def _cache_store(self, policy):
"""Store value into memcache.
data may be the string 'invalid' or a tuple like (data, expires)
"""
serialized_data = json.dumps(policy['blob'])
if self._memcache_security_strategy is None:
cache_key = CACHE_KEY_TEMPLATE
data_to_store = (policy['timestamp'],serialized_data)
else:
keys = memcache_crypt.derive_keys(
token,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % memcache_crypt.get_cache_key(keys)
data_to_store = memcache_crypt.protect_data(keys, serialized_data)
try:
self._cache.set(cache_key,
data_to_store,
time=self.policy_cache_time)
except(TypeError):
self._cache.set(cache_key,
data_to_store,
timeout=self.policy_cache_time)
def _cache_store(self, token_id, data):
"""Store value into memcache.
data may be the string 'invalid' or a tuple like (data, expires)
"""
serialized_data = jsonutils.dumps(data)
if self._memcache_security_strategy is None:
cache_key = CACHE_KEY_TEMPLATE % token_id
data_to_store = serialized_data
else:
keys = memcache_crypt.derive_keys(
token_id,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % memcache_crypt.get_cache_key(keys)
data_to_store = memcache_crypt.protect_data(keys, serialized_data)
# Historically the swift cache conection used the argument
# timeout= for the cache timeout, but this has been unified
# with the official python memcache client with time= since
# grizzly, we still need to handle folsom for a while until
# this could get removed.
try:
self._cache.set(cache_key,
data_to_store,
time=self.token_cache_time)
except(TypeError):
self._cache.set(cache_key,
data_to_store,
timeout=self.token_cache_time)
def _cache_store(self, token, data):
"""Store value into memcache.
data may be the string 'invalid' or a tuple like (data, expires)
"""
serialized_data = json.dumps(data)
if self._memcache_security_strategy is None:
cache_key = CACHE_KEY_TEMPLATE % token
data_to_store = serialized_data
else:
keys = memcache_crypt.derive_keys(token, self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % memcache_crypt.get_cache_key(keys)
data_to_store = memcache_crypt.protect_data(keys, serialized_data)
# Historically the swift cache conection used the argument
# timeout= for the cache timeout, but this has been unified
# with the official python memcache client with time= since
# grizzly, we still need to handle folsom for a while until
# this could get removed.
try:
self._cache.set(cache_key,
data_to_store,
time=self.token_cache_time)
except (TypeError):
self._cache.set(cache_key,
data_to_store,
timeout=self.token_cache_time)
def _cache_get(self, policy, token):
"""Return policy information from cache.
"""
if self._cache and policy:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE
timestamp, serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
serialized = memcache_crypt.unprotect_data(keys,
raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
serialized = None
if serialized is None:
return None
cached = json.loads(serialized)
if timestamp == policy[0]['timestamp']:
self.LOG.debug('Policy is synced')
return cached
else:
self.LOG.debug('Cached Policy %s seems expired', policy)
new_policy = self._fetch_policy(token, policy[0])
self._cache_store(new_policy)
def _cache_get(self, token_id, ignore_expires=False):
"""Return token information from cache.
If token is invalid raise InvalidUserToken
return token only if fresh (not expired).
"""
if self._cache and token_id:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE % token_id
serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token_id,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
# unprotect_data will return None if raw_cached is None
serialized = memcache_crypt.unprotect_data(keys,
raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
# this should have the same effect as data not
# found in cache
serialized = None
if serialized is None:
return None
# Note that 'invalid' and (data, expires) are the only
# valid types of serialized cache entries, so there is not
# a collision with jsonutils.loads(serialized) == None.
cached = jsonutils.loads(serialized)
if cached == 'invalid':
self.LOG.debug('Cached Token %s is marked unauthorized',
token_id)
raise InvalidUserToken('Token authorization failed')
data, expires = cached
try:
expires = timeutils.parse_isotime(expires)
except ValueError:
# Gracefully handle upgrade of expiration times from *nix
# timestamps to ISO 8601 formatted dates by ignoring old cached
# values.
return
expires = timeutils.normalize_time(expires)
utcnow = timeutils.utcnow()
if ignore_expires or utcnow < expires:
self.LOG.debug('Returning cached token %s', token_id)
return data
else:
self.LOG.debug('Cached Token %s seems expired', token_id)
def _cache_get(self, token_id, ignore_expires=False):
"""Return token information from cache.
If token is invalid raise InvalidUserToken
return token only if fresh (not expired).
"""
if self._cache and token_id:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE % token_id
serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token_id, self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
# unprotect_data will return None if raw_cached is None
serialized = memcache_crypt.unprotect_data(
keys, raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
# this should have the same effect as data not
# found in cache
serialized = None
if serialized is None:
return None
# Note that 'invalid' and (data, expires) are the only
# valid types of serialized cache entries, so there is not
# a collision with jsonutils.loads(serialized) == None.
cached = jsonutils.loads(serialized)
if cached == 'invalid':
self.LOG.debug('Cached Token %s is marked unauthorized',
token_id)
raise InvalidUserToken('Token authorization failed')
data, expires = cached
try:
expires = timeutils.parse_isotime(expires)
except ValueError:
# Gracefully handle upgrade of expiration times from *nix
# timestamps to ISO 8601 formatted dates by ignoring old cached
# values.
return
expires = timeutils.normalize_time(expires)
utcnow = timeutils.utcnow()
if ignore_expires or utcnow < expires:
self.LOG.debug('Returning cached token %s', token_id)
return data
else:
self.LOG.debug('Cached Token %s seems expired', token_id)
def test_derive_keys(self):
keys = memcache_crypt.derive_keys('token', 'secret', 'strategy')
self.assertEqual(len(keys['ENCRYPTION']),
len(keys['CACHE_KEY']))
self.assertEqual(len(keys['CACHE_KEY']),
len(keys['MAC']))
self.assertNotEqual(keys['ENCRYPTION'],
keys['MAC'])
self.assertIn('strategy', keys.keys())
def _cache_get(self, token_id, ignore_expires=False):
"""Return token information from cache.
If token is invalid raise InvalidUserToken
return token only if fresh (not expired).
"""
if self._cache and token_id:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE % token_id
serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token_id,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
# unprotect_data will return None if raw_cached is None
serialized = memcache_crypt.unprotect_data(keys,
raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
# this should have the same effect as data not
# found in cache
serialized = None
if serialized is None:
return None
# Note that 'invalid' and (data, expires) are the only
# valid types of serialized cache entries, so there is not
# a collision with jsonutils.loads(serialized) == None.
cached = jsonutils.loads(serialized)
if cached == 'invalid':
self.LOG.debug('Cached Token %s is marked unauthorized',
token_id)
raise InvalidUserToken('Token authorization failed')
data, expires = cached
if ignore_expires or time.time() < float(expires):
self.LOG.debug('Returning cached token %s', token_id)
return data
else:
self.LOG.debug('Cached Token %s seems expired', token_id)
def _cache_get(self, token_id, ignore_expires=False):
"""Return token information from cache.
If token is invalid raise InvalidUserToken
return token only if fresh (not expired).
"""
if self._cache and token_id:
if self._memcache_security_strategy is None:
key = CACHE_KEY_TEMPLATE % token_id
serialized = self._cache.get(key)
else:
keys = memcache_crypt.derive_keys(
token_id,
self._memcache_secret_key,
self._memcache_security_strategy)
cache_key = CACHE_KEY_TEMPLATE % (
memcache_crypt.get_cache_key(keys))
raw_cached = self._cache.get(cache_key)
try:
# unprotect_data will return None if raw_cached is None
serialized = memcache_crypt.unprotect_data(keys,
raw_cached)
except Exception:
msg = 'Failed to decrypt/verify cache data'
self.LOG.exception(msg)
# this should have the same effect as data not
# found in cache
serialized = None
if serialized is None:
return None
# Note that 'invalid' and (data, expires) are the only
# valid types of serialized cache entries, so there is not
# a collision with json.loads(serialized) == None.
cached = json.loads(serialized)
if cached == 'invalid':
self.LOG.debug('Cached Token %s is marked unauthorized',
token_id)
raise InvalidUserToken('Token authorization failed')
data, expires = cached
if ignore_expires or time.time() < float(expires):
self.LOG.debug('Returning cached token %s', token_id)
return data
else:
self.LOG.debug('Cached Token %s seems expired', token_id)
def _setup_keys(self, strategy):
return memcache_crypt.derive_keys(b'token', b'secret', strategy)
def _setup_keys(self, strategy):
return memcache_crypt.derive_keys(b'token', b'secret', strategy)
def test_derive_keys(self):
keys = memcache_crypt.derive_keys('token', 'secret', 'strategy')
self.assertEqual(len(keys['ENCRYPTION']), len(keys['CACHE_KEY']))
self.assertEqual(len(keys['CACHE_KEY']), len(keys['MAC']))
self.assertNotEqual(keys['ENCRYPTION'], keys['MAC'])
self.assertIn('strategy', keys.keys())
