def validate_token(self, request): token_id = request.subject_token window_seconds = authorization.token_validation_window(request) include_catalog = 'nocatalog' not in request.params token = PROVIDERS.token_provider_api.validate_token( token_id, window_seconds=window_seconds) token_reference = controller.render_token_response_from_model( token, include_catalog=include_catalog) return render_token_data_response(token.id, token_reference)
def authenticate(self, context, credentials=None, ec2Credentials=None): (user_ref, project_ref, roles_ref) = self._authenticate(credentials=credentials, ec2credentials=ec2Credentials) method_names = ['ec2credential'] token = self.token_provider_api.issue_token( user_ref['id'], method_names, project_id=project_ref['id']) token_reference = controller.render_token_response_from_model(token) return self.render_token_data_response(token.id, token_reference)
def check_token(self, request): token_id = request.subject_token window_seconds = authorization.token_validation_window(request) include_catalog = 'nocatalog' not in request.params token = PROVIDERS.token_provider_api.validate_token( token_id, window_seconds=window_seconds) token_reference = controller.render_token_response_from_model( token, include_catalog=include_catalog) # NOTE(morganfainberg): The code in # ``keystone.common.wsgi.render_response`` will remove the content # body. return render_token_data_response(token.id, token_reference)
def _enforce(self, credentials, action, target, do_raise=True): """Verify that the action is valid on the target in this context. This method is for cases that exceed the base enforcer functionality (notably for compatibility with `@protected` style decorators. :param credentials: user credentials :param action: string representing the action to be checked, which should be colon separated for clarity. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': object.project_id} :raises keystone.exception.Forbidden: If verification fails. Actions should be colon separated for clarity. For example: * identity:list_users """ # Add the exception arguments if asked to do a raise extra = {} if do_raise: extra.update(exc=exception.ForbiddenAction, action=action, do_raise=do_raise) # NOTE(lbragstad): If there is a token in the credentials dictionary, # it's going to be an instance of a TokenModel. We'll need to convert # it to the a token response or dictionary before passing it to # oslo.policy for enforcement. This is because oslo.policy shouldn't # know how to deal with an internal object only used within keystone. if 'token' in credentials: token_ref = controller.render_token_response_from_model( credentials['token']) credentials_copy = copy.deepcopy(credentials) credentials_copy['token'] = token_ref credentials = credentials_copy try: return self._enforcer.enforce(rule=action, target=target, creds=credentials, **extra) except common_policy.InvalidScope: raise exception.ForbiddenAction(action=action)
def authenticate_for_token(self, request, auth=None): """Authenticate user and issue a token.""" include_catalog = 'nocatalog' not in request.params schema.validate_issue_token_auth(auth) try: auth_info = core.AuthInfo.create(auth=auth) auth_context = core.AuthContext(method_names=[], bind={}) self.authenticate(request, auth_info, auth_context) if auth_context.get('access_token_id'): auth_info.set_scope(None, auth_context['project_id'], None) self._check_and_set_default_scoping(auth_info, auth_context) (domain_id, project_id, trust, unscoped, system) = (auth_info.get_scope()) trust_id = trust.get('id') if trust else None # NOTE(notmorgan): only methods that actually run and succeed will # be in the auth_context['method_names'] list. Do not blindly take # the values from auth_info, look at the authoritative values. Make # sure the set is unique. method_names_set = set(auth_context.get('method_names', [])) method_names = list(method_names_set) app_cred_id = None if 'application_credential' in method_names: token_auth = auth_info.auth['identity'] app_cred_id = token_auth['application_credential']['id'] # Do MFA Rule Validation for the user if not self._mfa_rules_validator.check_auth_methods_against_rules( auth_context['user_id'], method_names_set): raise exception.InsufficientAuthMethods( user_id=auth_context['user_id'], methods='[%s]' % ','.join(auth_info.get_method_names())) expires_at = auth_context.get('expires_at') token_audit_id = auth_context.get('audit_id') token = PROVIDERS.token_provider_api.issue_token( auth_context['user_id'], method_names, expires_at=expires_at, system=system, project_id=project_id, domain_id=domain_id, auth_context=auth_context, trust_id=trust_id, app_cred_id=app_cred_id, parent_audit_id=token_audit_id) token_reference = controller.render_token_response_from_model( token, include_catalog=include_catalog) # NOTE(wanghong): We consume a trust use only when we are using # trusts and have successfully issued a token. if trust: PROVIDERS.trust_api.consume_use(token.trust_id) return render_token_data_response(token.id, token_reference, created=True) except exception.TrustNotFound as e: LOG.warning(six.text_type(e)) raise exception.Unauthorized(e)
def fetch_token(self, token, **kwargs): try: token_model = self.token_provider_api.validate_token(token) return controller.render_token_response_from_model(token_model) except exception.TokenNotFound: raise auth_token.InvalidToken(_('Could not find token'))