def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM): """Verifies the signature of the provided data's IAW CMS syntax. If either of the certificate files might be missing, fetch them and retry. """ def verify(): try: signing_cert_path = self._signing_directory.calc_path( self._SIGNING_CERT_FILE_NAME) signing_ca_path = self._signing_directory.calc_path( self._SIGNING_CA_FILE_NAME) return cms.cms_verify(data, signing_cert_path, signing_ca_path, inform=inform).decode('utf-8') except (exceptions.CMSError, cms.subprocess.CalledProcessError) as err: self._LOG.warning(_LW('Verify error: %s'), err) raise exc.InvalidToken(_('Token authorization failed')) try: return verify() except exceptions.CertificateConfigError: # the certs might be missing; unconditionally fetch to avoid racing self._fetch_signing_cert() self._fetch_ca_cert() try: # retry with certs in place return verify() except exceptions.CertificateConfigError as err: # if this is still occurring, something else is wrong and we # need err.output to identify the problem self._LOG.error(_LE('CMS Verify output: %s'), err.output) raise
def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM): """Verifies the signature of the provided data's IAW CMS syntax. If either of the certificate files might be missing, fetch them and retry. """ def verify(): try: signing_cert_path = self._signing_directory.calc_path( self._SIGNING_CERT_FILE_NAME) signing_ca_path = self._signing_directory.calc_path( self._SIGNING_CA_FILE_NAME) return cms.cms_verify(data, signing_cert_path, signing_ca_path, inform=inform).decode('utf-8') except cms.subprocess.CalledProcessError as err: self._LOG.warning(_LW('Verify error: %s'), err) raise try: return verify() except exceptions.CertificateConfigError: # the certs might be missing; unconditionally fetch to avoid racing self._fetch_signing_cert() self._fetch_ca_cert() try: # retry with certs in place return verify() except exceptions.CertificateConfigError as err: # if this is still occurring, something else is wrong and we # need err.output to identify the problem self._LOG.error(_LE('CMS Verify output: %s'), err.output) raise
def wrapper(*args, **kwargs): try: return fn(*args, **kwargs) except Exception as e: _LOG.exception( _LE('An exception occurred processing ' 'the API call: %s '), e)
def verify_token(self, user_token, retry=True): """Authenticate user token with identity server. :param user_token: user's token id :param retry: flag that forces the middleware to retry user authentication when an indeterminate response is received. Optional. :returns: token object received from identity server on success :raises exc.InvalidToken: if token is rejected :raises exc.ServiceError: if unable to authenticate token """ user_token = _utils.safe_quote(user_token) try: response, data = self._request_strategy.verify_token(user_token) except exceptions.NotFound as e: self._LOG.warn(_LW('Authorization failed for token')) self._LOG.warn(_LW('Identity response: %s'), e.response.text) except exceptions.Unauthorized as e: self._LOG.info(_LI('Identity server rejected authorization')) self._LOG.warn(_LW('Identity response: %s'), e.response.text) if retry: self._LOG.info(_LI('Retrying validation')) return self.verify_token(user_token, False) except exceptions.HttpError as e: self._LOG.error( _LE('Bad response code while validating token: %s'), e.http_status) self._LOG.warn(_LW('Identity response: %s'), e.response.text) else: if response.status_code == 200: return data raise exc.InvalidToken()
def verify_token(self, user_token, retry=True): """Authenticate user token with identity server. :param user_token: user's token id :param retry: flag that forces the middleware to retry user authentication when an indeterminate response is received. Optional. :returns: access info received from identity server on success :rtype: :py:class:`keystoneauth1.access.AccessInfo` :raises exc.InvalidToken: if token is rejected :raises exc.ServiceError: if unable to authenticate token """ try: auth_ref = self._request_strategy.verify_token(user_token) except ksa_exceptions.NotFound as e: self._LOG.warning(_LW("Authorization failed for token")) self._LOG.warning(_LW("Identity response: %s"), e.response.text) raise ksm_exceptions.InvalidToken(_("Token authorization failed")) except ksa_exceptions.Unauthorized as e: self._LOG.info(_LI("Identity server rejected authorization")) self._LOG.warning(_LW("Identity response: %s"), e.response.text) if retry: self._LOG.info(_LI("Retrying validation")) return self.verify_token(user_token, False) msg = _("Identity server rejected authorization necessary to " "fetch token data") raise ksm_exceptions.ServiceError(msg) except ksa_exceptions.HttpError as e: self._LOG.error(_LE("Bad response code while validating token: %s"), e.http_status) self._LOG.warning(_LW("Identity response: %s"), e.response.text) msg = _("Failed to fetch token data from identity server") raise ksm_exceptions.ServiceError(msg) else: return auth_ref
def _deserialize(self, data, context): try: # unprotect_data will return None if raw_cached is None return memcache_crypt.unprotect_data(context, data) except Exception: msg = _LE('Failed to decrypt/verify cache data') self._LOG.exception(msg) # this should have the same effect as data not # found in cache return None
def _get_strategy_class(self): if self._requested_auth_version: # A specific version was requested. if discover.version_match(_V3RequestStrategy.AUTH_VERSION, self._requested_auth_version): return _V3RequestStrategy # The version isn't v3 so we don't know what to do. Just assume V2. return _V2RequestStrategy # Specific version was not requested then we fall through to # discovering available versions from the server for klass in _REQUEST_STRATEGIES: if self._adapter.get_endpoint(version=klass.AUTH_VERSION): self._LOG.debug("Auth Token confirmed use of %s apis", self._requested_auth_version) return klass versions = ["v%d.%d" % s.AUTH_VERSION for s in _REQUEST_STRATEGIES] self._LOG.error(_LE("No attempted versions [%s] supported by server"), ", ".join(versions)) msg = _("No compatible apis supported by server") raise ksm_exceptions.ServiceError(msg)
def verify_token(self, user_token, retry=True, allow_expired=False): """Authenticate user token with identity server. :param user_token: user's token id :param retry: flag that forces the middleware to retry user authentication when an indeterminate response is received. Optional. :param allow_expired: Allow retrieving an expired token. :returns: access info received from identity server on success :rtype: :py:class:`keystoneauth1.access.AccessInfo` :raises exc.InvalidToken: if token is rejected :raises exc.ServiceError: if unable to authenticate token """ try: auth_ref = self._request_strategy.verify_token( user_token, allow_expired=allow_expired) except ksa_exceptions.NotFound as e: self._LOG.warning(_LW('Authorization failed for token')) self._LOG.warning(_LW('Identity response: %s'), e.response.text) raise ksm_exceptions.InvalidToken(_('Token authorization failed')) except ksa_exceptions.Unauthorized as e: self._LOG.info(_LI('Identity server rejected authorization')) self._LOG.warning(_LW('Identity response: %s'), e.response.text) if retry: self._LOG.info(_LI('Retrying validation')) return self.verify_token(user_token, False) msg = _('Identity server rejected authorization necessary to ' 'fetch token data') raise ksm_exceptions.ServiceError(msg) except ksa_exceptions.HttpError as e: self._LOG.error( _LE('Bad response code while validating token: %s'), e.http_status) self._LOG.warning(_LW('Identity response: %s'), e.response.text) msg = _('Failed to fetch token data from identity server') raise ksm_exceptions.ServiceError(msg) else: return auth_ref
def _get_strategy_class(self): if self._requested_auth_version: # A specific version was requested. if discover.version_match(_V3RequestStrategy.AUTH_VERSION, self._requested_auth_version): return _V3RequestStrategy # The version isn't v3 so we don't know what to do. Just assume V2. return _V2RequestStrategy # Specific version was not requested then we fall through to # discovering available versions from the server for klass in _REQUEST_STRATEGIES: if self._adapter.get_endpoint(version=klass.AUTH_VERSION): self._LOG.debug('Auth Token confirmed use of %s apis', self._requested_auth_version) return klass versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES] self._LOG.error(_LE('No attempted versions [%s] supported by server'), ', '.join(versions)) msg = _('No compatible apis supported by server') raise ksm_exceptions.ServiceError(msg)
def wrapper(*args, **kwargs): try: return fn(*args, **kwargs) except Exception as e: _LOG.exception(_LE('An exception occurred processing ' 'the API call: %s '), e)