author | Brant Knudson <bknudson@us.ibm.com> | 2015-02-08 11:31:56 -0600 |
---|---|---|
committer | Brant Knudson <bknudson@us.ibm.com> | 2015-02-08 11:31:56 -0600 |
commit | 5cfdb6f17f5b3e27abfa05478f04d4e9aea0b200 (patch) | |
tree | 82697f94681544da925f01c9568169345220f384 | |
parent | 1c16d18ff60c11a8eb49693384fea2f5f957fea0 (diff) | |
Refactor auth_uri handling
The auth_uri setting is the value that's returned on auth failure
in the WWW-Authenticate header. It's not actually used by auth_token
to communicate with the identity server, so the IdentityServer
class doesn't need to know what the setting is for the auth_token
middleware. IdentityServer only needs to know how to provide the
default auth uri (based on how IdentityServer is configured) to the
auth_token middleware in case auth_uri isn't specified.
This change is moving things around to clarify how the auth_uri is
used.
Change-Id: I97aeef5721a044422929c72e9e53898822bcdabf
-rw-r--r-- | keystonemiddleware/auth_token.py | 45 | ||||
-rw-r--r-- | keystonemiddleware/tests/test_auth_token_middleware.py | 2 |
2 files changed, 26 insertions, 21 deletions
diff --git a/keystonemiddleware/auth_token.py b/keystonemiddleware/auth_token.py
index d2b6be3..62d69a5 100644
--- a/keystonemiddleware/auth_token.py
+++ b/keystonemiddleware/auth_token.py
@@ -711,6 +711,18 @@ class AuthProtocol(object):
 self._identity_server = self._create_identity_server()
+ self._auth_uri = self._conf_get('auth_uri')
+ if not self._auth_uri:
+ self._LOG.warning(
+ _LW('Configuring auth_uri to point to the public identity '
+ 'endpoint is required; clients may not be able to '
+ 'authenticate against an admin endpoint'))
+
+ # FIXME(dolph): drop support for this fallback behavior as
+ # documented in bug 1207517.
+
+ self._auth_uri = self._identity_server.auth_uri
+
 # signing
 self._signing_dirname = self._conf_get('signing_dir')
 if self._signing_dirname is None:
@@ -891,7 +903,7 @@ class AuthProtocol(object):
 @property
 def _reject_auth_headers(self):
- header_val = 'Keystone uri=\'%s\'' % self._identity_server.auth_uri
+ header_val = 'Keystone uri=\'%s\'' % self._auth_uri
 return [('WWW-Authenticate', header_val)]
 def _reject_request(self, env, start_response):
@@ -1356,7 +1368,6 @@ class AuthProtocol(object):
 self._LOG,
 adap,
 include_service_catalog=self._include_service_catalog,
- auth_uri=self._conf_get('auth_uri'),
 requested_auth_version=auth_version)
 def _token_cache_factory(self):
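Review bot: Nothing in the first hunk (`@@ -711`) validates the value stored in `self._auth_uri` before `_reject_auth_headers` (second hunk, `@@ -891`) formats it into `WWW-Authenticate` with `'Keystone uri=\'%s\''`; a configured value containing a single quote or a line break would yield a malformed header on every rejected request. A cheap guard at init would be to parse the value once and refuse anything that is not an absolute http or https URL. Separately, `if not self._auth_uri:` also sends an empty string down the fallback path, where the removed code tested `auth_uri is None`; if that is intended, a comment such as `# An empty auth_uri is treated the same as an unset one.` would record it. `__init__` starts before and continues past this hunk.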
@@ -1453,33 +1464,27 @@ class _IdentityServer(object):
 """
- def __init__(self, log, adap, include_service_catalog=None, auth_uri=None,
+ def __init__(self, log, adap, include_service_catalog=None,
 requested_auth_version=None):
 self._LOG = log
 self._adapter = adap
 self._include_service_catalog = include_service_catalog
 self._requested_auth_version = requested_auth_version
- if auth_uri is None:
- self._LOG.warning(
- _LW('Configuring auth_uri to point to the public identity '
- 'endpoint is required; clients may not be able to '
- 'authenticate against an admin endpoint'))
-
- # FIXME(dolph): drop support for this fallback behavior as
- # documented in bug 1207517.
- auth_uri = adap.get_endpoint(interface=auth.AUTH_INTERFACE)
+ # Built on-demand with self._request_strategy.
+ self._request_strategy_obj = None
- # NOTE(jamielennox): This weird stripping of the prefix hack is
- # only relevant to the legacy case. We urljoin '/' to get just the
- # base URI as this is the original behaviour.
- if isinstance(adap.auth, _AuthTokenPlugin):
- auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
+ @property
+ def auth_uri(self):
+ auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)
- self.auth_uri = auth_uri
+ # NOTE(jamielennox): This weird stripping of the prefix hack is
+ # only relevant to the legacy case. We urljoin '/' to get just the
+ # base URI as this is the original behaviour.
+ if isinstance(self._adapter.auth, _AuthTokenPlugin):
+ auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
- # Built on-demand with self._request_strategy.
- self._request_strategy_obj = None
+ return auth_uri
 @property
 def auth_version(self):
diff --git a/keystonemiddleware/tests/test_auth_token_middleware.py b/keystonemiddleware/tests/test_auth_token_middleware.py
index 7811f0d..803e173 100644
--- a/keystonemiddleware/tests/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/test_auth_token_middleware.py
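Review bot: The new `auth_uri` property returns whatever `self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)` gives back without checking it, so if the adapter can return `None` here (not visible in this hunk) the non-legacy path hands `None` to AuthProtocol, which would then advertise `Keystone uri='None'` to clients. A check right after the call, `if not auth_uri:` followed by a logged configuration error or an exception at startup, would surface the misconfiguration instead of putting it in the header. The property also has no docstring, and after this change it only supplies the default used when `auth_uri` is unset, so I would add `"""Default auth_uri for WWW-Authenticate, derived from the adapter's endpoint; used only when auth_uri is not configured."""`. The class body starts before this hunk and continues after it.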
@@ -663,7 +663,7 @@ class CommonAuthTokenMiddlewareTest(object):
 self.set_middleware(conf=conf)
 expected_auth_uri = 'http://[2001:2013:1:f101::1]:1234'
 self.assertEqual(expected_auth_uri,
- self.middleware._identity_server.auth_uri)
+ self.middleware._auth_uri)
 def assert_valid_request_200(self, token, with_catalog=True):
 req = webob.Request.blank('/') |