Add support for app cred access rules header

This header is set to indicate to the keystone server that the client,
usually keystonemiddleware, will validate application credential access
rules. If not provided and the token uses access rules, the server will
return a 401.

bp whitelist-extension-for-app-creds

Change-Id: I64ac952d663e916150fbf7e5a8f70b76dddf3319
Colleen Murphy
2019-02-14 01:04:28 +01:00
parent 13b889823b
commit 147efb0469


@@ -57,7 +57,8 @@ class TokenManager(object):
resp, body = self._client.get(path) resp, body = self._client.get(path)
return body return body
def get_token_data(self, token, include_catalog=True, allow_expired=False): def get_token_data(self, token, include_catalog=True, allow_expired=False,
access_rules_support=None):
"""Fetch the data about a token from the identity server. """Fetch the data about a token from the identity server.
:param str token: The ID of the token to be fetched. :param str token: The ID of the token to be fetched.
@@ -65,11 +66,18 @@ class TokenManager(object):
included in the response. included in the response.
:param allow_expired: If True the token will be validated and returned :param allow_expired: If True the token will be validated and returned
if it has already expired. if it has already expired.
:param access_rules_support: Version number indicating that the client
is capable of enforcing keystone
access rules, if unset this client
does not support access rules.
:type access_rules_support: float
:rtype: dict :rtype: dict
""" """
headers = {'X-Subject-Token': token} headers = {'X-Subject-Token': token}
if access_rules_support:
headers['OpenStack-Identity-Access-Rules'] = access_rules_support
flags = [] flags = []
url = '/auth/tokens' url = '/auth/tokens'
@@ -85,7 +93,8 @@ class TokenManager(object):
resp, body = self._client.get(url, headers=headers) resp, body = self._client.get(url, headers=headers)
return body return body
def validate(self, token, include_catalog=True, allow_expired=False): def validate(self, token, include_catalog=True, allow_expired=False,
access_rules_support=None):
"""Validate a token. """Validate a token.
:param token: The token to be validated. :param token: The token to be validated.
@@ -95,6 +104,11 @@ class TokenManager(object):
:param allow_expired: If True the token will be validated and returned :param allow_expired: If True the token will be validated and returned
if it has already expired. if it has already expired.
:type allow_expired: bool :type allow_expired: bool
:param access_rules_support: Version number indicating that the client
is capable of enforcing keystone
access rules, if unset this client
does not support access rules.
:type access_rules_support: float
:rtype: :class:`keystoneclient.access.AccessInfoV3` :rtype: :class:`keystoneclient.access.AccessInfoV3`
@@ -102,5 +116,6 @@ class TokenManager(object):
token_id = _calc_id(token) token_id = _calc_id(token)
body = self.get_token_data(token_id, body = self.get_token_data(token_id,
include_catalog=include_catalog, include_catalog=include_catalog,
allow_expired=allow_expired) allow_expired=allow_expired,
access_rules_support=access_rules_support)
return access.AccessInfo.factory(auth_token=token_id, body=body) return access.AccessInfo.factory(auth_token=token_id, body=body)
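Review bot: The header value at `headers['OpenStack-Identity-Access-Rules'] = access_rules_support` (second hunk, in get_token_data) is written verbatim, while the new docstring types the parameter as float; HTTP header values are expected to be strings, so a caller passing the documented float may be rejected by the HTTP layer or serialized inconsistently. Convert at the boundary, `headers['OpenStack-Identity-Access-Rules'] = str(access_rules_support)`, or change the `:type` line to say a string is expected. The truthiness check `if access_rules_support:` also silently drops a value of 0, so `if access_rules_support is not None:` states the intent more precisely. Since sending this header tells keystone that the caller will enforce the application credential's access rules itself, the access_rules_support docstrings in both get_token_data and validate should state that responsibility, e.g. `Only set this when the caller enforces the token's access rules itself; otherwise keystone would accept a restricted application credential token as unrestricted.`. Both methods' bodies continue outside the hunks.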