From 9f09abe7039af395db80dd176ed323defc0c9733 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Thu, 29 Oct 2015 04:35:17 -0400
Subject: [PATCH] Disable PKI token Provider

If a server has the PKI or PKIZ providers enabled, it will replace them with the UUID Provider. If a deployer then wants to ignore the insecure aspects of PKI tokens, they can use the insecure_pki[z] provider in its place.

Closes-Bug: #1490804
Change-Id: I154ff15afafc7cbb0e11329bd6cd09dd6fc60c0f
---
 keystone/common/config.py | 2 +-
 keystone/tests/unit/test_cert_setup.py | 2 +-
 keystone/tests/unit/test_token_provider.py | 12 +++++++-----
 keystone/tests/unit/test_v3_auth.py | 10 +++++-----
 keystone/token/providers/pki.py | 7 ++++++-
 keystone/token/providers/pkiz.py | 7 ++++++-
 setup.cfg | 2 ++
 7 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/keystone/common/config.py b/keystone/common/config.py
index c480c9e..a7ccc4f 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -253,7 +253,7 @@ FILE_OPTIONS = {
 help='Controls the token construction, validation, and '
 'revocation operations. Entrypoint in the '
 'keystone.token.provider namespace. Core providers '
- 'are [fernet|pkiz|pki|uuid].'),
+ 'are [fernet|uuid].'),
 cfg.StrOpt('driver',
 default='sql',
 help='Entrypoint for the token persistence backend driver '
diff --git a/keystone/tests/unit/test_cert_setup.py b/keystone/tests/unit/test_cert_setup.py
index 47a9981..6e13590 100644
--- a/keystone/tests/unit/test_cert_setup.py
+++ b/keystone/tests/unit/test_cert_setup.py
@@ -69,7 +69,7 @@ class CertSetupTestCase(rest.RestfulTestCase):
 ca_certs=ca_certs,
 certfile=os.path.join(CERTDIR, 'keystone.pem'),
 keyfile=os.path.join(KEYDIR, 'keystonekey.pem'))
- self.config_fixture.config(group='token', provider='pkiz')
+ self.config_fixture.config(group='token', provider='insecure_pkiz')
 
 def test_can_handle_missing_certs(self):
 controller = token.controllers.Auth()
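Review bot: The new help text `'are [fernet|uuid].'` drops pki and pkiz but says nothing about what now happens when a deployment still has `provider = pki` or `pkiz` configured: per the setup.cfg hunk those entry points stay registered, and per the pki.py/pkiz.py hunks they now resolve to the UUID provider, while the new insecure_pki/insecure_pkiz values are not mentioned anywhere an operator reads. Suggest extending the string so the silent substitution is documented where the option is, e.g. `'are [fernet|uuid]. The pki and pkiz values are still accepted but ' 'now select the uuid provider; insecure_pki and insecure_pkiz ' 'keep the old PKI behaviour.'`. The enclosing cfg.StrOpt call starts outside the hunk.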
diff --git a/keystone/tests/unit/test_token_provider.py b/keystone/tests/unit/test_token_provider.py index f60f7d5..3d5a1d9 100644 --- a/keystone/tests/unit/test_token_provider.py +++ b/keystone/tests/unit/test_token_provider.py @@ -749,12 +749,14 @@ class TestTokenProvider(unit.TestCase): self.assertIsInstance(token.provider.Manager().driver, uuid.Provider) dependency.reset() - self.config_fixture.config(group='token', provider='pki') - self.assertIsInstance(token.provider.Manager().driver, pki.Provider) + self.config_fixture.config(group='token', provider='insecure_pki') + self.assertIsInstance(token.provider.Manager().driver, + pki.InsecureProvider) dependency.reset() - self.config_fixture.config(group='token', provider='pkiz') - self.assertIsInstance(token.provider.Manager().driver, pkiz.Provider) + self.config_fixture.config(group='token', provider='insecure_pkiz') + self.assertIsInstance(token.provider.Manager().driver, + pkiz.InsecureProvider) dependency.reset() self.config_fixture.config(group='token', provider='fernet') @@ -810,7 +812,7 @@ class PKIProviderTests(object): self.config_fixture.config(group='signing', keyfile='--please-break-me') - provider = pki.Provider() + provider = pki.InsecureProvider() token_data = {} self.assertRaises(exception.UnexpectedError, provider._get_token_id, diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 7bc6b89..fd6b32e 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -505,7 +505,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase): class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests): def config_overrides(self): super(TestPKITokenAPIs, self).config_overrides() - self.config_fixture.config(group='token', provider='pki') + self.config_fixture.config(group='token', provider='insecure_pki') def setUp(self): super(TestPKITokenAPIs, self).setUp() 
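Review bot: The removed assertions for `provider='pki'` and `provider='pkiz'` are replaced only by checks of the new insecure_* entry points, so the behaviour deployers will actually hit — an existing `pki`/`pkiz` setting now yielding the UUID provider — has no test at all in this file. Add a case alongside the existing ones, `dependency.reset()` / `self.config_fixture.config(group='token', provider='pki')` / `self.assertIsInstance(token.provider.Manager().driver, uuid.Provider)`, and the same for pkiz, so a later change to the shim classes in pki.py/pkiz.py is caught here rather than in production. The enclosing test method starts outside the hunk.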
@@ -566,7 +566,7 @@ class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests): class TestPKIZTokenAPIs(TestPKITokenAPIs): def config_overrides(self): super(TestPKIZTokenAPIs, self).config_overrides() - self.config_fixture.config(group='token', provider='pkiz') + self.config_fixture.config(group='token', provider='insecure_pkiz') def verify_token(self, *args, **kwargs): return cms.pkiz_verify(*args, **kwargs) @@ -757,7 +757,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase): self.config_fixture.config(group='revoke', driver='kvs') self.config_fixture.config( group='token', - provider='pki', + provider='insecure_pki', revoke_by_id=False) def setUp(self): @@ -1523,7 +1523,7 @@ class TestTokenRevokeApi(TestTokenRevokeById): self.config_fixture.config(group='revoke', driver='kvs') self.config_fixture.config( group='token', - provider='pki', + provider='insecure_pki', revoke_by_id=False) def assertValidDeletedProjectResponse(self, events_response, project_id): @@ -3169,7 +3169,7 @@ class TestTrustAuth(test_v3.RestfulTestCase): self.config_fixture.config(group='revoke', driver='kvs') self.config_fixture.config( group='token', - provider='pki', + provider='insecure_pki', revoke_by_id=False) self.config_fixture.config(group='trust', enabled=True) diff --git a/keystone/token/providers/pki.py b/keystone/token/providers/pki.py index af8dc73..65da845 100644 --- a/keystone/token/providers/pki.py +++ b/keystone/token/providers/pki.py @@ -24,6 +24,7 @@ from keystone.common import utils from keystone import exception from keystone.i18n import _, _LE from keystone.token.providers import common +from keystone.token.providers import uuid CONF = cfg.CONF @@ -31,7 +32,11 @@ CONF = cfg.CONF LOG = log.getLogger(__name__) -class Provider(common.BaseProvider): +class Provider(uuid.Provider): + pass + + +class InsecureProvider(common.BaseProvider): def _get_token_id(self, token_data): try: # force conversion to a string as the keystone client cms code 
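Review bot: In the pki.py hunk, `class Provider(uuid.Provider): pass` silently changes what an existing `[token] provider = pki` deployment issues, with no log message and no docstring saying why; an operator whose token-validating middleware is set up to verify signed PKI tokens offline will only discover the switch through validation failures. Suggest a docstring on the shim naming bug 1490804 and the `insecure_pki` entry point, plus a warning logged when the provider is constructed (`LOG` and `_` are already available in this module); the identical shim in the pkiz.py hunk needs the same treatment. This assumes `uuid.Provider` accepts the same constructor arguments as `common.BaseProvider`, and that the token provider Manager constructs the driver once at startup — both are outside this hunk, so confirm before relying on a single warning.

```python
class Provider(uuid.Provider):
    """Compatibility shim: the ``pki`` entry point now issues UUID tokens.

    PKI tokens are disabled (bug 1490804). Deployments that still set
    ``[token] provider = pki`` get the UUID provider; the ``insecure_pki``
    entry point keeps the old signed-token behaviour.
    """

    def __init__(self, *args, **kwargs):
        LOG.warning(_("The 'pki' token provider is disabled and has been "
                      "replaced by the 'uuid' provider; set provider to "
                      "'insecure_pki' to keep issuing PKI tokens."))
        super(Provider, self).__init__(*args, **kwargs)

# … unchanged: class InsecureProvider(common.BaseProvider) …
```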
diff --git a/keystone/token/providers/pkiz.py b/keystone/token/providers/pkiz.py index b4e3191..32c76c1 100644 --- a/keystone/token/providers/pkiz.py +++ b/keystone/token/providers/pkiz.py @@ -22,6 +22,7 @@ from keystone.common import utils from keystone import exception from keystone.i18n import _ from keystone.token.providers import common +from keystone.token.providers import uuid CONF = cfg.CONF @@ -30,7 +31,11 @@ LOG = log.getLogger(__name__) ERROR_MESSAGE = _('Unable to sign token.') -class Provider(common.BaseProvider): +class Provider(uuid.Provider): + pass + + +class InsecureProvider(common.BaseProvider): def _get_token_id(self, token_data): try: # force conversion to a string as the keystone client cms code diff --git a/setup.cfg b/setup.cfg index dde0ea4..b8c6577 100644 --- a/setup.cfg +++ b/setup.cfg @@ -151,6 +151,8 @@ keystone.token.provider = uuid = keystone.token.providers.uuid:Provider pki = keystone.token.providers.pki:Provider pkiz = keystone.token.providers.pkiz:Provider + insecure_pki = keystone.token.providers.pki:InsecureProvider + insecure_pkiz = keystone.token.providers.pkiz:InsecureProvider keystone.trust = sql = keystone.trust.backends.sql:Trust -- 2.4.3