Beispiel #1
0
    def create_request_token(self, request):
        oauth_headers = oauth1.get_oauth_headers(request.headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        requested_project_id = request.headers.get('Requested-Project-Id')

        if not consumer_id:
            raise exception.ValidationError(
                attribute='oauth_consumer_key', target='request')
        if not requested_project_id:
            raise exception.ValidationError(
                attribute='requested_project_id', target='request')

        # NOTE(stevemar): Ensure consumer and requested project exist
        self.resource_api.get_project(requested_project_id)
        self.oauth_api.get_consumer(consumer_id)

        url = self.base_url(request.context_dict, request.context_dict['path'])

        req_headers = {'Requested-Project-Id': requested_project_id}
        req_headers.update(request.headers)
        request_verifier = oauth1.RequestTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        h, b, s = request_verifier.create_request_token_response(
            url,
            http_method='POST',
            body=request.params,
            headers=req_headers)

        if (not b) or int(s) > 399:
            msg = _('Invalid signature')
            raise exception.Unauthorized(message=msg)

        request_token_duration = CONF.oauth1.request_token_duration
        initiator = notifications._get_request_audit_info(request.context_dict)
        token_ref = self.oauth_api.create_request_token(consumer_id,
                                                        requested_project_id,
                                                        request_token_duration,
                                                        initiator)

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
                  % {'key': token_ref['id'],
                     'secret': token_ref['request_secret']})

        if CONF.oauth1.request_token_duration:
            expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
            result += expiry_bit

        headers = [('Content-Type', 'application/x-www-urlformencoded')]
        response = wsgi.render_response(
            result,
            status=(http_client.CREATED,
                    http_client.responses[http_client.CREATED]),
            headers=headers)

        return response
Beispiel #2
0
    def create_request_token(self, request):
        oauth_headers = oauth1.get_oauth_headers(request.headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        requested_project_id = request.headers.get('Requested-Project-Id')

        if not consumer_id:
            raise exception.ValidationError(
                attribute='oauth_consumer_key', target='request')
        if not requested_project_id:
            raise exception.ValidationError(
                attribute='requested_project_id', target='request')

        # NOTE(stevemar): Ensure consumer and requested project exist
        self.resource_api.get_project(requested_project_id)
        self.oauth_api.get_consumer(consumer_id)

        url = self.base_url(request.context_dict, request.context_dict['path'])

        req_headers = {'Requested-Project-Id': requested_project_id}
        req_headers.update(request.headers)
        request_verifier = oauth1.RequestTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        h, b, s = request_verifier.create_request_token_response(
            url,
            http_method='POST',
            body=request.params,
            headers=req_headers)

        if (not b) or int(s) > 399:
            msg = _('Invalid signature')
            raise exception.Unauthorized(message=msg)

        request_token_duration = CONF.oauth1.request_token_duration
        initiator = notifications._get_request_audit_info(request.context_dict)
        token_ref = self.oauth_api.create_request_token(consumer_id,
                                                        requested_project_id,
                                                        request_token_duration,
                                                        initiator)

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
                  % {'key': token_ref['id'],
                     'secret': token_ref['request_secret']})

        if CONF.oauth1.request_token_duration:
            expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
            result += expiry_bit

        headers = [('Content-Type', 'application/x-www-form-urlencoded')]
        response = wsgi.render_response(
            result,
            status=(http_client.CREATED,
                    http_client.responses[http_client.CREATED]),
            headers=headers)

        return response
Beispiel #3
0
    def post(self):
        oauth_headers = oauth1.get_oauth_headers(flask.request.headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        requested_project_id = flask.request.headers.get(
            'Requested-Project-Id')

        if not consumer_id:
            raise exception.ValidationError(attribute='oauth_consumer_key',
                                            target='request')
        if not requested_project_id:
            raise exception.ValidationError(attribute='Requested-Project-Id',
                                            target='request')

        # NOTE(stevemar): Ensure consumer and requested project exist
        PROVIDERS.resource_api.get_project(requested_project_id)
        PROVIDERS.oauth_api.get_consumer(consumer_id)

        url = _update_url_scheme()
        req_headers = {'Requested-Project-Id': requested_project_id}
        req_headers.update(flask.request.headers)
        request_verifier = oauth1.RequestTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        h, b, s = request_verifier.create_request_token_response(
            url,
            http_method='POST',
            body=flask.request.args,
            headers=req_headers)
        if not b:
            msg = _('Invalid signature')
            raise exception.Unauthorized(message=msg)
        # show the details of the failure.
        oauth1.validate_oauth_params(b)
        request_token_duration = CONF.oauth1.request_token_duration
        token_ref = PROVIDERS.oauth_api.create_request_token(
            consumer_id,
            requested_project_id,
            request_token_duration,
            initiator=ks_flask.build_audit_initiator())

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {
            'key': token_ref['id'],
            'secret': token_ref['request_secret']
        })

        if CONF.oauth1.request_token_duration > 0:
            expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
            result += expiry_bit

        resp = flask.make_response(result, http_client.CREATED)
        resp.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        return resp
Beispiel #4
0
    def create_request_token(self, context):
        headers = context["headers"]
        oauth_headers = oauth1.get_oauth_headers(headers)
        consumer_id = oauth_headers.get("oauth_consumer_key")
        requested_project_id = headers.get("Requested-Project-Id")

        if not consumer_id:
            raise exception.ValidationError(attribute="oauth_consumer_key", target="request")
        if not requested_project_id:
            raise exception.ValidationError(attribute="requested_project_id", target="request")

        # NOTE(stevemar): Ensure consumer and requested project exist
        self.resource_api.get_project(requested_project_id)
        self.oauth_api.get_consumer(consumer_id)

        url = self.base_url(context, context["path"])

        req_headers = {"Requested-Project-Id": requested_project_id}
        req_headers.update(headers)
        request_verifier = oauth1.RequestTokenEndpoint(
            request_validator=validator.OAuthValidator(), token_generator=oauth1.token_generator
        )
        h, b, s = request_verifier.create_request_token_response(
            url, http_method="POST", body=context["query_string"], headers=req_headers
        )

        if (not b) or int(s) > 399:
            msg = _("Invalid signature")
            raise exception.Unauthorized(message=msg)

        request_token_duration = CONF.oauth1.request_token_duration
        initiator = notifications._get_request_audit_info(context)
        token_ref = self.oauth_api.create_request_token(
            consumer_id, requested_project_id, request_token_duration, initiator
        )

        result = "oauth_token=%(key)s&oauth_token_secret=%(secret)s" % {
            "key": token_ref["id"],
            "secret": token_ref["request_secret"],
        }

        if CONF.oauth1.request_token_duration:
            expiry_bit = "&oauth_expires_at=%s" % token_ref["expires_at"]
            result += expiry_bit

        headers = [("Content-Type", "application/x-www-urlformencoded")]
        response = wsgi.render_response(result, status=(201, "Created"), headers=headers)

        return response
Beispiel #5
0
    def post(self):
        oauth_headers = oauth1.get_oauth_headers(flask.request.headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        requested_project_id = flask.request.headers.get(
            'Requested-Project-Id')

        if not consumer_id:
            raise exception.ValidationError(
                attribute='oauth_consumer_key', target='request')
        if not requested_project_id:
            raise exception.ValidationError(
                attribute='Requested-Project-Id', target='request')

        # NOTE(stevemar): Ensure consumer and requested project exist
        PROVIDERS.resource_api.get_project(requested_project_id)
        PROVIDERS.oauth_api.get_consumer(consumer_id)

        url = _update_url_scheme()
        req_headers = {'Requested-Project-Id': requested_project_id}
        req_headers.update(flask.request.headers)
        request_verifier = oauth1.RequestTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        h, b, s = request_verifier.create_request_token_response(
            url, http_method='POST', body=flask.request.args,
            headers=req_headers)
        if not b:
            msg = _('Invalid signature')
            raise exception.Unauthorized(message=msg)
        # show the details of the failure.
        oauth1.validate_oauth_params(b)
        request_token_duration = CONF.oauth1.request_token_duration
        token_ref = PROVIDERS.oauth_api.create_request_token(
            consumer_id,
            requested_project_id,
            request_token_duration,
            initiator=notifications.build_audit_initiator())

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
                  % {'key': token_ref['id'],
                     'secret': token_ref['request_secret']})

        if CONF.oauth1.request_token_duration > 0:
            expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
            result += expiry_bit

        resp = flask.make_response(result, http_client.CREATED)
        resp.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        return resp
Beispiel #6
0
    def authenticate(self, request, auth_payload):
        """Turn a signed request with an access key into a keystone token."""
        response_data = {}
        oauth_headers = oauth.get_oauth_headers(request.headers)
        access_token_id = oauth_headers.get('oauth_token')

        if not access_token_id:
            raise exception.ValidationError(
                attribute='oauth_token', target='request')

        acc_token = self.oauth_api.get_access_token(access_token_id)

        expires_at = acc_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Access token is expired'))

        url = controller.V3Controller.base_url(request.context_dict,
                                               request.path_info)
        access_verifier = oauth.ResourceEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth.token_generator)
        result, request = access_verifier.validate_protected_resource_request(
            url,
            http_method='POST',
            body=request.params,
            headers=request.headers,
            realms=None
        )
        if not result:
            msg = _('Could not validate the access token')
            raise exception.Unauthorized(msg)
        response_data['user_id'] = acc_token['authorizing_user_id']
        response_data['access_token_id'] = access_token_id
        response_data['project_id'] = acc_token['project_id']

        return base.AuthHandlerResponse(status=True, response_body=None,
                                        response_data=response_data)
Beispiel #7
0
    def authenticate(self, request, auth_payload):
        """Turn a signed request with an access key into a keystone token."""
        response_data = {}
        oauth_headers = oauth.get_oauth_headers(request.headers)
        access_token_id = oauth_headers.get('oauth_token')

        if not access_token_id:
            raise exception.ValidationError(
                attribute='oauth_token', target='request')

        acc_token = PROVIDERS.oauth_api.get_access_token(access_token_id)

        expires_at = acc_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Access token is expired'))

        url = controller.V3Controller.base_url(request.context_dict,
                                               request.path_info)
        access_verifier = oauth.ResourceEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth.token_generator)
        result, request = access_verifier.validate_protected_resource_request(
            url,
            http_method='POST',
            body=request.params,
            headers=request.headers,
            realms=None
        )
        if not result:
            msg = _('Could not validate the access token')
            raise exception.Unauthorized(msg)
        response_data['user_id'] = acc_token['authorizing_user_id']
        response_data['access_token_id'] = access_token_id
        response_data['project_id'] = acc_token['project_id']

        return base.AuthHandlerResponse(status=True, response_body=None,
                                        response_data=response_data)
Beispiel #8
0
    def authenticate(self, context, auth_info, auth_context):
        """Turn a signed request with an access key into a keystone token."""
        headers = context['headers']
        oauth_headers = oauth.get_oauth_headers(headers)
        access_token_id = oauth_headers.get('oauth_token')

        if not access_token_id:
            raise exception.ValidationError(
                attribute='oauth_token', target='request')

        acc_token = self.oauth_api.get_access_token(access_token_id)

        expires_at = acc_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Access token is expired'))

        url = controller.V3Controller.base_url(context, context['path'])
        access_verifier = oauth.ResourceEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth.token_generator)
        result, request = access_verifier.validate_protected_resource_request(
            url,
            http_method='POST',
            body=context['query_string'],
            headers=headers,
            realms=None
        )
        if not result:
            msg = _('Could not validate the access token')
            raise exception.Unauthorized(msg)
        auth_context['user_id'] = acc_token['authorizing_user_id']
        auth_context['access_token_id'] = access_token_id
        auth_context['project_id'] = acc_token['project_id']
Beispiel #9
0
    def authenticate(self, context, auth_info, auth_context):
        """Turn a signed request with an access key into a keystone token."""
        headers = context['headers']
        oauth_headers = oauth.get_oauth_headers(headers)
        access_token_id = oauth_headers.get('oauth_token')

        if not access_token_id:
            raise exception.ValidationError(attribute='oauth_token',
                                            target='request')

        acc_token = self.oauth_api.get_access_token(access_token_id)

        expires_at = acc_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Access token is expired'))

        url = controller.V3Controller.base_url(context, context['path'])
        access_verifier = oauth.ResourceEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth.token_generator)
        result, request = access_verifier.validate_protected_resource_request(
            url,
            http_method='POST',
            body=context['query_string'],
            headers=headers,
            realms=None)
        if not result:
            msg = _('Could not validate the access token')
            raise exception.Unauthorized(msg)
        auth_context['user_id'] = acc_token['authorizing_user_id']
        auth_context['access_token_id'] = access_token_id
        auth_context['project_id'] = acc_token['project_id']
Beispiel #10
0
    def create_access_token(self, request):
        oauth_headers = oauth1.get_oauth_headers(request.headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        request_token_id = oauth_headers.get('oauth_token')
        oauth_verifier = oauth_headers.get('oauth_verifier')

        if not consumer_id:
            raise exception.ValidationError(attribute='oauth_consumer_key',
                                            target='request')
        if not request_token_id:
            raise exception.ValidationError(attribute='oauth_token',
                                            target='request')
        if not oauth_verifier:
            raise exception.ValidationError(attribute='oauth_verifier',
                                            target='request')

        req_token = self.oauth_api.get_request_token(request_token_id)

        expires_at = req_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Request token is expired'))

        access_verifier = oauth1.AccessTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        try:
            h, b, s = access_verifier.create_access_token_response(
                request.url,
                http_method='POST',
                body=request.params,
                headers=request.headers)
        except NotImplementedError:
            # Client key or request token validation failed, since keystone
            # does not yet support dummy client or dummy request token,
            # so we will raise Unauthorized exception instead.
            try:
                self.oauth_api.get_consumer(consumer_id)
            except exception.NotFound:
                msg = _('Provided consumer does not exist.')
                LOG.warning(msg)
                raise exception.Unauthorized(message=msg)
            if req_token['consumer_id'] != consumer_id:
                msg = _('Provided consumer key does not match stored '
                        'consumer key.')
                LOG.warning(msg)
                raise exception.Unauthorized(message=msg)
        # The response body is empty since either one of the following reasons
        if not b:
            if req_token['verifier'] != oauth_verifier:
                msg = _('Provided verifier does not match stored verifier')
            else:
                msg = _('Invalid signature.')
            LOG.warning(msg)
            raise exception.Unauthorized(message=msg)
        # show the details of the failure.
        oauth1.validate_oauth_params(b)
        if not req_token.get('authorizing_user_id'):
            msg = _('Request Token does not have an authorizing user id.')
            LOG.warning(msg)
            raise exception.Unauthorized(message=msg)

        access_token_duration = CONF.oauth1.access_token_duration
        token_ref = self.oauth_api.create_access_token(
            request_token_id,
            access_token_duration,
            initiator=request.audit_initiator)

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {
            'key': token_ref['id'],
            'secret': token_ref['access_secret']
        })

        if CONF.oauth1.access_token_duration > 0:
            expiry_bit = '&oauth_expires_at=%s' % (token_ref['expires_at'])
            result += expiry_bit

        headers = [('Content-Type', 'application/x-www-form-urlencoded')]
        response = wsgi.render_response(
            result,
            status=(http_client.CREATED,
                    http_client.responses[http_client.CREATED]),
            headers=headers)

        return response
Beispiel #11
0
    def create_access_token(self, context):
        headers = context['headers']
        oauth_headers = oauth1.get_oauth_headers(headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        request_token_id = oauth_headers.get('oauth_token')
        oauth_verifier = oauth_headers.get('oauth_verifier')

        if not consumer_id:
            raise exception.ValidationError(
                attribute='oauth_consumer_key', target='request')
        if not request_token_id:
            raise exception.ValidationError(
                attribute='oauth_token', target='request')
        if not oauth_verifier:
            raise exception.ValidationError(
                attribute='oauth_verifier', target='request')

        req_token = self.oauth_api.get_request_token(
            request_token_id)

        expires_at = req_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Request token is expired'))

        url = self.base_url(context, context['path'])

        access_verifier = oauth1.AccessTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        h, b, s = access_verifier.create_access_token_response(
            url,
            http_method='POST',
            body=context['query_string'],
            headers=headers)
        params = oauth1.extract_non_oauth_params(b)
        if params:
            msg = _('There should not be any non-oauth parameters')
            raise exception.Unauthorized(message=msg)

        if req_token['consumer_id'] != consumer_id:
            msg = _('provided consumer key does not match stored consumer key')
            raise exception.Unauthorized(message=msg)

        if req_token['verifier'] != oauth_verifier:
            msg = _('provided verifier does not match stored verifier')
            raise exception.Unauthorized(message=msg)

        if req_token['id'] != request_token_id:
            msg = _('provided request key does not match stored request key')
            raise exception.Unauthorized(message=msg)

        if not req_token.get('authorizing_user_id'):
            msg = _('Request Token does not have an authorizing user id')
            raise exception.Unauthorized(message=msg)

        access_token_duration = CONF.oauth1.access_token_duration
        initiator = notifications._get_request_audit_info(context)
        token_ref = self.oauth_api.create_access_token(request_token_id,
                                                       access_token_duration,
                                                       initiator)

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
                  % {'key': token_ref['id'],
                     'secret': token_ref['access_secret']})

        if CONF.oauth1.access_token_duration:
            expiry_bit = '&oauth_expires_at=%s' % (token_ref['expires_at'])
            result += expiry_bit

        headers = [('Content-Type', 'application/x-www-urlformencoded')]
        response = wsgi.render_response(result,
                                        status=(201, 'Created'),
                                        headers=headers)

        return response
Beispiel #12
0
    def create_access_token(self, context):
        headers = context["headers"]
        oauth_headers = oauth1.get_oauth_headers(headers)
        consumer_id = oauth_headers.get("oauth_consumer_key")
        request_token_id = oauth_headers.get("oauth_token")
        oauth_verifier = oauth_headers.get("oauth_verifier")

        if not consumer_id:
            raise exception.ValidationError(attribute="oauth_consumer_key", target="request")
        if not request_token_id:
            raise exception.ValidationError(attribute="oauth_token", target="request")
        if not oauth_verifier:
            raise exception.ValidationError(attribute="oauth_verifier", target="request")

        req_token = self.oauth_api.get_request_token(request_token_id)

        expires_at = req_token["expires_at"]
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_("Request token is expired"))

        url = self.base_url(context, context["path"])

        access_verifier = oauth1.AccessTokenEndpoint(
            request_validator=validator.OAuthValidator(), token_generator=oauth1.token_generator
        )
        h, b, s = access_verifier.create_access_token_response(
            url, http_method="POST", body=context["query_string"], headers=headers
        )
        params = oauth1.extract_non_oauth_params(b)
        if params:
            msg = _("There should not be any non-oauth parameters")
            raise exception.Unauthorized(message=msg)

        if req_token["consumer_id"] != consumer_id:
            msg = _("provided consumer key does not match stored consumer key")
            raise exception.Unauthorized(message=msg)

        if req_token["verifier"] != oauth_verifier:
            msg = _("provided verifier does not match stored verifier")
            raise exception.Unauthorized(message=msg)

        if req_token["id"] != request_token_id:
            msg = _("provided request key does not match stored request key")
            raise exception.Unauthorized(message=msg)

        if not req_token.get("authorizing_user_id"):
            msg = _("Request Token does not have an authorizing user id")
            raise exception.Unauthorized(message=msg)

        access_token_duration = CONF.oauth1.access_token_duration
        initiator = notifications._get_request_audit_info(context)
        token_ref = self.oauth_api.create_access_token(request_token_id, access_token_duration, initiator)

        result = "oauth_token=%(key)s&oauth_token_secret=%(secret)s" % {
            "key": token_ref["id"],
            "secret": token_ref["access_secret"],
        }

        if CONF.oauth1.access_token_duration:
            expiry_bit = "&oauth_expires_at=%s" % (token_ref["expires_at"])
            result += expiry_bit

        headers = [("Content-Type", "application/x-www-urlformencoded")]
        response = wsgi.render_response(result, status=(201, "Created"), headers=headers)

        return response
Beispiel #13
0
    def create_access_token(self, request):
        headers = request.context_dict['headers']
        oauth_headers = oauth1.get_oauth_headers(headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        request_token_id = oauth_headers.get('oauth_token')
        oauth_verifier = oauth_headers.get('oauth_verifier')

        if not consumer_id:
            raise exception.ValidationError(attribute='oauth_consumer_key',
                                            target='request')
        if not request_token_id:
            raise exception.ValidationError(attribute='oauth_token',
                                            target='request')
        if not oauth_verifier:
            raise exception.ValidationError(attribute='oauth_verifier',
                                            target='request')

        req_token = self.oauth_api.get_request_token(request_token_id)

        expires_at = req_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Request token is expired'))

        url = self.base_url(request.context_dict, request.context_dict['path'])

        access_verifier = oauth1.AccessTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        h, b, s = access_verifier.create_access_token_response(
            url,
            http_method='POST',
            body=request.context_dict['query_string'],
            headers=headers)
        params = oauth1.extract_non_oauth_params(b)
        if params:
            msg = _('There should not be any non-oauth parameters')
            raise exception.Unauthorized(message=msg)

        if req_token['consumer_id'] != consumer_id:
            msg = _('provided consumer key does not match stored consumer key')
            raise exception.Unauthorized(message=msg)

        if req_token['verifier'] != oauth_verifier:
            msg = _('provided verifier does not match stored verifier')
            raise exception.Unauthorized(message=msg)

        if req_token['id'] != request_token_id:
            msg = _('provided request key does not match stored request key')
            raise exception.Unauthorized(message=msg)

        if not req_token.get('authorizing_user_id'):
            msg = _('Request Token does not have an authorizing user id')
            raise exception.Unauthorized(message=msg)

        access_token_duration = CONF.oauth1.access_token_duration
        initiator = notifications._get_request_audit_info(request.context_dict)
        token_ref = self.oauth_api.create_access_token(request_token_id,
                                                       access_token_duration,
                                                       initiator)

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {
            'key': token_ref['id'],
            'secret': token_ref['access_secret']
        })

        if CONF.oauth1.access_token_duration:
            expiry_bit = '&oauth_expires_at=%s' % (token_ref['expires_at'])
            result += expiry_bit

        headers = [('Content-Type', 'application/x-www-urlformencoded')]
        response = wsgi.render_response(result,
                                        status=(201, 'Created'),
                                        headers=headers)

        return response
Beispiel #14
0
    def create_access_token(self, request):
        oauth_headers = oauth1.get_oauth_headers(request.headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        request_token_id = oauth_headers.get('oauth_token')
        oauth_verifier = oauth_headers.get('oauth_verifier')

        if not consumer_id:
            raise exception.ValidationError(
                attribute='oauth_consumer_key', target='request')
        if not request_token_id:
            raise exception.ValidationError(
                attribute='oauth_token', target='request')
        if not oauth_verifier:
            raise exception.ValidationError(
                attribute='oauth_verifier', target='request')

        req_token = self.oauth_api.get_request_token(
            request_token_id)

        expires_at = req_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expires = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expires:
                raise exception.Unauthorized(_('Request token is expired'))

        url = self.base_url(request.context_dict, request.context_dict['path'])

        access_verifier = oauth1.AccessTokenEndpoint(
            request_validator=validator.OAuthValidator(),
            token_generator=oauth1.token_generator)
        try:
            h, b, s = access_verifier.create_access_token_response(
                url,
                http_method='POST',
                body=request.params,
                headers=request.headers)
        except NotImplementedError:
            # Client key or request token validation failed, since keystone
            # does not yet support dummy client or dummy request token,
            # so we will raise Unauthorized exception instead.
            try:
                self.oauth_api.get_consumer(consumer_id)
            except exception.NotFound:
                msg = _('Provided consumer does not exist.')
                LOG.warning(msg)
                raise exception.Unauthorized(message=msg)
            if req_token['consumer_id'] != consumer_id:
                msg = _('Provided consumer key does not match stored '
                        'consumer key.')
                LOG.warning(msg)
                raise exception.Unauthorized(message=msg)
        # The response body is empty since either one of the following reasons
        if not b:
            if req_token['verifier'] != oauth_verifier:
                msg = _('Provided verifier does not match stored verifier')
            else:
                msg = _('Invalid signature.')
            LOG.warning(msg)
            raise exception.Unauthorized(message=msg)
        # show the details of the failure.
        oauth1.validate_oauth_params(b)
        if not req_token.get('authorizing_user_id'):
            msg = _('Request Token does not have an authorizing user id.')
            LOG.warning(msg)
            raise exception.Unauthorized(message=msg)

        access_token_duration = CONF.oauth1.access_token_duration
        token_ref = self.oauth_api.create_access_token(
            request_token_id,
            access_token_duration,
            initiator=request.audit_initiator
        )

        result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
                  % {'key': token_ref['id'],
                     'secret': token_ref['access_secret']})

        if CONF.oauth1.access_token_duration:
            expiry_bit = '&oauth_expires_at=%s' % (token_ref['expires_at'])
            result += expiry_bit

        headers = [('Content-Type', 'application/x-www-form-urlencoded')]
        response = wsgi.render_response(
            result,
            status=(http_client.CREATED,
                    http_client.responses[http_client.CREATED]),
            headers=headers)

        return response