diff options
| author | Jenkins <jenkins@review.openstack.org> | 2014-04-24 07:53:05 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2014-04-24 07:53:05 +0000 |
| commit | f1ace5c418cfc08707716fc99495185b020612e0 (patch) | |
| tree | fa645d661b069c2761eeafbf42c483de85818c76 /keystoneclient/middleware | |
| parent | 507af4c0f4bce8a2fe2290edc39e9d5b0296f8f4 (diff) | |
| parent | 8574256f9342faeba2ce64080ab5190023524e0a (diff) | |
| download | python-keystoneclient-f1ace5c418cfc08707716fc99495185b020612e0.tar.gz | |
Merge "Ensure that cached token is not revoked"
Diffstat (limited to 'keystoneclient/middleware')
| -rw-r--r-- | keystoneclient/middleware/auth_token.py | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py index d92610f..dcbb5d7 100644 --- a/keystoneclient/middleware/auth_token.py +++ b/keystoneclient/middleware/auth_token.py @@ -277,7 +277,7 @@ opts = [ ' configurable duration (in seconds). Set to -1 to disable' ' caching completely.'), cfg.IntOpt('revocation_cache_time', - default=300, + default=10, help='Determines the frequency at which the list of revoked' ' tokens is retrieved from the Identity service (in seconds). A' ' high number of revocation events combined with a low cache' @@ -832,7 +832,7 @@ class AuthProtocol(object): raise ServiceError('invalid json response') def _validate_user_token(self, user_token, env, retry=True): - """Authenticate user using PKI + """Authenticate user token :param user_token: user's token id :param retry: Ignored, as it is not longer relevant @@ -847,12 +847,17 @@ class AuthProtocol(object): token_id = cms.cms_hash_token(user_token) cached = self._cache_get(token_id) if cached: - return cached - if cms.is_asn1_token(user_token): + data = cached + elif cms.is_asn1_token(user_token): verified = self.verify_signed_token(user_token) data = jsonutils.loads(verified) else: data = self.verify_uuid_token(user_token, retry) + # A token stored in Memcached might have been revoked + # regardless of initial mechanism used to validate it, + # and needs to be checked. + if self._is_token_id_in_revoked_list(token_id): + raise InvalidUserToken('Token authorization failed') expires = confirm_token_not_expired(data) self._confirm_token_bind(data, env) self._cache_put(token_id, data, expires) @@ -1182,19 +1187,20 @@ class AuthProtocol(object): def is_signed_token_revoked(self, signed_text): """Indicate whether the token appears in the revocation list.""" - revocation_list = self.token_revocation_list - revoked_tokens = revocation_list.get('revoked', []) - if not revoked_tokens: - return - revoked_ids = (x['id'] for x in revoked_tokens) if isinstance(signed_text, six.text_type): signed_text = signed_text.encode('utf-8') token_id = utils.hash_signed_token(signed_text) - for revoked_id in revoked_ids: - if token_id == revoked_id: - self.LOG.debug('Token is marked as having been revoked') - return True - return False + return self._is_token_id_in_revoked_list(token_id) + + def _is_token_id_in_revoked_list(self, token_id): + """Indicate whether the token_id appears in the revocation list.""" + revocation_list = self.token_revocation_list + revoked_tokens = revocation_list.get('revoked', None) + if not revoked_tokens: + return False + + revoked_ids = (x['id'] for x in revoked_tokens) + return token_id in revoked_ids def cms_verify(self, data): """Verifies the signature of the provided data's IAW CMS syntax. |