def get_token_version(self, token_data):
if token_data and isinstance(token_data, dict):
if 'token_version' in token_data:
if token_data['token_version'] in token_model.VERSIONS:
return token_data['token_version']
if 'token' in token_data and 'methods' in token_data['token']:
return token_model.V3
raise exception.UnsupportedTokenVersionException()
def _validate_token(self, token_id):
token_ref = self.persistence.get_token(token_id)
version = self.driver.get_token_version(token_ref)
if version == self.V3:
return self.driver.validate_v3_token(token_ref)
elif version == self.V2:
return self.driver.validate_v2_token(token_ref)
raise exception.UnsupportedTokenVersionException()
def __init__(self, token_id, token_data):
self.token_data = token_data
self.token_id = token_id
try:
super(KeystoneToken, self).__init__(**token_data['token'])
except KeyError:
raise exception.UnsupportedTokenVersionException()
if self.project_scoped and self.domain_scoped:
raise exception.UnexpectedError(_('Found invalid token: scoped to '
'both project and domain.'))
def _validate_token(self, token_id):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
if not self._needs_persistence:
return self.driver.validate_v3_token(token_id)
token_ref = self._persistence.get_token(token_id)
version = self.get_token_version(token_ref)
if version == self.V3:
return self.driver.validate_v3_token(token_ref)
elif version == self.V2:
return self.driver.validate_v2_token(token_ref)
raise exception.UnsupportedTokenVersionException()
def get_token_version(self, token_data):
if token_data and isinstance(token_data, dict):
if 'token_version' in token_data:
if token_data['token_version'] in token.provider.VERSIONS:
return token_data['token_version']
# FIXME(morganfainberg): deprecate the following logic in future
# revisions. It is better to just specify the token_version in
# the token_data itself. This way we can support future versions
# that might have the same fields.
if 'access' in token_data:
return token.provider.V2
if 'token' in token_data and 'methods' in token_data['token']:
return token.provider.V3
raise exception.UnsupportedTokenVersionException()
def _validate_token(self, token_id):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
if not self._needs_persistence:
# NOTE(lbragstad): This will validate v2 and v3 non-persistent
# tokens.
return self.driver.validate_non_persistent_token(token_id)
token_ref = self._persistence.get_token(token_id)
version = self.get_token_version(token_ref)
if version == self.V3:
return self.driver.validate_v3_token(token_ref)
elif version == self.V2:
return self.driver.validate_v2_token(token_ref)
raise exception.UnsupportedTokenVersionException()
def __init__(self, token_id, token_data):
self.token_data = token_data
if 'access' in token_data:
super(KeystoneToken, self).__init__(**token_data['access'])
self.version = V2
elif 'token' in token_data and 'methods' in token_data['token']:
super(KeystoneToken, self).__init__(**token_data['token'])
self.version = V3
else:
raise exception.UnsupportedTokenVersionException()
self.token_id = token_id
if self.project_scoped and self.domain_scoped:
raise exception.UnexpectedError(_('Found invalid token: scoped to '
'both project and domain.'))
def _validate_token(self, token_id):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
if not self._needs_persistence:
return self.driver.validate_v3_token(token_id)
token_ref = self._persistence.get_token(token_id)
version = self.driver.get_token_version(token_ref)
if version == self.V3:
try:
return self.driver.validate_v3_token(token_ref)
except exception.Unauthorized as e:
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
elif version == self.V2:
return self.driver.validate_v2_token(token_ref)
raise exception.UnsupportedTokenVersionException()
def create_token(self, token_id, data):
"""Create a token by id and data.
It is assumed the caller has performed data validation on the "data"
parameter.
"""
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token_id)
if not data_copy.get('expires'):
data_copy['expires'] = provider.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
# NOTE(morganfainberg): for ease of manipulating the data without
# concern about the backend, always store the value(s) in the
# index as the isotime (string) version so this is where the string is
# built.
expires_str = timeutils.isotime(data_copy['expires'], subsecond=True)
self._set_key(ptk, data_copy)
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
self._update_user_token_list(user_key, token_id, expires_str)
if CONF.trust.enabled and data.get('trust_id'):
# NOTE(morganfainberg): If trusts are enabled and this is a trust
# scoped token, we add the token to the trustee list as well. This
# allows password changes of the trustee to also expire the token.
# There is no harm in placing the token in multiple lists, as
# _list_tokens is smart enough to handle almost any case of
# valid/invalid/expired for a given token.
token_data = data_copy['token_data']
if data_copy['token_version'] == token.provider.V2:
trustee_user_id = token_data['access']['trust'][
'trustee_user_id']
elif data_copy['token_version'] == token.provider.V3:
trustee_user_id = token_data['OS-TRUST:trust'][
'trustee_user_id']
else:
raise exception.UnsupportedTokenVersionException(
_('Unknown token version %s') %
data_copy.get('token_version'))
trustee_key = self._prefix_user_id(trustee_user_id)
self._update_user_token_list(trustee_key, token_id, expires_str)
return data_copy
