¡@
OpenStack Study: core.py**** CubicPower OpenStack Study ****
# Copyright 2012 OpenStack Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import six import webob.dec from keystone.common import authorization from keystone.common import config from keystone.common import serializer from keystone.common import utils from keystone.common import wsgi from keystone import exception from keystone.openstack.common.gettextutils import _ from keystone.openstack.common import jsonutils from keystone.openstack.common import log from keystone.openstack.common import versionutils CONF = config.CONF LOG = log.getLogger(__name__) # Header used to transmit the auth token AUTH_TOKEN_HEADER = 'X-Auth-Token' # Header used to transmit the subject token SUBJECT_TOKEN_HEADER = 'X-Subject-Token' # Environment variable used to pass the request context CONTEXT_ENV = wsgi.CONTEXT_ENV # Environment variable used to pass the request params PARAMS_ENV = wsgi.PARAMS_ENV
**** CubicPower OpenStack Study **** class TokenAuthMiddleware(wsgi.Middleware):
**** CubicPower OpenStack Study **** def process_request(self, request): token = request.headers.get(AUTH_TOKEN_HEADER) context = request.environ.get(CONTEXT_ENV, {}) context['token_id'] = token if SUBJECT_TOKEN_HEADER in request.headers: context['subject_token_id'] = ( request.headers.get(SUBJECT_TOKEN_HEADER)) request.environ[CONTEXT_ENV] = context
**** CubicPower OpenStack Study **** class AdminTokenAuthMiddleware(wsgi.Middleware): """A trivial filter that checks for a pre-
**** CubicPower OpenStack Study **** def process_request(self, request): token = request.headers.get(AUTH_TOKEN_HEADER) context = request.environ.get(CONTEXT_ENV, {}) context['is_admin'] = (token == CONF.admin_token) request.environ[CONTEXT_ENV] = context
**** CubicPower OpenStack Study **** class PostParamsMiddleware(wsgi.Middleware): """Middleware to allow method arguments to be passed as POST parameters. Filters out the parameters `self`, `context` and anything beginning with an underscore. """
**** CubicPower OpenStack Study **** def process_request(self, request): params_parsed = request.params params = {} for k, v in six.iteritems(params_parsed): if k in ('self', 'context'): continue if k.startswith('_'): continue params[k] = v request.environ[PARAMS_ENV] = params
**** CubicPower OpenStack Study **** class JsonBodyMiddleware(wsgi.Middleware): """Middleware to allow method arguments to be passed as serialized JSON. Accepting arguments as JSON is useful for accepting data that may be more complex than simple primitives. In this case we accept it as urlencoded data under the key 'json' as in json= in the POST body. Filters out the parameters `self`, `context` and anything beginning with an underscore. """
**** CubicPower OpenStack Study **** def process_request(self, request): # Abort early if we don't have any work to do params_json = request.body if not params_json: return # Reject unrecognized content types. Empty string indicates # the client did not explicitly set the header if request.content_type not in ('application/json', ''): e = exception.ValidationError(attribute='application/json', target='Content-Type header') return wsgi.render_exception(e, request=request) params_parsed = {} try: params_parsed = jsonutils.loads(params_json) except ValueError: e = exception.ValidationError(attribute='valid JSON', target='request body') return wsgi.render_exception(e, request=request) finally: if not params_parsed: params_parsed = {} params = {} for k, v in six.iteritems(params_parsed): if k in ('self', 'context'): continue if k.startswith('_'): continue params[k] = v request.environ[PARAMS_ENV] = params
**** CubicPower OpenStack Study **** class XmlBodyMiddleware(wsgi.Middleware): """De/serializes XML to/from JSON.""" @versionutils.deprecated( what='keystone.middleware.core.XmlBodyMiddleware', as_of=versionutils.deprecated.ICEHOUSE, in_favor_of='support for "application/json" only', remove_in=+2)
**** CubicPower OpenStack Study **** def __init__(self, *args, **kwargs): super(XmlBodyMiddleware, self).__init__(*args, **kwargs) self.xmlns = None
**** CubicPower OpenStack Study **** def process_request(self, request): """Transform the request from XML to JSON.""" incoming_xml = 'application/xml' in str(request.content_type) if incoming_xml and request.body: request.content_type = 'application/json' try: request.body = jsonutils.dumps( serializer.from_xml(request.body)) except Exception: LOG.exception('Serializer failed') e = exception.ValidationError(attribute='valid XML', target='request body') return wsgi.render_exception(e, request=request)
**** CubicPower OpenStack Study **** def process_response(self, request, response): """Transform the response from JSON to XML.""" outgoing_xml = 'application/xml' in str(request.accept) if outgoing_xml and response.body: response.content_type = 'application/xml' try: body_obj = jsonutils.loads(response.body) response.body = serializer.to_xml(body_obj, xmlns=self.xmlns) except Exception: LOG.exception('Serializer failed') raise exception.Error(message=response.body) return response
**** CubicPower OpenStack Study **** class XmlBodyMiddlewareV2(XmlBodyMiddleware): """De/serializes XML to/from JSON for v2.0 API."""
**** CubicPower OpenStack Study **** def __init__(self, *args, **kwargs): super(XmlBodyMiddlewareV2, self).__init__(*args, **kwargs) self.xmlns = 'http://docs.openstack.org/identity/api/v2.0'
**** CubicPower OpenStack Study **** class XmlBodyMiddlewareV3(XmlBodyMiddleware): """De/serializes XML to/from JSON for v3 API."""
**** CubicPower OpenStack Study **** def __init__(self, *args, **kwargs): super(XmlBodyMiddlewareV3, self).__init__(*args, **kwargs) self.xmlns = 'http://docs.openstack.org/identity/api/v3'
**** CubicPower OpenStack Study **** class NormalizingFilter(wsgi.Middleware): """Middleware filter to handle URL normalization."""
**** CubicPower OpenStack Study **** def process_request(self, request): """Normalizes URLs.""" # Removes a trailing slash from the given path, if any. if (len(request.environ['PATH_INFO']) > 1 and request.environ['PATH_INFO'][-1] == '/'): request.environ['PATH_INFO'] = request.environ['PATH_INFO'][:-1] # Rewrites path to root if no path is given. elif not request.environ['PATH_INFO']: request.environ['PATH_INFO'] = '/'
**** CubicPower OpenStack Study **** class RequestBodySizeLimiter(wsgi.Middleware): """Limit the size of an incoming request."""
**** CubicPower OpenStack Study **** def __init__(self, *args, **kwargs): super(RequestBodySizeLimiter, self).__init__(*args, **kwargs) @webob.dec.wsgify()
**** CubicPower OpenStack Study **** def __call__(self, req): if req.content_length > CONF.max_request_body_size: raise exception.RequestTooLarge() if req.content_length is None and req.is_body_readable: limiter = utils.LimitingReader(req.body_file, CONF.max_request_body_size) req.body_file = limiter return self.application
**** CubicPower OpenStack Study **** class AuthContextMiddleware(wsgi.Middleware): """Build the authentication context from the request auth token."""
**** CubicPower OpenStack Study **** def _build_auth_context(self, request): token_id = request.headers.get(AUTH_TOKEN_HEADER) if token_id == CONF.admin_token: # NOTE(gyee): no need to proceed any further as the special admin # token is being handled by AdminTokenAuthMiddleware. This code # will not be impacted even if AdminTokenAuthMiddleware is removed # from the pipeline as "is_admin" is default to "False". This code # is independent of AdminTokenAuthMiddleware. return {} context = {'token_id': token_id} context['environment'] = request.environ try: token_ref = self.token_api.get_token(token_id) # TODO(ayoung): These two functions return the token in different # formats instead of two calls, only make one. However, the call # to get_token hits the caching layer, and does not validate the # token. In the future, this should be reduced to one call. if not CONF.token.revoke_by_id: self.token_api.token_provider_api.validate_token( context['token_id']) # TODO(gyee): validate_token_bind should really be its own # middleware wsgi.validate_token_bind(context, token_ref) return authorization.token_to_auth_context( token_ref['token_data']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized()
**** CubicPower OpenStack Study **** def process_request(self, request): if AUTH_TOKEN_HEADER not in request.headers: LOG.debug(_('Auth token not in the request header. ' 'Will not build auth context.')) return if authorization.AUTH_CONTEXT_ENV in request.environ: msg = _('Auth context already exists in the request environment') LOG.warning(msg) return auth_context = self._build_auth_context(request) LOG.debug(_('RBAC: auth_context: %s'), auth_context) request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
|