    def verify_signed_token(self, signed_text):
        """Verify a signed token's CMS signature after a revocation check.

        The revocation check runs first, on the signed text exactly as
        received, so a revoked token is rejected before the verifier is
        ever invoked.

        Args:
            signed_text: The signed token as received from the client.

        Returns:
            Whatever ``self.cms_verify`` returns for the CMS-formatted token.

        Raises:
            InvalidUserToken: If ``is_signed_token_revoked`` reports the
                token as revoked.
        """
        revoked = self.is_signed_token_revoked(signed_text)
        if revoked:
            raise InvalidUserToken('Token has been revoked')
        return self.cms_verify(cms.token_to_cms(signed_text))
    def verify_signed_token(self, signed_text):
        """Verify a signed token's CMS signature after a revocation check.

        The revocation check runs first, on the signed text exactly as
        received, so a revoked token is rejected before the verifier is
        ever invoked.

        Args:
            signed_text: The signed token as received from the client.

        Returns:
            Whatever ``self.cms_verify`` returns for the CMS-formatted token.

        Raises:
            InvalidUserToken: If ``is_signed_token_revoked`` reports the
                token as revoked.
        """
        revoked = self.is_signed_token_revoked(signed_text)
        if revoked:
            raise InvalidUserToken('Token has been revoked')
        return self.cms_verify(cms.token_to_cms(signed_text))
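 def _get_token_ref(self, context, token_id, belongs_to=None):
     """Load a token reference, verifying PKI tokens against the signing certs.

     The token is always fetched from ``self.token_api`` first; for a
     CMS-signed (PKI) token the locally verified payload then replaces
     that reference.

     NOTE(review): both the ``token_api`` record and the verified payload
     are indexed as ``['project']['id']`` below — confirm the two
     structures really share that layout.

     Args:
         context: Request context; unused in this version.
         token_id: Token id (UUID or PKI-signed blob) as received from the
             client.
         belongs_to: Optional project id the token must be scoped to.

     Returns:
         The token reference dict (the verified payload for PKI tokens).

     Raises:
         AssertionError: If ``belongs_to`` is given and the token's
             ``project.id`` does not match it.
     """
     token_ref = self.token_api.get_token(token_id)
     if cms.is_ans1_token(token_id):
         verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                         CONF.signing.certfile,
                                         CONF.signing.ca_certs)
         token_ref = json.loads(verified_token)
     # Explicit check rather than ``assert``: asserts are stripped under
     # ``python -O``, which would silently drop this scope check.
     # AssertionError is kept so existing callers see the same exception;
     # the project's own unauthorized exception would be the better fit.
     if belongs_to and token_ref['project']['id'] != belongs_to:
         raise AssertionError('Token is not scoped to project %s' % belongs_to)
     return token_ref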
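 def _get_token_ref(self, context, token_id, belongs_to=None):
     """Load a token reference, verifying PKI tokens against the signing certs.

     The token is always fetched from ``self.token_api`` first; for a
     CMS-signed (PKI) token the locally verified payload then replaces
     that reference.

     NOTE(review): both the ``token_api`` record and the verified payload
     are indexed as ``['project']['id']`` below — confirm the two
     structures really share that layout.

     Args:
         context: Request context, passed through to ``token_api.get_token``.
         token_id: Token id (UUID or PKI-signed blob) as received from the
             client.
         belongs_to: Optional project id the token must be scoped to.

     Returns:
         The token reference dict (the verified payload for PKI tokens).

     Raises:
         AssertionError: If ``belongs_to`` is given and the token's
             ``project.id`` does not match it.
     """
     token_ref = self.token_api.get_token(context=context,
                                          token_id=token_id)
     if cms.is_ans1_token(token_id):
         verified_token = cms.cms_verify(cms.token_to_cms(token_id),
                                         CONF.signing.certfile,
                                         CONF.signing.ca_certs)
         token_ref = json.loads(verified_token)
     # Explicit check rather than ``assert``: asserts are stripped under
     # ``python -O``, which would silently drop this scope check.
     # AssertionError is kept so existing callers see the same exception;
     # the project's own unauthorized exception would be the better fit.
     if belongs_to and token_ref['project']['id'] != belongs_to:
         raise AssertionError('Token is not scoped to project %s' % belongs_to)
     return token_ref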
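 def validate(self, response, realm_id):
     """Validate the token in a Keystone auth response for a realm.

     The catalog endpoints registered under ``realm_id`` supply the
     validation material: the ``admin`` endpoint's ``/tokens/`` URL is
     used to validate UUID tokens remotely, the ``public`` endpoint's
     ``/tokens`` URL is used to obtain the token for that call, and the
     endpoint's ``creds`` hold the username/password for that login plus
     the ``certdata``/``cacert`` used to verify PKI tokens locally. A PKI
     token is accepted only if its CMS signature verifies against those
     certificates. When several endpoints are listed, the last one of
     each interface wins and ``creds`` come from whichever endpoint was
     listed last, regardless of its interface.

     Args:
         response: Keystone auth response; the token id is read from
             ``response['access']['token']['id']``.
         realm_id: Catalog service id whose endpoints are consulted.

     Returns:
         ``(username, expires, issuer_check)`` where ``issuer_check`` is
         the value of ``self.check_issuers`` for the validated role names
         and project name.

     Raises:
         ValueError: If the catalog lists no endpoint for the realm, or a
             UUID token is validated without both an ``admin`` and a
             ``public`` endpoint.
     """
     catalog_api = catalog.controllers.EndpointV3()
     context = {
         'is_admin': True,
         'query_string': {'service_id': realm_id},
         'interface': 'adminurl',
         'path': "",
     }
     endpoints = catalog_api.list_endpoints(context)

     # Last endpoint of each interface wins; creds come from whichever
     # endpoint is listed last, whatever its interface.
     creds = None
     endpoint = None
     post_endpoint = None
     for e in endpoints['endpoints']:
         creds = e["creds"]
         if e['interface'] == 'admin':
             endpoint = e['url'] + '/tokens/'
         if e['interface'] == 'public':
             post_endpoint = e['url'] + '/tokens'
     if creds is None:
         raise ValueError("no endpoints registered for realm %s" % realm_id)

     token_id = response['access']['token']['id']
     if not cms.is_ans1_token(token_id):
         # UUID token: have Keystone validate it, authenticating with the
         # service credentials stored in the endpoint's creds.
         if endpoint is None or post_endpoint is None:
             raise ValueError(
                 "realm %s needs both an admin and a public endpoint" % realm_id)
         auth_req = {
             "auth": {
                 "tenantName": "service",
                 'passwordCredentials': {"username": creds["user"],
                                         "password": creds["pass"]},
             }
         }
         auth_token = self.request(post_endpoint, data=auth_req, method="POST")
         header = {"X-Auth-Token": auth_token['access']['token']['id']}
         validatedResponse = self.request(keystoneEndpoint=endpoint, data=token_id,
                                          method="GET", header=header)
     else:
         # PKI token: verify the CMS signature locally. cms_verify takes file
         # names, so the cert and CA data go into temp files that are removed
         # on leaving the ``with`` block even when verification raises.
         with tempfile.NamedTemporaryFile() as cert_file, \
                 tempfile.NamedTemporaryFile() as cacert_file:
             cert_file.write(self.format_certdata(creds["certdata"]))
             cert_file.flush()
             cacert_file.write(self.format_certdata(creds["cacert"]))
             cacert_file.flush()
             data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
                                              cert_file.name, cacert_file.name))
         data['access']['token']['user'] = data['access']['user']
         data['access']['token']['metadata'] = data['access']['metadata']
         validatedResponse = data

     # Collect every role name. The original appended outside the loop, so
     # only the last role reached check_issuers.
     validatedAttributes = {
         'role': [r['name'] for r in validatedResponse['access']['user']['roles']],
         'project': [validatedResponse['access']['token']['tenant']['name']],
     }
     username = validatedResponse['access']['user']['name']
     expires = validatedResponse['access']['token']['expires']
     return username, expires, self.check_issuers(validatedAttributes, realm_id)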
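    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        PKI (CMS-signed) tokens are verified locally against the configured
        signing certificate and CA bundle; the ``access.token`` section of
        the verified payload is returned with ``user`` and ``metadata``
        copied into it. Other tokens are looked up through
        ``self.token_api``.

        NOTE(review): ``belongs_to`` is only enforced on the PKI branch; the
        ``token_api`` branch returns ``get_token``'s result without a tenant
        check — confirm scope is enforced there or by the caller.

        Args:
            context: Request context; must satisfy ``self.assert_admin``.
            token_id: UUID token id or CMS-signed token blob.
            belongs_to: Optional tenant id a PKI token must be scoped to.

        Returns:
            The token reference dict.

        Raises:
            AssertionError: If ``belongs_to`` is given and the PKI token's
                tenant id differs from it.
            Whatever ``self.assert_admin`` raises for a non-admin context.
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if cms.is_ans1_token(token_id):
            data = json.loads(
                cms.cms_verify(cms.token_to_cms(token_id),
                               config.CONF.signing.certfile,
                               config.CONF.signing.ca_certs))
            data["access"]["token"]["user"] = data["access"]["user"]
            data["access"]["token"]["metadata"] = data["access"]["metadata"]
            # Explicit check rather than ``assert``: asserts are stripped under
            # ``python -O``, which would silently drop this scope check.
            # AssertionError is kept so existing callers see the same exception;
            # the project's own unauthorized exception would be the better fit.
            if belongs_to and data["access"]["token"]["tenant"]["id"] != belongs_to:
                raise AssertionError('Token is not scoped to tenant %s' % belongs_to)
            token_ref = data["access"]["token"]
        else:
            token_ref = self.token_api.get_token(context=context, token_id=token_id)
        return token_ref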
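    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        A token id longer than ``cms.UUID_TOKEN_LENGTH`` is treated as a
        PKI (CMS-signed) token: it is verified locally against the
        configured signing certificate and CA bundle, and the
        ``access.token`` section of the verified payload is returned with
        ``user`` and ``metadata`` copied into it. Shorter ids are looked up
        through ``self.token_api``.

        NOTE(review): ``belongs_to`` is only enforced on the PKI branch; the
        ``token_api`` branch returns ``get_token``'s result without a tenant
        check — confirm scope is enforced there or by the caller.

        Args:
            context: Request context; must satisfy ``self.assert_admin``.
            token_id: UUID token id or CMS-signed token blob.
            belongs_to: Optional tenant id a PKI token must be scoped to.

        Returns:
            The token reference dict.

        Raises:
            AssertionError: If ``belongs_to`` is given and the PKI token's
                tenant id differs from it.
            Whatever ``self.assert_admin`` raises for a non-admin context.
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if len(token_id) > cms.UUID_TOKEN_LENGTH:
            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
                                             config.CONF.signing.certfile,
                                             config.CONF.signing.ca_certs))
            data['access']['token']['user'] = data['access']['user']
            data['access']['token']['metadata'] = data['access']['metadata']
            # Explicit check rather than ``assert``: asserts are stripped under
            # ``python -O``, which would silently drop this scope check.
            # AssertionError is kept so existing callers see the same exception;
            # the project's own unauthorized exception would be the better fit.
            if belongs_to and data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('Token is not scoped to tenant %s' % belongs_to)
            token_ref = data['access']['token']
        else:
            token_ref = self.token_api.get_token(context=context,
                                                 token_id=token_id)
        return token_ref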
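    def verify_signed_token(self, signed_text):
        """Convert a Base64 token block to strict PEM and verify its CMS signature.

        If the verifier reports the signing certificate or the CA file as
        missing, that file is fetched and verification is retried. Each
        certificate is fetched at most once: if the verifier still reports
        it missing afterwards the error propagates instead of retrying
        forever, which the original unbounded loop would do. Any other
        ``CalledProcessError`` from the verifier propagates unchanged.

        Args:
            signed_text: The signed token as received from the client.

        Returns:
            The output of ``cms.cms_verify`` for the token.

        Raises:
            subprocess.CalledProcessError: If verification fails for any
                reason other than a certificate file that a single fetch
                could supply.
        """
        formatted = cms.token_to_cms(signed_text)

        fetched_signing_cert = False
        fetched_ca_cert = False
        while True:
            try:
                return cms.cms_verify(formatted, self.signing_cert_file_name,
                                      self.ca_file_name)
            except subprocess.CalledProcessError as err:
                if (not fetched_signing_cert and
                        self.cert_file_missing(err, self.signing_cert_file_name)):
                    self.fetch_signing_cert()
                    fetched_signing_cert = True
                    continue
                if (not fetched_ca_cert and
                        self.cert_file_missing(err, self.ca_file_name)):
                    self.fetch_ca_cert()
                    fetched_ca_cert = True
                    continue
                # Bare ``raise`` keeps the original traceback.
                raise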
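    def _get_token_ref(self, context, token_id, belongs_to=None):
        """Returns a token if a valid one exists.

        Optionally, limited to a token owned by a specific tenant.

        A token id longer than ``cms.UUID_TOKEN_LENGTH`` is treated as a
        PKI (CMS-signed) token: it is verified locally against the
        configured signing certificate and CA bundle, and the
        ``access.token`` section of the verified payload is returned with
        ``user`` and ``metadata`` copied into it. Shorter ids are looked up
        through ``self.token_api``.

        NOTE(review): ``belongs_to`` is only enforced on the PKI branch; the
        ``token_api`` branch returns ``get_token``'s result without a tenant
        check — confirm scope is enforced there or by the caller.

        Args:
            context: Request context; must satisfy ``self.assert_admin``.
            token_id: UUID token id or CMS-signed token blob.
            belongs_to: Optional tenant id a PKI token must be scoped to.

        Returns:
            The token reference dict.

        Raises:
            AssertionError: If ``belongs_to`` is given and the PKI token's
                tenant id differs from it.
            Whatever ``self.assert_admin`` raises for a non-admin context.
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)

        if len(token_id) > cms.UUID_TOKEN_LENGTH:
            data = json.loads(
                cms.cms_verify(cms.token_to_cms(token_id),
                               config.CONF.signing.certfile,
                               config.CONF.signing.ca_certs))
            data['access']['token']['user'] = data['access']['user']
            data['access']['token']['metadata'] = data['access']['metadata']
            # Explicit check rather than ``assert``: asserts are stripped under
            # ``python -O``, which would silently drop this scope check.
            # AssertionError is kept so existing callers see the same exception;
            # the project's own unauthorized exception would be the better fit.
            if belongs_to and data['access']['token']['tenant']['id'] != belongs_to:
                raise AssertionError('Token is not scoped to tenant %s' % belongs_to)
            token_ref = data['access']['token']
        else:
            token_ref = self.token_api.get_token(context=context,
                                                 token_id=token_id)
        return token_ref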