def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM):
"""Verifies the signature of the provided data's IAW CMS syntax.
If either of the certificate files might be missing, fetch them and
retry.
"""
def verify():
try:
signing_cert_path = self._signing_directory.calc_path(
self._SIGNING_CERT_FILE_NAME)
signing_ca_path = self._signing_directory.calc_path(
self._SIGNING_CA_FILE_NAME)
return cms.cms_verify(data, signing_cert_path,
signing_ca_path,
inform=inform).decode('utf-8')
except (exceptions.CMSError,
cms.subprocess.CalledProcessError) as err:
self._LOG.warning(_LW('Verify error: %s'), err)
raise exc.InvalidToken(_('Token authorization failed'))
try:
return verify()
except exceptions.CertificateConfigError:
# the certs might be missing; unconditionally fetch to avoid racing
self._fetch_signing_cert()
self._fetch_ca_cert()
try:
# retry with certs in place
return verify()
except exceptions.CertificateConfigError as err:
# if this is still occurring, something else is wrong and we
# need err.output to identify the problem
self._LOG.error(_LE('CMS Verify output: %s'), err.output)
raise
def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM):
"""Verifies the signature of the provided data's IAW CMS syntax.
If either of the certificate files might be missing, fetch them and
retry.
"""
def verify():
try:
signing_cert_path = self._signing_directory.calc_path(
self._SIGNING_CERT_FILE_NAME)
signing_ca_path = self._signing_directory.calc_path(
self._SIGNING_CA_FILE_NAME)
return cms.cms_verify(data, signing_cert_path,
signing_ca_path,
inform=inform).decode('utf-8')
except cms.subprocess.CalledProcessError as err:
self._LOG.warning(_LW('Verify error: %s'), err)
raise
try:
return verify()
except exceptions.CertificateConfigError:
# the certs might be missing; unconditionally fetch to avoid racing
self._fetch_signing_cert()
self._fetch_ca_cert()
try:
# retry with certs in place
return verify()
except exceptions.CertificateConfigError as err:
# if this is still occurring, something else is wrong and we
# need err.output to identify the problem
self._LOG.error(_LE('CMS Verify output: %s'), err.output)
raise
def wrapper(*args, **kwargs):
try:
return fn(*args, **kwargs)
except Exception as e:
_LOG.exception(
_LE('An exception occurred processing '
'the API call: %s '), e)
def verify_token(self, user_token, retry=True):
"""Authenticate user token with identity server.
:param user_token: user's token id
:param retry: flag that forces the middleware to retry
user authentication when an indeterminate
response is received. Optional.
:returns: token object received from identity server on success
:raises exc.InvalidToken: if token is rejected
:raises exc.ServiceError: if unable to authenticate token
"""
user_token = _utils.safe_quote(user_token)
try:
response, data = self._request_strategy.verify_token(user_token)
except exceptions.NotFound as e:
self._LOG.warn(_LW('Authorization failed for token'))
self._LOG.warn(_LW('Identity response: %s'), e.response.text)
except exceptions.Unauthorized as e:
self._LOG.info(_LI('Identity server rejected authorization'))
self._LOG.warn(_LW('Identity response: %s'), e.response.text)
if retry:
self._LOG.info(_LI('Retrying validation'))
return self.verify_token(user_token, False)
except exceptions.HttpError as e:
self._LOG.error(
_LE('Bad response code while validating token: %s'),
e.http_status)
self._LOG.warn(_LW('Identity response: %s'), e.response.text)
else:
if response.status_code == 200:
return data
raise exc.InvalidToken()
def verify_token(self, user_token, retry=True):
"""Authenticate user token with identity server.
:param user_token: user's token id
:param retry: flag that forces the middleware to retry
user authentication when an indeterminate
response is received. Optional.
:returns: access info received from identity server on success
:rtype: :py:class:`keystoneauth1.access.AccessInfo`
:raises exc.InvalidToken: if token is rejected
:raises exc.ServiceError: if unable to authenticate token
"""
try:
auth_ref = self._request_strategy.verify_token(user_token)
except ksa_exceptions.NotFound as e:
self._LOG.warning(_LW("Authorization failed for token"))
self._LOG.warning(_LW("Identity response: %s"), e.response.text)
raise ksm_exceptions.InvalidToken(_("Token authorization failed"))
except ksa_exceptions.Unauthorized as e:
self._LOG.info(_LI("Identity server rejected authorization"))
self._LOG.warning(_LW("Identity response: %s"), e.response.text)
if retry:
self._LOG.info(_LI("Retrying validation"))
return self.verify_token(user_token, False)
msg = _("Identity server rejected authorization necessary to " "fetch token data")
raise ksm_exceptions.ServiceError(msg)
except ksa_exceptions.HttpError as e:
self._LOG.error(_LE("Bad response code while validating token: %s"), e.http_status)
self._LOG.warning(_LW("Identity response: %s"), e.response.text)
msg = _("Failed to fetch token data from identity server")
raise ksm_exceptions.ServiceError(msg)
else:
return auth_ref
def verify_token(self, user_token, retry=True):
"""Authenticate user token with identity server.
:param user_token: user's token id
:param retry: flag that forces the middleware to retry
user authentication when an indeterminate
response is received. Optional.
:returns: token object received from identity server on success
:raises exc.InvalidToken: if token is rejected
:raises exc.ServiceError: if unable to authenticate token
"""
user_token = _utils.safe_quote(user_token)
try:
response, data = self._request_strategy.verify_token(user_token)
except exceptions.NotFound as e:
self._LOG.warn(_LW('Authorization failed for token'))
self._LOG.warn(_LW('Identity response: %s'), e.response.text)
except exceptions.Unauthorized as e:
self._LOG.info(_LI('Identity server rejected authorization'))
self._LOG.warn(_LW('Identity response: %s'), e.response.text)
if retry:
self._LOG.info(_LI('Retrying validation'))
return self.verify_token(user_token, False)
except exceptions.HttpError as e:
self._LOG.error(
_LE('Bad response code while validating token: %s'),
e.http_status)
self._LOG.warn(_LW('Identity response: %s'), e.response.text)
else:
if response.status_code == 200:
return data
raise exc.InvalidToken()
def _deserialize(self, data, context):
try:
# unprotect_data will return None if raw_cached is None
return memcache_crypt.unprotect_data(context, data)
except Exception:
msg = _LE('Failed to decrypt/verify cache data')
self._LOG.exception(msg)
# this should have the same effect as data not
# found in cache
return None
def _deserialize(self, data, context):
try:
# unprotect_data will return None if raw_cached is None
return memcache_crypt.unprotect_data(context, data)
except Exception:
msg = _LE('Failed to decrypt/verify cache data')
self._LOG.exception(msg)
# this should have the same effect as data not
# found in cache
return None
def _get_strategy_class(self):
if self._requested_auth_version:
# A specific version was requested.
if discover.version_match(_V3RequestStrategy.AUTH_VERSION, self._requested_auth_version):
return _V3RequestStrategy
# The version isn't v3 so we don't know what to do. Just assume V2.
return _V2RequestStrategy
# Specific version was not requested then we fall through to
# discovering available versions from the server
for klass in _REQUEST_STRATEGIES:
if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
self._LOG.debug("Auth Token confirmed use of %s apis", self._requested_auth_version)
return klass
versions = ["v%d.%d" % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
self._LOG.error(_LE("No attempted versions [%s] supported by server"), ", ".join(versions))
msg = _("No compatible apis supported by server")
raise ksm_exceptions.ServiceError(msg)
def verify_token(self, user_token, retry=True, allow_expired=False):
"""Authenticate user token with identity server.
:param user_token: user's token id
:param retry: flag that forces the middleware to retry
user authentication when an indeterminate
response is received. Optional.
:param allow_expired: Allow retrieving an expired token.
:returns: access info received from identity server on success
:rtype: :py:class:`keystoneauth1.access.AccessInfo`
:raises exc.InvalidToken: if token is rejected
:raises exc.ServiceError: if unable to authenticate token
"""
try:
auth_ref = self._request_strategy.verify_token(
user_token, allow_expired=allow_expired)
except ksa_exceptions.NotFound as e:
self._LOG.warning(_LW('Authorization failed for token'))
self._LOG.warning(_LW('Identity response: %s'), e.response.text)
raise ksm_exceptions.InvalidToken(_('Token authorization failed'))
except ksa_exceptions.Unauthorized as e:
self._LOG.info(_LI('Identity server rejected authorization'))
self._LOG.warning(_LW('Identity response: %s'), e.response.text)
if retry:
self._LOG.info(_LI('Retrying validation'))
return self.verify_token(user_token, False)
msg = _('Identity server rejected authorization necessary to '
'fetch token data')
raise ksm_exceptions.ServiceError(msg)
except ksa_exceptions.HttpError as e:
self._LOG.error(
_LE('Bad response code while validating token: %s'),
e.http_status)
self._LOG.warning(_LW('Identity response: %s'), e.response.text)
msg = _('Failed to fetch token data from identity server')
raise ksm_exceptions.ServiceError(msg)
else:
return auth_ref
def _get_strategy_class(self):
if self._requested_auth_version:
# A specific version was requested.
if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
self._requested_auth_version):
return _V3RequestStrategy
# The version isn't v3 so we don't know what to do. Just assume V2.
return _V2RequestStrategy
# Specific version was not requested then we fall through to
# discovering available versions from the server
for klass in _REQUEST_STRATEGIES:
if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
self._LOG.debug('Auth Token confirmed use of %s apis',
self._requested_auth_version)
return klass
versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
self._LOG.error(_LE('No attempted versions [%s] supported by server'),
', '.join(versions))
msg = _('No compatible apis supported by server')
raise ksm_exceptions.ServiceError(msg)
def wrapper(*args, **kwargs):
try:
return fn(*args, **kwargs)
except Exception as e:
_LOG.exception(_LE('An exception occurred processing '
'the API call: %s '), e)
