~ubuntu-branches/ubuntu/trusty/python-keystoneclient/trusty-proposed

Viewing changes to keystoneclient/middleware/auth_token.py

Committer: Package Import Robot
Author(s): Chuck Short
Date: 2013-05-29 13:07:56 UTC
mfrom: (1.1.19)
Revision ID: package-import@ubuntu.com-20130529130756-3h7dh05a39n9uvq5

Tags: 1:0.2.4-0ubuntu1

* New upstream release.
* debian/control: Add python-d2to1 and python-pbr
* debian/control: Add testrepository, dropped python-nose
* debian/control: Add python-six

files added:
.testr.conf

examples/pki/cms/auth_token_scoped_expired.json

examples/pki/cms/auth_token_scoped_expired.pem

requirements.txt

test-requirements.txt

files removed:
keystoneclient/middleware/test.py

keystoneclient/openstack/common/setup.py

keystoneclient/versioninfo

tools/generate_authors.sh

tools/pip-requires

tools/test-requires

files modified:
.gitignore

AUTHORS

ChangeLog

HACKING

MANIFEST.in

PKG-INFO

debian/changelog

debian/control

doc/source/using-api.rst

examples/pki/certs/cacert.pem

examples/pki/certs/middleware.pem

examples/pki/certs/signing_cert.pem

examples/pki/certs/ssl_cert.pem

examples/pki/cms/auth_token_revoked.json

examples/pki/cms/auth_token_revoked.pem

examples/pki/cms/auth_token_scoped.json

examples/pki/cms/auth_token_scoped.pem

examples/pki/cms/auth_token_unscoped.json

examples/pki/cms/auth_token_unscoped.pem

examples/pki/cms/auth_v3_token_revoked.json

examples/pki/cms/auth_v3_token_revoked.pem

examples/pki/cms/auth_v3_token_scoped.json

examples/pki/cms/auth_v3_token_scoped.pem

examples/pki/cms/revocation_list.pem

examples/pki/gen_pki.sh

examples/pki/private/cakey.pem

examples/pki/private/signing_key.pem

examples/pki/private/ssl_key.pem

keystoneclient/client.py

keystoneclient/contrib/ec2/utils.py

keystoneclient/exceptions.py

keystoneclient/middleware/auth_token.py

keystoneclient/openstack/common/jsonutils.py

keystoneclient/openstack/common/timeutils.py

keystoneclient/shell.py

keystoneclient/utils.py

keystoneclient/v2_0/shell.py

keystoneclient/v2_0/users.py

keystoneclient/v3/client.py

keystoneclient/v3/endpoints.py

keystoneclient/v3/groups.py

keystoneclient/v3/projects.py

keystoneclient/v3/roles.py

keystoneclient/v3/users.py

openstack-common.conf

python_keystoneclient.egg-info/PKG-INFO

python_keystoneclient.egg-info/SOURCES.txt

python_keystoneclient.egg-info/requires.txt

run_tests.sh

setup.cfg

setup.py

tests/test_auth_token_middleware.py

tests/test_ec2utils.py

tests/test_http.py

tests/test_service_catalog.py

tests/test_shell.py

tests/v2_0/fakes.py

tests/v2_0/test_auth.py

tests/v2_0/test_tenants.py

tests/v2_0/test_users.py

tools/install_venv.py

tools/install_venv_common.py

tox.ini

Show diffs side-by-side

added added

removed removed

keystoneclient/middleware/auth_token.py

150

import logging

151

import os

152

import stat

153

import tempfile

153

154

import time

154

155

import urllib

155

156

import webob.exc

211

212

cfg.StrOpt('cache', default=None), # env key for the swift cache

212

213

cfg.StrOpt('certfile'),

213

214

cfg.StrOpt('keyfile'),

214

cfg.StrOpt('signing_dir',

215

default=os.path.expanduser('~/keystone-signing')),

215

cfg.StrOpt('signing_dir'),

216

cfg.ListOpt('memcache_servers'),

217

cfg.IntOpt('token_cache_time', default=300),

218

cfg.IntOpt('revocation_cache_time', default=1),

218

219

cfg.StrOpt('memcache_security_strategy', default=None),

219

220

cfg.StrOpt('memcache_secret_key', default=None, secret=True)

220

221

]

291

292

self.cert_file = self._conf_get('certfile')

292

293

self.key_file = self._conf_get('keyfile')

293

294

#signing

295

# signing

295

296

self.signing_dirname = self._conf_get('signing_dir')

297

if self.signing_dirname is None:

298

self.signing_dirname = tempfile.mkdtemp(prefix='keystone-signing-')

296

299

self.LOG.info('Using %s as cache directory for signing certificate' %

297

300

self.signing_dirname)

298

if (os.path.exists(self.signing_dirname) and

299

not os.access(self.signing_dirname, os.W_OK)):

300

raise ConfigurationError("unable to access signing dir %s" %

301

self.signing_dirname)

302

303

if not os.path.exists(self.signing_dirname):

304

os.makedirs(self.signing_dirname)

305

#will throw IOError if it cannot change permissions

306

os.chmod(self.signing_dirname, stat.S_IRWXU)

301

if os.path.exists(self.signing_dirname):

302

if not os.access(self.signing_dirname, os.W_OK):

303

raise ConfigurationError(

304

'unable to access signing_dir %s' % self.signing_dirname)

305

if os.stat(self.signing_dirname).st_uid != os.getuid():

306

self.LOG.warning(

307

'signing_dir is not owned by %s' % os.getlogin())

308

current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode)

309

if current_mode != stat.S_IRWXU:

310

self.LOG.warning(

311

'signing_dir mode is %s instead of %s' %

312

(oct(current_mode), oct(stat.S_IRWXU)))

313

else:

314

os.makedirs(self.signing_dirname, stat.S_IRWXU)

307

315

308

316

val = '%s/signing_cert.pem' % self.signing_dirname

309

317

self.signing_cert_file_name = val

337

345

self.token_cache_time = int(self._conf_get('token_cache_time'))

338

346

self._token_revocation_list = None

339

347

self._token_revocation_list_fetched_time = None

340

cache_timeout = datetime.timedelta(seconds=0)

341

self.token_revocation_list_cache_timeout = cache_timeout

348

self.token_revocation_list_cache_timeout = datetime.timedelta(

349

seconds=self._conf_get('revocation_cache_time'))

342

350

http_connect_timeout_cfg = self._conf_get('http_connect_timeout')

343

351

self.http_connect_timeout = (http_connect_timeout_cfg and

344

352

int(http_connect_timeout_cfg))

689

697

data = json.loads(verified)

690

698

else:

691

699

data = self.verify_uuid_token(user_token, retry)

692

self._cache_put(token_id, data)

700

expires = self._confirm_token_not_expired(data)

701

self._cache_put(token_id, data, expires)

693

702

return data

694

703

except Exception as e:

695

704

self.LOG.debug('Token validation failure.', exc_info=True)

923

932

data_to_store,

924

933

timeout=self.token_cache_time)

925

934

926

def _cache_put(self, token, data):

935

def _confirm_token_not_expired(self, data):

936

if not data:

937

raise InvalidUserToken('Token authorization failed')

938

if self._token_is_v2(data):

939

timestamp = data['access']['token']['expires']

940

elif self._token_is_v3(data):

941

timestamp = data['token']['expires_at']

942

else:

943

raise InvalidUserToken('Token authorization failed')

944

expires = timeutils.parse_isotime(timestamp).strftime('%s')

945

if time.time() >= float(expires):

946

self.LOG.debug('Token expired a %s', timestamp)

947

raise InvalidUserToken('Token authorization failed')

948

return expires

949

950

def _cache_put(self, token, data, expires):

927

951

""" Put token data into the cache.

928

952

929

953

Stores the parsed expire date in cache allowing

930

954

quick check of token freshness on retrieval.

955

931

956

"""

932

if self._cache and data:

933

if self._token_is_v2(data):

934

timestamp = data['access']['token']['expires']

935

elif self._token_is_v3(data):

936

timestamp = data['token']['expires']

937

else:

938

self.LOG.error('invalid token format')

939

return

940

expires = timeutils.parse_isotime(timestamp).strftime('%s')

941

self.LOG.debug('Storing %s token in memcache', token)

942

self._cache_store(token, data, expires)

957

if self._cache:

958

self.LOG.debug('Storing %s token in memcache', token)

959

self._cache_store(token, data, expires)

943

960

944

961

def _cache_store_invalid(self, token):

945

962

"""Store invalid token in cache."""

Older »