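def setUpModule(self):
    """Load the signed-token fixtures from CMSDIR and publish them on ``self``.

    Reads the scoped, unscoped and revoked token PEM files plus the revocation
    list (plain JSON and signed PEM), converts the PEM tokens with
    ``cms.cms_to_token`` and registers a canned response for the scoped and
    the unscoped token in ``self.TOKEN_RESPONSES``, keyed by
    ``cms.cms_hash_token`` of each token.

    :param self: object that receives the fixture attributes and already
                 carries a ``TOKEN_RESPONSES`` mapping (presumably the test
                 module itself -- confirm against the caller)
    """
    def read_fixture(name):
        # Every fixture lives directly under CMSDIR.
        with open(os.path.join(CMSDIR, name)) as f:
            return f.read()

    self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(
        read_fixture('auth_token_scoped.pem'))
    self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(
        read_fixture('auth_token_unscoped.pem'))
    self.REVOKED_TOKEN = cms.cms_to_token(
        read_fixture('auth_token_revoked.pem'))
    self.REVOKED_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_TOKEN)
    self.REVOCATION_LIST = jsonutils.loads(
        read_fixture('revocation_list.json'))
    # The signed revocation list is wrapped as {'signed': <PEM text>} and
    # serialised to a JSON string.
    self.VALID_SIGNED_REVOCATION_LIST = jsonutils.dumps(
        {'signed': read_fixture('revocation_list.pem')})

    # Canned responses are keyed by the hashed form of each signed token.
    self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(
        self.SIGNED_TOKEN_SCOPED)
    self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(
        self.SIGNED_TOKEN_UNSCOPED)

    self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = {
        'access': {
            'token': {
                'id': self.SIGNED_TOKEN_SCOPED_KEY,
            },
            'user': {
                'id': 'user_id1',
                'name': 'user_name1',
                'tenantId': 'tenant_id1',
                'tenantName': 'tenant_name1',
                'roles': [
                    {'name': 'role1'},
                    {'name': 'role2'},
                ],
            },
        },
    }

    # Fixed: the key is read from ``self`` like the scoped entry (the bare
    # name only resolves if a same-named module global exists), and the
    # trailing comma that stored a 1-tuple instead of the dict is gone.
    # The unscoped response carries no tenantId/tenantName.
    self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY] = {
        'access': {
            'token': {
                'id': self.SIGNED_TOKEN_UNSCOPED_KEY,
            },
            'user': {
                'id': 'user_id1',
                'name': 'user_name1',
                'roles': [
                    {'name': 'role1'},
                    {'name': 'role2'},
                ],
            },
        },
    }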
Beispiel #2
 def test_list_keystone_tokens_by_consumer(self):
     """Check the consumer's token listing holds the hashed Keystone token.

     Runs ``test_oauth_flow()`` first (presumably what populates
     ``self.keystone_token_id`` -- confirm), then lists the user's tokens
     filtered by the consumer key.
     """
     self.test_oauth_flow()
     listed = self.token_api.list_tokens(
         self.user_id,
         consumer_id=self.consumer.key,
     )
     # The listing is compared against the hashed form of the token ID,
     # not the raw ID.
     expected_id = cms.cms_hash_token(self.keystone_token_id)
     has_tokens = len(listed) > 0
     self.assertTrue(has_tokens)
     is_listed = expected_id in listed
     self.assertTrue(is_listed)
Beispiel #3
 def test_list_keystone_tokens_by_consumer(self):
     """Check the consumer's token listing holds the hashed Keystone token.

     Runs ``test_oauth_flow()`` first (presumably what populates
     ``self.keystone_token_id`` -- confirm), then lists the user's tokens
     filtered by the consumer key.
     """
     self.test_oauth_flow()
     listed = self.token_api.list_tokens(
         self.user_id,
         consumer_id=self.consumer.key,
     )
     # The listing is compared against the hashed form of the token ID,
     # not the raw ID.
     expected_id = cms.cms_hash_token(self.keystone_token_id)
     has_tokens = len(listed) > 0
     self.assertTrue(has_tokens)
     is_listed = expected_id in listed
     self.assertTrue(is_listed)
Beispiel #4
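    def _validate_user_token(self, user_token, retry=True):
        """Validate a user token and return its decoded body.

        The cache is consulted first under the hashed token id. On a miss, a
        token that ``cms.is_ans1_token()`` accepts is checked with
        ``verify_signed_token()`` and parsed as JSON; any other token goes
        through ``verify_uuid_token()``. A successful result is cached under
        the hashed id before it is returned.

        :param user_token: user's token id
        :param retry: passed through to ``verify_uuid_token()``; not used on
                      the signed-token path
        :return: body of the token if the token is valid
        :raise InvalidUserToken: if any step of the validation raises
        """
        try:
            token_id = cms.cms_hash_token(user_token)
            cached = self._cache_get(token_id)
            if cached:
                return cached
            if cms.is_ans1_token(user_token):
                verified = self.verify_signed_token(user_token)
                data = json.loads(verified)
            else:
                data = self.verify_uuid_token(user_token, retry)
            self._cache_put(token_id, data)
            return data
        except Exception:
            # Every failure in the block above, whatever its cause, is
            # reported to the caller as an invalid token.
            LOG.debug('Token validation failure.', exc_info=True)
            # NOTE(review): the invalid marker is stored under the raw token
            # while lookups above use the hashed id -- confirm that
            # _cache_store_invalid() derives the same key.
            self._cache_store_invalid(user_token)
            # A token is a bearer credential and a failure here does not
            # prove it is unusable elsewhere, so it is kept out of the log.
            LOG.warning("Authorization failed for token")
            raise InvalidUserToken('Token authorization failed')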
Beispiel #5
 def token_to_key(self, token_id):
     """Map a token ID to the short key used by lookup tables.

     Database tables, memcached and other lookup tables are keyed by this
     short form instead of the full PKI token.

     returns: the hashed value when given a PKI token; a UUID or the hash
              of a token is returned as passed in.
     """
     lookup_key = cms.cms_hash_token(token_id)
     return lookup_key
Beispiel #6
 def token_to_key(self, token_id):
     """Map a token ID to the short key used by lookup tables.

     Database tables, memcached and other lookup tables are keyed by this
     short form instead of the full PKI token.

     returns: the hashed value when given a PKI token; a UUID or the hash
              of a token is returned as passed in.
     """
     lookup_key = cms.cms_hash_token(token_id)
     return lookup_key
Beispiel #7
def unique_id(token_id):
    """Derive the lookup key for a token.

    The result is suitable as the primary key of a database table, a
    memcache store, or any other lookup table.

    :returns: The hashed value when given a PKI token. Any other input
              (such as a UUID token ID or an existing hash) is returned
              as passed in.
    """
    key = cms.cms_hash_token(token_id)
    return key
Beispiel #8
def unique_id(token_id):
    """Derive the lookup key for a token.

    The result is suitable as the primary key of a database table, a
    memcache store, or any other lookup table.

    :returns: The hashed value when given a PKI token. Any other input
              (such as a UUID token ID or an existing hash) is returned
              as passed in.
    """
    key = cms.cms_hash_token(token_id)
    return key
Beispiel #9
    def __init__(self, token_id, token_data):
        """Wrap token data, accepting only the V3 layout.

        :param token_id: ID of the token; kept as ``token_id`` and hashed
                         into ``short_id`` with ``CONF.token.hash_algorithm``
        :param token_data: mapping that must hold a ``'token'`` entry with a
                           ``'methods'`` key
        :raises exception.UnsupportedTokenVersionException: if ``token_data``
            does not have that layout
        :raises exception.UnexpectedError: if the token reports itself as
            both project scoped and domain scoped
        """
        self.token_data = token_data

        # Only the layout with token_data['token']['methods'] is accepted.
        looks_like_v3 = ('token' in token_data and
                         'methods' in token_data['token'])
        if not looks_like_v3:
            raise exception.UnsupportedTokenVersionException()

        super(KeystoneToken, self).__init__(**token_data['token'])
        self.version = V3
        self.token_id = token_id

        hash_mode = CONF.token.hash_algorithm
        self.short_id = cms.cms_hash_token(token_id, mode=hash_mode)

        # A token scoped to a project and a domain at once is rejected.
        doubly_scoped = self.project_scoped and self.domain_scoped
        if doubly_scoped:
            raise exception.UnexpectedError(_('Found invalid token: scoped to '
                                              'both project and domain.'))