1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
# Copyright (c) 2015 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1 import exceptions as ka_exceptions
from keystoneauth1 import loading as ka_loading
from oslo_config import cfg
from oslo_log import log as logging
CONF = cfg.CONF
CONF.register_opt(cfg.IntOpt('timeout'), group='keystone_authtoken')
LOG = logging.getLogger(__name__)
class TokenRefresher(object):
"""Class that responsible for token refreshing with trusts"""
def __init__(self, user_plugin, user_project, user_roles):
"""Prepare all parameters and clients required to refresh token"""
# step 1: create trust to ensure that we can always update token
# trustor = user who made the request
trustor_client = self._load_session(user_plugin)
trustor_id = trustor_client.get_user_id()
# get trustee user client that impersonates main user
trustee_user_auth = ka_loading.load_auth_from_conf_options(
CONF, 'keystone_authtoken')
# save service user client because we need new service token
# to refresh trust-scoped client later
self.trustee_user_client = self._load_session(trustee_user_auth)
trustee_id = self.trustee_user_client.get_user_id()
self.trust_id = trustor_client.trusts.create(trustor_user=trustor_id,
trustee_user=trustee_id,
impersonation=True,
role_names=user_roles,
project=user_project).id
LOG.debug("Trust %s has been created.", self.trust_id)
# step 2: postpone trust-scoped client initialization
# until we need to refresh the token
self.trustee_client = None
def refresh_token(self):
"""Receive new token if user need to update old token
:return: new token that can be used for authentication
"""
LOG.debug("Requesting the new token with trust %s", self.trust_id)
if self.trustee_client is None:
self.trustee_client = self._refresh_trustee_client()
try:
return self.trustee_client.get_token()
except ka_exceptions.Unauthorized:
# in case of Unauthorized exceptions try to refresh client because
# service user token may expired
self.trustee_client = self._refresh_trustee_client()
return self.trustee_client.get_token()
def release_resources(self):
"""Release keystone resources required for refreshing"""
try:
if self.trustee_client is None:
self._refresh_trustee_client().trusts.delete(self.trust_id)
else:
self.trustee_client.trusts.delete(self.trust_id)
except ka_exceptions.Unauthorized:
# service user token may expire when we are trying to delete token
# so need to update client to ensure that this is not the reason
# of failure
self.trustee_client = self._refresh_trustee_client()
self.trustee_client.trusts.delete(self.trust_id)
def _refresh_trustee_client(self):
# Remove project_name and project_id, since we need a trust scoped
# auth object
kwargs = {
'project_name': None,
'project_domain_name': None,
'project_id': None,
'trust_id': self.trust_id
}
trustee_auth = ka_loading.load_auth_from_conf_options(
CONF, 'keystone_authtoken', **kwargs)
return self._load_session(trustee_auth)
@staticmethod
def _load_session(plugin):
# load ksa session from auth settings and user plugin
sess = ka_loading.load_session_from_conf_options(
CONF, 'keystone_authtoken', auth=plugin)
return sess
|
