211
212
cfg.StrOpt('cache', default=None), # env key for the swift cache
212
213
cfg.StrOpt('certfile'),
213
214
cfg.StrOpt('keyfile'),
214
cfg.StrOpt('signing_dir',
215
default=os.path.expanduser('~/keystone-signing')),
215
cfg.StrOpt('signing_dir'),
216
216
cfg.ListOpt('memcache_servers'),
217
217
cfg.IntOpt('token_cache_time', default=300),
218
cfg.IntOpt('revocation_cache_time', default=1),
218
219
cfg.StrOpt('memcache_security_strategy', default=None),
219
220
cfg.StrOpt('memcache_secret_key', default=None, secret=True)
291
292
self.cert_file = self._conf_get('certfile')
292
293
self.key_file = self._conf_get('keyfile')
295
296
self.signing_dirname = self._conf_get('signing_dir')
297
if self.signing_dirname is None:
298
self.signing_dirname = tempfile.mkdtemp(prefix='keystone-signing-')
296
299
self.LOG.info('Using %s as cache directory for signing certificate' %
297
300
self.signing_dirname)
298
if (os.path.exists(self.signing_dirname) and
299
not os.access(self.signing_dirname, os.W_OK)):
300
raise ConfigurationError("unable to access signing dir %s" %
301
self.signing_dirname)
303
if not os.path.exists(self.signing_dirname):
304
os.makedirs(self.signing_dirname)
305
#will throw IOError if it cannot change permissions
306
os.chmod(self.signing_dirname, stat.S_IRWXU)
301
if os.path.exists(self.signing_dirname):
302
if not os.access(self.signing_dirname, os.W_OK):
303
raise ConfigurationError(
304
'unable to access signing_dir %s' % self.signing_dirname)
305
if os.stat(self.signing_dirname).st_uid != os.getuid():
307
'signing_dir is not owned by %s' % os.getlogin())
308
current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode)
309
if current_mode != stat.S_IRWXU:
311
'signing_dir mode is %s instead of %s' %
312
(oct(current_mode), oct(stat.S_IRWXU)))
314
os.makedirs(self.signing_dirname, stat.S_IRWXU)
308
316
val = '%s/signing_cert.pem' % self.signing_dirname
309
317
self.signing_cert_file_name = val
337
345
self.token_cache_time = int(self._conf_get('token_cache_time'))
338
346
self._token_revocation_list = None
339
347
self._token_revocation_list_fetched_time = None
340
cache_timeout = datetime.timedelta(seconds=0)
341
self.token_revocation_list_cache_timeout = cache_timeout
348
self.token_revocation_list_cache_timeout = datetime.timedelta(
349
seconds=self._conf_get('revocation_cache_time'))
342
350
http_connect_timeout_cfg = self._conf_get('http_connect_timeout')
343
351
self.http_connect_timeout = (http_connect_timeout_cfg and
344
352
int(http_connect_timeout_cfg))
689
697
data = json.loads(verified)
691
699
data = self.verify_uuid_token(user_token, retry)
692
self._cache_put(token_id, data)
700
expires = self._confirm_token_not_expired(data)
701
self._cache_put(token_id, data, expires)
694
703
except Exception as e:
695
704
self.LOG.debug('Token validation failure.', exc_info=True)
924
933
timeout=self.token_cache_time)
926
def _cache_put(self, token, data):
935
def _confirm_token_not_expired(self, data):
937
raise InvalidUserToken('Token authorization failed')
938
if self._token_is_v2(data):
939
timestamp = data['access']['token']['expires']
940
elif self._token_is_v3(data):
941
timestamp = data['token']['expires_at']
943
raise InvalidUserToken('Token authorization failed')
944
expires = timeutils.parse_isotime(timestamp).strftime('%s')
945
if time.time() >= float(expires):
946
self.LOG.debug('Token expired a %s', timestamp)
947
raise InvalidUserToken('Token authorization failed')
950
def _cache_put(self, token, data, expires):
927
951
""" Put token data into the cache.
929
953
Stores the parsed expire date in cache allowing
930
954
quick check of token freshness on retrieval.
932
if self._cache and data:
933
if self._token_is_v2(data):
934
timestamp = data['access']['token']['expires']
935
elif self._token_is_v3(data):
936
timestamp = data['token']['expires']
938
self.LOG.error('invalid token format')
940
expires = timeutils.parse_isotime(timestamp).strftime('%s')
941
self.LOG.debug('Storing %s token in memcache', token)
942
self._cache_store(token, data, expires)
958
self.LOG.debug('Storing %s token in memcache', token)
959
self._cache_store(token, data, expires)
944
961
def _cache_store_invalid(self, token):
945
962
"""Store invalid token in cache."""