From 50003a107d48053683229e81ea20c989f3f5c0a2 Mon Sep 17 00:00:00 2001
From: Devananda van der Veen <devananda.vdv@gmail.com>
Date: Tue, 15 Jul 2014 15:35:45 -0700
Subject: [PATCH] Use auth_token from keystonemiddleware

auth_token middleware in python-keystoneclient is deprecated and has
been moved to the keystonemiddleware repo.

This patch updates Ironic to use the new keystonemiddleware package.

Change-Id: Ifb48996867f9f51c4dbedde0e0d9476c2d2818b4
Closes-Bug: #1342274
---
 etc/ironic/ironic.conf.sample         |  2 +-
 ironic/api/acl.py                     | 21 ++-------------------
 ironic/api/middleware/auth_token.py   |  4 ++--
 ironic/common/keystone.py             |  4 ++--
 ironic/common/neutron.py              |  2 --
 ironic/tests/api/base.py              |  6 ++++--
 ironic/tests/api/test_acl.py          |  7 +++++--
 requirements.txt                      |  1 +
 tools/config/oslo.config.generator.rc |  2 +-
 9 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/etc/ironic/ironic.conf.sample b/etc/ironic/ironic.conf.sample
index 823795e747..59d34d24bf 100644
--- a/etc/ironic/ironic.conf.sample
+++ b/etc/ironic/ironic.conf.sample
@@ -854,7 +854,7 @@
 [keystone_authtoken]
 
 #
-# Options defined in keystoneclient.middleware.auth_token
+# Options defined in keystonemiddleware.auth_token
 #
 
 # Prefix to prepend at the beginning of the path. Deprecated,
diff --git a/ironic/api/acl.py b/ironic/api/acl.py
index b9bf8fc0d4..a22a64910b 100644
--- a/ironic/api/acl.py
+++ b/ironic/api/acl.py
@@ -18,36 +18,19 @@
 
 """Access Control Lists (ACL's) control access the API server."""
 
-from keystoneclient.middleware import auth_token as keystone_auth_token
-from oslo.config import cfg
-
 from ironic.api.middleware import auth_token
 
 
-OPT_GROUP_NAME = 'keystone_authtoken'
-
-
-def register_opts(conf):
-    """Register keystoneclient middleware options
-
-    :param conf: Ironic settings.
-    """
-    conf.register_opts(keystone_auth_token.opts, group=OPT_GROUP_NAME)
-    keystone_auth_token.CONF = conf
-
-
 def install(app, conf, public_routes):
     """Install ACL check on application.
 
     :param app: A WSGI applicatin.
-    :param conf: Settings. Must include OPT_GROUP_NAME section.
+    :param conf: Settings. Dict'ified and passed to keystonemiddleware
     :param public_routes: The list of the routes which will be allowed to
                           access without authentication.
     :return: The same WSGI application with ACL installed.
 
     """
-    register_opts(cfg.CONF)
-    keystone_config = dict(conf.get(OPT_GROUP_NAME))
     return auth_token.AuthTokenMiddleware(app,
-                                          conf=keystone_config,
+                                          conf=dict(conf),
                                           public_api_routes=public_routes)
diff --git a/ironic/api/middleware/auth_token.py b/ironic/api/middleware/auth_token.py
index 9cad079b3c..d30f5d9ab9 100644
--- a/ironic/api/middleware/auth_token.py
+++ b/ironic/api/middleware/auth_token.py
@@ -14,7 +14,7 @@
 
 import re
 
-from keystoneclient.middleware import auth_token
+from keystonemiddleware import auth_token
 
 from ironic.common import exception
 from ironic.common import utils
@@ -54,6 +54,6 @@ class AuthTokenMiddleware(auth_token.AuthProtocol):
                                        self.public_api_routes))
 
         if env['is_public_api']:
-            return self.app(env, start_response)
+            return self._app(env, start_response)
 
         return super(AuthTokenMiddleware, self).__call__(env, start_response)
diff --git a/ironic/common/keystone.py b/ironic/common/keystone.py
index f64da1bcf0..c197c231ad 100644
--- a/ironic/common/keystone.py
+++ b/ironic/common/keystone.py
@@ -13,14 +13,14 @@
 # under the License.
 
 from keystoneclient import exceptions as ksexception
+# NOTE(deva): import auth_token so oslo.config pulls in keystone_authtoken
+from keystonemiddleware import auth_token  # noqa
 from oslo.config import cfg
 from six.moves.urllib import parse
 
-from ironic.api import acl
 from ironic.common import exception
 
 CONF = cfg.CONF
-acl.register_opts(CONF)
 
 
 def get_service_url(service_type='baremetal', endpoint_type='internal'):
diff --git a/ironic/common/neutron.py b/ironic/common/neutron.py
index 22360b13e6..621267b17b 100644
--- a/ironic/common/neutron.py
+++ b/ironic/common/neutron.py
@@ -20,7 +20,6 @@ from neutronclient.common import exceptions as neutron_client_exc
 from neutronclient.v2_0 import client as clientv20
 from oslo.config import cfg
 
-from ironic.api import acl
 from ironic.common import exception
 from ironic.common import keystone
 from ironic.drivers.modules import ssh
@@ -46,7 +45,6 @@ neutron_opts = [
 CONF = cfg.CONF
 CONF.import_opt('my_ip', 'ironic.netconf')
 CONF.register_opts(neutron_opts, group='neutron')
-acl.register_opts(CONF)
 LOG = logging.getLogger(__name__)
 
 
diff --git a/ironic/tests/api/base.py b/ironic/tests/api/base.py
index 472f953ac0..0f0a640885 100644
--- a/ironic/tests/api/base.py
+++ b/ironic/tests/api/base.py
@@ -20,12 +20,13 @@
 #       ceilometer/tests/api/__init__.py). This should be oslo'ified:
 #       https://bugs.launchpad.net/ironic/+bug/1255115.
 
+# NOTE(deva): import auth_token so we can override a config option
+from keystonemiddleware import auth_token  # noqa
 from oslo.config import cfg
 import pecan
 import pecan.testing
 from six.moves.urllib import parse as urlparse
 
-from ironic.api import acl
 from ironic.db import api as dbapi
 from ironic.tests.db import base
 
@@ -42,7 +43,8 @@ class FunctionalTest(base.DbTestCase):
 
     def setUp(self):
         super(FunctionalTest, self).setUp()
-        cfg.CONF.set_override("auth_version", "v2.0", group=acl.OPT_GROUP_NAME)
+        cfg.CONF.set_override("auth_version", "v2.0",
+                              group='keystone_authtoken')
         self.app = self._make_app()
         self.dbapi = dbapi.get_instance()
 
diff --git a/ironic/tests/api/test_acl.py b/ironic/tests/api/test_acl.py
index 413601ff23..d4b410aca0 100644
--- a/ironic/tests/api/test_acl.py
+++ b/ironic/tests/api/test_acl.py
@@ -18,9 +18,11 @@ are blocked or allowed to be processed.
 
 import mock
 
+# NOTE(deva): import auth_token so we can override a config option
+from keystonemiddleware import auth_token  # noqa
+
 from oslo.config import cfg
 
-from ironic.api import acl
 from ironic.db import api as db_api
 from ironic.tests.api import base
 from ironic.tests.api import utils
@@ -46,7 +48,8 @@ class TestACL(base.FunctionalTest):
                                                 **param)
 
     def _make_app(self):
-        cfg.CONF.set_override('cache', 'fake.cache', group=acl.OPT_GROUP_NAME)
+        cfg.CONF.set_override('cache', 'fake.cache',
+                              group='keystone_authtoken')
         return super(TestACL, self)._make_app(enable_acl=True)
 
     def test_non_authenticated(self):
diff --git a/requirements.txt b/requirements.txt
index 98bc82c5d3..a7b65c913c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -31,6 +31,7 @@ six>=1.7.0
 jsonpatch>=1.1
 WSME>=0.6
 Jinja2
+keystonemiddleware>=1.0.0
 oslo.messaging>=1.4.0.0a3
 retrying>=1.2.2 # Apache-2.0
 posix_ipc
diff --git a/tools/config/oslo.config.generator.rc b/tools/config/oslo.config.generator.rc
index e18556a86e..0e1325b9ca 100644
--- a/tools/config/oslo.config.generator.rc
+++ b/tools/config/oslo.config.generator.rc
@@ -1,2 +1,2 @@
 export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging'
-export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=keystoneclient.middleware.auth_token
+export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=keystonemiddleware.auth_token