def get(self): """Validate a token. HEAD/GET /v3/auth/tokens """ # TODO(morgan): eliminate the check_token action only use validate # NOTE(morgan): Well lookie here, we have different enforcements # for no good reason (historical), because the methods previouslly # had to be named different names. Check which method and do the # correct enforcement. if flask.request.method == 'HEAD': ENFORCER.enforce_call(action='identity:check_token') else: ENFORCER.enforce_call(action='identity:validate_token') token_id = flask.request.headers.get( authorization.SUBJECT_TOKEN_HEADER) access_rules_support = flask.request.headers.get( authorization.ACCESS_RULES_HEADER) allow_expired = strutils.bool_from_string( flask.request.args.get('allow_expired')) window_secs = CONF.token.allow_expired_window if allow_expired else 0 include_catalog = 'nocatalog' not in flask.request.args token = PROVIDERS.token_provider_api.validate_token( token_id, window_seconds=window_secs, access_rules_support=access_rules_support) token_resp = render_token.render_token_response_from_model( token, include_catalog=include_catalog) resp_body = jsonutils.dumps(token_resp) response = flask.make_response(resp_body, http_client.OK) response.headers['X-Subject-Token'] = token_id response.headers['Content-Type'] = 'application/json' return response
def _keystone_specific_values(self, token, request_context): request_context.token_reference = ( render_token.render_token_response_from_model(token) ) if token.domain_scoped: # Domain scoped tokens should never have is_admin_project set # Even if KSA defaults it otherwise. The two mechanisms are # parallel; only ione or the other should be used for access. request_context.is_admin_project = False request_context.domain_id = token.domain_id request_context.domain_name = token.domain['name'] if token.oauth_scoped: request_context.is_delegated_auth = True request_context.oauth_consumer_id = ( token.access_token['consumer_id'] ) request_context.oauth_access_token_id = token.access_token_id if token.trust_scoped: request_context.is_delegated_auth = True request_context.trust_id = token.trust_id if token.is_federated: request_context.group_ids = [] for group in token.federated_groups: request_context.group_ids.append(group['id']) else: request_context.group_ids = []
def _keystone_specific_values(self, token, request_context): request_context.token_reference = ( render_token.render_token_response_from_model(token) ) if token.domain_scoped: # Domain scoped tokens should never have is_admin_project set # Even if KSA defaults it otherwise. The two mechanisms are # parallel; only ione or the other should be used for access. request_context.is_admin_project = False request_context.domain_id = token.domain_id request_context.domain_name = token.domain['name'] if token.oauth_scoped: request_context.is_delegated_auth = True request_context.oauth_consumer_id = ( token.access_token['consumer_id'] ) request_context.oauth_access_token_id = token.access_token_id if token.trust_scoped: request_context.is_delegated_auth = True request_context.trust_id = token.trust_id if token.is_federated: request_context.group_ids = [] for group in token.federated_groups: request_context.group_ids.append(group['id']) else: request_context.group_ids = []
def fetch_token(self, token, **kwargs): try: self.token = self.token_provider_api.validate_token( token, access_rules_support=ACCESS_RULES_MIN_VERSION) return render_token.render_token_response_from_model(self.token) except exception.TokenNotFound: raise auth_token.InvalidToken(_('Could not find token'))
def get(self): """Validate a token. HEAD/GET /v3/auth/tokens """ # TODO(morgan): eliminate the check_token action only use validate # NOTE(morgan): Well lookie here, we have different enforcements # for no good reason (historical), because the methods previouslly # had to be named different names. Check which method and do the # correct enforcement. if flask.request.method == 'HEAD': ENFORCER.enforce_call(action='identity:check_token') else: ENFORCER.enforce_call(action='identity:validate_token') token_id = flask.request.headers.get( authorization.SUBJECT_TOKEN_HEADER) allow_expired = strutils.bool_from_string( flask.request.args.get('allow_expired')) window_secs = CONF.token.allow_expired_window if allow_expired else 0 include_catalog = 'nocatalog' not in flask.request.args token = PROVIDERS.token_provider_api.validate_token( token_id, window_seconds=window_secs) token_resp = render_token.render_token_response_from_model( token, include_catalog=include_catalog) resp_body = jsonutils.dumps(token_resp) response = flask.make_response(resp_body, http_client.OK) response.headers['X-Subject-Token'] = token_id response.headers['Content-Type'] = 'application/json' return response
def post(self): """Authenticate s3token. POST /v3/s3tokens """ token = self.handle_authenticate() token_reference = render_token.render_token_response_from_model(token) resp_body = jsonutils.dumps(token_reference) response = flask.make_response(resp_body, http.client.OK) response.headers['Content-Type'] = 'application/json' return response
def post(self): """Authenticate s3token. POST /v3/s3tokens """ token = self.handle_authenticate() token_reference = render_token.render_token_response_from_model(token) resp_body = jsonutils.dumps(token_reference) response = flask.make_response(resp_body, http_client.OK) response.headers['Content-Type'] = 'application/json' return response
def _enforce(self, credentials, action, target, do_raise=True): """Verify that the action is valid on the target in this context. This method is for cases that exceed the base enforcer functionality (notably for compatibility with `@protected` style decorators. :param credentials: user credentials :param action: string representing the action to be checked, which should be colon separated for clarity. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': object.project_id} :raises keystone.exception.Forbidden: If verification fails. Actions should be colon separated for clarity. For example: * identity:list_users """ # Add the exception arguments if asked to do a raise extra = {} if do_raise: extra.update(exc=exception.ForbiddenAction, action=action, do_raise=do_raise) # NOTE(lbragstad): If there is a token in the credentials dictionary, # it's going to be an instance of a TokenModel. We'll need to convert # it to the a token response or dictionary before passing it to # oslo.policy for enforcement. This is because oslo.policy shouldn't # know how to deal with an internal object only used within keystone. # # TODO(morgan): Rework this to not need an explicit token render as # this is a generally poorly designed behavior. The enforcer should not # rely on a contract of the token's rendered JSON form. This likely # needs reworking of how we handle the context in oslo.policy. Until # this is reworked, it is not possible to merge the token render # function into keystone.api if 'token' in credentials: token_ref = render_token.render_token_response_from_model( credentials['token']) credentials_copy = copy.deepcopy(credentials) credentials_copy['token'] = token_ref credentials = credentials_copy try: return self._enforcer.enforce(rule=action, target=target, creds=credentials, **extra) except common_policy.InvalidScope: raise exception.ForbiddenAction(action=action)
def authenticate(self, context, credentials=None, ec2Credentials=None): (user_ref, project_ref, roles_ref) = self._authenticate( credentials=credentials, ec2credentials=ec2Credentials ) method_names = ['ec2credential'] token = self.token_provider_api.issue_token( user_ref['id'], method_names, project_id=project_ref['id'] ) token_reference = render_token.render_token_response_from_model(token) return self.render_token_data_response(token.id, token_reference)
def post(self): """Issue a token. POST /v3/auth/tokens """ include_catalog = 'nocatalog' not in flask.request.args auth_data = self.request_body_json.get('auth') auth_schema.validate_issue_token_auth(auth_data) token = authentication.authenticate_for_token(auth_data) resp_data = render_token.render_token_response_from_model( token, include_catalog=include_catalog) resp_body = jsonutils.dumps(resp_data) response = flask.make_response(resp_body, http_client.CREATED) response.headers['X-Subject-Token'] = token.id response.headers['Content-Type'] = 'application/json' return response
def post(self): """Issue a token. POST /v3/auth/tokens """ include_catalog = 'nocatalog' not in flask.request.args auth_data = self.request_body_json.get('auth') auth_schema.validate_issue_token_auth(auth_data) token = authentication.authenticate_for_token(auth_data) resp_data = render_token.render_token_response_from_model( token, include_catalog=include_catalog ) resp_body = jsonutils.dumps(resp_data) response = flask.make_response(resp_body, http_client.CREATED) response.headers['X-Subject-Token'] = token.id response.headers['Content-Type'] = 'application/json' return response
def _auth(self, idp_id, protocol_id): """Build and pass auth data to authentication code. Build HTTP request body for federated authentication and inject it into the ``authenticate_for_token`` function. """ auth = { 'identity': { 'methods': [protocol_id], protocol_id: { 'identity_provider': idp_id, 'protocol': protocol_id }, } } token = authentication.authenticate_for_token(auth) token_data = render_token.render_token_response_from_model(token) resp_data = jsonutils.dumps(token_data) flask_resp = flask.make_response(resp_data, http.client.CREATED) flask_resp.headers['X-Subject-Token'] = token.id flask_resp.headers['Content-Type'] = 'application/json' return flask_resp
def _auth(self, idp_id, protocol_id): """Build and pass auth data to authentication code. Build HTTP request body for federated authentication and inject it into the ``authenticate_for_token`` function. """ auth = { 'identity': { 'methods': [protocol_id], protocol_id: { 'identity_provider': idp_id, 'protocol': protocol_id }, } } token = authentication.authenticate_for_token(auth) token_data = render_token.render_token_response_from_model(token) resp_data = jsonutils.dumps(token_data) flask_resp = flask.make_response(resp_data, http_client.CREATED) flask_resp.headers['X-Subject-Token'] = token.id flask_resp.headers['Content-Type'] = 'application/json' return flask_resp
def fetch_token(self, token, **kwargs): try: token_model = self.token_provider_api.validate_token(token) return render_token.render_token_response_from_model(token_model) except exception.TokenNotFound: raise auth_token.InvalidToken(_('Could not find token'))
def fetch_token(self, token, **kwargs): try: self.token = self.token_provider_api.validate_token(token) return render_token.render_token_response_from_model(self.token) except exception.TokenNotFound: raise auth_token.InvalidToken(_('Could not find token'))