def setUpModule(self):
signing_path = CMSDIR
with open(os.path.join(signing_path, 'auth_token_scoped.pem')) as f:
self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read())
with open(os.path.join(signing_path, 'auth_token_unscoped.pem')) as f:
self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read())
with open(os.path.join(signing_path, 'auth_token_revoked.pem')) as f:
self.REVOKED_TOKEN = cms.cms_to_token(f.read())
self.REVOKED_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_TOKEN)
with open(os.path.join(signing_path, 'revocation_list.json')) as f:
self.REVOCATION_LIST = jsonutils.loads(f.read())
with open(os.path.join(signing_path, 'revocation_list.pem')) as f:
self.VALID_SIGNED_REVOCATION_LIST = jsonutils.dumps(
{'signed': f.read()})
self.SIGNED_TOKEN_SCOPED_KEY =\
cms.cms_hash_token(self.SIGNED_TOKEN_SCOPED)
self.SIGNED_TOKEN_UNSCOPED_KEY =\
cms.cms_hash_token(self.SIGNED_TOKEN_UNSCOPED)
self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = {
'access': {
'token': {
'id': self.SIGNED_TOKEN_SCOPED_KEY,
},
'user': {
'id': 'user_id1',
'name': 'user_name1',
'tenantId': 'tenant_id1',
'tenantName': 'tenant_name1',
'roles': [
{'name': 'role1'},
{'name': 'role2'},
],
},
},
}
self.TOKEN_RESPONSES[SIGNED_TOKEN_UNSCOPED_KEY] = {
'access': {
'token': {
'id': SIGNED_TOKEN_UNSCOPED_KEY,
},
'user': {
'id': 'user_id1',
'name': 'user_name1',
'roles': [
{'name': 'role1'},
{'name': 'role2'},
],
},
},
},
def test_list_keystone_tokens_by_consumer(self):
self.test_oauth_flow()
tokens = self.token_api.list_tokens(self.user_id,
consumer_id=self.consumer.key)
keystone_token_uuid = cms.cms_hash_token(self.keystone_token_id)
self.assertTrue(len(tokens) > 0)
self.assertTrue(keystone_token_uuid in tokens)
def test_list_keystone_tokens_by_consumer(self):
self.test_oauth_flow()
tokens = self.token_api.list_tokens(self.user_id,
consumer_id=self.consumer.key)
keystone_token_uuid = cms.cms_hash_token(self.keystone_token_id)
self.assertTrue(len(tokens) > 0)
self.assertTrue(keystone_token_uuid in tokens)
def _validate_user_token(self, user_token, retry=True):
"""Authenticate user using PKI
:param user_token: user's token id
:param retry: Ignored, as it is not longer relevant
:return uncrypted body of the token if the token is valid
:raise InvalidUserToken if token is rejected
:no longer raises ServiceError since it no longer makes RPC
"""
try:
token_id = cms.cms_hash_token(user_token)
cached = self._cache_get(token_id)
if cached:
return cached
if cms.is_ans1_token(user_token):
verified = self.verify_signed_token(user_token)
data = json.loads(verified)
else:
data = self.verify_uuid_token(user_token, retry)
self._cache_put(token_id, data)
return data
except Exception as e:
LOG.debug('Token validation failure.', exc_info=True)
self._cache_store_invalid(user_token)
LOG.warn("Authorization failed for token %s", user_token)
raise InvalidUserToken('Token authorization failed')
def token_to_key(self, token_id):
""" Converts PKI tokens to their short form used for keys in
Database tables, memcached, and other lookup tables.
returns: if given a PKI token, returns its hashed value
Otherwise, returns the passed-in value if given a UUID or
hash of a token.
"""
return cms.cms_hash_token(token_id)
def token_to_key(self, token_id):
""" Converts PKI tokens to their short form used for keys in
Database tables, memcached, and other lookup tables.
returns: if given a PKI token, returns its hashed value
Otherwise, returns the passed-in value if given a UUID or
hash of a token.
"""
return cms.cms_hash_token(token_id)
def unique_id(token_id):
"""Return a unique ID for a token.
The returned value is useful as the primary key of a database table,
memcache store, or other lookup table.
:returns: Given a PKI token, returns it's hashed value. Otherwise, returns
the passed-in value (such as a UUID token ID or an existing
hash).
"""
return cms.cms_hash_token(token_id)
def unique_id(token_id):
"""Return a unique ID for a token.
The returned value is useful as the primary key of a database table,
memcache store, or other lookup table.
:returns: Given a PKI token, returns it's hashed value. Otherwise, returns
the passed-in value (such as a UUID token ID or an existing
hash).
"""
return cms.cms_hash_token(token_id)
def __init__(self, token_id, token_data):
self.token_data = token_data
if 'token' in token_data and 'methods' in token_data['token']:
super(KeystoneToken, self).__init__(**token_data['token'])
self.version = V3
else:
raise exception.UnsupportedTokenVersionException()
self.token_id = token_id
self.short_id = cms.cms_hash_token(token_id,
mode=CONF.token.hash_algorithm)
if self.project_scoped and self.domain_scoped:
raise exception.UnexpectedError(_('Found invalid token: scoped to '
'both project and domain.'))
