path: root/keystonemiddleware/auth_token/_opts.py
author: Colleen Murphy <colleen@gazlene.net> 2019-01-26 23:06:00 +0100
committer: Colleen Murphy <colleen.murphy@suse.de> 2019-07-15 16:05:59 -0700
commit: 5f093bf5ee9f8ed201f01bab9c9afbde0423df07 (patch)
tree: 90e46bfea194cc999b03e367cb9eb2572dcf011d /keystonemiddleware/auth_token/_opts.py
parent: 2d3765ed565aba3b9793efcfc5c2d1ea534f1a0d (diff)
download: keystonemiddleware-5f093bf5ee9f8ed201f01bab9c9afbde0423df07.tar.gz
Add validation of app cred access rules
This commit adds a validation step in the auth_token middleware to check for the presence of an access_rules attribute in an application credential token and to validate the request against the permissions granted for that token. During token validation it sends a header to keystone to indicate that it is capable of validating these access rules, and not providing this header for a token like this would result in the token failing validation.

This disregards access rules for a service request made by a service on behalf of a user, such as nova making a request to glance, because such a request is not under the control of the user and is not expected to be explicitly allowed in the access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377
Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
Diffstat (limited to 'keystonemiddleware/auth_token/_opts.py')
-rw-r--r-- keystonemiddleware/auth_token/_opts.py 4
1 files changed, 4 insertions, 0 deletions
diff --git a/keystonemiddleware/auth_token/_opts.py b/keystonemiddleware/auth_token/_opts.py
index b551407..f16d3f8 100644
--- a/keystonemiddleware/auth_token/_opts.py
+++ b/keystonemiddleware/auth_token/_opts.py
@@ -178,6 +178,10 @@ _OPTS = [
' service tokens pass that don\'t pass the service_token_roles'
' check as valid. Setting this true will become the default'
' in a future release and should be enabled if possible.'),
+ cfg.StrOpt('service_type',
+ help='The name or type of the service as it appears in the'
+ ' service catalog. This is used to validate tokens that have'
+ ' restricted access rules.'),
]
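Review bot: The help text for the new `service_type` option is ambiguous and says nothing about the unset case. "The name or type of the service as it appears in the service catalog" names two different catalog fields (name and type), but the option can only be compared against one of them when checking a token's access rules; the help should state which field is matched. It also has no default and does not say what happens when an operator leaves it unset, even though the commit message says tokens carrying access rules are rejected when the middleware cannot validate them, so an operator who misses this option could find every such token failing for this service. Suggest rewording along the lines of `help='The type of the service as it appears in the service catalog. This is compared against the service field of a token\'s access rules; tokens carrying access rules cannot be validated for this service unless it is set.'`, and adding a release note that documents the new option.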