Diffstat (limited to 'keystone/token/token_formatters.py')
-rw-r--r-- | keystone/token/token_formatters.py | 106 |
1 files changed, 81 insertions, 25 deletions
diff --git a/keystone/token/token_formatters.py b/keystone/token/token_formatters.py index 76220b0ef..b1971ca52 100644 --- a/keystone/token/token_formatters.py +++ b/keystone/token/token_formatters.py @@ -137,14 +137,14 @@ class TokenFormatter(object): methods=None, system=None, domain_id=None, project_id=None, trust_id=None, federated_group_ids=None, identity_provider_id=None, protocol_id=None, - access_token_id=None, app_cred_id=None): + access_token_id=None, app_cred_id=None, + thumbprint=None): """Given a set of payload attributes, generate a Fernet token.""" version = payload_class.version payload = payload_class.assemble( user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, - protocol_id, access_token_id, app_cred_id - ) + protocol_id, access_token_id, app_cred_id, thumbprint) versioned_payload = (version,) + payload serialized_payload = msgpack.packb(versioned_payload) @@ -187,7 +187,8 @@ class TokenFormatter(object): (user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) = payload_class.disassemble(payload) + app_cred_id, thumbprint) = ( + payload_class.disassemble(payload)) break else: # If the token_format is not recognized, raise ValidationError. @@ -211,8 +212,8 @@ class TokenFormatter(object): return (user_id, methods, audit_ids, system, domain_id, project_id, trust_id, federated_group_ids, identity_provider_id, - protocol_id, access_token_id, app_cred_id, issued_at, - expires_at) + protocol_id, access_token_id, app_cred_id, thumbprint, + issued_at, expires_at) class BasePayload(object): 
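Review bot: The `thumbprint=None` keyword added to create_token is forwarded to every payload class, but only the new Oauth2CredentialsScopedPayload stores it; every other `assemble` in this diff accepts the argument and drops it, so a caller that passes a thumbprint with any other scope gets a token with no certificate binding and no error. If payload_class is selected outside this function (its signature begins before the hunk), a guard in front of `payload = payload_class.assemble(` would make the mismatch loud, e.g. `if thumbprint is not None and payload_class.version != Oauth2CredentialsScopedPayload.version:` followed by `raise ValueError('thumbprint is only valid for OAuth2 mTLS tokens')`. The project's own validation exception may be preferable to ValueError; the second and third hunks on this line only thread the value through validate_token and need no change.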
@@ -223,7 +224,7 @@ class BasePayload(object): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): """Assemble the payload of a token. :param user_id: identifier of the user in the token request @@ -239,6 +240,7 @@ class BasePayload(object): :param protocol_id: federated protocol used for authentication :param access_token_id: ID of the secret in OAuth1 authentication :param app_cred_id: ID of the application credential in effect + :param thumbprint: thumbprint of the certificate in OAuth2 mTLS :returns: the payload of a token """ @@ -377,7 +379,7 @@ class UnscopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) expires_at_int = cls._convert_time_string_to_float(expires_at) @@ -401,10 +403,11 @@ class UnscopedPayload(BasePayload): protocol_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) class DomainScopedPayload(BasePayload): @@ -414,7 +417,7 @@ class DomainScopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) try: 
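Review bot: The new `:param thumbprint:` line in BasePayload.assemble's docstring names the value but not its format, and because this string is persisted inside the token and presumably compared against the certificate presented on later requests, the digest algorithm and encoding it is expected to carry (hex or base64, which hash) should be stated here rather than left to the caller's convention. Suggest extending the line to say which form the caller computes and that None means the token is not certificate-bound. The same documentation gap applies to the Oauth2CredentialsScopedPayload class added in the last file hunk, which has no docstring at all.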
@@ -455,10 +458,11 @@ class DomainScopedPayload(BasePayload): protocol_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) class ProjectScopedPayload(BasePayload): @@ -468,7 +472,7 @@ class ProjectScopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) b_project_id = cls.attempt_convert_uuid_hex_to_bytes(project_id) @@ -494,10 +498,11 @@ class ProjectScopedPayload(BasePayload): protocol_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) class TrustScopedPayload(BasePayload): @@ -507,7 +512,7 @@ class TrustScopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) b_project_id = cls.attempt_convert_uuid_hex_to_bytes(project_id) 
@@ -536,10 +541,11 @@ class TrustScopedPayload(BasePayload): protocol_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) class FederatedUnscopedPayload(BasePayload): @@ -559,7 +565,7 @@ class FederatedUnscopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) b_group_ids = list(map(cls.pack_group_id, federated_group_ids)) @@ -590,9 +596,10 @@ class FederatedUnscopedPayload(BasePayload): trust_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, group_ids, idp_id, - protocol_id, access_token_id, app_cred_id) + protocol_id, access_token_id, app_cred_id, thumbprint) class FederatedScopedPayload(FederatedUnscopedPayload): @@ -602,7 +609,7 @@ class FederatedScopedPayload(FederatedUnscopedPayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) b_scope_id = cls.attempt_convert_uuid_hex_to_bytes( 
@@ -641,9 +648,10 @@ class FederatedScopedPayload(FederatedUnscopedPayload): trust_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, group_ids, idp_id, - protocol_id, access_token_id, app_cred_id) + protocol_id, access_token_id, app_cred_id, thumbprint) class FederatedProjectScopedPayload(FederatedScopedPayload): @@ -661,7 +669,7 @@ class OauthScopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) b_project_id = cls.attempt_convert_uuid_hex_to_bytes(project_id) @@ -692,11 +700,12 @@ class OauthScopedPayload(BasePayload): identity_provider_id = None protocol_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) class SystemScopedPayload(BasePayload): @@ -706,7 +715,7 @@ class SystemScopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) expires_at_int = cls._convert_time_string_to_float(expires_at) 
@@ -730,10 +739,11 @@ class SystemScopedPayload(BasePayload): protocol_id = None access_token_id = None app_cred_id = None + thumbprint = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) class ApplicationCredentialScopedPayload(BasePayload): @@ -743,7 +753,7 @@ class ApplicationCredentialScopedPayload(BasePayload): def assemble(cls, user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id): + app_cred_id, thumbprint): b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) methods = auth_plugins.convert_method_list_to_integer(methods) b_project_id = cls.attempt_convert_uuid_hex_to_bytes(project_id) 
@@ -772,10 +782,55 @@ class ApplicationCredentialScopedPayload(BasePayload): access_token_id = None (is_stored_as_bytes, app_cred_id) = payload[5] app_cred_id = cls._convert_or_decode(is_stored_as_bytes, app_cred_id) + thumbprint = None + return (user_id, methods, system, project_id, domain_id, + expires_at_str, audit_ids, trust_id, federated_group_ids, + identity_provider_id, protocol_id, access_token_id, + app_cred_id, thumbprint) + + +class Oauth2CredentialsScopedPayload(BasePayload): + version = 10 + + @classmethod + def assemble(cls, user_id, methods, system, project_id, domain_id, + expires_at, audit_ids, trust_id, federated_group_ids, + identity_provider_id, protocol_id, access_token_id, + app_cred_id, thumbprint): + b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id) + methods = auth_plugins.convert_method_list_to_integer(methods) + b_project_id = cls.attempt_convert_uuid_hex_to_bytes(project_id) + b_domain_id = cls.attempt_convert_uuid_hex_to_bytes(domain_id) + expires_at_int = cls._convert_time_string_to_float(expires_at) + b_audit_ids = list(map(cls.random_urlsafe_str_to_bytes, audit_ids)) + b_thumbprint = (False, thumbprint) + return (b_user_id, methods, b_project_id, b_domain_id, expires_at_int, + b_audit_ids, b_thumbprint) + + @classmethod + def disassemble(cls, payload): + (is_stored_as_bytes, user_id) = payload[0] + user_id = cls._convert_or_decode(is_stored_as_bytes, user_id) + methods = auth_plugins.convert_integer_to_method_list(payload[1]) + (is_stored_as_bytes, project_id) = payload[2] + project_id = cls._convert_or_decode(is_stored_as_bytes, project_id) + (is_stored_as_bytes, domain_id) = payload[3] + domain_id = cls._convert_or_decode(is_stored_as_bytes, domain_id) + expires_at_str = cls._convert_float_to_time_string(payload[4]) + audit_ids = list(map(cls.base64_encode, payload[5])) + (is_stored_as_bytes, thumbprint) = payload[6] + thumbprint = cls._convert_or_decode(is_stored_as_bytes, thumbprint) + system = None + trust_id = None + 
federated_group_ids = None + identity_provider_id = None + protocol_id = None + access_token_id = None + app_cred_id = None return (user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, - app_cred_id) + app_cred_id, thumbprint) _PAYLOAD_CLASSES = [ @@ -789,4 +844,5 @@ _PAYLOAD_CLASSES = [ OauthScopedPayload, SystemScopedPayload, ApplicationCredentialScopedPayload, + Oauth2CredentialsScopedPayload, ] |
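Review bot: Oauth2CredentialsScopedPayload.assemble packs `b_thumbprint = (False, thumbprint)` without checking that a thumbprint was supplied, so with the `thumbprint=None` default create_token now carries, a version-10 token can be minted whose binding field is None and whose `disassemble` hands back None; whether any caller rejects that is not visible in this diff. A guard at the top of `assemble`, `if not thumbprint: raise ValueError('thumbprint is required for OAuth2 mTLS tokens')`, keeps a certificate-bound token from being issued without a certificate. `disassemble` indexes the payload by fixed position, so a short class docstring listing the layout (user id, methods, project id, domain id, expiry, audit ids, thumbprint) and that the thumbprint is stored as a string would help the next reader; the hunk after this one only registers the class in _PAYLOAD_CLASSES.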