OpenStack Identity (Keystone)
keystone/keystone/token/core.py


# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Main entry point into the Token service."""
from keystone.common import cache
from keystone import config
from keystone import exception
from keystone.i18n import _
from keystone.openstack.common import log
from keystone.openstack.common import versionutils
from keystone.token import persistence
from keystone.token import provider
CONF = config.CONF
LOG = log.getLogger(__name__)
SHOULD_CACHE = cache.should_cache_fn('token')


# NOTE(blk-u): The config options are not available at import time, so the
# cache lifetimes are exposed as zero-argument callables that read CONF only
# when they are invoked.
def EXPIRATION_TIME():
    """Return the current value of ``CONF.token.cache_time``."""
    return CONF.token.cache_time


def REVOCATION_CACHE_EXPIRATION_TIME():
    """Return the current value of ``CONF.token.revocation_cache_time``."""
    return CONF.token.revocation_cache_time
@versionutils.deprecated(
    what='keystone.token.default_expire_time',
    in_favor_of='keystone.token.provider.default_expire_time',
    as_of=versionutils.deprecated.JUNO,
    remove_in=+1)
def default_expire_time():
    """Return whatever ``provider.default_expire_time()`` returns.

    Deprecated pass-through kept for callers that still import it from this
    module; the decorator names ``keystone.token.provider`` as the
    replacement location.
    """
    expiry = provider.default_expire_time()
    return expiry
@versionutils.deprecated(
    what='keystone.token.core.validate_auth_info',
    as_of=versionutils.deprecated.JUNO,
    remove_in=+1)
def validate_auth_info(self, user_ref, tenant_ref):
    """Reject authentication for disabled users, tenants and domains.

    The checks are kept in one place so that token auth and ec2 auth apply
    the same rules. They run in a fixed order: the user, the user's domain,
    then (only when a tenant is given) the tenant and the tenant's domain.
    The first failing check logs a warning and raises.

    Points worth knowing when relying on this check:

    * A reference without an ``'enabled'`` key is treated as enabled.
    * A domain check is skipped when ``get_domain`` returns a falsy value.
    * The same text, including the offending ID, is written to the log and
      passed to the exception.
      NOTE(review): whether that text reaches the client depends on how
      ``exception.Unauthorized`` is rendered, which is not visible here.

    :param self: object exposing ``assignment_api.get_domain``
    :param user_ref: the authenticating user
    :param tenant_ref: the scope of authorization, if any
    :raises Unauthorized: if any of the user, user's domain, tenant or
                          tenant's domain are either disabled or otherwise
                          invalid

    """
    def _reject(message):
        # Log first so the denial is recorded even if the caller swallows
        # the exception.
        LOG.warning(message)
        raise exception.Unauthorized(message)

    # A disabled user may not authenticate.
    user_enabled = user_ref.get('enabled', True)
    if not user_enabled:
        _reject(_('User is disabled: %s') % user_ref['id'])

    # Neither may a user whose domain is disabled.
    user_domain = self.assignment_api.get_domain(user_ref['domain_id'])
    if user_domain and not user_domain.get('enabled', True):
        _reject(_('Domain is disabled: %s') % user_domain['id'])

    # Unscoped request: nothing further to check.
    if not tenant_ref:
        return

    # A disabled project cannot be used as the authorization scope.
    tenant_enabled = tenant_ref.get('enabled', True)
    if not tenant_enabled:
        _reject(_('Tenant is disabled: %s') % tenant_ref['id'])

    # The project's domain must be enabled as well.
    project_domain = self.assignment_api.get_domain(tenant_ref['domain_id'])
    if project_domain and not project_domain.get('enabled', True):
        _reject(_('Domain is disabled: %s') % project_domain['id'])
class Manager(persistence.Manager):
    """Deprecated alias for ``keystone.token.persistence.Manager``.

    Adds nothing to the parent class; only the constructor is wrapped so
    that instantiation goes through the deprecation decorator.
    """

    @versionutils.deprecated(
        as_of=versionutils.deprecated.JUNO,
        what='keystone.token.core.Manager',
        in_favor_of='keystone.token.persistence.Manager',
        remove_in=+1)
    def __init__(self):
        # Explicit two-argument super() is kept as in the original.
        parent = super(Manager, self)
        parent.__init__()
class Driver(persistence.Driver):
    """Deprecated alias for ``keystone.token.persistence.Driver``.

    Adds nothing to the parent class; only the constructor is wrapped so
    that instantiation goes through the deprecation decorator.
    """

    @versionutils.deprecated(
        as_of=versionutils.deprecated.JUNO,
        what='keystone.token.core.Driver',
        in_favor_of='keystone.token.persistence.Driver',
        remove_in=+1)
    def __init__(self):
        # Explicit two-argument super() is kept as in the original.
        parent = super(Driver, self)
        parent.__init__()