def _populate_token(self, token_data, expires=None):
if not expires:
expires = token_module.default_expire_time()
if not isinstance(expires, unicode):
expires = timeutils.isotime(expires)
token_data['expires'] = expires
token_data['issued_at'] = timeutils.strtime()
def _populate_token_dates(self, token_data, expires=None, trust=None):
if not expires:
expires = token.default_expire_time()
if not isinstance(expires, basestring):
expires = timeutils.isotime(expires, subsecond=True)
token_data['expires_at'] = expires
token_data['issued_at'] = timeutils.isotime(subsecond=True)
def _populate_token_dates(self, token_data, expires=None, trust=None):
if not expires:
expires = token.default_expire_time()
if not isinstance(expires, basestring):
expires = timeutils.isotime(expires, subsecond=True)
token_data['expires_at'] = expires
token_data['issued_at'] = timeutils.isotime(subsecond=True)
def create_token(self, token_id, data):
token_id = token.unique_id(token_id)
data_copy = copy.deepcopy(data)
if 'expires' not in data:
data_copy['expires'] = token.default_expire_time()
self.db.set('token-%s' % token_id, data_copy)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
token_id = token.unique_id(token_id)
data_copy = copy.deepcopy(data)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if 'trust_id' in data and data['trust_id'] is None:
data_copy.pop('trust_id')
self.db.set('token-%s' % token_id, data_copy)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
data_copy["id"] = token_id
if not data_copy.get("expires"):
data_copy["expires"] = token.default_expire_time()
if not data_copy.get("user_id"):
data_copy["user_id"] = data_copy["user"]["id"]
self.db.set("token-%s" % token_id, data_copy)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
data_copy['id'] = token_id
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
self.db.set('token-%s' % token_id, data_copy)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
data_copy['id'] = token_id
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
self.db.set('token-%s' % token_id, data_copy)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
token_ref = TokenModel.from_dict(data_copy)
token_ref.id = token.unique_id(token_id)
token_ref.valid = True
session = self.get_session()
with session.begin():
session.add(token_ref)
session.flush()
return token_ref.to_dict()
def test_revoked_token_in_list(self):
user_id = uuid.uuid4().hex
expires_at = token.default_expire_time()
sample = self._blank_event()
sample['user_id'] = unicode(user_id)
sample['expires_at'] = unicode(timeutils.isotime(expires_at))
before_time = timeutils.utcnow()
self.revoke_api.revoke_by_expiration(user_id, expires_at)
resp = self.get('/OS-REVOKE/events')
events = resp.json_body['events']
self.assertEqual(len(events), 1)
self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
def test_revoked_token_in_list(self):
user_id = uuid.uuid4().hex
expires_at = token.default_expire_time()
sample = self._blank_event()
sample['user_id'] = unicode(user_id)
sample['expires_at'] = unicode(timeutils.isotime(expires_at))
before_time = timeutils.utcnow()
self.revoke_api.revoke_by_expiration(user_id, expires_at)
resp = self.get('/OS-REVOKE/events')
events = resp.json_body['events']
self.assertEqual(len(events), 1)
self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
token_ref = TokenModel.from_dict(data_copy)
token_ref.valid = True
session = db_session.get_session()
with session.begin():
session.add(token_ref)
return token_ref.to_dict()
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
token_ref = TokenModel.from_dict(data_copy)
token_ref.valid = True
session = sql.get_session()
with session.begin():
session.add(token_ref)
return token_ref.to_dict()
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
if not data_copy.get("expires"):
data_copy["expires"] = token.default_expire_time()
if not data_copy.get("user_id"):
data_copy["user_id"] = data_copy["user"]["id"]
token_ref = TokenModel.from_dict(data_copy)
token_ref.valid = True
session = self.get_session()
with session.begin():
session.add(token_ref)
session.flush()
return token_ref.to_dict()
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
user_ref = token_ref['user']
metadata_ref = token_ref['metadata']
if roles_ref is None:
roles_ref = []
expires = token_ref.get('expires', token.default_expire_time())
if expires is not None:
if not isinstance(expires, unicode):
expires = timeutils.isotime(expires)
o = {
'access': {
'token': {
'id': token_ref['id'],
'expires': expires,
'issued_at': timeutils.strtime()
},
'user': {
'id': user_ref['id'],
'name': user_ref['name'],
'username': user_ref['name'],
'roles': roles_ref,
'roles_links': metadata_ref.get('roles_links', [])
}
}
}
if 'bind' in token_ref:
o['access']['token']['bind'] = token_ref['bind']
if 'tenant' in token_ref and token_ref['tenant']:
token_ref['tenant']['enabled'] = True
o['access']['token']['tenant'] = token_ref['tenant']
if catalog_ref is not None:
o['access']['serviceCatalog'] = V2TokenDataHelper.format_catalog(
catalog_ref)
if metadata_ref:
if 'is_admin' in metadata_ref:
o['access']['metadata'] = {
'is_admin': metadata_ref['is_admin']
}
else:
o['access']['metadata'] = {'is_admin': 0}
if 'roles' in metadata_ref:
o['access']['metadata']['roles'] = metadata_ref['roles']
if CONF.trust.enabled and 'trust_id' in metadata_ref:
o['access']['trust'] = {
'trustee_user_id': metadata_ref['trustee_user_id'],
'id': metadata_ref['trust_id']
}
return o
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
user_ref = token_ref['user']
metadata_ref = token_ref['metadata']
if roles_ref is None:
roles_ref = []
expires = token_ref.get('expires', token.default_expire_time())
if expires is not None:
if not isinstance(expires, six.text_type):
expires = timeutils.isotime(expires)
o = {'access': {'token': {'id': token_ref['id'],
'expires': expires,
'issued_at': timeutils.strtime()
},
'user': {'id': user_ref['id'],
'name': user_ref['name'],
'username': user_ref['name'],
'roles': roles_ref,
'roles_links': metadata_ref.get('roles_links',
[])
}
}
}
if 'bind' in token_ref:
o['access']['token']['bind'] = token_ref['bind']
if 'tenant' in token_ref and token_ref['tenant']:
token_ref['tenant']['enabled'] = True
o['access']['token']['tenant'] = token_ref['tenant']
if catalog_ref is not None:
o['access']['serviceCatalog'] = V2TokenDataHelper.format_catalog(
catalog_ref)
if metadata_ref:
if 'is_admin' in metadata_ref:
o['access']['metadata'] = {'is_admin':
metadata_ref['is_admin']}
else:
o['access']['metadata'] = {'is_admin': 0}
if 'roles' in metadata_ref:
o['access']['metadata']['roles'] = metadata_ref['roles']
if CONF.trust.enabled and 'trust_id' in metadata_ref:
o['access']['trust'] = {'trustee_user_id':
metadata_ref['trustee_user_id'],
'id': metadata_ref['trust_id']
}
# Kerberos
#o['access']['kerberos'] = token_ref['kerberos']
return o
def create_token(self, token_id, data):
"""Create a token by id and data.
It is assumed the caller has performed data validation on the "data"
parameter.
"""
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token_id)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
# NOTE(morganfainberg): for ease of manipulating the data without
# concern about the backend, always store the value(s) in the
# index as the isotime (string) version so this is where the string is
# built.
expires_str = timeutils.isotime(data_copy['expires'], subsecond=True)
self._set_key(ptk, data_copy)
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
self._update_user_token_list(user_key, token_id, expires_str)
if CONF.trust.enabled and data.get('trust_id'):
# NOTE(morganfainberg): If trusts are enabled and this is a trust
# scoped token, we add the token to the trustee list as well. This
# allows password changes of the trustee to also expire the token.
# There is no harm in placing the token in multiple lists, as
# _list_tokens is smart enough to handle almost any case of
# valid/invalid/expired for a given token.
token_data = data_copy['token_data']
if data_copy['token_version'] == token.provider.V2:
trustee_user_id = token_data['access']['trust'][
'trustee_user_id']
elif data_copy['token_version'] == token.provider.V3:
trustee_user_id = token_data['OS-TRUST:trust'][
'trustee_user_id']
else:
raise token.provider.UnsupportedTokenVersionException(
_('Unknown token version %s') %
data_copy.get('token_version'))
trustee_key = self._prefix_user_id(trustee_user_id)
self._update_user_token_list(trustee_key, token_id, expires_str)
return data_copy
def create_token(self, token_id, data):
"""Create a token by id and data.
It is assumed the caller has performed data validation on the "data"
parameter.
"""
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token_id)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
# NOTE(morganfainberg): for ease of manipulating the data without
# concern about the backend, always store the value(s) in the
# index as the isotime (string) version so this is where the string is
# built.
expires_str = timeutils.isotime(data_copy['expires'], subsecond=True)
self._set_key(ptk, data_copy)
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
self._update_user_token_list(user_key, token_id, expires_str)
if CONF.trust.enabled and data.get('trust_id'):
# NOTE(morganfainberg): If trusts are enabled and this is a trust
# scoped token, we add the token to the trustee list as well. This
# allows password changes of the trustee to also expire the token.
# There is no harm in placing the token in multiple lists, as
# _list_tokens is smart enough to handle almost any case of
# valid/invalid/expired for a given token.
token_data = data_copy['token_data']
if data_copy['token_version'] == token.provider.V2:
trustee_user_id = token_data['access']['trust'][
'trustee_user_id']
elif data_copy['token_version'] == token.provider.V3:
trustee_user_id = token_data['OS-TRUST:trust'][
'trustee_user_id']
else:
raise token.provider.UnsupportedTokenVersionException(
_('Unknown token version %s') %
data_copy.get('token_version'))
trustee_key = self._prefix_user_id(trustee_user_id)
self._update_user_token_list(trustee_key, token_id, expires_str)
return data_copy
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token_id)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
kwargs = {}
if data_copy['expires'] is not None:
expires_ts = utils.unixtime(data_copy['expires'])
kwargs['time'] = expires_ts
self.client.set(ptk, data_copy, **kwargs)
if 'id' in data['user']:
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
# Append the new token_id to the token-index-list stored in the
# user-key within memcache.
self._update_user_list_with_cas(user_key, token_id, data_copy)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token_id)
if not data_copy.get("expires"):
data_copy["expires"] = token.default_expire_time()
if not data_copy.get("user_id"):
data_copy["user_id"] = data_copy["user"]["id"]
kwargs = {}
if data_copy["expires"] is not None:
expires_ts = utils.unixtime(data_copy["expires"])
kwargs["time"] = expires_ts
self.client.set(ptk, data_copy, **kwargs)
if "id" in data["user"]:
token_data = jsonutils.dumps(token_id)
user_id = data["user"]["id"]
user_key = self._prefix_user_id(user_id)
# Append the new token_id to the token-index-list stored in the
# user-key within memcache.
self._update_user_list_with_cas(user_key, token_data)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token.unique_id(token_id))
if 'expires' not in data_copy:
data_copy['expires'] = token.default_expire_time()
kwargs = {}
if data_copy['expires'] is not None:
expires_ts = utils.unixtime(data_copy['expires'])
kwargs['time'] = expires_ts
self.client.set(ptk, data_copy, **kwargs)
if 'id' in data['user']:
token_data = jsonutils.dumps(token_id)
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
if not self.client.append(user_key, ',%s' % token_data):
if not self.client.add(user_key, token_data):
if not self.client.append(user_key, ',%s' % token_data):
msg = _('Unable to add token user list.')
raise exception.UnexpectedError(msg)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token_id)
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
kwargs = {}
if data_copy['expires'] is not None:
expires_ts = utils.unixtime(data_copy['expires'])
kwargs['time'] = expires_ts
self.client.set(ptk, data_copy, **kwargs)
if 'id' in data['user']:
token_data = jsonutils.dumps(token_id)
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
# Append the new token_id to the token-index-list stored in the
# user-key within memcache.
self._update_user_list_with_cas(user_key, token_data)
return copy.deepcopy(data_copy)
def create_token(self, token_id, data):
data_copy = copy.deepcopy(data)
ptk = self._prefix_token_id(token.unique_id(token_id))
if not data_copy.get('expires'):
data_copy['expires'] = token.default_expire_time()
if not data_copy.get('user_id'):
data_copy['user_id'] = data_copy['user']['id']
kwargs = {}
if data_copy['expires'] is not None:
expires_ts = utils.unixtime(data_copy['expires'])
kwargs['time'] = expires_ts
self.client.set(ptk, data_copy, **kwargs)
if 'id' in data['user']:
token_data = jsonutils.dumps(token_id)
user_id = data['user']['id']
user_key = self._prefix_user_id(user_id)
if not self.client.append(user_key, ',%s' % token_data):
if not self.client.add(user_key, token_data):
if not self.client.append(user_key, ',%s' % token_data):
msg = _('Unable to add token user list.')
raise exception.UnexpectedError(msg)
return copy.deepcopy(data_copy)
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
user_ref = token_ref["user"]
metadata_ref = token_ref["metadata"]
if roles_ref is None:
roles_ref = []
expires = token_ref.get("expires", token.default_expire_time())
if expires is not None:
if not isinstance(expires, six.text_type):
expires = timeutils.isotime(expires)
o = {
"access": {
"token": {"id": token_ref["id"], "expires": expires, "issued_at": timeutils.strtime()},
"user": {
"id": user_ref["id"],
"name": user_ref["name"],
"username": user_ref["name"],
"roles": roles_ref,
"roles_links": metadata_ref.get("roles_links", []),
},
}
}
if "bind" in token_ref:
o["access"]["token"]["bind"] = token_ref["bind"]
if "tenant" in token_ref and token_ref["tenant"]:
token_ref["tenant"]["enabled"] = True
o["access"]["token"]["tenant"] = token_ref["tenant"]
if catalog_ref is not None:
o["access"]["serviceCatalog"] = V2TokenDataHelper.format_catalog(catalog_ref)
if metadata_ref:
if "is_admin" in metadata_ref:
o["access"]["metadata"] = {"is_admin": metadata_ref["is_admin"]}
else:
o["access"]["metadata"] = {"is_admin": 0}
if "roles" in metadata_ref:
o["access"]["metadata"]["roles"] = metadata_ref["roles"]
if CONF.trust.enabled and "trust_id" in metadata_ref:
o["access"]["trust"] = {"trustee_user_id": metadata_ref["trustee_user_id"], "id": metadata_ref["trust_id"]}
return o