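def token_to_key(self, token_id):
    """Derive the cache key under which a token's validation result is stored.

    PKI (CMS/ASN.1) tokens are long, so they are keyed by the hex MD5 digest
    of the token text; any other token id (e.g. a UUID) is used verbatim.

    NOTE(review): MD5 is used here to shorten the key, but the key selects
    a cached validation result, so a digest collision would let one token
    read the cached data of another.  A collision-resistant digest would be
    preferable; left unchanged because existing cache entries are keyed this
    way.

    :param token_id: token identifier as received from the client
    :returns: the cache key string
    """
    if cms.is_ans1_token(token_id):
        # Named ``digest`` rather than ``hash`` so the builtin is not shadowed.
        digest = hashlib.md5()
        digest.update(token_id)
        return digest.hexdigest()
    return token_id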
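def _validate_user_token(self, user_token, retry=True):
    """Authenticate a user token locally (PKI signature check or UUID lookup).

    :param user_token: the user's token id (CMS/ASN.1 text or UUID)
    :param retry: ignored, as it is no longer relevant; still forwarded to
        ``verify_uuid_token`` for compatibility
    :returns: the decoded body of the token if the token is valid
    :raises InvalidUserToken: if the token is rejected for any reason
    :no longer raises ServiceError since it no longer makes RPC
    """
    # Initialised outside the ``try`` so the except branch can always refer
    # to it, even if hashing itself is what failed.
    token_id = None
    try:
        token_id = cms.cms_hash_token(user_token)
        cached = self._cache_get(token_id)
        if cached:
            return cached
        if cms.is_ans1_token(user_token):
            verified = self.verify_signed_token(user_token)
            data = json.loads(verified)
        else:
            data = self.verify_uuid_token(user_token, retry)
        self._cache_put(token_id, data)
        return data
    except Exception:
        # Broad catch is deliberate: every failure mode must become a
        # rejection rather than an unhandled error.
        LOG.debug('Token validation failure.', exc_info=True)
        # NOTE(review): this stores under the raw token while _cache_put
        # keys by the hash; presumably _cache_store_invalid hashes
        # internally -- confirm it agrees with _cache_get.
        self._cache_store_invalid(user_token)
        # Log the hash, not the token itself: a bearer token written to the
        # log file is a reusable credential for anyone who can read the logs.
        LOG.warning("Authorization failed for token %s",
                    token_id if token_id is not None else '<unhashable>')
        raise InvalidUserToken('Token authorization failed')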
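def _get_token_ref(self, context, token_id, belongs_to=None):
    """Return the token record for *token_id*, optionally scoped to a project.

    The token is always looked up through ``token_api.get_token`` first
    (presumably so a token unknown to the backend is rejected there before
    any signature work is done -- confirm the backend raises on a miss).
    For PKI (CMS/ASN.1) tokens the backend record is then replaced by the
    signature-verified payload embedded in the token itself.

    :param context: request context (not used by this variant of the lookup)
    :param token_id: token identifier (UUID or CMS text)
    :param belongs_to: if given, the project id the token must be scoped to
    :returns: the token reference dict
    :raises AssertionError: if *belongs_to* is given and does not match the
        token's project id
    """
    token_ref = self.token_api.get_token(token_id)
    if cms.is_ans1_token(token_id):
        verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                        CONF.signing.certfile,
                                        CONF.signing.ca_certs)
        token_ref = json.loads(verified_token)
    if belongs_to:
        # An authorization check must not be an ``assert``: asserts are
        # stripped when Python runs with -O, which would silently disable
        # project scoping.  The exception type is kept so existing callers
        # are unaffected; mapping it to the project's own Unauthorized
        # exception would be preferable.
        if token_ref['project']['id'] != belongs_to:
            raise AssertionError('token does not belong to project %s' % belongs_to)
    return token_ref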
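def _get_token_ref(self, context, token_id, belongs_to=None):
    """Return the token record for *token_id*, optionally scoped to a project.

    The token is always looked up through ``token_api.get_token`` first
    (presumably so a token unknown to the backend is rejected there before
    any signature work is done -- confirm the backend raises on a miss).
    For PKI (CMS/ASN.1) tokens the backend record is then replaced by the
    signature-verified payload embedded in the token itself.

    :param context: request context, forwarded to the token backend
    :param token_id: token identifier (UUID or CMS text)
    :param belongs_to: if given, the project id the token must be scoped to
    :returns: the token reference dict
    :raises AssertionError: if *belongs_to* is given and does not match the
        token's project id
    """
    token_ref = self.token_api.get_token(context=context, token_id=token_id)
    if cms.is_ans1_token(token_id):
        verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                        CONF.signing.certfile,
                                        CONF.signing.ca_certs)
        token_ref = json.loads(verified_token)
    if belongs_to:
        # An authorization check must not be an ``assert``: asserts are
        # stripped when Python runs with -O, which would silently disable
        # project scoping.  The exception type is kept so existing callers
        # are unaffected; mapping it to the project's own Unauthorized
        # exception would be preferable.
        if token_ref['project']['id'] != belongs_to:
            raise AssertionError('token does not belong to project %s' % belongs_to)
    return token_ref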
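def validate(self, response, realm_id):
    """Validate the Keystone token carried in *response* for realm *realm_id*.

    The realm's endpoints and service credentials are read from the service
    catalog (``EndpointV3.list_endpoints`` filtered by ``service_id``).
    UUID tokens are validated remotely: a service token is obtained from the
    public endpoint with the catalog credentials and the user token is then
    fetched from the admin ``/tokens/`` endpoint.  PKI (CMS/ASN.1) tokens are
    validated locally by verifying their signature against the certificate
    and CA data carried in the catalog credentials.

    :param response: auth response dict; the token to validate is
        ``response['access']['token']['id']``
    :param realm_id: catalog service id identifying the realm
    :returns: ``(username, expires, issuer_check)`` where ``issuer_check`` is
        the result of ``self.check_issuers`` over the validated role names
        and project name
    :raises ValueError: if the catalog lists no endpoint for *realm_id*
    """
    catalog_api = catalog.controllers.EndpointV3()
    context = {
        'is_admin': True,
        'query_string': {'service_id': realm_id},
        'interface': 'adminurl',
        'path': "",
    }
    endpoints = catalog_api.list_endpoints(context)

    # Credentials are taken from the last endpoint listed; the validation
    # URLs come from the admin and public endpoints respectively.
    creds = endpoint = post_endpoint = None
    for e in endpoints['endpoints']:
        creds = e["creds"]
        if e['interface'] == 'admin':
            endpoint = e['url'] + '/tokens/'
        if e['interface'] == 'public':
            post_endpoint = e['url'] + '/tokens'
    if creds is None:
        # Previously surfaced as an UnboundLocalError further down.
        raise ValueError("no endpoints registered for realm %s" % realm_id)

    token_id = response['access']['token']['id']
    if not cms.is_ans1_token(token_id):
        # UUID token: authenticate as the service user, then have Keystone
        # validate the user's token.
        auth_req = {"auth": {}}
        auth_req["auth"]["tenantName"] = "service"
        auth_req['auth']['passwordCredentials'] = {"username": creds["user"],
                                                   "password": creds["pass"]}
        auth_token = self.request(post_endpoint, data=auth_req, method="POST")
        header = {"X-Auth-Token": auth_token['access']['token']['id']}
        validatedResponse = self.request(keystoneEndpoint=endpoint,
                                         data=token_id, method="GET",
                                         header=header)
    else:
        # PKI token: verify the CMS signature locally.  ``cms_verify`` takes
        # file paths, so the cert and CA data are written to temporary files.
        # The ``with`` blocks guarantee both files are closed (and so removed)
        # even when verification raises; the old close-after-use sequence
        # leaked them on error.
        with tempfile.NamedTemporaryFile() as cert_file:
            cert_file.write(self.format_certdata(creds["certdata"]))
            cert_file.flush()
            with tempfile.NamedTemporaryFile() as cacert_file:
                cacert_file.write(self.format_certdata(creds["cacert"]))
                cacert_file.flush()
                data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
                                                 cert_file.name,
                                                 cacert_file.name))
        data['access']['token']['user'] = data['access']['user']
        data['access']['token']['metadata'] = data['access']['metadata']
        validatedResponse = data

    validatedAttributes = {}
    roles = validatedResponse['access']['user']['roles']
    if roles:
        # The 'role' key is only present when the user actually has roles.
        validatedAttributes['role'] = [r['name'] for r in roles]
    validatedAttributes['project'] = [validatedResponse['access']['token']['tenant']['name']]
    username = validatedResponse['access']['user']['name']
    expires = validatedResponse['access']['token']['expires']
    return username, expires, self.check_issuers(validatedAttributes, realm_id)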
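def _get_token_ref(self, context, token_id, belongs_to=None):
    """Returns a token if a valid one exists.

    Optionally, limited to a token owned by a specific tenant.

    The caller must be an admin (``assert_admin``).  PKI (CMS/ASN.1) tokens
    are verified against the configured signing certificate and CA bundle
    and the embedded ``access.token`` payload is returned, with the
    ``user`` and ``metadata`` sections copied into it; any other token is
    fetched from the token backend.  Note that *belongs_to* is only
    consulted on the PKI branch of this function.

    :param context: request context; must be an admin context
    :param token_id: token identifier (UUID or CMS text)
    :param belongs_to: if given, the tenant id a PKI token must be scoped to
    :returns: the token reference dict
    :raises AssertionError: if *belongs_to* is given and does not match a
        PKI token's tenant id
    """
    # TODO(termie): this stuff should probably be moved to middleware
    self.assert_admin(context)
    if cms.is_ans1_token(token_id):
        data = json.loads(
            cms.cms_verify(cms.token_to_cms(token_id),
                           config.CONF.signing.certfile,
                           config.CONF.signing.ca_certs)
        )
        data["access"]["token"]["user"] = data["access"]["user"]
        data["access"]["token"]["metadata"] = data["access"]["metadata"]
        if belongs_to:
            # Not an ``assert``: asserts are stripped under -O, which would
            # silently drop this tenant scoping check.  The exception type
            # is kept so callers are unaffected; mapping it to the project's
            # Unauthorized exception would be preferable.
            if data["access"]["token"]["tenant"]["id"] != belongs_to:
                raise AssertionError("token does not belong to tenant %s" % belongs_to)
        token_ref = data["access"]["token"]
    else:
        token_ref = self.token_api.get_token(context=context, token_id=token_id)
    return token_ref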
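def _get_token_ref(self, context, token_id, belongs_to=None):
    """Returns a token if a valid one exists.

    Optionally, limited to a token owned by a specific tenant.

    The caller must be an admin (``assert_admin``).  PKI (CMS/ASN.1) tokens
    are verified against the configured signing certificate and CA bundle
    and the embedded ``access.token`` payload is returned, with the
    ``user`` and ``metadata`` sections copied into it; any other token is
    fetched from the token backend.  Note that *belongs_to* is only
    consulted on the PKI branch of this function.

    :param context: request context; must be an admin context
    :param token_id: token identifier (UUID or CMS text)
    :param belongs_to: if given, the tenant id a PKI token must be scoped to
    :returns: the token reference dict
    :raises AssertionError: if *belongs_to* is given and does not match a
        PKI token's tenant id
    """
    # TODO(termie): this stuff should probably be moved to middleware
    self.assert_admin(context)
    if cms.is_ans1_token(token_id):
        data = json.loads(
            cms.cms_verify(cms.token_to_cms(token_id),
                           config.CONF.signing.certfile,
                           config.CONF.signing.ca_certs))
        data['access']['token']['user'] = data['access']['user']
        data['access']['token']['metadata'] = data['access']['metadata']
        if belongs_to:
            # Not an ``assert``: asserts are stripped under -O, which would
            # silently drop this tenant scoping check.  The exception type
            # is kept so callers are unaffected; mapping it to the project's
            # Unauthorized exception would be preferable.
            if data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('token does not belong to tenant %s' % belongs_to)
        token_ref = data['access']['token']
    else:
        token_ref = self.token_api.get_token(context=context, token_id=token_id)
    return token_ref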