def revocation_list(self, context, auth=None):
tokens = self.token_api.list_revoked_tokens()
for t in tokens:
expires = t["expires"]
if not (expires and isinstance(expires, unicode)):
t["expires"] = timeutils.isotime(expires)
data = {"revoked": tokens}
json_data = json.dumps(data)
signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile)
return {"signed": signed_text}
def revocation_list(self, context, auth=None):
tokens = self.token_api.list_revoked_tokens()
for t in tokens:
expires = t['expires']
if not (expires and isinstance(expires, six.text_type)):
t['expires'] = timeutils.isotime(expires)
data = {'revoked': tokens}
json_data = json.dumps(data)
signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile,
CONF.signing.keyfile)
return {'signed': signed_text}
def revocation_list(self, context, auth=None):
self.assert_admin(context)
tokens = self.token_api.list_revoked_tokens(context)
for t in tokens:
expires = t['expires']
if not (expires and isinstance(expires, unicode)):
t['expires'] = timeutils.isotime(expires)
data = {'revoked': tokens}
json_data = json.dumps(data)
signed_text = cms.cms_sign_text(json_data,
CONF.signing.certfile,
CONF.signing.keyfile)
return {'signed': signed_text}
def revocation_list(self, context, auth=None):
if not CONF.token.revoke_by_id:
raise exception.Gone()
tokens = self.token_provider_api.list_revoked_tokens()
for t in tokens:
expires = t['expires']
if not (expires and isinstance(expires, six.text_type)):
t['expires'] = timeutils.isotime(expires)
data = {'revoked': tokens}
json_data = jsonutils.dumps(data)
signed_text = cms.cms_sign_text(json_data,
CONF.signing.certfile,
CONF.signing.keyfile)
return {'signed': signed_text}
def authenticate(self, context, auth=None):
"""Authenticate credentials and return a token.
Accept auth as a dict that looks like::
{
"auth":{
"passwordCredentials":{
"username":"******",
"password":"******"
},
"tenantName":"customer-x"
}
}
In this case, tenant is optional, if not provided the token will be
considered "unscoped" and can later be used to get a scoped token.
Alternatively, this call accepts auth with only a token and tenant
that will return a token that is scoped to that tenant.
"""
if 'passwordCredentials' in auth:
user_id = auth['passwordCredentials'].get('userId', None)
username = auth['passwordCredentials'].get('username', '')
password = auth['passwordCredentials'].get('password', '')
tenant_name = auth.get('tenantName', None)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username)
user_id = user_ref['id']
except exception.UserNotFound:
raise exception.Unauthorized()
# more compat
tenant_id = auth.get('tenantId', None)
if tenant_name:
try:
tenant_ref = self.identity_api.get_tenant_by_name(
context=context, tenant_name=tenant_name)
tenant_id = tenant_ref['id']
except exception.TenantNotFound:
raise exception.Unauthorized()
try:
auth_info = self.identity_api.authenticate(context=context,
user_id=user_id,
password=password,
tenant_id=tenant_id)
(user_ref, tenant_ref, metadata_ref) = auth_info
# If the user is disabled don't allow them to authenticate
if not user_ref.get('enabled', True):
LOG.warning('User %s is disabled' % user_id)
raise exception.Unauthorized()
# If the tenant is disabled don't allow them to authenticate
if tenant_ref and not tenant_ref.get('enabled', True):
LOG.warning('Tenant %s is disabled' % tenant_id)
raise exception.Unauthorized()
except AssertionError as e:
raise exception.Unauthorized(e.message)
auth_token_data = dict(zip(["user", "tenant", "metadata"],
auth_info))
expiry = self.token_api._get_default_expire_time(context=context)
if tenant_ref:
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'],
metadata=metadata_ref)
else:
catalog_ref = {}
elif 'token' in auth:
old_token = auth['token'].get('id', None)
tenant_name = auth.get('tenantName')
try:
old_token_ref = self.token_api.get_token(context=context,
token_id=old_token)
except exception.NotFound:
raise exception.Unauthorized()
user_ref = old_token_ref['user']
user_id = user_ref['id']
current_user_ref = self.identity_api.get_user(context=context,
user_id=user_id)
if not current_user_ref.get('enabled', True):
LOG.warning('User %s is disabled' % user_id)
raise exception.Unauthorized()
if tenant_name:
tenant_ref = self.identity_api.\
get_tenant_by_name(context=context,
tenant_name=tenant_name)
tenant_id = tenant_ref['id']
else:
tenant_id = auth.get('tenantId', None)
tenants = self.identity_api.get_tenants_for_user(context, user_id)
if tenant_id:
if not tenant_id in tenants:
LOG.warning('User %s is authorized for tenant %s'
% (user_id, tenant_id))
raise exception.Unauthorized()
#if the old token is sufficient unpack and return it.
if (old_token_ref['tenant']) and \
(tenant_id == old_token_ref['tenant']['id']) and\
len(old_token) > cms.UUID_TOKEN_LENGTH:
return_data = \
json.loads(cms.verify_token
(old_token,
config.CONF.signing.certfile,
config.CONF.signing.ca_certs))
return_data['access']['token']['id'] = old_token
return return_data
expiry = old_token_ref['expires']
try:
tenant_ref = self.identity_api.get_tenant(context=context,
tenant_id=tenant_id)
except exception.TenantNotFound:
tenant_ref = None
metadata_ref = {}
catalog_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
catalog_ref = {}
# If the tenant is disabled don't allow them to authenticate
if tenant_ref and not tenant_ref.get('enabled', True):
LOG.warning('Tenant %s is disabled' % tenant_id)
raise exception.Unauthorized()
if tenant_ref:
metadata_ref = self.identity_api.get_metadata(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'])
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'],
metadata=metadata_ref)
auth_token_data = dict(dict(user=current_user_ref,
tenant=tenant_ref,
metadata=metadata_ref))
auth_token_data['expires'] = expiry
auth_token_data['id'] = 'placeholder'
roles_ref = []
for role_id in metadata_ref.get('roles', []):
role_ref = self.identity_api.get_role(context, role_id)
roles_ref.append(dict(name=role_ref['name']))
token_data = self._format_token(auth_token_data, roles_ref)
service_catalog = self._format_catalog(catalog_ref)
token_data['access']['serviceCatalog'] = service_catalog
if config.CONF.signing.disable_pki:
token_id = uuid.uuid4().hex
signed = token_id
else:
signed = cms.cms_sign_text(json.dumps(token_data),
config.CONF.signing.certfile,
config.CONF.signing.keyfile)
token_id = signed
try:
token_ref = self.token_api.create_token(
context, token_id, dict(key=token_id,
id=signed,
user=user_ref,
tenant=tenant_ref,
metadata=metadata_ref))
except Exception as ex:
#an identical token may have been created already.
#if so, return the token_data as it is also identical
try:
exist_token = self.token_api.get_token(context=context,
token_id=token_id)
except exception.TokenNotFound:
raise ex
token_data['access']['token']['id'] = signed
return token_data
