def get(self):
"""Validate a token.
HEAD/GET /v3/auth/tokens
"""
# TODO(morgan): eliminate the check_token action only use validate
# NOTE(morgan): Well lookie here, we have different enforcements
# for no good reason (historical), because the methods previouslly
# had to be named different names. Check which method and do the
# correct enforcement.
if flask.request.method == 'HEAD':
ENFORCER.enforce_call(action='identity:check_token')
else:
ENFORCER.enforce_call(action='identity:validate_token')
token_id = flask.request.headers.get(
authorization.SUBJECT_TOKEN_HEADER)
access_rules_support = flask.request.headers.get(
authorization.ACCESS_RULES_HEADER)
allow_expired = strutils.bool_from_string(
flask.request.args.get('allow_expired'))
window_secs = CONF.token.allow_expired_window if allow_expired else 0
include_catalog = 'nocatalog' not in flask.request.args
token = PROVIDERS.token_provider_api.validate_token(
token_id,
window_seconds=window_secs,
access_rules_support=access_rules_support)
token_resp = render_token.render_token_response_from_model(
token, include_catalog=include_catalog)
resp_body = jsonutils.dumps(token_resp)
response = flask.make_response(resp_body, http_client.OK)
response.headers['X-Subject-Token'] = token_id
response.headers['Content-Type'] = 'application/json'
return response
def _keystone_specific_values(self, token, request_context):
request_context.token_reference = (
render_token.render_token_response_from_model(token)
)
if token.domain_scoped:
# Domain scoped tokens should never have is_admin_project set
# Even if KSA defaults it otherwise. The two mechanisms are
# parallel; only ione or the other should be used for access.
request_context.is_admin_project = False
request_context.domain_id = token.domain_id
request_context.domain_name = token.domain['name']
if token.oauth_scoped:
request_context.is_delegated_auth = True
request_context.oauth_consumer_id = (
token.access_token['consumer_id']
)
request_context.oauth_access_token_id = token.access_token_id
if token.trust_scoped:
request_context.is_delegated_auth = True
request_context.trust_id = token.trust_id
if token.is_federated:
request_context.group_ids = []
for group in token.federated_groups:
request_context.group_ids.append(group['id'])
else:
request_context.group_ids = []
def _keystone_specific_values(self, token, request_context):
request_context.token_reference = (
render_token.render_token_response_from_model(token)
)
if token.domain_scoped:
# Domain scoped tokens should never have is_admin_project set
# Even if KSA defaults it otherwise. The two mechanisms are
# parallel; only ione or the other should be used for access.
request_context.is_admin_project = False
request_context.domain_id = token.domain_id
request_context.domain_name = token.domain['name']
if token.oauth_scoped:
request_context.is_delegated_auth = True
request_context.oauth_consumer_id = (
token.access_token['consumer_id']
)
request_context.oauth_access_token_id = token.access_token_id
if token.trust_scoped:
request_context.is_delegated_auth = True
request_context.trust_id = token.trust_id
if token.is_federated:
request_context.group_ids = []
for group in token.federated_groups:
request_context.group_ids.append(group['id'])
else:
request_context.group_ids = []
def fetch_token(self, token, **kwargs):
try:
self.token = self.token_provider_api.validate_token(
token, access_rules_support=ACCESS_RULES_MIN_VERSION)
return render_token.render_token_response_from_model(self.token)
except exception.TokenNotFound:
raise auth_token.InvalidToken(_('Could not find token'))
def get(self):
"""Validate a token.
HEAD/GET /v3/auth/tokens
"""
# TODO(morgan): eliminate the check_token action only use validate
# NOTE(morgan): Well lookie here, we have different enforcements
# for no good reason (historical), because the methods previouslly
# had to be named different names. Check which method and do the
# correct enforcement.
if flask.request.method == 'HEAD':
ENFORCER.enforce_call(action='identity:check_token')
else:
ENFORCER.enforce_call(action='identity:validate_token')
token_id = flask.request.headers.get(
authorization.SUBJECT_TOKEN_HEADER)
allow_expired = strutils.bool_from_string(
flask.request.args.get('allow_expired'))
window_secs = CONF.token.allow_expired_window if allow_expired else 0
include_catalog = 'nocatalog' not in flask.request.args
token = PROVIDERS.token_provider_api.validate_token(
token_id, window_seconds=window_secs)
token_resp = render_token.render_token_response_from_model(
token, include_catalog=include_catalog)
resp_body = jsonutils.dumps(token_resp)
response = flask.make_response(resp_body, http_client.OK)
response.headers['X-Subject-Token'] = token_id
response.headers['Content-Type'] = 'application/json'
return response
def post(self):
"""Authenticate s3token.
POST /v3/s3tokens
"""
token = self.handle_authenticate()
token_reference = render_token.render_token_response_from_model(token)
resp_body = jsonutils.dumps(token_reference)
response = flask.make_response(resp_body, http.client.OK)
response.headers['Content-Type'] = 'application/json'
return response
def post(self):
"""Authenticate s3token.
POST /v3/s3tokens
"""
token = self.handle_authenticate()
token_reference = render_token.render_token_response_from_model(token)
resp_body = jsonutils.dumps(token_reference)
response = flask.make_response(resp_body, http_client.OK)
response.headers['Content-Type'] = 'application/json'
return response
def _enforce(self, credentials, action, target, do_raise=True):
"""Verify that the action is valid on the target in this context.
This method is for cases that exceed the base enforcer
functionality (notably for compatibility with `@protected` style
decorators.
:param credentials: user credentials
:param action: string representing the action to be checked, which
should be colon separated for clarity.
:param target: dictionary representing the object of the action for
object creation this should be a dictionary
representing the location of the object e.g.
{'project_id': object.project_id}
:raises keystone.exception.Forbidden: If verification fails.
Actions should be colon separated for clarity. For example:
* identity:list_users
"""
# Add the exception arguments if asked to do a raise
extra = {}
if do_raise:
extra.update(exc=exception.ForbiddenAction,
action=action,
do_raise=do_raise)
# NOTE(lbragstad): If there is a token in the credentials dictionary,
# it's going to be an instance of a TokenModel. We'll need to convert
# it to the a token response or dictionary before passing it to
# oslo.policy for enforcement. This is because oslo.policy shouldn't
# know how to deal with an internal object only used within keystone.
#
# TODO(morgan): Rework this to not need an explicit token render as
# this is a generally poorly designed behavior. The enforcer should not
# rely on a contract of the token's rendered JSON form. This likely
# needs reworking of how we handle the context in oslo.policy. Until
# this is reworked, it is not possible to merge the token render
# function into keystone.api
if 'token' in credentials:
token_ref = render_token.render_token_response_from_model(
credentials['token'])
credentials_copy = copy.deepcopy(credentials)
credentials_copy['token'] = token_ref
credentials = credentials_copy
try:
return self._enforcer.enforce(rule=action,
target=target,
creds=credentials,
**extra)
except common_policy.InvalidScope:
raise exception.ForbiddenAction(action=action)
def authenticate(self, context, credentials=None, ec2Credentials=None):
(user_ref, project_ref, roles_ref) = self._authenticate(
credentials=credentials, ec2credentials=ec2Credentials
)
method_names = ['ec2credential']
token = self.token_provider_api.issue_token(
user_ref['id'], method_names, project_id=project_ref['id']
)
token_reference = render_token.render_token_response_from_model(token)
return self.render_token_data_response(token.id, token_reference)
def post(self):
"""Issue a token.
POST /v3/auth/tokens
"""
include_catalog = 'nocatalog' not in flask.request.args
auth_data = self.request_body_json.get('auth')
auth_schema.validate_issue_token_auth(auth_data)
token = authentication.authenticate_for_token(auth_data)
resp_data = render_token.render_token_response_from_model(
token, include_catalog=include_catalog)
resp_body = jsonutils.dumps(resp_data)
response = flask.make_response(resp_body, http_client.CREATED)
response.headers['X-Subject-Token'] = token.id
response.headers['Content-Type'] = 'application/json'
return response
def post(self):
"""Issue a token.
POST /v3/auth/tokens
"""
include_catalog = 'nocatalog' not in flask.request.args
auth_data = self.request_body_json.get('auth')
auth_schema.validate_issue_token_auth(auth_data)
token = authentication.authenticate_for_token(auth_data)
resp_data = render_token.render_token_response_from_model(
token, include_catalog=include_catalog
)
resp_body = jsonutils.dumps(resp_data)
response = flask.make_response(resp_body, http_client.CREATED)
response.headers['X-Subject-Token'] = token.id
response.headers['Content-Type'] = 'application/json'
return response
def _auth(self, idp_id, protocol_id):
"""Build and pass auth data to authentication code.
Build HTTP request body for federated authentication and inject
it into the ``authenticate_for_token`` function.
"""
auth = {
'identity': {
'methods': [protocol_id],
protocol_id: {
'identity_provider': idp_id,
'protocol': protocol_id
},
}
}
token = authentication.authenticate_for_token(auth)
token_data = render_token.render_token_response_from_model(token)
resp_data = jsonutils.dumps(token_data)
flask_resp = flask.make_response(resp_data, http.client.CREATED)
flask_resp.headers['X-Subject-Token'] = token.id
flask_resp.headers['Content-Type'] = 'application/json'
return flask_resp
def _auth(self, idp_id, protocol_id):
"""Build and pass auth data to authentication code.
Build HTTP request body for federated authentication and inject
it into the ``authenticate_for_token`` function.
"""
auth = {
'identity': {
'methods': [protocol_id],
protocol_id: {
'identity_provider': idp_id,
'protocol': protocol_id
},
}
}
token = authentication.authenticate_for_token(auth)
token_data = render_token.render_token_response_from_model(token)
resp_data = jsonutils.dumps(token_data)
flask_resp = flask.make_response(resp_data, http_client.CREATED)
flask_resp.headers['X-Subject-Token'] = token.id
flask_resp.headers['Content-Type'] = 'application/json'
return flask_resp
def fetch_token(self, token, **kwargs):
try:
token_model = self.token_provider_api.validate_token(token)
return render_token.render_token_response_from_model(token_model)
except exception.TokenNotFound:
raise auth_token.InvalidToken(_('Could not find token'))
def fetch_token(self, token, **kwargs):
try:
self.token = self.token_provider_api.validate_token(token)
return render_token.render_token_response_from_model(self.token)
except exception.TokenNotFound:
raise auth_token.InvalidToken(_('Could not find token'))
