def validate_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token = self._validate_token(unique_id)
self._is_valid_token(token)
return token
def validate_v2_token(self, token_id, belongs_to=None):
# NOTE(lbragstad): Only go to the persistence backend if the token
# provider requires it.
if self._needs_persistence:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
unique_id = utils.generate_unique_id(token_id)
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v2_token(token_ref)
else:
# NOTE(lbragstad): If the token doesn't require persistence, then
# it is a fernet token. The fernet token provider doesn't care if
# it's creating version 2.0 tokens or v3 tokens, so we use the same
# validate_non_persistent_token() method to validate both. Then we
# can leverage a separate method to make version 3 token data look
# like version 2.0 token data. The pattern we want to move towards
# is one where the token providers just handle data and the
# controller layers handle interpreting the token data in a format
# that makes sense for the request.
v3_token_ref = self.validate_non_persistent_token(token_id)
v2_token_data_helper = providers.common.V2TokenDataHelper()
token = v2_token_data_helper.v3_to_v2_token(v3_token_ref, token_id)
# these are common things that happen regardless of token provider
self._token_belongs_to(token, belongs_to)
self._is_valid_token(token)
return token
def delete_token(self, token_id):
if not CONF.token.revoke_by_id:
return
unique_id = utils.generate_unique_id(token_id)
self.driver.delete_token(unique_id)
self._invalidate_individual_token_cache(unique_id)
self.invalidate_revocation_list()
def delete_token(self, token_id):
if not CONF.token.revoke_by_id:
return
unique_id = utils.generate_unique_id(token_id)
self.driver.delete_token(unique_id)
self._invalidate_individual_token_cache(unique_id)
self.invalidate_revocation_list()
def validate_v2_token(self, token_id, belongs_to=None):
# NOTE(lbragstad): Only go to the persistence backend if the token
# provider requires it.
if self._needs_persistence:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
unique_id = utils.generate_unique_id(token_id)
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v2_token(token_ref)
else:
# NOTE(lbragstad): If the token doesn't require persistence, then
# it is a fernet token. The fernet token provider doesn't care if
# it's creating version 2.0 tokens or v3 tokens, so we use the same
# validate_non_persistent_token() method to validate both. Then we
# can leverage a separate method to make version 3 token data look
# like version 2.0 token data. The pattern we want to move towards
# is one where the token providers just handle data and the
# controller layers handle interpreting the token data in a format
# that makes sense for the request.
v3_token_ref = self.validate_non_persistent_token(token_id)
v2_token_data_helper = providers.common.V2TokenDataHelper()
token = v2_token_data_helper.v3_to_v2_token(v3_token_ref)
# these are common things that happen regardless of token provider
token['access']['token']['id'] = token_id
self._token_belongs_to(token, belongs_to)
self._is_valid_token(token)
return token
def validate_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token = self._validate_token(unique_id)
self._is_valid_token(token)
return token
def delete_tokens(self, user_id, tenant_id=None, trust_id=None, consumer_id=None):
if not CONF.token.revoke_by_id:
return
token_list = self.driver.delete_tokens(user_id, tenant_id, trust_id, consumer_id)
for token_id in token_list:
unique_id = utils.generate_unique_id(token_id)
self._invalidate_individual_token_cache(unique_id)
self.invalidate_revocation_list()
def get_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
token_ref = self._get_token(unique_id)
# NOTE(morganfainberg): Lift expired checking to the manager, there is
# no reason to make the drivers implement this check. With caching,
# self._get_token could return an expired token. Make sure we behave
# as expected and raise TokenNotFound on those instances.
self._assert_valid(token_id, token_ref)
return token_ref
def get_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
token_ref = self._get_token(unique_id)
# NOTE(morganfainberg): Lift expired checking to the manager, there is
# no reason to make the drivers implement this check. With caching,
# self._get_token could return an expired token. Make sure we behave
# as expected and raise TokenNotFound on those instances.
self._assert_valid(token_id, token_ref)
return token_ref
def delete_tokens(self, user_id, tenant_id=None, trust_id=None,
consumer_id=None):
if not CONF.token.revoke_by_id:
return
token_list = self.driver.delete_tokens(user_id, tenant_id, trust_id,
consumer_id)
for token_id in token_list:
unique_id = utils.generate_unique_id(token_id)
self._invalidate_individual_token_cache(unique_id)
self.invalidate_revocation_list()
def create_token(self, token_id, data):
unique_id = utils.generate_unique_id(token_id)
data_copy = copy.deepcopy(data)
data_copy['id'] = unique_id
ret = self.driver.create_token(unique_id, data_copy)
if MEMOIZE.should_cache(ret):
# NOTE(morganfainberg): when doing a cache set, you must pass the
# same arguments through, the same as invalidate (this includes
# "self"). First argument is always the value to be cached
self._get_token.set(ret, self, unique_id)
return ret
def create_token(self, token_id, data):
unique_id = utils.generate_unique_id(token_id)
data_copy = copy.deepcopy(data)
data_copy['id'] = unique_id
ret = self.driver.create_token(unique_id, data_copy)
if MEMOIZE.should_cache(ret):
# NOTE(morganfainberg): when doing a cache set, you must pass the
# same arguments through, the same as invalidate (this includes
# "self"). First argument is always the value to be cached
self._get_token.set(ret, self, unique_id)
return ret
def validate_v2_token(self, token_id, belongs_to=None):
unique_id = utils.generate_unique_id(token_id)
if self._needs_persistence:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
else:
token_ref = token_id
token = self._validate_v2_token(token_ref)
self._token_belongs_to(token, belongs_to)
self._is_valid_token(token)
return token
def validate_v2_token(self, token_id, belongs_to=None):
unique_id = utils.generate_unique_id(token_id)
if self._needs_persistence:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
else:
token_ref = token_id
token = self._validate_v2_token(token_ref)
self._token_belongs_to(token, belongs_to)
self._is_valid_token(token)
return token
def validate_v3_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
# NOTE(lbragstad): Only go to persistent storage if we have a token to
# fetch from the backend (the driver persists the token). Otherwise
# the information about the token must be in the token id.
if not self._needs_persistence:
token_ref = token_id
else:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v3_token(token_ref)
self._is_valid_token(token)
return token
def get_token(self, token_id):
if not token_id:
# NOTE(morganfainberg): There are cases when the
# context['token_id'] will in-fact be None. This also saves
# a round-trip to the backend if we don't have a token_id.
raise exception.TokenNotFound(token_id='')
unique_id = utils.generate_unique_id(token_id)
token_ref = self._get_token(unique_id)
# NOTE(morganfainberg): Lift expired checking to the manager, there is
# no reason to make the drivers implement this check. With caching,
# self._get_token could return an expired token. Make sure we behave
# as expected and raise TokenNotFound on those instances.
self._assert_valid(token_id, token_ref)
return token_ref
def get_token(self, token_id):
if not token_id:
# NOTE(morganfainberg): There are cases when the
# context['token_id'] will in-fact be None. This also saves
# a round-trip to the backend if we don't have a token_id.
raise exception.TokenNotFound(token_id='')
unique_id = utils.generate_unique_id(token_id)
token_ref = self._get_token(unique_id)
# NOTE(morganfainberg): Lift expired checking to the manager, there is
# no reason to make the drivers implement this check. With caching,
# self._get_token could return an expired token. Make sure we behave
# as expected and raise TokenNotFound on those instances.
self._assert_valid(token_id, token_ref)
return token_ref
def validate_v3_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
# NOTE(lbragstad): Only go to persistent storage if we have a token to
# fetch from the backend (the driver persists the token). Otherwise
# the information about the token must be in the token id.
if not self._needs_persistence:
token_ref = token_id
else:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v3_token(token_ref)
self._is_valid_token(token)
return token
def validate_v3_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
# NOTE(lbragstad): Only go to persistent storage if we have a token to
# fetch from the backend. If the Fernet token provider is being used
# this step isn't necessary. The Fernet token reference is persisted in
# the token_id, so in this case set the token_ref as the identifier of
# the token.
if not self._needs_persistence:
token_ref = token_id
else:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v3_token(token_ref)
self._is_valid_token(token)
return token
def validate_v3_token(self, token_id):
unique_id = utils.generate_unique_id(token_id)
# NOTE(lbragstad): Only go to persistent storage if we have a token to
# fetch from the backend. If the Fernet token provider is being used
# this step isn't necessary. The Fernet token reference is persisted in
# the token_id, so in this case set the token_ref as the identifier of
# the token.
if not self._needs_persistence:
token_ref = token_id
else:
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v3_token(token_ref)
self._is_valid_token(token)
return token
def validate_v3_token(self, token_id):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
try:
# NOTE(lbragstad): Only go to persistent storage if we have a token
# to fetch from the backend (the driver persists the token).
# Otherwise the information about the token must be in the token
# id.
if not self._needs_persistence:
token_ref = self.validate_non_persistent_token(token_id)
else:
unique_id = utils.generate_unique_id(token_id)
# NOTE(morganfainberg): Ensure we never use the long-form
# token_id (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token_ref = self._validate_v3_token(token_ref)
self._is_valid_token(token_ref)
return token_ref
except exception.Unauthorized as e:
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
def validate_v3_token(self, token_id):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
try:
# NOTE(lbragstad): Only go to persistent storage if we have a token
# to fetch from the backend (the driver persists the token).
# Otherwise the information about the token must be in the token
# id.
if not self._needs_persistence:
token_ref = self.validate_non_persistent_token(token_id)
else:
unique_id = utils.generate_unique_id(token_id)
# NOTE(morganfainberg): Ensure we never use the long-form
# token_id (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token_ref = self._validate_v3_token(token_ref)
self._is_valid_token(token_ref)
return token_ref
except exception.Unauthorized as e:
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
def validate_v3_token(self, token_id):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
try:
unique_id = utils.generate_unique_id(token_id)
# NOTE(lbragstad): Only go to persistent storage if we have a
# token to fetch from the backend. If the Fernet token provider is
# being used this step isn't necessary. The Fernet token reference
# is persisted in the token_id, so in this case set the token_ref
# as the identifier of the token.
if not self._needs_persistence:
token_ref = token_id
else:
# NOTE(morganfainberg): Ensure we never use the long-form
# token_id (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token = self._validate_v3_token(token_ref)
self._is_valid_token(token)
return token
except exception.Unauthorized as e:
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
def get_token(self, token_id):
return self._get_token(utils.generate_unique_id(token_id))
def get_token(self, token_id):
return self._get_token(utils.generate_unique_id(token_id))
