    def issue_v2_token(self, token_ref, roles_ref=None, catalog_ref=None):
        """Issue a V2 formatted token.

        ``roles_ref`` and ``catalog_ref`` are accepted for interface
        compatibility only; nothing in this implementation reads them.

        :param token_ref: reference describing the token
        :param roles_ref: reference describing the roles for the token
        :param catalog_ref: reference describing the token's catalog
        :returns: tuple containing the ID of the token and the token data
        :raises exception.NotImplemented: when ``token_ref`` carries a
            ``bind`` value, which this token format cannot represent

        """
        # TODO(lbragstad): Currently, Fernet tokens don't support bind in the
        # token format. Raise a 501 if we're dealing with bind.
        if token_ref.get('bind'):
            raise exception.NotImplemented()

        user_id = token_ref['user']['id']
        # Scope to the tenant only when token_ref carries a non-empty one.
        tenant = token_ref.get('tenant')
        project_id = tenant['id'] if tenant else None
        # The expiry is carried over from token_ref so it survives rescoping.
        expires = token_ref.get('expires')

        # token_ref does not record the auth methods, so 'password' is
        # assumed; a parent audit id means the token was obtained by
        # presenting another token.
        parent_audit_id = token_ref.get('parent_audit_id')
        auth_methods = ['password'] + (['token'] if parent_audit_id else [])
        audit_ids = provider.audit_info(parent_audit_id)

        # Build V3 token data first (catalog excluded) and convert it: the V3
        # helper populates the reference from the other Keystone APIs, whereas
        # V2TokenDataHelper.format_token() only formats what is persisted in
        # the token reference.
        v3_token_data = self.v3_token_data_helper.get_token_data(
            user_id,
            auth_methods,
            project_id=project_id,
            token=token_ref,
            include_catalog=False,
            audit_info=audit_ids,
            expires=expires)

        token_id = self.token_formatter.create_token(
            user_id,
            v3_token_data['token']['expires_at'],
            audit_ids,
            methods=auth_methods,
            project_id=project_id)
        self._build_issued_at_info(token_id, v3_token_data)

        # Convert v3 to v2 token data and build v2 catalog
        token_data = self.v2_token_data_helper.v3_to_v2_token(
            token_id, v3_token_data)
        return token_id, token_data
    def issue_v2_token(self, token_ref, roles_ref=None, catalog_ref=None):
        """Issue a V2 formatted token.

        ``roles_ref`` and ``catalog_ref`` are accepted for interface
        compatibility only; nothing in this implementation reads them.

        :param token_ref: reference describing the token
        :param roles_ref: reference describing the roles for the token
        :param catalog_ref: reference describing the token's catalog
        :returns: tuple containing the ID of the token and the token data
        :raises exception.NotImplemented: when ``token_ref`` carries a
            ``bind`` value, which this token format cannot represent

        """
        # TODO(lbragstad): Currently, Fernet tokens don't support bind in the
        # token format. Raise a 501 if we're dealing with bind.
        if token_ref.get('bind'):
            raise exception.NotImplemented()

        user_id = token_ref['user']['id']
        # Scope to the tenant only when token_ref carries a non-empty one.
        tenant = token_ref.get('tenant')
        project_id = tenant['id'] if tenant else None
        # The expiry is carried over from token_ref so it survives rescoping.
        expires = token_ref.get('expires')

        # token_ref does not record the auth methods, so 'password' is
        # assumed; a parent audit id means the token was obtained by
        # presenting another token.
        parent_audit_id = token_ref.get('parent_audit_id')
        auth_methods = ['password'] + (['token'] if parent_audit_id else [])
        audit_ids = provider.audit_info(parent_audit_id)

        # Build V3 token data first (catalog excluded) and convert it: the V3
        # helper populates the reference from the other Keystone APIs, whereas
        # V2TokenDataHelper.format_token() only formats what is persisted in
        # the token reference.
        v3_token_data = self.v3_token_data_helper.get_token_data(
            user_id,
            auth_methods,
            project_id=project_id,
            token=token_ref,
            include_catalog=False,
            audit_info=audit_ids,
            expires=expires)

        token_id = self.token_formatter.create_token(
            user_id,
            v3_token_data['token']['expires_at'],
            audit_ids,
            methods=auth_methods,
            project_id=project_id)
        self._build_issued_at_info(token_id, v3_token_data)

        # Convert v3 to v2 token data and build v2 catalog. The V2 helper is
        # not handed the freshly created id, so it is stamped in afterwards.
        token_data = self.v2_token_data_helper.v3_to_v2_token(v3_token_data)
        token_data['access']['token']['id'] = token_id
        return token_id, token_data
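 def _extract_v2_token_data(self, token_data):
     """Pull the fields needed to rebuild a token out of a V2 token body.

     :param token_data: V2 token response body, i.e. ``{"access": {...}}``
         with ``user`` and ``token`` sub-dicts
     :returns: 9-tuple ``(user_id, expires_at, audit_ids, methods,
         domain_id, project_id, trust_id, access_token_id,
         federated_info)``; ``domain_id``, ``trust_id``,
         ``access_token_id`` and ``federated_info`` are always ``None``
         because they are not derived from V2 data here
     """
     access = token_data["access"]
     token = access["token"]
     user_id = access["user"]["id"]
     expires_at = token["expires"]
     audit_ids = token.get("audit_ids")
     methods = ["password"]
     if audit_ids:
         # Audit ids are regenerated from the parent rather than copied; a
         # present parent id means the token was obtained by presenting
         # another token, so 'token' joins the auth methods.
         parent_audit_id = token.get("parent_audit_id")
         audit_ids = provider.audit_info(parent_audit_id)
         if parent_audit_id:
             methods.append("token")
     # "tenant" may be missing or explicitly None for an unscoped token; the
     # ``or {}`` covers both so an explicit None cannot break the lookup.
     project_id = (token.get("tenant") or {}).get("id")
     domain_id = None
     trust_id = None
     access_token_id = None
     federated_info = None
     return (
         user_id,
         expires_at,
         audit_ids,
         methods,
         domain_id,
         project_id,
         trust_id,
         access_token_id,
         federated_info,
     )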
    def format_token(cls, token_ref, roles_ref=None, catalog_ref=None, trust_ref=None):
        """Build a V2 token response body from a persisted token reference.

        Side effect: when ``token_ref`` carries a tenant, that tenant dict is
        marked ``enabled = True`` in place and embedded in the response.

        :param token_ref: token reference; must carry ``id``, ``user`` (with
            ``id`` and ``name``) and ``metadata``
        :param roles_ref: role list placed under ``access.user.roles``
            (``[]`` when omitted)
        :param catalog_ref: catalog formatted under ``access.serviceCatalog``;
            the key is omitted when ``None``
        :param trust_ref: trust described under ``access.trust``; only
            emitted when ``CONF.trust.enabled`` is true
        :returns: dict with a single ``access`` key
        """
        roles = [] if roles_ref is None else roles_ref
        user_ref = token_ref["user"]
        metadata_ref = token_ref["metadata"]

        # The provider default is evaluated eagerly as the .get() fallback,
        # so the provider is consulted even when token_ref has an expiry.
        expires = token_ref.get("expires", provider.default_expire_time())
        # Datetime-like expiries are serialised; textual ones pass through.
        if expires is not None and not isinstance(expires, six.text_type):
            expires = utils.isotime(expires)

        # Reuse audit ids from previously persisted token data when present;
        # otherwise derive a chain from the parent audit id.
        persisted = token_ref.get("token_data")
        audit_info = None
        if persisted:
            audit_info = persisted.get("access", persisted).get("token", {}).get("audit_ids")
        if audit_info is None:
            audit_info = provider.audit_info(token_ref.get("parent_audit_id"))

        token_section = {
            "id": token_ref["id"],
            "expires": expires,
            "issued_at": utils.strtime(),
            "audit_ids": audit_info,
        }
        if "bind" in token_ref:
            token_section["bind"] = token_ref["bind"]
        tenant = token_ref.get("tenant")
        if tenant:
            # NOTE(review): the tenant is reported as enabled unconditionally;
            # the stored enabled flag is not consulted here.
            tenant["enabled"] = True
            token_section["tenant"] = tenant

        user_section = {
            "id": user_ref["id"],
            "name": user_ref["name"],
            "username": user_ref["name"],
            "roles": roles,
            "roles_links": metadata_ref.get("roles_links", []),
        }
        access = {"token": token_section, "user": user_section}

        if catalog_ref is not None:
            access["serviceCatalog"] = V2TokenDataHelper.format_catalog(catalog_ref)
        if metadata_ref:
            # is_admin defaults to 0 when metadata carries no such flag.
            access["metadata"] = {"is_admin": metadata_ref.get("is_admin", 0)}
        if "roles" in metadata_ref:
            access["metadata"]["roles"] = metadata_ref["roles"]
        if CONF.trust.enabled and trust_ref:
            access["trust"] = {
                "trustee_user_id": trust_ref["trustee_user_id"],
                "id": trust_ref["id"],
                "trustor_user_id": trust_ref["trustor_user_id"],
                "impersonation": trust_ref["impersonation"],
            }
        return {"access": access}
    def test_revoke_by_audit_id(self):
        """Revoking by audit id hits only the token bearing that audit id.

        A derived token sharing the chain id but with its own audit id stays
        valid, and the original is valid again once the event is removed.
        """
        original_audit_id = provider.audit_info(parent_audit_id=None)[0]
        original_token = _sample_blank_token()
        # An original (non-rescoped) token carries the same value for its
        # audit id and its audit chain id.
        original_token['audit_id'] = original_audit_id
        original_token['audit_chain_id'] = original_audit_id
        revocation = self._revoke_by_audit_id(original_audit_id)
        self._assertTokenRevoked(original_token)

        # A token derived from the original shares its chain id but has its
        # own audit id, so the revocation above must not cover it.
        child_audit_id = provider.audit_info(
            parent_audit_id=original_audit_id)[0]
        child_token = _sample_blank_token()
        child_token['audit_id'] = child_audit_id
        child_token['audit_chain_id'] = original_audit_id
        self._assertTokenNotRevoked(child_token)

        # Dropping the revocation event restores the original token.
        self.remove_event(revocation)
        self._assertTokenNotRevoked(original_token)
    def test_revoke_by_audit_id(self):
        """Revoking by audit id hits only the token bearing that audit id.

        A derived token sharing the chain id but with its own audit id stays
        valid, and the original is valid again once the event is removed.
        """
        original_audit_id = provider.audit_info(parent_audit_id=None)[0]
        original_token = _sample_blank_token()
        # An original (non-rescoped) token carries the same value for its
        # audit id and its audit chain id.
        original_token['audit_id'] = original_audit_id
        original_token['audit_chain_id'] = original_audit_id
        revocation = self._revoke_by_audit_id(original_audit_id)
        self._assertTokenRevoked(original_token)

        # A token derived from the original shares its chain id but has its
        # own audit id, so the revocation above must not cover it.
        child_audit_id = provider.audit_info(
            parent_audit_id=original_audit_id)[0]
        child_token = _sample_blank_token()
        child_token['audit_id'] = child_audit_id
        child_token['audit_chain_id'] = original_audit_id
        self._assertTokenNotRevoked(child_token)

        # Dropping the revocation event restores the original token.
        self.remove_event(revocation)
        self._assertTokenNotRevoked(original_token)
    def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
        """Build a V2 token response body from a persisted token reference.

        Side effect: when ``token_ref`` carries a tenant, that tenant dict is
        marked ``enabled = True`` in place and embedded in the response.

        :param token_ref: token reference; must carry ``id``, ``user`` (with
            ``id`` and ``name``) and ``metadata``
        :param roles_ref: role list placed under ``access.user.roles``
            (``[]`` when omitted)
        :param catalog_ref: catalog formatted under ``access.serviceCatalog``;
            the key is omitted when ``None``
        :returns: dict with a single ``access`` key; ``access.trust`` is
            emitted only when ``CONF.trust.enabled`` is true and the metadata
            carries a ``trust_id``
        """
        roles = [] if roles_ref is None else roles_ref
        user_ref = token_ref['user']
        metadata_ref = token_ref['metadata']

        # The provider default is evaluated eagerly as the .get() fallback,
        # so the provider is consulted even when token_ref has an expiry.
        expires = token_ref.get('expires', provider.default_expire_time())
        # Datetime-like expiries are serialised; textual ones pass through.
        if expires is not None and not isinstance(expires, six.text_type):
            expires = timeutils.isotime(expires)

        # Reuse audit ids from previously persisted token data when present;
        # otherwise derive a chain from the parent audit id.
        persisted = token_ref.get('token_data')
        audit_info = None
        if persisted:
            audit_info = persisted.get(
                'access', persisted).get('token', {}).get('audit_ids')
        if audit_info is None:
            audit_info = provider.audit_info(token_ref.get('parent_audit_id'))

        token_section = {
            'id': token_ref['id'],
            'expires': expires,
            'issued_at': timeutils.strtime(),
            'audit_ids': audit_info,
        }
        if 'bind' in token_ref:
            token_section['bind'] = token_ref['bind']
        tenant = token_ref.get('tenant')
        if tenant:
            # NOTE(review): the tenant is reported as enabled unconditionally;
            # the stored enabled flag is not consulted here.
            tenant['enabled'] = True
            token_section['tenant'] = tenant

        user_section = {
            'id': user_ref['id'],
            'name': user_ref['name'],
            'username': user_ref['name'],
            'roles': roles,
            'roles_links': metadata_ref.get('roles_links', []),
        }
        access = {'token': token_section, 'user': user_section}

        if catalog_ref is not None:
            access['serviceCatalog'] = V2TokenDataHelper.format_catalog(
                catalog_ref)
        if metadata_ref:
            # is_admin defaults to 0 when metadata carries no such flag.
            access['metadata'] = {'is_admin': metadata_ref.get('is_admin', 0)}
        if 'roles' in metadata_ref:
            access['metadata']['roles'] = metadata_ref['roles']
        if CONF.trust.enabled and 'trust_id' in metadata_ref:
            access['trust'] = {
                'trustee_user_id': metadata_ref['trustee_user_id'],
                'id': metadata_ref['trust_id'],
            }
        return {'access': access}
 def _populate_audit_info(self, token_data, audit_info=None):
     """Set ``token_data['audit_ids']`` from *audit_info*.

     :param token_data: token dict updated in place
     :param audit_info: ``None`` or a parent audit id string, from which a
         fresh audit-id list is derived; or a ready-made list of audit ids,
         stored as given
     :raises exception.UnexpectedError: for any other type, after logging
     """
     if isinstance(audit_info, list):
         # Caller supplies the full list; keep it verbatim.
         token_data['audit_ids'] = audit_info
         return
     if audit_info is None or isinstance(audit_info, six.string_types):
         # Derive a new chain from the (possibly absent) parent audit id.
         token_data['audit_ids'] = provider.audit_info(audit_info)
         return
     msg = _('Invalid audit info data type: %(data)s (%(type)s)')
     msg_subst = {'data': audit_info, 'type': type(audit_info)}
     LOG.error(msg, msg_subst)
     raise exception.UnexpectedError(msg % msg_subst)
 def _populate_audit_info(self, token_data, audit_info=None):
     """Set ``token_data['audit_ids']`` from *audit_info*.

     :param token_data: token dict updated in place
     :param audit_info: ``None`` or a parent audit id string, from which a
         fresh audit-id list is derived; or a ready-made list of audit ids,
         stored as given
     :raises exception.UnexpectedError: for any other type, after logging
     """
     if isinstance(audit_info, list):
         # Caller supplies the full list; keep it verbatim.
         token_data['audit_ids'] = audit_info
         return
     if audit_info is None or isinstance(audit_info, six.string_types):
         # Derive a new chain from the (possibly absent) parent audit id.
         token_data['audit_ids'] = provider.audit_info(audit_info)
         return
     details = {'data': audit_info, 'type': type(audit_info)}
     msg = _('Invalid audit info data type: %(data)s (%(type)s)') % details
     LOG.error(msg)
     raise exception.UnexpectedError(msg)
 def _populate_audit_info(self, token_data, audit_info=None):
     """Set ``token_data["audit_ids"]`` from *audit_info*.

     :param token_data: token dict updated in place
     :param audit_info: ``None`` or a parent audit id string, from which a
         fresh audit-id list is derived; or a ready-made list of audit ids,
         stored as given
     :raises exception.UnexpectedError: for any other type, after logging
     """
     if isinstance(audit_info, list):
         # Caller supplies the full list; keep it verbatim.
         token_data["audit_ids"] = audit_info
         return
     if audit_info is None or isinstance(audit_info, six.string_types):
         # Derive a new chain from the (possibly absent) parent audit id.
         token_data["audit_ids"] = provider.audit_info(audit_info)
         return
     details = {"data": audit_info, "type": type(audit_info)}
     msg = _("Invalid audit info data type: %(data)s (%(type)s)") % details
     LOG.error(msg)
     raise exception.UnexpectedError(msg)
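 def _extract_v2_token_data(self, token_data):
     """Pull the fields needed to rebuild a token out of a V2 token body.

     :param token_data: V2 token response body, i.e. ``{'access': {...}}``
         with ``user`` and ``token`` sub-dicts
     :returns: 8-tuple ``(user_id, expires_at, audit_ids, methods,
         domain_id, project_id, trust_id, federated_info)``; ``domain_id``,
         ``trust_id`` and ``federated_info`` are always ``None`` because
         they are not derived from V2 data here
     """
     access = token_data['access']
     token = access['token']
     user_id = access['user']['id']
     expires_at = token['expires']
     audit_ids = token.get('audit_ids')
     methods = ['password']
     if audit_ids:
         # Audit ids are regenerated from the parent rather than copied; a
         # present parent id means the token was obtained by presenting
         # another token, so 'token' joins the auth methods.
         parent_audit_id = token.get('parent_audit_id')
         audit_ids = provider.audit_info(parent_audit_id)
         if parent_audit_id:
             methods.append('token')
     # 'tenant' may be missing or explicitly None for an unscoped token; the
     # ``or {}`` covers both so an explicit None cannot break the lookup.
     project_id = (token.get('tenant') or {}).get('id')
     domain_id = None
     trust_id = None
     federated_info = None
     return (user_id, expires_at, audit_ids, methods, domain_id, project_id,
             trust_id, federated_info)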
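 def _extract_v2_token_data(self, token_data):
     """Pull the fields needed to rebuild a token out of a V2 token body.

     :param token_data: V2 token response body, i.e. ``{'access': {...}}``
         with ``user`` and ``token`` sub-dicts
     :returns: 8-tuple ``(user_id, expires_at, audit_ids, methods,
         domain_id, project_id, trust_id, federated_info)``; ``domain_id``,
         ``trust_id`` and ``federated_info`` are always ``None`` because
         they are not derived from V2 data here
     """
     access = token_data['access']
     token = access['token']
     user_id = access['user']['id']
     expires_at = token['expires']
     audit_ids = token.get('audit_ids')
     methods = ['password']
     if audit_ids:
         # Audit ids are regenerated from the parent rather than copied; a
         # present parent id means the token was obtained by presenting
         # another token, so 'token' joins the auth methods.
         parent_audit_id = token.get('parent_audit_id')
         audit_ids = provider.audit_info(parent_audit_id)
         if parent_audit_id:
             methods.append('token')
     # 'tenant' may be missing or explicitly None for an unscoped token; the
     # ``or {}`` covers both so an explicit None cannot break the lookup.
     project_id = (token.get('tenant') or {}).get('id')
     domain_id = None
     trust_id = None
     federated_info = None
     return (user_id, expires_at, audit_ids, methods, domain_id, project_id,
             trust_id, federated_info)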
    def format_token(cls,
                     token_ref,
                     roles_ref=None,
                     catalog_ref=None,
                     trust_ref=None):
        """Build a V2 token response body from a persisted token reference.

        Side effect: when ``token_ref`` carries a tenant, that tenant dict is
        marked ``enabled = True`` in place and embedded in the response.

        :param token_ref: token reference; must carry ``id``, ``user`` (with
            ``id`` and ``name``) and ``metadata``
        :param roles_ref: role list placed under ``access.user.roles``
            (``[]`` when omitted)
        :param catalog_ref: catalog formatted under ``access.serviceCatalog``;
            the key is omitted when ``None``
        :param trust_ref: trust described under ``access.trust``; only
            emitted when ``CONF.trust.enabled`` is true
        :returns: dict with a single ``access`` key
        """
        roles = [] if roles_ref is None else roles_ref
        user_ref = token_ref['user']
        metadata_ref = token_ref['metadata']

        # The provider default is evaluated eagerly as the .get() fallback,
        # so the provider is consulted even when token_ref has an expiry.
        expires = token_ref.get('expires', provider.default_expire_time())
        # Datetime-like expiries are serialised; textual ones pass through.
        if expires is not None and not isinstance(expires, six.text_type):
            expires = utils.isotime(expires)

        # Reuse audit ids from previously persisted token data when present;
        # otherwise derive a chain from the parent audit id.
        persisted = token_ref.get('token_data')
        audit_info = None
        if persisted:
            audit_info = persisted.get(
                'access', persisted).get('token', {}).get('audit_ids')
        if audit_info is None:
            audit_info = provider.audit_info(token_ref.get('parent_audit_id'))

        token_section = {
            'id': token_ref['id'],
            'expires': expires,
            # Sub-second precision is requested for the issue timestamp.
            'issued_at': utils.isotime(subsecond=True),
            'audit_ids': audit_info,
        }
        if 'bind' in token_ref:
            token_section['bind'] = token_ref['bind']
        tenant = token_ref.get('tenant')
        if tenant:
            # NOTE(review): the tenant is reported as enabled unconditionally;
            # the stored enabled flag is not consulted here.
            tenant['enabled'] = True
            token_section['tenant'] = tenant

        user_section = {
            'id': user_ref['id'],
            'name': user_ref['name'],
            'username': user_ref['name'],
            'roles': roles,
            'roles_links': metadata_ref.get('roles_links', []),
        }
        access = {'token': token_section, 'user': user_section}

        if catalog_ref is not None:
            access['serviceCatalog'] = V2TokenDataHelper.format_catalog(
                catalog_ref)
        if metadata_ref:
            # is_admin defaults to 0 when metadata carries no such flag.
            access['metadata'] = {'is_admin': metadata_ref.get('is_admin', 0)}
        if 'roles' in metadata_ref:
            access['metadata']['roles'] = metadata_ref['roles']
        if CONF.trust.enabled and trust_ref:
            access['trust'] = {
                'trustee_user_id': trust_ref['trustee_user_id'],
                'id': trust_ref['id'],
                'trustor_user_id': trust_ref['trustor_user_id'],
                'impersonation': trust_ref['impersonation'],
            }
        return {'access': access}