def process_request(self, request):
"""Process request.
If this method returns a value then that value will be used as the
response. The next application down the stack will not be executed and
process_response will not be called.
Otherwise, the next application down the stack will be executed and
process_response will be called with the generated response.
By default this method does not return a value.
:param request: Incoming request
:type request: _request.AuthTokenRequest
"""
request.remove_auth_headers()
user_auth_ref = None
serv_auth_ref = None
if request.user_token:
self.log.debug('Authenticating user token')
try:
data, user_auth_ref = self._do_fetch_token(request.user_token)
self._validate_token(user_auth_ref)
self._confirm_token_bind(user_auth_ref, request)
except exc.InvalidToken:
self.log.info(_LI('Invalid user token'))
request.user_token_valid = False
else:
request.user_token_valid = True
request.environ['keystone.token_info'] = data
if request.service_token:
self.log.debug('Authenticating service token')
try:
_, serv_auth_ref = self._do_fetch_token(request.service_token)
self._validate_token(serv_auth_ref)
self._confirm_token_bind(serv_auth_ref, request)
except exc.InvalidToken:
self.log.info(_LI('Invalid service token'))
request.service_token_valid = False
else:
request.service_token_valid = True
p = _user_plugin.UserAuthPlugin(user_auth_ref, serv_auth_ref)
request.environ['keystone.token_auth'] = p
def process_request(self, request):
"""Process request.
If this method returns a value then that value will be used as the
response. The next application down the stack will not be executed and
process_response will not be called.
Otherwise, the next application down the stack will be executed and
process_response will be called with the generated response.
By default this method does not return a value.
:param request: Incoming request
:type request: _request.AuthTokenRequest
"""
user_auth_ref = None
serv_auth_ref = None
allow_expired = False
if request.service_token:
self.log.debug('Authenticating service token')
try:
_, serv_auth_ref = self._do_fetch_token(request.service_token)
self._validate_token(serv_auth_ref)
self._confirm_token_bind(serv_auth_ref, request)
except ksm_exceptions.InvalidToken:
self.log.info('Invalid service token')
request.service_token_valid = False
else:
# FIXME(jamielennox): The new behaviour for service tokens is
# that they have to pass the policy check to be allowed.
# Previously any token was accepted here. For now we will
# continue to mark service tokens as valid if they are valid
# but we will only allow service role tokens to do
# allow_expired. In future we should reject any token that
# isn't a service token here.
role_names = set(serv_auth_ref.role_names)
check = self._service_token_roles.intersection(role_names)
role_check_passed = bool(check)
# if service_token_role_required then the service token is only
# valid if the roles check out. Otherwise at this point it is
# true because keystone has already validated it.
if self._service_token_roles_required:
request.service_token_valid = role_check_passed
else:
if not self._service_token_warning_emitted:
self.log.warning('A valid token was submitted as '
'a service token, but it was not '
'a valid service token. This is '
'incorrect but backwards '
'compatible behaviour. This will '
'be removed in future releases.')
# prevent log spam on every single request
self._service_token_warning_emitted = True
request.service_token_valid = True
# allow_expired always requires passing the role check.
allow_expired = role_check_passed
if request.user_token:
self.log.debug('Authenticating user token')
try:
data, user_auth_ref = self._do_fetch_token(
request.user_token,
allow_expired=allow_expired)
self._validate_token(user_auth_ref,
allow_expired=allow_expired)
if not request.service_token:
self._confirm_token_bind(user_auth_ref, request)
except ksm_exceptions.InvalidToken:
self.log.info('Invalid user token')
request.user_token_valid = False
else:
request.user_token_valid = True
request.token_info = data
request.token_auth = _user_plugin.UserAuthPlugin(user_auth_ref,
serv_auth_ref)
def __call__(self, env, start_response):
"""Handle incoming request.
Authenticate send downstream on success. Reject request if
we can't authenticate.
"""
def _fmt_msg(env):
msg = ('user: user_id %s, project_id %s, roles %s '
'service: user_id %s, project_id %s, roles %s' % (
env.get('HTTP_X_USER_ID'), env.get('HTTP_X_PROJECT_ID'),
env.get('HTTP_X_ROLES'),
env.get('HTTP_X_SERVICE_USER_ID'),
env.get('HTTP_X_SERVICE_PROJECT_ID'),
env.get('HTTP_X_SERVICE_ROLES')))
return msg
self._token_cache.initialize(env)
self._remove_auth_headers(env)
try:
user_auth_ref = None
serv_auth_ref = None
try:
self._LOG.debug('Authenticating user token')
user_token = self._get_user_token_from_header(env)
user_token_info = self._validate_token(user_token, env)
user_auth_ref = access.AccessInfo.factory(
body=user_token_info,
auth_token=user_token)
env['keystone.token_info'] = user_token_info
user_headers = self._build_user_headers(user_auth_ref,
user_token_info)
self._add_headers(env, user_headers)
except exc.InvalidToken:
if self._delay_auth_decision:
self._LOG.info(
_LI('Invalid user token - deferring reject '
'downstream'))
self._add_headers(env, {'X-Identity-Status': 'Invalid'})
else:
self._LOG.info(
_LI('Invalid user token - rejecting request'))
return self._reject_request(env, start_response)
try:
self._LOG.debug('Authenticating service token')
serv_token = self._get_service_token_from_header(env)
if serv_token is not None:
serv_token_info = self._validate_token(
serv_token, env)
serv_auth_ref = access.AccessInfo.factory(
body=serv_token_info,
auth_token=serv_token)
serv_headers = self._build_service_headers(serv_token_info)
self._add_headers(env, serv_headers)
except exc.InvalidToken:
if self._delay_auth_decision:
self._LOG.info(
_LI('Invalid service token - deferring reject '
'downstream'))
self._add_headers(env,
{'X-Service-Identity-Status': 'Invalid'})
else:
self._LOG.info(
_LI('Invalid service token - rejecting request'))
return self._reject_request(env, start_response)
env['keystone.token_auth'] = _user_plugin.UserAuthPlugin(
user_auth_ref, serv_auth_ref)
except exc.ServiceError as e:
self._LOG.critical(_LC('Unable to obtain admin token: %s'), e)
return self._do_503_error(env, start_response)
self._LOG.debug("Received request from %s", _fmt_msg(env))
return self._call_app(env, start_response)
