author | Colleen Murphy <colleen@gazlene.net> | 2019-02-14 01:04:28 +0100 |
---|---|---|
committer | Colleen Murphy <colleen@gazlene.net> | 2019-02-25 00:30:39 +0100 |
commit | 147efb0469734f793e917641649fd24bb9da317f (patch) | |
tree | 644a2013a4ad3f7b19e942efc5fc654532062616 | |
parent | 13b889823bf8ca7c4f0f50b55e853fc811cf65d0 (diff) | |
download | python-keystoneclient-147efb0469734f793e917641649fd24bb9da317f.tar.gz |
Add support for app cred access rules header
This header is set to indicate to the keystone server that the client,
usually keystonemiddleware, will validate application credential access
rules. If not provided and the token uses access rules, the server will
return a 401.
bp whitelist-extension-for-app-creds
Change-Id: I64ac952d663e916150fbf7e5a8f70b76dddf3319
-rw-r--r-- | keystoneclient/v3/tokens.py | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/keystoneclient/v3/tokens.py b/keystoneclient/v3/tokens.py
index 6e6fffd..7e0cb07 100644
--- a/keystoneclient/v3/tokens.py
+++ b/keystoneclient/v3/tokens.py
@@ -57,7 +57,8 @@ class TokenManager(object):
 resp, body = self._client.get(path)
 return body
- def get_token_data(self, token, include_catalog=True, allow_expired=False):
+ def get_token_data(self, token, include_catalog=True, allow_expired=False,
+ access_rules_support=None):
 """Fetch the data about a token from the identity server.
 :param str token: The ID of the token to be fetched.
@@ -65,11 +66,18 @@ class TokenManager(object):
 included in the response.
 :param allow_expired: If True the token will be validated and returned if it has already expired.
+ :param access_rules_support: Version number indicating that the client
+ is capable of enforcing keystone
+ access rules, if unset this client
+ does not support access rules.
+ :type access_rules_support: float
 :rtype: dict
 """
 headers = {'X-Subject-Token': token}
+ if access_rules_support:
+ headers['OpenStack-Identity-Access-Rules'] = access_rules_support
 flags = []
 url = '/auth/tokens'
@@ -85,7 +93,8 @@ class TokenManager(object):
 resp, body = self._client.get(url, headers=headers)
 return body
- def validate(self, token, include_catalog=True, allow_expired=False):
+ def validate(self, token, include_catalog=True, allow_expired=False,
+ access_rules_support=None):
 """Validate a token.
 :param token: The token to be validated.
@@ -95,6 +104,11 @@ class TokenManager(object):
 :param allow_expired: If True the token will be validated and returned if it has already expired.
 :type allow_expired: bool
+ :param access_rules_support: Version number indicating that the client
+ is capable of enforcing keystone
+ access rules, if unset this client
+ does not support access rules.
+ :type access_rules_support: float
 :rtype: :class:`keystoneclient.access.AccessInfoV3`
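Review bot: In get_token_data() (hunk at -65,11) the value documented as `float` is stored in the `headers` dict unchanged, so whatever type the caller passes is what reaches the HTTP layer. Whether `self._client.get` accepts a non-string header value is not visible in this diff; converting at this boundary removes the doubt: `headers['OpenStack-Identity-Access-Rules'] = str(access_rules_support)`. The truthiness test also drops `0` and `0.0` silently; going by the commit message that fails closed (no header, so the server rejects a token with access rules), but it deserves a short comment. The diffstat lists only tokens.py, so no test pins when the header is sent and when it is omitted. The function body continues past the end of this hunk.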
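Review bot: The `access_rules_support` docstring added to validate() (hunk at -95,6; the same text is added to get_token_data() at -65,11) says the client "is capable of enforcing" access rules but not that passing the value makes the caller responsible for enforcing them. Per the commit message the server returns 401 for a token with access rules when the header is absent, so a caller that sets this argument and then ignores the rules in the returned token data would treat a restricted application credential as unrestricted. I would add a sentence to both docstrings such as `Only set this if the caller checks every request against the access rules in the returned token data.` How the server behaves once the header is present is inferred from the commit message, not shown in the diff, so confirm the wording against the server side. The docstring of validate() starts before and ends after this hunk.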
@@ -102,5 +116,6 @@ class TokenManager(object):
 token_id = _calc_id(token)
 body = self.get_token_data(token_id,
 include_catalog=include_catalog,
- allow_expired=allow_expired)
+ allow_expired=allow_expired,
+ access_rules_support=access_rules_support)
 return access.AccessInfo.factory(auth_token=token_id, body=body) |