You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
163 lines
5.8 KiB
163 lines
5.8 KiB
# vim: tabstop=4 shiftwidth=4 softtabstop=4 |
|
|
|
# Copyright 2012 OpenStack Foundation |
|
# |
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
|
# not use this file except in compliance with the License. You may obtain |
|
# a copy of the License at |
|
# |
|
# http://www.apache.org/licenses/LICENSE-2.0 |
|
# |
|
# Unless required by applicable law or agreed to in writing, software |
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
|
# License for the specific language governing permissions and limitations |
|
# under the License. |
|
|
|
import copy |
|
|
|
from keystone.common import kvs |
|
from keystone import exception |
|
from keystone.openstack.common import log as logging |
|
from keystone.openstack.common import timeutils |
|
from keystone import token |
|
|
|
LOG = logging.getLogger(__name__) |
|
|
|
|
|
class Token(kvs.Base, token.Driver): |
|
"""kvs backend for tokens is deprecated. |
|
|
|
Deprecated in Havana and will be removed in Icehouse, as this backend |
|
is not production grade. |
|
""" |
|
|
|
def __init__(self, *args, **kw): |
|
super(Token, self).__init__(*args, **kw) |
|
LOG.warn(_("kvs token backend is DEPRECATED. Use " |
|
"keystone.token.backends.sql or " |
|
"keystone.token.backend.memcache instead.")) |
|
|
|
# Public interface |
|
def get_token(self, token_id): |
|
try: |
|
ref = self.db.get('token-%s' % token_id) |
|
return copy.deepcopy(ref) |
|
except Exception: |
|
# On any issues here, Token is not found. |
|
raise exception.TokenNotFound(token_id=token_id) |
|
|
|
def create_token(self, token_id, data): |
|
data_copy = copy.deepcopy(data) |
|
data_copy['id'] = token_id |
|
if not data_copy.get('expires'): |
|
data_copy['expires'] = token.default_expire_time() |
|
if not data_copy.get('user_id'): |
|
data_copy['user_id'] = data_copy['user']['id'] |
|
self.db.set('token-%s' % token_id, data_copy) |
|
return copy.deepcopy(data_copy) |
|
|
|
def delete_token(self, token_id): |
|
try: |
|
token_ref = self.get_token(token_id) |
|
self.db.delete('token-%s' % token_id) |
|
self.db.set('revoked-token-%s' % token_id, token_ref) |
|
except exception.NotFound: |
|
raise exception.TokenNotFound(token_id=token_id) |
|
|
|
def delete_tokens(self, user_id, tenant_id=None, trust_id=None, |
|
consumer_id=None): |
|
return super(Token, self).delete_tokens( |
|
user_id=user_id, |
|
tenant_id=tenant_id, |
|
trust_id=trust_id, |
|
consumer_id=consumer_id, |
|
) |
|
|
|
def is_not_expired(self, now, ref): |
|
return not ref.get('expires') and ref.get('expires') < now |
|
|
|
def is_expired(self, now, ref): |
|
return ref.get('expires') and ref.get('expires') < now |
|
|
|
def trust_matches(self, trust_id, ref): |
|
return ref.get('trust_id') and ref['trust_id'] == trust_id |
|
|
|
def _list_tokens_for_trust(self, trust_id): |
|
tokens = [] |
|
now = timeutils.utcnow() |
|
for token, ref in self.db.items(): |
|
if not token.startswith('token-') or self.is_expired(now, ref): |
|
continue |
|
if self.trust_matches(trust_id, ref): |
|
tokens.append(token.split('-', 1)[1]) |
|
return tokens |
|
|
|
def _consumer_matches(self, consumer_id, token_ref_dict): |
|
if consumer_id is None: |
|
return True |
|
else: |
|
if 'token_data' in token_ref_dict: |
|
token_data = token_ref_dict.get('token_data') |
|
if 'token' in token_data: |
|
token = token_data.get('token') |
|
oauth = token.get('OS-OAUTH1') |
|
if oauth and oauth.get('consumer_id') == consumer_id: |
|
return True |
|
return False |
|
|
|
def _list_tokens_for_consumer(self, consumer_id): |
|
tokens = [] |
|
now = timeutils.utcnow() |
|
for token, ref in self.db.items(): |
|
if not token.startswith('token-') or self.is_expired(now, ref): |
|
continue |
|
if self._consumer_matches(consumer_id, ref): |
|
tokens.append(token.split('-', 1)[1]) |
|
return tokens |
|
|
|
def _list_tokens_for_user(self, user_id, tenant_id=None): |
|
def user_matches(user_id, ref): |
|
return ref.get('user') and ref['user'].get('id') == user_id |
|
|
|
def tenant_matches(tenant_id, ref): |
|
return ((tenant_id is None) or |
|
(ref.get('tenant') and |
|
ref['tenant'].get('id') == tenant_id)) |
|
|
|
tokens = [] |
|
now = timeutils.utcnow() |
|
for token, ref in self.db.items(): |
|
if not token.startswith('token-') or self.is_expired(now, ref): |
|
continue |
|
else: |
|
if (user_matches(user_id, ref) and |
|
tenant_matches(tenant_id, ref)): |
|
tokens.append(token.split('-', 1)[1]) |
|
return tokens |
|
|
|
def list_tokens(self, user_id, tenant_id=None, trust_id=None, |
|
consumer_id=None): |
|
if trust_id: |
|
return self._list_tokens_for_trust(trust_id) |
|
if consumer_id: |
|
return self._list_tokens_for_consumer(consumer_id) |
|
else: |
|
return self._list_tokens_for_user(user_id, tenant_id) |
|
|
|
def list_revoked_tokens(self): |
|
tokens = [] |
|
for token, token_ref in self.db.items(): |
|
if not token.startswith('revoked-token-'): |
|
continue |
|
record = {} |
|
record['id'] = token_ref['id'] |
|
record['expires'] = token_ref['expires'] |
|
tokens.append(record) |
|
return tokens |
|
|
|
def flush_expired_tokens(self): |
|
now = timeutils.utcnow() |
|
for token, token_ref in self.db.items(): |
|
if self.is_expired(now, token_ref): |
|
self.db.delete(token)
|
|
|