--- /dev/null
+Description: Subclass keystone middleware to set headers
+ Replace old forked auth_token with a subclass of keystoneclient middleware.
+ The advantages of moving to keystoneclient middleware:
+ - can use v3 (or v2) keystone api
+ - PKI tokens
+ - token revocation
+ .
+ The subclass sets the following headers to be consumed by our request context
+ filter:
+ - X-Admin-User
+ - X-Admin-Pass
+ - X-Admin-Tenant-Name
+ - X-Auth-Url
+Author: Steve Baker <steve@stevebaker.org>
+Origin: upstream, https://github.com/openstack/heat/commit/cfda18b43e2e5782e5595e54f4a48f30b860e5dd
+Last-Update: 2013-05-23
+
+--- heat-2013.1.orig/heat/common/auth_token.py
++++ heat-2013.1/heat/common/auth_token.py
+@@ -15,509 +15,24 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+-"""
+-TOKEN-BASED AUTH MIDDLEWARE
+-
+-This WSGI component:
+-
+-* Verifies that incoming client requests have valid tokens by validating
+- tokens with the auth service.
+-* Rejects unauthenticated requests UNLESS it is in 'delay_auth_decision'
+- mode, which means the final decision is delegated to the downstream WSGI
+- component (usually the OpenStack service)
+-* Collects and forwards identity information based on a valid token
+- such as user name, tenant, etc
+-
+-Refer to: http://keystone.openstack.org/middlewarearchitecture.html
+-
+-HEADERS
+--------
+-
+-* Headers starting with HTTP\_ is a standard http header
+-* Headers starting with HTTP_X is an extended http header
+-
+-Coming in from initial call from client or customer
+-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+-
+-HTTP_X_AUTH_TOKEN
+- The client token being passed in.
+-
+-HTTP_X_STORAGE_TOKEN
+- The client token being passed in (legacy Rackspace use) to support
+- swift/cloud files
+-
+-Used for communication between components
+-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+-
+-WWW-Authenticate
+- HTTP header returned to a user indicating which endpoint to use
+- to retrieve a new token
+-
+-What we add to the request for use by the OpenStack service
+-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+-
+-HTTP_X_IDENTITY_STATUS
+- 'Confirmed' or 'Invalid'
+- The underlying service will only see a value of 'Invalid' if the Middleware
+- is configured to run in 'delay_auth_decision' mode
+-
+-HTTP_X_TENANT_ID
+- Identity service managed unique identifier, string
+-
+-HTTP_X_TENANT_NAME
+- Unique tenant identifier, string
+-
+-HTTP_X_USER_ID
+- Identity-service managed unique identifier, string
+-
+-HTTP_X_USER_NAME
+- Unique user identifier, string
+-
+-HTTP_X_ROLES
+- Comma delimited list of case-sensitive Roles
+-
+-HTTP_X_TENANT
+- *Deprecated* in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME
+- Keystone-assigned unique identifier, deprecated
+-
+-HTTP_X_USER
+- *Deprecated* in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME
+- Unique user name, string
+-
+-HTTP_X_ROLE
+- *Deprecated* in favor of HTTP_X_ROLES
+- This is being renamed, and the new header contains the same data.
+-
+-"""
+-
+-import httplib
+-import json
+ import logging
+-import time
+-
+-import webob
+-import webob.exc
+-
++from keystoneclient.middleware import auth_token
+
+ LOG = logging.getLogger(__name__)
+
+
+-class InvalidUserToken(Exception):
+- pass
+-
+-
+-class ServiceError(Exception):
+- pass
+-
+-
+-class AuthProtocol(object):
+- """Auth Middleware that handles authenticating client calls."""
+-
+- def __init__(self, app, conf):
+- LOG.info('Starting keystone auth_token middleware')
+- self.conf = conf
+- self.app = app
+-
+- # delay_auth_decision means we still allow unauthenticated requests
+- # through and we let the downstream service make the final decision
+- self.delay_auth_decision = int(conf.get('delay_auth_decision', 0))
+-
+- # where to find the auth service (we use this to validate tokens)
+- self.auth_host = conf.get('auth_host')
+- self.auth_port = int(conf.get('auth_port', 35357))
+- auth_protocol = conf.get('auth_protocol', 'https')
+- if auth_protocol == 'http':
+- self.http_client_class = httplib.HTTPConnection
+- else:
+- self.http_client_class = httplib.HTTPSConnection
+-
+- default_auth_uri = '%s://%s:%s' % (auth_protocol,
+- self.auth_host,
+- self.auth_port)
+- self.auth_uri = conf.get('auth_uri', default_auth_uri)
+-
+- # Credentials used to verify this component with the Auth service since
+- # validating tokens is a privileged call
+- self.admin_token = conf.get('admin_token')
+- self.admin_user = conf.get('admin_user')
+- self.admin_password = conf.get('admin_password')
+- self.admin_tenant_name = conf.get('admin_tenant_name', 'admin')
+-
+- # Token caching via memcache
+- self._cache = None
+- self._iso8601 = None
+- memcache_servers = conf.get('memcache_servers')
+- # By default the token will be cached for 5 minutes
+- self.token_cache_time = conf.get('token_cache_time', 300)
+- if memcache_servers:
+- try:
+- import memcache
+- import iso8601
+- LOG.info('Using memcache for caching token')
+- self._cache = memcache.Client(memcache_servers.split(','))
+- self._iso8601 = iso8601
+- except NameError as e:
+- LOG.warn('disabled caching due to missing libraries %s', e)
+-
+- def __call__(self, env, start_response):
+- """Handle incoming request.
+-
+- Authenticate send downstream on success. Reject request if
+- we can't authenticate.
+-
+- """
+- LOG.debug('Authenticating user token')
+- try:
+- self._remove_auth_headers(env)
+- user_token = self._get_user_token_from_header(env)
+- token_info = self._validate_user_token(user_token)
+- user_headers = self._build_user_headers(token_info)
+- self._add_headers(env, user_headers)
+- return self.app(env, start_response)
+-
+- except InvalidUserToken:
+- if self.delay_auth_decision:
+- LOG.info('Invalid user token - deferring reject downstream')
+- self._add_headers(env, {'X-Identity-Status': 'Invalid'})
+- return self.app(env, start_response)
+- else:
+- LOG.info('Invalid user token - rejecting request')
+- return self._reject_request(env, start_response)
+-
+- except ServiceError, e:
+- LOG.critical('Unable to obtain admin token: %s' % e)
+- resp = webob.exc.HTTPServiceUnavailable()
+- return resp(env, start_response)
+-
+- def _remove_auth_headers(self, env):
+- """Remove headers so a user can't fake authentication.
+-
+- :param env: wsgi request environment
+-
+- """
+- auth_headers = (
+- 'X-Identity-Status',
+- 'X-Tenant-Id',
+- 'X-Tenant-Name',
+- 'X-User-Id',
+- 'X-User-Name',
+- 'X-Roles',
+- # Deprecated
+- 'X-User',
+- 'X-Tenant',
+- 'X-Role',
+- )
+- LOG.debug('Removing headers from request environment: %s' %
+- ','.join(auth_headers))
+- self._remove_headers(env, auth_headers)
+-
+- def _get_user_token_from_header(self, env):
+- """Get token id from request.
+-
+- :param env: wsgi request environment
+- :return token id
+- :raises InvalidUserToken if no token is provided in request
+-
+- """
+- token = self._get_header(env, 'X-Auth-Token',
+- self._get_header(env, 'X-Storage-Token'))
+- if token:
+- return token
+- else:
+- LOG.warn("Unable to find authentication token in headers: %s", env)
+- raise InvalidUserToken('Unable to find token in headers')
+-
+- def _reject_request(self, env, start_response):
+- """Redirect client to auth server.
+-
+- :param env: wsgi request environment
+- :param start_response: wsgi response callback
+- :returns HTTPUnauthorized http response
+-
+- """
+- headers = [('WWW-Authenticate', 'Keystone uri=\'%s\'' % self.auth_uri)]
+- resp = webob.exc.HTTPUnauthorized('Authentication required', headers)
+- return resp(env, start_response)
+-
+- def get_admin_token(self):
+- """Return admin token, possibly fetching a new one.
+-
+- :return admin token id
+- :raise ServiceError when unable to retrieve token from keystone
+-
+- """
+- if not self.admin_token:
+- self.admin_token = self._request_admin_token()
+-
+- return self.admin_token
+-
+- def _get_http_connection(self):
+- return self.http_client_class(self.auth_host, self.auth_port)
+-
+- def _json_request(self, method, path, body=None, additional_headers=None):
+- """HTTP request helper used to make json requests.
+-
+- :param method: http method
+- :param path: relative request url
+- :param body: dict to encode to json as request body. Optional.
+- :param additional_headers: dict of additional headers to send with
+- http request. Optional.
+- :return (http response object, response body parsed as json)
+- :raise ServerError when unable to communicate with keystone
+-
+- """
+- conn = self._get_http_connection()
+-
+- kwargs = {
+- 'headers': {
+- 'Content-type': 'application/json',
+- 'Accept': 'application/json',
+- },
+- }
+-
+- if additional_headers:
+- kwargs['headers'].update(additional_headers)
+-
+- if body:
+- kwargs['body'] = json.dumps(body)
+-
+- try:
+- conn.request(method, path, **kwargs)
+- response = conn.getresponse()
+- body = response.read()
+- except Exception, e:
+- LOG.error('HTTP connection exception: %s' % e)
+- raise ServiceError('Unable to communicate with keystone')
+- finally:
+- conn.close()
+-
+- try:
+- data = json.loads(body)
+- except ValueError:
+- LOG.debug('Keystone did not return json-encoded body')
+- data = {}
+-
+- return response, data
+-
+- def _request_admin_token(self):
+- """Retrieve new token as admin user from keystone.
+-
+- :return token id upon success
+- :raises ServerError when unable to communicate with keystone
+-
+- """
+- params = {
+- 'auth': {
+- 'passwordCredentials': {
+- 'username': self.admin_user,
+- 'password': self.admin_password,
+- },
+- 'tenantName': self.admin_tenant_name,
+- }
+- }
+-
+- response, data = self._json_request('POST',
+- '/v2.0/tokens',
+- body=params)
+-
+- try:
+- token = data['access']['token']['id']
+- assert token
+- return token
+- except (AssertionError, KeyError):
+- LOG.warn("Unexpected response from keystone service: %s", data)
+- raise ServiceError('invalid json response')
+-
+- def _validate_user_token(self, user_token, retry=True):
+- """Authenticate user token with keystone.
+-
+- :param user_token: user's token id
+- :param retry: flag that forces the middleware to retry
+- user authentication when an indeterminate
+- response is received. Optional.
+- :return token object received from keystone on success
+- :raise InvalidUserToken if token is rejected
+- :raise ServiceError if unable to authenticate token
+-
+- """
+- cached = self._cache_get(user_token)
+- if cached:
+- return cached
+-
+- headers = {'X-Auth-Token': self.get_admin_token()}
+- response, data = self._json_request('GET',
+- '/v2.0/tokens/%s' % user_token,
+- additional_headers=headers)
+-
+- if response.status == 200:
+- self._cache_put(user_token, data)
+- return data
+- if response.status == 404:
+- # FIXME(ja): I'm assuming the 404 status means that user_token is
+- # invalid - not that the admin_token is invalid
+- self._cache_store_invalid(user_token)
+- LOG.warn("Authorization failed for token %s", user_token)
+- raise InvalidUserToken('Token authorization failed')
+- if response.status == 401:
+- LOG.info('Keystone rejected admin token %s, resetting', headers)
+- self.admin_token = None
+- else:
+- LOG.error('Bad response code while validating token: %s' %
+- response.status)
+- if retry:
+- LOG.info('Retrying validation')
+- return self._validate_user_token(user_token, False)
+- else:
+- LOG.warn("Invalid user token: %s. Keystone response: %s.",
+- user_token, data)
+-
+- raise InvalidUserToken()
+-
++class AuthProtocol(auth_token.AuthProtocol):
++ """
++ Subclass of keystoneclient auth_token middleware which also
++ sets the 'X-Auth-Url' header to the value specified in the config.
++ """
+ def _build_user_headers(self, token_info):
+- """Convert token object into headers.
+-
+- Build headers that represent authenticated user:
+- * X_IDENTITY_STATUS: Confirmed or Invalid
+- * X_TENANT_ID: id of tenant if tenant is present
+- * X_TENANT_NAME: name of tenant if tenant is present
+- * X_USER_ID: id of user
+- * X_USER_NAME: name of user
+- * X_ROLES: list of roles
+-
+- Additional (deprecated) headers include:
+- * X_USER: name of user
+- * X_TENANT: For legacy compatibility before we had ID and Name
+- * X_ROLE: list of roles
+-
+- :param token_info: token object returned by keystone on authentication
+- :raise InvalidUserToken when unable to parse token object
+-
+- """
+- user = token_info['access']['user']
+- token = token_info['access']['token']
+- roles = ','.join([role['name'] for role in user.get('roles', [])])
+-
+- def get_tenant_info():
+- """Returns a (tenant_id, tenant_name) tuple from context."""
+- def essex():
+- """Essex puts the tenant ID and name on the token."""
+- return (token['tenant']['id'], token['tenant']['name'])
+-
+- def pre_diablo():
+- """Pre-diablo, Keystone only provided tenantId."""
+- return (token['tenantId'], token['tenantId'])
+-
+- def default_tenant():
+- """Assume the user's default tenant."""
+- return (user['tenantId'], user['tenantName'])
+-
+- for method in [essex, pre_diablo, default_tenant]:
+- try:
+- return method()
+- except KeyError:
+- pass
+-
+- raise InvalidUserToken('Unable to determine tenancy.')
+-
+- tenant_id, tenant_name = get_tenant_info()
+-
+- user_id = user['id']
+- user_name = user['name']
+-
+- return {
+- 'X-Identity-Status': 'Confirmed',
+- 'X-Tenant-Id': tenant_id,
+- 'X-Tenant-Name': tenant_name,
+- 'X-User-Id': user_id,
+- 'X-User-Name': user_name,
+- 'X-Roles': roles,
+- # Deprecated
+- 'X-User': user_name,
+- 'X-Tenant': tenant_name,
+- 'X-Role': roles,
+- 'X-Admin-User': self.admin_user,
+- 'X-Admin-Pass': self.admin_password,
+- 'X-Admin-Tenant-Name': self.admin_tenant_name,
+- 'X-Auth-Url': self.conf['auth_uri'],
+- }
+-
+- def _header_to_env_var(self, key):
+- """Convert header to wsgi env variable.
+-
+- :param key: http header name (ex. 'X-Auth-Token')
+- :return wsgi env variable name (ex. 'HTTP_X_AUTH_TOKEN')
+-
+- """
+- return 'HTTP_%s' % (key.replace('-', '_').upper())
+-
+- def _add_headers(self, env, headers):
+- """Add http headers to environment."""
+- for (k, v) in headers.iteritems():
+- env_key = self._header_to_env_var(k)
+- env[env_key] = v
+-
+- def _remove_headers(self, env, keys):
+- """Remove http headers from environment."""
+- for k in keys:
+- env_key = self._header_to_env_var(k)
+- try:
+- del env[env_key]
+- except KeyError:
+- pass
+-
+- def _get_header(self, env, key, default=None):
+- """Get http header from environment."""
+- env_key = self._header_to_env_var(key)
+- return env.get(env_key, default)
+-
+- def _cache_get(self, token):
+- """Return token information from cache.
+-
+- If token is invalid raise InvalidUserToken
+- return token only if fresh (not expired).
+- """
+- if self._cache and token:
+- key = 'tokens/%s' % token
+- cached = self._cache.get(key)
+- if cached == 'invalid':
+- LOG.debug('Cached Token %s is marked unauthorized', token)
+- raise InvalidUserToken('Token authorization failed')
+- if cached:
+- data, expires = cached
+- if time.time() < float(expires):
+- LOG.debug('Returning cached token %s', token)
+- return data
+- else:
+- LOG.debug('Cached Token %s seems expired', token)
+-
+- def _cache_put(self, token, data):
+- """Put token data into the cache.
+-
+- Stores the parsed expire date in cache allowing
+- quick check of token freshness on retrieval.
+- """
+- if self._cache and data:
+- key = 'tokens/%s' % token
+- if 'token' in data.get('access', {}):
+- timestamp = data['access']['token']['expires']
+- expires = self._iso8601.parse_date(timestamp).strftime('%s')
+- else:
+- LOG.error('invalid token format')
+- return
+- LOG.debug('Storing %s token in memcache', token)
+- self._cache.set(key,
+- (data, expires),
+- time=self.token_cache_time)
+-
+- def _cache_store_invalid(self, token):
+- """Store invalid token in cache."""
+- if self._cache:
+- key = 'tokens/%s' % token
+- LOG.debug('Marking token %s as unauthorized in memcache', token)
+- self._cache.set(key,
+- 'invalid',
+- time=self.token_cache_time)
+-
++ rval = super(AuthProtocol, self)._build_user_headers(token_info)
++ rval['X-Auth-Url'] = self.auth_uri
++ rval['X-Admin-User'] = self.admin_user
++ rval['X-Admin-Pass'] = self.admin_password
++ rval['X-Admin-Tenant-Name'] = self.admin_tenant_name
++ return rval
+
+ def filter_factory(global_conf, **local_conf):
+ """Returns a WSGI filter app for use with paste.deploy."""
+--- heat-2013.1.orig/etc/heat/heat-api-cfn-paste.ini
++++ heat-2013.1/etc/heat/heat-api-cfn-paste.ini
+@@ -69,9 +69,6 @@ keystone_ec2_uri = http://localhost:5000
+
+ [filter:authtoken]
+ paste.filter_factory = heat.common.auth_token:filter_factory
+-service_protocol = http
+-service_host = 127.0.0.1
+-service_port = 5000
+ auth_host = 127.0.0.1
+ auth_port = 35357
+ auth_protocol = http
+--- heat-2013.1.orig/etc/heat/heat-api-cloudwatch-paste.ini
++++ heat-2013.1/etc/heat/heat-api-cloudwatch-paste.ini
+@@ -69,9 +69,6 @@ keystone_ec2_uri = http://localhost:5000
+
+ [filter:authtoken]
+ paste.filter_factory = heat.common.auth_token:filter_factory
+-service_protocol = http
+-service_host = 127.0.0.1
+-service_port = 5000
+ auth_host = 127.0.0.1
+ auth_port = 35357
+ auth_protocol = http
+--- heat-2013.1.orig/etc/heat/heat-api-paste.ini
++++ heat-2013.1/etc/heat/heat-api-paste.ini
+@@ -72,13 +72,10 @@ paste.filter_factory = heat.common.conte
+
+ [filter:authtoken]
+ paste.filter_factory = heat.common.auth_token:filter_factory
+-service_protocol = http
+-service_host = 127.0.0.1
+-service_port = 5000
+ auth_host = 127.0.0.1
+ auth_port = 35357
+ auth_protocol = http
+-auth_uri = http://127.0.0.1:35357/v2.0
++auth_uri = http://127.0.0.1:5000/v2.0
+
+ # These must be set to your local values in order for the token
+ # authentication to work.
Code Review / openstack-build / heat-build.git / commitdiff