NoAuth filter for PasteDeploy

Implement a filter usable by PasteDeploy to forge
the headers normally used by keystonemiddleware to signal
a properly authenitcated request. The filter needs to be
added to the pipeline in paste.ini if noauth support is needed
for testing.

- Add PasteDeploy config to disable keystone config loading

Change-Id: Ie33ee86f1ca8209a6d96cf34c41acd7dca848d58

drydock_provisioner/drydock.py

@@ -28,7 +28,7 @@ import drydock_provisioner.objects as objects
 import drydock_provisioner.control.api as api
 
 
-def start_drydock():
+def start_drydock(enable_keystone=True):
     objects.register_all()
 
     # Setup configuration parsing
@@ -38,7 +38,7 @@ def start_drydock():
     ]
 
     config.config_mgr.conf.register_cli_opts(cli_options)
-    config.config_mgr.register_options()
+    config.config_mgr.register_options(enable_keystone=enable_keystone)
     config.config_mgr.conf(sys.argv[1:])
 
     if config.config_mgr.conf.debug:
@@ -110,9 +110,12 @@ def start_drydock():
 
 
 # Initialization compatible with PasteDeploy
-def paste_start_drydock(global_conf, **kwargs):
-    # At this time just ignore everything in the paste configuration and rely on oslo_config
-    return drydock
+def paste_start_drydock(global_conf, disable=None):
+    enable_keystone = True
 
+    if disable is not None:
+        for d in disable.split():
+            if d == 'keystone':
+                enable_keystone = False
 
-drydock = start_drydock()
+    return start_drydock(enable_keystone=enable_keystone)

drydock_provisioner/util.py

@@ -38,3 +38,50 @@ class KeystoneUtils(object):
 
         auth = v3.Password(**auth_info)
         return session.Session(auth=auth)
+
+class NoAuthFilter(object):
+    """PasteDeploy filter for NoAuth to be used in testing."""
+
+    def __init__(self, app, forged_roles):
+        self.app = app
+        self.forged_roles = forged_roles
+
+    def __call__(self, environ, start_response):
+        """Forge headers to make unauthenticated requests look authenticated.
+
+        If the request has a X-AUTH-TOKEN header, assume it is a valid request and
+        noop. Otherwise forge Keystone middleware headers so the request looks valid
+        with the configured forged roles.
+        """
+        if 'HTTP_X_AUTH_TOKEN' in environ:
+            return self.app(environ, start_response)
+
+        environ['HTTP_X_IDENTITY_STATUS'] = 'Confirmed'
+
+        for envvar in ['USER_NAME', 'USER_ID', 'USER_DOMAIN_ID', 'PROJECT_ID',
+                       'PROJECT_DOMAIN_NAME']:
+            varname = "HTTP_X_%s" % envvar
+            environ[varname] = 'noauth'
+
+        if self.forged_roles:
+            if 'admin' in self.forged_roles:
+                environ['HTTP_X_IS_ADMIN_PROJECT'] = 'True'
+            else:
+                environ['HTTP_X_IS_ADMIN_PROJECT'] = 'False'
+            environ['HTTP_X_ROLES'] = ','.join(self.forged_roles)
+        else:
+            environ['HTTP_X_IS_ADMIN_PROJECT'] = 'True'
+            environ['HTTP_X_ROLES'] = 'admin'
+
+        return self.app(environ, start_response)
+
+def noauth_filter_factory(global_conf, forged_roles):
+    """Create a NoAuth paste deploy filter
+
+    :param forged_roles: A space seperated list for roles to forge on requests
+    """
+    forged_roles = forged_roles.split()
+
+    def filter(app):
+        return NoAuthFilter(app, forged_roles)
+    return filter

etc/drydock/noauth-api-paste.ini

@@ -0,0 +1,10 @@
+[app:drydock-api]
+disable = keystone
+paste.app_factory = drydock_provisioner.drydock:paste_start_drydock
+
+[filter:noauth]
+forged_roles = admin
+paste.filter_factory = drydock_provisioner.util:noauth_filter_factory
+
+[pipeline:main]
+pipeline = noauth drydock-api

tests/start_postgres.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+sudo docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:9.5
+sleep 15
+
+psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
+psql -h localhost -c "create database drydock;" postgres postgres
+
+sudo docker run --rm -t --net=host -e DRYDOCK_DB_URL="postgresql+psycopg2://drydock:drydock@localhost:5432/drydock" --entrypoint /usr/local/bin/alembic drydock:latest upgrade head
+export DRYDOCK_DB_URL="postgresql+psycopg2://drydock:drydock@localhost:5432/drydock"