Added a mock for the Pouta endpoint that exchanges a pouta_access_tok…

…en for an unscoped Keystone token

README.md

@@ -1,7 +1,7 @@
 # Openstack swift and keystone container image
 
 This container makes it easy to run *integration tests* against OpenStack Keystone and OpenStack Swift object storage.
-It is not suitable for production. 
+It is not suitable for production.
 
 The container starts both a swift and a keystone service so that integration
 tests can run against a single Docker container.
@@ -17,6 +17,9 @@ This container is based on `python:3.9-slim` and installs tarballs from
 Furthermore, the image includes [s6-overlay](https://github.com/just-containers/s6-overlay)
 to manage processes.
 
+## Pouta Access Token
+A python script is added to mock the feature in Pouta in which a token from AAI's userinfo can be exchanged for an unscoped token that works with Openstack Keystone. The python server is running in port 5001 and also proxies all other requests to port 5000, meaning all Keystone endpoints work in port 5001 as well.
+
 ## How to use this container
 Build the image with
 
@@ -58,7 +61,7 @@ The container comes with 2 preconfigured projects:
 - service (Service test project) | swift admin user
 - swift-project (Swift test project) | swift admin user
 
-### Keystone Identity v3 accounts 
+### Keystone Identity v3 accounts
 Default endpoint http://127.0.0.1:5000/v3
 
 #### Administrative account
@@ -106,7 +109,7 @@ Keystone Identity v3
 
 TempAuth
 
-    http http://127.0.0.1:8080/auth/v1.0 X-Storage-User:test:tester X-Storage-Pass:testing 
+    http http://127.0.0.1:8080/auth/v1.0 X-Storage-User:test:tester X-Storage-Pass:testing
 
 ## Sample curl commands
 
@@ -120,7 +123,7 @@ TempAuth
 
 ## S3 API
 
-This image also comes with S3 API enabled. To use it, generate credentials and use them to authenticate against the S3 API. 
+This image also comes with S3 API enabled. To use it, generate credentials and use them to authenticate against the S3 API.
 Below is an example using the credentials with [`s3cmd`](https://github.com/s3tools/s3cmd).
 
 The swift <-> S3 compatibility has its [limitations described here](https://opendev.org/openstack/swift/src/branch/stable/wallaby/doc/source/s3_compat.rst).
@@ -160,7 +163,7 @@ $ s3cmd -c s3.cfg mb s3://config
 Bucket 's3://config/' created
 
 # upload the config file
-$ s3cmd -c s3.cfg put s3.cfg s3://config/s3.cfg 
+$ s3cmd -c s3.cfg put s3.cfg s3://config/s3.cfg
 upload: 's3.cfg' -> 's3://config/s3.cfg'  [1 of 1]
  176 of 176   100% in    0s     3.33 KB/s  done
 

docker/rootfs/etc/s6-overlay/s6-rc.d/pouta-token/run

@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+from flask import Flask, request, jsonify
+from urllib.parse import urlparse
+
+import os
+import requests
+
+keystone_url = os.environ.get("OS_AUTH_URL", "http://127.0.0.1:5000/v3")
+keystone_port = urlparse(keystone_url).port
+
+app = Flask(__name__)
+
+
+@app.route('/', defaults={'path': ''})
+@app.route("/<string:path>")
+@app.route('/<path:path>', methods=["GET", "POST", "PUT", "DELETE"])
+def proxy(path):
+    url = f'http://localhost:{keystone_port}/{path}'
+
+    response = requests.request(
+        method=request.method,
+        url=url,
+        headers=request.headers,
+        data=request.get_data(),
+        allow_redirects=True
+    )
+
+    return (response.content, response.status_code, response.headers.items())
+
+
+@app.route('/v3/OS-FEDERATION/identity_providers/oauth2_authentication/protocols/openid/auth', methods=['GET'])
+def pouta_to_unscoped():
+    pouta_token = ""
+    auth_header = request.headers.get('Authorization')
+    if auth_header:
+        pouta_token = auth_header.split(" ")[1]
+
+    auth_data = {
+        "auth": {
+            "identity": {
+                "methods": [
+                    "token"
+                ],
+                "token": {
+                    "id": pouta_token
+                }
+            }
+        }
+    }
+
+    target_url = keystone_url+'/auth/tokens'
+    headers = {'Content-Type': 'application/json'}
+
+    # Forward to Keystone which should return an unscoped token
+    response = requests.post(target_url, json=auth_data, headers=headers)
+
+    return (response.content, response.status_code, response.headers.items())
+
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5001)

docker/rootfs/etc/s6-overlay/s6-rc.d/pouta-token/type

@@ -0,0 +1 @@
+longrun