Pull out keystone validation into validator class

2017-02-09 16:30:07 -08:00 · 2017-02-09 16:30:07 -08:00 · 678f868bc4
commit 678f868bc4
parent c55ddf7341
3 changed files with 95 additions and 41 deletions
--- a/util/config/validator.py
+++ b/util/config/validator.py
@ -15,9 +15,6 @@ from boot import setup_jwt_proxy
 from data.database import validate_database_url
 from data.users import LDAP_CERT_FILENAME
 from data.users.externaljwt import ExternalJWTAuthN
-from data.users.externalldap import LDAPConnection, LDAPUsers
-from data.users.keystone import get_keystone_users
-from storage import get_storage_driver
 from oauth.services.github import GithubOAuthService
 from oauth.services.google import GoogleOAuthService
 from oauth.services.gitlab import GitLabOAuthService
@ -31,6 +28,7 @@ from util.config.validators.validate_redis import RedisValidator
 from util.config.validators.validate_storage import StorageValidator
 from util.config.validators.validate_email import EmailValidator
 from util.config.validators.validate_ldap import LDAPValidator
+from util.config.validators.validate_keystone import KeystoneValidator

 logger = logging.getLogger(__name__)

@ -293,43 +291,6 @@ def _validate_jwt(config, user_obj, password):
                                      'properly: %s' % err_msg)


-def _validate_keystone(config, user_obj, password):
-  """ Validates the Keystone authentication system. """
-  if config.get('AUTHENTICATION_TYPE', 'Database') != 'Keystone':
-    return
-
-  auth_url = config.get('KEYSTONE_AUTH_URL')
-  auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
-  admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
-  admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
-  admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
-
-  if not auth_url:
-    raise ConfigValidationException('Missing authentication URL')
-
-  if not admin_username:
-    raise ConfigValidationException('Missing admin username')
-
-  if not admin_password:
-    raise ConfigValidationException('Missing admin password')
-
-  if not admin_tenant:
-    raise ConfigValidationException('Missing admin tenant')
-
-  requires_email = config.get('FEATURE_MAILING', True)
-  users = get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant,
-                             requires_email)
-
-  # Verify that the superuser exists. If not, raise an exception.
-  username = user_obj.username
-  (result, err_msg) = users.verify_credentials(username, password)
-  if not result:
-    msg = ('Verification of superuser %s failed: %s \n\nThe user either does not ' +
-           'exist in the remote authentication system ' +
-           'OR Keystone auth is misconfigured.') % (username, err_msg)
-    raise ConfigValidationException(msg)
-
-
 def _validate_signer(config, user_obj, _):
  """ Validates the GPG public+private key pair used for signing converted ACIs. """
  if config.get('SIGNING_ENGINE') is None:
@ -420,7 +381,7 @@ VALIDATORS = {
  'ssl': _validate_ssl,
  LDAPValidator.name: LDAPValidator.validate,
  'jwt': _validate_jwt,
-  'keystone': _validate_keystone,
+  KeystoneValidator.name: KeystoneValidator.validate,
  'signer': _validate_signer,
  'security-scanner': _validate_security_scanner,
  'bittorrent': _validate_bittorrent,