
Source code changes of the file "keystone/api/_shared/EC2_S3_Resource.py" between
keystone-16.0.0.tar.gz and keystone-16.0.1.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Train" series (latest release).

EC2_S3_Resource.py  (keystone-16.0.0):EC2_S3_Resource.py  (keystone-16.0.1)
skipping to change at line 15 skipping to change at line 15
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
# Unless required by applicable law or agreed to in writing, software # Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
# Common base resource for EC2 and S3 Authentication # Common base resource for EC2 and S3 Authentication
import datetime
import sys import sys
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from oslo_utils import timeutils
import six import six
from werkzeug import exceptions from werkzeug import exceptions
from keystone.common import provider_api from keystone.common import provider_api
from keystone.common import utils from keystone.common import utils
import keystone.conf
from keystone import exception as ks_exceptions from keystone import exception as ks_exceptions
from keystone.i18n import _ from keystone.i18n import _
from keystone.server import flask as ks_flask from keystone.server import flask as ks_flask
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs PROVIDERS = provider_api.ProviderAPIs
CRED_TYPE_EC2 = 'ec2' CRED_TYPE_EC2 = 'ec2'
class ResourceBase(ks_flask.ResourceBase): class ResourceBase(ks_flask.ResourceBase):
def get(self): def get(self):
# SPECIAL CASE: GET is not allowed, raise METHOD_NOT_ALLOWED # SPECIAL CASE: GET is not allowed, raise METHOD_NOT_ALLOWED
raise exceptions.MethodNotAllowed(valid_methods=['POST']) raise exceptions.MethodNotAllowed(valid_methods=['POST'])
@staticmethod @staticmethod
def _check_signature(cred_ref, credentials): def _check_signature(cred_ref, credentials):
# NOTE(morgan): @staticmethod doesn't always play nice with # NOTE(morgan): @staticmethod doesn't always play nice with
# the ABC module. # the ABC module.
raise NotImplementedError() raise NotImplementedError()
@staticmethod
def _check_timestamp(credentials):
timestamp = (
# AWS Signature v1/v2
credentials.get('params', {}).get('Timestamp') or
# AWS Signature v4
credentials.get('headers', {}).get('X-Amz-Date') or
credentials.get('params', {}).get('X-Amz-Date')
)
if not timestamp:
# If the signed payload doesn't include a timestamp then the signer
# must have intentionally left it off
return
try:
timestamp = timeutils.parse_isotime(timestamp)
timestamp = timeutils.normalize_time(timestamp)
except Exception as e:
raise ks_exceptions.Unauthorized(
_('Credential timestamp is invalid: %s') % e)
auth_ttl = datetime.timedelta(minutes=CONF.credential.auth_ttl)
current_time = timeutils.normalize_time(timeutils.utcnow())
if current_time > timestamp + auth_ttl:
raise ks_exceptions.Unauthorized(
_('Credential is expired'))
def handle_authenticate(self): def handle_authenticate(self):
# TODO(morgan): convert this dirty check to JSON Schema validation # TODO(morgan): convert this dirty check to JSON Schema validation
# this mirrors the previous behavior of the webob system where an # this mirrors the previous behavior of the webob system where an
# empty request body for s3 and ec2 tokens would result in a BAD # empty request body for s3 and ec2 tokens would result in a BAD
# REQUEST. Almost all other APIs use JSON Schema and therefore would # REQUEST. Almost all other APIs use JSON Schema and therefore would
# catch this early on. S3 and EC2 did not ever get json schema # catch this early on. S3 and EC2 did not ever get json schema
# implemented for them. # implemented for them.
if not self.request_body_json: if not self.request_body_json:
msg = _('request must include a request body') msg = _('request must include a request body')
raise ks_exceptions.ValidationError(msg) raise ks_exceptions.ValidationError(msg)
skipping to change at line 88 skipping to change at line 117
loaded = jsonutils.loads(cred['blob']) loaded = jsonutils.loads(cred['blob'])
except TypeError: except TypeError:
loaded = cred['blob'] loaded = cred['blob']
# Convert to the legacy format # Convert to the legacy format
cred_data = dict( cred_data = dict(
user_id=cred.get('user_id'), user_id=cred.get('user_id'),
project_id=cred.get('project_id'), project_id=cred.get('project_id'),
access=loaded.get('access'), access=loaded.get('access'),
secret=loaded.get('secret'), secret=loaded.get('secret'),
trust_id=loaded.get('trust_id') trust_id=loaded.get('trust_id'),
app_cred_id=loaded.get('app_cred_id'),
access_token_id=loaded.get('access_token_id')
) )
# validate the signature # validate the signature
self._check_signature(cred_data, credentials) self._check_signature(cred_data, credentials)
project_ref = PROVIDERS.resource_api.get_project( project_ref = PROVIDERS.resource_api.get_project(
cred_data['project_id']) cred_data['project_id'])
user_ref = PROVIDERS.identity_api.get_user(cred_data['user_id']) user_ref = PROVIDERS.identity_api.get_user(cred_data['user_id'])
# validate that the auth info is valid and nothing is disabled # validate that the auth info is valid and nothing is disabled
try: try:
PROVIDERS.identity_api.assert_user_enabled( PROVIDERS.identity_api.assert_user_enabled(
user_id=user_ref['id'], user=user_ref) user_id=user_ref['id'], user=user_ref)
PROVIDERS.resource_api.assert_project_enabled( PROVIDERS.resource_api.assert_project_enabled(
project_id=project_ref['id'], project=project_ref) project_id=project_ref['id'], project=project_ref)
except AssertionError as e: except AssertionError as e:
six.reraise( six.reraise(
ks_exceptions.Unauthorized, ks_exceptions.Unauthorized,
ks_exceptions.Unauthorized(e), ks_exceptions.Unauthorized(e),
sys.exc_info()[2]) sys.exc_info()[2])
roles = PROVIDERS.assignment_api.get_roles_for_user_and_project( self._check_timestamp(credentials)
user_ref['id'], project_ref['id'])
trustee_user_id = None
auth_context = None
if cred_data['trust_id']:
trust = PROVIDERS.trust_api.get_trust(cred_data['trust_id'])
roles = [r['id'] for r in trust['roles']]
# NOTE(cmurphy): if this credential was created using a
# trust-scoped token with impersonation, the user_id will be for
# the trustor, not the trustee. In this case, issuing a
# trust-scoped token to the trustor will fail. In order to get a
# trust-scoped token, use the user ID of the trustee. With
# impersonation, the resulting token will still be for the trustor.
# Without impersonation, the token will be for the trustee.
if trust['impersonation'] is True:
trustee_user_id = trust['trustee_user_id']
elif cred_data['app_cred_id']:
ac_client = PROVIDERS.application_credential_api
app_cred = ac_client.get_application_credential(
cred_data['app_cred_id'])
roles = [r['id'] for r in app_cred['roles']]
elif cred_data['access_token_id']:
access_token = PROVIDERS.oauth_api.get_access_token(
cred_data['access_token_id'])
roles = jsonutils.loads(access_token['role_ids'])
auth_context = {'access_token_id': cred_data['access_token_id']}
else:
roles = PROVIDERS.assignment_api.get_roles_for_user_and_project(
user_ref['id'], project_ref['id'])
if not roles: if not roles:
raise ks_exceptions.Unauthorized(_('User not valid for project.')) raise ks_exceptions.Unauthorized(_('User not valid for project.'))
for r_id in roles: for r_id in roles:
# Assert all roles exist. # Assert all roles exist.
PROVIDERS.role_api.get_role(r_id) PROVIDERS.role_api.get_role(r_id)
method_names = ['ec2credential'] method_names = ['ec2credential']
if trustee_user_id:
user_id = trustee_user_id
else:
user_id = user_ref['id']
token = PROVIDERS.token_provider_api.issue_token( token = PROVIDERS.token_provider_api.issue_token(
user_id=user_ref['id'], method_names=method_names, user_id=user_id, method_names=method_names,
project_id=project_ref['id']) project_id=project_ref['id'],
trust_id=cred_data['trust_id'],
app_cred_id=cred_data['app_cred_id'],
auth_context=auth_context)
return token return token
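Review bot: The new `_check_timestamp` only rejects timestamps that are too old; a timestamp in the future satisfies `current_time > timestamp + auth_ttl` forever, so a signed request stamped with a far-future date stays replayable well beyond `CONF.credential.auth_ttl`. A symmetric bound closes that window: after `current_time` is computed, add `if timestamp > current_time + auth_ttl: raise ks_exceptions.Unauthorized(_('Credential timestamp is in the future'))`. The `except Exception as e` around `parse_isotime`/`normalize_time` is broader than needed and copies the raw parser error into the client-facing Unauthorized message; `except ValueError as e` is the narrow choice, and whether `parse_isotime` accepts the AWS v4 basic-format `X-Amz-Date` (a constructed example: `20190101T000000Z`) is not visible here and is worth pinning in a unit test. The early `return` when no timestamp is present makes the expiry check opt-in for the signer, which the inline comment notes but a method docstring such as `"""Reject a signed request whose timestamp is older than auth_ttl; skipped when the payload carries no timestamp."""` should state for readers of `handle_authenticate`. `handle_authenticate` begins outside the shown hunk (the listing skips from line 77 to 88/117).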
 End of changes. 9 change blocks. 
5 lines changed or deleted 70 lines changed or added
