def test_provider_token_expiration_validation(self):
token = token_model.TokenModel()
token.issued_at = "2013-05-21T00:02:43.941473Z"
token.expires_at = utils.isotime(CURRENT_DATE)
self.assertRaises(exception.TokenNotFound,
PROVIDERS.token_provider_api._is_valid_token, token)
token = token_model.TokenModel()
token.issued_at = "2013-05-21T00:02:43.941473Z"
token.expires_at = utils.isotime(timeutils.utcnow() + FUTURE_DELTA)
self.assertIsNone(PROVIDERS.token_provider_api._is_valid_token(token))
def _validate_token(self, token_id):
(user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
federated_group_ids, identity_provider_id, protocol_id,
access_token_id, app_cred_id, issued_at,
expires_at) = self.driver.validate_token(token_id)
token = token_model.TokenModel()
token.user_id = user_id
token.methods = methods
if len(audit_ids) > 1:
token.parent_audit_id = audit_ids.pop()
token.audit_id = audit_ids.pop()
token.system = system
token.domain_id = domain_id
token.project_id = project_id
token.trust_id = trust_id
token.access_token_id = access_token_id
token.application_credential_id = app_cred_id
token.expires_at = expires_at
if federated_group_ids is not None:
token.is_federated = True
token.identity_provider_id = identity_provider_id
token.protocol_id = protocol_id
token.federated_groups = federated_group_ids
token.mint(token_id, issued_at)
return token
def test_unable_to_verify_token_with_missing_public_key(self):
# create token, signing with private key
token = token_model.TokenModel()
token.methods = ['password']
token.user_id = uuid.uuid4().hex
token.audit_id = provider.random_urlsafe_str()
token.expires_at = utils.isotime(
provider.default_expire_time(), subsecond=True
)
token_id, issued_at = self.provider.generate_id_and_issued_at(token)
# remove the public key for the token we just created
current_pub_key = os.path.join(
CONF.jwt_tokens.jws_public_key_repository, 'public.pem'
)
os.remove(current_pub_key)
# create additional public keys
for _ in range(2):
private_key_path = os.path.join(
CONF.jwt_tokens.jws_private_key_repository,
uuid.uuid4().hex
)
pub_key_path = os.path.join(
CONF.jwt_tokens.jws_public_key_repository,
uuid.uuid4().hex
)
jwt_utils.create_jws_keypair(private_key_path, pub_key_path)
# validate token and ensure it returns a 404
self.assertRaises(
exception.TokenNotFound,
self.provider.validate_token,
token_id
)
def issue_token(self, user_id, method_names, expires_at=None,
system=None, project_id=None, domain_id=None,
auth_context=None, trust_id=None, app_cred_id=None,
parent_audit_id=None):
# NOTE(lbragstad): Grab a blank token object and use composition to
# build the token according to the authentication and authorization
# context. This cuts down on the amount of logic we have to stuff into
# the TokenModel's __init__() method.
token = token_model.TokenModel()
token.methods = method_names
token.system = system
token.domain_id = domain_id
token.project_id = project_id
token.trust_id = trust_id
token.application_credential_id = app_cred_id
token.audit_id = random_urlsafe_str()
token.parent_audit_id = parent_audit_id
if auth_context:
if constants.IDENTITY_PROVIDER in auth_context:
token.is_federated = True
token.protocol_id = auth_context[constants.PROTOCOL]
idp_id = auth_context[constants.IDENTITY_PROVIDER]
if isinstance(idp_id, bytes):
idp_id = idp_id.decode('utf-8')
token.identity_provider_id = idp_id
token.user_id = auth_context['user_id']
token.federated_groups = [
{'id': group} for group in auth_context['group_ids']
]
if 'access_token_id' in auth_context:
token.access_token_id = auth_context['access_token_id']
if not token.user_id:
token.user_id = user_id
token.user_domain_id = token.user['domain_id']
if isinstance(expires_at, datetime.datetime):
token.expires_at = utils.isotime(expires_at, subsecond=True)
if isinstance(expires_at, six.string_types):
token.expires_at = expires_at
elif not expires_at:
token.expires_at = utils.isotime(
default_expire_time(), subsecond=True
)
token_id, issued_at = self.driver.generate_id_and_issued_at(token)
token.mint(token_id, issued_at)
# cache the token object and with ID
if CONF.token.cache_on_issue or CONF.token.caching:
# NOTE(amakarov): here and above TOKENS_REGION is to be passed
# to serve as required positional "self" argument. It's ignored,
# so I've put it here for convenience - any placeholder is fine.
self._validate_token.set(token, self, token.id)
return token
def setUp(self):
super(TestTokenSerialization, self).setUp()
self.admin_user_id = self.bootstrapper.admin_user_id
self.admin_username = self.bootstrapper.admin_username
self.admin_password = self.bootstrapper.admin_password
self.project_id = self.bootstrapper.project_id
self.project_name = self.bootstrapper.project_name
self.admin_role_id = self.bootstrapper.admin_role_id
self.member_role_id = self.bootstrapper.member_role_id
self.reader_role_id = self.bootstrapper.reader_role_id
self.token_id = uuid.uuid4().hex
issued_at = datetime.datetime.utcnow()
self.issued_at = ks_utils.isotime(at=issued_at, subsecond=True)
# Reach into the cache registry and pull out an instance of the
# _TokenModelHandler so that we can interact and test it directly (as
# opposed to using PROVIDERS or managers to invoke it).
token_handler_id = token_model._TokenModelHandler.identity
self.token_handler = _context_cache._registry.get(token_handler_id)
self.exp_token = token_model.TokenModel()
self.exp_token.user_id = self.admin_user_id
self.exp_token.project_id = self.project_id
self.exp_token.mint(self.token_id, self.issued_at)
def _build_tokenless_auth_context(self, request):
"""Build the authentication context.
The context is built from the attributes provided in the env,
such as certificate and scope attributes.
"""
tokenless_helper = tokenless_auth.TokenlessAuthHelper(request.environ)
(domain_id, project_id, trust_ref, unscoped, system) = (
tokenless_helper.get_scope())
user_ref = tokenless_helper.get_mapped_user(
project_id,
domain_id)
# NOTE(gyee): if it is an ephemeral user, the
# given X.509 SSL client cert does not need to map to
# an existing user.
if user_ref['type'] == federation_utils.UserType.EPHEMERAL:
auth_context = {}
auth_context['group_ids'] = user_ref['group_ids']
auth_context[federation_constants.IDENTITY_PROVIDER] = (
user_ref[federation_constants.IDENTITY_PROVIDER])
auth_context[federation_constants.PROTOCOL] = (
user_ref[federation_constants.PROTOCOL])
if domain_id and project_id:
msg = _('Scoping to both domain and project is not allowed')
raise ValueError(msg)
if domain_id:
auth_context['domain_id'] = domain_id
if project_id:
auth_context['project_id'] = project_id
auth_context['roles'] = user_ref['roles']
else:
# it's the local user, so token data is needed.
token = token_model.TokenModel()
token.user_id = user_ref['id']
token.methods = [CONF.tokenless_auth.protocol]
token.domain_id = domain_id
token.project_id = project_id
auth_context = {'user_id': user_ref['id']}
auth_context['is_delegated_auth'] = False
if domain_id:
auth_context['domain_id'] = domain_id
if project_id:
auth_context['project_id'] = project_id
auth_context['roles'] = [role['name'] for role in token.roles]
return auth_context
def test_verify_token_with_multiple_public_keys_present(self):
token = token_model.TokenModel()
token.methods = ['password']
token.user_id = uuid.uuid4().hex
token.audit_id = provider.random_urlsafe_str()
token.expires_at = utils.isotime(
provider.default_expire_time(), subsecond=True
)
token_id, issued_at = self.provider.generate_id_and_issued_at(token)
for _ in range(2):
private_key_path = os.path.join(
CONF.jwt_tokens.jws_private_key_repository,
uuid.uuid4().hex
)
pub_key_path = os.path.join(
CONF.jwt_tokens.jws_public_key_repository,
uuid.uuid4().hex
)
jwt_utils.create_jws_keypair(private_key_path, pub_key_path)
# make sure we iterate through all public keys on disk and we can still
# validate the token
self.provider.validate_token(token_id)
