    def _get_domain_id_for_list_request(self, request):
        """Resolve the domain_id a v3 list call should be scoped to.

        With domain-specific drivers enabled a list call has to be tied to a
        domain: the caller supplies it either through the ``domain_id`` query
        filter or implicitly through the scope of the token in use.

        :param request: incoming request; ``params`` and ``context_dict``
            are read
        :returns: the domain_id to use, or None when domain-specific drivers
            are disabled
        :raises keystone.exception.Unauthorized: when drivers are enabled but
            neither the filter nor the token scope yields a domain

        """
        # Without per-domain drivers there is nothing to scope on.
        if not CONF.identity.domain_specific_drivers_enabled:
            return None

        # NOTE(review): an explicit filter takes precedence over the token
        # scope; the policy layer is presumably where that filter value is
        # authorized against the caller -- verify.
        filtered_domain = request.params.get('domain_id')
        if filtered_domain:
            return filtered_domain

        token_ref = authorization.get_token_ref(request.context_dict)
        if token_ref.domain_scoped:
            return token_ref.domain_id
        if token_ref.project_scoped:
            return token_ref.project_domain_id

        msg = _('No domain information specified as part of list request')
        LOG.warning(msg)
        raise exception.Unauthorized(msg)
    def _get_domain_id_for_list_request(self, request):
        """Resolve the domain_id a v3 list call should be scoped to.

        With domain-specific drivers enabled a list call has to be tied to a
        domain: the caller supplies it either through the ``domain_id`` query
        filter or implicitly through the scope of the token in use.

        :param request: incoming request; ``params`` and ``context_dict``
            are read
        :returns: the domain_id to use, or None when domain-specific drivers
            are disabled
        :raises keystone.exception.Unauthorized: when drivers are enabled but
            neither the filter nor the token scope yields a domain

        """
        # Without per-domain drivers there is nothing to scope on.
        if not CONF.identity.domain_specific_drivers_enabled:
            return None

        # NOTE(review): an explicit filter takes precedence over the token
        # scope; the policy layer is presumably where that filter value is
        # authorized against the caller -- verify.
        filtered_domain = request.params.get('domain_id')
        if filtered_domain:
            return filtered_domain

        token_ref = authorization.get_token_ref(request.context_dict)
        if token_ref.domain_scoped:
            return token_ref.domain_id
        if token_ref.project_scoped:
            return token_ref.project_domain_id

        msg = _('No domain information specified as part of list request')
        LOG.warning(msg)
        raise exception.Unauthorized(msg)
 def delete_consumer(self, request, consumer_id):
     """Delete an OAuth consumer on behalf of the authenticated user.

     The user id is taken from the token in the request context; the
     user/consumer token-invalidate event is emitted first, then the
     consumer is removed through ``oauth_api`` with the request's audit
     initiator attached.

     :param request: incoming request; supplies the token context and
         ``audit_initiator``
     :param consumer_id: id of the consumer to delete

     """
     # NOTE(review): the invalidate event fires before the delete call;
     # what happens to that event if the delete then fails is not visible
     # here -- confirm with the notification handler.
     token_ref = authorization.get_token_ref(request.context_dict)
     _emit_user_oauth_consumer_token_invalidate(
         dict(user_id=token_ref.user_id, consumer_id=consumer_id))
     self.oauth_api.delete_consumer(
         consumer_id, initiator=request.audit_initiator)
 def delete_consumer(self, request, consumer_id):
     """Delete an OAuth consumer on behalf of the authenticated user.

     The user id is taken from the token in the request context; the
     user/consumer token-invalidate event is emitted first, then the
     consumer is removed through ``oauth_api`` with the request's audit
     initiator attached.

     :param request: incoming request; supplies the token context and
         ``audit_initiator``
     :param consumer_id: id of the consumer to delete

     """
     # NOTE(review): the invalidate event fires before the delete call;
     # what happens to that event if the delete then fails is not visible
     # here -- confirm with the notification handler.
     token_ref = authorization.get_token_ref(request.context_dict)
     _emit_user_oauth_consumer_token_invalidate(
         dict(user_id=token_ref.user_id, consumer_id=consumer_id))
     self.oauth_api.delete_consumer(
         consumer_id, initiator=request.audit_initiator)
    def _assert_identity(self, context, user_id):
        """Ensure the token in *context* was issued to *user_id*.

        :param context: standard context
        :param user_id: id of the user the caller claims to act as
        :raises keystone.exception.Forbidden: when the token's user differs
            from *user_id*

        """
        token_owner = authorization.get_token_ref(context).user_id
        if token_owner == user_id:
            return
        raise exception.Forbidden(_('Token belongs to another user'))
    def _assert_identity(self, context, user_id):
        """Ensure the token in *context* was issued to *user_id*.

        :param context: standard context
        :param user_id: id of the user the caller claims to act as
        :raises keystone.exception.Forbidden: when the token's user differs
            from *user_id*

        """
        token_owner = authorization.get_token_ref(context).user_id
        if token_owner == user_id:
            return
        raise exception.Forbidden(_('Token belongs to another user'))
    def authorize_request_token(self, request, request_token_id, roles):
        """Authorize a request token on behalf of the authenticated user.

        The authorizing user must hold, on the project the request token was
        issued for, every role listed in ``roles``. This is a CLI-driven flow,
        so the explicit role list is the only way the user can see what is
        being delegated before authorizing.

        :param request: incoming request; its context supplies the user token
        :param request_token_id: id of the request token being authorized
        :param roles: iterable of role dicts, each carrying an ``id``
        :returns: ``{'token': {'oauth_verifier': <verifier>}}``
        :raises keystone.exception.Forbidden: when the caller's own token was
            issued via delegation
        :raises keystone.exception.Unauthorized: when the request token has
            expired or the user lacks one of the requested roles

        """
        # A delegated credential may not be used to delegate further.
        if request.context.is_delegated_auth:
            raise exception.Forbidden(
                _('Cannot authorize a request token'
                  ' with a token issued via delegation.'))

        req_token = self.oauth_api.get_request_token(request_token_id)

        # A request token with no expires_at is not subject to this check.
        expires_at = req_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expiry = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expiry:
                raise exception.Unauthorized(_('Request token is expired'))

        # Requested role ids as a set so the subset test below is direct.
        requested_role_ids = {role['id'] for role in roles}

        # NOTE(review): the requested ids are checked only against the
        # authorizing user's own assignments on the token's project, not
        # against anything stored on the request token itself -- confirm
        # that matches the contract described in the docstring.
        user_id = authorization.get_token_ref(request.context_dict).user_id
        project_id = req_token['requested_project_id']
        held_role_ids = set(
            self.assignment_api.get_roles_for_user_and_project(
                user_id, project_id))

        if not requested_role_ids <= held_role_ids:
            msg = _('authorizing user does not have role required')
            raise exception.Unauthorized(message=msg)

        # The backend takes a plain list of ids.
        authed_token = self.oauth_api.authorize_request_token(
            request_token_id, user_id, list(requested_role_ids))

        return {'token': {'oauth_verifier': authed_token['verifier']}}
    def authorize_request_token(self, request, request_token_id, roles):
        """Authorize a request token on behalf of the authenticated user.

        The authorizing user must hold, on the project the request token was
        issued for, every role listed in ``roles``. This is a CLI-driven flow,
        so the explicit role list is the only way the user can see what is
        being delegated before authorizing.

        :param request: incoming request; its context supplies the user token
        :param request_token_id: id of the request token being authorized
        :param roles: iterable of role dicts, each carrying an ``id``
        :returns: ``{'token': {'oauth_verifier': <verifier>}}``
        :raises keystone.exception.Forbidden: when the caller's own token was
            issued via delegation
        :raises keystone.exception.Unauthorized: when the request token has
            expired or the user lacks one of the requested roles

        """
        # A delegated credential may not be used to delegate further.
        if request.context.is_delegated_auth:
            raise exception.Forbidden(
                _('Cannot authorize a request token'
                  ' with a token issued via delegation.'))

        req_token = self.oauth_api.get_request_token(request_token_id)

        # A request token with no expires_at is not subject to this check.
        expires_at = req_token['expires_at']
        if expires_at:
            now = timeutils.utcnow()
            expiry = timeutils.normalize_time(
                timeutils.parse_isotime(expires_at))
            if now > expiry:
                raise exception.Unauthorized(_('Request token is expired'))

        # Requested role ids as a set so the subset test below is direct.
        requested_role_ids = {role['id'] for role in roles}

        # NOTE(review): the requested ids are checked only against the
        # authorizing user's own assignments on the token's project, not
        # against anything stored on the request token itself -- confirm
        # that matches the contract described in the docstring.
        user_id = authorization.get_token_ref(request.context_dict).user_id
        project_id = req_token['requested_project_id']
        held_role_ids = set(
            self.assignment_api.get_roles_for_user_and_project(
                user_id, project_id))

        if not requested_role_ids <= held_role_ids:
            msg = _('authorizing user does not have role required')
            raise exception.Unauthorized(message=msg)

        # The backend takes a plain list of ids.
        authed_token = self.oauth_api.authorize_request_token(
            request_token_id, user_id, list(requested_role_ids))

        return {'token': {'oauth_verifier': authed_token['verifier']}}
    def get_projects_for_token(self, request, **kw):
        """List the v2 tenants available to the user behind the request token.

        The token is read from the request context; the user's projects are
        looked up and narrowed to those in the configured default domain,
        then converted to their v2 representation. Token scope plays no part.

        :param request: incoming request; supplies the token context and the
            ``limit``/``marker`` query parameters
        :param kw: accepted for interface compatibility; not read
        :returns: whatever ``format_project_list`` produces for the tenants

        """
        token_ref = authorization.get_token_ref(request.context_dict)

        all_projects = self.assignment_api.list_projects_for_user(
            token_ref.user_id)
        # Only default-domain projects are representable as v2 tenants here.
        v2_tenants = [
            self.v3_to_v2_project(project)
            for project in all_projects
            if project['domain_id'] == CONF.identity.default_domain_id
        ]
        return self.format_project_list(
            v2_tenants,
            limit=request.params.get('limit'),
            marker=request.params.get('marker'),
        )
    def get_projects_for_token(self, request, **kw):
        """List the v2 tenants available to the user behind the request token.

        The token is read from the request context; the user's projects are
        looked up and narrowed to those in the configured default domain,
        then converted to their v2 representation. Token scope plays no part.

        :param request: incoming request; supplies the token context and the
            ``limit``/``marker`` query parameters
        :param kw: accepted for interface compatibility; not read
        :returns: whatever ``format_project_list`` produces for the tenants

        """
        token_ref = authorization.get_token_ref(request.context_dict)

        all_projects = self.assignment_api.list_projects_for_user(
            token_ref.user_id)
        # Only default-domain projects are representable as v2 tenants here.
        v2_tenants = [
            self.v3_to_v2_project(project)
            for project in all_projects
            if project['domain_id'] == CONF.identity.default_domain_id
        ]
        return self.format_project_list(
            v2_tenants,
            limit=request.params.get('limit'),
            marker=request.params.get('marker'),
        )