280 lines
12 KiB
Python
280 lines
12 KiB
Python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright 2012 OpenStack Foundation
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from __future__ import absolute_import
|
|
import copy
|
|
import datetime
|
|
|
|
import memcache
|
|
|
|
from keystone.common import utils
|
|
from keystone import config
|
|
from keystone import exception
|
|
from keystone.openstack.common import jsonutils
|
|
from keystone.openstack.common import log as logging
|
|
from keystone.openstack.common import timeutils
|
|
from keystone import token
|
|
|
|
|
|
CONF = config.CONF
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
class Token(token.Driver):
|
|
revocation_key = 'revocation-list'
|
|
|
|
def __init__(self, client=None):
|
|
self._memcache_client = client
|
|
|
|
@property
|
|
def client(self):
|
|
return self._memcache_client or self._get_memcache_client()
|
|
|
|
def _get_memcache_client(self):
|
|
memcache_servers = CONF.memcache.servers.split(',')
|
|
# NOTE(morganfainberg): The memcache client library for python is NOT
|
|
# thread safe and should not be passed between threads. This is highly
|
|
# specific to the cas() (compare and set) methods and the caching of
|
|
# the previous value(s). It appears greenthread should ensure there is
|
|
# a single data structure per spawned greenthread.
|
|
self._memcache_client = memcache.Client(memcache_servers, debug=0,
|
|
cache_cas=True)
|
|
return self._memcache_client
|
|
|
|
def _prefix_token_id(self, token_id):
|
|
return 'token-%s' % token_id.encode('utf-8')
|
|
|
|
def _prefix_user_id(self, user_id):
|
|
return 'usertokens-%s' % user_id.encode('utf-8')
|
|
|
|
def get_token(self, token_id):
|
|
if token_id is None:
|
|
raise exception.TokenNotFound(token_id='')
|
|
ptk = self._prefix_token_id(token_id)
|
|
token_ref = self.client.get(ptk)
|
|
if token_ref is None:
|
|
raise exception.TokenNotFound(token_id=token_id)
|
|
|
|
return token_ref
|
|
|
|
def create_token(self, token_id, data):
|
|
data_copy = copy.deepcopy(data)
|
|
ptk = self._prefix_token_id(token_id)
|
|
if not data_copy.get('expires'):
|
|
data_copy['expires'] = token.default_expire_time()
|
|
if not data_copy.get('user_id'):
|
|
data_copy['user_id'] = data_copy['user']['id']
|
|
kwargs = {}
|
|
if data_copy['expires'] is not None:
|
|
expires_ts = utils.unixtime(data_copy['expires'])
|
|
kwargs['time'] = expires_ts
|
|
self.client.set(ptk, data_copy, **kwargs)
|
|
user_id = data['user']['id']
|
|
user_key = self._prefix_user_id(user_id)
|
|
# Append the new token_id to the token-index-list stored in the
|
|
# user-key within memcache.
|
|
self._update_user_list_with_cas(user_key, token_id, data_copy)
|
|
if CONF.trust.enabled and data.get('trust_id'):
|
|
# NOTE(morganfainberg): If trusts are enabled and this is a trust
|
|
# scoped token, we add the token to the trustee list as well. This
|
|
# allows password changes of the trustee to also expire the token.
|
|
# There is no harm in placing the token in multiple lists, as
|
|
# _list_tokens is smart enough to handle almost any case of
|
|
# valid/invalid/expired for a given token.
|
|
token_data = data_copy['token_data']
|
|
if data_copy['token_version'] == token.provider.V2:
|
|
trustee_user_id = token_data['access']['trust'][
|
|
'trustee_user_id']
|
|
elif data_copy['token_version'] == token.provider.V3:
|
|
trustee_user_id = token_data['OS-TRUST:trust'][
|
|
'trustee_user_id']
|
|
else:
|
|
raise token.provider.UnsupportedTokenVersionException(
|
|
_('Unknown token version %s') %
|
|
data_copy.get('token_version'))
|
|
|
|
trustee_key = self._prefix_user_id(trustee_user_id)
|
|
self._update_user_list_with_cas(trustee_key, token_id, data_copy)
|
|
|
|
return copy.deepcopy(data_copy)
|
|
|
|
def _convert_user_index_from_json(self, token_list, user_key):
|
|
try:
|
|
# NOTE(morganfainberg): Try loading in the old format
|
|
# of the list.
|
|
token_list = jsonutils.loads('[%s]' % token_list)
|
|
|
|
# NOTE(morganfainberg): Build a delta based upon the
|
|
# token TTL configured. Since we are using the old
|
|
# format index-list, we will create a "fake" expiration
|
|
# that should be further in the future than the actual
|
|
# expiry. To avoid locking up keystone trying to
|
|
# communicate to memcached, it is better to use a fake
|
|
# value. The logic that utilizes this list already
|
|
# knows how to handle the case of tokens that are
|
|
# no longer valid being included.
|
|
delta = datetime.timedelta(
|
|
seconds=CONF.token.expiration)
|
|
new_expiry = timeutils.normalize_time(
|
|
timeutils.utcnow()) + delta
|
|
|
|
for idx, token_id in enumerate(token_list):
|
|
token_list[idx] = (token_id, new_expiry)
|
|
|
|
except Exception:
|
|
# NOTE(morganfainberg): Catch any errors thrown here. There is
|
|
# nothing the admin or operator needs to do in this case, but
|
|
# it should be logged that there was an error and some action was
|
|
# taken to correct it
|
|
LOG.info(_('Unable to convert user-token-index to new format; '
|
|
'clearing user token index record "%s".'), user_key)
|
|
token_list = []
|
|
return token_list
|
|
|
|
def _update_user_list_with_cas(self, user_key, token_id, token_data):
|
|
cas_retry = 0
|
|
max_cas_retry = CONF.memcache.max_compare_and_set_retry
|
|
current_time = timeutils.normalize_time(timeutils.utcnow())
|
|
|
|
self.client.reset_cas()
|
|
|
|
while cas_retry <= max_cas_retry:
|
|
# NOTE(morganfainberg): cas or "compare and set" is a function of
|
|
# memcache. It will return false if the value has changed since the
|
|
# last call to client.gets(). This is the memcache supported method
|
|
# of avoiding race conditions on set(). Memcache is already atomic
|
|
# on the back-end and serializes operations.
|
|
#
|
|
# cas_retry is for tracking our iterations before we give up (in
|
|
# case memcache is down or something horrible happens we don't
|
|
# iterate forever trying to compare and set the new value.
|
|
cas_retry += 1
|
|
token_list = self.client.gets(user_key)
|
|
filtered_list = []
|
|
|
|
if token_list is not None:
|
|
if not isinstance(token_list, list):
|
|
token_list = self._convert_user_index_from_json(token_list,
|
|
user_key)
|
|
for token_i, expiry in token_list:
|
|
expires_at = timeutils.normalize_time(expiry)
|
|
if expires_at < current_time:
|
|
# skip tokens that are expired.
|
|
continue
|
|
|
|
# Add the still valid token_id to the list.
|
|
filtered_list.append((token_i, expiry))
|
|
# Add the new token_id and expiry.
|
|
filtered_list.append(
|
|
(token_id, timeutils.normalize_time(token_data['expires'])))
|
|
|
|
# Use compare-and-set (cas) to set the new value for the
|
|
# token-index-list for the user-key. Cas is used to prevent race
|
|
# conditions from causing the loss of valid token ids from this
|
|
# list.
|
|
if self.client.cas(user_key, filtered_list):
|
|
msg = _('Successful set of token-index-list for user-key '
|
|
'"%(user_key)s", #%(count)d records')
|
|
LOG.debug(msg, {'user_key': user_key,
|
|
'count': len(filtered_list)})
|
|
return filtered_list
|
|
|
|
# The cas function will return true if it succeeded or false if it
|
|
# failed for any reason, including memcache server being down, cas
|
|
# id changed since gets() called (the data changed between when
|
|
# this loop started and this point, etc.
|
|
error_msg = _('Failed to set token-index-list for user-key '
|
|
'"%(user_key)s". Attempt %(cas_retry)d of '
|
|
'%(cas_retry_max)d')
|
|
LOG.debug(error_msg,
|
|
{'user_key': user_key,
|
|
'cas_retry': cas_retry,
|
|
'cas_retry_max': max_cas_retry})
|
|
|
|
# Exceeded the maximum retry attempts.
|
|
error_msg = _('Unable to add token user list')
|
|
raise exception.UnexpectedError(error_msg)
|
|
|
|
def _add_to_revocation_list(self, data):
|
|
data_json = jsonutils.dumps(data)
|
|
if not self.client.append(self.revocation_key, ',%s' % data_json):
|
|
if not self.client.add(self.revocation_key, data_json):
|
|
if not self.client.append(self.revocation_key,
|
|
',%s' % data_json):
|
|
msg = _('Unable to add token to revocation list.')
|
|
raise exception.UnexpectedError(msg)
|
|
|
|
def delete_token(self, token_id):
|
|
# Test for existence
|
|
data = self.get_token(token_id)
|
|
ptk = self._prefix_token_id(token_id)
|
|
result = self.client.delete(ptk)
|
|
self._add_to_revocation_list(data)
|
|
return result
|
|
|
|
def list_tokens(self, user_id, tenant_id=None, trust_id=None,
|
|
consumer_id=None):
|
|
tokens = []
|
|
user_key = self._prefix_user_id(user_id)
|
|
current_time = timeutils.normalize_time(timeutils.utcnow())
|
|
token_list = self.client.get(user_key) or []
|
|
if not isinstance(token_list, list):
|
|
# NOTE(morganfainberg): This is for compatibility for old-format
|
|
# token-lists that were a JSON string of just token_ids. This code
|
|
# will reference the underlying expires directly from the
|
|
# token_ref vs in this list, so setting to none just ensures the
|
|
# loop works as expected.
|
|
token_list = [(i, None) for i in
|
|
jsonutils.loads('[%s]' % token_list)]
|
|
for token_id, expiry in token_list:
|
|
ptk = self._prefix_token_id(token_id)
|
|
token_ref = self.client.get(ptk)
|
|
if token_ref:
|
|
if tenant_id is not None:
|
|
tenant = token_ref.get('tenant')
|
|
if not tenant:
|
|
continue
|
|
if tenant.get('id') != tenant_id:
|
|
continue
|
|
if trust_id is not None:
|
|
trust = token_ref.get('trust_id')
|
|
if not trust:
|
|
continue
|
|
if trust != trust_id:
|
|
continue
|
|
if consumer_id is not None:
|
|
try:
|
|
oauth = token_ref['token_data']['token']['OS-OAUTH1']
|
|
if oauth.get('consumer_id') != consumer_id:
|
|
continue
|
|
except KeyError:
|
|
continue
|
|
|
|
if (timeutils.normalize_time(token_ref['expires']) <
|
|
current_time):
|
|
# Skip expired tokens.
|
|
continue
|
|
|
|
tokens.append(token_id)
|
|
return tokens
|
|
|
|
def list_revoked_tokens(self):
|
|
list_json = self.client.get(self.revocation_key)
|
|
if list_json:
|
|
return jsonutils.loads('[%s]' % list_json)
|
|
return []
|