Merge "Refactor revoke matcher"
commit
42a1f1cfe8
|
@ -177,41 +177,60 @@ def matches(event, token_values):
|
||||||
# that the token is still valid and short-circuits the
|
# that the token is still valid and short-circuits the
|
||||||
# rest of the logic.
|
# rest of the logic.
|
||||||
|
|
||||||
# The token has three attributes that can match the user_id
|
# The token has three attributes that can match the user_id.
|
||||||
if event.user_id is not None:
|
if event.user_id is not None and event.user_id not in (
|
||||||
if all(event.user_id != token_values[attribute_name]
|
token_values['user_id'],
|
||||||
for attribute_name in ['user_id', 'trustor_id', 'trustee_id']):
|
token_values['trustor_id'],
|
||||||
return False
|
token_values['trustee_id'],):
|
||||||
|
return False
|
||||||
|
|
||||||
# The token has two attributes that can match the domain_id
|
# The token has two attributes that can match the domain_id.
|
||||||
if event.domain_id is not None:
|
if event.domain_id is not None and event.domain_id not in(
|
||||||
if all(event.domain_id != token_values[attribute_name]
|
token_values['identity_domain_id'],
|
||||||
for attribute_name in ['identity_domain_id',
|
token_values['assignment_domain_id'],):
|
||||||
'assignment_domain_id']):
|
return False
|
||||||
return False
|
|
||||||
|
|
||||||
if event.domain_scope_id is not None:
|
if event.domain_scope_id is not None and event.domain_scope_id not in (
|
||||||
if event.domain_scope_id != token_values['assignment_domain_id']:
|
token_values['assignment_domain_id'],):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# If an event specifies an attribute name, but it does not match,
|
# If an event specifies an attribute name, but it does not match, the token
|
||||||
# the token is not revoked.
|
# is not revoked.
|
||||||
attribute_names = ['project_id',
|
if event.project_id is not None and event.project_id not in (
|
||||||
'expires_at', 'trust_id', 'consumer_id',
|
token_values['project_id'],):
|
||||||
'access_token_id', 'audit_id', 'audit_chain_id']
|
return False
|
||||||
for attribute_name in attribute_names:
|
|
||||||
if getattr(event, attribute_name) is not None:
|
|
||||||
if (getattr(event, attribute_name) !=
|
|
||||||
token_values[attribute_name]):
|
|
||||||
return False
|
|
||||||
|
|
||||||
if event.role_id is not None:
|
if event.expires_at is not None and event.expires_at not in (
|
||||||
roles = token_values['roles']
|
token_values['expires_at'],):
|
||||||
if all(event.role_id != role for role in roles):
|
return False
|
||||||
return False
|
|
||||||
|
if event.trust_id is not None and event.trust_id not in (
|
||||||
|
token_values['trust_id'],):
|
||||||
|
return False
|
||||||
|
|
||||||
|
if event.consumer_id is not None and event.consumer_id not in (
|
||||||
|
token_values['consumer_id'],):
|
||||||
|
return False
|
||||||
|
|
||||||
|
if event.access_token_id is not None and event.access_token_id not in (
|
||||||
|
token_values['access_token_id'],):
|
||||||
|
return False
|
||||||
|
|
||||||
|
if event.audit_id is not None and event.audit_id not in (
|
||||||
|
token_values['audit_id'],):
|
||||||
|
return False
|
||||||
|
|
||||||
|
if event.audit_chain_id is not None and event.audit_chain_id not in (
|
||||||
|
token_values['audit_chain_id'],):
|
||||||
|
return False
|
||||||
|
|
||||||
|
if event.role_id is not None and event.role_id not in (
|
||||||
|
token_values['roles']):
|
||||||
|
return False
|
||||||
|
|
||||||
if token_values['issued_at'] > event.issued_before:
|
if token_values['issued_at'] > event.issued_before:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
|
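Review bot: The new single-value checks, starting with the `project_id` block (`if event.project_id is not None and event.project_id not in (` / `token_values['project_id'],):`), express an equality test as membership in a one-element tuple, so correctness hangs on the trailing comma: without it `(token_values['project_id'])` is just the string and `not in` silently becomes a substring test, under which a token whose value merely contains the event's value would no longer return False and, as the surrounding comments read, would be treated as revoked. The `roles` check near the end is the only genuine membership test in the function, yet it is written in the same shape as the others, so the two cases cannot be told apart at a glance. I would write the single-value comparisons as plain inequality, `if event.project_id is not None and event.project_id != token_values['project_id']:`, and do the same for `domain_scope_id`, `expires_at`, `trust_id`, `consumer_id`, `access_token_id`, `audit_id` and `audit_chain_id`, keeping `not in` only for the multi-candidate `user_id` and `domain_id` checks and for `roles`. The `domain_id` line also lacks the space in `not in(`, which pycodestyle's missing-whitespace-after-keyword check flags. The body of `matches` begins before this hunk.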