def issue_v2_token(self, token_ref, roles_ref=None, catalog_ref=None):
    """Issue a V2 formatted token.

    The V3 token data helper is used to build a fully populated token
    reference (without a V3 catalog, which the V2 converter rebuilds
    itself); the result is then converted into the V2 response shape.
    ``roles_ref`` and ``catalog_ref`` are accepted for interface
    compatibility only and are not consulted here.

    :param token_ref: reference describing the token
    :param roles_ref: reference describing the roles for the token (unused)
    :param catalog_ref: reference describing the token's catalog (unused)
    :returns: tuple containing the ID of the token and the token data
    :raises exception.NotImplemented: when ``token_ref`` carries ``bind``
        data -- the Fernet token format has no field for it, so the request
        is refused instead of silently dropping the bind information.
    """
    # TODO(lbragstad): Fernet tokens don't support bind in the token
    # format; answer 501 rather than issue a token that lost its binding.
    if token_ref.get('bind'):
        raise exception.NotImplemented()

    user_id = token_ref['user']['id']
    tenant = token_ref.get('tenant')
    # No (or empty) tenant means an unscoped token.
    project_id = tenant['id'] if tenant else None

    # token_ref carries no method list: password by default, plus 'token'
    # when a parent audit id shows this request came from a token rescope.
    parent_audit_id = token_ref.get('parent_audit_id')
    method_names = ['password', 'token'] if parent_audit_id else ['password']
    # Fresh audit ids generated from the parent (presumably so audit-id
    # based revocation of the parent also covers this token -- confirm).
    audit_ids = provider.audit_info(parent_audit_id)
    # Carry the expiry over so a rescope never extends the original lifetime.
    expires = token_ref.get('expires')

    # V2TokenDataHelper.format_token() only reproduces what is persisted in
    # the token reference, whereas V3TokenDataHelper.get_token_data()
    # populates the reference dynamically from the other Keystone APIs.
    # Build the V3 form first, then convert it to a V2 response.
    v3_token_data = self.v3_token_data_helper.get_token_data(
        user_id,
        method_names,
        project_id=project_id,
        token=token_ref,
        include_catalog=False,
        audit_info=audit_ids,
        expires=expires,
    )
    expires_at = v3_token_data['token']['expires_at']
    token_id = self.token_formatter.create_token(
        user_id,
        expires_at,
        audit_ids,
        methods=method_names,
        project_id=project_id,
    )
    self._build_issued_at_info(token_id, v3_token_data)

    # Convert V3 to V2 token data; the V2 helper builds the V2 catalog.
    token_data = self.v2_token_data_helper.v3_to_v2_token(
        token_id, v3_token_data)
    return token_id, token_data
def issue_v2_token(self, token_ref, roles_ref=None, catalog_ref=None):
    """Issue a V2 formatted token.

    The V3 token data helper is used to build a fully populated token
    reference (without a V3 catalog, which the V2 converter rebuilds
    itself); the result is then converted into the V2 response shape and
    stamped with the newly created token id. ``roles_ref`` and
    ``catalog_ref`` are accepted for interface compatibility only.

    :param token_ref: reference describing the token
    :param roles_ref: reference describing the roles for the token (unused)
    :param catalog_ref: reference describing the token's catalog (unused)
    :returns: tuple containing the ID of the token and the token data
    :raises exception.NotImplemented: when ``token_ref`` carries ``bind``
        data -- the Fernet token format has no field for it, so the request
        is refused instead of silently dropping the bind information.
    """
    # TODO(lbragstad): Fernet tokens don't support bind in the token
    # format; answer 501 rather than issue a token that lost its binding.
    if token_ref.get('bind'):
        raise exception.NotImplemented()

    user_id = token_ref['user']['id']
    tenant = token_ref.get('tenant')
    # No (or empty) tenant means an unscoped token.
    project_id = tenant['id'] if tenant else None

    # token_ref carries no method list: password by default, plus 'token'
    # when a parent audit id shows this request came from a token rescope.
    parent_audit_id = token_ref.get('parent_audit_id')
    method_names = ['password', 'token'] if parent_audit_id else ['password']
    # Fresh audit ids generated from the parent (presumably so audit-id
    # based revocation of the parent also covers this token -- confirm).
    audit_ids = provider.audit_info(parent_audit_id)
    # Carry the expiry over so a rescope never extends the original lifetime.
    expires = token_ref.get('expires')

    # V2TokenDataHelper.format_token() only reproduces what is persisted in
    # the token reference, whereas V3TokenDataHelper.get_token_data()
    # populates the reference dynamically from the other Keystone APIs.
    # Build the V3 form first, then convert it to a V2 response.
    v3_token_data = self.v3_token_data_helper.get_token_data(
        user_id,
        method_names,
        project_id=project_id,
        token=token_ref,
        include_catalog=False,
        audit_info=audit_ids,
        expires=expires,
    )
    expires_at = v3_token_data['token']['expires_at']
    token_id = self.token_formatter.create_token(
        user_id,
        expires_at,
        audit_ids,
        methods=method_names,
        project_id=project_id,
    )
    self._build_issued_at_info(token_id, v3_token_data)

    # Convert V3 to V2 token data (the V2 helper builds the V2 catalog),
    # then write the id in, since the converter is not told about it here.
    token_data = self.v2_token_data_helper.v3_to_v2_token(v3_token_data)
    token_data['access']['token']['id'] = token_id
    return token_id, token_data
def _extract_v2_token_data(self, token_data):
    """Pull the fields needed for a token payload out of a V2 token body.

    :param token_data: V2 token response, ``{"access": {"user": ..., "token": ...}}``
    :returns: 9-tuple ``(user_id, expires_at, audit_ids, methods, domain_id,
        project_id, trust_id, access_token_id, federated_info)``.
        ``domain_id``, ``trust_id``, ``access_token_id`` and
        ``federated_info`` are always ``None``: a V2 token carries none of
        that scope. ``project_id`` is ``None`` for an unscoped token.
    """
    access = token_data["access"]
    token_section = access["token"]

    user_id = access["user"]["id"]
    expires_at = token_section["expires"]
    methods = ["password"]

    audit_ids = token_section.get("audit_ids")
    if audit_ids:
        # NOTE(review): the audit ids already present in token_data are
        # discarded and regenerated from parent_audit_id -- confirm the
        # caller embeds the returned list (not the original) in the token.
        parent_audit_id = token_section.get("parent_audit_id")
        audit_ids = provider.audit_info(parent_audit_id)
        # A parent audit id means this token was obtained with a token.
        if parent_audit_id:
            methods.append("token")

    project_id = token_section.get("tenant", {}).get("id")

    domain_id = None
    trust_id = None
    access_token_id = None
    federated_info = None
    return (
        user_id,
        expires_at,
        audit_ids,
        methods,
        domain_id,
        project_id,
        trust_id,
        access_token_id,
        federated_info,
    )
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None, trust_ref=None):
    """Build a V2 token response body from a persisted token reference.

    :param token_ref: persisted token reference; must carry ``id``, ``user``
        and ``metadata``; may carry ``expires``, ``token_data``,
        ``parent_audit_id``, ``bind`` and ``tenant``
    :param roles_ref: role references for the ``user`` section; ``None``
        means no roles
    :param catalog_ref: service catalog to render, or ``None`` to omit the
        ``serviceCatalog`` section
    :param trust_ref: trust reference, rendered only while trusts are
        enabled in configuration
    :returns: dict with a single ``access`` key

    Side effect: when ``token_ref["tenant"]`` is set, its ``enabled`` flag
    is forced to ``True`` in place on the caller's reference.
    """
    user_ref = token_ref["user"]
    metadata_ref = token_ref["metadata"]
    roles = [] if roles_ref is None else roles_ref

    # Normalise the expiry to an ISO 8601 string; text values pass through.
    expires = token_ref.get("expires", provider.default_expire_time())
    if expires is not None and not isinstance(expires, six.text_type):
        expires = utils.isotime(expires)

    # Prefer the audit ids already embedded in persisted token data (either
    # a full V2 body under "access" or a bare token body); otherwise mint a
    # new list from parent_audit_id so the audit chain continues.
    audit_info = None
    persisted = token_ref.get("token_data")
    if persisted:
        audit_info = (
            persisted.get("access", persisted).get("token", {}).get("audit_ids")
        )
    if audit_info is None:
        audit_info = provider.audit_info(token_ref.get("parent_audit_id"))

    token_section = {
        "id": token_ref["id"],
        "expires": expires,
        "issued_at": utils.strtime(),
        "audit_ids": audit_info,
    }
    user_section = {
        "id": user_ref["id"],
        "name": user_ref["name"],
        "username": user_ref["name"],
        "roles": roles,
        "roles_links": metadata_ref.get("roles_links", []),
    }
    access = {"token": token_section, "user": user_section}

    # Bind data is copied through verbatim from the stored reference.
    if "bind" in token_ref:
        token_section["bind"] = token_ref["bind"]
    tenant = token_ref.get("tenant")
    if tenant:
        tenant["enabled"] = True
        token_section["tenant"] = tenant
    if catalog_ref is not None:
        access["serviceCatalog"] = V2TokenDataHelper.format_catalog(catalog_ref)
    if metadata_ref:
        # is_admin defaults to 0 (not admin) when the metadata is silent.
        access["metadata"] = {"is_admin": metadata_ref.get("is_admin", 0)}
        if "roles" in metadata_ref:
            access["metadata"]["roles"] = metadata_ref["roles"]
    if CONF.trust.enabled and trust_ref:
        access["trust"] = {
            "trustee_user_id": trust_ref["trustee_user_id"],
            "id": trust_ref["id"],
            "trustor_user_id": trust_ref["trustor_user_id"],
            "impersonation": trust_ref["impersonation"],
        }
    return {"access": access}
def test_revoke_by_audit_id(self):
    """Revoking by audit id hits only the token owning that id.

    An original token carries the same value as ``audit_id`` and
    ``audit_chain_id``; a token derived from it gets a fresh ``audit_id``
    but keeps the parent's chain id, and must not be caught by a revocation
    of the parent's audit id. Removing the event lifts the revocation.
    """
    original_audit_id = provider.audit_info(parent_audit_id=None)[0]
    original = _sample_blank_token()
    # An original token: audit id and chain id are the same value.
    original['audit_id'] = original_audit_id
    original['audit_chain_id'] = original_audit_id

    event = self._revoke_by_audit_id(original_audit_id)
    self._assertTokenRevoked(original)

    # A descendant: new audit id, chain id inherited from the original.
    child_audit_id = provider.audit_info(parent_audit_id=original_audit_id)[0]
    child = _sample_blank_token()
    child['audit_id'] = child_audit_id
    child['audit_chain_id'] = original_audit_id
    self._assertTokenNotRevoked(child)

    self.remove_event(event)
    self._assertTokenNotRevoked(original)
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
    """Build a V2 token response body from a persisted token reference.

    :param token_ref: persisted token reference; must carry ``id``, ``user``
        and ``metadata``; may carry ``expires``, ``token_data``,
        ``parent_audit_id``, ``bind`` and ``tenant``
    :param roles_ref: role references for the ``user`` section; ``None``
        means no roles
    :param catalog_ref: service catalog to render, or ``None`` to omit the
        ``serviceCatalog`` section
    :returns: dict with a single ``access`` key

    Side effect: when ``token_ref['tenant']`` is set, its ``enabled`` flag
    is forced to ``True`` in place on the caller's reference.
    """
    user_ref = token_ref['user']
    metadata_ref = token_ref['metadata']
    roles = [] if roles_ref is None else roles_ref

    # Normalise the expiry to an ISO 8601 string; text values pass through.
    expires = token_ref.get('expires', provider.default_expire_time())
    if expires is not None and not isinstance(expires, six.text_type):
        expires = timeutils.isotime(expires)

    # Prefer the audit ids already embedded in persisted token data (either
    # a full V2 body under 'access' or a bare token body); otherwise mint a
    # new list from parent_audit_id so the audit chain continues.
    audit_info = None
    persisted = token_ref.get('token_data')
    if persisted:
        audit_info = (
            persisted.get('access', persisted).get('token', {}).get('audit_ids')
        )
    if audit_info is None:
        audit_info = provider.audit_info(token_ref.get('parent_audit_id'))

    token_section = {
        'id': token_ref['id'],
        'expires': expires,
        'issued_at': timeutils.strtime(),
        'audit_ids': audit_info,
    }
    user_section = {
        'id': user_ref['id'],
        'name': user_ref['name'],
        'username': user_ref['name'],
        'roles': roles,
        'roles_links': metadata_ref.get('roles_links', []),
    }
    access = {'token': token_section, 'user': user_section}

    # Bind data is copied through verbatim from the stored reference.
    if 'bind' in token_ref:
        token_section['bind'] = token_ref['bind']
    tenant = token_ref.get('tenant')
    if tenant:
        tenant['enabled'] = True
        token_section['tenant'] = tenant
    if catalog_ref is not None:
        access['serviceCatalog'] = V2TokenDataHelper.format_catalog(catalog_ref)
    if metadata_ref:
        # is_admin defaults to 0 (not admin) when the metadata is silent.
        access['metadata'] = {'is_admin': metadata_ref.get('is_admin', 0)}
        if 'roles' in metadata_ref:
            access['metadata']['roles'] = metadata_ref['roles']
    # Trust details live in the token metadata in this version of the body.
    if CONF.trust.enabled and 'trust_id' in metadata_ref:
        access['trust'] = {
            'trustee_user_id': metadata_ref['trustee_user_id'],
            'id': metadata_ref['trust_id'],
        }
    return {'access': access}
def _populate_audit_info(self, token_data, audit_info=None):
    """Set ``token_data['audit_ids']`` from the supplied audit info.

    :param token_data: token body, updated in place
    :param audit_info: ``None`` or a parent audit id string -- a new audit
        id list is generated via ``provider.audit_info`` -- or a ready-made
        list of audit ids, which is stored verbatim
    :raises exception.UnexpectedError: for any other type, after logging
        the offending value and its type
    """
    if isinstance(audit_info, list):
        token_data['audit_ids'] = audit_info
        return
    if audit_info is None or isinstance(audit_info, six.string_types):
        token_data['audit_ids'] = provider.audit_info(audit_info)
        return
    # Any other type is a programming error upstream; record the value for
    # diagnosis and fail the request rather than issue a token without a
    # usable audit trail.
    msg = _('Invalid audit info data type: %(data)s (%(type)s)')
    msg_subst = {'data': audit_info, 'type': type(audit_info)}
    LOG.error(msg, msg_subst)
    raise exception.UnexpectedError(msg % msg_subst)
def _populate_audit_info(self, token_data, audit_info=None):
    """Set ``token_data['audit_ids']`` from the supplied audit info.

    :param token_data: token body, updated in place
    :param audit_info: ``None`` or a parent audit id string -- a new audit
        id list is generated via ``provider.audit_info`` -- or a ready-made
        list of audit ids, which is stored verbatim
    :raises exception.UnexpectedError: for any other type, after logging
        the offending value and its type
    """
    if isinstance(audit_info, list):
        token_data['audit_ids'] = audit_info
        return
    if audit_info is None or isinstance(audit_info, six.string_types):
        token_data['audit_ids'] = provider.audit_info(audit_info)
        return
    # Any other type is a programming error upstream; record the value for
    # diagnosis and fail the request rather than issue a token without a
    # usable audit trail.
    msg = _('Invalid audit info data type: %(data)s (%(type)s)') % {
        'data': audit_info,
        'type': type(audit_info),
    }
    LOG.error(msg)
    raise exception.UnexpectedError(msg)
def _populate_audit_info(self, token_data, audit_info=None):
    """Set ``token_data["audit_ids"]`` from the supplied audit info.

    :param token_data: token body, updated in place
    :param audit_info: ``None`` or a parent audit id string -- a new audit
        id list is generated via ``provider.audit_info`` -- or a ready-made
        list of audit ids, which is stored verbatim
    :raises exception.UnexpectedError: for any other type, after logging
        the offending value and its type
    """
    if isinstance(audit_info, list):
        token_data["audit_ids"] = audit_info
        return
    if audit_info is None or isinstance(audit_info, six.string_types):
        token_data["audit_ids"] = provider.audit_info(audit_info)
        return
    # Any other type is a programming error upstream; record the value for
    # diagnosis and fail the request rather than issue a token without a
    # usable audit trail.
    details = {"data": audit_info, "type": type(audit_info)}
    msg = _("Invalid audit info data type: %(data)s (%(type)s)") % details
    LOG.error(msg)
    raise exception.UnexpectedError(msg)
def _extract_v2_token_data(self, token_data):
    """Pull the fields needed for a token payload out of a V2 token body.

    :param token_data: V2 token response, ``{'access': {'user': ..., 'token': ...}}``
    :returns: 8-tuple ``(user_id, expires_at, audit_ids, methods, domain_id,
        project_id, trust_id, federated_info)``. ``domain_id``, ``trust_id``
        and ``federated_info`` are always ``None``: a V2 token carries none
        of that scope. ``project_id`` is ``None`` for an unscoped token.
    """
    access = token_data['access']
    token_section = access['token']

    user_id = access['user']['id']
    expires_at = token_section['expires']
    methods = ['password']

    audit_ids = token_section.get('audit_ids')
    if audit_ids:
        # NOTE(review): the audit ids already present in token_data are
        # discarded and regenerated from parent_audit_id -- confirm the
        # caller embeds the returned list (not the original) in the token.
        parent_audit_id = token_section.get('parent_audit_id')
        audit_ids = provider.audit_info(parent_audit_id)
        # A parent audit id means this token was obtained with a token.
        if parent_audit_id:
            methods.append('token')

    project_id = token_section.get('tenant', {}).get('id')

    domain_id = None
    trust_id = None
    federated_info = None
    return (
        user_id,
        expires_at,
        audit_ids,
        methods,
        domain_id,
        project_id,
        trust_id,
        federated_info,
    )
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None, trust_ref=None):
    """Build a V2 token response body from a persisted token reference.

    :param token_ref: persisted token reference; must carry ``id``, ``user``
        and ``metadata``; may carry ``expires``, ``token_data``,
        ``parent_audit_id``, ``bind`` and ``tenant``
    :param roles_ref: role references for the ``user`` section; ``None``
        means no roles
    :param catalog_ref: service catalog to render, or ``None`` to omit the
        ``serviceCatalog`` section
    :param trust_ref: trust reference, rendered only while trusts are
        enabled in configuration
    :returns: dict with a single ``access`` key

    Side effect: when ``token_ref['tenant']`` is set, its ``enabled`` flag
    is forced to ``True`` in place on the caller's reference.
    """
    user_ref = token_ref['user']
    metadata_ref = token_ref['metadata']
    roles = [] if roles_ref is None else roles_ref

    # Normalise the expiry to an ISO 8601 string; text values pass through.
    expires = token_ref.get('expires', provider.default_expire_time())
    if expires is not None and not isinstance(expires, six.text_type):
        expires = utils.isotime(expires)

    # Prefer the audit ids already embedded in persisted token data (either
    # a full V2 body under 'access' or a bare token body); otherwise mint a
    # new list from parent_audit_id so the audit chain continues.
    audit_info = None
    persisted = token_ref.get('token_data')
    if persisted:
        audit_info = (
            persisted.get('access', persisted).get('token', {}).get('audit_ids')
        )
    if audit_info is None:
        audit_info = provider.audit_info(token_ref.get('parent_audit_id'))

    token_section = {
        'id': token_ref['id'],
        'expires': expires,
        # issued_at carries sub-second precision in this version.
        'issued_at': utils.isotime(subsecond=True),
        'audit_ids': audit_info,
    }
    user_section = {
        'id': user_ref['id'],
        'name': user_ref['name'],
        'username': user_ref['name'],
        'roles': roles,
        'roles_links': metadata_ref.get('roles_links', []),
    }
    access = {'token': token_section, 'user': user_section}

    # Bind data is copied through verbatim from the stored reference.
    if 'bind' in token_ref:
        token_section['bind'] = token_ref['bind']
    tenant = token_ref.get('tenant')
    if tenant:
        tenant['enabled'] = True
        token_section['tenant'] = tenant
    if catalog_ref is not None:
        access['serviceCatalog'] = V2TokenDataHelper.format_catalog(catalog_ref)
    if metadata_ref:
        # is_admin defaults to 0 (not admin) when the metadata is silent.
        access['metadata'] = {'is_admin': metadata_ref.get('is_admin', 0)}
        if 'roles' in metadata_ref:
            access['metadata']['roles'] = metadata_ref['roles']
    if CONF.trust.enabled and trust_ref:
        access['trust'] = {
            'trustee_user_id': trust_ref['trustee_user_id'],
            'id': trust_ref['id'],
            'trustor_user_id': trust_ref['trustor_user_id'],
            'impersonation': trust_ref['impersonation'],
        }
    return {'access': access}