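 def _get_token_ref(self, context, token_id, belongs_to=None):
     """Return the token record for *token_id*, optionally scoped to a project.

     The token is first looked up through ``self.token_api``. When
     ``token_id`` is a CMS-signed (PKI) token, its signature is then
     verified against the configured signing certificate and CA bundle
     and the decoded payload replaces the backend record.

     Args:
         context: request context (not used on this path).
         token_id: UUID or PKI token string.
         belongs_to: if given, the token's ``project.id`` must equal it.

     Returns:
         The token reference dict.

     Raises:
         AssertionError: if ``belongs_to`` is given and does not match.
     """
     # NOTE(review): the backend lookup also runs for signed tokens even
     # though its result is replaced below -- presumably so the backend's
     # own validity checks still apply; confirm before removing it.
     token_ref = self.token_api.get_token(token_id)
     if cms.is_ans1_token(token_id):
         verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                         CONF.signing.certfile,
                                         CONF.signing.ca_certs)
         token_ref = json.loads(verified_token)
     if belongs_to:
         # Explicit check rather than ``assert``: assertions are stripped
         # under ``python -O``, which would silently disable this scope
         # check. AssertionError is kept for caller compatibility; the
         # project's own authorization exception would be the better fit.
         if token_ref['project']['id'] != belongs_to:
             raise AssertionError(
                 'token is not scoped to the requested project')
     return token_ref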
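 def _get_token_ref(self, context, token_id, belongs_to=None):
     """Return the token record for *token_id*, optionally scoped to a project.

     The token is first looked up through ``self.token_api``. When
     ``token_id`` is a CMS-signed (PKI) token, its signature is then
     verified against the configured signing certificate and CA bundle
     and the decoded payload replaces the backend record.

     Args:
         context: request context, passed through to the token backend.
         token_id: UUID or PKI token string.
         belongs_to: if given, the token's ``project.id`` must equal it.

     Returns:
         The token reference dict.

     Raises:
         AssertionError: if ``belongs_to`` is given and does not match.
     """
     # NOTE(review): the backend lookup also runs for signed tokens even
     # though its result is replaced below -- presumably so the backend's
     # own validity checks still apply; confirm before removing it.
     token_ref = self.token_api.get_token(context=context,
                                          token_id=token_id)
     if cms.is_ans1_token(token_id):
         verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                         CONF.signing.certfile,
                                         CONF.signing.ca_certs)
         token_ref = json.loads(verified_token)
     if belongs_to:
         # Explicit check rather than ``assert``: assertions are stripped
         # under ``python -O``, which would silently disable this scope
         # check. AssertionError is kept for caller compatibility; the
         # project's own authorization exception would be the better fit.
         if token_ref['project']['id'] != belongs_to:
             raise AssertionError(
                 'token is not scoped to the requested project')
     return token_ref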
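 def validate(self, response, realm_id):
     """Validate the token in *response* against the realm's Keystone endpoints.

     Looks up the endpoints registered for ``realm_id`` in the service
     catalog. A UUID token is validated remotely: a service token is
     obtained from the public endpoint with the catalog-supplied
     credentials and the admin endpoint's ``/tokens/`` resource is queried
     for ``token_id``. A CMS-signed (PKI) token is verified locally against
     the certificate material carried in the catalog entry.

     Args:
         response: Keystone auth response holding ``access.token.id``.
         realm_id: service id used to filter the catalog endpoints.

     Returns:
         ``(username, expires, issuer_check)`` where the last element is
         the result of ``self.check_issuers`` on the collected role and
         project attributes.

     Raises:
         ValueError: if the catalog has no usable endpoint for the realm.
     """
     catalog_api = catalog.controllers.EndpointV3()
     context = {
         'is_admin': True,
         'query_string': {'service_id': realm_id},
         'interface': 'adminurl',
         'path': "",
     }
     endpoints = catalog_api.list_endpoints(context)

     # Bind up front so an empty or incomplete catalog fails with a clear
     # error instead of an UnboundLocalError further down.
     creds = None
     endpoint = None
     post_endpoint = None
     for e in endpoints['endpoints']:
         # NOTE(review): as in the original, the credentials of the *last*
         # listed endpoint win -- confirm the catalog carries only one set.
         creds = e["creds"]
         if e['interface'] == 'admin':
             endpoint = e['url'] + '/tokens/'
         if e['interface'] == 'public':
             post_endpoint = e['url'] + '/tokens'
     if creds is None:
         raise ValueError("no endpoints registered for realm %r" % (realm_id,))

     token_id = response['access']['token']['id']
     if not cms.is_ans1_token(token_id):
         if endpoint is None or post_endpoint is None:
             raise ValueError(
                 "realm %r lacks an admin or public endpoint" % (realm_id,))
         auth_req = {"auth": {
             "tenantName": "service",
             "passwordCredentials": {"username": creds["user"],
                                     "password": creds["pass"]},
         }}
         auth_token = self.request(post_endpoint, data=auth_req, method="POST")
         header = {"X-Auth-Token": auth_token['access']['token']['id']}
         validatedResponse = self.request(keystoneEndpoint=endpoint,
                                          data=token_id, method="GET",
                                          header=header)
     else:
         # Context managers close (and so unlink) the temporary certificate
         # files even when verification raises.
         with tempfile.NamedTemporaryFile() as cert_file, \
                 tempfile.NamedTemporaryFile() as cacert_file:
             cert_file.write(self.format_certdata(creds["certdata"]))
             cert_file.flush()
             cacert_file.write(self.format_certdata(creds["cacert"]))
             cacert_file.flush()
             data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
                                              cert_file.name,
                                              cacert_file.name))
         data['access']['token']['user'] = data['access']['user']
         data['access']['token']['metadata'] = data['access']['metadata']
         validatedResponse = data

     # Collect every role name. The original appended outside the loop, so
     # only the last role was kept (and a token with no roles raised KeyError).
     validatedAttributes = {
         'role': [r['name'] for r in validatedResponse['access']['user']['roles']],
         'project': [validatedResponse['access']['token']['tenant']['name']],
     }
     username = validatedResponse['access']['user']['name']
     expires = validatedResponse['access']['token']['expires']
     # NOTE(review): ``expires`` is returned but not compared with the
     # current time here -- confirm the caller or check_issuers enforces it.
     return username, expires, self.check_issuers(validatedAttributes, realm_id)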
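    def cms_verify(self, data):
        """Verify the CMS signature on *data* and return the verified output.

        Delegates to ``cms.cms_verify`` with the configured signing
        certificate and CA file. If the verification command fails because
        either certificate file is missing, that file is fetched and the
        verification retried -- at most once per file, so a fetch that does
        not produce the file cannot spin forever.

        Args:
            data: CMS-formatted text to verify.

        Returns:
            The output of ``cms.cms_verify`` for a good signature.

        Raises:
            subprocess.CalledProcessError: if verification fails for any
                reason other than a certificate file that has not been
                fetched yet.
        """
        fetched_signing_cert = False
        fetched_ca_cert = False
        while True:
            try:
                return cms.cms_verify(data, self.signing_cert_file_name,
                                      self.ca_file_name)
            except subprocess.CalledProcessError as err:
                if (self.cert_file_missing(err, self.signing_cert_file_name)
                        and not fetched_signing_cert):
                    self.fetch_signing_cert()
                    fetched_signing_cert = True
                    continue
                if (self.cert_file_missing(err, self.ca_file_name)
                        and not fetched_ca_cert):
                    self.fetch_ca_cert()
                    fetched_ca_cert = True
                    continue
                # Bare ``raise`` keeps the original traceback; ``raise err``
                # resets it on Python 2.
                raise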
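    def cms_verify(self, data):
        """Verify the CMS signature on *data* and return the verified output.

        Delegates to ``cms.cms_verify`` with the configured signing
        certificate and CA file. If the verification command fails because
        either certificate file is missing, that file is fetched and the
        verification retried -- at most once per file, so a fetch that does
        not produce the file cannot spin forever.

        Args:
            data: CMS-formatted text to verify.

        Returns:
            The output of ``cms.cms_verify`` for a good signature.

        Raises:
            subprocess.CalledProcessError: if verification fails for any
                reason other than a certificate file that has not been
                fetched yet.
        """
        fetched_signing_cert = False
        fetched_ca_cert = False
        while True:
            try:
                return cms.cms_verify(data, self.signing_cert_file_name,
                                      self.ca_file_name)
            except subprocess.CalledProcessError as err:
                if (self.cert_file_missing(err, self.signing_cert_file_name)
                        and not fetched_signing_cert):
                    self.fetch_signing_cert()
                    fetched_signing_cert = True
                    continue
                if (self.cert_file_missing(err, self.ca_file_name)
                        and not fetched_ca_cert):
                    self.fetch_ca_cert()
                    fetched_ca_cert = True
                    continue
                # Bare ``raise`` keeps the original traceback; ``raise err``
                # resets it on Python 2.
                raise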
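    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        A CMS-signed (PKI) token is verified locally against the configured
        signing certificate and CA bundle; its decoded ``access.token``
        payload is returned with ``user`` and ``metadata`` copied in from
        the enclosing ``access`` object. Any other token is fetched from the
        token backend.

        Args:
            context: request context; checked with ``assert_admin`` first.
            token_id: UUID or PKI token string.
            belongs_to: if given, a signed token's ``tenant.id`` must equal it.

        Returns:
            The token reference dict.

        Raises:
            AssertionError: if ``belongs_to`` is given and the signed token
                is scoped to a different tenant.
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if cms.is_ans1_token(token_id):
            data = json.loads(
                cms.cms_verify(cms.token_to_cms(token_id),
                               config.CONF.signing.certfile,
                               config.CONF.signing.ca_certs))
            data["access"]["token"]["user"] = data["access"]["user"]
            data["access"]["token"]["metadata"] = data["access"]["metadata"]
            # Explicit check rather than ``assert``: assertions are stripped
            # under ``python -O``, which would silently disable this tenant
            # scope check. AssertionError is kept for caller compatibility;
            # the project's authorization exception would be the better fit.
            if belongs_to and data["access"]["token"]["tenant"]["id"] != belongs_to:
                raise AssertionError("token is not scoped to the requested tenant")
            token_ref = data["access"]["token"]
        else:
            # NOTE(review): belongs_to is not checked on this branch (as in
            # the original) -- presumably the backend enforces scope; confirm.
            token_ref = self.token_api.get_token(context=context, token_id=token_id)
        return token_ref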
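    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        A token longer than ``cms.UUID_TOKEN_LENGTH`` is treated as
        CMS-signed (PKI): it is verified locally against the configured
        signing certificate and CA bundle and its decoded ``access.token``
        payload is returned with ``user`` and ``metadata`` copied in from
        the enclosing ``access`` object. Any other token is fetched from
        the token backend.

        Args:
            context: request context; checked with ``assert_admin`` first.
            token_id: UUID or PKI token string.
            belongs_to: if given, a signed token's ``tenant.id`` must equal it.

        Returns:
            The token reference dict.

        Raises:
            AssertionError: if ``belongs_to`` is given and the signed token
                is scoped to a different tenant.
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if len(token_id) > cms.UUID_TOKEN_LENGTH:
            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
                                             config.CONF.signing.certfile,
                                             config.CONF.signing.ca_certs))
            data['access']['token']['user'] = data['access']['user']
            data['access']['token']['metadata'] = data['access']['metadata']
            # Explicit check rather than ``assert``: assertions are stripped
            # under ``python -O``, which would silently disable this tenant
            # scope check. AssertionError is kept for caller compatibility;
            # the project's authorization exception would be the better fit.
            if belongs_to and data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('token is not scoped to the requested tenant')
            token_ref = data['access']['token']
        else:
            # NOTE(review): belongs_to is not checked on this branch (as in
            # the original) -- presumably the backend enforces scope; confirm.
            token_ref = self.token_api.get_token(context=context,
                                                 token_id=token_id)
        return token_ref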
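    def verify_signed_token(self, signed_text):
        """Convert a Base64 token block to strict PEM and verify its CMS signature.

        ``signed_text`` is reformatted with ``cms.token_to_cms`` and then
        verified with ``cms.cms_verify`` against the configured signing
        certificate and CA file. If the verification command fails because
        either certificate file is missing, that file is fetched and the
        verification retried -- at most once per file, so a fetch that does
        not produce the file cannot spin forever.

        Args:
            signed_text: the Base64-encoded signed token.

        Returns:
            The output of ``cms.cms_verify`` for a good signature.

        Raises:
            subprocess.CalledProcessError: if verification fails for any
                reason other than a certificate file that has not been
                fetched yet.
        """
        formatted = cms.token_to_cms(signed_text)

        fetched_signing_cert = False
        fetched_ca_cert = False
        while True:
            try:
                return cms.cms_verify(formatted, self.signing_cert_file_name,
                                      self.ca_file_name)
            except subprocess.CalledProcessError as err:
                if (self.cert_file_missing(err, self.signing_cert_file_name)
                        and not fetched_signing_cert):
                    self.fetch_signing_cert()
                    fetched_signing_cert = True
                    continue
                if (self.cert_file_missing(err, self.ca_file_name)
                        and not fetched_ca_cert):
                    self.fetch_ca_cert()
                    fetched_ca_cert = True
                    continue
                # Bare ``raise`` keeps the original traceback; ``raise err``
                # resets it on Python 2.
                raise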
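    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        A token longer than ``cms.UUID_TOKEN_LENGTH`` is treated as
        CMS-signed (PKI): it is verified locally against the configured
        signing certificate and CA bundle and its decoded ``access.token``
        payload is returned with ``user`` and ``metadata`` copied in from
        the enclosing ``access`` object. Any other token is fetched from
        the token backend.

        Args:
            context: request context; checked with ``assert_admin`` first.
            token_id: UUID or PKI token string.
            belongs_to: if given, a signed token's ``tenant.id`` must equal it.

        Returns:
            The token reference dict.

        Raises:
            AssertionError: if ``belongs_to`` is given and the signed token
                is scoped to a different tenant.
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if len(token_id) > cms.UUID_TOKEN_LENGTH:
            data = json.loads(
                cms.cms_verify(cms.token_to_cms(token_id),
                               config.CONF.signing.certfile,
                               config.CONF.signing.ca_certs))
            data['access']['token']['user'] = data['access']['user']
            data['access']['token']['metadata'] = data['access']['metadata']
            # Explicit check rather than ``assert``: assertions are stripped
            # under ``python -O``, which would silently disable this tenant
            # scope check. AssertionError is kept for caller compatibility;
            # the project's authorization exception would be the better fit.
            if belongs_to and data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('token is not scoped to the requested tenant')
            token_ref = data['access']['token']
        else:
            # NOTE(review): belongs_to is not checked on this branch (as in
            # the original) -- presumably the backend enforces scope; confirm.
            token_ref = self.token_api.get_token(context=context,
                                                 token_id=token_id)
        return token_ref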