From 9d45964b02e98212025399e69395296f288bd546 Mon Sep 17 00:00:00 2001
From: Gabriel Hurley
Date: Sun, 8 Jul 2012 14:55:31 -0700
Subject: [PATCH] Check for expired tokens during authentication. Fixes issue #4.
---
 openstack_auth/backend.py | 18 ++++++++++++++++++
 openstack_auth/user.py | 9 +++++++++
 2 files changed, 27 insertions(+)
diff --git a/openstack_auth/backend.py b/openstack_auth/backend.py
index 4bbec4a..a1e837c 100644
--- a/openstack_auth/backend.py
+++ b/openstack_auth/backend.py
@@ -10,6 +10,7 @@ from keystoneclient.v2_0.tokens import Token, TokenManager
 from .exceptions import KeystoneAuthException
 from .user import create_user_from_token
+from .utils import check_token_expiration
 LOG = logging.getLogger(__name__)
@@ -19,6 +20,17 @@ KEYSTONE_CLIENT_ATTR = "_keystoneclient"
 class KeystoneBackend(object):
+ def check_auth_expiry(self, token):
+ if not check_token_expiration(token):
+ msg = _("The authentication token issued by the Identity service "
+ "has expired.")
+ LOG.warning("The authentication token issued by the Identity "
+ "service appears to have expired before it was "
+ "issued. This may indicate a problem with either your "
+ "server or client configuration.")
+ raise KeystoneAuthException(msg)
+ return True
+
 def get_user(self, user_id):
 if user_id == self.request.session["user_id"]:
 token = Token(TokenManager(None),
@@ -51,6 +63,9 @@ class KeystoneBackend(object):
 "Please try again later.")
 raise KeystoneAuthException(msg)
+ # Check expiry for our unscoped token.
+ self.check_auth_expiry(unscoped_token)
+
 # FIXME: Log in to default tenant when the Keystone API returns it...
 # For now we list all the user's tenants and iterate through.
 try:
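Review bot: The `LOG.warning` in `check_auth_expiry` records nothing about the rejected token, so an operator seeing it cannot tell clock skew between this host and the Identity service from a service that is issuing bad tokens. Consider including the token's expiry timestamp in the message (never the token id itself), for example by appending `(expires=%s)` to the text and passing `token.expires`, assuming the token object exposes that attribute. The method also has no docstring; one line stating that it raises `KeystoneAuthException` for an expired token and otherwise returns `True` would help, since both call sites added by this patch ignore the return value.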
@@ -78,6 +93,9 @@ class KeystoneBackend(object):
 msg = _("Unable to authenticate to any available projects.")
 raise KeystoneAuthException(msg)
+ # Check expiry for our new scoped token.
+ self.check_auth_expiry(token)
+
 # If we made it here we succeeded. Create our User!
 user = create_user_from_token(request, token, client.management_url)
diff --git a/openstack_auth/user.py b/openstack_auth/user.py
index ace98c8..d137b92 100644
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@@ -76,6 +76,15 @@ class User(AnonymousUser):
 def __repr__(self):
 return "<%s: %s>" % (self.__class__.__name__, self.username)
+ def is_token_expired(self):
+ """
+ Returns ``True`` if the token is expired, ``False`` if not, and
+ ``None`` if there is no token set.
+ """
+ if self.token is None:
+ return None
+ return not check_token_expiration(self.token)
+
 def is_authenticated(self):
 """ Checks for a valid token that has not yet expired. """
 return self.token is not None and check_token_expiration(self.token)
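Review bot: `is_token_expired` returns `None` when no token is set, and `None` is falsy, so a caller writing `if not user.is_token_expired():` treats a user with no token the same as one holding a valid token. `is_authenticated` just below handles the missing-token case explicitly, and the new method would be safer if it failed closed in the same way, e.g. `return self.token is None or not check_token_expiration(self.token)`. If the tri-state result is intended, the docstring should tell callers to compare the result against `True`, `False` and `None` explicitly rather than relying on truthiness. The `User` class continues outside this hunk, so any existing callers are not visible here.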