author | Morgan Fainberg <morgan.fainberg@gmail.com> | 2014-08-19 17:21:40 -0700 |
---|---|---|
committer | Morgan Fainberg <morgan.fainberg@gmail.com> | 2014-08-25 21:11:11 -0700 |
commit | 37f59f4b0b82756167aeb63842420b90622de9bd (patch) | |
tree | 147e2096a54a87b803f7cb553f6a1986cd105d60 /keystone/auth/plugins/token.py | |
parent | ea185a25a235d339d0d9282fbc08905fa1949b92 (diff) | |
download | keystone-37f59f4b0b82756167aeb63842420b90622de9bd.tar.gz |
Update AuthContextMiddleware to not use token_api
AuthContextMiddleware and the fall-through in the controller base
_build_policy_check_credentials now utilizes the KeystoneToken
model and uses token_provider_api instead of token_api.
In support of this change, the token auth plugin, the auth_context
builder, token bind check, and token controller have all been updated
to utilize the KeystoneToken model. Support for the federation data
has been added to the KeystoneToken model so that it can be used
in the auth context and associated code.
Associated tests that passed a raw token_ref to methods that now
expect the KeystoneToken model have been updated. This includes an
update to the revocation model to guard against users without domain
data (the federated user case).
Change-Id: I81da15137a0ab3778d835c8de1ec8ed9e5b301f6
bp: non-persistent-tokens
Diffstat (limited to 'keystone/auth/plugins/token.py')
-rw-r--r-- | keystone/auth/plugins/token.py | 35 |
1 files changed, 9 insertions, 26 deletions
diff --git a/keystone/auth/plugins/token.py b/keystone/auth/plugins/token.py
index 501a00812..2e8f5040b 100644
--- a/keystone/auth/plugins/token.py
+++ b/keystone/auth/plugins/token.py
@@ -12,12 +12,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-from oslo.utils import timeutils
-
 from keystone import auth
 from keystone.common import dependency
 from keystone.common import wsgi
 from keystone import exception
+from keystone.models import token_model
 from keystone.openstack.common import log
@@ -36,21 +35,14 @@ class Token(auth.AuthMethodHandler):
 target=self.method)
 token_id = auth_payload['id']
 response = self.token_provider_api.validate_token(token_id)
- # For V3 tokens, the essential data is under the 'token' value.
- # For V2, the comparable data was nested under 'access'.
- token_ref = response.get('token', response.get('access'))
+ token_ref = token_model.KeystoneToken(token_id=token_id,
+ token_data=response)
 # Do not allow tokens used for delegation to
 # create another token, or perform any changes of
 # state in Keystone. To do so is to invite elevation of
 # privilege attacks
- if 'OS-TRUST:trust' in token_ref:
- raise exception.Forbidden()
- if 'trust' in token_ref:
- raise exception.Forbidden()
- if 'trust_id' in token_ref.get('metadata', {}):
- raise exception.Forbidden()
- if 'OS-OAUTH1' in token_ref:
+ if token_ref.oauth_scoped or token_ref.trust_scoped:
 raise exception.Forbidden()
 wsgi.validate_token_bind(context, token_ref)
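Review bot: The single guard `if token_ref.oauth_scoped or token_ref.trust_scoped:` replaces four explicit key checks (`OS-TRUST:trust`, `trust`, `metadata['trust_id']`, `OS-OAUTH1`), so whether a delegated token can still mint a fresh token now rests entirely on those two KeystoneToken properties recognising every token layout the old checks did, including the v2 `metadata['trust_id']` form; the model is not visible here, so that equivalence cannot be confirmed from this hunk. Since this is the privilege-escalation guard the comment above it describes, a test per former key (a v2 token with `metadata.trust_id`, a v3 token with `OS-TRUST:trust`, and one with `OS-OAUTH1`) asserting `exception.Forbidden` would pin the behaviour against later changes to the model. The enclosing authenticate method begins before this hunk and continues after it.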
@@ -68,22 +60,13 @@ class Token(auth.AuthMethodHandler):
 # issued prior to audit id existing, the chain is not tracked.
 token_audit_id = None
- # New tokens are not allowed to extend the expiration
- # time of an old token, otherwise, they could be extened
- # forever. The expiration value was stored at different
- # locations in v2 and v3 tokens.
- expires_at = token_ref.get('expires_at')
- if not expires_at:
- expires_at = token_ref.get('expires')
- if not expires_at:
- expires_at = timeutils.normalize_time(
- timeutils.parse_isotime(token_ref['token']['expires']))
-
- user_context.setdefault('expires_at', expires_at)
+ user_context.setdefault('expires_at', token_ref.expires)
 user_context['audit_id'] = token_audit_id
- user_context.setdefault('user_id', token_ref['user']['id'])
+ user_context.setdefault('user_id', token_ref.user_id)
+ # TODO(morganfainberg: determine if token 'extras' can be removed
+ # from the user_context
 user_context['extras'].update(token_ref.get('extras', {}))
- user_context['method_names'].extend(token_ref.get('methods', []))
+ user_context['method_names'].extend(token_ref.methods)
 except AssertionError as e:
 LOG.error(e) |
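Review bot: The rationale comment explaining that a token issued from an existing token must not outlive it was deleted together with the v2/v3 lookup code, yet `user_context.setdefault('expires_at', token_ref.expires)` still implements that policy and now reads as incidental; keep a why-comment above it, e.g. `# Never let a re-issued token extend the original token's expiry; otherwise a token could be renewed forever.` Whether `token_ref.expires` already yields the normalized datetime the removed `timeutils.normalize_time(...)` path produced for v2 tokens cannot be seen here and is worth confirming against the model. Separately, `token_ref.get('extras', {})` now runs against the KeystoneToken object rather than the unwrapped `token`/`access` dict; if the model is dict-like over the raw response, that lookup sits one nesting level too high and `extras` silently becomes empty, which the added TODO (whose tag `TODO(morganfainberg:` also lacks its closing parenthesis) does not cover. The enclosing authenticate method and its `try` block begin before this hunk and continue after it.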