def test_provider_token_expiration_validation(self): token = token_model.TokenModel() token.issued_at = "2013-05-21T00:02:43.941473Z" token.expires_at = utils.isotime(CURRENT_DATE) self.assertRaises(exception.TokenNotFound, PROVIDERS.token_provider_api._is_valid_token, token) token = token_model.TokenModel() token.issued_at = "2013-05-21T00:02:43.941473Z" token.expires_at = utils.isotime(timeutils.utcnow() + FUTURE_DELTA) self.assertIsNone(PROVIDERS.token_provider_api._is_valid_token(token))
def _validate_token(self, token_id): (user_id, methods, audit_ids, system, domain_id, project_id, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, issued_at, expires_at) = self.driver.validate_token(token_id) token = token_model.TokenModel() token.user_id = user_id token.methods = methods if len(audit_ids) > 1: token.parent_audit_id = audit_ids.pop() token.audit_id = audit_ids.pop() token.system = system token.domain_id = domain_id token.project_id = project_id token.trust_id = trust_id token.access_token_id = access_token_id token.application_credential_id = app_cred_id token.expires_at = expires_at if federated_group_ids is not None: token.is_federated = True token.identity_provider_id = identity_provider_id token.protocol_id = protocol_id token.federated_groups = federated_group_ids token.mint(token_id, issued_at) return token
def test_unable_to_verify_token_with_missing_public_key(self): # create token, signing with private key token = token_model.TokenModel() token.methods = ['password'] token.user_id = uuid.uuid4().hex token.audit_id = provider.random_urlsafe_str() token.expires_at = utils.isotime( provider.default_expire_time(), subsecond=True ) token_id, issued_at = self.provider.generate_id_and_issued_at(token) # remove the public key for the token we just created current_pub_key = os.path.join( CONF.jwt_tokens.jws_public_key_repository, 'public.pem' ) os.remove(current_pub_key) # create additional public keys for _ in range(2): private_key_path = os.path.join( CONF.jwt_tokens.jws_private_key_repository, uuid.uuid4().hex ) pub_key_path = os.path.join( CONF.jwt_tokens.jws_public_key_repository, uuid.uuid4().hex ) jwt_utils.create_jws_keypair(private_key_path, pub_key_path) # validate token and ensure it returns a 404 self.assertRaises( exception.TokenNotFound, self.provider.validate_token, token_id )
def issue_token(self, user_id, method_names, expires_at=None, system=None, project_id=None, domain_id=None, auth_context=None, trust_id=None, app_cred_id=None, parent_audit_id=None): # NOTE(lbragstad): Grab a blank token object and use composition to # build the token according to the authentication and authorization # context. This cuts down on the amount of logic we have to stuff into # the TokenModel's __init__() method. token = token_model.TokenModel() token.methods = method_names token.system = system token.domain_id = domain_id token.project_id = project_id token.trust_id = trust_id token.application_credential_id = app_cred_id token.audit_id = random_urlsafe_str() token.parent_audit_id = parent_audit_id if auth_context: if constants.IDENTITY_PROVIDER in auth_context: token.is_federated = True token.protocol_id = auth_context[constants.PROTOCOL] idp_id = auth_context[constants.IDENTITY_PROVIDER] if isinstance(idp_id, bytes): idp_id = idp_id.decode('utf-8') token.identity_provider_id = idp_id token.user_id = auth_context['user_id'] token.federated_groups = [ {'id': group} for group in auth_context['group_ids'] ] if 'access_token_id' in auth_context: token.access_token_id = auth_context['access_token_id'] if not token.user_id: token.user_id = user_id token.user_domain_id = token.user['domain_id'] if isinstance(expires_at, datetime.datetime): token.expires_at = utils.isotime(expires_at, subsecond=True) if isinstance(expires_at, six.string_types): token.expires_at = expires_at elif not expires_at: token.expires_at = utils.isotime( default_expire_time(), subsecond=True ) token_id, issued_at = self.driver.generate_id_and_issued_at(token) token.mint(token_id, issued_at) # cache the token object and with ID if CONF.token.cache_on_issue or CONF.token.caching: # NOTE(amakarov): here and above TOKENS_REGION is to be passed # to serve as required positional "self" argument. It's ignored, # so I've put it here for convenience - any placeholder is fine. self._validate_token.set(token, self, token.id) return token
def setUp(self): super(TestTokenSerialization, self).setUp() self.admin_user_id = self.bootstrapper.admin_user_id self.admin_username = self.bootstrapper.admin_username self.admin_password = self.bootstrapper.admin_password self.project_id = self.bootstrapper.project_id self.project_name = self.bootstrapper.project_name self.admin_role_id = self.bootstrapper.admin_role_id self.member_role_id = self.bootstrapper.member_role_id self.reader_role_id = self.bootstrapper.reader_role_id self.token_id = uuid.uuid4().hex issued_at = datetime.datetime.utcnow() self.issued_at = ks_utils.isotime(at=issued_at, subsecond=True) # Reach into the cache registry and pull out an instance of the # _TokenModelHandler so that we can interact and test it directly (as # opposed to using PROVIDERS or managers to invoke it). token_handler_id = token_model._TokenModelHandler.identity self.token_handler = _context_cache._registry.get(token_handler_id) self.exp_token = token_model.TokenModel() self.exp_token.user_id = self.admin_user_id self.exp_token.project_id = self.project_id self.exp_token.mint(self.token_id, self.issued_at)
def _build_tokenless_auth_context(self, request): """Build the authentication context. The context is built from the attributes provided in the env, such as certificate and scope attributes. """ tokenless_helper = tokenless_auth.TokenlessAuthHelper(request.environ) (domain_id, project_id, trust_ref, unscoped, system) = ( tokenless_helper.get_scope()) user_ref = tokenless_helper.get_mapped_user( project_id, domain_id) # NOTE(gyee): if it is an ephemeral user, the # given X.509 SSL client cert does not need to map to # an existing user. if user_ref['type'] == federation_utils.UserType.EPHEMERAL: auth_context = {} auth_context['group_ids'] = user_ref['group_ids'] auth_context[federation_constants.IDENTITY_PROVIDER] = ( user_ref[federation_constants.IDENTITY_PROVIDER]) auth_context[federation_constants.PROTOCOL] = ( user_ref[federation_constants.PROTOCOL]) if domain_id and project_id: msg = _('Scoping to both domain and project is not allowed') raise ValueError(msg) if domain_id: auth_context['domain_id'] = domain_id if project_id: auth_context['project_id'] = project_id auth_context['roles'] = user_ref['roles'] else: # it's the local user, so token data is needed. token = token_model.TokenModel() token.user_id = user_ref['id'] token.methods = [CONF.tokenless_auth.protocol] token.domain_id = domain_id token.project_id = project_id auth_context = {'user_id': user_ref['id']} auth_context['is_delegated_auth'] = False if domain_id: auth_context['domain_id'] = domain_id if project_id: auth_context['project_id'] = project_id auth_context['roles'] = [role['name'] for role in token.roles] return auth_context
def test_verify_token_with_multiple_public_keys_present(self): token = token_model.TokenModel() token.methods = ['password'] token.user_id = uuid.uuid4().hex token.audit_id = provider.random_urlsafe_str() token.expires_at = utils.isotime( provider.default_expire_time(), subsecond=True ) token_id, issued_at = self.provider.generate_id_and_issued_at(token) for _ in range(2): private_key_path = os.path.join( CONF.jwt_tokens.jws_private_key_repository, uuid.uuid4().hex ) pub_key_path = os.path.join( CONF.jwt_tokens.jws_public_key_repository, uuid.uuid4().hex ) jwt_utils.create_jws_keypair(private_key_path, pub_key_path) # make sure we iterate through all public keys on disk and we can still # validate the token self.provider.validate_token(token_id)