def _populate_token_dates(self, token_data, expires=None, trust=None): if not expires: expires = token.default_expire_time() if not isinstance(expires, basestring): expires = timeutils.isotime(expires, subsecond=True) token_data['expires_at'] = expires token_data['issued_at'] = timeutils.isotime(subsecond=True)
def _populate_token_dates(self, token_data, expires=None, trust=None, issued_at=None): if not expires: expires = provider.default_expire_time() if not isinstance(expires, six.string_types): expires = timeutils.isotime(expires, subsecond=True) token_data['expires_at'] = expires token_data['issued_at'] = (issued_at or timeutils.isotime(subsecond=True))
def to_dict(self): keys = ["user_id", "role_id", "domain_id", "project_id"] event = dict((key, self.__dict__[key]) for key in keys if self.__dict__[key] is not None) if self.trust_id is not None: event["OS-TRUST:trust_id"] = self.trust_id if self.consumer_id is not None: event["OS-OAUTH1:consumer_id"] = self.consumer_id if self.consumer_id is not None: event["OS-OAUTH1:access_token_id"] = self.access_token_id if self.expires_at is not None: event["expires_at"] = timeutils.isotime(self.expires_at, subsecond=True) if self.issued_before is not None: event["issued_before"] = timeutils.isotime(self.issued_before, subsecond=True) return event
def _populate_token(self, token_data, expires=None): if not expires: expires = token_module.default_expire_time() if not isinstance(expires, unicode): expires = timeutils.isotime(expires) token_data['expires'] = expires token_data['issued_at'] = timeutils.strtime()
def create_v3_token(): return { "token": { "expires_at": timeutils.isotime(CURRENT_DATE + FUTURE_DELTA), "issued_at": "2013-05-21T00:02:43.941473Z", } }
def create_request_token(self, consumer_id, roles, project_id, token_duration): expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) ref = {} request_token_id = uuid.uuid4().hex ref['id'] = request_token_id ref['request_secret'] = uuid.uuid4().hex ref['verifier'] = None ref['authorizing_user_id'] = None ref['requested_project_id'] = project_id ref['requested_roles'] = roles ref['consumer_id'] = consumer_id ref['expires_at'] = expiry_date self.db.set('request_token-%s' % request_token_id, ref) # add req token to the list that containers the consumers req tokens consumer_requests = set( self.db.get('consumer-%s-requests' % consumer_id, [])) consumer_requests.add(request_token_id) self.db.set('consumer-%s-requests' % consumer_id, list(consumer_requests)) return ref
def _create_response(self, issuer, status, assertion, recipient): """Create an object that represents a SAML Response. <ns0:Response Destination="http://beta.com/Shibboleth.sso/SAML2/POST" ID="c5954543230e4e778bc5b92923a0512d" IssueInstant="2014-07-30T03:19:45Z" Version="2.0" /> <ns0:Issuer> ... </ns0:Issuer> <ns0:Assertion> ... </ns0:Assertion> <ns0:Status> ... </ns0:Status> </ns0:Response> :return: XML <Response> object """ response = samlp.Response() response.id = uuid.uuid4().hex response.destination = recipient response.issue_instant = timeutils.isotime() response.version = '2.0' response.issuer = issuer response.status = status response.assertion = assertion return response
def _create_assertion(self, issuer, signature, subject, authn_statement, attribute_statement): """Create an object that represents a SAML Assertion. <ns0:Assertion ID="35daed258ba647ba8962e9baff4d6a46" IssueInstant="2014-06-11T15:45:58Z" Version="2.0"> <ns0:Issuer> ... </ns0:Issuer> <ns1:Signature> ... </ns1:Signature> <ns0:Subject> ... </ns0:Subject> <ns0:AuthnStatement> ... </ns0:AuthnStatement> <ns0:AttributeStatement> ... </ns0:AttributeStatement> </ns0:Assertion> :return: XML <Assertion> object """ assertion = saml.Assertion() assertion.id = self.assertion_id assertion.issue_instant = timeutils.isotime() assertion.version = '2.0' assertion.issuer = issuer assertion.signature = signature assertion.subject = subject assertion.authn_statement = authn_statement assertion.attribute_statement = attribute_statement return assertion
def _add_to_revocation_list(self, data, lock): filtered_list = [] revoked_token_data = {} current_time = self._get_current_time() expires = data['expires'] if isinstance(expires, six.string_types): expires = timeutils.parse_isotime(expires) expires = timeutils.normalize_time(expires) if expires < current_time: LOG.warning( _('Token `%s` is expired, not adding to the ' 'revocation list.'), data['id']) return revoked_token_data['expires'] = timeutils.isotime(expires, subsecond=True) revoked_token_data['id'] = data['id'] token_list = self._get_key_or_default(self.revocation_key, default=[]) if not isinstance(token_list, list): # NOTE(morganfainberg): In the case that the revocation list is not # in a format we understand, reinitialize it. This is an attempt to # not allow the revocation list to be completely broken if # somehow the key is changed outside of keystone (e.g. memcache # that is shared by multiple applications). Logging occurs at error # level so that the cloud administrators have some awareness that # the revocation_list needed to be cleared out. In all, this should # be recoverable. Keystone cannot control external applications # from changing a key in some backends, however, it is possible to # gracefully handle and notify of this event. LOG.error( _('Reinitializing revocation list due to error ' 'in loading revocation list from backend. ' 'Expected `list` type got `%(type)s`. Old ' 'revocation list data: %(list)r'), { 'type': type(token_list), 'list': token_list }) token_list = [] # NOTE(morganfainberg): on revocation, cleanup the expired entries, try # to keep the list of tokens revoked at the minimum. for token_data in token_list: try: expires_at = timeutils.normalize_time( timeutils.parse_isotime(token_data['expires'])) except ValueError: LOG.warning( _('Removing `%s` from revocation list due to ' 'invalid expires data in revocation list.'), token_data.get('id', 'INVALID_TOKEN_DATA')) continue if expires_at > current_time: filtered_list.append(token_data) filtered_list.append(revoked_token_data) self._set_key(self.revocation_key, filtered_list, lock)
def assertReportedEventMatchesRecorded(self, event, sample, before_time): after_time = timeutils.utcnow() event_issued_before = timeutils.normalize_time( timeutils.parse_isotime(event['issued_before'])) self.assertTrue( before_time <= event_issued_before, 'invalid event issued_before time; %s is not later than %s.' % ( timeutils.isotime(event_issued_before, subsecond=True), timeutils.isotime(before_time, subsecond=True))) self.assertTrue( event_issued_before <= after_time, 'invalid event issued_before time; %s is not earlier than %s.' % ( timeutils.isotime(event_issued_before, subsecond=True), timeutils.isotime(after_time, subsecond=True))) del (event['issued_before']) self.assertEqual(sample, event)
def assertReportedEventMatchesRecorded(self, event, sample, before_time): after_time = timeutils.utcnow() event_issued_before = timeutils.normalize_time( timeutils.parse_isotime(event['issued_before'])) self.assertTrue( before_time <= event_issued_before, 'invalid event issued_before time; %s is not later than %s.' % (timeutils.isotime(event_issued_before, subsecond=True), timeutils.isotime(before_time, subsecond=True))) self.assertTrue( event_issued_before <= after_time, 'invalid event issued_before time; %s is not earlier than %s.' % (timeutils.isotime(event_issued_before, subsecond=True), timeutils.isotime(after_time, subsecond=True))) del (event['issued_before']) self.assertEqual(sample, event)
def format_token(cls, token_ref, roles_ref, catalog_ref=None): user_ref = token_ref['user'] metadata_ref = token_ref['metadata'] expires = token_ref['expires'] if expires is not None: if not isinstance(expires, unicode): expires = timeutils.isotime(expires) o = {'access': {'token': {'id': token_ref['id'], 'expires': expires, 'issued_at': timeutils.strtime() }, 'user': {'id': user_ref['id'], 'name': user_ref['name'], 'username': user_ref['name'], 'roles': roles_ref, 'roles_links': metadata_ref.get('roles_links', []) } } } if 'tenant' in token_ref and token_ref['tenant']: token_ref['tenant']['enabled'] = True o['access']['token']['tenant'] = token_ref['tenant'] if catalog_ref is not None: o['access']['serviceCatalog'] = Auth.format_catalog(catalog_ref) if metadata_ref: if 'is_admin' in metadata_ref: o['access']['metadata'] = {'is_admin': metadata_ref['is_admin']} else: o['access']['metadata'] = {'is_admin': 0} if 'roles' in metadata_ref: o['access']['metadata']['roles'] = metadata_ref['roles'] return o
def create_access_token(self, request_token_id, token_duration, access_token_id=None, access_token_secret=None): if access_token_id is None: access_token_id = uuid.uuid4().hex if access_token_secret is None: access_token_secret = uuid.uuid4().hex session = sql.get_session() with session.begin(): req_token_ref = self._get_request_token(session, request_token_id) token_dict = req_token_ref.to_dict() expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) # add Access Token ref = {} ref['id'] = access_token_id ref['access_secret'] = access_token_secret ref['authorizing_user_id'] = token_dict['authorizing_user_id'] ref['project_id'] = token_dict['requested_project_id'] ref['role_ids'] = token_dict['role_ids'] ref['consumer_id'] = token_dict['consumer_id'] ref['expires_at'] = expiry_date token_ref = AccessToken.from_dict(ref) session.add(token_ref) # remove request token, it's been used session.delete(req_token_ref) return token_ref.to_dict()
def format_token(cls, token_ref, roles_ref, catalog_ref=None): user_ref = token_ref["user"] metadata_ref = token_ref["metadata"] expires = token_ref["expires"] if expires is not None: if not isinstance(expires, unicode): expires = timeutils.isotime(expires) o = { "access": { "token": {"id": token_ref["id"], "expires": expires, "issued_at": timeutils.strtime()}, "user": { "id": user_ref["id"], "name": user_ref["name"], "username": user_ref["name"], "roles": roles_ref, "roles_links": metadata_ref.get("roles_links", []), }, } } if "tenant" in token_ref and token_ref["tenant"]: token_ref["tenant"]["enabled"] = True o["access"]["token"]["tenant"] = token_ref["tenant"] if catalog_ref is not None: o["access"]["serviceCatalog"] = Auth.format_catalog(catalog_ref) if metadata_ref: if "is_admin" in metadata_ref: o["access"]["metadata"] = {"is_admin": metadata_ref["is_admin"]} else: o["access"]["metadata"] = {"is_admin": 0} if "roles" in metadata_ref: o["access"]["metadata"]["roles"] = metadata_ref["roles"] return o
def create_access_token(self, request_token_id, token_duration): session = self.get_session() with session.begin(): req_token_ref = self._get_request_token(session, request_token_id) token_dict = req_token_ref.to_dict() expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) # add Access Token ref = {} access_token_id = uuid.uuid4().hex ref['id'] = access_token_id ref['access_secret'] = uuid.uuid4().hex ref['authorizing_user_id'] = token_dict['authorizing_user_id'] ref['project_id'] = token_dict['requested_project_id'] ref['requested_roles'] = token_dict['requested_roles'] ref['consumer_id'] = token_dict['consumer_id'] ref['expires_at'] = expiry_date token_ref = AccessToken.from_dict(ref) session.add(token_ref) # remove request token, it's been used q = session.query(RequestToken) q = q.filter_by(id=request_token_id) q.delete(False) session.delete(req_token_ref) session.flush() return token_ref.to_dict()
def list_trusts(self, context): query = context['query_string'] trusts = [] if not query: self.assert_admin(context) trusts += self.trust_api.list_trusts() if 'trustor_user_id' in query: user_id = query['trustor_user_id'] calling_user_id = self._get_user_id(context) if user_id != calling_user_id: raise exception.Forbidden() trusts += (self.trust_api.list_trusts_for_trustor(user_id)) if 'trustee_user_id' in query: user_id = query['trustee_user_id'] calling_user_id = self._get_user_id(context) if user_id != calling_user_id: raise exception.Forbidden() trusts += self.trust_api.list_trusts_for_trustee(user_id) for trust in trusts: # get_trust returns roles, list_trusts does not # It seems in some circumstances, roles does not # exist in the query response, so check first if 'roles' in trust: del trust['roles'] if trust.get('expires_at') is not None: trust['expires_at'] = (timeutils.isotime(trust['expires_at'], subsecond=True)) return TrustV3.wrap_collection(context, trusts)
def list_trusts(self, context): query = context['query_string'] trusts = [] if not query: self.assert_admin(context) trusts += self.trust_api.list_trusts() if 'trustor_user_id' in query: user_id = query['trustor_user_id'] calling_user_id = self._get_user_id(context) if user_id != calling_user_id: raise exception.Forbidden() trusts += (self.trust_api. list_trusts_for_trustor(user_id)) if 'trustee_user_id' in query: user_id = query['trustee_user_id'] calling_user_id = self._get_user_id(context) if user_id != calling_user_id: raise exception.Forbidden() trusts += self.trust_api.list_trusts_for_trustee(user_id) for trust in trusts: # get_trust returns roles, list_trusts does not # It seems in some circumstances, roles does not # exist in the query response, so check first if 'roles' in trust: del trust['roles'] if trust.get('expires_at') is not None: trust['expires_at'] = (timeutils.isotime (trust['expires_at'], subsecond=True)) return TrustV3.wrap_collection(context, trusts)
def create_request_token(self, consumer_id, roles, project_id, token_duration): expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) ref = {} request_token_id = uuid.uuid4().hex ref['id'] = request_token_id ref['request_secret'] = uuid.uuid4().hex ref['verifier'] = None ref['authorizing_user_id'] = None ref['requested_project_id'] = project_id ref['requested_roles'] = roles ref['consumer_id'] = consumer_id ref['expires_at'] = expiry_date self.db.set('request_token-%s' % request_token_id, ref) # add req token to the list that containers the consumers req tokens consumer_requests = set(self.db.get('consumer-%s-requests' % consumer_id, [])) consumer_requests.add(request_token_id) self.db.set('consumer-%s-requests' % consumer_id, list(consumer_requests)) return ref
def create_request_token(self, consumer_id, project_id, token_duration, request_token_id=None, request_token_secret=None): if request_token_id is None: request_token_id = uuid.uuid4().hex if request_token_secret is None: request_token_secret = uuid.uuid4().hex expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) ref = {} ref['id'] = request_token_id ref['request_secret'] = request_token_secret ref['verifier'] = None ref['authorizing_user_id'] = None ref['requested_project_id'] = project_id ref['role_ids'] = None ref['consumer_id'] = consumer_id ref['expires_at'] = expiry_date session = db_session.get_session() with session.begin(): token_ref = RequestToken.from_dict(ref) session.add(token_ref) return token_ref.to_dict()
def create_request_token(self, consumer_id, project_id, token_duration, request_token_id=None, request_token_secret=None): if request_token_id is None: request_token_id = uuid.uuid4().hex if request_token_secret is None: request_token_secret = uuid.uuid4().hex expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) ref = {} ref['id'] = request_token_id ref['request_secret'] = request_token_secret ref['verifier'] = None ref['authorizing_user_id'] = None ref['requested_project_id'] = project_id ref['role_ids'] = None ref['consumer_id'] = consumer_id ref['expires_at'] = expiry_date session = sql.get_session() with session.begin(): token_ref = RequestToken.from_dict(ref) session.add(token_ref) return token_ref.to_dict()
def _fill_in_roles(self, context, trust, global_roles): if trust.get('expires_at') is not None: trust['expires_at'] = (timeutils.isotime(trust['expires_at'], subsecond=True)) if not 'roles' in trust: trust['roles'] = [] trust_full_roles = [] for trust_role in trust['roles']: if isinstance(trust_role, basestring): trust_role = {'id': trust_role} matching_roles = [ x for x in global_roles if x['id'] == trust_role['id'] ] if matching_roles: full_role = identity.controllers.RoleV3.wrap_member( context, matching_roles[0])['role'] trust_full_roles.append(full_role) trust['roles'] = trust_full_roles trust['roles_links'] = { 'self': (CONF.public_endpoint % CONF + "trusts/%s/roles" % trust['id']), 'next': None, 'previous': None }
def to_dict(self): keys = ['user_id', 'role_id', 'domain_id', 'project_id'] event = dict((key, self.__dict__[key]) for key in keys if self.__dict__[key] is not None) if self.trust_id is not None: event['OS-TRUST:trust_id'] = self.trust_id if self.consumer_id is not None: event['OS-OAUTH1:consumer_id'] = self.consumer_id if self.consumer_id is not None: event['OS-OAUTH1:access_token_id'] = self.access_token_id if self.expires_at is not None: event['expires_at'] = timeutils.isotime(self.expires_at, subsecond=True) if self.issued_before is not None: event['issued_before'] = timeutils.isotime(self.issued_before, subsecond=True) return event
def create_v3_token(): return { "token": { 'methods': [], "expires_at": timeutils.isotime(timeutils.utcnow() + FUTURE_DELTA), "issued_at": "2013-05-21T00:02:43.941473Z", } }
def create_v3_token(): return { "token": { "methods": [], "expires_at": timeutils.isotime(timeutils.utcnow() + FUTURE_DELTA), "issued_at": "2013-05-21T00:02:43.941473Z", } }
def test_revoke_by_expiration_project_and_domain_fails(self): user_id = _new_id() expires_at = timeutils.isotime(_future_time(), subsecond=True) domain_id = _new_id() project_id = _new_id() self.assertThat( lambda: self.revoke_api.revoke_by_expiration( user_id, expires_at, domain_id=domain_id, project_id=project_id), matchers.raises(exception.UnexpectedError))
def create_v2_token(): return { "access": { "token": { "expires": timeutils.isotime(timeutils.utcnow() + FUTURE_DELTA), "issued_at": "2013-05-21T00:02:43.941473Z", "tenant": {"enabled": True, "id": "01257", "name": "service"}, } } }
def _add_to_revocation_list(self, data, lock): filtered_list = [] revoked_token_data = {} current_time = self._get_current_time() expires = data['expires'] if isinstance(expires, six.string_types): expires = timeutils.parse_isotime(expires) expires = timeutils.normalize_time(expires) if expires < current_time: LOG.warning(_('Token `%s` is expired, not adding to the ' 'revocation list.'), data['id']) return revoked_token_data['expires'] = timeutils.isotime(expires, subsecond=True) revoked_token_data['id'] = data['id'] token_list = self._get_key_or_default(self.revocation_key, default=[]) if not isinstance(token_list, list): # NOTE(morganfainberg): In the case that the revocation list is not # in a format we understand, reinitialize it. This is an attempt to # not allow the revocation list to be completely broken if # somehow the key is changed outside of keystone (e.g. memcache # that is shared by multiple applications). Logging occurs at error # level so that the cloud administrators have some awareness that # the revocation_list needed to be cleared out. In all, this should # be recoverable. Keystone cannot control external applications # from changing a key in some backends, however, it is possible to # gracefully handle and notify of this event. LOG.error(_('Reinitializing revocation list due to error ' 'in loading revocation list from backend. ' 'Expected `list` type got `%(type)s`. Old ' 'revocation list data: %(list)r'), {'type': type(token_list), 'list': token_list}) token_list = [] # NOTE(morganfainberg): on revocation, cleanup the expired entries, try # to keep the list of tokens revoked at the minimum. for token_data in token_list: try: expires_at = timeutils.normalize_time( timeutils.parse_isotime(token_data['expires'])) except ValueError: LOG.warning(_('Removing `%s` from revocation list due to ' 'invalid expires data in revocation list.'), token_data.get('id', 'INVALID_TOKEN_DATA')) continue if expires_at > current_time: filtered_list.append(token_data) filtered_list.append(revoked_token_data) self._set_key(self.revocation_key, filtered_list, lock)
def test_revoked_token_in_list(self): user_id = uuid.uuid4().hex expires_at = token.default_expire_time() sample = self._blank_event() sample['user_id'] = unicode(user_id) sample['expires_at'] = unicode(timeutils.isotime(expires_at)) before_time = timeutils.utcnow() self.revoke_api.revoke_by_expiration(user_id, expires_at) resp = self.get('/OS-REVOKE/events') events = resp.json_body['events'] self.assertEqual(len(events), 1) self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
def test_revoked_token_in_list(self): user_id = uuid.uuid4().hex expires_at = provider.default_expire_time() sample = self._blank_event() sample['user_id'] = six.text_type(user_id) sample['expires_at'] = six.text_type(timeutils.isotime(expires_at)) before_time = timeutils.utcnow() self.revoke_api.revoke_by_expiration(user_id, expires_at) resp = self.get('/OS-REVOKE/events') events = resp.json_body['events'] self.assertEqual(len(events), 1) self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
def to_dict(self): keys = ['user_id', 'role_id', 'domain_id', 'domain_scope_id', 'project_id', ] event = dict((key, self.__dict__[key]) for key in keys if self.__dict__[key] is not None) if self.trust_id is not None: event['OS-TRUST:trust_id'] = self.trust_id if self.consumer_id is not None: event['OS-OAUTH1:consumer_id'] = self.consumer_id if self.consumer_id is not None: event['OS-OAUTH1:access_token_id'] = self.access_token_id if self.expires_at is not None: event['expires_at'] = timeutils.isotime(self.expires_at) if self.issued_before is not None: event['issued_before'] = timeutils.isotime(self.issued_before, subsecond=True) return event
def revocation_list(self, context, auth=None): tokens = self.token_api.list_revoked_tokens() for t in tokens: expires = t["expires"] if not (expires and isinstance(expires, unicode)): t["expires"] = timeutils.isotime(expires) data = {"revoked": tokens} json_data = json.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {"signed": signed_text}
def test_revoke_by_expiration_project_and_domain_fails(self): user_id = _new_id() expires_at = timeutils.isotime(_future_time(), subsecond=True) domain_id = _new_id() project_id = _new_id() self.assertThat( lambda: self.revoke_api.revoke_by_expiration(user_id, expires_at, domain_id=domain_id, project_id=project_id ), matchers.raises(exception.UnexpectedError))
def revocation_list(self, context, auth=None): tokens = self.token_api.list_revoked_tokens() for t in tokens: expires = t['expires'] if not (expires and isinstance(expires, six.text_type)): t['expires'] = timeutils.isotime(expires) data = {'revoked': tokens} json_data = json.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {'signed': signed_text}
def create_v2_token(): return { "access": { "token": { "expires": timeutils.isotime(CURRENT_DATE + FUTURE_DELTA), "issued_at": "2013-05-21T00:02:43.941473Z", "tenant": { "enabled": True, "id": "01257", "name": "service" } } } }
def revocation_list(self, context, auth=None): if not CONF.token.revoke_by_id: raise exception.Gone() tokens = self.token_api.list_revoked_tokens() for t in tokens: expires = t["expires"] if expires and isinstance(expires, datetime.datetime): t["expires"] = timeutils.isotime(expires) data = {"revoked": tokens} json_data = jsonutils.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {"signed": signed_text}
def test_cleanup_user_index_on_create(self): user_id = six.text_type(uuid.uuid4().hex) valid_token_id, data = self.create_token_sample_data(user_id=user_id) expired_token_id, expired_data = self.create_token_sample_data( user_id=user_id) expire_delta = datetime.timedelta(seconds=86400) # NOTE(morganfainberg): Directly access the data cache since we need to # get expired tokens as well as valid tokens. token_api.list_tokens() # will not return any expired tokens in the list. user_key = self.token_api.driver._prefix_user_id(user_id) user_token_list = self.token_api.driver._store.get(user_key) valid_token_ref = self.token_api.get_token(valid_token_id) expired_token_ref = self.token_api.get_token(expired_token_id) expected_user_token_list = [ (valid_token_id, timeutils.isotime(valid_token_ref['expires'], subsecond=True)), (expired_token_id, timeutils.isotime(expired_token_ref['expires'], subsecond=True)) ] self.assertEqual(expected_user_token_list, user_token_list) new_expired_data = (expired_token_id, timeutils.isotime( (timeutils.utcnow() - expire_delta), subsecond=True)) self._update_user_token_index_direct(user_key, expired_token_id, new_expired_data) valid_token_id_2, valid_data_2 = self.create_token_sample_data( user_id=user_id) valid_token_ref_2 = self.token_api.get_token(valid_token_id_2) expected_user_token_list = [ (valid_token_id, timeutils.isotime(valid_token_ref['expires'], subsecond=True)), (valid_token_id_2, timeutils.isotime(valid_token_ref_2['expires'], subsecond=True)) ] user_token_list = self.token_api.driver._store.get(user_key) self.assertEqual(expected_user_token_list, user_token_list) # Test that revoked tokens are removed from the list on create. self.token_api.delete_token(valid_token_id_2) new_token_id, data = self.create_token_sample_data(user_id=user_id) new_token_ref = self.token_api.get_token(new_token_id) expected_user_token_list = [ (valid_token_id, timeutils.isotime(valid_token_ref['expires'], subsecond=True)), (new_token_id, timeutils.isotime(new_token_ref['expires'], subsecond=True)) ] user_token_list = self.token_api.driver._store.get(user_key) self.assertEqual(expected_user_token_list, user_token_list)
def revocation_list(self, context, auth=None): self.assert_admin(context) tokens = self.token_api.list_revoked_tokens(context) for t in tokens: expires = t['expires'] if not (expires and isinstance(expires, unicode)): t['expires'] = timeutils.isotime(expires) data = {'revoked': tokens} json_data = json.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {'signed': signed_text}
def revocation_list(self, context, auth=None): if not CONF.token.revoke_by_id: raise exception.Gone() tokens = self.token_api.list_revoked_tokens() for t in tokens: expires = t['expires'] if expires and isinstance(expires, datetime.datetime): t['expires'] = timeutils.isotime(expires) data = {'revoked': tokens} json_data = json.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {'signed': signed_text}
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None): user_ref = token_ref['user'] metadata_ref = token_ref['metadata'] if roles_ref is None: roles_ref = [] expires = token_ref.get('expires', token.default_expire_time()) if expires is not None: if not isinstance(expires, unicode): expires = timeutils.isotime(expires) o = { 'access': { 'token': { 'id': token_ref['id'], 'expires': expires, 'issued_at': timeutils.strtime() }, 'user': { 'id': user_ref['id'], 'name': user_ref['name'], 'username': user_ref['name'], 'roles': roles_ref, 'roles_links': metadata_ref.get('roles_links', []) } } } if 'bind' in token_ref: o['access']['token']['bind'] = token_ref['bind'] if 'tenant' in token_ref and token_ref['tenant']: token_ref['tenant']['enabled'] = True o['access']['token']['tenant'] = token_ref['tenant'] if catalog_ref is not None: o['access']['serviceCatalog'] = V2TokenDataHelper.format_catalog( catalog_ref) if metadata_ref: if 'is_admin' in metadata_ref: o['access']['metadata'] = { 'is_admin': metadata_ref['is_admin'] } else: o['access']['metadata'] = {'is_admin': 0} if 'roles' in metadata_ref: o['access']['metadata']['roles'] = metadata_ref['roles'] if CONF.trust.enabled and 'trust_id' in metadata_ref: o['access']['trust'] = { 'trustee_user_id': metadata_ref['trustee_user_id'], 'id': metadata_ref['trust_id'] } return o
def _fill_in_roles(self, context, trust, global_roles): if trust.get("expires_at") is not None: trust["expires_at"] = timeutils.isotime(trust["expires_at"], subsecond=True) if "roles" not in trust: trust["roles"] = [] trust_full_roles = [] for trust_role in trust["roles"]: if isinstance(trust_role, basestring): trust_role = {"id": trust_role} matching_roles = [x for x in global_roles if x["id"] == trust_role["id"]] if matching_roles: full_role = identity.controllers.RoleV3.wrap_member(context, matching_roles[0])["role"] trust_full_roles.append(full_role) trust["roles"] = trust_full_roles trust["roles_links"] = {"self": (self.base_url() + "/%s/roles" % trust["id"]), "next": None, "previous": None}
def revocation_list(self, context, auth=None): if not CONF.token.revoke_by_id: raise exception.Gone() tokens = self.token_api.list_revoked_tokens() for t in tokens: expires = t['expires'] if not (expires and isinstance(expires, six.text_type)): t['expires'] = timeutils.isotime(expires) data = {'revoked': tokens} json_data = json.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {'signed': signed_text}
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None): user_ref = token_ref['user'] metadata_ref = token_ref['metadata'] if roles_ref is None: roles_ref = [] expires = token_ref.get('expires', token.default_expire_time()) if expires is not None: if not isinstance(expires, six.text_type): expires = timeutils.isotime(expires) o = {'access': {'token': {'id': token_ref['id'], 'expires': expires, 'issued_at': timeutils.strtime() }, 'user': {'id': user_ref['id'], 'name': user_ref['name'], 'username': user_ref['name'], 'roles': roles_ref, 'roles_links': metadata_ref.get('roles_links', []) } } } if 'bind' in token_ref: o['access']['token']['bind'] = token_ref['bind'] if 'tenant' in token_ref and token_ref['tenant']: token_ref['tenant']['enabled'] = True o['access']['token']['tenant'] = token_ref['tenant'] if catalog_ref is not None: o['access']['serviceCatalog'] = V2TokenDataHelper.format_catalog( catalog_ref) if metadata_ref: if 'is_admin' in metadata_ref: o['access']['metadata'] = {'is_admin': metadata_ref['is_admin']} else: o['access']['metadata'] = {'is_admin': 0} if 'roles' in metadata_ref: o['access']['metadata']['roles'] = metadata_ref['roles'] if CONF.trust.enabled and 'trust_id' in metadata_ref: o['access']['trust'] = {'trustee_user_id': metadata_ref['trustee_user_id'], 'id': metadata_ref['trust_id'] } # Kerberos #o['access']['kerberos'] = token_ref['kerberos'] return o
def test_cleanup_user_index_on_create(self): user_id = six.text_type(uuid.uuid4().hex) valid_token_id, data = self.create_token_sample_data(user_id=user_id) expired_token_id, expired_data = self.create_token_sample_data( user_id=user_id) expire_delta = datetime.timedelta(seconds=86400) # NOTE(morganfainberg): Directly access the data cache since we need to # get expired tokens as well as valid tokens. token_api.list_tokens() # will not return any expired tokens in the list. user_key = self.token_api.driver._prefix_user_id(user_id) user_token_list = self.token_api.driver._store.get(user_key) valid_token_ref = self.token_api.get_token(valid_token_id) expired_token_ref = self.token_api.get_token(expired_token_id) expected_user_token_list = [ (valid_token_id, timeutils.isotime(valid_token_ref['expires'], subsecond=True)), (expired_token_id, timeutils.isotime(expired_token_ref['expires'], subsecond=True))] self.assertEqual(user_token_list, expected_user_token_list) new_expired_data = (expired_token_id, timeutils.isotime( (timeutils.utcnow() - expire_delta), subsecond=True)) self._update_user_token_index_direct(user_key, expired_token_id, new_expired_data) valid_token_id_2, valid_data_2 = self.create_token_sample_data( user_id=user_id) valid_token_ref_2 = self.token_api.get_token(valid_token_id_2) expected_user_token_list = [ (valid_token_id, timeutils.isotime(valid_token_ref['expires'], subsecond=True)), (valid_token_id_2, timeutils.isotime(valid_token_ref_2['expires'], subsecond=True))] user_token_list = self.token_api.driver._store.get(user_key) self.assertEqual(user_token_list, expected_user_token_list) # Test that revoked tokens are removed from the list on create. self.token_api.delete_token(valid_token_id_2) new_token_id, data = self.create_token_sample_data(user_id=user_id) new_token_ref = self.token_api.get_token(new_token_id) expected_user_token_list = [ (valid_token_id, timeutils.isotime(valid_token_ref['expires'], subsecond=True)), (new_token_id, timeutils.isotime(new_token_ref['expires'], subsecond=True))] user_token_list = self.token_api.driver._store.get(user_key) self.assertEqual(user_token_list, expected_user_token_list)
def create_token(self, token_id, data): """Create a token by id and data. It is assumed the caller has performed data validation on the "data" parameter. """ data_copy = copy.deepcopy(data) ptk = self._prefix_token_id(token_id) if not data_copy.get('expires'): data_copy['expires'] = token.default_expire_time() if not data_copy.get('user_id'): data_copy['user_id'] = data_copy['user']['id'] # NOTE(morganfainberg): for ease of manipulating the data without # concern about the backend, always store the value(s) in the # index as the isotime (string) version so this is where the string is # built. expires_str = timeutils.isotime(data_copy['expires'], subsecond=True) self._set_key(ptk, data_copy) user_id = data['user']['id'] user_key = self._prefix_user_id(user_id) self._update_user_token_list(user_key, token_id, expires_str) if CONF.trust.enabled and data.get('trust_id'): # NOTE(morganfainberg): If trusts are enabled and this is a trust # scoped token, we add the token to the trustee list as well. This # allows password changes of the trustee to also expire the token. # There is no harm in placing the token in multiple lists, as # _list_tokens is smart enough to handle almost any case of # valid/invalid/expired for a given token. token_data = data_copy['token_data'] if data_copy['token_version'] == token.provider.V2: trustee_user_id = token_data['access']['trust'][ 'trustee_user_id'] elif data_copy['token_version'] == token.provider.V3: trustee_user_id = token_data['OS-TRUST:trust'][ 'trustee_user_id'] else: raise token.provider.UnsupportedTokenVersionException( _('Unknown token version %s') % data_copy.get('token_version')) trustee_key = self._prefix_user_id(trustee_user_id) self._update_user_token_list(trustee_key, token_id, expires_str) return data_copy
def create_access_token(self, request_id, token_duration): request_token = self.db.get('request_token-%s' % request_id) expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) ref = {} access_token_id = uuid.uuid4().hex ref['id'] = access_token_id ref['access_secret'] = uuid.uuid4().hex ref['authorizing_user_id'] = request_token['authorizing_user_id'] ref['project_id'] = request_token['requested_project_id'] ref['requested_roles'] = request_token['requested_roles'] ref['consumer_id'] = request_token['consumer_id'] ref['expires_at'] = expiry_date self.db.set('access_token-%s' % access_token_id, ref) #add access token id to user authorizations list too user_id = request_token['authorizing_user_id'] user_auth_list = set(self.db.get('auth_list-%s' % user_id, [])) user_auth_list.add(access_token_id) self.db.set('auth_list-%s' % user_id, list(user_auth_list)) #delete request token from table, it has been exchanged self.db.get('request_token-%s' % request_id) self.db.delete('request_token-%s' % request_id) #add access token to the list that containers the consumers acc tokens consumer_id = request_token['consumer_id'] consumer_accesses = set(self.db.get('consumer-%s-accesses' % consumer_id, [])) consumer_accesses.add(access_token_id) self.db.set('consumer-%s-accesses' % consumer_id, list(consumer_accesses)) # remove the used up request token id from consumer req list consumer_requests = set(self.db.get('consumer-%s-requests' % consumer_id, [])) consumer_requests.remove(request_id) self.db.set('consumer-%s-requests' % consumer_id, list(consumer_requests)) return ref
def create_token(self, token_id, data): """Create a token by id and data. It is assumed the caller has performed data validation on the "data" parameter. """ data_copy = copy.deepcopy(data) ptk = self._prefix_token_id(token_id) if not data_copy.get('expires'): data_copy['expires'] = provider.default_expire_time() if not data_copy.get('user_id'): data_copy['user_id'] = data_copy['user']['id'] # NOTE(morganfainberg): for ease of manipulating the data without # concern about the backend, always store the value(s) in the # index as the isotime (string) version so this is where the string is # built. expires_str = timeutils.isotime(data_copy['expires'], subsecond=True) self._set_key(ptk, data_copy) user_id = data['user']['id'] user_key = self._prefix_user_id(user_id) self._update_user_token_list(user_key, token_id, expires_str) if CONF.trust.enabled and data.get('trust_id'): # NOTE(morganfainberg): If trusts are enabled and this is a trust # scoped token, we add the token to the trustee list as well. This # allows password changes of the trustee to also expire the token. # There is no harm in placing the token in multiple lists, as # _list_tokens is smart enough to handle almost any case of # valid/invalid/expired for a given token. token_data = data_copy['token_data'] if data_copy['token_version'] == token.provider.V2: trustee_user_id = token_data['access']['trust'][ 'trustee_user_id'] elif data_copy['token_version'] == token.provider.V3: trustee_user_id = token_data['OS-TRUST:trust'][ 'trustee_user_id'] else: raise token.provider.UnsupportedTokenVersionException( _('Unknown token version %s') % data_copy.get('token_version')) trustee_key = self._prefix_user_id(trustee_user_id) self._update_user_token_list(trustee_key, token_id, expires_str) return data_copy
def create_access_token(self, request_id, token_duration): request_token = self.db.get('request_token-%s' % request_id) expiry_date = None if token_duration: now = timeutils.utcnow() future = now + datetime.timedelta(seconds=token_duration) expiry_date = timeutils.isotime(future, subsecond=True) ref = {} access_token_id = uuid.uuid4().hex ref['id'] = access_token_id ref['access_secret'] = uuid.uuid4().hex ref['authorizing_user_id'] = request_token['authorizing_user_id'] ref['project_id'] = request_token['requested_project_id'] ref['requested_roles'] = request_token['requested_roles'] ref['consumer_id'] = request_token['consumer_id'] ref['expires_at'] = expiry_date self.db.set('access_token-%s' % access_token_id, ref) #add access token id to user authorizations list too user_id = request_token['authorizing_user_id'] user_auth_list = set(self.db.get('auth_list-%s' % user_id, [])) user_auth_list.add(access_token_id) self.db.set('auth_list-%s' % user_id, list(user_auth_list)) #delete request token from table, it has been exchanged self.db.get('request_token-%s' % request_id) self.db.delete('request_token-%s' % request_id) #add access token to the list that containers the consumers acc tokens consumer_id = request_token['consumer_id'] consumer_accesses = set( self.db.get('consumer-%s-accesses' % consumer_id, [])) consumer_accesses.add(access_token_id) self.db.set('consumer-%s-accesses' % consumer_id, list(consumer_accesses)) # remove the used up request token id from consumer req list consumer_requests = set( self.db.get('consumer-%s-requests' % consumer_id, [])) consumer_requests.remove(request_id) self.db.set('consumer-%s-requests' % consumer_id, list(consumer_requests)) return ref
def _format_token(self, token_ref, roles_ref, catalog_ref=None): user_ref = token_ref['user'] metadata_ref = token_ref['metadata'] expires = token_ref['expires'] if expires is not None: if not isinstance(expires, unicode): expires = timeutils.isotime(expires) o = { 'access': { 'token': { 'id': token_ref['id'], 'expires': expires, 'issued_at': timeutils.strtime() }, 'user': { 'id': user_ref['id'], 'name': user_ref['name'], 'username': user_ref['name'], 'roles': roles_ref, 'roles_links': metadata_ref.get('roles_links', []) } } } if 'tenant' in token_ref and token_ref['tenant']: token_ref['tenant']['enabled'] = True o['access']['token']['tenant'] = token_ref['tenant'] if catalog_ref is not None: o['access']['serviceCatalog'] = self._format_catalog(catalog_ref) if metadata_ref: if 'is_admin' in metadata_ref: o['access']['metadata'] = { 'is_admin': metadata_ref['is_admin'] } else: o['access']['metadata'] = {'is_admin': 0} if 'roles' in metadata_ref: o['access']['metadata']['roles'] = metadata_ref['roles'] return o
def _fill_in_roles(self, context, trust, all_roles): if trust.get('expires_at') is not None: trust['expires_at'] = (timeutils.isotime (trust['expires_at'], subsecond=True)) if 'roles' not in trust: trust['roles'] = [] trust_full_roles = [] for trust_role in trust['roles']: if isinstance(trust_role, six.string_types): trust_role = {'id': trust_role} matching_roles = [x for x in all_roles if x['id'] == trust_role['id']] if matching_roles: full_role = assignment.controllers.RoleV3.wrap_member( context, matching_roles[0])['role'] trust_full_roles.append(full_role) trust['roles'] = trust_full_roles trust['roles_links'] = { 'self': (self.base_url(context) + "/%s/roles" % trust['id']), 'next': None, 'previous': None}
def _create_authn_statement(self, issuer, expiration_time): """Create an object that represents a SAML AuthnStatement. <ns0:AuthnStatement xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2014-07-30T03:04:25Z" SessionIndex="47335964efb" SessionNotOnOrAfter="2014-07-30T03:04:26Z"> <ns0:AuthnContext> <ns0:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </ns0:AuthnContextClassRef> <ns0:AuthenticatingAuthority> https://acme.com/FIM/sps/openstack/saml20 </ns0:AuthenticatingAuthority> </ns0:AuthnContext> </ns0:AuthnStatement> :return: XML <AuthnStatement> object """ authn_statement = saml.AuthnStatement() authn_statement.authn_instant = timeutils.isotime() authn_statement.session_index = uuid.uuid4().hex authn_statement.session_not_on_or_after = expiration_time authn_context = saml.AuthnContext() authn_context_class = saml.AuthnContextClassRef() authn_context_class.set_text(saml.AUTHN_PASSWORD) authn_authority = saml.AuthenticatingAuthority() authn_authority.set_text(issuer) authn_context.authn_context_class_ref = authn_context_class authn_context.authenticating_authority = authn_authority authn_statement.authn_context = authn_context return authn_statement
def _authenticate_token(self, context, auth): """Try to authenticate using an already existing token. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'token' not in auth: raise exception.ValidationError(attribute='token', target='auth') if "id" not in auth['token']: raise exception.ValidationError(attribute="id", target="token") old_token = auth['token']['id'] if len(old_token) > CONF.max_token_size: raise exception.ValidationSizeError(attribute='token', size=CONF.max_token_size) try: old_token_ref = self.token_api.get_token(context=context, token_id=old_token) except exception.NotFound as e: raise exception.Unauthorized(e) #A trust token cannot be used to get another token if 'trust' in old_token_ref: raise exception.Forbidden() if 'trust_id' in old_token_ref['metadata']: raise exception.Forbidden() user_ref = old_token_ref['user'] user_id = user_ref['id'] if not CONF.trust.enabled and 'trust_id' in auth: raise exception.Forbidden('Trusts are disabled.') elif CONF.trust.enabled and 'trust_id' in auth: trust_ref = self.trust_api.get_trust(context, auth['trust_id']) if trust_ref is None: raise exception.Forbidden() if user_id != trust_ref['trustee_user_id']: raise exception.Forbidden() if ('expires' in trust_ref) and (trust_ref['expires']): expiry = trust_ref['expires'] if expiry < timeutils.parse_isotime(timeutils.isotime()): raise exception.Forbidden()() user_id = trust_ref['trustor_user_id'] trustor_user_ref = (self.identity_api.get_user( context=context, user_id=trust_ref['trustor_user_id'])) if not trustor_user_ref['enabled']: raise exception.Forbidden()() trustee_user_ref = self.identity_api.get_user( context, trust_ref['trustee_user_id']) if not trustee_user_ref['enabled']: raise exception.Forbidden()() if trust_ref['impersonation'] == 'True': current_user_ref = trustor_user_ref else: current_user_ref = trustee_user_ref else: current_user_ref = self.identity_api.get_user(context=context, user_id=user_id) tenant_id = self._get_project_id_from_auth(context, auth) tenant_ref = self._get_project_ref(context, user_id, tenant_id) metadata_ref = self._get_metadata_ref(context, user_id, tenant_id) # TODO (henry-nash) If no tenant was specified, instead check # for a domain and find any related user/group roles self._append_roles( metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id)) expiry = old_token_ref['expires'] if CONF.trust.enabled and 'trust_id' in auth: trust_id = auth['trust_id'] trust_roles = [] for role in trust_ref['roles']: if not 'roles' in metadata_ref: raise exception.Forbidden()() if role['id'] in metadata_ref['roles']: trust_roles.append(role['id']) else: raise exception.Forbidden() if 'expiry' in trust_ref and trust_ref['expiry']: trust_expiry = timeutils.parse_isotime(trust_ref['expiry']) if trust_expiry < expiry: expiry = trust_expiry metadata_ref['roles'] = trust_roles metadata_ref['trustee_user_id'] = trust_ref['trustee_user_id'] metadata_ref['trust_id'] = trust_id return (current_user_ref, tenant_ref, metadata_ref, expiry)
def _future_time_string(): expire_delta = datetime.timedelta(seconds=1000) future_time = timeutils.utcnow() + expire_delta return timeutils.isotime(future_time)
def _authenticate_token(self, context, auth): """Try to authenticate using an already existing token. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'token' not in auth: raise exception.ValidationError(attribute='token', target='auth') if "id" not in auth['token']: raise exception.ValidationError(attribute="id", target="token") old_token = auth['token']['id'] if len(old_token) > CONF.max_token_size: raise exception.ValidationSizeError(attribute='token', size=CONF.max_token_size) try: old_token_ref = self.token_api.get_token(old_token) except exception.NotFound as e: raise exception.Unauthorized(e) wsgi.validate_token_bind(context, old_token_ref) #A trust token cannot be used to get another token if 'trust' in old_token_ref: raise exception.Forbidden() if 'trust_id' in old_token_ref['metadata']: raise exception.Forbidden() user_ref = old_token_ref['user'] user_id = user_ref['id'] if not CONF.trust.enabled and 'trust_id' in auth: raise exception.Forbidden('Trusts are disabled.') elif CONF.trust.enabled and 'trust_id' in auth: trust_ref = self.trust_api.get_trust(auth['trust_id']) if trust_ref is None: raise exception.Forbidden() if user_id != trust_ref['trustee_user_id']: raise exception.Forbidden() if ('expires' in trust_ref) and (trust_ref['expires']): expiry = trust_ref['expires'] if expiry < timeutils.parse_isotime(timeutils.isotime()): raise exception.Forbidden()() user_id = trust_ref['trustor_user_id'] trustor_user_ref = self.identity_api.get_user( trust_ref['trustor_user_id']) if not trustor_user_ref['enabled']: raise exception.Forbidden()() trustee_user_ref = self.identity_api.get_user( trust_ref['trustee_user_id']) if not trustee_user_ref['enabled']: raise exception.Forbidden()() self.trust_api.consume_use(auth['trust_id']) if trust_ref['impersonation'] is True: current_user_ref = trustor_user_ref else: current_user_ref = trustee_user_ref else: current_user_ref = self.identity_api.get_user(user_id) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = old_token_ref['expires'] if CONF.trust.enabled and 'trust_id' in auth: trust_id = auth['trust_id'] trust_roles = [] for role in trust_ref['roles']: if 'roles' not in metadata_ref: raise exception.Forbidden()() if role['id'] in metadata_ref['roles']: trust_roles.append(role['id']) else: raise exception.Forbidden() if 'expiry' in trust_ref and trust_ref['expiry']: trust_expiry = timeutils.parse_isotime(trust_ref['expiry']) if trust_expiry < expiry: expiry = trust_expiry metadata_ref['roles'] = trust_roles metadata_ref['trustee_user_id'] = trust_ref['trustee_user_id'] metadata_ref['trust_id'] = trust_id bind = old_token_ref.get('bind') return (current_user_ref, tenant_ref, metadata_ref, expiry, bind)
FUTURE_DELTA), "issued_at": "2013-05-21T00:02:43.941473Z", "tenant": { "enabled": True, "id": "01257", "name": "service" } } } } SAMPLE_V2_TOKEN_EXPIRED = { "access": { "token": { "expires": timeutils.isotime(CURRENT_DATE), "issued_at": "2013-05-21T00:02:43.941473Z", "tenant": { "enabled": True, "id": "01257", "name": "service" } } } } def create_v3_token(): return { "token": { 'methods': [],
def _determine_expiration_time(self, expires_in): if expires_in is None: expires_in = CONF.saml.assertion_expiration_time now = timeutils.utcnow() future = now + datetime.timedelta(seconds=expires_in) return timeutils.isotime(future, subsecond=True)