diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 35734284..8979ad07 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -156,6 +156,11 @@ delay_auth_decision = False # Keystone server details auth_uri = http://keystonehost:35357/ +# Identity Service API version to use. This is appended to the auth_uri. +# Historically this defaulted to "2.0", but most modern deployments +# should use "3". +auth_version = 2.0 + # Connect/read timeout to use when communicating with Keystone http_timeout = 10.0 diff --git a/swift3/s3_token_middleware.py b/swift3/s3_token_middleware.py index f86c5ce6..d1646c32 100644 --- a/swift3/s3_token_middleware.py +++ b/swift3/s3_token_middleware.py @@ -160,6 +160,7 @@ def __init__(self, app, conf): if parsed.query or parsed.fragment or '@' in parsed.netloc: raise ConfigFileError('Invalid auth_uri; must not include ' 'username, query, or fragment') + self._request_uri += '/v%s/s3tokens' % conf.get('auth_version', '2.0') # SSL insecure = config_true_value(conf.get('insecure')) @@ -194,7 +195,7 @@ def _deny_request(self, code): def _json_request(self, creds_json): headers = {'Content-Type': 'application/json'} try: - response = requests.post('%s/v2.0/s3tokens' % self._request_uri, + response = requests.post(self._request_uri, headers=headers, data=creds_json, verify=self._verify, timeout=self._timeout) diff --git a/swift3/test/unit/test_s3_token_middleware.py b/swift3/test/unit/test_s3_token_middleware.py index c7414bba..b99e3d96 100644 --- a/swift3/test/unit/test_s3_token_middleware.py +++ b/swift3/test/unit/test_s3_token_middleware.py @@ -284,6 +284,28 @@ def test_authorized_http(self): req.get_response(self.middleware) self._assert_authorized(req) + def test_authorized_v3(self): + protocol = 'http' + host = 'fakehost' + port = 35357 + self.requests_mock.post( + '%s://%s:%s/v3/s3tokens' % (protocol, host, port), + status_code=201, json=GOOD_RESPONSE_V2) + + self.middleware = ( + s3_token.filter_factory({'auth_protocol': 'http', + 'auth_host': host, + 'auth_port': port, + 'auth_version': '3'})(self.app)) + req = Request.blank('/v1/AUTH_cfa/c/o') + req.environ['swift3.auth_details'] = { + 'access_key': u'access', + 'signature': u'signature', + 'string_to_sign': u'token', + } + req.get_response(self.middleware) + self._assert_authorized(req) + def test_authorized_trailing_slash(self): self.middleware = s3_token.filter_factory({ 'auth_uri': self.TEST_AUTH_URI + '/'})(self.app) @@ -355,20 +377,44 @@ def test_insecure_option(self): middleware = s3_token.filter_factory(config)(self.app) self.assertIs('false_ind', middleware._verify) + def test_auth_version(self): + for conf, expected in [ + # if provided just host/scheme, tack on the default + # version/endpoint like before + ({'auth_uri': 'https://example.com'}, + 'https://example.com/v2.0/s3tokens'), + # if provided a version-specific URI, trust it + ({'auth_uri': 'https://example.com:5000', + 'auth_version': '2.0'}, + 'https://example.com:5000/v2.0/s3tokens'), + ({'auth_uri': 'http://example.com', 'auth_version': '3'}, + 'http://example.com/v3/s3tokens'), + # even try to allow for future versions + ({'auth_uri': 'http://example.com', 'auth_version': '4.25'}, + 'http://example.com/v4.25/s3tokens'), + # keystone running under mod_wsgi often has a path prefix + ({'auth_uri': 'https://example.com/identity'}, + 'https://example.com/identity/v2.0/s3tokens'), + # doesn't really work to include version in auth_uri + ({'auth_uri': 'https://example.com/v2.0'}, + 'https://example.com/v2.0/v2.0/s3tokens')]: + middleware = s3_token.filter_factory(conf)(self.app) + self.assertEqual(expected, middleware._request_uri) + def test_ipv6_auth_host_option(self): config = {} ipv6_addr = '::FFFF:129.144.52.38' - identity_uri = 'https://[::FFFF:129.144.52.38]:35357' + request_uri = 'https://[::FFFF:129.144.52.38]:35357/v2.0/s3tokens' # Raw IPv6 address should work config['auth_host'] = ipv6_addr middleware = s3_token.filter_factory(config)(self.app) - self.assertEqual(identity_uri, middleware._request_uri) + self.assertEqual(request_uri, middleware._request_uri) # ...as should workarounds already in use config['auth_host'] = '[%s]' % ipv6_addr middleware = s3_token.filter_factory(config)(self.app) - self.assertEqual(identity_uri, middleware._request_uri) + self.assertEqual(request_uri, middleware._request_uri) # ... with no config, we should get config error del config['auth_host'] @@ -742,6 +788,28 @@ def test_authorized_http(self): req.get_response(self.middleware) self._assert_authorized(req) + def test_authorized_v3(self): + protocol = 'http' + host = 'fakehost' + port = 35357 + self.requests_mock.post( + '%s://%s:%s/v3/s3tokens' % (protocol, host, port), + status_code=201, json=GOOD_RESPONSE_V3) + + self.middleware = ( + s3_token.filter_factory({'auth_protocol': 'http', + 'auth_host': host, + 'auth_port': port, + 'auth_version': '3'})(self.app)) + req = Request.blank('/v1/AUTH_cfa/c/o') + req.environ['swift3.auth_details'] = { + 'access_key': u'access', + 'signature': u'signature', + 'string_to_sign': u'token', + } + req.get_response(self.middleware) + self._assert_authorized(req) + def test_authorized_trailing_slash(self): self.middleware = s3_token.filter_factory({ 'auth_uri': self.TEST_AUTH_URI + '/'})(self.app)