def build_token_values(token_data):
token_values = {
'expires_at':
timeutils.normalize_time(
timeutils.parse_isotime(token_data['expires_at'])),
'issued_at':
timeutils.normalize_time(
timeutils.parse_isotime(token_data['issued_at']))
}
user = token_data.get('user')
if user is not None:
token_values['user_id'] = user['id']
token_values['identity_domain_id'] = user['domain']['id']
else:
token_values['user_id'] = None
token_values['identity_domain_id'] = None
project = token_data.get('project', token_data.get('tenant'))
if project is not None:
token_values['project_id'] = project['id']
token_values['assignment_domain_id'] = project['domain']['id']
else:
token_values['project_id'] = None
token_values['assignment_domain_id'] = None
role_list = []
roles = token_data.get('roles')
if roles is not None:
for role in roles:
role_list.append(role['id'])
token_values['roles'] = role_list
trust = token_data.get('OS-TRUST:trust')
if trust is None:
token_values['trust_id'] = None
token_values['trustor_id'] = None
token_values['trustee_id'] = None
else:
token_values['trust_id'] = trust['id']
token_values['trustor_id'] = trust['trustor_user']['id']
token_values['trustee_id'] = trust['trustee_user']['id']
oauth1 = token_data.get('OS-OAUTH1')
if oauth1 is None:
token_values['consumer_id'] = None
token_values['access_token_id'] = None
else:
token_values['consumer_id'] = oauth1['consumer_id']
token_values['access_token_id'] = oauth1['access_token_id']
return token_values
def build_token_values(token_data):
token_values = {
'expires_at': timeutils.normalize_time(
timeutils.parse_isotime(token_data['expires_at'])),
'issued_at': timeutils.normalize_time(
timeutils.parse_isotime(token_data['issued_at']))}
user = token_data.get('user')
if user is not None:
token_values['user_id'] = user['id']
token_values['identity_domain_id'] = user['domain']['id']
else:
token_values['user_id'] = None
token_values['identity_domain_id'] = None
project = token_data.get('project', token_data.get('tenant'))
if project is not None:
token_values['project_id'] = project['id']
token_values['assignment_domain_id'] = project['domain']['id']
else:
token_values['project_id'] = None
token_values['assignment_domain_id'] = None
role_list = []
roles = token_data.get('roles')
if roles is not None:
for role in roles:
role_list.append(role['id'])
token_values['roles'] = role_list
trust = token_data.get('OS-TRUST:trust')
if trust is None:
token_values['trust_id'] = None
token_values['trustor_id'] = None
token_values['trustee_id'] = None
else:
token_values['trust_id'] = trust['id']
token_values['trustor_id'] = trust['trustor_user']['id']
token_values['trustee_id'] = trust['trustee_user']['id']
oauth1 = token_data.get('OS-OAUTH1')
if oauth1 is None:
token_values['consumer_id'] = None
token_values['access_token_id'] = None
else:
token_values['consumer_id'] = oauth1['consumer_id']
token_values['access_token_id'] = oauth1['access_token_id']
return token_values
def _request_admin_token(self):
"""Retrieve new token as admin user from keystone.
:return token id upon success
:raises ServerError when unable to communicate with keystone
"""
params = {
"auth": {
"passwordCredentials": {"username": self.admin_user, "password": self.admin_password},
"tenantName": self.admin_tenant_name,
}
}
response, data = self._json_request("POST", "/v2.0/tokens", body=params)
try:
token = data["access"]["token"]["id"]
expiry = data["access"]["token"]["expires"]
assert token
assert expiry
datetime_expiry = timeutils.parse_isotime(expiry)
return (token, timeutils.normalize_time(datetime_expiry))
except (AssertionError, KeyError):
self.LOG.warn("Unexpected response from keystone service: %s", data)
raise ServiceError("invalid json response")
except (ValueError):
self.LOG.warn("Unable to parse expiration time from token: %s", data)
raise ServiceError("invalid json response")
def test_building_unscoped_accessinfo(self):
auth_ref = access.AccessInfo.factory(body=UNSCOPED_TOKEN)
self.assertTrue(auth_ref)
self.assertIn("token", auth_ref)
self.assertIn("serviceCatalog", auth_ref)
self.assertFalse(auth_ref["serviceCatalog"])
self.assertEqual(auth_ref.auth_token, "3e2813b7ba0b4006840c3825860b86ed")
self.assertEqual(auth_ref.username, "exampleuser")
self.assertEqual(auth_ref.user_id, "c4da488862bd435c9e6c0275a0d0e49a")
self.assertEqual(auth_ref.tenant_name, None)
self.assertEqual(auth_ref.tenant_id, None)
self.assertEqual(auth_ref.auth_url, None)
self.assertEqual(auth_ref.management_url, None)
self.assertFalse(auth_ref.scoped)
self.assertFalse(auth_ref.domain_scoped)
self.assertFalse(auth_ref.project_scoped)
self.assertFalse(auth_ref.trust_scoped)
self.assertIsNone(auth_ref.project_domain_id)
self.assertIsNone(auth_ref.project_domain_name)
self.assertEqual(auth_ref.user_domain_id, "default")
self.assertEqual(auth_ref.user_domain_name, "Default")
self.assertEqual(auth_ref.expires, timeutils.parse_isotime(UNSCOPED_TOKEN["access"]["token"]["expires"]))
def test_building_unscoped_accessinfo(self):
auth_ref = access.AccessInfo.factory(resp=TOKEN_RESPONSE,
body=UNSCOPED_TOKEN)
self.assertTrue(auth_ref)
self.assertIn('methods', auth_ref)
self.assertIn('catalog', auth_ref)
self.assertFalse(auth_ref['catalog'])
self.assertEqual(auth_ref.auth_token,
'3e2813b7ba0b4006840c3825860b86ed')
self.assertEqual(auth_ref.username, 'exampleuser')
self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a')
self.assertEqual(auth_ref.project_name, None)
self.assertEqual(auth_ref.project_id, None)
self.assertEqual(auth_ref.auth_url, None)
self.assertEqual(auth_ref.management_url, None)
self.assertFalse(auth_ref.domain_scoped)
self.assertFalse(auth_ref.project_scoped)
self.assertEqual(auth_ref.user_domain_id,
'4e6893b7ba0b4006840c3845660b86ed')
self.assertEqual(auth_ref.user_domain_name, 'exampledomain')
self.assertIsNone(auth_ref.project_domain_id)
self.assertIsNone(auth_ref.project_domain_name)
self.assertEqual(
auth_ref.expires,
timeutils.parse_isotime(UNSCOPED_TOKEN['token']['expires_at']))
def test_building_unscoped_accessinfo(self):
auth_ref = access.AccessInfo.factory(body=UNSCOPED_TOKEN)
self.assertTrue(auth_ref)
self.assertIn('token', auth_ref)
self.assertIn('serviceCatalog', auth_ref)
self.assertFalse(auth_ref['serviceCatalog'])
self.assertEqual(auth_ref.auth_token,
'3e2813b7ba0b4006840c3825860b86ed')
self.assertEqual(auth_ref.username, 'exampleuser')
self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a')
self.assertEqual(auth_ref.tenant_name, None)
self.assertEqual(auth_ref.tenant_id, None)
self.assertEqual(auth_ref.auth_url, None)
self.assertEqual(auth_ref.management_url, None)
self.assertFalse(auth_ref.scoped)
self.assertFalse(auth_ref.domain_scoped)
self.assertFalse(auth_ref.project_scoped)
self.assertFalse(auth_ref.trust_scoped)
self.assertIsNone(auth_ref.project_domain_id)
self.assertIsNone(auth_ref.project_domain_name)
self.assertEqual(auth_ref.user_domain_id, 'default')
self.assertEqual(auth_ref.user_domain_name, 'Default')
self.assertEqual(auth_ref.expires, timeutils.parse_isotime(
UNSCOPED_TOKEN['access']['token']['expires']))
def expires(self):
""" Returns the token expiration (as datetime object)
:returns: datetime
"""
return timeutils.parse_isotime(self['token']['expires'])
def test_building_unscoped_accessinfo(self):
auth_ref = access.AccessInfo.factory(body=UNSCOPED_TOKEN)
self.assertTrue(auth_ref)
self.assertIn('token', auth_ref)
self.assertIn('serviceCatalog', auth_ref)
self.assertFalse(auth_ref['serviceCatalog'])
self.assertEqual(auth_ref.auth_token,
'3e2813b7ba0b4006840c3825860b86ed')
self.assertEqual(auth_ref.username, 'exampleuser')
self.assertEqual(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a')
self.assertEqual(auth_ref.tenant_name, None)
self.assertEqual(auth_ref.tenant_id, None)
self.assertEqual(auth_ref.auth_url, None)
self.assertEqual(auth_ref.management_url, None)
self.assertFalse(auth_ref.scoped)
self.assertFalse(auth_ref.domain_scoped)
self.assertFalse(auth_ref.project_scoped)
self.assertFalse(auth_ref.trust_scoped)
self.assertIsNone(auth_ref.project_domain_id)
self.assertIsNone(auth_ref.project_domain_name)
self.assertEqual(auth_ref.user_domain_id, 'default')
self.assertEqual(auth_ref.user_domain_name, 'Default')
self.assertEqual(
auth_ref.expires,
timeutils.parse_isotime(
UNSCOPED_TOKEN['access']['token']['expires']))
def _request_admin_token(self):
"""Retrieve new token as admin user from keystone.
:return token id upon success
:raises ServerError when unable to communicate with keystone
"""
params = {
'auth': {
'passwordCredentials': {
'username': self.admin_user,
'password': self.admin_password,
},
'tenantName': self.admin_tenant_name,
}
}
response, data = self._json_request('POST',
'/v2.0/tokens',
body=params)
try:
token = data['access']['token']['id']
expiry = data['access']['token']['expires']
assert token
assert expiry
datetime_expiry = timeutils.parse_isotime(expiry)
return (token, timeutils.normalize_time(datetime_expiry))
except (AssertionError, KeyError):
LOG.warn("Unexpected response from keystone service: %s", data)
raise ServiceError('invalid json response')
except (ValueError):
LOG.warn("Unable to parse expiration time from token: %s", data)
raise ServiceError('invalid json response')
def expires(self):
""" Returns the token expiration (as datetime object)
:returns: datetime
"""
return timeutils.parse_isotime(self['token']['expires'])
def test_building_unscoped_accessinfo(self):
auth_ref = access.AccessInfo.factory(resp=TOKEN_RESPONSE,
body=UNSCOPED_TOKEN)
self.assertTrue(auth_ref)
self.assertIn('methods', auth_ref)
self.assertIn('catalog', auth_ref)
self.assertFalse(auth_ref['catalog'])
self.assertEquals(auth_ref.auth_token,
'3e2813b7ba0b4006840c3825860b86ed')
self.assertEquals(auth_ref.username, 'exampleuser')
self.assertEquals(auth_ref.user_id, 'c4da488862bd435c9e6c0275a0d0e49a')
self.assertEquals(auth_ref.project_name, None)
self.assertEquals(auth_ref.project_id, None)
self.assertEquals(auth_ref.auth_url, None)
self.assertEquals(auth_ref.management_url, None)
self.assertFalse(auth_ref.domain_scoped)
self.assertFalse(auth_ref.project_scoped)
self.assertEquals(auth_ref.user_domain_id,
'4e6893b7ba0b4006840c3845660b86ed')
self.assertEquals(auth_ref.user_domain_name, 'exampledomain')
self.assertIsNone(auth_ref.project_domain_id)
self.assertIsNone(auth_ref.project_domain_name)
self.assertEquals(auth_ref.expires, timeutils.parse_isotime(
UNSCOPED_TOKEN['token']['expires_at']))
def _request_admin_token(self):
"""Retrieve new token as admin user from keystone.
:return token id upon success
:raises ServerError when unable to communicate with keystone
"""
params = {
'auth': {
'passwordCredentials': {
'username': self.admin_user,
'password': self.admin_password,
},
'tenantName': self.admin_tenant_name,
}
}
response, data = self._json_request('POST',
'/v2.0/tokens',
body=params)
try:
token = data['access']['token']['id']
expiry = data['access']['token']['expires']
assert token
assert expiry
datetime_expiry = timeutils.parse_isotime(expiry)
return (token, timeutils.normalize_time(datetime_expiry))
except (AssertionError, KeyError):
LOG.warn("Unexpected response from keystone service: %s", data)
raise ServiceError('invalid json response')
except (ValueError):
LOG.warn("Unable to parse expiration time from token: %s", data)
raise ServiceError('invalid json response')
def _cache_get(self, token_id, ignore_expires=False):
"""Return token information from cache.
If token is invalid raise InvalidUserToken
return token only if fresh (not expired).
"""
if self._cache and token_id:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE % token_id
serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token_id,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
# unprotect_data will return None if raw_cached is None
serialized = memcache_crypt.unprotect_data(keys,
raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
# this should have the same effect as data not
# found in cache
serialized = None
if serialized is None:
return None
# Note that 'invalid' and (data, expires) are the only
# valid types of serialized cache entries, so there is not
# a collision with jsonutils.loads(serialized) == None.
cached = jsonutils.loads(serialized)
if cached == 'invalid':
self.LOG.debug('Cached Token %s is marked unauthorized',
token_id)
raise InvalidUserToken('Token authorization failed')
data, expires = cached
try:
expires = timeutils.parse_isotime(expires)
except ValueError:
# Gracefully handle upgrade of expiration times from *nix
# timestamps to ISO 8601 formatted dates by ignoring old cached
# values.
return
expires = timeutils.normalize_time(expires)
utcnow = timeutils.utcnow()
if ignore_expires or utcnow < expires:
self.LOG.debug('Returning cached token %s', token_id)
return data
else:
self.LOG.debug('Cached Token %s seems expired', token_id)
def _cache_get(self, token_id, ignore_expires=False):
"""Return token information from cache.
If token is invalid raise InvalidUserToken
return token only if fresh (not expired).
"""
if self._cache and token_id:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE % token_id
serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token_id, self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
# unprotect_data will return None if raw_cached is None
serialized = memcache_crypt.unprotect_data(
keys, raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
# this should have the same effect as data not
# found in cache
serialized = None
if serialized is None:
return None
# Note that 'invalid' and (data, expires) are the only
# valid types of serialized cache entries, so there is not
# a collision with jsonutils.loads(serialized) == None.
cached = jsonutils.loads(serialized)
if cached == 'invalid':
self.LOG.debug('Cached Token %s is marked unauthorized',
token_id)
raise InvalidUserToken('Token authorization failed')
data, expires = cached
try:
expires = timeutils.parse_isotime(expires)
except ValueError:
# Gracefully handle upgrade of expiration times from *nix
# timestamps to ISO 8601 formatted dates by ignoring old cached
# values.
return
expires = timeutils.normalize_time(expires)
utcnow = timeutils.utcnow()
if ignore_expires or utcnow < expires:
self.LOG.debug('Returning cached token %s', token_id)
return data
else:
self.LOG.debug('Cached Token %s seems expired', token_id)
def build_token_values_v2(access, default_domain_id):
token_data = access['token']
token_values = {
'expires_at':
timeutils.normalize_time(timeutils.parse_isotime(
token_data['expires'])),
'issued_at':
timeutils.normalize_time(
timeutils.parse_isotime(token_data['issued_at']))
}
token_values['user_id'] = access.get('user', {}).get('id')
project = token_data.get('tenant')
if project is not None:
token_values['project_id'] = project['id']
else:
token_values['project_id'] = None
token_values['identity_domain_id'] = default_domain_id
token_values['assignment_domain_id'] = default_domain_id
trust = token_data.get('trust')
if trust is None:
token_values['trust_id'] = None
token_values['trustor_id'] = None
token_values['trustee_id'] = None
else:
token_values['trust_id'] = trust['id']
token_values['trustor_id'] = trust['trustor_id']
token_values['trustee_id'] = trust['trustee_id']
token_values['consumer_id'] = None
token_values['access_token_id'] = None
role_list = []
# Roles are by ID in metadata and by name in the user section
roles = access.get('metadata', {}).get('roles', [])
for role in roles:
role_list.append(role)
token_values['roles'] = role_list
return token_values
def test_create_expires(self):
ref = self.new_ref()
ref['trustor_user_id'] = uuid.uuid4().hex
ref['trustee_user_id'] = uuid.uuid4().hex
ref['impersonation'] = False
ref['expires_at'] = timeutils.parse_isotime(
'2013-03-04T12:00:01.000000Z')
req_ref = ref.copy()
# Note the TrustManager takes a datetime.datetime object for
# expires_at, and converts it internally into an iso format datestamp
req_ref['expires_at'] = '2013-03-04T12:00:01.000000Z'
super(TrustTests, self).test_create(ref=ref, req_ref=req_ref)
def build_token_values_v2(access, default_domain_id):
token_data = access['token']
token_values = {
'expires_at': timeutils.normalize_time(
timeutils.parse_isotime(token_data['expires'])),
'issued_at': timeutils.normalize_time(
timeutils.parse_isotime(token_data['issued_at']))}
token_values['user_id'] = access.get('user', {}).get('id')
project = token_data.get('tenant')
if project is not None:
token_values['project_id'] = project['id']
else:
token_values['project_id'] = None
token_values['identity_domain_id'] = default_domain_id
token_values['assignment_domain_id'] = default_domain_id
trust = token_data.get('trust')
if trust is None:
token_values['trust_id'] = None
token_values['trustor_id'] = None
token_values['trustee_id'] = None
else:
token_values['trust_id'] = trust['id']
token_values['trustor_id'] = trust['trustor_id']
token_values['trustee_id'] = trust['trustee_id']
token_values['consumer_id'] = None
token_values['access_token_id'] = None
role_list = []
# Roles are by ID in metadata and by name in the user section
roles = access.get('metadata', {}).get('roles', [])
for role in roles:
role_list.append(role)
token_values['roles'] = role_list
return token_values
def _confirm_token_not_expired(self, data):
if not data:
raise InvalidUserToken('Token authorization failed')
if self._token_is_v2(data):
timestamp = data['access']['token']['expires']
elif self._token_is_v3(data):
timestamp = data['token']['expires_at']
else:
raise InvalidUserToken('Token authorization failed')
expires = timeutils.parse_isotime(timestamp).strftime('%s')
if time.time() >= float(expires):
self.LOG.debug('Token expired a %s', timestamp)
raise InvalidUserToken('Token authorization failed')
return expires
def _confirm_token_not_expired(self, data):
if not data:
raise InvalidUserToken('Token authorization failed')
if self._token_is_v2(data):
timestamp = data['access']['token']['expires']
elif self._token_is_v3(data):
timestamp = data['token']['expires_at']
else:
raise InvalidUserToken('Token authorization failed')
expires = timeutils.parse_isotime(timestamp).strftime('%s')
if time.time() >= float(expires):
self.LOG.debug('Token expired a %s', timestamp)
raise InvalidUserToken('Token authorization failed')
return expires
def _cache_put(self, token, data):
""" Put token data into the cache.
Stores the parsed expire date in cache allowing
quick check of token freshness on retrieval.
"""
if self._cache and data:
if "token" in data.get("access", {}):
timestamp = data["access"]["token"]["expires"]
expires = timeutils.parse_isotime(timestamp).strftime("%s")
else:
self.LOG.error("invalid token format")
return
self.LOG.debug("Storing %s token in memcache", token)
self._cache_store(token, data, expires)
def confirm_token_not_expired(data):
if not data:
raise InvalidUserToken('Token authorization failed')
if _token_is_v2(data):
timestamp = data['access']['token']['expires']
elif _token_is_v3(data):
timestamp = data['token']['expires_at']
else:
raise InvalidUserToken('Token authorization failed')
expires = timeutils.parse_isotime(timestamp)
expires = timeutils.normalize_time(expires)
utcnow = timeutils.utcnow()
if utcnow >= expires:
raise InvalidUserToken('Token authorization failed')
return timeutils.isotime(at=expires, subsecond=True)
def _cache_put(self, token, data):
""" Put token data into the cache.
Stores the parsed expire date in cache allowing
quick check of token freshness on retrieval.
"""
if self._cache and data:
if 'token' in data.get('access', {}):
timestamp = data['access']['token']['expires']
expires = timeutils.parse_isotime(timestamp).strftime('%s')
else:
self.LOG.error('invalid token format')
return
self.LOG.debug('Storing %s token in memcache', token)
self._cache_store(token, data, expires)
def confirm_token_not_expired(data):
if not data:
raise InvalidUserToken('Token authorization failed')
if _token_is_v2(data):
timestamp = data['access']['token']['expires']
elif _token_is_v3(data):
timestamp = data['token']['expires_at']
else:
raise InvalidUserToken('Token authorization failed')
expires = timeutils.parse_isotime(timestamp)
expires = timeutils.normalize_time(expires)
utcnow = timeutils.utcnow()
if utcnow >= expires:
raise InvalidUserToken('Token authorization failed')
return timeutils.isotime(at=expires, subsecond=True)
def _cache_put(self, token, data):
""" Put token data into the cache.
Stores the parsed expire date in cache allowing
quick check of token freshness on retrieval.
"""
if self._cache and data:
if self._token_is_v2(data):
timestamp = data['access']['token']['expires']
elif self._token_is_v3(data):
timestamp = data['token']['expires_at']
else:
self.LOG.error('invalid token format')
return
expires = timeutils.parse_isotime(timestamp).strftime('%s')
self.LOG.debug('Storing %s token in memcache', token)
self._cache_store(token, data, expires)
def issued(self):
return timeutils.parse_isotime(self.issued_str)
def expires(self):
return timeutils.parse_isotime(self['expires_at'])
def issued(self):
return timeutils.parse_isotime(self['issued_at'])
def expires(self):
return timeutils.parse_isotime(self.expires_str)
def updated(self):
return timeutils.parse_isotime(self.updated_str)
def issued(self):
return timeutils.parse_isotime(self.issued_str)
def issued(self):
return timeutils.parse_isotime(self['issued_at'])
def expires(self):
return timeutils.parse_isotime(self.expires_str)
def expires(self):
return timeutils.parse_isotime(self['token']['expires'])
def updated(self):
return timeutils.parse_isotime(self.updated_str)
def expires(self):
return timeutils.parse_isotime(self["token"]["expires"])
def expires(self):
return timeutils.parse_isotime(self['token']['expires'])
# logging.basicConfig(level=logging.DEBUG)
glance = client.Client('1', endpoint=endpoint, token=auth_token)
glance.format = 'json'
# Fetch the list of files in store_directory matching the UUID regex
uuid_re = re.compile(
r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}')
files = [(x, os.path.join(store_directory, x)) for x in
os.listdir(store_directory) if uuid_re.match(x)]
files = [(x, os.path.getsize(p),
datetime.fromtimestamp(os.path.getmtime(p), iso8601.Utc()))
for x, p in files if os.path.isfile(p)]
# Fetch the list of glance images
glance_images = [(x.id, x.size, timeutils.parse_isotime(x.created_at))
for x in glance.images.list() if x.status == 'active']
# Check all active images 1 hour or older are present
time_cutoff = datetime.now(iso8601.Utc()) - timedelta(0, 3600)
result = 0
for image in [x for x in glance_images if x[2] < time_cutoff]:
if not [x for x in files if x[0] == image[0]]:
print "Glance image %s not found in %s" % (image[0], store_directory)
result = 2
# Check all files have a corresponding glance image
def expires(self):
return timeutils.parse_isotime(self['expires_at'])