f44da98856
Create and move all token persistence code to a new token.persistence module. This allows the token_provider_api to utilize the token persistence service without introducing circular dependencies. A proxy class, that will log a deprecation message if instantiated, has been created for both the token.core.Manager object and token.core.Driver object. These proxy objects are slated for removal in the K cycle. Change-Id: Iae1240c6de4382332b967926efe31f5355554f6e bp: non-persistent-tokens
111 lines
4.0 KiB
Python
111 lines
4.0 KiB
Python
# Copyright 2012 OpenStack Foundation
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Main entry point into the Token service."""
|
|
|
|
from keystone.common import cache
|
|
from keystone import config
|
|
from keystone import exception
|
|
from keystone.i18n import _
|
|
from keystone.openstack.common import log
|
|
from keystone.openstack.common import versionutils
|
|
from keystone.token import persistence
|
|
from keystone.token import provider
|
|
|
|
|
|
CONF = config.CONF
|
|
LOG = log.getLogger(__name__)
|
|
SHOULD_CACHE = cache.should_cache_fn('token')
|
|
|
|
# NOTE(blk-u): The config options are not available at import time.
|
|
EXPIRATION_TIME = lambda: CONF.token.cache_time
|
|
REVOCATION_CACHE_EXPIRATION_TIME = lambda: CONF.token.revocation_cache_time
|
|
|
|
|
|
@versionutils.deprecated(
|
|
as_of=versionutils.deprecated.JUNO,
|
|
in_favor_of='keystone.token.provider.default_expire_time',
|
|
what='keystone.token.default_expire_time',
|
|
remove_in=+1)
|
|
def default_expire_time():
|
|
return provider.default_expire_time()
|
|
|
|
|
|
@versionutils.deprecated(as_of=versionutils.deprecated.JUNO,
|
|
what='keystone.token.core.validate_auth_info',
|
|
remove_in=+1)
|
|
def validate_auth_info(self, user_ref, tenant_ref):
|
|
"""Validate user and tenant auth info.
|
|
|
|
Validate the user and tenant auth info in order to ensure that user and
|
|
tenant information is valid and not disabled.
|
|
|
|
Consolidate the checks here to ensure consistency between token auth and
|
|
ec2 auth.
|
|
|
|
:params user_ref: the authenticating user
|
|
:params tenant_ref: the scope of authorization, if any
|
|
:raises Unauthorized: if any of the user, user's domain, tenant or
|
|
tenant's domain are either disabled or otherwise invalid
|
|
"""
|
|
# If the user is disabled don't allow them to authenticate
|
|
if not user_ref.get('enabled', True):
|
|
msg = _('User is disabled: %s') % user_ref['id']
|
|
LOG.warning(msg)
|
|
raise exception.Unauthorized(msg)
|
|
|
|
# If the user's domain is disabled don't allow them to authenticate
|
|
user_domain_ref = self.assignment_api.get_domain(
|
|
user_ref['domain_id'])
|
|
if user_domain_ref and not user_domain_ref.get('enabled', True):
|
|
msg = _('Domain is disabled: %s') % user_domain_ref['id']
|
|
LOG.warning(msg)
|
|
raise exception.Unauthorized(msg)
|
|
|
|
if tenant_ref:
|
|
# If the project is disabled don't allow them to authenticate
|
|
if not tenant_ref.get('enabled', True):
|
|
msg = _('Tenant is disabled: %s') % tenant_ref['id']
|
|
LOG.warning(msg)
|
|
raise exception.Unauthorized(msg)
|
|
|
|
# If the project's domain is disabled don't allow them to authenticate
|
|
project_domain_ref = self.assignment_api.get_domain(
|
|
tenant_ref['domain_id'])
|
|
if (project_domain_ref and
|
|
not project_domain_ref.get('enabled', True)):
|
|
msg = _('Domain is disabled: %s') % project_domain_ref['id']
|
|
LOG.warning(msg)
|
|
raise exception.Unauthorized(msg)
|
|
|
|
|
|
class Manager(persistence.Manager):
|
|
@versionutils.deprecated(
|
|
versionutils.deprecated.JUNO,
|
|
in_favor_of='keystone.token.persistence.Manager',
|
|
remove_in=+1,
|
|
what='keystone.token.core.Manager')
|
|
def __init__(self):
|
|
super(Manager, self).__init__()
|
|
|
|
|
|
class Driver(persistence.Driver):
|
|
@versionutils.deprecated(
|
|
versionutils.deprecated.JUNO,
|
|
in_favor_of='keystone.token.persistence.Driver',
|
|
remove_in=+1,
|
|
what='keystone.token.core.Driver')
|
|
def __init__(self):
|
|
super(Driver, self).__init__()
|