Revert failing tests and use v3 for ec2 tokens

Domain users are not supported anymore on v2, so we need to use v3 by default when authenticating ec2 access. Change-Id: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4 Closes-Bug: #1484086
2015-08-12 16:18:11 +02:00 · 2015-08-12 16:18:11 +02:00 · b36f4da192
commit b36f4da192
parent e668c7a9d7
5 changed files with 29 additions and 39 deletions
--- a/heat/api/aws/ec2token.py
+++ b/heat/api/aws/ec2token.py
@ -77,7 +77,7 @@ class EC2Token(wsgi.Middleware):
    def _conf_get_auth_uri(self):
        auth_uri = self._conf_get('auth_uri')
        if auth_uri:
-            return auth_uri
+            return auth_uri.replace('v2.0', 'v3')
        else:
            # First we check the [clients_keystone] section, and if it is not
            # set we look in [keystone_authtoken]
@ -89,7 +89,9 @@ class EC2Token(wsgi.Middleware):
                # Import auth_token to have keystone_authtoken settings setup.
                # We can use the auth_uri from the keystone_authtoken section
                importutils.import_module('keystonemiddleware.auth_token')
-                return cfg.CONF.keystone_authtoken['auth_uri']
+                auth_uri = cfg.CONF.keystone_authtoken['auth_uri']
+                if auth_uri:
+                    return auth_uri.replace('v2.0', 'v3')

    @staticmethod
    def _conf_get_keystone_ec2_uri(auth_uri):
@ -226,10 +228,11 @@ class EC2Token(wsgi.Middleware):
                                 cert=self.ssl_options['cert'])
        result = response.json()
        try:
-            token_id = result['access']['token']['id']
-            tenant = result['access']['token']['tenant']['name']
-            tenant_id = result['access']['token']['tenant']['id']
-            LOG.info(_LI("AWS authentication successful."))
+            token_id = response.headers['X-Subject-Token']
+            tenant = result['token']['project']['name']
+            tenant_id = result['token']['project']['id']
+            roles = [role['name']
+                     for role in result['token'].get('roles', [])]
        except (AttributeError, KeyError):
            LOG.info(_LI("AWS authentication failure."))
            # Try to extract the reason for failure so we can return the
@ -245,6 +248,8 @@ class EC2Token(wsgi.Middleware):
                raise exception.HeatSignatureError()
            else:
                raise exception.HeatAccessDeniedError()
+        else:
+            LOG.info(_LI("AWS authentication successful."))

        # Authenticated!
        ec2_creds = {'ec2Credentials': {'access': access,
@ -255,8 +260,6 @@ class EC2Token(wsgi.Middleware):
        req.headers['X-Tenant-Id'] = tenant_id
        req.headers['X-Auth-URL'] = auth_uri

-        metadata = result['access'].get('metadata', {})
-        roles = metadata.get('roles', [])
        req.headers['X-Roles'] = ','.join(roles)

        return self.application
--- a/heat/tests/api/aws/test_api_ec2token.py
+++ b/heat/tests/api/aws/test_api_ec2token.py
@ -228,7 +228,7 @@ class Ec2TokenTest(common.HeatTestCase):
        self.assertEqual('xyz', ec2.__call__(dummy_req))

    def _stub_http_connection(self, headers=None, params=None, response=None,
-                              req_url='http://123:5000/v2.0/ec2tokens',
+                              req_url='http://123:5000/v3/ec2tokens',
                              verify=True, cert=None):

        headers = headers or {}
@ -236,6 +236,7 @@ class Ec2TokenTest(common.HeatTestCase):

        class DummyHTTPResponse(object):
            text = response
+            headers = {'X-Subject-Token': 123}

            def json(self):
                return json.loads(self.text)
@ -268,9 +269,8 @@ class Ec2TokenTest(common.HeatTestCase):
                   'HTTP_AUTHORIZATION': auth_str}
        dummy_req = self._dummy_GET_request(environ=req_env)

-        ok_resp = json.dumps({'access': {'token': {
-            'id': 123,
-            'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+        ok_resp = json.dumps({'token': {
+            'project': {'name': 'tenant', 'id': 'abcd1234'}}})
        self._stub_http_connection(headers={'Authorization': auth_str},
                                   response=ok_resp)
        self.m.ReplayAll()
@ -293,12 +293,12 @@ class Ec2TokenTest(common.HeatTestCase):
                   'HTTP_AUTHORIZATION': auth_str}
        dummy_req = self._dummy_GET_request(environ=req_env)

-        ok_resp = json.dumps({'access': {
+        ok_resp = json.dumps({
            'token': {
                'id': 123,
-                'tenant': {'name': 'tenant', 'id': 'abcd1234'}
-            },
-            'metadata': {'roles': ['aa', 'bb', 'cc']}}})
+                'project': {'name': 'tenant', 'id': 'abcd1234'},
+                'roles': [{'name': 'aa'}, {'name': 'bb'}, {'name': 'cc'}]}
+        })
        self._stub_http_connection(headers={'Authorization': auth_str},
                                   response=ok_resp)
        self.m.ReplayAll()
@ -384,9 +384,8 @@ class Ec2TokenTest(common.HeatTestCase):
                   'PATH_INFO': '/v1'}
        dummy_req = self._dummy_GET_request(params, req_env)

-        ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
-            'id': 123,
-            'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+        ok_resp = json.dumps({'token': {
+            'project': {'name': 'tenant', 'id': 'abcd1234'}}})
        self._stub_http_connection(response=ok_resp,
                                   params={'AWSAccessKeyId': 'foo'})
        self.m.ReplayAll()
@ -407,9 +406,8 @@ class Ec2TokenTest(common.HeatTestCase):
                   'PATH_INFO': '/v1'}
        dummy_req = self._dummy_GET_request(params, req_env)

-        ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
-            'id': 123,
-            'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+        ok_resp = json.dumps({'token': {
+            'project': {'name': 'tenant', 'id': 'abcd1234'}}})
        err_msg = "EC2 access key not found."
        err_resp = json.dumps({'error': {'message': err_msg}})

@ -511,9 +509,8 @@ class Ec2TokenTest(common.HeatTestCase):
                   'PATH_INFO': '/v1'}
        dummy_req = self._dummy_GET_request(params, req_env)

-        ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
-            'id': 123,
-            'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+        ok_resp = json.dumps({'token': {
+            'project': {'name': 'tenant', 'id': 'abcd1234'}}})
        self._stub_http_connection(response=ok_resp,
                                   params={'AWSAccessKeyId': 'foo'})
        self.m.ReplayAll()
@ -533,9 +530,8 @@ class Ec2TokenTest(common.HeatTestCase):
                   'PATH_INFO': '/v1'}
        dummy_req = self._dummy_GET_request(params, req_env)

-        ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
-            'id': 123,
-            'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+        ok_resp = json.dumps({'token': {
+            'project': {'name': 'tenant', 'id': 'abcd1234'}}})
        self._stub_http_connection(response=ok_resp,
                                   params={'AWSAccessKeyId': 'foo'})
        self.m.ReplayAll()
@ -556,9 +552,8 @@ class Ec2TokenTest(common.HeatTestCase):
                   'PATH_INFO': '/v1'}
        dummy_req = self._dummy_GET_request(params, req_env)

-        ok_resp = json.dumps({'access': {'metadata': {}, 'token': {
-            'id': 123,
-            'tenant': {'name': 'tenant', 'id': 'abcd1234'}}}})
+        ok_resp = json.dumps({'token': {
+            'project': {'name': 'tenant', 'id': 'abcd1234'}}})
        self._stub_http_connection(response=ok_resp,
                                   params={'AWSAccessKeyId': 'foo'})
        self.m.ReplayAll()
--- a/heat_integrationtests/functional/test_notifications.py
+++ b/heat_integrationtests/functional/test_notifications.py
@ -16,8 +16,6 @@ from oslo_messaging._drivers import common
 from oslo_messaging import transport
 import requests

-from testtools import testcase
-
 from heat_integrationtests.common import test
 from heat_integrationtests.functional import functional_base

@ -164,7 +162,6 @@ outputs:
        for n in BASIC_NOTIFICATIONS:
            self.assertIn(n, handler.notifications)

-    @testcase.skip('Skipped until keystone fixed #1484086')
    def test_asg_notifications(self):
        stack_identifier = self.stack_create(template=self.asg_template)

--- a/heat_integrationtests/scenario/test_ceilometer_alarm.py
+++ b/heat_integrationtests/scenario/test_ceilometer_alarm.py
@ -11,7 +11,6 @@
 #    under the License.

 from oslo_log import log as logging
-from testtools import testcase

 from heat_integrationtests.common import test
 from heat_integrationtests.scenario import scenario_base
@ -35,7 +34,6 @@ class CeilometerAlarmTest(scenario_base.ScenarioTestsBase):
                                                              actual))
        return actual == expected

-    @testcase.skip('Skipped until keystone fixed #1484086')
    def test_alarm(self):
        """Confirm we can create an alarm and trigger it."""

--- a/heat_integrationtests/scenario/test_server_cfn_init.py
+++ b/heat_integrationtests/scenario/test_server_cfn_init.py
@ -12,8 +12,6 @@

 import json

-from testtools import testcase
-
 from heat_integrationtests.common import exceptions
 from heat_integrationtests.scenario import scenario_base

@ -95,7 +93,6 @@ class CfnInitIntegrationTest(scenario_base.ScenarioTestsBase):
                self._log_console_output(servers=[server])
                raise e

-    @testcase.skip('Skipped until keystone fixed #1484086')
    def test_server_cfn_init(self):
        """
        Check cfn-init and cfn-signal availability on the created server.