openstack
/
keystone
Code Issues Proposed changes

Merge "Add debug logging to revocation event checking"

This commit is contained in:
Jenkins 2016-08-13 03:01:26 +00:00 committed by Gerrit Code Review
parent a98a858c12 d2ee07b8e7
commit 2a7a44e71a
1 changed files with 87 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
keystone/models/revoke_model.py
View File

@ -159,12 +159,11 @@ def is_revoked(events, token_data):
def matches(event, token_values): def matches(event, token_values):
"""See if the token matches the revocation event. """See if the token matches the revocation event.
A brute force approach to checking. A brute force approach to checking. Compare each attribute from the event
Compare each attribute from the event with the corresponding with the corresponding value from the token. If the event does not have a
value from the token. If the event does not have a value for value for the attribute, a match is still possible. If the event has a
the attribute, a match is still possible. If the event has a value for the attribute, and it does not match the token, no match is
value for the attribute, and it does not match the token, no match possible, so skip the remaining checks.
is possible, so skip the remaining checks.
:param event: a RevokeEvent instance :param event: a RevokeEvent instance
:param token_values: dictionary with set of values taken from the :param token_values: dictionary with set of values taken from the
@ -172,65 +171,143 @@ def matches(event, token_values):
:returns: True if the token matches the revocation event, indicating the :returns: True if the token matches the revocation event, indicating the
token has been revoked token has been revoked
""" """
# If any one check does not match, the whole token does # If any one check does not match, the whole token does not match the
# not match the event. The numerous return False indicate # event. The numerous return False indicate that the token is still valid
# that the token is still valid and short-circuits the # and short-circuits the rest of the logic.
# rest of the logic.
# The token has three attributes that can match the user_id. # The token has three attributes that can match the user_id.
if event.user_id is not None and event.user_id not in ( if event.user_id is not None and event.user_id not in (
token_values['user_id'], token_values['user_id'],
token_values['trustor_id'], token_values['trustor_id'],
token_values['trustee_id'],): token_values['trustee_id'],):
LOG.debug(
'The user (id=%s) in the revocation event does not match any user '
'(user_id=%s, trustor_id=%s, trustee_id=%s) in the token.',
event.user_id,
token_values['user_id'],
token_values['trustor_id'],
token_values['trustee_id'])
return False return False
# The token has two attributes that can match the domain_id. # The token has two attributes that can match the domain_id.
if event.domain_id is not None and event.domain_id not in( if event.domain_id is not None and event.domain_id not in(
token_values['identity_domain_id'], token_values['identity_domain_id'],
token_values['assignment_domain_id'],): token_values['assignment_domain_id'],):
LOG.debug(
'The domain (id=%s) in the revocation event does not match any '
'domain (identity_domain_id=%s, assignment_domain_id=%s) in the '
'token.',
event.domain_id,
token_values['identity_domain_id'],
token_values['assignment_domain_id'])
return False return False
if event.domain_scope_id is not None and event.domain_scope_id not in ( if event.domain_scope_id is not None and event.domain_scope_id not in (
token_values['assignment_domain_id'],): token_values['assignment_domain_id'],):
LOG.debug(
'The domain scope (id=%s) in the revocation event does not match '
'the domain scope (id=%s) in the token.',
event.domain_scope_id,
token_values['assignment_domain_id'])
return False return False
# If an event specifies an attribute name, but it does not match, the token # If an event specifies an attribute name, but it does not match, the token
# is not revoked. # is not revoked.
if event.project_id is not None and event.project_id not in ( if event.project_id is not None and event.project_id not in (
token_values['project_id'],): token_values['project_id'],):
LOG.debug(
'The project ID (%s) in the revocation event does not match the '
'project ID (%s) in the token.',
event.project_id,
token_values['project_id'])
return False return False
if event.expires_at is not None and event.expires_at not in ( if event.expires_at is not None and event.expires_at not in (
token_values['expires_at'],): token_values['expires_at'],):
LOG.debug(
'The expiration (id=%s) in the revocation event does not match '
'the expiration (at=%s) of the token.',
event.expires_at,
token_values['expires_at'])
return False return False
if event.trust_id is not None and event.trust_id not in ( if event.trust_id is not None and event.trust_id not in (
token_values['trust_id'],): token_values['trust_id'],):
LOG.debug(
'The trust (id=%s) in the revocation event does not match the '
'trust (id=%s) in the token.',
event.trust_id,
token_values['trust_id'])
return False return False
if event.consumer_id is not None and event.consumer_id not in ( if event.consumer_id is not None and event.consumer_id not in (
token_values['consumer_id'],): token_values['consumer_id'],):
LOG.debug(
'The OAuth consumer (id=%s) in the revocation event does not '
'match the OAuth consumer ID (id=%s) in the token.',
event.consumer_id,
token_values['consumer_id'])
return False return False
if event.access_token_id is not None and event.access_token_id not in ( if event.access_token_id is not None and event.access_token_id not in (
token_values['access_token_id'],): token_values['access_token_id'],):
LOG.debug(
'The OAuth access token (id=%s) in the revocation event does not '
'match the OAuth access token (id=%s) in the token.',
event.access_token_id,
token_values['access_token_id'])
return False return False
if event.audit_id is not None and event.audit_id not in ( if event.audit_id is not None and event.audit_id not in (
token_values['audit_id'],): token_values['audit_id'],):
LOG.debug(
'The audit (id=%s) in the revocation event does not match the '
'audit (id=%s) in the token.',
event.audit_id,
token_values['audit_id'])
return False return False
if event.audit_chain_id is not None and event.audit_chain_id not in ( if event.audit_chain_id is not None and event.audit_chain_id not in (
token_values['audit_chain_id'],): token_values['audit_chain_id'],):
LOG.debug(
'The audit chain (id=%s) in the revocation event does not match '
'the audit chain (id=%s) in the token.',
event.audit_chain_id,
token_values['audit_chain_id'])
return False return False
if event.role_id is not None and event.role_id not in ( if event.role_id is not None and event.role_id not in (
token_values['roles']): token_values['roles']):
if LOG.logger.getEffectiveLevel() <= log.DEBUG:
# The string formatting here needs to be conditional, so that the
# extra work can be skipped if DEBUG logs are not actually being
# written anywhere.
role_ids = ', '.join('id=%s' % x for x in token_values['roles'])
LOG.debug(
'The role (id=%s) in the revocation event does not match any '
'of the roles (%s) in the token.',
event.role_id,
role_ids)
return False return False
if token_values['issued_at'] > event.issued_before: if token_values['issued_at'] > event.issued_before:
LOG.debug(
'The token was created (%s) after the revocation event was issued '
'(%s).',
token_values['issued_at'],
event.issued_before)
return False return False
if LOG.logger.getEffectiveLevel() <= log.DEBUG:
# The string formatting here needs to be conditional, so that the
# extra work can be skipped if DEBUG logs are not actually being
# written anywhere.
event_dict = event.to_dict()
attrs = ', '.join('='.join(item) for item in event_dict.items())
LOG.debug(
'All attributes (%s) in the revocation event are in the token.',
attrs, )
return True return True