| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
The "insecure" option was being treated as a bool when it was
actually provided as a string. The fix is to parse the string to
a bool.
Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
Closes-Bug: 1411063
|
| |
|
|
| |
Change-Id: I2058893b3ec7f41085dade54d01a4b53fd86d8e9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Swift configures auth_token purely by paste options, not oslo.config.
This means that we cannot rely on purely using the keystoneclient
load_from_config_options for auth plugins.
Copy the logic from keystoneclient regarding auth plugin loading from
config files and make it specific to the _conf_get that auth_token
middleware uses so that the auth plugin options obey options from paste
as other options do.
This will be replaced with a keystoneclient helper as soon as possible,
however we want to fix the swift issue before that happens and we will
still be compatible going forward.
Change-Id: I54ac4c566cb798196ea18e24d4ce868450f269f3
Closes-Bug: #1428900
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch modifies AuthProtocol to defer authentication
to a downstream service if an invalid service token is found
and delay_auth_decision is True. This makes the behavior for
an invalid service token similar to that for an invalid user
token.
This is required by Swift because multiple auth middlewares
may co-exist, and auth_token will currently deny a request
on detecting an invalid service token when that service token
is in fact intended to be validated by another downstream auth
middleware. This is precisely the configuration used in
devstack which configures both authtoken and tempauth in
the Swift proxy pipeline [1].
Swift support for service tokens is currently in review [2]
and functional tests will not pass using devstack without the
change proposed here.
[1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
[2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30
DocImpact
SecurityImpact
Closes-Bug: #1422389
Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
|
| | |
| |
| |
| | |
Change-Id: I7c4436b148dc15d1bcebd3c6c129a014f463aade
|
| | |
| |
| |
| | |
Change-Id: I1433ecec9d844a31481d315465634ecdede780ae
|
| | |
| |
| |
| |
| |
| |
| | |
Move the UserAuthPlugin and helper classes into their own file.
Change-Id: Idd782aa9940fedd1d294b167769496937ab6749b
Implements: bp refactor-extract-module
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Extract the IdentityServer class and its helpers into their own file. As
part of this I extracted a few small functions into the _utils file as
they didn't really belong with IdentitServer.
Change-Id: I16bff5200c5687f364e7ec2cc87ba8fc8aaab277
Implements: bp refactor-extract-module
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Extract the two types of TokenCache and its helper classes to their
own file.
Change-Id: If8d703597b4dd1c578eaf5adc24e97962d5f08a2
Implements: bp refactor-extract-module
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Extract the default auth plugin into its own file. In future I'd like to
move the whole auth loading process into this file - however I have some
ideas for changing around how config works I'd like to do first.
Change-Id: I90c2f9e55947a436374ff54465e15caffdf9925d
Implements: bp refactor-extract-module
|
| |/
|
|
|
|
|
| |
Extract the revocations client and test code to their own file.
Change-Id: Ib5955cf4efea6b95d29b6ec722eabcf755688e65
Implements: bp refactor-extract-module
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Extract the SigningDirectory class into its own file and its own test
files.
Change-Id: I48631c9abea06da81409b6bd805e0f68bfe87a9f
Implements: bp refactor-extract-module
|
| |\ \
| |/ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Extract all the common exceptions from auth_token middleware and put it
into its own file. This is first to prove the concept and as exceptions
will be the most shared component of the other modules.
Change-Id: I5436404788d38c0fee87960139a413af780f0c34
Implements: bp refactor-extract-module
|
| |/
|
|
| |
Change-Id: Ida3527eaa50a5f0fd6e4bcb60892e0826510a22a
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
In preparation for splitting auth_token into files we move everything
into its own folder and verify that it still works, and establish a
separate testing directory.
Change-Id: I4f3aad706e2e9fa1b984b022858adabb552258e2
Implements: bp refactor-extract-module
|
| |/
|
|
| |
Change-Id: I053e8e8cef32f93b807921123d96f29c31cc72c8
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This moves the revocation list members from AuthProtocol to their
own class in auth_token.
bp refactor-extract-class
Change-Id: I756b92dee310fab7678fa800a833d6b13fd7e50a
|
| |\ \
| |/ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The signing directory code was scattered around the AuthProtocol
class. To make the AuthProtocol class cleaner, the signing directory
code is pulled into its own class.
bp refactor-extract-class
Change-Id: Ibc657bba234f480f0b4a051819768f413b7cafc5
|
| | |
| |
| |
| | |
Change-Id: I3c12a9ab3e784ac0c7aad5cc1286701a14e667e7
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
currently, the logic to create audit events is contained in pyCADF.
this makes it extremely difficult to modify as changes often require
edits to two different libraries, and subsequent releases of two
different libraries. additionally, it makes it impossible to test the
full path. this patch attempts to minimise the chaos.
Change-Id: Ic0ca193139acaa751cd96e7fadad2223a84088c8
|
| |\ \ \
| |_|/
|/| | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This auth plugin is already going to be distributed to everyone so that
they can use it to talk to use the current authentication to talk to
other services. Given that it knows everything that auth_token
middleware knows it may as well be the base for generating policy
contexts.
Implements: bp auth-context-object
Change-Id: I15e3517e854ef110987e392510c6de0f14645a59
|
| |\ \ \
| |/ /
|/| | |
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The auth_uri setting is the value that's returned on auth failure
in the WWW-Authenticate header. It's not actually used by auth_token
to communicate with the identity server, so the IdentityServer
class doesn't need to know what the setting is for the auth_token
middleware. IdentityServer only needs to know how to provide the
default auth uri (based on how IdentityServer is configured) to the
auth_token middleware in case auth_uri isn't specified.
This change is moving things around to clarify how the auth_uri is
used.
Change-Id: I97aeef5721a044422929c72e9e53898822bcdabf
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently, _get_token_expiration method returns a normalized time,
at the same time, _confirm_token_not_expired method returns an isotime.
We will cache the expire time returned by the two methods in the
_TokenCache object. But _TokenCache object treats it as an isotime when
getting cache.
There are two issues here:
1. _get_token_expiration should return isotime too
2. expires should be returned in one place rather than in two places
which is a gap make expires in different time-forms
Closes-Bug: #1413093
Change-Id: I85dbaaed0c761ff2f4bcc960df94a4e106af1730
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Sync code to oslo level 9a1970b3708114cc52f89a7b4d048eeae9140fef
This updates memorycache and removes context.
Change-Id: Ic43457ad60371422cab57de9f3ebac962ddbfb4d
|
| |\ \ \ \
| |/ / /
| | / /
| |/ /
|/| | |
|
| | |/
| |
| |
| |
| |
| | |
We should use oslo.context instead of the code from oslo-incubator.
Change-Id: I3a1c4d379d20a1afd86a2f2e60d40bc4c7715546
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Authmiddleware should fallback to purely online validation when
fetching certificate config failed or fetching revocation list failed.
Change-Id: I532e667cc26bbeb9bbd03605b9fb7ea7ebf14afa
Closes-Bug: #1384898
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Testing the delay_auth_decision for truth values is no longer necessary
as we do _conf_value_types_convert to convert paste string values into
those expected by the oslo.config options.
Change-Id: Ifa8be05830923a831a319bf291b7647ba0bbe781
|
| | |_|/
|/| |
| | |
| | | |
Change-Id: I8ed78c7b2740f44872c6bbcb84297fa63bbdcadc
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
More unit tests run when python-memcached is installed, so add it to
test-requirements.txt.
python-memcached doesn't work on py3k so it can't be in the test
requirements for the python3 jobs.
Closes-Bug: #1411003
Change-Id: I08036c7665421987da9dfd19f6f1e18dc5918f96
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The F821 "undefined name" rule wasn't enforced as it should be. This
is an important one since undefined names raise exceptions.
The H304 "no relative imports" also wasn't enforced.
Change-Id: If7fb6705c916b6df389590c9a48696e8850f328b
|
| |\ \ \ \ \ |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
oslo_config moved out of the oslo namespace.
bp drop-namespace-packages
Change-Id: Ia8b9b2a47bcfabe7a6aea67f243285028c981ba2
|
| |\ \ \ \ \ \
| |/ / / / / |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
oslo_serialization moved out of the oslo namespace.
bp drop-namespace-packages
Change-Id: Iff3c62018d5008f9451dd54a8cf63700c9b61f5d
|
