Add keystone middleware wrapper to pecan app

Adds keystone middleware to enforce authentication if
auth_strategy is set to keystone.

Partially-Implements: blueprint wsgi-pecan-switch
Change-Id: I59a97579b1f2397597a127f02d00e99468f1e4a0

diff --git a/neutron/newapi/app.py b/neutron/newapi/app.py
index f434c3deac3efa4de6d94a2844345bd8f543034d..517f2690ecfeb30b3bbc2e487ecec6980f37a27c 100644 (file)
--- a/neutron/newapi/app.py
+++ b/neutron/newapi/app.py
@@ -13,10 +13,14 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from keystonemiddleware import auth_token
 from oslo_config import cfg
 from oslo_middleware import request_id
 import pecan
 
+from neutron.common import exceptions as n_exc
+
+
 CONF = cfg.CONF
 CONF.import_opt('bind_host', 'neutron.common.config')
 CONF.import_opt('bind_port', 'neutron.common.config')
@@ -52,4 +56,11 @@ def setup_app(*args, **kwargs):
 
 def _wrap_app(app):
     app = request_id.RequestId(app)
+    if cfg.CONF.auth_strategy == 'noauth':
+        pass
+    elif cfg.CONF.auth_strategy == 'keystone':
+        app = auth_token.AuthProtocol(app, {})
+    else:
+        raise n_exc.InvalidConfigurationOption(
+            opt_name='auth_strategy', opt_value=cfg.CONF.auth_strategy)
     return app

diff --git a/neutron/tests/functional/newapi/test_functional.py b/neutron/tests/functional/newapi/test_functional.py
index cf87425fa82807705776247c7aa3f8692f7656a8..0dde0bf9f9292d38176dd6b77da588c95685011b 100644 (file)
--- a/neutron/tests/functional/newapi/test_functional.py
+++ b/neutron/tests/functional/newapi/test_functional.py
@@ -15,10 +15,13 @@
 
 import os
 
+from oslo_config import cfg
 from oslo_utils import uuidutils
 from pecan import set_config
 from pecan.testing import load_test_app
+import testtools
 
+from neutron.common import exceptions as n_exc
 from neutron.tests.unit import testlib_api
 
 
@@ -28,11 +31,18 @@ class PecanFunctionalTest(testlib_api.SqlTestCase):
         self.setup_coreplugin('neutron.plugins.ml2.plugin.Ml2Plugin')
         super(PecanFunctionalTest, self).setUp()
         self.addCleanup(set_config, {}, overwrite=True)
+        self.set_config_overrides()
+        self.setup_app()
+
+    def setup_app(self):
         self.app = load_test_app(os.path.join(
             os.path.dirname(__file__),
             'config.py'
         ))
 
+    def set_config_overrides(self):
+        cfg.CONF.set_override('auth_strategy', 'noauth')
+
 
 class TestV2Controller(PecanFunctionalTest):
 
@@ -76,3 +86,25 @@ class TestRequestID(PecanFunctionalTest):
             response.headers['x-openstack-request-id'].startswith('req-'))
         id_part = response.headers['x-openstack-request-id'].split('req-')[1]
         self.assertTrue(uuidutils.is_uuid_like(id_part))
+
+
+class TestKeystoneAuth(PecanFunctionalTest):
+
+    def set_config_overrides(self):
+        # default auth strategy is keystone so we pass
+        pass
+
+    def test_auth_enforced(self):
+        response = self.app.get('/', expect_errors=True)
+        self.assertEqual(response.status_int, 401)
+
+
+class TestInvalidAuth(PecanFunctionalTest):
+    def setup_app(self):
+        # disable normal app setup since it will fail
+        pass
+
+    def test_invalid_auth_strategy(self):
+        cfg.CONF.set_override('auth_strategy', 'badvalue')
+        with testtools.ExpectedException(n_exc.InvalidConfigurationOption):
+            load_test_app(os.path.join(os.path.dirname(__file__), 'config.py'))