| author | Navid Pustchi <npustchi@gmail.com> | 2016-02-04 16:45:38 +0000 |
|---|---|---|
| committer | Alvaro Lopez Garcia <aloga@ifca.unican.es> | 2016-06-09 18:00:40 +0200 |
| commit | 6ae0d2e8a54fd5139e63a990ab4bdce634e73c5e (patch) | |
| tree | 5833e88147e71524b49a5b25979fd17869dd455c /openstackclient/identity | |
| parent | ada6abb30e6b1c49229817ae53ab96d88c50fd21 (diff) | |
| download | python-openstackclient-6ae0d2e8a54fd5139e63a990ab4bdce634e73c5e.tar.gz | |
Moving authentication from keystoneclient to keystoneauth
Currently OpenStackClient uses keystoneclient for authentication.
This change will update OpenStackClient to use keystoneauth for
authentication.
All dependent tests have been updated.
Updating how auth_ref is set in the tests to use KSA fixtures had
some racy side-effects. The user_role_list tests failed when they
picked up an auth_ref that was a fixture. This exposed a weakness
in ListUserRole that needed to be fixed at the same time re
handling of unscoped tokens and options.
Change-Id: I4ddb2dbbb3bf2ab37494468eaf65cef9213a6e00
Closes-Bug: 1533369
Diffstat (limited to 'openstackclient/identity')
| -rw-r--r-- | openstackclient/identity/v2_0/catalog.py | 29 | ||||
| -rw-r--r-- | openstackclient/identity/v2_0/role.py | 21 | ||||
| -rw-r--r-- | openstackclient/identity/v2_0/token.py | 19 | ||||
| -rw-r--r-- | openstackclient/identity/v3/catalog.py | 29 | ||||
| -rw-r--r-- | openstackclient/identity/v3/token.py | 20 |
5 files changed, 73 insertions, 45 deletions
diff --git a/openstackclient/identity/v2_0/catalog.py b/openstackclient/identity/v2_0/catalog.py index c8f48cb6..33692a0d 100644 --- a/openstackclient/identity/v2_0/catalog.py +++ b/openstackclient/identity/v2_0/catalog.py @@ -16,6 +16,7 @@ import six from openstackclient.common import command +from openstackclient.common import exceptions from openstackclient.common import utils from openstackclient.i18n import _ @@ -41,13 +42,14 @@ class ListCatalog(command.Lister): def take_action(self, parsed_args): - # This is ugly because if auth hasn't happened yet we need - # to trigger it here. - sc = self.app.client_manager.session.auth.get_auth_ref( - self.app.client_manager.session, - ).service_catalog + # Trigger auth if it has not happened yet + auth_ref = self.app.client_manager.auth_ref + if not auth_ref: + raise exceptions.AuthorizationFailure( + "Only an authorized user may issue a new token." + ) - data = sc.get_data() + data = auth_ref.service_catalog.catalog columns = ('Name', 'Type', 'Endpoints') return (columns, (utils.get_dict_properties( @@ -72,14 +74,15 @@ class ShowCatalog(command.ShowOne): def take_action(self, parsed_args): - # This is ugly because if auth hasn't happened yet we need - # to trigger it here. - sc = self.app.client_manager.session.auth.get_auth_ref( - self.app.client_manager.session, - ).service_catalog + # Trigger auth if it has not happened yet + auth_ref = self.app.client_manager.auth_ref + if not auth_ref: + raise exceptions.AuthorizationFailure( + "Only an authorized user may issue a new token." + ) data = None - for service in sc.get_data(): + for service in auth_ref.service_catalog.catalog: if (service.get('name') == parsed_args.service or service.get('type') == parsed_args.service): data = service @@ -91,6 +94,6 @@ class ShowCatalog(command.ShowOne): if not data: self.app.log.error(_('service %s not found\n') % parsed_args.service) - return ([], []) + return ((), ()) return zip(*sorted(six.iteritems(data))) 
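Review bot: The AuthorizationFailure text added in ListCatalog.take_action, "Only an authorized user may issue a new token.", is the message of the token-issue command and is not passed through `_()`, so a user running a catalog command without valid credentials gets an untranslated error about a different operation. Something like `raise exceptions.AuthorizationFailure(_("Authentication is required to read the service catalog."))` would describe the real failure. The same copied message appears in ShowCatalog.take_action in this file and in both catalog hunks of openstackclient/identity/v3/catalog.py, and the v2_0 IssueToken hunk also omits `_()` where the v3 one keeps it. The new comment "Trigger auth if it has not happened yet" presumably relies on the `auth_ref` property authenticating on access; that is not visible in these hunks and would be worth saying in the comment itself.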
diff --git a/openstackclient/identity/v2_0/role.py b/openstackclient/identity/v2_0/role.py index 6b014d86..0f8da992 100644 --- a/openstackclient/identity/v2_0/role.py +++ b/openstackclient/identity/v2_0/role.py @@ -231,18 +231,19 @@ class ListUserRole(command.Lister): # Project and user are required, if not included in command args # default to the values used for authentication. For token-flow # authentication they must be included on the command line. + if (not parsed_args.project and + self.app.client_manager.auth_ref.project_id): + parsed_args.project = auth_ref.project_id if not parsed_args.project: - if self.app.client_manager.auth_ref: - parsed_args.project = auth_ref.project_id - else: - msg = _("Project must be specified") - raise exceptions.CommandError(msg) + msg = _("Project must be specified") + raise exceptions.CommandError(msg) + + if (not parsed_args.user and + self.app.client_manager.auth_ref.user_id): + parsed_args.user = auth_ref.user_id if not parsed_args.user: - if self.app.client_manager.auth_ref: - parsed_args.user = auth_ref.user_id - else: - msg = _("User must be specified") - raise exceptions.CommandError(msg) + msg = _("User must be specified") + raise exceptions.CommandError(msg) project = utils.find_resource( identity_client.tenants, diff --git a/openstackclient/identity/v2_0/token.py b/openstackclient/identity/v2_0/token.py index f435d7ce..d708749d 100644 --- a/openstackclient/identity/v2_0/token.py +++ b/openstackclient/identity/v2_0/token.py @@ -18,6 +18,7 @@ import six from openstackclient.common import command +from openstackclient.common import exceptions from openstackclient.i18n import _ 
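Review bot: The new conditions in ListUserRole read `self.app.client_manager.auth_ref.project_id` and `.user_id` without the `if self.app.client_manager.auth_ref:` guard that the removed lines had, so when the project or user option is omitted and auth_ref is None the command fails with an AttributeError instead of the "Project must be specified" / "User must be specified" CommandError. The comment at the top of the hunk says token-flow authentication requires both values on the command line, which looks like the case where no auth_ref may be available. Guarding each test keeps the intended error: `if not parsed_args.project and auth_ref and auth_ref.project_id:` and `if not parsed_args.user and auth_ref and auth_ref.user_id:`. This assumes the local `auth_ref` used on the assignment lines is bound to `self.app.client_manager.auth_ref` earlier in take_action, which starts outside the hunk.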
@@ -32,11 +33,21 @@ class IssueToken(command.ShowOne): return parser def take_action(self, parsed_args): + auth_ref = self.app.client_manager.auth_ref + if not auth_ref: + raise exceptions.AuthorizationFailure( + "Only an authorized user may issue a new token.") - token = self.app.client_manager.auth_ref.service_catalog.get_token() - if 'tenant_id' in token: - token['project_id'] = token.pop('tenant_id') - return zip(*sorted(six.iteritems(token))) + data = {} + if auth_ref.auth_token: + data['id'] = auth_ref.auth_token + if auth_ref.expires: + data['expires'] = auth_ref.expires + if auth_ref.project_id: + data['project_id'] = auth_ref.project_id + if auth_ref.user_id: + data['user_id'] = auth_ref.user_id + return zip(*sorted(six.iteritems(data))) class RevokeToken(command.Command): diff --git a/openstackclient/identity/v3/catalog.py b/openstackclient/identity/v3/catalog.py index 4c794692..c2b4359d 100644 --- a/openstackclient/identity/v3/catalog.py +++ b/openstackclient/identity/v3/catalog.py @@ -16,6 +16,7 @@ import six from openstackclient.common import command +from openstackclient.common import exceptions from openstackclient.common import utils from openstackclient.i18n import _ @@ -36,13 +37,14 @@ class ListCatalog(command.Lister): def take_action(self, parsed_args): - # This is ugly because if auth hasn't happened yet we need - # to trigger it here. - sc = self.app.client_manager.session.auth.get_auth_ref( - self.app.client_manager.session, - ).service_catalog + # Trigger auth if it has not happened yet + auth_ref = self.app.client_manager.auth_ref + if not auth_ref: + raise exceptions.AuthorizationFailure( + "Only an authorized user may issue a new token." + ) - data = sc.get_data() + data = auth_ref.service_catalog.catalog columns = ('Name', 'Type', 'Endpoints') return (columns, (utils.get_dict_properties( 
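Review bot: In the v2_0 IssueToken.take_action, `data['expires'] = auth_ref.expires` stores whatever type the auth_ref attribute returns; if that is a datetime object, as keystoneauth access info normally exposes it, the displayed expiry no longer matches the string that the removed `get_token()` dict carried, and scripts that parse the output can break. Formatting it explicitly, for example `data['expires'] = auth_ref.expires.isoformat()`, would keep the output stable once the type is confirmed. The same assignment is in the v3 IssueToken hunk in openstackclient/identity/v3/token.py. A short docstring on take_action stating that the `id` column is a live bearer token would also help operators decide where this output may be stored.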
@@ -67,14 +69,15 @@ class ShowCatalog(command.ShowOne): def take_action(self, parsed_args): - # This is ugly because if auth hasn't happened yet we need - # to trigger it here. - sc = self.app.client_manager.session.auth.get_auth_ref( - self.app.client_manager.session, - ).service_catalog + # Trigger auth if it has not happened yet + auth_ref = self.app.client_manager.auth_ref + if not auth_ref: + raise exceptions.AuthorizationFailure( + "Only an authorized user may issue a new token." + ) data = None - for service in sc.get_data(): + for service in auth_ref.service_catalog.catalog: if (service.get('name') == parsed_args.service or service.get('type') == parsed_args.service): data = dict(service) @@ -86,6 +89,6 @@ class ShowCatalog(command.ShowOne): if not data: self.app.log.error(_('service %s not found\n') % parsed_args.service) - return ([], []) + return ((), ()) return zip(*sorted(six.iteritems(data))) diff --git a/openstackclient/identity/v3/token.py b/openstackclient/identity/v3/token.py index 56a7497c..cc399363 100644 --- a/openstackclient/identity/v3/token.py +++ b/openstackclient/identity/v3/token.py 
@@ -174,13 +174,23 @@ class IssueToken(command.ShowOne): return parser def take_action(self, parsed_args): - if not self.app.client_manager.auth_ref: + auth_ref = self.app.client_manager.auth_ref + if not auth_ref: raise exceptions.AuthorizationFailure( _("Only an authorized user may issue a new token.")) - token = self.app.client_manager.auth_ref.service_catalog.get_token() - if 'tenant_id' in token: - token['project_id'] = token.pop('tenant_id') - return zip(*sorted(six.iteritems(token))) + + data = {} + if auth_ref.auth_token: + data['id'] = auth_ref.auth_token + if auth_ref.expires: + data['expires'] = auth_ref.expires + if auth_ref.project_id: + data['project_id'] = auth_ref.project_id + if auth_ref.user_id: + data['user_id'] = auth_ref.user_id + if auth_ref.domain_id: + data['domain_id'] = auth_ref.domain_id + return zip(*sorted(six.iteritems(data))) class RevokeToken(command.Command): |
