Refactor auth_uri handling

The auth_uri setting is the value that's returned on auth failure in the WWW-Authenticate header. It's not actually used by auth_token to communicate with the identity server, so the IdentityServer class doesn't need to know what the setting is for the auth_token middleware. IdentityServer only needs to know how to provide the default auth uri (based on how IdentityServer is configured) to the auth_token middleware in case auth_uri isn't specified. This change is moving things around to clarify how the auth_uri is used. Change-Id: I97aeef5721a044422929c72e9e53898822bcdabf
author: Brant Knudson <bknudson@us.ibm.com> 2015-02-08 11:31:56 -0600
committer: Brant Knudson <bknudson@us.ibm.com> 2015-02-08 11:31:56 -0600
commit: 5cfdb6f17f5b3e27abfa05478f04d4e9aea0b200 (patch)
tree: 82697f94681544da925f01c9568169345220f384
parent: 1c16d18ff60c11a8eb49693384fea2f5f957fea0 (diff)
download: keystonemiddleware-5cfdb6f17f5b3e27abfa05478f04d4e9aea0b200.tar.gz
2 files changed, 26 insertions, 21 deletions
diff --git a/keystonemiddleware/auth_token.py b/keystonemiddleware/auth_token.py
index d2b6be3..62d69a5 100644
--- a/keystonemiddleware/auth_token.py
+++ b/keystonemiddleware/auth_token.py
@@ -711,6 +711,18 @@ class AuthProtocol(object):
 
         self._identity_server = self._create_identity_server()
 
+        self._auth_uri = self._conf_get('auth_uri')
+        if not self._auth_uri:
+            self._LOG.warning(
+                _LW('Configuring auth_uri to point to the public identity '
+                    'endpoint is required; clients may not be able to '
+                    'authenticate against an admin endpoint'))
+
+            # FIXME(dolph): drop support for this fallback behavior as
+            # documented in bug 1207517.
+
+            self._auth_uri = self._identity_server.auth_uri
+
         # signing
         self._signing_dirname = self._conf_get('signing_dir')
         if self._signing_dirname is None:
@@ -891,7 +903,7 @@ class AuthProtocol(object):
 
     @property
     def _reject_auth_headers(self):
-        header_val = 'Keystone uri=\'%s\'' % self._identity_server.auth_uri
+        header_val = 'Keystone uri=\'%s\'' % self._auth_uri
         return [('WWW-Authenticate', header_val)]
 
     def _reject_request(self, env, start_response):
@@ -1356,7 +1368,6 @@ class AuthProtocol(object):
             self._LOG,
             adap,
             include_service_catalog=self._include_service_catalog,
-            auth_uri=self._conf_get('auth_uri'),
             requested_auth_version=auth_version)
 
     def _token_cache_factory(self):
@@ -1453,33 +1464,27 @@ class _IdentityServer(object):
 
     """
 
-    def __init__(self, log, adap, include_service_catalog=None, auth_uri=None,
+    def __init__(self, log, adap, include_service_catalog=None,
                  requested_auth_version=None):
         self._LOG = log
         self._adapter = adap
         self._include_service_catalog = include_service_catalog
         self._requested_auth_version = requested_auth_version
 
-        if auth_uri is None:
-            self._LOG.warning(
-                _LW('Configuring auth_uri to point to the public identity '
-                    'endpoint is required; clients may not be able to '
-                    'authenticate against an admin endpoint'))
-
-            # FIXME(dolph): drop support for this fallback behavior as
-            # documented in bug 1207517.
-            auth_uri = adap.get_endpoint(interface=auth.AUTH_INTERFACE)
+        # Built on-demand with self._request_strategy.
+        self._request_strategy_obj = None
 
-            # NOTE(jamielennox): This weird stripping of the prefix hack is
-            # only relevant to the legacy case. We urljoin '/' to get just the
-            # base URI as this is the original behaviour.
-            if isinstance(adap.auth, _AuthTokenPlugin):
-                auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
+    @property
+    def auth_uri(self):
+        auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)
 
-        self.auth_uri = auth_uri
+        # NOTE(jamielennox): This weird stripping of the prefix hack is
+        # only relevant to the legacy case. We urljoin '/' to get just the
+        # base URI as this is the original behaviour.
+        if isinstance(self._adapter.auth, _AuthTokenPlugin):
+            auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
 
-        # Built on-demand with self._request_strategy.
-        self._request_strategy_obj = None
+        return auth_uri
 
     @property
     def auth_version(self):
diff --git a/keystonemiddleware/tests/test_auth_token_middleware.py b/keystonemiddleware/tests/test_auth_token_middleware.py
index 7811f0d..803e173 100644
--- a/keystonemiddleware/tests/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/test_auth_token_middleware.py
@@ -663,7 +663,7 @@ class CommonAuthTokenMiddlewareTest(object):
         self.set_middleware(conf=conf)
         expected_auth_uri = 'http://[2001:2013:1:f101::1]:1234'
         self.assertEqual(expected_auth_uri,
-                         self.middleware._identity_server.auth_uri)
+                         self.middleware._auth_uri)
 
     def assert_valid_request_200(self, token, with_catalog=True):
         req = webob.Request.blank('/')
author	Brant Knudson <bknudson@us.ibm.com>	2015-02-08 11:31:56 -0600
committer	Brant Knudson <bknudson@us.ibm.com>	2015-02-08 11:31:56 -0600
commit	5cfdb6f17f5b3e27abfa05478f04d4e9aea0b200 (patch)
tree	82697f94681544da925f01c9568169345220f384
parent	1c16d18ff60c11a8eb49693384fea2f5f957fea0 (diff)
download	keystonemiddleware-5cfdb6f17f5b3e27abfa05478f04d4e9aea0b200.tar.gz