diff --git a/nova/db/api.py b/nova/db/api.py
index a120b069d..d3c64f972 100644
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -2050,3 +2050,39 @@ def instance_tag_delete_all(context, instance_uuid):
 def instance_tag_exists(context, instance_uuid, tag):
 """Check if specified tag exist on the instance."""
 return IMPL.instance_tag_exists(context, instance_uuid, tag)
+
+
+####################
+
+
+def console_auth_token_create(context, values):
+ """Create a console authorization."""
+ return IMPL.console_auth_token_create(context, values)
+
+
+def console_auth_token_get_valid(context, token_hash, instance_uuid):
+ """Get a valid console authorization by token_hash and instance_uuid.
+
+ The console authorizations expire at the time specified by their
+ 'expires' column. An expired console auth token will not be returned
+ to the caller - it is treated as if it does not exist.
+ """
+ return IMPL.console_auth_token_get_valid(context,
+ token_hash,
+ instance_uuid)
+
+
+def console_auth_token_destroy_all_by_instance(context, instance_uuid):
+ """Delete all console authorizations belonging to the instance."""
+ return IMPL.console_auth_token_destroy_all_by_instance(context,
+ instance_uuid)
+
+
+def console_auth_token_destroy_expired_by_host(context, host):
+ """Delete expired console authorizations belonging to the host.
+
+ The console authorizations expire at the time specified by their
+ 'expires' column. This function is used to garbage collect expired
+ tokens associated with the given host.
+ """
+ return IMPL.console_auth_token_destroy_expired_by_host(context, host)
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 08ff0e154..8d832f8ee 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
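Review bot: In nova/db/api.py the docstring of `console_auth_token_create` does not say what `values` must contain, and nothing in it states that only the token's hash is stored. The lookup wrapper takes `token_hash`, and the SQLAlchemy implementation in this commit filters on `instance_uuid`, `host` and `expires`, so the create docstring should name those keys, e.g. `"""Create a console authorization; values carries token_hash (never the raw token), instance_uuid, host and expires."""` (key list inferred from the filters in this commit, so confirm it against the model). `console_auth_token_get_valid` could also state that it returns None when no unexpired row matches, which is what the `.first()` call in the implementation yields.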
@@ -6812,3 +6812,40 @@ def instance_tag_exists(context, instance_uuid, tag):
 q = context.session.query(models.Tag).filter_by(
 resource_id=instance_uuid, tag=tag)
 return context.session.query(q.exists()).scalar()
+
+
+####################
+
+
+@pick_context_manager_writer
+def console_auth_token_create(context, values):
+ instance_uuid = values.get('instance_uuid')
+ _check_instance_exists_in_project(context, instance_uuid)
+ token_ref = models.ConsoleAuthToken()
+ token_ref.update(values)
+ context.session.add(token_ref)
+ return token_ref
+
+
+@pick_context_manager_reader
+def console_auth_token_get_valid(context, token_hash, instance_uuid):
+ _check_instance_exists_in_project(context, instance_uuid)
+ return context.session.query(models.ConsoleAuthToken).\
+ filter_by(token_hash=token_hash).\
+ filter_by(instance_uuid=instance_uuid).\
+ filter(models.ConsoleAuthToken.expires > timeutils.utcnow_ts()).\
+ first()
+
+
+@pick_context_manager_writer
+def console_auth_token_destroy_all_by_instance(context, instance_uuid):
+ context.session.query(models.ConsoleAuthToken).\
+ filter_by(instance_uuid=instance_uuid).delete()
+
+
+@pick_context_manager_writer
+def console_auth_token_destroy_expired_by_host(context, host):
+ context.session.query(models.ConsoleAuthToken).\
+ filter_by(host=host).\
+ filter(models.ConsoleAuthToken.expires <= timeutils.utcnow_ts()).\
+ delete()
diff --git a/nova/utils.py b/nova/utils.py
index 83e5f6e0e..eeeb8ea1c 100644
--- a/nova/utils.py
+++ b/nova/utils.py
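Review bot: In nova/db/sqlalchemy/api.py, `console_auth_token_destroy_all_by_instance` and `console_auth_token_destroy_expired_by_host` skip the `_check_instance_exists_in_project(context, instance_uuid)` call that `console_auth_token_create` and `console_auth_token_get_valid` make, so the delete paths are not project-scoped the way the create and lookup paths are. This may be deliberate, since cleanup can run after the instance row is gone and a per-host sweep has no single instance to check, but the callers are outside this diff. If that is the intent, record it next to the query, e.g. `# No project check on purpose: cleanup must work after the instance is deleted; callers pass a suitably privileged context.` Both functions also drop the row count returned by `.delete()` while the nova/db/api.py wrappers `return` the result; returning the count would let callers log how many tokens were invalidated.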
@@ -1211,6 +1211,19 @@ def get_hash_str(base_str):
 return hashlib.md5(base_str).hexdigest()
+def get_sha256_str(base_str):
+ """Returns string that represents sha256 hash of base_str (in hex format).
+
+ sha1 and md5 are known to be breakable, so sha256 is a better option
+ when the hash is being used for security purposes. If hashing passwords
+ or anything else that needs to be retained for a long period a salted
+ hash is better.
+ """
+ if isinstance(base_str, six.text_type):
+ base_str = base_str.encode('utf-8')
+ return hashlib.sha256(base_str).hexdigest()
+
+
 def filter_and_format_resource_metadata(resource_type, resource_list, search_filts, metadata_type=None):
 """Get all metadata for a list of resources after filtering.
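Review bot: The `get_sha256_str` docstring in nova/utils.py should state when an unsalted SHA-256 is acceptable: the input must be a high-entropy secret such as a randomly generated token, because a fast unsalted hash of low-entropy data can be recovered by guessing. The current wording ("sha1 and md5 are known to be breakable") refers to collision weaknesses, which is not the property that matters when a token hash is stored for later lookup. I would add `Only use this for high-entropy inputs such as random tokens; text is UTF-8 encoded before hashing, bytes are hashed as-is.` and switch the summary line to the imperative `Return the hex SHA-256 digest of base_str.`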