示例#1
0
    def revocation_list(self, context, auth=None):
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t["expires"]
            if not (expires and isinstance(expires, unicode)):
                t["expires"] = timeutils.isotime(expires)
        data = {"revoked": tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile)

        return {"signed": signed_text}
示例#2
0
    def revocation_list(self, context, auth=None):
        tokens = self.token_api.list_revoked_tokens()

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, six.text_type)):
                t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
示例#3
0
    def revocation_list(self, context, auth=None):
        self.assert_admin(context)
        tokens = self.token_api.list_revoked_tokens(context)

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, unicode)):
                    t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = json.dumps(data)
        signed_text = cms.cms_sign_text(json_data,
                                        CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
示例#4
0
    def revocation_list(self, context, auth=None):
        if not CONF.token.revoke_by_id:
            raise exception.Gone()
        tokens = self.token_provider_api.list_revoked_tokens()

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, six.text_type)):
                t['expires'] = timeutils.isotime(expires)
        data = {'revoked': tokens}
        json_data = jsonutils.dumps(data)
        signed_text = cms.cms_sign_text(json_data,
                                        CONF.signing.certfile,
                                        CONF.signing.keyfile)

        return {'signed': signed_text}
示例#5
0
    def authenticate(self, context, auth=None):
        """Authenticate credentials and return a token.

        Accept auth as a dict that looks like::

            {
                "auth":{
                    "passwordCredentials":{
                        "username":"******",
                        "password":"******"
                    },
                    "tenantName":"customer-x"
                }
            }

        In this case, tenant is optional, if not provided the token will be
        considered "unscoped" and can later be used to get a scoped token.

        Alternatively, this call accepts auth with only a token and tenant
        that will return a token that is scoped to that tenant.
        """

        if 'passwordCredentials' in auth:
            user_id = auth['passwordCredentials'].get('userId', None)
            username = auth['passwordCredentials'].get('username', '')
            password = auth['passwordCredentials'].get('password', '')
            tenant_name = auth.get('tenantName', None)

            if username:
                try:
                    user_ref = self.identity_api.get_user_by_name(
                        context=context, user_name=username)
                    user_id = user_ref['id']
                except exception.UserNotFound:
                    raise exception.Unauthorized()

            # more compat
            tenant_id = auth.get('tenantId', None)
            if tenant_name:
                try:
                    tenant_ref = self.identity_api.get_tenant_by_name(
                        context=context, tenant_name=tenant_name)
                    tenant_id = tenant_ref['id']
                except exception.TenantNotFound:
                    raise exception.Unauthorized()

            try:
                auth_info = self.identity_api.authenticate(context=context,
                                                           user_id=user_id,
                                                           password=password,
                                                           tenant_id=tenant_id)
                (user_ref, tenant_ref, metadata_ref) = auth_info

                # If the user is disabled don't allow them to authenticate
                if not user_ref.get('enabled', True):
                    LOG.warning('User %s is disabled' % user_id)
                    raise exception.Unauthorized()

                # If the tenant is disabled don't allow them to authenticate
                if tenant_ref and not tenant_ref.get('enabled', True):
                    LOG.warning('Tenant %s is disabled' % tenant_id)
                    raise exception.Unauthorized()
            except AssertionError as e:
                raise exception.Unauthorized(e.message)
            auth_token_data = dict(zip(["user", "tenant", "metadata"],
                                       auth_info))
            expiry = self.token_api._get_default_expire_time(context=context)

            if tenant_ref:
                catalog_ref = self.catalog_api.get_catalog(
                    context=context,
                    user_id=user_ref['id'],
                    tenant_id=tenant_ref['id'],
                    metadata=metadata_ref)
            else:
                catalog_ref = {}

        elif 'token' in auth:

            old_token = auth['token'].get('id', None)
            tenant_name = auth.get('tenantName')

            try:
                old_token_ref = self.token_api.get_token(context=context,
                                                         token_id=old_token)
            except exception.NotFound:
                raise exception.Unauthorized()
            user_ref = old_token_ref['user']
            user_id = user_ref['id']

            current_user_ref = self.identity_api.get_user(context=context,
                                                          user_id=user_id)
            if not current_user_ref.get('enabled', True):
                LOG.warning('User %s is disabled' % user_id)
                raise exception.Unauthorized()

            if tenant_name:
                tenant_ref = self.identity_api.\
                    get_tenant_by_name(context=context,
                                       tenant_name=tenant_name)
                tenant_id = tenant_ref['id']
            else:
                tenant_id = auth.get('tenantId', None)
            tenants = self.identity_api.get_tenants_for_user(context, user_id)

            if tenant_id:
                if not tenant_id in tenants:
                    LOG.warning('User %s is authorized for tenant %s'
                                % (user_id, tenant_id))
                    raise exception.Unauthorized()

                #if the old token is sufficient unpack and return it.
                if (old_token_ref['tenant']) and \
                    (tenant_id == old_token_ref['tenant']['id']) and\
                        len(old_token) > cms.UUID_TOKEN_LENGTH:
                        return_data = \
                            json.loads(cms.verify_token
                                       (old_token,
                                        config.CONF.signing.certfile,
                                        config.CONF.signing.ca_certs))
                        return_data['access']['token']['id'] = old_token
                        return return_data

            expiry = old_token_ref['expires']
            try:
                tenant_ref = self.identity_api.get_tenant(context=context,
                                                          tenant_id=tenant_id)
            except exception.TenantNotFound:
                tenant_ref = None
                metadata_ref = {}
                catalog_ref = {}

            except exception.MetadataNotFound:
                metadata_ref = {}
                catalog_ref = {}

            # If the tenant is disabled don't allow them to authenticate
            if tenant_ref and not tenant_ref.get('enabled', True):
                LOG.warning('Tenant %s is disabled' % tenant_id)
                raise exception.Unauthorized()

            if tenant_ref:
                metadata_ref = self.identity_api.get_metadata(
                    context=context,
                    user_id=user_ref['id'],
                    tenant_id=tenant_ref['id'])
                catalog_ref = self.catalog_api.get_catalog(
                    context=context,
                    user_id=user_ref['id'],
                    tenant_id=tenant_ref['id'],
                    metadata=metadata_ref)

            auth_token_data = dict(dict(user=current_user_ref,
                                        tenant=tenant_ref,
                                        metadata=metadata_ref))

        auth_token_data['expires'] = expiry
        auth_token_data['id'] = 'placeholder'

        roles_ref = []
        for role_id in metadata_ref.get('roles', []):
            role_ref = self.identity_api.get_role(context, role_id)
            roles_ref.append(dict(name=role_ref['name']))

        token_data = self._format_token(auth_token_data, roles_ref)

        service_catalog = self._format_catalog(catalog_ref)
        token_data['access']['serviceCatalog'] = service_catalog

        if config.CONF.signing.disable_pki:
            token_id = uuid.uuid4().hex
            signed = token_id
        else:
            signed = cms.cms_sign_text(json.dumps(token_data),
                                       config.CONF.signing.certfile,
                                       config.CONF.signing.keyfile)
            token_id = signed
        try:
            token_ref = self.token_api.create_token(
                context, token_id, dict(key=token_id,
                                        id=signed,
                                        user=user_ref,
                                        tenant=tenant_ref,
                                        metadata=metadata_ref))
        except Exception as ex:
            #an identical token may have been created already.
            #if so,  return the token_data as it is also identical
            try:
                exist_token = self.token_api.get_token(context=context,
                                                       token_id=token_id)
            except exception.TokenNotFound:
                raise ex

        token_data['access']['token']['id'] = signed

        return token_data