Assign X-Auth-Url header in a separate middleware

authtoken middleware's current purpose is to set X-Auth-Url header to a
value read from heat.conf.

Since this value is not really related to anything the keystone
middleware does and is instead read from a config file, it makes sense
to move it from the authtoken middleware into its own middleware

This change is the first step to grouping all X-Auth-Url related logic
into one single middleware as opposed to have it scattered (or possibly
repeated) in auth_token and auth_password. For example, auth_password
also has some logic around it related to multi-cloud, which can be
extracted and moved to auth_url middleware in a later patch, so that all
handling of X-Auth-Url occurs in one place.

Also, by extracting the X-Auth-Url logic, it allows cloud
providers to remove auth_token or auth_password without side-effects.

Closes-Bug: #1259364
Change-Id: Ieb251c18aa091391a28a90c495b61cf41436f8b9

etc/heat/api-paste.ini

@@ -1,7 +1,7 @@
 
 # heat-api pipeline
 [pipeline:heat-api]
-pipeline = faultwrap ssl versionnegotiation authtoken context apiv1app
+pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app
 
 # heat-api pipeline for standalone heat
 # ie. uses alternative auth backend that authenticates users against keystone
@@ -78,9 +78,13 @@ paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:sslmiddleware_filter
 
+# Middleware to set auth_url header appropriately
+[filter:authurl]
+paste.filter_factory = heat.common.auth_url:filter_factory
+
 # Auth middleware that validates token against keystone
 [filter:authtoken]
-paste.filter_factory = heat.common.auth_token:filter_factory
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
 
 # Auth middleware that validates username/password against keystone
 [filter:authpassword]

heat/common/auth_url.py

@@ -0,0 +1,49 @@
+# Copyright 2013 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo.config import cfg
+
+from heat.common import wsgi
+from heat.openstack.common import importutils
+
+
+class AuthUrlFilter(wsgi.Middleware):
+
+    def __init__(self, app, conf):
+        super(AuthUrlFilter, self).__init__(app)
+        self.conf = conf
+        self.auth_url = self._get_auth_url()
+
+    def _get_auth_url(self):
+        if 'auth_uri' in self.conf:
+            return self.conf['auth_uri']
+        else:
+            # Import auth_token to have keystone_authtoken settings setup.
+            auth_token_module = 'keystoneclient.middleware.auth_token'
+            importutils.import_module(auth_token_module)
+            return cfg.CONF.keystone_authtoken.auth_uri
+
+    def process_request(self, req):
+        req.headers['X-Auth-Url'] = self.auth_url
+        return None
+
+
+def filter_factory(global_conf, **local_conf):
+    conf = global_conf.copy()
+    conf.update(local_conf)
+
+    def auth_url_filter(app):
+        return AuthUrlFilter(app, conf)
+    return auth_url_filter

heat/tests/test_auth_url.py

@@ -0,0 +1,63 @@
+# Copyright 2013 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import mock
+import webob
+
+from heat.common import auth_url
+from heat.tests.common import HeatTestCase
+
+
+class FakeApp(object):
+    """This represents a WSGI app protected by our auth middleware."""
+
+    def __call__(self, environ, start_response):
+        """Assert that headers are correctly set up when finally called."""
+        resp = webob.Response()
+        resp.body = 'SUCCESS'
+        return resp(environ, start_response)
+
+
+class AuthUrlFilterTest(HeatTestCase):
+
+    def setUp(self):
+        super(AuthUrlFilterTest, self).setUp()
+        self.app = FakeApp()
+        self.config = {'auth_uri': 'foobar'}
+
+    @mock.patch.object(auth_url.cfg, 'CONF')
+    def test_adds_default_auth_url_from_keystone_authtoken(self, mock_cfg):
+        self.config = {}
+        mock_cfg.keystone_authtoken.auth_uri = 'foobar'
+        mock_cfg.auth_password.multi_cloud = False
+        self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
+        req = webob.Request.blank('/tenant_id/')
+        self.middleware(req)
+        self.assertIn('X-Auth-Url', req.headers)
+        self.assertEqual('foobar', req.headers['X-Auth-Url'])
+
+    def test_overwrites_auth_url_from_headers_with_local_config(self):
+        self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
+        req = webob.Request.blank('/tenant_id/')
+        req.headers['X-Auth-Url'] = 'should_be_overwritten'
+        self.middleware(req)
+        self.assertEqual('foobar', req.headers['X-Auth-Url'])
+
+    def test_reads_auth_url_from_local_config(self):
+        self.middleware = auth_url.AuthUrlFilter(self.app, self.config)
+        req = webob.Request.blank('/tenant_id/')
+        self.middleware(req)
+        self.assertIn('X-Auth-Url', req.headers)
+        self.assertEqual('foobar', req.headers['X-Auth-Url'])