    def verify_signed_token(self, signed_text):
        """Verify a signed token: reject revoked tokens, then check the CMS signature.

        :param signed_text: the signed token text as received from the client
        :returns: whatever ``self.cms_verify`` returns for the CMS form of the token
        :raises InvalidUserToken: if the token appears on the revocation list
        """
        # Revocation is checked before any signature work so that a revoked
        # token is rejected even when its signature would still verify.
        revoked = self.is_signed_token_revoked(signed_text)
        if revoked:
            raise InvalidUserToken('Token has been revoked')
        cms_blob = cms.token_to_cms(signed_text)
        verified = self.cms_verify(cms_blob)
        return verified
    def verify_signed_token(self, signed_text):
        """Return the verified payload of ``signed_text``.

        A token found on the revocation list is rejected before its
        signature is examined.

        :param signed_text: the signed token as presented by the client
        :returns: the result of ``self.cms_verify`` on the CMS form of the token
        :raises InvalidUserToken: when the token has been revoked
        """
        if not self.is_signed_token_revoked(signed_text):
            return self.cms_verify(cms.token_to_cms(signed_text))
        raise InvalidUserToken('Token has been revoked')
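 def _get_token_ref(self, context, token_id, belongs_to=None):
     """Return the token reference for ``token_id``.

     The token is first looked up through ``self.token_api``; if ``token_id``
     is a signed (CMS) token, its signature is verified against the configured
     signing certificate and CA bundle and the verified payload replaces the
     stored reference.

     :param context: request context (not used by this lookup)
     :param token_id: the token id or signed token text to resolve
     :param belongs_to: if given, the project id the token must be scoped to
     :returns: the token reference dict
     :raises AssertionError: if ``belongs_to`` is set and the token's project
         id does not match it
     """
     token_ref = self.token_api.get_token(token_id)
     if cms.is_ans1_token(token_id):
         verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                         CONF.signing.certfile,
                                         CONF.signing.ca_certs)
         token_ref = json.loads(verified_token)
     # Raise explicitly rather than via ``assert``: assert statements are
     # stripped when Python runs with -O, which would silently disable this
     # scope check. AssertionError is kept so existing callers are unaffected.
     if belongs_to and token_ref['project']['id'] != belongs_to:
         raise AssertionError('Token is not scoped to the requested project')
     return token_ref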
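 def _get_token_ref(self, context, token_id, belongs_to=None):
     """Return the token reference for ``token_id``.

     The token is first looked up through ``self.token_api``; if ``token_id``
     is a signed (CMS) token, its signature is verified against the configured
     signing certificate and CA bundle and the verified payload replaces the
     stored reference.

     :param context: request context, passed through to ``token_api``
     :param token_id: the token id or signed token text to resolve
     :param belongs_to: if given, the project id the token must be scoped to
     :returns: the token reference dict
     :raises AssertionError: if ``belongs_to`` is set and the token's project
         id does not match it
     """
     token_ref = self.token_api.get_token(context=context,
                                          token_id=token_id)
     if cms.is_ans1_token(token_id):
         verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                         CONF.signing.certfile,
                                         CONF.signing.ca_certs)
         token_ref = json.loads(verified_token)
     # Raise explicitly rather than via ``assert``: assert statements are
     # stripped when Python runs with -O, which would silently disable this
     # scope check. AssertionError is kept so existing callers are unaffected.
     if belongs_to and token_ref['project']['id'] != belongs_to:
         raise AssertionError('Token is not scoped to the requested project')
     return token_ref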
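 def validate(self, response, realm_id):
     """Validate a Keystone token for ``realm_id`` and extract its attributes.

     Endpoints for the realm's service are looked up through the catalog in an
     admin context. A UUID token is validated remotely: a service token is
     obtained from the public endpoint and the user token is then fetched from
     the admin endpoint with it. A signed (CMS) token is verified locally
     against the certificate data carried in the endpoint credentials.

     :param response: the auth response containing ``access.token.id``
     :param realm_id: the service id whose endpoints and credentials to use
     :returns: ``(username, expires, issuer_check)`` where ``issuer_check`` is
         the result of ``self.check_issuers`` over the validated attributes
     """
     catalog_api = catalog.controllers.EndpointV3()
     context = {
         'is_admin': True,
         'query_string': {'service_id': realm_id},
         'interface': 'adminurl',
         'path': "",
     }
     endpoints = catalog_api.list_endpoints(context)
     # The last endpoint of each interface wins and ``creds`` is taken from the
     # last endpoint listed. NOTE(review): if the catalog returns no admin or
     # public endpoint, ``endpoint``/``post_endpoint``/``creds`` stay unbound.
     for e in endpoints['endpoints']:
         creds = e["creds"]
         if e['interface'] == 'admin':
             endpoint = e['url'] + '/tokens/'
         if e['interface'] == 'public':
             post_endpoint = e['url'] + '/tokens'
     token_id = response['access']['token']['id']
     if not cms.is_ans1_token(token_id):
         # Remote validation: authenticate as the service user, then GET the
         # user token from the admin endpoint using the service token.
         auth_req = {"auth": {}}
         auth_req["auth"]["tenantName"] = "service"
         auth_req['auth']['passwordCredentials'] = {"username": creds["user"], "password": creds["pass"]}
         auth_token = self.request(post_endpoint, data=auth_req, method="POST")
         header = {"X-Auth-Token": auth_token['access']['token']['id']}
         validatedResponse = self.request(keystoneEndpoint=endpoint, data=token_id, method="GET", header=header)
     else:
         # Local CMS verification. The context managers close (and so remove)
         # the temporary certificate files even if verification raises.
         with tempfile.NamedTemporaryFile() as cert_file, \
                 tempfile.NamedTemporaryFile() as cacert_file:
             cert_file.write(self.format_certdata(creds["certdata"]))
             cert_file.flush()
             cacert_file.write(self.format_certdata(creds["cacert"]))
             cacert_file.flush()
             data = json.loads(cms.cms_verify(cms.token_to_cms(token_id), cert_file.name, cacert_file.name))
         data['access']['token']['user'] = data['access']['user']
         data['access']['token']['metadata'] = data['access']['metadata']
         validatedResponse = data
     # Collect every role name. The previous code appended only after the
     # loop, so just the last role survived and a user with no roles raised
     # KeyError on the missing 'role' key.
     validatedAttributes = {
         'role': [r['name'] for r in validatedResponse['access']['user']['roles']],
         'project': [validatedResponse['access']['token']['tenant']['name']],
     }
     username = validatedResponse['access']['user']['name']
     expires = validatedResponse['access']['token']['expires']
     return username, expires, self.check_issuers(validatedAttributes, realm_id)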
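    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        :param context: request context; must pass ``self.assert_admin``
        :param token_id: UUID token id or signed (CMS) token text
        :param belongs_to: if given, the tenant id a signed token must be
            scoped to
        :returns: the token reference dict
        :raises AssertionError: if ``belongs_to`` is set and a signed token's
            tenant id does not match it
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if cms.is_ans1_token(token_id):
            data = json.loads(
                cms.cms_verify(cms.token_to_cms(token_id), config.CONF.signing.certfile, config.CONF.signing.ca_certs)
            )
            data["access"]["token"]["user"] = data["access"]["user"]
            data["access"]["token"]["metadata"] = data["access"]["metadata"]
            # Explicit raise instead of ``assert``: asserts are stripped under
            # ``python -O``, which would silently disable this scope check.
            # AssertionError is kept so existing callers see the same type.
            if belongs_to and data["access"]["token"]["tenant"]["id"] != belongs_to:
                raise AssertionError("Token is not scoped to the requested tenant")
            token_ref = data["access"]["token"]
        else:
            # NOTE(review): ``belongs_to`` is only enforced on the signed-token
            # path; this branch returns the stored token without a tenant check
            # -- confirm the caller or token_api enforces it.
            token_ref = self.token_api.get_token(context=context, token_id=token_id)
        return token_ref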
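    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        :param context: request context; must pass ``self.assert_admin``
        :param token_id: UUID token id or signed (CMS) token text; anything
            longer than ``cms.UUID_TOKEN_LENGTH`` is treated as signed
        :param belongs_to: if given, the tenant id a signed token must be
            scoped to
        :returns: the token reference dict
        :raises AssertionError: if ``belongs_to`` is set and a signed token's
            tenant id does not match it
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if len(token_id) > cms.UUID_TOKEN_LENGTH:
            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
                                             config.CONF.signing.certfile,
                                             config.CONF.signing.ca_certs))
            data['access']['token']['user'] = data['access']['user']
            data['access']['token']['metadata'] = data['access']['metadata']
            # Explicit raise instead of ``assert``: asserts are stripped under
            # ``python -O``, which would silently disable this scope check.
            # AssertionError is kept so existing callers see the same type.
            if belongs_to and data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('Token is not scoped to the requested tenant')
            token_ref = data['access']['token']
        else:
            # NOTE(review): ``belongs_to`` is only enforced on the signed-token
            # path; this branch returns the stored token without a tenant check
            # -- confirm the caller or token_api enforces it.
            token_ref = self.token_api.get_token(context=context,
                                                 token_id=token_id)
        return token_ref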
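    def verify_signed_token(self, signed_text):
        """Verify the CMS signature of a signed token.

        Converts a block of Base64 encoding to strict PEM format and verifies
        the signature of the contents IAW CMS syntax. If either of the
        certificate files is missing, fetch it and retry -- but each
        certificate is fetched at most once, so a fetch that still leaves the
        file missing surfaces the verification error instead of looping
        forever.

        :param signed_text: the signed token text
        :returns: the output of ``cms.cms_verify``
        :raises subprocess.CalledProcessError: if verification fails for any
            reason other than a certificate file that a single fetch repaired
        """
        formatted = cms.token_to_cms(signed_text)

        fetched_signing_cert = False
        fetched_ca_cert = False
        while True:
            try:
                return cms.cms_verify(formatted, self.signing_cert_file_name,
                                      self.ca_file_name)
            except subprocess.CalledProcessError as err:
                # Retry once per certificate; the previous loop retried
                # without bound when a fetch did not produce the file.
                if (not fetched_signing_cert
                        and self.cert_file_missing(err, self.signing_cert_file_name)):
                    self.fetch_signing_cert()
                    fetched_signing_cert = True
                    continue
                if (not fetched_ca_cert
                        and self.cert_file_missing(err, self.ca_file_name)):
                    self.fetch_ca_cert()
                    fetched_ca_cert = True
                    continue
                # Bare ``raise`` keeps the original traceback intact.
                raise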
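    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        :param context: request context; must pass ``self.assert_admin``
        :param token_id: UUID token id or signed (CMS) token text; anything
            longer than ``cms.UUID_TOKEN_LENGTH`` is treated as signed
        :param belongs_to: if given, the tenant id a signed token must be
            scoped to
        :returns: the token reference dict
        :raises AssertionError: if ``belongs_to`` is set and a signed token's
            tenant id does not match it
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if len(token_id) > cms.UUID_TOKEN_LENGTH:
            data = json.loads(
                cms.cms_verify(cms.token_to_cms(token_id),
                               config.CONF.signing.certfile,
                               config.CONF.signing.ca_certs))
            data['access']['token']['user'] = data['access']['user']
            data['access']['token']['metadata'] = data['access']['metadata']
            # Explicit raise instead of ``assert``: asserts are stripped under
            # ``python -O``, which would silently disable this scope check.
            # AssertionError is kept so existing callers see the same type.
            if belongs_to and data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('Token is not scoped to the requested tenant')
            token_ref = data['access']['token']
        else:
            # NOTE(review): ``belongs_to`` is only enforced on the signed-token
            # path; this branch returns the stored token without a tenant check
            # -- confirm the caller or token_api enforces it.
            token_ref = self.token_api.get_token(context=context,
                                                 token_id=token_id)
        return token_ref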