def validate_token(self, token_id): unique_id = utils.generate_unique_id(token_id) # NOTE(morganfainberg): Ensure we never use the long-form token_id # (PKI) as part of the cache_key. token = self._validate_token(unique_id) self._is_valid_token(token) return token
def validate_v2_token(self, token_id, belongs_to=None): # NOTE(lbragstad): Only go to the persistence backend if the token # provider requires it. if self._needs_persistence: # NOTE(morganfainberg): Ensure we never use the long-form token_id # (PKI) as part of the cache_key. unique_id = utils.generate_unique_id(token_id) token_ref = self._persistence.get_token(unique_id) token = self._validate_v2_token(token_ref) else: # NOTE(lbragstad): If the token doesn't require persistence, then # it is a fernet token. The fernet token provider doesn't care if # it's creating version 2.0 tokens or v3 tokens, so we use the same # validate_non_persistent_token() method to validate both. Then we # can leverage a separate method to make version 3 token data look # like version 2.0 token data. The pattern we want to move towards # is one where the token providers just handle data and the # controller layers handle interpreting the token data in a format # that makes sense for the request. v3_token_ref = self.validate_non_persistent_token(token_id) v2_token_data_helper = providers.common.V2TokenDataHelper() token = v2_token_data_helper.v3_to_v2_token(v3_token_ref, token_id) # these are common things that happen regardless of token provider self._token_belongs_to(token, belongs_to) self._is_valid_token(token) return token
def delete_token(self, token_id): if not CONF.token.revoke_by_id: return unique_id = utils.generate_unique_id(token_id) self.driver.delete_token(unique_id) self._invalidate_individual_token_cache(unique_id) self.invalidate_revocation_list()
def validate_v2_token(self, token_id, belongs_to=None): # NOTE(lbragstad): Only go to the persistence backend if the token # provider requires it. if self._needs_persistence: # NOTE(morganfainberg): Ensure we never use the long-form token_id # (PKI) as part of the cache_key. unique_id = utils.generate_unique_id(token_id) token_ref = self._persistence.get_token(unique_id) token = self._validate_v2_token(token_ref) else: # NOTE(lbragstad): If the token doesn't require persistence, then # it is a fernet token. The fernet token provider doesn't care if # it's creating version 2.0 tokens or v3 tokens, so we use the same # validate_non_persistent_token() method to validate both. Then we # can leverage a separate method to make version 3 token data look # like version 2.0 token data. The pattern we want to move towards # is one where the token providers just handle data and the # controller layers handle interpreting the token data in a format # that makes sense for the request. v3_token_ref = self.validate_non_persistent_token(token_id) v2_token_data_helper = providers.common.V2TokenDataHelper() token = v2_token_data_helper.v3_to_v2_token(v3_token_ref) # these are common things that happen regardless of token provider token['access']['token']['id'] = token_id self._token_belongs_to(token, belongs_to) self._is_valid_token(token) return token
def delete_tokens(self, user_id, tenant_id=None, trust_id=None, consumer_id=None): if not CONF.token.revoke_by_id: return token_list = self.driver.delete_tokens(user_id, tenant_id, trust_id, consumer_id) for token_id in token_list: unique_id = utils.generate_unique_id(token_id) self._invalidate_individual_token_cache(unique_id) self.invalidate_revocation_list()
def get_token(self, token_id): unique_id = utils.generate_unique_id(token_id) token_ref = self._get_token(unique_id) # NOTE(morganfainberg): Lift expired checking to the manager, there is # no reason to make the drivers implement this check. With caching, # self._get_token could return an expired token. Make sure we behave # as expected and raise TokenNotFound on those instances. self._assert_valid(token_id, token_ref) return token_ref
def create_token(self, token_id, data): unique_id = utils.generate_unique_id(token_id) data_copy = copy.deepcopy(data) data_copy['id'] = unique_id ret = self.driver.create_token(unique_id, data_copy) if MEMOIZE.should_cache(ret): # NOTE(morganfainberg): when doing a cache set, you must pass the # same arguments through, the same as invalidate (this includes # "self"). First argument is always the value to be cached self._get_token.set(ret, self, unique_id) return ret
def validate_v2_token(self, token_id, belongs_to=None): unique_id = utils.generate_unique_id(token_id) if self._needs_persistence: # NOTE(morganfainberg): Ensure we never use the long-form token_id # (PKI) as part of the cache_key. token_ref = self._persistence.get_token(unique_id) else: token_ref = token_id token = self._validate_v2_token(token_ref) self._token_belongs_to(token, belongs_to) self._is_valid_token(token) return token
def validate_v3_token(self, token_id): unique_id = utils.generate_unique_id(token_id) # NOTE(lbragstad): Only go to persistent storage if we have a token to # fetch from the backend (the driver persists the token). Otherwise # the information about the token must be in the token id. if not self._needs_persistence: token_ref = token_id else: # NOTE(morganfainberg): Ensure we never use the long-form token_id # (PKI) as part of the cache_key. token_ref = self._persistence.get_token(unique_id) token = self._validate_v3_token(token_ref) self._is_valid_token(token) return token
def get_token(self, token_id): if not token_id: # NOTE(morganfainberg): There are cases when the # context['token_id'] will in-fact be None. This also saves # a round-trip to the backend if we don't have a token_id. raise exception.TokenNotFound(token_id='') unique_id = utils.generate_unique_id(token_id) token_ref = self._get_token(unique_id) # NOTE(morganfainberg): Lift expired checking to the manager, there is # no reason to make the drivers implement this check. With caching, # self._get_token could return an expired token. Make sure we behave # as expected and raise TokenNotFound on those instances. self._assert_valid(token_id, token_ref) return token_ref
def validate_v3_token(self, token_id): unique_id = utils.generate_unique_id(token_id) # NOTE(lbragstad): Only go to persistent storage if we have a token to # fetch from the backend. If the Fernet token provider is being used # this step isn't necessary. The Fernet token reference is persisted in # the token_id, so in this case set the token_ref as the identifier of # the token. if not self._needs_persistence: token_ref = token_id else: # NOTE(morganfainberg): Ensure we never use the long-form token_id # (PKI) as part of the cache_key. token_ref = self._persistence.get_token(unique_id) token = self._validate_v3_token(token_ref) self._is_valid_token(token) return token
def validate_v3_token(self, token_id): if not token_id: raise exception.TokenNotFound(_('No token in the request')) try: # NOTE(lbragstad): Only go to persistent storage if we have a token # to fetch from the backend (the driver persists the token). # Otherwise the information about the token must be in the token # id. if not self._needs_persistence: token_ref = self.validate_non_persistent_token(token_id) else: unique_id = utils.generate_unique_id(token_id) # NOTE(morganfainberg): Ensure we never use the long-form # token_id (PKI) as part of the cache_key. token_ref = self._persistence.get_token(unique_id) token_ref = self._validate_v3_token(token_ref) self._is_valid_token(token_ref) return token_ref except exception.Unauthorized as e: LOG.debug('Unable to validate token: %s', e) raise exception.TokenNotFound(token_id=token_id)
def validate_v3_token(self, token_id): if not token_id: raise exception.TokenNotFound(_('No token in the request')) try: unique_id = utils.generate_unique_id(token_id) # NOTE(lbragstad): Only go to persistent storage if we have a # token to fetch from the backend. If the Fernet token provider is # being used this step isn't necessary. The Fernet token reference # is persisted in the token_id, so in this case set the token_ref # as the identifier of the token. if not self._needs_persistence: token_ref = token_id else: # NOTE(morganfainberg): Ensure we never use the long-form # token_id (PKI) as part of the cache_key. token_ref = self._persistence.get_token(unique_id) token = self._validate_v3_token(token_ref) self._is_valid_token(token) return token except exception.Unauthorized as e: LOG.debug('Unable to validate token: %s', e) raise exception.TokenNotFound(token_id=token_id)
def get_token(self, token_id): return self._get_token(utils.generate_unique_id(token_id))