def build_token_values(token_data): token_values = { 'expires_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['expires_at'])), 'issued_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['issued_at'])) } user = token_data.get('user') if user is not None: token_values['user_id'] = user['id'] token_values['identity_domain_id'] = user['domain']['id'] else: token_values['user_id'] = None token_values['identity_domain_id'] = None project = token_data.get('project', token_data.get('tenant')) if project is not None: token_values['project_id'] = project['id'] token_values['assignment_domain_id'] = project['domain']['id'] else: token_values['project_id'] = None token_values['assignment_domain_id'] = None role_list = [] roles = token_data.get('roles') if roles is not None: for role in roles: role_list.append(role['id']) token_values['roles'] = role_list trust = token_data.get('OS-TRUST:trust') if trust is None: token_values['trust_id'] = None token_values['trustor_id'] = None token_values['trustee_id'] = None else: token_values['trust_id'] = trust['id'] token_values['trustor_id'] = trust['trustor_user']['id'] token_values['trustee_id'] = trust['trustee_user']['id'] oauth1 = token_data.get('OS-OAUTH1') if oauth1 is None: token_values['consumer_id'] = None token_values['access_token_id'] = None else: token_values['consumer_id'] = oauth1['consumer_id'] token_values['access_token_id'] = oauth1['access_token_id'] return token_values
def build_token_values(token_data): token_values = { 'expires_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['expires_at'])), 'issued_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['issued_at']))} user = token_data.get('user') if user is not None: token_values['user_id'] = user['id'] token_values['identity_domain_id'] = user['domain']['id'] else: token_values['user_id'] = None token_values['identity_domain_id'] = None project = token_data.get('project', token_data.get('tenant')) if project is not None: token_values['project_id'] = project['id'] token_values['assignment_domain_id'] = project['domain']['id'] else: token_values['project_id'] = None token_values['assignment_domain_id'] = None role_list = [] roles = token_data.get('roles') if roles is not None: for role in roles: role_list.append(role['id']) token_values['roles'] = role_list trust = token_data.get('OS-TRUST:trust') if trust is None: token_values['trust_id'] = None token_values['trustor_id'] = None token_values['trustee_id'] = None else: token_values['trust_id'] = trust['id'] token_values['trustor_id'] = trust['trustor_user']['id'] token_values['trustee_id'] = trust['trustee_user']['id'] oauth1 = token_data.get('OS-OAUTH1') if oauth1 is None: token_values['consumer_id'] = None token_values['access_token_id'] = None else: token_values['consumer_id'] = oauth1['consumer_id'] token_values['access_token_id'] = oauth1['access_token_id'] return token_values
def _request_admin_token(self): """Retrieve new token as admin user from keystone. :return token id upon success :raises ServerError when unable to communicate with keystone """ params = { "auth": { "passwordCredentials": {"username": self.admin_user, "password": self.admin_password}, "tenantName": self.admin_tenant_name, } } response, data = self._json_request("POST", "/v2.0/tokens", body=params) try: token = data["access"]["token"]["id"] expiry = data["access"]["token"]["expires"] assert token assert expiry datetime_expiry = timeutils.parse_isotime(expiry) return (token, timeutils.normalize_time(datetime_expiry)) except (AssertionError, KeyError): self.LOG.warn("Unexpected response from keystone service: %s", data) raise ServiceError("invalid json response") except (ValueError): self.LOG.warn("Unable to parse expiration time from token: %s", data) raise ServiceError("invalid json response")
def test_building_unscoped_accessinfo(self): auth_ref = access.AccessInfo.factory(body=UNSCOPED_TOKEN) self.assertTrue(auth_ref) self.assertIn("token", auth_ref) self.assertIn("serviceCatalog", auth_ref) self.assertFalse(auth_ref["serviceCatalog"]) self.assertEqual(auth_ref.auth_token, "3e2813b7ba0b4006840c3825860b86ed") self.assertEqual(auth_ref.username, "exampleuser") self.assertEqual(auth_ref.user_id, "c4da488862bd435c9e6c0275a0d0e49a") self.assertEqual(auth_ref.tenant_name, None) self.assertEqual(auth_ref.tenant_id, None) self.assertEqual(auth_ref.auth_url, None) self.assertEqual(auth_ref.management_url, None) self.assertFalse(auth_ref.scoped) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) self.assertFalse(auth_ref.trust_scoped) self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) self.assertEqual(auth_ref.user_domain_id, "default") self.assertEqual(auth_ref.user_domain_name, "Default") self.assertEqual(auth_ref.expires, timeutils.parse_isotime(UNSCOPED_TOKEN["access"]["token"]["expires"]))
def test_building_unscoped_accessinfo(self): auth_ref = access.AccessInfo.factory(resp=TOKEN_RESPONSE, body=UNSCOPED_TOKEN) self.assertTrue(auth_ref) self.assertIn('methods', auth_ref) self.assertIn('catalog', auth_ref) self.assertFalse(auth_ref['catalog']) self.assertEqual(auth_ref.auth_token, '3e2813b7ba0b4006840c3825860b86ed') self.assertEqual(auth_ref.username, 'exampleuser') self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') self.assertEqual(auth_ref.project_name, None) self.assertEqual(auth_ref.project_id, None) self.assertEqual(auth_ref.auth_url, None) self.assertEqual(auth_ref.management_url, None) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) self.assertEqual(auth_ref.user_domain_id, '4e6893b7ba0b4006840c3845660b86ed') self.assertEqual(auth_ref.user_domain_name, 'exampledomain') self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) self.assertEqual( auth_ref.expires, timeutils.parse_isotime(UNSCOPED_TOKEN['token']['expires_at']))
def test_building_unscoped_accessinfo(self): auth_ref = access.AccessInfo.factory(body=UNSCOPED_TOKEN) self.assertTrue(auth_ref) self.assertIn('token', auth_ref) self.assertIn('serviceCatalog', auth_ref) self.assertFalse(auth_ref['serviceCatalog']) self.assertEqual(auth_ref.auth_token, '3e2813b7ba0b4006840c3825860b86ed') self.assertEqual(auth_ref.username, 'exampleuser') self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') self.assertEqual(auth_ref.tenant_name, None) self.assertEqual(auth_ref.tenant_id, None) self.assertEqual(auth_ref.auth_url, None) self.assertEqual(auth_ref.management_url, None) self.assertFalse(auth_ref.scoped) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) self.assertFalse(auth_ref.trust_scoped) self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) self.assertEqual(auth_ref.user_domain_id, 'default') self.assertEqual(auth_ref.user_domain_name, 'Default') self.assertEqual(auth_ref.expires, timeutils.parse_isotime( UNSCOPED_TOKEN['access']['token']['expires']))
def expires(self): """ Returns the token expiration (as datetime object) :returns: datetime """ return timeutils.parse_isotime(self['token']['expires'])
def test_building_unscoped_accessinfo(self): auth_ref = access.AccessInfo.factory(body=UNSCOPED_TOKEN) self.assertTrue(auth_ref) self.assertIn('token', auth_ref) self.assertIn('serviceCatalog', auth_ref) self.assertFalse(auth_ref['serviceCatalog']) self.assertEqual(auth_ref.auth_token, '3e2813b7ba0b4006840c3825860b86ed') self.assertEqual(auth_ref.username, 'exampleuser') self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') self.assertEqual(auth_ref.tenant_name, None) self.assertEqual(auth_ref.tenant_id, None) self.assertEqual(auth_ref.auth_url, None) self.assertEqual(auth_ref.management_url, None) self.assertFalse(auth_ref.scoped) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) self.assertFalse(auth_ref.trust_scoped) self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) self.assertEqual(auth_ref.user_domain_id, 'default') self.assertEqual(auth_ref.user_domain_name, 'Default') self.assertEqual( auth_ref.expires, timeutils.parse_isotime( UNSCOPED_TOKEN['access']['token']['expires']))
def _request_admin_token(self): """Retrieve new token as admin user from keystone. :return token id upon success :raises ServerError when unable to communicate with keystone """ params = { 'auth': { 'passwordCredentials': { 'username': self.admin_user, 'password': self.admin_password, }, 'tenantName': self.admin_tenant_name, } } response, data = self._json_request('POST', '/v2.0/tokens', body=params) try: token = data['access']['token']['id'] expiry = data['access']['token']['expires'] assert token assert expiry datetime_expiry = timeutils.parse_isotime(expiry) return (token, timeutils.normalize_time(datetime_expiry)) except (AssertionError, KeyError): LOG.warn("Unexpected response from keystone service: %s", data) raise ServiceError('invalid json response') except (ValueError): LOG.warn("Unable to parse expiration time from token: %s", data) raise ServiceError('invalid json response')
def expires(self): """ Returns the token expiration (as datetime object) :returns: datetime """ return timeutils.parse_isotime(self['token']['expires'])
def test_building_unscoped_accessinfo(self): auth_ref = access.AccessInfo.factory(resp=TOKEN_RESPONSE, body=UNSCOPED_TOKEN) self.assertTrue(auth_ref) self.assertIn('methods', auth_ref) self.assertIn('catalog', auth_ref) self.assertFalse(auth_ref['catalog']) self.assertEquals(auth_ref.auth_token, '3e2813b7ba0b4006840c3825860b86ed') self.assertEquals(auth_ref.username, 'exampleuser') self.assertEquals(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a') self.assertEquals(auth_ref.project_name, None) self.assertEquals(auth_ref.project_id, None) self.assertEquals(auth_ref.auth_url, None) self.assertEquals(auth_ref.management_url, None) self.assertFalse(auth_ref.domain_scoped) self.assertFalse(auth_ref.project_scoped) self.assertEquals(auth_ref.user_domain_id, '4e6893b7ba0b4006840c3845660b86ed') self.assertEquals(auth_ref.user_domain_name, 'exampledomain') self.assertIsNone(auth_ref.project_domain_id) self.assertIsNone(auth_ref.project_domain_name) self.assertEquals(auth_ref.expires, timeutils.parse_isotime( UNSCOPED_TOKEN['token']['expires_at']))
def _request_admin_token(self): """Retrieve new token as admin user from keystone. :return token id upon success :raises ServerError when unable to communicate with keystone """ params = { 'auth': { 'passwordCredentials': { 'username': self.admin_user, 'password': self.admin_password, }, 'tenantName': self.admin_tenant_name, } } response, data = self._json_request('POST', '/v2.0/tokens', body=params) try: token = data['access']['token']['id'] expiry = data['access']['token']['expires'] assert token assert expiry datetime_expiry = timeutils.parse_isotime(expiry) return (token, timeutils.normalize_time(datetime_expiry)) except (AssertionError, KeyError): LOG.warn("Unexpected response from keystone service: %s", data) raise ServiceError('invalid json response') except (ValueError): LOG.warn("Unable to parse expiration time from token: %s", data) raise ServiceError('invalid json response')
def _cache_get(self, token_id, ignore_expires=False): """Return token information from cache. If token is invalid raise InvalidUserToken return token only if fresh (not expired). """ if self._cache and token_id: if self._memcache_security_strategy is None: key = CACHE_KEY_TEMPLATE % token_id serialized = self._cache.get(key) else: keys = memcache_crypt.derive_keys( token_id, self._memcache_secret_key, self._memcache_security_strategy) cache_key = CACHE_KEY_TEMPLATE % ( memcache_crypt.get_cache_key(keys)) raw_cached = self._cache.get(cache_key) try: # unprotect_data will return None if raw_cached is None serialized = memcache_crypt.unprotect_data(keys, raw_cached) except Exception: msg = 'Failed to decrypt/verify cache data' self.LOG.exception(msg) # this should have the same effect as data not # found in cache serialized = None if serialized is None: return None # Note that 'invalid' and (data, expires) are the only # valid types of serialized cache entries, so there is not # a collision with jsonutils.loads(serialized) == None. cached = jsonutils.loads(serialized) if cached == 'invalid': self.LOG.debug('Cached Token %s is marked unauthorized', token_id) raise InvalidUserToken('Token authorization failed') data, expires = cached try: expires = timeutils.parse_isotime(expires) except ValueError: # Gracefully handle upgrade of expiration times from *nix # timestamps to ISO 8601 formatted dates by ignoring old cached # values. return expires = timeutils.normalize_time(expires) utcnow = timeutils.utcnow() if ignore_expires or utcnow < expires: self.LOG.debug('Returning cached token %s', token_id) return data else: self.LOG.debug('Cached Token %s seems expired', token_id)
def _cache_get(self, token_id, ignore_expires=False): """Return token information from cache. If token is invalid raise InvalidUserToken return token only if fresh (not expired). """ if self._cache and token_id: if self._memcache_security_strategy is None: key = CACHE_KEY_TEMPLATE % token_id serialized = self._cache.get(key) else: keys = memcache_crypt.derive_keys( token_id, self._memcache_secret_key, self._memcache_security_strategy) cache_key = CACHE_KEY_TEMPLATE % ( memcache_crypt.get_cache_key(keys)) raw_cached = self._cache.get(cache_key) try: # unprotect_data will return None if raw_cached is None serialized = memcache_crypt.unprotect_data( keys, raw_cached) except Exception: msg = 'Failed to decrypt/verify cache data' self.LOG.exception(msg) # this should have the same effect as data not # found in cache serialized = None if serialized is None: return None # Note that 'invalid' and (data, expires) are the only # valid types of serialized cache entries, so there is not # a collision with jsonutils.loads(serialized) == None. cached = jsonutils.loads(serialized) if cached == 'invalid': self.LOG.debug('Cached Token %s is marked unauthorized', token_id) raise InvalidUserToken('Token authorization failed') data, expires = cached try: expires = timeutils.parse_isotime(expires) except ValueError: # Gracefully handle upgrade of expiration times from *nix # timestamps to ISO 8601 formatted dates by ignoring old cached # values. return expires = timeutils.normalize_time(expires) utcnow = timeutils.utcnow() if ignore_expires or utcnow < expires: self.LOG.debug('Returning cached token %s', token_id) return data else: self.LOG.debug('Cached Token %s seems expired', token_id)
def build_token_values_v2(access, default_domain_id): token_data = access['token'] token_values = { 'expires_at': timeutils.normalize_time(timeutils.parse_isotime( token_data['expires'])), 'issued_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['issued_at'])) } token_values['user_id'] = access.get('user', {}).get('id') project = token_data.get('tenant') if project is not None: token_values['project_id'] = project['id'] else: token_values['project_id'] = None token_values['identity_domain_id'] = default_domain_id token_values['assignment_domain_id'] = default_domain_id trust = token_data.get('trust') if trust is None: token_values['trust_id'] = None token_values['trustor_id'] = None token_values['trustee_id'] = None else: token_values['trust_id'] = trust['id'] token_values['trustor_id'] = trust['trustor_id'] token_values['trustee_id'] = trust['trustee_id'] token_values['consumer_id'] = None token_values['access_token_id'] = None role_list = [] # Roles are by ID in metadata and by name in the user section roles = access.get('metadata', {}).get('roles', []) for role in roles: role_list.append(role) token_values['roles'] = role_list return token_values
def test_create_expires(self): ref = self.new_ref() ref['trustor_user_id'] = uuid.uuid4().hex ref['trustee_user_id'] = uuid.uuid4().hex ref['impersonation'] = False ref['expires_at'] = timeutils.parse_isotime( '2013-03-04T12:00:01.000000Z') req_ref = ref.copy() # Note the TrustManager takes a datetime.datetime object for # expires_at, and converts it internally into an iso format datestamp req_ref['expires_at'] = '2013-03-04T12:00:01.000000Z' super(TrustTests, self).test_create(ref=ref, req_ref=req_ref)
def build_token_values_v2(access, default_domain_id): token_data = access['token'] token_values = { 'expires_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['expires'])), 'issued_at': timeutils.normalize_time( timeutils.parse_isotime(token_data['issued_at']))} token_values['user_id'] = access.get('user', {}).get('id') project = token_data.get('tenant') if project is not None: token_values['project_id'] = project['id'] else: token_values['project_id'] = None token_values['identity_domain_id'] = default_domain_id token_values['assignment_domain_id'] = default_domain_id trust = token_data.get('trust') if trust is None: token_values['trust_id'] = None token_values['trustor_id'] = None token_values['trustee_id'] = None else: token_values['trust_id'] = trust['id'] token_values['trustor_id'] = trust['trustor_id'] token_values['trustee_id'] = trust['trustee_id'] token_values['consumer_id'] = None token_values['access_token_id'] = None role_list = [] # Roles are by ID in metadata and by name in the user section roles = access.get('metadata', {}).get('roles', []) for role in roles: role_list.append(role) token_values['roles'] = role_list return token_values
def _confirm_token_not_expired(self, data): if not data: raise InvalidUserToken('Token authorization failed') if self._token_is_v2(data): timestamp = data['access']['token']['expires'] elif self._token_is_v3(data): timestamp = data['token']['expires_at'] else: raise InvalidUserToken('Token authorization failed') expires = timeutils.parse_isotime(timestamp).strftime('%s') if time.time() >= float(expires): self.LOG.debug('Token expired a %s', timestamp) raise InvalidUserToken('Token authorization failed') return expires
def _confirm_token_not_expired(self, data): if not data: raise InvalidUserToken('Token authorization failed') if self._token_is_v2(data): timestamp = data['access']['token']['expires'] elif self._token_is_v3(data): timestamp = data['token']['expires_at'] else: raise InvalidUserToken('Token authorization failed') expires = timeutils.parse_isotime(timestamp).strftime('%s') if time.time() >= float(expires): self.LOG.debug('Token expired a %s', timestamp) raise InvalidUserToken('Token authorization failed') return expires
def _cache_put(self, token, data): """ Put token data into the cache. Stores the parsed expire date in cache allowing quick check of token freshness on retrieval. """ if self._cache and data: if "token" in data.get("access", {}): timestamp = data["access"]["token"]["expires"] expires = timeutils.parse_isotime(timestamp).strftime("%s") else: self.LOG.error("invalid token format") return self.LOG.debug("Storing %s token in memcache", token) self._cache_store(token, data, expires)
def confirm_token_not_expired(data): if not data: raise InvalidUserToken('Token authorization failed') if _token_is_v2(data): timestamp = data['access']['token']['expires'] elif _token_is_v3(data): timestamp = data['token']['expires_at'] else: raise InvalidUserToken('Token authorization failed') expires = timeutils.parse_isotime(timestamp) expires = timeutils.normalize_time(expires) utcnow = timeutils.utcnow() if utcnow >= expires: raise InvalidUserToken('Token authorization failed') return timeutils.isotime(at=expires, subsecond=True)
def _cache_put(self, token, data): """ Put token data into the cache. Stores the parsed expire date in cache allowing quick check of token freshness on retrieval. """ if self._cache and data: if 'token' in data.get('access', {}): timestamp = data['access']['token']['expires'] expires = timeutils.parse_isotime(timestamp).strftime('%s') else: self.LOG.error('invalid token format') return self.LOG.debug('Storing %s token in memcache', token) self._cache_store(token, data, expires)
def confirm_token_not_expired(data): if not data: raise InvalidUserToken('Token authorization failed') if _token_is_v2(data): timestamp = data['access']['token']['expires'] elif _token_is_v3(data): timestamp = data['token']['expires_at'] else: raise InvalidUserToken('Token authorization failed') expires = timeutils.parse_isotime(timestamp) expires = timeutils.normalize_time(expires) utcnow = timeutils.utcnow() if utcnow >= expires: raise InvalidUserToken('Token authorization failed') return timeutils.isotime(at=expires, subsecond=True)
def _cache_put(self, token, data): """ Put token data into the cache. Stores the parsed expire date in cache allowing quick check of token freshness on retrieval. """ if self._cache and data: if self._token_is_v2(data): timestamp = data['access']['token']['expires'] elif self._token_is_v3(data): timestamp = data['token']['expires_at'] else: self.LOG.error('invalid token format') return expires = timeutils.parse_isotime(timestamp).strftime('%s') self.LOG.debug('Storing %s token in memcache', token) self._cache_store(token, data, expires)
def issued(self): return timeutils.parse_isotime(self.issued_str)
def expires(self): return timeutils.parse_isotime(self['expires_at'])
def issued(self): return timeutils.parse_isotime(self['issued_at'])
def expires(self): return timeutils.parse_isotime(self.expires_str)
def updated(self): return timeutils.parse_isotime(self.updated_str)
def issued(self): return timeutils.parse_isotime(self.issued_str)
def issued(self): return timeutils.parse_isotime(self['issued_at'])
def expires(self): return timeutils.parse_isotime(self.expires_str)
def expires(self): return timeutils.parse_isotime(self['token']['expires'])
def updated(self): return timeutils.parse_isotime(self.updated_str)
def expires(self): return timeutils.parse_isotime(self["token"]["expires"])
def expires(self): return timeutils.parse_isotime(self['token']['expires'])
# logging.basicConfig(level=logging.DEBUG) glance = client.Client('1', endpoint=endpoint, token=auth_token) glance.format = 'json' # Fetch the list of files in store_directory matching the UUID regex uuid_re = re.compile( r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}') files = [(x, os.path.join(store_directory, x)) for x in os.listdir(store_directory) if uuid_re.match(x)] files = [(x, os.path.getsize(p), datetime.fromtimestamp(os.path.getmtime(p), iso8601.Utc())) for x, p in files if os.path.isfile(p)] # Fetch the list of glance images glance_images = [(x.id, x.size, timeutils.parse_isotime(x.created_at)) for x in glance.images.list() if x.status == 'active'] # Check all active images 1 hour or older are present time_cutoff = datetime.now(iso8601.Utc()) - timedelta(0, 3600) result = 0 for image in [x for x in glance_images if x[2] < time_cutoff]: if not [x for x in files if x[0] == image[0]]: print "Glance image %s not found in %s" % (image[0], store_directory) result = 2 # Check all files have a corresponding glance image
def expires(self): return timeutils.parse_isotime(self['expires_at'])