Ejemplo n.º 1
0
 def _populate_token_dates(self, token_data, expires=None, trust=None):
     if not expires:
         expires = token.default_expire_time()
     if not isinstance(expires, basestring):
         expires = timeutils.isotime(expires, subsecond=True)
     token_data['expires_at'] = expires
     token_data['issued_at'] = timeutils.isotime(subsecond=True)
Ejemplo n.º 2
0
 def _populate_token_dates(self, token_data, expires=None, trust=None,
                           issued_at=None):
     if not expires:
         expires = provider.default_expire_time()
     if not isinstance(expires, six.string_types):
         expires = timeutils.isotime(expires, subsecond=True)
     token_data['expires_at'] = expires
     token_data['issued_at'] = (issued_at or
                                timeutils.isotime(subsecond=True))
Ejemplo n.º 3
0
 def to_dict(self):
     keys = ["user_id", "role_id", "domain_id", "project_id"]
     event = dict((key, self.__dict__[key]) for key in keys if self.__dict__[key] is not None)
     if self.trust_id is not None:
         event["OS-TRUST:trust_id"] = self.trust_id
     if self.consumer_id is not None:
         event["OS-OAUTH1:consumer_id"] = self.consumer_id
     if self.consumer_id is not None:
         event["OS-OAUTH1:access_token_id"] = self.access_token_id
     if self.expires_at is not None:
         event["expires_at"] = timeutils.isotime(self.expires_at, subsecond=True)
     if self.issued_before is not None:
         event["issued_before"] = timeutils.isotime(self.issued_before, subsecond=True)
     return event
Ejemplo n.º 4
0
 def _populate_token(self, token_data, expires=None):
     if not expires:
         expires = token_module.default_expire_time()
     if not isinstance(expires, unicode):
         expires = timeutils.isotime(expires)
     token_data['expires'] = expires
     token_data['issued_at'] = timeutils.strtime()
Ejemplo n.º 5
0
def create_v3_token():
    return {
        "token": {
            "expires_at": timeutils.isotime(CURRENT_DATE + FUTURE_DELTA),
            "issued_at": "2013-05-21T00:02:43.941473Z",
        }
    }
Ejemplo n.º 6
0
def create_v3_token():
    return {
        "token": {
            "expires_at": timeutils.isotime(CURRENT_DATE + FUTURE_DELTA),
            "issued_at": "2013-05-21T00:02:43.941473Z",
        }
    }
Ejemplo n.º 7
0
    def create_request_token(self, consumer_id, roles, project_id,
                             token_duration):
        expiry_date = None
        if token_duration:
            now = timeutils.utcnow()
            future = now + datetime.timedelta(seconds=token_duration)
            expiry_date = timeutils.isotime(future, subsecond=True)

        ref = {}
        request_token_id = uuid.uuid4().hex
        ref['id'] = request_token_id
        ref['request_secret'] = uuid.uuid4().hex
        ref['verifier'] = None
        ref['authorizing_user_id'] = None
        ref['requested_project_id'] = project_id
        ref['requested_roles'] = roles
        ref['consumer_id'] = consumer_id
        ref['expires_at'] = expiry_date
        self.db.set('request_token-%s' % request_token_id, ref)

        # add req token to the list that containers the consumers req tokens
        consumer_requests = set(
            self.db.get('consumer-%s-requests' % consumer_id, []))
        consumer_requests.add(request_token_id)
        self.db.set('consumer-%s-requests' % consumer_id,
                    list(consumer_requests))
        return ref
Ejemplo n.º 8
0
    def _create_response(self, issuer, status, assertion, recipient):
        """Create an object that represents a SAML Response.

        <ns0:Response
          Destination="http://beta.com/Shibboleth.sso/SAML2/POST"
          ID="c5954543230e4e778bc5b92923a0512d"
          IssueInstant="2014-07-30T03:19:45Z"
          Version="2.0" />
            <ns0:Issuer> ... </ns0:Issuer>
            <ns0:Assertion> ... </ns0:Assertion>
            <ns0:Status> ... </ns0:Status>
        </ns0:Response>

        :return: XML <Response> object

        """
        response = samlp.Response()
        response.id = uuid.uuid4().hex
        response.destination = recipient
        response.issue_instant = timeutils.isotime()
        response.version = '2.0'
        response.issuer = issuer
        response.status = status
        response.assertion = assertion
        return response
Ejemplo n.º 9
0
    def _create_assertion(self, issuer, signature, subject, authn_statement,
                          attribute_statement):
        """Create an object that represents a SAML Assertion.

        <ns0:Assertion
          ID="35daed258ba647ba8962e9baff4d6a46"
          IssueInstant="2014-06-11T15:45:58Z"
          Version="2.0">
            <ns0:Issuer> ... </ns0:Issuer>
            <ns1:Signature> ... </ns1:Signature>
            <ns0:Subject> ... </ns0:Subject>
            <ns0:AuthnStatement> ... </ns0:AuthnStatement>
            <ns0:AttributeStatement> ... </ns0:AttributeStatement>
        </ns0:Assertion>

        :return: XML <Assertion> object

        """
        assertion = saml.Assertion()
        assertion.id = self.assertion_id
        assertion.issue_instant = timeutils.isotime()
        assertion.version = '2.0'
        assertion.issuer = issuer
        assertion.signature = signature
        assertion.subject = subject
        assertion.authn_statement = authn_statement
        assertion.attribute_statement = attribute_statement
        return assertion
Ejemplo n.º 10
0
    def _add_to_revocation_list(self, data, lock):
        filtered_list = []
        revoked_token_data = {}

        current_time = self._get_current_time()
        expires = data['expires']

        if isinstance(expires, six.string_types):
            expires = timeutils.parse_isotime(expires)

        expires = timeutils.normalize_time(expires)

        if expires < current_time:
            LOG.warning(
                _('Token `%s` is expired, not adding to the '
                  'revocation list.'), data['id'])
            return

        revoked_token_data['expires'] = timeutils.isotime(expires,
                                                          subsecond=True)
        revoked_token_data['id'] = data['id']

        token_list = self._get_key_or_default(self.revocation_key, default=[])
        if not isinstance(token_list, list):
            # NOTE(morganfainberg): In the case that the revocation list is not
            # in a format we understand, reinitialize it. This is an attempt to
            # not allow the revocation list to be completely broken if
            # somehow the key is changed outside of keystone (e.g. memcache
            # that is shared by multiple applications). Logging occurs at error
            # level so that the cloud administrators have some awareness that
            # the revocation_list needed to be cleared out. In all, this should
            # be recoverable. Keystone cannot control external applications
            # from changing a key in some backends, however, it is possible to
            # gracefully handle and notify of this event.
            LOG.error(
                _('Reinitializing revocation list due to error '
                  'in loading revocation list from backend.  '
                  'Expected `list` type got `%(type)s`. Old '
                  'revocation list data: %(list)r'), {
                      'type': type(token_list),
                      'list': token_list
                  })
            token_list = []

        # NOTE(morganfainberg): on revocation, cleanup the expired entries, try
        # to keep the list of tokens revoked at the minimum.
        for token_data in token_list:
            try:
                expires_at = timeutils.normalize_time(
                    timeutils.parse_isotime(token_data['expires']))
            except ValueError:
                LOG.warning(
                    _('Removing `%s` from revocation list due to '
                      'invalid expires data in revocation list.'),
                    token_data.get('id', 'INVALID_TOKEN_DATA'))
                continue
            if expires_at > current_time:
                filtered_list.append(token_data)
        filtered_list.append(revoked_token_data)
        self._set_key(self.revocation_key, filtered_list, lock)
Ejemplo n.º 11
0
 def assertReportedEventMatchesRecorded(self, event, sample, before_time):
     after_time = timeutils.utcnow()
     event_issued_before = timeutils.normalize_time(
         timeutils.parse_isotime(event['issued_before']))
     self.assertTrue(
         before_time <= event_issued_before,
         'invalid event issued_before time; %s is not later than %s.' % (
             timeutils.isotime(event_issued_before, subsecond=True),
             timeutils.isotime(before_time, subsecond=True)))
     self.assertTrue(
         event_issued_before <= after_time,
         'invalid event issued_before time; %s is not earlier than %s.' % (
             timeutils.isotime(event_issued_before, subsecond=True),
             timeutils.isotime(after_time, subsecond=True)))
     del (event['issued_before'])
     self.assertEqual(sample, event)
Ejemplo n.º 12
0
    def _create_response(self, issuer, status, assertion, recipient):
        """Create an object that represents a SAML Response.

        <ns0:Response
          Destination="http://beta.com/Shibboleth.sso/SAML2/POST"
          ID="c5954543230e4e778bc5b92923a0512d"
          IssueInstant="2014-07-30T03:19:45Z"
          Version="2.0" />
            <ns0:Issuer> ... </ns0:Issuer>
            <ns0:Assertion> ... </ns0:Assertion>
            <ns0:Status> ... </ns0:Status>
        </ns0:Response>

        :return: XML <Response> object

        """
        response = samlp.Response()
        response.id = uuid.uuid4().hex
        response.destination = recipient
        response.issue_instant = timeutils.isotime()
        response.version = '2.0'
        response.issuer = issuer
        response.status = status
        response.assertion = assertion
        return response
Ejemplo n.º 13
0
 def assertReportedEventMatchesRecorded(self, event, sample, before_time):
     after_time = timeutils.utcnow()
     event_issued_before = timeutils.normalize_time(
         timeutils.parse_isotime(event['issued_before']))
     self.assertTrue(
         before_time <= event_issued_before,
         'invalid event issued_before time; %s is not later than %s.' %
         (timeutils.isotime(event_issued_before, subsecond=True),
          timeutils.isotime(before_time, subsecond=True)))
     self.assertTrue(
         event_issued_before <= after_time,
         'invalid event issued_before time; %s is not earlier than %s.' %
         (timeutils.isotime(event_issued_before, subsecond=True),
          timeutils.isotime(after_time, subsecond=True)))
     del (event['issued_before'])
     self.assertEqual(sample, event)
Ejemplo n.º 14
0
 def format_token(cls, token_ref, roles_ref, catalog_ref=None):
     user_ref = token_ref['user']
     metadata_ref = token_ref['metadata']
     expires = token_ref['expires']
     if expires is not None:
         if not isinstance(expires, unicode):
             expires = timeutils.isotime(expires)
     o = {'access': {'token': {'id': token_ref['id'],
                               'expires': expires,
                               'issued_at': timeutils.strtime()
                               },
                     'user': {'id': user_ref['id'],
                              'name': user_ref['name'],
                              'username': user_ref['name'],
                              'roles': roles_ref,
                              'roles_links': metadata_ref.get('roles_links',
                                                              [])
                              }
                     }
          }
     if 'tenant' in token_ref and token_ref['tenant']:
         token_ref['tenant']['enabled'] = True
         o['access']['token']['tenant'] = token_ref['tenant']
     if catalog_ref is not None:
         o['access']['serviceCatalog'] = Auth.format_catalog(catalog_ref)
     if metadata_ref:
         if 'is_admin' in metadata_ref:
             o['access']['metadata'] = {'is_admin':
                                        metadata_ref['is_admin']}
         else:
             o['access']['metadata'] = {'is_admin': 0}
     if 'roles' in metadata_ref:
             o['access']['metadata']['roles'] = metadata_ref['roles']
     return o
Ejemplo n.º 15
0
Archivo: sql.py Proyecto: iele/keystone 
    def create_access_token(self, request_token_id, token_duration,
                            access_token_id=None, access_token_secret=None):
        if access_token_id is None:
            access_token_id = uuid.uuid4().hex
        if access_token_secret is None:
            access_token_secret = uuid.uuid4().hex
        session = sql.get_session()
        with session.begin():
            req_token_ref = self._get_request_token(session, request_token_id)
            token_dict = req_token_ref.to_dict()

            expiry_date = None
            if token_duration:
                now = timeutils.utcnow()
                future = now + datetime.timedelta(seconds=token_duration)
                expiry_date = timeutils.isotime(future, subsecond=True)

            # add Access Token
            ref = {}
            ref['id'] = access_token_id
            ref['access_secret'] = access_token_secret
            ref['authorizing_user_id'] = token_dict['authorizing_user_id']
            ref['project_id'] = token_dict['requested_project_id']
            ref['role_ids'] = token_dict['role_ids']
            ref['consumer_id'] = token_dict['consumer_id']
            ref['expires_at'] = expiry_date
            token_ref = AccessToken.from_dict(ref)
            session.add(token_ref)

            # remove request token, it's been used
            session.delete(req_token_ref)

        return token_ref.to_dict()
Ejemplo n.º 16
0
 def format_token(cls, token_ref, roles_ref, catalog_ref=None):
     user_ref = token_ref["user"]
     metadata_ref = token_ref["metadata"]
     expires = token_ref["expires"]
     if expires is not None:
         if not isinstance(expires, unicode):
             expires = timeutils.isotime(expires)
     o = {
         "access": {
             "token": {"id": token_ref["id"], "expires": expires, "issued_at": timeutils.strtime()},
             "user": {
                 "id": user_ref["id"],
                 "name": user_ref["name"],
                 "username": user_ref["name"],
                 "roles": roles_ref,
                 "roles_links": metadata_ref.get("roles_links", []),
             },
         }
     }
     if "tenant" in token_ref and token_ref["tenant"]:
         token_ref["tenant"]["enabled"] = True
         o["access"]["token"]["tenant"] = token_ref["tenant"]
     if catalog_ref is not None:
         o["access"]["serviceCatalog"] = Auth.format_catalog(catalog_ref)
     if metadata_ref:
         if "is_admin" in metadata_ref:
             o["access"]["metadata"] = {"is_admin": metadata_ref["is_admin"]}
         else:
             o["access"]["metadata"] = {"is_admin": 0}
     if "roles" in metadata_ref:
         o["access"]["metadata"]["roles"] = metadata_ref["roles"]
     return o
Ejemplo n.º 17
0
    def create_access_token(self, request_token_id, token_duration):
        session = self.get_session()
        with session.begin():
            req_token_ref = self._get_request_token(session, request_token_id)
            token_dict = req_token_ref.to_dict()

            expiry_date = None
            if token_duration:
                now = timeutils.utcnow()
                future = now + datetime.timedelta(seconds=token_duration)
                expiry_date = timeutils.isotime(future, subsecond=True)

            # add Access Token
            ref = {}
            access_token_id = uuid.uuid4().hex
            ref['id'] = access_token_id
            ref['access_secret'] = uuid.uuid4().hex
            ref['authorizing_user_id'] = token_dict['authorizing_user_id']
            ref['project_id'] = token_dict['requested_project_id']
            ref['requested_roles'] = token_dict['requested_roles']
            ref['consumer_id'] = token_dict['consumer_id']
            ref['expires_at'] = expiry_date
            token_ref = AccessToken.from_dict(ref)
            session.add(token_ref)

            # remove request token, it's been used
            q = session.query(RequestToken)
            q = q.filter_by(id=request_token_id)
            q.delete(False)
            session.delete(req_token_ref)

            session.flush()
        return token_ref.to_dict()
Ejemplo n.º 18
0
    def create_access_token(self, request_token_id, token_duration,
                            access_token_id=None, access_token_secret=None):
        if access_token_id is None:
            access_token_id = uuid.uuid4().hex
        if access_token_secret is None:
            access_token_secret = uuid.uuid4().hex
        session = sql.get_session()
        with session.begin():
            req_token_ref = self._get_request_token(session, request_token_id)
            token_dict = req_token_ref.to_dict()

            expiry_date = None
            if token_duration:
                now = timeutils.utcnow()
                future = now + datetime.timedelta(seconds=token_duration)
                expiry_date = timeutils.isotime(future, subsecond=True)

            # add Access Token
            ref = {}
            ref['id'] = access_token_id
            ref['access_secret'] = access_token_secret
            ref['authorizing_user_id'] = token_dict['authorizing_user_id']
            ref['project_id'] = token_dict['requested_project_id']
            ref['role_ids'] = token_dict['role_ids']
            ref['consumer_id'] = token_dict['consumer_id']
            ref['expires_at'] = expiry_date
            token_ref = AccessToken.from_dict(ref)
            session.add(token_ref)

            # remove request token, it's been used
            session.delete(req_token_ref)

        return token_ref.to_dict()
Ejemplo n.º 19
0
 def list_trusts(self, context):
     query = context['query_string']
     trusts = []
     if not query:
         self.assert_admin(context)
         trusts += self.trust_api.list_trusts()
     if 'trustor_user_id' in query:
         user_id = query['trustor_user_id']
         calling_user_id = self._get_user_id(context)
         if user_id != calling_user_id:
             raise exception.Forbidden()
         trusts += (self.trust_api.list_trusts_for_trustor(user_id))
     if 'trustee_user_id' in query:
         user_id = query['trustee_user_id']
         calling_user_id = self._get_user_id(context)
         if user_id != calling_user_id:
             raise exception.Forbidden()
         trusts += self.trust_api.list_trusts_for_trustee(user_id)
     for trust in trusts:
         # get_trust returns roles, list_trusts does not
         # It seems in some circumstances, roles does not
         # exist in the query response, so check first
         if 'roles' in trust:
             del trust['roles']
         if trust.get('expires_at') is not None:
             trust['expires_at'] = (timeutils.isotime(trust['expires_at'],
                                                      subsecond=True))
     return TrustV3.wrap_collection(context, trusts)
Ejemplo n.º 20
0
    def _create_assertion(self, issuer, signature, subject, authn_statement,
                          attribute_statement):
        """Create an object that represents a SAML Assertion.

        <ns0:Assertion
          ID="35daed258ba647ba8962e9baff4d6a46"
          IssueInstant="2014-06-11T15:45:58Z"
          Version="2.0">
            <ns0:Issuer> ... </ns0:Issuer>
            <ns1:Signature> ... </ns1:Signature>
            <ns0:Subject> ... </ns0:Subject>
            <ns0:AuthnStatement> ... </ns0:AuthnStatement>
            <ns0:AttributeStatement> ... </ns0:AttributeStatement>
        </ns0:Assertion>

        :return: XML <Assertion> object

        """
        assertion = saml.Assertion()
        assertion.id = self.assertion_id
        assertion.issue_instant = timeutils.isotime()
        assertion.version = '2.0'
        assertion.issuer = issuer
        assertion.signature = signature
        assertion.subject = subject
        assertion.authn_statement = authn_statement
        assertion.attribute_statement = attribute_statement
        return assertion
Ejemplo n.º 21
0
 def list_trusts(self, context):
     query = context['query_string']
     trusts = []
     if not query:
         self.assert_admin(context)
         trusts += self.trust_api.list_trusts()
     if 'trustor_user_id' in query:
         user_id = query['trustor_user_id']
         calling_user_id = self._get_user_id(context)
         if user_id != calling_user_id:
             raise exception.Forbidden()
         trusts += (self.trust_api.
                    list_trusts_for_trustor(user_id))
     if 'trustee_user_id' in query:
         user_id = query['trustee_user_id']
         calling_user_id = self._get_user_id(context)
         if user_id != calling_user_id:
             raise exception.Forbidden()
         trusts += self.trust_api.list_trusts_for_trustee(user_id)
     for trust in trusts:
         # get_trust returns roles, list_trusts does not
         # It seems in some circumstances, roles does not
         # exist in the query response, so check first
         if 'roles' in trust:
             del trust['roles']
         if trust.get('expires_at') is not None:
             trust['expires_at'] = (timeutils.isotime
                                    (trust['expires_at'],
                                     subsecond=True))
     return TrustV3.wrap_collection(context, trusts)
Ejemplo n.º 22
0
    def create_request_token(self, consumer_id, roles,
                             project_id, token_duration):
        expiry_date = None
        if token_duration:
            now = timeutils.utcnow()
            future = now + datetime.timedelta(seconds=token_duration)
            expiry_date = timeutils.isotime(future, subsecond=True)

        ref = {}
        request_token_id = uuid.uuid4().hex
        ref['id'] = request_token_id
        ref['request_secret'] = uuid.uuid4().hex
        ref['verifier'] = None
        ref['authorizing_user_id'] = None
        ref['requested_project_id'] = project_id
        ref['requested_roles'] = roles
        ref['consumer_id'] = consumer_id
        ref['expires_at'] = expiry_date
        self.db.set('request_token-%s' % request_token_id, ref)

        # add req token to the list that containers the consumers req tokens
        consumer_requests = set(self.db.get('consumer-%s-requests' %
                                            consumer_id, []))
        consumer_requests.add(request_token_id)
        self.db.set('consumer-%s-requests' %
                    consumer_id, list(consumer_requests))
        return ref
Ejemplo n.º 23
0
    def create_request_token(self,
                             consumer_id,
                             project_id,
                             token_duration,
                             request_token_id=None,
                             request_token_secret=None):
        if request_token_id is None:
            request_token_id = uuid.uuid4().hex
        if request_token_secret is None:
            request_token_secret = uuid.uuid4().hex
        expiry_date = None
        if token_duration:
            now = timeutils.utcnow()
            future = now + datetime.timedelta(seconds=token_duration)
            expiry_date = timeutils.isotime(future, subsecond=True)

        ref = {}
        ref['id'] = request_token_id
        ref['request_secret'] = request_token_secret
        ref['verifier'] = None
        ref['authorizing_user_id'] = None
        ref['requested_project_id'] = project_id
        ref['role_ids'] = None
        ref['consumer_id'] = consumer_id
        ref['expires_at'] = expiry_date
        session = db_session.get_session()
        with session.begin():
            token_ref = RequestToken.from_dict(ref)
            session.add(token_ref)
        return token_ref.to_dict()
Ejemplo n.º 24
0
    def create_access_token(self, request_token_id, token_duration):
        session = self.get_session()
        with session.begin():
            req_token_ref = self._get_request_token(session, request_token_id)
            token_dict = req_token_ref.to_dict()

            expiry_date = None
            if token_duration:
                now = timeutils.utcnow()
                future = now + datetime.timedelta(seconds=token_duration)
                expiry_date = timeutils.isotime(future, subsecond=True)

            # add Access Token
            ref = {}
            access_token_id = uuid.uuid4().hex
            ref['id'] = access_token_id
            ref['access_secret'] = uuid.uuid4().hex
            ref['authorizing_user_id'] = token_dict['authorizing_user_id']
            ref['project_id'] = token_dict['requested_project_id']
            ref['requested_roles'] = token_dict['requested_roles']
            ref['consumer_id'] = token_dict['consumer_id']
            ref['expires_at'] = expiry_date
            token_ref = AccessToken.from_dict(ref)
            session.add(token_ref)

            # remove request token, it's been used
            q = session.query(RequestToken)
            q = q.filter_by(id=request_token_id)
            q.delete(False)
            session.delete(req_token_ref)

            session.flush()
        return token_ref.to_dict()
Ejemplo n.º 25
0
Archivo: sql.py Proyecto: iele/keystone 
    def create_request_token(self, consumer_id, project_id, token_duration,
                             request_token_id=None, request_token_secret=None):
        if request_token_id is None:
            request_token_id = uuid.uuid4().hex
        if request_token_secret is None:
            request_token_secret = uuid.uuid4().hex
        expiry_date = None
        if token_duration:
            now = timeutils.utcnow()
            future = now + datetime.timedelta(seconds=token_duration)
            expiry_date = timeutils.isotime(future, subsecond=True)

        ref = {}
        ref['id'] = request_token_id
        ref['request_secret'] = request_token_secret
        ref['verifier'] = None
        ref['authorizing_user_id'] = None
        ref['requested_project_id'] = project_id
        ref['role_ids'] = None
        ref['consumer_id'] = consumer_id
        ref['expires_at'] = expiry_date
        session = sql.get_session()
        with session.begin():
            token_ref = RequestToken.from_dict(ref)
            session.add(token_ref)
        return token_ref.to_dict()
Ejemplo n.º 26
0
    def _fill_in_roles(self, context, trust, global_roles):
        if trust.get('expires_at') is not None:
            trust['expires_at'] = (timeutils.isotime(trust['expires_at'],
                                                     subsecond=True))

        if not 'roles' in trust:
            trust['roles'] = []
        trust_full_roles = []
        for trust_role in trust['roles']:
            if isinstance(trust_role, basestring):
                trust_role = {'id': trust_role}
            matching_roles = [
                x for x in global_roles if x['id'] == trust_role['id']
            ]
            if matching_roles:
                full_role = identity.controllers.RoleV3.wrap_member(
                    context, matching_roles[0])['role']
                trust_full_roles.append(full_role)
        trust['roles'] = trust_full_roles
        trust['roles_links'] = {
            'self':
            (CONF.public_endpoint % CONF + "trusts/%s/roles" % trust['id']),
            'next': None,
            'previous': None
        }
Ejemplo n.º 27
0
 def to_dict(self):
     keys = ['user_id', 'role_id', 'domain_id', 'project_id']
     event = dict((key, self.__dict__[key]) for key in keys
                  if self.__dict__[key] is not None)
     if self.trust_id is not None:
         event['OS-TRUST:trust_id'] = self.trust_id
     if self.consumer_id is not None:
         event['OS-OAUTH1:consumer_id'] = self.consumer_id
     if self.consumer_id is not None:
         event['OS-OAUTH1:access_token_id'] = self.access_token_id
     if self.expires_at is not None:
         event['expires_at'] = timeutils.isotime(self.expires_at,
                                                 subsecond=True)
     if self.issued_before is not None:
         event['issued_before'] = timeutils.isotime(self.issued_before,
                                                    subsecond=True)
     return event
Ejemplo n.º 28
0
def create_v3_token():
    return {
        "token": {
            'methods': [],
            "expires_at": timeutils.isotime(timeutils.utcnow() + FUTURE_DELTA),
            "issued_at": "2013-05-21T00:02:43.941473Z",
        }
    }
Ejemplo n.º 29
0
def create_v3_token():
    return {
        "token": {
            "methods": [],
            "expires_at": timeutils.isotime(timeutils.utcnow() + FUTURE_DELTA),
            "issued_at": "2013-05-21T00:02:43.941473Z",
        }
    }
Ejemplo n.º 30
0
 def test_revoke_by_expiration_project_and_domain_fails(self):
     user_id = _new_id()
     expires_at = timeutils.isotime(_future_time(), subsecond=True)
     domain_id = _new_id()
     project_id = _new_id()
     self.assertThat(
         lambda: self.revoke_api.revoke_by_expiration(
             user_id, expires_at, domain_id=domain_id,
             project_id=project_id),
         matchers.raises(exception.UnexpectedError))
Ejemplo n.º 31
0
def create_v2_token():
    return {
        "access": {
            "token": {
                "expires": timeutils.isotime(timeutils.utcnow() + FUTURE_DELTA),
                "issued_at": "2013-05-21T00:02:43.941473Z",
                "tenant": {"enabled": True, "id": "01257", "name": "service"},
            }
        }
    }
Ejemplo n.º 32
0
    def _add_to_revocation_list(self, data, lock):
        filtered_list = []
        revoked_token_data = {}

        current_time = self._get_current_time()
        expires = data['expires']

        if isinstance(expires, six.string_types):
            expires = timeutils.parse_isotime(expires)

        expires = timeutils.normalize_time(expires)

        if expires < current_time:
            LOG.warning(_('Token `%s` is expired, not adding to the '
                          'revocation list.'), data['id'])
            return

        revoked_token_data['expires'] = timeutils.isotime(expires,
                                                          subsecond=True)
        revoked_token_data['id'] = data['id']

        token_list = self._get_key_or_default(self.revocation_key, default=[])
        if not isinstance(token_list, list):
            # NOTE(morganfainberg): In the case that the revocation list is not
            # in a format we understand, reinitialize it. This is an attempt to
            # not allow the revocation list to be completely broken if
            # somehow the key is changed outside of keystone (e.g. memcache
            # that is shared by multiple applications). Logging occurs at error
            # level so that the cloud administrators have some awareness that
            # the revocation_list needed to be cleared out. In all, this should
            # be recoverable. Keystone cannot control external applications
            # from changing a key in some backends, however, it is possible to
            # gracefully handle and notify of this event.
            LOG.error(_('Reinitializing revocation list due to error '
                        'in loading revocation list from backend.  '
                        'Expected `list` type got `%(type)s`. Old '
                        'revocation list data: %(list)r'),
                      {'type': type(token_list), 'list': token_list})
            token_list = []

        # NOTE(morganfainberg): on revocation, cleanup the expired entries, try
        # to keep the list of tokens revoked at the minimum.
        for token_data in token_list:
            try:
                expires_at = timeutils.normalize_time(
                    timeutils.parse_isotime(token_data['expires']))
            except ValueError:
                LOG.warning(_('Removing `%s` from revocation list due to '
                              'invalid expires data in revocation list.'),
                            token_data.get('id', 'INVALID_TOKEN_DATA'))
                continue
            if expires_at > current_time:
                filtered_list.append(token_data)
        filtered_list.append(revoked_token_data)
        self._set_key(self.revocation_key, filtered_list, lock)
Ejemplo n.º 33
0
 def test_revoked_token_in_list(self):
     user_id = uuid.uuid4().hex
     expires_at = token.default_expire_time()
     sample = self._blank_event()
     sample['user_id'] = unicode(user_id)
     sample['expires_at'] = unicode(timeutils.isotime(expires_at))
     before_time = timeutils.utcnow()
     self.revoke_api.revoke_by_expiration(user_id, expires_at)
     resp = self.get('/OS-REVOKE/events')
     events = resp.json_body['events']
     self.assertEqual(len(events), 1)
     self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
Ejemplo n.º 34
0
 def test_revoked_token_in_list(self):
     user_id = uuid.uuid4().hex
     expires_at = provider.default_expire_time()
     sample = self._blank_event()
     sample['user_id'] = six.text_type(user_id)
     sample['expires_at'] = six.text_type(timeutils.isotime(expires_at))
     before_time = timeutils.utcnow()
     self.revoke_api.revoke_by_expiration(user_id, expires_at)
     resp = self.get('/OS-REVOKE/events')
     events = resp.json_body['events']
     self.assertEqual(len(events), 1)
     self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
Ejemplo n.º 35
0
 def to_dict(self):
     keys = ['user_id',
             'role_id',
             'domain_id',
             'domain_scope_id',
             'project_id',
             ]
     event = dict((key, self.__dict__[key]) for key in keys
                  if self.__dict__[key] is not None)
     if self.trust_id is not None:
         event['OS-TRUST:trust_id'] = self.trust_id
     if self.consumer_id is not None:
         event['OS-OAUTH1:consumer_id'] = self.consumer_id
     if self.consumer_id is not None:
         event['OS-OAUTH1:access_token_id'] = self.access_token_id
     if self.expires_at is not None:
         event['expires_at'] = timeutils.isotime(self.expires_at)
     if self.issued_before is not None:
         event['issued_before'] = timeutils.isotime(self.issued_before,
                                                    subsecond=True)
     return event
Ejemplo n.º 36
0
    def revocation_list(self, context, auth=None):
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t["expires"]
            if not (expires and isinstance(expires, unicode)):
                t["expires"] = timeutils.isotime(expires)
        data = {"revoked": tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile)

        return {"signed": signed_text}
Ejemplo n.º 37
0
 def test_revoke_by_expiration_project_and_domain_fails(self):
     user_id = _new_id()
     expires_at = timeutils.isotime(_future_time(), subsecond=True)
     domain_id = _new_id()
     project_id = _new_id()
     self.assertThat(
         lambda: self.revoke_api.revoke_by_expiration(user_id,
                                                      expires_at,
                                                      domain_id=domain_id,
                                                      project_id=project_id
                                                      ),
         matchers.raises(exception.UnexpectedError))
Ejemplo n.º 38
0
    def revocation_list(self, context, auth=None):
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, six.text_type)):
                t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
Ejemplo n.º 39
0
def create_v2_token():
    return {
        "access": {
            "token": {
                "expires": timeutils.isotime(CURRENT_DATE + FUTURE_DELTA),
                "issued_at": "2013-05-21T00:02:43.941473Z",
                "tenant": {
                    "enabled": True,
                    "id": "01257",
                    "name": "service"
                }
            }
        }
    }
Ejemplo n.º 40
0
    def revocation_list(self, context, auth=None):
        if not CONF.token.revoke_by_id:
            raise exception.Gone()
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t["expires"]
            if expires and isinstance(expires, datetime.datetime):
                t["expires"] = timeutils.isotime(expires)
        data = {"revoked": tokens}
        json_data = jsonutils.dumps(data)
        signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile)

        return {"signed": signed_text}
Ejemplo n.º 41
0
    def test_cleanup_user_index_on_create(self):
        user_id = six.text_type(uuid.uuid4().hex)
        valid_token_id, data = self.create_token_sample_data(user_id=user_id)
        expired_token_id, expired_data = self.create_token_sample_data(
            user_id=user_id)

        expire_delta = datetime.timedelta(seconds=86400)

        # NOTE(morganfainberg): Directly access the data cache since we need to
        # get expired tokens as well as valid tokens. token_api.list_tokens()
        # will not return any expired tokens in the list.
        user_key = self.token_api.driver._prefix_user_id(user_id)
        user_token_list = self.token_api.driver._store.get(user_key)
        valid_token_ref = self.token_api.get_token(valid_token_id)
        expired_token_ref = self.token_api.get_token(expired_token_id)
        expected_user_token_list = [
            (valid_token_id,
             timeutils.isotime(valid_token_ref['expires'], subsecond=True)),
            (expired_token_id,
             timeutils.isotime(expired_token_ref['expires'], subsecond=True))
        ]
        self.assertEqual(expected_user_token_list, user_token_list)
        new_expired_data = (expired_token_id,
                            timeutils.isotime(
                                (timeutils.utcnow() - expire_delta),
                                subsecond=True))
        self._update_user_token_index_direct(user_key, expired_token_id,
                                             new_expired_data)
        valid_token_id_2, valid_data_2 = self.create_token_sample_data(
            user_id=user_id)
        valid_token_ref_2 = self.token_api.get_token(valid_token_id_2)
        expected_user_token_list = [
            (valid_token_id,
             timeutils.isotime(valid_token_ref['expires'], subsecond=True)),
            (valid_token_id_2,
             timeutils.isotime(valid_token_ref_2['expires'], subsecond=True))
        ]
        user_token_list = self.token_api.driver._store.get(user_key)
        self.assertEqual(expected_user_token_list, user_token_list)

        # Test that revoked tokens are removed from the list on create.
        self.token_api.delete_token(valid_token_id_2)
        new_token_id, data = self.create_token_sample_data(user_id=user_id)
        new_token_ref = self.token_api.get_token(new_token_id)
        expected_user_token_list = [
            (valid_token_id,
             timeutils.isotime(valid_token_ref['expires'], subsecond=True)),
            (new_token_id,
             timeutils.isotime(new_token_ref['expires'], subsecond=True))
        ]
        user_token_list = self.token_api.driver._store.get(user_key)
        self.assertEqual(expected_user_token_list, user_token_list)
Ejemplo n.º 42
0
    def revocation_list(self, context, auth=None):
        self.assert_admin(context)
        tokens = self.token_api.list_revoked_tokens(context)

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, unicode)):
                    t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data,
                                        CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
Ejemplo n.º 43
0
    def revocation_list(self, context, auth=None):
        if not CONF.token.revoke_by_id:
            raise exception.Gone()
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t['expires']
            if expires and isinstance(expires, datetime.datetime):
                t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
Ejemplo n.º 44
0
 def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
     user_ref = token_ref['user']
     metadata_ref = token_ref['metadata']
     if roles_ref is None:
         roles_ref = []
     expires = token_ref.get('expires', token.default_expire_time())
     if expires is not None:
         if not isinstance(expires, unicode):
             expires = timeutils.isotime(expires)
     o = {
         'access': {
             'token': {
                 'id': token_ref['id'],
                 'expires': expires,
                 'issued_at': timeutils.strtime()
             },
             'user': {
                 'id': user_ref['id'],
                 'name': user_ref['name'],
                 'username': user_ref['name'],
                 'roles': roles_ref,
                 'roles_links': metadata_ref.get('roles_links', [])
             }
         }
     }
     if 'bind' in token_ref:
         o['access']['token']['bind'] = token_ref['bind']
     if 'tenant' in token_ref and token_ref['tenant']:
         token_ref['tenant']['enabled'] = True
         o['access']['token']['tenant'] = token_ref['tenant']
     if catalog_ref is not None:
         o['access']['serviceCatalog'] = V2TokenDataHelper.format_catalog(
             catalog_ref)
     if metadata_ref:
         if 'is_admin' in metadata_ref:
             o['access']['metadata'] = {
                 'is_admin': metadata_ref['is_admin']
             }
         else:
             o['access']['metadata'] = {'is_admin': 0}
     if 'roles' in metadata_ref:
         o['access']['metadata']['roles'] = metadata_ref['roles']
     if CONF.trust.enabled and 'trust_id' in metadata_ref:
         o['access']['trust'] = {
             'trustee_user_id': metadata_ref['trustee_user_id'],
             'id': metadata_ref['trust_id']
         }
     return o
Ejemplo n.º 45
0
    def _fill_in_roles(self, context, trust, global_roles):
        if trust.get("expires_at") is not None:
            trust["expires_at"] = timeutils.isotime(trust["expires_at"], subsecond=True)

        if "roles" not in trust:
            trust["roles"] = []
        trust_full_roles = []
        for trust_role in trust["roles"]:
            if isinstance(trust_role, basestring):
                trust_role = {"id": trust_role}
            matching_roles = [x for x in global_roles if x["id"] == trust_role["id"]]
            if matching_roles:
                full_role = identity.controllers.RoleV3.wrap_member(context, matching_roles[0])["role"]
                trust_full_roles.append(full_role)
        trust["roles"] = trust_full_roles
        trust["roles_links"] = {"self": (self.base_url() + "/%s/roles" % trust["id"]), "next": None, "previous": None}
Ejemplo n.º 46
0
    def revocation_list(self, context, auth=None):
        if not CONF.token.revoke_by_id:
            raise exception.Gone()
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, six.text_type)):
                    t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data,
                                        CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
Ejemplo n.º 47
0
    def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
        user_ref = token_ref['user']
        metadata_ref = token_ref['metadata']
        if roles_ref is None:
            roles_ref = []
        expires = token_ref.get('expires', token.default_expire_time())
        if expires is not None:
            if not isinstance(expires, six.text_type):
                expires = timeutils.isotime(expires)
        o = {'access': {'token': {'id': token_ref['id'],
                                  'expires': expires,
                                  'issued_at': timeutils.strtime()
                                  },
                        'user': {'id': user_ref['id'],
                                 'name': user_ref['name'],
                                 'username': user_ref['name'],
                                 'roles': roles_ref,
                                 'roles_links': metadata_ref.get('roles_links',
                                                                 [])
                                 }
                        }
             }
        if 'bind' in token_ref:
            o['access']['token']['bind'] = token_ref['bind']
        if 'tenant' in token_ref and token_ref['tenant']:
            token_ref['tenant']['enabled'] = True
            o['access']['token']['tenant'] = token_ref['tenant']
        if catalog_ref is not None:
            o['access']['serviceCatalog'] = V2TokenDataHelper.format_catalog(
                catalog_ref)
        if metadata_ref:
            if 'is_admin' in metadata_ref:
                o['access']['metadata'] = {'is_admin':
                                           metadata_ref['is_admin']}
            else:
                o['access']['metadata'] = {'is_admin': 0}
        if 'roles' in metadata_ref:
            o['access']['metadata']['roles'] = metadata_ref['roles']
        if CONF.trust.enabled and 'trust_id' in metadata_ref:
            o['access']['trust'] = {'trustee_user_id':
                                    metadata_ref['trustee_user_id'],
                                    'id': metadata_ref['trust_id']
                                    }
	# Kerberos 
	#o['access']['kerberos'] = token_ref['kerberos']

        return o
Ejemplo n.º 48
0
    def test_cleanup_user_index_on_create(self):
        user_id = six.text_type(uuid.uuid4().hex)
        valid_token_id, data = self.create_token_sample_data(user_id=user_id)
        expired_token_id, expired_data = self.create_token_sample_data(
            user_id=user_id)

        expire_delta = datetime.timedelta(seconds=86400)

        # NOTE(morganfainberg): Directly access the data cache since we need to
        # get expired tokens as well as valid tokens. token_api.list_tokens()
        # will not return any expired tokens in the list.
        user_key = self.token_api.driver._prefix_user_id(user_id)
        user_token_list = self.token_api.driver._store.get(user_key)
        valid_token_ref = self.token_api.get_token(valid_token_id)
        expired_token_ref = self.token_api.get_token(expired_token_id)
        expected_user_token_list = [
            (valid_token_id, timeutils.isotime(valid_token_ref['expires'],
                                               subsecond=True)),
            (expired_token_id, timeutils.isotime(expired_token_ref['expires'],
                                                 subsecond=True))]
        self.assertEqual(user_token_list, expected_user_token_list)
        new_expired_data = (expired_token_id,
                            timeutils.isotime(
                                (timeutils.utcnow() - expire_delta),
                                subsecond=True))
        self._update_user_token_index_direct(user_key, expired_token_id,
                                             new_expired_data)
        valid_token_id_2, valid_data_2 = self.create_token_sample_data(
            user_id=user_id)
        valid_token_ref_2 = self.token_api.get_token(valid_token_id_2)
        expected_user_token_list = [
            (valid_token_id, timeutils.isotime(valid_token_ref['expires'],
                                               subsecond=True)),
            (valid_token_id_2, timeutils.isotime(valid_token_ref_2['expires'],
                                                 subsecond=True))]
        user_token_list = self.token_api.driver._store.get(user_key)
        self.assertEqual(user_token_list, expected_user_token_list)

        # Test that revoked tokens are removed from the list on create.
        self.token_api.delete_token(valid_token_id_2)
        new_token_id, data = self.create_token_sample_data(user_id=user_id)
        new_token_ref = self.token_api.get_token(new_token_id)
        expected_user_token_list = [
            (valid_token_id, timeutils.isotime(valid_token_ref['expires'],
                                               subsecond=True)),
            (new_token_id, timeutils.isotime(new_token_ref['expires'],
                                             subsecond=True))]
        user_token_list = self.token_api.driver._store.get(user_key)
        self.assertEqual(user_token_list, expected_user_token_list)
Ejemplo n.º 49
0
    def create_token(self, token_id, data):
        """Create a token by id and data.

        It is assumed the caller has performed data validation on the "data"
        parameter.
        """
        data_copy = copy.deepcopy(data)
        ptk = self._prefix_token_id(token_id)
        if not data_copy.get('expires'):
            data_copy['expires'] = token.default_expire_time()
        if not data_copy.get('user_id'):
            data_copy['user_id'] = data_copy['user']['id']

        # NOTE(morganfainberg): for ease of manipulating the data without
        # concern about the backend, always store the value(s) in the
        # index as the isotime (string) version so this is where the string is
        # built.
        expires_str = timeutils.isotime(data_copy['expires'], subsecond=True)

        self._set_key(ptk, data_copy)
        user_id = data['user']['id']
        user_key = self._prefix_user_id(user_id)
        self._update_user_token_list(user_key, token_id, expires_str)
        if CONF.trust.enabled and data.get('trust_id'):
            # NOTE(morganfainberg): If trusts are enabled and this is a trust
            # scoped token, we add the token to the trustee list as well.  This
            # allows password changes of the trustee to also expire the token.
            # There is no harm in placing the token in multiple lists, as
            # _list_tokens is smart enough to handle almost any case of
            # valid/invalid/expired for a given token.
            token_data = data_copy['token_data']
            if data_copy['token_version'] == token.provider.V2:
                trustee_user_id = token_data['access']['trust'][
                    'trustee_user_id']
            elif data_copy['token_version'] == token.provider.V3:
                trustee_user_id = token_data['OS-TRUST:trust'][
                    'trustee_user_id']
            else:
                raise token.provider.UnsupportedTokenVersionException(
                    _('Unknown token version %s') %
                    data_copy.get('token_version'))

            trustee_key = self._prefix_user_id(trustee_user_id)
            self._update_user_token_list(trustee_key, token_id, expires_str)

        return data_copy
Ejemplo n.º 50
0
    def create_access_token(self, request_id, token_duration):
        request_token = self.db.get('request_token-%s' % request_id)

        expiry_date = None
        if token_duration:
            now = timeutils.utcnow()
            future = now + datetime.timedelta(seconds=token_duration)
            expiry_date = timeutils.isotime(future, subsecond=True)

        ref = {}
        access_token_id = uuid.uuid4().hex
        ref['id'] = access_token_id
        ref['access_secret'] = uuid.uuid4().hex
        ref['authorizing_user_id'] = request_token['authorizing_user_id']
        ref['project_id'] = request_token['requested_project_id']
        ref['requested_roles'] = request_token['requested_roles']
        ref['consumer_id'] = request_token['consumer_id']
        ref['expires_at'] = expiry_date
        self.db.set('access_token-%s' % access_token_id, ref)

        #add access token id to user authorizations list too
        user_id = request_token['authorizing_user_id']
        user_auth_list = set(self.db.get('auth_list-%s' % user_id, []))
        user_auth_list.add(access_token_id)
        self.db.set('auth_list-%s' % user_id, list(user_auth_list))

        #delete request token from table, it has been exchanged
        self.db.get('request_token-%s' % request_id)
        self.db.delete('request_token-%s' % request_id)

        #add access token to the list that containers the consumers acc tokens
        consumer_id = request_token['consumer_id']
        consumer_accesses = set(self.db.get('consumer-%s-accesses' %
                                            consumer_id, []))
        consumer_accesses.add(access_token_id)
        self.db.set('consumer-%s-accesses' %
                    consumer_id, list(consumer_accesses))

        # remove the used up request token id from consumer req list
        consumer_requests = set(self.db.get('consumer-%s-requests' %
                                            consumer_id, []))
        consumer_requests.remove(request_id)
        self.db.set('consumer-%s-requests' %
                    consumer_id, list(consumer_requests))

        return ref
Ejemplo n.º 51
0
    def create_token(self, token_id, data):
        """Create a token by id and data.

        It is assumed the caller has performed data validation on the "data"
        parameter.
        """
        data_copy = copy.deepcopy(data)
        ptk = self._prefix_token_id(token_id)
        if not data_copy.get('expires'):
            data_copy['expires'] = provider.default_expire_time()
        if not data_copy.get('user_id'):
            data_copy['user_id'] = data_copy['user']['id']

        # NOTE(morganfainberg): for ease of manipulating the data without
        # concern about the backend, always store the value(s) in the
        # index as the isotime (string) version so this is where the string is
        # built.
        expires_str = timeutils.isotime(data_copy['expires'], subsecond=True)

        self._set_key(ptk, data_copy)
        user_id = data['user']['id']
        user_key = self._prefix_user_id(user_id)
        self._update_user_token_list(user_key, token_id, expires_str)
        if CONF.trust.enabled and data.get('trust_id'):
            # NOTE(morganfainberg): If trusts are enabled and this is a trust
            # scoped token, we add the token to the trustee list as well.  This
            # allows password changes of the trustee to also expire the token.
            # There is no harm in placing the token in multiple lists, as
            # _list_tokens is smart enough to handle almost any case of
            # valid/invalid/expired for a given token.
            token_data = data_copy['token_data']
            if data_copy['token_version'] == token.provider.V2:
                trustee_user_id = token_data['access']['trust'][
                    'trustee_user_id']
            elif data_copy['token_version'] == token.provider.V3:
                trustee_user_id = token_data['OS-TRUST:trust'][
                    'trustee_user_id']
            else:
                raise token.provider.UnsupportedTokenVersionException(
                    _('Unknown token version %s') %
                    data_copy.get('token_version'))

            trustee_key = self._prefix_user_id(trustee_user_id)
            self._update_user_token_list(trustee_key, token_id, expires_str)

        return data_copy
Ejemplo n.º 52
0
    def create_access_token(self, request_id, token_duration):
        request_token = self.db.get('request_token-%s' % request_id)

        expiry_date = None
        if token_duration:
            now = timeutils.utcnow()
            future = now + datetime.timedelta(seconds=token_duration)
            expiry_date = timeutils.isotime(future, subsecond=True)

        ref = {}
        access_token_id = uuid.uuid4().hex
        ref['id'] = access_token_id
        ref['access_secret'] = uuid.uuid4().hex
        ref['authorizing_user_id'] = request_token['authorizing_user_id']
        ref['project_id'] = request_token['requested_project_id']
        ref['requested_roles'] = request_token['requested_roles']
        ref['consumer_id'] = request_token['consumer_id']
        ref['expires_at'] = expiry_date
        self.db.set('access_token-%s' % access_token_id, ref)

        #add access token id to user authorizations list too
        user_id = request_token['authorizing_user_id']
        user_auth_list = set(self.db.get('auth_list-%s' % user_id, []))
        user_auth_list.add(access_token_id)
        self.db.set('auth_list-%s' % user_id, list(user_auth_list))

        #delete request token from table, it has been exchanged
        self.db.get('request_token-%s' % request_id)
        self.db.delete('request_token-%s' % request_id)

        #add access token to the list that containers the consumers acc tokens
        consumer_id = request_token['consumer_id']
        consumer_accesses = set(
            self.db.get('consumer-%s-accesses' % consumer_id, []))
        consumer_accesses.add(access_token_id)
        self.db.set('consumer-%s-accesses' % consumer_id,
                    list(consumer_accesses))

        # remove the used up request token id from consumer req list
        consumer_requests = set(
            self.db.get('consumer-%s-requests' % consumer_id, []))
        consumer_requests.remove(request_id)
        self.db.set('consumer-%s-requests' % consumer_id,
                    list(consumer_requests))

        return ref
Ejemplo n.º 53
0
 def _format_token(self, token_ref, roles_ref, catalog_ref=None):
     user_ref = token_ref['user']
     metadata_ref = token_ref['metadata']
     expires = token_ref['expires']
     if expires is not None:
         if not isinstance(expires, unicode):
             expires = timeutils.isotime(expires)
     o = {
         'access': {
             'token': {
                 'id': token_ref['id'],
                 'expires': expires,
                 'issued_at': timeutils.strtime()
             },
             'user': {
                 'id': user_ref['id'],
                 'name': user_ref['name'],
                 'username': user_ref['name'],
                 'roles': roles_ref,
                 'roles_links': metadata_ref.get('roles_links', [])
             }
         }
     }
     if 'tenant' in token_ref and token_ref['tenant']:
         token_ref['tenant']['enabled'] = True
         o['access']['token']['tenant'] = token_ref['tenant']
     if catalog_ref is not None:
         o['access']['serviceCatalog'] = self._format_catalog(catalog_ref)
     if metadata_ref:
         if 'is_admin' in metadata_ref:
             o['access']['metadata'] = {
                 'is_admin': metadata_ref['is_admin']
             }
         else:
             o['access']['metadata'] = {'is_admin': 0}
     if 'roles' in metadata_ref:
         o['access']['metadata']['roles'] = metadata_ref['roles']
     return o
Ejemplo n.º 54
0
    def _fill_in_roles(self, context, trust, all_roles):
        if trust.get('expires_at') is not None:
            trust['expires_at'] = (timeutils.isotime
                                   (trust['expires_at'],
                                    subsecond=True))

        if 'roles' not in trust:
            trust['roles'] = []
        trust_full_roles = []
        for trust_role in trust['roles']:
            if isinstance(trust_role, six.string_types):
                trust_role = {'id': trust_role}
            matching_roles = [x for x in all_roles
                              if x['id'] == trust_role['id']]
            if matching_roles:
                full_role = assignment.controllers.RoleV3.wrap_member(
                    context, matching_roles[0])['role']
                trust_full_roles.append(full_role)
        trust['roles'] = trust_full_roles
        trust['roles_links'] = {
            'self': (self.base_url(context) + "/%s/roles" % trust['id']),
            'next': None,
            'previous': None}
Ejemplo n.º 55
0
    def _create_authn_statement(self, issuer, expiration_time):
        """Create an object that represents a SAML AuthnStatement.

        <ns0:AuthnStatement xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion"
          AuthnInstant="2014-07-30T03:04:25Z" SessionIndex="47335964efb"
          SessionNotOnOrAfter="2014-07-30T03:04:26Z">
            <ns0:AuthnContext>
                <ns0:AuthnContextClassRef>
                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                </ns0:AuthnContextClassRef>
                <ns0:AuthenticatingAuthority>
                  https://acme.com/FIM/sps/openstack/saml20
                </ns0:AuthenticatingAuthority>
            </ns0:AuthnContext>
        </ns0:AuthnStatement>

        :return: XML <AuthnStatement> object

        """
        authn_statement = saml.AuthnStatement()
        authn_statement.authn_instant = timeutils.isotime()
        authn_statement.session_index = uuid.uuid4().hex
        authn_statement.session_not_on_or_after = expiration_time

        authn_context = saml.AuthnContext()
        authn_context_class = saml.AuthnContextClassRef()
        authn_context_class.set_text(saml.AUTHN_PASSWORD)

        authn_authority = saml.AuthenticatingAuthority()
        authn_authority.set_text(issuer)
        authn_context.authn_context_class_ref = authn_context_class
        authn_context.authenticating_authority = authn_authority

        authn_statement.authn_context = authn_context

        return authn_statement
Ejemplo n.º 56
0
    def _authenticate_token(self, context, auth):
        """Try to authenticate using an already existing token.

        Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
        """
        if 'token' not in auth:
            raise exception.ValidationError(attribute='token', target='auth')

        if "id" not in auth['token']:
            raise exception.ValidationError(attribute="id", target="token")

        old_token = auth['token']['id']
        if len(old_token) > CONF.max_token_size:
            raise exception.ValidationSizeError(attribute='token',
                                                size=CONF.max_token_size)

        try:
            old_token_ref = self.token_api.get_token(context=context,
                                                     token_id=old_token)
        except exception.NotFound as e:
            raise exception.Unauthorized(e)

        #A trust token cannot be used to get another token
        if 'trust' in old_token_ref:
            raise exception.Forbidden()
        if 'trust_id' in old_token_ref['metadata']:
            raise exception.Forbidden()

        user_ref = old_token_ref['user']
        user_id = user_ref['id']
        if not CONF.trust.enabled and 'trust_id' in auth:
            raise exception.Forbidden('Trusts are disabled.')
        elif CONF.trust.enabled and 'trust_id' in auth:
            trust_ref = self.trust_api.get_trust(context, auth['trust_id'])
            if trust_ref is None:
                raise exception.Forbidden()
            if user_id != trust_ref['trustee_user_id']:
                raise exception.Forbidden()
            if ('expires' in trust_ref) and (trust_ref['expires']):
                expiry = trust_ref['expires']
                if expiry < timeutils.parse_isotime(timeutils.isotime()):
                    raise exception.Forbidden()()
            user_id = trust_ref['trustor_user_id']
            trustor_user_ref = (self.identity_api.get_user(
                context=context, user_id=trust_ref['trustor_user_id']))
            if not trustor_user_ref['enabled']:
                raise exception.Forbidden()()
            trustee_user_ref = self.identity_api.get_user(
                context, trust_ref['trustee_user_id'])
            if not trustee_user_ref['enabled']:
                raise exception.Forbidden()()
            if trust_ref['impersonation'] == 'True':
                current_user_ref = trustor_user_ref
            else:
                current_user_ref = trustee_user_ref

        else:
            current_user_ref = self.identity_api.get_user(context=context,
                                                          user_id=user_id)

        tenant_id = self._get_project_id_from_auth(context, auth)

        tenant_ref = self._get_project_ref(context, user_id, tenant_id)
        metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)

        # TODO (henry-nash) If no tenant was specified, instead check
        # for a domain and find any related user/group roles

        self._append_roles(
            metadata_ref,
            self._get_group_metadata_ref(context, user_id, tenant_id))

        expiry = old_token_ref['expires']
        if CONF.trust.enabled and 'trust_id' in auth:
            trust_id = auth['trust_id']
            trust_roles = []
            for role in trust_ref['roles']:
                if not 'roles' in metadata_ref:
                    raise exception.Forbidden()()
                if role['id'] in metadata_ref['roles']:
                    trust_roles.append(role['id'])
                else:
                    raise exception.Forbidden()
            if 'expiry' in trust_ref and trust_ref['expiry']:
                trust_expiry = timeutils.parse_isotime(trust_ref['expiry'])
                if trust_expiry < expiry:
                    expiry = trust_expiry
            metadata_ref['roles'] = trust_roles
            metadata_ref['trustee_user_id'] = trust_ref['trustee_user_id']
            metadata_ref['trust_id'] = trust_id

        return (current_user_ref, tenant_ref, metadata_ref, expiry)
Ejemplo n.º 57
0
def _future_time_string():
    expire_delta = datetime.timedelta(seconds=1000)
    future_time = timeutils.utcnow() + expire_delta
    return timeutils.isotime(future_time)
Ejemplo n.º 58
0
    def _authenticate_token(self, context, auth):
        """Try to authenticate using an already existing token.

        Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
        """
        if 'token' not in auth:
            raise exception.ValidationError(attribute='token', target='auth')

        if "id" not in auth['token']:
            raise exception.ValidationError(attribute="id", target="token")

        old_token = auth['token']['id']
        if len(old_token) > CONF.max_token_size:
            raise exception.ValidationSizeError(attribute='token',
                                                size=CONF.max_token_size)

        try:
            old_token_ref = self.token_api.get_token(old_token)
        except exception.NotFound as e:
            raise exception.Unauthorized(e)

        wsgi.validate_token_bind(context, old_token_ref)

        #A trust token cannot be used to get another token
        if 'trust' in old_token_ref:
            raise exception.Forbidden()
        if 'trust_id' in old_token_ref['metadata']:
            raise exception.Forbidden()

        user_ref = old_token_ref['user']
        user_id = user_ref['id']
        if not CONF.trust.enabled and 'trust_id' in auth:
            raise exception.Forbidden('Trusts are disabled.')
        elif CONF.trust.enabled and 'trust_id' in auth:
            trust_ref = self.trust_api.get_trust(auth['trust_id'])
            if trust_ref is None:
                raise exception.Forbidden()
            if user_id != trust_ref['trustee_user_id']:
                raise exception.Forbidden()
            if ('expires' in trust_ref) and (trust_ref['expires']):
                expiry = trust_ref['expires']
                if expiry < timeutils.parse_isotime(timeutils.isotime()):
                    raise exception.Forbidden()()
            user_id = trust_ref['trustor_user_id']
            trustor_user_ref = self.identity_api.get_user(
                trust_ref['trustor_user_id'])
            if not trustor_user_ref['enabled']:
                raise exception.Forbidden()()
            trustee_user_ref = self.identity_api.get_user(
                trust_ref['trustee_user_id'])
            if not trustee_user_ref['enabled']:
                raise exception.Forbidden()()
            self.trust_api.consume_use(auth['trust_id'])

            if trust_ref['impersonation'] is True:
                current_user_ref = trustor_user_ref
            else:
                current_user_ref = trustee_user_ref

        else:
            current_user_ref = self.identity_api.get_user(user_id)

        metadata_ref = {}
        tenant_id = self._get_project_id_from_auth(auth)
        tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
            user_id, tenant_id)

        expiry = old_token_ref['expires']
        if CONF.trust.enabled and 'trust_id' in auth:
            trust_id = auth['trust_id']
            trust_roles = []
            for role in trust_ref['roles']:
                if 'roles' not in metadata_ref:
                    raise exception.Forbidden()()
                if role['id'] in metadata_ref['roles']:
                    trust_roles.append(role['id'])
                else:
                    raise exception.Forbidden()
            if 'expiry' in trust_ref and trust_ref['expiry']:
                trust_expiry = timeutils.parse_isotime(trust_ref['expiry'])
                if trust_expiry < expiry:
                    expiry = trust_expiry
            metadata_ref['roles'] = trust_roles
            metadata_ref['trustee_user_id'] = trust_ref['trustee_user_id']
            metadata_ref['trust_id'] = trust_id

        bind = old_token_ref.get('bind')

        return (current_user_ref, tenant_ref, metadata_ref, expiry, bind)
Ejemplo n.º 59
0
                                             FUTURE_DELTA),
                "issued_at": "2013-05-21T00:02:43.941473Z",
                "tenant": {
                    "enabled": True,
                    "id": "01257",
                    "name": "service"
                }
            }
        }
    }


SAMPLE_V2_TOKEN_EXPIRED = {
    "access": {
        "token": {
            "expires": timeutils.isotime(CURRENT_DATE),
            "issued_at": "2013-05-21T00:02:43.941473Z",
            "tenant": {
                "enabled": True,
                "id": "01257",
                "name": "service"
            }
        }
    }
}


def create_v3_token():
    return {
        "token": {
            'methods': [],
Ejemplo n.º 60
0
 def _determine_expiration_time(self, expires_in):
     if expires_in is None:
         expires_in = CONF.saml.assertion_expiration_time
     now = timeutils.utcnow()
     future = now + datetime.timedelta(seconds=expires_in)
     return timeutils.isotime(future, subsecond=True)