Check for expired tokens during authentication.

Fixes issue #4.
2012-07-08 14:55:31 -07:00
parent df30fe0887
commit 9d45964b02
2 changed files with 27 additions and 0 deletions
--- a/openstack_auth/backend.py
+++ b/openstack_auth/backend.py
@@ -10,6 +10,7 @@ from keystoneclient.v2_0.tokens import Token, TokenManager

 from .exceptions import KeystoneAuthException
 from .user import create_user_from_token
+from .utils import check_token_expiration


 LOG = logging.getLogger(__name__)
@@ -19,6 +20,17 @@ KEYSTONE_CLIENT_ATTR = "_keystoneclient"


 class KeystoneBackend(object):
+    def check_auth_expiry(self, token):
+        if not check_token_expiration(token):
+            msg = _("The authentication token issued by the Identity service "
+                    "has expired.")
+            LOG.warning("The authentication token issued by the Identity "
+                        "service appears to have expired before it was "
+                        "issued. This may indicate a problem with either your "
+                        "server or client configuration.")
+            raise KeystoneAuthException(msg)
+        return True
+
    def get_user(self, user_id):
        if user_id == self.request.session["user_id"]:
            token = Token(TokenManager(None),
@@ -51,6 +63,9 @@ class KeystoneBackend(object):
                    "Please try again later.")
            raise KeystoneAuthException(msg)

+        # Check expiry for our unscoped token.
+        self.check_auth_expiry(unscoped_token)
+
        # FIXME: Log in to default tenant when the Keystone API returns it...
        # For now we list all the user's tenants and iterate through.
        try:
@@ -78,6 +93,9 @@ class KeystoneBackend(object):
            msg = _("Unable to authenticate to any available projects.")
            raise KeystoneAuthException(msg)

+        # Check expiry for our new scoped token.
+        self.check_auth_expiry(token)
+
        # If we made it here we succeeded. Create our User!
        user = create_user_from_token(request, token, client.management_url)

--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@@ -76,6 +76,15 @@ class User(AnonymousUser):
    def __repr__(self):
        return "<%s: %s>" % (self.__class__.__name__, self.username)

+    def is_token_expired(self):
+        """
+        Returns ``True`` if the token is expired, ``False`` if not, and
+        ``None`` if there is no token set.
+        """
+        if self.token is None:
+            return None
+        return not check_token_expiration(self.token)
+
    def is_authenticated(self):
        """ Checks for a valid token that has not yet expired. """
        return self.token is not None and check_token_expiration(self.token)