctl, which should be + # set once it is available in requests. + # https://msdn.microsoft.com/en-us/library/dd877220%28VS.85%29.aspx + if hasattr(socket, 'TCP_KEEPCNT'): + socket_options += [ + # Set the maximum number of keep-alive probes + (socket.IPPROTO_TCP, socket.TCP_KEEPCNT, 4) + ] + + if hasattr(socket, 'TCP_KEEPINTVL'): + socket_options += [ + # Send keep-alive probes every 15 seconds + (socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, 15) + ] + + # After waiting 60 seconds, and then sending a probe once every 15 + # seconds 4 times, these options should ensure that a connection + # hands for no longer than 2 minutes before a ConnectionError is + # raised. + + kwargs['socket_options'] = socket_options + super(TCPKeepAliveAdapter, self).init_poolmanager(*args, **kwargs) diff --git a/keystoneclient/shell.py b/keystoneclient/shell.py deleted file mode 100644 index 61b93e958..000000000 --- a/keystoneclient/shell.py +++ /dev/null @@ -1,469 +0,0 @@ -# Copyright 2010 Jacob Kaplan-Moss -# Copyright 2011 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Pending deprecation: Command-line interface to the OpenStack Identity API. - -This CLI is pending deprecation in favor of python-openstackclient. For a -Python library, continue using python-keystoneclient. - -""" - -from __future__ import print_function - -import argparse -import getpass -import logging -import os -import sys - -import six - -import keystoneclient -from keystoneclient import access -from keystoneclient.contrib.bootstrap import shell as shell_bootstrap -from keystoneclient import exceptions as exc -from keystoneclient.generic import shell as shell_generic -from keystoneclient.openstack.common import strutils -from keystoneclient import session -from keystoneclient import utils -from keystoneclient.v2_0 import shell as shell_v2_0 - - -def env(*vars, **kwargs): - """Search for the first defined of possibly many env vars - - Returns the first environment variable defined in vars, or - returns the default defined in kwargs. - - """ - for v in vars: - value = os.environ.get(v) - if value: - return value - return kwargs.get('default', '') - - -class OpenStackIdentityShell(object): - - def __init__(self, parser_class=argparse.ArgumentParser): - self.parser_class = parser_class - - def get_base_parser(self): - parser = self.parser_class( - prog='keystone', - description=__doc__.strip(), - epilog='See "keystone help COMMAND" ' - 'for help on a specific command.', - add_help=False, - formatter_class=OpenStackHelpFormatter, - ) - - # Global arguments - parser.add_argument('-h', - '--help', - action='store_true', - help=argparse.SUPPRESS) - - parser.add_argument('--version', - action='version', - version=keystoneclient.__version__, - help="Shows the client version and exits.") - - parser.add_argument('--debug', - default=False, - action='store_true', - help="Prints debugging output onto the console, " - "this includes the curl request and response " - "calls. Helpful for debugging and " - "understanding the API calls.") - - parser.add_argument('--os-username', - metavar='', - default=env('OS_USERNAME'), - help='Name used for authentication with the ' - 'OpenStack Identity service. ' - 'Defaults to env[OS_USERNAME].') - parser.add_argument('--os_username', - help=argparse.SUPPRESS) - - parser.add_argument('--os-password', - metavar='', - default=env('OS_PASSWORD'), - help='Password used for authentication with the ' - 'OpenStack Identity service. ' - 'Defaults to env[OS_PASSWORD].') - parser.add_argument('--os_password', - help=argparse.SUPPRESS) - - parser.add_argument('--os-tenant-name', - metavar='', - default=env('OS_TENANT_NAME'), - help='Tenant to request authorization on. ' - 'Defaults to env[OS_TENANT_NAME].') - parser.add_argument('--os_tenant_name', - help=argparse.SUPPRESS) - - parser.add_argument('--os-tenant-id', - metavar='', - default=env('OS_TENANT_ID'), - help='Tenant to request authorization on. ' - 'Defaults to env[OS_TENANT_ID].') - parser.add_argument('--os_tenant_id', - help=argparse.SUPPRESS) - - parser.add_argument('--os-auth-url', - metavar='', - default=env('OS_AUTH_URL'), - help='Specify the Identity endpoint to use for ' - 'authentication. ' - 'Defaults to env[OS_AUTH_URL].') - parser.add_argument('--os_auth_url', - help=argparse.SUPPRESS) - - parser.add_argument('--os-region-name', - metavar='', - default=env('OS_REGION_NAME'), - help='Specify the region to use. ' - 'Defaults to env[OS_REGION_NAME].') - parser.add_argument('--os_region_name', - help=argparse.SUPPRESS) - - parser.add_argument('--os-identity-api-version', - metavar='', - default=env('OS_IDENTITY_API_VERSION', - 'KEYSTONE_VERSION'), - help='Specify Identity API version to use. ' - 'Defaults to env[OS_IDENTITY_API_VERSION]' - ' or 2.0.') - parser.add_argument('--os_identity_api_version', - help=argparse.SUPPRESS) - - parser.add_argument('--os-token', - metavar='', - default=env('OS_SERVICE_TOKEN'), - help='Specify an existing token to use instead of ' - 'retrieving one via authentication (e.g. ' - 'with username & password). ' - 'Defaults to env[OS_SERVICE_TOKEN].') - - parser.add_argument('--os-endpoint', - metavar='', - default=env('OS_SERVICE_ENDPOINT'), - help='Specify an endpoint to use instead of ' - 'retrieving one from the service catalog ' - '(via authentication). ' - 'Defaults to env[OS_SERVICE_ENDPOINT].') - - parser.add_argument('--os-cache', - default=env('OS_CACHE', default=False), - action='store_true', - help='Use the auth token cache. ' - 'Defaults to env[OS_CACHE].') - parser.add_argument('--os_cache', - help=argparse.SUPPRESS) - - parser.add_argument('--force-new-token', - default=False, - action="store_true", - dest='force_new_token', - help="If the keyring is available and in use, " - "token will always be stored and fetched " - "from the keyring until the token has " - "expired. Use this option to request a " - "new token and replace the existing one " - "in the keyring.") - - parser.add_argument('--stale-duration', - metavar='', - default=access.STALE_TOKEN_DURATION, - dest='stale_duration', - help="Stale duration (in seconds) used to " - "determine whether a token has expired " - "when retrieving it from keyring. This " - "is useful in mitigating process or " - "network delays. Default is %s seconds." % - access.STALE_TOKEN_DURATION) - - session.Session.register_cli_options(parser) - - parser.add_argument('--os_cacert', help=argparse.SUPPRESS) - parser.add_argument('--os_key', help=argparse.SUPPRESS) - parser.add_argument('--os_cert', help=argparse.SUPPRESS) - - return parser - - def get_subcommand_parser(self, version): - parser = self.get_base_parser() - - self.subcommands = {} - subparsers = parser.add_subparsers(metavar='') - - try: - actions_module = { - '2.0': shell_v2_0, - }[version] - except KeyError: - actions_module = shell_v2_0 - - self._find_actions(subparsers, actions_module) - self._find_actions(subparsers, shell_generic) - self._find_actions(subparsers, shell_bootstrap) - self._find_actions(subparsers, self) - self._add_bash_completion_subparser(subparsers) - - return parser - - def _add_bash_completion_subparser(self, subparsers): - subparser = subparsers.add_parser( - 'bash_completion', - add_help=False, - formatter_class=OpenStackHelpFormatter - ) - self.subcommands['bash_completion'] = subparser - subparser.set_defaults(func=self.do_bash_completion) - - def _find_actions(self, subparsers, actions_module): - for attr in (a for a in dir(actions_module) if a.startswith('do_')): - # I prefer to be hyphen-separated instead of underscores. - command = attr[3:].replace('_', '-') - callback = getattr(actions_module, attr) - desc = callback.__doc__ or '' - help = desc.strip().split('\n')[0] - arguments = getattr(callback, 'arguments', []) - - subparser = subparsers.add_parser( - command, - help=help, - description=desc, - add_help=False, - formatter_class=OpenStackHelpFormatter) - subparser.add_argument('-h', '--help', action='help', - help=argparse.SUPPRESS) - self.subcommands[command] = subparser - group = subparser.add_argument_group(title='Arguments') - for (args, kwargs) in arguments: - group.add_argument(*args, **kwargs) - subparser.set_defaults(func=callback) - - def auth_check(self, args): - if args.os_token or args.os_endpoint: - if not args.os_token: - raise exc.CommandError( - 'Expecting a token provided via either --os-token or ' - 'env[OS_SERVICE_TOKEN]') - - if not args.os_endpoint: - raise exc.CommandError( - 'Expecting an endpoint provided via either ' - '--os-endpoint or env[OS_SERVICE_ENDPOINT]') - - # user supplied a token and endpoint and at least one other cred - if args.os_username or args.os_password or args.os_auth_url: - msg = ('WARNING: Bypassing authentication using a token & ' - 'endpoint (authentication credentials are being ' - 'ignored).') - print(msg) - - else: - if not args.os_auth_url: - raise exc.CommandError( - 'Expecting an auth URL via either --os-auth-url or ' - 'env[OS_AUTH_URL]') - - if args.os_username or args.os_password: - if not args.os_username: - raise exc.CommandError( - 'Expecting a username provided via either ' - '--os-username or env[OS_USERNAME]') - - if not args.os_password: - # No password, If we've got a tty, try prompting for it - if hasattr(sys.stdin, 'isatty') and sys.stdin.isatty(): - # Check for Ctl-D - try: - args.os_password = getpass.getpass('OS Password: ') - except EOFError: - pass - # No password because we didn't have a tty or the - # user Ctl-D when prompted? - if not args.os_password: - raise exc.CommandError( - 'Expecting a password provided via either ' - '--os-password, env[OS_PASSWORD], or ' - 'prompted response') - - else: - raise exc.CommandError('Expecting authentication method via' - '\n either a service token, ' - '--os-token or env[OS_SERVICE_TOKEN], ' - '\n credentials, ' - '--os-username or env[OS_USERNAME]') - - def main(self, argv): - # Parse args once to find version - parser = self.get_base_parser() - (options, args) = parser.parse_known_args(argv) - - # build available subcommands based on version - api_version = options.os_identity_api_version - subcommand_parser = self.get_subcommand_parser(api_version) - self.parser = subcommand_parser - - # Handle top-level --help/-h before attempting to parse - # a command off the command line - if not argv or options.help: - self.do_help(options) - return 0 - - # Parse args again and call whatever callback was selected - args = subcommand_parser.parse_args(argv) - - # Short-circuit and deal with help command right away. - if args.func == self.do_help: - self.do_help(args) - return 0 - elif args.func == self.do_bash_completion: - self.do_bash_completion(args) - return 0 - - if args.debug: - logging_level = logging.DEBUG - iso_logger = logging.getLogger('iso8601') - iso_logger.setLevel('WARN') - else: - logging_level = logging.WARNING - - logging.basicConfig(level=logging_level) - - # TODO(heckj): supporting backwards compatibility with environment - # variables. To be removed after DEVSTACK is updated, ideally in - # the Grizzly release cycle. - args.os_token = args.os_token or env('SERVICE_TOKEN') - args.os_endpoint = args.os_endpoint or env('SERVICE_ENDPOINT') - - if utils.isunauthenticated(args.func): - self.cs = shell_generic.CLIENT_CLASS(endpoint=args.os_auth_url, - cacert=args.os_cacert, - key=args.os_key, - cert=args.os_cert, - insecure=args.insecure, - timeout=args.timeout) - else: - self.auth_check(args) - token = None - if args.os_token and args.os_endpoint: - token = args.os_token - api_version = options.os_identity_api_version - self.cs = self.get_api_class(api_version)( - username=args.os_username, - tenant_name=args.os_tenant_name, - tenant_id=args.os_tenant_id, - token=token, - endpoint=args.os_endpoint, - password=args.os_password, - auth_url=args.os_auth_url, - region_name=args.os_region_name, - cacert=args.os_cacert, - key=args.os_key, - cert=args.os_cert, - insecure=args.insecure, - debug=args.debug, - use_keyring=args.os_cache, - force_new_token=args.force_new_token, - stale_duration=args.stale_duration, - timeout=args.timeout) - - try: - args.func(self.cs, args) - except exc.Unauthorized: - raise exc.CommandError("Invalid OpenStack Identity credentials.") - except exc.AuthorizationFailure: - raise exc.CommandError("Unable to authorize user") - - def get_api_class(self, version): - try: - return { - "2.0": shell_v2_0.CLIENT_CLASS, - }[version] - except KeyError: - if version: - msg = ('WARNING: unsupported identity-api-version %s, ' - 'falling back to 2.0' % version) - print(msg) - return shell_v2_0.CLIENT_CLASS - - def do_bash_completion(self, args): - """Prints all of the commands and options to stdout. - - The keystone.bash_completion script doesn't have to hard code them. - """ - commands = set() - options = set() - for sc_str, sc in self.subcommands.items(): - commands.add(sc_str) - for option in list(sc._optionals._option_string_actions): - options.add(option) - - commands.remove('bash-completion') - commands.remove('bash_completion') - print(' '.join(commands | options)) - - @utils.arg('command', metavar='', nargs='?', - help='Display help for .') - def do_help(self, args): - """Display help about this program or one of its subcommands.""" - if getattr(args, 'command', None): - if args.command in self.subcommands: - self.subcommands[args.command].print_help() - else: - raise exc.CommandError("'%s' is not a valid subcommand" % - args.command) - else: - self.parser.print_help() - - -# I'm picky about my shell help. -class OpenStackHelpFormatter(argparse.HelpFormatter): - INDENT_BEFORE_ARGUMENTS = 6 - MAX_WIDTH_ARGUMENTS = 32 - - def add_arguments(self, actions): - for action in filter(lambda x: not x.option_strings, actions): - for choice in action.choices: - length = len(choice) + self.INDENT_BEFORE_ARGUMENTS - if(length > self._max_help_position and - length <= self.MAX_WIDTH_ARGUMENTS): - self._max_help_position = length - super(OpenStackHelpFormatter, self).add_arguments(actions) - - def start_section(self, heading): - # Title-case the headings - heading = '%s%s' % (heading[0].upper(), heading[1:]) - super(OpenStackHelpFormatter, self).start_section(heading) - - -def main(): - try: - OpenStackIdentityShell().main(sys.argv[1:]) - - except Exception as e: - print(strutils.safe_encode(six.text_type(e)), file=sys.stderr) - sys.exit(1) - - -if __name__ == "__main__": - sys.exit(main()) diff --git a/keystoneclient/tests/auth/utils.py b/keystoneclient/tests/auth/utils.py deleted file mode 100644 index 5cc7011d7..000000000 --- a/keystoneclient/tests/auth/utils.py +++ /dev/null @@ -1,83 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import functools - -import mock -from oslo.config import cfg -import six - -from keystoneclient.auth import base -from keystoneclient.tests import utils - - -class MockPlugin(base.BaseAuthPlugin): - - INT_DESC = 'test int' - FLOAT_DESC = 'test float' - BOOL_DESC = 'test bool' - - def __init__(self, **kwargs): - self._data = kwargs - - def __getitem__(self, key): - return self._data[key] - - def get_token(self, *args, **kwargs): - return 'aToken' - - def get_endpoint(self, *args, **kwargs): - return 'http://test' - - @classmethod - def get_options(cls): - return [ - cfg.IntOpt('a-int', default='3', help=cls.INT_DESC), - cfg.BoolOpt('a-bool', help=cls.BOOL_DESC), - cfg.FloatOpt('a-float', help=cls.FLOAT_DESC), - ] - - -class MockManager(object): - - def __init__(self, driver): - self.driver = driver - - -def mock_plugin(f): - @functools.wraps(f) - def inner(*args, **kwargs): - with mock.patch.object(base, 'get_plugin_class') as m: - m.return_value = MockPlugin - args = list(args) + [m] - return f(*args, **kwargs) - - return inner - - -class TestCase(utils.TestCase): - - GROUP = 'auth' - V2PASS = 'v2password' - V3TOKEN = 'v3token' - - a_int = 88 - a_float = 88.8 - a_bool = False - - TEST_VALS = {'a_int': a_int, - 'a_float': a_float, - 'a_bool': a_bool} - - def assertTestVals(self, plugin, vals=TEST_VALS): - for k, v in six.iteritems(vals): - self.assertEqual(v, plugin[k]) diff --git a/doc/ext/__init__.py b/keystoneclient/tests/functional/__init__.py similarity index 100% rename from doc/ext/__init__.py rename to keystoneclient/tests/functional/__init__.py diff --git a/keystoneclient/tests/functional/base.py b/keystoneclient/tests/functional/base.py new file mode 100644 index 000000000..76355099f --- /dev/null +++ b/keystoneclient/tests/functional/base.py @@ -0,0 +1,88 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from openstack import config as occ +import openstack.exceptions +import testtools + +from keystoneclient import client + +IDENTITY_CLIENT = 'identity' +OPENSTACK_CLOUDS = ('functional_admin', 'devstack-admin', 'envvars') + + +def get_client(version): + """Create a keystoneclient instance to run functional tests. + + The client is instantiated either based on a clouds.yaml config file or + from the environment variables. + + First, look for a 'functional_admin' cloud, as this is a cloud that the + user may have defined for functional testing with admin credentials. If + that is not found, check for the 'devstack-admin' cloud. Finally, fall + back to looking for environment variables. + + """ + for cloud in OPENSTACK_CLOUDS: + try: + cloud_config = occ.OpenStackConfig().get_one( + cloud=cloud, identity_api_version=version) + endpoint = cloud_config.get_session_endpoint(IDENTITY_CLIENT) + return client.Client( + version=version, + session=cloud_config.get_session(), + endpoint=endpoint) + except openstack.exceptions.ConfigException: + pass + + raise Exception("Could not find any cloud definition for clouds named" + " functional_admin or devstack-admin. Check your" + " clouds.yaml file or your envvars and try again.") + + +class ClientTestCase(testtools.TestCase): + + def setUp(self): + super(ClientTestCase, self).setUp() + + if not self.auth_ref.project_scoped: + raise Exception("Could not run functional tests, which are " + "run based on the scope provided for " + "authentication. Please provide a project " + "scope information.") + + @property + def client(self): + if not hasattr(self, '_client'): + self._client = get_client(self.version) + + return self._client + + @property + def auth_ref(self): + return self.client.session.auth.get_auth_ref(self.client.session) + + @property + def project_domain_id(self): + return self.auth_ref.project_domain_id + + @property + def project_id(self): + return self.client.session.get_project_id() + + @property + def user_id(self): + return self.client.session.get_user_id() + + +class V3ClientTestCase(ClientTestCase): + version = '3' diff --git a/keystoneclient/openstack/common/uuidutils.py b/keystoneclient/tests/functional/test_base.py similarity index 54% rename from keystoneclient/openstack/common/uuidutils.py rename to keystoneclient/tests/functional/test_base.py index 234b880c9..091fc77d4 100644 --- a/keystoneclient/openstack/common/uuidutils.py +++ b/keystoneclient/tests/functional/test_base.py @@ -1,6 +1,3 @@ -# Copyright (c) 2012 Intel Corporation. -# All Rights Reserved. -# # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at @@ -13,25 +10,12 @@ # License for the specific language governing permissions and limitations # under the License. -""" -UUID related utilities and helper functions. -""" - -import uuid - - -def generate_uuid(): - return str(uuid.uuid4()) - +import keystoneclient +from keystoneclient.tests.functional import base -def is_uuid_like(val): - """Returns validation of a value as a UUID. - For our purposes, a UUID is a canonical form string: - aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa +class V3ClientVersionTestCase(base.V3ClientTestCase): - """ - try: - return str(uuid.UUID(val)) == val - except (TypeError, ValueError, AttributeError): - return False + def test_version(self): + self.assertIsInstance(self.client, + keystoneclient.v3.client.Client) diff --git a/keystoneclient/contrib/bootstrap/__init__.py b/keystoneclient/tests/functional/v3/__init__.py similarity index 100% rename from keystoneclient/contrib/bootstrap/__init__.py rename to keystoneclient/tests/functional/v3/__init__.py diff --git a/keystoneclient/tests/functional/v3/client_fixtures.py b/keystoneclient/tests/functional/v3/client_fixtures.py new file mode 100644 index 000000000..edffc9b8c --- /dev/null +++ b/keystoneclient/tests/functional/v3/client_fixtures.py @@ -0,0 +1,252 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import fixtures +import uuid + + +RESOURCE_NAME_PREFIX = 'keystoneclient-functional-' + + +class Base(fixtures.Fixture): + + def __init__(self, client, domain_id=None): + super(Base, self).__init__() + + self.client = client + self.domain_id = domain_id + self.ref = None + self.entity = None + + def __getattr__(self, name): + """Return the attribute from the represented entity.""" + return getattr(self.entity, name) + + +class User(Base): + + def setUp(self): + super(User, self).setUp() + + self.ref = {'name': RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.domain_id} + self.entity = self.client.users.create(**self.ref) + self.addCleanup(self.client.users.delete, self.entity) + + +class Group(Base): + + def setUp(self): + super(Group, self).setUp() + + self.ref = {'name': RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.domain_id} + self.entity = self.client.groups.create(**self.ref) + self.addCleanup(self.client.groups.delete, self.entity) + + +class Domain(Base): + + def setUp(self): + super(Domain, self).setUp() + + self.ref = {'name': RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'enabled': True} + self.entity = self.client.domains.create(**self.ref) + + # Only disabled domains can be deleted + self.addCleanup(self.client.domains.delete, self.entity) + self.addCleanup(self.client.domains.update, self.entity, enabled=False) + + +class Project(Base): + + def __init__(self, client, domain_id=None, parent=None, tags=None): + super(Project, self).__init__(client, domain_id) + self.parent = parent + self.tags = tags if tags else [] + + def setUp(self): + super(Project, self).setUp() + + self.ref = {'name': RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.domain_id, + 'enabled': True, + 'parent': self.parent, + 'tags': self.tags} + self.entity = self.client.projects.create(**self.ref) + self.addCleanup(self.client.projects.delete, self.entity) + + +class Role(Base): + + def __init__(self, client, name=None, domain=None): + super(Role, self).__init__(client) + self.name = name or RESOURCE_NAME_PREFIX + uuid.uuid4().hex + self.domain = domain + + def setUp(self): + super(Role, self).setUp() + + self.ref = {'name': self.name, + 'domain': self.domain} + self.entity = self.client.roles.create(**self.ref) + self.addCleanup(self.client.roles.delete, self.entity) + + +class InferenceRule(Base): + + def __init__(self, client, prior_role, implied_role): + super(InferenceRule, self).__init__(client) + self.prior_role = prior_role + self.implied_role = implied_role + + def setUp(self): + super(InferenceRule, self).setUp() + + self.ref = {'prior_role': self.prior_role, + 'implied_role': self.implied_role} + self.entity = self.client.inference_rules.create(**self.ref) + self.addCleanup(self.client.inference_rules.delete, self.prior_role, + self.implied_role) + + +class Service(Base): + + def setUp(self): + super(Service, self).setUp() + + self.ref = {'name': RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'type': uuid.uuid4().hex, + 'enabled': True, + 'description': uuid.uuid4().hex} + self.entity = self.client.services.create(**self.ref) + self.addCleanup(self.client.services.delete, self.entity) + + +class Policy(Base): + + def setUp(self): + super(Policy, self).setUp() + + self.ref = {'blob': uuid.uuid4().hex, + 'type': uuid.uuid4().hex} + self.entity = self.client.policies.create(**self.ref) + self.addCleanup(self.client.policies.delete, self.entity) + + +class Region(Base): + + def __init__(self, client, parent_region=None): + super(Region, self).__init__(client) + self.parent_region = parent_region + + def setUp(self): + super(Region, self).setUp() + + self.ref = {'description': uuid.uuid4().hex, + 'parent_region': self.parent_region} + self.entity = self.client.regions.create(**self.ref) + self.addCleanup(self.client.regions.delete, self.entity) + + +class Endpoint(Base): + + def __init__(self, client, service, interface, region=None): + super(Endpoint, self).__init__(client) + self.service = service + self.interface = interface + self.region = region + + def setUp(self): + super(Endpoint, self).setUp() + + self.ref = {'service': self.service, + 'url': 'http://' + uuid.uuid4().hex, + 'enabled': True, + 'interface': self.interface, + 'region': self.region} + self.entity = self.client.endpoints.create(**self.ref) + self.addCleanup(self.client.endpoints.delete, self.entity) + + +class EndpointGroup(Base): + + def setUp(self): + super(EndpointGroup, self).setUp() + + self.ref = {'name': RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'filters': {'interface': 'public'}, + 'description': uuid.uuid4().hex} + self.entity = self.client.endpoint_groups.create(**self.ref) + self.addCleanup(self.client.endpoint_groups.delete, self.entity) + + +class Credential(Base): + + def __init__(self, client, user, type, project=None): + super(Credential, self).__init__(client) + self.user = user + self.type = type + self.project = project + + if type == 'ec2': + self.blob = ("{\"access\":\"" + uuid.uuid4().hex + + "\",\"secret\":\"secretKey\"}") + else: + self.blob = uuid.uuid4().hex + + def setUp(self): + super(Credential, self).setUp() + + self.ref = {'user': self.user, + 'type': self.type, + 'blob': self.blob, + 'project': self.project} + self.entity = self.client.credentials.create(**self.ref) + self.addCleanup(self.client.credentials.delete, self.entity) + + +class EC2(Base): + + def __init__(self, client, user_id, project_id): + super(EC2, self).__init__(client) + self.user_id = user_id + self.project_id = project_id + + def setUp(self): + super(EC2, self).setUp() + + self.ref = {'user_id': self.user_id, + 'project_id': self.project_id} + self.entity = self.client.ec2.create(**self.ref) + self.addCleanup(self.client.ec2.delete, + self.user_id, + self.entity.access) + + +class DomainConfig(Base): + + def __init__(self, client, domain_id): + super(DomainConfig, self).__init__(client, domain_id=domain_id) + self.domain_id = domain_id + + def setUp(self): + super(DomainConfig, self).setUp() + + self.ref = {'identity': {'driver': uuid.uuid4().hex}, + 'ldap': {'url': uuid.uuid4().hex}} + self.entity = self.client.domain_configs.create( + self.domain_id, self.ref) + self.addCleanup(self.client.domain_configs.delete, + self.domain_id) diff --git a/keystoneclient/tests/functional/v3/test_credentials.py b/keystoneclient/tests/functional/v3/test_credentials.py new file mode 100644 index 000000000..a5d00b1c0 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_credentials.py @@ -0,0 +1,194 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class CredentialsTestCase(base.V3ClientTestCase): + + def setUp(self): + super(CredentialsTestCase, self).setUp() + self.test_domain = fixtures.Domain(self.client) + self.useFixture(self.test_domain) + + def check_credential(self, credential, credential_ref=None): + self.assertIsNotNone(credential.id) + self.assertIn('self', credential.links) + self.assertIn('/credentials/' + credential.id, + credential.links['self']) + + if credential_ref: + self.assertEqual(credential_ref['user'], credential.user_id) + self.assertEqual(credential_ref['type'], credential.type) + self.assertEqual(credential_ref['blob'], credential.blob) + + # There is no guarantee below attributes are present in credential + if credential_ref['type'] == 'ec2' or hasattr(credential_ref, + 'project'): + self.assertEqual(credential_ref['project'], + credential.project_id) + + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(credential.user_id) + self.assertIsNotNone(credential.type) + self.assertIsNotNone(credential.blob) + if credential.type == 'ec2': + self.assertIsNotNone(credential.project_id) + + def test_create_credential_of_cert_type(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + + credential_ref = {'user': user.id, + 'type': 'cert', + 'blob': uuid.uuid4().hex} + credential = self.client.credentials.create(**credential_ref) + + self.addCleanup(self.client.credentials.delete, credential) + self.check_credential(credential, credential_ref) + + def test_create_credential_of_ec2_type(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + + # project is mandatory attribute if the credential type is ec2 + credential_ref = {'user': user.id, + 'type': 'ec2', + 'blob': ("{\"access\":\"" + uuid.uuid4().hex + + "\",\"secret\":\"secretKey\"}")} + self.assertRaises(http.BadRequest, + self.client.credentials.create, + **credential_ref) + + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + + credential_ref = {'user': user.id, + 'type': 'ec2', + 'blob': ("{\"access\":\"" + uuid.uuid4().hex + + "\",\"secret\":\"secretKey\"}"), + 'project': project.id} + credential = self.client.credentials.create(**credential_ref) + + self.addCleanup(self.client.credentials.delete, credential) + self.check_credential(credential, credential_ref) + + def test_create_credential_of_totp_type(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + + credential_ref = {'user': user.id, + 'type': 'totp', + 'blob': uuid.uuid4().hex} + credential = self.client.credentials.create(**credential_ref) + + self.addCleanup(self.client.credentials.delete, credential) + self.check_credential(credential, credential_ref) + + def test_get_credential(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + + for credential_type in ['cert', 'ec2', 'totp']: + credential = fixtures.Credential(self.client, user=user.id, + type=credential_type, + project=project.id) + self.useFixture(credential) + + credential_ret = self.client.credentials.get(credential.id) + self.check_credential(credential_ret, credential.ref) + + def test_list_credentials(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + + cert_credential = fixtures.Credential(self.client, user=user.id, + type='cert') + self.useFixture(cert_credential) + + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + ec2_credential = fixtures.Credential(self.client, user=user.id, + type='ec2', project=project.id) + self.useFixture(ec2_credential) + + totp_credential = fixtures.Credential(self.client, user=user.id, + type='totp') + self.useFixture(totp_credential) + + credentials = self.client.credentials.list() + + # All credentials are valid + for credential in credentials: + self.check_credential(credential) + + self.assertIn(cert_credential.entity, credentials) + self.assertIn(ec2_credential.entity, credentials) + self.assertIn(totp_credential.entity, credentials) + + def test_update_credential(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + + new_user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(new_user) + new_project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(new_project) + + credential = fixtures.Credential(self.client, user=user.id, + type='cert') + self.useFixture(credential) + + new_type = 'ec2' + new_blob = ("{\"access\":\"" + uuid.uuid4().hex + + "\",\"secret\":\"secretKey\"}") + + credential_ret = self.client.credentials.update(credential.id, + user=new_user.id, + type=new_type, + blob=new_blob, + project=new_project.id) + + credential.ref.update({'user': new_user.id, 'type': new_type, + 'blob': new_blob, 'project': new_project.id}) + self.check_credential(credential_ret, credential.ref) + + def test_delete_credential(self): + user = fixtures.User(self.client, self.test_domain.id) + self.useFixture(user) + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + + for credential_type in ['cert', 'ec2', 'totp']: + + if credential_type == 'ec2': + blob_value = ("{\"access\":\"" + uuid.uuid4().hex + + "\",\"secret\":\"secretKey\"}") + else: + blob_value = uuid.uuid4().hex + + credential = self.client.credentials.create(user=user.id, + type=credential_type, + blob=blob_value, + project=project.id) + self.client.credentials.delete(credential.id) + self.assertRaises(http.NotFound, + self.client.credentials.get, + credential.id) diff --git a/keystoneclient/tests/functional/v3/test_domain_configs.py b/keystoneclient/tests/functional/v3/test_domain_configs.py new file mode 100644 index 000000000..f3ca71a22 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_domain_configs.py @@ -0,0 +1,106 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class DomainConfigsTestCase(base.V3ClientTestCase): + + def setUp(self): + super(DomainConfigsTestCase, self).setUp() + self.test_domain = fixtures.Domain(self.client) + self.useFixture(self.test_domain) + + def check_domain_config(self, config, config_ref): + for attr in config_ref: + self.assertEqual( + getattr(config, attr), + config_ref[attr], + 'Expected different %s' % attr) + + def _new_ref(self): + return {'identity': {'driver': uuid.uuid4().hex}, + 'ldap': {'url': uuid.uuid4().hex}} + + def test_create_domain_config(self): + config_ref = self._new_ref() + config = self.client.domain_configs.create( + self.test_domain.id, config_ref) + self.addCleanup( + self.client.domain_configs.delete, self.test_domain.id) + self.check_domain_config(config, config_ref) + + def test_create_invalid_domain_config(self): + invalid_groups_ref = { + uuid.uuid4().hex: {uuid.uuid4().hex: uuid.uuid4().hex}, + uuid.uuid4().hex: {uuid.uuid4().hex: uuid.uuid4().hex}} + self.assertRaises(http.Forbidden, + self.client.domain_configs.create, + self.test_domain.id, + invalid_groups_ref) + + invalid_options_ref = { + 'identity': {uuid.uuid4().hex: uuid.uuid4().hex}, + 'ldap': {uuid.uuid4().hex: uuid.uuid4().hex}} + self.assertRaises(http.Forbidden, + self.client.domain_configs.create, + self.test_domain.id, + invalid_options_ref) + + def test_get_domain_config(self): + config = fixtures.DomainConfig(self.client, self.test_domain.id) + self.useFixture(config) + + config_ret = self.client.domain_configs.get(self.test_domain.id) + self.check_domain_config(config_ret, config.ref) + + def test_update_domain_config(self): + config = fixtures.DomainConfig(self.client, self.test_domain.id) + self.useFixture(config) + + update_config_ref = self._new_ref() + config_ret = self.client.domain_configs.update( + self.test_domain.id, update_config_ref) + self.check_domain_config(config_ret, update_config_ref) + + def test_update_invalid_domain_config(self): + config = fixtures.DomainConfig(self.client, self.test_domain.id) + self.useFixture(config) + + invalid_groups_ref = { + uuid.uuid4().hex: {uuid.uuid4().hex: uuid.uuid4().hex}, + uuid.uuid4().hex: {uuid.uuid4().hex: uuid.uuid4().hex}} + self.assertRaises(http.Forbidden, + self.client.domain_configs.update, + self.test_domain.id, + invalid_groups_ref) + + invalid_options_ref = { + 'identity': {uuid.uuid4().hex: uuid.uuid4().hex}, + 'ldap': {uuid.uuid4().hex: uuid.uuid4().hex}} + self.assertRaises(http.Forbidden, + self.client.domain_configs.update, + self.test_domain.id, + invalid_options_ref) + + def test_domain_config_delete(self): + config_ref = self._new_ref() + self.client.domain_configs.create(self.test_domain.id, config_ref) + + self.client.domain_configs.delete(self.test_domain.id) + self.assertRaises(http.NotFound, + self.client.domain_configs.get, + self.project_domain_id) diff --git a/keystoneclient/tests/functional/v3/test_domains.py b/keystoneclient/tests/functional/v3/test_domains.py new file mode 100644 index 000000000..cdfbdd742 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_domains.py @@ -0,0 +1,97 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class DomainsTestCase(base.V3ClientTestCase): + + def check_domain(self, domain, domain_ref=None): + self.assertIsNotNone(domain.id) + self.assertIn('self', domain.links) + self.assertIn('/domains/' + domain.id, domain.links['self']) + + if domain_ref: + self.assertEqual(domain_ref['name'], domain.name) + self.assertEqual(domain_ref['enabled'], domain.enabled) + + # There is no guarantee description is present in domain + if hasattr(domain_ref, 'description'): + self.assertEqual(domain_ref['description'], domain.description) + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(domain.name) + self.assertIsNotNone(domain.enabled) + + def test_create_domain(self): + domain_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'enabled': True} + domain = self.client.domains.create(**domain_ref) + self.check_domain(domain, domain_ref) + + # Only disabled domains can be deleted + self.addCleanup(self.client.domains.delete, domain) + self.addCleanup(self.client.domains.update, domain, enabled=False) + + def test_get_domain(self): + domain_id = self.project_domain_id + domain_ret = self.client.domains.get(domain_id) + self.check_domain(domain_ret) + + def test_list_domains(self): + domain_one = fixtures.Domain(self.client) + self.useFixture(domain_one) + + domain_two = fixtures.Domain(self.client) + self.useFixture(domain_two) + + domains = self.client.domains.list() + + # All domains are valid + for domain in domains: + self.check_domain(domain) + + self.assertIn(domain_one.entity, domains) + self.assertIn(domain_two.entity, domains) + + def test_update_domain(self): + domain = fixtures.Domain(self.client) + self.useFixture(domain) + + new_description = uuid.uuid4().hex + domain_ret = self.client.domains.update(domain.id, + description=new_description) + + domain.ref.update({'description': new_description}) + self.check_domain(domain_ret, domain.ref) + + def test_delete_domain(self): + domain = self.client.domains.create(name=uuid.uuid4().hex, + description=uuid.uuid4().hex, + enabled=True) + + # Only disabled domains can be deleted + self.assertRaises(http.Forbidden, + self.client.domains.delete, + domain.id) + + self.client.domains.update(domain, enabled=False) + self.client.domains.delete(domain.id) + self.assertRaises(http.NotFound, + self.client.domains.get, + domain.id) diff --git a/keystoneclient/tests/functional/v3/test_ec2.py b/keystoneclient/tests/functional/v3/test_ec2.py new file mode 100644 index 000000000..09703b0db --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_ec2.py @@ -0,0 +1,92 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class EC2TestCase(base.V3ClientTestCase): + + def check_ec2(self, ec2, ec2_ref=None): + self.assertIn('self', ec2.links) + self.assertIn('/users/%s/credentials/OS-EC2/%s' + % (ec2.user_id, ec2.access), ec2.links['self']) + + if ec2_ref: + self.assertEqual(ec2_ref['user_id'], ec2.user_id) + self.assertEqual(ec2_ref['project_id'], ec2.tenant_id) + + else: + self.assertIsNotNone(ec2.user_id) + self.assertIsNotNone(ec2.tenant_id) + + def test_create_ec2(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + project = fixtures.Project(self.client, self.project_domain_id) + self.useFixture(project) + + ec2_ref = {'user_id': user.id, + 'project_id': project.id} + ec2 = self.client.ec2.create(**ec2_ref) + + self.addCleanup(self.client.ec2.delete, user.id, ec2.access) + self.check_ec2(ec2, ec2_ref) + + def test_get_ec2(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + project = fixtures.Project(self.client, self.project_domain_id) + self.useFixture(project) + + ec2 = fixtures.EC2(self.client, user_id=user.id, project_id=project.id) + self.useFixture(ec2) + + ec2_ret = self.client.ec2.get(user.id, ec2.access) + self.check_ec2(ec2_ret, ec2.ref) + + def test_list_ec2(self): + user_one = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user_one) + ec2_one = fixtures.EC2(self.client, user_id=user_one.id, + project_id=self.project_domain_id) + self.useFixture(ec2_one) + + user_two = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user_two) + ec2_two = fixtures.EC2(self.client, user_id=user_two.id, + project_id=self.project_domain_id) + self.useFixture(ec2_two) + + ec2_list = self.client.ec2.list(user_one.id) + + # All ec2 are valid + for ec2 in ec2_list: + self.check_ec2(ec2) + + self.assertIn(ec2_one.entity, ec2_list) + self.assertNotIn(ec2_two.entity, ec2_list) + + def test_delete_ec2(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + project = fixtures.Project(self.client, self.project_domain_id) + self.useFixture(project) + + ec2 = self.client.ec2.create(user.id, project.id) + + self.client.ec2.delete(user.id, ec2.access) + self.assertRaises(http.NotFound, + self.client.ec2.get, + user.id, ec2.access) diff --git a/keystoneclient/tests/functional/v3/test_endpoint_filters.py b/keystoneclient/tests/functional/v3/test_endpoint_filters.py new file mode 100644 index 000000000..d8956bed2 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_endpoint_filters.py @@ -0,0 +1,86 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures +from keystoneclient.tests.functional.v3 import test_endpoint_groups +from keystoneclient.tests.functional.v3 import test_projects + + +class EndpointFiltersTestCase(base.V3ClientTestCase, + test_endpoint_groups.EndpointGroupsTestMixin, + test_projects.ProjectsTestMixin): + + def setUp(self): + super(EndpointFiltersTestCase, self).setUp() + + self.project = fixtures.Project(self.client) + self.endpoint_group = fixtures.EndpointGroup(self.client) + self.useFixture(self.project) + self.useFixture(self.endpoint_group) + + self.client.endpoint_filter.add_endpoint_group_to_project( + self.endpoint_group, self.project) + + def test_add_endpoint_group_to_project(self): + project = fixtures.Project(self.client) + endpoint_group = fixtures.EndpointGroup(self.client) + self.useFixture(project) + self.useFixture(endpoint_group) + + self.client.endpoint_filter.add_endpoint_group_to_project( + endpoint_group, project) + self.client.endpoint_filter.check_endpoint_group_in_project( + endpoint_group, project) + + def test_delete_endpoint_group_from_project(self): + self.client.endpoint_filter.delete_endpoint_group_from_project( + self.endpoint_group, self.project) + self.assertRaises( + http.NotFound, + self.client.endpoint_filter.check_endpoint_group_in_project, + self.endpoint_group, self.project) + + def test_list_endpoint_groups_for_project(self): + endpoint_group_two = fixtures.EndpointGroup(self.client) + self.useFixture(endpoint_group_two) + self.client.endpoint_filter.add_endpoint_group_to_project( + endpoint_group_two, self.project) + + endpoint_groups = ( + self.client.endpoint_filter.list_endpoint_groups_for_project( + self.project + ) + ) + + for endpoint_group in endpoint_groups: + self.check_endpoint_group(endpoint_group) + + self.assertIn(self.endpoint_group.entity, endpoint_groups) + self.assertIn(endpoint_group_two.entity, endpoint_groups) + + def test_list_projects_for_endpoint_group(self): + project_two = fixtures.Project(self.client) + self.useFixture(project_two) + self.client.endpoint_filter.add_endpoint_group_to_project( + self.endpoint_group, project_two) + + f = self.client.endpoint_filter.list_projects_for_endpoint_group + projects = f(self.endpoint_group) + + for project in projects: + self.check_project(project) + + self.assertIn(self.project.entity, projects) + self.assertIn(project_two.entity, projects) diff --git a/keystoneclient/tests/functional/v3/test_endpoint_groups.py b/keystoneclient/tests/functional/v3/test_endpoint_groups.py new file mode 100644 index 000000000..52fcf724e --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_endpoint_groups.py @@ -0,0 +1,123 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class EndpointGroupsTestMixin(object): + + def check_endpoint_group(self, endpoint_group, endpoint_group_ref=None): + self.assertIsNotNone(endpoint_group.id) + self.assertIn('self', endpoint_group.links) + self.assertIn('/endpoint_groups/' + endpoint_group.id, + endpoint_group.links['self']) + + if endpoint_group_ref: + self.assertEqual(endpoint_group_ref['name'], endpoint_group.name) + self.assertEqual(endpoint_group_ref['filters'], + endpoint_group.filters) + + # There is no guarantee description is present in endpoint groups + if hasattr(endpoint_group_ref, 'description'): + self.assertEqual(endpoint_group_ref['description'], + endpoint_group.description) + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(endpoint_group.name) + self.assertIsNotNone(endpoint_group.filters) + + +class EndpointGroupsTestCase(base.V3ClientTestCase, EndpointGroupsTestMixin): + + def test_create_endpoint_group(self): + endpoint_group_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'filters': {'interface': 'internal'}, + 'description': uuid.uuid4().hex} + endpoint_group = self.client.endpoint_groups.create( + **endpoint_group_ref) + + self.addCleanup(self.client.endpoint_groups.delete, endpoint_group) + self.check_endpoint_group(endpoint_group, endpoint_group_ref) + + def test_get_endpoint_group(self): + endpoint_group = fixtures.EndpointGroup(self.client) + self.useFixture(endpoint_group) + + endpoint_ret = self.client.endpoint_groups.get(endpoint_group.id) + self.check_endpoint_group(endpoint_ret, endpoint_group.ref) + + self.assertRaises(http.NotFound, + self.client.endpoint_groups.get, + uuid.uuid4().hex) + + def test_check_endpoint_group(self): + endpoint_group = fixtures.EndpointGroup(self.client) + self.useFixture(endpoint_group) + + self.client.endpoint_groups.check(endpoint_group.id) + self.assertRaises(http.NotFound, + self.client.endpoint_groups.check, + uuid.uuid4().hex) + + def test_list_endpoint_groups(self): + endpoint_group_one = fixtures.EndpointGroup(self.client) + self.useFixture(endpoint_group_one) + + endpoint_group_two = fixtures.EndpointGroup(self.client) + self.useFixture(endpoint_group_two) + + endpoint_groups = self.client.endpoint_groups.list() + + # All endpoints are valid + for endpoint_group in endpoint_groups: + self.check_endpoint_group(endpoint_group) + + self.assertIn(endpoint_group_one.entity, endpoint_groups) + self.assertIn(endpoint_group_two.entity, endpoint_groups) + + def test_update_endpoint_group(self): + endpoint_group = fixtures.EndpointGroup(self.client) + self.useFixture(endpoint_group) + + new_name = fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex + new_filters = {'interface': 'public'} + new_description = uuid.uuid4().hex + + endpoint_group_ret = self.client.endpoint_groups.update( + endpoint_group, + name=new_name, + filters=new_filters, + description=new_description) + + endpoint_group.ref.update({'name': new_name, 'filters': new_filters, + 'description': new_description}) + self.check_endpoint_group(endpoint_group_ret, endpoint_group.ref) + + def test_delete_endpoint_group(self): + endpoint_group = self.client.endpoint_groups.create( + name=fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + filters={'interface': 'admin'}, + description=uuid.uuid4().hex) + + self.client.endpoint_groups.delete(endpoint_group.id) + self.assertRaises(http.NotFound, + self.client.endpoint_groups.check, + endpoint_group.id) + self.assertRaises(http.NotFound, + self.client.endpoint_groups.get, + endpoint_group.id) diff --git a/keystoneclient/tests/functional/v3/test_endpoints.py b/keystoneclient/tests/functional/v3/test_endpoints.py new file mode 100644 index 000000000..c83797064 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_endpoints.py @@ -0,0 +1,141 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class EndpointsTestCase(base.V3ClientTestCase): + + def check_endpoint(self, endpoint, endpoint_ref=None): + self.assertIsNotNone(endpoint.id) + self.assertIn('self', endpoint.links) + self.assertIn('/endpoints/' + endpoint.id, endpoint.links['self']) + + if endpoint_ref: + self.assertEqual(endpoint_ref['service'], endpoint.service_id) + self.assertEqual(endpoint_ref['url'], endpoint.url) + self.assertEqual(endpoint_ref['interface'], endpoint.interface) + self.assertEqual(endpoint_ref['enabled'], endpoint.enabled) + + # There is no guarantee below attributes are present in endpoint + if hasattr(endpoint_ref, 'region'): + self.assertEqual(endpoint_ref['region'], endpoint.region) + + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(endpoint.service_id) + self.assertIsNotNone(endpoint.url) + self.assertIsNotNone(endpoint.interface) + self.assertIsNotNone(endpoint.enabled) + + def test_create_endpoint(self): + service = fixtures.Service(self.client) + self.useFixture(service) + + endpoint_ref = {'service': service.id, + 'url': 'http://' + uuid.uuid4().hex, + 'enabled': True, + 'interface': 'public'} + endpoint = self.client.endpoints.create(**endpoint_ref) + + self.addCleanup(self.client.endpoints.delete, endpoint) + self.check_endpoint(endpoint, endpoint_ref) + + def test_get_endpoint(self): + service = fixtures.Service(self.client) + self.useFixture(service) + + interfaces = ['public', 'admin', 'internal'] + for interface in interfaces: + endpoint = fixtures.Endpoint(self.client, service.id, interface) + self.useFixture(endpoint) + endpoint_ret = self.client.endpoints.get(endpoint.id) + # All endpoints are valid + self.check_endpoint(endpoint_ret, endpoint.ref) + + def test_list_endpoints(self): + service = fixtures.Service(self.client) + self.useFixture(service) + + region = fixtures.Region(self.client) + self.useFixture(region) + + endpoint_one = fixtures.Endpoint(self.client, service.id, 'public', + region=region.id) + self.useFixture(endpoint_one) + + endpoint_two = fixtures.Endpoint(self.client, service.id, 'admin', + region=region.id) + self.useFixture(endpoint_two) + + endpoint_three = fixtures.Endpoint(self.client, service.id, 'internal', + region=region.id) + self.useFixture(endpoint_three) + + endpoints = self.client.endpoints.list() + + # All endpoints are valid + for endpoint in endpoints: + self.check_endpoint(endpoint) + + self.assertIn(endpoint_one.entity, endpoints) + self.assertIn(endpoint_two.entity, endpoints) + self.assertIn(endpoint_three.entity, endpoints) + + def test_update_endpoint(self): + service = fixtures.Service(self.client) + self.useFixture(service) + + new_service = fixtures.Service(self.client) + self.useFixture(new_service) + + new_region = fixtures.Region(self.client) + self.useFixture(new_region) + + endpoint = fixtures.Endpoint(self.client, service.id, 'public') + self.useFixture(endpoint) + + new_url = 'http://' + uuid.uuid4().hex + new_interface = 'internal' + new_enabled = False + + endpoint_ret = self.client.endpoints.update(endpoint.id, + service=new_service.id, + url=new_url, + interface=new_interface, + enabled=new_enabled, + region=new_region.id) + + endpoint.ref.update({'service': new_service.id, 'url': new_url, + 'interface': new_interface, + 'enabled': new_enabled, + 'region': new_region.entity}) + self.check_endpoint(endpoint_ret, endpoint.ref) + + def test_delete_endpoint(self): + service = fixtures.Service(self.client) + self.useFixture(service) + endpoint = self.client.endpoints.create(service=service.id, + url='http://' + + uuid.uuid4().hex, + enabled=True, + interface='public') + + self.client.endpoints.delete(endpoint.id) + self.assertRaises(http.NotFound, + self.client.endpoints.get, + endpoint.id) diff --git a/keystoneclient/tests/functional/v3/test_federation.py b/keystoneclient/tests/functional/v3/test_federation.py new file mode 100644 index 000000000..da312662b --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_federation.py @@ -0,0 +1,106 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base + + +class TestIdentityProviders(base.V3ClientTestCase): + + def test_idp_create(self): + idp_id = uuid.uuid4().hex + # Create an identity provider just passing an ID + idp = self.client.federation.identity_providers.create(id=idp_id) + self.addCleanup( + self.client.federation.identity_providers.delete, idp_id) + + self.assertEqual(idp_id, idp.id) + self.assertEqual([], idp.remote_ids) + self.assertFalse(idp.enabled) + + def test_idp_create_enabled_true(self): + # Create an enabled identity provider + idp_id = uuid.uuid4().hex + idp = self.client.federation.identity_providers.create( + id=idp_id, enabled=True) + self.addCleanup( + self.client.federation.identity_providers.delete, idp_id) + + self.assertEqual(idp_id, idp.id) + self.assertEqual([], idp.remote_ids) + self.assertTrue(idp.enabled) + + def test_idp_create_with_remote_ids(self): + # Create an enabled identity provider with remote IDs + idp_id = uuid.uuid4().hex + remote_ids = [uuid.uuid4().hex, uuid.uuid4().hex] + idp = self.client.federation.identity_providers.create( + id=idp_id, enabled=True, remote_ids=remote_ids) + self.addCleanup( + self.client.federation.identity_providers.delete, idp_id) + + self.assertEqual(idp_id, idp.id) + self.assertIn(remote_ids[0], idp.remote_ids) + self.assertIn(remote_ids[1], idp.remote_ids) + self.assertTrue(idp.enabled) + + def test_idp_list(self): + idp_ids = [] + for _ in range(3): + idp_id = uuid.uuid4().hex + self.client.federation.identity_providers.create(id=idp_id) + self.addCleanup( + self.client.federation.identity_providers.delete, idp_id) + idp_ids.append(idp_id) + + idp_list = self.client.federation.identity_providers.list() + fetched_ids = [fetched_idp.id for fetched_idp in idp_list] + for idp_id in idp_ids: + self.assertIn(idp_id, fetched_ids) + + def test_idp_get(self): + idp_id = uuid.uuid4().hex + remote_ids = [uuid.uuid4().hex, uuid.uuid4().hex] + idp_create = self.client.federation.identity_providers.create( + id=idp_id, enabled=True, remote_ids=remote_ids) + self.addCleanup( + self.client.federation.identity_providers.delete, idp_id) + + idp_get = self.client.federation.identity_providers.get(idp_id) + self.assertEqual(idp_create.id, idp_get.id) + self.assertEqual(idp_create.enabled, idp_get.enabled) + self.assertIn(idp_create.remote_ids[0], idp_get.remote_ids) + self.assertIn(idp_create.remote_ids[1], idp_get.remote_ids) + + def test_idp_delete(self): + idp_id = uuid.uuid4().hex + self.client.federation.identity_providers.create(id=idp_id) + + # Get should not raise an error + self.client.federation.identity_providers.get(idp_id) + + # Delete it + self.client.federation.identity_providers.delete(idp_id) + + # Now get should raise an error + self.assertRaises( + http.NotFound, + self.client.federation.identity_providers.get, + idp_id) + + # Should not be present in the identity provider list + idp_list = self.client.federation.identity_providers.list() + fetched_ids = [fetched_idp.id for fetched_idp in idp_list] + self.assertNotIn(idp_id, fetched_ids) diff --git a/keystoneclient/tests/functional/v3/test_groups.py b/keystoneclient/tests/functional/v3/test_groups.py new file mode 100644 index 000000000..5e818ab19 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_groups.py @@ -0,0 +1,94 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class GroupsTestCase(base.V3ClientTestCase): + + def check_group(self, group, group_ref=None): + self.assertIsNotNone(group.id) + self.assertIn('self', group.links) + self.assertIn('/groups/' + group.id, group.links['self']) + + if group_ref: + self.assertEqual(group_ref['name'], group.name) + self.assertEqual(group_ref['domain'], group.domain_id) + + # There is no guarantee description is present in group + if hasattr(group_ref, 'description'): + self.assertEqual(group_ref['description'], group.description) + + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(group.name) + self.assertIsNotNone(group.domain_id) + + def test_create_group(self): + group_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.project_domain_id, + 'description': uuid.uuid4().hex} + + group = self.client.groups.create(**group_ref) + self.addCleanup(self.client.groups.delete, group) + self.check_group(group, group_ref) + + def test_get_group(self): + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group) + + group_ret = self.client.groups.get(group.id) + self.check_group(group_ret, group.ref) + + def test_list_groups(self): + group_one = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group_one) + + group_two = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group_two) + + groups = self.client.groups.list() + + # All groups are valid + for group in groups: + self.check_group(group) + + self.assertIn(group_one.entity, groups) + self.assertIn(group_two.entity, groups) + + def test_update_group(self): + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group) + + new_name = fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex + new_description = uuid.uuid4().hex + + group_ret = self.client.groups.update(group.id, + name=new_name, + description=new_description) + + group.ref.update({'name': new_name, 'description': new_description}) + self.check_group(group_ret, group.ref) + + def test_delete_group(self): + group = self.client.groups.create(name=uuid.uuid4().hex, + domain=self.project_domain_id) + + self.client.groups.delete(group.id) + self.assertRaises(http.NotFound, + self.client.groups.get, + group.id) diff --git a/keystoneclient/tests/functional/v3/test_implied_roles.py b/keystoneclient/tests/functional/v3/test_implied_roles.py new file mode 100644 index 000000000..4a8b446ea --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_implied_roles.py @@ -0,0 +1,70 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +role_defs = ["test_admin", + "test_id_manager", + "test_resource_manager", + "test_role_manager", + "test_assignment_manager", + "test_domain_manager", + "test_project_manager", + "test_catalog_manager", + "test_policy_manager", + "test_observer", + "test_domain_tech_lead", + "test_project_observer", + "test_member"] + +inference_rules = {"test_admin": "test_policy_manager", + "test_id_manager": "test_project_observer", + "test_resource_manager": "test_project_observer", + "test_role_manager": "test_project_observer", + "test_catalog_manager": "test_project_observer", + "test_policy_manager": "test_project_observer", + "test_project_observer": "test_observer", + "test_member": "test_observer"} + + +class TestImpliedRoles(base.V3ClientTestCase): + + def setUp(self): + super(TestImpliedRoles, self).setUp() + + def test_implied_roles(self): + initial_rule_count = ( + len(self.client.inference_rules.list_inference_roles())) + + self.create_roles() + self.create_rules() + rule_count = len(self.client.inference_rules.list_inference_roles()) + self.assertEqual(initial_rule_count + len(inference_rules), + rule_count) + + def role_dict(self): + roles = {role.name: role.id for role in self.client.roles.list()} + return roles + + def create_roles(self): + for role_def in role_defs: + role = fixtures.Role(self.client, name=role_def) + self.useFixture(role) + + def create_rules(self): + roles = self.role_dict() + for prior, implied in inference_rules.items(): + rule = fixtures.InferenceRule(self.client, roles[prior], + roles[implied]) + self.useFixture(rule) diff --git a/keystoneclient/tests/functional/v3/test_policies.py b/keystoneclient/tests/functional/v3/test_policies.py new file mode 100644 index 000000000..6ad0aae73 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_policies.py @@ -0,0 +1,89 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class PoliciesTestCase(base.V3ClientTestCase): + + def check_policy(self, policy, policy_ref=None): + self.assertIsNotNone(policy.id) + self.assertIn('self', policy.links) + self.assertIn('/policies/' + policy.id, policy.links['self']) + + if policy_ref: + self.assertEqual(policy_ref['blob'], policy.blob) + self.assertEqual(policy_ref['type'], policy.type) + + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(policy.blob) + self.assertIsNotNone(policy.type) + + def test_create_policy(self): + policy_ref = {'blob': uuid.uuid4().hex, + 'type': uuid.uuid4().hex} + + policy = self.client.policies.create(**policy_ref) + self.addCleanup(self.client.policies.delete, policy) + self.check_policy(policy, policy_ref) + + def test_get_policy(self): + policy = fixtures.Policy(self.client) + self.useFixture(policy) + + policy_ret = self.client.policies.get(policy.id) + self.check_policy(policy_ret, policy.ref) + + def test_list_policies(self): + policy_one = fixtures.Policy(self.client) + self.useFixture(policy_one) + + policy_two = fixtures.Policy(self.client) + self.useFixture(policy_two) + + policies = self.client.policies.list() + + # All policies are valid + for policy in policies: + self.check_policy(policy) + + self.assertIn(policy_one.entity, policies) + self.assertIn(policy_two.entity, policies) + + def test_update_policy(self): + policy = fixtures.Policy(self.client) + self.useFixture(policy) + + new_blob = uuid.uuid4().hex + new_type = uuid.uuid4().hex + + policy_ret = self.client.policies.update(policy.id, + blob=new_blob, + type=new_type) + + policy.ref.update({'blob': new_blob, 'type': new_type}) + self.check_policy(policy_ret, policy.ref) + + def test_delete_policy(self): + policy = self.client.policies.create(blob=uuid.uuid4().hex, + type=uuid.uuid4().hex) + + self.client.policies.delete(policy.id) + self.assertRaises(http.NotFound, + self.client.policies.get, + policy.id) diff --git a/keystoneclient/tests/functional/v3/test_projects.py b/keystoneclient/tests/functional/v3/test_projects.py new file mode 100644 index 000000000..a7f082db1 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_projects.py @@ -0,0 +1,469 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http +from keystoneclient import exceptions +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class ProjectsTestMixin(object): + + def check_project(self, project, project_ref=None): + self.assertIsNotNone(project.id) + self.assertIn('self', project.links) + self.assertIn('/projects/' + project.id, project.links['self']) + + if project_ref: + self.assertEqual(project_ref['name'], project.name) + self.assertEqual(project_ref['domain'], project.domain_id) + self.assertEqual(project_ref['enabled'], project.enabled) + + # There is no guarantee the attributes below are present in project + if hasattr(project_ref, 'description'): + self.assertEqual(project_ref['description'], + project.description) + if hasattr(project_ref, 'parent'): + self.assertEqual(project_ref['parent'], project.parent) + + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(project.name) + self.assertIsNotNone(project.domain_id) + self.assertIsNotNone(project.enabled) + + +class ProjectsTestCase(base.V3ClientTestCase, ProjectsTestMixin): + + def setUp(self): + super(ProjectsTestCase, self).setUp() + self.test_domain = fixtures.Domain(self.client) + self.useFixture(self.test_domain) + + self.test_project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(self.test_project) + self.special_tag = '~`!@#$%^&*()-_+=<>.? \'"' + + def test_create_subproject(self): + project_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.test_domain.id, + 'enabled': True, + 'description': uuid.uuid4().hex, + 'parent': self.test_project.id} + + project = self.client.projects.create(**project_ref) + self.addCleanup(self.client.projects.delete, project) + self.check_project(project, project_ref) + + def test_create_project(self): + project_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.test_domain.id, + 'enabled': True, + 'description': uuid.uuid4().hex} + + project = self.client.projects.create(**project_ref) + self.addCleanup(self.client.projects.delete, project) + self.check_project(project, project_ref) + + def test_get_project(self): + project_ret = self.client.projects.get(self.test_project.id) + self.check_project(project_ret, self.test_project.ref) + + def test_get_project_invalid_params(self): + self.assertRaises(exceptions.ValidationError, + self.client.projects.get, + self.test_project.id, + subtree_as_list=True, subtree_as_ids=True) + self.assertRaises(exceptions.ValidationError, + self.client.projects.get, + self.test_project.id, + parents_as_list=True, parents_as_ids=True) + + def test_get_hierarchy_as_list(self): + project = fixtures.Project(self.client, self.test_domain.id, + parent=self.test_project.id) + self.useFixture(project) + + child_project = fixtures.Project(self.client, self.test_domain.id, + parent=project.id) + self.useFixture(child_project) + + # Only parents and subprojects that the current user has role + # assingments on are returned when asked for subtree_as_list and + # parents_as_list. + role = fixtures.Role(self.client) + self.useFixture(role) + self.client.roles.grant(role.id, user=self.user_id, + project=self.test_project.id) + self.client.roles.grant(role.id, user=self.user_id, + project=project.id) + self.client.roles.grant(role.id, user=self.user_id, + project=child_project.id) + + project_ret = self.client.projects.get(project.id, + subtree_as_list=True, + parents_as_list=True) + + self.check_project(project_ret, project.ref) + self.assertCountEqual( + [{'project': self.test_project.entity.to_dict()}], + project_ret.parents) + self.assertCountEqual( + [{'project': child_project.entity.to_dict()}], + project_ret.subtree) + + def test_get_hierarchy_as_ids(self): + project = fixtures.Project(self.client, self.test_domain.id, + parent=self.test_project.id) + self.useFixture(project) + + child_project = fixtures.Project(self.client, self.test_domain.id, + parent=project.id) + self.useFixture(child_project) + + project_ret = self.client.projects.get(project.id, + subtree_as_ids=True, + parents_as_ids=True) + + self.assertCountEqual([self.test_project.id], project_ret.parents) + self.assertCountEqual([child_project.id], project_ret.subtree) + + def test_list_projects(self): + project_one = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project_one) + + project_two = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project_two) + + projects = self.client.projects.list() + + # All projects are valid + for project in projects: + self.check_project(project) + + self.assertIn(project_one.entity, projects) + self.assertIn(project_two.entity, projects) + + def test_list_subprojects(self): + parent_project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(parent_project) + + child_project_one = fixtures.Project(self.client, self.test_domain.id, + parent=parent_project.id) + self.useFixture(child_project_one) + + child_project_two = fixtures.Project(self.client, self.test_domain.id, + parent=parent_project.id) + self.useFixture(child_project_two) + + projects = self.client.projects.list(parent=parent_project.id) + + # All projects are valid + for project in projects: + self.check_project(project) + + self.assertIn(child_project_one.entity, projects) + self.assertIn(child_project_two.entity, projects) + + # Parent project should not be included in the result + self.assertNotIn(parent_project.entity, projects) + + def test_update_project(self): + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + + new_name = fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex + new_description = uuid.uuid4().hex + project_ret = self.client.projects.update(project.id, + name=new_name, + enabled=False, + description=new_description) + + project.ref.update({'name': new_name, 'enabled': False, + 'description': new_description}) + self.check_project(project_ret, project.ref) + + def test_update_project_domain_not_allowed(self): + domain = fixtures.Domain(self.client) + self.useFixture(domain) + # Cannot update domain after project is created. + self.assertRaises(http.BadRequest, + self.client.projects.update, + self.test_project.id, domain=domain.id) + + def test_delete_project(self): + project = self.client.projects.create(name=uuid.uuid4().hex, + domain=self.test_domain.id, + enabled=True) + + self.client.projects.delete(project.id) + self.assertRaises(http.NotFound, + self.client.projects.get, + project.id) + + def test_list_projects_with_tag_filters(self): + project_one = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag1']) + project_two = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag1', 'tag2']) + project_three = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag2', 'tag3']) + + self.useFixture(project_one) + self.useFixture(project_two) + self.useFixture(project_three) + + projects = self.client.projects.list(tags='tag1') + project_ids = [] + for project in projects: + project_ids.append(project.id) + self.assertIn(project_one.id, project_ids) + + projects = self.client.projects.list(tags_any='tag1') + project_ids = [] + for project in projects: + project_ids.append(project.id) + self.assertIn(project_one.id, project_ids) + self.assertIn(project_two.id, project_ids) + + projects = self.client.projects.list(not_tags='tag1') + project_ids = [] + for project in projects: + project_ids.append(project.id) + self.assertNotIn(project_one.id, project_ids) + + projects = self.client.projects.list(not_tags_any='tag1,tag2') + project_ids = [] + for project in projects: + project_ids.append(project.id) + self.assertNotIn(project_one.id, project_ids) + self.assertNotIn(project_two.id, project_ids) + self.assertNotIn(project_three.id, project_ids) + + projects = self.client.projects.list(tags='tag1,tag2') + project_ids = [] + for project in projects: + project_ids.append(project.id) + self.assertNotIn(project_one.id, project_ids) + self.assertIn(project_two.id, project_ids) + self.assertNotIn(project_three.id, project_ids) + + def test_add_tag(self): + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + + tags = self.client.projects.get(project.id).tags + self.assertEqual([], tags) + + project.add_tag('tag1') + tags = self.client.projects.get(project.id).tags + self.assertEqual(['tag1'], tags) + + # verify there is an error when you try to add the same tag + self.assertRaises(http.BadRequest, + project.add_tag, + 'tag1') + + def test_update_tags(self): + project = fixtures.Project(self.client, self.test_domain.id) + self.useFixture(project) + + tags = self.client.projects.get(project.id).tags + self.assertEqual([], tags) + + project.update_tags(['tag1', 'tag2', self.special_tag]) + tags = self.client.projects.get(project.id).tags + self.assertIn('tag1', tags) + self.assertIn('tag2', tags) + self.assertIn(self.special_tag, tags) + self.assertEqual(3, len(tags)) + + project.update_tags([]) + tags = self.client.projects.get(project.id).tags + self.assertEqual([], tags) + + # cannot have duplicate tags in update + self.assertRaises(http.BadRequest, + project.update_tags, + ['tag1', 'tag1']) + + def test_delete_tag(self): + project = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag1', self.special_tag]) + self.useFixture(project) + + project.delete_tag('tag1') + tags = self.client.projects.get(project.id).tags + self.assertEqual([self.special_tag], tags) + + project.delete_tag(self.special_tag) + tags = self.client.projects.get(project.id).tags + self.assertEqual([], tags) + + def test_delete_all_tags(self): + project_one = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag1']) + + project_two = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag1', 'tag2', self.special_tag]) + + project_three = fixtures.Project( + self.client, self.test_domain.id, + tags=[]) + + self.useFixture(project_one) + self.useFixture(project_two) + self.useFixture(project_three) + + result_one = project_one.delete_all_tags() + tags_one = self.client.projects.get(project_one.id).tags + tags_two = self.client.projects.get(project_two.id).tags + self.assertEqual([], result_one) + self.assertEqual([], tags_one) + self.assertIn('tag1', tags_two) + + result_two = project_two.delete_all_tags() + tags_two = self.client.projects.get(project_two.id).tags + self.assertEqual([], result_two) + self.assertEqual([], tags_two) + + result_three = project_three.delete_all_tags() + tags_three = self.client.projects.get(project_three.id).tags + self.assertEqual([], result_three) + self.assertEqual([], tags_three) + + def test_list_tags(self): + tags_one = ['tag1'] + project_one = fixtures.Project( + self.client, self.test_domain.id, + tags=tags_one) + + tags_two = ['tag1', 'tag2'] + project_two = fixtures.Project( + self.client, self.test_domain.id, + tags=tags_two) + + tags_three = [] + project_three = fixtures.Project( + self.client, self.test_domain.id, + tags=tags_three) + + self.useFixture(project_one) + self.useFixture(project_two) + self.useFixture(project_three) + + result_one = project_one.list_tags() + result_two = project_two.list_tags() + result_three = project_three.list_tags() + + for tag in tags_one: + self.assertIn(tag, result_one) + self.assertEqual(1, len(result_one)) + + for tag in tags_two: + self.assertIn(tag, result_two) + self.assertEqual(2, len(result_two)) + + for tag in tags_three: + self.assertIn(tag, result_three) + self.assertEqual(0, len(result_three)) + + def test_check_tag(self): + project = fixtures.Project( + self.client, self.test_domain.id, + tags=['tag1']) + self.useFixture(project) + + tags = self.client.projects.get(project.id).tags + self.assertEqual(['tag1'], tags) + self.assertTrue(project.check_tag('tag1')) + self.assertFalse(project.check_tag('tag2')) + self.assertFalse(project.check_tag(self.special_tag)) + + def test_add_invalid_tags(self): + project_one = fixtures.Project( + self.client, self.test_domain.id) + + self.useFixture(project_one) + + self.assertRaises(exceptions.BadRequest, + project_one.add_tag, + ',') + self.assertRaises(exceptions.BadRequest, + project_one.add_tag, + '/') + self.assertRaises(exceptions.BadRequest, + project_one.add_tag, + '') + + def test_update_invalid_tags(self): + tags_comma = ['tag1', ','] + tags_slash = ['tag1', '/'] + tags_blank = ['tag1', ''] + project_one = fixtures.Project( + self.client, self.test_domain.id) + + self.useFixture(project_one) + + self.assertRaises(exceptions.BadRequest, + project_one.update_tags, + tags_comma) + self.assertRaises(exceptions.BadRequest, + project_one.update_tags, + tags_slash) + self.assertRaises(exceptions.BadRequest, + project_one.update_tags, + tags_blank) + + def test_create_project_invalid_tags(self): + project_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.test_domain.id, + 'enabled': True, + 'description': uuid.uuid4().hex, + 'tags': ','} + + self.assertRaises(exceptions.BadRequest, + self.client.projects.create, + **project_ref) + + project_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.test_domain.id, + 'enabled': True, + 'description': uuid.uuid4().hex, + 'tags': '/'} + + self.assertRaises(exceptions.BadRequest, + self.client.projects.create, + **project_ref) + + project_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.test_domain.id, + 'enabled': True, + 'description': uuid.uuid4().hex, + 'tags': ''} + + self.assertRaises(exceptions.BadRequest, + self.client.projects.create, + **project_ref) diff --git a/keystoneclient/tests/functional/v3/test_regions.py b/keystoneclient/tests/functional/v3/test_regions.py new file mode 100644 index 000000000..51f93863e --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_regions.py @@ -0,0 +1,85 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class RegionsTestCase(base.V3ClientTestCase): + + def check_region(self, region, region_ref=None): + self.assertIsNotNone(region.id) + self.assertIn('self', region.links) + self.assertIn('/regions/' + region.id, region.links['self']) + + # There is no guarantee the below attributes are present in region + if hasattr(region_ref, 'description'): + self.assertEqual(region_ref['description'], region.description) + if hasattr(region_ref, 'parent_region'): + self.assertEqual( + region_ref['parent_region'], + region.parent_region) + + def test_create_region(self): + region_ref = {'description': uuid.uuid4().hex} + + region = self.client.regions.create(**region_ref) + self.addCleanup(self.client.regions.delete, region) + self.check_region(region, region_ref) + + def test_get_region(self): + region = fixtures.Region(self.client) + self.useFixture(region) + + region_ret = self.client.regions.get(region.id) + self.check_region(region_ret, region.ref) + + def test_list_regions(self): + region_one = fixtures.Region(self.client) + self.useFixture(region_one) + + region_two = fixtures.Region(self.client, parent_region=region_one.id) + self.useFixture(region_two) + + regions = self.client.regions.list() + + # All regions are valid + for region in regions: + self.check_region(region) + + self.assertIn(region_one.entity, regions) + self.assertIn(region_two.entity, regions) + + def test_update_region(self): + parent = fixtures.Region(self.client) + self.useFixture(parent) + + region = fixtures.Region(self.client) + self.useFixture(region) + + new_description = uuid.uuid4().hex + region_ret = self.client.regions.update(region.id, + description=new_description, + parent_region=parent.id) + self.check_region(region_ret, region.ref) + + def test_delete_region(self): + region = self.client.regions.create() + + self.client.regions.delete(region.id) + self.assertRaises(http.NotFound, + self.client.regions.get, + region.id) diff --git a/keystoneclient/tests/functional/v3/test_roles.py b/keystoneclient/tests/functional/v3/test_roles.py new file mode 100644 index 000000000..6dba6ffa3 --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_roles.py @@ -0,0 +1,236 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http +from keystoneclient import exceptions +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class RolesTestCase(base.V3ClientTestCase): + + def check_role(self, role, role_ref=None): + self.assertIsNotNone(role.id) + self.assertIn('self', role.links) + self.assertIn('/roles/' + role.id, role.links['self']) + + if role_ref: + self.assertEqual(role_ref['name'], role.name) + + # There is no guarantee domain is present in role + if hasattr(role_ref, 'domain'): + self.assertEqual(role_ref['domain'], role.domain_id) + + else: + # Only check remaining mandatory attribute + self.assertIsNotNone(role.name) + + def test_create_role(self): + role_ref = {'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex} + + role = self.client.roles.create(**role_ref) + self.addCleanup(self.client.roles.delete, role) + self.check_role(role, role_ref) + + def test_create_domain_role(self): + role_ref = {'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.project_domain_id} + + role = self.client.roles.create(**role_ref) + self.addCleanup(self.client.roles.delete, role) + self.check_role(role, role_ref) + + def test_get_role(self): + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + role_ret = self.client.roles.get(role.id) + self.check_role(role_ret, role.ref) + + def test_update_role_name(self): + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + new_name = fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex + role_ret = self.client.roles.update(role.id, + name=new_name) + + role.ref.update({'name': new_name}) + self.check_role(role_ret, role.ref) + + def test_update_role_domain(self): + role = fixtures.Role(self.client) + self.useFixture(role) + + domain = fixtures.Domain(self.client) + self.useFixture(domain) + new_domain = domain.id + role_ret = self.client.roles.update(role.id, + domain=new_domain) + + role.ref.update({'domain': new_domain}) + self.check_role(role_ret, role.ref) + + def test_list_roles_invalid_params(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + + # Only filter in role grants for a user on a resource. + # Domain or project should be specified. + self.assertRaises(exceptions.ValidationError, + self.client.roles.list, + user=user.id) + + # Only filter in role grants for a group on a resource. + # Domain or project should be specified. + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group) + + self.assertRaises(exceptions.ValidationError, + self.client.roles.list, + group=group.id) + + def test_list_roles(self): + global_role = fixtures.Role(self.client) + self.useFixture(global_role) + + domain = fixtures.Domain(self.client) + self.useFixture(domain) + + domain_role = fixtures.Role(self.client, domain=domain.id) + self.useFixture(domain_role) + + global_roles = self.client.roles.list() + domain_roles = self.client.roles.list(domain_id=domain.id) + roles = global_roles + domain_roles + + # All roles are valid + for role in roles: + self.check_role(role) + + self.assertIn(global_role.entity, global_roles) + self.assertIn(domain_role.entity, domain_roles) + + def test_delete_role(self): + role = self.client.roles.create(name=uuid.uuid4().hex, + domain=self.project_domain_id) + + self.client.roles.delete(role.id) + self.assertRaises(http.NotFound, + self.client.roles.get, + role.id) + + def test_grant_role_invalid_params(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + # Only grant role to a group on a resource. + # Domain or project must be specified. + self.assertRaises(exceptions.ValidationError, + self.client.roles.grant, + role.id, + user=user.id) + + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group) + + # Only grant role to a group on a resource. + # Domain or project must be specified. + self.assertRaises(exceptions.ValidationError, + self.client.roles.grant, + role.id, + group=group.id) + + def test_user_domain_grant_and_revoke(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + + domain = fixtures.Domain(self.client) + self.useFixture(domain) + + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + self.client.roles.grant(role, user=user.id, domain=domain.id) + roles_after_grant = self.client.roles.list(user=user.id, + domain=domain.id) + self.assertCountEqual(roles_after_grant, [role.entity]) + + self.client.roles.revoke(role, user=user.id, domain=domain.id) + roles_after_revoke = self.client.roles.list(user=user.id, + domain=domain.id) + self.assertEqual(roles_after_revoke, []) + + def test_user_project_grant_and_revoke(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + + project = fixtures.Project(self.client, self.project_domain_id) + self.useFixture(project) + + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + self.client.roles.grant(role, user=user.id, project=project.id) + roles_after_grant = self.client.roles.list(user=user.id, + project=project.id) + self.assertCountEqual(roles_after_grant, [role.entity]) + + self.client.roles.revoke(role, user=user.id, project=project.id) + roles_after_revoke = self.client.roles.list(user=user.id, + project=project.id) + self.assertEqual(roles_after_revoke, []) + + def test_group_domain_grant_and_revoke(self): + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group) + + domain = fixtures.Domain(self.client) + self.useFixture(domain) + + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + self.client.roles.grant(role, group=group.id, domain=domain.id) + roles_after_grant = self.client.roles.list(group=group.id, + domain=domain.id) + self.assertCountEqual(roles_after_grant, [role.entity]) + + self.client.roles.revoke(role, group=group.id, domain=domain.id) + roles_after_revoke = self.client.roles.list(group=group.id, + domain=domain.id) + self.assertEqual(roles_after_revoke, []) + + def test_group_project_grant_and_revoke(self): + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(group) + + project = fixtures.Project(self.client, self.project_domain_id) + self.useFixture(project) + + role = fixtures.Role(self.client, domain=self.project_domain_id) + self.useFixture(role) + + self.client.roles.grant(role, group=group.id, project=project.id) + roles_after_grant = self.client.roles.list(group=group.id, + project=project.id) + self.assertCountEqual(roles_after_grant, [role.entity]) + + self.client.roles.revoke(role, group=group.id, project=project.id) + roles_after_revoke = self.client.roles.list(group=group.id, + project=project.id) + self.assertEqual(roles_after_revoke, []) diff --git a/keystoneclient/tests/functional/v3/test_services.py b/keystoneclient/tests/functional/v3/test_services.py new file mode 100644 index 000000000..c17747d3e --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_services.py @@ -0,0 +1,106 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http + +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class ServicesTestCase(base.V3ClientTestCase): + + def check_service(self, service, service_ref=None): + self.assertIsNotNone(service.id) + self.assertIn('self', service.links) + self.assertIn('/services/' + service.id, service.links['self']) + + if service_ref: + self.assertEqual(service_ref['name'], service.name) + self.assertEqual(service_ref['enabled'], service.enabled) + self.assertEqual(service_ref['type'], service.type) + + # There is no guarantee description is present in service + if hasattr(service_ref, 'description'): + self.assertEqual(service_ref['description'], + service.description) + + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(service.name) + self.assertIsNotNone(service.enabled) + self.assertIsNotNone(service.type) + + def test_create_service(self): + service_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'type': uuid.uuid4().hex, + 'enabled': True, + 'description': uuid.uuid4().hex} + + service = self.client.services.create(**service_ref) + + self.addCleanup(self.client.services.delete, service) + self.check_service(service, service_ref) + + def test_get_service(self): + service = fixtures.Service(self.client) + self.useFixture(service) + + service_ret = self.client.services.get(service.id) + self.check_service(service_ret, service.ref) + + def test_list_services(self): + service_one = fixtures.Service(self.client) + self.useFixture(service_one) + + service_two = fixtures.Service(self.client) + self.useFixture(service_two) + + services = self.client.services.list() + + # All services are valid + for service in services: + self.check_service(service) + + self.assertIn(service_one.entity, services) + self.assertIn(service_two.entity, services) + + def test_update_service(self): + service = fixtures.Service(self.client) + self.useFixture(service) + + new_name = fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex + new_type = uuid.uuid4().hex + new_enabled = False + new_description = uuid.uuid4().hex + + service_ret = self.client.services.update(service.id, + name=new_name, + type=new_type, + enabled=new_enabled, + description=new_description) + + service.ref.update({'name': new_name, 'type': new_type, + 'enabled': new_enabled, + 'description': new_description}) + self.check_service(service_ret, service.ref) + + def test_delete_service(self): + service = self.client.services.create(name=uuid.uuid4().hex, + type=uuid.uuid4().hex) + + self.client.services.delete(service.id) + self.assertRaises(http.NotFound, + self.client.services.get, + service.id) diff --git a/keystoneclient/tests/functional/v3/test_users.py b/keystoneclient/tests/functional/v3/test_users.py new file mode 100644 index 000000000..780ddbacf --- /dev/null +++ b/keystoneclient/tests/functional/v3/test_users.py @@ -0,0 +1,140 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1.exceptions import http +from keystoneclient.tests.functional import base +from keystoneclient.tests.functional.v3 import client_fixtures as fixtures + + +class UsersTestCase(base.V3ClientTestCase): + + def check_user(self, user, user_ref=None): + self.assertIsNotNone(user.id) + self.assertIsNotNone(user.enabled) + self.assertIn('self', user.links) + self.assertIn('/users/' + user.id, user.links['self']) + + if user_ref: + self.assertEqual(user_ref['name'], user.name) + self.assertEqual(user_ref['domain'], user.domain_id) + # There is no guarantee the attributes below are present in user + if hasattr(user_ref, 'description'): + self.assertEqual(user_ref['description'], user.description) + if hasattr(user_ref, 'email'): + self.assertEqual(user_ref['email'], user.email) + if hasattr(user_ref, 'default_project'): + self.assertEqual(user_ref['default_project'], + user.default_project_id) + else: + # Only check remaining mandatory attributes + self.assertIsNotNone(user.name) + self.assertIsNotNone(user.domain_id) + + def test_create_user(self): + user_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.project_domain_id, + 'default_project': self.project_id, + 'password': uuid.uuid4().hex, + 'description': uuid.uuid4().hex} + + user = self.client.users.create(**user_ref) + self.addCleanup(self.client.users.delete, user) + self.check_user(user, user_ref) + + def test_get_user(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + + user_ret = self.client.users.get(user.id) + self.check_user(user_ret, user.ref) + + def test_list_users(self): + user_one = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user_one) + + user_two = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user_two) + + users = self.client.users.list() + + # All users are valid + for user in users: + self.check_user(user) + + self.assertIn(user_one.entity, users) + self.assertIn(user_two.entity, users) + + def test_list_users_with_filters(self): + suffix = uuid.uuid4().hex + user1_ref = { + 'name': 'test_user' + suffix, + 'domain': self.project_domain_id, + 'default_project': self.project_id, + 'password': uuid.uuid4().hex, + 'description': uuid.uuid4().hex} + + user2_ref = { + 'name': fixtures.RESOURCE_NAME_PREFIX + uuid.uuid4().hex, + 'domain': self.project_domain_id, + 'default_project': self.project_id, + 'password': uuid.uuid4().hex, + 'description': uuid.uuid4().hex} + + user1 = self.client.users.create(**user1_ref) + self.client.users.create(**user2_ref) + + users = self.client.users.list(name__contains=['test_user', suffix]) + self.assertEqual(1, len(users)) + self.assertIn(user1, users) + + def test_update_user(self): + user = fixtures.User(self.client, self.project_domain_id) + self.useFixture(user) + + new_description = uuid.uuid4().hex + user_ret = self.client.users.update(user.id, + description=new_description) + + user.ref.update({'description': new_description}) + self.check_user(user_ret, user.ref) + + def test_user_grouping(self): + # keystoneclient.v3.users owns user grouping operations, this is why + # this test case belongs to this class + user = fixtures.User(self.client, self.project_domain_id) + group = fixtures.Group(self.client, self.project_domain_id) + self.useFixture(user) + self.useFixture(group) + + self.assertRaises(http.NotFound, + self.client.users.check_in_group, + user.id, group.id) + + self.client.users.add_to_group(user.id, group.id) + self.client.users.check_in_group(user.id, group.id) + self.client.users.remove_from_group(user.id, group.id) + + self.assertRaises(http.NotFound, + self.client.users.check_in_group, + user.id, group.id) + + def test_delete_user(self): + user = self.client.users.create(name=uuid.uuid4().hex, + domain=self.project_domain_id) + + self.client.users.delete(user.id) + self.assertRaises(http.NotFound, + self.client.users.get, + user.id) diff --git a/keystoneclient/tests/generic/test_shell.py b/keystoneclient/tests/generic/test_shell.py deleted file mode 100644 index e30b056e8..000000000 --- a/keystoneclient/tests/generic/test_shell.py +++ /dev/null @@ -1,129 +0,0 @@ -# Copyright 2014 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import mock -from six import moves - -from keystoneclient.generic import shell -from keystoneclient.tests import utils - - -class DoDiscoverTest(utils.TestCase): - """Unit tests for do_discover function.""" - foo_version = { - 'id': 'foo_id', - 'status': 'foo_status', - 'url': 'http://foo/url', - } - bar_version = { - 'id': 'bar_id', - 'status': 'bar_status', - 'url': 'http://bar/url', - } - foo_extension = { - 'foo': 'foo_extension', - 'message': 'extension_message', - 'bar': 'bar_extension', - } - stub_message = 'This is a stub message' - - def setUp(self): - super(DoDiscoverTest, self).setUp() - - self.client_mock = mock.Mock() - self.client_mock.discover.return_value = {} - - def _execute_discover(self): - """Call do_discover function and capture output - - :return: captured output is returned - """ - with mock.patch('sys.stdout', - new_callable=moves.StringIO) as mock_stdout: - shell.do_discover(self.client_mock, args=None) - output = mock_stdout.getvalue() - return output - - def _check_version_print(self, output, version): - """Checks all api version's parameters are present in output.""" - self.assertIn(version['id'], output) - self.assertIn(version['status'], output) - self.assertIn(version['url'], output) - - def test_no_keystones(self): - # No servers configured for client, - # corresponding message should be printed - output = self._execute_discover() - self.assertIn('No Keystone-compatible endpoint found', output) - - def test_endpoint(self): - # Endpoint is configured for client, - # client's discover method should be called with that value - self.client_mock.endpoint = 'Some non-empty value' - shell.do_discover(self.client_mock, args=None) - self.client_mock.discover.assert_called_with(self.client_mock.endpoint) - - def test_auth_url(self): - # No endpoint provided for client, but there is an auth_url - # client's discover method should be called with auth_url value - self.client_mock.endpoint = False - self.client_mock.auth_url = 'Some non-empty value' - shell.do_discover(self.client_mock, args=None) - self.client_mock.discover.assert_called_with(self.client_mock.auth_url) - - def test_empty(self): - # No endpoint or auth_url is configured for client. - # client.discover() should be called without parameters - self.client_mock.endpoint = False - self.client_mock.auth_url = False - shell.do_discover(self.client_mock, args=None) - self.client_mock.discover.assert_called_with() - - def test_message(self): - # If client.discover() result contains message - it should be printed - self.client_mock.discover.return_value = {'message': self.stub_message} - output = self._execute_discover() - self.assertIn(self.stub_message, output) - - def test_versions(self): - # Every version in client.discover() result should be printed - # and client.discover_extension() should be called on its url - self.client_mock.discover.return_value = { - 'foo': self.foo_version, - 'bar': self.bar_version, - } - self.client_mock.discover_extensions.return_value = {} - output = self._execute_discover() - self._check_version_print(output, self.foo_version) - self._check_version_print(output, self.bar_version) - - discover_extension_calls = [ - mock.call(self.foo_version['url']), - mock.call(self.bar_version['url']), - ] - - self.client_mock.discover_extensions.assert_has_calls( - discover_extension_calls, - any_order=True) - - def test_extensions(self): - # Every extension's parameters should be printed - # Extension's message should be omitted - self.client_mock.discover.return_value = {'foo': self.foo_version} - self.client_mock.discover_extensions.return_value = self.foo_extension - output = self._execute_discover() - self.assertIn(self.foo_extension['foo'], output) - self.assertIn(self.foo_extension['bar'], output) - self.assertNotIn(self.foo_extension['message'], output) diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py deleted file mode 100644 index 5e1a71f7f..000000000 --- a/keystoneclient/tests/test_auth_token_middleware.py +++ /dev/null @@ -1,1911 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import calendar -import datetime -import json -import os -import shutil -import stat -import tempfile -import time -import uuid - -import fixtures -import iso8601 -import mock -from requests_mock.contrib import fixture as mock_fixture -from six.moves.urllib import parse as urlparse -import testresources -import testtools -from testtools import matchers -import webob - -from keystoneclient import access -from keystoneclient.common import cms -from keystoneclient import exceptions -from keystoneclient import fixture -from keystoneclient.middleware import auth_token -from keystoneclient.openstack.common import jsonutils -from keystoneclient.openstack.common import memorycache -from keystoneclient.openstack.common import timeutils -from keystoneclient.tests import client_fixtures -from keystoneclient.tests import utils - - -EXPECTED_V2_DEFAULT_ENV_RESPONSE = { - 'HTTP_X_IDENTITY_STATUS': 'Confirmed', - 'HTTP_X_TENANT_ID': 'tenant_id1', - 'HTTP_X_TENANT_NAME': 'tenant_name1', - 'HTTP_X_USER_ID': 'user_id1', - 'HTTP_X_USER_NAME': 'user_name1', - 'HTTP_X_ROLES': 'role1,role2', - 'HTTP_X_USER': 'user_name1', # deprecated (diablo-compat) - 'HTTP_X_TENANT': 'tenant_name1', # deprecated (diablo-compat) - 'HTTP_X_ROLE': 'role1,role2', # deprecated (diablo-compat) -} - - -BASE_HOST = 'https://keystone.example.com:1234' -BASE_URI = '%s/testadmin' % BASE_HOST -FAKE_ADMIN_TOKEN_ID = 'admin_token2' -FAKE_ADMIN_TOKEN = jsonutils.dumps( - {'access': {'token': {'id': FAKE_ADMIN_TOKEN_ID, - 'expires': '2022-10-03T16:58:01Z'}}}) - - -VERSION_LIST_v2 = jsonutils.dumps(fixture.DiscoveryList(href=BASE_URI, - v3=False)) -VERSION_LIST_v3 = jsonutils.dumps(fixture.DiscoveryList(href=BASE_URI)) - -ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2' -MEMCACHED_SERVERS = ['localhost:11211'] -MEMCACHED_AVAILABLE = None - - -def memcached_available(): - """Do a sanity check against memcached. - - Returns ``True`` if the following conditions are met (otherwise, returns - ``False``): - - - ``python-memcached`` is installed - - a usable ``memcached`` instance is available via ``MEMCACHED_SERVERS`` - - the client is able to set and get a key/value pair - - """ - global MEMCACHED_AVAILABLE - - if MEMCACHED_AVAILABLE is None: - try: - import memcache - c = memcache.Client(MEMCACHED_SERVERS) - c.set('ping', 'pong', time=1) - MEMCACHED_AVAILABLE = c.get('ping') == 'pong' - except ImportError: - MEMCACHED_AVAILABLE = False - - return MEMCACHED_AVAILABLE - - -def cleanup_revoked_file(filename): - try: - os.remove(filename) - except OSError: - pass - - -class TimezoneFixture(fixtures.Fixture): - @staticmethod - def supported(): - # tzset is only supported on Unix. - return hasattr(time, 'tzset') - - def __init__(self, new_tz): - super(TimezoneFixture, self).__init__() - self.tz = new_tz - self.old_tz = os.environ.get('TZ') - - def setUp(self): - super(TimezoneFixture, self).setUp() - if not self.supported(): - raise NotImplementedError('timezone override is not supported.') - os.environ['TZ'] = self.tz - time.tzset() - self.addCleanup(self.cleanup) - - def cleanup(self): - if self.old_tz is not None: - os.environ['TZ'] = self.old_tz - elif 'TZ' in os.environ: - del os.environ['TZ'] - time.tzset() - - -class FakeApp(object): - """This represents a WSGI app protected by the auth_token middleware.""" - - SUCCESS = b'SUCCESS' - - def __init__(self, expected_env=None): - self.expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE) - - if expected_env: - self.expected_env.update(expected_env) - - def __call__(self, env, start_response): - for k, v in self.expected_env.items(): - assert env[k] == v, '%s != %s' % (env[k], v) - - resp = webob.Response() - resp.body = FakeApp.SUCCESS - return resp(env, start_response) - - -class v3FakeApp(FakeApp): - """This represents a v3 WSGI app protected by the auth_token middleware.""" - - def __init__(self, expected_env=None): - - # with v3 additions, these are for the DEFAULT TOKEN - v3_default_env_additions = { - 'HTTP_X_PROJECT_ID': 'tenant_id1', - 'HTTP_X_PROJECT_NAME': 'tenant_name1', - 'HTTP_X_PROJECT_DOMAIN_ID': 'domain_id1', - 'HTTP_X_PROJECT_DOMAIN_NAME': 'domain_name1', - 'HTTP_X_USER_DOMAIN_ID': 'domain_id1', - 'HTTP_X_USER_DOMAIN_NAME': 'domain_name1' - } - - if expected_env: - v3_default_env_additions.update(expected_env) - - super(v3FakeApp, self).__init__(v3_default_env_additions) - - -class BaseAuthTokenMiddlewareTest(testtools.TestCase): - """Base test class for auth_token middleware. - - All the tests allow for running with auth_token - configured for receiving v2 or v3 tokens, with the - choice being made by passing configuration data into - setUp(). - - The base class will, by default, run all the tests - expecting v2 token formats. Child classes can override - this to specify, for instance, v3 format. - - """ - def setUp(self, expected_env=None, auth_version=None, fake_app=None): - testtools.TestCase.setUp(self) - - self.expected_env = expected_env or dict() - self.fake_app = fake_app or FakeApp - self.middleware = None - - self.conf = { - 'identity_uri': 'https://keystone.example.com:1234/testadmin/', - 'signing_dir': client_fixtures.CERTDIR, - 'auth_version': auth_version, - 'auth_uri': 'https://keystone.example.com:1234', - } - - self.auth_version = auth_version - self.response_status = None - self.response_headers = None - - self.requests = self.useFixture(mock_fixture.Fixture()) - - def set_middleware(self, expected_env=None, conf=None): - """Configure the class ready to call the auth_token middleware. - - Set up the various fake items needed to run the middleware. - Individual tests that need to further refine these can call this - function to override the class defaults. - - """ - if conf: - self.conf.update(conf) - - if expected_env: - self.expected_env.update(expected_env) - - self.middleware = auth_token.AuthProtocol( - self.fake_app(self.expected_env), self.conf) - self.middleware._iso8601 = iso8601 - - with tempfile.NamedTemporaryFile(dir=self.middleware.signing_dirname, - delete=False) as f: - pass - self.middleware.revoked_file_name = f.name - - self.addCleanup(cleanup_revoked_file, - self.middleware.revoked_file_name) - - self.middleware.token_revocation_list = jsonutils.dumps( - {"revoked": [], "extra": "success"}) - - def start_fake_response(self, status, headers): - self.response_status = int(status.split(' ', 1)[0]) - self.response_headers = dict(headers) - - def assertLastPath(self, path): - if path: - parts = urlparse.urlparse(self.requests.last_request.url) - self.assertEqual(path, parts.path) - else: - self.assertIsNone(self.requests.last_request) - - -class MultiStepAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def test_fetch_revocation_list_with_expire(self): - self.set_middleware() - - # Get a token, then try to retrieve revocation list and get a 401. - # Get a new token, try to retrieve revocation list and return 200. - self.requests.register_uri('POST', "%s/v2.0/tokens" % BASE_URI, - text=FAKE_ADMIN_TOKEN) - - text = self.examples.SIGNED_REVOCATION_LIST - self.requests.register_uri('GET', "%s/v2.0/tokens/revoked" % BASE_URI, - response_list=[{'status_code': 401}, - {'text': text}]) - - fetched_list = jsonutils.loads(self.middleware.fetch_revocation_list()) - self.assertEqual(fetched_list, self.examples.REVOCATION_LIST) - - # Check that 4 requests have been made - self.assertEqual(len(self.requests.request_history), 4) - - -class DiabloAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - """Auth Token middleware should understand Diablo keystone responses.""" - def setUp(self): - # pre-diablo only had Tenant ID, which was also the Name - expected_env = { - 'HTTP_X_TENANT_ID': 'tenant_id1', - 'HTTP_X_TENANT_NAME': 'tenant_id1', - # now deprecated (diablo-compat) - 'HTTP_X_TENANT': 'tenant_id1', - } - - super(DiabloAuthTokenMiddlewareTest, self).setUp( - expected_env=expected_env) - - self.requests.register_uri('GET', "%s/" % BASE_URI, - text=VERSION_LIST_v2, status_code=300) - - self.requests.register_uri('POST', "%s/v2.0/tokens" % BASE_URI, - text=FAKE_ADMIN_TOKEN) - - self.token_id = self.examples.VALID_DIABLO_TOKEN - token_response = self.examples.JSON_TOKEN_RESPONSES[self.token_id] - - url = '%s/v2.0/tokens/%s' % (BASE_URI, self.token_id) - self.requests.register_uri('GET', url, text=token_response) - - self.set_middleware() - - def test_valid_diablo_response(self): - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.token_id - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - self.assertIn('keystone.token_info', req.environ) - - -class NoMemcacheAuthToken(BaseAuthTokenMiddlewareTest): - """These tests will not have the memcache module available.""" - - def setUp(self): - super(NoMemcacheAuthToken, self).setUp() - self.useFixture(utils.DisableModuleFixture('memcache')) - - def test_nomemcache(self): - conf = { - 'admin_token': 'admin_token1', - 'auth_host': 'keystone.example.com', - 'auth_port': 1234, - 'memcached_servers': MEMCACHED_SERVERS, - 'auth_uri': 'https://keystone.example.com:1234', - } - - auth_token.AuthProtocol(FakeApp(), conf) - - -class CachePoolTest(BaseAuthTokenMiddlewareTest): - def test_use_cache_from_env(self): - """If `swift.cache` is set in the environment and `cache` is set in the - config then the env cache is used. - """ - env = {'swift.cache': 'CACHE_TEST'} - conf = { - 'cache': 'swift.cache' - } - self.set_middleware(conf=conf) - self.middleware._token_cache.initialize(env) - with self.middleware._token_cache._cache_pool.reserve() as cache: - self.assertEqual(cache, 'CACHE_TEST') - - def test_not_use_cache_from_env(self): - """If `swift.cache` is set in the environment but `cache` isn't set in - the config then the env cache isn't used. - """ - self.set_middleware() - env = {'swift.cache': 'CACHE_TEST'} - self.middleware._token_cache.initialize(env) - with self.middleware._token_cache._cache_pool.reserve() as cache: - self.assertNotEqual(cache, 'CACHE_TEST') - - def test_multiple_context_managers_share_single_client(self): - self.set_middleware() - token_cache = self.middleware._token_cache - env = {} - token_cache.initialize(env) - - caches = [] - - with token_cache._cache_pool.reserve() as cache: - caches.append(cache) - - with token_cache._cache_pool.reserve() as cache: - caches.append(cache) - - self.assertIs(caches[0], caches[1]) - self.assertEqual(set(caches), set(token_cache._cache_pool)) - - def test_nested_context_managers_create_multiple_clients(self): - self.set_middleware() - env = {} - self.middleware._token_cache.initialize(env) - token_cache = self.middleware._token_cache - - with token_cache._cache_pool.reserve() as outer_cache: - with token_cache._cache_pool.reserve() as inner_cache: - self.assertNotEqual(outer_cache, inner_cache) - - self.assertEqual( - set([inner_cache, outer_cache]), - set(token_cache._cache_pool)) - - -class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - """These tests are not affected by the token format - (see CommonAuthTokenMiddlewareTest). - """ - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def test_will_expire_soon(self): - tenseconds = datetime.datetime.utcnow() + datetime.timedelta( - seconds=10) - self.assertTrue(auth_token.will_expire_soon(tenseconds)) - fortyseconds = datetime.datetime.utcnow() + datetime.timedelta( - seconds=40) - self.assertFalse(auth_token.will_expire_soon(fortyseconds)) - - def test_token_is_v2_accepts_v2(self): - token = self.examples.UUID_TOKEN_DEFAULT - token_response = self.examples.TOKEN_RESPONSES[token] - self.assertTrue(auth_token._token_is_v2(token_response)) - - def test_token_is_v2_rejects_v3(self): - token = self.examples.v3_UUID_TOKEN_DEFAULT - token_response = self.examples.TOKEN_RESPONSES[token] - self.assertFalse(auth_token._token_is_v2(token_response)) - - def test_token_is_v3_rejects_v2(self): - token = self.examples.UUID_TOKEN_DEFAULT - token_response = self.examples.TOKEN_RESPONSES[token] - self.assertFalse(auth_token._token_is_v3(token_response)) - - def test_token_is_v3_accepts_v3(self): - token = self.examples.v3_UUID_TOKEN_DEFAULT - token_response = self.examples.TOKEN_RESPONSES[token] - self.assertTrue(auth_token._token_is_v3(token_response)) - - @testtools.skipUnless(memcached_available(), 'memcached not available') - def test_encrypt_cache_data(self): - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'encrypt', - 'memcache_secret_key': 'mysecret' - } - self.set_middleware(conf=conf) - token = b'my_token' - some_time_later = timeutils.utcnow() + datetime.timedelta(hours=4) - expires = timeutils.strtime(some_time_later) - data = ('this_data', expires) - token_cache = self.middleware._token_cache - token_cache.initialize({}) - token_cache._cache_store(token, data) - self.assertEqual(token_cache._cache_get(token), data[0]) - - @testtools.skipUnless(memcached_available(), 'memcached not available') - def test_sign_cache_data(self): - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'mac', - 'memcache_secret_key': 'mysecret' - } - self.set_middleware(conf=conf) - token = b'my_token' - some_time_later = timeutils.utcnow() + datetime.timedelta(hours=4) - expires = timeutils.strtime(some_time_later) - data = ('this_data', expires) - token_cache = self.middleware._token_cache - token_cache.initialize({}) - token_cache._cache_store(token, data) - self.assertEqual(token_cache._cache_get(token), data[0]) - - @testtools.skipUnless(memcached_available(), 'memcached not available') - def test_no_memcache_protection(self): - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_secret_key': 'mysecret' - } - self.set_middleware(conf=conf) - token = 'my_token' - some_time_later = timeutils.utcnow() + datetime.timedelta(hours=4) - expires = timeutils.strtime(some_time_later) - data = ('this_data', expires) - token_cache = self.middleware._token_cache - token_cache.initialize({}) - token_cache._cache_store(token, data) - self.assertEqual(token_cache._cache_get(token), data[0]) - - def test_assert_valid_memcache_protection_config(self): - # test missing memcache_secret_key - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'Encrypt' - } - self.assertRaises(auth_token.ConfigurationError, self.set_middleware, - conf=conf) - # test invalue memcache_security_strategy - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'whatever' - } - self.assertRaises(auth_token.ConfigurationError, self.set_middleware, - conf=conf) - # test missing memcache_secret_key - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'mac' - } - self.assertRaises(auth_token.ConfigurationError, self.set_middleware, - conf=conf) - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'Encrypt', - 'memcache_secret_key': '' - } - self.assertRaises(auth_token.ConfigurationError, self.set_middleware, - conf=conf) - conf = { - 'memcached_servers': MEMCACHED_SERVERS, - 'memcache_security_strategy': 'mAc', - 'memcache_secret_key': '' - } - self.assertRaises(auth_token.ConfigurationError, self.set_middleware, - conf=conf) - - def test_config_revocation_cache_timeout(self): - conf = { - 'revocation_cache_time': 24, - 'auth_uri': 'https://keystone.example.com:1234', - } - middleware = auth_token.AuthProtocol(self.fake_app, conf) - self.assertEqual(middleware.token_revocation_list_cache_timeout, - datetime.timedelta(seconds=24)) - - -class CommonAuthTokenMiddlewareTest(object): - """These tests are run once using v2 tokens and again using v3 tokens.""" - - def test_init_does_not_call_http(self): - conf = { - 'revocation_cache_time': 1 - } - self.set_middleware(conf=conf) - self.assertLastPath(None) - - def test_init_by_ipv6Addr_auth_host(self): - del self.conf['identity_uri'] - conf = { - 'auth_host': '2001:2013:1:f101::1', - 'auth_port': 1234, - 'auth_protocol': 'http', - 'auth_uri': None, - } - self.set_middleware(conf=conf) - expected_auth_uri = 'http://[2001:2013:1:f101::1]:1234' - self.assertEqual(expected_auth_uri, self.middleware.auth_uri) - - def assert_valid_request_200(self, token, with_catalog=True): - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = token - body = self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - if with_catalog: - self.assertTrue(req.headers.get('X-Service-Catalog')) - else: - self.assertNotIn('X-Service-Catalog', req.headers) - self.assertEqual(body, [FakeApp.SUCCESS]) - self.assertIn('keystone.token_info', req.environ) - return req - - def test_valid_uuid_request(self): - for _ in range(2): # Do it twice because first result was cached. - token = self.token_dict['uuid_token_default'] - self.assert_valid_request_200(token) - self.assert_valid_last_url(token) - - def test_valid_uuid_request_with_auth_fragments(self): - del self.conf['identity_uri'] - self.conf['auth_protocol'] = 'https' - self.conf['auth_host'] = 'keystone.example.com' - self.conf['auth_port'] = 1234 - self.conf['auth_admin_prefix'] = '/testadmin' - self.set_middleware() - self.assert_valid_request_200(self.token_dict['uuid_token_default']) - self.assert_valid_last_url(self.token_dict['uuid_token_default']) - - def _test_cache_revoked(self, token, revoked_form=None): - # When the token is cached and revoked, 401 is returned. - self.middleware.check_revocations_for_cached = True - - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = token - - # Token should be cached as ok after this. - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(200, self.response_status) - - # Put it in revocation list. - self.middleware.token_revocation_list = self.get_revocation_list_json( - token_ids=[revoked_form or token]) - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(401, self.response_status) - - def test_cached_revoked_uuid(self): - # When the UUID token is cached and revoked, 401 is returned. - self._test_cache_revoked(self.token_dict['uuid_token_default']) - - def test_valid_signed_request(self): - for _ in range(2): # Do it twice because first result was cached. - self.assert_valid_request_200( - self.token_dict['signed_token_scoped']) - # ensure that signed requests do not generate HTTP traffic - self.assertLastPath(None) - - def test_valid_signed_compressed_request(self): - self.assert_valid_request_200( - self.token_dict['signed_token_scoped_pkiz']) - # ensure that signed requests do not generate HTTP traffic - self.assertLastPath(None) - - def test_revoked_token_receives_401(self): - self.middleware.token_revocation_list = self.get_revocation_list_json() - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.token_dict['revoked_token'] - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - - def test_revoked_token_receives_401_sha256(self): - self.conf['hash_algorithms'] = ['sha256', 'md5'] - self.set_middleware() - self.middleware.token_revocation_list = ( - self.get_revocation_list_json(mode='sha256')) - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.token_dict['revoked_token'] - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - - def test_cached_revoked_pki(self): - # When the PKI token is cached and revoked, 401 is returned. - token = self.token_dict['signed_token_scoped'] - revoked_form = cms.cms_hash_token(token) - self._test_cache_revoked(token, revoked_form) - - def test_revoked_token_receives_401_md5_secondary(self): - # When hash_algorithms has 'md5' as the secondary hash and the - # revocation list contains the md5 hash for a token, that token is - # considered revoked so returns 401. - self.conf['hash_algorithms'] = ['sha256', 'md5'] - self.set_middleware() - self.middleware.token_revocation_list = self.get_revocation_list_json() - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.token_dict['revoked_token'] - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - - def test_revoked_hashed_pki_token(self): - # If hash_algorithms is set as ['sha256', 'md5'], - # and check_revocations_for_cached is True, - # and a token is in the cache because it was successfully validated - # using the md5 hash, then - # if the token is in the revocation list by md5 hash, it'll be - # rejected and auth_token returns 401. - self.conf['hash_algorithms'] = ['sha256', 'md5'] - self.conf['check_revocations_for_cached'] = True - self.set_middleware() - - token = self.token_dict['signed_token_scoped'] - - # Put the token in the revocation list. - token_hashed = cms.cms_hash_token(token) - self.middleware.token_revocation_list = self.get_revocation_list_json( - token_ids=[token_hashed]) - - # First, request is using the hashed token, is valid so goes in - # cache using the given hash. - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = token_hashed - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(200, self.response_status) - - # This time use the PKI token - req.headers['X-Auth-Token'] = token - self.middleware(req.environ, self.start_fake_response) - - # Should find the token in the cache and revocation list. - self.assertEqual(401, self.response_status) - - def get_revocation_list_json(self, token_ids=None, mode=None): - if token_ids is None: - key = 'revoked_token_hash' + (('_' + mode) if mode else '') - token_ids = [self.token_dict[key]] - revocation_list = {'revoked': [{'id': x, 'expires': timeutils.utcnow()} - for x in token_ids]} - return jsonutils.dumps(revocation_list) - - def test_is_signed_token_revoked_returns_false(self): - # explicitly setting an empty revocation list here to document intent - self.middleware.token_revocation_list = jsonutils.dumps( - {"revoked": [], "extra": "success"}) - result = self.middleware.is_signed_token_revoked( - [self.token_dict['revoked_token_hash']]) - self.assertFalse(result) - - def test_is_signed_token_revoked_returns_true(self): - self.middleware.token_revocation_list = self.get_revocation_list_json() - result = self.middleware.is_signed_token_revoked( - [self.token_dict['revoked_token_hash']]) - self.assertTrue(result) - - def test_is_signed_token_revoked_returns_true_sha256(self): - self.conf['hash_algorithms'] = ['sha256', 'md5'] - self.set_middleware() - self.middleware.token_revocation_list = ( - self.get_revocation_list_json(mode='sha256')) - result = self.middleware.is_signed_token_revoked( - [self.token_dict['revoked_token_hash_sha256']]) - self.assertTrue(result) - - def test_verify_signed_token_raises_exception_for_revoked_token(self): - self.middleware.token_revocation_list = self.get_revocation_list_json() - self.assertRaises(auth_token.InvalidUserToken, - self.middleware.verify_signed_token, - self.token_dict['revoked_token'], - [self.token_dict['revoked_token_hash']]) - - def test_verify_signed_token_raises_exception_for_revoked_token_s256(self): - self.conf['hash_algorithms'] = ['sha256', 'md5'] - self.set_middleware() - self.middleware.token_revocation_list = ( - self.get_revocation_list_json(mode='sha256')) - self.assertRaises(auth_token.InvalidUserToken, - self.middleware.verify_signed_token, - self.token_dict['revoked_token'], - [self.token_dict['revoked_token_hash_sha256'], - self.token_dict['revoked_token_hash']]) - - def test_verify_signed_token_raises_exception_for_revoked_pkiz_token(self): - self.middleware.token_revocation_list = ( - self.examples.REVOKED_TOKEN_PKIZ_LIST_JSON) - self.assertRaises(auth_token.InvalidUserToken, - self.middleware.verify_pkiz_token, - self.token_dict['revoked_token_pkiz'], - [self.token_dict['revoked_token_pkiz_hash']]) - - def assertIsValidJSON(self, text): - json.loads(text) - - def test_verify_signed_token_succeeds_for_unrevoked_token(self): - self.middleware.token_revocation_list = self.get_revocation_list_json() - text = self.middleware.verify_signed_token( - self.token_dict['signed_token_scoped'], - [self.token_dict['signed_token_scoped_hash']]) - self.assertIsValidJSON(text) - - def test_verify_signed_compressed_token_succeeds_for_unrevoked_token(self): - self.middleware.token_revocation_list = self.get_revocation_list_json() - text = self.middleware.verify_pkiz_token( - self.token_dict['signed_token_scoped_pkiz'], - [self.token_dict['signed_token_scoped_hash']]) - self.assertIsValidJSON(text) - - def test_verify_signed_token_succeeds_for_unrevoked_token_sha256(self): - self.conf['hash_algorithms'] = ['sha256', 'md5'] - self.set_middleware() - self.middleware.token_revocation_list = ( - self.get_revocation_list_json(mode='sha256')) - text = self.middleware.verify_signed_token( - self.token_dict['signed_token_scoped'], - [self.token_dict['signed_token_scoped_hash_sha256'], - self.token_dict['signed_token_scoped_hash']]) - self.assertIsValidJSON(text) - - def test_verify_signing_dir_create_while_missing(self): - tmp_name = uuid.uuid4().hex - test_parent_signing_dir = "/tmp/%s" % tmp_name - self.middleware.signing_dirname = "/tmp/%s/%s" % ((tmp_name,) * 2) - self.middleware.signing_cert_file_name = ( - "%s/test.pem" % self.middleware.signing_dirname) - self.middleware.verify_signing_dir() - # NOTE(wu_wenxiang): Verify if the signing dir was created as expected. - self.assertTrue(os.path.isdir(self.middleware.signing_dirname)) - self.assertTrue(os.access(self.middleware.signing_dirname, os.W_OK)) - self.assertEqual(os.stat(self.middleware.signing_dirname).st_uid, - os.getuid()) - self.assertEqual( - stat.S_IMODE(os.stat(self.middleware.signing_dirname).st_mode), - stat.S_IRWXU) - shutil.rmtree(test_parent_signing_dir) - - def test_get_token_revocation_list_fetched_time_returns_min(self): - self.middleware.token_revocation_list_fetched_time = None - self.middleware.revoked_file_name = '' - self.assertEqual(self.middleware.token_revocation_list_fetched_time, - datetime.datetime.min) - - def test_get_token_revocation_list_fetched_time_returns_mtime(self): - self.middleware.token_revocation_list_fetched_time = None - mtime = os.path.getmtime(self.middleware.revoked_file_name) - fetched_time = datetime.datetime.utcfromtimestamp(mtime) - self.assertEqual(fetched_time, - self.middleware.token_revocation_list_fetched_time) - - @testtools.skipUnless(TimezoneFixture.supported(), - 'TimezoneFixture not supported') - def test_get_token_revocation_list_fetched_time_returns_utc(self): - with TimezoneFixture('UTC-1'): - self.middleware.token_revocation_list = jsonutils.dumps( - self.examples.REVOCATION_LIST) - self.middleware.token_revocation_list_fetched_time = None - fetched_time = self.middleware.token_revocation_list_fetched_time - self.assertTrue(timeutils.is_soon(fetched_time, 1)) - - def test_get_token_revocation_list_fetched_time_returns_value(self): - expected = self.middleware._token_revocation_list_fetched_time - self.assertEqual(self.middleware.token_revocation_list_fetched_time, - expected) - - def test_get_revocation_list_returns_fetched_list(self): - # auth_token uses v2 to fetch this, so don't allow the v3 - # tests to override the fake http connection - self.middleware.token_revocation_list_fetched_time = None - os.remove(self.middleware.revoked_file_name) - self.assertEqual(self.middleware.token_revocation_list, - self.examples.REVOCATION_LIST) - - def test_get_revocation_list_returns_current_list_from_memory(self): - self.assertEqual(self.middleware.token_revocation_list, - self.middleware._token_revocation_list) - - def test_get_revocation_list_returns_current_list_from_disk(self): - in_memory_list = self.middleware.token_revocation_list - self.middleware._token_revocation_list = None - self.assertEqual(self.middleware.token_revocation_list, in_memory_list) - - def test_invalid_revocation_list_raises_service_error(self): - self.requests.register_uri('GET', '%s/v2.0/tokens/revoked' % BASE_URI, - text='{}') - - self.assertRaises(auth_token.ServiceError, - self.middleware.fetch_revocation_list) - - def test_fetch_revocation_list(self): - # auth_token uses v2 to fetch this, so don't allow the v3 - # tests to override the fake http connection - fetched_list = jsonutils.loads(self.middleware.fetch_revocation_list()) - self.assertEqual(fetched_list, self.examples.REVOCATION_LIST) - - def test_request_invalid_uuid_token(self): - # remember because we are testing the middleware we stub the connection - # to the keystone server, but this is not what gets returned - invalid_uri = "%s/v2.0/tokens/invalid-token" % BASE_URI - self.requests.register_uri('GET', invalid_uri, text="", - status_code=404) - - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = 'invalid-token' - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - self.assertEqual(self.response_headers['WWW-Authenticate'], - "Keystone uri='https://keystone.example.com:1234'") - - def test_request_invalid_signed_token(self): - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.examples.INVALID_SIGNED_TOKEN - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(401, self.response_status) - self.assertEqual("Keystone uri='https://keystone.example.com:1234'", - self.response_headers['WWW-Authenticate']) - - def test_request_invalid_signed_pkiz_token(self): - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.examples.INVALID_SIGNED_PKIZ_TOKEN - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(401, self.response_status) - self.assertEqual("Keystone uri='https://keystone.example.com:1234'", - self.response_headers['WWW-Authenticate']) - - def test_request_no_token(self): - req = webob.Request.blank('/') - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - self.assertEqual(self.response_headers['WWW-Authenticate'], - "Keystone uri='https://keystone.example.com:1234'") - - def test_request_no_token_log_message(self): - class FakeLog(object): - def __init__(self): - self.msg = None - self.debugmsg = None - - def warn(self, msg=None, *args, **kwargs): - self.msg = msg - - def debug(self, msg=None, *args, **kwargs): - self.debugmsg = msg - - self.middleware.LOG = FakeLog() - self.middleware.delay_auth_decision = False - self.assertRaises(auth_token.InvalidUserToken, - self.middleware._get_user_token_from_header, {}) - self.assertIsNotNone(self.middleware.LOG.msg) - self.assertIsNotNone(self.middleware.LOG.debugmsg) - - def test_request_no_token_http(self): - req = webob.Request.blank('/', environ={'REQUEST_METHOD': 'HEAD'}) - self.set_middleware() - body = self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - self.assertEqual(self.response_headers['WWW-Authenticate'], - "Keystone uri='https://keystone.example.com:1234'") - self.assertEqual(body, ['']) - - def test_request_blank_token(self): - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = '' - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - self.assertEqual(self.response_headers['WWW-Authenticate'], - "Keystone uri='https://keystone.example.com:1234'") - - def _get_cached_token(self, token, mode='md5'): - token_id = cms.cms_hash_token(token, mode=mode) - return self.middleware._token_cache._cache_get(token_id) - - def test_memcache(self): - req = webob.Request.blank('/') - token = self.token_dict['signed_token_scoped'] - req.headers['X-Auth-Token'] = token - self.middleware(req.environ, self.start_fake_response) - self.assertIsNotNone(self._get_cached_token(token)) - - def test_expired(self): - req = webob.Request.blank('/') - token = self.token_dict['signed_token_scoped_expired'] - req.headers['X-Auth-Token'] = token - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - - def test_memcache_set_invalid_uuid(self): - invalid_uri = "%s/v2.0/tokens/invalid-token" % BASE_URI - self.requests.register_uri('GET', invalid_uri, status_code=404) - - req = webob.Request.blank('/') - token = 'invalid-token' - req.headers['X-Auth-Token'] = token - self.middleware(req.environ, self.start_fake_response) - self.assertRaises(auth_token.InvalidUserToken, - self._get_cached_token, token) - - def _test_memcache_set_invalid_signed(self, hash_algorithms=None, - exp_mode='md5'): - req = webob.Request.blank('/') - token = self.token_dict['signed_token_scoped_expired'] - req.headers['X-Auth-Token'] = token - if hash_algorithms: - self.conf['hash_algorithms'] = hash_algorithms - self.set_middleware() - self.middleware(req.environ, self.start_fake_response) - self.assertRaises(auth_token.InvalidUserToken, - self._get_cached_token, token, mode=exp_mode) - - def test_memcache_set_invalid_signed(self): - self._test_memcache_set_invalid_signed() - - def test_memcache_set_invalid_signed_sha256_md5(self): - hash_algorithms = ['sha256', 'md5'] - self._test_memcache_set_invalid_signed(hash_algorithms=hash_algorithms, - exp_mode='sha256') - - def test_memcache_set_invalid_signed_sha256(self): - hash_algorithms = ['sha256'] - self._test_memcache_set_invalid_signed(hash_algorithms=hash_algorithms, - exp_mode='sha256') - - def test_memcache_set_expired(self, extra_conf={}, extra_environ={}): - token_cache_time = 10 - conf = { - 'token_cache_time': token_cache_time, - 'signing_dir': client_fixtures.CERTDIR, - } - conf.update(extra_conf) - self.set_middleware(conf=conf) - req = webob.Request.blank('/') - token = self.token_dict['signed_token_scoped'] - req.headers['X-Auth-Token'] = token - req.environ.update(extra_environ) - timeutils_utcnow = 'keystoneclient.openstack.common.timeutils.utcnow' - now = datetime.datetime.utcnow() - with mock.patch(timeutils_utcnow) as mock_utcnow: - mock_utcnow.return_value = now - self.middleware(req.environ, self.start_fake_response) - self.assertIsNotNone(self._get_cached_token(token)) - expired = now + datetime.timedelta(seconds=token_cache_time) - with mock.patch(timeutils_utcnow) as mock_utcnow: - mock_utcnow.return_value = expired - self.assertIsNone(self._get_cached_token(token)) - - def test_swift_memcache_set_expired(self): - extra_conf = {'cache': 'swift.cache'} - extra_environ = {'swift.cache': memorycache.Client()} - self.test_memcache_set_expired(extra_conf, extra_environ) - - def test_http_error_not_cached_token(self): - """Test to don't cache token as invalid on network errors. - - We use UUID tokens since they are the easiest one to reach - get_http_connection. - """ - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = ERROR_TOKEN - self.middleware.http_request_max_retries = 0 - self.middleware(req.environ, self.start_fake_response) - self.assertIsNone(self._get_cached_token(ERROR_TOKEN)) - self.assert_valid_last_url(ERROR_TOKEN) - - def test_http_request_max_retries(self): - times_retry = 10 - - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = ERROR_TOKEN - - conf = {'http_request_max_retries': times_retry} - self.set_middleware(conf=conf) - - with mock.patch('time.sleep') as mock_obj: - self.middleware(req.environ, self.start_fake_response) - - self.assertEqual(mock_obj.call_count, times_retry) - - def test_nocatalog(self): - conf = { - 'include_service_catalog': False - } - self.set_middleware(conf=conf) - self.assert_valid_request_200(self.token_dict['uuid_token_default'], - with_catalog=False) - - def assert_kerberos_bind(self, token, bind_level, - use_kerberos=True, success=True): - conf = { - 'enforce_token_bind': bind_level, - 'auth_version': self.auth_version, - } - self.set_middleware(conf=conf) - - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = token - - if use_kerberos: - if use_kerberos is True: - req.environ['REMOTE_USER'] = self.examples.KERBEROS_BIND - else: - req.environ['REMOTE_USER'] = use_kerberos - - req.environ['AUTH_TYPE'] = 'Negotiate' - - body = self.middleware(req.environ, self.start_fake_response) - - if success: - self.assertEqual(self.response_status, 200) - self.assertEqual(body, [FakeApp.SUCCESS]) - self.assertIn('keystone.token_info', req.environ) - self.assert_valid_last_url(token) - else: - self.assertEqual(self.response_status, 401) - self.assertEqual(self.response_headers['WWW-Authenticate'], - "Keystone uri='https://keystone.example.com:1234'" - ) - - def test_uuid_bind_token_disabled_with_kerb_user(self): - for use_kerberos in [True, False]: - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='disabled', - use_kerberos=use_kerberos, - success=True) - - def test_uuid_bind_token_disabled_with_incorrect_ticket(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='kerberos', - use_kerberos='ronald@MCDONALDS.COM', - success=False) - - def test_uuid_bind_token_permissive_with_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='permissive', - use_kerberos=True, - success=True) - - def test_uuid_bind_token_permissive_without_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='permissive', - use_kerberos=False, - success=False) - - def test_uuid_bind_token_permissive_with_unknown_bind(self): - token = self.token_dict['uuid_token_unknown_bind'] - - for use_kerberos in [True, False]: - self.assert_kerberos_bind(token, - bind_level='permissive', - use_kerberos=use_kerberos, - success=True) - - def test_uuid_bind_token_permissive_with_incorrect_ticket(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='kerberos', - use_kerberos='ronald@MCDONALDS.COM', - success=False) - - def test_uuid_bind_token_strict_with_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='strict', - use_kerberos=True, - success=True) - - def test_uuid_bind_token_strict_with_kerbout_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='strict', - use_kerberos=False, - success=False) - - def test_uuid_bind_token_strict_with_unknown_bind(self): - token = self.token_dict['uuid_token_unknown_bind'] - - for use_kerberos in [True, False]: - self.assert_kerberos_bind(token, - bind_level='strict', - use_kerberos=use_kerberos, - success=False) - - def test_uuid_bind_token_required_with_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='required', - use_kerberos=True, - success=True) - - def test_uuid_bind_token_required_without_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='required', - use_kerberos=False, - success=False) - - def test_uuid_bind_token_required_with_unknown_bind(self): - token = self.token_dict['uuid_token_unknown_bind'] - - for use_kerberos in [True, False]: - self.assert_kerberos_bind(token, - bind_level='required', - use_kerberos=use_kerberos, - success=False) - - def test_uuid_bind_token_required_without_bind(self): - for use_kerberos in [True, False]: - self.assert_kerberos_bind(self.token_dict['uuid_token_default'], - bind_level='required', - use_kerberos=use_kerberos, - success=False) - - def test_uuid_bind_token_named_kerberos_with_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='kerberos', - use_kerberos=True, - success=True) - - def test_uuid_bind_token_named_kerberos_without_kerb_user(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='kerberos', - use_kerberos=False, - success=False) - - def test_uuid_bind_token_named_kerberos_with_unknown_bind(self): - token = self.token_dict['uuid_token_unknown_bind'] - - for use_kerberos in [True, False]: - self.assert_kerberos_bind(token, - bind_level='kerberos', - use_kerberos=use_kerberos, - success=False) - - def test_uuid_bind_token_named_kerberos_without_bind(self): - for use_kerberos in [True, False]: - self.assert_kerberos_bind(self.token_dict['uuid_token_default'], - bind_level='kerberos', - use_kerberos=use_kerberos, - success=False) - - def test_uuid_bind_token_named_kerberos_with_incorrect_ticket(self): - self.assert_kerberos_bind(self.token_dict['uuid_token_bind'], - bind_level='kerberos', - use_kerberos='ronald@MCDONALDS.COM', - success=False) - - def test_uuid_bind_token_with_unknown_named_FOO(self): - token = self.token_dict['uuid_token_bind'] - - for use_kerberos in [True, False]: - self.assert_kerberos_bind(token, - bind_level='FOO', - use_kerberos=use_kerberos, - success=False) - - -class V2CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def __init__(self, *args, **kwargs): - super(V2CertDownloadMiddlewareTest, self).__init__(*args, **kwargs) - self.auth_version = 'v2.0' - self.fake_app = None - self.ca_path = '/v2.0/certificates/ca' - self.signing_path = '/v2.0/certificates/signing' - - def setUp(self): - super(V2CertDownloadMiddlewareTest, self).setUp( - auth_version=self.auth_version, - fake_app=self.fake_app) - self.base_dir = tempfile.mkdtemp() - self.addCleanup(shutil.rmtree, self.base_dir) - self.cert_dir = os.path.join(self.base_dir, 'certs') - os.makedirs(self.cert_dir, stat.S_IRWXU) - conf = { - 'signing_dir': self.cert_dir, - 'auth_version': self.auth_version, - } - self.set_middleware(conf=conf) - - # Usually we supply a signed_dir with pre-installed certificates, - # so invocation of /usr/bin/openssl succeeds. This time we give it - # an empty directory, so it fails. - def test_request_no_token_dummy(self): - cms._ensure_subprocess() - - self.requests.register_uri('GET', "%s%s" % (BASE_URI, self.ca_path), - status_code=404) - url = "%s%s" % (BASE_URI, self.signing_path) - self.requests.register_uri('GET', url, status_code=404) - self.assertRaises(exceptions.CertificateConfigError, - self.middleware.verify_signed_token, - self.examples.SIGNED_TOKEN_SCOPED, - [self.examples.SIGNED_TOKEN_SCOPED_HASH]) - - def test_fetch_signing_cert(self): - data = 'FAKE CERT' - url = '%s%s' % (BASE_URI, self.signing_path) - self.requests.register_uri('GET', url, text=data) - self.middleware.fetch_signing_cert() - - with open(self.middleware.signing_cert_file_name, 'r') as f: - self.assertEqual(f.read(), data) - - self.assertLastPath("/testadmin%s" % self.signing_path) - - def test_fetch_signing_ca(self): - data = 'FAKE CA' - self.requests.register_uri('GET', "%s%s" % (BASE_URI, self.ca_path), - text=data) - self.middleware.fetch_ca_cert() - - with open(self.middleware.signing_ca_file_name, 'r') as f: - self.assertEqual(f.read(), data) - - self.assertLastPath("/testadmin%s" % self.ca_path) - - def test_prefix_trailing_slash(self): - del self.conf['identity_uri'] - self.conf['auth_protocol'] = 'https' - self.conf['auth_host'] = 'keystone.example.com' - self.conf['auth_port'] = 1234 - self.conf['auth_admin_prefix'] = '/newadmin/' - - self.requests.register_uri('GET', - "%s/newadmin%s" % (BASE_HOST, self.ca_path), - text='FAKECA') - url = "%s/newadmin%s" % (BASE_HOST, self.signing_path) - self.requests.register_uri('GET', url, text='FAKECERT') - - self.set_middleware(conf=self.conf) - - self.middleware.fetch_ca_cert() - - self.assertLastPath('/newadmin%s' % self.ca_path) - - self.middleware.fetch_signing_cert() - - self.assertLastPath('/newadmin%s' % self.signing_path) - - def test_without_prefix(self): - del self.conf['identity_uri'] - self.conf['auth_protocol'] = 'https' - self.conf['auth_host'] = 'keystone.example.com' - self.conf['auth_port'] = 1234 - self.conf['auth_admin_prefix'] = '' - - self.requests.register_uri('GET', "%s%s" % (BASE_HOST, self.ca_path), - text='FAKECA') - self.requests.register_uri('GET', "%s%s" % (BASE_HOST, - self.signing_path), - text='FAKECERT') - - self.set_middleware(conf=self.conf) - - self.middleware.fetch_ca_cert() - - self.assertLastPath(self.ca_path) - - self.middleware.fetch_signing_cert() - - self.assertLastPath(self.signing_path) - - -class V3CertDownloadMiddlewareTest(V2CertDownloadMiddlewareTest): - - def __init__(self, *args, **kwargs): - super(V3CertDownloadMiddlewareTest, self).__init__(*args, **kwargs) - self.auth_version = 'v3.0' - self.fake_app = v3FakeApp - self.ca_path = '/v3/OS-SIMPLE-CERT/ca' - self.signing_path = '/v3/OS-SIMPLE-CERT/certificates' - - -def network_error_response(method, uri, headers): - raise auth_token.NetworkError("Network connection error.") - - -class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, - CommonAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - """v2 token specific tests. - - There are some differences between how the auth-token middleware handles - v2 and v3 tokens over and above the token formats, namely: - - - A v3 keystone server will auto scope a token to a user's default project - if no scope is specified. A v2 server assumes that the auth-token - middleware will do that. - - A v2 keystone server may issue a token without a catalog, even with a - tenant - - The tests below were originally part of the generic AuthTokenMiddlewareTest - class, but now, since they really are v2 specific, they are included here. - - """ - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def setUp(self): - super(v2AuthTokenMiddlewareTest, self).setUp() - - self.token_dict = { - 'uuid_token_default': self.examples.UUID_TOKEN_DEFAULT, - 'uuid_token_unscoped': self.examples.UUID_TOKEN_UNSCOPED, - 'uuid_token_bind': self.examples.UUID_TOKEN_BIND, - 'uuid_token_unknown_bind': self.examples.UUID_TOKEN_UNKNOWN_BIND, - 'signed_token_scoped': self.examples.SIGNED_TOKEN_SCOPED, - 'signed_token_scoped_pkiz': self.examples.SIGNED_TOKEN_SCOPED_PKIZ, - 'signed_token_scoped_hash': self.examples.SIGNED_TOKEN_SCOPED_HASH, - 'signed_token_scoped_hash_sha256': - self.examples.SIGNED_TOKEN_SCOPED_HASH_SHA256, - 'signed_token_scoped_expired': - self.examples.SIGNED_TOKEN_SCOPED_EXPIRED, - 'revoked_token': self.examples.REVOKED_TOKEN, - 'revoked_token_pkiz': self.examples.REVOKED_TOKEN_PKIZ, - 'revoked_token_pkiz_hash': - self.examples.REVOKED_TOKEN_PKIZ_HASH, - 'revoked_token_hash': self.examples.REVOKED_TOKEN_HASH, - 'revoked_token_hash_sha256': - self.examples.REVOKED_TOKEN_HASH_SHA256, - } - - self.requests.register_uri('GET', "%s/" % BASE_URI, - text=VERSION_LIST_v2, status_code=300) - - self.requests.register_uri('POST', "%s/v2.0/tokens" % BASE_URI, - text=FAKE_ADMIN_TOKEN) - - self.requests.register_uri('GET', "%s/v2.0/tokens/revoked" % BASE_URI, - text=self.examples.SIGNED_REVOCATION_LIST) - - for token in (self.examples.UUID_TOKEN_DEFAULT, - self.examples.UUID_TOKEN_UNSCOPED, - self.examples.UUID_TOKEN_BIND, - self.examples.UUID_TOKEN_UNKNOWN_BIND, - self.examples.UUID_TOKEN_NO_SERVICE_CATALOG, - self.examples.SIGNED_TOKEN_SCOPED_KEY,): - text = self.examples.JSON_TOKEN_RESPONSES[token] - self.requests.register_uri('GET', - '%s/v2.0/tokens/%s' % (BASE_URI, token), - text=text) - - self.requests.register_uri('GET', - '%s/v2.0/tokens/%s' % (BASE_URI, - ERROR_TOKEN), - text=network_error_response) - - self.set_middleware() - - def assert_unscoped_default_tenant_auto_scopes(self, token): - """Unscoped v2 requests with a default tenant should "auto-scope." - - The implied scope is the user's tenant ID. - - """ - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = token - body = self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - self.assertEqual(body, [FakeApp.SUCCESS]) - self.assertIn('keystone.token_info', req.environ) - - def assert_valid_last_url(self, token_id): - self.assertLastPath("/testadmin/v2.0/tokens/%s" % token_id) - - def test_default_tenant_uuid_token(self): - self.assert_unscoped_default_tenant_auto_scopes( - self.examples.UUID_TOKEN_DEFAULT) - - def test_default_tenant_signed_token(self): - self.assert_unscoped_default_tenant_auto_scopes( - self.examples.SIGNED_TOKEN_SCOPED) - - def assert_unscoped_token_receives_401(self, token): - """Unscoped requests with no default tenant ID should be rejected.""" - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = token - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 401) - self.assertEqual(self.response_headers['WWW-Authenticate'], - "Keystone uri='https://keystone.example.com:1234'") - - def test_unscoped_uuid_token_receives_401(self): - self.assert_unscoped_token_receives_401( - self.examples.UUID_TOKEN_UNSCOPED) - - def test_unscoped_pki_token_receives_401(self): - self.assert_unscoped_token_receives_401( - self.examples.SIGNED_TOKEN_UNSCOPED) - - def test_request_prevent_service_catalog_injection(self): - req = webob.Request.blank('/') - req.headers['X-Service-Catalog'] = '[]' - req.headers['X-Auth-Token'] = ( - self.examples.UUID_TOKEN_NO_SERVICE_CATALOG) - body = self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - self.assertFalse(req.headers.get('X-Service-Catalog')) - self.assertEqual(body, [FakeApp.SUCCESS]) - - -class CrossVersionAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def test_valid_uuid_request_forced_to_2_0(self): - """Test forcing auth_token to use lower api version. - - By installing the v3 http hander, auth_token will be get - a version list that looks like a v3 server - from which it - would normally chose v3.0 as the auth version. However, here - we specify v2.0 in the configuration - which should force - auth_token to use that version instead. - - """ - conf = { - 'signing_dir': client_fixtures.CERTDIR, - 'auth_version': 'v2.0' - } - - self.requests.register_uri('GET', '%s/' % BASE_URI, - text=VERSION_LIST_v3, status_code=300) - - self.requests.register_uri('POST', '%s/v2.0/tokens' % BASE_URI, - text=FAKE_ADMIN_TOKEN) - - token = self.examples.UUID_TOKEN_DEFAULT - url = '%s/v2.0/tokens/%s' % (BASE_URI, token) - response_body = self.examples.JSON_TOKEN_RESPONSES[token] - self.requests.register_uri('GET', url, text=response_body) - - self.set_middleware(conf=conf) - - # This tests will only work is auth_token has chosen to use the - # lower, v2, api version - req = webob.Request.blank('/') - req.headers['X-Auth-Token'] = self.examples.UUID_TOKEN_DEFAULT - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - self.assertLastPath("/testadmin/v2.0/tokens/%s" % - self.examples.UUID_TOKEN_DEFAULT) - - -class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, - CommonAuthTokenMiddlewareTest, - testresources.ResourcedTestCase): - """Test auth_token middleware with v3 tokens. - - Re-execute the AuthTokenMiddlewareTest class tests, but with the - auth_token middleware configured to expect v3 tokens back from - a keystone server. - - This is done by configuring the AuthTokenMiddlewareTest class via - its Setup(), passing in v3 style data that will then be used by - the tests themselves. This approach has been used to ensure we - really are running the same tests for both v2 and v3 tokens. - - There a few additional specific test for v3 only: - - - We allow an unscoped token to be validated (as unscoped), where - as for v2 tokens, the auth_token middleware is expected to try and - auto-scope it (and fail if there is no default tenant) - - Domain scoped tokens - - Since we don't specify an auth version for auth_token to use, by - definition we are thefore implicitely testing that it will use - the highest available auth version, i.e. v3.0 - - """ - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def setUp(self): - super(v3AuthTokenMiddlewareTest, self).setUp( - auth_version='v3.0', - fake_app=v3FakeApp) - - self.token_dict = { - 'uuid_token_default': self.examples.v3_UUID_TOKEN_DEFAULT, - 'uuid_token_unscoped': self.examples.v3_UUID_TOKEN_UNSCOPED, - 'uuid_token_bind': self.examples.v3_UUID_TOKEN_BIND, - 'uuid_token_unknown_bind': - self.examples.v3_UUID_TOKEN_UNKNOWN_BIND, - 'signed_token_scoped': self.examples.SIGNED_v3_TOKEN_SCOPED, - 'signed_token_scoped_pkiz': - self.examples.SIGNED_v3_TOKEN_SCOPED_PKIZ, - 'signed_token_scoped_hash': - self.examples.SIGNED_v3_TOKEN_SCOPED_HASH, - 'signed_token_scoped_hash_sha256': - self.examples.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256, - 'signed_token_scoped_expired': - self.examples.SIGNED_TOKEN_SCOPED_EXPIRED, - 'revoked_token': self.examples.REVOKED_v3_TOKEN, - 'revoked_token_pkiz': self.examples.REVOKED_v3_TOKEN_PKIZ, - 'revoked_token_hash': self.examples.REVOKED_v3_TOKEN_HASH, - 'revoked_token_hash_sha256': - self.examples.REVOKED_v3_TOKEN_HASH_SHA256, - 'revoked_token_pkiz_hash': - self.examples.REVOKED_v3_PKIZ_TOKEN_HASH, - } - - self.requests.register_uri('GET', BASE_URI, - text=VERSION_LIST_v3, status_code=300) - - # TODO(jamielennox): auth_token middleware uses a v2 admin token - # regardless of the auth_version that is set. - self.requests.register_uri('POST', '%s/v2.0/tokens' % BASE_URI, - text=FAKE_ADMIN_TOKEN) - - # TODO(jamielennox): there is no v3 revocation url yet, it uses v2 - self.requests.register_uri('GET', '%s/v2.0/tokens/revoked' % BASE_URI, - text=self.examples.SIGNED_REVOCATION_LIST) - - self.requests.register_uri('GET', '%s/v3/auth/tokens' % BASE_URI, - text=self.token_response) - - self.set_middleware() - - def token_response(self, request, context): - auth_id = request.headers.get('X-Auth-Token') - token_id = request.headers.get('X-Subject-Token') - self.assertEqual(auth_id, FAKE_ADMIN_TOKEN_ID) - - response = "" - - if token_id == ERROR_TOKEN: - raise auth_token.NetworkError("Network connection error.") - - try: - response = self.examples.JSON_TOKEN_RESPONSES[token_id] - except KeyError: - context.status_code = 404 - - return response - - def assert_valid_last_url(self, token_id): - self.assertLastPath('/testadmin/v3/auth/tokens') - - def test_valid_unscoped_uuid_request(self): - # Remove items that won't be in an unscoped token - delta_expected_env = { - 'HTTP_X_PROJECT_ID': None, - 'HTTP_X_PROJECT_NAME': None, - 'HTTP_X_PROJECT_DOMAIN_ID': None, - 'HTTP_X_PROJECT_DOMAIN_NAME': None, - 'HTTP_X_TENANT_ID': None, - 'HTTP_X_TENANT_NAME': None, - 'HTTP_X_ROLES': '', - 'HTTP_X_TENANT': None, - 'HTTP_X_ROLE': '', - } - self.set_middleware(expected_env=delta_expected_env) - self.assert_valid_request_200(self.examples.v3_UUID_TOKEN_UNSCOPED, - with_catalog=False) - self.assertLastPath('/testadmin/v3/auth/tokens') - - def test_domain_scoped_uuid_request(self): - # Modify items compared to default token for a domain scope - delta_expected_env = { - 'HTTP_X_DOMAIN_ID': 'domain_id1', - 'HTTP_X_DOMAIN_NAME': 'domain_name1', - 'HTTP_X_PROJECT_ID': None, - 'HTTP_X_PROJECT_NAME': None, - 'HTTP_X_PROJECT_DOMAIN_ID': None, - 'HTTP_X_PROJECT_DOMAIN_NAME': None, - 'HTTP_X_TENANT_ID': None, - 'HTTP_X_TENANT_NAME': None, - 'HTTP_X_TENANT': None - } - self.set_middleware(expected_env=delta_expected_env) - self.assert_valid_request_200( - self.examples.v3_UUID_TOKEN_DOMAIN_SCOPED) - self.assertLastPath('/testadmin/v3/auth/tokens') - - def test_gives_v2_catalog(self): - self.set_middleware() - req = self.assert_valid_request_200( - self.examples.SIGNED_v3_TOKEN_SCOPED) - - catalog = jsonutils.loads(req.headers['X-Service-Catalog']) - - for service in catalog: - for endpoint in service['endpoints']: - # no point checking everything, just that it's in v2 format - self.assertIn('adminURL', endpoint) - self.assertIn('publicURL', endpoint) - self.assertIn('adminURL', endpoint) - - -class TokenEncodingTest(testtools.TestCase): - def test_unquoted_token(self): - self.assertEqual('foo%20bar', auth_token.safe_quote('foo bar')) - - def test_quoted_token(self): - self.assertEqual('foo%20bar', auth_token.safe_quote('foo%20bar')) - - -class TokenExpirationTest(BaseAuthTokenMiddlewareTest): - def setUp(self): - super(TokenExpirationTest, self).setUp() - self.now = timeutils.utcnow() - self.delta = datetime.timedelta(hours=1) - self.one_hour_ago = timeutils.isotime(self.now - self.delta, - subsecond=True) - self.one_hour_earlier = timeutils.isotime(self.now + self.delta, - subsecond=True) - - def create_v2_token_fixture(self, expires=None): - v2_fixture = { - 'access': { - 'token': { - 'id': 'blah', - 'expires': expires or self.one_hour_earlier, - 'tenant': { - 'id': 'tenant_id1', - 'name': 'tenant_name1', - }, - }, - 'user': { - 'id': 'user_id1', - 'name': 'user_name1', - 'roles': [ - {'name': 'role1'}, - {'name': 'role2'}, - ], - }, - 'serviceCatalog': {} - }, - } - - return v2_fixture - - def create_v3_token_fixture(self, expires=None): - - v3_fixture = { - 'token': { - 'expires_at': expires or self.one_hour_earlier, - 'user': { - 'id': 'user_id1', - 'name': 'user_name1', - 'domain': { - 'id': 'domain_id1', - 'name': 'domain_name1' - } - }, - 'project': { - 'id': 'tenant_id1', - 'name': 'tenant_name1', - 'domain': { - 'id': 'domain_id1', - 'name': 'domain_name1' - } - }, - 'roles': [ - {'name': 'role1', 'id': 'Role1'}, - {'name': 'role2', 'id': 'Role2'}, - ], - 'catalog': {} - } - } - - return v3_fixture - - def test_no_data(self): - data = {} - self.assertRaises(auth_token.InvalidUserToken, - auth_token.confirm_token_not_expired, - data) - - def test_bad_data(self): - data = {'my_happy_token_dict': 'woo'} - self.assertRaises(auth_token.InvalidUserToken, - auth_token.confirm_token_not_expired, - data) - - def test_v2_token_not_expired(self): - data = self.create_v2_token_fixture() - expected_expires = data['access']['token']['expires'] - actual_expires = auth_token.confirm_token_not_expired(data) - self.assertEqual(actual_expires, expected_expires) - - def test_v2_token_expired(self): - data = self.create_v2_token_fixture(expires=self.one_hour_ago) - self.assertRaises(auth_token.InvalidUserToken, - auth_token.confirm_token_not_expired, - data) - - @mock.patch('keystoneclient.openstack.common.timeutils.utcnow') - def test_v2_token_with_timezone_offset_not_expired(self, mock_utcnow): - current_time = timeutils.parse_isotime('2000-01-01T00:01:10.000123Z') - current_time = timeutils.normalize_time(current_time) - mock_utcnow.return_value = current_time - data = self.create_v2_token_fixture( - expires='2000-01-01T00:05:10.000123-05:00') - expected_expires = '2000-01-01T05:05:10.000123Z' - actual_expires = auth_token.confirm_token_not_expired(data) - self.assertEqual(actual_expires, expected_expires) - - @mock.patch('keystoneclient.openstack.common.timeutils.utcnow') - def test_v2_token_with_timezone_offset_expired(self, mock_utcnow): - current_time = timeutils.parse_isotime('2000-01-01T00:01:10.000123Z') - current_time = timeutils.normalize_time(current_time) - mock_utcnow.return_value = current_time - data = self.create_v2_token_fixture( - expires='2000-01-01T00:05:10.000123+05:00') - data['access']['token']['expires'] = '2000-01-01T00:05:10.000123+05:00' - self.assertRaises(auth_token.InvalidUserToken, - auth_token.confirm_token_not_expired, - data) - - def test_v3_token_not_expired(self): - data = self.create_v3_token_fixture() - expected_expires = data['token']['expires_at'] - actual_expires = auth_token.confirm_token_not_expired(data) - self.assertEqual(actual_expires, expected_expires) - - def test_v3_token_expired(self): - data = self.create_v3_token_fixture(expires=self.one_hour_ago) - self.assertRaises(auth_token.InvalidUserToken, - auth_token.confirm_token_not_expired, - data) - - @mock.patch('keystoneclient.openstack.common.timeutils.utcnow') - def test_v3_token_with_timezone_offset_not_expired(self, mock_utcnow): - current_time = timeutils.parse_isotime('2000-01-01T00:01:10.000123Z') - current_time = timeutils.normalize_time(current_time) - mock_utcnow.return_value = current_time - data = self.create_v3_token_fixture( - expires='2000-01-01T00:05:10.000123-05:00') - expected_expires = '2000-01-01T05:05:10.000123Z' - - actual_expires = auth_token.confirm_token_not_expired(data) - self.assertEqual(actual_expires, expected_expires) - - @mock.patch('keystoneclient.openstack.common.timeutils.utcnow') - def test_v3_token_with_timezone_offset_expired(self, mock_utcnow): - current_time = timeutils.parse_isotime('2000-01-01T00:01:10.000123Z') - current_time = timeutils.normalize_time(current_time) - mock_utcnow.return_value = current_time - data = self.create_v3_token_fixture( - expires='2000-01-01T00:05:10.000123+05:00') - self.assertRaises(auth_token.InvalidUserToken, - auth_token.confirm_token_not_expired, - data) - - def test_cached_token_not_expired(self): - token = 'mytoken' - data = 'this_data' - self.set_middleware() - self.middleware._token_cache.initialize({}) - some_time_later = timeutils.strtime(at=(self.now + self.delta)) - expires = some_time_later - self.middleware._token_cache.store(token, data, expires) - self.assertEqual(self.middleware._token_cache._cache_get(token), data) - - def test_cached_token_not_expired_with_old_style_nix_timestamp(self): - """Ensure we cannot retrieve a token from the cache. - - Getting a token from the cache should return None when the token data - in the cache stores the expires time as a \*nix style timestamp. - - """ - token = 'mytoken' - data = 'this_data' - self.set_middleware() - token_cache = self.middleware._token_cache - token_cache.initialize({}) - some_time_later = self.now + self.delta - # Store a unix timestamp in the cache. - expires = calendar.timegm(some_time_later.timetuple()) - token_cache.store(token, data, expires) - self.assertIsNone(token_cache._cache_get(token)) - - def test_cached_token_expired(self): - token = 'mytoken' - data = 'this_data' - self.set_middleware() - self.middleware._token_cache.initialize({}) - some_time_earlier = timeutils.strtime(at=(self.now - self.delta)) - expires = some_time_earlier - self.middleware._token_cache.store(token, data, expires) - self.assertThat(lambda: self.middleware._token_cache._cache_get(token), - matchers.raises(auth_token.InvalidUserToken)) - - def test_cached_token_with_timezone_offset_not_expired(self): - token = 'mytoken' - data = 'this_data' - self.set_middleware() - self.middleware._token_cache.initialize({}) - timezone_offset = datetime.timedelta(hours=2) - some_time_later = self.now - timezone_offset + self.delta - expires = timeutils.strtime(some_time_later) + '-02:00' - self.middleware._token_cache.store(token, data, expires) - self.assertEqual(self.middleware._token_cache._cache_get(token), data) - - def test_cached_token_with_timezone_offset_expired(self): - token = 'mytoken' - data = 'this_data' - self.set_middleware() - self.middleware._token_cache.initialize({}) - timezone_offset = datetime.timedelta(hours=2) - some_time_earlier = self.now - timezone_offset - self.delta - expires = timeutils.strtime(some_time_earlier) + '-02:00' - self.middleware._token_cache.store(token, data, expires) - self.assertThat(lambda: self.middleware._token_cache._cache_get(token), - matchers.raises(auth_token.InvalidUserToken)) - - -class CatalogConversionTests(BaseAuthTokenMiddlewareTest): - - PUBLIC_URL = 'http://server:5000/v2.0' - ADMIN_URL = 'http://admin:35357/v2.0' - INTERNAL_URL = 'http://internal:5000/v2.0' - - REGION_ONE = 'RegionOne' - REGION_TWO = 'RegionTwo' - REGION_THREE = 'RegionThree' - - def test_basic_convert(self): - token = fixture.V3Token() - s = token.add_service(type='identity') - s.add_standard_endpoints(public=self.PUBLIC_URL, - admin=self.ADMIN_URL, - internal=self.INTERNAL_URL, - region=self.REGION_ONE) - - auth_ref = access.AccessInfo.factory(body=token) - catalog_data = auth_ref.service_catalog.get_data() - catalog = auth_token._v3_to_v2_catalog(catalog_data) - - self.assertEqual(1, len(catalog)) - service = catalog[0] - self.assertEqual(1, len(service['endpoints'])) - endpoints = service['endpoints'][0] - - self.assertEqual('identity', service['type']) - self.assertEqual(4, len(endpoints)) - self.assertEqual(self.PUBLIC_URL, endpoints['publicURL']) - self.assertEqual(self.ADMIN_URL, endpoints['adminURL']) - self.assertEqual(self.INTERNAL_URL, endpoints['internalURL']) - self.assertEqual(self.REGION_ONE, endpoints['region']) - - def test_multi_region(self): - token = fixture.V3Token() - s = token.add_service(type='identity') - - s.add_endpoint('internal', self.INTERNAL_URL, region=self.REGION_ONE) - s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO) - s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE) - - auth_ref = access.AccessInfo.factory(body=token) - catalog_data = auth_ref.service_catalog.get_data() - catalog = auth_token._v3_to_v2_catalog(catalog_data) - - self.assertEqual(1, len(catalog)) - service = catalog[0] - - # the 3 regions will come through as 3 separate endpoints - expected = [{'internalURL': self.INTERNAL_URL, - 'region': self.REGION_ONE}, - {'publicURL': self.PUBLIC_URL, - 'region': self.REGION_TWO}, - {'adminURL': self.ADMIN_URL, - 'region': self.REGION_THREE}] - - self.assertEqual('identity', service['type']) - self.assertEqual(3, len(service['endpoints'])) - for e in expected: - self.assertIn(e, expected) - - -def load_tests(loader, tests, pattern): - return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/test_base.py b/keystoneclient/tests/test_base.py deleted file mode 100644 index 023d80742..000000000 --- a/keystoneclient/tests/test_base.py +++ /dev/null @@ -1,161 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystoneclient import base -from keystoneclient.tests import utils -from keystoneclient.v2_0 import client -from keystoneclient.v2_0 import roles - - -class HumanReadable(base.Resource): - HUMAN_ID = True - - -class BaseTest(utils.TestCase): - - def test_resource_repr(self): - r = base.Resource(None, dict(foo="bar", baz="spam")) - self.assertEqual(repr(r), "") - - def test_getid(self): - self.assertEqual(base.getid(4), 4) - - class TmpObject(object): - id = 4 - self.assertEqual(base.getid(TmpObject), 4) - - def test_resource_lazy_getattr(self): - self.client = client.Client(username=self.TEST_USER, - token=self.TEST_TOKEN, - tenant_name=self.TEST_TENANT_NAME, - auth_url='http://127.0.0.1:5000', - endpoint='http://127.0.0.1:5000') - - self.client.get = self.mox.CreateMockAnything() - self.client.get('/OS-KSADM/roles/1').AndRaise(AttributeError) - self.mox.ReplayAll() - - f = roles.Role(self.client.roles, {'id': 1, 'name': 'Member'}) - self.assertEqual(f.name, 'Member') - - # Missing stuff still fails after a second get - self.assertRaises(AttributeError, getattr, f, 'blahblah') - - def test_eq(self): - # Two resources of the same type with the same id: equal - r1 = base.Resource(None, {'id': 1, 'name': 'hi'}) - r2 = base.Resource(None, {'id': 1, 'name': 'hello'}) - self.assertEqual(r1, r2) - - # Two resoruces of different types: never equal - r1 = base.Resource(None, {'id': 1}) - r2 = roles.Role(None, {'id': 1}) - self.assertNotEqual(r1, r2) - - # Two resources with no ID: equal if their info is equal - r1 = base.Resource(None, {'name': 'joe', 'age': 12}) - r2 = base.Resource(None, {'name': 'joe', 'age': 12}) - self.assertEqual(r1, r2) - - r1 = base.Resource(None, {'id': 1}) - self.assertNotEqual(r1, object()) - self.assertNotEqual(r1, {'id': 1}) - - def test_human_id(self): - r = base.Resource(None, {"name": "1 of !"}) - self.assertIsNone(r.human_id) - r = HumanReadable(None, {"name": "1 of !"}) - self.assertEqual(r.human_id, "1-of") - - -class ManagerTest(utils.TestCase): - body = {"hello": {"hi": 1}} - url = "/test-url" - - def setUp(self): - super(ManagerTest, self).setUp() - self.client = client.Client(username=self.TEST_USER, - token=self.TEST_TOKEN, - tenant_name=self.TEST_TENANT_NAME, - auth_url='http://127.0.0.1:5000', - endpoint='http://127.0.0.1:5000') - self.mgr = base.Manager(self.client) - self.mgr.resource_class = base.Resource - - def test_api(self): - self.assertEqual(self.mgr.api, self.client) - - def test_get(self): - self.client.get = self.mox.CreateMockAnything() - self.client.get(self.url).AndReturn((None, self.body)) - self.mox.ReplayAll() - - rsrc = self.mgr._get(self.url, "hello") - self.assertEqual(rsrc.hi, 1) - - def test_post(self): - self.client.post = self.mox.CreateMockAnything() - self.client.post(self.url, body=self.body).AndReturn((None, self.body)) - self.client.post(self.url, body=self.body).AndReturn((None, self.body)) - self.mox.ReplayAll() - - rsrc = self.mgr._post(self.url, self.body, "hello") - self.assertEqual(rsrc.hi, 1) - - rsrc = self.mgr._post(self.url, self.body, "hello", return_raw=True) - self.assertEqual(rsrc["hi"], 1) - - def test_put(self): - self.client.put = self.mox.CreateMockAnything() - self.client.put(self.url, body=self.body).AndReturn((None, self.body)) - self.client.put(self.url, body=self.body).AndReturn((None, self.body)) - self.mox.ReplayAll() - - rsrc = self.mgr._put(self.url, self.body, "hello") - self.assertEqual(rsrc.hi, 1) - - rsrc = self.mgr._put(self.url, self.body) - self.assertEqual(rsrc.hello["hi"], 1) - - def test_patch(self): - self.client.patch = self.mox.CreateMockAnything() - self.client.patch(self.url, body=self.body).AndReturn( - (None, self.body)) - self.client.patch(self.url, body=self.body).AndReturn( - (None, self.body)) - self.mox.ReplayAll() - - rsrc = self.mgr._patch(self.url, self.body, "hello") - self.assertEqual(rsrc.hi, 1) - - rsrc = self.mgr._patch(self.url, self.body) - self.assertEqual(rsrc.hello["hi"], 1) - - def test_update(self): - self.client.patch = self.mox.CreateMockAnything() - self.client.put = self.mox.CreateMockAnything() - self.client.patch( - self.url, body=self.body, management=False).AndReturn((None, - self.body)) - self.client.put(self.url, body=None, management=True).AndReturn( - (None, self.body)) - self.mox.ReplayAll() - - rsrc = self.mgr._update( - self.url, body=self.body, response_key="hello", method="PATCH", - management=False) - self.assertEqual(rsrc.hi, 1) - - rsrc = self.mgr._update( - self.url, body=None, response_key="hello", method="PUT", - management=True) - self.assertEqual(rsrc.hi, 1) diff --git a/keystoneclient/tests/test_memcache_crypt.py b/keystoneclient/tests/test_memcache_crypt.py deleted file mode 100644 index be07b24ea..000000000 --- a/keystoneclient/tests/test_memcache_crypt.py +++ /dev/null @@ -1,97 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import six -import testtools - -from keystoneclient.middleware import memcache_crypt - - -class MemcacheCryptPositiveTests(testtools.TestCase): - def _setup_keys(self, strategy): - return memcache_crypt.derive_keys(b'token', b'secret', strategy) - - def test_constant_time_compare(self): - # make sure it works as a compare, the "constant time" aspect - # isn't appropriate to test in unittests - ctc = memcache_crypt.constant_time_compare - self.assertTrue(ctc('abcd', 'abcd')) - self.assertTrue(ctc('', '')) - self.assertFalse(ctc('abcd', 'efgh')) - self.assertFalse(ctc('abc', 'abcd')) - self.assertFalse(ctc('abc', 'abc\x00')) - self.assertFalse(ctc('', 'abc')) - - # For Python 3, we want to test these functions with both str and bytes - # as input. - if six.PY3: - self.assertTrue(ctc(b'abcd', b'abcd')) - self.assertTrue(ctc(b'', b'')) - self.assertFalse(ctc(b'abcd', b'efgh')) - self.assertFalse(ctc(b'abc', b'abcd')) - self.assertFalse(ctc(b'abc', b'abc\x00')) - self.assertFalse(ctc(b'', b'abc')) - - def test_derive_keys(self): - keys = self._setup_keys(b'strategy') - self.assertEqual(len(keys['ENCRYPTION']), - len(keys['CACHE_KEY'])) - self.assertEqual(len(keys['CACHE_KEY']), - len(keys['MAC'])) - self.assertNotEqual(keys['ENCRYPTION'], - keys['MAC']) - self.assertIn('strategy', keys.keys()) - - def test_key_strategy_diff(self): - k1 = self._setup_keys(b'MAC') - k2 = self._setup_keys(b'ENCRYPT') - self.assertNotEqual(k1, k2) - - def test_sign_data(self): - keys = self._setup_keys(b'MAC') - sig = memcache_crypt.sign_data(keys['MAC'], b'data') - self.assertEqual(len(sig), memcache_crypt.DIGEST_LENGTH_B64) - - def test_encryption(self): - keys = self._setup_keys(b'ENCRYPT') - # what you put in is what you get out - for data in [b'data', b'1234567890123456', b'\x00\xFF' * 13 - ] + [six.int2byte(x % 256) * x for x in range(768)]: - crypt = memcache_crypt.encrypt_data(keys['ENCRYPTION'], data) - decrypt = memcache_crypt.decrypt_data(keys['ENCRYPTION'], crypt) - self.assertEqual(data, decrypt) - self.assertRaises(memcache_crypt.DecryptError, - memcache_crypt.decrypt_data, - keys['ENCRYPTION'], crypt[:-1]) - - def test_protect_wrappers(self): - data = b'My Pretty Little Data' - for strategy in [b'MAC', b'ENCRYPT']: - keys = self._setup_keys(strategy) - protected = memcache_crypt.protect_data(keys, data) - self.assertNotEqual(protected, data) - if strategy == b'ENCRYPT': - self.assertNotIn(data, protected) - unprotected = memcache_crypt.unprotect_data(keys, protected) - self.assertEqual(data, unprotected) - self.assertRaises(memcache_crypt.InvalidMacError, - memcache_crypt.unprotect_data, - keys, protected[:-1]) - self.assertIsNone(memcache_crypt.unprotect_data(keys, None)) - - def test_no_pycrypt(self): - aes = memcache_crypt.AES - memcache_crypt.AES = None - self.assertRaises(memcache_crypt.CryptoUnavailableError, - memcache_crypt.encrypt_data, 'token', 'secret', - 'data') - memcache_crypt.AES = aes diff --git a/keystoneclient/tests/test_s3_token_middleware.py b/keystoneclient/tests/test_s3_token_middleware.py deleted file mode 100644 index 0233e8b40..000000000 --- a/keystoneclient/tests/test_s3_token_middleware.py +++ /dev/null @@ -1,237 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import mock -import requests -import six -import testtools -import webob - -from keystoneclient.middleware import s3_token -from keystoneclient.openstack.common import jsonutils -from keystoneclient.tests import utils - - -GOOD_RESPONSE = {'access': {'token': {'id': 'TOKEN_ID', - 'tenant': {'id': 'TENANT_ID'}}}} - - -class FakeApp(object): - """This represents a WSGI app protected by the auth_token middleware.""" - def __call__(self, env, start_response): - resp = webob.Response() - resp.environ = env - return resp(env, start_response) - - -class S3TokenMiddlewareTestBase(utils.TestCase): - - TEST_PROTOCOL = 'https' - TEST_HOST = 'fakehost' - TEST_PORT = 35357 - TEST_URL = '%s://%s:%d/v2.0/s3tokens' % (TEST_PROTOCOL, - TEST_HOST, - TEST_PORT) - - def setUp(self): - super(S3TokenMiddlewareTestBase, self).setUp() - - self.conf = { - 'auth_host': self.TEST_HOST, - 'auth_port': self.TEST_PORT, - 'auth_protocol': self.TEST_PROTOCOL, - } - - def start_fake_response(self, status, headers): - self.response_status = int(status.split(' ', 1)[0]) - self.response_headers = dict(headers) - - -class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase): - - def setUp(self): - super(S3TokenMiddlewareTestGood, self).setUp() - self.middleware = s3_token.S3Token(FakeApp(), self.conf) - - self.requests.register_uri('POST', self.TEST_URL, - status_code=201, json=GOOD_RESPONSE) - - # Ignore the request and pass to the next middleware in the - # pipeline if no path has been specified. - def test_no_path_request(self): - req = webob.Request.blank('/') - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - - # Ignore the request and pass to the next middleware in the - # pipeline if no Authorization header has been specified - def test_without_authorization(self): - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - - def test_without_auth_storage_token(self): - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'badboy' - self.middleware(req.environ, self.start_fake_response) - self.assertEqual(self.response_status, 200) - - def test_authorized(self): - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'access:signature' - req.headers['X-Storage-Token'] = 'token' - req.get_response(self.middleware) - self.assertTrue(req.path.startswith('/v1/AUTH_TENANT_ID')) - self.assertEqual(req.headers['X-Auth-Token'], 'TOKEN_ID') - - def test_authorized_http(self): - TEST_URL = 'http://%s:%d/v2.0/s3tokens' % (self.TEST_HOST, - self.TEST_PORT) - - self.requests.register_uri('POST', TEST_URL, - status_code=201, json=GOOD_RESPONSE) - - self.middleware = ( - s3_token.filter_factory({'auth_protocol': 'http', - 'auth_host': self.TEST_HOST, - 'auth_port': self.TEST_PORT})(FakeApp())) - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'access:signature' - req.headers['X-Storage-Token'] = 'token' - req.get_response(self.middleware) - self.assertTrue(req.path.startswith('/v1/AUTH_TENANT_ID')) - self.assertEqual(req.headers['X-Auth-Token'], 'TOKEN_ID') - - def test_authorization_nova_toconnect(self): - req = webob.Request.blank('/v1/AUTH_swiftint/c/o') - req.headers['Authorization'] = 'access:FORCED_TENANT_ID:signature' - req.headers['X-Storage-Token'] = 'token' - req.get_response(self.middleware) - path = req.environ['PATH_INFO'] - self.assertTrue(path.startswith('/v1/AUTH_FORCED_TENANT_ID')) - - @mock.patch.object(requests, 'post') - def test_insecure(self, MOCK_REQUEST): - self.middleware = ( - s3_token.filter_factory({'insecure': True})(FakeApp())) - - text_return_value = jsonutils.dumps(GOOD_RESPONSE) - if six.PY3: - text_return_value = text_return_value.encode() - MOCK_REQUEST.return_value = utils.TestResponse({ - 'status_code': 201, - 'text': text_return_value}) - - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'access:signature' - req.headers['X-Storage-Token'] = 'token' - req.get_response(self.middleware) - - self.assertTrue(MOCK_REQUEST.called) - mock_args, mock_kwargs = MOCK_REQUEST.call_args - self.assertIs(mock_kwargs['verify'], False) - - -class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase): - def setUp(self): - super(S3TokenMiddlewareTestBad, self).setUp() - self.middleware = s3_token.S3Token(FakeApp(), self.conf) - - def test_unauthorized_token(self): - ret = {"error": - {"message": "EC2 access key not found.", - "code": 401, - "title": "Unauthorized"}} - self.requests.register_uri('POST', self.TEST_URL, - status_code=403, json=ret) - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'access:signature' - req.headers['X-Storage-Token'] = 'token' - resp = req.get_response(self.middleware) - s3_denied_req = self.middleware.deny_request('AccessDenied') - self.assertEqual(resp.body, s3_denied_req.body) - self.assertEqual(resp.status_int, s3_denied_req.status_int) - - def test_bogus_authorization(self): - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'badboy' - req.headers['X-Storage-Token'] = 'token' - resp = req.get_response(self.middleware) - self.assertEqual(resp.status_int, 400) - s3_invalid_req = self.middleware.deny_request('InvalidURI') - self.assertEqual(resp.body, s3_invalid_req.body) - self.assertEqual(resp.status_int, s3_invalid_req.status_int) - - def test_fail_to_connect_to_keystone(self): - with mock.patch.object(self.middleware, '_json_request') as o: - s3_invalid_req = self.middleware.deny_request('InvalidURI') - o.side_effect = s3_token.ServiceError(s3_invalid_req) - - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'access:signature' - req.headers['X-Storage-Token'] = 'token' - resp = req.get_response(self.middleware) - self.assertEqual(resp.body, s3_invalid_req.body) - self.assertEqual(resp.status_int, s3_invalid_req.status_int) - - def test_bad_reply(self): - self.requests.register_uri('POST', self.TEST_URL, - status_code=201, text="") - - req = webob.Request.blank('/v1/AUTH_cfa/c/o') - req.headers['Authorization'] = 'access:signature' - req.headers['X-Storage-Token'] = 'token' - resp = req.get_response(self.middleware) - s3_invalid_req = self.middleware.deny_request('InvalidURI') - self.assertEqual(resp.body, s3_invalid_req.body) - self.assertEqual(resp.status_int, s3_invalid_req.status_int) - - -class S3TokenMiddlewareTestUtil(testtools.TestCase): - def test_split_path_failed(self): - self.assertRaises(ValueError, s3_token.split_path, '') - self.assertRaises(ValueError, s3_token.split_path, '/') - self.assertRaises(ValueError, s3_token.split_path, '//') - self.assertRaises(ValueError, s3_token.split_path, '//a') - self.assertRaises(ValueError, s3_token.split_path, '/a/c') - self.assertRaises(ValueError, s3_token.split_path, '//c') - self.assertRaises(ValueError, s3_token.split_path, '/a/c/') - self.assertRaises(ValueError, s3_token.split_path, '/a//') - self.assertRaises(ValueError, s3_token.split_path, '/a', 2) - self.assertRaises(ValueError, s3_token.split_path, '/a', 2, 3) - self.assertRaises(ValueError, s3_token.split_path, '/a', 2, 3, True) - self.assertRaises(ValueError, s3_token.split_path, '/a/c/o/r', 3, 3) - self.assertRaises(ValueError, s3_token.split_path, '/a', 5, 4) - - def test_split_path_success(self): - self.assertEqual(s3_token.split_path('/a'), ['a']) - self.assertEqual(s3_token.split_path('/a/'), ['a']) - self.assertEqual(s3_token.split_path('/a/c', 2), ['a', 'c']) - self.assertEqual(s3_token.split_path('/a/c/o', 3), ['a', 'c', 'o']) - self.assertEqual(s3_token.split_path('/a/c/o/r', 3, 3, True), - ['a', 'c', 'o/r']) - self.assertEqual(s3_token.split_path('/a/c', 2, 3, True), - ['a', 'c', None]) - self.assertEqual(s3_token.split_path('/a/c/', 2), ['a', 'c']) - self.assertEqual(s3_token.split_path('/a/c/', 2, 3), ['a', 'c', '']) - - def test_split_path_invalid_path(self): - try: - s3_token.split_path('o\nn e', 2) - except ValueError as err: - self.assertEqual(str(err), 'Invalid path: o%0An%20e') - try: - s3_token.split_path('o\nn e', 2, 3, True) - except ValueError as err: - self.assertEqual(str(err), 'Invalid path: o%0An%20e') diff --git a/keystoneclient/tests/test_shell.py b/keystoneclient/tests/test_shell.py deleted file mode 100644 index 2f7586bb7..000000000 --- a/keystoneclient/tests/test_shell.py +++ /dev/null @@ -1,517 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import argparse -import json -import logging -import os -import sys -import uuid - -import fixtures -import mock -import six -import testtools -from testtools import matchers - -from keystoneclient import exceptions -from keystoneclient import session -from keystoneclient import shell as openstack_shell -from keystoneclient.tests import utils -from keystoneclient.v2_0 import shell as shell_v2_0 - - -DEFAULT_USERNAME = 'username' -DEFAULT_PASSWORD = 'password' -DEFAULT_TENANT_ID = 'tenant_id' -DEFAULT_TENANT_NAME = 'tenant_name' -DEFAULT_AUTH_URL = 'http://127.0.0.1:5000/v2.0/' - - -class NoExitArgumentParser(argparse.ArgumentParser): - def error(self, message): - raise exceptions.CommandError(message) - - -class ShellTest(utils.TestCase): - - FAKE_ENV = { - 'OS_USERNAME': DEFAULT_USERNAME, - 'OS_PASSWORD': DEFAULT_PASSWORD, - 'OS_TENANT_ID': DEFAULT_TENANT_ID, - 'OS_TENANT_NAME': DEFAULT_TENANT_NAME, - 'OS_AUTH_URL': DEFAULT_AUTH_URL, - } - - def _tolerant_shell(self, cmd): - t_shell = openstack_shell.OpenStackIdentityShell(NoExitArgumentParser) - t_shell.main(cmd.split()) - - # Patch os.environ to avoid required auth info. - def setUp(self): - - super(ShellTest, self).setUp() - for var in os.environ: - if var.startswith("OS_"): - self.useFixture(fixtures.EnvironmentVariable(var, "")) - - for var in self.FAKE_ENV: - self.useFixture(fixtures.EnvironmentVariable(var, - self.FAKE_ENV[var])) - - # Make a fake shell object, a helping wrapper to call it, and a quick - # way of asserting that certain API calls were made. - global shell, _shell, assert_called, assert_called_anytime - _shell = openstack_shell.OpenStackIdentityShell() - shell = lambda cmd: _shell.main(cmd.split()) - - def test_help_unknown_command(self): - self.assertRaises(exceptions.CommandError, shell, 'help %s' - % uuid.uuid4().hex) - - def shell(self, argstr): - orig = sys.stdout - clean_env = {} - _old_env, os.environ = os.environ, clean_env.copy() - try: - sys.stdout = six.StringIO() - _shell = openstack_shell.OpenStackIdentityShell() - _shell.main(argstr.split()) - except SystemExit: - exc_type, exc_value, exc_traceback = sys.exc_info() - self.assertEqual(exc_value.code, 0) - finally: - out = sys.stdout.getvalue() - sys.stdout.close() - sys.stdout = orig - os.environ = _old_env - return out - - def test_help_no_args(self): - do_tenant_mock = mock.MagicMock() - with mock.patch('keystoneclient.shell.OpenStackIdentityShell.do_help', - do_tenant_mock): - self.shell('') - assert do_tenant_mock.called - - def test_help(self): - required = 'usage:' - help_text = self.shell('help') - self.assertThat(help_text, - matchers.MatchesRegex(required)) - - def test_help_command(self): - required = 'usage: keystone user-create' - help_text = self.shell('help user-create') - self.assertThat(help_text, - matchers.MatchesRegex(required)) - - def test_auth_no_credentials(self): - with testtools.ExpectedException( - exceptions.CommandError, 'Expecting'): - self.shell('user-list') - - def test_debug(self): - logging_mock = mock.MagicMock() - with mock.patch('logging.basicConfig', logging_mock): - self.assertRaises(exceptions.CommandError, - self.shell, '--debug user-list') - self.assertTrue(logging_mock.called) - self.assertEqual([(), {'level': logging.DEBUG}], - list(logging_mock.call_args)) - - def test_auth_password_authurl_no_username(self): - with testtools.ExpectedException( - exceptions.CommandError, - 'Expecting a username provided via either'): - self.shell('--os-password=%s --os-auth-url=%s user-list' - % (uuid.uuid4().hex, uuid.uuid4().hex)) - - def test_auth_username_password_no_authurl(self): - with testtools.ExpectedException( - exceptions.CommandError, 'Expecting an auth URL via either'): - self.shell('--os-password=%s --os-username=%s user-list' - % (uuid.uuid4().hex, uuid.uuid4().hex)) - - def test_token_no_endpoint(self): - with testtools.ExpectedException( - exceptions.CommandError, 'Expecting an endpoint provided'): - self.shell('--os-token=%s user-list' % uuid.uuid4().hex) - - def test_endpoint_no_token(self): - with testtools.ExpectedException( - exceptions.CommandError, 'Expecting a token provided'): - self.shell('--os-endpoint=http://10.0.0.1:5000/v2.0/ user-list') - - def test_shell_args(self): - do_tenant_mock = mock.MagicMock() - with mock.patch('keystoneclient.v2_0.shell.do_user_list', - do_tenant_mock): - shell('user-list') - assert do_tenant_mock.called - ((a, b), c) = do_tenant_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # Old_style options - shell('--os_auth_url http://0.0.0.0:5000/ --os_password xyzpdq ' - '--os_tenant_id 1234 --os_tenant_name fred ' - '--os_username barney ' - '--os_identity_api_version 2.0 user-list') - assert do_tenant_mock.called - ((a, b), c) = do_tenant_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = ('http://0.0.0.0:5000/', 'xyzpdq', '1234', - 'fred', 'barney', '2.0') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - shell('--os-auth-url http://1.1.1.1:5000/ --os-password xyzpdq ' - '--os-tenant-id 4321 --os-tenant-name wilma ' - '--os-username betty ' - '--os-identity-api-version 2.0 user-list') - assert do_tenant_mock.called - ((a, b), c) = do_tenant_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = ('http://1.1.1.1:5000/', 'xyzpdq', '4321', - 'wilma', 'betty', '2.0') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # Test keyring options - shell('--os-auth-url http://1.1.1.1:5000/ --os-password xyzpdq ' - '--os-tenant-id 4321 --os-tenant-name wilma ' - '--os-username betty ' - '--os-identity-api-version 2.0 ' - '--os-cache ' - '--stale-duration 500 ' - '--force-new-token user-list') - assert do_tenant_mock.called - ((a, b), c) = do_tenant_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version, b.os_cache, - b.stale_duration, b.force_new_token) - expect = ('http://1.1.1.1:5000/', 'xyzpdq', '4321', - 'wilma', 'betty', '2.0', True, '500', True) - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # Test os-identity-api-version fall back to 2.0 - shell('--os-identity-api-version 3.0 user-list') - assert do_tenant_mock.called - self.assertTrue(b.os_identity_api_version, '2.0') - - def test_shell_user_create_args(self): - """Test user-create args.""" - do_uc_mock = mock.MagicMock() - # grab the decorators for do_user_create - uc_func = getattr(shell_v2_0, 'do_user_create') - do_uc_mock.arguments = getattr(uc_func, 'arguments', []) - with mock.patch('keystoneclient.v2_0.shell.do_user_create', - do_uc_mock): - - # Old_style options - # Test case with one --tenant_id args present: ec2 creds - shell('user-create --name=FOO ' - '--pass=secrete --tenant_id=barrr --enabled=true') - assert do_uc_mock.called - ((a, b), c) = do_uc_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant_id, b.name, b.passwd, b.enabled) - expect = ('barrr', 'FOO', 'secrete', 'true') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test case with one --tenant args present: ec2 creds - shell('user-create --name=foo ' - '--pass=secrete --tenant=BARRR --enabled=true') - assert do_uc_mock.called - ((a, b), c) = do_uc_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant, b.name, b.passwd, b.enabled) - expect = ('BARRR', 'foo', 'secrete', 'true') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test case with one --tenant-id args present: ec2 creds - shell('user-create --name=foo ' - '--pass=secrete --tenant-id=BARRR --enabled=true') - assert do_uc_mock.called - ((a, b), c) = do_uc_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant, b.name, b.passwd, b.enabled) - expect = ('BARRR', 'foo', 'secrete', 'true') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # Old_style options - # Test case with --os_tenant_id and --tenant_id args present - shell('--os_tenant_id=os-tenant user-create --name=FOO ' - '--pass=secrete --tenant_id=barrr --enabled=true') - assert do_uc_mock.called - ((a, b), c) = do_uc_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, 'os-tenant', - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant_id, b.name, b.passwd, b.enabled) - expect = ('barrr', 'FOO', 'secrete', 'true') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test case with --os-tenant-id and --tenant-id args present - shell('--os-tenant-id=ostenant user-create --name=foo ' - '--pass=secrete --tenant-id=BARRR --enabled=true') - assert do_uc_mock.called - ((a, b), c) = do_uc_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, 'ostenant', - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant, b.name, b.passwd, b.enabled) - expect = ('BARRR', 'foo', 'secrete', 'true') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - def test_do_tenant_create(self): - do_tenant_mock = mock.MagicMock() - with mock.patch('keystoneclient.v2_0.shell.do_tenant_create', - do_tenant_mock): - shell('tenant-create') - assert do_tenant_mock.called - # FIXME(dtroyer): how do you test the decorators? - # shell('tenant-create --tenant-name wilma ' - # '--description "fred\'s wife"') - # assert do_tenant_mock.called - - def test_do_tenant_list(self): - do_tenant_mock = mock.MagicMock() - with mock.patch('keystoneclient.v2_0.shell.do_tenant_list', - do_tenant_mock): - shell('tenant-list') - assert do_tenant_mock.called - - def test_shell_tenant_id_args(self): - """Test a corner case where --tenant_id appears on the - command-line twice. - """ - do_ec2_mock = mock.MagicMock() - # grab the decorators for do_ec2_create_credentials - ec2_func = getattr(shell_v2_0, 'do_ec2_credentials_create') - do_ec2_mock.arguments = getattr(ec2_func, 'arguments', []) - with mock.patch('keystoneclient.v2_0.shell.do_ec2_credentials_create', - do_ec2_mock): - - # Old_style options - # Test case with one --tenant_id args present: ec2 creds - shell('ec2-credentials-create ' - '--tenant_id=ec2-tenant --user_id=ec2-user') - assert do_ec2_mock.called - ((a, b), c) = do_ec2_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant_id, b.user_id) - expect = ('ec2-tenant', 'ec2-user') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test case with one --tenant-id args present: ec2 creds - shell('ec2-credentials-create ' - '--tenant-id=dash-tenant --user-id=dash-user') - assert do_ec2_mock.called - ((a, b), c) = do_ec2_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant_id, b.user_id) - expect = ('dash-tenant', 'dash-user') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # Old_style options - # Test case with two --tenant_id args present - shell('--os_tenant_id=os-tenant ec2-credentials-create ' - '--tenant_id=ec2-tenant --user_id=ec2-user') - assert do_ec2_mock.called - ((a, b), c) = do_ec2_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, 'os-tenant', - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant_id, b.user_id) - expect = ('ec2-tenant', 'ec2-user') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test case with two --tenant-id args present - shell('--os-tenant-id=ostenant ec2-credentials-create ' - '--tenant-id=dash-tenant --user-id=dash-user') - assert do_ec2_mock.called - ((a, b), c) = do_ec2_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, 'ostenant', - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.tenant_id, b.user_id) - expect = ('dash-tenant', 'dash-user') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - def test_do_ec2_get(self): - do_shell_mock = mock.MagicMock() - - with mock.patch('keystoneclient.v2_0.shell.do_ec2_credentials_create', - do_shell_mock): - shell('ec2-credentials-create') - assert do_shell_mock.called - - with mock.patch('keystoneclient.v2_0.shell.do_ec2_credentials_get', - do_shell_mock): - shell('ec2-credentials-get') - assert do_shell_mock.called - - with mock.patch('keystoneclient.v2_0.shell.do_ec2_credentials_list', - do_shell_mock): - shell('ec2-credentials-list') - assert do_shell_mock.called - - with mock.patch('keystoneclient.v2_0.shell.do_ec2_credentials_delete', - do_shell_mock): - shell('ec2-credentials-delete') - assert do_shell_mock.called - - def test_timeout_parse_invalid_type(self): - for f in ['foobar', 'xyz']: - cmd = '--timeout %s endpoint-create' % (f) - self.assertRaises(exceptions.CommandError, - self._tolerant_shell, cmd) - - def test_timeout_parse_invalid_number(self): - for f in [-1, 0]: - cmd = '--timeout %s endpoint-create' % (f) - self.assertRaises(exceptions.CommandError, - self._tolerant_shell, cmd) - - def test_do_timeout(self): - response_mock = mock.MagicMock() - response_mock.status_code = 200 - response_mock.text = json.dumps({ - 'endpoints': [], - }) - request_mock = mock.MagicMock(return_value=response_mock) - with mock.patch.object(session.requests, 'request', - request_mock): - shell(('--timeout 2 --os-token=blah --os-endpoint=blah' - ' --os-auth-url=blah.com endpoint-list')) - request_mock.assert_called_with(mock.ANY, mock.ANY, - timeout=2, - allow_redirects=False, - headers=mock.ANY, - verify=mock.ANY) - - def test_do_endpoints(self): - do_shell_mock = mock.MagicMock() - # grab the decorators for do_endpoint_create - shell_func = getattr(shell_v2_0, 'do_endpoint_create') - do_shell_mock.arguments = getattr(shell_func, 'arguments', []) - with mock.patch('keystoneclient.v2_0.shell.do_endpoint_create', - do_shell_mock): - - # Old_style options - # Test create args - shell('endpoint-create ' - '--service_id=2 --publicurl=http://example.com:1234/go ' - '--adminurl=http://example.com:9876/adm') - assert do_shell_mock.called - ((a, b), c) = do_shell_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.service, b.publicurl, b.adminurl) - expect = ('2', - 'http://example.com:1234/go', - 'http://example.com:9876/adm') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test create args - shell('endpoint-create ' - '--service-id=3 --publicurl=http://example.com:4321/go ' - '--adminurl=http://example.com:9876/adm') - assert do_shell_mock.called - ((a, b), c) = do_shell_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.service, b.publicurl, b.adminurl) - expect = ('3', - 'http://example.com:4321/go', - 'http://example.com:9876/adm') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - - # New-style options - # Test create args - shell('endpoint-create ' - '--service=3 --publicurl=http://example.com:4321/go ' - '--adminurl=http://example.com:9876/adm') - assert do_shell_mock.called - ((a, b), c) = do_shell_mock.call_args - actual = (b.os_auth_url, b.os_password, b.os_tenant_id, - b.os_tenant_name, b.os_username, - b.os_identity_api_version) - expect = (DEFAULT_AUTH_URL, DEFAULT_PASSWORD, DEFAULT_TENANT_ID, - DEFAULT_TENANT_NAME, DEFAULT_USERNAME, '') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) - actual = (b.service, b.publicurl, b.adminurl) - expect = ('3', - 'http://example.com:4321/go', - 'http://example.com:9876/adm') - self.assertTrue(all([x == y for x, y in zip(actual, expect)])) diff --git a/keystoneclient/tests/test_utils.py b/keystoneclient/tests/test_utils.py deleted file mode 100644 index 01131e6f1..000000000 --- a/keystoneclient/tests/test_utils.py +++ /dev/null @@ -1,240 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import logging -import sys - -import six -import testresources -from testtools import matchers - -from keystoneclient import exceptions -from keystoneclient.tests import client_fixtures -from keystoneclient.tests import utils as test_utils -from keystoneclient import utils - - -class FakeResource(object): - pass - - -class FakeManager(object): - - resource_class = FakeResource - - resources = { - '1234': {'name': 'entity_one'}, - '8e8ec658-c7b0-4243-bdf8-6f7f2952c0d0': {'name': 'entity_two'}, - '\xe3\x82\xbdtest': {'name': u'\u30bdtest'}, - '5678': {'name': '9876'} - } - - def get(self, resource_id): - try: - return self.resources[str(resource_id)] - except KeyError: - raise exceptions.NotFound(resource_id) - - def find(self, name=None): - if name == '9999': - # NOTE(morganfainberg): special case that raises NoUniqueMatch. - raise exceptions.NoUniqueMatch() - for resource_id, resource in self.resources.items(): - if resource['name'] == str(name): - return resource - raise exceptions.NotFound(name) - - -class FindResourceTestCase(test_utils.TestCase): - - def setUp(self): - super(FindResourceTestCase, self).setUp() - self.manager = FakeManager() - - def test_find_none(self): - self.assertRaises(exceptions.CommandError, - utils.find_resource, - self.manager, - 'asdf') - - def test_find_by_integer_id(self): - output = utils.find_resource(self.manager, 1234) - self.assertEqual(output, self.manager.resources['1234']) - - def test_find_by_str_id(self): - output = utils.find_resource(self.manager, '1234') - self.assertEqual(output, self.manager.resources['1234']) - - def test_find_by_uuid(self): - uuid = '8e8ec658-c7b0-4243-bdf8-6f7f2952c0d0' - output = utils.find_resource(self.manager, uuid) - self.assertEqual(output, self.manager.resources[uuid]) - - def test_find_by_unicode(self): - name = '\xe3\x82\xbdtest' - output = utils.find_resource(self.manager, name) - self.assertEqual(output, self.manager.resources[name]) - - def test_find_by_str_name(self): - output = utils.find_resource(self.manager, 'entity_one') - self.assertEqual(output, self.manager.resources['1234']) - - def test_find_by_int_name(self): - output = utils.find_resource(self.manager, 9876) - self.assertEqual(output, self.manager.resources['5678']) - - def test_find_no_unique_match(self): - self.assertRaises(exceptions.CommandError, - utils.find_resource, - self.manager, - 9999) - - -class FakeObject(object): - def __init__(self, name): - self.name = name - - -class PrintTestCase(test_utils.TestCase): - def setUp(self): - super(PrintTestCase, self).setUp() - self.old_stdout = sys.stdout - self.stdout = six.moves.cStringIO() - self.addCleanup(setattr, self, 'stdout', None) - sys.stdout = self.stdout - self.addCleanup(setattr, sys, 'stdout', self.old_stdout) - - def test_print_list_unicode(self): - name = six.u('\u540d\u5b57') - objs = [FakeObject(name)] - # NOTE(Jeffrey4l) If the text's encode is proper, this method will not - # raise UnicodeEncodeError exceptions - utils.print_list(objs, ['name']) - output = self.stdout.getvalue() - # In Python 2, output will be bytes, while in Python 3, it will not. - # Let's decode the value if needed. - if isinstance(output, six.binary_type): - output = output.decode('utf-8') - self.assertIn(name, output) - - def test_print_dict_unicode(self): - name = six.u('\u540d\u5b57') - utils.print_dict({'name': name}) - output = self.stdout.getvalue() - # In Python 2, output will be bytes, while in Python 3, it will not. - # Let's decode the value if needed. - if isinstance(output, six.binary_type): - output = output.decode('utf-8') - self.assertIn(name, output) - - -class TestPositional(test_utils.TestCase): - - @utils.positional(1) - def no_vars(self): - # positional doesn't enforce anything here - return True - - @utils.positional(3, utils.positional.EXCEPT) - def mixed_except(self, arg, kwarg1=None, kwarg2=None): - # self, arg, and kwarg1 may be passed positionally - return (arg, kwarg1, kwarg2) - - @utils.positional(3, utils.positional.WARN) - def mixed_warn(self, arg, kwarg1=None, kwarg2=None): - # self, arg, and kwarg1 may be passed positionally, only a warning - # is emitted - return (arg, kwarg1, kwarg2) - - def test_nothing(self): - self.assertTrue(self.no_vars()) - - def test_mixed_except(self): - self.assertEqual((1, 2, 3), self.mixed_except(1, 2, kwarg2=3)) - self.assertEqual((1, 2, 3), self.mixed_except(1, kwarg1=2, kwarg2=3)) - self.assertEqual((1, None, None), self.mixed_except(1)) - self.assertRaises(TypeError, self.mixed_except, 1, 2, 3) - - def test_mixed_warn(self): - logger_message = six.moves.cStringIO() - handler = logging.StreamHandler(logger_message) - handler.setLevel(logging.DEBUG) - - logger = logging.getLogger(utils.__name__) - level = logger.getEffectiveLevel() - logger.setLevel(logging.DEBUG) - logger.addHandler(handler) - - self.addCleanup(logger.removeHandler, handler) - self.addCleanup(logger.setLevel, level) - - self.mixed_warn(1, 2, 3) - - self.assertIn('takes at most 3 positional', logger_message.getvalue()) - - @utils.positional(enforcement=utils.positional.EXCEPT) - def inspect_func(self, arg, kwarg=None): - return (arg, kwarg) - - def test_inspect_positions(self): - self.assertEqual((1, None), self.inspect_func(1)) - self.assertEqual((1, 2), self.inspect_func(1, kwarg=2)) - self.assertRaises(TypeError, self.inspect_func) - self.assertRaises(TypeError, self.inspect_func, 1, 2) - - @utils.positional.classmethod(1) - def class_method(cls, a, b): - return (cls, a, b) - - @utils.positional.method(1) - def normal_method(self, a, b): - self.assertIsInstance(self, TestPositional) - return (self, a, b) - - def test_class_method(self): - self.assertEqual((TestPositional, 1, 2), self.class_method(1, b=2)) - self.assertRaises(TypeError, self.class_method, 1, 2) - - def test_normal_method(self): - self.assertEqual((self, 1, 2), self.normal_method(1, b=2)) - self.assertRaises(TypeError, self.normal_method, 1, 2) - - -class HashSignedTokenTestCase(test_utils.TestCase, - testresources.ResourcedTestCase): - """Unit tests for utils.hash_signed_token().""" - - resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] - - def test_default_md5(self): - """The default hash method is md5.""" - token = self.examples.SIGNED_TOKEN_SCOPED - if six.PY3: - token = token.encode('utf-8') - token_id_default = utils.hash_signed_token(token) - token_id_md5 = utils.hash_signed_token(token, mode='md5') - self.assertThat(token_id_default, matchers.Equals(token_id_md5)) - # md5 hash is 32 chars. - self.assertThat(token_id_default, matchers.HasLength(32)) - - def test_sha256(self): - """Can also hash with sha256.""" - token = self.examples.SIGNED_TOKEN_SCOPED - if six.PY3: - token = token.encode('utf-8') - token_id = utils.hash_signed_token(token, mode='sha256') - # sha256 hash is 64 chars. - self.assertThat(token_id, matchers.HasLength(64)) - - -def load_tests(loader, tests, pattern): - return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/contrib/revoke/__init__.py b/keystoneclient/tests/unit/__init__.py similarity index 100% rename from keystoneclient/contrib/revoke/__init__.py rename to keystoneclient/tests/unit/__init__.py diff --git a/keystoneclient/middleware/__init__.py b/keystoneclient/tests/unit/apiclient/__init__.py similarity index 100% rename from keystoneclient/middleware/__init__.py rename to keystoneclient/tests/unit/apiclient/__init__.py diff --git a/keystoneclient/tests/apiclient/test_exceptions.py b/keystoneclient/tests/unit/apiclient/test_exceptions.py similarity index 93% rename from keystoneclient/tests/apiclient/test_exceptions.py rename to keystoneclient/tests/unit/apiclient/test_exceptions.py index 1f1b1b2f0..65cf08016 100644 --- a/keystoneclient/tests/apiclient/test_exceptions.py +++ b/keystoneclient/tests/unit/apiclient/test_exceptions.py @@ -13,17 +13,15 @@ # License for the specific language governing permissions and limitations # under the License. -import six - from keystoneclient import exceptions -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils class FakeResponse(object): json_data = {} def __init__(self, **kwargs): - for key, value in six.iteritems(kwargs): + for key, value in kwargs.items(): setattr(self, key, value) def json(self): @@ -40,7 +38,7 @@ def assert_exception(self, ex_cls, method, url, status_code, json_data): method, url) self.assertIsInstance(ex, ex_cls) - self.assertEqual(ex.message, json_data["error"]["message"]) + self.assertIn(json_data["error"]["message"], ex.message) self.assertEqual(ex.details, json_data["error"]["details"]) self.assertEqual(ex.method, method) self.assertEqual(ex.url, url) diff --git a/keystoneclient/openstack/__init__.py b/keystoneclient/tests/unit/auth/__init__.py similarity index 100% rename from keystoneclient/openstack/__init__.py rename to keystoneclient/tests/unit/auth/__init__.py diff --git a/keystoneclient/tests/unit/auth/test_access.py b/keystoneclient/tests/unit/auth/test_access.py new file mode 100644 index 000000000..f5f5843a8 --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_access.py @@ -0,0 +1,64 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1 import fixture +from keystoneauth1 import plugin + +from keystoneclient import access +from keystoneclient.auth.identity import access as access_plugin +from keystoneclient import session +from keystoneclient.tests.unit import utils + + +class AccessInfoPluginTests(utils.TestCase): + + def setUp(self): + super(AccessInfoPluginTests, self).setUp() + with self.deprecations.expect_deprecations_here(): + self.session = session.Session() + self.auth_token = uuid.uuid4().hex + + def _plugin(self, **kwargs): + token = fixture.V3Token() + s = token.add_service('identity') + s.add_standard_endpoints(public=self.TEST_ROOT_URL) + + auth_ref = access.AccessInfo.factory(body=token, + auth_token=self.auth_token) + with self.deprecations.expect_deprecations_here(): + return access_plugin.AccessInfoPlugin(auth_ref, **kwargs) + + def test_auth_ref(self): + plugin = self._plugin() + self.assertEqual(self.TEST_ROOT_URL, + plugin.get_endpoint(self.session, + service_type='identity', + interface='public')) + self.assertEqual(self.auth_token, plugin.get_token(session)) + + def test_auth_url(self): + auth_url = 'http://keystone.test.url' + plug = self._plugin(auth_url=auth_url) + + self.assertEqual(auth_url, + plug.get_endpoint(self.session, + interface=plugin.AUTH_INTERFACE)) + + def test_invalidate(self): + plugin = self._plugin() + auth_ref = plugin.auth_ref + + self.assertIsInstance(auth_ref, access.AccessInfo) + self.assertFalse(plugin.invalidate()) + self.assertIs(auth_ref, plugin.auth_ref) diff --git a/keystoneclient/tests/unit/auth/test_auth.py b/keystoneclient/tests/unit/auth/test_auth.py new file mode 100644 index 000000000..3a56fb2aa --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_auth.py @@ -0,0 +1,22 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient.tests.unit.auth import utils + + +class AuthTests(utils.TestCase): + + def test_plugin_names_in_available(self): + pass + + def test_plugin_classes_in_available(self): + pass diff --git a/keystoneclient/tests/auth/test_cli.py b/keystoneclient/tests/unit/auth/test_cli.py similarity index 68% rename from keystoneclient/tests/auth/test_cli.py rename to keystoneclient/tests/unit/auth/test_cli.py index 4d3289e5e..b2a2f6ae8 100644 --- a/keystoneclient/tests/auth/test_cli.py +++ b/keystoneclient/tests/unit/auth/test_cli.py @@ -11,14 +11,15 @@ # under the License. import argparse +from unittest import mock import uuid -import mock -from oslo.config import cfg +import fixtures +from oslo_config import cfg from keystoneclient.auth import base from keystoneclient.auth import cli -from keystoneclient.tests.auth import utils +from keystoneclient.tests.unit.auth import utils class TesterPlugin(base.BaseAuthPlugin): @@ -41,8 +42,16 @@ class CliTests(utils.TestCase): def setUp(self): super(CliTests, self).setUp() + self.deprecations.expect_deprecations() self.p = argparse.ArgumentParser() + def env(self, name, value=None): + if value is not None: + # environment variables are always strings + value = str(value) + + return self.useFixture(fixtures.EnvironmentVariable(name, value)) + def test_creating_with_no_args(self): ret = cli.register_argparse_arguments(self.p, []) self.assertIsNone(ret) @@ -104,6 +113,54 @@ def test_default_options(self, m): self.assertEqual(self.a_float, a['a_float']) self.assertEqual(3, a['a_int']) + @utils.mock_plugin + def test_with_default_string_value(self, m): + name = uuid.uuid4().hex + klass = cli.register_argparse_arguments(self.p, [], default=name) + self.assertIs(utils.MockPlugin, klass) + m.assert_called_once_with(name) + + @utils.mock_plugin + def test_overrides_default_string_value(self, m): + name = uuid.uuid4().hex + default = uuid.uuid4().hex + argv = ['--os-auth-plugin', name] + klass = cli.register_argparse_arguments(self.p, argv, default=default) + self.assertIs(utils.MockPlugin, klass) + m.assert_called_once_with(name) + + @utils.mock_plugin + def test_with_default_type_value(self, m): + klass = cli.register_argparse_arguments(self.p, [], + default=utils.MockPlugin) + self.assertIs(utils.MockPlugin, klass) + self.assertEqual(0, m.call_count) + + @utils.mock_plugin + def test_overrides_default_type_value(self, m): + # using this test plugin would fail if called because there + # is no get_options() function + class TestPlugin(object): + pass + name = uuid.uuid4().hex + argv = ['--os-auth-plugin', name] + klass = cli.register_argparse_arguments(self.p, argv, + default=TestPlugin) + self.assertIs(utils.MockPlugin, klass) + m.assert_called_once_with(name) + + @utils.mock_plugin + def test_env_overrides_default_opt(self, m): + name = uuid.uuid4().hex + val = uuid.uuid4().hex + self.env('OS_A_STR', val) + + klass = cli.register_argparse_arguments(self.p, [], default=name) + opts = self.p.parse_args([]) + a = klass.load_from_argparse_arguments(opts) + + self.assertEqual(val, a['a_str']) + def test_deprecated_cli_options(self): TesterPlugin.register_argparse_arguments(self.p) val = uuid.uuid4().hex diff --git a/keystoneclient/tests/auth/test_conf.py b/keystoneclient/tests/unit/auth/test_conf.py similarity index 51% rename from keystoneclient/tests/auth/test_conf.py rename to keystoneclient/tests/unit/auth/test_conf.py index 24b20196f..bea37a4f1 100644 --- a/keystoneclient/tests/auth/test_conf.py +++ b/keystoneclient/tests/unit/auth/test_conf.py @@ -10,25 +10,23 @@ # License for the specific language governing permissions and limitations # under the License. +from unittest import mock import uuid -import mock -from oslo.config import cfg -from oslo.config import fixture as config -import stevedore +from oslo_config import cfg +from oslo_config import fixture as config from keystoneclient.auth import base from keystoneclient.auth import conf -from keystoneclient.auth.identity import v2 as v2_auth -from keystoneclient.auth.identity import v3 as v3_auth from keystoneclient import exceptions -from keystoneclient.tests.auth import utils +from keystoneclient.tests.unit.auth import utils class ConfTests(utils.TestCase): def setUp(self): super(ConfTests, self).setUp() + self.deprecations.expect_deprecations() self.conf_fixture = self.useFixture(config.Config()) # NOTE(jamielennox): we register the basic config options first because @@ -38,73 +36,26 @@ def setUp(self): conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) def test_loading_v2(self): - section = uuid.uuid4().hex - username = uuid.uuid4().hex - password = uuid.uuid4().hex - trust_id = uuid.uuid4().hex - tenant_id = uuid.uuid4().hex - - self.conf_fixture.config(auth_section=section, group=self.GROUP) - conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) - - self.conf_fixture.register_opts(v2_auth.Password.get_options(), - group=section) - - self.conf_fixture.config(auth_plugin=self.V2PASS, - username=username, - password=password, - trust_id=trust_id, - tenant_id=tenant_id, - group=section) - - a = conf.load_from_conf_options(self.conf_fixture.conf, self.GROUP) - - self.assertEqual(username, a.username) - self.assertEqual(password, a.password) - self.assertEqual(trust_id, a.trust_id) - self.assertEqual(tenant_id, a.tenant_id) + pass def test_loading_v3(self): - section = uuid.uuid4().hex - token = uuid.uuid4().hex - trust_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - project_domain_name = uuid.uuid4().hex - - self.conf_fixture.config(auth_section=section, group=self.GROUP) - conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) - - self.conf_fixture.register_opts(v3_auth.Token.get_options(), - group=section) - - self.conf_fixture.config(auth_plugin=self.V3TOKEN, - token=token, - trust_id=trust_id, - project_id=project_id, - project_domain_name=project_domain_name, - group=section) - - a = conf.load_from_conf_options(self.conf_fixture.conf, self.GROUP) - - self.assertEqual(token, a.auth_methods[0].token) - self.assertEqual(trust_id, a.trust_id) - self.assertEqual(project_id, a.project_id) - self.assertEqual(project_domain_name, a.project_domain_name) + pass def test_loading_invalid_plugin(self): - self.conf_fixture.config(auth_plugin=uuid.uuid4().hex, + auth_plugin = uuid.uuid4().hex + self.conf_fixture.config(auth_plugin=auth_plugin, group=self.GROUP) - self.assertRaises(exceptions.NoMatchingPlugin, - conf.load_from_conf_options, - self.conf_fixture.conf, - self.GROUP) + e = self.assertRaises(exceptions.NoMatchingPlugin, + conf.load_from_conf_options, + self.conf_fixture.conf, + self.GROUP) + + self.assertEqual(auth_plugin, e.name) def test_loading_with_no_data(self): - self.assertRaises(exceptions.NoMatchingPlugin, - conf.load_from_conf_options, - self.conf_fixture.conf, - self.GROUP) + self.assertIsNone(conf.load_from_conf_options(self.conf_fixture.conf, + self.GROUP)) @mock.patch('stevedore.DriverManager') def test_other_params(self, m): @@ -153,15 +104,7 @@ def test_diff_section(self, m): self.assertTestVals(a) def test_plugins_are_all_opts(self): - manager = stevedore.ExtensionManager(base.PLUGIN_NAMESPACE, - invoke_on_load=False, - propagate_map_exceptions=True) - - def inner(driver): - for p in driver.plugin.get_options(): - self.assertIsInstance(p, cfg.Opt) - - manager.map(inner) + pass def test_get_common(self): opts = conf.get_common_conf_options() @@ -170,7 +113,4 @@ def test_get_common(self): self.assertEqual(2, len(opts)) def test_get_named(self): - loaded_opts = conf.get_plugin_options('v2password') - plugin_opts = v2_auth.Password.get_options() - - self.assertEqual(plugin_opts, loaded_opts) + pass diff --git a/keystoneclient/tests/unit/auth/test_default_cli.py b/keystoneclient/tests/unit/auth/test_default_cli.py new file mode 100644 index 000000000..8afd2cde7 --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_default_cli.py @@ -0,0 +1,92 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import argparse +from unittest import mock +import uuid + + +from keystoneclient.auth.identity.generic import cli +from keystoneclient import exceptions +from keystoneclient.tests.unit import utils + + +class DefaultCliTests(utils.TestCase): + + def setUp(self): + super(DefaultCliTests, self).setUp() + self.deprecations.expect_deprecations() + + def new_plugin(self, argv): + parser = argparse.ArgumentParser() + cli.DefaultCLI.register_argparse_arguments(parser) + opts = parser.parse_args(argv) + return cli.DefaultCLI.load_from_argparse_arguments(opts) + + def test_endpoint_override(self): + password = uuid.uuid4().hex + url = uuid.uuid4().hex + + p = self.new_plugin(['--os-auth-url', 'url', + '--os-endpoint', url, + '--os-password', password]) + + self.assertEqual(url, p.get_endpoint(None)) + self.assertEqual(password, p._password) + + def test_token_only_override(self): + self.assertRaises(exceptions.CommandError, + self.new_plugin, + ['--os-token', uuid.uuid4().hex]) + + def test_token_endpoint_override(self): + token = uuid.uuid4().hex + endpoint = uuid.uuid4().hex + + p = self.new_plugin(['--os-endpoint', endpoint, + '--os-token', token]) + + self.assertEqual(endpoint, p.get_endpoint(None)) + self.assertEqual(token, p.get_token(None)) + + def test_no_auth_url(self): + exc = self.assertRaises(exceptions.CommandError, + self.new_plugin, + ['--os-username', uuid.uuid4().hex]) + + self.assertIn('auth-url', str(exc)) + + @mock.patch('sys.stdin', autospec=True) + @mock.patch('getpass.getpass') + def test_prompt_password(self, mock_getpass, mock_stdin): + password = uuid.uuid4().hex + + mock_stdin.isatty = lambda: True + mock_getpass.return_value = password + + p = self.new_plugin(['--os-auth-url', uuid.uuid4().hex, + '--os-username', uuid.uuid4().hex]) + + self.assertEqual(password, p._password) + + @mock.patch('sys.stdin', autospec=True) + @mock.patch('getpass.getpass') + def test_prompt_no_password(self, mock_getpass, mock_stdin): + mock_stdin.isatty = lambda: True + mock_getpass.return_value = '' + + exc = self.assertRaises(exceptions.CommandError, + self.new_plugin, + ['--os-auth-url', uuid.uuid4().hex, + '--os-username', uuid.uuid4().hex]) + + self.assertIn('password', str(exc)) diff --git a/keystoneclient/tests/auth/test_identity_common.py b/keystoneclient/tests/unit/auth/test_identity_common.py similarity index 52% rename from keystoneclient/tests/auth/test_identity_common.py rename to keystoneclient/tests/unit/auth/test_identity_common.py index 8c5499c18..3e8cc2b81 100644 --- a/keystoneclient/tests/auth/test_identity_common.py +++ b/keystoneclient/tests/unit/auth/test_identity_common.py @@ -12,22 +12,22 @@ import abc import datetime +from unittest import mock import uuid -import six +from keystoneauth1 import fixture +from keystoneauth1 import plugin +from oslo_utils import timeutils from keystoneclient import access from keystoneclient.auth import base -from keystoneclient.auth.identity import v2 -from keystoneclient.auth.identity import v3 -from keystoneclient import fixture -from keystoneclient.openstack.common import timeutils +from keystoneclient.auth import identity +from keystoneclient import exceptions from keystoneclient import session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils -@six.add_metaclass(abc.ABCMeta) -class CommonIdentityTests(object): +class CommonIdentityTests(object, metaclass=abc.ABCMeta): TEST_ROOT_URL = 'http://127.0.0.1:5000/' TEST_ROOT_ADMIN_URL = 'http://127.0.0.1:35357/' @@ -40,6 +40,7 @@ class CommonIdentityTests(object): def setUp(self): super(CommonIdentityTests, self).setUp() + self.deprecations.expect_deprecations() self.TEST_URL = '%s%s' % (self.TEST_ROOT_URL, self.version) self.TEST_ADMIN_URL = '%s%s' % (self.TEST_ROOT_ADMIN_URL, self.version) @@ -54,6 +55,7 @@ def create_auth_plugin(self, **kwargs): It doesn't really matter what auth mechanism is used but it should be appropriate to the API version. """ + pass @abc.abstractmethod def get_auth_data(self, **kwargs): @@ -62,12 +64,21 @@ def get_auth_data(self, **kwargs): This should register a valid token response and ensure that the compute endpoints are set to TEST_COMPUTE_PUBLIC, _INTERNAL and _ADMIN. """ + pass def stub_auth_data(self, **kwargs): token = self.get_auth_data(**kwargs) + self.user_id = token.user_id + + try: + self.project_id = token.project_id + except AttributeError: + self.project_id = token.tenant_id + self.stub_auth(json=token) - @abc.abstractproperty + @property + @abc.abstractmethod def version(self): """The API version being tested.""" @@ -107,7 +118,7 @@ def test_discovery_uses_session_cache(self): # register responses such that if the discovery URL is hit more than # once then the response will be invalid and not point to COMPUTE_ADMIN resps = [{'json': self.TEST_DISCOVERY}, {'status_code': 500}] - self.requests.register_uri('GET', self.TEST_COMPUTE_ADMIN, resps) + self.requests_mock.get(self.TEST_COMPUTE_ADMIN, resps) body = 'SUCCESS' self.stub_url('GET', ['path'], text=body) @@ -132,7 +143,7 @@ def test_discovery_uses_plugin_cache(self): # register responses such that if the discovery URL is hit more than # once then the response will be invalid and not point to COMPUTE_ADMIN resps = [{'json': self.TEST_DISCOVERY}, {'status_code': 500}] - self.requests.register_uri('GET', self.TEST_COMPUTE_ADMIN, resps) + self.requests_mock.get(self.TEST_COMPUTE_ADMIN, resps) body = 'SUCCESS' self.stub_url('GET', ['path'], text=body) @@ -180,7 +191,7 @@ def test_asking_for_auth_endpoint_ignores_checks(self): s = session.Session(auth=a) auth_url = s.get_endpoint(service_type='compute', - interface=base.AUTH_INTERFACE) + interface=plugin.AUTH_INTERFACE) self.assertEqual(self.TEST_URL, auth_url) @@ -191,7 +202,7 @@ def _create_expired_auth_plugin(self, **kwargs): body = 'SUCCESS' self.stub_url('GET', ['path'], - base_url=self.TEST_COMPUTE_ADMIN, body=body) + base_url=self.TEST_COMPUTE_ADMIN, text=body) a = self.create_auth_plugin(**kwargs) a.auth_ref = expired_auth_ref @@ -209,6 +220,25 @@ def test_no_reauthenticate(self): s = session.Session(auth=a) self.assertIs(expired_auth_ref, a.get_access(s)) + def test_invalidate(self): + a = self.create_auth_plugin() + s = session.Session(auth=a) + + # trigger token fetching + s.get_auth_headers() + + self.assertTrue(a.auth_ref) + self.assertTrue(a.invalidate()) + self.assertIsNone(a.auth_ref) + self.assertFalse(a.invalidate()) + + def test_get_auth_properties(self): + a = self.create_auth_plugin() + s = session.Session() + + self.assertEqual(self.user_id, a.get_user_id(s)) + self.assertEqual(self.project_id, a.get_project_id(s)) + class V3(CommonIdentityTests, utils.TestCase): @@ -242,7 +272,7 @@ def create_auth_plugin(self, **kwargs): kwargs.setdefault('auth_url', self.TEST_URL) kwargs.setdefault('username', self.TEST_USER) kwargs.setdefault('password', self.TEST_PASS) - return v3.Password(**kwargs) + return identity.V3Password(**kwargs) class V2(CommonIdentityTests, utils.TestCase): @@ -255,7 +285,7 @@ def create_auth_plugin(self, **kwargs): kwargs.setdefault('auth_url', self.TEST_URL) kwargs.setdefault('username', self.TEST_USER) kwargs.setdefault('password', self.TEST_PASS) - return v2.Password(**kwargs) + return identity.V2Password(**kwargs) def get_auth_data(self, **kwargs): token = fixture.V2Token(**kwargs) @@ -274,3 +304,201 @@ def get_auth_data(self, **kwargs): def stub_auth(self, **kwargs): self.stub_url('POST', ['tokens'], **kwargs) + + +class CatalogHackTests(utils.TestCase): + + TEST_URL = 'http://keystone.server:5000/v2.0' + OTHER_URL = 'http://other.server:5000/path' + + IDENTITY = 'identity' + + BASE_URL = 'http://keystone.server:5000/' + V2_URL = BASE_URL + 'v2.0' + V3_URL = BASE_URL + 'v3' + + def setUp(self): + super(CatalogHackTests, self).setUp() + self.deprecations.expect_deprecations() + + def test_getting_endpoints(self): + disc = fixture.DiscoveryList(href=self.BASE_URL) + self.stub_url('GET', + ['/'], + base_url=self.BASE_URL, + json=disc) + + token = fixture.V2Token() + service = token.add_service(self.IDENTITY) + service.add_endpoint(public=self.V2_URL, + admin=self.V2_URL, + internal=self.V2_URL) + + self.stub_url('POST', + ['tokens'], + base_url=self.V2_URL, + json=token) + + v2_auth = identity.V2Password(self.V2_URL, + username=uuid.uuid4().hex, + password=uuid.uuid4().hex) + + sess = session.Session(auth=v2_auth) + + endpoint = sess.get_endpoint(service_type=self.IDENTITY, + interface='public', + version=(3, 0)) + + self.assertEqual(self.V3_URL, endpoint) + + def test_returns_original_when_discover_fails(self): + token = fixture.V2Token() + service = token.add_service(self.IDENTITY) + service.add_endpoint(public=self.V2_URL, + admin=self.V2_URL, + internal=self.V2_URL) + + self.stub_url('POST', + ['tokens'], + base_url=self.V2_URL, + json=token) + + self.stub_url('GET', [], base_url=self.BASE_URL, status_code=404) + + v2_auth = identity.V2Password(self.V2_URL, + username=uuid.uuid4().hex, + password=uuid.uuid4().hex) + + sess = session.Session(auth=v2_auth) + + endpoint = sess.get_endpoint(service_type=self.IDENTITY, + interface='public', + version=(3, 0)) + + self.assertEqual(self.V2_URL, endpoint) + + def test_getting_endpoints_on_auth_interface(self): + disc = fixture.DiscoveryList(href=self.BASE_URL) + self.stub_url('GET', + ['/'], + base_url=self.BASE_URL, + status_code=300, + json=disc) + + token = fixture.V2Token() + service = token.add_service(self.IDENTITY) + service.add_endpoint(public=self.V2_URL, + admin=self.V2_URL, + internal=self.V2_URL) + + self.stub_url('POST', + ['tokens'], + base_url=self.V2_URL, + json=token) + + v2_auth = identity.V2Password(self.V2_URL, + username=uuid.uuid4().hex, + password=uuid.uuid4().hex) + + sess = session.Session(auth=v2_auth) + + endpoint = sess.get_endpoint(interface=plugin.AUTH_INTERFACE, + version=(3, 0)) + + self.assertEqual(self.V3_URL, endpoint) + + +class GenericPlugin(base.BaseAuthPlugin): + + BAD_TOKEN = uuid.uuid4().hex + + def __init__(self): + super(GenericPlugin, self).__init__() + + self.endpoint = 'http://keystone.host:5000' + + self.headers = {'headerA': 'valueA', + 'headerB': 'valueB'} + + self.cert = '/path/to/cert' + self.connection_params = {'cert': self.cert, 'verify': False} + + def url(self, prefix): + return '%s/%s' % (self.endpoint, prefix) + + def get_token(self, session, **kwargs): + # NOTE(jamielennox): by specifying get_headers this should not be used + return self.BAD_TOKEN + + def get_headers(self, session, **kwargs): + return self.headers + + def get_endpoint(self, session, **kwargs): + return self.endpoint + + def get_connection_params(self, session, **kwargs): + return self.connection_params + + +class GenericAuthPluginTests(utils.TestCase): + + # filter doesn't matter to GenericPlugin, but we have to specify one + ENDPOINT_FILTER = {uuid.uuid4().hex: uuid.uuid4().hex} + + def setUp(self): + super(GenericAuthPluginTests, self).setUp() + self.auth = GenericPlugin() + + with self.deprecations.expect_deprecations_here(): + self.session = session.Session(auth=self.auth) + + def test_setting_headers(self): + text = uuid.uuid4().hex + self.stub_url('GET', base_url=self.auth.url('prefix'), text=text) + + resp = self.session.get('prefix', endpoint_filter=self.ENDPOINT_FILTER) + + self.assertEqual(text, resp.text) + + for k, v in self.auth.headers.items(): + self.assertRequestHeaderEqual(k, v) + + with self.deprecations.expect_deprecations_here(): + self.assertIsNone(self.session.get_token()) + self.assertEqual(self.auth.headers, + self.session.get_auth_headers()) + self.assertNotIn('X-Auth-Token', + self.requests_mock.last_request.headers) + + def test_setting_connection_params(self): + text = uuid.uuid4().hex + + with mock.patch.object(self.session.session, 'request') as mocked: + mocked.return_value = utils.test_response(text=text) + resp = self.session.get('prefix', + endpoint_filter=self.ENDPOINT_FILTER) + + self.assertEqual(text, resp.text) + + # the cert and verify values passed to request are those that were + # returned from the auth plugin as connection params. + + mocked.assert_called_once_with('GET', + self.auth.url('prefix'), + headers=mock.ANY, + allow_redirects=False, + cert=self.auth.cert, + verify=False) + + def test_setting_bad_connection_params(self): + # The uuid name parameter here is unknown and not in the allowed params + # to be returned to the session and so an error will be raised. + name = uuid.uuid4().hex + self.auth.connection_params[name] = uuid.uuid4().hex + + e = self.assertRaises(exceptions.UnsupportedParameters, + self.session.get, + 'prefix', + endpoint_filter=self.ENDPOINT_FILTER) + + self.assertIn(name, str(e)) diff --git a/keystoneclient/tests/auth/test_identity_v2.py b/keystoneclient/tests/unit/auth/test_identity_v2.py similarity index 79% rename from keystoneclient/tests/auth/test_identity_v2.py rename to keystoneclient/tests/unit/auth/test_identity_v2.py index 52e178bd0..84f4f5194 100644 --- a/keystoneclient/tests/auth/test_identity_v2.py +++ b/keystoneclient/tests/unit/auth/test_identity_v2.py @@ -10,13 +10,16 @@ # License for the specific language governing permissions and limitations # under the License. +import argparse import copy +from unittest import mock import uuid + from keystoneclient.auth.identity import v2 from keystoneclient import exceptions from keystoneclient import session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils class V2IdentityPlugin(utils.TestCase): @@ -77,10 +80,11 @@ class V2IdentityPlugin(utils.TestCase): def setUp(self): super(V2IdentityPlugin, self).setUp() + self.deprecations.expect_deprecations() self.TEST_RESPONSE_DICT = { "access": { "token": { - "expires": "2020-01-01T00:00:10.000123Z", + "expires": "2999-01-01T00:00:10.000123Z", "id": self.TEST_TOKEN, "tenant": { "id": self.TEST_TENANT_ID @@ -100,8 +104,10 @@ def test_authenticate_with_username_password(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS) + self.assertIsNone(a.user_id) s = session.Session(a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'passwordCredentials': {'username': self.TEST_USER, 'password': self.TEST_PASS}}} @@ -114,8 +120,10 @@ def test_authenticate_with_user_id_password(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v2.Password(self.TEST_URL, user_id=self.TEST_USER, password=self.TEST_PASS) + self.assertIsNone(a.username) s = session.Session(a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'passwordCredentials': {'userId': self.TEST_USER, 'password': self.TEST_PASS}}} @@ -128,8 +136,10 @@ def test_authenticate_with_username_password_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, tenant_id=self.TEST_TENANT_ID) + self.assertIsNone(a.user_id) s = session.Session(a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'passwordCredentials': {'username': self.TEST_USER, 'password': self.TEST_PASS}, @@ -141,8 +151,10 @@ def test_authenticate_with_user_id_password_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v2.Password(self.TEST_URL, user_id=self.TEST_USER, password=self.TEST_PASS, tenant_id=self.TEST_TENANT_ID) + self.assertIsNone(a.username) s = session.Session(a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'passwordCredentials': {'userId': self.TEST_USER, 'password': self.TEST_PASS}, @@ -154,7 +166,8 @@ def test_authenticate_with_token(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v2.Token(self.TEST_URL, 'foo') s = session.Session(a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'token': {'id': 'foo'}}} self.assertRequestBodyIs(json=req) @@ -168,7 +181,8 @@ def test_with_trust_id(self): a = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, trust_id='trust') s = session.Session(a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'passwordCredentials': {'username': self.TEST_USER, 'password': self.TEST_PASS}, @@ -190,7 +204,8 @@ def _do_service_url_test(self, base_url, endpoint_filter): resp = s.get('/path', endpoint_filter=endpoint_filter) self.assertEqual(resp.status_code, 200) - self.assertEqual(self.requests.last_request.url, base_url + '/path') + self.assertEqual(self.requests_mock.last_request.url, + base_url + '/path') def test_service_url(self): endpoint_filter = {'service_type': 'compute', @@ -261,9 +276,14 @@ def test_invalidate_response(self): password=self.TEST_PASS) s = session.Session(auth=a) - self.assertEqual('token1', s.get_token()) + with self.deprecations.expect_deprecations_here(): + self.assertEqual('token1', s.get_token()) + self.assertEqual({'X-Auth-Token': 'token1'}, s.get_auth_headers()) + a.invalidate() - self.assertEqual('token2', s.get_token()) + with self.deprecations.expect_deprecations_here(): + self.assertEqual('token2', s.get_token()) + self.assertEqual({'X-Auth-Token': 'token2'}, s.get_auth_headers()) def test_doesnt_log_password(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) @@ -272,9 +292,37 @@ def test_doesnt_log_password(self): a = v2.Password(self.TEST_URL, username=self.TEST_USER, password=password) s = session.Session(auth=a) - self.assertEqual(self.TEST_TOKEN, s.get_token()) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(self.TEST_TOKEN, s.get_token()) + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) self.assertNotIn(password, self.logger.output) def test_password_with_no_user_id_or_name(self): self.assertRaises(TypeError, v2.Password, self.TEST_URL, password=self.TEST_PASS) + + @mock.patch('sys.stdin', autospec=True) + def test_prompt_password(self, mock_stdin): + parser = argparse.ArgumentParser() + v2.Password.register_argparse_arguments(parser) + + username = uuid.uuid4().hex + auth_url = uuid.uuid4().hex + tenant_id = uuid.uuid4().hex + password = uuid.uuid4().hex + + opts = parser.parse_args(['--os-username', username, + '--os-auth-url', auth_url, + '--os-tenant-id', tenant_id]) + + with mock.patch('getpass.getpass') as mock_getpass: + mock_getpass.return_value = password + mock_stdin.isatty = lambda: True + + plugin = v2.Password.load_from_argparse_arguments(opts) + + self.assertEqual(auth_url, plugin.auth_url) + self.assertEqual(username, plugin.username) + self.assertEqual(tenant_id, plugin.tenant_id) + self.assertEqual(password, plugin.password) diff --git a/keystoneclient/tests/auth/test_identity_v3.py b/keystoneclient/tests/unit/auth/test_identity_v3.py similarity index 65% rename from keystoneclient/tests/auth/test_identity_v3.py rename to keystoneclient/tests/unit/auth/test_identity_v3.py index ecdc38abc..fe7815ed2 100644 --- a/keystoneclient/tests/auth/test_identity_v3.py +++ b/keystoneclient/tests/unit/auth/test_identity_v3.py @@ -10,14 +10,20 @@ # License for the specific language governing permissions and limitations # under the License. +import argparse import copy +from unittest import mock import uuid +from keystoneauth1 import fixture + from keystoneclient import access from keystoneclient.auth.identity import v3 +from keystoneclient.auth.identity.v3 import base as v3_base +from keystoneclient import client from keystoneclient import exceptions from keystoneclient import session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils class V3IdentityPlugin(utils.TestCase): @@ -110,6 +116,12 @@ class V3IdentityPlugin(utils.TestCase): def setUp(self): super(V3IdentityPlugin, self).setUp() + + self.TEST_DISCOVERY_RESPONSE = { + 'versions': {'values': [fixture.V3Discovery(self.TEST_URL)]}} + + self.deprecations.expect_deprecations() + self.TEST_RESPONSE_DICT = { "token": { "methods": [ @@ -117,7 +129,7 @@ def setUp(self): "password" ], - "expires_at": "2020-01-01T00:00:10.000123Z", + "expires_at": "2999-01-01T00:00:10.000123Z", "project": { "domain": { "id": self.TEST_DOMAIN_ID, @@ -138,6 +150,31 @@ def setUp(self): "catalog": self.TEST_SERVICE_CATALOG }, } + self.TEST_PROJECTS_RESPONSE = { + "projects": [ + { + "domain_id": "1789d1", + "enabled": "True", + "id": "263fd9", + "links": { + "self": "https://identity:5000/v3/projects/263fd9" + }, + "name": "Dev Group A" + }, + { + "domain_id": "1789d1", + "enabled": "True", + "id": "e56ad3", + "links": { + "self": "https://identity:5000/v3/projects/e56ad3" + }, + "name": "Dev Group B" + } + ], + "links": { + "self": "https://identity:5000/v3/projects", + } + } def stub_auth(self, subject_token=None, **kwargs): if not subject_token: @@ -153,7 +190,8 @@ def test_authenticate_with_username_password(self): password=self.TEST_PASS) s = session.Session(auth=a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['password'], @@ -165,12 +203,37 @@ def test_authenticate_with_username_password(self): self.assertRequestHeaderEqual('Accept', 'application/json') self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN) + def test_authenticate_with_username_password_unscoped(self): + del self.TEST_RESPONSE_DICT['token']['catalog'] + del self.TEST_RESPONSE_DICT['token']['project'] + + self.stub_auth(json=self.TEST_RESPONSE_DICT) + self.stub_url(method="GET", json=self.TEST_DISCOVERY_RESPONSE) + test_user_id = self.TEST_RESPONSE_DICT['token']['user']['id'] + self.stub_url(method="GET", + json=self.TEST_PROJECTS_RESPONSE, + parts=['users', test_user_id, 'projects']) + + a = v3.Password(self.TEST_URL, + username=self.TEST_USER, + password=self.TEST_PASS) + s = session.Session(auth=a) + cs = client.Client(session=s) + + # As a sanity check on the auth_ref, make sure client has the + # proper user id, that it fetches the right project response + self.assertEqual(test_user_id, a.auth_ref.user_id) + t = cs.projects.list(user=a.auth_ref.user_id) + self.assertEqual(2, len(t)) + def test_authenticate_with_username_password_domain_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, domain_id=self.TEST_DOMAIN_ID) s = session.Session(a) - s.get_token() + + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['password'], @@ -184,24 +247,28 @@ def test_authenticate_with_username_password_project_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, - project_id=self.TEST_DOMAIN_ID) + project_id=self.TEST_TENANT_ID) s = session.Session(a) - s.get_token() + + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['password'], 'password': {'user': {'name': self.TEST_USER, 'password': self.TEST_PASS}}}, - 'scope': {'project': {'id': self.TEST_DOMAIN_ID}}}} + 'scope': {'project': {'id': self.TEST_TENANT_ID}}}} self.assertRequestBodyIs(json=req) self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN) - self.assertEqual(s.auth.auth_ref.project_id, self.TEST_DOMAIN_ID) + self.assertEqual(s.auth.auth_ref.project_id, self.TEST_TENANT_ID) def test_authenticate_with_token(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v3.Token(self.TEST_URL, self.TEST_TOKEN) s = session.Session(auth=a) - s.get_token() + + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['token'], @@ -224,7 +291,8 @@ def test_with_expired(self): a.auth_ref = access.AccessInfo.factory(body=d) s = session.Session(auth=a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) self.assertEqual(a.auth_ref['expires_at'], self.TEST_RESPONSE_DICT['token']['expires_at']) @@ -233,15 +301,20 @@ def test_with_domain_and_project_scoping(self): a = v3.Password(self.TEST_URL, username='username', password='password', project_id='project', domain_id='domain') + self.assertRaises(exceptions.AuthorizationFailure, a.get_token, None) + self.assertRaises(exceptions.AuthorizationFailure, + a.get_headers, None) def test_with_trust_id(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, trust_id='trust') s = session.Session(a) - s.get_token() + + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['password'], @@ -257,7 +330,9 @@ def test_with_multiple_mechanisms_factory(self): t = v3.TokenMethod(token='foo') a = v3.Auth(self.TEST_URL, [p, t], trust_id='trust') s = session.Session(a) - s.get_token() + + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['password', 'token'], @@ -276,7 +351,8 @@ def test_with_multiple_mechanisms(self): a = v3.Auth(self.TEST_URL, [p, t], trust_id='trust') s = session.Session(auth=a) - s.get_token() + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) req = {'auth': {'identity': {'methods': ['password', 'token'], @@ -313,7 +389,8 @@ def _do_service_url_test(self, base_url, endpoint_filter): resp = s.get('/path', endpoint_filter=endpoint_filter) self.assertEqual(resp.status_code, 200) - self.assertEqual(self.requests.last_request.url, base_url + '/path') + self.assertEqual(self.requests_mock.last_request.url, + base_url + '/path') def test_service_url(self): endpoint_filter = {'service_type': 'compute', @@ -376,16 +453,20 @@ def test_invalidate_response(self): {'status_code': 200, 'json': self.TEST_RESPONSE_DICT, 'headers': {'X-Subject-Token': 'token2'}}] - self.requests.register_uri('POST', '%s/auth/tokens' % self.TEST_URL, - auth_responses) + self.requests_mock.post('%s/auth/tokens' % self.TEST_URL, + auth_responses) a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS) s = session.Session(auth=a) - self.assertEqual('token1', s.get_token()) + with self.deprecations.expect_deprecations_here(): + self.assertEqual('token1', s.get_token()) + self.assertEqual({'X-Auth-Token': 'token1'}, s.get_auth_headers()) a.invalidate() - self.assertEqual('token2', s.get_token()) + with self.deprecations.expect_deprecations_here(): + self.assertEqual('token2', s.get_token()) + self.assertEqual({'X-Auth-Token': 'token2'}, s.get_auth_headers()) def test_doesnt_log_password(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) @@ -394,6 +475,96 @@ def test_doesnt_log_password(self): a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=password) s = session.Session(a) - self.assertEqual(self.TEST_TOKEN, s.get_token()) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(self.TEST_TOKEN, s.get_token()) + self.assertEqual({'X-Auth-Token': self.TEST_TOKEN}, + s.get_auth_headers()) self.assertNotIn(password, self.logger.output) + + def test_sends_nocatalog(self): + del self.TEST_RESPONSE_DICT['token']['catalog'] + self.stub_auth(json=self.TEST_RESPONSE_DICT) + + a = v3.Password(self.TEST_URL, + username=self.TEST_USER, + password=self.TEST_PASS, + include_catalog=False) + s = session.Session(auth=a) + + s.get_auth_headers() + + auth_url = self.TEST_URL + '/auth/tokens' + self.assertEqual(auth_url, a.token_url) + self.assertEqual(auth_url + '?nocatalog', + self.requests_mock.last_request.url) + + def test_symbols(self): + self.assertIs(v3.AuthMethod, v3_base.AuthMethod) + self.assertIs(v3.AuthConstructor, v3_base.AuthConstructor) + self.assertIs(v3.Auth, v3_base.Auth) + + def test_unscoped_request(self): + token = fixture.V3Token() + self.stub_auth(json=token) + password = uuid.uuid4().hex + + a = v3.Password(self.TEST_URL, + user_id=token.user_id, + password=password, + unscoped=True) + s = session.Session() + + auth_ref = a.get_access(s) + + with self.deprecations.expect_deprecations_here(): + self.assertFalse(auth_ref.scoped) + body = self.requests_mock.last_request.json() + + ident = body['auth']['identity'] + + self.assertEqual(['password'], ident['methods']) + self.assertEqual(token.user_id, ident['password']['user']['id']) + self.assertEqual(password, ident['password']['user']['password']) + + self.assertEqual({}, body['auth']['scope']['unscoped']) + + def test_unscoped_with_scope_data(self): + a = v3.Password(self.TEST_URL, + user_id=uuid.uuid4().hex, + password=uuid.uuid4().hex, + unscoped=True, + project_id=uuid.uuid4().hex) + + s = session.Session() + + self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s) + + @mock.patch('sys.stdin', autospec=True) + def test_prompt_password(self, mock_stdin): + parser = argparse.ArgumentParser() + v3.Password.register_argparse_arguments(parser) + + username = uuid.uuid4().hex + user_domain_id = uuid.uuid4().hex + auth_url = uuid.uuid4().hex + project_id = uuid.uuid4().hex + password = uuid.uuid4().hex + + opts = parser.parse_args(['--os-username', username, + '--os-auth-url', auth_url, + '--os-user-domain-id', user_domain_id, + '--os-project-id', project_id]) + + with mock.patch('getpass.getpass') as mock_getpass: + mock_getpass.return_value = password + mock_stdin.isatty = lambda: True + + plugin = v3.Password.load_from_argparse_arguments(opts) + + self.assertEqual(auth_url, plugin.auth_url) + self.assertEqual(username, plugin.auth_methods[0].username) + self.assertEqual(project_id, plugin.project_id) + self.assertEqual(user_domain_id, + plugin.auth_methods[0].user_domain_id) + self.assertEqual(password, plugin.auth_methods[0].password) diff --git a/keystoneclient/tests/unit/auth/test_identity_v3_federated.py b/keystoneclient/tests/unit/auth/test_identity_v3_federated.py new file mode 100644 index 000000000..7cbb5ab1e --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_identity_v3_federated.py @@ -0,0 +1,99 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import copy +import uuid + +from keystoneauth1 import fixture + +from keystoneclient import access +from keystoneclient.auth.identity import v3 +from keystoneclient import session +from keystoneclient.tests.unit import utils + + +class TesterFederationPlugin(v3.FederatedBaseAuth): + + def get_unscoped_auth_ref(self, sess, **kwargs): + # This would go and talk to an idp or something + resp = sess.post(self.federated_token_url, authenticated=False) + return access.AccessInfo.factory(resp=resp, body=resp.json()) + + +class V3FederatedPlugin(utils.TestCase): + + AUTH_URL = 'http://keystone/v3' + + def setUp(self): + super(V3FederatedPlugin, self).setUp() + + self.deprecations.expect_deprecations() + + self.unscoped_token = fixture.V3Token() + self.unscoped_token_id = uuid.uuid4().hex + self.scoped_token = copy.deepcopy(self.unscoped_token) + self.scoped_token.set_project_scope() + self.scoped_token.methods.append('token') + self.scoped_token_id = uuid.uuid4().hex + + s = self.scoped_token.add_service('compute', name='nova') + s.add_standard_endpoints(public='http://nova/public', + admin='http://nova/admin', + internal='http://nova/internal') + + self.idp = uuid.uuid4().hex + self.protocol = uuid.uuid4().hex + + self.token_url = ('%s/OS-FEDERATION/identity_providers/%s/protocols/%s' + '/auth' % (self.AUTH_URL, self.idp, self.protocol)) + + headers = {'X-Subject-Token': self.unscoped_token_id} + self.unscoped_mock = self.requests_mock.post(self.token_url, + json=self.unscoped_token, + headers=headers) + + headers = {'X-Subject-Token': self.scoped_token_id} + auth_url = self.AUTH_URL + '/auth/tokens' + self.scoped_mock = self.requests_mock.post(auth_url, + json=self.scoped_token, + headers=headers) + + def get_plugin(self, **kwargs): + kwargs.setdefault('auth_url', self.AUTH_URL) + kwargs.setdefault('protocol', self.protocol) + kwargs.setdefault('identity_provider', self.idp) + return TesterFederationPlugin(**kwargs) + + def test_federated_url(self): + plugin = self.get_plugin() + self.assertEqual(self.token_url, plugin.federated_token_url) + + def test_unscoped_behaviour(self): + sess = session.Session(auth=self.get_plugin()) + self.assertEqual(self.unscoped_token_id, sess.get_token()) + + self.assertTrue(self.unscoped_mock.called) + self.assertFalse(self.scoped_mock.called) + + def test_scoped_behaviour(self): + auth = self.get_plugin(project_id=self.scoped_token.project_id) + sess = session.Session(auth=auth) + self.assertEqual(self.scoped_token_id, sess.get_token()) + + self.assertTrue(self.unscoped_mock.called) + self.assertTrue(self.scoped_mock.called) + + def test_options(self): + opts = [o.name for o in v3.FederatedBaseAuth.get_options()] + + self.assertIn('protocol', opts) + self.assertIn('identity-provider', opts) diff --git a/keystoneclient/tests/unit/auth/test_loading.py b/keystoneclient/tests/unit/auth/test_loading.py new file mode 100644 index 000000000..3c2689dd9 --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_loading.py @@ -0,0 +1,46 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + + +from keystoneclient.tests.unit.auth import utils + + +class TestOtherLoading(utils.TestCase): + + def test_loading_getter(self): + + called_opts = [] + + vals = {'a-int': 44, + 'a-bool': False, + 'a-float': 99.99, + 'a-str': 'value'} + + val = uuid.uuid4().hex + + def _getter(opt): + called_opts.append(opt.name) + # return str because oslo.config should convert them back + return str(vals[opt.name]) + + p = utils.MockPlugin.load_from_options_getter(_getter, other=val) + + self.assertEqual(set(vals), set(called_opts)) + + for k, v in vals.items(): + # replace - to _ because it's the dest used to create kwargs + self.assertEqual(v, p[k.replace('-', '_')]) + + # check that additional kwargs get passed through + self.assertEqual(val, p['other']) diff --git a/keystoneclient/tests/unit/auth/test_password.py b/keystoneclient/tests/unit/auth/test_password.py new file mode 100644 index 000000000..93d2fb8ca --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_password.py @@ -0,0 +1,99 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import argparse +from unittest import mock +import uuid + + +from keystoneclient.auth.identity.generic import password +from keystoneclient.auth.identity import v2 +from keystoneclient.auth.identity import v3 +from keystoneclient.auth.identity.v3 import password as v3_password +from keystoneclient.tests.unit.auth import utils + + +class PasswordTests(utils.GenericPluginTestCase): + + PLUGIN_CLASS = password.Password + V2_PLUGIN_CLASS = v2.Password + V3_PLUGIN_CLASS = v3.Password + + def new_plugin(self, **kwargs): + kwargs.setdefault('username', uuid.uuid4().hex) + kwargs.setdefault('password', uuid.uuid4().hex) + return super(PasswordTests, self).new_plugin(**kwargs) + + def test_with_user_domain_params(self): + self.stub_discovery() + + self.assertCreateV3(domain_id=uuid.uuid4().hex, + user_domain_id=uuid.uuid4().hex) + + def test_v3_user_params_v2_url(self): + self.stub_discovery(v3=False) + self.assertDiscoveryFailure(user_domain_id=uuid.uuid4().hex) + + def test_options(self): + opts = [o.name for o in self.PLUGIN_CLASS.get_options()] + + allowed_opts = ['username', + 'user-domain-id', + 'user-domain-name', + 'user-id', + 'password', + + 'domain-id', + 'domain-name', + 'tenant-id', + 'tenant-name', + 'project-id', + 'project-name', + 'project-domain-id', + 'project-domain-name', + 'trust-id', + 'auth-url'] + + self.assertEqual(set(allowed_opts), set(opts)) + self.assertEqual(len(allowed_opts), len(opts)) + + def test_symbols(self): + self.assertIs(v3.Password, v3_password.Password) + self.assertIs(v3.PasswordMethod, v3_password.PasswordMethod) + + @mock.patch('sys.stdin', autospec=True) + def test_prompt_password(self, mock_stdin): + parser = argparse.ArgumentParser() + self.PLUGIN_CLASS.register_argparse_arguments(parser) + + username = uuid.uuid4().hex + user_domain_id = uuid.uuid4().hex + auth_url = uuid.uuid4().hex + project_id = uuid.uuid4().hex + password = uuid.uuid4().hex + + opts = parser.parse_args(['--os-username', username, + '--os-auth-url', auth_url, + '--os-user-domain-id', user_domain_id, + '--os-project-id', project_id]) + + with mock.patch('getpass.getpass') as mock_getpass: + mock_getpass.return_value = password + mock_stdin.isatty = lambda: True + + plugin = self.PLUGIN_CLASS.load_from_argparse_arguments(opts) + + self.assertEqual(auth_url, plugin.auth_url) + self.assertEqual(username, plugin._username) + self.assertEqual(project_id, plugin._project_id) + self.assertEqual(user_domain_id, plugin._user_domain_id) + self.assertEqual(password, plugin._password) diff --git a/keystoneclient/tests/unit/auth/test_token.py b/keystoneclient/tests/unit/auth/test_token.py new file mode 100644 index 000000000..ce4c1cdc6 --- /dev/null +++ b/keystoneclient/tests/unit/auth/test_token.py @@ -0,0 +1,52 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient.auth.identity.generic import token +from keystoneclient.auth.identity import v2 +from keystoneclient.auth.identity import v3 +from keystoneclient.auth.identity.v3 import token as v3_token +from keystoneclient.tests.unit.auth import utils + + +class TokenTests(utils.GenericPluginTestCase): + + PLUGIN_CLASS = token.Token + V2_PLUGIN_CLASS = v2.Token + V3_PLUGIN_CLASS = v3.Token + + def new_plugin(self, **kwargs): + kwargs.setdefault('token', uuid.uuid4().hex) + return super(TokenTests, self).new_plugin(**kwargs) + + def test_options(self): + opts = [o.name for o in self.PLUGIN_CLASS.get_options()] + + allowed_opts = ['token', + 'domain-id', + 'domain-name', + 'tenant-id', + 'tenant-name', + 'project-id', + 'project-name', + 'project-domain-id', + 'project-domain-name', + 'trust-id', + 'auth-url'] + + self.assertEqual(set(allowed_opts), set(opts)) + self.assertEqual(len(allowed_opts), len(opts)) + + def test_symbols(self): + self.assertIs(v3.Token, v3_token.Token) + self.assertIs(v3.TokenMethod, v3_token.TokenMethod) diff --git a/keystoneclient/tests/auth/test_token_endpoint.py b/keystoneclient/tests/unit/auth/test_token_endpoint.py similarity index 65% rename from keystoneclient/tests/auth/test_token_endpoint.py rename to keystoneclient/tests/unit/auth/test_token_endpoint.py index 1f2c01d6a..9a9a1ed90 100644 --- a/keystoneclient/tests/auth/test_token_endpoint.py +++ b/keystoneclient/tests/unit/auth/test_token_endpoint.py @@ -10,9 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. +from testtools import matchers + from keystoneclient.auth import token_endpoint from keystoneclient import session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils class TokenEndpointTest(utils.TestCase): @@ -20,8 +22,12 @@ class TokenEndpointTest(utils.TestCase): TEST_TOKEN = 'aToken' TEST_URL = 'http://server/prefix' + def setUp(self): + super(TokenEndpointTest, self).setUp() + self.deprecations.expect_deprecations() + def test_basic_case(self): - self.requests.register_uri('GET', self.TEST_URL, text='body') + self.requests_mock.get(self.TEST_URL, text='body') a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN) s = session.Session(auth=a) @@ -43,3 +49,19 @@ def test_basic_endpoint_case(self): self.assertEqual(self.TEST_URL, a.get_endpoint(s)) self.assertEqual('body', data.text) self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN) + + def test_token_endpoint_options(self): + opt_names = [opt.name for opt in token_endpoint.Token.get_options()] + + self.assertThat(opt_names, matchers.HasLength(2)) + + self.assertIn('token', opt_names) + self.assertIn('endpoint', opt_names) + + def test_token_endpoint_user_id(self): + a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN) + s = session.Session() + + # we can't know this information about this sort of plugin + self.assertIsNone(a.get_user_id(s)) + self.assertIsNone(a.get_project_id(s)) diff --git a/keystoneclient/tests/unit/auth/utils.py b/keystoneclient/tests/unit/auth/utils.py new file mode 100644 index 000000000..1e346e35c --- /dev/null +++ b/keystoneclient/tests/unit/auth/utils.py @@ -0,0 +1,202 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import functools +from unittest import mock +import uuid + +from keystoneauth1 import fixture +from oslo_config import cfg + +from keystoneclient import access +from keystoneclient.auth import base +from keystoneclient import exceptions +from keystoneclient import session +from keystoneclient.tests.unit import utils + + +class MockPlugin(base.BaseAuthPlugin): + + INT_DESC = 'test int' + FLOAT_DESC = 'test float' + BOOL_DESC = 'test bool' + STR_DESC = 'test str' + STR_DEFAULT = uuid.uuid4().hex + + def __init__(self, **kwargs): + self._data = kwargs + + def __getitem__(self, key): + """Get the data of the key.""" + return self._data[key] + + def get_token(self, *args, **kwargs): + return 'aToken' + + def get_endpoint(self, *args, **kwargs): + return 'http://test' + + @classmethod + def get_options(cls): + return [ + cfg.IntOpt('a-int', default='3', help=cls.INT_DESC), + cfg.BoolOpt('a-bool', help=cls.BOOL_DESC), + cfg.FloatOpt('a-float', help=cls.FLOAT_DESC), + cfg.StrOpt('a-str', help=cls.STR_DESC, default=cls.STR_DEFAULT), + ] + + +class MockManager(object): + + def __init__(self, driver): + self.driver = driver + + +def mock_plugin(f): + @functools.wraps(f) + def inner(*args, **kwargs): + with mock.patch.object(base, 'get_plugin_class') as m: + m.return_value = MockPlugin + args = list(args) + [m] + return f(*args, **kwargs) + + return inner + + +class TestCase(utils.TestCase): + + GROUP = 'auth' + V2PASS = 'v2password' + V3TOKEN = 'v3token' + + a_int = 88 + a_float = 88.8 + a_bool = False + + TEST_VALS = {'a_int': a_int, + 'a_float': a_float, + 'a_bool': a_bool} + + def assertTestVals(self, plugin, vals=TEST_VALS): + for k, v in vals.items(): + self.assertEqual(v, plugin[k]) + + +class GenericPluginTestCase(utils.TestCase): + + TEST_URL = 'http://keystone.host:5000/' + + # OVERRIDE THESE IN SUB CLASSES + PLUGIN_CLASS = None + V2_PLUGIN_CLASS = None + V3_PLUGIN_CLASS = None + + def setUp(self): + super(GenericPluginTestCase, self).setUp() + + self.token_v2 = fixture.V2Token() + self.token_v3 = fixture.V3Token() + self.token_v3_id = uuid.uuid4().hex + + self.deprecations.expect_deprecations() + self.session = session.Session() + + self.stub_url('POST', ['v2.0', 'tokens'], json=self.token_v2) + self.stub_url('POST', ['v3', 'auth', 'tokens'], + headers={'X-Subject-Token': self.token_v3_id}, + json=self.token_v3) + + def new_plugin(self, **kwargs): + kwargs.setdefault('auth_url', self.TEST_URL) + return self.PLUGIN_CLASS(**kwargs) + + def stub_discovery(self, base_url=None, **kwargs): + kwargs.setdefault('href', self.TEST_URL) + disc = fixture.DiscoveryList(**kwargs) + self.stub_url('GET', json=disc, base_url=base_url, status_code=300) + return disc + + def assertCreateV3(self, **kwargs): + auth = self.new_plugin(**kwargs) + auth_ref = auth.get_auth_ref(self.session) + self.assertIsInstance(auth_ref, access.AccessInfoV3) + self.assertEqual(self.TEST_URL + 'v3/auth/tokens', + self.requests_mock.last_request.url) + self.assertIsInstance(auth._plugin, self.V3_PLUGIN_CLASS) + return auth + + def assertCreateV2(self, **kwargs): + auth = self.new_plugin(**kwargs) + auth_ref = auth.get_auth_ref(self.session) + self.assertIsInstance(auth_ref, access.AccessInfoV2) + self.assertEqual(self.TEST_URL + 'v2.0/tokens', + self.requests_mock.last_request.url) + self.assertIsInstance(auth._plugin, self.V2_PLUGIN_CLASS) + return auth + + def assertDiscoveryFailure(self, **kwargs): + plugin = self.new_plugin(**kwargs) + self.assertRaises(exceptions.DiscoveryFailure, + plugin.get_auth_ref, + self.session) + + def test_create_v3_if_domain_params(self): + self.stub_discovery() + + self.assertCreateV3(domain_id=uuid.uuid4().hex) + self.assertCreateV3(domain_name=uuid.uuid4().hex) + self.assertCreateV3(project_name=uuid.uuid4().hex, + project_domain_name=uuid.uuid4().hex) + self.assertCreateV3(project_name=uuid.uuid4().hex, + project_domain_id=uuid.uuid4().hex) + + def test_create_v2_if_no_domain_params(self): + self.stub_discovery() + self.assertCreateV2() + self.assertCreateV2(project_id=uuid.uuid4().hex) + self.assertCreateV2(project_name=uuid.uuid4().hex) + self.assertCreateV2(tenant_id=uuid.uuid4().hex) + self.assertCreateV2(tenant_name=uuid.uuid4().hex) + + def test_v3_params_v2_url(self): + self.stub_discovery(v3=False) + self.assertDiscoveryFailure(domain_name=uuid.uuid4().hex) + + def test_v2_params_v3_url(self): + self.stub_discovery(v2=False) + self.assertCreateV3() + + def test_no_urls(self): + self.stub_discovery(v2=False, v3=False) + self.assertDiscoveryFailure() + + def test_path_based_url_v2(self): + self.stub_url('GET', ['v2.0'], status_code=403) + self.assertCreateV2(auth_url=self.TEST_URL + 'v2.0') + + def test_path_based_url_v3(self): + self.stub_url('GET', ['v3'], status_code=403) + self.assertCreateV3(auth_url=self.TEST_URL + 'v3') + + def test_disc_error_for_failure(self): + self.stub_url('GET', [], status_code=403) + self.assertDiscoveryFailure() + + def test_v3_plugin_from_failure(self): + url = self.TEST_URL + 'v3' + self.stub_url('GET', [], base_url=url, status_code=403) + self.assertCreateV3(auth_url=url) + + def test_unknown_discovery_version(self): + # make a v4 entry that's mostly the same as a v3 + self.stub_discovery(v2=False, v3_id='v4.0') + self.assertDiscoveryFailure() diff --git a/keystoneclient/tests/client_fixtures.py b/keystoneclient/tests/unit/client_fixtures.py similarity index 71% rename from keystoneclient/tests/client_fixtures.py rename to keystoneclient/tests/unit/client_fixtures.py index d58deb2b6..c6c291984 100644 --- a/keystoneclient/tests/client_fixtures.py +++ b/keystoneclient/tests/unit/client_fixtures.py @@ -12,27 +12,198 @@ # License for the specific language governing permissions and limitations # under the License. +import contextlib import os +import uuid +import warnings import fixtures -import six +from keystoneauth1 import fixture +from keystoneauth1 import identity as ksa_identity +from keystoneauth1 import session as ksa_session +from oslo_serialization import jsonutils +from oslo_utils import timeutils import testresources +from keystoneclient.auth import identity as ksc_identity from keystoneclient.common import cms -from keystoneclient.openstack.common import jsonutils -from keystoneclient.openstack.common import timeutils +from keystoneclient import session as ksc_session from keystoneclient import utils +from keystoneclient.v2_0 import client as v2_client +from keystoneclient.v3 import client as v3_client +TEST_ROOT_URL = 'http://127.0.0.1:5000/' + TESTDIR = os.path.dirname(os.path.abspath(__file__)) -ROOTDIR = os.path.normpath(os.path.join(TESTDIR, '..', '..')) +ROOTDIR = os.path.normpath(os.path.join(TESTDIR, '..', '..', '..')) CERTDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'certs') CMSDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'cms') KEYDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'private') +class BaseFixture(fixtures.Fixture): + + TEST_ROOT_URL = TEST_ROOT_URL + + def __init__(self, requests, deprecations): + super(BaseFixture, self).__init__() + self.requests = requests + self.deprecations = deprecations + self.user_id = uuid.uuid4().hex + self.client = self.new_client() + + +class BaseV2(BaseFixture): + + TEST_URL = '%s%s' % (TEST_ROOT_URL, 'v2.0') + + +class OriginalV2(BaseV2): + + def new_client(self): + # Creating a Client not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + return v2_client.Client(username=uuid.uuid4().hex, + user_id=self.user_id, + token=uuid.uuid4().hex, + tenant_name=uuid.uuid4().hex, + auth_url=self.TEST_URL, + endpoint=self.TEST_URL) + + +class KscSessionV2(BaseV2): + + def new_client(self): + t = fixture.V2Token(user_id=self.user_id) + t.set_scope() + + s = t.add_service('identity') + s.add_endpoint(self.TEST_URL) + + d = fixture.V2Discovery(self.TEST_URL) + + self.requests.register_uri('POST', self.TEST_URL + '/tokens', json=t) + + # NOTE(jamielennox): Because of the versioned URL hack here even though + # the V2 URL will be in the service catalog it will be the root URL + # that will be queried for discovery. + self.requests.register_uri('GET', self.TEST_ROOT_URL, + json={'version': d}) + + with self.deprecations.expect_deprecations_here(): + a = ksc_identity.V2Password(username=uuid.uuid4().hex, + password=uuid.uuid4().hex, + auth_url=self.TEST_URL) + + s = ksc_session.Session(auth=a) + + return v2_client.Client(session=s) + + +class KsaSessionV2(BaseV2): + + def new_client(self): + t = fixture.V2Token(user_id=self.user_id) + t.set_scope() + + s = t.add_service('identity') + s.add_endpoint(self.TEST_URL) + + d = fixture.V2Discovery(self.TEST_URL) + + self.requests.register_uri('POST', self.TEST_URL + '/tokens', json=t) + + # NOTE(jamielennox): Because of the versioned URL hack here even though + # the V2 URL will be in the service catalog it will be the root URL + # that will be queried for discovery. + self.requests.register_uri('GET', self.TEST_ROOT_URL, + json={'version': d}) + + a = ksa_identity.V2Password(username=uuid.uuid4().hex, + password=uuid.uuid4().hex, + auth_url=self.TEST_URL) + s = ksa_session.Session(auth=a) + return v2_client.Client(session=s) + + +class BaseV3(BaseFixture): + + TEST_URL = '%s%s' % (TEST_ROOT_URL, 'v3') + + +class OriginalV3(BaseV3): + + def new_client(self): + # Creating a Client not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + return v3_client.Client(username=uuid.uuid4().hex, + user_id=self.user_id, + token=uuid.uuid4().hex, + tenant_name=uuid.uuid4().hex, + auth_url=self.TEST_URL, + endpoint=self.TEST_URL) + + +class KscSessionV3(BaseV3): + + def new_client(self): + t = fixture.V3Token(user_id=self.user_id) + t.set_project_scope() + + s = t.add_service('identity') + s.add_standard_endpoints(public=self.TEST_URL, + admin=self.TEST_URL) + + d = fixture.V3Discovery(self.TEST_URL) + + headers = {'X-Subject-Token': uuid.uuid4().hex} + self.requests.register_uri('POST', + self.TEST_URL + '/auth/tokens', + headers=headers, + json=t) + self.requests.register_uri('GET', self.TEST_URL, json={'version': d}) + + with self.deprecations.expect_deprecations_here(): + a = ksc_identity.V3Password(username=uuid.uuid4().hex, + password=uuid.uuid4().hex, + user_domain_id=uuid.uuid4().hex, + auth_url=self.TEST_URL) + + s = ksc_session.Session(auth=a) + + return v3_client.Client(session=s) + + +class KsaSessionV3(BaseV3): + + def new_client(self): + t = fixture.V3Token(user_id=self.user_id) + t.set_project_scope() + + s = t.add_service('identity') + s.add_standard_endpoints(public=self.TEST_URL, + admin=self.TEST_URL) + + d = fixture.V3Discovery(self.TEST_URL) + + headers = {'X-Subject-Token': uuid.uuid4().hex} + self.requests.register_uri('POST', + self.TEST_URL + '/auth/tokens', + headers=headers, + json=t) + self.requests.register_uri('GET', self.TEST_URL, json={'version': d}) + + a = ksa_identity.V3Password(username=uuid.uuid4().hex, + password=uuid.uuid4().hex, + user_domain_id=uuid.uuid4().hex, + auth_url=self.TEST_URL) + s = ksa_session.Session(auth=a) + return v3_client.Client(session=s) + + def _hash_signed_token_safe(signed_text, **kwargs): - if isinstance(signed_text, six.text_type): + if isinstance(signed_text, str): signed_text = signed_text.encode('utf-8') return utils.hash_signed_token(signed_text, **kwargs) @@ -127,7 +298,7 @@ def setUp(self): self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2' revoked_token = self.REVOKED_TOKEN - if isinstance(revoked_token, six.text_type): + if isinstance(revoked_token, str): revoked_token = revoked_token.encode('utf-8') self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token) self.REVOKED_TOKEN_HASH_SHA256 = utils.hash_signed_token(revoked_token, @@ -138,7 +309,7 @@ def setUp(self): self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST) revoked_v3_token = self.REVOKED_v3_TOKEN - if isinstance(revoked_v3_token, six.text_type): + if isinstance(revoked_v3_token, str): revoked_v3_token = revoked_v3_token.encode('utf-8') self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token) hash = utils.hash_signed_token(revoked_v3_token, mode='sha256') @@ -150,12 +321,12 @@ def setUp(self): self.REVOKED_v3_TOKEN_LIST) revoked_token_pkiz = self.REVOKED_TOKEN_PKIZ - if isinstance(revoked_token_pkiz, six.text_type): + if isinstance(revoked_token_pkiz, str): revoked_token_pkiz = revoked_token_pkiz.encode('utf-8') self.REVOKED_TOKEN_PKIZ_HASH = utils.hash_signed_token( revoked_token_pkiz) revoked_v3_token_pkiz = self.REVOKED_v3_TOKEN_PKIZ - if isinstance(revoked_v3_token_pkiz, six.text_type): + if isinstance(revoked_v3_token_pkiz, str): revoked_v3_token_pkiz = revoked_v3_token_pkiz.encode('utf-8') self.REVOKED_v3_PKIZ_TOKEN_HASH = utils.hash_signed_token( revoked_v3_token_pkiz) @@ -227,7 +398,7 @@ def setUp(self): 'access': { 'token': { 'id': self.UUID_TOKEN_DEFAULT, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', @@ -248,7 +419,7 @@ def setUp(self): 'access': { 'token': { 'id': self.VALID_DIABLO_TOKEN, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', 'tenantId': 'tenant_id1', }, 'user': { @@ -265,7 +436,7 @@ def setUp(self): 'access': { 'token': { 'id': self.UUID_TOKEN_UNSCOPED, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', @@ -281,7 +452,7 @@ def setUp(self): 'access': { 'token': { 'id': 'valid-token', - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', @@ -302,7 +473,7 @@ def setUp(self): 'token': { 'bind': {'kerberos': self.KERBEROS_BIND}, 'id': self.UUID_TOKEN_BIND, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', @@ -324,7 +495,7 @@ def setUp(self): 'token': { 'bind': {'FOO': 'BAR'}, 'id': self.UUID_TOKEN_UNKNOWN_BIND, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', @@ -343,7 +514,7 @@ def setUp(self): }, self.v3_UUID_TOKEN_DEFAULT: { 'token': { - 'expires_at': '2020-01-01T00:00:10.000123Z', + 'expires_at': '2999-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', @@ -370,7 +541,7 @@ def setUp(self): }, self.v3_UUID_TOKEN_UNSCOPED: { 'token': { - 'expires_at': '2020-01-01T00:00:10.000123Z', + 'expires_at': '2999-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', @@ -384,7 +555,7 @@ def setUp(self): }, self.v3_UUID_TOKEN_DOMAIN_SCOPED: { 'token': { - 'expires_at': '2020-01-01T00:00:10.000123Z', + 'expires_at': '2999-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', @@ -409,7 +580,7 @@ def setUp(self): 'access': { 'token': { 'id': self.SIGNED_TOKEN_SCOPED_KEY, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', @@ -427,7 +598,7 @@ def setUp(self): 'access': { 'token': { 'id': self.SIGNED_TOKEN_UNSCOPED_KEY, - 'expires': '2020-01-01T00:00:10.000123Z', + 'expires': '2999-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', @@ -441,7 +612,7 @@ def setUp(self): }, self.SIGNED_v3_TOKEN_SCOPED_KEY: { 'token': { - 'expires_at': '2020-01-01T00:00:10.000123Z', + 'expires_at': '2999-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', @@ -470,7 +641,7 @@ def setUp(self): 'token': { 'bind': {'kerberos': self.KERBEROS_BIND}, 'methods': ['password'], - 'expires_at': '2020-01-01T00:00:10.000123Z', + 'expires_at': '2999-01-01T00:00:10.000123Z', 'user': { 'id': 'user_id1', 'name': 'user_name1', @@ -497,7 +668,7 @@ def setUp(self): self.v3_UUID_TOKEN_UNKNOWN_BIND: { 'token': { 'bind': {'FOO': 'BAR'}, - 'expires_at': '2020-01-01T00:00:10.000123Z', + 'expires_at': '2999-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', @@ -531,7 +702,42 @@ def setUp(self): self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY]) self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in - six.iteritems(self.TOKEN_RESPONSES)]) + self.TOKEN_RESPONSES.items()]) EXAMPLES_RESOURCE = testresources.FixtureResource(Examples()) + + +class Deprecations(fixtures.Fixture): + def setUp(self): + super(Deprecations, self).setUp() + + # If keystoneclient calls any deprecated function this will raise an + # exception. + warnings.filterwarnings('error', category=DeprecationWarning, + module='^keystoneclient\\.') + warnings.filterwarnings('ignore', category=DeprecationWarning, + module='^debtcollector\\.') + self.addCleanup(warnings.resetwarnings) + + def expect_deprecations(self): + """Call this if the test expects to call deprecated function.""" + warnings.resetwarnings() + warnings.filterwarnings('ignore', category=DeprecationWarning, + module='^keystoneclient\\.') + warnings.filterwarnings('ignore', category=DeprecationWarning, + module='^debtcollector\\.') + + @contextlib.contextmanager + def expect_deprecations_here(self): + warnings.resetwarnings() + warnings.filterwarnings('ignore', category=DeprecationWarning, + module='^keystoneclient\\.') + warnings.filterwarnings('ignore', category=DeprecationWarning, + module='^debtcollector\\.') + yield + warnings.resetwarnings() + warnings.filterwarnings('error', category=DeprecationWarning, + module='^keystoneclient\\.') + warnings.filterwarnings('ignore', category=DeprecationWarning, + module='^debtcollector\\.') diff --git a/keystoneclient/openstack/common/apiclient/__init__.py b/keystoneclient/tests/unit/generic/__init__.py similarity index 100% rename from keystoneclient/openstack/common/apiclient/__init__.py rename to keystoneclient/tests/unit/generic/__init__.py diff --git a/keystoneclient/tests/generic/test_client.py b/keystoneclient/tests/unit/generic/test_client.py similarity index 81% rename from keystoneclient/tests/generic/test_client.py rename to keystoneclient/tests/unit/generic/test_client.py index fc5816ba9..5c27b6eb9 100644 --- a/keystoneclient/tests/generic/test_client.py +++ b/keystoneclient/tests/unit/generic/test_client.py @@ -13,15 +13,17 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_serialization import jsonutils + from keystoneclient.generic import client -from keystoneclient.openstack.common import jsonutils -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils BASE_HOST = 'http://keystone.example.com' BASE_URL = "%s:5000/" % BASE_HOST V2_URL = "%sv2.0" % BASE_URL -EXTENSION_NAMESPACE = "http://docs.openstack.org/identity/api/ext/OS-FAKE/v1.0" +EXTENSION_NAMESPACE = ("https://docs.openstack.org/identity/api/ext/OS-FAKE/" + "v1.0") EXTENSION_DESCRIBED = {"href": "https://github.com/openstack/identity-api", "rel": "describedby", "type": "text/html"} @@ -55,9 +57,11 @@ def _create_extension_list(extensions): class ClientDiscoveryTests(utils.TestCase): def test_discover_extensions_v2(self): - self.requests.register_uri('GET', "%s/extensions" % V2_URL, - text=EXTENSION_LIST) - extensions = client.Client().discover_extensions(url=V2_URL) + self.requests_mock.get("%s/extensions" % V2_URL, text=EXTENSION_LIST) + # Creating a HTTPClient not using session is deprecated. + # creating a generic client at all is deprecated. + with self.deprecations.expect_deprecations_here(): + extensions = client.Client().discover_extensions(url=V2_URL) self.assertIn(EXTENSION_ALIAS_FOO, extensions) self.assertEqual(extensions[EXTENSION_ALIAS_FOO], EXTENSION_NAME_FOO) self.assertIn(EXTENSION_ALIAS_BAR, extensions) diff --git a/keystoneclient/tests/unit/test_base.py b/keystoneclient/tests/unit/test_base.py new file mode 100644 index 000000000..ca57dc469 --- /dev/null +++ b/keystoneclient/tests/unit/test_base.py @@ -0,0 +1,425 @@ +# -*- coding: utf-8 -*- +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +import fixtures +from keystoneauth1.identity import v2 +from keystoneauth1 import session +import requests + +from keystoneclient import base +from keystoneclient import exceptions +from keystoneclient.tests.unit import utils +from keystoneclient import utils as base_utils +from keystoneclient.v2_0 import client +from keystoneclient.v2_0 import roles +from keystoneclient.v3 import users + +TEST_REQUEST_ID = uuid.uuid4().hex +TEST_REQUEST_ID_1 = uuid.uuid4().hex + + +def create_response_with_request_id_header(): + resp = requests.Response() + resp.headers['x-openstack-request-id'] = TEST_REQUEST_ID + return resp + + +class HumanReadable(base.Resource): + HUMAN_ID = True + + +class BaseTest(utils.TestCase): + + def test_resource_repr(self): + r = base.Resource(None, dict(foo="bar", baz="spam")) + self.assertEqual(repr(r), "") + + def test_getid(self): + self.assertEqual(base.getid(4), 4) + + class TmpObject(object): + id = 4 + self.assertEqual(base.getid(TmpObject), 4) + + def test_resource_lazy_getattr(self): + auth = v2.Token(token=self.TEST_TOKEN, + auth_url='http://127.0.0.1:5000') + session_ = session.Session(auth=auth) + self.client = client.Client(session=session_) + + self.useFixture(fixtures.MockPatchObject( + self.client._adapter, 'get', side_effect=AttributeError, + autospec=True)) + + f = roles.Role(self.client.roles, {'id': 1, 'name': 'Member'}) + self.assertEqual(f.name, 'Member') + + # Missing stuff still fails after a second get + self.assertRaises(AttributeError, getattr, f, 'blahblah') + + def test_eq(self): + # Two resources with same ID: never equal if their info is not equal + r1 = base.Resource(None, {'id': 1, 'name': 'hi'}) + r2 = base.Resource(None, {'id': 1, 'name': 'hello'}) + self.assertNotEqual(r1, r2) + self.assertTrue(r1 != r2) + + # Two resources with same ID: equal if their info is equal + # The truth of r1==r2 does not imply that r1!=r2 is false in PY2. + # Test that inequality operator is defined and that comparing equal + # items returns False + r1 = base.Resource(None, {'id': 1, 'name': 'hello'}) + r2 = base.Resource(None, {'id': 1, 'name': 'hello'}) + self.assertTrue(r1 == r2) + self.assertFalse(r1 != r2) + + # Two resources of different types: never equal + r1 = base.Resource(None, {'id': 1}) + r2 = roles.Role(None, {'id': 1}) + self.assertNotEqual(r1, r2) + self.assertTrue(r1 != r2) + + # Two resources with no ID: equal if their info is equal + # The truth of r1==r2 does not imply that r1!=r2 is false in PY2. + # Test that inequality operator is defined and that comparing equal + # items returns False. + r1 = base.Resource(None, {'name': 'joe', 'age': 12}) + r2 = base.Resource(None, {'name': 'joe', 'age': 12}) + self.assertTrue(r1 == r2) + self.assertFalse(r1 != r2) + + r1 = base.Resource(None, {'id': 1}) + self.assertNotEqual(r1, object()) + self.assertTrue(r1 != object()) + self.assertNotEqual(r1, {'id': 1}) + self.assertTrue(r1 != {'id': 1}) + + def test_human_id(self): + r = base.Resource(None, {"name": "1 of !"}) + self.assertIsNone(r.human_id) + r = HumanReadable(None, {"name": "1 of !"}) + self.assertEqual(r.human_id, "1-of") + + def test_non_ascii_attr(self): + r_dict = {"name": "foobar", + u"тест": "1234", + u"тест2": u"привет мир"} + + r = base.Resource(None, r_dict) + self.assertEqual(r.name, "foobar") + self.assertEqual(r.to_dict(), r_dict) + + +class ManagerTest(utils.TestCase): + body = {"hello": {"hi": 1}} + url = "/test-url" + + def setUp(self): + super(ManagerTest, self).setUp() + + auth = v2.Token(auth_url='http://127.0.0.1:5000', + token=self.TEST_TOKEN) + session_ = session.Session(auth=auth) + self.client = client.Client(session=session_)._adapter + + self.mgr = base.Manager(self.client) + self.mgr.resource_class = base.Resource + + def test_api(self): + with self.deprecations.expect_deprecations_here(): + self.assertEqual(self.mgr.api, self.client) + + def test_get(self): + get_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'get', autospec=True, return_value=(None, self.body)) + ).mock + rsrc = self.mgr._get(self.url, "hello") + get_mock.assert_called_once_with(self.url) + self.assertEqual(rsrc.hi, 1) + + def test_post(self): + post_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'post', autospec=True, return_value=(None, self.body)) + ).mock + + rsrc = self.mgr._post(self.url, self.body, "hello") + post_mock.assert_called_once_with(self.url, body=self.body) + self.assertEqual(rsrc.hi, 1) + + post_mock.reset_mock() + + rsrc = self.mgr._post(self.url, self.body, "hello", return_raw=True) + post_mock.assert_called_once_with(self.url, body=self.body) + self.assertEqual(rsrc["hi"], 1) + + def test_put(self): + put_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'put', autospec=True, return_value=(None, self.body)) + ).mock + + rsrc = self.mgr._put(self.url, self.body, "hello") + put_mock.assert_called_once_with(self.url, body=self.body) + self.assertEqual(rsrc.hi, 1) + + put_mock.reset_mock() + + rsrc = self.mgr._put(self.url, self.body) + put_mock.assert_called_once_with(self.url, body=self.body) + self.assertEqual(rsrc.hello["hi"], 1) + + def test_patch(self): + patch_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'patch', autospec=True, + return_value=(None, self.body)) + ).mock + + rsrc = self.mgr._patch(self.url, self.body, "hello") + patch_mock.assert_called_once_with(self.url, body=self.body) + self.assertEqual(rsrc.hi, 1) + + patch_mock.reset_mock() + + rsrc = self.mgr._patch(self.url, self.body) + patch_mock.assert_called_once_with(self.url, body=self.body) + self.assertEqual(rsrc.hello["hi"], 1) + + def test_update(self): + patch_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'patch', autospec=True, + return_value=(None, self.body)) + ).mock + + put_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'put', autospec=True, return_value=(None, self.body)) + ).mock + + rsrc = self.mgr._update( + self.url, body=self.body, response_key="hello", method="PATCH", + management=False) + patch_mock.assert_called_once_with( + self.url, management=False, body=self.body) + self.assertEqual(rsrc.hi, 1) + + rsrc = self.mgr._update( + self.url, body=None, response_key="hello", method="PUT", + management=True) + put_mock.assert_called_once_with(self.url, management=True, body=None) + self.assertEqual(rsrc.hi, 1) + + +class ManagerRequestIdTest(utils.TestCase): + url = "/test-url" + resp = create_response_with_request_id_header() + + def setUp(self): + super(ManagerRequestIdTest, self).setUp() + + auth = v2.Token(auth_url='http://127.0.0.1:5000', + token=self.TEST_TOKEN) + session_ = session.Session(auth=auth) + self.client = client.Client(session=session_, + include_metadata='True')._adapter + + self.mgr = base.Manager(self.client) + self.mgr.resource_class = base.Resource + + def mock_request_method(self, request_method, body): + return self.useFixture(fixtures.MockPatchObject( + self.client, request_method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get(self): + body = {"hello": {"hi": 1}} + get_mock = self.mock_request_method('get', body) + rsrc = self.mgr._get(self.url, "hello") + get_mock.assert_called_once_with(self.url) + self.assertEqual(rsrc.data.hi, 1) + self.assertEqual(rsrc.request_ids[0], TEST_REQUEST_ID) + + def test_list(self): + body = {"hello": [{"name": "admin"}, {"name": "admin"}]} + get_mock = self.mock_request_method('get', body) + + returned_list = self.mgr._list(self.url, "hello") + self.assertEqual(returned_list.request_ids[0], TEST_REQUEST_ID) + get_mock.assert_called_once_with(self.url) + + def test_list_with_multiple_response_objects(self): + body = {"hello": [{"name": "admin"}, {"name": "admin"}]} + resp_1 = requests.Response() + resp_1.headers['x-openstack-request-id'] = TEST_REQUEST_ID + resp_2 = requests.Response() + resp_2.headers['x-openstack-request-id'] = TEST_REQUEST_ID_1 + + resp_result = [resp_1, resp_2] + get_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'get', autospec=True, + return_value=(resp_result, body)) + ).mock + + returned_list = self.mgr._list(self.url, "hello") + self.assertIn(returned_list.request_ids[0], [ + TEST_REQUEST_ID, TEST_REQUEST_ID_1]) + self.assertIn(returned_list.request_ids[1], [ + TEST_REQUEST_ID, TEST_REQUEST_ID_1]) + get_mock.assert_called_once_with(self.url) + + def test_post(self): + body = {"hello": {"hi": 1}} + post_mock = self.mock_request_method('post', body) + rsrc = self.mgr._post(self.url, body, "hello") + post_mock.assert_called_once_with(self.url, body=body) + self.assertEqual(rsrc.data.hi, 1) + + post_mock.reset_mock() + + rsrc = self.mgr._post(self.url, body, "hello", return_raw=True) + post_mock.assert_called_once_with(self.url, body=body) + self.assertNotIsInstance(rsrc, base.Response) + self.assertEqual(rsrc["hi"], 1) + + def test_put(self): + body = {"hello": {"hi": 1}} + put_mock = self.mock_request_method('put', body) + rsrc = self.mgr._put(self.url, body, "hello") + put_mock.assert_called_once_with(self.url, body=body) + self.assertEqual(rsrc.data.hi, 1) + + put_mock.reset_mock() + + rsrc = self.mgr._put(self.url, body) + put_mock.assert_called_once_with(self.url, body=body) + self.assertEqual(rsrc.data.hello["hi"], 1) + self.assertEqual(rsrc.request_ids[0], TEST_REQUEST_ID) + + def test_head(self): + get_mock = self.mock_request_method('head', None) + rsrc = self.mgr._head(self.url) + get_mock.assert_called_once_with(self.url) + self.assertFalse(rsrc.data) + self.assertEqual(rsrc.request_ids[0], TEST_REQUEST_ID) + + def test_delete(self): + delete_mock = self.mock_request_method('delete', None) + resp, base_resp = self.mgr._delete(self.url, name="hello") + + delete_mock.assert_called_once_with('/test-url', name='hello') + self.assertEqual(base_resp.request_ids[0], TEST_REQUEST_ID) + self.assertEqual(base_resp.data, None) + self.assertIsInstance(resp, requests.Response) + + def test_patch(self): + body = {"hello": {"hi": 1}} + patch_mock = self.mock_request_method('patch', body) + rsrc = self.mgr._patch(self.url, body, "hello") + patch_mock.assert_called_once_with(self.url, body=body) + self.assertEqual(rsrc.data.hi, 1) + + patch_mock.reset_mock() + + rsrc = self.mgr._patch(self.url, body) + patch_mock.assert_called_once_with(self.url, body=body) + self.assertEqual(rsrc.data.hello["hi"], 1) + self.assertEqual(rsrc.request_ids[0], TEST_REQUEST_ID) + + def test_update(self): + body = {"hello": {"hi": 1}} + patch_mock = self.mock_request_method('patch', body) + put_mock = self.mock_request_method('put', body) + + rsrc = self.mgr._update( + self.url, body=body, response_key="hello", method="PATCH", + management=False) + patch_mock.assert_called_once_with( + self.url, management=False, body=body) + self.assertEqual(rsrc.data.hi, 1) + + rsrc = self.mgr._update( + self.url, body=None, response_key="hello", method="PUT", + management=True) + put_mock.assert_called_once_with(self.url, management=True, body=None) + self.assertEqual(rsrc.data.hi, 1) + self.assertEqual(rsrc.request_ids[0], TEST_REQUEST_ID) + + +class ManagerWithFindRequestIdTest(utils.TestCase): + url = "/fakes" + resp = create_response_with_request_id_header() + + def setUp(self): + super(ManagerWithFindRequestIdTest, self).setUp() + + auth = v2.Token(auth_url='http://127.0.0.1:5000', + token=self.TEST_TOKEN) + session_ = session.Session(auth=auth) + self.client = client.Client(session=session_, + include_metadata='True')._adapter + + def test_find_resource(self): + body = {"roles": [{"name": 'entity_one'}, {"name": 'entity_one_1'}]} + request_resp = requests.Response() + request_resp.headers['x-openstack-request-id'] = TEST_REQUEST_ID + + get_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'get', autospec=True, + side_effect=[exceptions.NotFound, (request_resp, body)]) + ).mock + + mgr = roles.RoleManager(self.client) + mgr.resource_class = roles.Role + response = base_utils.find_resource(mgr, 'entity_one') + get_mock.assert_called_with('/OS-KSADM/roles') + self.assertEqual(response.request_ids[0], TEST_REQUEST_ID) + + +class CrudManagerRequestIdTest(utils.TestCase): + resp = create_response_with_request_id_header() + request_resp = requests.Response() + request_resp.headers['x-openstack-request-id'] = TEST_REQUEST_ID + + def setUp(self): + super(CrudManagerRequestIdTest, self).setUp() + + auth = v2.Token(auth_url='http://127.0.0.1:5000', + token=self.TEST_TOKEN) + session_ = session.Session(auth=auth) + self.client = client.Client(session=session_, + include_metadata='True')._adapter + + def test_find_resource(self): + body = {"users": [{"name": 'entity_one'}]} + get_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'get', autospec=True, + side_effect=[exceptions.NotFound, (self.request_resp, body)]) + ).mock + mgr = users.UserManager(self.client) + mgr.resource_class = users.User + response = base_utils.find_resource(mgr, 'entity_one') + get_mock.assert_called_with('/users?name=entity_one') + self.assertEqual(response.request_ids[0], TEST_REQUEST_ID) + + def test_list(self): + body = {"users": [{"name": "admin"}, {"name": "admin"}]} + + get_mock = self.useFixture(fixtures.MockPatchObject( + self.client, 'get', autospec=True, + return_value=(self.request_resp, body)) + ).mock + mgr = users.UserManager(self.client) + mgr.resource_class = users.User + returned_list = mgr.list() + self.assertEqual(returned_list.request_ids[0], TEST_REQUEST_ID) + get_mock.assert_called_once_with('/users?') diff --git a/keystoneclient/tests/test_cms.py b/keystoneclient/tests/unit/test_cms.py similarity index 68% rename from keystoneclient/tests/test_cms.py rename to keystoneclient/tests/unit/test_cms.py index 8cef98772..2671bcb49 100644 --- a/keystoneclient/tests/test_cms.py +++ b/keystoneclient/tests/unit/test_cms.py @@ -13,23 +13,39 @@ import errno import os import subprocess +from unittest import mock -import mock import testresources from testtools import matchers from keystoneclient.common import cms from keystoneclient import exceptions -from keystoneclient.tests import client_fixtures -from keystoneclient.tests import utils +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit import utils class CMSTest(utils.TestCase, testresources.ResourcedTestCase): - """Unit tests for the keystoneclient.common.cms module.""" resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] + def __init__(self, *args, **kwargs): + super(CMSTest, self).__init__(*args, **kwargs) + process = subprocess.Popen(['openssl', 'version'], + stdout=subprocess.PIPE) + out, err = process.communicate() + # Example output: 'OpenSSL 0.9.8za 5 Jun 2014' + openssl_version = out.split()[1] + + if err or openssl_version.startswith(b'0'): + raise Exception('Your version of OpenSSL is not supported. ' + 'You will need to update it to 1.0 or later.') + + def _raise_OSError(*args): + e = OSError() + e.errno = errno.EPIPE + raise e + def test_cms_verify(self): self.assertRaises(exceptions.CertificateConfigError, cms.cms_verify, @@ -78,12 +94,8 @@ def test_cms_verify_token_no_files(self): '/no/such/file', '/no/such/key') def test_cms_verify_token_no_oserror(self): - def raise_OSError(*args): - e = OSError() - e.errno = errno.EPIPE - raise e - - with mock.patch('subprocess.Popen.communicate', new=raise_OSError): + with mock.patch('subprocess.Popen.communicate', + new=self._raise_OSError): try: cms.cms_verify("x", '/no/such/file', '/no/such/key') except exceptions.CertificateConfigError as e: @@ -143,6 +155,47 @@ def test_cms_hash_token_sha256(self): # sha256 hash is 64 chars. self.assertThat(token_id, matchers.HasLength(64)) + @mock.patch('keystoneclient.common.cms._check_files_accessible') + def test_process_communicate_handle_oserror_epipe(self, files_acc_mock): + process_mock = mock.Mock() + process_mock.communicate = self._raise_OSError + process_mock.stderr = mock.Mock() + process_mock.stderr.read = mock.Mock(return_value='proc stderr') + files_acc_mock.return_value = 1, ('file_path', 'fileerror') + output, err, retcode = cms._process_communicate_handle_oserror( + process_mock, '', []) + + self.assertEqual((output, retcode), ('', 1)) + self.assertIn('file_path', err) + self.assertIn('fileerror', err) + self.assertIn('proc stderr', err) + + @mock.patch('keystoneclient.common.cms._check_files_accessible') + def test_process_communicate_handle_oserror_epipe_files_ok( + self, files_acc_mock): + process_mock = mock.Mock() + process_mock.communicate = self._raise_OSError + process_mock.stderr = mock.Mock() + process_mock.stderr.read = mock.Mock(return_value='proc stderr') + files_acc_mock.return_value = -1, None + output, err, retcode = cms._process_communicate_handle_oserror( + process_mock, '', []) + + self.assertEqual((output, retcode), ('', -1)) + self.assertIn('proc stderr', err) + + def test_process_communicate_handle_oserror_no_exception(self): + process_mock = mock.Mock() + process_mock.communicate.return_value = 'out', 'err' + process_mock.poll.return_value = 0 + + output, err, retcode = cms._process_communicate_handle_oserror( + process_mock, '', []) + + self.assertEqual(output, 'out') + self.assertEqual(err, 'err') + self.assertEqual(retcode, 0) + def load_tests(loader, tests, pattern): return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/test_discovery.py b/keystoneclient/tests/unit/test_discovery.py similarity index 73% rename from keystoneclient/tests/test_discovery.py rename to keystoneclient/tests/unit/test_discovery.py index 10f1c2f21..57c7002cc 100644 --- a/keystoneclient/tests/test_discovery.py +++ b/keystoneclient/tests/unit/test_discovery.py @@ -10,9 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. +import re import uuid -import six +from keystoneauth1 import fixture +from oslo_serialization import jsonutils from testtools import matchers from keystoneclient import _discover @@ -20,10 +22,8 @@ from keystoneclient import client from keystoneclient import discover from keystoneclient import exceptions -from keystoneclient import fixture -from keystoneclient.openstack.common import jsonutils from keystoneclient import session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils from keystoneclient.v2_0 import client as v2_client from keystoneclient.v3 import client as v3_client @@ -86,7 +86,7 @@ V2_AUTH_RESPONSE = jsonutils.dumps({ "access": { "token": { - "expires": "2020-01-01T00:00:10.000123Z", + "expires": "2999-01-01T00:00:10.000123Z", "id": 'fakeToken', "tenant": { "id": '1' @@ -104,7 +104,7 @@ V3_MEDIA_TYPES = V3_VERSION.media_types V3_VERSION.updated_str = UPDATED -V3_TOKEN = six.u('3e2813b7ba0b4006840c3825860b86ed'), +V3_TOKEN = ('3e2813b7ba0b4006840c3825860b86ed',) V3_AUTH_RESPONSE = jsonutils.dumps({ "token": { "methods": [ @@ -112,7 +112,7 @@ "password" ], - "expires_at": "2020-01-01T00:00:10.000123Z", + "expires_at": "2999-01-01T00:00:10.000123Z", "project": { "domain": { "id": '1', @@ -233,15 +233,19 @@ def _create_single_version(version): class AvailableVersionsTests(utils.TestCase): + def setUp(self): + super(AvailableVersionsTests, self).setUp() + self.deprecations.expect_deprecations() + def test_available_versions_basics(self): examples = {'keystone': V3_VERSION_LIST, 'cinder': jsonutils.dumps(CINDER_EXAMPLES), 'glance': jsonutils.dumps(GLANCE_EXAMPLES)} - for path, text in six.iteritems(examples): + for path, text in examples.items(): url = "%s%s" % (BASE_URL, path) - self.requests.register_uri('GET', url, status_code=300, text=text) + self.requests_mock.get(url, status_code=300, text=text) versions = discover.available_versions(url) for v in versions: @@ -251,8 +255,7 @@ def test_available_versions_basics(self): matchers.Contains(n))) def test_available_versions_individual(self): - self.requests.register_uri('GET', V3_URL, status_code=200, - text=V3_VERSION_ENTRY) + self.requests_mock.get(V3_URL, status_code=200, text=V3_VERSION_ENTRY) versions = discover.available_versions(V3_URL) @@ -263,8 +266,7 @@ def test_available_versions_individual(self): self.assertIn('links', v) def test_available_keystone_data(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) versions = discover.available_versions(BASE_URL) self.assertEqual(2, len(versions)) @@ -279,7 +281,7 @@ def test_available_keystone_data(self): def test_available_cinder_data(self): text = jsonutils.dumps(CINDER_EXAMPLES) - self.requests.register_uri('GET', BASE_URL, status_code=300, text=text) + self.requests_mock.get(BASE_URL, status_code=300, text=text) versions = discover.available_versions(BASE_URL) self.assertEqual(2, len(versions)) @@ -295,7 +297,7 @@ def test_available_cinder_data(self): def test_available_glance_data(self): text = jsonutils.dumps(GLANCE_EXAMPLES) - self.requests.register_uri('GET', BASE_URL, status_code=200, text=text) + self.requests_mock.get(BASE_URL, status_code=200, text=text) versions = discover.available_versions(BASE_URL) self.assertEqual(5, len(versions)) @@ -311,11 +313,14 @@ def test_available_glance_data(self): class ClientDiscoveryTests(utils.TestCase): + def setUp(self): + super(ClientDiscoveryTests, self).setUp() + self.deprecations.expect_deprecations() + def assertCreatesV3(self, **kwargs): - self.requests.register_uri('POST', - '%s/auth/tokens' % V3_URL, - text=V3_AUTH_RESPONSE, - headers={'X-Subject-Token': V3_TOKEN}) + self.requests_mock.post('%s/auth/tokens' % V3_URL, + text=V3_AUTH_RESPONSE, + headers={'X-Subject-Token': V3_TOKEN}) kwargs.setdefault('username', 'foo') kwargs.setdefault('password', 'bar') @@ -324,8 +329,7 @@ def assertCreatesV3(self, **kwargs): return keystone def assertCreatesV2(self, **kwargs): - self.requests.register_uri('POST', "%s/tokens" % V2_URL, - text=V2_AUTH_RESPONSE) + self.requests_mock.post("%s/tokens" % V2_URL, text=V2_AUTH_RESPONSE) kwargs.setdefault('username', 'foo') kwargs.setdefault('password', 'bar') @@ -348,94 +352,78 @@ def assertDiscoveryFailure(self, **kwargs): client.Client, **kwargs) def test_discover_v3(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) self.assertCreatesV3(auth_url=BASE_URL) def test_discover_v2(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V2_VERSION_LIST) - self.requests.register_uri('POST', "%s/tokens" % V2_URL, - text=V2_AUTH_RESPONSE) + self.requests_mock.get(BASE_URL, status_code=300, text=V2_VERSION_LIST) + self.requests_mock.post("%s/tokens" % V2_URL, text=V2_AUTH_RESPONSE) self.assertCreatesV2(auth_url=BASE_URL) def test_discover_endpoint_v2(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V2_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V2_VERSION_LIST) self.assertCreatesV2(endpoint=BASE_URL, token='fake-token') def test_discover_endpoint_v3(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) self.assertCreatesV3(endpoint=BASE_URL, token='fake-token') def test_discover_invalid_major_version(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) self.assertVersionNotAvailable(auth_url=BASE_URL, version=5) def test_discover_200_response_fails(self): - self.requests.register_uri('GET', BASE_URL, - status_code=200, text='ok') + self.requests_mock.get(BASE_URL, text='ok') self.assertDiscoveryFailure(auth_url=BASE_URL) def test_discover_minor_greater_than_available_fails(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) self.assertVersionNotAvailable(endpoint=BASE_URL, version=3.4) def test_discover_individual_version_v2(self): - self.requests.register_uri('GET', V2_URL, status_code=200, - text=V2_VERSION_ENTRY) + self.requests_mock.get(V2_URL, text=V2_VERSION_ENTRY) self.assertCreatesV2(auth_url=V2_URL) def test_discover_individual_version_v3(self): - self.requests.register_uri('GET', V3_URL, status_code=200, - text=V3_VERSION_ENTRY) + self.requests_mock.get(V3_URL, text=V3_VERSION_ENTRY) self.assertCreatesV3(auth_url=V3_URL) def test_discover_individual_endpoint_v2(self): - self.requests.register_uri('GET', V2_URL, status_code=200, - text=V2_VERSION_ENTRY) + self.requests_mock.get(V2_URL, text=V2_VERSION_ENTRY) self.assertCreatesV2(endpoint=V2_URL, token='fake-token') def test_discover_individual_endpoint_v3(self): - self.requests.register_uri('GET', V3_URL, status_code=200, - text=V3_VERSION_ENTRY) + self.requests_mock.get(V3_URL, text=V3_VERSION_ENTRY) self.assertCreatesV3(endpoint=V3_URL, token='fake-token') def test_discover_fail_to_create_bad_individual_version(self): - self.requests.register_uri('GET', V2_URL, status_code=200, - text=V2_VERSION_ENTRY) - self.requests.register_uri('GET', V3_URL, status_code=200, - text=V3_VERSION_ENTRY) + self.requests_mock.get(V2_URL, text=V2_VERSION_ENTRY) + self.requests_mock.get(V3_URL, text=V3_VERSION_ENTRY) self.assertVersionNotAvailable(auth_url=V2_URL, version=3) self.assertVersionNotAvailable(auth_url=V3_URL, version=2) def test_discover_unstable_versions(self): version_list = fixture.DiscoveryList(BASE_URL, v3_status='beta') - self.requests.register_uri('GET', BASE_URL, status_code=300, - json=version_list) + self.requests_mock.get(BASE_URL, status_code=300, json=version_list) self.assertCreatesV2(auth_url=BASE_URL) self.assertVersionNotAvailable(auth_url=BASE_URL, version=3) self.assertCreatesV3(auth_url=BASE_URL, unstable=True) def test_discover_forwards_original_ip(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) ip = '192.168.1.1' self.assertCreatesV3(auth_url=BASE_URL, original_ip=ip) - self.assertThat(self.requests.last_request.headers['forwarded'], + self.assertThat(self.requests_mock.last_request.headers['forwarded'], matchers.Contains(ip)) def test_discover_bad_args(self): @@ -443,8 +431,7 @@ def test_discover_bad_args(self): client.Client) def test_discover_bad_response(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - json={'FOO': 'BAR'}) + self.requests_mock.get(BASE_URL, status_code=300, json={'FOO': 'BAR'}) self.assertDiscoveryFailure(auth_url=BASE_URL) def test_discovery_ignore_invalid(self): @@ -453,77 +440,78 @@ def test_discovery_ignore_invalid(self): 'media-types': V3_MEDIA_TYPES, 'status': 'stable', 'updated': UPDATED}] - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=_create_version_list(resp)) + self.requests_mock.get(BASE_URL, status_code=300, + text=_create_version_list(resp)) self.assertDiscoveryFailure(auth_url=BASE_URL) def test_ignore_entry_without_links(self): v3 = V3_VERSION.copy() v3['links'] = [] - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=_create_version_list([v3, V2_VERSION])) + self.requests_mock.get(BASE_URL, status_code=300, + text=_create_version_list([v3, V2_VERSION])) self.assertCreatesV2(auth_url=BASE_URL) def test_ignore_entry_without_status(self): v3 = V3_VERSION.copy() del v3['status'] - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=_create_version_list([v3, V2_VERSION])) + self.requests_mock.get(BASE_URL, status_code=300, + text=_create_version_list([v3, V2_VERSION])) self.assertCreatesV2(auth_url=BASE_URL) def test_greater_version_than_required(self): versions = fixture.DiscoveryList(BASE_URL, v3_id='v3.6') - self.requests.register_uri('GET', BASE_URL, status_code=200, - json=versions) + self.requests_mock.get(BASE_URL, json=versions) self.assertCreatesV3(auth_url=BASE_URL, version=(3, 4)) def test_lesser_version_than_required(self): versions = fixture.DiscoveryList(BASE_URL, v3_id='v3.4') - self.requests.register_uri('GET', BASE_URL, status_code=200, - json=versions) + self.requests_mock.get(BASE_URL, json=versions) self.assertVersionNotAvailable(auth_url=BASE_URL, version=(3, 6)) def test_bad_response(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text="Ugly Duckling") + self.requests_mock.get(BASE_URL, status_code=300, text="Ugly Duckling") self.assertDiscoveryFailure(auth_url=BASE_URL) def test_pass_client_arguments(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V2_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V2_VERSION_LIST) kwargs = {'original_ip': '100', 'use_keyring': False, 'stale_duration': 15} cl = self.assertCreatesV2(auth_url=BASE_URL, **kwargs) - self.assertEqual(cl.original_ip, '100') + with self.deprecations.expect_deprecations_here(): + self.assertEqual(cl.original_ip, '100') self.assertEqual(cl.stale_duration, 15) self.assertFalse(cl.use_keyring) def test_overriding_stored_kwargs(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) - self.requests.register_uri('POST', "%s/auth/tokens" % V3_URL, - text=V3_AUTH_RESPONSE, - headers={'X-Subject-Token': V3_TOKEN}) + self.requests_mock.post("%s/auth/tokens" % V3_URL, + text=V3_AUTH_RESPONSE, + headers={'X-Subject-Token': V3_TOKEN}) - disc = discover.Discover(auth_url=BASE_URL, debug=False, - username='foo') + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL, debug=False, + username='foo') client = disc.create_client(debug=True, password='bar') self.assertIsInstance(client, v3_client.Client) - self.assertTrue(client.debug_log) self.assertFalse(disc._client_kwargs['debug']) self.assertEqual(client.username, 'foo') self.assertEqual(client.password, 'bar') def test_available_versions(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_ENTRY) - disc = discover.Discover(auth_url=BASE_URL) - - versions = disc.available_versions() + self.requests_mock.get(BASE_URL, + status_code=300, + text=V3_VERSION_ENTRY) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) + + with self.deprecations.expect_deprecations_here(): + versions = disc.available_versions() self.assertEqual(1, len(versions)) self.assertEqual(V3_VERSION, versions[0]) @@ -535,37 +523,40 @@ def test_unknown_client_version(self): 'updated': UPDATED} versions = fixture.DiscoveryList() versions.add_version(V4_VERSION) - self.requests.register_uri('GET', BASE_URL, status_code=300, - json=versions) + self.requests_mock.get(BASE_URL, status_code=300, json=versions) - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) self.assertRaises(exceptions.DiscoveryFailure, disc.create_client, version=4) def test_discovery_fail_for_missing_v3(self): versions = fixture.DiscoveryList(v2=True, v3=False) - self.requests.register_uri('GET', BASE_URL, status_code=300, - json=versions) + self.requests_mock.get(BASE_URL, status_code=300, json=versions) - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) self.assertRaises(exceptions.DiscoveryFailure, disc.create_client, version=(3, 0)) def _do_discovery_call(self, token=None, **kwargs): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) if not token: token = uuid.uuid4().hex url = 'http://testurl' - a = token_endpoint.Token(url, token) - s = session.Session(auth=a) + + with self.deprecations.expect_deprecations_here(): + a = token_endpoint.Token(url, token) + s = session.Session(auth=a) # will default to true as there is a plugin on the session discover.Discover(s, auth_url=BASE_URL, **kwargs) - self.assertEqual(BASE_URL, self.requests.last_request.url) + self.assertEqual(BASE_URL, self.requests_mock.last_request.url) def test_setting_authenticated_true(self): token = uuid.uuid4().hex @@ -574,16 +565,18 @@ def test_setting_authenticated_true(self): def test_setting_authenticated_false(self): self._do_discovery_call(authenticated=False) - self.assertNotIn('X-Auth-Token', self.requests.last_request.headers) + self.assertNotIn('X-Auth-Token', + self.requests_mock.last_request.headers) class DiscoverQueryTests(utils.TestCase): def test_available_keystone_data(self): - self.requests.register_uri('GET', BASE_URL, status_code=300, - text=V3_VERSION_LIST) + self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST) - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) versions = disc.version_data() self.assertEqual((2, 0), versions[0]['version']) @@ -609,12 +602,14 @@ def test_available_keystone_data(self): def test_available_cinder_data(self): text = jsonutils.dumps(CINDER_EXAMPLES) - self.requests.register_uri('GET', BASE_URL, status_code=300, text=text) + self.requests_mock.get(BASE_URL, status_code=300, text=text) v1_url = "%sv1/" % BASE_URL v2_url = "%sv2/" % BASE_URL - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) versions = disc.version_data() self.assertEqual((1, 0), versions[0]['version']) @@ -640,12 +635,14 @@ def test_available_cinder_data(self): def test_available_glance_data(self): text = jsonutils.dumps(GLANCE_EXAMPLES) - self.requests.register_uri('GET', BASE_URL, status_code=200, text=text) + self.requests_mock.get(BASE_URL, text=text) v1_url = "%sv1/" % BASE_URL v2_url = "%sv2/" % BASE_URL - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) versions = disc.version_data() self.assertEqual((1, 0), versions[0]['version']) @@ -689,9 +686,11 @@ def test_allow_deprecated(self): 'status': status, 'updated': UPDATED}] text = jsonutils.dumps({'versions': version_list}) - self.requests.register_uri('GET', BASE_URL, status_code=200, text=text) + self.requests_mock.get(BASE_URL, text=text) - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) # deprecated is allowed by default versions = disc.version_data(allow_deprecated=False) @@ -711,9 +710,11 @@ def test_allow_experimental(self): 'status': status, 'updated': UPDATED}] text = jsonutils.dumps({'versions': version_list}) - self.requests.register_uri('GET', BASE_URL, status_code=200, text=text) + self.requests_mock.get(BASE_URL, text=text) - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) versions = disc.version_data() self.assertEqual(0, len(versions)) @@ -728,9 +729,10 @@ def test_allow_unknown(self): status = 'abcdef' version_list = fixture.DiscoveryList(BASE_URL, v2=False, v3_status=status) - self.requests.register_uri('GET', BASE_URL, status_code=200, - json=version_list) - disc = discover.Discover(auth_url=BASE_URL) + self.requests_mock.get(BASE_URL, json=version_list) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) versions = disc.version_data() self.assertEqual(0, len(versions)) @@ -758,10 +760,11 @@ def test_ignoring_invalid_lnks(self): }] text = jsonutils.dumps({'versions': version_list}) - self.requests.register_uri('GET', BASE_URL, status_code=200, - text=text) + self.requests_mock.get(BASE_URL, text=text) - disc = discover.Discover(auth_url=BASE_URL) + # Creating Discover not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + disc = discover.Discover(auth_url=BASE_URL) # raw_version_data will return all choices, even invalid ones versions = disc.raw_version_data() @@ -772,6 +775,42 @@ def test_ignoring_invalid_lnks(self): self.assertEqual(1, len(versions)) +class CatalogHackTests(utils.TestCase): + + TEST_URL = 'http://keystone.server:5000/v2.0' + OTHER_URL = 'http://other.server:5000/path' + + IDENTITY = 'identity' + + BASE_URL = 'http://keystone.server:5000/' + V2_URL = BASE_URL + 'v2.0' + V3_URL = BASE_URL + 'v3' + + def setUp(self): + super(CatalogHackTests, self).setUp() + self.hacks = _discover._VersionHacks() + self.hacks.add_discover_hack(self.IDENTITY, + re.compile('/v2.0/?$'), + '/') + + def test_version_hacks(self): + self.assertEqual(self.BASE_URL, + self.hacks.get_discover_hack(self.IDENTITY, + self.V2_URL)) + + self.assertEqual(self.BASE_URL, + self.hacks.get_discover_hack(self.IDENTITY, + self.V2_URL + '/')) + + self.assertEqual(self.OTHER_URL, + self.hacks.get_discover_hack(self.IDENTITY, + self.OTHER_URL)) + + def test_ignored_non_service_type(self): + self.assertEqual(self.V2_URL, + self.hacks.get_discover_hack('other', self.V2_URL)) + + class DiscoverUtils(utils.TestCase): def test_version_number(self): diff --git a/keystoneclient/tests/test_ec2utils.py b/keystoneclient/tests/unit/test_ec2utils.py similarity index 79% rename from keystoneclient/tests/test_ec2utils.py rename to keystoneclient/tests/unit/test_ec2utils.py index ff4aee356..12cf57531 100644 --- a/keystoneclient/tests/test_ec2utils.py +++ b/keystoneclient/tests/unit/test_ec2utils.py @@ -12,17 +12,17 @@ # License for the specific language governing permissions and limitations # under the License. -from __future__ import unicode_literals - import testtools from keystoneclient.contrib.ec2 import utils +from keystoneclient.tests.unit import client_fixtures class Ec2SignerTest(testtools.TestCase): def setUp(self): super(Ec2SignerTest, self).setUp() + self.useFixture(client_fixtures.Deprecations()) self.access = '966afbde20b84200ae4e62e09acf46b2' self.secret = '89cdf9e94e2643cab35b8b8ac5a51f83' self.signer = utils.Ec2Signer(self.secret) @@ -130,7 +130,17 @@ def test_generate_v4(self): # examples specify no query string, but the final POST example # does, apparently incorrectly since an empty parameter list # aligns all steps and the final signature with the examples - params = {} + params = {'Action': 'CreateUser', + 'UserName': 'NewUser', + 'Version': '2010-05-08', + 'X-Amz-Algorithm': 'AWS4-HMAC-SHA256', + 'X-Amz-Credential': 'AKIAEXAMPLE/20140611/' + 'us-east-1/iam/aws4_request', + 'X-Amz-Date': '20140611T231318Z', + 'X-Amz-Expires': '30', + 'X-Amz-SignedHeaders': 'host', + 'X-Amz-Signature': 'ced6826de92d2bdeed8f846f0bf508e8' + '559e98e4b0199114b84c54174deb456c'} credentials = {'host': 'iam.amazonaws.com', 'verb': 'POST', 'path': '/', @@ -177,9 +187,10 @@ def test_generate_v4_port(self): self.assertEqual(signature, expected) def test_generate_v4_port_strip(self): - """Test v4 generator with host:port format, but for an old - (<2.9.3) version of boto, where the port should be stripped - to match boto behavior. + """Test v4 generator with host:port format for old boto version. + + Validate for old (<2.9.3) version of boto, where the port should + be stripped to match boto behavior. """ # Create a new signer object with the AWS example key secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY' @@ -215,8 +226,10 @@ def test_generate_v4_port_strip(self): self.assertEqual(expected, signature) def test_generate_v4_port_nostrip(self): - """Test v4 generator with host:port format, but for an new - (>=2.9.3) version of boto, where the port should not be stripped. + """Test v4 generator with host:port format for new boto version. + + Validate for new (>=2.9.3) version of boto, where the port should + not be stripped. """ # Create a new signer object with the AWS example key secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY' @@ -250,3 +263,42 @@ def test_generate_v4_port_nostrip(self): expected = ('26dd92ea79aaa49f533d13b1055acdc' 'd7d7321460d64621f96cc79c4f4d4ab2b') self.assertEqual(expected, signature) + + def test_generate_v4_port_malformed_version(self): + """Test v4 generator with host:port format for malformed boto version. + + Validate for malformed version of boto, where the port should + not be stripped. + """ + # Create a new signer object with the AWS example key + secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY' + signer = utils.Ec2Signer(secret) + + body_hash = ('b6359072c78d70ebee1e81adcbab4f0' + '1bf2c23245fa365ef83fe8f1f955085e2') + auth_str = ('AWS4-HMAC-SHA256 ' + 'Credential=AKIAIOSFODNN7EXAMPLE/20110909/' + 'us-east-1/iam/aws4_request,' + 'SignedHeaders=content-type;host;x-amz-date,') + headers = {'Content-type': + 'application/x-www-form-urlencoded; charset=utf-8', + 'X-Amz-Date': '20110909T233600Z', + 'Host': 'foo:8000', + 'Authorization': auth_str, + 'User-Agent': 'Boto/2.922 (linux2)'} + # Note the example in the AWS docs is inconsistent, previous + # examples specify no query string, but the final POST example + # does, apparently incorrectly since an empty parameter list + # aligns all steps and the final signature with the examples + params = {} + credentials = {'host': 'foo:8000', + 'verb': 'POST', + 'path': '/', + 'params': params, + 'headers': headers, + 'body_hash': body_hash} + signature = signer.generate(credentials) + + expected = ('26dd92ea79aaa49f533d13b1055acdc' + 'd7d7321460d64621f96cc79c4f4d4ab2b') + self.assertEqual(expected, signature) diff --git a/keystoneclient/tests/test_fixtures.py b/keystoneclient/tests/unit/test_fixtures.py similarity index 90% rename from keystoneclient/tests/test_fixtures.py rename to keystoneclient/tests/unit/test_fixtures.py index 558d4546d..d7fd26e66 100644 --- a/keystoneclient/tests/test_fixtures.py +++ b/keystoneclient/tests/unit/test_fixtures.py @@ -12,10 +12,9 @@ import uuid -import six from keystoneclient import fixture -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils class V2TokenTests(utils.TestCase): @@ -35,6 +34,7 @@ def test_unscoped(self): self.assertEqual(user_id, token['access']['user']['id']) self.assertEqual(user_name, token.user_name) self.assertEqual(user_name, token['access']['user']['name']) + self.assertIsNone(token.trust_id) def test_tenant_scoped(self): tenant_id = uuid.uuid4().hex @@ -48,6 +48,7 @@ def test_tenant_scoped(self): self.assertEqual(tenant_name, token.tenant_name) tn = token['access']['token']['tenant']['name'] self.assertEqual(tenant_name, tn) + self.assertIsNone(token.trust_id) def test_trust_scoped(self): trust_id = uuid.uuid4().hex @@ -82,6 +83,7 @@ def test_roles(self): def test_services(self): service_type = uuid.uuid4().hex service_name = uuid.uuid4().hex + endpoint_id = uuid.uuid4().hex region = uuid.uuid4().hex public = uuid.uuid4().hex @@ -94,7 +96,8 @@ def test_services(self): svc.add_endpoint(public=public, admin=admin, internal=internal, - region=region) + region=region, + id=endpoint_id) self.assertEqual(1, len(token['access']['serviceCatalog'])) service = token['access']['serviceCatalog'][0]['endpoints'][0] @@ -103,6 +106,7 @@ def test_services(self): self.assertEqual(internal, service['internalURL']) self.assertEqual(admin, service['adminURL']) self.assertEqual(region, service['region']) + self.assertEqual(endpoint_id, service['id']) class V3TokenTests(utils.TestCase): @@ -216,13 +220,16 @@ def test_oauth_scoped(self): def test_catalog(self): service_type = uuid.uuid4().hex service_name = uuid.uuid4().hex + service_id = uuid.uuid4().hex region = uuid.uuid4().hex endpoints = {'public': uuid.uuid4().hex, 'internal': uuid.uuid4().hex, 'admin': uuid.uuid4().hex} token = fixture.V3Token() - svc = token.add_service(type=service_type, name=service_name) + svc = token.add_service(type=service_type, + name=service_name, + id=service_id) svc.add_standard_endpoints(region=region, **endpoints) self.assertEqual(1, len(token['token']['catalog'])) @@ -231,7 +238,14 @@ def test_catalog(self): self.assertEqual(service_name, service['name']) self.assertEqual(service_type, service['type']) + self.assertEqual(service_id, service['id']) + + for endpoint in service['endpoints']: + # assert an id exists for each endpoint, remove it to make testing + # the endpoint content below easier. + self.assertTrue(endpoint.pop('id')) - for interface, url in six.iteritems(endpoints): - endpoint = {'interface': interface, 'url': url, 'region': region} + for interface, url in endpoints.items(): + endpoint = {'interface': interface, 'url': url, + 'region': region, 'region_id': region} self.assertIn(endpoint, service['endpoints']) diff --git a/keystoneclient/tests/test_http.py b/keystoneclient/tests/unit/test_http.py similarity index 64% rename from keystoneclient/tests/test_http.py rename to keystoneclient/tests/unit/test_http.py index 118ad771c..65a428aa6 100644 --- a/keystoneclient/tests/test_http.py +++ b/keystoneclient/tests/unit/test_http.py @@ -12,15 +12,15 @@ # License for the specific language governing permissions and limitations # under the License. +import io import logging -import six from testtools import matchers from keystoneclient import exceptions from keystoneclient import httpclient from keystoneclient import session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils RESPONSE_BODY = '{"hi": "there"}' @@ -28,7 +28,7 @@ def get_client(): cl = httpclient.HTTPClient(username="username", password="password", - tenant_id="tenant", auth_url="auth_test") + project_id="tenant", auth_url="auth_test") return cl @@ -39,37 +39,30 @@ def get_authed_client(): return cl -class FakeLog(object): - def __init__(self): - self.warn_log = str() - self.debug_log = str() - - def warn(self, msg=None, *args, **kwargs): - self.warn_log = "%s\n%s" % (self.warn_log, (msg % args)) - - def debug(self, msg=None, *args, **kwargs): - self.debug_log = "%s\n%s" % (self.debug_log, (msg % args)) - - class ClientTest(utils.TestCase): TEST_URL = 'http://127.0.0.1:5000/hi' def test_unauthorized_client_requests(self): - cl = get_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_client() self.assertRaises(exceptions.AuthorizationFailure, cl.get, '/hi') self.assertRaises(exceptions.AuthorizationFailure, cl.post, '/hi') self.assertRaises(exceptions.AuthorizationFailure, cl.put, '/hi') self.assertRaises(exceptions.AuthorizationFailure, cl.delete, '/hi') def test_get(self): - cl = get_authed_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_authed_client() self.stub_url('GET', text=RESPONSE_BODY) - resp, body = cl.get("/hi") - self.assertEqual(self.requests.last_request.method, 'GET') - self.assertEqual(self.requests.last_request.url, self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + resp, body = cl.get("/hi") + self.assertEqual(self.requests_mock.last_request.method, 'GET') + self.assertEqual(self.requests_mock.last_request.url, self.TEST_URL) self.assertRequestHeaderEqual('X-Auth-Token', 'token') self.assertRequestHeaderEqual('User-Agent', httpclient.USER_AGENT) @@ -78,14 +71,18 @@ def test_get(self): self.assertEqual(body, {"hi": "there"}) def test_get_error_with_plaintext_resp(self): - cl = get_authed_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_authed_client() self.stub_url('GET', status_code=400, text='Some evil plaintext string') self.assertRaises(exceptions.BadRequest, cl.get, '/hi') def test_get_error_with_json_resp(self): - cl = get_authed_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_authed_client() err_response = { "error": { "code": 400, @@ -96,20 +93,24 @@ def test_get_error_with_json_resp(self): self.stub_url('GET', status_code=400, json=err_response) exc_raised = False try: - cl.get('/hi') + with self.deprecations.expect_deprecations_here(): + cl.get('/hi') except exceptions.BadRequest as exc: exc_raised = True - self.assertEqual(exc.message, "Error message string") + self.assertEqual(exc.message, "Error message string (HTTP 400)") self.assertTrue(exc_raised, 'Exception not raised.') def test_post(self): - cl = get_authed_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_authed_client() self.stub_url('POST') - cl.post("/hi", body=[1, 2, 3]) + with self.deprecations.expect_deprecations_here(): + cl.post("/hi", body=[1, 2, 3]) - self.assertEqual(self.requests.last_request.method, 'POST') - self.assertEqual(self.requests.last_request.body, '[1, 2, 3]') + self.assertEqual(self.requests_mock.last_request.method, 'POST') + self.assertEqual(self.requests_mock.last_request.body, '[1, 2, 3]') self.assertRequestHeaderEqual('X-Auth-Token', 'token') self.assertRequestHeaderEqual('Content-Type', 'application/json') @@ -117,13 +118,18 @@ def test_post(self): def test_forwarded_for(self): ORIGINAL_IP = "10.100.100.1" - cl = httpclient.HTTPClient(username="username", password="password", - tenant_id="tenant", auth_url="auth_test", - original_ip=ORIGINAL_IP) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient(username="username", + password="password", + project_id="tenant", + auth_url="auth_test", + original_ip=ORIGINAL_IP) self.stub_url('GET') - cl.request(self.TEST_URL, 'GET') + with self.deprecations.expect_deprecations_here(): + cl.request(self.TEST_URL, 'GET') forwarded = "for=%s;by=%s" % (ORIGINAL_IP, httpclient.USER_AGENT) self.assertRequestHeaderEqual('Forwarded', forwarded) @@ -147,7 +153,7 @@ class BasicRequestTests(utils.TestCase): def setUp(self): super(BasicRequestTests, self).setUp() - self.logger_message = six.moves.cStringIO() + self.logger_message = io.StringIO() handler = logging.StreamHandler(self.logger_message) handler.setLevel(logging.DEBUG) @@ -160,23 +166,26 @@ def setUp(self): self.addCleanup(self.logger.setLevel, level) def request(self, method='GET', response='Test Response', status_code=200, - url=None, **kwargs): + url=None, headers={}, **kwargs): if not url: url = self.url - self.requests.register_uri(method, url, text=response, - status_code=status_code) + self.requests_mock.register_uri(method, url, text=response, + status_code=status_code, + headers=headers) - return httpclient.request(url, method, **kwargs) + with self.deprecations.expect_deprecations_here(): + return httpclient.request(url, method, headers=headers, **kwargs) def test_basic_params(self): method = 'GET' response = 'Test Response' status = 200 - self.request(method=method, status_code=status, response=response) + self.request(method=method, status_code=status, response=response, + headers={'Content-Type': 'application/json'}) - self.assertEqual(self.requests.last_request.method, method) + self.assertEqual(self.requests_mock.last_request.method, method) logger_message = self.logger_message.getvalue() @@ -193,16 +202,17 @@ def test_headers(self): self.request(headers=headers) - for k, v in six.iteritems(headers): + for k, v in headers.items(): self.assertRequestHeaderEqual(k, v) - for header in six.iteritems(headers): + for header in headers.items(): self.assertThat(self.logger_message.getvalue(), matchers.Contains('-H "%s: %s"' % header)) def test_body(self): data = "BODY DATA" - self.request(response=data) + self.request(response=data, + headers={'Content-Type': 'application/json'}) logger_message = self.logger_message.getvalue() self.assertThat(logger_message, matchers.Contains('BODY:')) self.assertThat(logger_message, matchers.Contains(data)) diff --git a/keystoneclient/tests/test_https.py b/keystoneclient/tests/unit/test_https.py similarity index 70% rename from keystoneclient/tests/test_https.py rename to keystoneclient/tests/unit/test_https.py index f9618be98..315a17aaa 100644 --- a/keystoneclient/tests/test_https.py +++ b/keystoneclient/tests/unit/test_https.py @@ -10,17 +10,14 @@ # License for the specific language governing permissions and limitations # under the License. -import mock import requests +from unittest import mock from keystoneclient import httpclient -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils -FAKE_RESPONSE = utils.TestResponse({ - "status_code": 200, - "text": '{"hi": "there"}', -}) +FAKE_RESPONSE = utils.test_response(json={'hi': 'there'}) REQUEST_URL = 'https://127.0.0.1:5000/hi' RESPONSE_BODY = '{"hi": "there"}' @@ -28,8 +25,8 @@ def get_client(): cl = httpclient.HTTPClient(username="username", password="password", - tenant_id="tenant", auth_url="auth_test", - cacert="ca.pem", key="key.pem", cert="cert.pem") + project_id="tenant", auth_url="auth_test", + cacert="ca.pem", cert=('cert.pem', "key.pem")) return cl @@ -42,19 +39,15 @@ def get_authed_client(): class ClientTest(utils.TestCase): - def setUp(self): - super(ClientTest, self).setUp() - self.request_patcher = mock.patch.object(requests, 'request', - self.mox.CreateMockAnything()) - self.request_patcher.start() - self.addCleanup(self.request_patcher.stop) - @mock.patch.object(requests, 'request') def test_get(self, MOCK_REQUEST): MOCK_REQUEST.return_value = FAKE_RESPONSE - cl = get_authed_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_authed_client() - resp, body = cl.get("/hi") + with self.deprecations.expect_deprecations_here(): + resp, body = cl.get("/hi") # this may become too tightly couple later mock_args, mock_kwargs = MOCK_REQUEST.call_args @@ -71,9 +64,12 @@ def test_get(self, MOCK_REQUEST): @mock.patch.object(requests, 'request') def test_post(self, MOCK_REQUEST): MOCK_REQUEST.return_value = FAKE_RESPONSE - cl = get_authed_client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = get_authed_client() - cl.post("/hi", body=[1, 2, 3]) + with self.deprecations.expect_deprecations_here(): + cl.post("/hi", body=[1, 2, 3]) # this may become too tightly couple later mock_args, mock_kwargs = MOCK_REQUEST.call_args @@ -88,13 +84,16 @@ def test_post(self, MOCK_REQUEST): @mock.patch.object(requests, 'request') def test_post_auth(self, MOCK_REQUEST): MOCK_REQUEST.return_value = FAKE_RESPONSE - cl = httpclient.HTTPClient( - username="username", password="password", tenant_id="tenant", - auth_url="auth_test", cacert="ca.pem", key="key.pem", - cert="cert.pem") + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient( + username="username", password="password", project_id="tenant", + auth_url="auth_test", cacert="ca.pem", + cert=('cert.pem', 'key.pem')) cl.management_url = "https://127.0.0.1:5000" cl.auth_token = "token" - cl.post("/hi", body=[1, 2, 3]) + with self.deprecations.expect_deprecations_here(): + cl.post("/hi", body=[1, 2, 3]) # this may become too tightly couple later mock_args, mock_kwargs = MOCK_REQUEST.call_args diff --git a/keystoneclient/tests/test_keyring.py b/keystoneclient/tests/unit/test_keyring.py similarity index 75% rename from keystoneclient/tests/test_keyring.py rename to keystoneclient/tests/unit/test_keyring.py index 0ad05877c..0a5bf7150 100644 --- a/keystoneclient/tests/test_keyring.py +++ b/keystoneclient/tests/unit/test_keyring.py @@ -11,14 +11,15 @@ # under the License. import datetime +from unittest import mock -import mock +from oslo_utils import timeutils from keystoneclient import access from keystoneclient import httpclient -from keystoneclient.openstack.common import timeutils -from keystoneclient.tests import utils -from keystoneclient.tests.v2_0 import client_fixtures +from keystoneclient.tests.unit import utils +from keystoneclient.tests.unit.v2_0 import client_fixtures +from keystoneclient import utils as client_utils try: import keyring # noqa @@ -53,6 +54,7 @@ class MemoryKeyring(keyring.backend.KeyringBackend): setting password, and allows easy password and key retrieval. Also records if a password was retrieved. """ + def __init__(self): self.key = None self.password = None @@ -83,11 +85,15 @@ def set_password(self, service, username, password): keyring.set_keyring(self.memory_keyring) def test_no_keyring_key(self): - """Ensure that if we don't have use_keyring set in the client that + """Test case when no keyring set. + + Ensure that if we don't have use_keyring set in the client that the keyring is never accessed. """ - cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, - tenant_id=TENANT_ID, auth_url=AUTH_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, + project_id=TENANT_ID, auth_url=AUTH_URL) # stub and check that a new token is received method = 'get_raw_token_from_identity_service' @@ -103,8 +109,10 @@ def test_no_keyring_key(self): self.assertFalse(self.memory_keyring.set_password_called) def test_build_keyring_key(self): - cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, - tenant_id=TENANT_ID, auth_url=AUTH_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, + project_id=TENANT_ID, auth_url=AUTH_URL) keyring_key = cl._build_keyring_key(auth_url=AUTH_URL, username=USERNAME, @@ -117,14 +125,16 @@ def test_build_keyring_key(self): (AUTH_URL, TENANT_ID, TENANT, TOKEN, USERNAME)) def test_set_and_get_keyring_expired(self): - cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, - tenant_id=TENANT_ID, auth_url=AUTH_URL, - use_keyring=True) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, + project_id=TENANT_ID, auth_url=AUTH_URL, + use_keyring=True) # set an expired token into the keyring auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN) expired = timeutils.utcnow() - datetime.timedelta(minutes=30) - auth_ref['token']['expires'] = timeutils.isotime(expired) + auth_ref['token']['expires'] = client_utils.isotime(expired) self.memory_keyring.password = pickle.dumps(auth_ref) # stub and check that a new token is received, so not using expired @@ -145,14 +155,16 @@ def test_set_and_get_keyring_expired(self): PROJECT_SCOPED_TOKEN['access']['token']['expires']) def test_get_keyring(self): - cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, - tenant_id=TENANT_ID, auth_url=AUTH_URL, - use_keyring=True) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, + project_id=TENANT_ID, auth_url=AUTH_URL, + use_keyring=True) # set an token into the keyring auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN) future = timeutils.utcnow() + datetime.timedelta(minutes=30) - auth_ref['token']['expires'] = timeutils.isotime(future) + auth_ref['token']['expires'] = client_utils.isotime(future) self.memory_keyring.password = pickle.dumps(auth_ref) # don't stub get_raw_token so will fail if authenticate happens @@ -161,9 +173,11 @@ def test_get_keyring(self): self.assertTrue(self.memory_keyring.fetched) def test_set_keyring(self): - cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, - tenant_id=TENANT_ID, auth_url=AUTH_URL, - use_keyring=True) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD, + project_id=TENANT_ID, auth_url=AUTH_URL, + use_keyring=True) # stub and check that a new token is received method = 'get_raw_token_from_identity_service' diff --git a/keystoneclient/tests/test_session.py b/keystoneclient/tests/unit/test_session.py similarity index 52% rename from keystoneclient/tests/test_session.py rename to keystoneclient/tests/unit/test_session.py index 37477f686..71a8e2743 100644 --- a/keystoneclient/tests/test_session.py +++ b/keystoneclient/tests/unit/test_session.py @@ -1,3 +1,5 @@ +# -*- coding: utf-8 -*- +# # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at @@ -11,34 +13,40 @@ # under the License. import argparse +from io import StringIO import itertools +import logging +from unittest import mock import uuid -import mock -from oslo.config import cfg -from oslo.config import fixture as config +from oslo_config import cfg +from oslo_config import fixture as config +from oslo_serialization import jsonutils import requests -import six from testtools import matchers from keystoneclient import adapter from keystoneclient.auth import base from keystoneclient import exceptions -from keystoneclient.openstack.common import jsonutils +from keystoneclient.i18n import _ from keystoneclient import session as client_session -from keystoneclient.tests import utils +from keystoneclient.tests.unit import utils class SessionTests(utils.TestCase): TEST_URL = 'http://127.0.0.1:5000/' + def setUp(self): + super(SessionTests, self).setUp() + self.deprecations.expect_deprecations() + def test_get(self): session = client_session.Session() self.stub_url('GET', text='response') resp = session.get(self.TEST_URL) - self.assertEqual('GET', self.requests.last_request.method) + self.assertEqual('GET', self.requests_mock.last_request.method) self.assertEqual(resp.text, 'response') self.assertTrue(resp.ok) @@ -47,7 +55,7 @@ def test_post(self): self.stub_url('POST', text='response') resp = session.post(self.TEST_URL, json={'hello': 'world'}) - self.assertEqual('POST', self.requests.last_request.method) + self.assertEqual('POST', self.requests_mock.last_request.method) self.assertEqual(resp.text, 'response') self.assertTrue(resp.ok) self.assertRequestBodyIs(json={'hello': 'world'}) @@ -57,7 +65,7 @@ def test_head(self): self.stub_url('HEAD') resp = session.head(self.TEST_URL) - self.assertEqual('HEAD', self.requests.last_request.method) + self.assertEqual('HEAD', self.requests_mock.last_request.method) self.assertTrue(resp.ok) self.assertRequestBodyIs('') @@ -66,7 +74,7 @@ def test_put(self): self.stub_url('PUT', text='response') resp = session.put(self.TEST_URL, json={'hello': 'world'}) - self.assertEqual('PUT', self.requests.last_request.method) + self.assertEqual('PUT', self.requests_mock.last_request.method) self.assertEqual(resp.text, 'response') self.assertTrue(resp.ok) self.assertRequestBodyIs(json={'hello': 'world'}) @@ -76,7 +84,7 @@ def test_delete(self): self.stub_url('DELETE', text='response') resp = session.delete(self.TEST_URL) - self.assertEqual('DELETE', self.requests.last_request.method) + self.assertEqual('DELETE', self.requests_mock.last_request.method) self.assertTrue(resp.ok) self.assertEqual(resp.text, 'response') @@ -85,7 +93,7 @@ def test_patch(self): self.stub_url('PATCH', text='response') resp = session.patch(self.TEST_URL, json={'hello': 'world'}) - self.assertEqual('PATCH', self.requests.last_request.method) + self.assertEqual('PATCH', self.requests_mock.last_request.method) self.assertTrue(resp.ok) self.assertEqual(resp.text, 'response') self.assertRequestBodyIs(json={'hello': 'world'}) @@ -111,7 +119,7 @@ def test_http_session_opts(self): session = client_session.Session(cert='cert.pem', timeout=5, verify='certs') - FAKE_RESP = utils.TestResponse({'status_code': 200, 'text': 'resp'}) + FAKE_RESP = utils.test_response(text='resp') RESP = mock.Mock(return_value=FAKE_RESP) with mock.patch.object(session.session, 'request', RESP) as mocked: @@ -138,17 +146,24 @@ def test_server_error(self): session.get, self.TEST_URL) def test_session_debug_output(self): + """Test request and response headers in debug logs. + + in order to redact secure headers while debug is true. + """ session = client_session.Session(verify=False) - headers = {'HEADERA': 'HEADERVALB'} + headers = {'HEADERA': 'HEADERVALB', + 'Content-Type': 'application/json'} security_headers = {'Authorization': uuid.uuid4().hex, 'X-Auth-Token': uuid.uuid4().hex, - 'X-Subject-Token': uuid.uuid4().hex, } - body = 'BODYRESPONSE' - data = 'BODYDATA' - self.stub_url('POST', text=body) + 'X-Subject-Token': uuid.uuid4().hex, + 'X-Service-Token': uuid.uuid4().hex} + body = '{"a": "b"}' + data = '{"c": "d"}' all_headers = dict( itertools.chain(headers.items(), security_headers.items())) - session.post(self.TEST_URL, headers=all_headers, data=data) + self.stub_url('POST', text=body, headers=all_headers) + resp = session.post(self.TEST_URL, headers=all_headers, data=data) + self.assertEqual(resp.status_code, 200) self.assertIn('curl', self.logger.output) self.assertIn('POST', self.logger.output) @@ -156,13 +171,216 @@ def test_session_debug_output(self): self.assertIn(body, self.logger.output) self.assertIn("'%s'" % data, self.logger.output) - for k, v in six.iteritems(headers): + for k, v in headers.items(): self.assertIn(k, self.logger.output) self.assertIn(v, self.logger.output) - for k, v in six.iteritems(security_headers): - self.assertIn(k, self.logger.output) + + # Assert that response headers contains actual values and + # only debug logs has been masked + for k, v in security_headers.items(): + self.assertIn('%s: {SHA1}' % k, self.logger.output) + self.assertEqual(v, resp.headers[k]) self.assertNotIn(v, self.logger.output) + def test_logs_failed_output(self): + """Test that output is logged even for failed requests.""" + session = client_session.Session() + body = {uuid.uuid4().hex: uuid.uuid4().hex} + + self.stub_url('GET', json=body, status_code=400, + headers={'Content-Type': 'application/json'}) + resp = session.get(self.TEST_URL, raise_exc=False) + + self.assertEqual(resp.status_code, 400) + self.assertIn(list(body.keys())[0], self.logger.output) + self.assertIn(list(body.values())[0], self.logger.output) + + def test_logging_body_only_for_specified_content_types(self): + """Verify response body is only logged in specific content types. + + Response bodies are logged only when the response's Content-Type header + is set to application/json. This prevents us to get an unexpected + MemoryError when reading arbitrary responses, such as streams. + """ + OMITTED_BODY = ('Omitted, Content-Type is set to %s. Only ' + 'application/json responses have their bodies logged.') + session = client_session.Session(verify=False) + + # Content-Type is not set + body = jsonutils.dumps({'token': {'id': '...'}}) + self.stub_url('POST', text=body) + session.post(self.TEST_URL) + self.assertNotIn(body, self.logger.output) + self.assertIn(OMITTED_BODY % None, self.logger.output) + + # Content-Type is set to text/xml + body = '...' + self.stub_url('POST', text=body, headers={'Content-Type': 'text/xml'}) + session.post(self.TEST_URL) + self.assertNotIn(body, self.logger.output) + self.assertIn(OMITTED_BODY % 'text/xml', self.logger.output) + + # Content-Type is set to application/json + body = jsonutils.dumps({'token': {'id': '...'}}) + self.stub_url('POST', text=body, + headers={'Content-Type': 'application/json'}) + session.post(self.TEST_URL) + self.assertIn(body, self.logger.output) + self.assertNotIn(OMITTED_BODY % 'application/json', self.logger.output) + + # Content-Type is set to application/json; charset=UTF-8 + body = jsonutils.dumps({'token': {'id': '...'}}) + self.stub_url( + 'POST', text=body, + headers={'Content-Type': 'application/json; charset=UTF-8'}) + session.post(self.TEST_URL) + self.assertIn(body, self.logger.output) + self.assertNotIn(OMITTED_BODY % 'application/json; charset=UTF-8', + self.logger.output) + + def test_unicode_data_in_debug_output(self): + """Verify that ascii-encodable data is logged without modification.""" + session = client_session.Session(verify=False) + + body = 'RESP' + data = 'αβγδ' + self.stub_url('POST', text=body) + session.post(self.TEST_URL, data=data) + + self.assertIn("'%s'" % data, self.logger.output) + + def test_logging_cacerts(self): + path_to_certs = '/path/to/certs' + session = client_session.Session(verify=path_to_certs) + + self.stub_url('GET', text='text') + session.get(self.TEST_URL) + + self.assertIn('--cacert', self.logger.output) + self.assertIn(path_to_certs, self.logger.output) + + def test_connect_retries(self): + + def _timeout_error(request, context): + raise requests.exceptions.Timeout() + + self.stub_url('GET', text=_timeout_error) + + session = client_session.Session() + retries = 3 + + with mock.patch('time.sleep') as m: + self.assertRaises(exceptions.RequestTimeout, + session.get, + self.TEST_URL, connect_retries=retries) + + self.assertEqual(retries, m.call_count) + # 3 retries finishing with 2.0 means 0.5, 1.0 and 2.0 + m.assert_called_with(2.0) + + # we count retries so there will be one initial request + 3 retries + self.assertThat(self.requests_mock.request_history, + matchers.HasLength(retries + 1)) + + def test_uses_tcp_keepalive_by_default(self): + session = client_session.Session() + requests_session = session.session + self.assertIsInstance(requests_session.adapters['http://'], + client_session.TCPKeepAliveAdapter) + self.assertIsInstance(requests_session.adapters['https://'], + client_session.TCPKeepAliveAdapter) + + def test_does_not_set_tcp_keepalive_on_custom_sessions(self): + mock_session = mock.Mock() + client_session.Session(session=mock_session) + self.assertFalse(mock_session.mount.called) + + def test_ssl_error_message(self): + error = uuid.uuid4().hex + + def _ssl_error(request, context): + raise requests.exceptions.SSLError(error) + + self.stub_url('GET', text=_ssl_error) + session = client_session.Session() + + # The exception should contain the URL and details about the SSL error + msg = _('SSL exception connecting to %(url)s: %(error)s') % { + 'url': self.TEST_URL, 'error': error} + self.assertRaisesRegex( + exceptions.SSLError, + msg, + session.get, + self.TEST_URL, + ) + + def test_mask_password_in_http_log_response(self): + session = client_session.Session() + + def fake_debug(msg): + self.assertNotIn('verybadpass', msg) + + logger = mock.Mock(isEnabledFor=mock.Mock(return_value=True)) + logger.debug = mock.Mock(side_effect=fake_debug) + body = { + "connection_info": { + "driver_volume_type": "iscsi", + "data": { + "auth_password": "verybadpass", + "target_discovered": False, + "encrypted": False, + "qos_specs": None, + "target_iqn": ("iqn.2010-10.org.openstack:volume-" + "744d2085-8e78-40a5-8659-ef3cffb2480e"), + "target_portal": "172.99.69.228:3260", + "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e", + "target_lun": 1, + "access_mode": "rw", + "auth_username": "verybadusername", + "auth_method": "CHAP"}}} + body_json = jsonutils.dumps(body) + response = mock.Mock(text=body_json, status_code=200, + headers={'content-type': 'application/json'}) + session._http_log_response(response, logger) + self.assertEqual(1, logger.debug.call_count) + + +class TCPKeepAliveAdapter(utils.TestCase): + + @mock.patch.object(client_session, 'socket') + @mock.patch('requests.adapters.HTTPAdapter.init_poolmanager') + def test_init_poolmanager_all_options(self, mock_parent_init_poolmanager, + mock_socket): + # properties expected to be in socket. + mock_socket.TCP_KEEPIDLE = mock.sentinel.TCP_KEEPIDLE + mock_socket.TCP_KEEPCNT = mock.sentinel.TCP_KEEPCNT + mock_socket.TCP_KEEPINTVL = mock.sentinel.TCP_KEEPINTVL + desired_opts = [mock_socket.TCP_KEEPIDLE, mock_socket.TCP_KEEPCNT, + mock_socket.TCP_KEEPINTVL] + + adapter = client_session.TCPKeepAliveAdapter() + adapter.init_poolmanager() + + call_args, call_kwargs = mock_parent_init_poolmanager.call_args + called_socket_opts = call_kwargs['socket_options'] + call_options = [opt for (protocol, opt, value) in called_socket_opts] + for opt in desired_opts: + self.assertIn(opt, call_options) + + @mock.patch.object(client_session, 'socket') + @mock.patch('requests.adapters.HTTPAdapter.init_poolmanager') + def test_init_poolmanager(self, mock_parent_init_poolmanager, mock_socket): + spec = ['IPPROTO_TCP', 'TCP_NODELAY', 'SOL_SOCKET', 'SO_KEEPALIVE'] + mock_socket.mock_add_spec(spec) + adapter = client_session.TCPKeepAliveAdapter() + adapter.init_poolmanager() + + call_args, call_kwargs = mock_parent_init_poolmanager.call_args + called_socket_opts = call_kwargs['socket_options'] + call_options = [opt for (protocol, opt, value) in called_socket_opts] + self.assertEqual([mock_socket.TCP_NODELAY, mock_socket.SO_KEEPALIVE], + call_options) + class RedirectTests(utils.TestCase): @@ -174,19 +392,25 @@ class RedirectTests(utils.TestCase): DEFAULT_REDIRECT_BODY = 'Redirect' DEFAULT_RESP_BODY = 'Found' + def setUp(self): + super(RedirectTests, self).setUp() + self.deprecations.expect_deprecations() + def setup_redirects(self, method='GET', status_code=305, - redirect_kwargs={}, final_kwargs={}): + redirect_kwargs=None, final_kwargs=None): + redirect_kwargs = redirect_kwargs or {} + final_kwargs = final_kwargs or {} redirect_kwargs.setdefault('text', self.DEFAULT_REDIRECT_BODY) for s, d in zip(self.REDIRECT_CHAIN, self.REDIRECT_CHAIN[1:]): - self.requests.register_uri(method, s, status_code=status_code, - headers={'Location': d}, - **redirect_kwargs) + self.requests_mock.register_uri(method, s, status_code=status_code, + headers={'Location': d}, + **redirect_kwargs) final_kwargs.setdefault('status_code', 200) final_kwargs.setdefault('text', self.DEFAULT_RESP_BODY) - self.requests.register_uri(method, self.REDIRECT_CHAIN[-1], - **final_kwargs) + self.requests_mock.register_uri(method, self.REDIRECT_CHAIN[-1], + **final_kwargs) def assertResponse(self, resp): self.assertEqual(resp.status_code, 200) @@ -250,7 +474,8 @@ class ConstructSessionFromArgsTests(utils.TestCase): def _s(self, k=None, **kwargs): k = k or kwargs - return client_session.Session.construct(k) + with self.deprecations.expect_deprecations_here(): + return client_session.Session.construct(k) def test_verify(self): self.assertFalse(self._s(insecure=True).verify) @@ -278,7 +503,9 @@ class AuthPlugin(base.BaseAuthPlugin): Takes Parameters such that it can throw exceptions at the right times. """ - TEST_TOKEN = 'aToken' + TEST_TOKEN = utils.TestCase.TEST_TOKEN + TEST_USER_ID = 'aUser' + TEST_PROJECT_ID = 'aProject' SERVICE_URLS = { 'identity': {'public': 'http://identity-public:1111/v2.0', @@ -306,6 +533,12 @@ def get_endpoint(self, session, service_type=None, interface=None, def invalidate(self): return self._invalidate + def get_user_id(self, session): + return self.TEST_USER_ID + + def get_project_id(self, session): + return self.TEST_PROJECT_ID + class CalledAuthPlugin(base.BaseAuthPlugin): @@ -320,7 +553,7 @@ def __init__(self, invalidate=True): def get_token(self, session): self.get_token_called = True - return 'aToken' + return utils.TestCase.TEST_TOKEN def get_endpoint(self, session, **kwargs): self.get_endpoint_called = True @@ -337,12 +570,16 @@ class SessionAuthTests(utils.TestCase): TEST_URL = 'http://127.0.0.1:5000/' TEST_JSON = {'hello': 'world'} + def setUp(self): + super(SessionAuthTests, self).setUp() + self.deprecations.expect_deprecations() + def stub_service_url(self, service_type, interface, path, method='GET', **kwargs): base_url = AuthPlugin.SERVICE_URLS[service_type][interface] uri = "%s/%s" % (base_url.rstrip('/'), path.lstrip('/')) - self.requests.register_uri(method, uri, **kwargs) + self.requests_mock.register_uri(method, uri, **kwargs) def test_auth_plugin_default_with_plugin(self): self.stub_url('GET', base_url=self.TEST_URL, json=self.TEST_JSON) @@ -351,7 +588,7 @@ def test_auth_plugin_default_with_plugin(self): auth = AuthPlugin() sess = client_session.Session(auth=auth) resp = sess.get(self.TEST_URL) - self.assertDictEqual(resp.json(), self.TEST_JSON) + self.assertEqual(resp.json(), self.TEST_JSON) self.assertRequestHeaderEqual('X-Auth-Token', AuthPlugin.TEST_TOKEN) @@ -361,7 +598,7 @@ def test_auth_plugin_disable(self): auth = AuthPlugin() sess = client_session.Session(auth=auth) resp = sess.get(self.TEST_URL, authenticated=False) - self.assertDictEqual(resp.json(), self.TEST_JSON) + self.assertEqual(resp.json(), self.TEST_JSON) self.assertRequestHeaderEqual('X-Auth-Token', None) @@ -383,7 +620,7 @@ def test_service_type_urls(self): endpoint_filter={'service_type': service_type, 'interface': interface}) - self.assertEqual(self.requests.last_request.url, + self.assertEqual(self.requests_mock.last_request.url, AuthPlugin.SERVICE_URLS['compute']['public'] + path) self.assertEqual(resp.text, body) self.assertEqual(resp.status_code, status) @@ -405,7 +642,7 @@ def test_service_url_raises_if_no_url_returned(self): def test_raises_exc_only_when_asked(self): # A request that returns a HTTP error should by default raise an # exception by default, if you specify raise_exc=False then it will not - self.requests.register_uri('GET', self.TEST_URL, status_code=401) + self.requests_mock.get(self.TEST_URL, status_code=401) sess = client_session.Session() self.assertRaises(exceptions.Unauthorized, sess.get, self.TEST_URL) @@ -417,9 +654,8 @@ def test_passed_auth_plugin(self): passed = CalledAuthPlugin() sess = client_session.Session() - self.requests.register_uri('GET', - CalledAuthPlugin.ENDPOINT + 'path', - status_code=200) + self.requests_mock.get(CalledAuthPlugin.ENDPOINT + 'path', + status_code=200) endpoint_filter = {'service_type': 'identity'} # no plugin with authenticated won't work @@ -442,9 +678,8 @@ def test_passed_auth_plugin_overrides(self): sess = client_session.Session(fixed) - self.requests.register_uri('GET', - CalledAuthPlugin.ENDPOINT + 'path', - status_code=200) + self.requests_mock.get(CalledAuthPlugin.ENDPOINT + 'path', + status_code=200) resp = sess.get('path', auth=passed, endpoint_filter={'service_type': 'identity'}) @@ -460,7 +695,7 @@ def test_requests_auth_plugin(self): requests_auth = object() - FAKE_RESP = utils.TestResponse({'status_code': 200, 'text': 'resp'}) + FAKE_RESP = utils.test_response(text='resp') RESP = mock.Mock(return_value=FAKE_RESP) with mock.patch.object(sess.session, 'request', RESP) as mocked: @@ -476,9 +711,9 @@ def test_reauth_called(self): auth = CalledAuthPlugin(invalidate=True) sess = client_session.Session(auth=auth) - self.requests.register_uri('GET', self.TEST_URL, - [{'text': 'Failed', 'status_code': 401}, - {'text': 'Hello', 'status_code': 200}]) + self.requests_mock.get(self.TEST_URL, + [{'text': 'Failed', 'status_code': 401}, + {'text': 'Hello', 'status_code': 200}]) # allow_reauth=True is the default resp = sess.get(self.TEST_URL, authenticated=True) @@ -491,14 +726,91 @@ def test_reauth_not_called(self): auth = CalledAuthPlugin(invalidate=True) sess = client_session.Session(auth=auth) - self.requests.register_uri('GET', self.TEST_URL, - [{'text': 'Failed', 'status_code': 401}, - {'text': 'Hello', 'status_code': 200}]) + self.requests_mock.get(self.TEST_URL, + [{'text': 'Failed', 'status_code': 401}, + {'text': 'Hello', 'status_code': 200}]) self.assertRaises(exceptions.Unauthorized, sess.get, self.TEST_URL, authenticated=True, allow_reauth=False) self.assertFalse(auth.invalidate_called) + def test_endpoint_override_overrides_filter(self): + auth = CalledAuthPlugin() + sess = client_session.Session(auth=auth) + + override_base = 'http://mytest/' + path = 'path' + override_url = override_base + path + resp_text = uuid.uuid4().hex + + self.requests_mock.get(override_url, text=resp_text) + + resp = sess.get(path, + endpoint_override=override_base, + endpoint_filter={'service_type': 'identity'}) + + self.assertEqual(resp_text, resp.text) + self.assertEqual(override_url, self.requests_mock.last_request.url) + + self.assertTrue(auth.get_token_called) + self.assertFalse(auth.get_endpoint_called) + + def test_endpoint_override_ignore_full_url(self): + auth = CalledAuthPlugin() + sess = client_session.Session(auth=auth) + + path = 'path' + url = self.TEST_URL + path + + resp_text = uuid.uuid4().hex + self.requests_mock.get(url, text=resp_text) + + resp = sess.get(url, + endpoint_override='http://someother.url', + endpoint_filter={'service_type': 'identity'}) + + self.assertEqual(resp_text, resp.text) + self.assertEqual(url, self.requests_mock.last_request.url) + + self.assertTrue(auth.get_token_called) + self.assertFalse(auth.get_endpoint_called) + + def test_user_and_project_id(self): + auth = AuthPlugin() + sess = client_session.Session(auth=auth) + + self.assertEqual(auth.TEST_USER_ID, sess.get_user_id()) + self.assertEqual(auth.TEST_PROJECT_ID, sess.get_project_id()) + + def test_logger_object_passed(self): + logger = logging.getLogger(uuid.uuid4().hex) + logger.setLevel(logging.DEBUG) + logger.propagate = False + + io = StringIO() + handler = logging.StreamHandler(io) + logger.addHandler(handler) + + auth = AuthPlugin() + sess = client_session.Session(auth=auth) + response = {uuid.uuid4().hex: uuid.uuid4().hex} + + self.stub_url('GET', + json=response, + headers={'Content-Type': 'application/json'}) + + resp = sess.get(self.TEST_URL, logger=logger) + + self.assertEqual(response, resp.json()) + output = io.getvalue() + + self.assertIn(self.TEST_URL, output) + self.assertIn(list(response.keys())[0], output) + self.assertIn(list(response.values())[0], output) + + self.assertNotIn(list(response.keys())[0], self.logger.output) + self.assertNotIn(list(response.values())[0], self.logger.output) + class AdapterTest(utils.TestCase): @@ -507,38 +819,56 @@ class AdapterTest(utils.TestCase): INTERFACE = uuid.uuid4().hex REGION_NAME = uuid.uuid4().hex USER_AGENT = uuid.uuid4().hex + VERSION = uuid.uuid4().hex TEST_URL = CalledAuthPlugin.ENDPOINT - def test_setting_variables(self): - response = uuid.uuid4().hex - self.stub_url('GET', text=response) + def setUp(self): + super(AdapterTest, self).setUp() + self.deprecations.expect_deprecations() + def _create_loaded_adapter(self): auth = CalledAuthPlugin() sess = client_session.Session() - adpt = adapter.Adapter(sess, + return adapter.Adapter(sess, auth=auth, service_type=self.SERVICE_TYPE, service_name=self.SERVICE_NAME, interface=self.INTERFACE, region_name=self.REGION_NAME, - user_agent=self.USER_AGENT) - - resp = adpt.get('/') - self.assertEqual(resp.text, response) + user_agent=self.USER_AGENT, + version=self.VERSION) + def _verify_endpoint_called(self, adpt): self.assertEqual(self.SERVICE_TYPE, - auth.endpoint_arguments['service_type']) + adpt.auth.endpoint_arguments['service_type']) self.assertEqual(self.SERVICE_NAME, - auth.endpoint_arguments['service_name']) + adpt.auth.endpoint_arguments['service_name']) self.assertEqual(self.INTERFACE, - auth.endpoint_arguments['interface']) + adpt.auth.endpoint_arguments['interface']) self.assertEqual(self.REGION_NAME, - auth.endpoint_arguments['region_name']) + adpt.auth.endpoint_arguments['region_name']) + self.assertEqual(self.VERSION, + adpt.auth.endpoint_arguments['version']) - self.assertTrue(auth.get_token_called) + def test_setting_variables_on_request(self): + response = uuid.uuid4().hex + self.stub_url('GET', text=response) + adpt = self._create_loaded_adapter() + resp = adpt.get('/') + self.assertEqual(resp.text, response) + + self._verify_endpoint_called(adpt) + self.assertTrue(adpt.auth.get_token_called) self.assertRequestHeaderEqual('User-Agent', self.USER_AGENT) + def test_setting_variables_on_get_endpoint(self): + adpt = self._create_loaded_adapter() + url = adpt.get_endpoint() + + self.assertEqual(self.TEST_URL, url) + self._verify_endpoint_called(adpt) + def test_legacy_binding(self): key = uuid.uuid4().hex val = uuid.uuid4().hex @@ -585,6 +915,99 @@ def test_methods(self): getattr(adpt, method)(url) m.assert_called_once_with(url, method.upper()) + def test_setting_endpoint_override(self): + endpoint_override = 'http://overrideurl' + path = '/path' + endpoint_url = endpoint_override + path + + auth = CalledAuthPlugin() + sess = client_session.Session(auth=auth) + adpt = adapter.Adapter(sess, endpoint_override=endpoint_override) + + response = uuid.uuid4().hex + self.requests_mock.get(endpoint_url, text=response) + + resp = adpt.get(path) + + self.assertEqual(response, resp.text) + self.assertEqual(endpoint_url, self.requests_mock.last_request.url) + + self.assertEqual(endpoint_override, adpt.get_endpoint()) + + def test_adapter_invalidate(self): + auth = CalledAuthPlugin() + sess = client_session.Session() + adpt = adapter.Adapter(sess, auth=auth) + + adpt.invalidate() + + self.assertTrue(auth.invalidate_called) + + def test_adapter_get_token(self): + auth = CalledAuthPlugin() + sess = client_session.Session() + adpt = adapter.Adapter(sess, auth=auth) + + self.assertEqual(self.TEST_TOKEN, adpt.get_token()) + self.assertTrue(auth.get_token_called) + + def test_adapter_connect_retries(self): + retries = 2 + sess = client_session.Session() + adpt = adapter.Adapter(sess, connect_retries=retries) + + def _refused_error(request, context): + raise requests.exceptions.ConnectionError() + + self.stub_url('GET', text=_refused_error) + + with mock.patch('time.sleep') as m: + self.assertRaises(exceptions.ConnectionRefused, + adpt.get, self.TEST_URL) + self.assertEqual(retries, m.call_count) + + # we count retries so there will be one initial request + 2 retries + self.assertThat(self.requests_mock.request_history, + matchers.HasLength(retries + 1)) + + def test_user_and_project_id(self): + auth = AuthPlugin() + sess = client_session.Session() + adpt = adapter.Adapter(sess, auth=auth) + + self.assertEqual(auth.TEST_USER_ID, adpt.get_user_id()) + self.assertEqual(auth.TEST_PROJECT_ID, adpt.get_project_id()) + + def test_logger_object_passed(self): + logger = logging.getLogger(uuid.uuid4().hex) + logger.setLevel(logging.DEBUG) + logger.propagate = False + + io = StringIO() + handler = logging.StreamHandler(io) + logger.addHandler(handler) + + auth = AuthPlugin() + sess = client_session.Session(auth=auth) + adpt = adapter.Adapter(sess, auth=auth, logger=logger) + + response = {uuid.uuid4().hex: uuid.uuid4().hex} + + self.stub_url('GET', json=response, + headers={'Content-Type': 'application/json'}) + + resp = adpt.get(self.TEST_URL, logger=logger) + + self.assertEqual(response, resp.json()) + output = io.getvalue() + + self.assertIn(self.TEST_URL, output) + self.assertIn(list(response.keys())[0], output) + self.assertIn(list(response.values())[0], output) + + self.assertNotIn(list(response.keys())[0], self.logger.output) + self.assertNotIn(list(response.values())[0], self.logger.output) + class ConfLoadingTests(utils.TestCase): @@ -602,10 +1025,11 @@ def config(self, **kwargs): self.conf_fixture.config(**kwargs) def get_session(self, **kwargs): - return client_session.Session.load_from_conf_options( - self.conf_fixture.conf, - self.GROUP, - **kwargs) + with self.deprecations.expect_deprecations_here(): + return client_session.Session.load_from_conf_options( + self.conf_fixture.conf, + self.GROUP, + **kwargs) def test_insecure_timeout(self): self.config(insecure=True, timeout=5) @@ -655,7 +1079,8 @@ def setUp(self): def get_session(self, val, **kwargs): args = self.parser.parse_args(val.split()) - return client_session.Session.load_from_cli_options(args, **kwargs) + with self.deprecations.expect_deprecations_here(): + return client_session.Session.load_from_cli_options(args, **kwargs) def test_insecure_timeout(self): s = self.get_session('--insecure --timeout 5.5') diff --git a/keystoneclient/tests/unit/test_utils.py b/keystoneclient/tests/unit/test_utils.py new file mode 100644 index 000000000..2aa5e92be --- /dev/null +++ b/keystoneclient/tests/unit/test_utils.py @@ -0,0 +1,131 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneauth1 import exceptions as ksa_exceptions +import testresources +from testtools import matchers + + +from keystoneclient import exceptions as ksc_exceptions +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit import utils as test_utils +from keystoneclient import utils + + +class FakeResource(object): + pass + + +class FakeManager(object): + + resource_class = FakeResource + + resources = { + '1234': {'name': 'entity_one'}, + '8e8ec658-c7b0-4243-bdf8-6f7f2952c0d0': {'name': 'entity_two'}, + '\xe3\x82\xbdtest': {'name': '\u30bdtest'}, + '5678': {'name': '9876'} + } + + def get(self, resource_id): + try: + return self.resources[str(resource_id)] + except KeyError: + raise ksa_exceptions.NotFound(resource_id) + + def find(self, name=None): + if name == '9999': + # NOTE(morganfainberg): special case that raises NoUniqueMatch. + raise ksc_exceptions.NoUniqueMatch() + for resource_id, resource in self.resources.items(): + if resource['name'] == str(name): + return resource + raise ksa_exceptions.NotFound(name) + + +class FindResourceTestCase(test_utils.TestCase): + + def setUp(self): + super(FindResourceTestCase, self).setUp() + self.manager = FakeManager() + + def test_find_none(self): + self.assertRaises(ksc_exceptions.CommandError, + utils.find_resource, + self.manager, + 'asdf') + + def test_find_by_integer_id(self): + output = utils.find_resource(self.manager, 1234) + self.assertEqual(output, self.manager.resources['1234']) + + def test_find_by_str_id(self): + output = utils.find_resource(self.manager, '1234') + self.assertEqual(output, self.manager.resources['1234']) + + def test_find_by_uuid(self): + uuid = '8e8ec658-c7b0-4243-bdf8-6f7f2952c0d0' + output = utils.find_resource(self.manager, uuid) + self.assertEqual(output, self.manager.resources[uuid]) + + def test_find_by_unicode(self): + name = '\xe3\x82\xbdtest' + output = utils.find_resource(self.manager, name) + self.assertEqual(output, self.manager.resources[name]) + + def test_find_by_str_name(self): + output = utils.find_resource(self.manager, 'entity_one') + self.assertEqual(output, self.manager.resources['1234']) + + def test_find_by_int_name(self): + output = utils.find_resource(self.manager, 9876) + self.assertEqual(output, self.manager.resources['5678']) + + def test_find_no_unique_match(self): + self.assertRaises(ksc_exceptions.CommandError, + utils.find_resource, + self.manager, + 9999) + + +class FakeObject(object): + def __init__(self, name): + self.name = name + + +class HashSignedTokenTestCase(test_utils.TestCase, + testresources.ResourcedTestCase): + """Unit tests for utils.hash_signed_token().""" + + resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] + + def test_default_md5(self): + """The default hash method is md5.""" + token = self.examples.SIGNED_TOKEN_SCOPED + token = token.encode('utf-8') + token_id_default = utils.hash_signed_token(token) + token_id_md5 = utils.hash_signed_token(token, mode='md5') + self.assertThat(token_id_default, matchers.Equals(token_id_md5)) + # md5 hash is 32 chars. + self.assertThat(token_id_default, matchers.HasLength(32)) + + def test_sha256(self): + """Can also hash with sha256.""" + token = self.examples.SIGNED_TOKEN_SCOPED + token = token.encode('utf-8') + token_id = utils.hash_signed_token(token, mode='sha256') + # sha256 hash is 64 chars. + self.assertThat(token_id, matchers.HasLength(64)) + + +def load_tests(loader, tests, pattern): + return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/utils.py b/keystoneclient/tests/unit/utils.py similarity index 58% rename from keystoneclient/tests/utils.py rename to keystoneclient/tests/unit/utils.py index 4465835e7..4463213b1 100644 --- a/keystoneclient/tests/utils.py +++ b/keystoneclient/tests/unit/utils.py @@ -12,50 +12,41 @@ import logging import sys -import time +import urllib.parse as urlparse import uuid import fixtures -import mock -from mox3 import mox +from oslo_serialization import jsonutils import requests +import requests_mock from requests_mock.contrib import fixture -import six -from six.moves.urllib import parse as urlparse +import testscenarios import testtools -from keystoneclient.openstack.common import jsonutils +from keystoneclient.tests.unit import client_fixtures class TestCase(testtools.TestCase): - TEST_DOMAIN_ID = '1' - TEST_DOMAIN_NAME = 'aDomain' + TEST_DOMAIN_ID = uuid.uuid4().hex + TEST_DOMAIN_NAME = uuid.uuid4().hex TEST_GROUP_ID = uuid.uuid4().hex TEST_ROLE_ID = uuid.uuid4().hex - TEST_TENANT_ID = '1' - TEST_TENANT_NAME = 'aTenant' - TEST_TOKEN = 'aToken' - TEST_TRUST_ID = 'aTrust' - TEST_USER = 'test' + TEST_TENANT_ID = uuid.uuid4().hex + TEST_TENANT_NAME = uuid.uuid4().hex + TEST_TOKEN = uuid.uuid4().hex + TEST_TRUST_ID = uuid.uuid4().hex + TEST_USER = uuid.uuid4().hex TEST_USER_ID = uuid.uuid4().hex TEST_ROOT_URL = 'http://127.0.0.1:5000/' def setUp(self): super(TestCase, self).setUp() - self.mox = mox.Mox() - self.logger = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG)) - self.time_patcher = mock.patch.object(time, 'time', lambda: 1234) - self.time_patcher.start() - - self.requests = self.useFixture(fixture.Fixture()) + self.deprecations = self.useFixture(client_fixtures.Deprecations()) - def tearDown(self): - self.time_patcher.stop() - self.mox.UnsetStubs() - self.mox.VerifyAll() - super(TestCase, self).tearDown() + self.logger = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG)) + self.requests_mock = self.useFixture(fixture.Fixture()) def stub_url(self, method, parts=None, base_url=None, json=None, **kwargs): if not base_url: @@ -72,10 +63,10 @@ def stub_url(self, method, parts=None, base_url=None, json=None, **kwargs): url = base_url url = url.replace("/?", "?") - self.requests.register_uri(method, url, **kwargs) + self.requests_mock.register_uri(method, url, **kwargs) def assertRequestBodyIs(self, body=None, json=None): - last_request_body = self.requests.last_request.body + last_request_body = self.requests_mock.last_request.body if json: val = jsonutils.loads(last_request_body) self.assertEqual(json, val) @@ -83,75 +74,44 @@ def assertRequestBodyIs(self, body=None, json=None): self.assertEqual(body, last_request_body) def assertQueryStringIs(self, qs=''): - """Verify the QueryString matches what is expected. + r"""Verify the QueryString matches what is expected. The qs parameter should be of the format \'foo=bar&abc=xyz\' """ - expected = urlparse.parse_qs(qs) - parts = urlparse.urlparse(self.requests.last_request.url) - querystring = urlparse.parse_qs(parts.query) + expected = urlparse.parse_qs(qs, keep_blank_values=True) + parts = urlparse.urlparse(self.requests_mock.last_request.url) + querystring = urlparse.parse_qs(parts.query, keep_blank_values=True) self.assertEqual(expected, querystring) def assertQueryStringContains(self, **kwargs): - parts = urlparse.urlparse(self.requests.last_request.url) - qs = urlparse.parse_qs(parts.query) + """Verify the query string contains the expected parameters. - for k, v in six.iteritems(kwargs): + This method is used to verify that the query string for the most recent + request made contains all the parameters provided as ``kwargs``, and + that the value of each parameter contains the value for the kwarg. If + the value for the kwarg is an empty string (''), then all that's + verified is that the parameter is present. + + """ + parts = urlparse.urlparse(self.requests_mock.last_request.url) + qs = urlparse.parse_qs(parts.query, keep_blank_values=True) + + for k, v in kwargs.items(): self.assertIn(k, qs) self.assertIn(v, qs[k]) def assertRequestHeaderEqual(self, name, val): - """Verify that the last request made contains a header and its value + """Verify that the last request made contains a header and its value. The request must have already been made. """ - headers = self.requests.last_request.headers + headers = self.requests_mock.last_request.headers self.assertEqual(headers.get(name), val) -if tuple(sys.version_info)[0:2] < (2, 7): - - def assertDictEqual(self, d1, d2, msg=None): - # Simple version taken from 2.7 - self.assertIsInstance(d1, dict, - 'First argument is not a dictionary') - self.assertIsInstance(d2, dict, - 'Second argument is not a dictionary') - if d1 != d2: - if msg: - self.fail(msg) - else: - standardMsg = '%r != %r' % (d1, d2) - self.fail(standardMsg) - - TestCase.assertDictEqual = assertDictEqual - - -class TestResponse(requests.Response): - """Class used to wrap requests.Response and provide some - convenience to initialize with a dict. - """ - - def __init__(self, data): - self._text = None - super(TestResponse, self).__init__() - if isinstance(data, dict): - self.status_code = data.get('status_code', 200) - headers = data.get('headers') - if headers: - self.headers.update(headers) - # Fake the text attribute to streamline Response creation - # _content is defined by requests.Response - self._content = data.get('text') - else: - self.status_code = data - - def __eq__(self, other): - return self.__dict__ == other.__dict__ - - @property - def text(self): - return self.content +def test_response(**kwargs): + r = requests.Request(method='GET', url='http://localhost:5000').prepare() + return requests_mock.create_response(r, **kwargs) class DisableModuleFixture(fixtures.Fixture): @@ -171,7 +131,7 @@ def tearDown(self): def clear_module(self): cleared_modules = {} - for fullname in sys.modules.keys(): + for fullname in list(sys.modules): if (fullname == self.module or fullname.startswith(self.module + '.')): cleared_modules[fullname] = sys.modules.pop(fullname) @@ -179,7 +139,6 @@ def clear_module(self): def setUp(self): """Ensure ImportError for the specified module.""" - super(DisableModuleFixture, self).setUp() # Clear 'module' references in sys.modules @@ -190,6 +149,30 @@ def setUp(self): sys.meta_path.insert(0, finder) +class ClientTestCaseMixin(testscenarios.WithScenarios): + + client_fixture_class = None + data_fixture_class = None + + def setUp(self): + super(ClientTestCaseMixin, self).setUp() + + self.data_fixture = None + self.client_fixture = None + self.client = None + + if self.client_fixture_class: + fix = self.client_fixture_class(self.requests_mock, + self.deprecations) + self.client_fixture = self.useFixture(fix) + self.client = self.client_fixture.client + self.TEST_USER_ID = self.client_fixture.user_id + + if self.data_fixture_class: + fix = self.data_fixture_class(self.requests_mock) + self.data_fixture = self.useFixture(fix) + + class NoModuleFinder(object): """Disallow further imports of 'module'.""" diff --git a/keystoneclient/tests/apiclient/__init__.py b/keystoneclient/tests/unit/v2_0/__init__.py similarity index 100% rename from keystoneclient/tests/apiclient/__init__.py rename to keystoneclient/tests/unit/v2_0/__init__.py diff --git a/keystoneclient/tests/v2_0/client_fixtures.py b/keystoneclient/tests/unit/v2_0/client_fixtures.py similarity index 95% rename from keystoneclient/tests/v2_0/client_fixtures.py rename to keystoneclient/tests/unit/v2_0/client_fixtures.py index 39d808eb1..d3d8bcac3 100644 --- a/keystoneclient/tests/v2_0/client_fixtures.py +++ b/keystoneclient/tests/unit/v2_0/client_fixtures.py @@ -9,10 +9,9 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import uuid -from __future__ import unicode_literals - -from keystoneclient import fixture +from keystoneauth1 import fixture def unscoped_token(): @@ -30,7 +29,8 @@ def project_scoped_token(): tenant_id='225da22d3ce34b15877ea70b2a575f58', tenant_name='exampleproject', user_id='c4da488862bd435c9e6c0275a0d0e49a', - user_name='exampleuser') + user_name='exampleuser', + audit_chain_id=uuid.uuid4().hex) f.add_role(id='member_id', name='Member') @@ -73,7 +73,8 @@ def auth_response_body(): tenant_id='345', tenant_name='My Project', user_id='123', - user_name='jqsmith') + user_name='jqsmith', + audit_chain_id=uuid.uuid4().hex) f.add_role(id='234', name='compute:admin') role = f.add_role(id='235', name='object-store:admin') diff --git a/keystoneclient/tests/v2_0/test_access.py b/keystoneclient/tests/unit/v2_0/test_access.py similarity index 72% rename from keystoneclient/tests/v2_0/test_access.py rename to keystoneclient/tests/unit/v2_0/test_access.py index 52cb6b176..95556aff2 100644 --- a/keystoneclient/tests/v2_0/test_access.py +++ b/keystoneclient/tests/unit/v2_0/test_access.py @@ -13,14 +13,14 @@ import datetime import uuid +from keystoneauth1 import fixture +from oslo_utils import timeutils import testresources from keystoneclient import access -from keystoneclient import fixture -from keystoneclient.openstack.common import timeutils -from keystoneclient.tests import client_fixtures as token_data -from keystoneclient.tests.v2_0 import client_fixtures -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit import client_fixtures as token_data +from keystoneclient.tests.unit.v2_0 import client_fixtures +from keystoneclient.tests.unit.v2_0 import utils class AccessInfoTest(utils.TestCase, testresources.ResourcedTestCase): @@ -45,10 +45,13 @@ def test_building_unscoped_accessinfo(self): self.assertIsNone(auth_ref.tenant_name) self.assertIsNone(auth_ref.tenant_id) - self.assertIsNone(auth_ref.auth_url) - self.assertIsNone(auth_ref.management_url) + with self.deprecations.expect_deprecations_here(): + self.assertIsNone(auth_ref.auth_url) + with self.deprecations.expect_deprecations_here(): + self.assertIsNone(auth_ref.management_url) - self.assertFalse(auth_ref.scoped) + with self.deprecations.expect_deprecations_here(): + self.assertFalse(auth_ref.scoped) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) self.assertFalse(auth_ref.trust_scoped) @@ -61,6 +64,10 @@ def test_building_unscoped_accessinfo(self): self.assertEqual(auth_ref.expires, token.expires) self.assertEqual(auth_ref.issued, token.issued) + self.assertEqual(token.audit_id, auth_ref.audit_id) + self.assertIsNone(auth_ref.audit_chain_id) + self.assertIsNone(token.audit_chain_id) + def test_will_expire_soon(self): token = client_fixtures.unscoped_token() expires = timeutils.utcnow() + datetime.timedelta(minutes=5) @@ -94,18 +101,26 @@ def test_building_scoped_accessinfo(self): self.assertEqual(auth_ref.tenant_name, auth_ref.project_name) self.assertEqual(auth_ref.tenant_id, auth_ref.project_id) - self.assertEqual(auth_ref.auth_url, ('http://public.com:5000/v2.0',)) - self.assertEqual(auth_ref.management_url, ('http://admin:35357/v2.0',)) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(auth_ref.auth_url, + ('http://public.com:5000/v2.0',)) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(auth_ref.management_url, + ('http://admin:35357/v2.0',)) self.assertEqual(auth_ref.project_domain_id, 'default') self.assertEqual(auth_ref.project_domain_name, 'Default') self.assertEqual(auth_ref.user_domain_id, 'default') self.assertEqual(auth_ref.user_domain_name, 'Default') - self.assertTrue(auth_ref.scoped) + with self.deprecations.expect_deprecations_here(): + self.assertTrue(auth_ref.scoped) self.assertTrue(auth_ref.project_scoped) self.assertFalse(auth_ref.domain_scoped) + self.assertEqual(token.audit_id, auth_ref.audit_id) + self.assertEqual(token.audit_chain_id, auth_ref.audit_chain_id) + def test_diablo_token(self): diablo_token = self.examples.TOKEN_RESPONSES[ self.examples.VALID_DIABLO_TOKEN] @@ -120,7 +135,8 @@ def test_diablo_token(self): self.assertEqual(auth_ref.user_domain_id, 'default') self.assertEqual(auth_ref.user_domain_name, 'Default') self.assertEqual(auth_ref.role_names, ['role1', 'role2']) - self.assertFalse(auth_ref.scoped) + with self.deprecations.expect_deprecations_here(): + self.assertFalse(auth_ref.scoped) def test_grizzly_token(self): grizzly_token = self.examples.TOKEN_RESPONSES[ @@ -165,6 +181,37 @@ def test_trusts(self): self.assertEqual(trust_id, token['access']['trust']['id']) + def test_override_auth_token(self): + token = fixture.V2Token() + token.set_scope() + token.add_role() + + new_auth_token = uuid.uuid4().hex + + auth_ref = access.AccessInfo.factory(body=token) + + self.assertEqual(token.token_id, auth_ref.auth_token) + + auth_ref.auth_token = new_auth_token + self.assertEqual(new_auth_token, auth_ref.auth_token) + + del auth_ref.auth_token + self.assertEqual(token.token_id, auth_ref.auth_token) + + def test_override_auth_token_in_factory(self): + token = fixture.V2Token() + token.set_scope() + token.add_role() + + new_auth_token = uuid.uuid4().hex + + auth_ref = access.AccessInfo.factory(body=token, + auth_token=new_auth_token) + + self.assertEqual(new_auth_token, auth_ref.auth_token) + del auth_ref.auth_token + self.assertEqual(token.token_id, auth_ref.auth_token) + def load_tests(loader, tests, pattern): return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/v2_0/test_auth.py b/keystoneclient/tests/unit/v2_0/test_auth.py similarity index 66% rename from keystoneclient/tests/v2_0/test_auth.py rename to keystoneclient/tests/unit/v2_0/test_auth.py index 0c426990e..b73352471 100644 --- a/keystoneclient/tests/v2_0/test_auth.py +++ b/keystoneclient/tests/unit/v2_0/test_auth.py @@ -13,10 +13,12 @@ import copy import datetime +from oslo_serialization import jsonutils +from oslo_utils import timeutils +from testtools import testcase + from keystoneclient import exceptions -from keystoneclient.openstack.common import jsonutils -from keystoneclient.openstack.common import timeutils -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import client @@ -26,7 +28,7 @@ def setUp(self): self.TEST_RESPONSE_DICT = { "access": { "token": { - "expires": "2020-01-01T00:00:10.000123Z", + "expires": "2999-01-01T00:00:10.000123Z", "id": self.TEST_TOKEN, "tenant": { "id": self.TEST_TENANT_ID @@ -59,23 +61,26 @@ def test_authenticate_success_expired(self): # Build a new response TEST_TOKEN = "abcdef" - resp_b['access']['token']['expires'] = '2020-01-01T00:00:10.000123Z' + resp_b['access']['token']['expires'] = '2999-01-01T00:00:10.000123Z' resp_b['access']['token']['id'] = TEST_TOKEN # return expired first, and then the new response self.stub_auth(response_list=[{'json': resp_a, 'headers': headers}, {'json': resp_b, 'headers': headers}]) - cs = client.Client(tenant_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL, - username=self.TEST_USER, - password=self.TEST_TOKEN) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL, + username=self.TEST_USER, + password=self.TEST_TOKEN) self.assertEqual(cs.management_url, self.TEST_RESPONSE_DICT["access"]["serviceCatalog"][3] ['endpoints'][0]["adminURL"]) - self.assertEqual(cs.auth_token, TEST_TOKEN) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(cs.auth_token, TEST_TOKEN) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_authenticate_failure(self): @@ -88,29 +93,27 @@ def test_authenticate_failure(self): self.stub_auth(status_code=401, json=error) - # Workaround for issue with assertRaises on python2.6 - # where with assertRaises(exceptions.Unauthorized): doesn't work - # right - def client_create_wrapper(): - client.Client(username=self.TEST_USER, - password="bad_key", - tenant_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + with testcase.ExpectedException(exceptions.Unauthorized): + with self.deprecations.expect_deprecations_here(): + client.Client(username=self.TEST_USER, + password="bad_key", + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) - self.assertRaises(exceptions.Unauthorized, client_create_wrapper) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_auth_redirect(self): - self.stub_auth(status_code=305, body='Use Proxy', + self.stub_auth(status_code=305, text='Use Proxy', headers={'Location': self.TEST_ADMIN_URL + "/tokens"}) self.stub_auth(base_url=self.TEST_ADMIN_URL, json=self.TEST_RESPONSE_DICT) - cs = client.Client(username=self.TEST_USER, - password=self.TEST_TOKEN, - tenant_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cs = client.Client(username=self.TEST_USER, + password=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.management_url, self.TEST_RESPONSE_DICT["access"]["serviceCatalog"][3] @@ -122,10 +125,11 @@ def test_auth_redirect(self): def test_authenticate_success_password_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(username=self.TEST_USER, - password=self.TEST_TOKEN, - tenant_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cs = client.Client(username=self.TEST_USER, + password=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.management_url, self.TEST_RESPONSE_DICT["access"]["serviceCatalog"][3] ['endpoints'][0]["adminURL"]) @@ -139,12 +143,13 @@ def test_authenticate_success_password_unscoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(username=self.TEST_USER, - password=self.TEST_TOKEN, - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cs = client.Client(username=self.TEST_USER, + password=self.TEST_TOKEN, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_token, self.TEST_RESPONSE_DICT["access"]["token"]["id"]) - self.assertFalse('serviceCatalog' in cs.service_catalog.catalog) + self.assertNotIn('serviceCatalog', cs.service_catalog.catalog) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_auth_url_token_authentication(self): @@ -156,15 +161,17 @@ def test_auth_url_token_authentication(self): self.stub_url('GET', [fake_url], json=fake_resp, base_url=self.TEST_ADMIN_IDENTITY_ENDPOINT) - cl = client.Client(auth_url=self.TEST_URL, - token=fake_token) - json_body = jsonutils.loads(self.requests.last_request.body) + with self.deprecations.expect_deprecations_here(): + cl = client.Client(auth_url=self.TEST_URL, + token=fake_token) + json_body = jsonutils.loads(self.requests_mock.last_request.body) self.assertEqual(json_body['auth']['token']['id'], fake_token) - resp, body = cl.get(fake_url) + with self.deprecations.expect_deprecations_here(): + resp, body = cl.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(self.TEST_TOKEN, token) def test_authenticate_success_token_scoped(self): @@ -172,9 +179,10 @@ def test_authenticate_success_token_scoped(self): self.TEST_REQUEST_BODY['auth']['token'] = {'id': self.TEST_TOKEN} self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(token=self.TEST_TOKEN, - tenant_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cs = client.Client(token=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.management_url, self.TEST_RESPONSE_DICT["access"]["serviceCatalog"][3] ['endpoints'][0]["adminURL"]) @@ -191,10 +199,11 @@ def test_authenticate_success_token_scoped_trust(self): "id": self.TEST_TRUST_ID} self.stub_auth(json=response) - cs = client.Client(token=self.TEST_TOKEN, - tenant_id=self.TEST_TENANT_ID, - trust_id=self.TEST_TRUST_ID, - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cs = client.Client(token=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + trust_id=self.TEST_TRUST_ID, + auth_url=self.TEST_URL) self.assertTrue(cs.auth_ref.trust_scoped) self.assertEqual(cs.auth_ref.trust_id, self.TEST_TRUST_ID) self.assertEqual(cs.auth_ref.trustee_user_id, self.TEST_USER) @@ -208,11 +217,12 @@ def test_authenticate_success_token_unscoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(token=self.TEST_TOKEN, - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cs = client.Client(token=self.TEST_TOKEN, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_token, self.TEST_RESPONSE_DICT["access"]["token"]["id"]) - self.assertFalse('serviceCatalog' in cs.service_catalog.catalog) + self.assertNotIn('serviceCatalog', cs.service_catalog.catalog) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_allow_override_of_auth_token(self): @@ -224,34 +234,35 @@ def test_allow_override_of_auth_token(self): self.stub_url('GET', [fake_url], json=fake_resp, base_url=self.TEST_ADMIN_IDENTITY_ENDPOINT) - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL) + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL) self.assertEqual(cl.auth_token, self.TEST_TOKEN) # the token returned from the authentication will be used - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(self.TEST_TOKEN, token) # then override that token and the new token shall be used cl.auth_token = fake_token - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(fake_token, token) # if we clear that overridden token then we fall back to the original del cl.auth_token - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(self.TEST_TOKEN, token) diff --git a/keystoneclient/tests/unit/v2_0/test_certificates.py b/keystoneclient/tests/unit/v2_0/test_certificates.py new file mode 100644 index 000000000..4f689d9ad --- /dev/null +++ b/keystoneclient/tests/unit/v2_0/test_certificates.py @@ -0,0 +1,40 @@ +# Copyright 2014 IBM Corp. +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import testresources + +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit.v2_0 import utils + + +class CertificateTests(utils.ClientTestCase, testresources.ResourcedTestCase): + + resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] + + def test_get_ca_certificate(self): + self.stub_url('GET', ['certificates', 'ca'], + headers={'Content-Type': 'text/html; charset=UTF-8'}, + text=self.examples.SIGNING_CA) + res = self.client.certificates.get_ca_certificate() + self.assertEqual(self.examples.SIGNING_CA, res) + + def test_get_signing_certificate(self): + self.stub_url('GET', ['certificates', 'signing'], + headers={'Content-Type': 'text/html; charset=UTF-8'}, + text=self.examples.SIGNING_CERT) + res = self.client.certificates.get_signing_certificate() + self.assertEqual(self.examples.SIGNING_CERT, res) + + +def load_tests(loader, tests, pattern): + return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/unit/v2_0/test_client.py b/keystoneclient/tests/unit/v2_0/test_client.py new file mode 100644 index 000000000..7fe9b1813 --- /dev/null +++ b/keystoneclient/tests/unit/v2_0/test_client.py @@ -0,0 +1,221 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from oslo_serialization import jsonutils + +from keystoneauth1 import fixture + +from keystoneauth1 import session as auth_session +from keystoneclient.auth import token_endpoint +from keystoneclient import exceptions +from keystoneclient import session +from keystoneclient.tests.unit.v2_0 import client_fixtures +from keystoneclient.tests.unit.v2_0 import utils +from keystoneclient.v2_0 import client + + +class KeystoneClientTest(utils.TestCase): + + def test_unscoped_init(self): + token = client_fixtures.unscoped_token() + self.stub_auth(json=token) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(username='exampleuser', + password='password', + auth_url=self.TEST_URL) + self.assertIsNotNone(c.auth_ref) + with self.deprecations.expect_deprecations_here(): + self.assertFalse(c.auth_ref.scoped) + self.assertFalse(c.auth_ref.domain_scoped) + self.assertFalse(c.auth_ref.project_scoped) + self.assertIsNone(c.auth_ref.trust_id) + self.assertFalse(c.auth_ref.trust_scoped) + self.assertIsNone(c.get_project_id(session=None)) + self.assertEqual(token.user_id, c.get_user_id(session=None)) + + def test_scoped_init(self): + token = client_fixtures.project_scoped_token() + self.stub_auth(json=token) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL) + self.assertIsNotNone(c.auth_ref) + with self.deprecations.expect_deprecations_here(): + self.assertTrue(c.auth_ref.scoped) + self.assertTrue(c.auth_ref.project_scoped) + self.assertFalse(c.auth_ref.domain_scoped) + self.assertIsNone(c.auth_ref.trust_id) + self.assertFalse(c.auth_ref.trust_scoped) + + self.assertEqual(token.tenant_id, c.get_project_id(session=None)) + self.assertEqual(token.user_id, c.get_user_id(session=None)) + + def test_auth_ref_load(self): + self.stub_auth(json=client_fixtures.project_scoped_token()) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL) + cache = jsonutils.dumps(cl.auth_ref) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + new_client = client.Client(auth_ref=jsonutils.loads(cache)) + self.assertIsNotNone(new_client.auth_ref) + with self.deprecations.expect_deprecations_here(): + self.assertTrue(new_client.auth_ref.scoped) + self.assertTrue(new_client.auth_ref.project_scoped) + self.assertFalse(new_client.auth_ref.domain_scoped) + self.assertIsNone(new_client.auth_ref.trust_id) + self.assertFalse(new_client.auth_ref.trust_scoped) + self.assertEqual(new_client.username, 'exampleuser') + self.assertIsNone(new_client.password) + self.assertEqual(new_client.management_url, + 'http://admin:35357/v2.0') + + def test_auth_ref_load_with_overridden_arguments(self): + self.stub_auth(json=client_fixtures.project_scoped_token()) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL) + cache = jsonutils.dumps(cl.auth_ref) + new_auth_url = "http://new-public:5000/v2.0" + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + new_client = client.Client(auth_ref=jsonutils.loads(cache), + auth_url=new_auth_url) + self.assertIsNotNone(new_client.auth_ref) + with self.deprecations.expect_deprecations_here(): + self.assertTrue(new_client.auth_ref.scoped) + self.assertTrue(new_client.auth_ref.project_scoped) + self.assertFalse(new_client.auth_ref.domain_scoped) + self.assertIsNone(new_client.auth_ref.trust_id) + self.assertFalse(new_client.auth_ref.trust_scoped) + self.assertEqual(new_client.auth_url, new_auth_url) + self.assertEqual(new_client.username, 'exampleuser') + self.assertIsNone(new_client.password) + self.assertEqual(new_client.management_url, + 'http://admin:35357/v2.0') + + def test_init_err_no_auth_url(self): + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + self.assertRaises(exceptions.AuthorizationFailure, + client.Client, + username='exampleuser', + password='password') + + def test_management_url_is_updated(self): + first = fixture.V2Token() + first.set_scope() + admin_url = 'http://admin:35357/v2.0' + second_url = 'http://secondurl:35357/v2.0' + + s = first.add_service('identity') + s.add_endpoint(public='http://public.com:5000/v2.0', + admin=admin_url) + + second = fixture.V2Token() + second.set_scope() + s = second.add_service('identity') + s.add_endpoint(public='http://secondurl:5000/v2.0', + admin=second_url) + + self.stub_auth(response_list=[{'json': first}, {'json': second}]) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL) + self.assertEqual(cl.management_url, admin_url) + + with self.deprecations.expect_deprecations_here(): + cl.authenticate() + self.assertEqual(cl.management_url, second_url) + + def test_client_with_region_name_passes_to_service_catalog(self): + # NOTE(jamielennox): this is deprecated behaviour that should be + # removed ASAP, however must remain compatible. + self.stub_auth(json=client_fixtures.auth_response_body()) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL, + region_name='North') + self.assertEqual(cl.service_catalog.url_for(service_type='image'), + 'https://image.north.host/v1/') + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL, + region_name='South') + self.assertEqual(cl.service_catalog.url_for(service_type='image'), + 'https://image.south.host/v1/') + + def test_client_without_auth_params(self): + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + self.assertRaises(exceptions.AuthorizationFailure, + client.Client, + project_name='exampleproject', + auth_url=self.TEST_URL) + + def test_client_params(self): + with self.deprecations.expect_deprecations_here(): + sess = session.Session() + auth = token_endpoint.Token('a', 'b') + + opts = {'auth': auth, + 'connect_retries': 50, + 'endpoint_override': uuid.uuid4().hex, + 'interface': uuid.uuid4().hex, + 'region_name': uuid.uuid4().hex, + 'service_name': uuid.uuid4().hex, + 'user_agent': uuid.uuid4().hex, + } + + cl = client.Client(session=sess, **opts) + + for k, v in opts.items(): + self.assertEqual(v, getattr(cl._adapter, k)) + + self.assertEqual('identity', cl._adapter.service_type) + self.assertEqual((2, 0), cl._adapter.version) + + def test_empty_service_catalog_param(self): + # Client().service_catalog should return None if the client is not + # authenticated + sess = auth_session.Session() + cl = client.Client(session=sess) + self.assertIsNone(cl.service_catalog) diff --git a/keystoneclient/tests/v2_0/test_discovery.py b/keystoneclient/tests/unit/v2_0/test_discovery.py similarity index 86% rename from keystoneclient/tests/v2_0/test_discovery.py rename to keystoneclient/tests/unit/v2_0/test_discovery.py index 7c4f320f9..a3700e0e1 100644 --- a/keystoneclient/tests/v2_0/test_discovery.py +++ b/keystoneclient/tests/unit/v2_0/test_discovery.py @@ -12,7 +12,7 @@ from keystoneclient.generic import client -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils class DiscoverKeystoneTests(utils.UnauthenticatedTestCase): @@ -29,11 +29,11 @@ def setUp(self): "href": "http://127.0.0.1:5000/v2.0/", }, {"rel": "describedby", "type": "text/html", - "href": "http://docs.openstack.org/api/" + "href": "https://docs.openstack.org/api/" "openstack-identity-service/2.0/content/", }, {"rel": "describedby", "type": "application/pdf", - "href": "http://docs.openstack.org/api/" + "href": "https://docs.openstack.org/api/" "openstack-identity-service/2.0/" "identity-dev-guide-2.0.pdf", }, {"rel": "describedby", @@ -55,7 +55,9 @@ def test_get_versions(self): self.stub_url('GET', base_url=self.TEST_ROOT_URL, json=self.TEST_RESPONSE_DICT) - cs = client.Client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client() versions = cs.discover(self.TEST_ROOT_URL) self.assertIsInstance(versions, dict) self.assertIn('message', versions) @@ -69,7 +71,9 @@ def test_get_version_local(self): self.stub_url('GET', base_url="http://localhost:35357/", json=self.TEST_RESPONSE_DICT) - cs = client.Client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client() versions = cs.discover() self.assertIsInstance(versions, dict) self.assertIn('message', versions) diff --git a/keystoneclient/tests/v2_0/test_ec2.py b/keystoneclient/tests/unit/v2_0/test_ec2.py similarity index 97% rename from keystoneclient/tests/v2_0/test_ec2.py rename to keystoneclient/tests/unit/v2_0/test_ec2.py index cfb6fa813..3df053de1 100644 --- a/keystoneclient/tests/v2_0/test_ec2.py +++ b/keystoneclient/tests/unit/v2_0/test_ec2.py @@ -10,11 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import ec2 -class EC2Tests(utils.TestCase): +class EC2Tests(utils.ClientTestCase): def test_create(self): user_id = 'usr' diff --git a/keystoneclient/tests/v2_0/test_endpoints.py b/keystoneclient/tests/unit/v2_0/test_endpoints.py similarity index 98% rename from keystoneclient/tests/v2_0/test_endpoints.py rename to keystoneclient/tests/unit/v2_0/test_endpoints.py index 5272ca05f..7b15cccc9 100644 --- a/keystoneclient/tests/v2_0/test_endpoints.py +++ b/keystoneclient/tests/unit/v2_0/test_endpoints.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import endpoints -class EndpointTests(utils.TestCase): +class EndpointTests(utils.ClientTestCase): def setUp(self): super(EndpointTests, self).setUp() self.TEST_ENDPOINTS = { diff --git a/keystoneclient/tests/v2_0/test_extensions.py b/keystoneclient/tests/unit/v2_0/test_extensions.py similarity index 92% rename from keystoneclient/tests/v2_0/test_extensions.py rename to keystoneclient/tests/unit/v2_0/test_extensions.py index 6a77a5ddb..3927bc07c 100644 --- a/keystoneclient/tests/v2_0/test_extensions.py +++ b/keystoneclient/tests/unit/v2_0/test_extensions.py @@ -10,11 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import extensions -class ExtensionTests(utils.TestCase): +class ExtensionTests(utils.ClientTestCase): def setUp(self): super(ExtensionTests, self).setUp() self.TEST_EXTENSIONS = { @@ -22,7 +22,7 @@ def setUp(self): "values": [ { 'name': 'OpenStack Keystone User CRUD', - 'namespace': 'http://docs.openstack.org/' + 'namespace': 'https://docs.openstack.org/' 'identity/api/ext/OS-KSCRUD/v1.0', 'updated': '2013-07-07T12:00:0-00:00', 'alias': 'OS-KSCRUD', @@ -36,7 +36,7 @@ def setUp(self): }, { 'name': 'OpenStack EC2 API', - 'namespace': 'http://docs.openstack.org/' + 'namespace': 'https://docs.openstack.org/' 'identity/api/ext/OS-EC2/v1.0', 'updated': '2013-09-07T12:00:0-00:00', 'alias': 'OS-EC2', diff --git a/keystoneclient/tests/v2_0/test_roles.py b/keystoneclient/tests/unit/v2_0/test_roles.py similarity index 97% rename from keystoneclient/tests/v2_0/test_roles.py rename to keystoneclient/tests/unit/v2_0/test_roles.py index bd272246b..fab21383c 100644 --- a/keystoneclient/tests/v2_0/test_roles.py +++ b/keystoneclient/tests/unit/v2_0/test_roles.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import roles -class RoleTests(utils.TestCase): +class RoleTests(utils.ClientTestCase): def setUp(self): super(RoleTests, self).setUp() diff --git a/keystoneclient/tests/v2_0/test_service_catalog.py b/keystoneclient/tests/unit/v2_0/test_service_catalog.py similarity index 81% rename from keystoneclient/tests/v2_0/test_service_catalog.py rename to keystoneclient/tests/unit/v2_0/test_service_catalog.py index bc219fd4e..612b7f0a7 100644 --- a/keystoneclient/tests/v2_0/test_service_catalog.py +++ b/keystoneclient/tests/unit/v2_0/test_service_catalog.py @@ -10,10 +10,12 @@ # License for the specific language governing permissions and limitations # under the License. +from keystoneauth1 import fixture + from keystoneclient import access from keystoneclient import exceptions -from keystoneclient.tests.v2_0 import client_fixtures -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import client_fixtures +from keystoneclient.tests.unit.v2_0 import utils class ServiceCatalogTest(utils.TestCase): @@ -47,14 +49,18 @@ def test_service_catalog_endpoints(self): def test_service_catalog_regions(self): self.AUTH_RESPONSE_BODY['access']['region_name'] = "North" - auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) + # Setting region_name on the catalog is deprecated. + with self.deprecations.expect_deprecations_here(): + auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) sc = auth_ref.service_catalog url = sc.url_for(service_type='image', endpoint_type='publicURL') self.assertEqual(url, "https://image.north.host/v1/") self.AUTH_RESPONSE_BODY['access']['region_name'] = "South" - auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) + # Setting region_name on the catalog is deprecated. + with self.deprecations.expect_deprecations_here(): + auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) sc = auth_ref.service_catalog url = sc.url_for(service_type='image', endpoint_type='internalURL') @@ -132,7 +138,9 @@ def test_servcie_catalog_get_url_region_names(self): def test_service_catalog_param_overrides_body_region(self): self.AUTH_RESPONSE_BODY['access']['region_name'] = "North" - auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) + # Setting region_name on the catalog is deprecated. + with self.deprecations.expect_deprecations_here(): + auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) sc = auth_ref.service_catalog url = sc.url_for(service_type='image') @@ -173,3 +181,27 @@ def test_service_catalog_service_name(self): endpoint_type='public') self.assertIsNone(urls) + + def test_service_catalog_multiple_service_types(self): + token = fixture.V2Token() + token.set_scope() + + for i in range(3): + s = token.add_service('compute') + s.add_endpoint(public='public-%d' % i, + admin='admin-%d' % i, + internal='internal-%d' % i, + region='region-%d' % i) + + auth_ref = access.AccessInfo.factory(resp=None, body=token) + + urls = auth_ref.service_catalog.get_urls(service_type='compute', + endpoint_type='publicURL') + + self.assertEqual(set(['public-0', 'public-1', 'public-2']), set(urls)) + + urls = auth_ref.service_catalog.get_urls(service_type='compute', + endpoint_type='publicURL', + region_name='region-1') + + self.assertEqual(('public-1', ), urls) diff --git a/keystoneclient/tests/v2_0/test_services.py b/keystoneclient/tests/unit/v2_0/test_services.py similarity index 72% rename from keystoneclient/tests/v2_0/test_services.py rename to keystoneclient/tests/unit/v2_0/test_services.py index aec6811b5..72c547699 100644 --- a/keystoneclient/tests/v2_0/test_services.py +++ b/keystoneclient/tests/unit/v2_0/test_services.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import services -class ServiceTests(utils.TestCase): +class ServiceTests(utils.ClientTestCase): def setUp(self): super(ServiceTests, self).setUp() @@ -42,7 +42,7 @@ def setUp(self): }, } - def test_create(self): + def test_create_with_description(self): req_body = { "OS-KSADM:service": { "name": "swift", @@ -68,6 +68,37 @@ def test_create(self): self.assertIsInstance(service, services.Service) self.assertEqual(service.id, service_id) self.assertEqual(service.name, req_body['OS-KSADM:service']['name']) + self.assertEqual(service.description, + req_body['OS-KSADM:service']['description']) + self.assertRequestBodyIs(json=req_body) + + def test_create_without_description(self): + req_body = { + "OS-KSADM:service": { + "name": "swift", + "type": "object-store", + "description": None, + } + } + service_id = uuid.uuid4().hex + resp_body = { + "OS-KSADM:service": { + "name": "swift", + "type": "object-store", + "id": service_id, + "description": None, + } + } + self.stub_url('POST', ['OS-KSADM', 'services'], json=resp_body) + + service = self.client.services.create( + req_body['OS-KSADM:service']['name'], + req_body['OS-KSADM:service']['type'], + req_body['OS-KSADM:service']['description']) + self.assertIsInstance(service, services.Service) + self.assertEqual(service.id, service_id) + self.assertEqual(service.name, req_body['OS-KSADM:service']['name']) + self.assertIsNone(service.description) self.assertRequestBodyIs(json=req_body) def test_delete(self): diff --git a/keystoneclient/tests/v2_0/test_tenants.py b/keystoneclient/tests/unit/v2_0/test_tenants.py similarity index 95% rename from keystoneclient/tests/v2_0/test_tenants.py rename to keystoneclient/tests/unit/v2_0/test_tenants.py index 444926153..5e78aa3be 100644 --- a/keystoneclient/tests/v2_0/test_tenants.py +++ b/keystoneclient/tests/unit/v2_0/test_tenants.py @@ -12,15 +12,16 @@ import uuid -from keystoneclient import exceptions -from keystoneclient import fixture -from keystoneclient.tests.v2_0 import utils +from keystoneauth1 import exceptions +from keystoneauth1 import fixture + +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import client from keystoneclient.v2_0 import tenants from keystoneclient.v2_0 import users -class TenantTests(utils.TestCase): +class TenantTests(utils.ClientTestCase): def setUp(self): super(TenantTests, self).setUp() @@ -332,9 +333,9 @@ def test_tenant_list_users(self): def test_list_tenants_use_admin_url(self): self.stub_url('GET', ['tenants'], json=self.TEST_TENANTS) - self.assertEqual(self.TEST_URL, self.client.management_url) - tenant_list = self.client.tenants.list() + self.assertEqual(self.TEST_URL + '/tenants', + self.requests_mock.last_request.url) [self.assertIsInstance(t, tenants.Tenant) for t in tenant_list] self.assertEqual(len(self.TEST_TENANTS['tenants']['values']), @@ -351,9 +352,11 @@ def test_list_tenants_fallback_to_auth_url(self): self.stub_url('GET', ['tenants'], base_url=new_auth_url, json=self.TEST_TENANTS) - c = client.Client(username=self.TEST_USER, - auth_url=new_auth_url, - password=uuid.uuid4().hex) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(username=self.TEST_USER, + auth_url=new_auth_url, + password=uuid.uuid4().hex) self.assertIsNone(c.management_url) tenant_list = c.tenants.list() diff --git a/keystoneclient/tests/v2_0/test_tokens.py b/keystoneclient/tests/unit/v2_0/test_tokens.py similarity index 64% rename from keystoneclient/tests/v2_0/test_tokens.py rename to keystoneclient/tests/unit/v2_0/test_tokens.py index 688972bd7..58df7c219 100644 --- a/keystoneclient/tests/v2_0/test_tokens.py +++ b/keystoneclient/tests/unit/v2_0/test_tokens.py @@ -12,13 +12,16 @@ import uuid -from keystoneclient import fixture -from keystoneclient.tests.v2_0 import utils +from keystoneauth1 import exceptions +from keystoneauth1 import fixture + +from keystoneclient import access +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import client from keystoneclient.v2_0 import tokens -class TokenTests(utils.TestCase): +class TokenTests(utils.ClientTestCase): def test_delete(self): id_ = uuid.uuid4().hex @@ -137,9 +140,9 @@ def test_authenticate_use_admin_url(self): token_fixture.set_scope() self.stub_auth(json=token_fixture) - self.assertEqual(self.TEST_URL, self.client.management_url) - token_ref = self.client.tokens.authenticate(token=uuid.uuid4().hex) + self.assertEqual(self.TEST_URL + '/tokens', + self.requests_mock.last_request.url) self.assertIsInstance(token_ref, tokens.Token) self.assertEqual(token_fixture.token_id, token_ref.id) self.assertEqual(token_fixture.expires_str, token_ref.expires) @@ -150,9 +153,11 @@ def test_authenticate_fallback_to_auth_url(self): token_fixture = fixture.V2Token() self.stub_auth(base_url=new_auth_url, json=token_fixture) - c = client.Client(username=self.TEST_USER, - auth_url=new_auth_url, - password=uuid.uuid4().hex) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(username=self.TEST_USER, + auth_url=new_auth_url, + password=uuid.uuid4().hex) self.assertIsNone(c.management_url) @@ -160,3 +165,53 @@ def test_authenticate_fallback_to_auth_url(self): self.assertIsInstance(token_ref, tokens.Token) self.assertEqual(token_fixture.token_id, token_ref.id) self.assertEqual(token_fixture.expires_str, token_ref.expires) + + def test_validate_token(self): + id_ = uuid.uuid4().hex + token_fixture = fixture.V2Token(token_id=id_) + self.stub_url('GET', ['tokens', id_], json=token_fixture) + + token_data = self.client.tokens.get_token_data(id_) + self.assertEqual(token_fixture, token_data) + + token_ref = self.client.tokens.validate(id_) + self.assertIsInstance(token_ref, tokens.Token) + self.assertEqual(id_, token_ref.id) + + def test_validate_token_invalid_token(self): + # If the token is invalid, typically a NotFound is raised. + + id_ = uuid.uuid4().hex + # The server is expected to return 404 if the token is invalid. + self.stub_url('GET', ['tokens', id_], status_code=404) + + self.assertRaises(exceptions.NotFound, + self.client.tokens.get_token_data, id_) + self.assertRaises(exceptions.NotFound, + self.client.tokens.validate, id_) + + def test_validate_token_access_info_with_token_id(self): + # Can validate a token passing a string token ID. + token_id = uuid.uuid4().hex + token_fixture = fixture.V2Token(token_id=token_id) + self.stub_url('GET', ['tokens', token_id], json=token_fixture) + access_info = self.client.tokens.validate_access_info(token_id) + self.assertIsInstance(access_info, access.AccessInfoV2) + self.assertEqual(token_id, access_info.auth_token) + + def test_validate_token_access_info_with_access_info(self): + # Can validate a token passing an access info. + token_id = uuid.uuid4().hex + token_fixture = fixture.V2Token(token_id=token_id) + self.stub_url('GET', ['tokens', token_id], json=token_fixture) + token = access.AccessInfo.factory(body=token_fixture) + access_info = self.client.tokens.validate_access_info(token) + self.assertIsInstance(access_info, access.AccessInfoV2) + self.assertEqual(token_id, access_info.auth_token) + + def test_get_revoked(self): + sample_revoked_response = {'signed': '-----BEGIN CMS-----\nMIIB...'} + self.stub_url('GET', ['tokens', 'revoked'], + json=sample_revoked_response) + resp = self.client.tokens.get_revoked() + self.assertEqual(sample_revoked_response, resp) diff --git a/keystoneclient/tests/v2_0/test_users.py b/keystoneclient/tests/unit/v2_0/test_users.py similarity index 96% rename from keystoneclient/tests/v2_0/test_users.py rename to keystoneclient/tests/unit/v2_0/test_users.py index 81598df7d..d65073887 100644 --- a/keystoneclient/tests/v2_0/test_users.py +++ b/keystoneclient/tests/unit/v2_0/test_users.py @@ -12,12 +12,12 @@ import uuid -from keystoneclient.tests.v2_0 import utils +from keystoneclient.tests.unit.v2_0 import utils from keystoneclient.v2_0 import roles from keystoneclient.v2_0 import users -class UserTests(utils.TestCase): +class UserTests(utils.ClientTestCase): def setUp(self): super(UserTests, self).setUp() self.ADMIN_USER_ID = uuid.uuid4().hex @@ -191,7 +191,6 @@ def test_list_limit_marker(self): def test_update(self): req_1 = { "user": { - "id": self.DEMO_USER_ID, "email": "gabriel@example.com", "name": "gabriel", } @@ -199,20 +198,17 @@ def test_update(self): password = uuid.uuid4().hex req_2 = { "user": { - "id": self.DEMO_USER_ID, "password": password, } } tenant_id = uuid.uuid4().hex req_3 = { "user": { - "id": self.DEMO_USER_ID, "tenantId": tenant_id, } } req_4 = { "user": { - "id": self.DEMO_USER_ID, "enabled": False, } } @@ -252,10 +248,10 @@ def test_update_own_password(self): resp_body = { 'access': {} } - user_id = uuid.uuid4().hex - self.stub_url('PATCH', ['OS-KSCRUD', 'users', user_id], json=resp_body) + self.stub_url('PATCH', + ['OS-KSCRUD', 'users', self.TEST_USER_ID], + json=resp_body) - self.client.user_id = user_id self.client.users.update_own_password(old_password, new_password) self.assertRequestBodyIs(json=req_body) self.assertNotIn(old_password, self.logger.output) diff --git a/keystoneclient/tests/v2_0/utils.py b/keystoneclient/tests/unit/v2_0/utils.py similarity index 84% rename from keystoneclient/tests/v2_0/utils.py rename to keystoneclient/tests/unit/v2_0/utils.py index 7132236c3..6532d71b5 100644 --- a/keystoneclient/tests/v2_0/utils.py +++ b/keystoneclient/tests/unit/v2_0/utils.py @@ -10,10 +10,8 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient.tests import utils -from keystoneclient.v2_0 import client - -TestResponse = utils.TestResponse +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit import utils class UnauthenticatedTestCase(utils.TestCase): @@ -76,13 +74,17 @@ class TestCase(UnauthenticatedTestCase): "name": "swift" }] - def setUp(self): - super(TestCase, self).setUp() - self.client = client.Client(username=self.TEST_USER, - token=self.TEST_TOKEN, - tenant_name=self.TEST_TENANT_NAME, - auth_url=self.TEST_URL, - endpoint=self.TEST_URL) - def stub_auth(self, **kwargs): self.stub_url('POST', ['tokens'], **kwargs) + + +class ClientTestCase(utils.ClientTestCaseMixin, TestCase): + + scenarios = [ + ('original', + {'client_fixture_class': client_fixtures.OriginalV2}), + ('ksc-session', + {'client_fixture_class': client_fixtures.KscSessionV2}), + ('ksa-session', + {'client_fixture_class': client_fixtures.KsaSessionV2}), + ] diff --git a/keystoneclient/tests/auth/__init__.py b/keystoneclient/tests/unit/v3/__init__.py similarity index 100% rename from keystoneclient/tests/auth/__init__.py rename to keystoneclient/tests/unit/v3/__init__.py diff --git a/keystoneclient/tests/v3/client_fixtures.py b/keystoneclient/tests/unit/v3/client_fixtures.py similarity index 63% rename from keystoneclient/tests/v3/client_fixtures.py rename to keystoneclient/tests/unit/v3/client_fixtures.py index 517f9ae07..e22e7da1c 100644 --- a/keystoneclient/tests/v3/client_fixtures.py +++ b/keystoneclient/tests/unit/v3/client_fixtures.py @@ -9,31 +9,23 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import uuid -from __future__ import unicode_literals +from keystoneauth1 import fixture -from keystoneclient import fixture +def unscoped_token(**kwargs): + return fixture.V3Token(**kwargs) -def unscoped_token(): - return fixture.V3Token(user_id='c4da488862bd435c9e6c0275a0d0e49a', - user_name='exampleuser', - user_domain_id='4e6893b7ba0b4006840c3845660b86ed', - user_domain_name='exampledomain', - expires='2010-11-01T03:32:15-05:00') +def domain_scoped_token(**kwargs): + kwargs.setdefault('audit_chain_id', uuid.uuid4().hex) + f = fixture.V3Token(**kwargs) + if not f.domain_id: + f.set_domain_scope() -def domain_scoped_token(): - f = fixture.V3Token(user_id='c4da488862bd435c9e6c0275a0d0e49a', - user_name='exampleuser', - user_domain_id='4e6893b7ba0b4006840c3845660b86ed', - user_domain_name='exampledomain', - expires='2010-11-01T03:32:15-05:00', - domain_id='8e9283b7ba0b1038840c3842058b86ab', - domain_name='anotherdomain') - - f.add_role(id='76e72a', name='admin') - f.add_role(id='f4f392', name='member') + f.add_role(name='admin') + f.add_role(name='member') region = 'RegionOne' s = f.add_service('volume') @@ -69,19 +61,15 @@ def domain_scoped_token(): return f -def project_scoped_token(): - f = fixture.V3Token(user_id='c4da488862bd435c9e6c0275a0d0e49a', - user_name='exampleuser', - user_domain_id='4e6893b7ba0b4006840c3845660b86ed', - user_domain_name='exampledomain', - expires='2010-11-01T03:32:15-05:00', - project_id='225da22d3ce34b15877ea70b2a575f58', - project_name='exampleproject', - project_domain_id='4e6893b7ba0b4006840c3845660b86ed', - project_domain_name='exampledomain') +def project_scoped_token(**kwargs): + kwargs.setdefault('audit_chain_id', uuid.uuid4().hex) + f = fixture.V3Token(**kwargs) + + if not f.project_id: + f.set_project_scope() - f.add_role(id='76e72a', name='admin') - f.add_role(id='f4f392', name='member') + f.add_role(name='admin') + f.add_role(name='member') region = 'RegionOne' tenant = '225da22d3ce34b15877ea70b2a575f58' @@ -119,7 +107,7 @@ def project_scoped_token(): return f -AUTH_SUBJECT_TOKEN = '3e2813b7ba0b4006840c3825860b86ed' +AUTH_SUBJECT_TOKEN = uuid.uuid4().hex AUTH_RESPONSE_HEADERS = { 'X-Subject-Token': AUTH_SUBJECT_TOKEN, @@ -127,18 +115,11 @@ def project_scoped_token(): def auth_response_body(): - f = fixture.V3Token(user_id='567', - user_name='test', - user_domain_id='1', - user_domain_name='aDomain', - expires='2010-11-01T03:32:15-05:00', - project_domain_id='123', - project_domain_name='aDomain', - project_id='345', - project_name='aTenant') - - f.add_role(id='76e72a', name='admin') - f.add_role(id='f4f392', name='member') + f = fixture.V3Token(audit_chain_id=uuid.uuid4().hex) + f.set_project_scope() + + f.add_role(name='admin') + f.add_role(name='member') s = f.add_service('compute', name='nova') s.add_standard_endpoints( @@ -171,12 +152,6 @@ def auth_response_body(): def trust_token(): - return fixture.V3Token(user_id='0ca8f6', - user_name='exampleuser', - user_domain_id='4e6893b7ba0b4006840c3845660b86ed', - user_domain_name='exampledomain', - expires='2010-11-01T03:32:15-05:00', - trust_id='fe0aef', - trust_impersonation=False, - trustee_user_id='0ca8f6', - trustor_user_id='bd263c') + f = fixture.V3Token(audit_chain_id=uuid.uuid4().hex) + f.set_trust_scope() + return f diff --git a/keystoneclient/tests/unit/v3/examples/xml/ADFS_RequestSecurityTokenResponse.xml b/keystoneclient/tests/unit/v3/examples/xml/ADFS_RequestSecurityTokenResponse.xml new file mode 100644 index 000000000..487bcac59 --- /dev/null +++ b/keystoneclient/tests/unit/v3/examples/xml/ADFS_RequestSecurityTokenResponse.xml @@ -0,0 +1,132 @@ + + + http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal + urn:uuid:487c064b-b7c6-4654-b4d4-715f9961170e + + + 2014-08-05T18:36:14.235Z + 2014-08-05T18:41:14.235Z + + + + + + + + 2014-08-05T18:36:14.063Z + 2014-08-05T19:36:14.063Z + + + + https://ltartari2.cern.ch:5000/Shibboleth.sso/ADFS + + + + + + + https://ltartari2.cern.ch:5000/Shibboleth.sso/ADFS + + + + + marek.denis@cern.ch + + urn:oasis:names:tc:SAML:1.0:cm:bearer + + + + marek.denis@cern.ch + + + marek.denis@cern.ch + + + madenis + + + CERN Users + + + Domain Users + occupants-bldg-31 + CERN-Direct-Employees + ca-dev-allowed + cernts-cerntstest-users + staf-fell-pjas-at-cern + ELG-CERN + student-club-new-members + pawel-dynamic-test-82 + + + Marek Kamil Denis + + + +5555555 + + + 31S-013 + + + Marek Kamil + + + Denis + + + CERN Registered + + + CERN + + + Normal + + + + + marek.denis@cern.ch + + urn:oasis:names:tc:SAML:1.0:cm:bearer + + + + + + + + + + + + + + EaZ/2d0KAY5un9akV3++Npyk6hBc8JuTYs2S3lSxUeQ= + + + CxYiYvNsbedhHdmDbb9YQCBy6Ppus3bNJdw2g2HLq0VU2yRhv23mUW05I89Hs4yG4OcCo0uOZ3zaeNFbSNXMW+Mr996tAXtujKjgyrCXNJAToE+gwltvGxwY1EluSbe3IzoSM3Ao87mKhxGOSzlDhuN7dQ9Rv6l/J4gUjbOO5SIX4pdZ6mVF7cHEfe9x+H8Lg15YjnElQUEaPi+NSW5jYTdtIpsB4ORxJvALuSt6+4doDYc9wuwBiWkEdnBHAQBINoKpAV2oy0/C85SBX3IdRhxUznmL5yEUmf8JvPccXecMPqJow0L43mnCdu74xPwU0as3MNfYQ10kLvHXHfIExg== + + + MIIIEjCCBfqgAwIBAgIKLYgjvQAAAAAAMDANBgkqhkiG9w0BAQsFADBRMRIwEAYKCZImiZPyLGQBGRYCY2gxFDASBgoJkiaJk/IsZAEZFgRjZXJuMSUwIwYDVQQDExxDRVJOIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMTEwODA4Mzg1NVoXDTIzMDcyOTA5MTkzOFowVjESMBAGCgmSJomT8ixkARkWAmNoMRQwEgYKCZImiZPyLGQBGRYEY2VybjESMBAGA1UECxMJY29tcHV0ZXJzMRYwFAYDVQQDEw1sb2dpbi5jZXJuLmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp6t1C0SGlLddL2M+ltffGioTnDT3eztOxlA9bAGuvB8/Rjym8en6+ET9boM02CyoR5Vpn8iElXVWccAExPIQEq70D6LPe86vb+tYhuKPeLfuICN9Z0SMQ4f+57vk61Co1/uw/8kPvXlyd+Ai8Dsn/G0hpH67bBI9VOQKfpJqclcSJuSlUB5PJffvMUpr29B0eRx8LKFnIHbDILSu6nVbFLcadtWIjbYvoKorXg3J6urtkz+zEDeYMTvA6ZGOFf/Xy5eGtroSq9csSC976tx+umKEPhXBA9AcpiCV9Cj5axN03Aaa+iTE36jpnjcd9d02dy5Q9jE2nUN6KXnB6qF6eQIDAQABo4ID5TCCA+EwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIg73QCYLtjQ2G7Ysrgd71N4WA0GIehd2yb4Wu9TkCAWQCARkwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDBoBgNVHSAEYTBfMF0GCisGAQQBYAoEAQEwTzBNBggrBgEFBQcCARZBaHR0cDovL2NhLWRvY3MuY2Vybi5jaC9jYS1kb2NzL2NwLWNwcy9jZXJuLXRydXN0ZWQtY2EyLWNwLWNwcy5wZGYwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAdBgNVHQ4EFgQUqtJcwUXasyM6sRaO5nCMFoFDenMwGAYDVR0RBBEwD4INbG9naW4uY2Vybi5jaDAfBgNVHSMEGDAWgBQdkBnqyM7MPI0UsUzZ7BTiYUADYTCCASoGA1UdHwSCASEwggEdMIIBGaCCARWgggERhkdodHRwOi8vY2FmaWxlcy5jZXJuLmNoL2NhZmlsZXMvY3JsL0NFUk4lMjBDZXJ0aWZpY2F0aW9uJTIwQXV0aG9yaXR5LmNybIaBxWxkYXA6Ly8vQ049Q0VSTiUyMENlcnRpZmljYXRpb24lMjBBdXRob3JpdHksQ049Q0VSTlBLSTA3LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWNlcm4sREM9Y2g/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIIBVAYIKwYBBQUHAQEEggFGMIIBQjBcBggrBgEFBQcwAoZQaHR0cDovL2NhZmlsZXMuY2Vybi5jaC9jYWZpbGVzL2NlcnRpZmljYXRlcy9DRVJOJTIwQ2VydGlmaWNhdGlvbiUyMEF1dGhvcml0eS5jcnQwgbsGCCsGAQUFBzAChoGubGRhcDovLy9DTj1DRVJOJTIwQ2VydGlmaWNhdGlvbiUyMEF1dGhvcml0eSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1jZXJuLERDPWNoP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jZXJuLmNoL29jc3AwDQYJKoZIhvcNAQELBQADggIBAGKZ3bknTCfNuh4TMaL3PuvBFjU8LQ5NKY9GLZvY2ibYMRk5Is6eWRgyUsy1UJRQdaQQPnnysqrGq8VRw/NIFotBBsA978/+jj7v4e5Kr4o8HvwAQNLBxNmF6XkDytpLL701FcNEGRqIsoIhNzihi2VBADLC9HxljEyPT52IR767TMk/+xTOqClceq3sq6WRD4m+xaWRUJyOhn+Pqr+wbhXIw4wzHC6X0hcLj8P9Povtm6VmKkN9JPuymMo/0+zSrUt2+TYfmbbEKYJSP0+sceQ76IKxxmSdKAr1qDNE8v+c3DvPM2PKmfivwaV2l44FdP8ulzqTgphkYcN1daa9Oc+qJeyu/eL7xWzk6Zq5R+jVrMlM0p1y2XczI7Hoc96TMOcbVnwgMcVqRM9p57VItn6XubYPR0C33i1yUZjkWbIfqEjq6Vev6lVgngOyzu+hqC/8SDyORA3dlF9aZOD13kPZdF/JRphHREQtaRydAiYRlE/WHTvOcY52jujDftUR6oY0eWaWkwSHbX+kDFx8IlR8UtQCUgkGHBGwnOYLIGu7SRDGSfOBOiVhxKoHWVk/pL6eKY2SkmyOmmgO4JnQGg95qeAOMG/EQZt/2x8GAavUqGvYy9dPFwFf08678hQqkjNSuex7UD0ku8OP1QKvpP44l6vZhFc6A5XqjdU9lus1 + + + + + + + + _c9e77bc4-a81b-4da7-88c2-72a6ba376d3f + + + + + _c9e77bc4-a81b-4da7-88c2-72a6ba376d3f + + + urn:oasis:names:tc:SAML:1.0:assertion + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer + + + + \ No newline at end of file diff --git a/keystoneclient/tests/unit/v3/examples/xml/ADFS_fault.xml b/keystoneclient/tests/unit/v3/examples/xml/ADFS_fault.xml new file mode 100644 index 000000000..913252e7f --- /dev/null +++ b/keystoneclient/tests/unit/v3/examples/xml/ADFS_fault.xml @@ -0,0 +1,19 @@ + + + http://www.w3.org/2005/08/addressing/soap/fault + urn:uuid:89c47849-2622-4cdc-bb06-1d46c89ed12d + + + + + s:Sender + + a:FailedAuthentication + + + + At least one security token in the message could not be validated. + + + + \ No newline at end of file diff --git a/keystoneclient/tests/v3/saml2_fixtures.py b/keystoneclient/tests/unit/v3/saml2_fixtures.py similarity index 58% rename from keystoneclient/tests/v3/saml2_fixtures.py rename to keystoneclient/tests/unit/v3/saml2_fixtures.py index 2ecae6ad8..17c1395a8 100644 --- a/keystoneclient/tests/v3/saml2_fixtures.py +++ b/keystoneclient/tests/unit/v3/saml2_fixtures.py @@ -10,9 +10,7 @@ # License for the specific language governing permissions and limitations # under the License. -import six - -SP_SOAP_RESPONSE = six.b(""" -""") +""" -SAML2_ASSERTION = six.b(""" +SAML2_ASSERTION = b""" VALUE= -""") +""" UNSCOPED_TOKEN_HEADER = 'UNSCOPED_TOKEN' @@ -145,7 +143,7 @@ } ], "links": { - "self": "http://identity:35357/v3/OS-FEDERATION/projects", + "self": "http://identity:35357/v3/auth/projects", "previous": 'null', "next": 'null' } @@ -164,8 +162,118 @@ } ], "links": { - "self": "http://identity:35357/v3/OS-FEDERATION/domains", + "self": "http://identity:35357/v3/auth/domains", "previous": 'null', "next": 'null' } } + +SAML_ENCODING = "" + +TOKEN_SAML_RESPONSE = """ + + + http://keystone.idp/v3/OS-FEDERATION/saml2/idp + + + + + + + http://keystone.idp/v3/OS-FEDERATION/saml2/idp + + + + + + + + + + + + 0KH2CxdkfzU+6eiRhTC+mbObUKI= + + + + + m2jh5gDvX/1k+4uKtbb08CHp2b9UWsLw + + + + ... + + + + + admin + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:Password + + + http://keystone.idp/v3/OS-FEDERATION/saml2/idp + + + + + + admin + + + admin + + + admin + + + + +""" + +TOKEN_BASED_SAML = ''.join([SAML_ENCODING, TOKEN_SAML_RESPONSE]) + +ECP_ENVELOPE = """ + + + + ss:mem:1ddfe8b0f58341a5a840d2e8717b0737 + + + + {0} + + +""".format(TOKEN_SAML_RESPONSE) + +TOKEN_BASED_ECP = ''.join([SAML_ENCODING, ECP_ENVELOPE]) diff --git a/keystoneclient/tests/v3/test_access.py b/keystoneclient/tests/unit/v3/test_access.py similarity index 51% rename from keystoneclient/tests/v3/test_access.py rename to keystoneclient/tests/unit/v3/test_access.py index 4353af752..26ca8f15e 100644 --- a/keystoneclient/tests/v3/test_access.py +++ b/keystoneclient/tests/unit/v3/test_access.py @@ -13,16 +13,18 @@ import datetime import uuid +from keystoneauth1 import fixture +from oslo_utils import timeutils + from keystoneclient import access -from keystoneclient import fixture -from keystoneclient.openstack.common import timeutils -from keystoneclient.tests.v3 import client_fixtures -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit import utils as test_utils +from keystoneclient.tests.unit.v3 import client_fixtures +from keystoneclient.tests.unit.v3 import utils -TOKEN_RESPONSE = utils.TestResponse({ - "headers": client_fixtures.AUTH_RESPONSE_HEADERS -}) +TOKEN_RESPONSE = test_utils.test_response( + headers=client_fixtures.AUTH_RESPONSE_HEADERS +) UNSCOPED_TOKEN = client_fixtures.unscoped_token() DOMAIN_SCOPED_TOKEN = client_fixtures.domain_scoped_token() PROJECT_SCOPED_TOKEN = client_fixtures.project_scoped_token() @@ -37,10 +39,10 @@ def test_building_unscoped_accessinfo(self): self.assertIn('methods', auth_ref) self.assertNotIn('catalog', auth_ref) - self.assertEqual(auth_ref.auth_token, - '3e2813b7ba0b4006840c3825860b86ed') - self.assertEqual(auth_ref.username, 'exampleuser') - self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') + self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, + auth_ref.auth_token) + self.assertEqual(UNSCOPED_TOKEN.user_name, auth_ref.username) + self.assertEqual(UNSCOPED_TOKEN.user_id, auth_ref.user_id) self.assertEqual(auth_ref.role_ids, []) self.assertEqual(auth_ref.role_names, []) @@ -48,15 +50,18 @@ def test_building_unscoped_accessinfo(self): self.assertIsNone(auth_ref.project_name) self.assertIsNone(auth_ref.project_id) - self.assertIsNone(auth_ref.auth_url) - self.assertIsNone(auth_ref.management_url) + with self.deprecations.expect_deprecations_here(): + self.assertIsNone(auth_ref.auth_url) + with self.deprecations.expect_deprecations_here(): + self.assertIsNone(auth_ref.management_url) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) - self.assertEqual(auth_ref.user_domain_id, - '4e6893b7ba0b4006840c3845660b86ed') - self.assertEqual(auth_ref.user_domain_name, 'exampledomain') + self.assertEqual(UNSCOPED_TOKEN.user_domain_id, + auth_ref.user_domain_id) + self.assertEqual(UNSCOPED_TOKEN.user_domain_name, + auth_ref.user_domain_name) self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) @@ -69,13 +74,17 @@ def test_building_unscoped_accessinfo(self): self.assertEqual(auth_ref.expires, UNSCOPED_TOKEN.expires) self.assertEqual(auth_ref.issued, UNSCOPED_TOKEN.issued) + self.assertEqual(auth_ref.audit_id, UNSCOPED_TOKEN.audit_id) + self.assertIsNone(auth_ref.audit_chain_id) + self.assertIsNone(UNSCOPED_TOKEN.audit_chain_id) + def test_will_expire_soon(self): expires = timeutils.utcnow() + datetime.timedelta(minutes=5) UNSCOPED_TOKEN['token']['expires_at'] = expires.isoformat() auth_ref = access.AccessInfo.factory(resp=TOKEN_RESPONSE, body=UNSCOPED_TOKEN) self.assertFalse(auth_ref.will_expire_soon(stale_duration=120)) - self.assertTrue(auth_ref.will_expire_soon(stale_duration=300)) + self.assertTrue(auth_ref.will_expire_soon(stale_duration=301)) self.assertFalse(auth_ref.will_expire_soon()) def test_building_domain_scoped_accessinfo(self): @@ -87,24 +96,24 @@ def test_building_domain_scoped_accessinfo(self): self.assertIn('catalog', auth_ref) self.assertTrue(auth_ref['catalog']) - self.assertEqual(auth_ref.auth_token, - '3e2813b7ba0b4006840c3825860b86ed') - self.assertEqual(auth_ref.username, 'exampleuser') - self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') + self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, + auth_ref.auth_token) + self.assertEqual(DOMAIN_SCOPED_TOKEN.user_name, auth_ref.username) + self.assertEqual(DOMAIN_SCOPED_TOKEN.user_id, auth_ref.user_id) - self.assertEqual(auth_ref.role_ids, ['76e72a', 'f4f392']) - self.assertEqual(auth_ref.role_names, ['admin', 'member']) + self.assertEqual(DOMAIN_SCOPED_TOKEN.role_ids, auth_ref.role_ids) + self.assertEqual(DOMAIN_SCOPED_TOKEN.role_names, auth_ref.role_names) - self.assertEqual(auth_ref.domain_name, 'anotherdomain') - self.assertEqual(auth_ref.domain_id, - '8e9283b7ba0b1038840c3842058b86ab') + self.assertEqual(DOMAIN_SCOPED_TOKEN.domain_name, auth_ref.domain_name) + self.assertEqual(DOMAIN_SCOPED_TOKEN.domain_id, auth_ref.domain_id) self.assertIsNone(auth_ref.project_name) self.assertIsNone(auth_ref.project_id) - self.assertEqual(auth_ref.user_domain_id, - '4e6893b7ba0b4006840c3845660b86ed') - self.assertEqual(auth_ref.user_domain_name, 'exampledomain') + self.assertEqual(DOMAIN_SCOPED_TOKEN.user_domain_id, + auth_ref.user_domain_id) + self.assertEqual(DOMAIN_SCOPED_TOKEN.user_domain_name, + auth_ref.user_domain_name) self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) @@ -112,6 +121,10 @@ def test_building_domain_scoped_accessinfo(self): self.assertTrue(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) + self.assertEqual(DOMAIN_SCOPED_TOKEN.audit_id, auth_ref.audit_id) + self.assertEqual(DOMAIN_SCOPED_TOKEN.audit_chain_id, + auth_ref.audit_chain_id) + def test_building_project_scoped_accessinfo(self): auth_ref = access.AccessInfo.factory(resp=TOKEN_RESPONSE, body=PROJECT_SCOPED_TOKEN) @@ -121,40 +134,48 @@ def test_building_project_scoped_accessinfo(self): self.assertIn('catalog', auth_ref) self.assertTrue(auth_ref['catalog']) - self.assertEqual(auth_ref.auth_token, - '3e2813b7ba0b4006840c3825860b86ed') - self.assertEqual(auth_ref.username, 'exampleuser') - self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') + self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, + auth_ref.auth_token) + self.assertEqual(PROJECT_SCOPED_TOKEN.user_name, auth_ref.username) + self.assertEqual(PROJECT_SCOPED_TOKEN.user_id, auth_ref.user_id) - self.assertEqual(auth_ref.role_ids, ['76e72a', 'f4f392']) - self.assertEqual(auth_ref.role_names, ['admin', 'member']) + self.assertEqual(PROJECT_SCOPED_TOKEN.role_ids, auth_ref.role_ids) + self.assertEqual(PROJECT_SCOPED_TOKEN.role_names, auth_ref.role_names) self.assertIsNone(auth_ref.domain_name) self.assertIsNone(auth_ref.domain_id) - self.assertEqual(auth_ref.project_name, 'exampleproject') - self.assertEqual(auth_ref.project_id, - '225da22d3ce34b15877ea70b2a575f58') + self.assertEqual(PROJECT_SCOPED_TOKEN.project_name, + auth_ref.project_name) + self.assertEqual(PROJECT_SCOPED_TOKEN.project_id, auth_ref.project_id) self.assertEqual(auth_ref.tenant_name, auth_ref.project_name) self.assertEqual(auth_ref.tenant_id, auth_ref.project_id) - self.assertEqual(auth_ref.auth_url, - ('http://public.com:5000/v3',)) - self.assertEqual(auth_ref.management_url, - ('http://admin:35357/v3',)) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(auth_ref.auth_url, + ('http://public.com:5000/v3',)) + with self.deprecations.expect_deprecations_here(): + self.assertEqual(auth_ref.management_url, + ('http://admin:35357/v3',)) - self.assertEqual(auth_ref.project_domain_id, - '4e6893b7ba0b4006840c3845660b86ed') - self.assertEqual(auth_ref.project_domain_name, 'exampledomain') + self.assertEqual(PROJECT_SCOPED_TOKEN.project_domain_id, + auth_ref.project_domain_id) + self.assertEqual(PROJECT_SCOPED_TOKEN.project_domain_name, + auth_ref.project_domain_name) - self.assertEqual(auth_ref.user_domain_id, - '4e6893b7ba0b4006840c3845660b86ed') - self.assertEqual(auth_ref.user_domain_name, 'exampledomain') + self.assertEqual(PROJECT_SCOPED_TOKEN.user_domain_id, + auth_ref.user_domain_id) + self.assertEqual(PROJECT_SCOPED_TOKEN.user_domain_name, + auth_ref.user_domain_name) self.assertFalse(auth_ref.domain_scoped) self.assertTrue(auth_ref.project_scoped) + self.assertEqual(PROJECT_SCOPED_TOKEN.audit_id, auth_ref.audit_id) + self.assertEqual(PROJECT_SCOPED_TOKEN.audit_chain_id, + auth_ref.audit_chain_id) + def test_oauth_access(self): consumer_id = uuid.uuid4().hex access_token_id = uuid.uuid4().hex @@ -172,3 +193,19 @@ def test_oauth_access(self): self.assertEqual(consumer_id, auth_ref['OS-OAUTH1']['consumer_id']) self.assertEqual(access_token_id, auth_ref['OS-OAUTH1']['access_token_id']) + + def test_override_auth_token(self): + token = fixture.V3Token() + token.set_project_scope() + + new_auth_token = uuid.uuid4().hex + auth_ref = access.AccessInfo.factory(body=token, + auth_token=new_auth_token) + self.assertEqual(new_auth_token, auth_ref.auth_token) + + def test_federated_property_standard_token(self): + """Check if is_federated property returns expected value.""" + token = fixture.V3Token() + token.set_project_scope() + auth_ref = access.AccessInfo.factory(body=token) + self.assertFalse(auth_ref.is_federated) diff --git a/keystoneclient/tests/unit/v3/test_access_rules.py b/keystoneclient/tests/unit/v3/test_access_rules.py new file mode 100644 index 000000000..d3e22f8dd --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_access_rules.py @@ -0,0 +1,41 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import uuid + +from keystoneclient import exceptions +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import access_rules + + +class AccessRuleTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(AccessRuleTests, self).setUp() + self.key = 'access_rule' + self.collection_key = 'access_rules' + self.model = access_rules.AccessRule + self.manager = self.client.access_rules + self.path_prefix = 'users/%s' % self.TEST_USER_ID + + def new_ref(self, **kwargs): + kwargs = super(AccessRuleTests, self).new_ref(**kwargs) + kwargs.setdefault('path', uuid.uuid4().hex) + kwargs.setdefault('method', uuid.uuid4().hex) + kwargs.setdefault('service', uuid.uuid4().hex) + return kwargs + + def test_update(self): + self.assertRaises(exceptions.MethodNotImplemented, self.manager.update) + + def test_create(self): + self.assertRaises(exceptions.MethodNotImplemented, self.manager.create) diff --git a/keystoneclient/tests/unit/v3/test_application_credentials.py b/keystoneclient/tests/unit/v3/test_application_credentials.py new file mode 100644 index 000000000..6e4bba3e6 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_application_credentials.py @@ -0,0 +1,137 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import uuid + +from oslo_utils import timeutils + +from keystoneclient import exceptions +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import application_credentials + + +class ApplicationCredentialTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(ApplicationCredentialTests, self).setUp() + self.key = 'application_credential' + self.collection_key = 'application_credentials' + self.model = application_credentials.ApplicationCredential + self.manager = self.client.application_credentials + self.path_prefix = 'users/%s' % self.TEST_USER_ID + + def new_ref(self, **kwargs): + kwargs = super(ApplicationCredentialTests, self).new_ref(**kwargs) + kwargs.setdefault('name', uuid.uuid4().hex) + kwargs.setdefault('description', uuid.uuid4().hex) + kwargs.setdefault('unrestricted', False) + return kwargs + + def test_create_with_roles(self): + ref = self.new_ref(user=uuid.uuid4().hex) + ref['roles'] = [{'name': 'atestrole'}] + req_ref = ref.copy() + req_ref.pop('id') + user = req_ref.pop('user') + + self.stub_entity('POST', + ['users', user, self.collection_key], + status_code=201, entity=req_ref) + + super(ApplicationCredentialTests, self).test_create(ref=ref, + req_ref=req_ref) + + def test_create_with_role_id_and_names(self): + ref = self.new_ref(user=uuid.uuid4().hex) + ref['roles'] = [{'name': 'atestrole', 'domain': 'nondefault'}, + uuid.uuid4().hex] + req_ref = ref.copy() + req_ref.pop('id') + user = req_ref.pop('user') + + req_ref['roles'] = [{'name': 'atestrole', 'domain': 'nondefault'}, + {'id': ref['roles'][1]}] + self.stub_entity('POST', + ['users', user, self.collection_key], + status_code=201, entity=req_ref) + + super(ApplicationCredentialTests, self).test_create(ref=ref, + req_ref=req_ref) + + def test_create_expires(self): + ref = self.new_ref(user=uuid.uuid4().hex) + ref['expires_at'] = timeutils.parse_isotime( + '2013-03-04T12:00:01.000000Z') + req_ref = ref.copy() + req_ref.pop('id') + user = req_ref.pop('user') + + req_ref['expires_at'] = '2013-03-04T12:00:01.000000Z' + + self.stub_entity('POST', + ['users', user, self.collection_key], + status_code=201, entity=req_ref) + + super(ApplicationCredentialTests, self).test_create(ref=ref, + req_ref=req_ref) + + def test_create_unrestricted(self): + ref = self.new_ref(user=uuid.uuid4().hex) + ref['unrestricted'] = True + req_ref = ref.copy() + req_ref.pop('id') + user = req_ref.pop('user') + + self.stub_entity('POST', + ['users', user, self.collection_key], + status_code=201, entity=req_ref) + + super(ApplicationCredentialTests, self).test_create(ref=ref, + req_ref=req_ref) + + def test_create_with_access_rules(self): + ref = self.new_ref(user=uuid.uuid4().hex) + access_rules = [ + { + 'method': 'GET', + 'path': '/v3/projects', + 'service': 'identity' + } + ] + ref['access_rules'] = access_rules + req_ref = ref.copy() + req_ref.pop('id') + user = req_ref.pop('user') + + self.stub_entity('POST', + ['users', user, self.collection_key], + status_code=201, entity=req_ref) + + super(ApplicationCredentialTests, self).test_create(ref=ref, + req_ref=req_ref) + + def test_get(self): + ref = self.new_ref(user=uuid.uuid4().hex) + + self.stub_entity( + 'GET', ['users', ref['user'], self.collection_key, ref['id']], + entity=ref) + returned = self.manager.get(ref['id'], ref['user']) + self.assertIsInstance(returned, self.model) + for attr in ref: + self.assertEqual( + getattr(returned, attr), + ref[attr], + 'Expected different %s' % attr) + + def test_update(self): + self.assertRaises(exceptions.MethodNotImplemented, self.manager.update) diff --git a/keystoneclient/tests/v3/test_auth.py b/keystoneclient/tests/unit/v3/test_auth.py similarity index 67% rename from keystoneclient/tests/v3/test_auth.py rename to keystoneclient/tests/unit/v3/test_auth.py index fb079b6b1..d3c44adc7 100644 --- a/keystoneclient/tests/v3/test_auth.py +++ b/keystoneclient/tests/unit/v3/test_auth.py @@ -10,9 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_serialization import jsonutils +from testtools import testcase + from keystoneclient import exceptions -from keystoneclient.openstack.common import jsonutils -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import client @@ -26,7 +28,7 @@ def setUp(self): "password" ], - "expires_at": "2020-01-01T00:00:10.000123Z", + "expires_at": "2999-01-01T00:00:10.000123Z", "project": { "domain": { "id": self.TEST_DOMAIN_ID, @@ -85,10 +87,12 @@ def test_authenticate_success(self): self.stub_auth(json=self.TEST_RESPONSE_DICT, subject_token=TEST_TOKEN) - cs = client.Client(user_id=self.TEST_USER, - password=self.TEST_TOKEN, - project_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(user_id=self.TEST_USER, + password=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_token, TEST_TOKEN) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) @@ -100,17 +104,14 @@ def test_authenticate_failure(self): self.stub_auth(status_code=401, json=error) - # Workaround for issue with assertRaises on python2.6 - # where with assertRaises(exceptions.Unauthorized): doesn't work - # right - def client_create_wrapper(): - client.Client(user_domain_name=self.TEST_DOMAIN_NAME, - username=self.TEST_USER, - password="bad_key", - project_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) - - self.assertRaises(exceptions.Unauthorized, client_create_wrapper) + with testcase.ExpectedException(exceptions.Unauthorized): + with self.deprecations.expect_deprecations_here(): + client.Client(user_domain_name=self.TEST_DOMAIN_NAME, + username=self.TEST_USER, + password="bad_key", + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) + self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_auth_redirect(self): @@ -120,11 +121,13 @@ def test_auth_redirect(self): self.stub_auth(json=self.TEST_RESPONSE_DICT, base_url=self.TEST_ADMIN_URL) - cs = client.Client(user_domain_name=self.TEST_DOMAIN_NAME, - username=self.TEST_USER, - password=self.TEST_TOKEN, - project_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(user_domain_name=self.TEST_DOMAIN_NAME, + username=self.TEST_USER, + password=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.management_url, self.TEST_RESPONSE_DICT["token"]["catalog"][3] @@ -135,11 +138,13 @@ def test_auth_redirect(self): def test_authenticate_success_domain_username_password_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(user_domain_name=self.TEST_DOMAIN_NAME, - username=self.TEST_USER, - password=self.TEST_TOKEN, - project_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(user_domain_name=self.TEST_DOMAIN_NAME, + username=self.TEST_USER, + password=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.management_url, self.TEST_RESPONSE_DICT["token"]["catalog"][3] ['endpoints'][2]["url"]) @@ -165,10 +170,12 @@ def test_authenticate_success_userid_password_domain_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(user_id=self.TEST_USER, - password=self.TEST_TOKEN, - domain_id=self.TEST_DOMAIN_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(user_id=self.TEST_USER, + password=self.TEST_TOKEN, + domain_id=self.TEST_DOMAIN_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_domain_id, self.TEST_DOMAIN_ID) self.assertEqual(cs.management_url, @@ -186,10 +193,12 @@ def test_authenticate_success_userid_password_project_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(user_id=self.TEST_USER, - password=self.TEST_TOKEN, - project_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(user_id=self.TEST_USER, + password=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_tenant_id, self.TEST_TENANT_ID) self.assertEqual(cs.management_url, @@ -205,13 +214,15 @@ def test_authenticate_success_password_unscoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(user_domain_name=self.TEST_DOMAIN_NAME, - username=self.TEST_USER, - password=self.TEST_TOKEN, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(user_domain_name=self.TEST_DOMAIN_NAME, + username=self.TEST_USER, + password=self.TEST_TOKEN, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_token, self.TEST_RESPONSE_HEADERS["X-Subject-Token"]) - self.assertFalse('catalog' in cs.service_catalog.catalog) + self.assertNotIn('catalog', cs.service_catalog.catalog) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_auth_url_token_authentication(self): @@ -221,17 +232,19 @@ def test_auth_url_token_authentication(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) self.stub_url('GET', [fake_url], json=fake_resp, - base_url=self.TEST_ADMIN_IDENTITY_ENDPOINT) + base_url=self.TEST_PUBLIC_IDENTITY_ENDPOINT) - cl = client.Client(auth_url=self.TEST_URL, - token=fake_token) - body = jsonutils.loads(self.requests.last_request.body) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(auth_url=self.TEST_URL, + token=fake_token) + body = jsonutils.loads(self.requests_mock.last_request.body) self.assertEqual(body['auth']['identity']['token']['id'], fake_token) - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(self.TEST_TOKEN, token) def test_authenticate_success_token_domain_scoped(self): @@ -256,9 +269,11 @@ def test_authenticate_success_token_domain_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(token=self.TEST_TOKEN, - domain_id=self.TEST_DOMAIN_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(token=self.TEST_TOKEN, + domain_id=self.TEST_DOMAIN_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_domain_id, self.TEST_DOMAIN_ID) self.assertEqual(cs.management_url, @@ -278,9 +293,11 @@ def test_authenticate_success_token_project_scoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(token=self.TEST_TOKEN, - project_id=self.TEST_TENANT_ID, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(token=self.TEST_TOKEN, + project_id=self.TEST_TENANT_ID, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_tenant_id, self.TEST_TENANT_ID) self.assertEqual(cs.management_url, @@ -302,11 +319,13 @@ def test_authenticate_success_token_unscoped(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) - cs = client.Client(token=self.TEST_TOKEN, - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client(token=self.TEST_TOKEN, + auth_url=self.TEST_URL) self.assertEqual(cs.auth_token, self.TEST_RESPONSE_HEADERS["X-Subject-Token"]) - self.assertFalse('catalog' in cs.service_catalog.catalog) + self.assertNotIn('catalog', cs.service_catalog.catalog) self.assertRequestBodyIs(json=self.TEST_REQUEST_BODY) def test_allow_override_of_auth_token(self): @@ -316,36 +335,38 @@ def test_allow_override_of_auth_token(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) self.stub_url('GET', [fake_url], json=fake_resp, - base_url=self.TEST_ADMIN_IDENTITY_ENDPOINT) + base_url=self.TEST_PUBLIC_IDENTITY_ENDPOINT) - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL) self.assertEqual(cl.auth_token, self.TEST_TOKEN) # the token returned from the authentication will be used - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(self.TEST_TOKEN, token) # then override that token and the new token shall be used cl.auth_token = fake_token - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(fake_token, token) # if we clear that overridden token then we fall back to the original del cl.auth_token - resp, body = cl.get(fake_url) + resp, body = cl._adapter.get(fake_url) self.assertEqual(fake_resp, body) - token = self.requests.last_request.headers.get('X-Auth-Token') + token = self.requests_mock.last_request.headers.get('X-Auth-Token') self.assertEqual(self.TEST_TOKEN, token) diff --git a/keystoneclient/tests/unit/v3/test_auth_manager.py b/keystoneclient/tests/unit/v3/test_auth_manager.py new file mode 100644 index 000000000..dec8b0c05 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_auth_manager.py @@ -0,0 +1,78 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1 import fixture + +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import auth + + +class AuthProjectsTest(utils.ClientTestCase): + + def setUp(self): + super(AuthProjectsTest, self).setUp() + + self.v3token = fixture.V3Token() + self.stub_auth(json=self.v3token) + + self.stub_url('GET', + [], + json={'version': fixture.V3Discovery(self.TEST_URL)}) + + def create_resource(self, id=None, name=None, **kwargs): + kwargs['id'] = id or uuid.uuid4().hex + kwargs['name'] = name or uuid.uuid4().hex + return kwargs + + def test_get_projects(self): + body = {'projects': [self.create_resource(), + self.create_resource(), + self.create_resource()]} + + self.stub_url('GET', ['auth', 'projects'], json=body) + + projects = self.client.auth.projects() + + self.assertEqual(3, len(projects)) + + for p in projects: + self.assertIsInstance(p, auth.Project) + + def test_get_domains(self): + body = {'domains': [self.create_resource(), + self.create_resource(), + self.create_resource()]} + + self.stub_url('GET', ['auth', 'domains'], json=body) + + domains = self.client.auth.domains() + + self.assertEqual(3, len(domains)) + + for d in domains: + self.assertIsInstance(d, auth.Domain) + + def test_get_systems(self): + body = {'system': [{ + 'all': True, + }]} + + self.stub_url('GET', ['auth', 'system'], json=body) + + systems = self.client.auth.systems() + system = systems[0] + + self.assertEqual(1, len(systems)) + self.assertIsInstance(system, auth.System) + self.assertTrue(system.all) diff --git a/keystoneclient/tests/unit/v3/test_auth_oidc.py b/keystoneclient/tests/unit/v3/test_auth_oidc.py new file mode 100644 index 000000000..278800bca --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_auth_oidc.py @@ -0,0 +1,189 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import urllib.parse +import uuid + +from oslo_config import fixture as config + +import testtools + +from keystoneclient.auth import conf +from keystoneclient.contrib.auth.v3 import oidc +from keystoneclient import session +from keystoneclient.tests.unit.v3 import utils + + +ACCESS_TOKEN_ENDPOINT_RESP = {"access_token": "z5H1ITZLlJVDHQXqJun", + "token_type": "bearer", + "expires_in": 3599, + "scope": "profile", + "refresh_token": "DCERsh83IAhu9bhavrp"} + +KEYSTONE_TOKEN_VALUE = uuid.uuid4().hex +UNSCOPED_TOKEN = { + "token": { + "issued_at": "2014-06-09T09:48:59.643406Z", + "extras": {}, + "methods": ["oidc"], + "expires_at": "2014-06-09T10:48:59.643375Z", + "user": { + "OS-FEDERATION": { + "identity_provider": { + "id": "bluepages" + }, + "protocol": { + "id": "oidc" + }, + "groups": [ + {"id": "1764fa5cf69a49a4918131de5ce4af9a"} + ] + }, + "id": "oidc_user%40example.com", + "name": "oidc_user@example.com" + } + } +} + + +class AuthenticateOIDCTests(utils.TestCase): + + GROUP = 'auth' + + def setUp(self): + super(AuthenticateOIDCTests, self).setUp() + + self.deprecations.expect_deprecations() + + self.conf_fixture = self.useFixture(config.Config()) + conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) + + self.session = session.Session() + + self.IDENTITY_PROVIDER = 'bluepages' + self.PROTOCOL = 'oidc' + self.USER_NAME = 'oidc_user@example.com' + self.PASSWORD = uuid.uuid4().hex + self.CLIENT_ID = uuid.uuid4().hex + self.CLIENT_SECRET = uuid.uuid4().hex + self.ACCESS_TOKEN_ENDPOINT = 'https://localhost:8020/oidc/token' + self.FEDERATION_AUTH_URL = '%s/%s' % ( + self.TEST_URL, + 'OS-FEDERATION/identity_providers/bluepages/protocols/oidc/auth') + + self.oidcplugin = oidc.OidcPassword( + self.TEST_URL, + self.IDENTITY_PROVIDER, + self.PROTOCOL, + username=self.USER_NAME, + password=self.PASSWORD, + client_id=self.CLIENT_ID, + client_secret=self.CLIENT_SECRET, + access_token_endpoint=self.ACCESS_TOKEN_ENDPOINT) + + @testtools.skip("TypeError: __init__() got an unexpected keyword" + " argument 'project_name'") + def test_conf_params(self): + """Ensure OpenID Connect config options work.""" + section = uuid.uuid4().hex + identity_provider = uuid.uuid4().hex + protocol = uuid.uuid4().hex + username = uuid.uuid4().hex + password = uuid.uuid4().hex + client_id = uuid.uuid4().hex + client_secret = uuid.uuid4().hex + access_token_endpoint = uuid.uuid4().hex + + self.conf_fixture.config(auth_section=section, group=self.GROUP) + conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) + + self.conf_fixture.register_opts(oidc.OidcPassword.get_options(), + group=section) + self.conf_fixture.config(auth_plugin='v3oidcpassword', + identity_provider=identity_provider, + protocol=protocol, + username=username, + password=password, + client_id=client_id, + client_secret=client_secret, + access_token_endpoint=access_token_endpoint, + group=section) + + a = conf.load_from_conf_options(self.conf_fixture.conf, self.GROUP) + self.assertEqual(identity_provider, a.identity_provider) + self.assertEqual(protocol, a.protocol) + self.assertEqual(username, a.username) + self.assertEqual(password, a.password) + self.assertEqual(client_id, a.client_id) + self.assertEqual(client_secret, a.client_secret) + self.assertEqual(access_token_endpoint, a.access_token_endpoint) + + def test_initial_call_to_get_access_token(self): + """Test initial call, expect JSON access token.""" + # Mock the output that creates the access token + self.requests_mock.post( + self.ACCESS_TOKEN_ENDPOINT, + json=ACCESS_TOKEN_ENDPOINT_RESP) + + # Prep all the values and send the request + grant_type = 'password' + scope = 'profile email' + client_auth = (self.CLIENT_ID, self.CLIENT_SECRET) + payload = {'grant_type': grant_type, 'username': self.USER_NAME, + 'password': self.PASSWORD, 'scope': scope} + res = self.oidcplugin._get_access_token(self.session, + client_auth, + payload, + self.ACCESS_TOKEN_ENDPOINT) + + # Verify the request matches the expected structure + self.assertEqual(self.ACCESS_TOKEN_ENDPOINT, res.request.url) + self.assertEqual('POST', res.request.method) + encoded_payload = urllib.parse.urlencode(payload) + self.assertEqual(encoded_payload, res.request.body) + + def test_second_call_to_protected_url(self): + """Test subsequent call, expect Keystone token.""" + # Mock the output that creates the keystone token + self.requests_mock.post( + self.FEDERATION_AUTH_URL, + json=UNSCOPED_TOKEN, + headers={'X-Subject-Token': KEYSTONE_TOKEN_VALUE}) + + # Prep all the values and send the request + access_token = uuid.uuid4().hex + headers = {'Authorization': 'Bearer ' + access_token} + res = self.oidcplugin._get_keystone_token(self.session, + headers, + self.FEDERATION_AUTH_URL) + + # Verify the request matches the expected structure + self.assertEqual(self.FEDERATION_AUTH_URL, res.request.url) + self.assertEqual('POST', res.request.method) + self.assertEqual(headers['Authorization'], + res.request.headers['Authorization']) + + def test_end_to_end_workflow(self): + """Test full OpenID Connect workflow.""" + # Mock the output that creates the access token + self.requests_mock.post( + self.ACCESS_TOKEN_ENDPOINT, + json=ACCESS_TOKEN_ENDPOINT_RESP) + + # Mock the output that creates the keystone token + self.requests_mock.post( + self.FEDERATION_AUTH_URL, + json=UNSCOPED_TOKEN, + headers={'X-Subject-Token': KEYSTONE_TOKEN_VALUE}) + + response = self.oidcplugin.get_unscoped_auth_ref(self.session) + self.assertEqual(KEYSTONE_TOKEN_VALUE, response.auth_token) diff --git a/keystoneclient/tests/unit/v3/test_auth_saml2.py b/keystoneclient/tests/unit/v3/test_auth_saml2.py new file mode 100644 index 000000000..8c2f67daa --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_auth_saml2.py @@ -0,0 +1,669 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import os +import urllib.parse +import uuid + +from lxml import etree +from oslo_config import fixture as config +import requests + +from keystoneclient.auth import conf +from keystoneclient.contrib.auth.v3 import saml2 +from keystoneclient import exceptions +from keystoneclient import session +from keystoneclient.tests.unit.v3 import client_fixtures +from keystoneclient.tests.unit.v3 import saml2_fixtures +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3.contrib.federation import saml as saml_manager + +ROOTDIR = os.path.dirname(os.path.abspath(__file__)) +XMLDIR = os.path.join(ROOTDIR, 'examples', 'xml/') + + +def make_oneline(s): + return etree.tostring(etree.XML(s)).replace(b'\n', b'') + + +def _load_xml(filename): + with open(XMLDIR + filename, 'rb') as f: + return make_oneline(f.read()) + + +class AuthenticateviaSAML2Tests(utils.TestCase): + + GROUP = 'auth' + + class _AuthenticatedResponse(object): + headers = { + 'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER + } + + def json(self): + return saml2_fixtures.UNSCOPED_TOKEN + + class _AuthenticatedResponseInvalidJson(_AuthenticatedResponse): + + def json(self): + raise ValueError() + + class _AuthentiatedResponseMissingTokenID(_AuthenticatedResponse): + headers = {} + + def setUp(self): + super(AuthenticateviaSAML2Tests, self).setUp() + + self.deprecations.expect_deprecations() + + self.conf_fixture = self.useFixture(config.Config()) + conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) + + self.session = session.Session() + + self.ECP_SP_EMPTY_REQUEST_HEADERS = { + 'Accept': 'text/html; application/vnd.paos+xml', + 'PAOS': ('ver="urn:liberty:paos:2003-08";' + '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"') + } + + self.ECP_SP_SAML2_REQUEST_HEADERS = { + 'Content-Type': 'application/vnd.paos+xml' + } + + self.ECP_SAML2_NAMESPACES = { + 'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp', + 'S': 'http://schemas.xmlsoap.org/soap/envelope/', + 'paos': 'urn:liberty:paos:2003-08' + } + self.ECP_RELAY_STATE = '//ecp:RelayState' + self.ECP_SERVICE_PROVIDER_CONSUMER_URL = ('/S:Envelope/S:Header/paos:' + 'Request/' + '@responseConsumerURL') + self.ECP_IDP_CONSUMER_URL = ('/S:Envelope/S:Header/ecp:Response/' + '@AssertionConsumerServiceURL') + self.IDENTITY_PROVIDER = 'testidp' + self.IDENTITY_PROVIDER_URL = 'http://local.url' + self.PROTOCOL = 'saml2' + self.FEDERATION_AUTH_URL = '%s/%s' % ( + self.TEST_URL, + 'OS-FEDERATION/identity_providers/testidp/protocols/saml2/auth') + self.SHIB_CONSUMER_URL = ('https://openstack4.local/' + 'Shibboleth.sso/SAML2/ECP') + + self.saml2plugin = saml2.Saml2UnscopedToken( + self.TEST_URL, + self.IDENTITY_PROVIDER, self.IDENTITY_PROVIDER_URL, + self.TEST_USER, self.TEST_TOKEN) + + def test_conf_params(self): + pass + + def test_initial_sp_call(self): + """Test initial call, expect SOAP message.""" + self.requests_mock.get( + self.FEDERATION_AUTH_URL, + content=make_oneline(saml2_fixtures.SP_SOAP_RESPONSE)) + a = self.saml2plugin._send_service_provider_request(self.session) + + self.assertFalse(a) + + fixture_soap_response = make_oneline( + saml2_fixtures.SP_SOAP_RESPONSE) + + sp_soap_response = make_oneline( + etree.tostring(self.saml2plugin.saml2_authn_request)) + + error_msg = "Expected %s instead of %s" % (fixture_soap_response, + sp_soap_response) + + self.assertEqual(fixture_soap_response, sp_soap_response, error_msg) + + self.assertEqual( + self.saml2plugin.sp_response_consumer_url, self.SHIB_CONSUMER_URL, + "Expected consumer_url set to %s instead of %s" % ( + self.SHIB_CONSUMER_URL, + str(self.saml2plugin.sp_response_consumer_url))) + + def test_initial_sp_call_when_saml_authenticated(self): + self.requests_mock.get( + self.FEDERATION_AUTH_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) + + a = self.saml2plugin._send_service_provider_request(self.session) + self.assertTrue(a) + self.assertEqual( + saml2_fixtures.UNSCOPED_TOKEN['token'], + self.saml2plugin.authenticated_response.json()['token']) + self.assertEqual( + saml2_fixtures.UNSCOPED_TOKEN_HEADER, + self.saml2plugin.authenticated_response.headers['X-Subject-Token']) + + def test_get_unscoped_token_when_authenticated(self): + self.requests_mock.get( + self.FEDERATION_AUTH_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER, + 'Content-Type': 'application/json'}) + + token, token_body = self.saml2plugin._get_unscoped_token(self.session) + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN['token'], token_body) + + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN_HEADER, token) + + def test_initial_sp_call_invalid_response(self): + """Send initial SP HTTP request and receive wrong server response.""" + self.requests_mock.get(self.FEDERATION_AUTH_URL, + text='NON XML RESPONSE') + + self.assertRaises( + exceptions.AuthorizationFailure, + self.saml2plugin._send_service_provider_request, + self.session) + + def test_send_authn_req_to_idp(self): + self.requests_mock.post(self.IDENTITY_PROVIDER_URL, + content=saml2_fixtures.SAML2_ASSERTION) + + self.saml2plugin.sp_response_consumer_url = self.SHIB_CONSUMER_URL + self.saml2plugin.saml2_authn_request = etree.XML( + saml2_fixtures.SP_SOAP_RESPONSE) + self.saml2plugin._send_idp_saml2_authn_request(self.session) + + idp_response = make_oneline(etree.tostring( + self.saml2plugin.saml2_idp_authn_response)) + + saml2_assertion_oneline = make_oneline( + saml2_fixtures.SAML2_ASSERTION) + error = "Expected %s instead of %s" % (saml2_fixtures.SAML2_ASSERTION, + idp_response) + self.assertEqual(idp_response, saml2_assertion_oneline, error) + + def test_fail_basicauth_idp_authentication(self): + self.requests_mock.post(self.IDENTITY_PROVIDER_URL, status_code=401) + + self.saml2plugin.sp_response_consumer_url = self.SHIB_CONSUMER_URL + self.saml2plugin.saml2_authn_request = etree.XML( + saml2_fixtures.SP_SOAP_RESPONSE) + self.assertRaises( + exceptions.Unauthorized, + self.saml2plugin._send_idp_saml2_authn_request, + self.session) + + def test_mising_username_password_in_plugin(self): + self.assertRaises(TypeError, + saml2.Saml2UnscopedToken, + self.TEST_URL, self.IDENTITY_PROVIDER, + self.IDENTITY_PROVIDER_URL) + + def test_send_authn_response_to_sp(self): + self.requests_mock.post( + self.SHIB_CONSUMER_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) + + self.saml2plugin.relay_state = etree.XML( + saml2_fixtures.SP_SOAP_RESPONSE).xpath( + self.ECP_RELAY_STATE, namespaces=self.ECP_SAML2_NAMESPACES)[0] + + self.saml2plugin.saml2_idp_authn_response = etree.XML( + saml2_fixtures.SAML2_ASSERTION) + + self.saml2plugin.idp_response_consumer_url = self.SHIB_CONSUMER_URL + self.saml2plugin._send_service_provider_saml2_authn_response( + self.session) + token_json = self.saml2plugin.authenticated_response.json()['token'] + token = self.saml2plugin.authenticated_response.headers[ + 'X-Subject-Token'] + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN['token'], + token_json) + + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN_HEADER, + token) + + def test_consumer_url_mismatch_success(self): + self.saml2plugin._check_consumer_urls( + self.session, self.SHIB_CONSUMER_URL, + self.SHIB_CONSUMER_URL) + + def test_consumer_url_mismatch(self): + self.requests_mock.post(self.SHIB_CONSUMER_URL) + invalid_consumer_url = uuid.uuid4().hex + self.assertRaises( + exceptions.ValidationError, + self.saml2plugin._check_consumer_urls, + self.session, self.SHIB_CONSUMER_URL, + invalid_consumer_url) + + def test_custom_302_redirection(self): + self.requests_mock.post( + self.SHIB_CONSUMER_URL, + text='BODY', + headers={'location': self.FEDERATION_AUTH_URL}, + status_code=302) + + self.requests_mock.get( + self.FEDERATION_AUTH_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) + + self.session.redirect = False + response = self.session.post( + self.SHIB_CONSUMER_URL, data='CLIENT BODY') + self.assertEqual(302, response.status_code) + self.assertEqual(self.FEDERATION_AUTH_URL, + response.headers['location']) + + response = self.saml2plugin._handle_http_ecp_redirect( + self.session, response, 'GET') + + self.assertEqual(self.FEDERATION_AUTH_URL, response.request.url) + self.assertEqual('GET', response.request.method) + + def test_custom_303_redirection(self): + self.requests_mock.post( + self.SHIB_CONSUMER_URL, + text='BODY', + headers={'location': self.FEDERATION_AUTH_URL}, + status_code=303) + + self.requests_mock.get( + self.FEDERATION_AUTH_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) + + self.session.redirect = False + response = self.session.post( + self.SHIB_CONSUMER_URL, data='CLIENT BODY') + self.assertEqual(303, response.status_code) + self.assertEqual(self.FEDERATION_AUTH_URL, + response.headers['location']) + + response = self.saml2plugin._handle_http_ecp_redirect( + self.session, response, 'GET') + + self.assertEqual(self.FEDERATION_AUTH_URL, response.request.url) + self.assertEqual('GET', response.request.method) + + def test_end_to_end_workflow(self): + self.requests_mock.get( + self.FEDERATION_AUTH_URL, + content=make_oneline(saml2_fixtures.SP_SOAP_RESPONSE)) + + self.requests_mock.post(self.IDENTITY_PROVIDER_URL, + content=saml2_fixtures.SAML2_ASSERTION) + + self.requests_mock.post( + self.SHIB_CONSUMER_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER, + 'Content-Type': 'application/json'}) + + self.session.redirect = False + response = self.saml2plugin.get_auth_ref(self.session) + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN_HEADER, + response.auth_token) + + +class ScopeFederationTokenTests(AuthenticateviaSAML2Tests): + + TEST_TOKEN = client_fixtures.AUTH_SUBJECT_TOKEN + + def setUp(self): + super(ScopeFederationTokenTests, self).setUp() + + self.PROJECT_SCOPED_TOKEN_JSON = client_fixtures.project_scoped_token() + self.PROJECT_SCOPED_TOKEN_JSON['methods'] = ['saml2'] + + # for better readability + self.TEST_TENANT_ID = self.PROJECT_SCOPED_TOKEN_JSON.project_id + self.TEST_TENANT_NAME = self.PROJECT_SCOPED_TOKEN_JSON.project_name + + self.DOMAIN_SCOPED_TOKEN_JSON = client_fixtures.domain_scoped_token() + self.DOMAIN_SCOPED_TOKEN_JSON['methods'] = ['saml2'] + + # for better readability + self.TEST_DOMAIN_ID = self.DOMAIN_SCOPED_TOKEN_JSON.domain_id + self.TEST_DOMAIN_NAME = self.DOMAIN_SCOPED_TOKEN_JSON.domain_name + + self.saml2_scope_plugin = saml2.Saml2ScopedToken( + self.TEST_URL, saml2_fixtures.UNSCOPED_TOKEN_HEADER, + project_id=self.TEST_TENANT_ID) + + def test_scope_saml2_token_to_project(self): + self.stub_auth(json=self.PROJECT_SCOPED_TOKEN_JSON) + + token = self.saml2_scope_plugin.get_auth_ref(self.session) + self.assertTrue(token.project_scoped, "Received token is not scoped") + self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, token.auth_token) + self.assertEqual(self.TEST_TENANT_ID, token.project_id) + self.assertEqual(self.TEST_TENANT_NAME, token.project_name) + + def test_scope_saml2_token_to_invalid_project(self): + self.stub_auth(status_code=401) + self.saml2_scope_plugin.project_id = uuid.uuid4().hex + self.saml2_scope_plugin.project_name = None + self.assertRaises(exceptions.Unauthorized, + self.saml2_scope_plugin.get_auth_ref, + self.session) + + def test_scope_saml2_token_to_invalid_domain(self): + self.stub_auth(status_code=401) + self.saml2_scope_plugin.project_id = None + self.saml2_scope_plugin.project_name = None + self.saml2_scope_plugin.domain_id = uuid.uuid4().hex + self.saml2_scope_plugin.domain_name = None + self.assertRaises(exceptions.Unauthorized, + self.saml2_scope_plugin.get_auth_ref, + self.session) + + def test_scope_saml2_token_to_domain(self): + self.stub_auth(json=self.DOMAIN_SCOPED_TOKEN_JSON) + token = self.saml2_scope_plugin.get_auth_ref(self.session) + self.assertTrue(token.domain_scoped, "Received token is not scoped") + self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, token.auth_token) + self.assertEqual(self.TEST_DOMAIN_ID, token.domain_id) + self.assertEqual(self.TEST_DOMAIN_NAME, token.domain_name) + + def test_dont_set_project_nor_domain(self): + self.saml2_scope_plugin.project_id = None + self.saml2_scope_plugin.domain_id = None + self.assertRaises(exceptions.ValidationError, + saml2.Saml2ScopedToken, + self.TEST_URL, client_fixtures.AUTH_SUBJECT_TOKEN) + + +class AuthenticateviaADFSTests(utils.TestCase): + + GROUP = 'auth' + + NAMESPACES = { + 's': 'http://www.w3.org/2003/05/soap-envelope', + 'trust': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512', + 'wsa': 'http://www.w3.org/2005/08/addressing', + 'wsp': 'http://schemas.xmlsoap.org/ws/2004/09/policy', + 'a': 'http://www.w3.org/2005/08/addressing', + 'o': ('http://docs.oasis-open.org/wss/2004/01/oasis' + '-200401-wss-wssecurity-secext-1.0.xsd') + } + + USER_XPATH = ('/s:Envelope/s:Header' + '/o:Security' + '/o:UsernameToken' + '/o:Username') + PASSWORD_XPATH = ('/s:Envelope/s:Header' + '/o:Security' + '/o:UsernameToken' + '/o:Password') + ADDRESS_XPATH = ('/s:Envelope/s:Body' + '/trust:RequestSecurityToken' + '/wsp:AppliesTo/wsa:EndpointReference' + '/wsa:Address') + TO_XPATH = ('/s:Envelope/s:Header' + '/a:To') + + @property + def _uuid4(self): + return '4b911420-4982-4009-8afc-5c596cd487f5' + + def setUp(self): + super(AuthenticateviaADFSTests, self).setUp() + + self.deprecations.expect_deprecations() + + self.conf_fixture = self.useFixture(config.Config()) + conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) + + self.session = session.Session(session=requests.Session()) + + self.IDENTITY_PROVIDER = 'adfs' + self.IDENTITY_PROVIDER_URL = ('http://adfs.local/adfs/service/trust/13' + '/usernamemixed') + self.FEDERATION_AUTH_URL = '%s/%s' % ( + self.TEST_URL, + 'OS-FEDERATION/identity_providers/adfs/protocols/saml2/auth') + self.SP_ENDPOINT = 'https://openstack4.local/Shibboleth.sso/ADFS' + + self.adfsplugin = saml2.ADFSUnscopedToken( + self.TEST_URL, self.IDENTITY_PROVIDER, + self.IDENTITY_PROVIDER_URL, self.SP_ENDPOINT, + self.TEST_USER, self.TEST_TOKEN) + + self.ADFS_SECURITY_TOKEN_RESPONSE = _load_xml( + 'ADFS_RequestSecurityTokenResponse.xml') + self.ADFS_FAULT = _load_xml('ADFS_fault.xml') + + def test_conf_params(self): + pass + + def test_get_adfs_security_token(self): + """Test ADFSUnscopedToken._get_adfs_security_token().""" + self.requests_mock.post( + self.IDENTITY_PROVIDER_URL, + content=make_oneline(self.ADFS_SECURITY_TOKEN_RESPONSE), + status_code=200) + + self.adfsplugin._prepare_adfs_request() + self.adfsplugin._get_adfs_security_token(self.session) + + adfs_response = etree.tostring(self.adfsplugin.adfs_token) + fixture_response = self.ADFS_SECURITY_TOKEN_RESPONSE + + self.assertEqual(fixture_response, adfs_response) + + def test_adfs_request_user(self): + self.adfsplugin._prepare_adfs_request() + user = self.adfsplugin.prepared_request.xpath( + self.USER_XPATH, namespaces=self.NAMESPACES)[0] + self.assertEqual(self.TEST_USER, user.text) + + def test_adfs_request_password(self): + self.adfsplugin._prepare_adfs_request() + password = self.adfsplugin.prepared_request.xpath( + self.PASSWORD_XPATH, namespaces=self.NAMESPACES)[0] + self.assertEqual(self.TEST_TOKEN, password.text) + + def test_adfs_request_to(self): + self.adfsplugin._prepare_adfs_request() + to = self.adfsplugin.prepared_request.xpath( + self.TO_XPATH, namespaces=self.NAMESPACES)[0] + self.assertEqual(self.IDENTITY_PROVIDER_URL, to.text) + + def test_prepare_adfs_request_address(self): + self.adfsplugin._prepare_adfs_request() + address = self.adfsplugin.prepared_request.xpath( + self.ADDRESS_XPATH, namespaces=self.NAMESPACES)[0] + self.assertEqual(self.SP_ENDPOINT, address.text) + + def test_prepare_sp_request(self): + assertion = etree.XML(self.ADFS_SECURITY_TOKEN_RESPONSE) + assertion = assertion.xpath( + saml2.ADFSUnscopedToken.ADFS_ASSERTION_XPATH, + namespaces=saml2.ADFSUnscopedToken.ADFS_TOKEN_NAMESPACES) + assertion = assertion[0] + assertion = etree.tostring(assertion) + + assertion = assertion.replace( + b'http://docs.oasis-open.org/ws-sx/ws-trust/200512', + b'http://schemas.xmlsoap.org/ws/2005/02/trust') + assertion = urllib.parse.quote(assertion) + assertion = 'wa=wsignin1.0&wresult=' + assertion + + self.adfsplugin.adfs_token = etree.XML( + self.ADFS_SECURITY_TOKEN_RESPONSE) + self.adfsplugin._prepare_sp_request() + + self.assertEqual(assertion, self.adfsplugin.encoded_assertion) + + def test_get_adfs_security_token_authn_fail(self): + """Test proper parsing XML fault after bad authentication. + + An exceptions.AuthorizationFailure should be raised including + error message from the XML message indicating where was the problem. + """ + self.requests_mock.post(self.IDENTITY_PROVIDER_URL, + content=make_oneline(self.ADFS_FAULT), + status_code=500) + + self.adfsplugin._prepare_adfs_request() + self.assertRaises(exceptions.AuthorizationFailure, + self.adfsplugin._get_adfs_security_token, + self.session) + # TODO(marek-denis): Python3 tests complain about missing 'message' + # attributes + # self.assertEqual('a:FailedAuthentication', e.message) + + def test_get_adfs_security_token_bad_response(self): + """Test proper handling HTTP 500 and mangled (non XML) response. + + This should never happen yet, keystoneclient should be prepared + and correctly raise exceptions.InternalServerError once it cannot + parse XML fault message + """ + self.requests_mock.post(self.IDENTITY_PROVIDER_URL, + content=b'NOT XML', + status_code=500) + self.adfsplugin._prepare_adfs_request() + self.assertRaises(exceptions.InternalServerError, + self.adfsplugin._get_adfs_security_token, + self.session) + + # TODO(marek-denis): Need to figure out how to properly send cookies + # from the request_uri() method. + def _send_assertion_to_service_provider(self): + """Test whether SP issues a cookie.""" + cookie = uuid.uuid4().hex + + self.requests_mock.post(self.SP_ENDPOINT, + headers={"set-cookie": cookie}, + status_code=302) + + self.adfsplugin.adfs_token = self._build_adfs_request() + self.adfsplugin._prepare_sp_request() + self.adfsplugin._send_assertion_to_service_provider(self.session) + + self.assertEqual(1, len(self.session.session.cookies)) + + def test_send_assertion_to_service_provider_bad_status(self): + self.requests_mock.post(self.SP_ENDPOINT, status_code=500) + + self.adfsplugin.adfs_token = etree.XML( + self.ADFS_SECURITY_TOKEN_RESPONSE) + self.adfsplugin._prepare_sp_request() + + self.assertRaises( + exceptions.InternalServerError, + self.adfsplugin._send_assertion_to_service_provider, + self.session) + + def test_access_sp_no_cookies_fail(self): + # There are no cookies in the session initially, and + # _access_service_provider requires a cookie in the session. + self.assertRaises(exceptions.AuthorizationFailure, + self.adfsplugin._access_service_provider, + self.session) + + def test_check_valid_token_when_authenticated(self): + self.requests_mock.get(self.FEDERATION_AUTH_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers=client_fixtures.AUTH_RESPONSE_HEADERS) + + # _access_service_provider requires a cookie in the session. + cookie = requests.cookies.create_cookie( + name=self.getUniqueString(), value=self.getUniqueString()) + self.session.session.cookies.set_cookie(cookie) + + self.adfsplugin._access_service_provider(self.session) + response = self.adfsplugin.authenticated_response + + self.assertEqual(client_fixtures.AUTH_RESPONSE_HEADERS, + response.headers) + + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN['token'], + response.json()['token']) + + def test_end_to_end_workflow(self): + self.requests_mock.post(self.IDENTITY_PROVIDER_URL, + content=self.ADFS_SECURITY_TOKEN_RESPONSE, + status_code=200) + self.requests_mock.post(self.SP_ENDPOINT, + headers={"set-cookie": 'x'}, + status_code=302) + self.requests_mock.get(self.FEDERATION_AUTH_URL, + json=saml2_fixtures.UNSCOPED_TOKEN, + headers=client_fixtures.AUTH_RESPONSE_HEADERS) + + # NOTE(marek-denis): We need to mimic this until self.requests_mock can + # issue cookies properly. + cookie = requests.cookies.create_cookie( + name=self.getUniqueString(), value=self.getUniqueString()) + self.session.session.cookies.set_cookie(cookie) + + token, token_json = self.adfsplugin._get_unscoped_token(self.session) + self.assertEqual(token, client_fixtures.AUTH_SUBJECT_TOKEN) + self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN['token'], token_json) + + +class SAMLGenerationTests(utils.ClientTestCase): + + def setUp(self): + super(SAMLGenerationTests, self).setUp() + self.manager = self.client.federation.saml + self.SAML2_FULL_URL = ''.join([self.TEST_URL, + saml_manager.SAML2_ENDPOINT]) + self.ECP_FULL_URL = ''.join([self.TEST_URL, + saml_manager.ECP_ENDPOINT]) + + def test_saml_create(self): + """Test that a token can be exchanged for a SAML assertion.""" + token_id = uuid.uuid4().hex + service_provider_id = uuid.uuid4().hex + + # Mock the returned text for '/auth/OS-FEDERATION/saml2 + self.requests_mock.post(self.SAML2_FULL_URL, + text=saml2_fixtures.TOKEN_BASED_SAML) + + text = self.manager.create_saml_assertion(service_provider_id, + token_id) + + # Ensure returned text is correct + self.assertEqual(saml2_fixtures.TOKEN_BASED_SAML, text) + + # Ensure request headers and body are correct + req_json = self.requests_mock.last_request.json() + self.assertEqual(token_id, req_json['auth']['identity']['token']['id']) + self.assertEqual(service_provider_id, + req_json['auth']['scope']['service_provider']['id']) + self.assertRequestHeaderEqual('Content-Type', 'application/json') + + def test_ecp_create(self): + """Test that a token can be exchanged for an ECP wrapped assertion.""" + token_id = uuid.uuid4().hex + service_provider_id = uuid.uuid4().hex + + # Mock returned text for '/auth/OS-FEDERATION/saml2/ecp + self.requests_mock.post(self.ECP_FULL_URL, + text=saml2_fixtures.TOKEN_BASED_ECP) + + text = self.manager.create_ecp_assertion(service_provider_id, + token_id) + + # Ensure returned text is correct + self.assertEqual(saml2_fixtures.TOKEN_BASED_ECP, text) + + # Ensure request headers and body are correct + req_json = self.requests_mock.last_request.json() + self.assertEqual(token_id, req_json['auth']['identity']['token']['id']) + self.assertEqual(service_provider_id, + req_json['auth']['scope']['service_provider']['id']) + self.assertRequestHeaderEqual('Content-Type', 'application/json') diff --git a/keystoneclient/tests/unit/v3/test_client.py b/keystoneclient/tests/unit/v3/test_client.py new file mode 100644 index 000000000..82088fdfc --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_client.py @@ -0,0 +1,270 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import copy +import uuid + +from oslo_serialization import jsonutils + +from keystoneauth1 import session as auth_session +from keystoneclient.auth import token_endpoint +from keystoneclient import exceptions +from keystoneclient import session +from keystoneclient.tests.unit.v3 import client_fixtures +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import client + + +class KeystoneClientTest(utils.TestCase): + + def test_unscoped_init(self): + token = client_fixtures.unscoped_token() + self.stub_auth(json=token) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(user_domain_name=token.user_domain_name, + username=token.user_name, + password='password', + auth_url=self.TEST_URL) + self.assertIsNotNone(c.auth_ref) + self.assertFalse(c.auth_ref.domain_scoped) + self.assertFalse(c.auth_ref.project_scoped) + self.assertEqual(token.user_id, c.auth_user_id) + self.assertFalse(c.has_service_catalog()) + + self.assertEqual(token.user_id, c.get_user_id(session=None)) + self.assertIsNone(c.get_project_id(session=None)) + + def test_domain_scoped_init(self): + token = client_fixtures.domain_scoped_token() + self.stub_auth(json=token) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(user_id=token.user_id, + password='password', + domain_name=token.domain_name, + auth_url=self.TEST_URL) + self.assertIsNotNone(c.auth_ref) + self.assertTrue(c.auth_ref.domain_scoped) + self.assertFalse(c.auth_ref.project_scoped) + self.assertEqual(token.user_id, c.auth_user_id) + self.assertEqual(token.domain_id, c.auth_domain_id) + + def test_project_scoped_init(self): + token = client_fixtures.project_scoped_token() + self.stub_auth(json=token), + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(user_id=token.user_id, + password='password', + user_domain_name=token.user_domain_name, + project_name=token.project_name, + auth_url=self.TEST_URL) + self.assertIsNotNone(c.auth_ref) + self.assertFalse(c.auth_ref.domain_scoped) + self.assertTrue(c.auth_ref.project_scoped) + self.assertEqual(token.user_id, c.auth_user_id) + self.assertEqual(token.project_id, c.auth_tenant_id) + self.assertEqual(token.user_id, c.get_user_id(session=None)) + self.assertEqual(token.project_id, c.get_project_id(session=None)) + + def test_auth_ref_load(self): + token = client_fixtures.project_scoped_token() + self.stub_auth(json=token) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(user_id=token.user_id, + password='password', + project_id=token.project_id, + auth_url=self.TEST_URL) + cache = jsonutils.dumps(c.auth_ref) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + new_client = client.Client(auth_ref=jsonutils.loads(cache)) + self.assertIsNotNone(new_client.auth_ref) + self.assertFalse(new_client.auth_ref.domain_scoped) + self.assertTrue(new_client.auth_ref.project_scoped) + self.assertEqual(token.user_name, new_client.username) + self.assertIsNone(new_client.password) + self.assertEqual(new_client.management_url, + 'http://admin:35357/v3') + + def test_auth_ref_load_with_overridden_arguments(self): + new_auth_url = 'https://newkeystone.com/v3' + + user_id = uuid.uuid4().hex + user_name = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + first = client_fixtures.project_scoped_token(user_id=user_id, + user_name=user_name, + project_id=project_id) + second = client_fixtures.project_scoped_token(user_id=user_id, + user_name=user_name, + project_id=project_id) + self.stub_auth(json=first) + self.stub_auth(json=second, base_url=new_auth_url) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(user_id=user_id, + password='password', + project_id=project_id, + auth_url=self.TEST_URL) + cache = jsonutils.dumps(c.auth_ref) + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + new_client = client.Client(auth_ref=jsonutils.loads(cache), + auth_url=new_auth_url) + self.assertIsNotNone(new_client.auth_ref) + self.assertFalse(new_client.auth_ref.domain_scoped) + self.assertTrue(new_client.auth_ref.project_scoped) + self.assertEqual(new_auth_url, new_client.auth_url) + self.assertEqual(user_name, new_client.username) + self.assertIsNone(new_client.password) + self.assertEqual(new_client.management_url, + 'http://admin:35357/v3') + + def test_trust_init(self): + token = client_fixtures.trust_token() + self.stub_auth(json=token) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + c = client.Client(user_domain_name=token.user_domain_name, + username=token.user_name, + password='password', + auth_url=self.TEST_URL, + trust_id=token.trust_id) + self.assertIsNotNone(c.auth_ref) + self.assertFalse(c.auth_ref.domain_scoped) + self.assertFalse(c.auth_ref.project_scoped) + self.assertEqual(token.trust_id, c.auth_ref.trust_id) + self.assertEqual(token.trustee_user_id, c.auth_ref.trustee_user_id) + self.assertEqual(token.trustor_user_id, c.auth_ref.trustor_user_id) + self.assertTrue(c.auth_ref.trust_scoped) + self.assertEqual(token.user_id, c.auth_user_id) + + def test_init_err_no_auth_url(self): + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + self.assertRaises(exceptions.AuthorizationFailure, + client.Client, + username='exampleuser', + password='password') + + def _management_url_is_updated(self, fixture, **kwargs): + second = copy.deepcopy(fixture) + first_url = 'http://admin:35357/v3' + second_url = "http://secondurl:%d/v3'" + + for entry in second['token']['catalog']: + if entry['type'] == 'identity': + entry['endpoints'] = [{ + 'url': second_url % 5000, + 'region': 'RegionOne', + 'interface': 'public' + }, { + 'url': second_url % 5000, + 'region': 'RegionOne', + 'interface': 'internal' + }, { + 'url': second_url % 35357, + 'region': 'RegionOne', + 'interface': 'admin' + }] + + self.stub_auth(response_list=[{'json': fixture}, {'json': second}]) + + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cl = client.Client(username='exampleuser', + password='password', + auth_url=self.TEST_URL, + **kwargs) + self.assertEqual(cl.management_url, first_url) + + with self.deprecations.expect_deprecations_here(): + cl.authenticate() + self.assertEqual(cl.management_url, second_url % 35357) + + def test_management_url_is_updated_with_project(self): + self._management_url_is_updated(client_fixtures.project_scoped_token(), + project_name='exampleproject') + + def test_management_url_is_updated_with_domain(self): + self._management_url_is_updated(client_fixtures.domain_scoped_token(), + domain_name='exampledomain') + + def test_client_with_region_name_passes_to_service_catalog(self): + # NOTE(jamielennox): this is deprecated behaviour that should be + # removed ASAP, however must remain compatible. + self.deprecations.expect_deprecations() + + self.stub_auth(json=client_fixtures.auth_response_body()) + + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL, + region_name='North') + self.assertEqual(cl.service_catalog.url_for(service_type='image'), + 'http://glance.north.host/glanceapi/public') + + cl = client.Client(username='exampleuser', + password='password', + project_name='exampleproject', + auth_url=self.TEST_URL, + region_name='South') + self.assertEqual(cl.service_catalog.url_for(service_type='image'), + 'http://glance.south.host/glanceapi/public') + + def test_client_without_auth_params(self): + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + self.assertRaises(exceptions.AuthorizationFailure, + client.Client, + project_name='exampleproject', + auth_url=self.TEST_URL) + + def test_client_params(self): + with self.deprecations.expect_deprecations_here(): + sess = session.Session() + auth = token_endpoint.Token('a', 'b') + + opts = {'auth': auth, + 'connect_retries': 50, + 'endpoint_override': uuid.uuid4().hex, + 'interface': uuid.uuid4().hex, + 'region_name': uuid.uuid4().hex, + 'service_name': uuid.uuid4().hex, + 'user_agent': uuid.uuid4().hex, + } + + cl = client.Client(session=sess, **opts) + + for k, v in opts.items(): + self.assertEqual(v, getattr(cl._adapter, k)) + + self.assertEqual('identity', cl._adapter.service_type) + self.assertEqual((3, 0), cl._adapter.version) + + def test_empty_service_catalog_param(self): + # Client().service_catalog should return None if the client is not + # authenticated + sess = auth_session.Session() + cl = client.Client(session=sess) + self.assertIsNone(cl.service_catalog) diff --git a/keystoneclient/tests/v3/test_credentials.py b/keystoneclient/tests/unit/v3/test_credentials.py similarity index 59% rename from keystoneclient/tests/v3/test_credentials.py rename to keystoneclient/tests/unit/v3/test_credentials.py index d6ad4555c..0efc3dfbf 100644 --- a/keystoneclient/tests/v3/test_credentials.py +++ b/keystoneclient/tests/unit/v3/test_credentials.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import credentials -class CredentialTests(utils.TestCase, utils.CrudTests): +class CredentialTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(CredentialTests, self).setUp() self.key = 'credential' @@ -31,23 +31,3 @@ def new_ref(self, **kwargs): kwargs.setdefault('type', uuid.uuid4().hex) kwargs.setdefault('user_id', uuid.uuid4().hex) return kwargs - - @staticmethod - def _ref_data_not_blob(ref): - ret_ref = ref.copy() - ret_ref['data'] = ref['blob'] - del ret_ref['blob'] - return ret_ref - - def test_create_data_not_blob(self): - # Test create operation with previous, deprecated "data" argument, - # which should be translated into "blob" at the API call level - req_ref = self.new_ref() - api_ref = self._ref_data_not_blob(req_ref) - self.test_create(api_ref, req_ref) - - def test_update_data_not_blob(self): - # Likewise test update operation with data instead of blob argument - req_ref = self.new_ref() - api_ref = self._ref_data_not_blob(req_ref) - self.test_update(api_ref, req_ref) diff --git a/keystoneclient/tests/v3/test_discover.py b/keystoneclient/tests/unit/v3/test_discover.py similarity index 82% rename from keystoneclient/tests/v3/test_discover.py rename to keystoneclient/tests/unit/v3/test_discover.py index 08e5358dd..f54b2f9c4 100644 --- a/keystoneclient/tests/v3/test_discover.py +++ b/keystoneclient/tests/unit/v3/test_discover.py @@ -11,7 +11,7 @@ # under the License. from keystoneclient.generic import client -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils class DiscoverKeystoneTests(utils.UnauthenticatedTestCase): @@ -27,12 +27,12 @@ def setUp(self): "href": "http://127.0.0.1:5000/v3.0/", }, {"rel": "describedby", "type": "text/html", - "href": "http://docs.openstack.org/api/" + "href": "https://docs.openstack.org/api/" "openstack-identity-service/3/" "content/", }, {"rel": "describedby", "type": "application/pdf", - "href": "http://docs.openstack.org/api/" + "href": "https://docs.openstack.org/api/" "openstack-identity-service/3/" "identity-dev-guide-3.pdf", }, ]}, @@ -44,12 +44,12 @@ def setUp(self): "href": "http://127.0.0.1:5000/v2.0/", }, {"rel": "describedby", "type": "text/html", - "href": "http://docs.openstack.org/api/" + "href": "https://docs.openstack.org/api/" "openstack-identity-service/2.0/" "content/", }, {"rel": "describedby", "type": "application/pdf", - "href": "http://docs.openstack.org/api/" + "href": "https://docs.openstack.org/api/" "openstack-identity-service/2.0/" "identity-dev-guide-2.0.pdf", } ]}], @@ -61,11 +61,13 @@ def setUp(self): } def test_get_version_local(self): - self.requests.register_uri('GET', "http://localhost:35357/", - status_code=300, - json=self.TEST_RESPONSE_DICT) + self.requests_mock.get("http://localhost:35357/", + status_code=300, + json=self.TEST_RESPONSE_DICT) - cs = client.Client() + # Creating a HTTPClient not using session is deprecated. + with self.deprecations.expect_deprecations_here(): + cs = client.Client() versions = cs.discover() self.assertIsInstance(versions, dict) self.assertIn('message', versions) diff --git a/keystoneclient/tests/unit/v3/test_domain_configs.py b/keystoneclient/tests/unit/v3/test_domain_configs.py new file mode 100644 index 000000000..2a7df0927 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_domain_configs.py @@ -0,0 +1,96 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient import exceptions +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import domain_configs + + +class DomainConfigsTests(utils.ClientTestCase, utils.CrudTests): + """Test domain config database management.""" + + def setUp(self): + super(DomainConfigsTests, self).setUp() + self.key = 'config' + self.model = domain_configs.DomainConfig + self.manager = self.client.domain_configs + + def new_ref(self, **kwargs): + config_groups = {'identity': {uuid.uuid4().hex: uuid.uuid4().hex}, + 'ldap': {uuid.uuid4().hex: uuid.uuid4().hex}} + kwargs.setdefault('config', config_groups) + return kwargs + + def _assert_resource_attributes(self, resource, req_ref): + for attr in req_ref: + self.assertEqual( + getattr(resource, attr), + req_ref[attr], + 'Expected different %s' % attr) + + def test_create(self): + domain_id = uuid.uuid4().hex + config = self.new_ref() + + self.stub_url('PUT', + parts=['domains', domain_id, 'config'], + json=config, status_code=201) + res = self.manager.create(domain_id, config) + self._assert_resource_attributes(res, config['config']) + self.assertEntityRequestBodyIs(config) + + def test_update(self): + domain_id = uuid.uuid4().hex + config = self.new_ref() + + self.stub_url('PATCH', + parts=['domains', domain_id, 'config'], + json=config, status_code=200) + res = self.manager.update(domain_id, config) + self._assert_resource_attributes(res, config['config']) + self.assertEntityRequestBodyIs(config) + + def test_get(self): + domain_id = uuid.uuid4().hex + config = self.new_ref() + config = config['config'] + + self.stub_entity('GET', + parts=['domains', domain_id, 'config'], + entity=config) + res = self.manager.get(domain_id) + self._assert_resource_attributes(res, config) + + def test_delete(self): + domain_id = uuid.uuid4().hex + self.stub_url('DELETE', + parts=['domains', domain_id, 'config'], + status_code=204) + self.manager.delete(domain_id) + + def test_list(self): + # List not supported for domain config + self.assertRaises(exceptions.MethodNotImplemented, self.manager.list) + + def test_list_by_id(self): + # List not supported for domain config + self.assertRaises(exceptions.MethodNotImplemented, self.manager.list) + + def test_list_params(self): + # List not supported for domain config + self.assertRaises(exceptions.MethodNotImplemented, self.manager.list) + + def test_find(self): + # Find not supported for domain config + self.assertRaises(exceptions.MethodNotImplemented, self.manager.find) diff --git a/keystoneclient/tests/v3/test_domains.py b/keystoneclient/tests/unit/v3/test_domains.py similarity index 77% rename from keystoneclient/tests/v3/test_domains.py rename to keystoneclient/tests/unit/v3/test_domains.py index e86971ac0..72a7b8833 100644 --- a/keystoneclient/tests/v3/test_domains.py +++ b/keystoneclient/tests/unit/v3/test_domains.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import domains -class DomainTests(utils.TestCase, utils.CrudTests): +class DomainTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(DomainTests, self).setUp() self.key = 'domain' @@ -30,6 +30,12 @@ def new_ref(self, **kwargs): kwargs.setdefault('name', uuid.uuid4().hex) return kwargs + def test_filter_for_default_domain_by_id(self): + ref = self.new_ref(id='default') + super(DomainTests, self).test_list_by_id( + ref=ref, + id=ref['id']) + def test_list_filter_name(self): super(DomainTests, self).test_list(name='adomain123') @@ -41,3 +47,7 @@ def test_list_filter_disabled(self): expected_query = {'enabled': '0'} super(DomainTests, self).test_list(expected_query=expected_query, enabled=False) + + def test_update_enabled_defaults_to_none(self): + super(DomainTests, self).test_update( + req_ref={'name': uuid.uuid4().hex}) diff --git a/keystoneclient/tests/unit/v3/test_ec2.py b/keystoneclient/tests/unit/v3/test_ec2.py new file mode 100644 index 000000000..66679f605 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_ec2.py @@ -0,0 +1,107 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import ec2 + + +class EC2Tests(utils.ClientTestCase): + + def test_create(self): + user_id = 'usr' + tenant_id = 'tnt' + req_body = { + "tenant_id": tenant_id, + } + resp_body = { + "credential": { + "access": "access", + "secret": "secret", + "tenant_id": tenant_id, + "created": "12/12/12", + "enabled": True, + } + } + self.stub_url('POST', ['users', user_id, 'credentials', + 'OS-EC2'], json=resp_body) + + cred = self.client.ec2.create(user_id, tenant_id) + self.assertIsInstance(cred, ec2.EC2) + self.assertEqual(cred.tenant_id, tenant_id) + self.assertEqual(cred.enabled, True) + self.assertEqual(cred.access, 'access') + self.assertEqual(cred.secret, 'secret') + self.assertRequestBodyIs(json=req_body) + + def test_get(self): + user_id = 'usr' + tenant_id = 'tnt' + resp_body = { + "credential": { + "access": "access", + "secret": "secret", + "tenant_id": tenant_id, + "created": "12/12/12", + "enabled": True, + } + } + self.stub_url('GET', ['users', user_id, 'credentials', + 'OS-EC2', 'access'], json=resp_body) + + cred = self.client.ec2.get(user_id, 'access') + self.assertIsInstance(cred, ec2.EC2) + self.assertEqual(cred.tenant_id, tenant_id) + self.assertEqual(cred.enabled, True) + self.assertEqual(cred.access, 'access') + self.assertEqual(cred.secret, 'secret') + + def test_list(self): + user_id = 'usr' + tenant_id = 'tnt' + resp_body = { + "credentials": { + "values": [ + { + "access": "access", + "secret": "secret", + "tenant_id": tenant_id, + "created": "12/12/12", + "enabled": True, + }, + { + "access": "another", + "secret": "key", + "tenant_id": tenant_id, + "created": "12/12/31", + "enabled": True, + } + ] + } + } + self.stub_url('GET', ['users', user_id, 'credentials', + 'OS-EC2'], json=resp_body) + + creds = self.client.ec2.list(user_id) + self.assertEqual(len(creds), 2) + cred = creds[0] + self.assertIsInstance(cred, ec2.EC2) + self.assertEqual(cred.tenant_id, tenant_id) + self.assertEqual(cred.enabled, True) + self.assertEqual(cred.access, 'access') + self.assertEqual(cred.secret, 'secret') + + def test_delete(self): + user_id = 'usr' + access = 'access' + self.stub_url('DELETE', ['users', user_id, 'credentials', + 'OS-EC2', access], status_code=204) + self.client.ec2.delete(user_id, access) diff --git a/keystoneclient/tests/unit/v3/test_endpoint_filter.py b/keystoneclient/tests/unit/v3/test_endpoint_filter.py new file mode 100644 index 000000000..62e89cb35 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_endpoint_filter.py @@ -0,0 +1,293 @@ +# Copyright 2014 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient.tests.unit.v3 import utils + + +class EndpointTestUtils(object): + """Mixin class with shared methods between Endpoint Filter & Policy.""" + + def new_ref(self, **kwargs): + # copied from CrudTests as we need to create endpoint and project + # refs for our tests. EndpointFilter is not exactly CRUD API. + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('enabled', True) + return kwargs + + def new_endpoint_ref(self, **kwargs): + # copied from EndpointTests as we need endpoint refs for our tests + kwargs = self.new_ref(**kwargs) + kwargs.setdefault('interface', 'public') + kwargs.setdefault('region', uuid.uuid4().hex) + kwargs.setdefault('service_id', uuid.uuid4().hex) + kwargs.setdefault('url', uuid.uuid4().hex) + return kwargs + + def new_endpoint_group_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('name', uuid.uuid4().hex) + kwargs.setdefault('description', uuid.uuid4().hex) + kwargs.setdefault('filters') + return kwargs + + +class EndpointFilterTests(utils.ClientTestCase, EndpointTestUtils): + """Test project-endpoint associations (a.k.a. EndpointFilter Extension). + + Endpoint filter provides associations between service endpoints and + projects. These assciations are then used to create ad-hoc catalogs for + each project-scoped token request. + + """ + + def setUp(self): + super(EndpointFilterTests, self).setUp() + self.manager = self.client.endpoint_filter + + def new_project_ref(self, **kwargs): + # copied from ProjectTests as we need project refs for our tests + kwargs = self.new_ref(**kwargs) + kwargs.setdefault('domain_id', uuid.uuid4().hex) + kwargs.setdefault('name', uuid.uuid4().hex) + return kwargs + + def test_add_endpoint_to_project_via_id(self): + endpoint_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.stub_url('PUT', + [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, + 'endpoints', endpoint_id], + status_code=201) + + self.manager.add_endpoint_to_project(project=project_id, + endpoint=endpoint_id) + + def test_add_endpoint_to_project_via_obj(self): + project_ref = self.new_project_ref() + endpoint_ref = self.new_endpoint_ref() + project = self.client.projects.resource_class(self.client.projects, + project_ref, + loaded=True) + endpoint = self.client.endpoints.resource_class(self.client.endpoints, + endpoint_ref, + loaded=True) + + self.stub_url('PUT', + [self.manager.OS_EP_FILTER_EXT, + 'projects', project_ref['id'], + 'endpoints', endpoint_ref['id']], + status_code=201) + + self.manager.add_endpoint_to_project(project=project, + endpoint=endpoint) + + def test_delete_endpoint_from_project(self): + endpoint_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.stub_url('DELETE', + [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, + 'endpoints', endpoint_id], + status_code=201) + + self.manager.delete_endpoint_from_project(project=project_id, + endpoint=endpoint_id) + + def test_check_endpoint_in_project(self): + endpoint_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.stub_url('HEAD', + [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, + 'endpoints', endpoint_id], + status_code=201) + + self.manager.check_endpoint_in_project(project=project_id, + endpoint=endpoint_id) + + def test_list_endpoints_for_project(self): + project_id = uuid.uuid4().hex + endpoints = {'endpoints': [self.new_endpoint_ref(), + self.new_endpoint_ref()]} + self.stub_url('GET', + [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, + 'endpoints'], + json=endpoints, + status_code=200) + + endpoints_resp = self.manager.list_endpoints_for_project( + project=project_id) + + expected_endpoint_ids = [ + endpoint['id'] for endpoint in endpoints['endpoints']] + actual_endpoint_ids = [endpoint.id for endpoint in endpoints_resp] + self.assertEqual(expected_endpoint_ids, actual_endpoint_ids) + + def test_list_projects_for_endpoint(self): + endpoint_id = uuid.uuid4().hex + projects = {'projects': [self.new_project_ref(), + self.new_project_ref()]} + self.stub_url('GET', + [self.manager.OS_EP_FILTER_EXT, 'endpoints', endpoint_id, + 'projects'], + json=projects, + status_code=200) + + projects_resp = self.manager.list_projects_for_endpoint( + endpoint=endpoint_id) + + expected_project_ids = [ + project['id'] for project in projects['projects']] + actual_project_ids = [project.id for project in projects_resp] + self.assertEqual(expected_project_ids, actual_project_ids) + + def test_list_projects_for_endpoint_group(self): + endpoint_group_id = uuid.uuid4().hex + projects = {'projects': [self.new_project_ref(), + self.new_project_ref()]} + self.stub_url('GET', + [self.manager.OS_EP_FILTER_EXT, 'endpoint_groups', + endpoint_group_id, 'projects'], + json=projects, + status_code=200) + + projects_resp = self.manager.list_projects_for_endpoint_group( + endpoint_group=endpoint_group_id) + + expected_project_ids = [ + project['id'] for project in projects['projects']] + actual_project_ids = [project.id for project in projects_resp] + self.assertEqual(expected_project_ids, actual_project_ids) + + def test_list_projects_for_endpoint_group_value_error(self): + self.assertRaises(ValueError, + self.manager.list_projects_for_endpoint_group, + endpoint_group='') + self.assertRaises(ValueError, + self.manager.list_projects_for_endpoint_group, + endpoint_group=None) + + def test_list_endpoint_groups_for_project(self): + project_id = uuid.uuid4().hex + endpoint_groups = { + 'endpoint_groups': [self.new_endpoint_group_ref(), + self.new_endpoint_group_ref()]} + self.stub_url('GET', + [self.manager.OS_EP_FILTER_EXT, 'projects', + project_id, 'endpoint_groups'], + json=endpoint_groups, + status_code=200) + + endpoint_groups_resp = self.manager.list_endpoint_groups_for_project( + project=project_id) + + expected_endpoint_group_ids = [ + endpoint_group['id'] for endpoint_group + in endpoint_groups['endpoint_groups'] + ] + actual_endpoint_group_ids = [ + endpoint_group.id for endpoint_group in endpoint_groups_resp + ] + self.assertEqual(expected_endpoint_group_ids, + actual_endpoint_group_ids) + + def test_list_endpoint_groups_for_project_value_error(self): + for value in ('', None): + self.assertRaises(ValueError, + self.manager.list_endpoint_groups_for_project, + project=value) + + def test_add_endpoint_group_to_project(self): + endpoint_group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.stub_url('PUT', + [self.manager.OS_EP_FILTER_EXT, 'endpoint_groups', + endpoint_group_id, 'projects', project_id], + status_code=201) + + self.manager.add_endpoint_group_to_project( + project=project_id, endpoint_group=endpoint_group_id) + + def test_add_endpoint_group_to_project_value_error(self): + for value in ('', None): + self.assertRaises(ValueError, + self.manager.add_endpoint_group_to_project, + project=value, + endpoint_group=value) + self.assertRaises(ValueError, + self.manager.add_endpoint_group_to_project, + project=uuid.uuid4().hex, + endpoint_group=value) + self.assertRaises(ValueError, + self.manager.add_endpoint_group_to_project, + project=value, + endpoint_group=uuid.uuid4().hex) + + def test_check_endpoint_group_in_project(self): + endpoint_group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.stub_url('HEAD', + [self.manager.OS_EP_FILTER_EXT, 'endpoint_groups', + endpoint_group_id, 'projects', project_id], + status_code=201) + + self.manager.check_endpoint_group_in_project( + project=project_id, endpoint_group=endpoint_group_id) + + def test_check_endpoint_group_in_project_value_error(self): + for value in ('', None): + self.assertRaises(ValueError, + self.manager.check_endpoint_group_in_project, + project=value, + endpoint_group=value) + self.assertRaises(ValueError, + self.manager.check_endpoint_group_in_project, + project=uuid.uuid4().hex, + endpoint_group=value) + self.assertRaises(ValueError, + self.manager.check_endpoint_group_in_project, + project=value, + endpoint_group=uuid.uuid4().hex) + + def test_delete_endpoint_group_from_project(self): + endpoint_group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.stub_url('DELETE', + [self.manager.OS_EP_FILTER_EXT, 'endpoint_groups', + endpoint_group_id, 'projects', project_id], + status_code=201) + + self.manager.delete_endpoint_group_from_project( + project=project_id, endpoint_group=endpoint_group_id) + + def test_delete_endpoint_group_from_project_value_error(self): + for value in ('', None): + self.assertRaises(ValueError, + self.manager.delete_endpoint_group_from_project, + project=value, + endpoint_group=value) + self.assertRaises(ValueError, + self.manager.delete_endpoint_group_from_project, + project=uuid.uuid4().hex, + endpoint_group=value) + self.assertRaises(ValueError, + self.manager.delete_endpoint_group_from_project, + project=value, + endpoint_group=uuid.uuid4().hex) diff --git a/keystoneclient/tests/unit/v3/test_endpoint_groups.py b/keystoneclient/tests/unit/v3/test_endpoint_groups.py new file mode 100644 index 000000000..364fd53c2 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_endpoint_groups.py @@ -0,0 +1,34 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import endpoint_groups + + +class EndpointGroupTests(utils.ClientTestCase, utils.CrudTests): + + def setUp(self): + super(EndpointGroupTests, self).setUp() + self.key = 'endpoint_group' + self.collection_key = 'endpoint_groups' + self.model = endpoint_groups.EndpointGroup + self.manager = self.client.endpoint_groups + self.path_prefix = 'OS-EP-FILTER' + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('name', uuid.uuid4().hex) + kwargs.setdefault('filters', '{"interface": "public"}') + kwargs.setdefault('description', uuid.uuid4().hex) + return kwargs diff --git a/keystoneclient/tests/unit/v3/test_endpoint_policy.py b/keystoneclient/tests/unit/v3/test_endpoint_policy.py new file mode 100644 index 000000000..69d90ae5a --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_endpoint_policy.py @@ -0,0 +1,242 @@ +# Copyright 2014 IBM Corp. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient.tests.unit.v3 import test_endpoint_filter +from keystoneclient.tests.unit.v3 import utils + + +class EndpointPolicyTests(utils.ClientTestCase, + test_endpoint_filter.EndpointTestUtils): + """Test policy-endpoint associations (a.k.a. EndpointPolicy Extension).""" + + def setUp(self): + super(EndpointPolicyTests, self).setUp() + self.manager = self.client.endpoint_policy + + def new_policy_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('type', uuid.uuid4().hex) + kwargs.setdefault('blob', uuid.uuid4().hex) + return kwargs + + def new_region_ref(self, **kwargs): + kwargs = self.new_ref(**kwargs) + return kwargs + + def new_service_ref(self, **kwargs): + kwargs = self.new_ref(**kwargs) + kwargs.setdefault('name', uuid.uuid4().hex) + kwargs.setdefault('type', uuid.uuid4().hex) + return kwargs + + def _crud_policy_association_for_endpoint_via_id( + self, http_action, manager_action): + policy_id = uuid.uuid4().hex + endpoint_id = uuid.uuid4().hex + + self.stub_url(http_action, + ['policies', policy_id, self.manager.OS_EP_POLICY_EXT, + 'endpoints', endpoint_id], + status_code=204) + manager_action(policy=policy_id, endpoint=endpoint_id) + + def _crud_policy_association_for_endpoint_via_obj( + self, http_action, manager_action): + policy_ref = self.new_policy_ref() + endpoint_ref = self.new_endpoint_ref() + policy = self.client.policies.resource_class( + self.client.policies, policy_ref, loaded=True) + endpoint = self.client.endpoints.resource_class( + self.client.endpoints, endpoint_ref, loaded=True) + + self.stub_url(http_action, + ['policies', policy_ref['id'], + self.manager.OS_EP_POLICY_EXT, + 'endpoints', endpoint_ref['id']], + status_code=204) + manager_action(policy=policy, endpoint=endpoint) + + def test_create_policy_association_for_endpoint_via_id(self): + self._crud_policy_association_for_endpoint_via_id( + 'PUT', self.manager.create_policy_association_for_endpoint) + + def test_create_policy_association_for_endpoint_via_obj(self): + self._crud_policy_association_for_endpoint_via_obj( + 'PUT', self.manager.create_policy_association_for_endpoint) + + def test_check_policy_association_for_endpoint_via_id(self): + self._crud_policy_association_for_endpoint_via_id( + 'HEAD', self.manager.check_policy_association_for_endpoint) + + def test_check_policy_association_for_endpoint_via_obj(self): + self._crud_policy_association_for_endpoint_via_obj( + 'HEAD', self.manager.check_policy_association_for_endpoint) + + def test_delete_policy_association_for_endpoint_via_id(self): + self._crud_policy_association_for_endpoint_via_id( + 'DELETE', self.manager.delete_policy_association_for_endpoint) + + def test_delete_policy_association_for_endpoint_via_obj(self): + self._crud_policy_association_for_endpoint_via_obj( + 'DELETE', self.manager.delete_policy_association_for_endpoint) + + def _crud_policy_association_for_service_via_id( + self, http_action, manager_action): + policy_id = uuid.uuid4().hex + service_id = uuid.uuid4().hex + + self.stub_url(http_action, + ['policies', policy_id, self.manager.OS_EP_POLICY_EXT, + 'services', service_id], + status_code=204) + manager_action(policy=policy_id, service=service_id) + + def _crud_policy_association_for_service_via_obj( + self, http_action, manager_action): + policy_ref = self.new_policy_ref() + service_ref = self.new_service_ref() + policy = self.client.policies.resource_class( + self.client.policies, policy_ref, loaded=True) + service = self.client.services.resource_class( + self.client.services, service_ref, loaded=True) + + self.stub_url(http_action, + ['policies', policy_ref['id'], + self.manager.OS_EP_POLICY_EXT, + 'services', service_ref['id']], + status_code=204) + manager_action(policy=policy, service=service) + + def test_create_policy_association_for_service_via_id(self): + self._crud_policy_association_for_service_via_id( + 'PUT', self.manager.create_policy_association_for_service) + + def test_create_policy_association_for_service_via_obj(self): + self._crud_policy_association_for_service_via_obj( + 'PUT', self.manager.create_policy_association_for_service) + + def test_check_policy_association_for_service_via_id(self): + self._crud_policy_association_for_service_via_id( + 'HEAD', self.manager.check_policy_association_for_service) + + def test_check_policy_association_for_service_via_obj(self): + self._crud_policy_association_for_service_via_obj( + 'HEAD', self.manager.check_policy_association_for_service) + + def test_delete_policy_association_for_service_via_id(self): + self._crud_policy_association_for_service_via_id( + 'DELETE', self.manager.delete_policy_association_for_service) + + def test_delete_policy_association_for_service_via_obj(self): + self._crud_policy_association_for_service_via_obj( + 'DELETE', self.manager.delete_policy_association_for_service) + + def _crud_policy_association_for_region_and_service_via_id( + self, http_action, manager_action): + policy_id = uuid.uuid4().hex + region_id = uuid.uuid4().hex + service_id = uuid.uuid4().hex + + self.stub_url(http_action, + ['policies', policy_id, self.manager.OS_EP_POLICY_EXT, + 'services', service_id, 'regions', region_id], + status_code=204) + manager_action(policy=policy_id, region=region_id, service=service_id) + + def _crud_policy_association_for_region_and_service_via_obj( + self, http_action, manager_action): + policy_ref = self.new_policy_ref() + region_ref = self.new_region_ref() + service_ref = self.new_service_ref() + policy = self.client.policies.resource_class( + self.client.policies, policy_ref, loaded=True) + region = self.client.regions.resource_class( + self.client.regions, region_ref, loaded=True) + service = self.client.services.resource_class( + self.client.services, service_ref, loaded=True) + + self.stub_url(http_action, + ['policies', policy_ref['id'], + self.manager.OS_EP_POLICY_EXT, + 'services', service_ref['id'], + 'regions', region_ref['id']], + status_code=204) + manager_action(policy=policy, region=region, service=service) + + def test_create_policy_association_for_region_and_service_via_id(self): + self._crud_policy_association_for_region_and_service_via_id( + 'PUT', + self.manager.create_policy_association_for_region_and_service) + + def test_create_policy_association_for_region_and_service_via_obj(self): + self._crud_policy_association_for_region_and_service_via_obj( + 'PUT', + self.manager.create_policy_association_for_region_and_service) + + def test_check_policy_association_for_region_and_service_via_id(self): + self._crud_policy_association_for_region_and_service_via_id( + 'HEAD', + self.manager.check_policy_association_for_region_and_service) + + def test_check_policy_association_for_region_and_service_via_obj(self): + self._crud_policy_association_for_region_and_service_via_obj( + 'HEAD', + self.manager.check_policy_association_for_region_and_service) + + def test_delete_policy_association_for_region_and_service_via_id(self): + self._crud_policy_association_for_region_and_service_via_id( + 'DELETE', + self.manager.delete_policy_association_for_region_and_service) + + def test_delete_policy_association_for_region_and_service_via_obj(self): + self._crud_policy_association_for_region_and_service_via_obj( + 'DELETE', + self.manager.delete_policy_association_for_region_and_service) + + def test_get_policy_for_endpoint(self): + endpoint_id = uuid.uuid4().hex + expected_policy = self.new_policy_ref() + + self.stub_url('GET', + ['endpoints', endpoint_id, self.manager.OS_EP_POLICY_EXT, + 'policy'], + json={'policy': expected_policy}, + status_code=200) + + policy_resp = self.manager.get_policy_for_endpoint( + endpoint=endpoint_id) + + self.assertEqual(expected_policy['id'], policy_resp.id) + self.assertEqual(expected_policy['blob'], policy_resp.blob) + self.assertEqual(expected_policy['type'], policy_resp.type) + + def test_list_endpoints_for_policy(self): + policy_id = uuid.uuid4().hex + endpoints = {'endpoints': [self.new_endpoint_ref(), + self.new_endpoint_ref()]} + self.stub_url('GET', + ['policies', policy_id, self.manager.OS_EP_POLICY_EXT, + 'endpoints'], + json=endpoints, + status_code=200) + + endpoints_resp = self.manager.list_endpoints_for_policy( + policy=policy_id) + + expected_endpoint_ids = [ + endpoint['id'] for endpoint in endpoints['endpoints']] + actual_endpoint_ids = [endpoint.id for endpoint in endpoints_resp] + self.assertEqual(expected_endpoint_ids, actual_endpoint_ids) diff --git a/keystoneclient/tests/v3/test_endpoints.py b/keystoneclient/tests/unit/v3/test_endpoints.py similarity index 81% rename from keystoneclient/tests/v3/test_endpoints.py rename to keystoneclient/tests/unit/v3/test_endpoints.py index 5319373ef..40fc03be8 100644 --- a/keystoneclient/tests/v3/test_endpoints.py +++ b/keystoneclient/tests/unit/v3/test_endpoints.py @@ -13,11 +13,11 @@ import uuid from keystoneclient import exceptions -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import endpoints -class EndpointTests(utils.TestCase, utils.CrudTests): +class EndpointTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(EndpointTests, self).setUp() self.key = 'endpoint' @@ -89,3 +89,16 @@ def test_list_invalid_interface(self): expected_path = 'v3/%s?interface=%s' % (self.collection_key, interface) self.assertRaises(exceptions.ValidationError, self.manager.list, expected_path=expected_path, interface=interface) + + def test_list_filtered_by_region(self): + region_id = uuid.uuid4().hex + ref_list = [self.new_ref(region=region_id), + self.new_ref(region=region_id)] + expected_path = 'v3/%s?region_id=%s' % (self.collection_key, region_id) + expected_query = {'region_id': region_id} + + # Validate passing either region or region_id result to the API call. + self.test_list(ref_list=ref_list, expected_path=expected_path, + expected_query=expected_query, region=region_id) + self.test_list(ref_list=ref_list, expected_path=expected_path, + expected_query=expected_query, region_id=region_id) diff --git a/keystoneclient/tests/unit/v3/test_federation.py b/keystoneclient/tests/unit/v3/test_federation.py new file mode 100644 index 000000000..08391c7c1 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_federation.py @@ -0,0 +1,825 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import copy +import fixtures +import uuid + +from keystoneauth1 import exceptions +from keystoneauth1 import fixture +from keystoneauth1.identity import v3 +from keystoneauth1 import session +from keystoneauth1.tests.unit import k2k_fixtures +from testtools import matchers + +from keystoneclient import access +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import client +from keystoneclient.v3.contrib.federation import base +from keystoneclient.v3.contrib.federation import identity_providers +from keystoneclient.v3.contrib.federation import mappings +from keystoneclient.v3.contrib.federation import protocols +from keystoneclient.v3.contrib.federation import service_providers +from keystoneclient.v3 import domains +from keystoneclient.v3 import projects + + +class IdentityProviderTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(IdentityProviderTests, self).setUp() + self.key = 'identity_provider' + self.collection_key = 'identity_providers' + self.model = identity_providers.IdentityProvider + self.manager = self.client.federation.identity_providers + self.path_prefix = 'OS-FEDERATION' + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('description', uuid.uuid4().hex) + kwargs.setdefault('enabled', True) + return kwargs + + def test_positional_parameters_expect_fail(self): + """Ensure CrudManager raises TypeError exceptions. + + After passing wrong number of positional arguments + an exception should be raised. + + Operations to be tested: + * create() + * get() + * list() + * delete() + * update() + + """ + POS_PARAM_1 = uuid.uuid4().hex + POS_PARAM_2 = uuid.uuid4().hex + POS_PARAM_3 = uuid.uuid4().hex + + PARAMETERS = { + 'create': (POS_PARAM_1, POS_PARAM_2), + 'get': (POS_PARAM_1, POS_PARAM_2), + 'list': (POS_PARAM_1, POS_PARAM_2), + 'update': (POS_PARAM_1, POS_PARAM_2, POS_PARAM_3), + 'delete': (POS_PARAM_1, POS_PARAM_2) + } + + for f_name, args in PARAMETERS.items(): + self.assertRaises(TypeError, getattr(self.manager, f_name), + *args) + + def test_create(self): + ref = self.new_ref() + req_ref = ref.copy() + req_ref.pop('id') + + self.stub_entity('PUT', entity=ref, id=ref['id'], status_code=201) + + returned = self.manager.create(**ref) + self.assertIsInstance(returned, self.model) + for attr in req_ref: + self.assertEqual( + getattr(returned, attr), + req_ref[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs(req_ref) + + +class MappingTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(MappingTests, self).setUp() + self.key = 'mapping' + self.collection_key = 'mappings' + self.model = mappings.Mapping + self.manager = self.client.federation.mappings + self.path_prefix = 'OS-FEDERATION' + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('rules', [uuid.uuid4().hex, + uuid.uuid4().hex]) + return kwargs + + def test_create(self): + ref = self.new_ref() + manager_ref = ref.copy() + mapping_id = manager_ref.pop('id') + req_ref = ref.copy() + + self.stub_entity('PUT', entity=req_ref, id=mapping_id, + status_code=201) + + returned = self.manager.create(mapping_id=mapping_id, **manager_ref) + self.assertIsInstance(returned, self.model) + for attr in req_ref: + self.assertEqual( + getattr(returned, attr), + req_ref[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs(manager_ref) + + +class ProtocolTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(ProtocolTests, self).setUp() + self.key = 'protocol' + self.collection_key = 'protocols' + self.model = protocols.Protocol + self.manager = self.client.federation.protocols + self.path_prefix = 'OS-FEDERATION/identity_providers' + + def _transform_to_response(self, ref): + """Construct a response body from a dictionary.""" + response = copy.deepcopy(ref) + del response['identity_provider'] + return response + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('mapping_id', uuid.uuid4().hex) + kwargs.setdefault('identity_provider', uuid.uuid4().hex) + return kwargs + + def build_parts(self, idp_id, protocol_id=None): + """Build array used to construct mocking URL. + + Construct and return array with URL parts later used + by methods like utils.TestCase.stub_entity(). + Example of URL: + ``OS-FEDERATION/identity_providers/{idp_id}/ + protocols/{protocol_id}`` + + """ + parts = ['OS-FEDERATION', 'identity_providers', + idp_id, 'protocols'] + if protocol_id: + parts.append(protocol_id) + return parts + + def test_build_url_provide_base_url(self): + base_url = uuid.uuid4().hex + parameters = {'base_url': base_url} + url = self.manager.build_url(dict_args_in_out=parameters) + self.assertEqual('/'.join([base_url, self.collection_key]), url) + + def test_build_url_w_idp_id(self): + """Test whether kwargs ``base_url`` discards object's base_url. + + This test shows, that when ``base_url`` is specified in the + dict_args_in_out dictionary, values like ``identity_provider_id`` + are not taken into consideration while building the url. + + """ + base_url, identity_provider_id = uuid.uuid4().hex, uuid.uuid4().hex + parameters = { + 'base_url': base_url, + 'identity_provider_id': identity_provider_id + } + url = self.manager.build_url(dict_args_in_out=parameters) + self.assertEqual('/'.join([base_url, self.collection_key]), url) + + def test_build_url_default_base_url(self): + identity_provider_id = uuid.uuid4().hex + parameters = { + 'identity_provider_id': identity_provider_id + } + + url = self.manager.build_url(dict_args_in_out=parameters) + self.assertEqual( + '/'.join([self.manager.base_url, identity_provider_id, + self.manager.collection_key]), url) + + def test_create(self): + """Test creating federation protocol tied to an Identity Provider. + + URL to be tested: PUT /OS-FEDERATION/identity_providers/ + $identity_provider/protocols/$protocol + + """ + ref = self.new_ref() + expected = self._transform_to_response(ref) + parts = self.build_parts( + idp_id=ref['identity_provider'], + protocol_id=ref['id']) + self.stub_entity('PUT', entity=expected, + parts=parts, status_code=201) + returned = self.manager.create( + protocol_id=ref['id'], + identity_provider=ref['identity_provider'], + mapping=ref['mapping_id']) + self.assertEqual(expected, returned.to_dict()) + request_body = {'mapping_id': ref['mapping_id']} + self.assertEntityRequestBodyIs(request_body) + + def test_get(self): + """Fetch federation protocol object. + + URL to be tested: GET /OS-FEDERATION/identity_providers/ + $identity_provider/protocols/$protocol + + """ + ref = self.new_ref() + expected = self._transform_to_response(ref) + + parts = self.build_parts( + idp_id=ref['identity_provider'], + protocol_id=ref['id']) + self.stub_entity('GET', entity=expected, + parts=parts, status_code=201) + + returned = self.manager.get(ref['identity_provider'], + ref['id']) + self.assertIsInstance(returned, self.model) + self.assertEqual(expected, returned.to_dict()) + + def test_delete(self): + """Delete federation protocol object. + + URL to be tested: DELETE /OS-FEDERATION/identity_providers/ + $identity_provider/protocols/$protocol + + """ + ref = self.new_ref() + parts = self.build_parts( + idp_id=ref['identity_provider'], + protocol_id=ref['id']) + + self.stub_entity('DELETE', parts=parts, status_code=204) + + self.manager.delete(ref['identity_provider'], + ref['id']) + + def test_list(self): + """Test listing all federation protocols tied to the Identity Provider. + + URL to be tested: GET /OS-FEDERATION/identity_providers/ + $identity_provider/protocols + + """ + def _ref_protocols(): + return { + 'id': uuid.uuid4().hex, + 'mapping_id': uuid.uuid4().hex + } + + ref = self.new_ref() + expected = [_ref_protocols() for _ in range(3)] + parts = self.build_parts(idp_id=ref['identity_provider']) + self.stub_entity('GET', parts=parts, + entity=expected, status_code=200) + + returned = self.manager.list(ref['identity_provider']) + for obj, ref_obj in zip(returned, expected): + self.assertEqual(obj.to_dict(), ref_obj) + + def test_list_by_id(self): + # The test in the parent class needs to be overridden because it + # assumes globally unique IDs, which is not the case with protocol IDs + # (which are contextualized per identity provider). + ref = self.new_ref() + super(ProtocolTests, self).test_list_by_id( + ref=ref, + identity_provider=ref['identity_provider'], + id=ref['id']) + + def test_list_params(self): + request_args = self.new_ref() + filter_kwargs = {uuid.uuid4().hex: uuid.uuid4().hex} + parts = self.build_parts(request_args['identity_provider']) + + # Return HTTP 401 as we don't accept such requests. + self.stub_entity('GET', parts=parts, status_code=401) + self.assertRaises(exceptions.Unauthorized, + self.manager.list, + request_args['identity_provider'], + **filter_kwargs) + self.assertQueryStringContains(**filter_kwargs) + + def test_update(self): + """Test updating federation protocol. + + URL to be tested: PATCH /OS-FEDERATION/identity_providers/ + $identity_provider/protocols/$protocol + + """ + ref = self.new_ref() + expected = self._transform_to_response(ref) + + parts = self.build_parts( + idp_id=ref['identity_provider'], + protocol_id=ref['id']) + + self.stub_entity('PATCH', parts=parts, + entity=expected, status_code=200) + + returned = self.manager.update(ref['identity_provider'], + ref['id'], + mapping=ref['mapping_id']) + self.assertIsInstance(returned, self.model) + self.assertEqual(expected, returned.to_dict()) + request_body = {'mapping_id': ref['mapping_id']} + self.assertEntityRequestBodyIs(request_body) + + +class EntityManagerTests(utils.ClientTestCase): + def test_create_object_expect_fail(self): + self.assertRaises(TypeError, + base.EntityManager, + self.client) + + +class FederationProjectTests(utils.ClientTestCase): + + def setUp(self): + super(FederationProjectTests, self).setUp() + self.key = 'project' + self.collection_key = 'projects' + self.model = projects.Project + self.manager = self.client.federation.projects + self.URL = "%s%s" % (self.TEST_URL, '/auth/projects') + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('domain_id', uuid.uuid4().hex) + kwargs.setdefault('enabled', True) + kwargs.setdefault('name', uuid.uuid4().hex) + return kwargs + + def test_list_accessible_projects(self): + projects_ref = [self.new_ref(), self.new_ref()] + projects_json = { + self.collection_key: [self.new_ref(), self.new_ref()] + } + self.requests_mock.get(self.URL, json=projects_json) + returned_list = self.manager.list() + + self.assertEqual(len(projects_ref), len(returned_list)) + for project in returned_list: + self.assertIsInstance(project, self.model) + + +class K2KFederatedProjectTests(utils.TestCase): + + TEST_ROOT_URL = 'http://127.0.0.1:5000/' + TEST_URL = '%s%s' % (TEST_ROOT_URL, 'v3') + TEST_PASS = 'password' + REQUEST_ECP_URL = TEST_URL + '/auth/OS-FEDERATION/saml2/ecp' + + SP_ID = 'sp1' + SP_ROOT_URL = 'https://example.com/v3' + SP_URL = 'https://example.com/Shibboleth.sso/SAML2/ECP' + SP_AUTH_URL = (SP_ROOT_URL + + '/OS-FEDERATION/identity_providers' + '/testidp/protocols/saml2/auth') + + def setUp(self): + super(K2KFederatedProjectTests, self).setUp() + self.token_v3 = fixture.V3Token() + self.token_v3.add_service_provider( + self.SP_ID, self.SP_AUTH_URL, self.SP_URL) + self.session = session.Session() + self.collection_key = 'projects' + self.model = projects.Project + self.URL = '%s%s' % (self.SP_ROOT_URL, '/auth/projects') + self.k2kplugin = self.get_plugin() + self._mock_k2k_flow_urls() + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('domain_id', uuid.uuid4().hex) + kwargs.setdefault('enabled', True) + kwargs.setdefault('name', uuid.uuid4().hex) + return kwargs + + def _get_base_plugin(self): + self.stub_url('POST', ['auth', 'tokens'], + headers={'X-Subject-Token': uuid.uuid4().hex}, + json=self.token_v3) + return v3.Password(self.TEST_URL, + username=self.TEST_USER, + password=self.TEST_PASS) + + def _mock_k2k_flow_urls(self): + # We need to check the auth versions available + self.requests_mock.get( + self.TEST_URL, + json={'version': fixture.V3Discovery(self.TEST_URL)}, + headers={'Content-Type': 'application/json'}) + + # The identity provider receives a request for an ECP wrapped + # assertion. This assertion contains the user authentication info + # and will be presented to the service provider + self.requests_mock.register_uri( + 'POST', + self.REQUEST_ECP_URL, + content=k2k_fixtures.ECP_ENVELOPE.encode(), + headers={'Content-Type': 'application/vnd.paos+xml'}, + status_code=200) + + # The service provider is presented with the ECP wrapped assertion + # generated by the identity provider and should return a redirect + # (302 or 303) upon successful authentication + self.requests_mock.register_uri( + 'POST', + self.SP_URL, + content=k2k_fixtures.TOKEN_BASED_ECP.encode(), + headers={'Content-Type': 'application/vnd.paos+xml'}, + status_code=302) + + # Should not follow the redirect URL, but use the auth_url attribute + self.requests_mock.register_uri( + 'GET', + self.SP_AUTH_URL, + json=k2k_fixtures.UNSCOPED_TOKEN, + headers={'X-Subject-Token': k2k_fixtures.UNSCOPED_TOKEN_HEADER}) + + def get_plugin(self, **kwargs): + kwargs.setdefault('base_plugin', self._get_base_plugin()) + kwargs.setdefault('service_provider', self.SP_ID) + return v3.Keystone2Keystone(**kwargs) + + def test_list_projects(self): + k2k_client = client.Client(session=self.session, auth=self.k2kplugin) + self.requests_mock.get(self.URL, json={ + self.collection_key: [self.new_ref(), self.new_ref()] + }) + self.requests_mock.get(self.SP_ROOT_URL, json={ + 'version': fixture.discovery.V3Discovery(self.SP_ROOT_URL) + }) + returned_list = k2k_client.federation.projects.list() + + self.assertThat(returned_list, matchers.HasLength(2)) + for project in returned_list: + self.assertIsInstance(project, self.model) + + +class FederationDomainTests(utils.ClientTestCase): + + def setUp(self): + super(FederationDomainTests, self).setUp() + self.key = 'domain' + self.collection_key = 'domains' + self.model = domains.Domain + self.manager = self.client.federation.domains + + self.URL = "%s%s" % (self.TEST_URL, '/auth/domains') + + def new_ref(self, **kwargs): + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('enabled', True) + kwargs.setdefault('name', uuid.uuid4().hex) + kwargs.setdefault('description', uuid.uuid4().hex) + return kwargs + + def test_list_accessible_domains(self): + domains_ref = [self.new_ref(), self.new_ref()] + domains_json = { + self.collection_key: domains_ref + } + self.requests_mock.get(self.URL, json=domains_json) + returned_list = self.manager.list() + self.assertEqual(len(domains_ref), len(returned_list)) + for domain in returned_list: + self.assertIsInstance(domain, self.model) + + +class FederatedTokenTests(utils.ClientTestCase): + + def setUp(self): + super(FederatedTokenTests, self).setUp() + token = fixture.V3FederationToken() + token.set_project_scope() + token.add_role() + self.federated_token = access.AccessInfo.factory(body=token) + + def test_federated_property_federated_token(self): + """Check if is_federated property returns expected value.""" + self.assertTrue(self.federated_token.is_federated) + + def test_get_user_domain_name(self): + """Ensure a federated user's domain name does not exist.""" + self.assertIsNone(self.federated_token.user_domain_name) + + def test_get_user_domain_id(self): + """Ensure a federated user's domain ID does not exist.""" + self.assertEqual('Federated', self.federated_token.user_domain_id) + + +class ServiceProviderTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(ServiceProviderTests, self).setUp() + self.key = 'service_provider' + self.collection_key = 'service_providers' + self.model = service_providers.ServiceProvider + self.manager = self.client.federation.service_providers + self.path_prefix = 'OS-FEDERATION' + + def new_ref(self, **kwargs): + kwargs.setdefault('auth_url', uuid.uuid4().hex) + kwargs.setdefault('description', uuid.uuid4().hex) + kwargs.setdefault('enabled', True) + kwargs.setdefault('id', uuid.uuid4().hex) + kwargs.setdefault('sp_url', uuid.uuid4().hex) + return kwargs + + def test_positional_parameters_expect_fail(self): + """Ensure CrudManager raises TypeError exceptions. + + After passing wrong number of positional arguments + an exception should be raised. + + Operations to be tested: + * create() + * get() + * list() + * delete() + * update() + + """ + POS_PARAM_1 = uuid.uuid4().hex + POS_PARAM_2 = uuid.uuid4().hex + POS_PARAM_3 = uuid.uuid4().hex + + PARAMETERS = { + 'create': (POS_PARAM_1, POS_PARAM_2), + 'get': (POS_PARAM_1, POS_PARAM_2), + 'list': (POS_PARAM_1, POS_PARAM_2), + 'update': (POS_PARAM_1, POS_PARAM_2, POS_PARAM_3), + 'delete': (POS_PARAM_1, POS_PARAM_2) + } + + for f_name, args in PARAMETERS.items(): + self.assertRaises(TypeError, getattr(self.manager, f_name), + *args) + + def test_create(self): + ref = self.new_ref() + + # req_ref argument allows you to specify a different + # signature for the request when the manager does some + # conversion before doing the request (e.g. converting + # from datetime object to timestamp string) + req_ref = ref.copy() + req_ref.pop('id') + + self.stub_entity('PUT', entity=ref, id=ref['id'], status_code=201) + + returned = self.manager.create(**ref) + self.assertIsInstance(returned, self.model) + for attr in req_ref: + self.assertEqual( + getattr(returned, attr), + req_ref[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs(req_ref) + + +class IdentityProviderRequestIdTests(utils.TestRequestId): + + def setUp(self): + super(IdentityProviderRequestIdTests, self).setUp() + self.mgr = identity_providers.IdentityProviderManager(self.client) + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get_identity_provider(self): + body = {"identity_provider": {"name": "admin"}} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get("admin") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/admin') + + def test_list_identity_provider(self): + body = {"identity_providers": [{"name": "admin"}]} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.list() + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('OS-FEDERATION/identity_providers?') + + def test_create_identity_provider(self): + body = {"identity_provider": {"name": "admin"}} + self._mock_request_method(method='post', body=body) + put_mock = self._mock_request_method(method='put', body=body) + + response = self.mgr.create(id="admin", description='fake') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + put_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/admin', + body={'identity_provider': {'description': 'fake'}}) + + def test_update_identity_provider(self): + body = {"identity_provider": {"name": "admin"}} + patch_mock = self._mock_request_method(method='patch', body=body) + self._mock_request_method(method='post', body=body) + + response = self.mgr.update("admin") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + patch_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/admin', body={ + 'identity_provider': {}}) + + def test_delete_identity_provider(self): + get_mock = self._mock_request_method(method='delete') + + _, resp = self.mgr.delete("admin") + self.assertEqual(resp.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/admin') + + +class MappingRequestIdTests(utils.TestRequestId): + + def setUp(self): + super(MappingRequestIdTests, self).setUp() + self.mgr = mappings.MappingManager(self.client) + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get_mapping(self): + body = {"mapping": {"name": "admin"}} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get("admin") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('OS-FEDERATION/mappings/admin') + + def test_list_mapping(self): + body = {"mappings": [{"name": "admin"}]} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.list() + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('OS-FEDERATION/mappings?') + + def test_create_mapping(self): + body = {"mapping": {"name": "admin"}} + self._mock_request_method(method='post', body=body) + put_mock = self._mock_request_method(method='put', body=body) + + response = self.mgr.create(mapping_id="admin", description='fake') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + put_mock.assert_called_once_with( + 'OS-FEDERATION/mappings/admin', body={ + 'mapping': {'description': 'fake'}}) + + def test_update_mapping(self): + body = {"mapping": {"name": "admin"}} + patch_mock = self._mock_request_method(method='patch', body=body) + self._mock_request_method(method='post', body=body) + + response = self.mgr.update("admin") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + patch_mock.assert_called_once_with( + 'OS-FEDERATION/mappings/admin', body={'mapping': {}}) + + def test_delete_mapping(self): + get_mock = self._mock_request_method(method='delete') + + _, resp = self.mgr.delete("admin") + self.assertEqual(resp.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('OS-FEDERATION/mappings/admin') + + +class ProtocolRequestIdTests(utils.TestRequestId): + + def setUp(self): + super(ProtocolRequestIdTests, self).setUp() + self.mgr = protocols.ProtocolManager(self.client) + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get_protocol(self): + body = {"protocol": {"name": "admin"}} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get("admin", "protocol") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/admin/protocols/protocol') + + def test_list_protocol(self): + body = {"protocols": [{"name": "admin"}]} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.list("identity_provider") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/identity_provider/protocols?') + + def test_create_protocol(self): + body = {"protocol": {"name": "admin"}} + self._mock_request_method(method='post', body=body) + put_mock = self._mock_request_method(method='put', body=body) + + response = self.mgr.create( + protocol_id="admin", identity_provider='fake', mapping='fake') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + put_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/fake/protocols/admin', body={ + 'protocol': {'mapping_id': 'fake'}}) + + def test_update_protocol(self): + body = {"protocol": {"name": "admin"}} + patch_mock = self._mock_request_method(method='patch', body=body) + self._mock_request_method(method='post', body=body) + + response = self.mgr.update(protocol="admin", identity_provider='fake', + mapping='fake') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + patch_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/fake/protocols/admin', body={ + 'protocol': {'mapping_id': 'fake'}}) + + def test_delete_protocol(self): + get_mock = self._mock_request_method(method='delete') + + _, resp = self.mgr.delete("identity_provider", "protocol") + self.assertEqual(resp.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/identity_providers/' + 'identity_provider/protocols/protocol') + + +class ServiceProviderRequestIdTests(utils.TestRequestId): + + def setUp(self): + super(ServiceProviderRequestIdTests, self).setUp() + self.mgr = service_providers.ServiceProviderManager(self.client) + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get_service_provider(self): + body = {"service_provider": {"name": "admin"}} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get("provider") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/service_providers/provider') + + def test_list_service_provider(self): + body = {"service_providers": [{"name": "admin"}]} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.list() + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('OS-FEDERATION/service_providers?') + + def test_create_service_provider(self): + body = {"service_provider": {"name": "admin"}} + self._mock_request_method(method='post', body=body) + put_mock = self._mock_request_method(method='put', body=body) + + response = self.mgr.create(id='provider') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + put_mock.assert_called_once_with( + 'OS-FEDERATION/service_providers/provider', body={ + 'service_provider': {}}) + + def test_update_service_provider(self): + body = {"service_provider": {"name": "admin"}} + patch_mock = self._mock_request_method(method='patch', body=body) + self._mock_request_method(method='post', body=body) + + response = self.mgr.update("provider") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + patch_mock.assert_called_once_with( + 'OS-FEDERATION/service_providers/provider', body={ + 'service_provider': {}}) + + def test_delete_service_provider(self): + get_mock = self._mock_request_method(method='delete') + + _, resp = self.mgr.delete("provider") + self.assertEqual(resp.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + 'OS-FEDERATION/service_providers/provider') diff --git a/keystoneclient/tests/v3/test_groups.py b/keystoneclient/tests/unit/v3/test_groups.py similarity index 95% rename from keystoneclient/tests/v3/test_groups.py rename to keystoneclient/tests/unit/v3/test_groups.py index 7fa087051..90fff0e63 100644 --- a/keystoneclient/tests/v3/test_groups.py +++ b/keystoneclient/tests/unit/v3/test_groups.py @@ -14,11 +14,11 @@ import uuid -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import groups -class GroupTests(utils.TestCase, utils.CrudTests): +class GroupTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(GroupTests, self).setUp() self.key = 'group' diff --git a/keystoneclient/tests/unit/v3/test_limits.py b/keystoneclient/tests/unit/v3/test_limits.py new file mode 100644 index 000000000..0dca67d9b --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_limits.py @@ -0,0 +1,77 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import limits + + +class LimitTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(LimitTests, self).setUp() + self.key = 'limit' + self.collection_key = 'limits' + self.model = limits.Limit + self.manager = self.client.limits + + def new_ref(self, **kwargs): + ref = { + 'id': uuid.uuid4().hex, + 'project_id': uuid.uuid4().hex, + 'service_id': uuid.uuid4().hex, + 'resource_name': uuid.uuid4().hex, + 'resource_limit': 15, + 'description': uuid.uuid4().hex + } + ref.update(kwargs) + return ref + + def test_create(self): + # This test overrides the generic test case provided by the CrudTests + # class because the limits API supports creating multiple limits in a + # single POST request. As a result, it returns the limits as a list of + # all the created limits from the request. This is different from what + # the base test_create() method assumes about keystone's API. The + # changes here override the base test to closely model how the actual + # limit API behaves. + ref = self.new_ref() + manager_ref = ref.copy() + manager_ref.pop('id') + req_ref = [manager_ref.copy()] + + self.stub_entity('POST', entity=req_ref, status_code=201) + + returned = self.manager.create(**utils.parameterize(manager_ref)) + self.assertIsInstance(returned, self.model) + + expected_limit = req_ref.pop() + for attr in expected_limit: + self.assertEqual( + getattr(returned, attr), + expected_limit[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs([expected_limit]) + + def test_list_filter_by_service(self): + service_id = uuid.uuid4().hex + expected_query = {'service_id': service_id} + self.test_list(expected_query=expected_query, service=service_id) + + def test_list_filtered_by_resource_name(self): + resource_name = uuid.uuid4().hex + self.test_list(resource_name=resource_name) + + def test_list_filtered_by_region(self): + region_id = uuid.uuid4().hex + expected_query = {'region_id': region_id} + self.test_list(expected_query=expected_query, region=region_id) diff --git a/keystoneclient/tests/v3/test_oauth1.py b/keystoneclient/tests/unit/v3/test_oauth1.py similarity index 73% rename from keystoneclient/tests/v3/test_oauth1.py rename to keystoneclient/tests/unit/v3/test_oauth1.py index 0dc9c2a80..a15d94b83 100644 --- a/keystoneclient/tests/v3/test_oauth1.py +++ b/keystoneclient/tests/unit/v3/test_oauth1.py @@ -11,38 +11,34 @@ # See the License for the specific language governing permissions and # limitations under the License. +from unittest import mock + +import fixtures +from urllib import parse as urlparse import uuid -import mock -import six -from six.moves.urllib import parse as urlparse from testtools import matchers -from keystoneclient.openstack.common import timeutils from keystoneclient import session -from keystoneclient.tests.v3 import client_fixtures -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import client_fixtures +from keystoneclient.tests.unit.v3 import utils +from keystoneclient import utils as client_utils from keystoneclient.v3.contrib.oauth1 import access_tokens from keystoneclient.v3.contrib.oauth1 import auth from keystoneclient.v3.contrib.oauth1 import consumers from keystoneclient.v3.contrib.oauth1 import request_tokens try: - import oauthlib from oauthlib import oauth1 except ImportError: oauth1 = None -class BaseTest(utils.TestCase): +class ConsumerTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): - super(BaseTest, self).setUp() if oauth1 is None: self.skipTest('oauthlib package not available') - -class ConsumerTests(BaseTest, utils.CrudTests): - def setUp(self): super(ConsumerTests, self).setUp() self.key = 'consumer' self.collection_key = 'consumers' @@ -80,7 +76,7 @@ def test_description_not_included(self): self.assertEqual(consumer_id, consumer.id) -class TokenTests(BaseTest): +class TokenTests(object): def _new_oauth_token(self): key = uuid.uuid4().hex secret = uuid.uuid4().hex @@ -90,7 +86,7 @@ def _new_oauth_token(self): def _new_oauth_token_with_expires_at(self): key, secret, token = self._new_oauth_token() - expires_at = timeutils.strtime() + expires_at = client_utils.strtime() params = {'oauth_token': key, 'oauth_token_secret': secret, 'oauth_expires_at': expires_at} @@ -98,25 +94,18 @@ def _new_oauth_token_with_expires_at(self): return (key, secret, expires_at, token) def _validate_oauth_headers(self, auth_header, oauth_client): - """Assert that the data in the headers matches the data + """Validate data in the headers. + + Assert that the data in the headers matches the data that is produced from oauthlib. """ - self.assertThat(auth_header, matchers.StartsWith('OAuth ')) - auth_header = auth_header[len('OAuth '):] - # NOTE(stevemar): In newer versions of oauthlib there is - # an additional argument for getting oauth parameters. - # Adding a conditional here to revert back to no arguments - # if an earlier version is detected. - if tuple(oauthlib.__version__.split('.')) > ('0', '6', '1'): - header_params = oauth_client.get_oauth_params(None) - else: - header_params = oauth_client.get_oauth_params() - parameters = dict(header_params) + parameters = dict( + oauth1.rfc5849.utils.parse_authorization_header(auth_header)) self.assertEqual('HMAC-SHA1', parameters['oauth_signature_method']) self.assertEqual('1.0', parameters['oauth_version']) - self.assertIsInstance(parameters['oauth_nonce'], six.string_types) + self.assertIsInstance(parameters['oauth_nonce'], str) self.assertEqual(oauth_client.client_key, parameters['oauth_consumer_key']) if oauth_client.resource_owner_key: @@ -128,14 +117,14 @@ def _validate_oauth_headers(self, auth_header, oauth_client): if oauth_client.callback_uri: self.assertEqual(oauth_client.callback_uri, parameters['oauth_callback']) - if oauth_client.timestamp: - self.assertEqual(oauth_client.timestamp, - parameters['oauth_timestamp']) return parameters -class RequestTokenTests(TokenTests): +class RequestTokenTests(utils.ClientTestCase, TokenTests): def setUp(self): + if oauth1 is None: + self.skipTest('oauthlib package not available') + super(RequestTokenTests, self).setUp() self.model = request_tokens.RequestToken self.manager = self.client.oauth1.request_tokens @@ -182,8 +171,8 @@ def test_create_request_token(self): self.assertEqual(request_secret, request_token.secret) # Assert that the project id is in the header - self.assertRequestHeaderEqual('requested_project_id', project_id) - req_headers = self.requests.last_request.headers + self.assertRequestHeaderEqual('requested-project-id', project_id) + req_headers = self.requests_mock.last_request.headers oauth_client = oauth1.Client(consumer_key, client_secret=consumer_secret, @@ -193,8 +182,11 @@ def test_create_request_token(self): oauth_client) -class AccessTokenTests(TokenTests): +class AccessTokenTests(utils.ClientTestCase, TokenTests): def setUp(self): + if oauth1 is None: + self.skipTest('oauthlib package not available') + super(AccessTokenTests, self).setUp() self.manager = self.client.oauth1.access_tokens self.model = access_tokens.AccessToken @@ -223,19 +215,19 @@ def test_create_access_token_expires_at(self): self.assertEqual(access_secret, access_token.secret) self.assertEqual(expires_at, access_token.expires) - req_headers = self.requests.last_request.headers + req_headers = self.requests_mock.last_request.headers oauth_client = oauth1.Client(consumer_key, client_secret=consumer_secret, resource_owner_key=request_key, resource_owner_secret=request_secret, signature_method=oauth1.SIGNATURE_HMAC, - verifier=verifier, - timestamp=expires_at) + verifier=verifier) + self._validate_oauth_headers(req_headers['Authorization'], oauth_client) -class AuthenticateWithOAuthTests(TokenTests): +class AuthenticateWithOAuthTests(utils.TestCase, TokenTests): def setUp(self): super(AuthenticateWithOAuthTests, self).setUp() if oauth1 is None: @@ -255,12 +247,13 @@ def test_oauth_authenticate_success(self): "access_token_id": access_key} self.stub_auth(json=oauth_token) - a = auth.OAuth(self.TEST_URL, consumer_key=consumer_key, - consumer_secret=consumer_secret, - access_key=access_key, - access_secret=access_secret) - s = session.Session(auth=a) - t = s.get_token() + with self.deprecations.expect_deprecations_here(): + a = auth.OAuth(self.TEST_URL, consumer_key=consumer_key, + consumer_secret=consumer_secret, + access_key=access_key, + access_secret=access_secret) + s = session.Session(auth=a) + t = s.get_token() self.assertEqual(self.TEST_TOKEN, t) OAUTH_REQUEST_BODY = { @@ -275,7 +268,7 @@ def test_oauth_authenticate_success(self): self.assertRequestBodyIs(json=OAUTH_REQUEST_BODY) # Assert that the headers have the same oauthlib data - req_headers = self.requests.last_request.headers + req_headers = self.requests_mock.last_request.headers oauth_client = oauth1.Client(consumer_key, client_secret=consumer_secret, resource_owner_key=access_key, @@ -285,6 +278,53 @@ def test_oauth_authenticate_success(self): oauth_client) +class OauthRequestIdTests(utils.TestRequestId, TokenTests): + + def setUp(self): + super(OauthRequestIdTests, self).setUp() + self.mgr = consumers.ConsumerManager(self.client) + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get_consumers(self): + body = {"consumer": {"name": "admin"}} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get("admin") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('/OS-OAUTH1/consumers/admin') + + def test_create_consumers(self): + body = {"consumer": {"name": "admin"}} + post_mock = self._mock_request_method(method='post', body=body) + + response = self.mgr.create(name="admin", description="fake") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + post_mock.assert_called_once_with('/OS-OAUTH1/consumers', body={ + 'consumer': {'name': 'admin', 'description': 'fake'}}) + + def test_update_consumers(self): + body = {"consumer": {"name": "admin"}} + patch_mock = self._mock_request_method(method='patch', body=body) + self._mock_request_method(method='post', body=body) + + response = self.mgr.update("admin", "demo") + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + patch_mock.assert_called_once_with('/OS-OAUTH1/consumers/admin', body={ + 'consumer': {'description': 'demo'}}) + + def test_delete_consumers(self): + get_mock = self._mock_request_method(method='delete') + + _, resp = self.mgr.delete("admin") + self.assertEqual(resp.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with('/OS-OAUTH1/consumers/admin') + + class TestOAuthLibModule(utils.TestCase): def test_no_oauthlib_installed(self): diff --git a/keystoneclient/tests/v3/test_policies.py b/keystoneclient/tests/unit/v3/test_policies.py similarity index 90% rename from keystoneclient/tests/v3/test_policies.py rename to keystoneclient/tests/unit/v3/test_policies.py index 45bce7191..47be4838d 100644 --- a/keystoneclient/tests/v3/test_policies.py +++ b/keystoneclient/tests/unit/v3/test_policies.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import policies -class PolicyTests(utils.TestCase, utils.CrudTests): +class PolicyTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(PolicyTests, self).setUp() self.key = 'policy' diff --git a/keystoneclient/tests/unit/v3/test_projects.py b/keystoneclient/tests/unit/v3/test_projects.py new file mode 100644 index 000000000..99186f17f --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_projects.py @@ -0,0 +1,469 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import fixtures +import uuid + +from keystoneauth1 import exceptions as ksa_exceptions + +from keystoneclient import exceptions as ksc_exceptions +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import projects + + +class ProjectTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(ProjectTests, self).setUp() + self.key = 'project' + self.collection_key = 'projects' + self.model = projects.Project + self.manager = self.client.projects + + def new_ref(self, **kwargs): + kwargs = super(ProjectTests, self).new_ref(**kwargs) + return self._new_project_ref(ref=kwargs) + + def _new_project_ref(self, ref=None): + ref = ref or {} + ref.setdefault('domain_id', uuid.uuid4().hex) + ref.setdefault('enabled', True) + ref.setdefault('name', uuid.uuid4().hex) + return ref + + def test_list_projects_for_user(self): + ref_list = [self.new_ref(), self.new_ref()] + user_id = uuid.uuid4().hex + + self.stub_entity('GET', + ['users', user_id, self.collection_key], + entity=ref_list) + + returned_list = self.manager.list(user=user_id) + self.assertEqual(len(ref_list), len(returned_list)) + [self.assertIsInstance(r, self.model) for r in returned_list] + + def test_list_projects_for_domain(self): + ref_list = [self.new_ref(), self.new_ref()] + domain_id = uuid.uuid4().hex + + self.stub_entity('GET', [self.collection_key], entity=ref_list) + + returned_list = self.manager.list(domain=domain_id) + self.assertEqual(len(ref_list), len(returned_list)) + [self.assertIsInstance(r, self.model) for r in returned_list] + + self.assertQueryStringIs('domain_id=%s' % domain_id) + + def test_list_projects_for_parent(self): + ref_list = [self.new_ref(), self.new_ref()] + parent_id = uuid.uuid4().hex + + self.stub_entity('GET', [self.collection_key], entity=ref_list) + + returned_list = self.manager.list(parent=parent_id) + self.assertEqual(len(ref_list), len(returned_list)) + [self.assertIsInstance(r, self.model) for r in returned_list] + + self.assertQueryStringIs('parent_id=%s' % parent_id) + + def test_create_with_parent(self): + parent_ref = self.new_ref() + parent_ref['parent_id'] = uuid.uuid4().hex + parent = self.test_create(ref=parent_ref) + parent.id = parent_ref['id'] + + # Create another project under 'parent' in the hierarchy + ref = self.new_ref() + ref['parent_id'] = parent.id + + child_ref = ref.copy() + del child_ref['parent_id'] + child_ref['parent'] = parent + + # test_create() pops the 'id' of the mocked response + del ref['id'] + + # Resource objects may peform lazy-loading. The create() method of + # ProjectManager will try to access the 'uuid' attribute of the parent + # object, which will trigger a call to fetch the Resource attributes. + self.stub_entity('GET', id=parent_ref['id'], entity=parent_ref) + self.test_create(ref=child_ref, req_ref=ref) + + def test_create_with_parent_id(self): + ref = self._new_project_ref() + ref['parent_id'] = uuid.uuid4().hex + + self.stub_entity('POST', entity=ref, status_code=201) + + returned = self.manager.create(name=ref['name'], + domain=ref['domain_id'], + parent_id=ref['parent_id']) + + self.assertIsInstance(returned, self.model) + for attr in ref: + self.assertEqual( + getattr(returned, attr), + ref[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs(ref) + + def test_create_with_parent_and_parent_id(self): + ref = self._new_project_ref() + ref['parent_id'] = uuid.uuid4().hex + + self.stub_entity('POST', entity=ref, status_code=201) + + # Should ignore the 'parent_id' argument since we are also passing + # 'parent' + returned = self.manager.create(name=ref['name'], + domain=ref['domain_id'], + parent=ref['parent_id'], + parent_id=uuid.uuid4().hex) + + self.assertIsInstance(returned, self.model) + for attr in ref: + self.assertEqual( + getattr(returned, attr), + ref[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs(ref) + + def _create_projects_hierarchy(self, hierarchy_size=3): + """Create a project hierarchy with specified size. + + :param hierarchy_size: the desired hierarchy size, default is 3. + + :returns: a list of the projects in the created hierarchy. + + """ + ref = self.new_ref() + project_id = ref['id'] + projects = [ref] + + for i in range(1, hierarchy_size): + new_ref = self.new_ref() + new_ref['parent_id'] = project_id + projects.append(new_ref) + project_id = new_ref['id'] + + return projects + + def test_get_with_subtree_as_ids(self): + projects = self._create_projects_hierarchy() + ref = projects[0] + + # We will query for projects[0] subtree, it should include projects[1] + # and projects[2] structured like the following: + # { + # projects[1]: { + # projects[2]: None + # } + # } + ref['subtree'] = { + projects[1]['id']: { + projects[2]['id']: None + } + } + + self.stub_entity('GET', id=ref['id'], entity=ref) + + returned = self.manager.get(ref['id'], subtree_as_ids=True) + self.assertQueryStringIs('subtree_as_ids') + self.assertEqual(ref['subtree'], returned.subtree) + + def test_get_with_parents_as_ids(self): + projects = self._create_projects_hierarchy() + ref = projects[2] + + # We will query for projects[2] parents, it should include projects[1] + # and projects[0] structured like the following: + # { + # projects[1]: { + # projects[0]: None + # } + # } + ref['parents'] = { + projects[1]['id']: { + projects[0]['id']: None + } + } + + self.stub_entity('GET', id=ref['id'], entity=ref) + + returned = self.manager.get(ref['id'], parents_as_ids=True) + self.assertQueryStringIs('parents_as_ids') + self.assertEqual(ref['parents'], returned.parents) + + def test_get_with_parents_as_ids_and_subtree_as_ids(self): + ref = self.new_ref() + projects = self._create_projects_hierarchy() + ref = projects[1] + + # We will query for projects[1] subtree and parents. The subtree should + # include projects[2] and the parents should include projects[2]. + ref['parents'] = { + projects[0]['id']: None + } + ref['subtree'] = { + projects[2]['id']: None + } + + self.stub_entity('GET', id=ref['id'], entity=ref) + + returned = self.manager.get(ref['id'], + parents_as_ids=True, + subtree_as_ids=True) + self.assertQueryStringIs('subtree_as_ids&parents_as_ids') + self.assertEqual(ref['parents'], returned.parents) + self.assertEqual(ref['subtree'], returned.subtree) + + def test_get_with_subtree_as_list(self): + projects = self._create_projects_hierarchy() + ref = projects[0] + + ref['subtree_as_list'] = [] + for i in range(1, len(projects)): + ref['subtree_as_list'].append(projects[i]) + + self.stub_entity('GET', id=ref['id'], entity=ref) + + returned = self.manager.get(ref['id'], subtree_as_list=True) + self.assertQueryStringIs('subtree_as_list') + for i in range(1, len(projects)): + for attr in projects[i]: + child = getattr(returned, 'subtree_as_list')[i - 1] + self.assertEqual( + child[attr], + projects[i][attr], + 'Expected different %s' % attr) + + def test_get_with_parents_as_list(self): + projects = self._create_projects_hierarchy() + ref = projects[2] + + ref['parents_as_list'] = [] + for i in range(0, len(projects) - 1): + ref['parents_as_list'].append(projects[i]) + + self.stub_entity('GET', id=ref['id'], entity=ref) + + returned = self.manager.get(ref['id'], parents_as_list=True) + self.assertQueryStringIs('parents_as_list') + for i in range(0, len(projects) - 1): + for attr in projects[i]: + parent = getattr(returned, 'parents_as_list')[i] + self.assertEqual( + parent[attr], + projects[i][attr], + 'Expected different %s' % attr) + + def test_get_with_parents_as_list_and_subtree_as_list(self): + ref = self.new_ref() + projects = self._create_projects_hierarchy() + ref = projects[1] + + ref['parents_as_list'] = [projects[0]] + ref['subtree_as_list'] = [projects[2]] + + self.stub_entity('GET', id=ref['id'], entity=ref) + + returned = self.manager.get(ref['id'], + parents_as_list=True, + subtree_as_list=True) + self.assertQueryStringIs('subtree_as_list&parents_as_list') + + for attr in projects[0]: + parent = getattr(returned, 'parents_as_list')[0] + self.assertEqual( + parent[attr], + projects[0][attr], + 'Expected different %s' % attr) + + for attr in projects[2]: + child = getattr(returned, 'subtree_as_list')[0] + self.assertEqual( + child[attr], + projects[2][attr], + 'Expected different %s' % attr) + + def test_get_with_invalid_parameters_combination(self): + # subtree_as_list and subtree_as_ids can not be included at the + # same time in the call. + self.assertRaises(ksc_exceptions.ValidationError, + self.manager.get, + project=uuid.uuid4().hex, + subtree_as_list=True, + subtree_as_ids=True) + + # parents_as_list and parents_as_ids can not be included at the + # same time in the call. + self.assertRaises(ksc_exceptions.ValidationError, + self.manager.get, + project=uuid.uuid4().hex, + parents_as_list=True, + parents_as_ids=True) + + def test_update_with_parent_project(self): + ref = self.new_ref() + ref['parent_id'] = uuid.uuid4().hex + + self.stub_entity('PATCH', id=ref['id'], entity=ref, status_code=403) + req_ref = ref.copy() + req_ref.pop('id') + + # NOTE(rodrigods): this is the expected behaviour of the Identity + # server, a different implementation might not fail this request. + self.assertRaises(ksa_exceptions.Forbidden, self.manager.update, + ref['id'], **utils.parameterize(req_ref)) + + def test_add_tag(self): + ref = self.new_ref() + tag_name = "blue" + + self.stub_url("PUT", + parts=[self.collection_key, ref['id'], "tags", tag_name], + status_code=201) + self.manager.add_tag(ref['id'], tag_name) + + def test_update_tags(self): + new_tags = ["blue", "orange"] + ref = self.new_ref() + + self.stub_url("PUT", + parts=[self.collection_key, ref['id'], "tags"], + json={"tags": new_tags}, + status_code=200) + + ret = self.manager.update_tags(ref['id'], new_tags) + self.assertEqual(ret, new_tags) + + def test_delete_tag(self): + ref = self.new_ref() + tag_name = "blue" + + self.stub_url("DELETE", + parts=[self.collection_key, ref['id'], "tags", tag_name], + status_code=204) + + self.manager.delete_tag(ref['id'], tag_name) + + def test_delete_all_tags(self): + ref = self.new_ref() + + self.stub_url("PUT", + parts=[self.collection_key, ref['id'], "tags"], + json={"tags": []}, + status_code=200) + + ret = self.manager.update_tags(ref['id'], []) + self.assertEqual([], ret) + + def test_list_tags(self): + ref = self.new_ref() + tags = ["blue", "orange", "green"] + + self.stub_url("GET", + parts=[self.collection_key, ref['id'], "tags"], + json={"tags": tags}, + status_code=200) + + ret_tags = self.manager.list_tags(ref['id']) + self.assertEqual(tags, ret_tags) + + def test_check_tag(self): + ref = self.new_ref() + + tag_name = "blue" + self.stub_url("HEAD", + parts=[self.collection_key, ref['id'], "tags", tag_name], + status_code=204) + self.assertTrue(self.manager.check_tag(ref['id'], tag_name)) + + no_tag = "orange" + self.stub_url("HEAD", + parts=[self.collection_key, ref['id'], "tags", no_tag], + status_code=404) + self.assertFalse(self.manager.check_tag(ref['id'], no_tag)) + + def _build_project_response(self, tags): + project_id = uuid.uuid4().hex + ret = {"projects": [ + {"is_domain": False, + "description": "", + "tags": tags, + "enabled": True, + "id": project_id, + "parent_id": "default", + "domain_id": "default", + "name": project_id} + ]} + return ret + + +class ProjectsRequestIdTests(utils.TestRequestId): + + url = "/projects" + + def setUp(self): + super(ProjectsRequestIdTests, self).setUp() + self.mgr = projects.ProjectManager(self.client) + self.mgr.resource_class = projects.Project + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_get_project(self): + body = {"project": {"name": "admin"}} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get(project='admin') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with(self.url + '/admin') + + def test_create_project(self): + body = {"project": {"name": "admin", "domain": "admin"}} + post_mock = self._mock_request_method(method='post', body=body) + + response = self.mgr.create('admin', 'admin') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + post_mock.assert_called_once_with(self.url, body={'project': { + 'name': 'admin', 'enabled': True, 'domain_id': 'admin'}}) + + def test_list_project(self): + body = {"projects": [{"name": "admin"}, {"name": "admin"}]} + get_mock = self._mock_request_method(method='get', body=body) + + returned_list = self.mgr.list() + self.assertEqual(returned_list.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with(self.url + '?') + + def test_update_project(self): + body = {"project": {"name": "admin"}} + patch_mock = self._mock_request_method(method='patch', body=body) + + put_mock = self._mock_request_method(method='put', body=body) + + response = self.mgr.update("admin", domain='demo') + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + patch_mock.assert_called_once_with(self.url + '/admin', body={ + 'project': {'domain_id': 'demo'}}) + self.assertFalse(put_mock.called) + + def test_delete_project(self): + get_mock = self._mock_request_method(method='delete') + + _, resp = self.mgr.delete("admin") + self.assertEqual(resp.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with(self.url + '/admin') diff --git a/keystoneclient/tests/v3/test_regions.py b/keystoneclient/tests/unit/v3/test_regions.py similarity index 79% rename from keystoneclient/tests/v3/test_regions.py rename to keystoneclient/tests/unit/v3/test_regions.py index c539aa75c..90ddfdc64 100644 --- a/keystoneclient/tests/v3/test_regions.py +++ b/keystoneclient/tests/unit/v3/test_regions.py @@ -14,11 +14,11 @@ import uuid -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import regions -class RegionTests(utils.TestCase, utils.CrudTests): +class RegionTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(RegionTests, self).setUp() self.key = 'region' @@ -31,3 +31,7 @@ def new_ref(self, **kwargs): kwargs.setdefault('enabled', True) kwargs.setdefault('id', uuid.uuid4().hex) return kwargs + + def test_update_enabled_defaults_to_none(self): + super(RegionTests, self).test_update( + req_ref={'description': uuid.uuid4().hex}) diff --git a/keystoneclient/tests/unit/v3/test_registered_limits.py b/keystoneclient/tests/unit/v3/test_registered_limits.py new file mode 100644 index 000000000..1f612f8bb --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_registered_limits.py @@ -0,0 +1,76 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import registered_limits + + +class RegisteredLimitTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(RegisteredLimitTests, self).setUp() + self.key = 'registered_limit' + self.collection_key = 'registered_limits' + self.model = registered_limits.RegisteredLimit + self.manager = self.client.registered_limits + + def new_ref(self, **kwargs): + ref = { + 'id': uuid.uuid4().hex, + 'service_id': uuid.uuid4().hex, + 'resource_name': uuid.uuid4().hex, + 'default_limit': 10, + 'description': uuid.uuid4().hex + } + ref.update(kwargs) + return ref + + def test_create(self): + # This test overrides the generic test case provided by the CrudTests + # class because the registered limits API supports creating multiple + # limits in a single POST request. As a result, it returns the + # registered limits as a list of all the created limits from the + # request. This is different from what the base test_create() method + # assumes about keystone's API. The changes here override the base test + # to closely model how the actual registered limit API behaves. + ref = self.new_ref() + manager_ref = ref.copy() + manager_ref.pop('id') + req_ref = [manager_ref.copy()] + + self.stub_entity('POST', entity=req_ref, status_code=201) + + returned = self.manager.create(**utils.parameterize(manager_ref)) + self.assertIsInstance(returned, self.model) + + expected_limit = req_ref.pop() + for attr in expected_limit: + self.assertEqual( + getattr(returned, attr), + expected_limit[attr], + 'Expected different %s' % attr) + self.assertEntityRequestBodyIs([expected_limit]) + + def test_list_filter_by_service(self): + service_id = uuid.uuid4().hex + expected_query = {'service_id': service_id} + self.test_list(expected_query=expected_query, service=service_id) + + def test_list_filter_resource_name(self): + resource_name = uuid.uuid4().hex + self.test_list(resource_name=resource_name) + + def test_list_filter_region(self): + region_id = uuid.uuid4().hex + expected_query = {'region_id': region_id} + self.test_list(expected_query=expected_query, region=region_id) diff --git a/keystoneclient/tests/v3/test_role_assignments.py b/keystoneclient/tests/unit/v3/test_role_assignments.py similarity index 61% rename from keystoneclient/tests/v3/test_role_assignments.py rename to keystoneclient/tests/unit/v3/test_role_assignments.py index f47d9ec60..39b4b2355 100644 --- a/keystoneclient/tests/v3/test_role_assignments.py +++ b/keystoneclient/tests/unit/v3/test_role_assignments.py @@ -11,11 +11,11 @@ # under the License. from keystoneclient import exceptions -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import role_assignments -class RoleAssignmentsTests(utils.TestCase, utils.CrudTests): +class RoleAssignmentsTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(RoleAssignmentsTests, self).setUp() @@ -23,6 +23,32 @@ def setUp(self): self.collection_key = 'role_assignments' self.model = role_assignments.RoleAssignment self.manager = self.client.role_assignments + self.TEST_USER_SYSTEM_LIST = [{ + 'role': { + 'id': self.TEST_ROLE_ID + }, + 'scope': { + 'system': { + 'all': True + } + }, + 'user': { + 'id': self.TEST_USER_ID + } + }] + self.TEST_GROUP_SYSTEM_LIST = [{ + 'role': { + 'id': self.TEST_ROLE_ID + }, + 'scope': { + 'system': { + 'all': True + } + }, + 'group': { + 'id': self.TEST_GROUP_ID + } + }] self.TEST_USER_DOMAIN_LIST = [{ 'role': { 'id': self.TEST_ROLE_ID @@ -65,12 +91,23 @@ def setUp(self): self.TEST_ALL_RESPONSE_LIST = (self.TEST_USER_PROJECT_LIST + self.TEST_GROUP_PROJECT_LIST + - self.TEST_USER_DOMAIN_LIST) + self.TEST_USER_DOMAIN_LIST + + self.TEST_USER_SYSTEM_LIST + + self.TEST_GROUP_SYSTEM_LIST) def _assert_returned_list(self, ref_list, returned_list): self.assertEqual(len(ref_list), len(returned_list)) [self.assertIsInstance(r, self.model) for r in returned_list] + def test_list_by_id(self): + # It doesn't make sense to "list role assignments by ID" at all, given + # that they don't have globally unique IDs in the first place. But + # calling RoleAssignmentsManager.list(id=...) should still raise a + # TypeError when given an unexpected keyword argument 'id', so we don't + # actually have to modify the test in the superclass... I just wanted + # to make a note here in case the superclass changes. + super(RoleAssignmentsTests, self).test_list_by_id() + def test_list_params(self): ref_list = self.TEST_USER_PROJECT_LIST self.stub_entity('GET', @@ -112,6 +149,22 @@ def test_project_assignments_list(self): kwargs = {'scope.project.id': self.TEST_TENANT_ID} self.assertQueryStringContains(**kwargs) + def test_project_assignments_list_include_subtree(self): + ref_list = self.TEST_GROUP_PROJECT_LIST + self.TEST_USER_PROJECT_LIST + self.stub_entity('GET', + [self.collection_key, + '?scope.project.id=%s&include_subtree=True' % + self.TEST_TENANT_ID], + entity=ref_list) + + returned_list = self.manager.list(project=self.TEST_TENANT_ID, + include_subtree=True) + self._assert_returned_list(ref_list, returned_list) + + kwargs = {'scope.project.id': self.TEST_TENANT_ID, + 'include_subtree': 'True'} + self.assertQueryStringContains(**kwargs) + def test_domain_assignments_list(self): ref_list = self.TEST_USER_DOMAIN_LIST self.stub_entity('GET', @@ -125,6 +178,50 @@ def test_domain_assignments_list(self): kwargs = {'scope.domain.id': self.TEST_DOMAIN_ID} self.assertQueryStringContains(**kwargs) + def test_system_assignment_list(self): + ref_list = self.TEST_USER_SYSTEM_LIST + self.TEST_GROUP_SYSTEM_LIST + + self.stub_entity('GET', + [self.collection_key, '?scope.system=all'], + entity=ref_list) + + returned_list = self.manager.list(system='all') + self._assert_returned_list(ref_list, returned_list) + + kwargs = {'scope.system': 'all'} + self.assertQueryStringContains(**kwargs) + + def test_system_assignment_list_for_user(self): + ref_list = self.TEST_USER_SYSTEM_LIST + + self.stub_entity('GET', + [self.collection_key, + '?user.id=%s&scope.system=all' % self.TEST_USER_ID], + entity=ref_list) + + returned_list = self.manager.list(system='all', user=self.TEST_USER_ID) + self._assert_returned_list(ref_list, returned_list) + + kwargs = {'scope.system': 'all', 'user.id': self.TEST_USER_ID} + self.assertQueryStringContains(**kwargs) + + def test_system_assignment_list_for_group(self): + ref_list = self.TEST_GROUP_SYSTEM_LIST + + self.stub_entity( + 'GET', + [self.collection_key, + '?group.id=%s&scope.system=all' % self.TEST_GROUP_ID], + entity=ref_list) + + returned_list = self.manager.list( + system='all', group=self.TEST_GROUP_ID + ) + self._assert_returned_list(ref_list, returned_list) + + kwargs = {'scope.system': 'all', 'group.id': self.TEST_GROUP_ID} + self.assertQueryStringContains(**kwargs) + def test_group_assignments_list(self): ref_list = self.TEST_GROUP_PROJECT_LIST self.stub_entity('GET', @@ -164,6 +261,18 @@ def test_effective_assignments_list(self): kwargs = {'effective': 'True'} self.assertQueryStringContains(**kwargs) + def test_include_names_assignments_list(self): + ref_list = self.TEST_ALL_RESPONSE_LIST + self.stub_entity('GET', + [self.collection_key, + '?include_names=True'], + entity=ref_list) + + returned_list = self.manager.list(include_names=True) + self._assert_returned_list(ref_list, returned_list) + kwargs = {'include_names': 'True'} + self.assertQueryStringContains(**kwargs) + def test_role_assignments_list(self): ref_list = self.TEST_ALL_RESPONSE_LIST self.stub_entity('GET', @@ -177,6 +286,21 @@ def test_role_assignments_list(self): kwargs = {'role.id': self.TEST_ROLE_ID} self.assertQueryStringContains(**kwargs) + def test_role_assignments_inherited_list(self): + ref_list = self.TEST_ALL_RESPONSE_LIST + self.stub_entity('GET', + [self.collection_key, + '?scope.OS-INHERIT:inherited_to=projects'], + entity=ref_list + ) + + returned_list = self.manager.list( + os_inherit_extension_inherited_to='projects') + self._assert_returned_list(ref_list, returned_list) + + query_string = 'scope.OS-INHERIT:inherited_to=projects' + self.assertQueryStringIs(query_string) + def test_domain_and_project_list(self): # Should only accept either domain or project, never both self.assertRaises(exceptions.ValidationError, diff --git a/keystoneclient/tests/unit/v3/test_roles.py b/keystoneclient/tests/unit/v3/test_roles.py new file mode 100644 index 000000000..0e531e736 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_roles.py @@ -0,0 +1,824 @@ +# Copyright 2012 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneclient import exceptions +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3 import roles +from testtools import matchers + + +class RoleTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(RoleTests, self).setUp() + self.key = 'role' + self.collection_key = 'roles' + self.model = roles.Role + self.manager = self.client.roles + + def new_ref(self, **kwargs): + kwargs = super(RoleTests, self).new_ref(**kwargs) + kwargs.setdefault('name', uuid.uuid4().hex) + return kwargs + + def _new_domain_ref(self, **kwargs): + kwargs.setdefault('enabled', True) + kwargs.setdefault('name', uuid.uuid4().hex) + return kwargs + + def test_create_with_domain_id(self): + ref = self.new_ref() + ref['domain_id'] = uuid.uuid4().hex + self.test_create(ref=ref) + + def test_create_with_domain(self): + ref = self.new_ref() + domain_ref = self._new_domain_ref() + domain_ref['id'] = uuid.uuid4().hex + ref['domain_id'] = domain_ref['id'] + + self.stub_entity('POST', entity=ref, status_code=201) + returned = self.manager.create(name=ref['name'], + domain=domain_ref) + self.assertIsInstance(returned, self.model) + for attr in ref: + self.assertEqual( + getattr(returned, attr), + ref[attr], + 'Expected different %s' % attr) + + def test_domain_role_grant(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['domains', domain_id, 'users', user_id, + self.collection_key, ref['id']], + status_code=201) + + self.manager.grant(role=ref['id'], domain=domain_id, user=user_id) + + def test_domain_role_grant_inherited(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['OS-INHERIT', 'domains', domain_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=201) + + self.manager.grant(role=ref['id'], domain=domain_id, user=user_id, + os_inherit_extension_inherited=True) + + def test_project_role_grant_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['OS-INHERIT', 'projects', project_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.grant(role=ref['id'], project=project_id, user=user_id, + os_inherit_extension_inherited=True) + + def test_domain_group_role_grant(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['domains', domain_id, 'groups', group_id, + self.collection_key, ref['id']], + status_code=201) + + self.manager.grant(role=ref['id'], domain=domain_id, group=group_id) + + def test_domain_group_role_grant_inherited(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['OS-INHERIT', 'domains', domain_id, 'groups', group_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=201) + + self.manager.grant(role=ref['id'], domain=domain_id, group=group_id, + os_inherit_extension_inherited=True) + + def test_project_group_role_grant_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['OS-INHERIT', 'projects', project_id, 'groups', + group_id, self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.grant(role=ref['id'], project=project_id, group=group_id, + os_inherit_extension_inherited=True) + + def test_domain_role_list(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['domains', domain_id, 'users', user_id, + self.collection_key], entity=ref_list) + + self.manager.list(domain=domain_id, user=user_id) + + def test_domain_role_list_inherited(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['OS-INHERIT', + 'domains', domain_id, 'users', user_id, + self.collection_key, 'inherited_to_projects'], + entity=ref_list) + + returned_list = self.manager.list(domain=domain_id, user=user_id, + os_inherit_extension_inherited=True) + + self.assertThat(ref_list, matchers.HasLength(len(returned_list))) + [self.assertIsInstance(r, self.model) for r in returned_list] + + def test_project_user_role_list_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['OS-INHERIT', + 'projects', project_id, 'users', user_id, + self.collection_key, 'inherited_to_projects'], + entity=ref_list) + + returned_list = self.manager.list(project=project_id, user=user_id, + os_inherit_extension_inherited=True) + + self.assertThat(ref_list, matchers.HasLength(len(returned_list))) + [self.assertIsInstance(r, self.model) for r in returned_list] + + def test_domain_group_role_list(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['domains', domain_id, 'groups', group_id, + self.collection_key], entity=ref_list) + + self.manager.list(domain=domain_id, group=group_id) + + def test_domain_group_role_list_inherited(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['OS-INHERIT', + 'domains', domain_id, 'groups', group_id, + self.collection_key, 'inherited_to_projects'], + entity=ref_list) + + returned_list = self.manager.list(domain=domain_id, group=group_id, + os_inherit_extension_inherited=True) + + self.assertThat(ref_list, matchers.HasLength(len(returned_list))) + [self.assertIsInstance(r, self.model) for r in returned_list] + + def test_project_group_role_list_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['OS-INHERIT', + 'projects', project_id, 'groups', group_id, + self.collection_key, 'inherited_to_projects'], + entity=ref_list) + + returned_list = self.manager.list(project=project_id, group=group_id, + os_inherit_extension_inherited=True) + + self.assertThat(ref_list, matchers.HasLength(len(returned_list))) + [self.assertIsInstance(r, self.model) for r in returned_list] + + def test_domain_role_check(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['domains', domain_id, 'users', user_id, + self.collection_key, ref['id']], + status_code=204) + + self.manager.check(role=ref['id'], domain=domain_id, + user=user_id) + + def test_domain_role_check_inherited(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['OS-INHERIT', + 'domains', domain_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.check(role=ref['id'], domain=domain_id, + user=user_id, os_inherit_extension_inherited=True) + + def test_project_role_check_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['OS-INHERIT', + 'projects', project_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.check(role=ref['id'], project=project_id, + user=user_id, os_inherit_extension_inherited=True) + + def test_domain_group_role_check(self): + return + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['domains', domain_id, 'groups', group_id, + self.collection_key, ref['id']], + status_code=204) + + self.manager.check(role=ref['id'], domain=domain_id, group=group_id) + + def test_domain_group_role_check_inherited(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['OS-INHERIT', + 'domains', domain_id, 'groups', group_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.check(role=ref['id'], domain=domain_id, + group=group_id, os_inherit_extension_inherited=True) + + def test_project_group_role_check_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['OS-INHERIT', + 'projects', project_id, 'groups', group_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.check(role=ref['id'], project=project_id, + group=group_id, os_inherit_extension_inherited=True) + + def test_domain_role_revoke(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['domains', domain_id, 'users', user_id, + self.collection_key, ref['id']], + status_code=204) + + self.manager.revoke(role=ref['id'], domain=domain_id, user=user_id) + + def test_domain_group_role_revoke(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['domains', domain_id, 'groups', group_id, + self.collection_key, ref['id']], + status_code=204) + + self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id) + + def test_domain_role_revoke_inherited(self): + user_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['OS-INHERIT', 'domains', domain_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.revoke(role=ref['id'], domain=domain_id, + user=user_id, os_inherit_extension_inherited=True) + + def test_project_role_revoke_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['OS-INHERIT', 'projects', project_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.revoke(role=ref['id'], project=project_id, + user=user_id, os_inherit_extension_inherited=True) + + def test_domain_group_role_revoke_inherited(self): + group_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['OS-INHERIT', 'domains', domain_id, 'groups', group_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=200) + + self.manager.revoke(role=ref['id'], domain=domain_id, + group=group_id, + os_inherit_extension_inherited=True) + + def test_project_group_role_revoke_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['OS-INHERIT', 'projects', project_id, 'groups', + group_id, self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.revoke(role=ref['id'], project=project_id, + group=group_id, + os_inherit_extension_inherited=True) + + def test_project_role_grant(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['projects', project_id, 'users', user_id, + self.collection_key, ref['id']], + status_code=201) + + self.manager.grant(role=ref['id'], project=project_id, user=user_id) + + def test_project_group_role_grant(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['projects', project_id, 'groups', group_id, + self.collection_key, ref['id']], + status_code=201) + + self.manager.grant(role=ref['id'], project=project_id, group=group_id) + + def test_project_role_list(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['projects', project_id, 'users', user_id, + self.collection_key], entity=ref_list) + + self.manager.list(project=project_id, user=user_id) + + def test_project_group_role_list(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['projects', project_id, 'groups', group_id, + self.collection_key], entity=ref_list) + + self.manager.list(project=project_id, group=group_id) + + def test_project_role_check(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['projects', project_id, 'users', user_id, + self.collection_key, ref['id']], + status_code=200) + + self.manager.check(role=ref['id'], project=project_id, user=user_id) + + def test_project_group_role_check(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['projects', project_id, 'groups', group_id, + self.collection_key, ref['id']], + status_code=200) + + self.manager.check(role=ref['id'], project=project_id, group=group_id) + + def test_project_role_revoke(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['projects', project_id, 'users', user_id, + self.collection_key, ref['id']], + status_code=204) + + self.manager.revoke(role=ref['id'], project=project_id, user=user_id) + + def test_project_group_role_revoke(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['projects', project_id, 'groups', group_id, + self.collection_key, ref['id']], + status_code=204) + + self.manager.revoke(role=ref['id'], project=project_id, group=group_id) + + def test_domain_project_role_grant_fails(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.assertRaises( + exceptions.ValidationError, + self.manager.grant, + role=ref['id'], + domain=domain_id, + project=project_id, + user=user_id) + + def test_domain_project_role_list_fails(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + + self.assertRaises( + exceptions.ValidationError, + self.manager.list, + domain=domain_id, + project=project_id, + user=user_id) + + def test_domain_project_role_check_fails(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.assertRaises( + exceptions.ValidationError, + self.manager.check, + role=ref['id'], + domain=domain_id, + project=project_id, + user=user_id) + + def test_domain_project_role_revoke_fails(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + domain_id = uuid.uuid4().hex + ref = self.new_ref() + + self.assertRaises( + exceptions.ValidationError, + self.manager.revoke, + role=ref['id'], + domain=domain_id, + project=project_id, + user=user_id) + + def test_user_group_role_grant_fails(self): + user_id = uuid.uuid4().hex + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.assertRaises( + exceptions.ValidationError, + self.manager.grant, + role=ref['id'], + project=project_id, + group=group_id, + user=user_id) + + def test_user_group_role_list_fails(self): + user_id = uuid.uuid4().hex + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + + self.assertRaises( + exceptions.ValidationError, + self.manager.list, + project=project_id, + group=group_id, + user=user_id) + + def test_user_group_role_check_fails(self): + user_id = uuid.uuid4().hex + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.assertRaises( + exceptions.ValidationError, + self.manager.check, + role=ref['id'], + project=project_id, + group=group_id, + user=user_id) + + def test_user_group_role_revoke_fails(self): + user_id = uuid.uuid4().hex + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.assertRaises( + exceptions.ValidationError, + self.manager.revoke, + role=ref['id'], + project=project_id, + group=group_id, + user=user_id) + + +class DeprecatedImpliedRoleTests(utils.ClientTestCase): + def setUp(self): + super(DeprecatedImpliedRoleTests, self).setUp() + self.key = 'role' + self.collection_key = 'roles' + self.model = roles.Role + self.manager = self.client.roles + + def test_implied_create(self): + prior_id = uuid.uuid4().hex + prior_name = uuid.uuid4().hex + implied_id = uuid.uuid4().hex + implied_name = uuid.uuid4().hex + + mock_response = { + "role_inference": { + "implies": { + "id": implied_id, + "links": {"self": "http://host/v3/roles/%s" % implied_id}, + "name": implied_name + }, + "prior_role": { + "id": prior_id, + "links": {"self": "http://host/v3/roles/%s" % prior_id}, + "name": prior_name + } + } + } + + self.stub_url('PUT', + ['roles', prior_id, 'implies', implied_id], + json=mock_response, + status_code=201) + + with self.deprecations.expect_deprecations_here(): + manager_result = self.manager.create_implied(prior_id, implied_id) + self.assertIsInstance(manager_result, roles.InferenceRule) + self.assertEqual(mock_response['role_inference']['implies'], + manager_result.implies) + self.assertEqual(mock_response['role_inference']['prior_role'], + manager_result.prior_role) + + +class ImpliedRoleTests(utils.ClientTestCase, utils.CrudTests): + def setUp(self): + super(ImpliedRoleTests, self).setUp() + self.key = 'role_inference' + self.collection_key = 'role_inferences' + self.model = roles.InferenceRule + self.manager = self.client.inference_rules + + def test_check(self): + prior_role_id = uuid.uuid4().hex + implied_role_id = uuid.uuid4().hex + self.stub_url('HEAD', + ['roles', prior_role_id, 'implies', implied_role_id], + status_code=204) + + result = self.manager.check(prior_role_id, implied_role_id) + self.assertTrue(result) + + def test_get(self): + prior_id = uuid.uuid4().hex + prior_name = uuid.uuid4().hex + implied_id = uuid.uuid4().hex + implied_name = uuid.uuid4().hex + + mock_response = { + "role_inference": { + "implies": { + "id": implied_id, + "links": {"self": "http://host/v3/roles/%s" % implied_id}, + "name": implied_name + }, + "prior_role": { + "id": prior_id, + "links": {"self": "http://host/v3/roles/%s" % prior_id}, + "name": prior_name + } + } + } + + self.stub_url('GET', + ['roles', prior_id, 'implies', implied_id], + json=mock_response, + status_code=200) + + manager_result = self.manager.get(prior_id, implied_id) + self.assertIsInstance(manager_result, roles.InferenceRule) + self.assertEqual(mock_response['role_inference']['implies'], + manager_result.implies) + self.assertEqual(mock_response['role_inference']['prior_role'], + manager_result.prior_role) + + def test_create(self): + prior_id = uuid.uuid4().hex + prior_name = uuid.uuid4().hex + implied_id = uuid.uuid4().hex + implied_name = uuid.uuid4().hex + + mock_response = { + "role_inference": { + "implies": { + "id": implied_id, + "links": {"self": "http://host/v3/roles/%s" % implied_id}, + "name": implied_name + }, + "prior_role": { + "id": prior_id, + "links": {"self": "http://host/v3/roles/%s" % prior_id}, + "name": prior_name + } + } + } + + self.stub_url('PUT', + ['roles', prior_id, 'implies', implied_id], + json=mock_response, + status_code=201) + + manager_result = self.manager.create(prior_id, implied_id) + + self.assertIsInstance(manager_result, roles.InferenceRule) + self.assertEqual(mock_response['role_inference']['implies'], + manager_result.implies) + self.assertEqual(mock_response['role_inference']['prior_role'], + manager_result.prior_role) + + def test_delete(self): + prior_role_id = uuid.uuid4().hex + implied_role_id = uuid.uuid4().hex + self.stub_url('DELETE', + ['roles', prior_role_id, 'implies', implied_role_id], + status_code=204) + + status, body = self.manager.delete(prior_role_id, implied_role_id) + self.assertEqual(204, status.status_code) + self.assertIsNone(body) + + def test_list_role_inferences(self): + prior_id = uuid.uuid4().hex + prior_name = uuid.uuid4().hex + implied_id = uuid.uuid4().hex + implied_name = uuid.uuid4().hex + + mock_response = { + "role_inferences": [{ + "implies": [{ + "id": implied_id, + "links": {"self": "http://host/v3/roles/%s" % implied_id}, + "name": implied_name + }], + "prior_role": { + "id": prior_id, + "links": {"self": "http://host/v3/roles/%s" % prior_id}, + "name": prior_name + } + }] + } + + self.stub_url('GET', + ['role_inferences'], + json=mock_response, + status_code=200) + manager_result = self.manager.list_inference_roles() + self.assertEqual(1, len(manager_result)) + self.assertIsInstance(manager_result[0], roles.InferenceRule) + self.assertEqual(mock_response['role_inferences'][0]['implies'], + manager_result[0].implies) + self.assertEqual(mock_response['role_inferences'][0]['prior_role'], + manager_result[0].prior_role) + + def test_list(self): + prior_id = uuid.uuid4().hex + prior_name = uuid.uuid4().hex + implied_id = uuid.uuid4().hex + implied_name = uuid.uuid4().hex + + mock_response = { + "role_inference": { + "implies": [{ + "id": implied_id, + "links": {"self": "http://host/v3/roles/%s" % implied_id}, + "name": implied_name + }], + "prior_role": { + "id": prior_id, + "links": {"self": "http://host/v3/roles/%s" % prior_id}, + "name": prior_name + } + }, + "links": {"self": "http://host/v3/roles/%s/implies" % prior_id} + } + + self.stub_url('GET', + ['roles', prior_id, 'implies'], + json=mock_response, + status_code=200) + + manager_result = self.manager.list(prior_id) + self.assertIsInstance(manager_result, roles.InferenceRule) + self.assertEqual(1, len(manager_result.implies)) + self.assertEqual(mock_response['role_inference']['implies'], + manager_result.implies) + self.assertEqual(mock_response['role_inference']['prior_role'], + manager_result.prior_role) + + def test_update(self): + # Update not supported for rule inferences + self.assertRaises(exceptions.MethodNotImplemented, self.manager.update) + + def test_find(self): + # Find not supported for rule inferences + self.assertRaises(exceptions.MethodNotImplemented, self.manager.find) + + def test_put(self): + # Put not supported for rule inferences + self.assertRaises(exceptions.MethodNotImplemented, self.manager.put) + + def test_list_params(self): + # Put not supported for rule inferences + self.skipTest("list params not supported by rule inferences") diff --git a/keystoneclient/tests/v3/test_service_catalog.py b/keystoneclient/tests/unit/v3/test_service_catalog.py similarity index 76% rename from keystoneclient/tests/v3/test_service_catalog.py rename to keystoneclient/tests/unit/v3/test_service_catalog.py index 7a96c3a25..bdd92cebd 100644 --- a/keystoneclient/tests/v3/test_service_catalog.py +++ b/keystoneclient/tests/unit/v3/test_service_catalog.py @@ -10,19 +10,22 @@ # License for the specific language governing permissions and limitations # under the License. +from keystoneauth1 import fixture + from keystoneclient import access from keystoneclient import exceptions -from keystoneclient.tests.v3 import client_fixtures -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit import utils as test_utils +from keystoneclient.tests.unit.v3 import client_fixtures +from keystoneclient.tests.unit.v3 import utils class ServiceCatalogTest(utils.TestCase): def setUp(self): super(ServiceCatalogTest, self).setUp() self.AUTH_RESPONSE_BODY = client_fixtures.auth_response_body() - self.RESPONSE = utils.TestResponse({ - "headers": client_fixtures.AUTH_RESPONSE_HEADERS - }) + self.RESPONSE = test_utils.test_response( + headers=client_fixtures.AUTH_RESPONSE_HEADERS + ) self.north_endpoints = {'public': 'http://glance.north.host/glanceapi/public', @@ -65,16 +68,20 @@ def test_service_catalog_endpoints(self): def test_service_catalog_regions(self): self.AUTH_RESPONSE_BODY['token']['region_name'] = "North" - auth_ref = access.AccessInfo.factory(self.RESPONSE, - self.AUTH_RESPONSE_BODY) + # Setting region_name on the catalog is deprecated. + with self.deprecations.expect_deprecations_here(): + auth_ref = access.AccessInfo.factory(self.RESPONSE, + self.AUTH_RESPONSE_BODY) sc = auth_ref.service_catalog url = sc.url_for(service_type='image', endpoint_type='public') self.assertEqual(url, "http://glance.north.host/glanceapi/public") self.AUTH_RESPONSE_BODY['token']['region_name'] = "South" - auth_ref = access.AccessInfo.factory(self.RESPONSE, - self.AUTH_RESPONSE_BODY) + # Setting region_name on the catalog is deprecated. + with self.deprecations.expect_deprecations_here(): + auth_ref = access.AccessInfo.factory(self.RESPONSE, + self.AUTH_RESPONSE_BODY) sc = auth_ref.service_catalog url = sc.url_for(service_type='image', endpoint_type='internal') self.assertEqual(url, "http://glance.south.host/glanceapi/internal") @@ -148,7 +155,9 @@ def test_servcie_catalog_get_url_region_names(self): def test_service_catalog_param_overrides_body_region(self): self.AUTH_RESPONSE_BODY['token']['region_name'] = "North" - auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) + # Passing region_name to service catalog is deprecated. + with self.deprecations.expect_deprecations_here(): + auth_ref = access.AccessInfo.factory(None, self.AUTH_RESPONSE_BODY) sc = auth_ref.service_catalog url = sc.url_for(service_type='image') @@ -216,3 +225,55 @@ def test_service_catalog_without_name(self): self.assertRaises(exceptions.EndpointNotFound, ab_sc.url_for, service_type='compute', service_name='NotExist', endpoint_type='public') + + +class ServiceCatalogV3Test(ServiceCatalogTest): + + def test_building_a_service_catalog(self): + auth_ref = access.AccessInfo.factory(self.RESPONSE, + self.AUTH_RESPONSE_BODY) + sc = auth_ref.service_catalog + + self.assertEqual(sc.url_for(service_type='compute'), + 'https://compute.north.host/novapi/public') + self.assertEqual(sc.url_for(service_type='compute', + endpoint_type='internal'), + 'https://compute.north.host/novapi/internal') + + self.assertRaises(exceptions.EndpointNotFound, sc.url_for, 'region_id', + 'South', service_type='compute') + + def test_service_catalog_endpoints(self): + auth_ref = access.AccessInfo.factory(self.RESPONSE, + self.AUTH_RESPONSE_BODY) + sc = auth_ref.service_catalog + + public_ep = sc.get_endpoints(service_type='compute', + endpoint_type='public') + self.assertEqual(public_ep['compute'][0]['region_id'], 'North') + self.assertEqual(public_ep['compute'][0]['url'], + 'https://compute.north.host/novapi/public') + + def test_service_catalog_multiple_service_types(self): + token = fixture.V3Token() + token.set_project_scope() + + for i in range(3): + s = token.add_service('compute') + s.add_standard_endpoints(public='public-%d' % i, + admin='admin-%d' % i, + internal='internal-%d' % i, + region='region-%d' % i) + + auth_ref = access.AccessInfo.factory(resp=None, body=token) + + urls = auth_ref.service_catalog.get_urls(service_type='compute', + endpoint_type='public') + + self.assertEqual(set(['public-0', 'public-1', 'public-2']), set(urls)) + + urls = auth_ref.service_catalog.get_urls(service_type='compute', + endpoint_type='public', + region_name='region-1') + + self.assertEqual(('public-1', ), urls) diff --git a/keystoneclient/tests/v3/test_services.py b/keystoneclient/tests/unit/v3/test_services.py similarity index 63% rename from keystoneclient/tests/v3/test_services.py rename to keystoneclient/tests/unit/v3/test_services.py index d271afe08..9bda5dbb5 100644 --- a/keystoneclient/tests/v3/test_services.py +++ b/keystoneclient/tests/unit/v3/test_services.py @@ -12,11 +12,11 @@ import uuid -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import services -class ServiceTests(utils.TestCase, utils.CrudTests): +class ServiceTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(ServiceTests, self).setUp() self.key = 'service' @@ -30,3 +30,15 @@ def new_ref(self, **kwargs): kwargs.setdefault('type', uuid.uuid4().hex) kwargs.setdefault('enabled', True) return kwargs + + def test_list_filter_name(self): + filter_name = uuid.uuid4().hex + expected_query = {'name': filter_name} + super(ServiceTests, self).test_list(expected_query=expected_query, + name=filter_name) + + def test_list_filter_type(self): + filter_type = uuid.uuid4().hex + expected_query = {'type': filter_type} + super(ServiceTests, self).test_list(expected_query=expected_query, + type=filter_type) diff --git a/keystoneclient/tests/unit/v3/test_simple_cert.py b/keystoneclient/tests/unit/v3/test_simple_cert.py new file mode 100644 index 000000000..a059f08d7 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_simple_cert.py @@ -0,0 +1,73 @@ +# Copyright 2014 IBM Corp. +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import fixtures +import testresources + +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit.v3 import utils +from keystoneclient.v3.contrib import simple_cert + + +class SimpleCertTests(utils.ClientTestCase, testresources.ResourcedTestCase): + + resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] + + def test_get_ca_certificate(self): + self.stub_url('GET', ['OS-SIMPLE-CERT', 'ca'], + headers={'Content-Type': 'application/x-pem-file'}, + text=self.examples.SIGNING_CA) + res = self.client.simple_cert.get_ca_certificates() + self.assertEqual(self.examples.SIGNING_CA, res) + + def test_get_certificates(self): + self.stub_url('GET', ['OS-SIMPLE-CERT', 'certificates'], + headers={'Content-Type': 'application/x-pem-file'}, + text=self.examples.SIGNING_CERT) + res = self.client.simple_cert.get_certificates() + self.assertEqual(self.examples.SIGNING_CERT, res) + + +class SimpleCertRequestIdTests(utils.TestRequestId): + + def setUp(self): + super(SimpleCertRequestIdTests, self).setUp() + self.mgr = simple_cert.SimpleCertManager(self.client) + + def _mock_request_method(self, method=None, body=None): + return self.useFixture(fixtures.MockPatchObject( + self.client, method, autospec=True, + return_value=(self.resp, body)) + ).mock + + def test_list_ca_certificates(self): + body = {"certificates": [{"name": "admin"}, {"name": "admin2"}]} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get_ca_certificates() + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + '/OS-SIMPLE-CERT/ca', authenticated=False) + + def test_list_certificates(self): + body = {"certificates": [{"name": "admin"}, {"name": "admin2"}]} + get_mock = self._mock_request_method(method='get', body=body) + + response = self.mgr.get_certificates() + self.assertEqual(response.request_ids[0], self.TEST_REQUEST_ID) + get_mock.assert_called_once_with( + '/OS-SIMPLE-CERT/certificates', authenticated=False) + + +def load_tests(loader, tests, pattern): + return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/unit/v3/test_tokens.py b/keystoneclient/tests/unit/v3/test_tokens.py new file mode 100644 index 000000000..1a8fd6831 --- /dev/null +++ b/keystoneclient/tests/unit/v3/test_tokens.py @@ -0,0 +1,158 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from keystoneauth1 import exceptions +import testresources + +from keystoneclient import access +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit.v3 import utils + + +class TokenTests(utils.ClientTestCase, testresources.ResourcedTestCase): + + resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)] + + def test_revoke_token_with_token_id(self): + token_id = uuid.uuid4().hex + self.stub_url('DELETE', ['/auth/tokens'], status_code=204) + self.client.tokens.revoke_token(token_id) + self.assertRequestHeaderEqual('X-Subject-Token', token_id) + + def test_revoke_token_with_access_info_instance(self): + token_id = uuid.uuid4().hex + token_ref = self.examples.TOKEN_RESPONSES[ + self.examples.v3_UUID_TOKEN_DEFAULT] + token = access.AccessInfoV3(token_id, token_ref['token']) + self.stub_url('DELETE', ['/auth/tokens'], status_code=204) + self.client.tokens.revoke_token(token) + self.assertRequestHeaderEqual('X-Subject-Token', token_id) + + def test_get_revoked(self): + sample_revoked_response = {'signed': '-----BEGIN CMS-----\nMIIB...'} + self.stub_url('GET', ['auth', 'tokens', 'OS-PKI', 'revoked'], + json=sample_revoked_response) + resp = self.client.tokens.get_revoked() + self.assertQueryStringIs() + self.assertEqual(sample_revoked_response, resp) + + def test_get_revoked_audit_id_only(self): + # When get_revoked(audit_id_only=True) then ?audit_id_only is set on + # the request. + sample_revoked_response = { + 'revoked': [ + { + 'audit_id': uuid.uuid4().hex, + 'expires': '2016-01-21T15:53:52Z', + }, + ], + } + self.stub_url('GET', ['auth', 'tokens', 'OS-PKI', 'revoked'], + json=sample_revoked_response) + resp = self.client.tokens.get_revoked(audit_id_only=True) + self.assertQueryStringIs('audit_id_only') + self.assertEqual(sample_revoked_response, resp) + + def test_validate_token_with_token_id(self): + # Can validate a token passing a string token ID. + token_id = uuid.uuid4().hex + token_ref = self.examples.TOKEN_RESPONSES[ + self.examples.v3_UUID_TOKEN_DEFAULT] + self.stub_url('GET', ['auth', 'tokens'], + headers={'X-Subject-Token': token_id, }, json=token_ref) + + token_data = self.client.tokens.get_token_data(token_id) + self.assertEqual(token_data, token_ref) + + access_info = self.client.tokens.validate(token_id) + + self.assertRequestHeaderEqual('X-Subject-Token', token_id) + self.assertIsInstance(access_info, access.AccessInfoV3) + self.assertEqual(token_id, access_info.auth_token) + + def test_validate_token_with_access_info(self): + # Can validate a token passing an access info. + token_id = uuid.uuid4().hex + token_ref = self.examples.TOKEN_RESPONSES[ + self.examples.v3_UUID_TOKEN_DEFAULT] + token = access.AccessInfoV3(token_id, token_ref['token']) + self.stub_url('GET', ['auth', 'tokens'], + headers={'X-Subject-Token': token_id, }, json=token_ref) + access_info = self.client.tokens.validate(token) + + self.assertRequestHeaderEqual('X-Subject-Token', token_id) + self.assertIsInstance(access_info, access.AccessInfoV3) + self.assertEqual(token_id, access_info.auth_token) + + def test_validate_token_invalid(self): + # When the token is invalid the server typically returns a 404. + token_id = uuid.uuid4().hex + self.stub_url('GET', ['auth', 'tokens'], status_code=404) + + self.assertRaises(exceptions.NotFound, + self.client.tokens.get_token_data, token_id) + self.assertRaises(exceptions.NotFound, + self.client.tokens.validate, token_id) + + def test_validate_token_catalog(self): + # Can validate a token and a catalog is requested by default. + token_id = uuid.uuid4().hex + token_ref = self.examples.TOKEN_RESPONSES[ + self.examples.v3_UUID_TOKEN_DEFAULT] + self.stub_url('GET', ['auth', 'tokens'], + headers={'X-Subject-Token': token_id, }, json=token_ref) + + token_data = self.client.tokens.get_token_data(token_id) + self.assertQueryStringIs() + self.assertIn('catalog', token_data['token']) + + access_info = self.client.tokens.validate(token_id) + + self.assertQueryStringIs() + self.assertTrue(access_info.has_service_catalog()) + + def test_validate_token_nocatalog(self): + # Can validate a token and request no catalog. + token_id = uuid.uuid4().hex + token_ref = self.examples.TOKEN_RESPONSES[ + self.examples.v3_UUID_TOKEN_UNSCOPED] + self.stub_url('GET', ['auth', 'tokens'], + headers={'X-Subject-Token': token_id, }, json=token_ref) + + token_data = self.client.tokens.get_token_data(token_id) + self.assertQueryStringIs() + self.assertNotIn('catalog', token_data['token']) + + access_info = self.client.tokens.validate(token_id, + include_catalog=False) + + self.assertQueryStringIs('nocatalog') + self.assertFalse(access_info.has_service_catalog()) + + def test_validate_token_allow_expired(self): + token_id = uuid.uuid4().hex + token_ref = self.examples.TOKEN_RESPONSES[ + self.examples.v3_UUID_TOKEN_UNSCOPED] + self.stub_url('GET', ['auth', 'tokens'], + headers={'X-Subject-Token': token_id, }, json=token_ref) + + self.client.tokens.validate(token_id) + self.assertQueryStringIs() + + self.client.tokens.validate(token_id, allow_expired=True) + self.assertQueryStringIs('allow_expired=1') + + +def load_tests(loader, tests, pattern): + return testresources.OptimisingTestSuite(tests) diff --git a/keystoneclient/tests/v3/test_trusts.py b/keystoneclient/tests/unit/v3/test_trusts.py similarity index 81% rename from keystoneclient/tests/v3/test_trusts.py rename to keystoneclient/tests/unit/v3/test_trusts.py index 15e934888..1c74ac9b9 100644 --- a/keystoneclient/tests/v3/test_trusts.py +++ b/keystoneclient/tests/unit/v3/test_trusts.py @@ -13,13 +13,14 @@ import uuid +from oslo_utils import timeutils + from keystoneclient import exceptions -from keystoneclient.openstack.common import timeutils -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3.contrib import trusts -class TrustTests(utils.TestCase, utils.CrudTests): +class TrustTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(TrustTests, self).setUp() self.key = 'trust' @@ -54,6 +55,7 @@ def test_create_roles(self): ref['trustee_user_id'] = uuid.uuid4().hex ref['impersonation'] = False req_ref = ref.copy() + req_ref.pop('id') # Note the TrustManager takes a list of role_names, and converts # internally to the slightly odd list-of-dict API format, so we @@ -62,6 +64,22 @@ def test_create_roles(self): req_ref['roles'] = [{'name': 'atestrole'}] super(TrustTests, self).test_create(ref=ref, req_ref=req_ref) + def test_create_role_id_and_names(self): + ref = self.new_ref() + ref['trustor_user_id'] = uuid.uuid4().hex + ref['trustee_user_id'] = uuid.uuid4().hex + ref['impersonation'] = False + req_ref = ref.copy() + req_ref.pop('id') + + # Note the TrustManager takes a list of role_names, and converts + # internally to the slightly odd list-of-dict API format, so we + # have to pass the expected request data to allow correct stubbing + ref['role_names'] = ['atestrole'] + ref['role_ids'] = [uuid.uuid4().hex] + req_ref['roles'] = [{'name': 'atestrole'}, {'id': ref['role_ids'][0]}] + super(TrustTests, self).test_create(ref=ref, req_ref=req_ref) + def test_create_expires(self): ref = self.new_ref() ref['trustor_user_id'] = uuid.uuid4().hex @@ -70,6 +88,7 @@ def test_create_expires(self): ref['expires_at'] = timeutils.parse_isotime( '2013-03-04T12:00:01.000000Z') req_ref = ref.copy() + req_ref.pop('id') # Note the TrustManager takes a datetime.datetime object for # expires_at, and converts it internally into an iso format datestamp @@ -89,6 +108,7 @@ def test_create_roles_imp(self): ref['trustee_user_id'] = uuid.uuid4().hex ref['impersonation'] = True req_ref = ref.copy() + req_ref.pop('id') ref['role_names'] = ['atestrole'] req_ref['roles'] = [{'name': 'atestrole'}] super(TrustTests, self).test_create(ref=ref, req_ref=req_ref) diff --git a/keystoneclient/tests/v3/test_users.py b/keystoneclient/tests/unit/v3/test_users.py similarity index 84% rename from keystoneclient/tests/v3/test_users.py rename to keystoneclient/tests/unit/v3/test_users.py index f11bef2be..a7f03f9ce 100644 --- a/keystoneclient/tests/v3/test_users.py +++ b/keystoneclient/tests/unit/v3/test_users.py @@ -12,14 +12,15 @@ # License for the specific language governing permissions and limitations # under the License. +from unittest import mock import uuid from keystoneclient import exceptions -from keystoneclient.tests.v3 import utils +from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import users -class UserTests(utils.TestCase, utils.CrudTests): +class UserTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(UserTests, self).setUp() self.key = 'user' @@ -111,6 +112,7 @@ def test_create_doesnt_log_password(self): def test_create_with_project(self): # Can create a user with the deprecated project option rather than # default_project_id. + self.deprecations.expect_deprecations() ref = self.new_ref() self.stub_entity('POST', [self.collection_key], @@ -135,6 +137,8 @@ def test_create_with_project(self): def test_create_with_project_and_default_project(self): # Can create a user with the deprecated project and default_project_id. # The backend call should only pass the default_project_id. + self.deprecations.expect_deprecations() + ref = self.new_ref() self.stub_entity('POST', @@ -180,6 +184,8 @@ def test_update_doesnt_log_password(self): def test_update_with_project(self): # Can update a user with the deprecated project option rather than # default_project_id. + self.deprecations.expect_deprecations() + ref = self.new_ref() req_ref = ref.copy() req_ref.pop('id') @@ -203,6 +209,8 @@ def test_update_with_project(self): self.assertEntityRequestBodyIs(req_ref) def test_update_with_project_and_default_project(self, ref=None): + self.deprecations.expect_deprecations() + ref = self.new_ref() req_ref = ref.copy() req_ref.pop('id') @@ -230,8 +238,8 @@ def test_update_password(self): new_password = uuid.uuid4().hex self.stub_url('POST', - [self.collection_key, self.TEST_USER, 'password']) - self.client.user_id = self.TEST_USER + [self.collection_key, self.TEST_USER_ID, 'password']) + self.client.user_id = self.TEST_USER_ID self.manager.update_password(old_password, new_password) exp_req_body = { @@ -240,12 +248,34 @@ def test_update_password(self): } } - self.assertEqual(self.TEST_URL + '/users/test/password', - self.requests.last_request.url) + self.assertEqual( + '%s/users/%s/password' % (self.TEST_URL, self.TEST_USER_ID), + self.requests_mock.last_request.url) self.assertRequestBodyIs(json=exp_req_body) self.assertNotIn(old_password, self.logger.output) self.assertNotIn(new_password, self.logger.output) + def test_update_password_with_no_hardcoded_endpoint_filter(self): + # test to ensure the 'endpoint_filter' parameter is not being + # passed from the manager. Endpoint filtering should be done at + # the Session, not the individual managers. + old_password = uuid.uuid4().hex + new_password = uuid.uuid4().hex + expected_params = {'user': {'password': new_password, + 'original_password': old_password}} + user_password_update_path = '/users/%s/password' % self.TEST_USER_ID + + self.client.user_id = self.TEST_USER_ID + # NOTE(gyee): user manager subclass keystoneclient.base.Manager + # and utilize the _update() method in the base class to interface + # with the client session to perform the update. In the case, we + # just need to make sure the 'endpoint_filter' parameter is not + # there. + with mock.patch('keystoneclient.base.Manager._update') as m: + self.manager.update_password(old_password, new_password) + m.assert_called_with(user_password_update_path, expected_params, + method='POST', log=False) + def test_update_password_with_bad_inputs(self): old_password = uuid.uuid4().hex new_password = uuid.uuid4().hex diff --git a/keystoneclient/tests/v3/utils.py b/keystoneclient/tests/unit/v3/utils.py similarity index 71% rename from keystoneclient/tests/v3/utils.py rename to keystoneclient/tests/unit/v3/utils.py index 092940396..cb3839a9c 100644 --- a/keystoneclient/tests/v3/utils.py +++ b/keystoneclient/tests/unit/v3/utils.py @@ -10,20 +10,20 @@ # License for the specific language governing permissions and limitations # under the License. +import requests import uuid -import six -from six.moves.urllib import parse as urlparse +from urllib import parse as urlparse -from keystoneclient.tests import utils +from keystoneauth1.identity import v3 +from keystoneauth1 import session +from keystoneclient.tests.unit import client_fixtures +from keystoneclient.tests.unit import utils from keystoneclient.v3 import client -TestResponse = utils.TestResponse - - def parameterize(ref): - """Rewrites attributes to match the kwarg naming convention in client. + """Rewrite attributes to match the kwarg naming convention in client. >>> parameterize({'project_id': 0}) {'project': 0} @@ -48,6 +48,7 @@ class UnauthenticatedTestCase(utils.TestCase): class TestCase(UnauthenticatedTestCase): TEST_ADMIN_IDENTITY_ENDPOINT = "http://127.0.0.1:35357/v3" + TEST_PUBLIC_IDENTITY_ENDPOINT = "http://127.0.0.1:5000/v3" TEST_SERVICE_CATALOG = [{ "endpoints": [{ @@ -127,15 +128,8 @@ class TestCase(UnauthenticatedTestCase): "type": "object-store" }] - def setUp(self): - super(TestCase, self).setUp() - self.client = client.Client(username=self.TEST_USER, - token=self.TEST_TOKEN, - tenant_name=self.TEST_TENANT_NAME, - auth_url=self.TEST_URL, - endpoint=self.TEST_URL) - def stub_auth(self, subject_token=None, **kwargs): + if not subject_token: subject_token = self.TEST_TOKEN @@ -152,6 +146,44 @@ def stub_auth(self, subject_token=None, **kwargs): self.stub_url('POST', ['auth', 'tokens'], **kwargs) +class ClientTestCase(utils.ClientTestCaseMixin, TestCase): + + ORIGINAL_CLIENT_TYPE = 'original' + KSC_SESSION_CLIENT_TYPE = 'ksc-session' + KSA_SESSION_CLIENT_TYPE = 'ksa-session' + + scenarios = [ + ( + ORIGINAL_CLIENT_TYPE, { + 'client_fixture_class': client_fixtures.OriginalV3, + 'client_type': ORIGINAL_CLIENT_TYPE + } + ), + ( + KSC_SESSION_CLIENT_TYPE, { + 'client_fixture_class': client_fixtures.KscSessionV3, + 'client_type': KSC_SESSION_CLIENT_TYPE + } + ), + ( + KSA_SESSION_CLIENT_TYPE, { + 'client_fixture_class': client_fixtures.KsaSessionV3, + 'client_type': KSA_SESSION_CLIENT_TYPE + } + ) + + ] + + @property + def is_original_client(self): + return self.client_type == self.ORIGINAL_CLIENT_TYPE + + @property + def is_session_client(self): + return self.client_type in (self.KSC_SESSION_CLIENT_TYPE, + self.KSA_SESSION_CLIENT_TYPE) + + class CrudTests(object): key = None collection_key = None @@ -194,6 +226,8 @@ def assertEntityRequestBodyIs(self, entity): self.assertRequestBodyIs(json=self.encode(entity)) def test_create(self, ref=None, req_ref=None): + deprecations = self.useFixture(client_fixtures.Deprecations()) + deprecations.expect_deprecations() ref = ref or self.new_ref() manager_ref = ref.copy() manager_ref.pop('id') @@ -202,8 +236,11 @@ def test_create(self, ref=None, req_ref=None): # signature for the request when the manager does some # conversion before doing the request (e.g. converting # from datetime object to timestamp string) - req_ref = (req_ref or ref).copy() - req_ref.pop('id') + if req_ref: + req_ref = req_ref.copy() + else: + req_ref = ref.copy() + req_ref.pop('id') self.stub_entity('POST', entity=req_ref, status_code=201) @@ -216,6 +253,9 @@ def test_create(self, ref=None, req_ref=None): 'Expected different %s' % attr) self.assertEntityRequestBodyIs(req_ref) + # The entity created here may be used in other test cases + return returned + def test_get(self, ref=None): ref = ref or self.new_ref() @@ -239,32 +279,41 @@ def _get_expected_path(self, expected_path=None): return expected_path + def test_list_by_id(self, ref=None, **filter_kwargs): + """Test ``entities.list(id=x)`` being rewritten as ``GET /v3/entities/x``. # noqa + + This tests an edge case of each manager's list() implementation, to + ensure that it "does the right thing" when users call ``.list()`` + when they should have used ``.get()``. + + """ + if 'id' not in filter_kwargs: + ref = ref or self.new_ref() + filter_kwargs['id'] = ref['id'] + + self.assertRaises(TypeError, self.manager.list, **filter_kwargs) + def test_list(self, ref_list=None, expected_path=None, expected_query=None, **filter_kwargs): ref_list = ref_list or [self.new_ref(), self.new_ref()] expected_path = self._get_expected_path(expected_path) - self.requests.register_uri('GET', - urlparse.urljoin(self.TEST_URL, - expected_path), - json=self.encode(ref_list)) + self.requests_mock.get(urlparse.urljoin(self.TEST_URL, expected_path), + json=self.encode(ref_list)) returned_list = self.manager.list(**filter_kwargs) self.assertEqual(len(ref_list), len(returned_list)) [self.assertIsInstance(r, self.model) for r in returned_list] - # register_uri doesn't match the querystring component, so we have to - # explicitly test the querystring component passed by the manager - parts = urlparse.urlparse(self.requests.last_request.url) - qs_args = urlparse.parse_qs(parts.query) + qs_args = self.requests_mock.last_request.qs qs_args_expected = expected_query or filter_kwargs - for key, value in six.iteritems(qs_args_expected): + for key, value in qs_args_expected.items(): self.assertIn(key, qs_args) - # The httppretty.querystring value is a list - # Note we convert the value to a string, as the query string - # is always a string and the filter_kwargs may contain non-string - # values, for example a boolean, causing the comaprison to fail. - self.assertIn(str(value), qs_args[key]) + # The querystring value is a list. Note we convert the value to a + # string and lower, as the query string is always a string and the + # filter_kwargs may contain non-string values, for example a + # boolean, causing the comaprison to fail. + self.assertIn(str(value).lower(), qs_args[key]) # Also check that no query string args exist which are not expected for key in qs_args: @@ -275,10 +324,8 @@ def test_list_params(self): filter_kwargs = {uuid.uuid4().hex: uuid.uuid4().hex} expected_path = self._get_expected_path() - self.requests.register_uri('GET', - urlparse.urljoin(self.TEST_URL, - expected_path), - json=self.encode(ref_list)) + self.requests_mock.get(urlparse.urljoin(self.TEST_URL, expected_path), + json=self.encode(ref_list)) self.manager.list(**filter_kwargs) self.assertQueryStringContains(**filter_kwargs) @@ -303,6 +350,8 @@ def test_find(self, ref=None): self.assertQueryStringIs('') def test_update(self, ref=None, req_ref=None): + deprecations = self.useFixture(client_fixtures.Deprecations()) + deprecations.expect_deprecations() ref = ref or self.new_ref() self.stub_entity('PATCH', id=ref['id'], entity=ref) @@ -311,8 +360,11 @@ def test_update(self, ref=None, req_ref=None): # signature for the request when the manager does some # conversion before doing the request (e.g. converting # from datetime object to timestamp string) - req_ref = (req_ref or ref).copy() - req_ref.pop('id') + if req_ref: + req_ref = req_ref.copy() + else: + req_ref = ref.copy() + req_ref.pop('id') returned = self.manager.update(ref['id'], **parameterize(req_ref)) self.assertIsInstance(returned, self.model) @@ -328,3 +380,17 @@ def test_delete(self, ref=None): self.stub_entity('DELETE', id=ref['id'], status_code=204) self.manager.delete(ref['id']) + + +class TestRequestId(TestCase): + resp = requests.Response() + TEST_REQUEST_ID = uuid.uuid4().hex + resp.headers['x-openstack-request-id'] = TEST_REQUEST_ID + + def setUp(self): + super(TestRequestId, self).setUp() + auth = v3.Token(auth_url='http://127.0.0.1:5000', + token=self.TEST_TOKEN) + session_ = session.Session(auth=auth) + self.client = client.Client(session=session_, + include_metadata='True')._adapter diff --git a/keystoneclient/tests/v2_0/test_client.py b/keystoneclient/tests/v2_0/test_client.py deleted file mode 100644 index 61d2cd2e2..000000000 --- a/keystoneclient/tests/v2_0/test_client.py +++ /dev/null @@ -1,153 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import json - -from keystoneclient import exceptions -from keystoneclient import fixture -from keystoneclient.tests.v2_0 import client_fixtures -from keystoneclient.tests.v2_0 import utils -from keystoneclient.v2_0 import client - - -class KeystoneClientTest(utils.TestCase): - - def test_unscoped_init(self): - self.stub_auth(json=client_fixtures.unscoped_token()) - - c = client.Client(username='exampleuser', - password='password', - auth_url=self.TEST_URL) - self.assertIsNotNone(c.auth_ref) - self.assertFalse(c.auth_ref.scoped) - self.assertFalse(c.auth_ref.domain_scoped) - self.assertFalse(c.auth_ref.project_scoped) - self.assertIsNone(c.auth_ref.trust_id) - self.assertFalse(c.auth_ref.trust_scoped) - - def test_scoped_init(self): - self.stub_auth(json=client_fixtures.project_scoped_token()) - - c = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL) - self.assertIsNotNone(c.auth_ref) - self.assertTrue(c.auth_ref.scoped) - self.assertTrue(c.auth_ref.project_scoped) - self.assertFalse(c.auth_ref.domain_scoped) - self.assertIsNone(c.auth_ref.trust_id) - self.assertFalse(c.auth_ref.trust_scoped) - - def test_auth_ref_load(self): - self.stub_auth(json=client_fixtures.project_scoped_token()) - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL) - cache = json.dumps(cl.auth_ref) - new_client = client.Client(auth_ref=json.loads(cache)) - self.assertIsNotNone(new_client.auth_ref) - self.assertTrue(new_client.auth_ref.scoped) - self.assertTrue(new_client.auth_ref.project_scoped) - self.assertFalse(new_client.auth_ref.domain_scoped) - self.assertIsNone(new_client.auth_ref.trust_id) - self.assertFalse(new_client.auth_ref.trust_scoped) - self.assertEqual(new_client.username, 'exampleuser') - self.assertIsNone(new_client.password) - self.assertEqual(new_client.management_url, - 'http://admin:35357/v2.0') - - def test_auth_ref_load_with_overridden_arguments(self): - self.stub_auth(json=client_fixtures.project_scoped_token()) - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL) - cache = json.dumps(cl.auth_ref) - new_auth_url = "http://new-public:5000/v2.0" - new_client = client.Client(auth_ref=json.loads(cache), - auth_url=new_auth_url) - self.assertIsNotNone(new_client.auth_ref) - self.assertTrue(new_client.auth_ref.scoped) - self.assertTrue(new_client.auth_ref.scoped) - self.assertTrue(new_client.auth_ref.project_scoped) - self.assertFalse(new_client.auth_ref.domain_scoped) - self.assertIsNone(new_client.auth_ref.trust_id) - self.assertFalse(new_client.auth_ref.trust_scoped) - self.assertEqual(new_client.auth_url, new_auth_url) - self.assertEqual(new_client.username, 'exampleuser') - self.assertIsNone(new_client.password) - self.assertEqual(new_client.management_url, - 'http://admin:35357/v2.0') - - def test_init_err_no_auth_url(self): - self.assertRaises(exceptions.AuthorizationFailure, - client.Client, - username='exampleuser', - password='password') - - def test_management_url_is_updated(self): - first = fixture.V2Token() - first.set_scope() - admin_url = 'http://admin:35357/v2.0' - second_url = 'http://secondurl:35357/v2.0' - - s = first.add_service('identity') - s.add_endpoint(public='http://public.com:5000/v2.0', - admin=admin_url) - - second = fixture.V2Token() - second.set_scope() - s = second.add_service('identity') - s.add_endpoint(public='http://secondurl:5000/v2.0', - admin=second_url) - - self.stub_auth(response_list=[{'json': first}, {'json': second}]) - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL) - self.assertEqual(cl.management_url, admin_url) - - cl.authenticate() - self.assertEqual(cl.management_url, second_url) - - def test_client_with_region_name_passes_to_service_catalog(self): - # NOTE(jamielennox): this is deprecated behaviour that should be - # removed ASAP, however must remain compatible. - self.stub_auth(json=client_fixtures.auth_response_body()) - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL, - region_name='North') - self.assertEqual(cl.service_catalog.url_for(service_type='image'), - 'https://image.north.host/v1/') - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL, - region_name='South') - self.assertEqual(cl.service_catalog.url_for(service_type='image'), - 'https://image.south.host/v1/') - - def test_client_without_auth_params(self): - self.assertRaises(exceptions.AuthorizationFailure, - client.Client, - tenant_name='exampleproject', - auth_url=self.TEST_URL) diff --git a/keystoneclient/tests/v2_0/test_shell.py b/keystoneclient/tests/v2_0/test_shell.py deleted file mode 100644 index 5f80fc1da..000000000 --- a/keystoneclient/tests/v2_0/test_shell.py +++ /dev/null @@ -1,452 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -import sys - -import mock -import six -from testtools import matchers - -from keystoneclient import fixture -from keystoneclient.tests.v2_0 import utils - - -DEFAULT_USERNAME = 'username' -DEFAULT_PASSWORD = 'password' -DEFAULT_TENANT_ID = 'tenant_id' -DEFAULT_TENANT_NAME = 'tenant_name' -DEFAULT_AUTH_URL = 'http://127.0.0.1:5000/v2.0/' -DEFAULT_ADMIN_URL = 'http://127.0.0.1:35357/v2.0/' - - -class ShellTests(utils.TestCase): - - TEST_URL = DEFAULT_ADMIN_URL - - def setUp(self): - """Patch os.environ to avoid required auth info.""" - - super(ShellTests, self).setUp() - - self.old_environment = os.environ.copy() - os.environ = { - 'OS_USERNAME': DEFAULT_USERNAME, - 'OS_PASSWORD': DEFAULT_PASSWORD, - 'OS_TENANT_ID': DEFAULT_TENANT_ID, - 'OS_TENANT_NAME': DEFAULT_TENANT_NAME, - 'OS_AUTH_URL': DEFAULT_AUTH_URL, - } - import keystoneclient.shell - self.shell = keystoneclient.shell.OpenStackIdentityShell() - - self.token = fixture.V2Token() - self.token.set_scope() - svc = self.token.add_service('identity') - svc.add_endpoint(public=DEFAULT_AUTH_URL, - admin=DEFAULT_ADMIN_URL) - - self.stub_auth(json=self.token, base_url=DEFAULT_AUTH_URL) - - def tearDown(self): - os.environ = self.old_environment - super(ShellTests, self).tearDown() - - def run_command(self, cmd): - orig = sys.stdout - try: - sys.stdout = six.StringIO() - if isinstance(cmd, list): - self.shell.main(cmd) - else: - self.shell.main(cmd.split()) - except SystemExit: - exc_type, exc_value, exc_traceback = sys.exc_info() - self.assertEqual(exc_value.code, 0) - finally: - out = sys.stdout.getvalue() - sys.stdout.close() - sys.stdout = orig - return out - - def assert_called(self, method, path, base_url=TEST_URL): - self.assertEqual(method, self.requests.last_request.method) - self.assertEqual(base_url + path.lstrip('/'), - self.requests.last_request.url) - - def test_user_list(self): - self.stub_url('GET', ['users'], json={'users': []}) - self.run_command('user-list') - self.assert_called('GET', '/users') - - def test_user_create(self): - self.stub_url('POST', ['users'], json={'user': {}}) - self.run_command('user-create --name new-user') - - self.assert_called('POST', '/users') - self.assertRequestBodyIs(json={'user': {'email': None, - 'password': None, - 'enabled': True, - 'name': 'new-user', - 'tenantId': None}}) - - @mock.patch('sys.stdin', autospec=True) - def test_user_create_password_prompt(self, mock_stdin): - self.stub_url('POST', ['users'], json={'user': {}}) - - with mock.patch('getpass.getpass') as mock_getpass: - mock_getpass.return_value = 'newpass' - self.run_command('user-create --name new-user --pass') - - self.assert_called('POST', '/users') - self.assertRequestBodyIs(json={'user': {'email': None, - 'password': 'newpass', - 'enabled': True, - 'name': 'new-user', - 'tenantId': None}}) - - def test_user_get(self): - self.stub_url('GET', ['users', '1'], - json={'user': {'id': '1'}}) - self.run_command('user-get 1') - self.assert_called('GET', '/users/1') - - def test_user_delete(self): - self.stub_url('GET', ['users', '1'], - json={'user': {'id': '1'}}) - self.stub_url('DELETE', ['users', '1']) - self.run_command('user-delete 1') - self.assert_called('DELETE', '/users/1') - - def test_user_password_update(self): - self.stub_url('GET', ['users', '1'], - json={'user': {'id': '1'}}) - self.stub_url('PUT', ['users', '1', 'OS-KSADM', 'password']) - self.run_command('user-password-update --pass newpass 1') - self.assert_called('PUT', '/users/1/OS-KSADM/password') - - def test_user_update(self): - self.stub_url('PUT', ['users', '1']) - self.stub_url('GET', ['users', '1'], - json={"user": {"tenantId": "1", - "enabled": "true", - "id": "1", - "name": "username"}}) - - self.run_command('user-update --name new-user1' - ' --email user@email.com --enabled true 1') - self.assert_called('PUT', '/users/1') - self.assertRequestBodyIs(json={'user': {'id': '1', - 'email': 'user@email.com', - 'enabled': True, - 'name': 'new-user1'}}) - - required = 'User not updated, no arguments present.' - out = self.run_command('user-update 1') - self.assertThat(out, matchers.MatchesRegex(required)) - - self.run_command(['user-update', '--email', '', '1']) - self.assert_called('PUT', '/users/1') - self.assertRequestBodyIs(json={'user': {'id': '1', 'email': ''}}) - - def test_role_create(self): - self.stub_url('POST', ['OS-KSADM', 'roles'], json={'role': {}}) - self.run_command('role-create --name new-role') - self.assert_called('POST', '/OS-KSADM/roles') - self.assertRequestBodyIs(json={"role": {"name": "new-role"}}) - - def test_role_get(self): - self.stub_url('GET', ['OS-KSADM', 'roles', '1'], - json={'role': {'id': '1'}}) - self.run_command('role-get 1') - self.assert_called('GET', '/OS-KSADM/roles/1') - - def test_role_list(self): - self.stub_url('GET', ['OS-KSADM', 'roles'], json={'roles': []}) - self.run_command('role-list') - self.assert_called('GET', '/OS-KSADM/roles') - - def test_role_delete(self): - self.stub_url('GET', ['OS-KSADM', 'roles', '1'], - json={'role': {'id': '1'}}) - self.stub_url('DELETE', ['OS-KSADM', 'roles', '1']) - self.run_command('role-delete 1') - self.assert_called('DELETE', '/OS-KSADM/roles/1') - - def test_user_role_add(self): - self.stub_url('GET', ['users', '1'], - json={'user': {'id': '1'}}) - self.stub_url('GET', ['OS-KSADM', 'roles', '1'], - json={'role': {'id': '1'}}) - - self.stub_url('PUT', ['users', '1', 'roles', 'OS-KSADM', '1']) - self.run_command('user-role-add --user_id 1 --role_id 1') - self.assert_called('PUT', '/users/1/roles/OS-KSADM/1') - - def test_user_role_list(self): - self.stub_url('GET', ['tenants', self.token.tenant_id], - json={'tenant': {'id': self.token.tenant_id}}) - self.stub_url('GET', ['tenants', self.token.tenant_id, - 'users', self.token.user_id, 'roles'], - json={'roles': []}) - - url = '/tenants/%s/users/%s/roles' % (self.token.tenant_id, - self.token.user_id) - - self.run_command('user-role-list --user_id %s --tenant-id %s' % - (self.token.user_id, self.token.tenant_id)) - self.assert_called('GET', url) - - self.run_command('user-role-list --user_id %s' % self.token.user_id) - self.assert_called('GET', url) - - self.run_command('user-role-list') - self.assert_called('GET', url) - - def test_user_role_remove(self): - self.stub_url('GET', ['users', '1'], - json={'user': {'id': 1}}) - self.stub_url('GET', ['OS-KSADM', 'roles', '1'], - json={'role': {'id': 1}}) - self.stub_url('DELETE', - ['users', '1', 'roles', 'OS-KSADM', '1']) - - self.run_command('user-role-remove --user_id 1 --role_id 1') - self.assert_called('DELETE', '/users/1/roles/OS-KSADM/1') - - def test_tenant_create(self): - self.stub_url('POST', ['tenants'], json={'tenant': {}}) - self.run_command('tenant-create --name new-tenant') - self.assertRequestBodyIs(json={"tenant": {"enabled": True, - "name": "new-tenant", - "description": None}}) - - def test_tenant_get(self): - self.stub_url('GET', ['tenants', '2'], json={'tenant': {}}) - self.run_command('tenant-get 2') - self.assert_called('GET', '/tenants/2') - - def test_tenant_list(self): - self.stub_url('GET', ['tenants'], json={'tenants': []}) - self.run_command('tenant-list') - self.assert_called('GET', '/tenants') - - def test_tenant_update(self): - self.stub_url('GET', ['tenants', '1'], - json={'tenant': {'id': '1'}}) - self.stub_url('GET', ['tenants', '2'], - json={'tenant': {'id': '2'}}) - self.stub_url('POST', ['tenants', '2'], - json={'tenant': {'id': '2'}}) - self.run_command('tenant-update' - ' --name new-tenant1 --enabled false' - ' --description desc 2') - self.assert_called('POST', '/tenants/2') - self.assertRequestBodyIs(json={"tenant": {"enabled": False, - "id": "2", - "description": "desc", - "name": "new-tenant1"}}) - - required = 'Tenant not updated, no arguments present.' - out = self.run_command('tenant-update 1') - self.assertThat(out, matchers.MatchesRegex(required)) - - def test_tenant_delete(self): - self.stub_url('GET', ['tenants', '2'], - json={'tenant': {'id': '2'}}) - self.stub_url('DELETE', ['tenants', '2']) - self.run_command('tenant-delete 2') - self.assert_called('DELETE', '/tenants/2') - - def test_service_create(self): - self.stub_url('POST', ['OS-KSADM', 'services'], - json={'OS-KSADM:service': {}}) - self.run_command('service-create --name service1 --type compute') - self.assert_called('POST', '/OS-KSADM/services') - json = {"OS-KSADM:service": {"type": "compute", - "name": "service1", - "description": None}} - self.assertRequestBodyIs(json=json) - - def test_service_get(self): - self.stub_url('GET', ['OS-KSADM', 'services', '1'], - json={'OS-KSADM:service': {'id': '1'}}) - self.run_command('service-get 1') - self.assert_called('GET', '/OS-KSADM/services/1') - - def test_service_list(self): - self.stub_url('GET', ['OS-KSADM', 'services'], - json={'OS-KSADM:services': []}) - self.run_command('service-list') - self.assert_called('GET', '/OS-KSADM/services') - - def test_service_delete(self): - self.stub_url('GET', ['OS-KSADM', 'services', '1'], - json={'OS-KSADM:service': {'id': 1}}) - self.stub_url('DELETE', ['OS-KSADM', 'services', '1']) - self.run_command('service-delete 1') - self.assert_called('DELETE', '/OS-KSADM/services/1') - - def test_catalog(self): - self.run_command('catalog') - self.run_command('catalog --service compute') - - def test_ec2_credentials_create(self): - self.stub_url('POST', - ['users', self.token.user_id, 'credentials', 'OS-EC2'], - json={'credential': {}}) - - url = '/users/%s/credentials/OS-EC2' % self.token.user_id - self.run_command('ec2-credentials-create --tenant-id 1 ' - '--user-id %s' % self.token.user_id) - self.assert_called('POST', url) - self.assertRequestBodyIs(json={'tenant_id': '1'}) - - self.run_command('ec2-credentials-create --tenant-id 1') - self.assert_called('POST', url) - self.assertRequestBodyIs(json={'tenant_id': '1'}) - - self.run_command('ec2-credentials-create') - self.assert_called('POST', url) - self.assertRequestBodyIs(json={'tenant_id': self.token.tenant_id}) - - def test_ec2_credentials_delete(self): - self.stub_url('DELETE', - ['users', self.token.user_id, - 'credentials', 'OS-EC2', '2']) - self.run_command('ec2-credentials-delete --access 2 --user-id %s' % - self.token.user_id) - - url = '/users/%s/credentials/OS-EC2/2' % self.token.user_id - self.assert_called('DELETE', url) - - self.run_command('ec2-credentials-delete --access 2') - self.assert_called('DELETE', url) - - def test_ec2_credentials_list(self): - self.stub_url('GET', - ['users', self.token.user_id, 'credentials', 'OS-EC2'], - json={'credentials': []}) - self.run_command('ec2-credentials-list --user-id %s' - % self.token.user_id) - - url = '/users/%s/credentials/OS-EC2' % self.token.user_id - self.assert_called('GET', url) - - self.run_command('ec2-credentials-list') - self.assert_called('GET', url) - - def test_ec2_credentials_get(self): - self.stub_url('GET', - ['users', '1', 'credentials', 'OS-EC2', '2'], - json={'credential': {}}) - self.run_command('ec2-credentials-get --access 2 --user-id 1') - self.assert_called('GET', '/users/1/credentials/OS-EC2/2') - - def test_bootstrap(self): - user = {'user': {'id': '1'}} - role = {'role': {'id': '1'}} - tenant = {'tenant': {'id': '1'}} - - token = fixture.V2Token(user_id=1, tenant_id=1) - token.add_role(id=1) - svc = token.add_service('identity') - svc.add_endpoint(public=DEFAULT_AUTH_URL, - admin=DEFAULT_ADMIN_URL) - - self.stub_auth(json=token) - - self.stub_url('POST', ['OS-KSADM', 'roles'], json=role) - self.stub_url('GET', ['OS-KSADM', 'roles', '1'], json=role) - self.stub_url('POST', ['tenants'], json=tenant) - self.stub_url('GET', ['tenants', '1'], json=tenant) - self.stub_url('POST', ['users'], json=user) - self.stub_url('GET', ['users', '1'], json=user) - self.stub_url('PUT', - ['tenants', '1', 'users', '1', 'roles', 'OS-KSADM', '1'], - json=role) - - self.run_command('bootstrap --user-name new-user' - ' --pass 1 --role-name admin' - ' --tenant-name new-tenant') - - def called_anytime(method, path, json=None): - for r in self.requests.request_history: - if not r.method == method: - continue - if not r.url == self.TEST_URL + path: - continue - - if json: - last_request_body = r.body.decode('utf-8') - json_body = jsonutils.loads(last_request_body) - - if not json_body == json: - continue - - return True - - return False - - called_anytime('POST', '/users', {'user': {'email': None, - 'password': '1', - 'enabled': True, - 'name': 'new-user', - 'tenantId': None}}) - - called_anytime('POST', '/tenants', {"tenant": {"enabled": True, - "name": "new-tenant", - "description": None}}) - - called_anytime('POST', '/OS-KSADM/roles', - {"role": {"name": "new-role"}}) - - called_anytime('PUT', '/tenants/1/users/1/roles/OS-KSADM/1') - - def test_bash_completion(self): - self.run_command('bash-completion') - - def test_help(self): - out = self.run_command('help') - required = 'usage: keystone' - self.assertThat(out, matchers.MatchesRegex(required)) - - def test_password_update(self): - self.stub_url('PATCH', - ['OS-KSCRUD', 'users', self.token.user_id], - base_url=DEFAULT_AUTH_URL) - self.run_command('password-update --current-password oldpass' - ' --new-password newpass') - self.assert_called('PATCH', - '/OS-KSCRUD/users/%s' % self.token.user_id, - base_url=DEFAULT_AUTH_URL) - self.assertRequestBodyIs(json={'user': {'original_password': 'oldpass', - 'password': 'newpass'}}) - - def test_endpoint_create(self): - self.stub_url('GET', ['OS-KSADM', 'services', '1'], - json={'OS-KSADM:service': {'id': '1'}}) - self.stub_url('POST', ['endpoints'], json={'endpoint': {}}) - self.run_command('endpoint-create --service-id 1 ' - '--publicurl=http://example.com:1234/go') - self.assert_called('POST', '/endpoints') - json = {'endpoint': {'adminurl': None, - 'service_id': '1', - 'region': 'regionOne', - 'internalurl': None, - 'publicurl': "http://example.com:1234/go"}} - self.assertRequestBodyIs(json=json) - - def test_endpoint_list(self): - self.stub_url('GET', ['endpoints'], json={'endpoints': []}) - self.run_command('endpoint-list') - self.assert_called('GET', '/endpoints') diff --git a/keystoneclient/tests/v3/test_auth_saml2.py b/keystoneclient/tests/v3/test_auth_saml2.py deleted file mode 100644 index 712c7f771..000000000 --- a/keystoneclient/tests/v3/test_auth_saml2.py +++ /dev/null @@ -1,377 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import uuid - -from lxml import etree -from oslo.config import fixture as config - -from keystoneclient.auth import conf -from keystoneclient.contrib.auth.v3 import saml2 -from keystoneclient import exceptions -from keystoneclient import session -from keystoneclient.tests.v3 import client_fixtures -from keystoneclient.tests.v3 import saml2_fixtures -from keystoneclient.tests.v3 import utils - - -class AuthenticateviaSAML2Tests(utils.TestCase): - - GROUP = 'auth' - - class _AuthenticatedResponse(object): - headers = { - 'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER - } - - def json(self): - return saml2_fixtures.UNSCOPED_TOKEN - - class _AuthenticatedResponseInvalidJson(_AuthenticatedResponse): - - def json(self): - raise ValueError() - - class _AuthentiatedResponseMissingTokenID(_AuthenticatedResponse): - headers = {} - - def setUp(self): - super(AuthenticateviaSAML2Tests, self).setUp() - - self.conf_fixture = self.useFixture(config.Config()) - conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) - - self.session = session.Session() - - self.ECP_SP_EMPTY_REQUEST_HEADERS = { - 'Accept': 'text/html; application/vnd.paos+xml', - 'PAOS': ('ver="urn:liberty:paos:2003-08";' - '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"') - } - - self.ECP_SP_SAML2_REQUEST_HEADERS = { - 'Content-Type': 'application/vnd.paos+xml' - } - - self.ECP_SAML2_NAMESPACES = { - 'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp', - 'S': 'http://schemas.xmlsoap.org/soap/envelope/', - 'paos': 'urn:liberty:paos:2003-08' - } - self.ECP_RELAY_STATE = '//ecp:RelayState' - self.ECP_SERVICE_PROVIDER_CONSUMER_URL = ('/S:Envelope/S:Header/paos:' - 'Request/' - '@responseConsumerURL') - self.ECP_IDP_CONSUMER_URL = ('/S:Envelope/S:Header/ecp:Response/' - '@AssertionConsumerServiceURL') - self.IDENTITY_PROVIDER = 'testidp' - self.IDENTITY_PROVIDER_URL = 'http://local.url' - self.PROTOCOL = 'saml2' - self.FEDERATION_AUTH_URL = '%s/%s' % ( - self.TEST_URL, - 'OS-FEDERATION/identity_providers/testidp/protocols/saml2/auth') - self.SHIB_CONSUMER_URL = ('https://openstack4.local/' - 'Shibboleth.sso/SAML2/ECP') - - self.saml2plugin = saml2.Saml2UnscopedToken( - self.TEST_URL, - self.IDENTITY_PROVIDER, self.IDENTITY_PROVIDER_URL, - self.TEST_USER, self.TEST_TOKEN) - - def make_oneline(self, s): - return etree.tostring(etree.XML(s)).replace(b'\n', b'') - - def test_conf_params(self): - section = uuid.uuid4().hex - identity_provider = uuid.uuid4().hex - identity_provider_url = uuid.uuid4().hex - username = uuid.uuid4().hex - password = uuid.uuid4().hex - self.conf_fixture.config(auth_section=section, group=self.GROUP) - conf.register_conf_options(self.conf_fixture.conf, group=self.GROUP) - - self.conf_fixture.register_opts(saml2.Saml2UnscopedToken.get_options(), - group=section) - self.conf_fixture.config(auth_plugin='v3unscopedsaml', - identity_provider=identity_provider, - identity_provider_url=identity_provider_url, - username=username, - password=password, - group=section) - - a = conf.load_from_conf_options(self.conf_fixture.conf, self.GROUP) - self.assertEqual(identity_provider, a.identity_provider) - self.assertEqual(identity_provider_url, a.identity_provider_url) - self.assertEqual(username, a.username) - self.assertEqual(password, a.password) - - def test_initial_sp_call(self): - """Test initial call, expect SOAP message.""" - self.requests.register_uri( - 'GET', - self.FEDERATION_AUTH_URL, - content=self.make_oneline(saml2_fixtures.SP_SOAP_RESPONSE)) - a = self.saml2plugin._send_service_provider_request(self.session) - - self.assertFalse(a) - - fixture_soap_response = self.make_oneline( - saml2_fixtures.SP_SOAP_RESPONSE) - - sp_soap_response = self.make_oneline( - etree.tostring(self.saml2plugin.saml2_authn_request)) - - error_msg = "Expected %s instead of %s" % (fixture_soap_response, - sp_soap_response) - - self.assertEqual(fixture_soap_response, sp_soap_response, error_msg) - - self.assertEqual( - self.saml2plugin.sp_response_consumer_url, self.SHIB_CONSUMER_URL, - "Expected consumer_url set to %s instead of %s" % ( - self.SHIB_CONSUMER_URL, - str(self.saml2plugin.sp_response_consumer_url))) - - def test_initial_sp_call_when_saml_authenticated(self): - self.requests.register_uri( - 'GET', - self.FEDERATION_AUTH_URL, - json=saml2_fixtures.UNSCOPED_TOKEN, - headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) - - a = self.saml2plugin._send_service_provider_request(self.session) - self.assertTrue(a) - self.assertEqual( - saml2_fixtures.UNSCOPED_TOKEN['token'], - self.saml2plugin.authenticated_response.json()['token']) - self.assertEqual( - saml2_fixtures.UNSCOPED_TOKEN_HEADER, - self.saml2plugin.authenticated_response.headers['X-Subject-Token']) - - def test_get_unscoped_token_when_authenticated(self): - self.requests.register_uri( - 'GET', - self.FEDERATION_AUTH_URL, - json=saml2_fixtures.UNSCOPED_TOKEN, - headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER, - 'Content-Type': 'application/json'}) - - token, token_body = self.saml2plugin._get_unscoped_token(self.session) - self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN['token'], token_body) - - self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN_HEADER, token) - - def test_initial_sp_call_invalid_response(self): - """Send initial SP HTTP request and receive wrong server response.""" - self.requests.register_uri('GET', - self.FEDERATION_AUTH_URL, - text='NON XML RESPONSE') - - self.assertRaises( - exceptions.AuthorizationFailure, - self.saml2plugin._send_service_provider_request, - self.session) - - def test_send_authn_req_to_idp(self): - self.requests.register_uri('POST', - self.IDENTITY_PROVIDER_URL, - content=saml2_fixtures.SAML2_ASSERTION) - - self.saml2plugin.sp_response_consumer_url = self.SHIB_CONSUMER_URL - self.saml2plugin.saml2_authn_request = etree.XML( - saml2_fixtures.SP_SOAP_RESPONSE) - self.saml2plugin._send_idp_saml2_authn_request(self.session) - - idp_response = self.make_oneline(etree.tostring( - self.saml2plugin.saml2_idp_authn_response)) - - saml2_assertion_oneline = self.make_oneline( - saml2_fixtures.SAML2_ASSERTION) - error = "Expected %s instead of %s" % (saml2_fixtures.SAML2_ASSERTION, - idp_response) - self.assertEqual(idp_response, saml2_assertion_oneline, error) - - def test_fail_basicauth_idp_authentication(self): - self.requests.register_uri('POST', - self.IDENTITY_PROVIDER_URL, - status_code=401) - - self.saml2plugin.sp_response_consumer_url = self.SHIB_CONSUMER_URL - self.saml2plugin.saml2_authn_request = etree.XML( - saml2_fixtures.SP_SOAP_RESPONSE) - self.assertRaises( - exceptions.Unauthorized, - self.saml2plugin._send_idp_saml2_authn_request, - self.session) - - def test_mising_username_password_in_plugin(self): - self.assertRaises(TypeError, - saml2.Saml2UnscopedToken, - self.TEST_URL, self.IDENTITY_PROVIDER, - self.IDENTITY_PROVIDER_URL) - - def test_send_authn_response_to_sp(self): - self.requests.register_uri( - 'POST', - self.SHIB_CONSUMER_URL, - json=saml2_fixtures.UNSCOPED_TOKEN, - headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) - - self.saml2plugin.relay_state = etree.XML( - saml2_fixtures.SP_SOAP_RESPONSE).xpath( - self.ECP_RELAY_STATE, namespaces=self.ECP_SAML2_NAMESPACES)[0] - - self.saml2plugin.saml2_idp_authn_response = etree.XML( - saml2_fixtures.SAML2_ASSERTION) - - self.saml2plugin.idp_response_consumer_url = self.SHIB_CONSUMER_URL - self.saml2plugin._send_service_provider_saml2_authn_response( - self.session) - token_json = self.saml2plugin.authenticated_response.json()['token'] - token = self.saml2plugin.authenticated_response.headers[ - 'X-Subject-Token'] - self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN['token'], - token_json) - - self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN_HEADER, - token) - - def test_consumer_url_mismatch_success(self): - self.saml2plugin._check_consumer_urls( - self.session, self.SHIB_CONSUMER_URL, - self.SHIB_CONSUMER_URL) - - def test_consumer_url_mismatch(self): - self.requests.register_uri('POST', self.SHIB_CONSUMER_URL) - invalid_consumer_url = uuid.uuid4().hex - self.assertRaises( - exceptions.ValidationError, - self.saml2plugin._check_consumer_urls, - self.session, self.SHIB_CONSUMER_URL, - invalid_consumer_url) - - def test_custom_302_redirection(self): - self.requests.register_uri( - 'POST', - self.SHIB_CONSUMER_URL, - text='BODY', - headers={'location': self.FEDERATION_AUTH_URL}, - status_code=302) - - self.requests.register_uri( - 'GET', - self.FEDERATION_AUTH_URL, - json=saml2_fixtures.UNSCOPED_TOKEN, - headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER}) - - self.session.redirect = False - response = self.session.post( - self.SHIB_CONSUMER_URL, data='CLIENT BODY') - self.assertEqual(302, response.status_code) - self.assertEqual(self.FEDERATION_AUTH_URL, - response.headers['location']) - - response = self.saml2plugin._handle_http_302_ecp_redirect( - self.session, response, 'GET') - - self.assertEqual(self.FEDERATION_AUTH_URL, response.request.url) - self.assertEqual('GET', response.request.method) - - def test_end_to_end_workflow(self): - self.requests.register_uri( - 'GET', - self.FEDERATION_AUTH_URL, - content=self.make_oneline(saml2_fixtures.SP_SOAP_RESPONSE)) - - self.requests.register_uri('POST', - self.IDENTITY_PROVIDER_URL, - content=saml2_fixtures.SAML2_ASSERTION) - - self.requests.register_uri( - 'POST', - self.SHIB_CONSUMER_URL, - json=saml2_fixtures.UNSCOPED_TOKEN, - headers={'X-Subject-Token': saml2_fixtures.UNSCOPED_TOKEN_HEADER, - 'Content-Type': 'application/json'}) - - self.session.redirect = False - response = self.saml2plugin.get_auth_ref(self.session) - self.assertEqual(saml2_fixtures.UNSCOPED_TOKEN_HEADER, - response.auth_token) - - -class ScopeFederationTokenTests(AuthenticateviaSAML2Tests): - - TEST_TOKEN = client_fixtures.AUTH_SUBJECT_TOKEN - - def setUp(self): - super(ScopeFederationTokenTests, self).setUp() - - self.PROJECT_SCOPED_TOKEN_JSON = client_fixtures.project_scoped_token() - self.PROJECT_SCOPED_TOKEN_JSON['methods'] = ['saml2'] - - # for better readibility - self.TEST_TENANT_ID = self.PROJECT_SCOPED_TOKEN_JSON.project_id - self.TEST_TENANT_NAME = self.PROJECT_SCOPED_TOKEN_JSON.project_name - - self.DOMAIN_SCOPED_TOKEN_JSON = client_fixtures.domain_scoped_token() - self.DOMAIN_SCOPED_TOKEN_JSON['methods'] = ['saml2'] - - # for better readibility - self.TEST_DOMAIN_ID = self.DOMAIN_SCOPED_TOKEN_JSON.domain_id - self.TEST_DOMAIN_NAME = self.DOMAIN_SCOPED_TOKEN_JSON.domain_name - - self.saml2_scope_plugin = saml2.Saml2ScopedToken( - self.TEST_URL, saml2_fixtures.UNSCOPED_TOKEN_HEADER, - project_id=self.TEST_TENANT_ID) - - def test_scope_saml2_token_to_project(self): - self.stub_auth(json=self.PROJECT_SCOPED_TOKEN_JSON) - - token = self.saml2_scope_plugin.get_auth_ref(self.session) - self.assertTrue(token.project_scoped, "Received token is not scoped") - self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, token.auth_token) - self.assertEqual(self.TEST_TENANT_ID, token.project_id) - self.assertEqual(self.TEST_TENANT_NAME, token.project_name) - - def test_scope_saml2_token_to_invalid_project(self): - self.stub_auth(status_code=401) - self.saml2_scope_plugin.project_id = uuid.uuid4().hex - self.saml2_scope_plugin.project_name = None - self.assertRaises(exceptions.Unauthorized, - self.saml2_scope_plugin.get_auth_ref, - self.session) - - def test_scope_saml2_token_to_invalid_domain(self): - self.stub_auth(status_code=401) - self.saml2_scope_plugin.project_id = None - self.saml2_scope_plugin.project_name = None - self.saml2_scope_plugin.domain_id = uuid.uuid4().hex - self.saml2_scope_plugin.domain_name = None - self.assertRaises(exceptions.Unauthorized, - self.saml2_scope_plugin.get_auth_ref, - self.session) - - def test_scope_saml2_token_to_domain(self): - self.stub_auth(json=self.DOMAIN_SCOPED_TOKEN_JSON) - token = self.saml2_scope_plugin.get_auth_ref(self.session) - self.assertTrue(token.domain_scoped, "Received token is not scoped") - self.assertEqual(client_fixtures.AUTH_SUBJECT_TOKEN, token.auth_token) - self.assertEqual(self.TEST_DOMAIN_ID, token.domain_id) - self.assertEqual(self.TEST_DOMAIN_NAME, token.domain_name) - - def test_dont_set_project_nor_domain(self): - self.saml2_scope_plugin.project_id = None - self.saml2_scope_plugin.domain_id = None - self.assertRaises(exceptions.ValidationError, - saml2.Saml2ScopedToken, - self.TEST_URL, client_fixtures.AUTH_SUBJECT_TOKEN) diff --git a/keystoneclient/tests/v3/test_client.py b/keystoneclient/tests/v3/test_client.py deleted file mode 100644 index 640ee76e7..000000000 --- a/keystoneclient/tests/v3/test_client.py +++ /dev/null @@ -1,197 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import copy -import json - -from keystoneclient import exceptions -from keystoneclient.tests.v3 import client_fixtures -from keystoneclient.tests.v3 import utils -from keystoneclient.v3 import client - - -class KeystoneClientTest(utils.TestCase): - - def test_unscoped_init(self): - self.stub_auth(json=client_fixtures.unscoped_token()) - - c = client.Client(user_domain_name='exampledomain', - username='exampleuser', - password='password', - auth_url=self.TEST_URL) - self.assertIsNotNone(c.auth_ref) - self.assertFalse(c.auth_ref.domain_scoped) - self.assertFalse(c.auth_ref.project_scoped) - self.assertEqual(c.auth_user_id, - 'c4da488862bd435c9e6c0275a0d0e49a') - - def test_domain_scoped_init(self): - self.stub_auth(json=client_fixtures.domain_scoped_token()) - - c = client.Client(user_id='c4da488862bd435c9e6c0275a0d0e49a', - password='password', - domain_name='exampledomain', - auth_url=self.TEST_URL) - self.assertIsNotNone(c.auth_ref) - self.assertTrue(c.auth_ref.domain_scoped) - self.assertFalse(c.auth_ref.project_scoped) - self.assertEqual(c.auth_user_id, - 'c4da488862bd435c9e6c0275a0d0e49a') - self.assertEqual(c.auth_domain_id, - '8e9283b7ba0b1038840c3842058b86ab') - - def test_project_scoped_init(self): - self.stub_auth(json=client_fixtures.project_scoped_token()), - - c = client.Client(user_id='c4da488862bd435c9e6c0275a0d0e49a', - password='password', - user_domain_name='exampledomain', - project_name='exampleproject', - auth_url=self.TEST_URL) - self.assertIsNotNone(c.auth_ref) - self.assertFalse(c.auth_ref.domain_scoped) - self.assertTrue(c.auth_ref.project_scoped) - self.assertEqual(c.auth_user_id, - 'c4da488862bd435c9e6c0275a0d0e49a') - self.assertEqual(c.auth_tenant_id, - '225da22d3ce34b15877ea70b2a575f58') - - def test_auth_ref_load(self): - self.stub_auth(json=client_fixtures.project_scoped_token()) - - c = client.Client(user_id='c4da488862bd435c9e6c0275a0d0e49a', - password='password', - project_id='225da22d3ce34b15877ea70b2a575f58', - auth_url=self.TEST_URL) - cache = json.dumps(c.auth_ref) - new_client = client.Client(auth_ref=json.loads(cache)) - self.assertIsNotNone(new_client.auth_ref) - self.assertFalse(new_client.auth_ref.domain_scoped) - self.assertTrue(new_client.auth_ref.project_scoped) - self.assertEqual(new_client.username, 'exampleuser') - self.assertIsNone(new_client.password) - self.assertEqual(new_client.management_url, - 'http://admin:35357/v3') - - def test_auth_ref_load_with_overridden_arguments(self): - new_auth_url = 'https://newkeystone.com/v3' - - self.stub_auth(json=client_fixtures.project_scoped_token()) - self.stub_auth(json=client_fixtures.project_scoped_token(), - base_url=new_auth_url) - - c = client.Client(user_id='c4da488862bd435c9e6c0275a0d0e49a', - password='password', - project_id='225da22d3ce34b15877ea70b2a575f58', - auth_url=self.TEST_URL) - cache = json.dumps(c.auth_ref) - new_client = client.Client(auth_ref=json.loads(cache), - auth_url=new_auth_url) - self.assertIsNotNone(new_client.auth_ref) - self.assertFalse(new_client.auth_ref.domain_scoped) - self.assertTrue(new_client.auth_ref.project_scoped) - self.assertEqual(new_client.auth_url, new_auth_url) - self.assertEqual(new_client.username, 'exampleuser') - self.assertIsNone(new_client.password) - self.assertEqual(new_client.management_url, - 'http://admin:35357/v3') - - def test_trust_init(self): - self.stub_auth(json=client_fixtures.trust_token()) - - c = client.Client(user_domain_name='exampledomain', - username='exampleuser', - password='password', - auth_url=self.TEST_URL, - trust_id='fe0aef') - self.assertIsNotNone(c.auth_ref) - self.assertFalse(c.auth_ref.domain_scoped) - self.assertFalse(c.auth_ref.project_scoped) - self.assertEqual(c.auth_ref.trust_id, 'fe0aef') - self.assertEqual(c.auth_ref.trustee_user_id, '0ca8f6') - self.assertEqual(c.auth_ref.trustor_user_id, 'bd263c') - self.assertTrue(c.auth_ref.trust_scoped) - self.assertEqual(c.auth_user_id, '0ca8f6') - - def test_init_err_no_auth_url(self): - self.assertRaises(exceptions.AuthorizationFailure, - client.Client, - username='exampleuser', - password='password') - - def _management_url_is_updated(self, fixture, **kwargs): - second = copy.deepcopy(fixture) - first_url = 'http://admin:35357/v3' - second_url = "http://secondurl:%d/v3'" - - for entry in second['token']['catalog']: - if entry['type'] == 'identity': - entry['endpoints'] = [{ - 'url': second_url % 5000, - 'region': 'RegionOne', - 'interface': 'public' - }, { - 'url': second_url % 5000, - 'region': 'RegionOne', - 'interface': 'internal' - }, { - 'url': second_url % 35357, - 'region': 'RegionOne', - 'interface': 'admin' - }] - - self.stub_auth(response_list=[{'json': fixture}, {'json': second}]) - - cl = client.Client(username='exampleuser', - password='password', - auth_url=self.TEST_URL, - **kwargs) - self.assertEqual(cl.management_url, first_url) - - cl.authenticate() - self.assertEqual(cl.management_url, second_url % 35357) - - def test_management_url_is_updated_with_project(self): - self._management_url_is_updated(client_fixtures.project_scoped_token(), - project_name='exampleproject') - - def test_management_url_is_updated_with_domain(self): - self._management_url_is_updated(client_fixtures.domain_scoped_token(), - domain_name='exampledomain') - - def test_client_with_region_name_passes_to_service_catalog(self): - # NOTE(jamielennox): this is deprecated behaviour that should be - # removed ASAP, however must remain compatible. - - self.stub_auth(json=client_fixtures.auth_response_body()) - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL, - region_name='North') - self.assertEqual(cl.service_catalog.url_for(service_type='image'), - 'http://glance.north.host/glanceapi/public') - - cl = client.Client(username='exampleuser', - password='password', - tenant_name='exampleproject', - auth_url=self.TEST_URL, - region_name='South') - self.assertEqual(cl.service_catalog.url_for(service_type='image'), - 'http://glance.south.host/glanceapi/public') - - def test_client_without_auth_params(self): - self.assertRaises(exceptions.AuthorizationFailure, - client.Client, - project_name='exampleproject', - auth_url=self.TEST_URL) diff --git a/keystoneclient/tests/v3/test_endpoint_filter.py b/keystoneclient/tests/v3/test_endpoint_filter.py deleted file mode 100644 index f4be431a9..000000000 --- a/keystoneclient/tests/v3/test_endpoint_filter.py +++ /dev/null @@ -1,145 +0,0 @@ -# Copyright 2014 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import uuid - -from keystoneclient.tests.v3 import utils - - -class EndpointFilterTests(utils.TestCase): - """Test project-endpoint associations (a.k.a. EndpointFilter Extension). - - Endpoint filter provides associations between service endpoints and - projects. These assciations are then used to create ad-hoc catalogs for - each project-scoped token request. - - """ - - def setUp(self): - super(EndpointFilterTests, self).setUp() - self.manager = self.client.endpoint_filter - - def new_ref(self, **kwargs): - # copied from CrudTests as we need to create endpoint and project - # refs for our tests. EndpointFilter is not exactly CRUD API. - kwargs.setdefault('id', uuid.uuid4().hex) - kwargs.setdefault('enabled', True) - return kwargs - - def new_endpoint_ref(self, **kwargs): - # copied from EndpointTests as we need endpoint refs for our tests - kwargs = self.new_ref(**kwargs) - kwargs.setdefault('interface', 'public') - kwargs.setdefault('region', uuid.uuid4().hex) - kwargs.setdefault('service_id', uuid.uuid4().hex) - kwargs.setdefault('url', uuid.uuid4().hex) - return kwargs - - def new_project_ref(self, **kwargs): - # copied from ProjectTests as we need project refs for our tests - kwargs = self.new_ref(**kwargs) - kwargs.setdefault('domain_id', uuid.uuid4().hex) - kwargs.setdefault('name', uuid.uuid4().hex) - return kwargs - - def test_add_endpoint_to_project_via_id(self): - endpoint_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - - self.stub_url('PUT', - [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, - 'endpoints', endpoint_id], - status_code=201) - - self.manager.add_endpoint_to_project(project=project_id, - endpoint=endpoint_id) - - def test_add_endpoint_to_project_via_obj(self): - project_ref = self.new_project_ref() - endpoint_ref = self.new_endpoint_ref() - project = self.client.projects.resource_class(self.client.projects, - project_ref, - loaded=True) - endpoint = self.client.endpoints.resource_class(self.client.endpoints, - endpoint_ref, - loaded=True) - - self.stub_url('PUT', - [self.manager.OS_EP_FILTER_EXT, - 'projects', project_ref['id'], - 'endpoints', endpoint_ref['id']], - status_code=201) - - self.manager.add_endpoint_to_project(project=project, - endpoint=endpoint) - - def test_delete_endpoint_from_project(self): - endpoint_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - - self.stub_url('DELETE', - [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, - 'endpoints', endpoint_id], - status_code=201) - - self.manager.delete_endpoint_from_project(project=project_id, - endpoint=endpoint_id) - - def test_check_endpoint_in_project(self): - endpoint_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - - self.stub_url('HEAD', - [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, - 'endpoints', endpoint_id], - status_code=201) - - self.manager.check_endpoint_in_project(project=project_id, - endpoint=endpoint_id) - - def test_list_endpoints_for_project(self): - project_id = uuid.uuid4().hex - endpoints = {'endpoints': [self.new_endpoint_ref(), - self.new_endpoint_ref()]} - self.stub_url('GET', - [self.manager.OS_EP_FILTER_EXT, 'projects', project_id, - 'endpoints'], - json=endpoints, - status_code=200) - - endpoints_resp = self.manager.list_endpoints_for_project( - project=project_id) - - expected_endpoint_ids = [ - endpoint['id'] for endpoint in endpoints['endpoints']] - actual_endpoint_ids = [endpoint.id for endpoint in endpoints_resp] - self.assertEqual(expected_endpoint_ids, actual_endpoint_ids) - - def test_list_projects_for_endpoint(self): - endpoint_id = uuid.uuid4().hex - projects = {'projects': [self.new_project_ref(), - self.new_project_ref()]} - self.stub_url('GET', - [self.manager.OS_EP_FILTER_EXT, 'endpoints', endpoint_id, - 'projects'], - json=projects, - status_code=200) - - projects_resp = self.manager.list_projects_for_endpoint( - endpoint=endpoint_id) - - expected_project_ids = [ - project['id'] for project in projects['projects']] - actual_project_ids = [project.id for project in projects_resp] - self.assertEqual(expected_project_ids, actual_project_ids) diff --git a/keystoneclient/tests/v3/test_federation.py b/keystoneclient/tests/v3/test_federation.py deleted file mode 100644 index 15926481c..000000000 --- a/keystoneclient/tests/v3/test_federation.py +++ /dev/null @@ -1,387 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import copy -import uuid - -from keystoneclient import exceptions -from keystoneclient.tests.v3 import utils -from keystoneclient.v3.contrib.federation import base -from keystoneclient.v3.contrib.federation import identity_providers -from keystoneclient.v3.contrib.federation import mappings -from keystoneclient.v3.contrib.federation import protocols -from keystoneclient.v3 import domains -from keystoneclient.v3 import projects - - -class IdentityProviderTests(utils.TestCase, utils.CrudTests): - def setUp(self): - super(IdentityProviderTests, self).setUp() - self.key = 'identity_provider' - self.collection_key = 'identity_providers' - self.model = identity_providers.IdentityProvider - self.manager = self.client.federation.identity_providers - self.path_prefix = 'OS-FEDERATION' - - def new_ref(self, **kwargs): - kwargs.setdefault('id', uuid.uuid4().hex) - kwargs.setdefault('description', uuid.uuid4().hex) - kwargs.setdefault('enabled', True) - return kwargs - - def test_positional_parameters_expect_fail(self): - """Ensure CrudManager raises TypeError exceptions. - - After passing wrong number of positional arguments - an exception should be raised. - - Operations to be tested: - * create() - * get() - * list() - * delete() - * update() - - """ - POS_PARAM_1 = uuid.uuid4().hex - POS_PARAM_2 = uuid.uuid4().hex - POS_PARAM_3 = uuid.uuid4().hex - - PARAMETERS = { - 'create': (POS_PARAM_1, POS_PARAM_2), - 'get': (POS_PARAM_1, POS_PARAM_2), - 'list': (POS_PARAM_1, POS_PARAM_2), - 'update': (POS_PARAM_1, POS_PARAM_2, POS_PARAM_3), - 'delete': (POS_PARAM_1, POS_PARAM_2) - } - - for f_name, args in PARAMETERS.items(): - self.assertRaises(TypeError, getattr(self.manager, f_name), - *args) - - def test_create(self, ref=None, req_ref=None): - ref = ref or self.new_ref() - - # req_ref argument allows you to specify a different - # signature for the request when the manager does some - # conversion before doing the request (e.g. converting - # from datetime object to timestamp string) - req_ref = (req_ref or ref).copy() - req_ref.pop('id') - - self.stub_entity('PUT', entity=ref, id=ref['id'], status_code=201) - - returned = self.manager.create(**ref) - self.assertIsInstance(returned, self.model) - for attr in req_ref: - self.assertEqual( - getattr(returned, attr), - req_ref[attr], - 'Expected different %s' % attr) - self.assertEntityRequestBodyIs(req_ref) - - -class MappingTests(utils.TestCase, utils.CrudTests): - def setUp(self): - super(MappingTests, self).setUp() - self.key = 'mapping' - self.collection_key = 'mappings' - self.model = mappings.Mapping - self.manager = self.client.federation.mappings - self.path_prefix = 'OS-FEDERATION' - - def new_ref(self, **kwargs): - kwargs.setdefault('id', uuid.uuid4().hex) - kwargs.setdefault('rules', [uuid.uuid4().hex, - uuid.uuid4().hex]) - return kwargs - - def test_create(self, ref=None, req_ref=None): - ref = ref or self.new_ref() - manager_ref = ref.copy() - mapping_id = manager_ref.pop('id') - - # req_ref argument allows you to specify a different - # signature for the request when the manager does some - # conversion before doing the request (e.g. converting - # from datetime object to timestamp string) - req_ref = (req_ref or ref).copy() - - self.stub_entity('PUT', entity=req_ref, id=mapping_id, - status_code=201) - - returned = self.manager.create(mapping_id=mapping_id, **manager_ref) - self.assertIsInstance(returned, self.model) - for attr in req_ref: - self.assertEqual( - getattr(returned, attr), - req_ref[attr], - 'Expected different %s' % attr) - self.assertEntityRequestBodyIs(manager_ref) - - -class ProtocolTests(utils.TestCase, utils.CrudTests): - def setUp(self): - super(ProtocolTests, self).setUp() - self.key = 'protocol' - self.collection_key = 'protocols' - self.model = protocols.Protocol - self.manager = self.client.federation.protocols - self.path_prefix = 'OS-FEDERATION/identity_providers' - - def _transform_to_response(self, ref): - """Rebuild dictionary so it can be used as a - reference response body. - - """ - response = copy.deepcopy(ref) - response['id'] = response.pop('protocol_id') - del response['identity_provider'] - return response - - def new_ref(self, **kwargs): - kwargs.setdefault('mapping', uuid.uuid4().hex) - kwargs.setdefault('identity_provider', uuid.uuid4().hex) - kwargs.setdefault('protocol_id', uuid.uuid4().hex) - return kwargs - - def build_parts(self, identity_provider, protocol_id=None): - """Build array used to construct mocking URL. - - Construct and return array with URL parts later used - by methods like utils.TestCase.stub_entity(). - Example of URL: - ``OS-FEDERATION/identity_providers/{idp_id}/ - protocols/{protocol_id}`` - - """ - parts = ['OS-FEDERATION', 'identity_providers', - identity_provider, 'protocols'] - if protocol_id: - parts.append(protocol_id) - return parts - - def test_build_url_provide_base_url(self): - base_url = uuid.uuid4().hex - parameters = {'base_url': base_url} - url = self.manager.build_url(dict_args_in_out=parameters) - self.assertEqual('/'.join([base_url, self.collection_key]), url) - - def test_build_url_w_idp_id(self): - """Test whether kwargs ``base_url`` discards object's base_url - - This test shows, that when ``base_url`` is specified in the - dict_args_in_out dictionary, values like ``identity_provider_id`` - are not taken into consideration while building the url. - - """ - base_url, identity_provider_id = uuid.uuid4().hex, uuid.uuid4().hex - parameters = { - 'base_url': base_url, - 'identity_provider_id': identity_provider_id - } - url = self.manager.build_url(dict_args_in_out=parameters) - self.assertEqual('/'.join([base_url, self.collection_key]), url) - - def test_build_url_default_base_url(self): - identity_provider_id = uuid.uuid4().hex - parameters = { - 'identity_provider_id': identity_provider_id - } - - url = self.manager.build_url(dict_args_in_out=parameters) - self.assertEqual( - '/'.join([self.manager.base_url, identity_provider_id, - self.manager.collection_key]), url) - - def test_create(self): - """Test creating federation protocol tied to an Identity Provider. - - URL to be tested: PUT /OS-FEDERATION/identity_providers/ - $identity_provider/protocols/$protocol - - """ - request_args = self.new_ref() - expected = self._transform_to_response(request_args) - parts = self.build_parts(request_args['identity_provider'], - request_args['protocol_id']) - self.stub_entity('PUT', entity=expected, - parts=parts, status_code=201) - returned = self.manager.create(**request_args) - self.assertEqual(expected, returned.to_dict()) - request_body = {'mapping_id': request_args['mapping']} - self.assertEntityRequestBodyIs(request_body) - - def test_get(self): - """Fetch federation protocol object. - - URL to be tested: GET /OS-FEDERATION/identity_providers/ - $identity_provider/protocols/$protocol - - """ - request_args = self.new_ref() - expected = self._transform_to_response(request_args) - - parts = self.build_parts(request_args['identity_provider'], - request_args['protocol_id']) - self.stub_entity('GET', entity=expected, - parts=parts, status_code=201) - - returned = self.manager.get(request_args['identity_provider'], - request_args['protocol_id']) - self.assertIsInstance(returned, self.model) - self.assertEqual(expected, returned.to_dict()) - - def test_delete(self): - """Delete federation protocol object. - - URL to be tested: DELETE /OS-FEDERATION/identity_providers/ - $identity_provider/protocols/$protocol - - """ - request_args = self.new_ref() - parts = self.build_parts(request_args['identity_provider'], - request_args['protocol_id']) - - self.stub_entity('DELETE', parts=parts, status_code=204) - - self.manager.delete(request_args['identity_provider'], - request_args['protocol_id']) - - def test_list(self): - """Test listing all federation protocols tied to the Identity Provider. - - URL to be tested: GET /OS-FEDERATION/identity_providers/ - $identity_provider/protocols - - """ - def _ref_protocols(): - return { - 'id': uuid.uuid4().hex, - 'mapping_id': uuid.uuid4().hex - } - - request_args = self.new_ref() - expected = [_ref_protocols() for _ in range(3)] - parts = self.build_parts(request_args['identity_provider']) - self.stub_entity('GET', parts=parts, - entity=expected, status_code=200) - - returned = self.manager.list(request_args['identity_provider']) - for obj, ref_obj in zip(returned, expected): - self.assertEqual(obj.to_dict(), ref_obj) - - def test_list_params(self): - request_args = self.new_ref() - filter_kwargs = {uuid.uuid4().hex: uuid.uuid4().hex} - parts = self.build_parts(request_args['identity_provider']) - - # Return HTTP 401 as we don't accept such requests. - self.stub_entity('GET', parts=parts, status_code=401) - self.assertRaises(exceptions.Unauthorized, - self.manager.list, - request_args['identity_provider'], - **filter_kwargs) - self.assertQueryStringContains(**filter_kwargs) - - def test_update(self): - """Test updating federation protocol - - URL to be tested: PATCH /OS-FEDERATION/identity_providers/ - $identity_provider/protocols/$protocol - - """ - request_args = self.new_ref() - expected = self._transform_to_response(request_args) - - parts = self.build_parts(request_args['identity_provider'], - request_args['protocol_id']) - - self.stub_entity('PATCH', parts=parts, - entity=expected, status_code=200) - - returned = self.manager.update(request_args['identity_provider'], - request_args['protocol_id'], - mapping=request_args['mapping']) - self.assertIsInstance(returned, self.model) - self.assertEqual(expected, returned.to_dict()) - request_body = {'mapping_id': request_args['mapping']} - self.assertEntityRequestBodyIs(request_body) - - -class EntityManagerTests(utils.TestCase): - def test_create_object_expect_fail(self): - self.assertRaises(TypeError, - base.EntityManager, - self.client) - - -class FederationProjectTests(utils.TestCase): - - def setUp(self): - super(FederationProjectTests, self).setUp() - self.key = 'project' - self.collection_key = 'projects' - self.model = projects.Project - self.manager = self.client.federation.projects - self.URL = "%s%s" % (self.TEST_URL, '/OS-FEDERATION/projects') - - def new_ref(self, **kwargs): - kwargs.setdefault('id', uuid.uuid4().hex) - kwargs.setdefault('domain_id', uuid.uuid4().hex) - kwargs.setdefault('enabled', True) - kwargs.setdefault('name', uuid.uuid4().hex) - return kwargs - - def test_list_accessible_projects(self): - projects_ref = [self.new_ref(), self.new_ref()] - projects_json = { - self.collection_key: [self.new_ref(), self.new_ref()] - } - self.requests.register_uri('GET', self.URL, - json=projects_json, status_code=200) - returned_list = self.manager.list() - - self.assertEqual(len(projects_ref), len(returned_list)) - for project in returned_list: - self.assertIsInstance(project, self.model) - - -class FederationDomainTests(utils.TestCase): - - def setUp(self): - super(FederationDomainTests, self).setUp() - self.key = 'domain' - self.collection_key = 'domains' - self.model = domains.Domain - self.manager = self.client.federation.domains - - self.URL = "%s%s" % (self.TEST_URL, '/OS-FEDERATION/domains') - - def new_ref(self, **kwargs): - kwargs.setdefault('id', uuid.uuid4().hex) - kwargs.setdefault('enabled', True) - kwargs.setdefault('name', uuid.uuid4().hex) - kwargs.setdefault('description', uuid.uuid4().hex) - return kwargs - - def test_list_accessible_domains(self): - domains_ref = [self.new_ref(), self.new_ref()] - domains_json = { - self.collection_key: domains_ref - } - self.requests.register_uri('GET', self.URL, - json=domains_json, status_code=200) - returned_list = self.manager.list() - self.assertEqual(len(domains_ref), len(returned_list)) - for domain in returned_list: - self.assertIsInstance(domain, self.model) diff --git a/keystoneclient/tests/v3/test_projects.py b/keystoneclient/tests/v3/test_projects.py deleted file mode 100644 index 8087e424e..000000000 --- a/keystoneclient/tests/v3/test_projects.py +++ /dev/null @@ -1,57 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import uuid - -from keystoneclient.tests.v3 import utils -from keystoneclient.v3 import projects - - -class ProjectTests(utils.TestCase, utils.CrudTests): - def setUp(self): - super(ProjectTests, self).setUp() - self.key = 'project' - self.collection_key = 'projects' - self.model = projects.Project - self.manager = self.client.projects - - def new_ref(self, **kwargs): - kwargs = super(ProjectTests, self).new_ref(**kwargs) - kwargs.setdefault('domain_id', uuid.uuid4().hex) - kwargs.setdefault('enabled', True) - kwargs.setdefault('name', uuid.uuid4().hex) - return kwargs - - def test_list_projects_for_user(self): - ref_list = [self.new_ref(), self.new_ref()] - user_id = uuid.uuid4().hex - - self.stub_entity('GET', - ['users', user_id, self.collection_key], - entity=ref_list) - - returned_list = self.manager.list(user=user_id) - self.assertEqual(len(ref_list), len(returned_list)) - [self.assertIsInstance(r, self.model) for r in returned_list] - - def test_list_projects_for_domain(self): - ref_list = [self.new_ref(), self.new_ref()] - domain_id = uuid.uuid4().hex - - self.stub_entity('GET', [self.collection_key], - entity=ref_list) - - returned_list = self.manager.list(domain=domain_id) - self.assertEqual(len(ref_list), len(returned_list)) - [self.assertIsInstance(r, self.model) for r in returned_list] - - self.assertQueryStringIs('domain_id=%s' % domain_id) diff --git a/keystoneclient/tests/v3/test_roles.py b/keystoneclient/tests/v3/test_roles.py deleted file mode 100644 index 151a337d0..000000000 --- a/keystoneclient/tests/v3/test_roles.py +++ /dev/null @@ -1,331 +0,0 @@ -# Copyright 2012 OpenStack Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import uuid - -from keystoneclient import exceptions -from keystoneclient.tests.v3 import utils -from keystoneclient.v3 import roles - - -class RoleTests(utils.TestCase, utils.CrudTests): - def setUp(self): - super(RoleTests, self).setUp() - self.key = 'role' - self.collection_key = 'roles' - self.model = roles.Role - self.manager = self.client.roles - - def new_ref(self, **kwargs): - kwargs = super(RoleTests, self).new_ref(**kwargs) - kwargs.setdefault('name', uuid.uuid4().hex) - return kwargs - - def test_domain_role_grant(self): - user_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('PUT', - ['domains', domain_id, 'users', user_id, - self.collection_key, ref['id']], - status_code=201) - - self.manager.grant(role=ref['id'], domain=domain_id, user=user_id) - - def test_domain_group_role_grant(self): - group_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('PUT', - ['domains', domain_id, 'groups', group_id, - self.collection_key, ref['id']], - status_code=201) - - self.manager.grant(role=ref['id'], domain=domain_id, group=group_id) - - def test_domain_role_list(self): - user_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref_list = [self.new_ref(), self.new_ref()] - - self.stub_entity('GET', - ['domains', domain_id, 'users', user_id, - self.collection_key], entity=ref_list) - - self.manager.list(domain=domain_id, user=user_id) - - def test_domain_group_role_list(self): - group_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref_list = [self.new_ref(), self.new_ref()] - - self.stub_entity('GET', - ['domains', domain_id, 'groups', group_id, - self.collection_key], entity=ref_list) - - self.manager.list(domain=domain_id, group=group_id) - - def test_domain_role_check(self): - user_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('HEAD', - ['domains', domain_id, 'users', user_id, - self.collection_key, ref['id']], - status_code=204) - - self.manager.check(role=ref['id'], domain=domain_id, - user=user_id) - - def test_domain_group_role_check(self): - return - group_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('HEAD', - ['domains', domain_id, 'groups', group_id, - self.collection_key, ref['id']], - status_code=204) - - self.manager.check(role=ref['id'], domain=domain_id, group=group_id) - - def test_domain_role_revoke(self): - user_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('DELETE', - ['domains', domain_id, 'users', user_id, - self.collection_key, ref['id']], - status_code=204) - - self.manager.revoke(role=ref['id'], domain=domain_id, user=user_id) - - def test_domain_group_role_revoke(self): - group_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('DELETE', - ['domains', domain_id, 'groups', group_id, - self.collection_key, ref['id']], - status_code=204) - - self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id) - - def test_project_role_grant(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('PUT', - ['projects', project_id, 'users', user_id, - self.collection_key, ref['id']], - status_code=201) - - self.manager.grant(role=ref['id'], project=project_id, user=user_id) - - def test_project_group_role_grant(self): - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('PUT', - ['projects', project_id, 'groups', group_id, - self.collection_key, ref['id']], - status_code=201) - - self.manager.grant(role=ref['id'], project=project_id, group=group_id) - - def test_project_role_list(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref_list = [self.new_ref(), self.new_ref()] - - self.stub_entity('GET', - ['projects', project_id, 'users', user_id, - self.collection_key], entity=ref_list) - - self.manager.list(project=project_id, user=user_id) - - def test_project_group_role_list(self): - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref_list = [self.new_ref(), self.new_ref()] - - self.stub_entity('GET', - ['projects', project_id, 'groups', group_id, - self.collection_key], entity=ref_list) - - self.manager.list(project=project_id, group=group_id) - - def test_project_role_check(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('HEAD', - ['projects', project_id, 'users', user_id, - self.collection_key, ref['id']], - status_code=200) - - self.manager.check(role=ref['id'], project=project_id, user=user_id) - - def test_project_group_role_check(self): - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('HEAD', - ['projects', project_id, 'groups', group_id, - self.collection_key, ref['id']], - status_code=200) - - self.manager.check(role=ref['id'], project=project_id, group=group_id) - - def test_project_role_revoke(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('DELETE', - ['projects', project_id, 'users', user_id, - self.collection_key, ref['id']], - status_code=204) - - self.manager.revoke(role=ref['id'], project=project_id, user=user_id) - - def test_project_group_role_revoke(self): - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.stub_url('DELETE', - ['projects', project_id, 'groups', group_id, - self.collection_key, ref['id']], - status_code=204) - - self.manager.revoke(role=ref['id'], project=project_id, group=group_id) - - def test_domain_project_role_grant_fails(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.assertRaises( - exceptions.ValidationError, - self.manager.grant, - role=ref['id'], - domain=domain_id, - project=project_id, - user=user_id) - - def test_domain_project_role_list_fails(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - - self.assertRaises( - exceptions.ValidationError, - self.manager.list, - domain=domain_id, - project=project_id, - user=user_id) - - def test_domain_project_role_check_fails(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.assertRaises( - exceptions.ValidationError, - self.manager.check, - role=ref['id'], - domain=domain_id, - project=project_id, - user=user_id) - - def test_domain_project_role_revoke_fails(self): - user_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - domain_id = uuid.uuid4().hex - ref = self.new_ref() - - self.assertRaises( - exceptions.ValidationError, - self.manager.revoke, - role=ref['id'], - domain=domain_id, - project=project_id, - user=user_id) - - def test_user_group_role_grant_fails(self): - user_id = uuid.uuid4().hex - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.assertRaises( - exceptions.ValidationError, - self.manager.grant, - role=ref['id'], - project=project_id, - group=group_id, - user=user_id) - - def test_user_group_role_list_fails(self): - user_id = uuid.uuid4().hex - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - - self.assertRaises( - exceptions.ValidationError, - self.manager.list, - project=project_id, - group=group_id, - user=user_id) - - def test_user_group_role_check_fails(self): - user_id = uuid.uuid4().hex - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.assertRaises( - exceptions.ValidationError, - self.manager.check, - role=ref['id'], - project=project_id, - group=group_id, - user=user_id) - - def test_user_group_role_revoke_fails(self): - user_id = uuid.uuid4().hex - group_id = uuid.uuid4().hex - project_id = uuid.uuid4().hex - ref = self.new_ref() - - self.assertRaises( - exceptions.ValidationError, - self.manager.revoke, - role=ref['id'], - project=project_id, - group=group_id, - user=user_id) diff --git a/keystoneclient/tests/v3/test_tokens.py b/keystoneclient/tests/v3/test_tokens.py deleted file mode 100644 index f608d6d4a..000000000 --- a/keystoneclient/tests/v3/test_tokens.py +++ /dev/null @@ -1,35 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import uuid - -from keystoneclient import access -from keystoneclient.tests import client_fixtures -from keystoneclient.tests.v3 import utils - - -class TokenTests(utils.TestCase): - - def test_revoke_token_with_token_id(self): - token_id = uuid.uuid4().hex - self.stub_url('DELETE', ['/auth/tokens'], status_code=204) - self.client.tokens.revoke_token(token_id) - self.assertRequestHeaderEqual('X-Subject-Token', token_id) - - def test_revoke_token_with_access_info_instance(self): - token_id = uuid.uuid4().hex - examples = self.useFixture(client_fixtures.Examples()) - token_ref = examples.TOKEN_RESPONSES[examples.v3_UUID_TOKEN_DEFAULT] - token = access.AccessInfoV3(token_id, token_ref['token']) - self.stub_url('DELETE', ['/auth/tokens'], status_code=204) - self.client.tokens.revoke_token(token) - self.assertRequestHeaderEqual('X-Subject-Token', token_id) diff --git a/keystoneclient/utils.py b/keystoneclient/utils.py index d3342f48f..1c31f2bd3 100644 --- a/keystoneclient/utils.py +++ b/keystoneclient/utils.py @@ -10,146 +10,71 @@ # License for the specific language governing permissions and limitations # under the License. -import functools import getpass import hashlib -import inspect -import logging import sys -import prettytable -import six +from keystoneauth1 import exceptions as ksa_exceptions +from oslo_utils import timeutils -from keystoneclient import exceptions -from keystoneclient.openstack.common import strutils - - -logger = logging.getLogger(__name__) - - -# Decorator for cli-args -def arg(*args, **kwargs): - def _decorator(func): - # Because of the semantics of decorator composition if we just append - # to the options list positional options will appear to be backwards. - func.__dict__.setdefault('arguments', []).insert(0, (args, kwargs)) - return func - return _decorator - - -def pretty_choice_list(l): - return ', '.join("'%s'" % i for i in l) - - -def print_list(objs, fields, formatters={}, order_by=None): - pt = prettytable.PrettyTable([f for f in fields], - caching=False, print_empty=False) - pt.aligns = ['l' for f in fields] - - for o in objs: - row = [] - for field in fields: - if field in formatters: - row.append(formatters[field](o)) - else: - field_name = field.lower().replace(' ', '_') - data = getattr(o, field_name, '') - if data is None: - data = '' - row.append(data) - pt.add_row(row) - - if order_by is None: - order_by = fields[0] - encoded = strutils.safe_encode(pt.get_string(sortby=order_by)) - if six.PY3: - encoded = encoded.decode() - print(encoded) - - -def _word_wrap(string, max_length=0): - """wrap long strings to be no longer than max_length.""" - if max_length <= 0: - return string - return '\n'.join([string[i:i + max_length] for i in - range(0, len(string), max_length)]) - - -def print_dict(d, wrap=0): - """pretty table prints dictionaries. - - Wrap values to max_length wrap if wrap>0 - """ - pt = prettytable.PrettyTable(['Property', 'Value'], - caching=False, print_empty=False) - pt.aligns = ['l', 'l'] - for (prop, value) in six.iteritems(d): - if value is None: - value = '' - value = _word_wrap(value, max_length=wrap) - pt.add_row([prop, value]) - encoded = strutils.safe_encode(pt.get_string(sortby='Property')) - if six.PY3: - encoded = encoded.decode() - print(encoded) +from keystoneclient import exceptions as ksc_exceptions def find_resource(manager, name_or_id): """Helper for the _find_* methods.""" - # first try the entity as a string try: return manager.get(name_or_id) - except (exceptions.NotFound): + except (ksa_exceptions.NotFound): # nosec(cjschaef): try to find + # 'name_or_id' as a bytes instead pass # finally try to find entity by name try: - if isinstance(name_or_id, six.binary_type): + if isinstance(name_or_id, bytes): name_or_id = name_or_id.decode('utf-8', 'strict') return manager.find(name=name_or_id) - except exceptions.NotFound: + except ksa_exceptions.NotFound: msg = ("No %s with a name or ID of '%s' exists." % (manager.resource_class.__name__.lower(), name_or_id)) - raise exceptions.CommandError(msg) - except exceptions.NoUniqueMatch: + raise ksc_exceptions.CommandError(msg) + except ksc_exceptions.NoUniqueMatch: msg = ("Multiple %s matches found for '%s', use an ID to be more" " specific." % (manager.resource_class.__name__.lower(), name_or_id)) - raise exceptions.CommandError(msg) - + raise ksc_exceptions.CommandError(msg) -def unauthenticated(f): - """Adds 'unauthenticated' attribute to decorated function. - Usage:: - - @unauthenticated - def mymethod(f): - ... - """ - f.unauthenticated = True - return f +def hash_signed_token(signed_text, mode='md5'): + hash_ = hashlib.new(mode) + hash_.update(signed_text) + return hash_.hexdigest() -def isunauthenticated(f): - """Checks to see if the function is marked as not requiring authentication - with the @unauthenticated decorator. +def prompt_user_password(): + """Prompt user for a password. - Returns True if decorator is set to True, False otherwise. + Prompt for a password if stdin is a tty. """ - return getattr(f, 'unauthenticated', False) + password = None + # If stdin is a tty, try prompting for the password + if hasattr(sys.stdin, 'isatty') and sys.stdin.isatty(): + # Check for Ctl-D + try: + password = getpass.getpass('Password: ') + except EOFError: # nosec(cjschaef): return password, which is None if + # password was not found + pass -def hash_signed_token(signed_text, mode='md5'): - hash_ = hashlib.new(mode) - hash_.update(signed_text) - return hash_.hexdigest() + return password def prompt_for_password(): - """Prompt user for password if not provided so the password - doesn't show up in the bash history. + """Prompt user for password if not provided. + + Prompt is used so the password doesn't show up in the + bash history. """ if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()): # nothing to do @@ -165,156 +90,33 @@ def prompt_for_password(): return -class positional(object): - """A decorator which enforces only some args may be passed positionally. - - This idea and some of the code was taken from the oauth2 client of the - google-api client. - - This decorator makes it easy to support Python 3 style key-word only - parameters. For example, in Python 3 it is possible to write:: - - def fn(pos1, *, kwonly1, kwonly2=None): - ... - - All named parameters after * must be a keyword:: - - fn(10, 'kw1', 'kw2') # Raises exception. - fn(10, kwonly1='kw1', kwonly2='kw2') # Ok. - - To replicate this behaviour with the positional decorator you simply - specify how many arguments may be passed positionally. To replicate the - example above:: - - @positional(1) - def fn(pos1, kwonly1=None, kwonly2=None): - ... - - If no default value is provided to a keyword argument, it becomes a - required keyword argument:: - - @positional(0) - def fn(required_kw): - ... - - This must be called with the keyword parameter:: - - fn() # Raises exception. - fn(10) # Raises exception. - fn(required_kw=10) # Ok. - - When defining instance or class methods always remember that in python the - first positional argument passed is always the instance so you will need to - account for `self` and `cls`:: - - class MyClass(object): - - @positional(2) - def my_method(self, pos1, kwonly1=None): - ... - - @classmethod - @positional(2) - def my_method(cls, pos1, kwonly1=None): - ... - - If you would prefer not to account for `self` and `cls` you can use the - `method` and `classmethod` helpers which do not consider the initial - positional argument. So the following class is exactly the same as the one - above:: - - class MyClass(object): - - @positional.method(1) - def my_method(self, pos1, kwonly1=None): - ... - - @positional.classmethod(1) - def my_method(cls, pos1, kwonly1=None): - ... - - If a value isn't provided to the decorator then it will enforce that - every variable without a default value will be required to be a kwarg:: - - @positional() - def fn(pos1, kwonly1=None): - ... - - fn(10) # Ok. - fn(10, 20) # Raises exception. - fn(10, kwonly1=20) # Ok. - - This behaviour will work with the `positional.method` and - `positional.classmethod` helper functions as well:: - - class MyClass(object): - - @positional.classmethod() - def my_method(cls, pos1, kwonly1=None): - ... - - MyClass.my_method(10) # Ok. - MyClass.my_method(10, 20) # Raises exception. - MyClass.my_method(10, kwonly1=20) # Ok. - - For compatibility reasons you may wish to not always raise an exception so - a WARN mode is available. Rather than raise an exception a warning message - will be logged:: - - @positional(1, enforcement=positional.WARN): - def fn(pos1, kwonly=1): - ... - - Available modes are: - - - positional.EXCEPT - the default, raise an exception. - - positional.WARN - log a warning on mistake. - """ - - EXCEPT = 'except' - WARN = 'warn' - - def __init__(self, max_positional_args=None, enforcement=EXCEPT): - self._max_positional_args = max_positional_args - self._enforcement = enforcement - - @classmethod - def method(cls, max_positional_args=None, enforcement=EXCEPT): - if max_positional_args is not None: - max_positional_args += 1 - - def f(func): - return cls(max_positional_args, enforcement)(func) - return f - - @classmethod - def classmethod(cls, *args, **kwargs): - def f(func): - return classmethod(cls.method(*args, **kwargs)(func)) - return f - - def __call__(self, func): - if self._max_positional_args is None: - spec = inspect.getargspec(func) - self._max_positional_args = len(spec.args) - len(spec.defaults) - - plural = '' if self._max_positional_args == 1 else 's' - - @functools.wraps(func) - def inner(*args, **kwargs): - if len(args) > self._max_positional_args: - message = ('%(name)s takes at most %(max)d positional ' - 'argument%(plural)s (%(given)d given)' % - {'name': func.__name__, - 'max': self._max_positional_args, - 'given': len(args), - 'plural': plural}) - - if self._enforcement == self.EXCEPT: - raise TypeError(message) - elif self._enforcement == self.WARN: - logger.warn(message) - - return func(*args, **kwargs) - - return inner +_ISO8601_TIME_FORMAT_SUBSECOND = '%Y-%m-%dT%H:%M:%S.%f' +_ISO8601_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S' + + +def isotime(at=None, subsecond=False): + """Stringify time in ISO 8601 format.""" + # Python provides a similar instance method for datetime.datetime objects + # called isoformat(). The format of the strings generated by isoformat() + # have a couple of problems: + # 1) The strings generated by isotime are used in tokens and other public + # APIs that we can't change without a deprecation period. The strings + # generated by isoformat are not the same format, so we can't just + # change to it. + # 2) The strings generated by isoformat do not include the microseconds if + # the value happens to be 0. This will likely show up as random failures + # as parsers may be written to always expect microseconds, and it will + # parse correctly most of the time. + if not at: + at = timeutils.utcnow() + st = at.strftime(_ISO8601_TIME_FORMAT + if not subsecond + else _ISO8601_TIME_FORMAT_SUBSECOND) + tz = at.tzinfo.tzname(None) if at.tzinfo else 'UTC' + st += ('Z' if (tz == 'UTC' or tz == 'UTC+00:00') else tz) + return st + + +def strtime(at=None): + at = at or timeutils.utcnow() + return at.strftime(timeutils.PERFECT_TIME_FORMAT) diff --git a/keystoneclient/v2_0/__init__.py b/keystoneclient/v2_0/__init__.py index f99be3bb6..23382fea1 100644 --- a/keystoneclient/v2_0/__init__.py +++ b/keystoneclient/v2_0/__init__.py @@ -1,7 +1,6 @@ -# flake8: noqa -from keystoneclient.v2_0.client import Client +from keystoneclient.v2_0.client import Client # noqa -__all__ = [ +__all__ = ( 'client', -] +) diff --git a/keystoneclient/v2_0/certificates.py b/keystoneclient/v2_0/certificates.py new file mode 100644 index 000000000..2c69dfb3d --- /dev/null +++ b/keystoneclient/v2_0/certificates.py @@ -0,0 +1,40 @@ +# Copyright 2014 IBM Corp. +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +class CertificatesManager(object): + """Manager for certificates.""" + + def __init__(self, client): + self._client = client + + def get_ca_certificate(self): + """Get CA certificate. + + :returns: PEM-formatted string. + :rtype: str + + """ + resp, body = self._client.get('/certificates/ca', authenticated=False) + return resp.text + + def get_signing_certificate(self): + """Get signing certificate. + + :returns: PEM-formatted string. + :rtype: str + + """ + resp, body = self._client.get('/certificates/signing', + authenticated=False) + return resp.text diff --git a/keystoneclient/v2_0/client.py b/keystoneclient/v2_0/client.py index 793e5cd34..904f76935 100644 --- a/keystoneclient/v2_0/client.py +++ b/keystoneclient/v2_0/client.py @@ -14,10 +14,13 @@ # under the License. import logging +import warnings from keystoneclient.auth.identity import v2 as v2_auth from keystoneclient import exceptions from keystoneclient import httpclient +from keystoneclient.i18n import _ +from keystoneclient.v2_0 import certificates from keystoneclient.v2_0 import ec2 from keystoneclient.v2_0 import endpoints from keystoneclient.v2_0 import extensions @@ -77,6 +80,11 @@ class Client(httpclient.HTTPClient): If debug is enabled, it may show passwords in plain text as a part of its output. + .. warning:: + + Constructing an instance of this class without a session is + deprecated as of the 1.7.0 release and will be removed in the + 2.0.0 release. The client can be created and used like a user or in a strictly bootstrap mode. Normal operation expects a username, password, auth_url, @@ -85,11 +93,15 @@ class Client(httpclient.HTTPClient): Example:: + >>> from keystoneauth1.identity import v2 + >>> from keystoneauth1 import session >>> from keystoneclient.v2_0 import client - >>> keystone = client.Client(username=USER, - ... password=PASS, - ... tenant_name=TENANT_NAME, - ... auth_url=KEYSTONE_URL) + >>> auth = v2.Password(auth_url=KEYSTONE_URL, + ... username=USER, + ... password=PASS, + ... tenant_name=TENANT_NAME) + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) >>> keystone.tenants.list() ... >>> user = keystone.users.get(USER_ID) @@ -100,11 +112,15 @@ class Client(httpclient.HTTPClient): returns as a dictionary-like-object so that you can export and cache it, re-using it when initiating another client:: + >>> from keystoneauth1.identity import v2 + >>> from keystoneauth1 import session >>> from keystoneclient.v2_0 import client - >>> keystone = client.Client(username=USER, - ... password=PASS, - ... tenant_name=TENANT_NAME, - ... auth_url=KEYSTONE_URL) + >>> auth = v2.Password(auth_url=KEYSTONE_URL, + ... username=USER, + ... password=PASS, + ... tenant_name=TENANT_NAME) + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) >>> auth_ref = keystone.auth_ref >>> # pickle or whatever you like here >>> new_client = client.Client(auth_ref=auth_ref) @@ -116,10 +132,13 @@ class Client(httpclient.HTTPClient): Example:: + >>> from keystoneauth1.identity import v2 + >>> from keystoneauth1 import session >>> from keystoneclient.v2_0 import client - >>> admin_client = client.Client( - ... token='12345secret7890', - ... endpoint='http://localhost:35357/v2.0') + >>> auth = v2.Token(auth_url='http://localhost:35357/v2.0', + ... token='12345secret7890') + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) >>> keystone.tenants.list() """ @@ -128,18 +147,28 @@ class Client(httpclient.HTTPClient): def __init__(self, **kwargs): """Initialize a new client for the Keystone v2.0 API.""" + if not kwargs.get('session'): + warnings.warn( + 'Constructing an instance of the ' + 'keystoneclient.v2_0.client.Client class without a session is ' + 'deprecated as of the 1.7.0 release and may be removed in ' + 'the 2.0.0 release.', DeprecationWarning) + super(Client, self).__init__(**kwargs) - self.endpoints = endpoints.EndpointManager(self) - self.extensions = extensions.ExtensionManager(self) - self.roles = roles.RoleManager(self) - self.services = services.ServiceManager(self) - self.tokens = tokens.TokenManager(self) - self.users = users.UserManager(self, self.roles) - self.tenants = tenants.TenantManager(self, self.roles, self.users) + self.certificates = certificates.CertificatesManager(self._adapter) + self.endpoints = endpoints.EndpointManager(self._adapter) + self.extensions = extensions.ExtensionManager(self._adapter) + self.roles = roles.RoleManager(self._adapter) + self.services = services.ServiceManager(self._adapter) + self.tokens = tokens.TokenManager(self._adapter) + self.users = users.UserManager(self._adapter, self.roles) + + self.tenants = tenants.TenantManager(self._adapter, + self.roles, self.users) # extensions - self.ec2 = ec2.CredentialsManager(self) + self.ec2 = ec2.CredentialsManager(self._adapter) # DEPRECATED: if session is passed then we go to the new behaviour of # authenticating on the first required call. @@ -158,12 +187,12 @@ def get_raw_token_from_identity_service(self, auth_url, username=None, password. :returns: access.AccessInfo if authentication was successful. - :raises: AuthorizationFailure if unable to authenticate or validate - the existing authorization token + :raises keystoneclient.exceptions.AuthorizationFailure: if unable to + authenticate or validate the existing authorization token """ try: if auth_url is None: - raise ValueError("Cannot authenticate without an auth_url") + raise ValueError(_("Cannot authenticate without an auth_url")) new_kwargs = {'trust_id': trust_id, 'tenant_id': project_id or tenant_id, @@ -175,7 +204,7 @@ def get_raw_token_from_identity_service(self, auth_url, username=None, plugin = v2_auth.Password(auth_url, username, password, **new_kwargs) else: - msg = 'A username and password or token is required.' + msg = _('A username and password or token is required.') raise exceptions.AuthorizationFailure(msg) return plugin.get_auth_ref(self.session) @@ -183,8 +212,9 @@ def get_raw_token_from_identity_service(self, auth_url, username=None, _logger.debug("Authorization Failed.") raise except exceptions.EndpointNotFound: - msg = 'There was no suitable authentication url for this request' + msg = ( + _('There was no suitable authentication url for this request')) raise exceptions.AuthorizationFailure(msg) except Exception as e: - raise exceptions.AuthorizationFailure("Authorization Failed: " - "%s" % e) + raise exceptions.AuthorizationFailure( + _("Authorization Failed: %s") % e) diff --git a/keystoneclient/v2_0/ec2.py b/keystoneclient/v2_0/ec2.py index 0baf224f9..0abe98b07 100644 --- a/keystoneclient/v2_0/ec2.py +++ b/keystoneclient/v2_0/ec2.py @@ -18,6 +18,7 @@ class EC2(base.Resource): def __repr__(self): + """Return string representation of EC2 resource information.""" return "" % self._info def delete(self): @@ -32,11 +33,10 @@ def create(self, user_id, tenant_id): :rtype: object of type :class:`EC2` """ - params = {'tenant_id': tenant_id} - return self._create('/users/%s/credentials/OS-EC2' % user_id, - params, "credential") + return self._post('/users/%s/credentials/OS-EC2' % user_id, + params, "credential") def list(self, user_id): """Get a list of access/secret pairs for a user_id. diff --git a/keystoneclient/v2_0/endpoints.py b/keystoneclient/v2_0/endpoints.py index 35bda258f..13ac399d1 100644 --- a/keystoneclient/v2_0/endpoints.py +++ b/keystoneclient/v2_0/endpoints.py @@ -18,7 +18,9 @@ class Endpoint(base.Resource): """Represents a Keystone endpoint.""" + def __repr__(self): + """Return string representation of endpoint resource information.""" return "" % self._info @@ -39,7 +41,7 @@ def create(self, region, service_id, publicurl, adminurl=None, 'publicurl': publicurl, 'adminurl': adminurl, 'internalurl': internalurl}} - return self._create('/endpoints', body, 'endpoint') + return self._post('/endpoints', body, 'endpoint') def delete(self, id): """Delete an endpoint.""" diff --git a/keystoneclient/v2_0/extensions.py b/keystoneclient/v2_0/extensions.py index b805d31de..f1c402700 100644 --- a/keystoneclient/v2_0/extensions.py +++ b/keystoneclient/v2_0/extensions.py @@ -15,7 +15,9 @@ class Extension(base.Resource): """Represents an Identity API extension.""" + def __repr__(self): + """Return string representation of extension resource information.""" return "" % self._info diff --git a/keystoneclient/v2_0/roles.py b/keystoneclient/v2_0/roles.py index 3fc47e96f..b91808446 100644 --- a/keystoneclient/v2_0/roles.py +++ b/keystoneclient/v2_0/roles.py @@ -19,7 +19,9 @@ class Role(base.Resource): """Represents a Keystone role.""" + def __repr__(self): + """Return string representation of role resource information.""" return "" % self._info def delete(self): @@ -28,6 +30,7 @@ def delete(self): class RoleManager(base.ManagerWithFind): """Manager class for manipulating Keystone roles.""" + resource_class = Role def get(self, role): @@ -36,7 +39,7 @@ def get(self, role): def create(self, name): """Create a role.""" params = {"role": {"name": name}} - return self._create('/OS-KSADM/roles', params, "role") + return self._post('/OS-KSADM/roles', params, "role") def delete(self, role): """Delete a role.""" @@ -56,7 +59,7 @@ def roles_for_user(self, user, tenant=None): return self._list("/users/%s/roles" % user_id, "roles") def add_user_role(self, user, role, tenant=None): - """Adds a role to a user. + """Add a role to a user. If tenant is specified, the role is added just for that tenant, otherwise the role is added globally. @@ -72,7 +75,7 @@ def add_user_role(self, user, role, tenant=None): return self._update(route % (user_id, role_id), None, "roles") def remove_user_role(self, user, role, tenant=None): - """Removes a role from a user. + """Remove a role from a user. If tenant is specified, the role is removed just for that tenant, otherwise the role is removed from the user's global roles. diff --git a/keystoneclient/v2_0/services.py b/keystoneclient/v2_0/services.py index adb740d57..8f20b4daa 100644 --- a/keystoneclient/v2_0/services.py +++ b/keystoneclient/v2_0/services.py @@ -19,12 +19,15 @@ class Service(base.Resource): """Represents a Keystone service.""" + def __repr__(self): + """Return string representation of service resource information.""" return "" % self._info class ServiceManager(base.ManagerWithFind): """Manager class for manipulating Keystone services.""" + resource_class = Service def list(self): @@ -35,12 +38,12 @@ def get(self, id): """Retrieve a service by id.""" return self._get("/OS-KSADM/services/%s" % id, "OS-KSADM:service") - def create(self, name, service_type, description): + def create(self, name, service_type, description=None): """Create a new service.""" body = {"OS-KSADM:service": {'name': name, 'type': service_type, 'description': description}} - return self._create("/OS-KSADM/services", body, "OS-KSADM:service") + return self._post("/OS-KSADM/services", body, "OS-KSADM:service") def delete(self, id): """Delete a service.""" diff --git a/keystoneclient/v2_0/shell.py b/keystoneclient/v2_0/shell.py deleted file mode 100755 index 5d8d2652c..000000000 --- a/keystoneclient/v2_0/shell.py +++ /dev/null @@ -1,545 +0,0 @@ -# Copyright 2010 Jacob Kaplan-Moss -# Copyright 2011 OpenStack Foundation -# Copyright 2011 Nebula, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -""" -This module is pending deprecation in favor of python-openstackclient. - -Bug fixes are welcome, but new features should be exposed to the CLI by -python-openstackclient after being added to the python-keystoneclient library. - -""" - -import argparse -import getpass -import sys - -import six - -from keystoneclient.openstack.common import strutils -from keystoneclient import utils -from keystoneclient.v2_0 import client - - -CLIENT_CLASS = client.Client -ASK_FOR_PASSWORD = object() - - -def require_service_catalog(f): - msg = ('Configuration error: Client configured to run without a service ' - 'catalog. Run the client using --os-auth-url or OS_AUTH_URL, ' - 'instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example.') - - def wrapped(kc, args): - if not kc.has_service_catalog(): - raise Exception(msg) - return f(kc, args) - - # Change __doc__ attribute back to origin function's __doc__ - wrapped.__doc__ = f.__doc__ - - return wrapped - - -@utils.arg('--tenant', '--tenant-id', metavar='', - help='Tenant; lists all users if not specified.') -@utils.arg('--tenant_id', help=argparse.SUPPRESS) -def do_user_list(kc, args): - """List users.""" - if args.tenant: - tenant_id = utils.find_resource(kc.tenants, args.tenant).id - else: - tenant_id = None - users = kc.users.list(tenant_id=tenant_id) - utils.print_list(users, ['id', 'name', 'enabled', 'email'], - order_by='name') - - -@utils.arg('user', metavar='', help='Name or ID of user to display.') -def do_user_get(kc, args): - """Display user details.""" - user = utils.find_resource(kc.users, args.user) - utils.print_dict(user._info) - - -@utils.arg('--name', metavar='', required=True, - help='New user name (must be unique).') -@utils.arg('--tenant', '--tenant-id', metavar='', - help='New user default tenant.') -@utils.arg('--tenant_id', help=argparse.SUPPRESS) -@utils.arg('--pass', metavar='', dest='passwd', nargs='?', - const=ASK_FOR_PASSWORD, help='New user password; ' - 'required for some auth backends.') -@utils.arg('--email', metavar='', - help='New user email address.') -@utils.arg('--enabled', metavar='', default=True, - help='Initial user enabled status. Default is true.') -def do_user_create(kc, args): - """Create new user.""" - if args.tenant: - tenant_id = utils.find_resource(kc.tenants, args.tenant).id - elif args.tenant_id: - tenant_id = args.tenant_id - else: - tenant_id = None - new_passwd = args.passwd - if args.passwd is ASK_FOR_PASSWORD: - new_passwd = utils.prompt_for_password() - user = kc.users.create(args.name, new_passwd, args.email, - tenant_id=tenant_id, - enabled=strutils.bool_from_string(args.enabled)) - utils.print_dict(user._info) - - -@utils.arg('--name', metavar='', - help='Desired new user name.') -@utils.arg('--email', metavar='', - help='Desired new email address.') -@utils.arg('--enabled', metavar='', - help='Enable or disable user.') -@utils.arg('user', metavar='', help='Name or ID of user to update.') -def do_user_update(kc, args): - """Update user's name, email, and enabled status.""" - kwargs = {} - if args.name: - kwargs['name'] = args.name - if args.email is not None: - kwargs['email'] = args.email - if args.enabled: - kwargs['enabled'] = strutils.bool_from_string(args.enabled) - - if not len(kwargs): - print("User not updated, no arguments present.") - return - - user = utils.find_resource(kc.users, args.user) - try: - kc.users.update(user, **kwargs) - print('User has been updated.') - except Exception as e: - print('Unable to update user: %s' % e) - - -@utils.arg('--pass', metavar='', dest='passwd', required=False, - help='Desired new password.') -@utils.arg('user', metavar='', - help='Name or ID of user to update password.') -def do_user_password_update(kc, args): - """Update user password.""" - user = utils.find_resource(kc.users, args.user) - new_passwd = args.passwd or utils.prompt_for_password() - if new_passwd is None: - msg = ("\nPlease specify password using the --pass option " - "or using the prompt") - sys.exit(msg) - kc.users.update_password(user, new_passwd) - - -@utils.arg('--current-password', metavar='', - dest='currentpasswd', required=False, help='Current password, ' - 'Defaults to the password as set by --os-password or ' - 'env[OS_PASSWORD].') -@utils.arg('--new-password ', metavar='', dest='newpasswd', - required=False, help='Desired new password.') -def do_password_update(kc, args): - """Update own password.""" - - # we are prompting for these passwords if they are not passed in - # this gives users the option not to have their password - # appear in bash history etc.. - currentpasswd = args.os_password - if args.currentpasswd is not None: - currentpasswd = args.currentpasswd - if currentpasswd is None: - currentpasswd = getpass.getpass('Current Password: ') - - newpasswd = args.newpasswd - while newpasswd is None: - passwd1 = getpass.getpass('New Password: ') - passwd2 = getpass.getpass('Repeat New Password: ') - if passwd1 == passwd2: - newpasswd = passwd1 - - kc.users.update_own_password(currentpasswd, newpasswd) - - if args.os_password != newpasswd: - print("You should update the password you are using to authenticate " - "to match your new password") - - -@utils.arg('user', metavar='', help='Name or ID of user to delete.') -def do_user_delete(kc, args): - """Delete user.""" - user = utils.find_resource(kc.users, args.user) - kc.users.delete(user) - - -def do_tenant_list(kc, args): - """List all tenants.""" - tenants = kc.tenants.list() - utils.print_list(tenants, ['id', 'name', 'enabled'], order_by='name') - - -@utils.arg('tenant', metavar='', - help='Name or ID of tenant to display.') -def do_tenant_get(kc, args): - """Display tenant details.""" - tenant = utils.find_resource(kc.tenants, args.tenant) - utils.print_dict(tenant._info) - - -@utils.arg('--name', metavar='', required=True, - help='New tenant name (must be unique).') -@utils.arg('--description', metavar='', default=None, - help='Description of new tenant. Default is none.') -@utils.arg('--enabled', metavar='', default=True, - help='Initial tenant enabled status. Default is true.') -def do_tenant_create(kc, args): - """Create new tenant.""" - tenant = kc.tenants.create(args.name, - description=args.description, - enabled=strutils.bool_from_string(args.enabled)) - utils.print_dict(tenant._info) - - -@utils.arg('--name', metavar='', - help='Desired new name of tenant.') -@utils.arg('--description', metavar='', default=None, - help='Desired new description of tenant.') -@utils.arg('--enabled', metavar='', - help='Enable or disable tenant.') -@utils.arg('tenant', metavar='', - help='Name or ID of tenant to update.') -def do_tenant_update(kc, args): - """Update tenant name, description, enabled status.""" - tenant = utils.find_resource(kc.tenants, args.tenant) - kwargs = {} - if args.name: - kwargs.update({'name': args.name}) - if args.description is not None: - kwargs.update({'description': args.description}) - if args.enabled: - kwargs.update({'enabled': strutils.bool_from_string(args.enabled)}) - - if kwargs == {}: - print("Tenant not updated, no arguments present.") - return - tenant.update(**kwargs) - - -@utils.arg('tenant', metavar='', - help='Name or ID of tenant to delete.') -def do_tenant_delete(kc, args): - """Delete tenant.""" - tenant = utils.find_resource(kc.tenants, args.tenant) - kc.tenants.delete(tenant) - - -@utils.arg('--name', metavar='', required=True, - help='Name of new service (must be unique).') -@utils.arg('--type', metavar='', required=True, - help='Service type (one of: identity, compute, network, ' - 'image, object-store, or other service identifier string).') -@utils.arg('--description', metavar='', - help='Description of service.') -def do_service_create(kc, args): - """Add service to Service Catalog.""" - service = kc.services.create(args.name, - args.type, - args.description) - utils.print_dict(service._info) - - -def do_service_list(kc, args): - """List all services in Service Catalog.""" - services = kc.services.list() - utils.print_list(services, ['id', 'name', 'type', 'description'], - order_by='name') - - -@utils.arg('service', metavar='', - help='Name or ID of service to display.') -def do_service_get(kc, args): - """Display service from Service Catalog.""" - service = utils.find_resource(kc.services, args.service) - utils.print_dict(service._info) - - -@utils.arg('service', metavar='', - help='Name or ID of service to delete.') -def do_service_delete(kc, args): - """Delete service from Service Catalog.""" - service = utils.find_resource(kc.services, args.service) - kc.services.delete(service.id) - - -def do_role_list(kc, args): - """List all roles.""" - roles = kc.roles.list() - utils.print_list(roles, ['id', 'name'], order_by='name') - - -@utils.arg('role', metavar='', help='Name or ID of role to display.') -def do_role_get(kc, args): - """Display role details.""" - role = utils.find_resource(kc.roles, args.role) - utils.print_dict(role._info) - - -@utils.arg('--name', metavar='', required=True, - help='Name of new role.') -def do_role_create(kc, args): - """Create new role.""" - role = kc.roles.create(args.name) - utils.print_dict(role._info) - - -@utils.arg('role', metavar='', help='Name or ID of role to delete.') -def do_role_delete(kc, args): - """Delete role.""" - role = utils.find_resource(kc.roles, args.role) - kc.roles.delete(role) - - -@utils.arg('--user', '--user-id', '--user_id', metavar='', - required=True, help='Name or ID of user.') -@utils.arg('--role', '--role-id', '--role_id', metavar='', - required=True, help='Name or ID of role.') -@utils.arg('--tenant', '--tenant-id', metavar='', - help='Name or ID of tenant.') -@utils.arg('--tenant_id', help=argparse.SUPPRESS) -def do_user_role_add(kc, args): - """Add role to user.""" - user = utils.find_resource(kc.users, args.user) - role = utils.find_resource(kc.roles, args.role) - if args.tenant: - tenant = utils.find_resource(kc.tenants, args.tenant) - elif args.tenant_id: - tenant = args.tenant_id - else: - tenant = None - kc.roles.add_user_role(user, role, tenant) - - -@utils.arg('--user', '--user-id', '--user_id', metavar='', - required=True, help='Name or ID of user.') -@utils.arg('--role', '--role-id', '--role_id', metavar='', - required=True, help='Name or ID of role.') -@utils.arg('--tenant', '--tenant-id', metavar='', - help='Name or ID of tenant.') -@utils.arg('--tenant_id', help=argparse.SUPPRESS) -def do_user_role_remove(kc, args): - """Remove role from user.""" - user = utils.find_resource(kc.users, args.user) - role = utils.find_resource(kc.roles, args.role) - if args.tenant: - tenant = utils.find_resource(kc.tenants, args.tenant) - elif args.tenant_id: - tenant = args.tenant_id - else: - tenant = None - kc.roles.remove_user_role(user, role, tenant) - - -@utils.arg('--user', '--user-id', metavar='', - help='List roles granted to specified user.') -@utils.arg('--user_id', help=argparse.SUPPRESS) -@utils.arg('--tenant', '--tenant-id', metavar='', - help='List only roles granted on specified tenant.') -@utils.arg('--tenant_id', help=argparse.SUPPRESS) -def do_user_role_list(kc, args): - """List roles granted to a user.""" - if args.tenant: - tenant_id = utils.find_resource(kc.tenants, args.tenant).id - elif args.tenant_id: - tenant_id = args.tenant_id - else: - # use the authenticated tenant id as a default - tenant_id = kc.auth_tenant_id - - if args.user: - user_id = utils.find_resource(kc.users, args.user).id - elif args.user_id: - user_id = args.user_id - else: - # use the authenticated user id as a default - user_id = kc.auth_user_id - roles = kc.roles.roles_for_user(user=user_id, tenant=tenant_id) - - # this makes the command output a bit more intuitive - for role in roles: - role.user_id = user_id - role.tenant_id = tenant_id - - utils.print_list(roles, ['id', 'name', 'user_id', 'tenant_id'], - order_by='name') - - -@utils.arg('--user-id', metavar='', - help='User ID for which to create credentials. If not specified, ' - 'the authenticated user will be used.') -@utils.arg('--user_id', help=argparse.SUPPRESS) -@utils.arg('--tenant-id', metavar='', - help='Tenant ID for which to create credentials. If not ' - 'specified, the authenticated tenant ID will be used.') -@utils.arg('--tenant_id', help=argparse.SUPPRESS) -def do_ec2_credentials_create(kc, args): - """Create EC2-compatible credentials for user per tenant.""" - if not args.tenant_id: - # use the authenticated tenant id as a default - args.tenant_id = kc.auth_tenant_id - if not args.user_id: - # use the authenticated user id as a default - args.user_id = kc.auth_user_id - credentials = kc.ec2.create(args.user_id, args.tenant_id) - utils.print_dict(credentials._info) - - -@utils.arg('--user-id', metavar='', help='User ID.') -@utils.arg('--user_id', help=argparse.SUPPRESS) -@utils.arg('--access', metavar='', required=True, - help='Access Key.') -def do_ec2_credentials_get(kc, args): - """Display EC2-compatible credentials.""" - if not args.user_id: - # use the authenticated user id as a default - args.user_id = kc.auth_user_id - cred = kc.ec2.get(args.user_id, args.access) - if cred: - utils.print_dict(cred._info) - - -@utils.arg('--user-id', metavar='', help='User ID.') -@utils.arg('--user_id', help=argparse.SUPPRESS) -def do_ec2_credentials_list(kc, args): - """List EC2-compatible credentials for a user.""" - if not args.user_id: - # use the authenticated user id as a default - args.user_id = kc.auth_user_id - credentials = kc.ec2.list(args.user_id) - for cred in credentials: - try: - cred.tenant = getattr(kc.tenants.get(cred.tenant_id), 'name') - except Exception: - # FIXME(dtroyer): Retrieving the tenant name fails for normal - # users; stuff in the tenant_id instead. - cred.tenant = cred.tenant_id - utils.print_list(credentials, ['tenant', 'access', 'secret']) - - -@utils.arg('--user-id', metavar='', help='User ID.') -@utils.arg('--user_id', help=argparse.SUPPRESS) -@utils.arg('--access', metavar='', required=True, - help='Access Key.') -def do_ec2_credentials_delete(kc, args): - """Delete EC2-compatible credentials.""" - if not args.user_id: - # use the authenticated user id as a default - args.user_id = kc.auth_user_id - try: - kc.ec2.delete(args.user_id, args.access) - print('Credential has been deleted.') - except Exception as e: - print('Unable to delete credential: %s' % e) - - -@utils.arg('--service', metavar='', default=None, - help='Service type to return.') -@require_service_catalog -def do_catalog(kc, args): - """List service catalog, possibly filtered by service.""" - endpoints = kc.service_catalog.get_endpoints(service_type=args.service) - for (service, service_endpoints) in six.iteritems(endpoints): - if len(service_endpoints) > 0: - print("Service: %s" % service) - for ep in service_endpoints: - utils.print_dict(ep) - - -@utils.arg('--service', metavar='', required=True, - help='Service type to select.') -@utils.arg('--endpoint-type', metavar='', default='publicURL', - help='Endpoint type to select.') -@utils.arg('--endpoint_type', default='publicURL', - help=argparse.SUPPRESS) -@utils.arg('--attr', metavar='', - help='Service attribute to match for selection.') -@utils.arg('--value', metavar='', - help='Value of attribute to match.') -@require_service_catalog -def do_endpoint_get(kc, args): - """Find endpoint filtered by a specific attribute or service type.""" - kwargs = { - 'service_type': args.service, - 'endpoint_type': args.endpoint_type, - } - - if args.attr and args.value: - kwargs.update({'attr': args.attr, 'filter_value': args.value}) - elif args.attr or args.value: - print('Both --attr and --value required.') - return - - url = kc.service_catalog.url_for(**kwargs) - utils.print_dict({'%s.%s' % (args.service, args.endpoint_type): url}) - - -def do_endpoint_list(kc, args): - """List configured service endpoints.""" - endpoints = kc.endpoints.list() - utils.print_list(endpoints, - ['id', 'region', 'publicurl', - 'internalurl', 'adminurl', 'service_id']) - - -@utils.arg('--region', metavar='', - help='Endpoint region.', default='regionOne') -@utils.arg('--service', '--service-id', '--service_id', - metavar='', required=True, - help='Name or ID of service associated with endpoint.') -@utils.arg('--publicurl', metavar='', required=True, - help='Public URL endpoint.') -@utils.arg('--adminurl', metavar='', - help='Admin URL endpoint.') -@utils.arg('--internalurl', metavar='', - help='Internal URL endpoint.') -def do_endpoint_create(kc, args): - """Create a new endpoint associated with a service.""" - service_id = utils.find_resource(kc.services, args.service).id - endpoint = kc.endpoints.create(args.region, - service_id, - args.publicurl, - args.adminurl, - args.internalurl) - utils.print_dict(endpoint._info) - - -@utils.arg('id', metavar='', help='ID of endpoint to delete.') -def do_endpoint_delete(kc, args): - """Delete a service endpoint.""" - try: - kc.endpoints.delete(args.id) - print('Endpoint has been deleted.') - except Exception: - print('Unable to delete endpoint.') - - -@utils.arg('--wrap', metavar='', default=0, - help='Wrap PKI tokens to a specified length, or 0 to disable.') -@require_service_catalog -def do_token_get(kc, args): - """Display the current user token.""" - utils.print_dict(kc.service_catalog.get_token(), - wrap=int(args.wrap)) diff --git a/keystoneclient/v2_0/tenants.py b/keystoneclient/v2_0/tenants.py index 79d98d559..91731c45e 100644 --- a/keystoneclient/v2_0/tenants.py +++ b/keystoneclient/v2_0/tenants.py @@ -14,16 +14,15 @@ # License for the specific language governing permissions and limitations # under the License. -import six -from six.moves import urllib +from keystoneauth1 import plugin +import urllib.parse -from keystoneclient import auth from keystoneclient import base from keystoneclient import exceptions class Tenant(base.Resource): - """Represents a Keystone tenant + """Represents a Keystone tenant. Attributes: * id: a uuid that identifies the tenant @@ -32,7 +31,9 @@ class Tenant(base.Resource): * enabled: boolean to indicate if tenant is enabled """ + def __repr__(self): + """Return string representation of tenant resource information.""" return "" % self._info def delete(self): @@ -72,6 +73,7 @@ def list_users(self): class TenantManager(base.ManagerWithFind): """Manager class for manipulating Keystone tenants.""" + resource_class = Tenant def __init__(self, client, role_manager, user_manager): @@ -89,11 +91,11 @@ def create(self, tenant_name, description=None, enabled=True, **kwargs): "enabled": enabled}} # Allow Extras Passthru and ensure we don't clobber primary arguments. - for k, v in six.iteritems(kwargs): + for k, v in kwargs.items(): if k not in params['tenant']: params['tenant'][k] = v - return self._create('/tenants', params, "tenant") + return self._post('/tenants', params, "tenant") def list(self, limit=None, marker=None): """Get a list of tenants. @@ -105,7 +107,6 @@ def list(self, limit=None, marker=None): :rtype: list of :class:`Tenant` """ - params = {} if limit: params['limit'] = limit @@ -122,7 +123,7 @@ def list(self, limit=None, marker=None): try: tenant_list = self._list('/tenants%s' % query, 'tenants') except exceptions.EndpointNotFound: - endpoint_filter = {'interface': auth.AUTH_INTERFACE} + endpoint_filter = {'interface': plugin.AUTH_INTERFACE} tenant_list = self._list('/tenants%s' % query, 'tenants', endpoint_filter=endpoint_filter) @@ -140,12 +141,12 @@ def update(self, tenant_id, tenant_name=None, description=None, body['tenant']['description'] = description # Allow Extras Passthru and ensure we don't clobber primary arguments. - for k, v in six.iteritems(kwargs): + for k, v in kwargs.items(): if k not in body['tenant']: body['tenant'][k] = v # Keystone's API uses a POST rather than a PUT here. - return self._create("/tenants/%s" % tenant_id, body, "tenant") + return self._post("/tenants/%s" % tenant_id, body, "tenant") def delete(self, tenant): """Delete a tenant.""" diff --git a/keystoneclient/v2_0/tokens.py b/keystoneclient/v2_0/tokens.py index e5a21d428..14c054eeb 100644 --- a/keystoneclient/v2_0/tokens.py +++ b/keystoneclient/v2_0/tokens.py @@ -10,14 +10,17 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient import auth +from keystoneauth1 import exceptions +from keystoneauth1 import plugin + +from keystoneclient import access from keystoneclient import base -from keystoneclient import exceptions -from keystoneclient import utils +from keystoneclient.i18n import _ class Token(base.Resource): def __repr__(self): + """Return string representation of resource information.""" return "" % self._info @property @@ -36,7 +39,6 @@ def tenant(self): class TokenManager(base.Manager): resource_class = Token - @utils.positional(enforcement=utils.positional.WARN) def authenticate(self, username=None, tenant_id=None, tenant_name=None, password=None, token=None, return_raw=False): if token: @@ -45,7 +47,8 @@ def authenticate(self, username=None, tenant_id=None, tenant_name=None, params = {"auth": {"passwordCredentials": {"username": username, "password": password}}} else: - raise ValueError('A username and password or token is required.') + raise ValueError( + _('A username and password or token is required.')) if tenant_id: params['auth']['tenantId'] = tenant_id elif tenant_name: @@ -58,10 +61,10 @@ def authenticate(self, username=None, tenant_id=None, tenant_name=None, # no endpoint that can satisfy the request (eg an unscoped token) then # issue it against the auth_url. try: - token_ref = self._create(*args, **kwargs) + token_ref = self._post(*args, **kwargs) except exceptions.EndpointNotFound: - kwargs['endpoint_filter'] = {'interface': auth.AUTH_INTERFACE} - token_ref = self._create(*args, **kwargs) + kwargs['endpoint_filter'] = {'interface': plugin.AUTH_INTERFACE} + token_ref = self._post(*args, **kwargs) return token_ref @@ -70,3 +73,53 @@ def delete(self, token): def endpoints(self, token): return self._get("/tokens/%s/endpoints" % base.getid(token), "token") + + def validate(self, token): + """Validate a token. + + :param token: Token to be validated. + + :rtype: :py:class:`.Token` + + """ + return self._get('/tokens/%s' % base.getid(token), 'access') + + def get_token_data(self, token): + """Fetch the data about a token from the identity server. + + :param str token: The token id. + + :rtype: dict + """ + url = '/tokens/%s' % token + resp, body = self.client.get(url) + return body + + def validate_access_info(self, token): + """Validate a token. + + :param token: Token to be validated. This can be an instance of + :py:class:`keystoneclient.access.AccessInfo` or a string + token_id. + + :rtype: :py:class:`keystoneclient.access.AccessInfoV2` + + """ + def calc_id(token): + if isinstance(token, access.AccessInfo): + return token.auth_token + return base.getid(token) + + token_id = calc_id(token) + body = self.get_token_data(token_id) + return access.AccessInfo.factory(auth_token=token_id, body=body) + + def get_revoked(self): + """Return the revoked tokens response. + + The response will be a dict containing 'signed' which is a CMS-encoded + document. + + """ + resp, body = self.client.get('/tokens/revoked') + return body diff --git a/keystoneclient/v2_0/users.py b/keystoneclient/v2_0/users.py index df488f541..706dafcdc 100644 --- a/keystoneclient/v2_0/users.py +++ b/keystoneclient/v2_0/users.py @@ -14,14 +14,15 @@ # License for the specific language governing permissions and limitations # under the License. -from six.moves import urllib - from keystoneclient import base +import urllib.parse class User(base.Resource): """Represents a Keystone user.""" + def __repr__(self): + """Return string representation of user resource information.""" return "" % self._info def delete(self): @@ -33,6 +34,7 @@ def list_roles(self, tenant=None): class UserManager(base.ManagerWithFind): """Manager class for manipulating Keystone users.""" + resource_class = User def __init__(self, client, role_manager): @@ -50,22 +52,19 @@ def update(self, user, **kwargs): # FIXME(gabriel): "tenantId" seems to be accepted by the API but # fails to actually update the default tenant. params = {"user": kwargs} - params['user']['id'] = base.getid(user) url = "/users/%s" % base.getid(user) return self._update(url, params, "user") def update_enabled(self, user, enabled): """Update enabled-ness.""" - params = {"user": {"id": base.getid(user), - "enabled": enabled}} + params = {"user": {"enabled": enabled}} self._update("/users/%s/OS-KSADM/enabled" % base.getid(user), params, "user") def update_password(self, user, password): """Update password.""" - params = {"user": {"id": base.getid(user), - "password": password}} + params = {"user": {"password": password}} return self._update("/users/%s/OS-KSADM/password" % base.getid(user), params, "user", log=False) @@ -75,16 +74,16 @@ def update_own_password(self, origpasswd, passwd): params = {"user": {"password": passwd, "original_password": origpasswd}} - return self._update("/OS-KSCRUD/users/%s" % self.api.user_id, params, + return self._update("/OS-KSCRUD/users/%s" % self.client.user_id, + params, response_key="access", method="PATCH", - management=False, + endpoint_filter={'interface': 'public'}, log=False) def update_tenant(self, user, tenant): """Update default tenant.""" - params = {"user": {"id": base.getid(user), - "tenantId": base.getid(tenant)}} + params = {"user": {"tenantId": base.getid(tenant)}} # FIXME(ja): seems like a bad url - default tenant is an attribute # not a subresource!??? @@ -99,7 +98,7 @@ def create(self, name, password=None, email=None, "tenantId": tenant_id, "email": email, "enabled": enabled}} - return self._create('/users', params, "user", log=not bool(password)) + return self._post('/users', params, "user", log=not bool(password)) def delete(self, user): """Delete a user.""" @@ -110,7 +109,6 @@ def list(self, tenant_id=None, limit=None, marker=None): :rtype: list of :class:`User` """ - params = {} if limit: params['limit'] = int(limit) diff --git a/keystoneclient/v3/__init__.py b/keystoneclient/v3/__init__.py index 4685f9f69..fcb00e066 100644 --- a/keystoneclient/v3/__init__.py +++ b/keystoneclient/v3/__init__.py @@ -1,7 +1,7 @@ -# flake8: noqa -from keystoneclient.v3.client import Client +from keystoneclient.v3.client import Client # noqa -__all__ = [ + +__all__ = ( 'client', -] +) diff --git a/keystoneclient/v3/access_rules.py b/keystoneclient/v3/access_rules.py new file mode 100644 index 000000000..78fd0159e --- /dev/null +++ b/keystoneclient/v3/access_rules.py @@ -0,0 +1,118 @@ +# Copyright 2019 SUSE LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base +from keystoneclient import exceptions +from keystoneclient.i18n import _ + + +class AccessRule(base.Resource): + """Represents an Identity access rule for application credentials. + + Attributes: + * id: a uuid that identifies the access rule + * method: The request method that the application credential is + permitted to use for a given API endpoint + * path: The API path that the application credential is permitted to + access + * service: The service type identifier for the service that the + application credential is permitted to access + + """ + + pass + + +class AccessRuleManager(base.CrudManager): + """Manager class for manipulating Identity access rules.""" + + resource_class = AccessRule + collection_key = 'access_rules' + key = 'access_rule' + + def get(self, access_rule, user=None): + """Retrieve an access rule. + + :param access_rule: the access rule to be retrieved from the + server + :type access_rule: str or + :class:`keystoneclient.v3.access_rules.AccessRule` + :param string user: User ID + + :returns: the specified access rule + :rtype: + :class:`keystoneclient.v3.access_rules.AccessRule` + + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(AccessRuleManager, self).get( + access_rule_id=base.getid(access_rule)) + + def list(self, user=None, **kwargs): + """List access rules. + + :param string user: User ID + + :returns: a list of access rules + :rtype: list of + :class:`keystoneclient.v3.access_rules.AccessRule` + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(AccessRuleManager, self).list(**kwargs) + + def find(self, user=None, **kwargs): + """Find an access rule with attributes matching ``**kwargs``. + + :param string user: User ID + + :returns: a list of matching access rules + :rtype: list of + :class:`keystoneclient.v3.access_rules.AccessRule` + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(AccessRuleManager, self).find(**kwargs) + + def delete(self, access_rule, user=None): + """Delete an access rule. + + :param access_rule: the access rule to be deleted + :type access_rule: str or + :class:`keystoneclient.v3.access_rules.AccessRule` + :param string user: User ID + + :returns: response object with 204 status + :rtype: :class:`requests.models.Response` + + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(AccessRuleManager, self).delete( + access_rule_id=base.getid(access_rule)) + + def update(self): + raise exceptions.MethodNotImplemented( + _('Access rules are immutable, updating is not' + ' supported.')) + + def create(self): + raise exceptions.MethodNotImplemented( + _('Access rules can only be created as attributes of application ' + 'credentials.')) diff --git a/keystoneclient/v3/application_credentials.py b/keystoneclient/v3/application_credentials.py new file mode 100644 index 000000000..3e9286279 --- /dev/null +++ b/keystoneclient/v3/application_credentials.py @@ -0,0 +1,173 @@ +# Copyright 2018 SUSE Linux GmbH +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base +from keystoneclient import exceptions +from keystoneclient.i18n import _ +from keystoneclient import utils + + +class ApplicationCredential(base.Resource): + """Represents an Identity application credential. + + Attributes: + * id: a uuid that identifies the application credential + * user: the user who owns the application credential + * name: application credential name + * secret: application credential secret + * description: application credential description + * expires_at: expiry time + * roles: role assignments on the project + * unrestricted: whether the application credential has restrictions + applied + * access_rules: a list of access rules defining what API requests the + application credential may be used for + + """ + + pass + + +class ApplicationCredentialManager(base.CrudManager): + """Manager class for manipulating Identity application credentials.""" + + resource_class = ApplicationCredential + collection_key = 'application_credentials' + key = 'application_credential' + + def create(self, name, user=None, secret=None, description=None, + expires_at=None, roles=None, + unrestricted=False, access_rules=None, **kwargs): + """Create a credential. + + :param string name: application credential name + :param string user: User ID + :param secret: application credential secret + :param description: application credential description + :param datetime.datetime expires_at: expiry time + :param List roles: list of roles on the project. Maybe a list of IDs + or a list of dicts specifying role name and domain + :param bool unrestricted: whether the application credential has + restrictions applied + :param List access_rules: a list of dicts representing access rules + + :returns: the created application credential + :rtype: + :class:`keystoneclient.v3.application_credentials.ApplicationCredential` + + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + # Convert roles list into list-of-dict API format + role_list = [] + if roles: + if not isinstance(roles, list): + roles = [roles] + for role in roles: + if isinstance(role, str): + role_list.extend([{'id': role}]) + elif isinstance(role, dict): + role_list.extend([role]) + else: + msg = (_("Roles must be a list of IDs or role dicts.")) + raise exceptions.CommandError(msg) + + if not role_list: + role_list = None + + # Convert datetime.datetime expires_at to iso format string + if expires_at: + expires_str = utils.isotime(at=expires_at, subsecond=True) + else: + expires_str = None + + return super(ApplicationCredentialManager, self).create( + name=name, + secret=secret, + description=description, + expires_at=expires_str, + roles=role_list, + unrestricted=unrestricted, + access_rules=access_rules, + **kwargs) + + def get(self, application_credential, user=None): + """Retrieve an application credential. + + :param application_credential: the credential to be retrieved from the + server + :type applicationcredential: str or + :class:`keystoneclient.v3.application_credentials.ApplicationCredential` + + :returns: the specified application credential + :rtype: + :class:`keystoneclient.v3.application_credentials.ApplicationCredential` + + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(ApplicationCredentialManager, self).get( + application_credential_id=base.getid(application_credential)) + + def list(self, user=None, **kwargs): + """List application credentials. + + :param string user: User ID + + :returns: a list of application credentials + :rtype: list of + :class:`keystoneclient.v3.application_credentials.ApplicationCredential` + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(ApplicationCredentialManager, self).list(**kwargs) + + def find(self, user=None, **kwargs): + """Find an application credential with attributes matching ``**kwargs``. # noqa + + :param string user: User ID + + :returns: a list of matching application credentials + :rtype: list of + :class:`keystoneclient.v3.application_credentials.ApplicationCredential` + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(ApplicationCredentialManager, self).find(**kwargs) + + def delete(self, application_credential, user=None): + """Delete an application credential. + + :param application_credential: the application credential to be deleted + :type credential: str or + :class:`keystoneclient.v3.application_credentials.ApplicationCredential` + + :returns: response object with 204 status + :rtype: :class:`requests.models.Response` + + """ + user = user or self.client.user_id + self.base_url = '/users/%(user)s' % {'user': user} + + return super(ApplicationCredentialManager, self).delete( + application_credential_id=base.getid(application_credential)) + + def update(self): + raise exceptions.MethodNotImplemented( + _('Application credentials are immutable, updating is not' + ' supported.')) diff --git a/keystoneclient/v3/auth.py b/keystoneclient/v3/auth.py new file mode 100644 index 000000000..4d85e24ea --- /dev/null +++ b/keystoneclient/v3/auth.py @@ -0,0 +1,92 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneauth1 import exceptions +from keystoneauth1 import plugin + +from keystoneclient import base +from keystoneclient.v3 import domains +from keystoneclient.v3 import projects +from keystoneclient.v3 import system + + +Domain = domains.Domain +Project = projects.Project +System = system.System + + +class AuthManager(base.Manager): + """Retrieve auth context specific information. + + The information returned by the auth routes is entirely dependent on the + authentication information provided by the user. + """ + + _PROJECTS_URL = '/auth/projects' + _DOMAINS_URL = '/auth/domains' + _SYSTEM_URL = '/auth/system' + + def projects(self): + """List projects that the specified token can be rescoped to. + + :returns: a list of projects. + :rtype: list of :class:`keystoneclient.v3.projects.Project` + + """ + try: + return self._list(self._PROJECTS_URL, + 'projects', + obj_class=Project) + except exceptions.EndpointNotFound: + endpoint_filter = {'interface': plugin.AUTH_INTERFACE} + return self._list(self._PROJECTS_URL, + 'projects', + obj_class=Project, + endpoint_filter=endpoint_filter) + + def domains(self): + """List Domains that the specified token can be rescoped to. + + :returns: a list of domains. + :rtype: list of :class:`keystoneclient.v3.domains.Domain`. + + """ + try: + return self._list(self._DOMAINS_URL, + 'domains', + obj_class=Domain) + except exceptions.EndpointNotFound: + endpoint_filter = {'interface': plugin.AUTH_INTERFACE} + return self._list(self._DOMAINS_URL, + 'domains', + obj_class=Domain, + endpoint_filter=endpoint_filter) + + def systems(self): + """List Systems that the specified token can be rescoped to. + + At the moment this is either empty or "all". + + :returns: a list of systems. + :rtype: list of :class:`keystoneclient.v3.systems.System`. + + """ + try: + return self._list(self._SYSTEM_URL, + 'system', + obj_class=System) + except exceptions.EndpointNotFound: + endpoint_filter = {'interface': plugin.AUTH_INTERFACE} + return self._list(self._SYSTEM_URL, + 'system', + obj_class=System, + endpoint_filter=endpoint_filter) diff --git a/keystoneclient/v3/client.py b/keystoneclient/v3/client.py index 316588ce9..e99b06549 100644 --- a/keystoneclient/v3/client.py +++ b/keystoneclient/v3/client.py @@ -14,22 +14,35 @@ # under the License. import logging +import warnings + +from oslo_serialization import jsonutils from keystoneclient.auth.identity import v3 as v3_auth from keystoneclient import exceptions from keystoneclient import httpclient -from keystoneclient.openstack.common import jsonutils +from keystoneclient.i18n import _ +from keystoneclient.v3 import access_rules +from keystoneclient.v3 import application_credentials +from keystoneclient.v3 import auth from keystoneclient.v3.contrib import endpoint_filter +from keystoneclient.v3.contrib import endpoint_policy from keystoneclient.v3.contrib import federation from keystoneclient.v3.contrib import oauth1 +from keystoneclient.v3.contrib import simple_cert from keystoneclient.v3.contrib import trusts from keystoneclient.v3 import credentials +from keystoneclient.v3 import domain_configs from keystoneclient.v3 import domains +from keystoneclient.v3 import ec2 +from keystoneclient.v3 import endpoint_groups from keystoneclient.v3 import endpoints from keystoneclient.v3 import groups +from keystoneclient.v3 import limits from keystoneclient.v3 import policies from keystoneclient.v3 import projects from keystoneclient.v3 import regions +from keystoneclient.v3 import registered_limits from keystoneclient.v3 import role_assignments from keystoneclient.v3 import roles from keystoneclient.v3 import services @@ -41,8 +54,10 @@ class Client(httpclient.HTTPClient): - """Client for the OpenStack Identity API v3. + r"""Client for the OpenStack Identity API v3. + :param session: Session for requests. (optional) + :type session: keystoneauth1.session.Session :param string user_id: User ID for authentication. (optional) :param string username: Username for authentication. (optional) :param string user_domain_id: User's domain ID for authentication. @@ -60,11 +75,13 @@ class Client(httpclient.HTTPClient): :param string project_domain_name: Project's domain name for project scoping. (optional) :param string tenant_name: Tenant name. (optional) - The tenant_name keyword argument is deprecated, - use project_name instead. + The tenant_name keyword argument is deprecated + as of the 1.7.0 release in favor of project_name + and may be removed in the 2.0.0 release. :param string tenant_id: Tenant id. (optional) - The tenant_id keyword argument is deprecated, - use project_id instead. + The tenant_id keyword argument is deprecated as of + the 1.7.0 release in favor of project_id and may + be removed in the 2.0.0 release. :param string auth_url: Identity service endpoint for authorization. :param string region_name: Name of a region to select when choosing an endpoint from the service catalog. @@ -75,16 +92,25 @@ class Client(httpclient.HTTPClient): :param integer timeout: Allows customization of the timeout for client http requests. (optional) + .. warning:: + + Constructing an instance of this class without a session is + deprecated as of the 1.7.0 release and will be removed in the + 2.0.0 release. + Example:: + >>> from keystoneauth1.identity import v3 + >>> from keystoneauth1 import session >>> from keystoneclient.v3 import client - >>> keystone = client.Client(user_domain_name=DOMAIN_NAME, - ... username=USER, - ... password=PASS, - ... project_domain_name=PROJECT_DOMAIN_NAME, - ... project_name=PROJECT_NAME, - ... auth_url=KEYSTONE_URL) - ... + >>> auth = v3.Password(user_domain_name=DOMAIN_NAME, + ... username=USER, + ... password=PASS, + ... project_domain_name=PROJECT_DOMAIN_NAME, + ... project_name=PROJECT_NAME, + ... auth_url=KEYSTONE_URL) + >>> sess = session.Session(auth=auth) + >>> keystone = client.Client(session=sess) >>> keystone.projects.list() ... >>> user = keystone.users.get(USER_ID) @@ -96,10 +122,28 @@ class Client(httpclient.HTTPClient): :py:class:`keystoneclient.v3.credentials.CredentialManager` + .. py:attribute:: domain_configs + + :py:class:`keystoneclient.v3.domain_configs.DomainConfigManager` + + .. py:attribute:: ec2 + + :py:class:`keystoneclient.v3.ec2.EC2Manager` + .. py:attribute:: endpoint_filter :py:class:`keystoneclient.v3.contrib.endpoint_filter.\ -EndpointFilterManager` + EndpointFilterManager` + + .. py:attribute:: endpoint_groups + + :py:class:`keystoneclient.v3.endpoint_groups.\ + EndpointGroupManager` + + .. py:attribute:: endpoint_policy + + :py:class:`keystoneclient.v3.contrib.endpoint_policy.\ + EndpointPolicyManager` .. py:attribute:: endpoints @@ -117,6 +161,10 @@ class Client(httpclient.HTTPClient): :py:class:`keystoneclient.v3.groups.GroupManager` + .. py:attribute:: limits + + :py:class:`keystoneclient.v3.limits.LimitManager` + .. py:attribute:: oauth1 :py:class:`keystoneclient.v3.contrib.oauth1.core.OAuthManager` @@ -129,6 +177,10 @@ class Client(httpclient.HTTPClient): :py:class:`keystoneclient.v3.regions.RegionManager` + .. py:attribute:: registered_limits + + :py:class:`keystoneclient.v3.registered_limits.RegisteredLimitManager` + .. py:attribute:: role_assignments :py:class:`keystoneclient.v3.role_assignments.RoleAssignmentManager` @@ -137,6 +189,10 @@ class Client(httpclient.HTTPClient): :py:class:`keystoneclient.v3.roles.RoleManager` + .. py:attribute:: simple_cert + + :py:class:`keystoneclient.v3.contrib.simple_cert.SimpleCertManager` + .. py:attribute:: services :py:class:`keystoneclient.v3.services.ServiceManager` @@ -161,22 +217,49 @@ def __init__(self, **kwargs): """Initialize a new client for the Keystone v3 API.""" super(Client, self).__init__(**kwargs) - self.credentials = credentials.CredentialManager(self) - self.endpoint_filter = endpoint_filter.EndpointFilterManager(self) - self.endpoints = endpoints.EndpointManager(self) - self.domains = domains.DomainManager(self) - self.federation = federation.FederationManager(self) - self.groups = groups.GroupManager(self) - self.oauth1 = oauth1.create_oauth_manager(self) - self.policies = policies.PolicyManager(self) - self.projects = projects.ProjectManager(self) - self.regions = regions.RegionManager(self) - self.role_assignments = role_assignments.RoleAssignmentManager(self) - self.roles = roles.RoleManager(self) - self.services = services.ServiceManager(self) - self.tokens = tokens.TokenManager(self) - self.trusts = trusts.TrustManager(self) - self.users = users.UserManager(self) + if not kwargs.get('session'): + warnings.warn( + 'Constructing an instance of the ' + 'keystoneclient.v3.client.Client class without a session is ' + 'deprecated as of the 1.7.0 release and may be removed in ' + 'the 2.0.0 release.', DeprecationWarning) + + self.access_rules = ( + access_rules.AccessRuleManager(self._adapter) + ) + self.application_credentials = ( + application_credentials.ApplicationCredentialManager(self._adapter) + ) + self.auth = auth.AuthManager(self._adapter) + self.credentials = credentials.CredentialManager(self._adapter) + self.ec2 = ec2.EC2Manager(self._adapter) + self.endpoint_filter = endpoint_filter.EndpointFilterManager( + self._adapter) + self.endpoint_groups = endpoint_groups.EndpointGroupManager( + self._adapter) + self.endpoint_policy = endpoint_policy.EndpointPolicyManager( + self._adapter) + self.endpoints = endpoints.EndpointManager(self._adapter) + self.domain_configs = domain_configs.DomainConfigManager(self._adapter) + self.domains = domains.DomainManager(self._adapter) + self.federation = federation.FederationManager(self._adapter) + self.groups = groups.GroupManager(self._adapter) + self.limits = limits.LimitManager(self._adapter) + self.oauth1 = oauth1.create_oauth_manager(self._adapter) + self.policies = policies.PolicyManager(self._adapter) + self.projects = projects.ProjectManager(self._adapter) + self.registered_limits = registered_limits.RegisteredLimitManager( + self._adapter) + self.regions = regions.RegionManager(self._adapter) + self.role_assignments = ( + role_assignments.RoleAssignmentManager(self._adapter)) + self.roles = roles.RoleManager(self._adapter) + self.inference_rules = roles.InferenceRuleManager(self._adapter) + self.services = services.ServiceManager(self._adapter) + self.simple_cert = simple_cert.SimpleCertManager(self._adapter) + self.tokens = tokens.TokenManager(self._adapter) + self.trusts = trusts.TrustManager(self._adapter) + self.users = users.UserManager(self._adapter) # DEPRECATED: if session is passed then we go to the new behaviour of # authenticating on the first required call. @@ -195,7 +278,7 @@ def process_token(self, **kwargs): if self.auth_ref.domain_scoped: if not self.auth_ref.domain_id: raise exceptions.AuthorizationFailure( - "Token didn't provide domain_id") + _("Token didn't provide domain_id")) self._process_management_url(kwargs.get('region_name')) self.domain_name = self.auth_ref.domain_name self.domain_id = self.auth_ref.domain_id @@ -220,14 +303,16 @@ def get_raw_token_from_identity_service(self, auth_url, user_id=None, be used in the request. :returns: access.AccessInfo if authentication was successful. - :raises: AuthorizationFailure if unable to authenticate or validate - the existing authorization token - :raises: Unauthorized if authentication fails due to invalid token + :rtype: :class:`keystoneclient.access.AccessInfoV3` + :raises keystoneclient.exceptions.AuthorizationFailure: if unable to + authenticate or validate the existing authorization token. + :raises keystoneclient.exceptions.Unauthorized: if authentication fails + due to invalid token. """ try: if auth_url is None: - raise ValueError("Cannot authenticate without an auth_url") + raise ValueError(_("Cannot authenticate without an auth_url")) auth_methods = [] @@ -243,7 +328,7 @@ def get_raw_token_from_identity_service(self, auth_url, user_id=None, auth_methods.append(m) if not auth_methods: - msg = 'A user and password or token is required.' + msg = _('A user and password or token is required.') raise exceptions.AuthorizationFailure(msg) plugin = v3_auth.Auth(auth_url, auth_methods, @@ -260,8 +345,9 @@ def get_raw_token_from_identity_service(self, auth_url, user_id=None, _logger.debug('Authorization failed.') raise except exceptions.EndpointNotFound: - msg = 'There was no suitable authentication url for this request' + msg = _('There was no suitable authentication url for this' + ' request') raise exceptions.AuthorizationFailure(msg) except Exception as e: - raise exceptions.AuthorizationFailure('Authorization failed: ' - '%s' % e) + raise exceptions.AuthorizationFailure( + _('Authorization failed: %s') % e) diff --git a/keystoneclient/v3/contrib/__init__.py b/keystoneclient/v3/contrib/__init__.py index 79b89d1a0..576bd6218 100644 --- a/keystoneclient/v3/contrib/__init__.py +++ b/keystoneclient/v3/contrib/__init__.py @@ -1,3 +1,2 @@ -__all__ = [ -] +__all__ = tuple() diff --git a/keystoneclient/v3/contrib/endpoint_filter.py b/keystoneclient/v3/contrib/endpoint_filter.py index c0a1eefc8..26d5a8745 100644 --- a/keystoneclient/v3/contrib/endpoint_filter.py +++ b/keystoneclient/v3/contrib/endpoint_filter.py @@ -14,10 +14,20 @@ from keystoneclient import base from keystoneclient import exceptions +from keystoneclient.i18n import _ +from keystoneclient.v3 import endpoint_groups +from keystoneclient.v3 import endpoints +from keystoneclient.v3 import projects class EndpointFilterManager(base.Manager): - """Manager class for manipulating project-endpoint associations.""" + """Manager class for manipulating project-endpoint associations. + + Project-endpoint associations can be with endpoints directly or via + endpoint groups. + + """ + OS_EP_FILTER_EXT = '/OS-EP-FILTER' def _build_base_url(self, project=None, endpoint=None): @@ -31,7 +41,24 @@ def _build_base_url(self, project=None, endpoint=None): elif endpoint_id: api_path = '/endpoints/%s/projects' % (endpoint_id) else: - msg = 'Must specify a project, an endpoint, or both' + msg = _('Must specify a project, an endpoint, or both') + raise exceptions.ValidationError(msg) + + return self.OS_EP_FILTER_EXT + api_path + + def _build_group_base_url(self, project=None, endpoint_group=None): + project_id = base.getid(project) + endpoint_group_id = base.getid(endpoint_group) + + if project_id and endpoint_group_id: + api_path = '/endpoint_groups/%s/projects/%s' % ( + endpoint_group_id, project_id) + elif project_id: + api_path = '/projects/%s/endpoint_groups' % (project_id) + elif endpoint_group_id: + api_path = '/endpoint_groups/%s/projects' % (endpoint_group_id) + else: + msg = _('Must specify a project, an endpoint group, or both') raise exceptions.ValidationError(msg) return self.OS_EP_FILTER_EXT + api_path @@ -39,7 +66,7 @@ def _build_base_url(self, project=None, endpoint=None): def add_endpoint_to_project(self, project, endpoint): """Create a project-endpoint association.""" if not (project and endpoint): - raise ValueError('project and endpoint are required') + raise ValueError(_('project and endpoint are required')) base_url = self._build_base_url(project=project, endpoint=endpoint) @@ -48,16 +75,16 @@ def add_endpoint_to_project(self, project, endpoint): def delete_endpoint_from_project(self, project, endpoint): """Remove a project-endpoint association.""" if not (project and endpoint): - raise ValueError('project and endpoint are required') + raise ValueError(_('project and endpoint are required')) base_url = self._build_base_url(project=project, endpoint=endpoint) return super(EndpointFilterManager, self)._delete(url=base_url) def check_endpoint_in_project(self, project, endpoint): - """Checks if project-endpoint association exist.""" + """Check if project-endpoint association exists.""" if not (project and endpoint): - raise ValueError('project and endpoint are required') + raise ValueError(_('project and endpoint are required')) base_url = self._build_base_url(project=project, endpoint=endpoint) @@ -66,21 +93,71 @@ def check_endpoint_in_project(self, project, endpoint): def list_endpoints_for_project(self, project): """List all endpoints for a given project.""" if not project: - raise ValueError('project is required') + raise ValueError(_('project is required')) base_url = self._build_base_url(project=project) return super(EndpointFilterManager, self)._list( base_url, - self.client.endpoints.collection_key, - obj_class=self.client.endpoints.resource_class) + endpoints.EndpointManager.collection_key, + obj_class=endpoints.EndpointManager.resource_class) def list_projects_for_endpoint(self, endpoint): """List all projects for a given endpoint.""" if not endpoint: - raise ValueError('endpoint is required') + raise ValueError(_('endpoint is required')) base_url = self._build_base_url(endpoint=endpoint) return super(EndpointFilterManager, self)._list( base_url, - self.client.projects.collection_key, - obj_class=self.client.projects.resource_class) + projects.ProjectManager.collection_key, + obj_class=projects.ProjectManager.resource_class) + + def add_endpoint_group_to_project(self, endpoint_group, project): + """Create a project-endpoint group association.""" + if not (project and endpoint_group): + raise ValueError(_('project and endpoint_group are required')) + + base_url = self._build_group_base_url(project=project, + endpoint_group=endpoint_group) + return super(EndpointFilterManager, self)._put(url=base_url) + + def delete_endpoint_group_from_project(self, endpoint_group, project): + """Remove a project-endpoint group association.""" + if not (project and endpoint_group): + raise ValueError(_('project and endpoint_group are required')) + + base_url = self._build_group_base_url(project=project, + endpoint_group=endpoint_group) + return super(EndpointFilterManager, self)._delete(url=base_url) + + def check_endpoint_group_in_project(self, endpoint_group, project): + """Check if project-endpoint group association exists.""" + if not (project and endpoint_group): + raise ValueError(_('project and endpoint_group are required')) + + base_url = self._build_group_base_url(project=project, + endpoint_group=endpoint_group) + return super(EndpointFilterManager, self)._head(url=base_url) + + def list_endpoint_groups_for_project(self, project): + """List all endpoint groups for a given project.""" + if not project: + raise ValueError(_('project is required')) + + base_url = self._build_group_base_url(project=project) + + return super(EndpointFilterManager, self)._list( + base_url, + 'endpoint_groups', + obj_class=endpoint_groups.EndpointGroupManager.resource_class) + + def list_projects_for_endpoint_group(self, endpoint_group): + """List all projects associated with a given endpoint group.""" + if not endpoint_group: + raise ValueError(_('endpoint_group is required')) + + base_url = self._build_group_base_url(endpoint_group=endpoint_group) + return super(EndpointFilterManager, self)._list( + base_url, + projects.ProjectManager.collection_key, + obj_class=projects.ProjectManager.resource_class) diff --git a/keystoneclient/v3/contrib/endpoint_policy.py b/keystoneclient/v3/contrib/endpoint_policy.py new file mode 100644 index 000000000..c65b1fbc7 --- /dev/null +++ b/keystoneclient/v3/contrib/endpoint_policy.py @@ -0,0 +1,156 @@ +# Copyright 2014 IBM Corp. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base +from keystoneclient.i18n import _ +from keystoneclient.v3 import endpoints +from keystoneclient.v3 import policies + + +class EndpointPolicyManager(base.Manager): + """Manager class for manipulating endpoint-policy associations.""" + + OS_EP_POLICY_EXT = 'OS-ENDPOINT-POLICY' + + def _act_on_policy_association_for_endpoint( + self, policy, endpoint, action): + if not (policy and endpoint): + raise ValueError(_('policy and endpoint are required')) + + policy_id = base.getid(policy) + endpoint_id = base.getid(endpoint) + url = ('/policies/%(policy_id)s/%(ext_name)s' + '/endpoints/%(endpoint_id)s') % { + 'policy_id': policy_id, + 'ext_name': self.OS_EP_POLICY_EXT, + 'endpoint_id': endpoint_id} + return action(url=url) + + def create_policy_association_for_endpoint(self, policy, endpoint): + """Create an association between a policy and an endpoint.""" + return self._act_on_policy_association_for_endpoint( + policy, endpoint, self._put) + + def check_policy_association_for_endpoint(self, policy, endpoint): + """Check an association between a policy and an endpoint.""" + return self._act_on_policy_association_for_endpoint( + policy, endpoint, self._head) + + def delete_policy_association_for_endpoint(self, policy, endpoint): + """Delete an association between a policy and an endpoint.""" + return self._act_on_policy_association_for_endpoint( + policy, endpoint, self._delete) + + def _act_on_policy_association_for_service(self, policy, service, action): + if not (policy and service): + raise ValueError(_('policy and service are required')) + + policy_id = base.getid(policy) + service_id = base.getid(service) + url = ('/policies/%(policy_id)s/%(ext_name)s' + '/services/%(service_id)s') % { + 'policy_id': policy_id, + 'ext_name': self.OS_EP_POLICY_EXT, + 'service_id': service_id} + return action(url=url) + + def create_policy_association_for_service(self, policy, service): + """Create an association between a policy and a service.""" + return self._act_on_policy_association_for_service( + policy, service, self._put) + + def check_policy_association_for_service(self, policy, service): + """Check an association between a policy and a service.""" + return self._act_on_policy_association_for_service( + policy, service, self._head) + + def delete_policy_association_for_service(self, policy, service): + """Delete an association between a policy and a service.""" + return self._act_on_policy_association_for_service( + policy, service, self._delete) + + def _act_on_policy_association_for_region_and_service( + self, policy, region, service, action): + if not (policy and region and service): + raise ValueError(_('policy, region and service are required')) + + policy_id = base.getid(policy) + region_id = base.getid(region) + service_id = base.getid(service) + url = ('/policies/%(policy_id)s/%(ext_name)s' + '/services/%(service_id)s/regions/%(region_id)s') % { + 'policy_id': policy_id, + 'ext_name': self.OS_EP_POLICY_EXT, + 'service_id': service_id, + 'region_id': region_id} + return action(url=url) + + def create_policy_association_for_region_and_service( + self, policy, region, service): + """Create an association between a policy and a service in a region.""" + return self._act_on_policy_association_for_region_and_service( + policy, region, service, self._put) + + def check_policy_association_for_region_and_service( + self, policy, region, service): + """Check an association between a policy and a service in a region.""" + return self._act_on_policy_association_for_region_and_service( + policy, region, service, self._head) + + def delete_policy_association_for_region_and_service( + self, policy, region, service): + """Delete an association between a policy and a service in a region.""" + return self._act_on_policy_association_for_region_and_service( + policy, region, service, self._delete) + + def get_policy_for_endpoint(self, endpoint): + """Get the effective policy for an endpoint. + + :param endpoint: endpoint object or ID + + :returns: policies.Policy object + + """ + if not endpoint: + raise ValueError(_('endpoint is required')) + + endpoint_id = base.getid(endpoint) + url = ('/endpoints/%(endpoint_id)s/%(ext_name)s/policy') % { + 'endpoint_id': endpoint_id, + 'ext_name': self.OS_EP_POLICY_EXT} + + resp, body = self.client.get(url) + return self._prepare_return_value( + resp, policies.Policy(self, body[policies.PolicyManager.key], + loaded=True)) + + def list_endpoints_for_policy(self, policy): + """List endpoints with the effective association to a policy. + + :param policy: policy object or ID + + :returns: list of endpoints that are associated with the policy + + """ + if not policy: + raise ValueError(_('policy is required')) + + policy_id = base.getid(policy) + url = ('/policies/%(policy_id)s/%(ext_name)s/endpoints') % { + 'policy_id': policy_id, + 'ext_name': self.OS_EP_POLICY_EXT} + return self._list( + url, + endpoints.EndpointManager.collection_key, + obj_class=endpoints.EndpointManager.resource_class) diff --git a/keystoneclient/v3/contrib/federation/__init__.py b/keystoneclient/v3/contrib/federation/__init__.py index 8d31b75e3..ee9bcef98 100644 --- a/keystoneclient/v3/contrib/federation/__init__.py +++ b/keystoneclient/v3/contrib/federation/__init__.py @@ -10,4 +10,4 @@ # License for the specific language governing permissions and limitations # under the License. -from keystoneclient.v3.contrib.federation.core import * # flake8: noqa +from keystoneclient.v3.contrib.federation.core import * # noqa diff --git a/keystoneclient/v3/contrib/federation/base.py b/keystoneclient/v3/contrib/federation/base.py index 0160170ea..c09bc2267 100644 --- a/keystoneclient/v3/contrib/federation/base.py +++ b/keystoneclient/v3/contrib/federation/base.py @@ -12,28 +12,28 @@ import abc -import six +from keystoneauth1 import exceptions +from keystoneauth1 import plugin -from keystoneclient.auth import base as base_auth from keystoneclient import base -from keystoneclient import exceptions -@six.add_metaclass(abc.ABCMeta) -class EntityManager(base.Manager): +class EntityManager(base.Manager, metaclass=abc.ABCMeta): """Manager class for listing federated accessible objects.""" + resource_class = None - @abc.abstractproperty + @property + @abc.abstractmethod def object_type(self): raise exceptions.MethodNotImplemented def list(self): - url = '/OS-FEDERATION/%s' % self.object_type + url = '/auth/%s' % self.object_type try: tenant_list = self._list(url, self.object_type) - except exceptions.EndpointNotFound: - endpoint_filter = {'interface': base_auth.AUTH_INTERFACE} + except exceptions.CatalogException: + endpoint_filter = {'interface': plugin.AUTH_INTERFACE} tenant_list = self._list(url, self.object_type, endpoint_filter=endpoint_filter) return tenant_list diff --git a/keystoneclient/v3/contrib/federation/core.py b/keystoneclient/v3/contrib/federation/core.py index 76c5dc75d..2e12cf607 100644 --- a/keystoneclient/v3/contrib/federation/core.py +++ b/keystoneclient/v3/contrib/federation/core.py @@ -15,6 +15,8 @@ from keystoneclient.v3.contrib.federation import mappings from keystoneclient.v3.contrib.federation import projects from keystoneclient.v3.contrib.federation import protocols +from keystoneclient.v3.contrib.federation import saml +from keystoneclient.v3.contrib.federation import service_providers class FederationManager(object): @@ -25,3 +27,5 @@ def __init__(self, api): self.protocols = protocols.ProtocolManager(api) self.projects = projects.ProjectManager(api) self.domains = domains.DomainManager(api) + self.saml = saml.SamlManager(api) + self.service_providers = service_providers.ServiceProviderManager(api) diff --git a/keystoneclient/v3/contrib/federation/identity_providers.py b/keystoneclient/v3/contrib/federation/identity_providers.py index 242d5d962..221ec11f4 100644 --- a/keystoneclient/v3/contrib/federation/identity_providers.py +++ b/keystoneclient/v3/contrib/federation/identity_providers.py @@ -11,16 +11,16 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class IdentityProvider(base.Resource): - """Object representing Identity Provider container + """Object representing Identity Provider container. Attributes: * id: user-defined unique string identifying Identity Provider. """ + pass @@ -38,7 +38,6 @@ def _build_url_and_put(self, **kwargs): return self._update(url, body=body, response_key=self.key, method='PUT') - @utils.positional.method(0) def create(self, id, **kwargs): """Create Identity Provider object. @@ -46,19 +45,25 @@ def create(self, id, **kwargs): PUT /OS-FEDERATION/identity_providers/$identity_provider :param id: unique id of the identity provider. + :param kwargs: optional attributes: description (str), domain_id (str), + enabled (boolean) and remote_ids (list). + :returns: an IdentityProvider resource object. + :rtype: :py:class:`keystoneclient.v3.federation.IdentityProvider` """ return self._build_url_and_put(identity_provider_id=id, **kwargs) def get(self, identity_provider): - """Fetch Identity Provider object + """Fetch Identity Provider object. Utilize Keystone URI: GET /OS-FEDERATION/identity_providers/$identity_provider :param identity_provider: an object with identity_provider_id stored inside. + :returns: an IdentityProvider resource object. + :rtype: :py:class:`keystoneclient.v3.federation.IdentityProvider` """ return super(IdentityProviderManager, self).get( @@ -70,6 +75,9 @@ def list(self, **kwargs): Utilize Keystone URI: GET /OS-FEDERATION/identity_providers + :returns: a list of IdentityProvider resource objects. + :rtype: List + """ return super(IdentityProviderManager, self).list(**kwargs) @@ -81,6 +89,8 @@ def update(self, identity_provider, **kwargs): :param identity_provider: an object with identity_provider_id stored inside. + :returns: an IdentityProvider resource object. + :rtype: :py:class:`keystoneclient.v3.federation.IdentityProvider` """ return super(IdentityProviderManager, self).update( @@ -92,8 +102,8 @@ def delete(self, identity_provider): Utilize Keystone URI: DELETE /OS-FEDERATION/identity_providers/$identity_provider - :param identity_provider: an object with identity_provider_id - stored inside. + :param identity_provider: the Identity Provider ID itself or an object + with it stored inside. """ return super(IdentityProviderManager, self).delete( diff --git a/keystoneclient/v3/contrib/federation/mappings.py b/keystoneclient/v3/contrib/federation/mappings.py index d0c033f13..a0e54ae6f 100644 --- a/keystoneclient/v3/contrib/federation/mappings.py +++ b/keystoneclient/v3/contrib/federation/mappings.py @@ -11,16 +11,16 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Mapping(base.Resource): - """An object representing mapping container + """An object representing mapping container. Attributes: * id: user defined unique string identifying mapping. """ + pass @@ -39,7 +39,6 @@ def _build_url_and_put(self, **kwargs): response_key=self.key, method='PUT') - @utils.positional.method(0) def create(self, mapping_id, **kwargs): """Create federation mapping. @@ -48,35 +47,30 @@ def create(self, mapping_id, **kwargs): :param mapping_id: user defined string identifier of the federation mapping. - :param rules: a JSON dictionary with list a list - of mapping rules. - - Example of the ``rules``:: - - { - "mapping": { - "rules": [ - { - "local": [ - { - "group": { - "id": "0cd5e9" - } - } - ], - "remote": [ - { - "type": "orgPersonType", - "not_any_of": [ - "Contractor", - "Guest" - ] - } - ] - } - ] - } - } + :param rules: a list of mapping rules. + + Example of the ``rules`` parameter:: + + [ + { + "local": [ + { + "group": { + "id": "0cd5e9" + } + } + ], + "remote": [ + { + "type": "orgPersonType", + "not_any_of": [ + "Contractor", + "Guest" + ] + } + ] + } + ] """ return self._build_url_and_put( @@ -99,7 +93,7 @@ def list(self, **kwargs): """List all federation mappings. Utilize Identity API operation: - GET /OS-FEDERATION/mappings/$mapping_id + GET /OS-FEDERATION/mappings """ return super(MappingManager, self).list(**kwargs) @@ -112,35 +106,31 @@ def update(self, mapping, **kwargs): :param mapping: a Mapping type object with mapping id stored inside. - :param rules: a JSON dictionary with list a list - of mapping rules. - - Example of the ``rules``:: - - { - "mapping": { - "rules": [ - { - "local": [ - { - "group": { - "id": "0cd5e9" - } - } - ], - "remote": [ - { - "type": "orgPersonType", - "not_any_of": [ - "Contractor", - "Guest" - ] - } - ] - } - ] - } - } + :param rules: a list of mapping rules. + + Example of the ``rules`` parameter:: + + + [ + { + "local": [ + { + "group": { + "id": "0cd5e9" + } + } + ], + "remote": [ + { + "type": "orgPersonType", + "not_any_of": [ + "Contractor", + "Guest" + ] + } + ] + } + ] """ return super(MappingManager, self).update( diff --git a/keystoneclient/v3/contrib/federation/protocols.py b/keystoneclient/v3/contrib/federation/protocols.py index 97d88297b..4fad689fe 100644 --- a/keystoneclient/v3/contrib/federation/protocols.py +++ b/keystoneclient/v3/contrib/federation/protocols.py @@ -11,7 +11,6 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Protocol(base.Resource): @@ -22,6 +21,7 @@ class Protocol(base.Resource): federation protocol. """ + pass @@ -35,7 +35,6 @@ class ProtocolManager(base.CrudManager): def build_url(self, dict_args_in_out=None): """Build URL for federation protocols.""" - if dict_args_in_out is None: dict_args_in_out = {} @@ -56,7 +55,6 @@ def _build_url_and_put(self, request_body=None, **kwargs): response_key=self.key, method='PUT') - @utils.positional.method(3) def create(self, protocol_id, identity_provider, mapping, **kwargs): """Create federation protocol object and tie to the Identity Provider. diff --git a/keystoneclient/v3/contrib/federation/saml.py b/keystoneclient/v3/contrib/federation/saml.py new file mode 100644 index 000000000..435e45dc6 --- /dev/null +++ b/keystoneclient/v3/contrib/federation/saml.py @@ -0,0 +1,79 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +SAML2_ENDPOINT = '/auth/OS-FEDERATION/saml2' +ECP_ENDPOINT = '/auth/OS-FEDERATION/saml2/ecp' + + +class SamlManager(base.Manager): + """Manager class for creating SAML assertions.""" + + def create_saml_assertion(self, service_provider, token_id): + """Create a SAML assertion from a token. + + Equivalent Identity API call: + POST /auth/OS-FEDERATION/saml2 + + :param service_provider: Service Provider resource. + :type service_provider: string + :param token_id: Token to transform to SAML assertion. + :type token_id: string + + :returns: SAML representation of token_id + :rtype: string + """ + headers, body = self._create_common_request(service_provider, token_id) + resp, body = self.client.post(SAML2_ENDPOINT, json=body, + headers=headers) + return self._prepare_return_value(resp, resp.text) + + def create_ecp_assertion(self, service_provider, token_id): + """Create an ECP wrapped SAML assertion from a token. + + Equivalent Identity API call: + POST /auth/OS-FEDERATION/saml2/ecp + + :param service_provider: Service Provider resource. + :type service_provider: string + :param token_id: Token to transform to SAML assertion. + :type token_id: string + + :returns: SAML representation of token_id, wrapped in ECP envelope + :rtype: string + """ + headers, body = self._create_common_request(service_provider, token_id) + resp, body = self.client.post(ECP_ENDPOINT, json=body, + headers=headers) + return self._prepare_return_value(resp, resp.text) + + def _create_common_request(self, service_provider, token_id): + headers = {'Content-Type': 'application/json'} + body = { + 'auth': { + 'identity': { + 'methods': ['token'], + 'token': { + 'id': token_id + } + }, + 'scope': { + 'service_provider': { + 'id': base.getid(service_provider) + } + } + } + } + + return (headers, body) diff --git a/keystoneclient/v3/contrib/federation/service_providers.py b/keystoneclient/v3/contrib/federation/service_providers.py new file mode 100644 index 000000000..fed1257d1 --- /dev/null +++ b/keystoneclient/v3/contrib/federation/service_providers.py @@ -0,0 +1,103 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +class ServiceProvider(base.Resource): + """Object representing Service Provider container. + + Attributes: + * id: user-defined unique string identifying Service Provider. + * sp_url: the shibboleth endpoint of a Service Provider. + * auth_url: the authentication url of Service Provider. + + """ + + pass + + +class ServiceProviderManager(base.CrudManager): + """Manager class for manipulating Service Providers.""" + + resource_class = ServiceProvider + collection_key = 'service_providers' + key = 'service_provider' + base_url = 'OS-FEDERATION' + + def _build_url_and_put(self, **kwargs): + url = self.build_url(dict_args_in_out=kwargs) + body = {self.key: kwargs} + return self._update(url, body=body, response_key=self.key, + method='PUT') + + def create(self, id, **kwargs): + """Create Service Provider object. + + Utilize Keystone URI: + ``PUT /OS-FEDERATION/service_providers/{id}`` + + :param id: unique id of the service provider. + + """ + return self._build_url_and_put(service_provider_id=id, + **kwargs) + + def get(self, service_provider): + """Fetch Service Provider object. + + Utilize Keystone URI: + ``GET /OS-FEDERATION/service_providers/{id}`` + + :param service_provider: an object with service_provider_id + stored inside. + + """ + return super(ServiceProviderManager, self).get( + service_provider_id=base.getid(service_provider)) + + def list(self, **kwargs): + """List all Service Providers. + + Utilize Keystone URI: + ``GET /OS-FEDERATION/service_providers`` + + """ + return super(ServiceProviderManager, self).list(**kwargs) + + def update(self, service_provider, **kwargs): + """Update the existing Service Provider object on the server. + + Only properties provided to the function are being updated. + + Utilize Keystone URI: + ``PATCH /OS-FEDERATION/service_providers/{id}`` + + :param service_provider: an object with service_provider_id + stored inside. + + """ + return super(ServiceProviderManager, self).update( + service_provider_id=base.getid(service_provider), **kwargs) + + def delete(self, service_provider): + """Delete Service Provider object. + + Utilize Keystone URI: + ``DELETE /OS-FEDERATION/service_providers/{id}`` + + :param service_provider: an object with service_provider_id + stored inside. + + """ + return super(ServiceProviderManager, self).delete( + service_provider_id=base.getid(service_provider)) diff --git a/keystoneclient/v3/contrib/oauth1/access_tokens.py b/keystoneclient/v3/contrib/oauth1/access_tokens.py index ea27797b2..a64c5dddc 100644 --- a/keystoneclient/v3/contrib/oauth1/access_tokens.py +++ b/keystoneclient/v3/contrib/oauth1/access_tokens.py @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -from __future__ import unicode_literals +from keystoneauth1 import plugin from keystoneclient import base from keystoneclient.v3.contrib.oauth1 import utils @@ -28,6 +28,7 @@ class AccessToken(base.Resource): class AccessTokenManager(base.CrudManager): """Manager class for manipulating identity OAuth access tokens.""" + resource_class = AccessToken def create(self, consumer_key, consumer_secret, request_key, @@ -39,8 +40,11 @@ def create(self, consumer_key, consumer_secret, request_key, resource_owner_secret=request_secret, signature_method=oauth1.SIGNATURE_HMAC, verifier=verifier) - url = self.client.auth_url.rstrip("/") + endpoint - url, headers, body = oauth_client.sign(url, http_method='POST') + url = self.client.get_endpoint(interface=plugin.AUTH_INTERFACE).rstrip( + '/') + url, headers, body = oauth_client.sign(url + endpoint, + http_method='POST') resp, body = self.client.post(endpoint, headers=headers) token = utils.get_oauth_token_from_body(resp.content) - return self.resource_class(self, token) + return self._prepare_return_value(resp, + self.resource_class(self, token)) diff --git a/keystoneclient/v3/contrib/oauth1/auth.py b/keystoneclient/v3/contrib/oauth1/auth.py index 028203e0d..bd4a152e2 100644 --- a/keystoneclient/v3/contrib/oauth1/auth.py +++ b/keystoneclient/v3/contrib/oauth1/auth.py @@ -20,18 +20,18 @@ class OAuthMethod(v3.AuthMethod): + """OAuth based authentication method. + + :param string consumer_key: Consumer key. + :param string consumer_secret: Consumer secret. + :param string access_key: Access token key. + :param string access_secret: Access token secret. + """ _method_parameters = ['consumer_key', 'consumer_secret', 'access_key', 'access_secret'] def __init__(self, **kwargs): - """Construct an OAuth based authentication method. - - :param string consumer_key: Consumer key. - :param string consumer_secret: Consumer secret. - :param string access_key: Access token key. - :param string access_secret: Access token secret. - """ super(OAuthMethod, self).__init__(**kwargs) if oauth1 is None: raise NotImplementedError('optional package oauthlib' diff --git a/keystoneclient/v3/contrib/oauth1/consumers.py b/keystoneclient/v3/contrib/oauth1/consumers.py index 25e8ca191..5c81ff47f 100644 --- a/keystoneclient/v3/contrib/oauth1/consumers.py +++ b/keystoneclient/v3/contrib/oauth1/consumers.py @@ -22,11 +22,13 @@ class Consumer(base.Resource): * id: a uuid that identifies the consumer * description: a short description of the consumer """ + pass class ConsumerManager(base.CrudManager): """Manager class for manipulating identity consumers.""" + resource_class = Consumer collection_key = 'consumers' key = 'consumer' diff --git a/keystoneclient/v3/contrib/oauth1/core.py b/keystoneclient/v3/contrib/oauth1/core.py index 36823f02d..4b0278e13 100644 --- a/keystoneclient/v3/contrib/oauth1/core.py +++ b/keystoneclient/v3/contrib/oauth1/core.py @@ -11,6 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +from keystoneclient.i18n import _ from keystoneclient.v3.contrib.oauth1 import access_tokens from keystoneclient.v3.contrib.oauth1 import consumers from keystoneclient.v3.contrib.oauth1 import request_tokens @@ -57,8 +58,9 @@ class OAuthManagerOptionalImportProxy(object): """ def __getattribute__(self, name): + """Return error when name is related to oauthlib and not exist.""" if name in ('access_tokens', 'consumers', 'request_tokens'): raise NotImplementedError( - 'To use %r oauthlib must be installed' % name) + _('To use %r oauthlib must be installed') % name) return super(OAuthManagerOptionalImportProxy, self).__getattribute__(name) diff --git a/keystoneclient/v3/contrib/oauth1/request_tokens.py b/keystoneclient/v3/contrib/oauth1/request_tokens.py index 27d6d34fc..7494e8349 100644 --- a/keystoneclient/v3/contrib/oauth1/request_tokens.py +++ b/keystoneclient/v3/contrib/oauth1/request_tokens.py @@ -11,9 +11,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -from __future__ import unicode_literals +import urllib.parse as urlparse -from six.moves.urllib import parse as urlparse +from keystoneauth1 import plugin from keystoneclient import base from keystoneclient.v3.contrib.oauth1 import utils @@ -37,6 +37,7 @@ def authorize(self, roles): class RequestTokenManager(base.CrudManager): """Manager class for manipulating identity OAuth request tokens.""" + resource_class = RequestToken def authorize(self, request_token, roles): @@ -49,7 +50,6 @@ def authorize(self, request_token, roles): can be exchanged for an access token. :param roles: a list of roles, that will be delegated to the user. """ - request_id = urlparse.quote(base.getid(request_token)) endpoint = utils.OAUTH_PATH + '/authorize/%s' % (request_id) body = {'roles': [{'id': base.getid(r_id)} for r_id in roles]} @@ -57,14 +57,17 @@ def authorize(self, request_token, roles): def create(self, consumer_key, consumer_secret, project): endpoint = utils.OAUTH_PATH + '/request_token' - headers = {'requested_project_id': base.getid(project)} + headers = {'requested-project-id': base.getid(project)} oauth_client = oauth1.Client(consumer_key, client_secret=consumer_secret, signature_method=oauth1.SIGNATURE_HMAC, callback_uri="oob") - url = self.client.auth_url.rstrip("/") + endpoint - url, headers, body = oauth_client.sign(url, http_method='POST', + url = self.client.get_endpoint(interface=plugin.AUTH_INTERFACE).rstrip( + "/") + url, headers, body = oauth_client.sign(url + endpoint, + http_method='POST', headers=headers) resp, body = self.client.post(endpoint, headers=headers) token = utils.get_oauth_token_from_body(resp.content) - return self.resource_class(self, token) + return self._prepare_return_value(resp, + self.resource_class(self, token)) diff --git a/keystoneclient/v3/contrib/oauth1/utils.py b/keystoneclient/v3/contrib/oauth1/utils.py index bf741ab4e..40a0632af 100644 --- a/keystoneclient/v3/contrib/oauth1/utils.py +++ b/keystoneclient/v3/contrib/oauth1/utils.py @@ -11,23 +11,20 @@ # See the License for the specific language governing permissions and # limitations under the License. -import six -from six.moves.urllib import parse as urlparse +import urllib.parse as urlparse OAUTH_PATH = '/OS-OAUTH1' def get_oauth_token_from_body(body): - """Parse the URL response body to retrieve the oauth token key and secret + """Parse the URL response body to retrieve the oauth token key and secret. The response body will look like: 'oauth_token=12345&oauth_token_secret=67890' with 'oauth_expires_at=2013-03-30T05:27:19.463201' possibly there, too. """ - - if six.PY3: - body = body.decode('utf-8') + body = body.decode('utf-8') credentials = urlparse.parse_qs(body) key = credentials['oauth_token'][0] diff --git a/keystoneclient/v3/contrib/simple_cert.py b/keystoneclient/v3/contrib/simple_cert.py new file mode 100644 index 000000000..6b58b27b3 --- /dev/null +++ b/keystoneclient/v3/contrib/simple_cert.py @@ -0,0 +1,44 @@ +# Copyright 2014 IBM Corp. +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +class SimpleCertManager(object): + """Manager for the OS-SIMPLE-CERT extension.""" + + def __init__(self, client): + self._client = client + self.mgr = base.Manager(self._client) + + def get_ca_certificates(self): + """Get CA certificates. + + :returns: PEM-formatted string. + :rtype: str + + """ + resp, body = self._client.get('/OS-SIMPLE-CERT/ca', + authenticated=False) + return self.mgr._prepare_return_value(resp, resp.text) + + def get_certificates(self): + """Get signing certificates. + + :returns: PEM-formatted string. + :rtype: str + + """ + resp, body = self._client.get('/OS-SIMPLE-CERT/certificates', + authenticated=False) + return self.mgr._prepare_return_value(resp, resp.text) diff --git a/keystoneclient/v3/contrib/trusts.py b/keystoneclient/v3/contrib/trusts.py index ed199e6ed..a8ef57909 100644 --- a/keystoneclient/v3/contrib/trusts.py +++ b/keystoneclient/v3/contrib/trusts.py @@ -12,7 +12,8 @@ from keystoneclient import base from keystoneclient import exceptions -from keystoneclient.openstack.common import timeutils +from keystoneclient.i18n import _ +from keystoneclient import utils class Trust(base.Resource): @@ -25,24 +26,27 @@ class Trust(base.Resource): * trustee_user_id: a uuid that identifies the trustee * trustor_user_id: a uuid that identifies the trustor """ + pass class TrustManager(base.CrudManager): """Manager class for manipulating Trusts.""" + resource_class = Trust collection_key = 'trusts' key = 'trust' base_url = '/OS-TRUST' def create(self, trustee_user, trustor_user, role_names=None, - project=None, impersonation=False, expires_at=None, - remaining_uses=None, **kwargs): + role_ids=None, project=None, impersonation=False, + expires_at=None, remaining_uses=None, **kwargs): """Create a Trust. :param string trustee_user: user who is capable of consuming the trust :param string trustor_user: user who's authorization is being delegated :param string role_names: subset of trustor's roles to be granted + :param string role_ids: subset of trustor's roles to be granted :param string project: project which the trustor is delegating :param boolean impersonation: enable explicit impersonation :param datetime.datetime expires_at: expiry time @@ -52,14 +56,18 @@ def create(self, trustee_user, trustor_user, role_names=None, """ # Convert role_names list into list-of-dict API format + roles = [] if role_names: - roles = [{'name': n} for n in role_names] - else: + roles.extend([{'name': n} for n in role_names]) + if role_ids: + roles.extend([{'id': i} for i in role_ids]) + + if not roles: roles = None # Convert datetime.datetime expires_at to iso format string if expires_at: - expires_str = timeutils.isotime(at=expires_at, subsecond=True) + expires_str = utils.isotime(at=expires_at, subsecond=True) else: expires_str = None @@ -74,8 +82,8 @@ def create(self, trustee_user, trustor_user, role_names=None, **kwargs) def update(self): - raise exceptions.MethodNotImplemented('Update not supported' - ' for trusts') + raise exceptions.MethodNotImplemented( + _('Update not supported for trusts')) def list(self, trustee_user=None, trustor_user=None, **kwargs): """List Trusts.""" diff --git a/keystoneclient/v3/credentials.py b/keystoneclient/v3/credentials.py index be28cc51e..70e067001 100644 --- a/keystoneclient/v3/credentials.py +++ b/keystoneclient/v3/credentials.py @@ -15,7 +15,6 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Credential(base.Resource): @@ -23,63 +22,118 @@ class Credential(base.Resource): Attributes: * id: a uuid that identifies the credential + * user_id: user ID to which credential belongs + * type: the type of credential + * blob: the text that represents the credential + * project_id: project ID which limits the scope of the credential """ + pass class CredentialManager(base.CrudManager): """Manager class for manipulating Identity credentials.""" + resource_class = Credential collection_key = 'credentials' key = 'credential' - def _get_data_blob(self, blob, data): - # Ref bug #1259461, the <= 0.4.1 keystoneclient calling convention was - # to pass "data", but the underlying API expects "blob", so - # support both in the python API for backwards compatibility - if blob is not None: - return blob - elif data is not None: - # FIXME(shardy): Passing data is deprecated. Provide an - # appropriate warning. - return data - else: - raise ValueError( - "Credential requires blob to be specified") - - @utils.positional(1, enforcement=utils.positional.WARN) - def create(self, user, type, blob=None, data=None, project=None, **kwargs): + def create(self, user, type, blob, project=None, **kwargs): + """Create a credential. + + :param user: the user to which the credential belongs + :type user: str or :class:`keystoneclient.v3.users.User` + :param str type: the type of the credential, valid values are: + ``ec2``, ``cert`` or ``totp`` + :param str blob: the arbitrary blob of the credential data, to be + parsed according to the type + :param project: the project which limits the scope of the credential, + this attribbute is mandatory if the credential type is + ec2 + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will be passed to the + server + + :returns: the created credential + :rtype: :class:`keystoneclient.v3.credentials.Credential` + + """ return super(CredentialManager, self).create( user_id=base.getid(user), type=type, - blob=self._get_data_blob(blob, data), + blob=blob, project_id=base.getid(project), **kwargs) def get(self, credential): + """Retrieve a credential. + + :param credential: the credential to be retrieved from the server + :type credential: str or + :class:`keystoneclient.v3.credentials.Credential` + + :returns: the specified credential + :rtype: :class:`keystoneclient.v3.credentials.Credential` + + """ return super(CredentialManager, self).get( credential_id=base.getid(credential)) def list(self, **kwargs): """List credentials. - If ``**kwargs`` are provided, then filter credentials with - attributes matching ``**kwargs``. + :param kwargs: If user_id or type is specified then credentials + will be filtered accordingly. + + :returns: a list of credentials + :rtype: list of :class:`keystoneclient.v3.credentials.Credential` + """ return super(CredentialManager, self).list(**kwargs) - @utils.positional(2, enforcement=utils.positional.WARN) - def update(self, credential, user, type=None, blob=None, data=None, - project=None, **kwargs): + def update(self, credential, user, type=None, blob=None, project=None, + **kwargs): + """Update a credential. + + :param credential: the credential to be updated on the server + :type credential: str or + :class:`keystoneclient.v3.credentials.Credential` + :param user: the new user to which the credential belongs + :type user: str or :class:`keystoneclient.v3.users.User` + :param str type: the new type of the credential, valid values are: + ``ec2``, ``cert`` or ``totp`` + :param str blob: the new blob of the credential data + and may be removed in the future release. + :param project: the new project which limits the scope of the + credential, this attribute is mandatory if the + credential type is ec2 + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will be passed to the + server + + :returns: the updated credential + :rtype: :class:`keystoneclient.v3.credentials.Credential` + + """ return super(CredentialManager, self).update( credential_id=base.getid(credential), user_id=base.getid(user), type=type, - blob=self._get_data_blob(blob, data), + blob=blob, project_id=base.getid(project), **kwargs) def delete(self, credential): + """Delete a credential. + + :param credential: the credential to be deleted + :type credential: str or + :class:`keystoneclient.v3.credentials.Credential` + + :returns: response object with 204 status + :rtype: :class:`requests.models.Response` + + """ return super(CredentialManager, self).delete( credential_id=base.getid(credential)) diff --git a/keystoneclient/v3/domain_configs.py b/keystoneclient/v3/domain_configs.py new file mode 100644 index 000000000..4c011bce8 --- /dev/null +++ b/keystoneclient/v3/domain_configs.py @@ -0,0 +1,130 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base +from keystoneclient import exceptions +from keystoneclient.i18n import _ + + +class DomainConfig(base.Resource): + """An object representing a domain config association. + + This resource object does not necessarily contain fixed attributes, as new + attributes are added in the server, they are supported here directly. + The currently supported configs are `identity` and `ldap`. + + """ + + pass + + +class DomainConfigManager(base.Manager): + """Manager class for manipulating domain config associations.""" + + resource_class = DomainConfig + key = 'config' + + def build_url(self, domain): + return '/domains/%s/config' % base.getid(domain) + + def create(self, domain, config): + """Create a config for a domain. + + :param domain: the domain where the config is going to be applied. + :type domain: str or :py:class:`keystoneclient.v3.domains.Domain` + + :param dict config: a dictionary of domain configurations. + + Example of the ``config`` parameter:: + + { + "identity": { + "driver": "ldap" + }, + "ldap": { + "url": "ldap://myldap.com:389/", + "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" + } + } + + :returns: the created domain config returned from server. + :rtype: :class:`keystoneclient.v3.domain_configs.DomainConfig` + + """ + base_url = self.build_url(domain) + body = {self.key: config} + return super(DomainConfigManager, self)._put( + base_url, body=body, response_key=self.key) + + def get(self, domain): + """Get a config for a domain. + + :param domain: the domain for which the config is defined. + :type domain: str or :py:class:`keystoneclient.v3.domains.Domain` + + :returns: the domain config returned from server. + :rtype: :class:`keystoneclient.v3.domain_configs.DomainConfig` + + """ + base_url = self.build_url(domain) + return super(DomainConfigManager, self)._get(base_url, self.key) + + def update(self, domain, config): + """Update a config for a domain. + + :param domain: the domain where the config is going to be updated. + :type domain: str or :py:class:`keystoneclient.v3.domains.Domain` + + :param dict config: a dictionary of domain configurations. + + Example of the ``config`` parameter:: + + { + "identity": { + "driver": "ldap" + }, + "ldap": { + "url": "ldap://myldap.com:389/", + "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" + } + } + + :returns: the updated domain config returned from server. + :rtype: :class:`keystoneclient.v3.domain_configs.DomainConfig` + + """ + base_url = self.build_url(domain) + body = {self.key: config} + return super(DomainConfigManager, self)._patch( + base_url, body=body, response_key=self.key) + + def delete(self, domain): + """Delete a config for a domain. + + :param domain: the domain which the config will be deleted on + the server. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ + base_url = self.build_url(domain) + return super(DomainConfigManager, self)._delete(url=base_url) + + def find(self, **kwargs): + raise exceptions.MethodNotImplemented( + _('Find not supported for domain configs')) + + def list(self, **kwargs): + raise exceptions.MethodNotImplemented( + _('List not supported for domain configs')) diff --git a/keystoneclient/v3/domains.py b/keystoneclient/v3/domains.py index e0d082d07..0f542b8b0 100644 --- a/keystoneclient/v3/domains.py +++ b/keystoneclient/v3/domains.py @@ -15,7 +15,6 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Domain(base.Resource): @@ -23,19 +22,35 @@ class Domain(base.Resource): Attributes: * id: a uuid that identifies the domain + * name: the name of the domain + * description: a description of the domain + * enabled: determines whether the domain is enabled """ + pass class DomainManager(base.CrudManager): """Manager class for manipulating Identity domains.""" + resource_class = Domain collection_key = 'domains' key = 'domain' - @utils.positional(1, enforcement=utils.positional.WARN) def create(self, name, description=None, enabled=True, **kwargs): + """Create a domain. + + :param str name: the name of the domain. + :param str description: a description of the domain. + :param bool enabled: whether the domain is enabled. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created domain returned from server. + :rtype: :class:`keystoneclient.v3.domains.Domain` + + """ return super(DomainManager, self).create( name=name, description=description, @@ -43,14 +58,27 @@ def create(self, name, description=None, enabled=True, **kwargs): **kwargs) def get(self, domain): + """Retrieve a domain. + + :param domain: the domain to be retrieved from the server. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + + :returns: the specified domain returned from server. + :rtype: :class:`keystoneclient.v3.domains.Domain` + + """ return super(DomainManager, self).get( domain_id=base.getid(domain)) def list(self, **kwargs): """List domains. - ``**kwargs`` allows filter criteria to be passed where + :param kwargs: allows filter criteria to be passed where supported by the server. + + :returns: a list of domains. + :rtype: list of :class:`keystoneclient.v3.domains.Domain`. + """ # Ref bug #1267530 we have to pass 0 for False to get the expected # results on all keystone versions @@ -58,9 +86,22 @@ def list(self, **kwargs): kwargs['enabled'] = 0 return super(DomainManager, self).list(**kwargs) - @utils.positional(enforcement=utils.positional.WARN) def update(self, domain, name=None, - description=None, enabled=True, **kwargs): + description=None, enabled=None, **kwargs): + """Update a domain. + + :param domain: the domain to be updated on the server. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param str name: the new name of the domain. + :param str description: the new description of the domain. + :param bool enabled: whether the domain is enabled. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the updated domain returned from server. + :rtype: :class:`keystoneclient.v3.domains.Domain` + + """ return super(DomainManager, self).update( domain_id=base.getid(domain), name=name, @@ -69,5 +110,14 @@ def update(self, domain, name=None, **kwargs) def delete(self, domain): + """Delete a domain. + + :param domain: the domain to be deleted on the server. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(DomainManager, self).delete( domain_id=base.getid(domain)) diff --git a/keystoneclient/v3/ec2.py b/keystoneclient/v3/ec2.py new file mode 100644 index 000000000..d32fbcaa3 --- /dev/null +++ b/keystoneclient/v3/ec2.py @@ -0,0 +1,98 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +class EC2(base.Resource): + """Represents an EC2 resource. + + Attributes: + * id: a string that identifies the EC2 resource. + * user_id: the ID field of a pre-existing user in the backend. + * project_id: the ID field of a pre-existing project in the backend. + * access: a string representing access key of the access/secret pair. + * secret: a string representing the secret of the access/secret pair. + + """ + + def __repr__(self): + """Return string representation of EC2 resource information.""" + return "" % self._info + + +class EC2Manager(base.ManagerWithFind): + + resource_class = EC2 + + def create(self, user_id, project_id): + """Create a new access/secret pair. + + :param user_id: the ID of the user having access/secret pair. + :type user_id: str or :class:`keystoneclient.v3.users.User` + :param project_id: the ID of the project having access/secret pair. + :type project_id: str or :class:`keystoneclient.v3.projects.Project` + + :returns: the created access/secret pair returned from server. + :rtype: :class:`keystoneclient.v3.ec2.EC2` + + """ + # NOTE(jamielennox): Yes, this uses tenant_id as a key even though we + # are in the v3 API. + return self._post('/users/%s/credentials/OS-EC2' % user_id, + body={'tenant_id': project_id}, + response_key="credential") + + def get(self, user_id, access): + """Retrieve an access/secret pair for a given access key. + + :param user_id: the ID of the user whose access/secret pair will be + retrieved from the server. + :type user_id: str or :class:`keystoneclient.v3.users.User` + :param str access: the access key whose access/secret pair will be + retrieved from the server. + + :returns: the specified access/secret pair returned from server. + :rtype: :class:`keystoneclient.v3.ec2.EC2` + + """ + url = "/users/%s/credentials/OS-EC2/%s" % (user_id, base.getid(access)) + return self._get(url, response_key="credential") + + def list(self, user_id): + """List access/secret pairs for a given user. + + :param str user_id: the ID of the user having access/secret pairs will + be listed. + + :returns: a list of access/secret pairs. + :rtype: list of :class:`keystoneclient.v3.ec2.EC2` + + """ + return self._list("/users/%s/credentials/OS-EC2" % user_id, + response_key="credentials") + + def delete(self, user_id, access): + """Delete an access/secret pair. + + :param user_id: the ID of the user whose access/secret pair will be + deleted on the server. + :type user_id: str or :class:`keystoneclient.v3.users.User` + :param str access: the access key whose access/secret pair will be + deleted on the server. + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ + return self._delete("/users/%s/credentials/OS-EC2/%s" % + (user_id, base.getid(access))) diff --git a/keystoneclient/v3/endpoint_groups.py b/keystoneclient/v3/endpoint_groups.py new file mode 100644 index 000000000..f8b47c4d6 --- /dev/null +++ b/keystoneclient/v3/endpoint_groups.py @@ -0,0 +1,136 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +class EndpointGroup(base.Resource): + """Represents an identity endpoint group. + + Attributes: + * id: a UUID that identifies the endpoint group + * name: the endpoint group name + * description: the endpoint group description + * filters: representation of filters in the format of JSON that define + what endpoint entities are part of the group + + """ + + pass + + +class EndpointGroupManager(base.CrudManager): + """Manager class for Endpoint Groups.""" + + resource_class = EndpointGroup + collection_key = 'endpoint_groups' + key = 'endpoint_group' + base_url = 'OS-EP-FILTER' + + def create(self, name, filters, description=None, **kwargs): + """Create an endpoint group. + + :param str name: the name of the endpoint group. + :param str filters: representation of filters in the format of JSON + that define what endpoint entities are part of the + group. + :param str description: a description of the endpoint group. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created endpoint group returned from server. + :rtype: :class:`keystoneclient.v3.endpoint_groups.EndpointGroup` + + """ + return super(EndpointGroupManager, self).create( + name=name, + filters=filters, + description=description, + **kwargs) + + def get(self, endpoint_group): + """Retrieve an endpoint group. + + :param endpoint_group: the endpoint group to be retrieved from the + server. + :type endpoint_group: + str or :class:`keystoneclient.v3.endpoint_groups.EndpointGroup` + + :returns: the specified endpoint group returned from server. + :rtype: :class:`keystoneclient.v3.endpoint_groups.EndpointGroup` + + """ + return super(EndpointGroupManager, self).get( + endpoint_group_id=base.getid(endpoint_group)) + + def check(self, endpoint_group): + """Check if an endpoint group exists. + + :param endpoint_group: the endpoint group to be checked against the + server. + :type endpoint_group: + str or :class:`keystoneclient.v3.endpoint_groups.EndpointGroup` + + :returns: none if the specified endpoint group exists. + + """ + return super(EndpointGroupManager, self).head( + endpoint_group_id=base.getid(endpoint_group)) + + def list(self, **kwargs): + """List endpoint groups. + + Any parameter provided will be passed to the server. + + :returns: a list of endpoint groups. + :rtype: list of + :class:`keystoneclient.v3.endpoint_groups.EndpointGroup`. + + """ + return super(EndpointGroupManager, self).list(**kwargs) + + def update(self, endpoint_group, name=None, filters=None, + description=None, **kwargs): + """Update an endpoint group. + + :param str name: the new name of the endpoint group. + :param str filters: the new representation of filters in the format of + JSON that define what endpoint entities are part of + the group. + :param str description: the new description of the endpoint group. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the updated endpoint group returned from server. + :rtype: :class:`keystoneclient.v3.endpoint_groups.EndpointGroup` + + """ + return super(EndpointGroupManager, self).update( + endpoint_group_id=base.getid(endpoint_group), + name=name, + filters=filters, + description=description, + **kwargs) + + def delete(self, endpoint_group): + """Delete an endpoint group. + + :param endpoint_group: the endpoint group to be deleted on the server. + :type endpoint_group: + str or :class:`keystoneclient.v3.endpoint_groups.EndpointGroup` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ + return super(EndpointGroupManager, self).delete( + endpoint_group_id=base.getid(endpoint_group)) diff --git a/keystoneclient/v3/endpoints.py b/keystoneclient/v3/endpoints.py index 3f9dfbd0a..0452394a5 100644 --- a/keystoneclient/v3/endpoints.py +++ b/keystoneclient/v3/endpoints.py @@ -16,7 +16,7 @@ from keystoneclient import base from keystoneclient import exceptions -from keystoneclient import utils +from keystoneclient.i18n import _ VALID_INTERFACES = ['public', 'admin', 'internal'] @@ -31,27 +31,47 @@ class Endpoint(base.Resource): * region: geographic location of the endpoint * service_id: service to which the endpoint belongs * url: fully qualified service endpoint - * enabled: determines whether the endpoint appears in the catalog + * enabled: determines whether the endpoint appears in the service + catalog """ + pass class EndpointManager(base.CrudManager): """Manager class for manipulating Identity endpoints.""" + resource_class = Endpoint collection_key = 'endpoints' key = 'endpoint' def _validate_interface(self, interface): if interface is not None and interface not in VALID_INTERFACES: - msg = '"interface" must be one of: %s' - msg = msg % ', '.join(VALID_INTERFACES) + msg = _('"interface" must be one of: %s') + msg %= ', '.join(VALID_INTERFACES) raise exceptions.ValidationError(msg) - @utils.positional(1, enforcement=utils.positional.WARN) def create(self, service, url, interface=None, region=None, enabled=True, **kwargs): + """Create an endpoint. + + :param service: the service to which the endpoint belongs. + :type service: str or :class:`keystoneclient.v3.services.Service` + :param str url: the URL of the fully qualified service endpoint. + :param str interface: the network interface of the endpoint. Valid + values are: ``public``, ``admin`` or ``internal``. + :param region: the region to which the endpoint belongs. + :type region: str or :class:`keystoneclient.v3.regions.Region` + :param bool enabled: whether the endpoint is enabled or not, + determining if it appears in the service catalog. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created endpoint returned from server. + :rtype: :class:`keystoneclient.v3.endpoints.Endpoint` + + """ self._validate_interface(interface) return super(EndpointManager, self).create( service_id=base.getid(service), @@ -62,28 +82,70 @@ def create(self, service, url, interface=None, region=None, enabled=True, **kwargs) def get(self, endpoint): + """Retrieve an endpoint. + + :param endpoint: the endpoint to be retrieved from the server. + :type endpoint: str or :class:`keystoneclient.v3.endpoints.Endpoint` + + :returns: the specified endpoint returned from server. + :rtype: :class:`keystoneclient.v3.endpoints.Endpoint` + + """ return super(EndpointManager, self).get( endpoint_id=base.getid(endpoint)) - @utils.positional(enforcement=utils.positional.WARN) def list(self, service=None, interface=None, region=None, enabled=None, - **kwargs): + region_id=None, **kwargs): """List endpoints. - If ``**kwargs`` are provided, then filter endpoints with - attributes matching ``**kwargs``. + :param service: the service of the endpoints to be filtered on. + :type service: str or :class:`keystoneclient.v3.services.Service` + :param str interface: the network interface of the endpoints to be + filtered on. Valid values are: ``public``, + ``admin`` or ``internal``. + :param bool enabled: whether to return enabled or disabled endpoints. + :param str region_id: filter endpoints by the region_id attribute. If + both region and region_id are specified, region + takes precedence. + :param kwargs: any other attribute provided will filter endpoints on. + + :returns: a list of endpoints. + :rtype: list of :class:`keystoneclient.v3.endpoints.Endpoint` + """ + # NOTE(lhcheng): region filter is not supported by keystone, + # region_id should be used instead. Consider removing the + # region argument in the next release. self._validate_interface(interface) return super(EndpointManager, self).list( service_id=base.getid(service), interface=interface, - region=region, + region_id=region_id or base.getid(region), enabled=enabled, **kwargs) - @utils.positional(enforcement=utils.positional.WARN) def update(self, endpoint, service=None, url=None, interface=None, region=None, enabled=None, **kwargs): + """Update an endpoint. + + :param endpoint: the endpoint to be updated on the server. + :type endpoint: str or :class:`keystoneclient.v3.endpoints.Endpoint` + :param service: the new service to which the endpoint belongs. + :type service: str or :class:`keystoneclient.v3.services.Service` + :param str url: the new URL of the fully qualified service endpoint. + :param str interface: the new network interface of the endpoint. Valid + values are: ``public``, ``admin`` or ``internal``. + :param region: the new region to which the endpoint belongs. + :type region: str or :class:`keystoneclient.v3.regions.Region` + :param bool enabled: determining if the endpoint appears in the service + catalog by enabling or disabling it. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the updated endpoint returned from server. + :rtype: :class:`keystoneclient.v3.endpoints.Endpoint` + + """ self._validate_interface(interface) return super(EndpointManager, self).update( endpoint_id=base.getid(endpoint), @@ -95,5 +157,14 @@ def update(self, endpoint, service=None, url=None, interface=None, **kwargs) def delete(self, endpoint): + """Delete an endpoint. + + :param endpoint: the endpoint to be deleted on the server. + :type endpoint: str or :class:`keystoneclient.v3.endpoints.Endpoint` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(EndpointManager, self).delete( endpoint_id=base.getid(endpoint)) diff --git a/keystoneclient/v3/groups.py b/keystoneclient/v3/groups.py index a998323fa..843ad0028 100644 --- a/keystoneclient/v3/groups.py +++ b/keystoneclient/v3/groups.py @@ -15,7 +15,6 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Group(base.Resource): @@ -27,7 +26,7 @@ class Group(base.Resource): * description: group description """ - @utils.positional(enforcement=utils.positional.WARN) + def update(self, name=None, description=None): kwargs = { 'name': name if name is not None else self.name, @@ -47,27 +46,43 @@ def update(self, name=None, description=None): class GroupManager(base.CrudManager): """Manager class for manipulating Identity groups.""" + resource_class = Group collection_key = 'groups' key = 'group' - @utils.positional(1, enforcement=utils.positional.WARN) def create(self, name, domain=None, description=None, **kwargs): + """Create a group. + + :param str name: the name of the group. + :param domain: the domain of the group. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param str description: a description of the group. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created group returned from server. + :rtype: :class:`keystoneclient.v3.groups.Group` + + """ return super(GroupManager, self).create( name=name, domain_id=base.getid(domain), description=description, **kwargs) - @utils.positional(enforcement=utils.positional.WARN) def list(self, user=None, domain=None, **kwargs): """List groups. - If domain or user is provided, then filter groups with - that attribute. + :param user: the user of the groups to be filtered on. + :type user: str or :class:`keystoneclient.v3.users.User` + :param domain: the domain of the groups to be filtered on. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param kwargs: any other attribute provided will filter groups on. + + :returns: a list of groups. + :rtype: list of :class:`keystoneclient.v3.groups.Group`. - If ``**kwargs`` are provided, then filter groups with - attributes matching ``**kwargs``. """ if user: base_url = '/users/%s' % base.getid(user) @@ -79,11 +94,31 @@ def list(self, user=None, domain=None, **kwargs): **kwargs) def get(self, group): + """Retrieve a group. + + :param group: the group to be retrieved from the server. + :type group: str or :class:`keystoneclient.v3.groups.Group` + + :returns: the specified group returned from server. + :rtype: :class:`keystoneclient.v3.groups.Group` + + """ return super(GroupManager, self).get( group_id=base.getid(group)) - @utils.positional(enforcement=utils.positional.WARN) def update(self, group, name=None, description=None, **kwargs): + """Update a group. + + :param group: the group to be updated on the server. + :type group: str or :class:`keystoneclient.v3.groups.Group` + :param str name: the new name of the group. + :param str description: the new description of the group. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the updated group returned from server. + :rtype: :class:`keystoneclient.v3.groups.Group` + + """ return super(GroupManager, self).update( group_id=base.getid(group), name=name, @@ -91,5 +126,14 @@ def update(self, group, name=None, description=None, **kwargs): **kwargs) def delete(self, group): + """Delete a group. + + :param group: the group to be deleted on the server. + :type group: str or :class:`keystoneclient.v3.groups.Group` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(GroupManager, self).delete( group_id=base.getid(group)) diff --git a/keystoneclient/v3/limits.py b/keystoneclient/v3/limits.py new file mode 100644 index 000000000..52b1b886c --- /dev/null +++ b/keystoneclient/v3/limits.py @@ -0,0 +1,150 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +class Limit(base.Resource): + """Represents a project limit. + + Attributes: + * id: a UUID that identifies the project limit + * service_id: a UUID that identifies the service for the limit + * region_id: a UUID that identifies the region for the limit + * project_id: a UUID that identifies the project for the limit + * resource_name: the name of the resource to limit + * resource_limit: the limit to apply to the project + * description: a description for the project limit + + """ + + pass + + +class LimitManager(base.CrudManager): + """Manager class for project limits.""" + + resource_class = Limit + collection_key = 'limits' + key = 'limit' + + def create(self, project, service, resource_name, resource_limit, + description=None, region=None, **kwargs): + """Create a project-specific limit. + + :param project: the project to create a limit for. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param service: the service that owns the resource to limit. + :type service: str or :class:`keystoneclient.v3.services.Service` + :param resource_name: the name of the resource to limit + :type resource_name: str + :param resource_limit: the quantity of the limit + :type resource_limit: int + :param description: a description of the limit + :type description: str + :param region: region the limit applies to + :type region: str or :class:`keystoneclient.v3.regions.Region` + + :returns: a reference of the created limit + :rtype: :class:`keystoneclient.v3.limits.Limit` + + """ + limit_data = base.filter_none( + project_id=base.getid(project), + service_id=base.getid(service), + resource_name=resource_name, + resource_limit=resource_limit, + description=description, + region_id=base.getid(region), + **kwargs + ) + body = {self.collection_key: [limit_data]} + resp, body = self.client.post('/limits', body=body) + limit = body[self.collection_key].pop() + return self._prepare_return_value(resp, + self.resource_class( + self, limit)) + + def update(self, limit, project=None, service=None, resource_name=None, + resource_limit=None, description=None, **kwargs): + """Update a project-specific limit. + + :param limit: a limit to update + :param project: the project ID of the limit to update + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param resource_limit: the limit of the limit's resource to update + :type: resource_limit: int + :param description: a description of the limit + :type description: str + + :returns: a reference of the updated limit. + :rtype: :class:`keystoneclient.v3.limits.Limit` + + """ + return super(LimitManager, self).update( + limit_id=base.getid(limit), + project_id=base.getid(project), + service_id=base.getid(service), + resource_name=resource_name, + resource_limit=resource_limit, + description=description, + **kwargs + ) + + def get(self, limit): + """Retrieve a project limit. + + :param limit: + the project-specific limit to be retrieved. + :type limit: + str or :class:`keystoneclient.v3.limit.Limit` + + :returns: a project-specific limit + :rtype: :class:`keystoneclient.v3.limit.Limit` + + """ + return super(LimitManager, self).get(limit_id=base.getid(limit)) + + def list(self, service=None, region=None, resource_name=None, **kwargs): + """List project-specific limits. + + Any parameter provided will be passed to the server as a filter + + :param service: service to filter limits by + :type service: UUID or :class:`keystoneclient.v3.services.Service` + :param region: region to filter limits by + :type region: UUID or :class:`keystoneclient.v3.regions.Region` + :param resource_name: the name of the resource to filter limits by + :type resource_name: str + + :returns: a list of project-specific limits. + :rtype: list of :class:`keystoneclient.v3.limits.Limit` + + """ + return super(LimitManager, self).list( + service_id=base.getid(service), + region_id=base.getid(region), + resource_name=resource_name, + **kwargs + ) + + def delete(self, limit): + """Delete a project-specific limit. + + :param limit: the project-specific limit to be deleted. + :type limit: str or :class:`keystoneclient.v3.limit.Limit` + + :returns: Response object with 204 status + :rtype: :class:`requests.models.Response` + + """ + return super(LimitManager, self).delete(limit_id=base.getid(limit)) diff --git a/keystoneclient/v3/policies.py b/keystoneclient/v3/policies.py index 78cad9376..32de94e91 100644 --- a/keystoneclient/v3/policies.py +++ b/keystoneclient/v3/policies.py @@ -15,7 +15,6 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Policy(base.Resource): @@ -24,10 +23,10 @@ class Policy(base.Resource): Attributes: * id: a uuid that identifies the policy * blob: a policy document (blob) - * type: the mime type of the policy blob + * type: the MIME type of the policy blob """ - @utils.positional(enforcement=utils.positional.WARN) + def update(self, blob=None, type=None): kwargs = { 'blob': blob if blob is not None else self.blob, @@ -45,37 +44,82 @@ def update(self, blob=None, type=None): class PolicyManager(base.CrudManager): """Manager class for manipulating Identity policies.""" + resource_class = Policy collection_key = 'policies' key = 'policy' - @utils.positional(1, enforcement=utils.positional.WARN) def create(self, blob, type='application/json', **kwargs): + """Create a policy. + + :param str blob: the policy document. + :param str type: the MIME type of the policy blob. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created policy returned from server. + :rtype: :class:`keystoneclient.v3.policies.Policy` + + """ return super(PolicyManager, self).create( blob=blob, type=type, **kwargs) def get(self, policy): + """Retrieve a policy. + + :param policy: the policy to be retrieved from the server. + :type policy: str or :class:`keystoneclient.v3.policies.Policy` + + :returns: the specified policy returned from server. + :rtype: :class:`keystoneclient.v3.policies.Policy` + + """ return super(PolicyManager, self).get( policy_id=base.getid(policy)) def list(self, **kwargs): """List policies. - ``**kwargs`` allows filter criteria to be passed where - supported by the server. + :param kwargs: allows filter criteria to be passed where + supported by the server. + + :returns: a list of policies. + :rtype: list of :class:`keystoneclient.v3.policies.Policy`. + """ return super(PolicyManager, self).list(**kwargs) - @utils.positional(enforcement=utils.positional.WARN) - def update(self, entity, blob=None, type=None, **kwargs): + def update(self, policy, blob=None, type=None, **kwargs): + """Update a policy. + + :param policy: the policy to be updated on the server. + :type policy: str or :class:`keystoneclient.v3.policies.Policy` + :param str blob: the new policy document. + :param str type: the new MIME type of the policy blob. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the updated policy returned from server. + :rtype: :class:`keystoneclient.v3.policies.Policy` + + """ return super(PolicyManager, self).update( - policy_id=base.getid(entity), + policy_id=base.getid(policy), blob=blob, type=type, **kwargs) def delete(self, policy): + """Delete a policy. + + :param policy: the policy to be deleted on the server. + :type policy: str or :class:`keystoneclient.v3.policies.Policy` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(PolicyManager, self).delete( policy_id=base.getid(policy)) diff --git a/keystoneclient/v3/projects.py b/keystoneclient/v3/projects.py index ffc9f3233..4ba94bf03 100644 --- a/keystoneclient/v3/projects.py +++ b/keystoneclient/v3/projects.py @@ -14,8 +14,11 @@ # License for the specific language governing permissions and limitations # under the License. +import urllib.parse + from keystoneclient import base -from keystoneclient import utils +from keystoneclient import exceptions +from keystoneclient.i18n import _ class Project(base.Resource): @@ -26,9 +29,14 @@ class Project(base.Resource): * name: project name * description: project description * enabled: boolean to indicate if project is enabled + * parent_id: a uuid representing this project's parent in hierarchy + * parents: a list or a structured dict containing the parents of this + project in the hierarchy + * subtree: a list or a structured dict containing the subtree of this + project in the hierarchy """ - @utils.positional(enforcement=utils.positional.WARN) + def update(self, name=None, description=None, enabled=None): kwargs = { 'name': name if name is not None else self.name, @@ -46,15 +54,57 @@ def update(self, name=None, description=None, enabled=None): return retval + def add_tag(self, tag): + self.manager.add_tag(self, tag) + + def update_tags(self, tags): + return self.manager.update_tags(self, tags) + + def delete_tag(self, tag): + self.manager.delete_tag(self, tag) + + def delete_all_tags(self): + return self.manager.update_tags(self, []) + + def list_tags(self): + return self.manager.list_tags(self) + + def check_tag(self, tag): + return self.manager.check_tag(self, tag) + class ProjectManager(base.CrudManager): """Manager class for manipulating Identity projects.""" + resource_class = Project collection_key = 'projects' key = 'project' - @utils.positional(1, enforcement=utils.positional.WARN) - def create(self, name, domain, description=None, enabled=True, **kwargs): + def create(self, name, domain, description=None, + enabled=True, parent=None, **kwargs): + """Create a project. + + :param str name: the name of the project. + :param domain: the domain of the project. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param str description: the description of the project. + :param bool enabled: whether the project is enabled. + :param parent: the parent of the project in the hierarchy. + :type parent: str or :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created project returned from server. + :rtype: :class:`keystoneclient.v3.projects.Project` + + """ + # NOTE(rodrigods): the API must be backwards compatible, so if an + # application was passing a 'parent_id' before as kwargs, the call + # should not fail. If both 'parent' and 'parent_id' are provided, + # 'parent' will be preferred. + if parent: + kwargs['parent_id'] = base.getid(parent) + return super(ProjectManager, self).create( domain_id=base.getid(domain), name=name, @@ -62,29 +112,137 @@ def create(self, name, domain, description=None, enabled=True, **kwargs): enabled=enabled, **kwargs) - @utils.positional(enforcement=utils.positional.WARN) - def list(self, domain=None, user=None, **kwargs): + def list(self, domain=None, user=None, parent=None, **kwargs): """List projects. - If domain or user are provided, then filter projects with - those attributes. + :param domain: the domain of the projects to be filtered on. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param user: filter in projects the specified user has role + assignments on. + :type user: str or :class:`keystoneclient.v3.users.User` + :param parent: filter in projects the specified project is a parent + for + :type parent: str or :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will filter projects on. + Project tags filter keyword: ``tags``, ``tags_any``, + ``not_tags``, and ``not_tags_any``. tag attribute type + string. Pass in a comma separated string to filter + with multiple tags. + + :returns: a list of projects. + :rtype: list of :class:`keystoneclient.v3.projects.Project` - If ``**kwargs`` are provided, then filter projects with - attributes matching ``**kwargs``. """ base_url = '/users/%s' % base.getid(user) if user else None - return super(ProjectManager, self).list( + projects = super(ProjectManager, self).list( base_url=base_url, domain_id=base.getid(domain), + parent_id=base.getid(parent), + fallback_to_auth=True, **kwargs) - def get(self, project): - return super(ProjectManager, self).get( - project_id=base.getid(project)) + base_response = None + list_data = projects + if self.client.include_metadata: + base_response = projects + list_data = projects.data + base_response.data = list_data + + for p in list_data: + p.tags = getattr(p, 'tags', []) + + if self.client.include_metadata: + base_response.data = list_data + + return base_response if self.client.include_metadata else list_data + + def _check_not_parents_as_ids_and_parents_as_list(self, parents_as_ids, + parents_as_list): + if parents_as_ids and parents_as_list: + msg = _('Specify either parents_as_ids or parents_as_list ' + 'parameters, not both') + raise exceptions.ValidationError(msg) + + def _check_not_subtree_as_ids_and_subtree_as_list(self, subtree_as_ids, + subtree_as_list): + if subtree_as_ids and subtree_as_list: + msg = _('Specify either subtree_as_ids or subtree_as_list ' + 'parameters, not both') + raise exceptions.ValidationError(msg) + + def get(self, project, subtree_as_list=False, parents_as_list=False, + subtree_as_ids=False, parents_as_ids=False): + """Retrieve a project. + + :param project: the project to be retrieved from the server. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param bool subtree_as_list: retrieve projects below this project in + the hierarchy as a flat list. It only + includes the projects in which the current + user has role assignments on. + :param bool parents_as_list: retrieve projects above this project in + the hierarchy as a flat list. It only + includes the projects in which the current + user has role assignments on. + :param bool subtree_as_ids: retrieve the IDs from the projects below + this project in the hierarchy as a + structured dictionary. + :param bool parents_as_ids: retrieve the IDs from the projects above + this project in the hierarchy as a + structured dictionary. + :returns: the specified project returned from server. + :rtype: :class:`keystoneclient.v3.projects.Project` + + :raises keystoneclient.exceptions.ValidationError: if subtree_as_list + and subtree_as_ids or parents_as_list and parents_as_ids are + included at the same time in the call. + + """ + self._check_not_parents_as_ids_and_parents_as_list( + parents_as_ids, parents_as_list) + self._check_not_subtree_as_ids_and_subtree_as_list( + subtree_as_ids, subtree_as_list) + + # According to the API spec, the query params are key only + query_params = [] + if subtree_as_list: + query_params.append('subtree_as_list') + if subtree_as_ids: + query_params.append('subtree_as_ids') + if parents_as_list: + query_params.append('parents_as_list') + if parents_as_ids: + query_params.append('parents_as_ids') + + query = self.build_key_only_query(query_params) + dict_args = {'project_id': base.getid(project)} + url = self.build_url(dict_args_in_out=dict_args) + p = self._get(url + query, self.key) + p.tags = getattr(p, 'tags', []) + return p + + def find(self, **kwargs): + p = super(ProjectManager, self).find(**kwargs) + p.tags = getattr(p, 'tags', []) + return p - @utils.positional(enforcement=utils.positional.WARN) def update(self, project, name=None, domain=None, description=None, enabled=None, **kwargs): + """Update a project. + + :param project: the project to be updated on the server. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param str name: the new name of the project. + :param domain: the new domain of the project. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param str description: the new description of the project. + :param bool enabled: whether the project is enabled. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the updated project returned from server. + :rtype: :class:`keystoneclient.v3.projects.Project` + + """ return super(ProjectManager, self).update( project_id=base.getid(project), domain_id=base.getid(domain), @@ -94,5 +252,84 @@ def update(self, project, name=None, domain=None, description=None, **kwargs) def delete(self, project): + """Delete a project. + + :param project: the project to be deleted on the server. + :type project: str or :class:`keystoneclient.v3.projects.Project` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(ProjectManager, self).delete( project_id=base.getid(project)) + + def add_tag(self, project, tag): + """Add a tag to a project. + + :param project: project to add a tag to. + :param tag: str name of tag. + + """ + url = "/projects/%s/tags/%s" % (base.getid(project), + urllib.parse.quote(tag)) + return self._put(url) + + def update_tags(self, project, tags): + """Update tag list of a project. + + Replaces current tag list with list specified in tags parameter. + + :param project: project to update. + :param tags: list of str tag names to add to the project + + :returns: list of tags + + """ + url = "/projects/%s/tags" % base.getid(project) + for tag in tags: + tag = urllib.parse.quote(tag) + resp, body = self.client.put(url, body={"tags": tags}) + return self._prepare_return_value(resp, body['tags']) + + def delete_tag(self, project, tag): + """Remove tag from project. + + :param projectd: project to remove tag from. + :param tag: str name of tag to remove from project + + """ + return self._delete( + "/projects/%s/tags/%s" % (base.getid(project), + urllib.parse.quote(tag))) + + def list_tags(self, project): + """List tags associated with project. + + :param project: project to list tags for. + + :returns: list of str tag names + + """ + url = "/projects/%s/tags" % base.getid(project) + resp, body = self.client.get(url) + return self._prepare_return_value(resp, body['tags']) + + def check_tag(self, project, tag): + """Check if tag is associated with project. + + :param project: project to check tags for. + :param tag: str name of tag + + :returns: true if tag is associated, false otherwise + + """ + url = "/projects/%s/tags/%s" % (base.getid(project), + urllib.parse.quote(tag)) + try: + resp, body = self.client.head(url) + # no errors means found the tag + return self._prepare_return_value(resp, True) + except exceptions.HttpError as ex: + # return false with request_id if include_metadata=True + return self._prepare_return_value(ex.response, False) diff --git a/keystoneclient/v3/regions.py b/keystoneclient/v3/regions.py index de925e34d..0538a6656 100644 --- a/keystoneclient/v3/regions.py +++ b/keystoneclient/v3/regions.py @@ -10,6 +10,7 @@ # License for the specific language governing permissions and limitations # under the License. +from debtcollector import removals from keystoneclient import base @@ -18,34 +19,43 @@ class Region(base.Resource): Attributes: * id: a string that identifies the region. - * description: a string that describes the region. Optional. - * parent_region_id: string that is the id field for an pre-existing - region in the backend. Allows for hierarchical region - organization + * description: a string that describes the region. + * parent_region_id: a pre-existing region in the backend or its ID + field. Allows for hierarchical region organization. * enabled: determines whether the endpoint appears in the catalog. - Defaults to True """ + pass class RegionManager(base.CrudManager): - """Manager class for manipulating Identity endpoints.""" + """Manager class for manipulating Identity regions.""" + resource_class = Region collection_key = 'regions' key = 'region' + @removals.removed_kwarg( + 'enabled', + message='The enabled parameter is deprecated.', + version='3.18.0', + removal_version='4.0.0') def create(self, id=None, description=None, enabled=True, parent_region=None, **kwargs): - """Create a Catalog region. + """Create a region. - :param id: a string that identifies the region. If not specified - a unique identifier will be assigned to the region. - :param description: a string that describes the region. - :param parent_region: string that is the id field for a - pre-existing region in the backend. Allows for hierarchical - region organization. - :param enabled: determines whether the endpoint appears in the - catalog. + :param str id: the unique identifier of the region. If not specified an + ID will be created by the server. + :param str description: the description of the region. + :param bool enabled: whether the region is enabled or not, determining + if it appears in the catalog. + :param parent_region: the parent of the region in the hierarchy. + :type parent_region: str or :class:`keystoneclient.v3.regions.Region` + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created region returned from server. + :rtype: :class:`keystoneclient.v3.regions.Region` """ return super(RegionManager, self).create( @@ -53,29 +63,50 @@ def create(self, id=None, description=None, enabled=True, parent_region_id=base.getid(parent_region), **kwargs) def get(self, region): + """Retrieve a region. + + :param region: the region to be retrieved from the server. + :type region: str or :class:`keystoneclient.v3.regions.Region` + + :returns: the specified region returned from server. + :rtype: :class:`keystoneclient.v3.regions.Region` + + """ return super(RegionManager, self).get( region_id=base.getid(region)) def list(self, **kwargs): """List regions. - If ``**kwargs`` are provided, then filter regions with - attributes matching ``**kwargs``. + :param kwargs: any attributes provided will filter regions on. + + :returns: a list of regions. + :rtype: list of :class:`keystoneclient.v3.regions.Region`. + """ return super(RegionManager, self).list( **kwargs) - def update(self, region, description=None, enabled=True, + @removals.removed_kwarg( + 'enabled', + message='The enabled parameter is deprecated.', + version='3.18.0', + removal_version='4.0.0') + def update(self, region, description=None, enabled=None, parent_region=None, **kwargs): - """Update a Catalog region. + """Update a region. - :param region: a string that identifies the region. - :param description: a string that describes the region. - :param parent_region: string that is the id field for a - pre-existing region in the backend. Allows for hierarchical - region organization. - :param enabled: determines whether the endpoint appears in the - catalog. Defaults to True + :param region: the region to be updated on the server. + :type region: str or :class:`keystoneclient.v3.regions.Region` + :param str description: the new description of the region. + :param bool enabled: determining if the region appears in the catalog + by enabling or disabling it. + :param parent_region: the new parent of the region in the hierarchy. + :type parent_region: str or :class:`keystoneclient.v3.regions.Region` + :param kwargs: any other attribute provided will be passed to server. + + :returns: the updated region returned from server. + :rtype: :class:`keystoneclient.v3.regions.Region` """ return super(RegionManager, self).update( @@ -86,5 +117,14 @@ def update(self, region, description=None, enabled=True, **kwargs) def delete(self, region): + """Delete a region. + + :param region: the region to be deleted on the server. + :type region: str or :class:`keystoneclient.v3.regions.Region` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(RegionManager, self).delete( region_id=base.getid(region)) diff --git a/keystoneclient/v3/registered_limits.py b/keystoneclient/v3/registered_limits.py new file mode 100644 index 000000000..088aadc9e --- /dev/null +++ b/keystoneclient/v3/registered_limits.py @@ -0,0 +1,160 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystoneclient import base + + +class RegisteredLimit(base.Resource): + """Represents a registered limit. + + Attributes: + * id: a UUID that identifies the registered limit + * service_id: a UUID that identifies the service for the limit + * region_id: a UUID that identifies the region for the limit + * resource_name: the name of the resource to limit + * default_limit: the default limit for projects to assume + * description: a description of the registered limit + + """ + + pass + + +class RegisteredLimitManager(base.CrudManager): + """Manager class for registered limits.""" + + resource_class = RegisteredLimit + collection_key = 'registered_limits' + key = 'registered_limit' + + def create(self, service, resource_name, default_limit, + description=None, region=None, **kwargs): + """Create a registered limit. + + :param service: a UUID that identifies the service for the limit. + :type service: str + :param resource_name: the name of the resource to limit. + :type resource_name: str + :param default_limit: the default limit for projects to assume. + :type default_limit: int + :param description: a string that describes the limit + :type description: str + :param region: a UUID that identifies the region for the limit. + :type region: str + + :returns: a reference of the created registered limit. + :rtype: :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + + """ + # NOTE(lbragstad): Keystone's registered limit API supports creation of + # limits in batches. This client accepts a single limit and passes it + # to the identity service as a list of a single item. + limit_data = base.filter_none( + service_id=base.getid(service), + resource_name=resource_name, + default_limit=default_limit, + description=description, + region_id=base.getid(region), + **kwargs + ) + body = {self.collection_key: [limit_data]} + resp, body = self.client.post('/registered_limits', body=body) + registered_limit = body[self.collection_key].pop() + return self._prepare_return_value(resp, + self.resource_class( + self, registered_limit)) + + def update(self, registered_limit, service=None, resource_name=None, + default_limit=None, description=None, region=None, **kwargs): + """Update a registered limit. + + :param registered_limit: + the UUID or reference of the registered limit to update. + :param registered_limit: + str or :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + :param service: a UUID that identifies the service for the limit. + :type service: str + :param resource_name: the name of the resource to limit. + :type resource_name: str + :param default_limit: the default limit for projects to assume. + :type default_limit: int + :param description: a string that describes the limit + :type description: str + :param region: a UUID that identifies the region for the limit. + :type region: str + + :returns: a reference of the updated registered limit. + :rtype: :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + + """ + return super(RegisteredLimitManager, self).update( + registered_limit_id=base.getid(registered_limit), + service_id=base.getid(service), + resource_name=resource_name, + default_limit=default_limit, + description=description, + region=region, + **kwargs + ) + + def get(self, registered_limit): + """Retrieve a registered limit. + + :param registered_limit: the registered limit to get. + :type registered_limit: + str or :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + + :returns: a specific registered limit. + :rtype: :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + + """ + return super(RegisteredLimitManager, self).get( + registered_limit_id=base.getid(registered_limit)) + + def list(self, service=None, resource_name=None, region=None, **kwargs): + """List registered limits. + + Any parameter provided will be passed to the server as a filter. + + :param service: filter registered limits by service + :type service: a UUID or :class:`keystoneclient.v3.services.Service` + :param resource_name: filter registered limits by resource name + :type resource_name: str + :param region: filter registered limits by region + :type region: a UUID or :class:`keystoneclient.v3.regions.Region` + + :returns: a list of registered limits. + :rtype: list of + :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + + """ + return super(RegisteredLimitManager, self).list( + service_id=base.getid(service), + resource_name=resource_name, + region_id=base.getid(region), + **kwargs) + + def delete(self, registered_limit): + """Delete a registered limit. + + :param registered_limit: the registered limit to delete. + :type registered_limit: + str or :class:`keystoneclient.v3.registered_limits.RegisteredLimit` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ + registered_limit_id = base.getid(registered_limit) + return super(RegisteredLimitManager, self).delete( + registered_limit_id=registered_limit_id + ) diff --git a/keystoneclient/v3/role_assignments.py b/keystoneclient/v3/role_assignments.py index 5394c3d21..ce1e550a0 100644 --- a/keystoneclient/v3/role_assignments.py +++ b/keystoneclient/v3/role_assignments.py @@ -12,10 +12,10 @@ from keystoneclient import base from keystoneclient import exceptions +from keystoneclient.i18n import _ class RoleAssignment(base.Resource): - """Represents an Identity role assignment. Attributes: @@ -25,29 +25,47 @@ class RoleAssignment(base.Resource): * scope: an object which has either a project or domain object containing an uuid """ + pass class RoleAssignmentManager(base.CrudManager): - """Manager class for manipulating Identity roles assignments.""" + resource_class = RoleAssignment collection_key = 'role_assignments' key = 'role_assignment' def _check_not_user_and_group(self, user, group): if user and group: - msg = 'Specify either a user or group, not both' + msg = _('Specify either a user or group, not both') raise exceptions.ValidationError(msg) def _check_not_domain_and_project(self, domain, project): if domain and project: - msg = 'Specify either a domain or project, not both' + msg = _('Specify either a domain or project, not both') raise exceptions.ValidationError(msg) - def list(self, user=None, group=None, project=None, domain=None, role=None, - effective=False): - """Lists role assignments. + def _check_not_system_and_domain(self, system, domain): + if system and domain: + msg = _('Specify either system or domain, not both') + raise exceptions.ValidationError(msg) + + def _check_not_system_and_project(self, system, project): + if system and project: + msg = _('Specify either system or project, not both') + raise exceptions.ValidationError(msg) + + def _check_system_value(self, system): + if system and system != 'all': + msg = _("Only a system scope of 'all' is currently supported") + raise exceptions.ValidationError(msg) + + def list(self, user=None, group=None, project=None, domain=None, + system=False, role=None, effective=False, + os_inherit_extension_inherited_to=None, include_subtree=False, + include_names=False): + """List role assignments. If no arguments are provided, all role assignments in the system will be listed. @@ -62,13 +80,23 @@ def list(self, user=None, group=None, project=None, domain=None, role=None, (optional) :param domain: Domain to be used as query filter. (optional) + :param system: Boolean to be used to filter system assignments. + (optional) :param role: Role to be used as query filter. (optional) :param boolean effective: return effective role assignments. (optional) + :param string os_inherit_extension_inherited_to: + return inherited role assignments for either 'projects' or + 'domains'. (optional) + :param boolean include_subtree: Include subtree (optional) + :param boolean include_names: Display names instead + of IDs. (optional) """ - self._check_not_user_and_group(user, group) self._check_not_domain_and_project(domain, project) + self._check_not_system_and_domain(system, domain) + self._check_not_system_and_project(system, project) + self._check_system_value(system) query_params = {} if user: @@ -79,33 +107,42 @@ def list(self, user=None, group=None, project=None, domain=None, role=None, query_params['scope.project.id'] = base.getid(project) if domain: query_params['scope.domain.id'] = base.getid(domain) + if system: + query_params['scope.system'] = system if role: query_params['role.id'] = base.getid(role) if effective: query_params['effective'] = effective + if include_names: + query_params['include_names'] = include_names + if os_inherit_extension_inherited_to: + query_params['scope.OS-INHERIT:inherited_to'] = ( + os_inherit_extension_inherited_to) + if include_subtree: + query_params['include_subtree'] = include_subtree return super(RoleAssignmentManager, self).list(**query_params) def create(self, **kwargs): - raise exceptions.MethodNotImplemented('Create not supported for' - ' role assignments') + raise exceptions.MethodNotImplemented( + _('Create not supported for role assignments')) def update(self, **kwargs): - raise exceptions.MethodNotImplemented('Update not supported for' - ' role assignments') + raise exceptions.MethodNotImplemented( + _('Update not supported for role assignments')) def get(self, **kwargs): - raise exceptions.MethodNotImplemented('Get not supported for' - ' role assignments') + raise exceptions.MethodNotImplemented( + _('Get not supported for role assignments')) def find(self, **kwargs): - raise exceptions.MethodNotImplemented('Find not supported for' - ' role assignments') + raise exceptions.MethodNotImplemented( + _('Find not supported for role assignments')) def put(self, **kwargs): - raise exceptions.MethodNotImplemented('Put not supported for' - ' role assignments') + raise exceptions.MethodNotImplemented( + _('Put not supported for role assignments')) def delete(self, **kwargs): - raise exceptions.MethodNotImplemented('Delete not supported for' - ' role assignments') + raise exceptions.MethodNotImplemented( + _('Delete not supported for role assignments')) diff --git a/keystoneclient/v3/roles.py b/keystoneclient/v3/roles.py index 40c624a47..3364bd88b 100644 --- a/keystoneclient/v3/roles.py +++ b/keystoneclient/v3/roles.py @@ -14,9 +14,11 @@ # License for the specific language governing permissions and limitations # under the License. +from debtcollector import removals + from keystoneclient import base from keystoneclient import exceptions -from keystoneclient import utils +from keystoneclient.i18n import _ class Role(base.Resource): @@ -25,18 +27,35 @@ class Role(base.Resource): Attributes: * id: a uuid that identifies the role * name: user-facing identifier + * domain: optional domain for the role + + """ + + pass + + +class InferenceRule(base.Resource): + """Represents a rule that states one role implies another. + + Attributes: + * prior_role: this role implies the other + * implied_role: this role is implied by the other """ + pass class RoleManager(base.CrudManager): """Manager class for manipulating Identity roles.""" + resource_class = Role collection_key = 'roles' key = 'role' + deprecation_msg = 'keystoneclient.v3.roles.InferenceRuleManager' - def _role_grants_base_url(self, user, group, domain, project): + def _role_grants_base_url(self, user, group, system, domain, project, + use_inherit_extension): # When called, we have already checked that only one of user & group # and one of domain & project have been specified params = {} @@ -47,6 +66,21 @@ def _role_grants_base_url(self, user, group, domain, project): elif domain: params['domain_id'] = base.getid(domain) base_url = '/domains/%(domain_id)s' + elif system: + if system == 'all': + base_url = '/system' + else: + # NOTE(lbragstad): If we've made it this far, a user is + # attempting to do something with system scope that isn't + # supported yet (e.g. 'all' is currently the only supported + # system scope). In the future that may change but until then + # we should fail like we would if a user provided a bogus + # project name or domain ID. + msg = _("Only a system scope of 'all' is currently supported") + raise exceptions.ValidationError(msg) + + if use_inherit_extension: + base_url = '/OS-INHERIT' + base_url if user: params['user_id'] = base.getid(user) @@ -57,93 +91,481 @@ def _role_grants_base_url(self, user, group, domain, project): return base_url % params - def _require_domain_xor_project(self, domain, project): - if domain and project: - msg = 'Specify either a domain or project, not both' - raise exceptions.ValidationError(msg) - elif not (domain or project): - msg = 'Must specify either a domain or project' - raise exceptions.ValidationError(msg) + def _enforce_mutually_exclusive_group(self, system, domain, project): + if not system: + if domain and project: + msg = _('Specify either a domain or project, not both') + raise exceptions.ValidationError(msg) + elif not (domain or project): + msg = _('Must specify either system, domain, or project') + raise exceptions.ValidationError(msg) + elif system: + if domain and project: + msg = _( + 'Specify either system, domain, or project, not all three.' + ) + raise exceptions.ValidationError(msg) + if domain: + msg = _('Specify either system or a domain, not both') + raise exceptions.ValidationError(msg) + if project: + msg = _('Specify either a system or project, not both') + raise exceptions.ValidationError(msg) def _require_user_xor_group(self, user, group): if user and group: - msg = 'Specify either a user or group, not both' + msg = _('Specify either a user or group, not both') raise exceptions.ValidationError(msg) elif not (user or group): - msg = 'Must specify either a user or group' + msg = _('Must specify either a user or group') raise exceptions.ValidationError(msg) - @utils.positional(1, enforcement=utils.positional.WARN) - def create(self, name, **kwargs): + def create(self, name, domain=None, **kwargs): + """Create a role. + + :param str name: the name of the role. + :param domain: the domain of the role. If a value is passed it is a + domain-scoped role, otherwise it's a global role. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created role returned from server. + :rtype: :class:`keystoneclient.v3.roles.Role` + + """ + domain_id = None + if domain: + domain_id = base.getid(domain) + return super(RoleManager, self).create( name=name, + domain_id=domain_id, **kwargs) def get(self, role): - return super(RoleManager, self).get( - role_id=base.getid(role)) + """Retrieve a role. - @utils.positional(enforcement=utils.positional.WARN) - def list(self, user=None, group=None, domain=None, project=None, **kwargs): - """Lists roles and role grants. + :param role: the role to be retrieved from the server. + :type role: str or :class:`keystoneclient.v3.roles.Role` - If no arguments are provided, all roles in the system will be - listed. + :returns: the specified role returned from server. + :rtype: :class:`keystoneclient.v3.roles.Role` - If a user or group is specified, you must also specify either a - domain or project to list role grants on that pair. And if - ``**kwargs`` are provided, then also filter roles with - attributes matching ``**kwargs``. """ + return super(RoleManager, self).get(role_id=base.getid(role)) + + def list(self, user=None, group=None, system=None, domain=None, + project=None, os_inherit_extension_inherited=False, **kwargs): + """List roles and role grants. + :param user: filter in role grants for the specified user on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: filter in role grants for the specified group on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type group: str or :class:`keystoneclient.v3.groups.Group` + :param domain: filter in role grants on the specified domain. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param project: filter in role grants on the specified project. Either + user or group must be specified. Project, domain and + system are mutually exclusive. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param bool os_inherit_extension_inherited: OS-INHERIT will be used. + It provides the ability for + projects to inherit role + assignments from their + domains or from parent + projects in the hierarchy. + :param kwargs: any other attribute provided will filter roles on. + + :returns: a list of roles. + :rtype: list of :class:`keystoneclient.v3.roles.Role` + + """ + if os_inherit_extension_inherited: + kwargs['tail'] = '/inherited_to_projects' if user or group: self._require_user_xor_group(user, group) - self._require_domain_xor_project(domain, project) + self._enforce_mutually_exclusive_group(system, domain, project) - return super(RoleManager, self).list( - base_url=self._role_grants_base_url(user, group, - domain, project), - **kwargs) + base_url = self._role_grants_base_url( + user, group, system, domain, project, + os_inherit_extension_inherited + ) + return super(RoleManager, self).list(base_url=base_url, + **kwargs) return super(RoleManager, self).list(**kwargs) - @utils.positional(enforcement=utils.positional.WARN) def update(self, role, name=None, **kwargs): + """Update a role. + + :param role: the role to be updated on the server. + :type role: str or :class:`keystoneclient.v3.roles.Role` + :param str name: the new name of the role. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the updated role returned from server. + :rtype: :class:`keystoneclient.v3.roles.Role` + + """ return super(RoleManager, self).update( role_id=base.getid(role), name=name, **kwargs) def delete(self, role): + """Delete a role. + + When a role is deleted all the role inferences that have deleted role + as prior role will be deleted as well. + + :param role: the role to be deleted on the server. + :type role: str or :class:`keystoneclient.v3.roles.Role` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(RoleManager, self).delete( role_id=base.getid(role)) - @utils.positional(enforcement=utils.positional.WARN) - def grant(self, role, user=None, group=None, domain=None, project=None): - """Grants a role to a user or group on a domain or project.""" - self._require_domain_xor_project(domain, project) + def grant(self, role, user=None, group=None, system=None, domain=None, + project=None, os_inherit_extension_inherited=False, **kwargs): + """Grant a role to a user or group on a domain or project. + + :param role: the role to be granted on the server. + :type role: str or :class:`keystoneclient.v3.roles.Role` + :param user: the specified user to have the role granted on a resource. + Domain or project must be specified. User and group are + mutually exclusive. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: the specified group to have the role granted on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type group: str or :class:`keystoneclient.v3.groups.Group` + :param system: system information to grant the role on. Project, + domain, and system are mutually exclusive. + :type system: str + :param domain: the domain in which the role will be granted. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param project: the project in which the role will be granted. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param bool os_inherit_extension_inherited: OS-INHERIT will be used. + It provides the ability for + projects to inherit role + assignments from their + domains or from parent + projects in the hierarchy. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the granted role returned from server. + :rtype: :class:`keystoneclient.v3.roles.Role` + + """ + self._enforce_mutually_exclusive_group(system, domain, project) self._require_user_xor_group(user, group) - return super(RoleManager, self).put( - base_url=self._role_grants_base_url(user, group, domain, project), - role_id=base.getid(role)) + if os_inherit_extension_inherited: + kwargs['tail'] = '/inherited_to_projects' + + base_url = self._role_grants_base_url( + user, group, system, domain, project, + os_inherit_extension_inherited) + return super(RoleManager, self).put(base_url=base_url, + role_id=base.getid(role), + **kwargs) + + def check(self, role, user=None, group=None, system=None, domain=None, + project=None, os_inherit_extension_inherited=False, **kwargs): + """Check if a user or group has a role on a domain or project. + + :param user: check for role grants for the specified user on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: check for role grants for the specified group on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type group: str or :class:`keystoneclient.v3.groups.Group` + :param system: check for role grants on the system. Project, domain, + and system are mutually exclusive. + :type system: str + :param domain: check for role grants on the specified domain. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param project: check for role grants on the specified project. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param bool os_inherit_extension_inherited: OS-INHERIT will be used. + It provides the ability for + projects to inherit role + assignments from their + domains or from parent + projects in the hierarchy. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the specified role returned from server if it exists. + :rtype: :class:`keystoneclient.v3.roles.Role` - @utils.positional(enforcement=utils.positional.WARN) - def check(self, role, user=None, group=None, domain=None, project=None): - """Checks if a user or group has a role on a domain or project.""" - self._require_domain_xor_project(domain, project) + :returns: Response object with 204 status if specified role + doesn't exist. + :rtype: :class:`requests.models.Response` + + """ + self._enforce_mutually_exclusive_group(system, domain, project) self._require_user_xor_group(user, group) + if os_inherit_extension_inherited: + kwargs['tail'] = '/inherited_to_projects' + + base_url = self._role_grants_base_url( + user, group, system, domain, project, + os_inherit_extension_inherited) return super(RoleManager, self).head( - base_url=self._role_grants_base_url(user, group, domain, project), - role_id=base.getid(role)) + base_url=base_url, + role_id=base.getid(role), + os_inherit_extension_inherited=os_inherit_extension_inherited, + **kwargs) + + def revoke(self, role, user=None, group=None, system=None, domain=None, + project=None, os_inherit_extension_inherited=False, **kwargs): + """Revoke a role from a user or group on a domain or project. - @utils.positional(enforcement=utils.positional.WARN) - def revoke(self, role, user=None, group=None, domain=None, project=None): - """Revokes a role from a user or group on a domain or project.""" - self._require_domain_xor_project(domain, project) + :param user: revoke role grants for the specified user on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: revoke role grants for the specified group on a + resource. Domain or project must be specified. + User and group are mutually exclusive. + :type group: str or :class:`keystoneclient.v3.groups.Group` + :param system: revoke role grants on the system. Project, domain, and + system are mutually exclusive. + :type system: str + :param domain: revoke role grants on the specified domain. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param project: revoke role grants on the specified project. Either + user or group must be specified. Project, domain, and + system are mutually exclusive. + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param bool os_inherit_extension_inherited: OS-INHERIT will be used. + It provides the ability for + projects to inherit role + assignments from their + domains or from parent + projects in the hierarchy. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the revoked role returned from server. + :rtype: list of :class:`keystoneclient.v3.roles.Role` + + """ + self._enforce_mutually_exclusive_group(system, domain, project) self._require_user_xor_group(user, group) + if os_inherit_extension_inherited: + kwargs['tail'] = '/inherited_to_projects' + + base_url = self._role_grants_base_url( + user, group, system, domain, project, + os_inherit_extension_inherited) return super(RoleManager, self).delete( - base_url=self._role_grants_base_url(user, group, domain, project), - role_id=base.getid(role)) + base_url=base_url, + role_id=base.getid(role), + os_inherit_extension_inherited=os_inherit_extension_inherited, + **kwargs) + + @removals.remove(message='Use %s.create instead.' % deprecation_msg, + version='3.9.0', removal_version='4.0.0') + def create_implied(self, prior_role, implied_role, **kwargs): + return InferenceRuleManager(self.client).create(prior_role, + implied_role) + + @removals.remove(message='Use %s.delete instead.' % deprecation_msg, + version='3.9.0', removal_version='4.0.0') + def delete_implied(self, prior_role, implied_role, **kwargs): + return InferenceRuleManager(self.client).delete(prior_role, + implied_role) + + @removals.remove(message='Use %s.get instead.' % deprecation_msg, + version='3.9.0', removal_version='4.0.0') + def get_implied(self, prior_role, implied_role, **kwargs): + return InferenceRuleManager(self.client).get(prior_role, + implied_role) + + @removals.remove(message='Use %s.check instead.' % deprecation_msg, + version='3.9.0', removal_version='4.0.0') + def check_implied(self, prior_role, implied_role, **kwargs): + return InferenceRuleManager(self.client).check(prior_role, + implied_role) + + @removals.remove(message='Use %s.list_inference_roles' % deprecation_msg, + version='3.9.0', removal_version='4.0.0') + def list_role_inferences(self, **kwargs): + return InferenceRuleManager(self.client).list_inference_roles() + + +class InferenceRuleManager(base.CrudManager): + """Manager class for manipulating Identity inference rules.""" + + resource_class = InferenceRule + collection_key = 'role_inferences' + key = 'role_inference' + + def _implied_role_url_tail(self, prior_role, implied_role): + base_url = ('/%(prior_role_id)s/implies/%(implied_role_id)s' % + {'prior_role_id': base.getid(prior_role), + 'implied_role_id': base.getid(implied_role)}) + return base_url + + def create(self, prior_role, implied_role): + """Create an inference rule. + + An inference rule is comprised of two roles, a prior role and an + implied role. The prior role will imply the implied role. + + Valid HTTP return codes: + + * 201: Resource is created successfully + * 404: A role cannot be found + * 409: The inference rule already exists + + :param prior_role: the role which implies ``implied_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + :param implied_role: the role which is implied by ``prior_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + + :returns: a newly created role inference returned from server. + :rtype: :class:`keystoneclient.v3.roles.InferenceRule` + + """ + url_tail = self._implied_role_url_tail(prior_role, implied_role) + _resp, body = self.client.put("/roles" + url_tail) + return self._prepare_return_value( + _resp, self.resource_class(self, body['role_inference'])) + + def delete(self, prior_role, implied_role): + """Delete an inference rule. + + When deleting an inference rule, both roles are required. Note that + neither role is deleted, only the inference relationship is dissolved. + + Valid HTTP return codes: + + * 204: Delete request is accepted + * 404: A role cannot be found + + :param prior_role: the role which implies ``implied_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + :param implied_role: the role which is implied by ``prior_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ + url_tail = self._implied_role_url_tail(prior_role, implied_role) + return self._delete("/roles" + url_tail) + + def get(self, prior_role, implied_role): + """Retrieve an inference rule. + + Valid HTTP return codes: + + * 200: Inference rule is returned + * 404: A role cannot be found + + :param prior_role: the role which implies ``implied_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + :param implied_role: the role which is implied by ``prior_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + + :returns: the specified role inference returned from server. + :rtype: :class:`keystoneclient.v3.roles.InferenceRule` + + """ + url_tail = self._implied_role_url_tail(prior_role, implied_role) + _resp, body = self.client.get("/roles" + url_tail) + return self._prepare_return_value( + _resp, self.resource_class(self, body['role_inference'])) + + def list(self, prior_role): + """List all roles that a role may imply. + + Valid HTTP return codes: + + * 200: List of inference rules are returned + * 404: A role cannot be found + + :param prior_role: the role which implies ``implied_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + + :returns: the specified role inference returned from server. + :rtype: :class:`keystoneclient.v3.roles.InferenceRule` + + """ + url_tail = ('/%s/implies' % base.getid(prior_role)) + _resp, body = self.client.get("/roles" + url_tail) + return self._prepare_return_value( + _resp, self.resource_class(self, body['role_inference'])) + + def check(self, prior_role, implied_role): + """Check if an inference rule exists. + + Valid HTTP return codes: + + * 204: The rule inference exists + * 404: A role cannot be found + + :param prior_role: the role which implies ``implied_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + :param implied_role: the role which is implied by ``prior_role``. + :type role: str or :class:`keystoneclient.v3.roles.Role` + + :returns: response object with 204 status returned from server. + :rtype: :class:`requests.models.Response` + + """ + url_tail = self._implied_role_url_tail(prior_role, implied_role) + return self._head("/roles" + url_tail) + + def list_inference_roles(self): + """List all rule inferences. + + Valid HTTP return codes: + + * 200: All inference rules are returned + + :param kwargs: attributes provided will be passed to the server. + + :returns: a list of inference rules. + :rtype: list of :class:`keystoneclient.v3.roles.InferenceRule` + + """ + return super(InferenceRuleManager, self).list() + + def update(self, **kwargs): + raise exceptions.MethodNotImplemented( + _('Update not supported for rule inferences')) + + def find(self, **kwargs): + raise exceptions.MethodNotImplemented( + _('Find not supported for rule inferences')) + + def put(self, **kwargs): + raise exceptions.MethodNotImplemented( + _('Put not supported for rule inferences')) diff --git a/keystoneclient/v3/services.py b/keystoneclient/v3/services.py index e0fd2c876..631940e80 100644 --- a/keystoneclient/v3/services.py +++ b/keystoneclient/v3/services.py @@ -15,7 +15,6 @@ # under the License. from keystoneclient import base -from keystoneclient import utils class Service(base.Resource): @@ -23,44 +22,114 @@ class Service(base.Resource): Attributes: * id: a uuid that identifies the service - * name: user-facing name of the service (e.g. Keystone) - * type: 'compute', 'identity', etc + * name: the user-facing name of the service (e.g. Keystone) + * description: a description of the service + * type: the type of the service (e.g. 'compute', 'identity') * enabled: determines whether the service appears in the catalog """ + pass class ServiceManager(base.CrudManager): """Manager class for manipulating Identity services.""" + resource_class = Service collection_key = 'services' key = 'service' - @utils.positional(1, enforcement=utils.positional.WARN) - def create(self, name, type, enabled=True, description=None, **kwargs): + def create(self, name, type=None, + enabled=True, description=None, **kwargs): + """Create a service. + + :param str name: the name of the service. + :param str type: the type of the service. + :param bool enabled: whether the service appears in the catalog. + :param str description: the description of the service. + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created service returned from server. + :rtype: :class:`keystoneclient.v3.services.Service` + + """ + type_arg = type or kwargs.pop('service_type', None) return super(ServiceManager, self).create( name=name, - type=type, + type=type_arg, description=description, enabled=enabled, **kwargs) def get(self, service): + """Retrieve a service. + + :param service: the service to be retrieved from the server. + :type service: str or :class:`keystoneclient.v3.services.Service` + + :returns: the specified service returned from server. + :rtype: :class:`keystoneclient.v3.services.Service` + + """ return super(ServiceManager, self).get( service_id=base.getid(service)) - @utils.positional(enforcement=utils.positional.WARN) + def list(self, name=None, type=None, **kwargs): + """List services. + + :param str name: the name of the services to be filtered on. + :param str type: the type of the services to be filtered on. + :param kwargs: any other attribute provided will filter services on. + + :returns: a list of services. + :rtype: list of :class:`keystoneclient.v3.services.Service` + + """ + type_arg = type or kwargs.pop('service_type', None) + return super(ServiceManager, self).list( + name=name, + type=type_arg, + **kwargs) + def update(self, service, name=None, type=None, enabled=None, description=None, **kwargs): + """Update a service. + + :param service: the service to be updated on the server. + :type service: str or :class:`keystoneclient.v3.services.Service` + :param str name: the new name of the service. + :param str type: the new type of the service. + :param bool enabled: whether the service appears in the catalog. + :param str description: the new description of the service. + :param kwargs: any other attribute provided will be passed to server. + + :returns: the updated service returned from server. + :rtype: :class:`keystoneclient.v3.services.Service` + + """ + type_arg = type or kwargs.pop('service_type', None) return super(ServiceManager, self).update( service_id=base.getid(service), name=name, - type=type, + type=type_arg, description=description, enabled=enabled, **kwargs) - def delete(self, service): + def delete(self, service=None, id=None): + """Delete a service. + + :param service: the service to be deleted on the server. + :type service: str or :class:`keystoneclient.v3.services.Service` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ + if service: + service_id = base.getid(service) + else: + service_id = id return super(ServiceManager, self).delete( - service_id=base.getid(service)) + service_id=service_id) diff --git a/keystoneclient/openstack/common/__init__.py b/keystoneclient/v3/system.py similarity index 69% rename from keystoneclient/openstack/common/__init__.py rename to keystoneclient/v3/system.py index d1223eaf7..8d3edafdd 100644 --- a/keystoneclient/openstack/common/__init__.py +++ b/keystoneclient/v3/system.py @@ -1,3 +1,5 @@ +# Copyright 2021 OpenStack Foundation +# All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain @@ -11,7 +13,14 @@ # License for the specific language governing permissions and limitations # under the License. -import six +from keystoneclient import base -six.add_move(six.MovedModule('mox', 'mox', 'mox3.mox')) +class System(base.Resource): + """Represents the deployment system, with all the services in it. + + Attributes: + * all: boolean + """ + + pass diff --git a/keystoneclient/v3/tokens.py b/keystoneclient/v3/tokens.py index 85735bfc2..7e0cb07a8 100644 --- a/keystoneclient/v3/tokens.py +++ b/keystoneclient/v3/tokens.py @@ -14,6 +14,13 @@ from keystoneclient import base +def _calc_id(token): + if isinstance(token, access.AccessInfo): + return token.auth_token + + return base.getid(token) + + class TokenManager(object): """Manager class for manipulating Identity tokens.""" @@ -23,14 +30,92 @@ def __init__(self, client): def revoke_token(self, token): """Revoke a token. - :param token: Token to be revoked. This can be an instance of - :py:class:`keystoneclient.access.AccessInfo` or a string - token_id. - """ + :param token: The token to be revoked. + :type token: str or :class:`keystoneclient.access.AccessInfo` - if isinstance(token, access.AccessInfo): - token_id = token.auth_token - else: - token_id = base.getid(token) + """ + token_id = _calc_id(token) headers = {'X-Subject-Token': token_id} return self._client.delete('/auth/tokens', headers=headers) + + def get_revoked(self, audit_id_only=False): + """Get revoked tokens list. + + :param bool audit_id_only: If true, the server is requested to not send + token IDs, but only audit IDs instead. + **New in version 2.2.0.** + :returns: A dict containing ``signed`` which is a CMS formatted string + if the server signed the response. If `audit_id_only` is true + then the response may be a dict containing ``revoked`` which + is the list of token audit IDs and expiration times. + :rtype: dict + + """ + path = '/auth/tokens/OS-PKI/revoked' + if audit_id_only: + path += '?audit_id_only' + resp, body = self._client.get(path) + return body + + def get_token_data(self, token, include_catalog=True, allow_expired=False, + access_rules_support=None): + """Fetch the data about a token from the identity server. + + :param str token: The ID of the token to be fetched. + :param bool include_catalog: Whether the service catalog should be + included in the response. + :param allow_expired: If True the token will be validated and returned + if it has already expired. + :param access_rules_support: Version number indicating that the client + is capable of enforcing keystone + access rules, if unset this client + does not support access rules. + :type access_rules_support: float + + :rtype: dict + + """ + headers = {'X-Subject-Token': token} + if access_rules_support: + headers['OpenStack-Identity-Access-Rules'] = access_rules_support + flags = [] + + url = '/auth/tokens' + + if not include_catalog: + flags.append('nocatalog') + if allow_expired: + flags.append('allow_expired=1') + + if flags: + url = '%s?%s' % (url, '&'.join(flags)) + + resp, body = self._client.get(url, headers=headers) + return body + + def validate(self, token, include_catalog=True, allow_expired=False, + access_rules_support=None): + """Validate a token. + + :param token: The token to be validated. + :type token: str or :class:`keystoneclient.access.AccessInfo` + :param include_catalog: If False, the response is requested to not + include the catalog. + :param allow_expired: If True the token will be validated and returned + if it has already expired. + :type allow_expired: bool + :param access_rules_support: Version number indicating that the client + is capable of enforcing keystone + access rules, if unset this client + does not support access rules. + :type access_rules_support: float + + :rtype: :class:`keystoneclient.access.AccessInfoV3` + + """ + token_id = _calc_id(token) + body = self.get_token_data(token_id, + include_catalog=include_catalog, + allow_expired=allow_expired, + access_rules_support=access_rules_support) + return access.AccessInfo.factory(auth_token=token_id, body=body) diff --git a/keystoneclient/v3/users.py b/keystoneclient/v3/users.py index 140c785cb..90cd51c45 100644 --- a/keystoneclient/v3/users.py +++ b/keystoneclient/v3/users.py @@ -14,13 +14,11 @@ # License for the specific language governing permissions and limitations # under the License. -import logging +from debtcollector import renames from keystoneclient import base from keystoneclient import exceptions -from keystoneclient import utils - -LOG = logging.getLogger(__name__) +from keystoneclient.i18n import _ class User(base.Resource): @@ -30,36 +28,57 @@ class User(base.Resource): * id: a uuid that identifies the user """ + pass class UserManager(base.CrudManager): """Manager class for manipulating Identity users.""" + resource_class = User collection_key = 'users' key = 'user' def _require_user_and_group(self, user, group): if not (user and group): - msg = 'Specify both a user and a group' + msg = _('Specify both a user and a group') raise exceptions.ValidationError(msg) - @utils.positional(1, enforcement=utils.positional.WARN) + @renames.renamed_kwarg('project', 'default_project', version='1.7.0', + removal_version='2.0.0') def create(self, name, domain=None, project=None, password=None, email=None, description=None, enabled=True, default_project=None, **kwargs): """Create a user. + :param str name: the name of the user. + :param domain: the domain of the user. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param project: the default project of the user. + (deprecated, see warning below) + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param str password: the password for the user. + :param str email: the email address of the user. + :param str description: a description of the user. + :param bool enabled: whether the user is enabled. + :param default_project: the default project of the user. + :type default_project: str or + :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will be passed to the + server. + + :returns: the created user returned from server. + :rtype: :class:`keystoneclient.v3.users.User` + .. warning:: - The project argument is deprecated, use default_project instead. + The project argument is deprecated as of the 1.7.0 release in favor + of default_project and may be removed in the 2.0.0 release. + + If both default_project and project is provided, the default_project + will be used. - If both default_project and project is provided, the default_project - will be used. """ - if project: - LOG.warning("The project argument is deprecated, " - "use default_project instead.") default_project_id = base.getid(default_project) or base.getid(project) user_data = base.filter_none(name=name, domain_id=base.getid(domain), @@ -70,30 +89,40 @@ def create(self, name, domain=None, project=None, password=None, enabled=enabled, **kwargs) - return self._create('/users', {'user': user_data}, 'user', - log=not bool(password)) + return self._post('/users', {'user': user_data}, 'user', + log=not bool(password)) - @utils.positional(enforcement=utils.positional.WARN) + @renames.renamed_kwarg('project', 'default_project', version='1.7.0', + removal_version='2.0.0') def list(self, project=None, domain=None, group=None, default_project=None, **kwargs): """List users. - If project, domain or group are provided, then filter - users with those attributes. - - If ``**kwargs`` are provided, then filter users with - attributes matching ``**kwargs``. + :param project: the default project of the users to be filtered on. + (deprecated, see warning below) + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param domain: the domain of the users to be filtered on. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param group: the group in which the users are member of. + :type group: str or :class:`keystoneclient.v3.groups.Group` + :param default_project: the default project of the users to be filtered + on. + :type default_project: str or + :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will filter users on. + + :returns: a list of users. + :rtype: list of :class:`keystoneclient.v3.users.User`. .. warning:: - The project argument is deprecated, use default_project instead. + The project argument is deprecated as of the 1.7.0 release in favor + of default_project and may be removed in the 2.0.0 release. + + If both default_project and project is provided, the default_project + will be used. - If both default_project and project is provided, the default_project - will be used. """ - if project: - LOG.warning("The project argument is deprecated, " - "use default_project instead.") default_project_id = base.getid(default_project) or base.getid(project) if group: base_url = '/groups/%s' % base.getid(group) @@ -107,25 +136,54 @@ def list(self, project=None, domain=None, group=None, default_project=None, **kwargs) def get(self, user): + """Retrieve a user. + + :param user: the user to be retrieved from the server. + :type user: str or :class:`keystoneclient.v3.users.User` + + :returns: the specified user returned from server. + :rtype: :class:`keystoneclient.v3.users.User` + + """ return super(UserManager, self).get( user_id=base.getid(user)) - @utils.positional(enforcement=utils.positional.WARN) + @renames.renamed_kwarg('project', 'default_project', version='1.7.0', + removal_version='2.0.0') def update(self, user, name=None, domain=None, project=None, password=None, email=None, description=None, enabled=None, default_project=None, **kwargs): """Update a user. + :param user: the user to be updated on the server. + :type user: str or :class:`keystoneclient.v3.users.User` + :param str name: the new name of the user. + :param domain: the new domain of the user. + :type domain: str or :class:`keystoneclient.v3.domains.Domain` + :param project: the new default project of the user. + (deprecated, see warning below) + :type project: str or :class:`keystoneclient.v3.projects.Project` + :param str password: the new password of the user. + :param str email: the new email of the user. + :param str description: the newdescription of the user. + :param bool enabled: whether the user is enabled. + :param default_project: the new default project of the user. + :type default_project: str or + :class:`keystoneclient.v3.projects.Project` + :param kwargs: any other attribute provided will be passed to server. + + :returns: the updated user returned from server. + :rtype: :class:`keystoneclient.v3.users.User` + .. warning:: - The project argument is deprecated, use default_project instead. + The project argument is deprecated as of the 1.7.0 release in favor + of default_project and may be removed in the 2.0.0 release. + + If both default_project and project is provided, the default_project + will be used. - If both default_project and project is provided, the default_project - will be used. """ - if project: - LOG.warning("The project argument is deprecated, " - "use default_project instead.") default_project_id = base.getid(default_project) or base.getid(project) user_data = base.filter_none(name=name, domain_id=base.getid(domain), @@ -143,24 +201,42 @@ def update(self, user, name=None, domain=None, project=None, password=None, log=False) def update_password(self, old_password, new_password): - """Update the password for the user the token belongs to.""" + """Update the password for the user the token belongs to. + + :param str old_password: the user's old password + :param str new_password: the user's new password + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ if not (old_password and new_password): - msg = 'Specify both the current password and a new password' + msg = _('Specify both the current password and a new password') raise exceptions.ValidationError(msg) if old_password == new_password: - msg = 'Old password and new password must be different.' + msg = _('Old password and new password must be different.') raise exceptions.ValidationError(msg) params = {'user': {'password': new_password, 'original_password': old_password}} - base_url = '/users/%s/password' % self.api.user_id + base_url = '/users/%s/password' % self.client.user_id - return self._update(base_url, params, method='POST', management=False, - log=False) + return self._update(base_url, params, method='POST', log=False) def add_to_group(self, user, group): + """Add the specified user as a member of the specified group. + + :param user: the user to be added to the group. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: the group to put the user in. + :type group: str or :class:`keystoneclient.v3.groups.Group` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ self._require_user_and_group(user, group) base_url = '/groups/%s' % base.getid(group) @@ -169,6 +245,17 @@ def add_to_group(self, user, group): user_id=base.getid(user)) def check_in_group(self, user, group): + """Check if the specified user is a member of the specified group. + + :param user: the user to be verified in the group. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: the group to check the user in. + :type group: str or :class:`keystoneclient.v3.groups.Group` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ self._require_user_and_group(user, group) base_url = '/groups/%s' % base.getid(group) @@ -177,6 +264,17 @@ def check_in_group(self, user, group): user_id=base.getid(user)) def remove_from_group(self, user, group): + """Remove the specified user from the specified group. + + :param user: the user to be removed from the group. + :type user: str or :class:`keystoneclient.v3.users.User` + :param group: the group to remove the user from. + :type group: str or :class:`keystoneclient.v3.groups.Group` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ self._require_user_and_group(user, group) base_url = '/groups/%s' % base.getid(group) @@ -185,5 +283,14 @@ def remove_from_group(self, user, group): user_id=base.getid(user)) def delete(self, user): + """Delete a user. + + :param user: the user to be deleted on the server. + :type user: str or :class:`keystoneclient.v3.users.User` + + :returns: Response object with 204 status. + :rtype: :class:`requests.models.Response` + + """ return super(UserManager, self).delete( user_id=base.getid(user)) diff --git a/openstack-common.conf b/openstack-common.conf deleted file mode 100644 index 586aac37a..000000000 --- a/openstack-common.conf +++ /dev/null @@ -1,12 +0,0 @@ -[DEFAULT] - -# The list of modules to copy from oslo-incubator -module=apiclient -module=install_venv_common -module=jsonutils -module=memorycache -module=strutils -module=timeutils - -# The base module to hold the copy of openstack.common -base=keystoneclient diff --git a/playbooks/run-ds-tox.yaml b/playbooks/run-ds-tox.yaml new file mode 100644 index 000000000..b414b747c --- /dev/null +++ b/playbooks/run-ds-tox.yaml @@ -0,0 +1,5 @@ +- hosts: all + roles: + - run-devstack + - ensure-tox + - tox diff --git a/playbooks/tox-post.yaml b/playbooks/tox-post.yaml new file mode 100644 index 000000000..7f0cb1982 --- /dev/null +++ b/playbooks/tox-post.yaml @@ -0,0 +1,4 @@ +- hosts: all + roles: + - fetch-tox-output + - fetch-subunit-output diff --git a/keystoneclient/tests/generic/__init__.py b/releasenotes/notes/.placeholder similarity index 100% rename from keystoneclient/tests/generic/__init__.py rename to releasenotes/notes/.placeholder diff --git a/releasenotes/notes/Add-allow-expired-flag-to-validate-25b8914f4deb359b.yaml b/releasenotes/notes/Add-allow-expired-flag-to-validate-25b8914f4deb359b.yaml new file mode 100644 index 000000000..6a3f6cadd --- /dev/null +++ b/releasenotes/notes/Add-allow-expired-flag-to-validate-25b8914f4deb359b.yaml @@ -0,0 +1,5 @@ +--- +features: + - Added a ``allow_expired`` argument to ``validate`` and ``get_token_data`` + in `keystoneclient.v3.tokens`. Setting this to ``True``, allos for a token + validation query to fetch expired tokens. diff --git a/releasenotes/notes/add-support-for-limits-6f883d6d3054a500.yaml b/releasenotes/notes/add-support-for-limits-6f883d6d3054a500.yaml new file mode 100644 index 000000000..623d96de2 --- /dev/null +++ b/releasenotes/notes/add-support-for-limits-6f883d6d3054a500.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Added support for managing project-specific limits. The ``POST`` API for + limits in keystone supports batch creation, but the client implementation + does not. Creation for limits using the client must be done one at a time. diff --git a/releasenotes/notes/add-support-for-registered-limits-d83b888ea65a614b.yaml b/releasenotes/notes/add-support-for-registered-limits-d83b888ea65a614b.yaml new file mode 100644 index 000000000..114d95bce --- /dev/null +++ b/releasenotes/notes/add-support-for-registered-limits-d83b888ea65a614b.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Added support for managing registered limits. The ``POST`` API for + registered limits in keystone supports batch creation, but the client + implementation does not. Creation of registered limits using the client + must be done one at a time. diff --git a/releasenotes/notes/bp-application-credentials-27728ded876d7d5a.yaml b/releasenotes/notes/bp-application-credentials-27728ded876d7d5a.yaml new file mode 100644 index 000000000..c67357c49 --- /dev/null +++ b/releasenotes/notes/bp-application-credentials-27728ded876d7d5a.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Adds support for creating, reading, and deleting application credentials. + With application credentials, a user can grant their applications limited + access to their cloud resources. Applications can use keystoneauth with + the `v3applicationcredential` auth plugin to authenticate with keystone + without needing the user's password. diff --git a/releasenotes/notes/bp-domain-config-9566e672a98f4e7f.yaml b/releasenotes/notes/bp-domain-config-9566e672a98f4e7f.yaml new file mode 100644 index 000000000..e6ae2b08d --- /dev/null +++ b/releasenotes/notes/bp-domain-config-9566e672a98f4e7f.yaml @@ -0,0 +1,7 @@ +--- +features: + - Added support for ``domain configs``. A user can now + upload domain specific configurations to keytone + using the client. See ``client.domain_configs.create``, + ``client.domain_configs.delete``, ``client.domain_configs.get`` + and ``client.domain_configs.update``. diff --git a/releasenotes/notes/bp-pci-dss-query-password-expired-users-b0c4b1bbdcf33f16.yaml b/releasenotes/notes/bp-pci-dss-query-password-expired-users-b0c4b1bbdcf33f16.yaml new file mode 100644 index 000000000..2699a7f5b --- /dev/null +++ b/releasenotes/notes/bp-pci-dss-query-password-expired-users-b0c4b1bbdcf33f16.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Added ability to filter on multiple values with the same parameter key. + For example, we can now filter on user names that contain both ``test`` and + ``user`` using ``keystone.users.list(name__contains=['test', 'user'])``. diff --git a/releasenotes/notes/bp-whitelist-extension-for-app-creds-d03526e52e3edcce.yaml b/releasenotes/notes/bp-whitelist-extension-for-app-creds-d03526e52e3edcce.yaml new file mode 100644 index 000000000..9c7dc2bf1 --- /dev/null +++ b/releasenotes/notes/bp-whitelist-extension-for-app-creds-d03526e52e3edcce.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds support for creating access rules as an attribute of application + credentials as well as for retrieving and deleting them. diff --git a/releasenotes/notes/bug-1615076-26962c85aeaf288c.yaml b/releasenotes/notes/bug-1615076-26962c85aeaf288c.yaml new file mode 100644 index 000000000..6af51e4f1 --- /dev/null +++ b/releasenotes/notes/bug-1615076-26962c85aeaf288c.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - | + The region resource in Keystone never support or contain "enabled" property. + Thus the property is deprecated and will be removed in future versions. diff --git a/releasenotes/notes/bug-1616105-cc8b85eb056e99e2.yaml b/releasenotes/notes/bug-1616105-cc8b85eb056e99e2.yaml new file mode 100644 index 000000000..e9c1c9c3d --- /dev/null +++ b/releasenotes/notes/bug-1616105-cc8b85eb056e99e2.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - > + [`bug 1616105 `_] + Only log the response body when the ``Content-Type`` header is set to + ``application/json``. This avoids logging large binary objects (such as + images). Other ``Content-Type`` will not be logged. Additional + ``Content-Type`` strings can be added as required. diff --git a/releasenotes/notes/bug-1641674-4862454115265e76.yaml b/releasenotes/notes/bug-1641674-4862454115265e76.yaml new file mode 100644 index 000000000..19c8ecc34 --- /dev/null +++ b/releasenotes/notes/bug-1641674-4862454115265e76.yaml @@ -0,0 +1,8 @@ +--- +prelude: > + Keystone Client now supports endpoint group filtering. +features: + - | + Support for handling the relationship between endpoint groups and projects + has been added. It is now possible to list, associate, check and + disassociate endpoint groups that have access to a project. diff --git a/releasenotes/notes/bug-1654847-d2e9df994c7b617f.yaml b/releasenotes/notes/bug-1654847-d2e9df994c7b617f.yaml new file mode 100644 index 000000000..5d066e906 --- /dev/null +++ b/releasenotes/notes/bug-1654847-d2e9df994c7b617f.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + The ``X-Service-Token`` header value is now properly masked, and is + displayed as a hash value, in the log. diff --git a/releasenotes/notes/deprecated_auth-d2a2bf537bdb88d3.yaml b/releasenotes/notes/deprecated_auth-d2a2bf537bdb88d3.yaml new file mode 100644 index 000000000..fd08a910b --- /dev/null +++ b/releasenotes/notes/deprecated_auth-d2a2bf537bdb88d3.yaml @@ -0,0 +1,12 @@ +--- +deprecations: + - > + [`blueprint deprecate-to-ksa `_] + Several modules related to authentication in keystoneclient have been + deprecated in favor of [`keystoneauth `_] + These modules include: ``keystoneclient.session``, ``keystoneclient.adapter``, + ``keystoneclient.httpclient``, ``keystoneclient.auth.base``, + ``keystoneclient.auth.cli``, ``keystoneclient.auth.conf``, + ``keystoneclient.auth.identity.base``, and ``keystoneclient.auth.token_endpoint``. + Tips for migrating to `keystoneauth` have been + [`documented `_]. diff --git a/releasenotes/notes/drop-py-2-7-5ac18e82de83fcfa.yaml b/releasenotes/notes/drop-py-2-7-5ac18e82de83fcfa.yaml new file mode 100644 index 000000000..b97748489 --- /dev/null +++ b/releasenotes/notes/drop-py-2-7-5ac18e82de83fcfa.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + Python 2.7 support has been dropped. Last release of python-keystoneclient + to support python 2.7 is OpenStack Train. The minimum version of Python now + supported is Python 3.6. \ No newline at end of file diff --git a/releasenotes/notes/drop-python-3-6-and-3-7-ef1e107897dde8f4.yaml b/releasenotes/notes/drop-python-3-6-and-3-7-ef1e107897dde8f4.yaml new file mode 100644 index 000000000..db420d739 --- /dev/null +++ b/releasenotes/notes/drop-python-3-6-and-3-7-ef1e107897dde8f4.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Python 3.6 & 3.7 support has been dropped. The minimum version of Python now + supported is Python 3.8. diff --git a/releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml b/releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml new file mode 100644 index 000000000..e00ccae18 --- /dev/null +++ b/releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml @@ -0,0 +1,3 @@ +--- +features: + - support for implied roles in v3 API. diff --git a/releasenotes/notes/ksc_2.1.0-739ded9c4c3f8aaa.yaml b/releasenotes/notes/ksc_2.1.0-739ded9c4c3f8aaa.yaml new file mode 100644 index 000000000..e95c939be --- /dev/null +++ b/releasenotes/notes/ksc_2.1.0-739ded9c4c3f8aaa.yaml @@ -0,0 +1,17 @@ +--- +fixes: + - > + [`bug 1462694 `_] + Add support for `include_subtree` in list_role_assignments. + - > + [`bug 1526686 `_] + Replace textwrap with faster code in cms functions. + - > + [`bug 1457702 `_] + Change default endpoint to public for keystone v3. + - > + [`bug 1520244 `_] + Support `truncated` flag returned from server. +other: + - > + Support v2 parameters for the v3 service create method. diff --git a/releasenotes/notes/list_projects_filtered_by_the_parent_project-a873974f197c1e37.yaml b/releasenotes/notes/list_projects_filtered_by_the_parent_project-a873974f197c1e37.yaml new file mode 100644 index 000000000..988dca5e3 --- /dev/null +++ b/releasenotes/notes/list_projects_filtered_by_the_parent_project-a873974f197c1e37.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Now keystone client supports to list projects which belongs to the given + parent project. diff --git a/releasenotes/notes/list_role_assignment_names-7e1b7eb8c2d22d7c.yaml b/releasenotes/notes/list_role_assignment_names-7e1b7eb8c2d22d7c.yaml new file mode 100644 index 000000000..499306a4a --- /dev/null +++ b/releasenotes/notes/list_role_assignment_names-7e1b7eb8c2d22d7c.yaml @@ -0,0 +1,6 @@ +--- +features: + - > + [`bug 1479569 `_] + With the ``include_names`` parameter set to True the names of the role assignments + are returned with the entities IDs. (GET /role_assignments?include_names=True) diff --git a/releasenotes/notes/project-tags-1f8a32d389951e7a.yaml b/releasenotes/notes/project-tags-1f8a32d389951e7a.yaml new file mode 100644 index 000000000..c0c868cbe --- /dev/null +++ b/releasenotes/notes/project-tags-1f8a32d389951e7a.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + [`blueprint project-tags `_] + The keystoneclient now supports project tags feature in keystone. This + allows operators to use the client to associate tags to a project, + retrieve tags associated with a project, delete tags associated with a + project, and filter projects based on tags. diff --git a/releasenotes/notes/remove-credentials-data-46ab3c3c248047cf.yaml b/releasenotes/notes/remove-credentials-data-46ab3c3c248047cf.yaml new file mode 100644 index 000000000..01ebe3e10 --- /dev/null +++ b/releasenotes/notes/remove-credentials-data-46ab3c3c248047cf.yaml @@ -0,0 +1,8 @@ +--- +prelude: > + The ``data`` argument for creating and updating credentials has + been removed. +other: + - The ``data`` argument for creating and updating credentials was + deprecated in the 1.7.0 release. It has been replaced by the + ``blob`` argument. diff --git a/releasenotes/notes/remove-middleware-eef8c40117b465aa.yaml b/releasenotes/notes/remove-middleware-eef8c40117b465aa.yaml new file mode 100644 index 000000000..cd9859cca --- /dev/null +++ b/releasenotes/notes/remove-middleware-eef8c40117b465aa.yaml @@ -0,0 +1,10 @@ +--- +prelude: > + keystoneclient.middleware has been removed. +critical: + - > + [`bug 1449066 `_] + The `keystoneclient.middleware` module has been removed in favor of the + keystonemiddleware library. The aforementioned module has been deprecated + since keystoneclient v0.10.0 which was included in the Juno release + of OpenStack. diff --git a/releasenotes/notes/remove-py38-2e39854190447827.yaml b/releasenotes/notes/remove-py38-2e39854190447827.yaml new file mode 100644 index 000000000..040316360 --- /dev/null +++ b/releasenotes/notes/remove-py38-2e39854190447827.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Support for Python 3.8 has been removed. Now the minimum python version + supported is 3.9 . diff --git a/releasenotes/notes/remove-py39-a294c2d7335b646e.yaml b/releasenotes/notes/remove-py39-a294c2d7335b646e.yaml new file mode 100644 index 000000000..eaf3014b9 --- /dev/null +++ b/releasenotes/notes/remove-py39-a294c2d7335b646e.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Support for Python 3.9 has been removed. Now Python 3.10 is the minimum + version supported. diff --git a/releasenotes/notes/remove_apiclient_exceptions-0cd5c8d16aa09a22.yaml b/releasenotes/notes/remove_apiclient_exceptions-0cd5c8d16aa09a22.yaml new file mode 100644 index 000000000..24a25d7e3 --- /dev/null +++ b/releasenotes/notes/remove_apiclient_exceptions-0cd5c8d16aa09a22.yaml @@ -0,0 +1,5 @@ +--- +other: + - > + Removed `keystoneclient.apiclient.exceptions`. This file was deprecated + in v0.7.1 and has now been replaced by `keystoneclient.exceptions`. diff --git a/releasenotes/notes/remove_apiclient_exceptions-6580003a885db286.yaml b/releasenotes/notes/remove_apiclient_exceptions-6580003a885db286.yaml new file mode 100644 index 000000000..1fbe6b72b --- /dev/null +++ b/releasenotes/notes/remove_apiclient_exceptions-6580003a885db286.yaml @@ -0,0 +1,10 @@ +--- +prelude: > + keystoneclient.apiclient has been removed. +critical: + - > + [`bug 1526651 `_] + The `keystoneclient.apiclient` module has been removed in favor of + `keystoneclient.exceptions`. The aforementioned module has been deprecated + since keystoneclient v0.7.1 which was inclued in the Juno release + of OpenStack. diff --git a/releasenotes/notes/remove_cli-d2c4435ba6a09b79.yaml b/releasenotes/notes/remove_cli-d2c4435ba6a09b79.yaml new file mode 100644 index 000000000..c1428096c --- /dev/null +++ b/releasenotes/notes/remove_cli-d2c4435ba6a09b79.yaml @@ -0,0 +1,7 @@ +--- +prelude: > + The ``keystone`` CLI has been removed. +other: + - The ``keystone`` CLI has been removed, using the ``openstack`` + CLI is recommended. This feature has been deprecated since the + Liberty release of Keystone. diff --git a/releasenotes/notes/removed-generic-client-ff505b2b01bc9302.yaml b/releasenotes/notes/removed-generic-client-ff505b2b01bc9302.yaml new file mode 100644 index 000000000..61b9d17ac --- /dev/null +++ b/releasenotes/notes/removed-generic-client-ff505b2b01bc9302.yaml @@ -0,0 +1,6 @@ +--- +deprecations: + - Deprecate the `keystoneclient.generic` client. This client used to be able + to determine available API versions and some basics around installed + extensions however the APIs were never upgraded for the v3 API. It doesn't + seem to be used in the openstack ecosystem. diff --git a/releasenotes/notes/return-request-id-to-caller-97fa269ad626f8c1.yaml b/releasenotes/notes/return-request-id-to-caller-97fa269ad626f8c1.yaml new file mode 100644 index 000000000..8ef4701db --- /dev/null +++ b/releasenotes/notes/return-request-id-to-caller-97fa269ad626f8c1.yaml @@ -0,0 +1,13 @@ +--- +features: + - > + [`blueprint return-request-id-to-caller + `_] + Instantiating client with ``include_metadata=True`` will cause manager response to return data + along with request_ids for better tracing. Refer [`using-api-v3 + `_] + + + Added support to return "x-openstack-request-id" header in request_ids attribute if + ``include_metadata=True``. Also, for APIs which return response as None, client will return request_ids + as well if ``include_metadata`` is True. \ No newline at end of file diff --git a/releasenotes/notes/switch-default-interface-v3-dcd7167196ace531.yaml b/releasenotes/notes/switch-default-interface-v3-dcd7167196ace531.yaml new file mode 100644 index 000000000..90709c097 --- /dev/null +++ b/releasenotes/notes/switch-default-interface-v3-dcd7167196ace531.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + For sessions using the v3 Identity API, the default interface has been + switched from ``admin`` to ``public``. This allows deployments to get rid + of the admin endpoint, which functionally is no longer necessary with the + v3 API. diff --git a/releasenotes/source/2023.1.rst b/releasenotes/source/2023.1.rst new file mode 100644 index 000000000..2c9a36fae --- /dev/null +++ b/releasenotes/source/2023.1.rst @@ -0,0 +1,6 @@ +=========================== +2023.1 Series Release Notes +=========================== + +.. release-notes:: + :branch: unmaintained/2023.1 diff --git a/releasenotes/source/2023.2.rst b/releasenotes/source/2023.2.rst new file mode 100644 index 000000000..a4838d7d0 --- /dev/null +++ b/releasenotes/source/2023.2.rst @@ -0,0 +1,6 @@ +=========================== +2023.2 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2023.2 diff --git a/releasenotes/source/2024.1.rst b/releasenotes/source/2024.1.rst new file mode 100644 index 000000000..6896656be --- /dev/null +++ b/releasenotes/source/2024.1.rst @@ -0,0 +1,6 @@ +=========================== +2024.1 Series Release Notes +=========================== + +.. release-notes:: + :branch: unmaintained/2024.1 diff --git a/releasenotes/source/2024.2.rst b/releasenotes/source/2024.2.rst new file mode 100644 index 000000000..aaebcbc8c --- /dev/null +++ b/releasenotes/source/2024.2.rst @@ -0,0 +1,6 @@ +=========================== +2024.2 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2024.2 diff --git a/releasenotes/source/2025.1.rst b/releasenotes/source/2025.1.rst new file mode 100644 index 000000000..3add0e53a --- /dev/null +++ b/releasenotes/source/2025.1.rst @@ -0,0 +1,6 @@ +=========================== +2025.1 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2025.1 diff --git a/releasenotes/source/2026.1.rst b/releasenotes/source/2026.1.rst new file mode 100644 index 000000000..3d2861580 --- /dev/null +++ b/releasenotes/source/2026.1.rst @@ -0,0 +1,6 @@ +=========================== +2026.1 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2026.1 diff --git a/keystoneclient/tests/v2_0/__init__.py b/releasenotes/source/_static/.placeholder similarity index 100% rename from keystoneclient/tests/v2_0/__init__.py rename to releasenotes/source/_static/.placeholder diff --git a/keystoneclient/tests/v3/__init__.py b/releasenotes/source/_templates/.placeholder similarity index 100% rename from keystoneclient/tests/v3/__init__.py rename to releasenotes/source/_templates/.placeholder diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py new file mode 100644 index 000000000..f2ae6a44e --- /dev/null +++ b/releasenotes/source/conf.py @@ -0,0 +1,262 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# keystoneclient Release Notes documentation build configuration file, created +# by sphinx-quickstart on Tue Nov 3 17:40:50 2015. +# +# This file is execfile()d with the current directory set to its +# containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +# sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ------------------------------------------------ + +# If your documentation needs a minimal Sphinx version, state it here. +# needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom +# ones. +extensions = [ + 'openstackdocstheme', + 'reno.sphinxext', +] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix of source filenames. +source_suffix = '.rst' + +# The encoding of source files. +# source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. +copyright = '2015, Keystone Developers' + +# Release notes are version independent. +# The full version, including alpha/beta/rc tags. +release = '' +# The short X.Y version. +version = '' + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +# language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +# today = '' +# Else, today_fmt is used as the format for a strftime call. +# today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = [] + +# The reST default role (used for this markup: `text`) to use for all +# documents. +# default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +# add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +# add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +# show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'native' + +# A list of ignored prefixes for module index sorting. +# modindex_common_prefix = [] + +# If true, keep warnings as "system message" paragraphs in the built documents. +# keep_warnings = False + + +# -- Options for HTML output ---------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'openstackdocs' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +# html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +# html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# " v documentation". +# html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +# html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +# html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +# html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +html_static_path = ['_static'] + +# Add any extra paths that contain custom files (such as robots.txt or +# .htaccess) here, relative to this directory. These files are copied +# directly to the root of the documentation. +# html_extra_path = [] + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +# html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. +# html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +# html_additional_pages = {} + +# If false, no module index is generated. +# html_domain_indices = True + +# If false, no index is generated. +# html_use_index = True + +# If true, the index is split into individual pages for each letter. +# html_split_index = False + +# If true, links to the reST sources are added to the pages. +# html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +# html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +# html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +# html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +# html_file_suffix = None + +# Output file base name for HTML help builder. +htmlhelp_basename = 'KeystoneClientReleaseNotesdoc' + + +# -- Options for LaTeX output --------------------------------------------- + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, +# author, documentclass [howto, manual, or own class]). +latex_documents = [ + ('index', 'keystoneclientReleaseNotes.tex', + 'keystoneclient Release Notes Documentation', + 'Keystone Developers', 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +# latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +# latex_use_parts = False + +# If true, show page references after internal links. +# latex_show_pagerefs = False + +# If true, show URL addresses after external links. +# latex_show_urls = False + +# Documents to append as an appendix to all manuals. +# latex_appendices = [] + +# If false, no module index is generated. +# latex_domain_indices = True + + +# -- Options for manual page output --------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + ('index', 'keystoneclientreleasenotes', + 'keystoneclient Release Notes Documentation', + ['Keystone Developers'], 1) +] + +# If true, show URL addresses after external links. +# man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------- + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + ('index', 'keystoneclientReleaseNotes', + 'keystoneclient Release Notes Documentation', + 'Keystone Developers', 'keystoneclientReleaseNotes', + 'Python bindings for the OpenStack Identity service.', + 'Miscellaneous'), +] + +# Documents to append as an appendix to all manuals. +# texinfo_appendices = [] + +# If false, no module index is generated. +# texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +# texinfo_show_urls = 'footnote' + +# If true, do not generate a @detailmenu in the "Top" node's menu. +# texinfo_no_detailmenu = False + +# -- Options for Internationalization output ------------------------------ +locale_dirs = ['locale/'] + +# -- Options for openstackdocstheme ------------------------------------------- +openstackdocs_repo_name = 'openstack/python-keystoneclient' +openstackdocs_bug_project = 'python-keystoneclient' +openstackdocs_bug_tag = '' diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst new file mode 100644 index 000000000..8f0142a8f --- /dev/null +++ b/releasenotes/source/index.rst @@ -0,0 +1,28 @@ +============================== + keystoneclient Release Notes +============================== + +.. toctree:: + :maxdepth: 1 + + unreleased + 2026.1 + 2025.1 + 2024.2 + 2024.1 + 2023.2 + 2023.1 + zed + yoga + xena + wallaby + victoria + ussuri + train + stein + rocky + queens + pike + ocata + newton + mitaka diff --git a/releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po b/releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po new file mode 100644 index 000000000..aede2504e --- /dev/null +++ b/releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po @@ -0,0 +1,57 @@ +# Gérald LONLAS , 2016. #zanata +msgid "" +msgstr "" +"Project-Id-Version: keystoneclient Release Notes 3.12.1\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2017-07-24 15:13+0000\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"PO-Revision-Date: 2016-10-22 06:08+0000\n" +"Last-Translator: Gérald LONLAS \n" +"Language-Team: French\n" +"Language: fr\n" +"X-Generator: Zanata 3.9.6\n" +"Plural-Forms: nplurals=2; plural=(n > 1)\n" + +msgid "2.1.0" +msgstr "2.1.0" + +msgid "2.2.0" +msgstr "2.2.0" + +msgid "2.3.0" +msgstr "2.3.0" + +msgid "3.0.0" +msgstr "3.0.0" + +msgid "3.6.0" +msgstr "3.6.0" + +msgid "Bug Fixes" +msgstr "Corrections de bugs" + +msgid "Critical Issues" +msgstr "Erreurs critiques" + +msgid "Current Series Release Notes" +msgstr "Note de la release actuelle" + +msgid "Deprecation Notes" +msgstr "Notes dépréciées " + +msgid "Mitaka Series Release Notes" +msgstr "Note de release pour Mitaka" + +msgid "New Features" +msgstr "Nouvelles fonctionnalités" + +msgid "Newton Series Release Notes" +msgstr "Note de release pour Newton" + +msgid "Other Notes" +msgstr "Autres notes" + +msgid "keystoneclient Release Notes" +msgstr "Note de release pour keystoneclient" diff --git a/releasenotes/source/mitaka.rst b/releasenotes/source/mitaka.rst new file mode 100644 index 000000000..e54560965 --- /dev/null +++ b/releasenotes/source/mitaka.rst @@ -0,0 +1,6 @@ +=================================== + Mitaka Series Release Notes +=================================== + +.. release-notes:: + :branch: origin/stable/mitaka diff --git a/releasenotes/source/newton.rst b/releasenotes/source/newton.rst new file mode 100644 index 000000000..7b7d7352b --- /dev/null +++ b/releasenotes/source/newton.rst @@ -0,0 +1,6 @@ +============================= + Newton Series Release Notes +============================= + +.. release-notes:: + :branch: origin/stable/newton diff --git a/releasenotes/source/ocata.rst b/releasenotes/source/ocata.rst new file mode 100644 index 000000000..9515f6cf0 --- /dev/null +++ b/releasenotes/source/ocata.rst @@ -0,0 +1,6 @@ +============================ + Ocata Series Release Notes +============================ + +.. release-notes:: + :branch: origin/stable/ocata diff --git a/releasenotes/source/pike.rst b/releasenotes/source/pike.rst new file mode 100644 index 000000000..e43bfc0ce --- /dev/null +++ b/releasenotes/source/pike.rst @@ -0,0 +1,6 @@ +=================================== + Pike Series Release Notes +=================================== + +.. release-notes:: + :branch: stable/pike diff --git a/releasenotes/source/queens.rst b/releasenotes/source/queens.rst new file mode 100644 index 000000000..36ac6160c --- /dev/null +++ b/releasenotes/source/queens.rst @@ -0,0 +1,6 @@ +=================================== + Queens Series Release Notes +=================================== + +.. release-notes:: + :branch: stable/queens diff --git a/releasenotes/source/rocky.rst b/releasenotes/source/rocky.rst new file mode 100644 index 000000000..40dd517b7 --- /dev/null +++ b/releasenotes/source/rocky.rst @@ -0,0 +1,6 @@ +=================================== + Rocky Series Release Notes +=================================== + +.. release-notes:: + :branch: stable/rocky diff --git a/releasenotes/source/stein.rst b/releasenotes/source/stein.rst new file mode 100644 index 000000000..efaceb667 --- /dev/null +++ b/releasenotes/source/stein.rst @@ -0,0 +1,6 @@ +=================================== + Stein Series Release Notes +=================================== + +.. release-notes:: + :branch: stable/stein diff --git a/releasenotes/source/train.rst b/releasenotes/source/train.rst new file mode 100644 index 000000000..7fa1088ac --- /dev/null +++ b/releasenotes/source/train.rst @@ -0,0 +1,6 @@ +=================================== + Train Series Release Notes +=================================== + +.. release-notes:: + :branch: stable/train diff --git a/releasenotes/source/unreleased.rst b/releasenotes/source/unreleased.rst new file mode 100644 index 000000000..cd22aabcc --- /dev/null +++ b/releasenotes/source/unreleased.rst @@ -0,0 +1,5 @@ +============================== + Current Series Release Notes +============================== + +.. release-notes:: diff --git a/releasenotes/source/ussuri.rst b/releasenotes/source/ussuri.rst new file mode 100644 index 000000000..e21e50e0c --- /dev/null +++ b/releasenotes/source/ussuri.rst @@ -0,0 +1,6 @@ +=========================== +Ussuri Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/ussuri diff --git a/releasenotes/source/victoria.rst b/releasenotes/source/victoria.rst new file mode 100644 index 000000000..8ce933419 --- /dev/null +++ b/releasenotes/source/victoria.rst @@ -0,0 +1,6 @@ +============================= +Victoria Series Release Notes +============================= + +.. release-notes:: + :branch: unmaintained/victoria diff --git a/releasenotes/source/wallaby.rst b/releasenotes/source/wallaby.rst new file mode 100644 index 000000000..bcf35c5f8 --- /dev/null +++ b/releasenotes/source/wallaby.rst @@ -0,0 +1,6 @@ +============================ +Wallaby Series Release Notes +============================ + +.. release-notes:: + :branch: unmaintained/wallaby diff --git a/releasenotes/source/xena.rst b/releasenotes/source/xena.rst new file mode 100644 index 000000000..d19eda488 --- /dev/null +++ b/releasenotes/source/xena.rst @@ -0,0 +1,6 @@ +========================= +Xena Series Release Notes +========================= + +.. release-notes:: + :branch: unmaintained/xena diff --git a/releasenotes/source/yoga.rst b/releasenotes/source/yoga.rst new file mode 100644 index 000000000..43cafdea8 --- /dev/null +++ b/releasenotes/source/yoga.rst @@ -0,0 +1,6 @@ +========================= +Yoga Series Release Notes +========================= + +.. release-notes:: + :branch: unmaintained/yoga diff --git a/releasenotes/source/zed.rst b/releasenotes/source/zed.rst new file mode 100644 index 000000000..6cc2b1554 --- /dev/null +++ b/releasenotes/source/zed.rst @@ -0,0 +1,6 @@ +======================== +Zed Series Release Notes +======================== + +.. release-notes:: + :branch: unmaintained/zed diff --git a/requirements.txt b/requirements.txt index 18fd2d0aa..1b69b9833 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,11 +1,14 @@ -pbr>=0.6,!=0.7,<1.0 +# Requirements lower bounds listed here are our best effort to keep them up to +# date but we do not test them so no guarantee of having them all correct. If +# you find any incorrect lower bounds, let us know or propose a fix. +pbr>=2.0.0 # Apache-2.0 -argparse -Babel>=1.3 -iso8601>=0.1.9 -netaddr>=0.7.6 -oslo.config>=1.4.0.0a3 -PrettyTable>=0.7,<0.8 -requests>=1.2.1 -six>=1.7.0 -stevedore>=0.14 +debtcollector>=1.2.0 # Apache-2.0 +keystoneauth1>=3.4.0 # Apache-2.0 +oslo.config>=5.2.0 # Apache-2.0 +oslo.i18n>=3.15.3 # Apache-2.0 +oslo.serialization>=2.18.0 # Apache-2.0 +oslo.utils>=3.33.0 # Apache-2.0 +requests>=2.14.2 # Apache-2.0 +stevedore>=1.20.0 # Apache-2.0 +packaging>=20.4 # BSD diff --git a/run_tests.sh b/run_tests.sh deleted file mode 100755 index ecfb32568..000000000 --- a/run_tests.sh +++ /dev/null @@ -1,187 +0,0 @@ -#!/bin/bash - -set -eu - -function usage { - echo "Usage: $0 [OPTION]..." - echo "Run python-keystoneclient test suite" - echo "" - echo " -V, --virtual-env Always use virtualenv. Install automatically if not present" - echo " -N, --no-virtual-env Don't use virtualenv. Run tests in local environment" - echo " -s, --no-site-packages Isolate the virtualenv from the global Python environment" - echo " -x, --stop Stop running tests after the first error or failure." - echo " -f, --force Force a clean re-build of the virtual environment. Useful when dependencies have been added." - echo " -u, --update Update the virtual environment with any newer package versions" - echo " -p, --pep8 Just run flake8" - echo " -P, --no-pep8 Don't run flake8" - echo " -c, --coverage Generate coverage report" - echo " -d, --debug Run tests with testtools instead of testr. This allows you to use the debugger." - echo " -h, --help Print this usage message" - echo " --hide-elapsed Don't print the elapsed time for each test along with slow test list" - echo "" - echo "Note: with no options specified, the script will try to run the tests in a virtual environment," - echo " If no virtualenv is found, the script will ask if you would like to create one. If you " - echo " prefer to run tests NOT in a virtual environment, simply pass the -N option." - exit -} - -function process_option { - case "$1" in - -h|--help) usage;; - -V|--virtual-env) always_venv=1; never_venv=0;; - -N|--no-virtual-env) always_venv=0; never_venv=1;; - -s|--no-site-packages) no_site_packages=1;; - -f|--force) force=1;; - -u|--update) update=1;; - -p|--pep8) just_flake8=1;; - -P|--no-pep8) no_flake8=1;; - -c|--coverage) coverage=1;; - -d|--debug) debug=1;; - -*) testropts="$testropts $1";; - *) testrargs="$testrargs $1" - esac -} - -venv=.venv -with_venv=tools/with_venv.sh -always_venv=0 -never_venv=0 -force=0 -no_site_packages=0 -installvenvopts= -testrargs= -testropts= -wrapper="" -just_flake8=0 -no_flake8=0 -coverage=0 -debug=0 -update=0 - -LANG=en_US.UTF-8 -LANGUAGE=en_US:en -LC_ALL=C -OS_STDOUT_NOCAPTURE=False -OS_STDERR_NOCAPTURE=False - -for arg in "$@"; do - process_option $arg -done - -if [ $no_site_packages -eq 1 ]; then - installvenvopts="--no-site-packages" -fi - - -function run_tests { - # Cleanup *.pyc - ${wrapper} find . -type f -name "*.pyc" -delete - - if [ $debug -eq 1 ]; then - if [ "$testropts" = "" ] && [ "$testrargs" = "" ]; then - # Default to running all tests if specific test is not - # provided. - testrargs="discover ./keystoneclient/tests" - fi - ${wrapper} python -m testtools.run $testropts $testrargs - - # Short circuit because all of the testr and coverage stuff - # below does not make sense when running testtools.run for - # debugging purposes. - return $? - fi - - if [ $coverage -eq 1 ]; then - TESTRTESTS="$TESTRTESTS --coverage" - else - TESTRTESTS="$TESTRTESTS" - fi - - # Just run the test suites in current environment - set +e - testrargs=`echo "$testrargs" | sed -e's/^\s*\(.*\)\s*$/\1/'` - TESTRTESTS="$TESTRTESTS --testr-args='$testropts $testrargs'" - echo "Running \`${wrapper} $TESTRTESTS\`" - bash -c "${wrapper} $TESTRTESTS" - RESULT=$? - set -e - - copy_subunit_log - - if [ $coverage -eq 1 ]; then - echo "Generating coverage report in covhtml/" - # Don't compute coverage for common code, which is tested elsewhere - ${wrapper} coverage combine - ${wrapper} coverage html -d covhtml -i - fi - - return $RESULT -} - -function copy_subunit_log { - LOGNAME=`cat .testrepository/next-stream` - LOGNAME=$(($LOGNAME - 1)) - LOGNAME=".testrepository/${LOGNAME}" - cp $LOGNAME subunit.log -} - -function run_flake8 { - echo "Running flake8 ..." - srcfiles="keystoneclient" - # Just run Flake8 in current environment - ${wrapper} flake8 ${srcfiles} -} - -TESTRTESTS="python setup.py testr" - -if [ $never_venv -eq 0 ] -then - # Remove the virtual environment if --force used - if [ $force -eq 1 ]; then - echo "Cleaning virtualenv..." - rm -rf ${venv} - fi - if [ $update -eq 1 ]; then - echo "Updating virtualenv..." - python tools/install_venv.py - fi - if [ -e ${venv} ]; then - wrapper="${with_venv}" - else - if [ $always_venv -eq 1 ]; then - # Automatically install the virtualenv - python tools/install_venv.py $installvenvopts - wrapper="${with_venv}" - else - echo -e "No virtual environment found...create one? (Y/n) \c" - read use_ve - if [ "x$use_ve" = "xY" -o "x$use_ve" = "x" -o "x$use_ve" = "xy" ]; then - # Install the virtualenv and run the test suite in it - python tools/install_venv.py $installvenvopts - wrapper=${with_venv} - fi - fi - fi -fi - -# Delete old coverage data from previous runs -if [ $coverage -eq 1 ]; then - ${wrapper} coverage erase -fi - -if [ $just_flake8 -eq 1 ]; then - run_flake8 - exit -fi - -run_tests - -# NOTE(sirp): we only want to run flake8 when we're running the full-test suite, -# not when we're running tests individually. To handle this, we need to -# distinguish between options (testropts), which begin with a '-', and -# arguments (testrargs). -if [ -z "$testrargs" ]; then - if [ $no_flake8 -eq 0 ]; then - run_flake8 - fi -fi diff --git a/setup.cfg b/setup.cfg index ec8042d63..037fe1c57 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,11 +1,12 @@ [metadata] name = python-keystoneclient summary = Client Library for OpenStack Identity -description-file = +description_file = README.rst author = OpenStack -author-email = openstack-dev@lists.openstack.org -home-page = http://www.openstack.org/ +author_email = openstack-discuss@lists.openstack.org +home_page = https://docs.openstack.org/python-keystoneclient/latest/ +python_requires = >=3.10 classifier = Environment :: OpenStack Intended Audience :: Information Technology @@ -13,52 +14,25 @@ classifier = License :: OSI Approved :: Apache Software License Operating System :: POSIX :: Linux Programming Language :: Python - Programming Language :: Python :: 2 - Programming Language :: Python :: 2.7 - Programming Language :: Python :: 2.6 Programming Language :: Python :: 3 - Programming Language :: Python :: 3.3 + Programming Language :: Python :: 3.10 + Programming Language :: Python :: 3.11 + Programming Language :: Python :: 3.12 [files] packages = keystoneclient [entry_points] -console_scripts = - keystone = keystoneclient.shell:main - keystoneclient.auth.plugin = + password = keystoneclient.auth.identity.generic:Password + token = keystoneclient.auth.identity.generic:Token + admin_token = keystoneclient.auth.token_endpoint:Token v2password = keystoneclient.auth.identity.v2:Password v2token = keystoneclient.auth.identity.v2:Token v3password = keystoneclient.auth.identity.v3:Password v3token = keystoneclient.auth.identity.v3:Token + v3oidcpassword = keystoneclient.contrib.auth.v3.oidc:OidcPassword v3unscopedsaml = keystoneclient.contrib.auth.v3.saml2:Saml2UnscopedToken v3scopedsaml = keystoneclient.contrib.auth.v3.saml2:Saml2ScopedToken - -[build_sphinx] -source-dir = doc/source -build-dir = doc/build -all_files = 1 - -[pbr] -warnerrors = True - -[upload_sphinx] -upload-dir = doc/build/html - -[compile_catalog] -directory = keystoneclient/locale -domain = keystoneclient - -[update_catalog] -domain = keystoneclient -output_dir = keystoneclient/locale -input_file = keystoneclient/locale/keystoneclient.pot - -[extract_messages] -keywords = _ gettext ngettext l_ lazy_gettext -mapping_file = babel.cfg -output_file = keystoneclient/locale/keystoneclient.pot - -[wheel] -universal = 1 + v3unscopedadfs = keystoneclient.contrib.auth.v3.saml2:ADFSUnscopedToken diff --git a/setup.py b/setup.py index 736375744..cd35c3c35 100644 --- a/setup.py +++ b/setup.py @@ -1,4 +1,3 @@ -#!/usr/bin/env python # Copyright (c) 2013 Hewlett-Packard Development Company, L.P. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -14,17 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT import setuptools -# In python < 2.7.4, a lazy loading of package `pbr` will break -# setuptools if some other modules registered functions in `atexit`. -# solution from: http://bugs.python.org/issue15881#msg170215 -try: - import multiprocessing # noqa -except ImportError: - pass - setuptools.setup( - setup_requires=['pbr'], + setup_requires=['pbr>=2.0.0'], pbr=True) diff --git a/test-requirements.txt b/test-requirements.txt index da16dae09..238690c65 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,18 +1,18 @@ -hacking>=0.8.0,<0.9 +hacking>=6.1.0,<6.2.0 # Apache-2.0 -coverage>=3.6 -discover -fixtures>=0.3.14 -keyring>=2.1,!=3.3 -lxml>=2.3 -mock>=1.0 -mox3>=0.7.0 -oauthlib>=0.6 -oslosphinx -pycrypto>=2.6 -requests-mock>=0.4.0 # Apache-2.0 -sphinx>=1.1.2,!=1.2.0,<1.3 -testrepository>=0.0.18 -testresources>=0.2.4 -testtools>=0.9.34 -WebOb>=1.2.3 +coverage>=4.0 # Apache-2.0 +fixtures>=3.0.0 # Apache-2.0/BSD +keyring>=5.5.1 # MIT/PSF +lxml>=4.5.0 # BSD +oauthlib>=0.6.2 # BSD +openstacksdk>=0.10.0 # Apache-2.0 +oslotest>=3.2.0 # Apache-2.0 +requests-mock>=1.2.0 # Apache-2.0 +tempest>=17.1.0 # Apache-2.0 +stestr>=2.0.0 # Apache-2.0 +testresources>=2.0.0 # Apache-2.0/BSD +testscenarios>=0.4 # Apache-2.0/BSD +testtools>=2.2.0 # MIT + +# Bandit security code scanner +bandit>=1.1.0 # Apache-2.0 diff --git a/tools/debug_helper.sh b/tools/debug_helper.sh deleted file mode 100755 index b80b10cf5..000000000 --- a/tools/debug_helper.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -TMP_DIR=`mktemp -d` || exit 1 -trap "rm -rf $TMP_DIR" EXIT - -ALL_TESTS=$TMP_DIR/all_tests -TESTS_TO_RUN=$TMP_DIR/ksc_to_run - -python -m testtools.run discover -t ./ ./keystoneclient/tests --list > $ALL_TESTS - -if [ "$1" ] -then - grep "$1" < $ALL_TESTS > $TESTS_TO_RUN -else - mv $ALL_TESTS $TESTS_TO_RUN -fi - -python -m testtools.run discover --load-list $TESTS_TO_RUN diff --git a/tools/install_venv.py b/tools/install_venv.py deleted file mode 100644 index 511e6dd74..000000000 --- a/tools/install_venv.py +++ /dev/null @@ -1,71 +0,0 @@ -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# All Rights Reserved. -# -# Copyright 2010 OpenStack Foundation -# Copyright 2013 IBM Corp. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -import sys - -import install_venv_common as install_venv # noqa - - -def print_help(venv, root): - help = """ - Openstack development environment setup is complete. - - Openstack development uses virtualenv to track and manage Python - dependencies while in development and testing. - - To activate the Openstack virtualenv for the extent of your current shell - session you can run: - - $ source %s/bin/activate - - Or, if you prefer, you can run commands in the virtualenv on a case by case - basis by running: - - $ %s/tools/with_venv.sh - - Also, make test will automatically use the virtualenv. - """ - print(help % (venv, root)) - - -def main(argv): - root = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) - - if os.environ.get('tools_path'): - root = os.environ['tools_path'] - venv = os.path.join(root, '.venv') - if os.environ.get('venv'): - venv = os.environ['venv'] - - pip_requires = os.path.join(root, 'requirements.txt') - test_requires = os.path.join(root, 'test-requirements.txt') - py_version = "python%s.%s" % (sys.version_info[0], sys.version_info[1]) - project = 'python-keystoneclient' - install = install_venv.InstallVenv(root, venv, pip_requires, test_requires, - py_version, project) - options = install.parse_args(argv) - install.check_python_version() - install.check_dependencies() - install.create_virtualenv(no_site_packages=options.no_site_packages) - install.install_dependencies() - print_help(venv, root) - -if __name__ == '__main__': - main(sys.argv) diff --git a/tools/install_venv_common.py b/tools/install_venv_common.py deleted file mode 100644 index e279159ab..000000000 --- a/tools/install_venv_common.py +++ /dev/null @@ -1,172 +0,0 @@ -# Copyright 2013 OpenStack Foundation -# Copyright 2013 IBM Corp. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -"""Provides methods needed by installation script for OpenStack development -virtual environments. - -Since this script is used to bootstrap a virtualenv from the system's Python -environment, it should be kept strictly compatible with Python 2.6. - -Synced in from openstack-common -""" - -from __future__ import print_function - -import optparse -import os -import subprocess -import sys - - -class InstallVenv(object): - - def __init__(self, root, venv, requirements, - test_requirements, py_version, - project): - self.root = root - self.venv = venv - self.requirements = requirements - self.test_requirements = test_requirements - self.py_version = py_version - self.project = project - - def die(self, message, *args): - print(message % args, file=sys.stderr) - sys.exit(1) - - def check_python_version(self): - if sys.version_info < (2, 6): - self.die("Need Python Version >= 2.6") - - def run_command_with_code(self, cmd, redirect_output=True, - check_exit_code=True): - """Runs a command in an out-of-process shell. - - Returns the output of that command. Working directory is self.root. - """ - if redirect_output: - stdout = subprocess.PIPE - else: - stdout = None - - proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout) - output = proc.communicate()[0] - if check_exit_code and proc.returncode != 0: - self.die('Command "%s" failed.\n%s', ' '.join(cmd), output) - return (output, proc.returncode) - - def run_command(self, cmd, redirect_output=True, check_exit_code=True): - return self.run_command_with_code(cmd, redirect_output, - check_exit_code)[0] - - def get_distro(self): - if (os.path.exists('/etc/fedora-release') or - os.path.exists('/etc/redhat-release')): - return Fedora( - self.root, self.venv, self.requirements, - self.test_requirements, self.py_version, self.project) - else: - return Distro( - self.root, self.venv, self.requirements, - self.test_requirements, self.py_version, self.project) - - def check_dependencies(self): - self.get_distro().install_virtualenv() - - def create_virtualenv(self, no_site_packages=True): - """Creates the virtual environment and installs PIP. - - Creates the virtual environment and installs PIP only into the - virtual environment. - """ - if not os.path.isdir(self.venv): - print('Creating venv...', end=' ') - if no_site_packages: - self.run_command(['virtualenv', '-q', '--no-site-packages', - self.venv]) - else: - self.run_command(['virtualenv', '-q', self.venv]) - print('done.') - else: - print("venv already exists...") - pass - - def pip_install(self, *args): - self.run_command(['tools/with_venv.sh', - 'pip', 'install', '--upgrade'] + list(args), - redirect_output=False) - - def install_dependencies(self): - print('Installing dependencies with pip (this can take a while)...') - - # First things first, make sure our venv has the latest pip and - # setuptools and pbr - self.pip_install('pip>=1.4') - self.pip_install('setuptools') - self.pip_install('pbr') - - self.pip_install('-r', self.requirements, '-r', self.test_requirements) - - def parse_args(self, argv): - """Parses command-line arguments.""" - parser = optparse.OptionParser() - parser.add_option('-n', '--no-site-packages', - action='store_true', - help="Do not inherit packages from global Python " - "install.") - return parser.parse_args(argv[1:])[0] - - -class Distro(InstallVenv): - - def check_cmd(self, cmd): - return bool(self.run_command(['which', cmd], - check_exit_code=False).strip()) - - def install_virtualenv(self): - if self.check_cmd('virtualenv'): - return - - if self.check_cmd('easy_install'): - print('Installing virtualenv via easy_install...', end=' ') - if self.run_command(['easy_install', 'virtualenv']): - print('Succeeded') - return - else: - print('Failed') - - self.die('ERROR: virtualenv not found.\n\n%s development' - ' requires virtualenv, please install it using your' - ' favorite package management tool' % self.project) - - -class Fedora(Distro): - """This covers all Fedora-based distributions. - - Includes: Fedora, RHEL, CentOS, Scientific Linux - """ - - def check_pkg(self, pkg): - return self.run_command_with_code(['rpm', '-q', pkg], - check_exit_code=False)[1] == 0 - - def install_virtualenv(self): - if self.check_cmd('virtualenv'): - return - - if not self.check_pkg('python-virtualenv'): - self.die("Please install 'python-virtualenv'.") - - super(Fedora, self).install_virtualenv() diff --git a/tools/keystone.bash_completion b/tools/keystone.bash_completion deleted file mode 100644 index d18668b99..000000000 --- a/tools/keystone.bash_completion +++ /dev/null @@ -1,27 +0,0 @@ -# bash completion for openstack keystone - -_keystone_opts="" # lazy init -_keystone_flags="" # lazy init -_keystone_opts_exp="" # lazy init -_keystone() -{ - local cur prev kbc - COMPREPLY=() - cur="${COMP_WORDS[COMP_CWORD]}" - prev="${COMP_WORDS[COMP_CWORD-1]}" - - if [ "x$_keystone_opts" == "x" ] ; then - kbc="`keystone bash-completion | sed -e "s/ -h / /"`" - _keystone_opts="`echo "$kbc" | sed -e "s/--[a-z0-9_-]*//g" -e "s/[ ][ ]*/ /g"`" - _keystone_flags="`echo " $kbc" | sed -e "s/ [^-][^-][a-z0-9_-]*//g" -e "s/[ ][ ]*/ /g"`" - _keystone_opts_exp="`echo $_keystone_opts | sed -e "s/[ ]/|/g"`" - fi - - if [[ " ${COMP_WORDS[@]} " =~ " "($_keystone_opts_exp)" " && "$prev" != "help" ]] ; then - COMPREPLY=($(compgen -W "${_keystone_flags}" -- ${cur})) - else - COMPREPLY=($(compgen -W "${_keystone_opts}" -- ${cur})) - fi - return 0 -} -complete -F _keystone keystone diff --git a/tools/with_venv.sh b/tools/with_venv.sh deleted file mode 100755 index c8d2940fc..000000000 --- a/tools/with_venv.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -TOOLS=`dirname $0` -VENV=$TOOLS/../.venv -source $VENV/bin/activate && $@ diff --git a/tox.ini b/tox.ini index 9781c354e..e69fc3559 100644 --- a/tox.ini +++ b/tox.ini @@ -1,48 +1,100 @@ [tox] -minversion = 1.6 +minversion = 3.18.0 skipsdist = True -envlist = py26,py27,py33,pep8 +envlist = py3,pep8,releasenotes +ignore_basepython_conflict = True [testenv] usedevelop = True -install_command = pip install -U {opts} {packages} -setenv = VIRTUAL_ENV={envdir} - OS_STDOUT_NOCAPTURE=False +setenv = OS_STDOUT_NOCAPTURE=False OS_STDERR_NOCAPTURE=False -deps = -r{toxinidir}/requirements.txt - -r{toxinidir}/test-requirements.txt -commands = python setup.py testr --testr-args='{posargs}' +deps = + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -r{toxinidir}/requirements.txt + -r{toxinidir}/test-requirements.txt +commands = find . -type f -name "*.pyc" -delete + stestr run --slowest {posargs} +allowlist_externals = find +basepython = python3 [testenv:pep8] commands = flake8 + bandit -r keystoneclient -x tests -n5 + +[testenv:bandit] +# NOTE(browne): This is required for the integration test job of the bandit +# project. Please do not remove. +commands = bandit -r keystoneclient -x tests -n5 [testenv:venv] commands = {posargs} [testenv:cover] -commands = python setup.py testr --coverage --testr-args='{posargs}' - -[tox:jenkins] -downloadcache = ~/cache/pip +setenv = + PYTHON=coverage run --source keystoneclient --parallel-mode +commands = + stestr run {posargs} + coverage combine + coverage html -d cover + coverage xml -o cover/coverage.xml + coverage report [testenv:debug] +commands = oslo_debug_helper -t keystoneclient/tests {posargs} -commands = - {toxinidir}/tools/debug_helper.sh {posargs} +[testenv:functional] +setenv = {[testenv]setenv} + OS_TEST_PATH=./keystoneclient/tests/functional +passenv = OS_* [flake8] -# F821: undefined name -# H304: no relative imports -# H803 Commit message should not end with a period (do not remove per list discussion) -# H405: multi line docstring summary not separated with an empty line -# E122: continuation line missing indentation or outdented -ignore = F821,H304,H803,H405,E122 +# D100: Missing docstring in public module +# D101: Missing docstring in public class +# D102: Missing docstring in public method +# D103: Missing docstring in public function +# D104: Missing docstring in public package +# D107: Missing docstring in __init__ +# D203: 1 blank line required before class docstring (deprecated in pep257) +# D401 First line should be in imperative mood; try rephrasing +# W504 line break after binary operator +ignore = D100,D101,D102,D103,D104,D107,D203,D401,W504 show-source = True -exclude = .venv,.tox,dist,doc,*egg,build,*openstack/common* +exclude = .venv,.tox,dist,doc,*egg,build [testenv:docs] -commands= - python setup.py build_sphinx +commands = sphinx-build -W -b html doc/source doc/build/html +deps = + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -r{toxinidir}/doc/requirements.txt + -r{toxinidir}/requirements.txt + +[testenv:pdf-docs] +deps = {[testenv:docs]deps} +allowlist_externals = + make + rm +commands = + rm -rf doc/build/pdf + sphinx-build -W -b latex doc/source doc/build/pdf + make -C doc/build/pdf + +[testenv:releasenotes] +commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html +deps = + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -r{toxinidir}/doc/requirements.txt + +[hacking] +import_exceptions = + keystoneclient.i18n + +[testenv:bindep] +# Do not install any requirements. We want this to be fast and work even if +# system dependencies are missing, since it's used to tell you what system +# dependencies are missing! This also means that bindep must be installed +# separately, outside of the requirements files. +deps = bindep +commands = bindep test