

  1. # Copyright 2013 OpenStack Foundation
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  4. # not use this file except in compliance with the License. You may obtain
  5. # a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  11. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  12. # License for the specific language governing permissions and limitations
  13. # under the License.
  14. import flask
  15. from oslo_log import log
  16. import six
  17. from keystone.auth.plugins import base
  18. from keystone.auth.plugins import mapped
  19. from keystone.common import provider_api
  20. import keystone.conf
  21. from keystone import exception
  22. from keystone.i18n import _
# Module logger; token_authenticate() uses it to record the AssertionError
# it converts into an Unauthorized error.
LOG = log.getLogger(__name__)
# Keystone configuration; the only option read in this module is
# [token] allow_rescope_scoped_token.
CONF = keystone.conf.CONF
# Lookup point for the backend APIs used below (token_provider_api,
# federation_api, identity_api).
PROVIDERS = provider_api.ProviderAPIs
class Token(base.AuthMethodHandler):
    """Auth method that accepts an existing token as the credential.

    The caller presents a token id under ``auth_payload['id']``. The token
    is validated through the token provider, and the response data is then
    built either by the federation mapping code (for a federated token when
    a federation backend is configured) or by :func:`token_authenticate`.
    """

    def _get_token_ref(self, auth_payload):
        """Validate the presented token id and return the token reference.

        :param auth_payload: the ``token`` section of the auth request; the
            ``id`` key is read without a presence check, so callers are
            expected to validate it first (``authenticate`` does).
        :returns: the value returned by the token provider's
            ``validate_token``.
        """
        presented_id = auth_payload['id']
        token_api = PROVIDERS.token_provider_api
        return token_api.validate_token(presented_id)

    def authenticate(self, auth_payload):
        """Authenticate a request that presents an existing token.

        :param auth_payload: the ``token`` section of the auth request.
        :returns: :class:`base.AuthHandlerResponse` with ``status=True``
            and the response data built from the presented token.
        :raises keystone.exception.ValidationError: when ``id`` is absent.
        """
        if 'id' not in auth_payload:
            raise exception.ValidationError(attribute='id', target='token')

        token = self._get_token_ref(auth_payload)

        # Federated tokens go through the mapping code, but only when a
        # federation backend is actually configured.
        use_federation = token.is_federated and PROVIDERS.federation_api
        if use_federation:
            response_data = mapped.handle_scoped_token(
                token, PROVIDERS.federation_api, PROVIDERS.identity_api)
        else:
            response_data = token_authenticate(token)

        # NOTE(notmorgan): The Token auth method is *very* special and sets the
        # previous values to the method_names. This is because it can be used
        # for re-scoping and we want to maintain the values. Most
        # AuthMethodHandlers do no such thing and this is not required.
        method_names = response_data.setdefault('method_names', [])
        method_names.extend(token.methods)

        return base.AuthHandlerResponse(
            status=True, response_body=None, response_data=response_data)
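def token_authenticate(token):
    """Build auth response data from an already-validated token.

    Enforces the rescoping rules for token-based authentication and
    carries the original token's expiry and audit chain into the new
    token, so that re-issuing a token never extends a session.

    :param token: the validated token reference being presented.
    :returns: dict with ``expires_at``, ``audit_id`` and ``user_id``.
    :raises keystone.exception.ForbiddenAction: when the presented token may
        not be used to obtain the requested token: OAuth- or trust-scoped
        tokens, a system-scoped token asked for a project or domain scope,
        or any project/domain-scoped token when
        ``[token] allow_rescope_scoped_token`` is off.
    :raises keystone.exception.Unauthorized: if an ``AssertionError`` escapes
        the checks above (logged at error level first).
    """
    try:
        # Do not allow tokens used for delegation to create another token,
        # or perform any changes of state in Keystone. To do so is to invite
        # elevation of privilege attacks.
        #
        # The requested scope is taken from the raw request body rather than
        # from the auth payload handed to the plugin. Presumably the auth
        # controller parsed and schema-checked the same body before calling
        # us -- confirm that the two cannot disagree.
        requested_scope = _requested_scope()
        project_scoped = 'project' in requested_scope
        domain_scoped = 'domain' in requested_scope

        if token.oauth_scoped:
            raise exception.ForbiddenAction(
                action=_(
                    'Using OAuth-scoped token to create another token. '
                    'Create a new OAuth-scoped token instead'))
        elif token.trust_scoped:
            raise exception.ForbiddenAction(
                action=_(
                    'Using trust-scoped token to create another token. '
                    'Create a new trust-scoped token instead'))
        elif token.system_scoped and (project_scoped or domain_scoped):
            raise exception.ForbiddenAction(
                action=_(
                    'Using a system-scoped token to create a project-scoped '
                    'or domain-scoped token is not allowed.'
                )
            )

        if not CONF.token.allow_rescope_scoped_token:
            # Do not allow conversion from scoped tokens.
            if token.project_scoped or token.domain_scoped:
                raise exception.ForbiddenAction(
                    action=_('rescope a scoped token'))

        # New tokens maintain the audit_id of the original token in the
        # chain (if possible) as the second element in the audit data
        # structure. Look for the last element in the audit data structure
        # which will be either the audit_id of the token (in the case of
        # a token that has not been rescoped) or the audit_chain id (in
        # the case of a token that has been rescoped).
        try:
            token_audit_id = token.parent_audit_id or token.audit_id
        except IndexError:
            # NOTE(morganfainberg): In the case this is a token that was
            # issued prior to audit id existing, the chain is not tracked.
            token_audit_id = None

        # To prevent users from never having to re-authenticate, the original
        # token expiration time is maintained in the new token. Not doing this
        # would make it possible for a user to continuously bump token
        # expiration through token rescoping without proving their identity.
        return {
            'expires_at': token.expires_at,
            'audit_id': token_audit_id,
            'user_id': token.user_id,
        }
    except AssertionError as e:
        LOG.error(six.text_type(e))
        raise exception.Unauthorized(e)


def _requested_scope():
    """Return the ``auth.scope`` mapping of the current request body, or ``{}``.

    Reads the JSON body of the in-flight flask request. Anything that is not
    a mapping -- no parseable body, no ``auth`` key, or a ``scope`` that is
    not a mapping (a plain string scope carries no project or domain) --
    yields an empty dict, so the caller sees "neither project- nor
    domain-scoped" instead of a KeyError or a substring match on a string.
    """
    json_body = flask.request.get_json(silent=True, force=True) or {}
    auth = json_body.get('auth') if isinstance(json_body, dict) else None
    if not isinstance(auth, dict):
        return {}
    scope = auth.get('scope', {})
    return scope if isinstance(scope, dict) else {}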