aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/oauth1
diff options
context:
space:
mode:
authorRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
committerRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
commit920a49cfa055733d575282973e23558c33087a4a (patch)
treed371dab34efa5028600dad2e7ca58063626e7ba4 /keystone-moon/keystone/oauth1
parentef3eefca70d8abb4a00dafb9419ad32738e934b2 (diff)
remove keystone-moon
Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/oauth1')
-rw-r--r--keystone-moon/keystone/oauth1/__init__.py15
-rw-r--r--keystone-moon/keystone/oauth1/backends/__init__.py0
-rw-r--r--keystone-moon/keystone/oauth1/backends/sql.py258
-rw-r--r--keystone-moon/keystone/oauth1/controllers.py409
-rw-r--r--keystone-moon/keystone/oauth1/core.py367
-rw-r--r--keystone-moon/keystone/oauth1/routers.py154
-rw-r--r--keystone-moon/keystone/oauth1/schema.py34
-rw-r--r--keystone-moon/keystone/oauth1/validator.py177
8 files changed, 0 insertions, 1414 deletions
diff --git a/keystone-moon/keystone/oauth1/__init__.py b/keystone-moon/keystone/oauth1/__init__.py
deleted file mode 100644
index ea011f6b..00000000
--- a/keystone-moon/keystone/oauth1/__init__.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.oauth1.core import * # noqa
diff --git a/keystone-moon/keystone/oauth1/backends/__init__.py b/keystone-moon/keystone/oauth1/backends/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/keystone-moon/keystone/oauth1/backends/__init__.py
+++ /dev/null
diff --git a/keystone-moon/keystone/oauth1/backends/sql.py b/keystone-moon/keystone/oauth1/backends/sql.py
deleted file mode 100644
index c5da7873..00000000
--- a/keystone-moon/keystone/oauth1/backends/sql.py
+++ /dev/null
@@ -1,258 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import datetime
-import random as _random
-import uuid
-
-from oslo_serialization import jsonutils
-from oslo_utils import timeutils
-
-from keystone.common import sql
-from keystone.common import utils
-from keystone import exception
-from keystone.i18n import _
-from keystone.oauth1 import core
-
-
-random = _random.SystemRandom()
-
-
-class Consumer(sql.ModelBase, sql.DictBase):
- __tablename__ = 'consumer'
- attributes = ['id', 'description', 'secret']
- id = sql.Column(sql.String(64), primary_key=True, nullable=False)
- description = sql.Column(sql.String(64), nullable=True)
- secret = sql.Column(sql.String(64), nullable=False)
- extra = sql.Column(sql.JsonBlob(), nullable=False)
-
-
-class RequestToken(sql.ModelBase, sql.DictBase):
- __tablename__ = 'request_token'
- attributes = ['id', 'request_secret',
- 'verifier', 'authorizing_user_id', 'requested_project_id',
- 'role_ids', 'consumer_id', 'expires_at']
- id = sql.Column(sql.String(64), primary_key=True, nullable=False)
- request_secret = sql.Column(sql.String(64), nullable=False)
- verifier = sql.Column(sql.String(64), nullable=True)
- authorizing_user_id = sql.Column(sql.String(64), nullable=True)
- requested_project_id = sql.Column(sql.String(64), nullable=False)
- role_ids = sql.Column(sql.Text(), nullable=True)
- consumer_id = sql.Column(sql.String(64), sql.ForeignKey('consumer.id'),
- nullable=False, index=True)
- expires_at = sql.Column(sql.String(64), nullable=True)
-
- @classmethod
- def from_dict(cls, user_dict):
- return cls(**user_dict)
-
- def to_dict(self):
- return dict(self.items())
-
-
-class AccessToken(sql.ModelBase, sql.DictBase):
- __tablename__ = 'access_token'
- attributes = ['id', 'access_secret', 'authorizing_user_id',
- 'project_id', 'role_ids', 'consumer_id',
- 'expires_at']
- id = sql.Column(sql.String(64), primary_key=True, nullable=False)
- access_secret = sql.Column(sql.String(64), nullable=False)
- authorizing_user_id = sql.Column(sql.String(64), nullable=False,
- index=True)
- project_id = sql.Column(sql.String(64), nullable=False)
- role_ids = sql.Column(sql.Text(), nullable=False)
- consumer_id = sql.Column(sql.String(64), sql.ForeignKey('consumer.id'),
- nullable=False)
- expires_at = sql.Column(sql.String(64), nullable=True)
-
- @classmethod
- def from_dict(cls, user_dict):
- return cls(**user_dict)
-
- def to_dict(self):
- return dict(self.items())
-
-
-class OAuth1(core.Oauth1DriverV8):
- def _get_consumer(self, session, consumer_id):
- consumer_ref = session.query(Consumer).get(consumer_id)
- if consumer_ref is None:
- raise exception.NotFound(_('Consumer not found'))
- return consumer_ref
-
- def get_consumer_with_secret(self, consumer_id):
- with sql.session_for_read() as session:
- consumer_ref = self._get_consumer(session, consumer_id)
- return consumer_ref.to_dict()
-
- def get_consumer(self, consumer_id):
- return core.filter_consumer(
- self.get_consumer_with_secret(consumer_id))
-
- def create_consumer(self, consumer_ref):
- with sql.session_for_write() as session:
- consumer = Consumer.from_dict(consumer_ref)
- session.add(consumer)
- return consumer.to_dict()
-
- def _delete_consumer(self, session, consumer_id):
- consumer_ref = self._get_consumer(session, consumer_id)
- session.delete(consumer_ref)
-
- def _delete_request_tokens(self, session, consumer_id):
- q = session.query(RequestToken)
- req_tokens = q.filter_by(consumer_id=consumer_id)
- req_tokens_list = set([x.id for x in req_tokens])
- for token_id in req_tokens_list:
- token_ref = self._get_request_token(session, token_id)
- session.delete(token_ref)
-
- def _delete_access_tokens(self, session, consumer_id):
- q = session.query(AccessToken)
- acc_tokens = q.filter_by(consumer_id=consumer_id)
- acc_tokens_list = set([x.id for x in acc_tokens])
- for token_id in acc_tokens_list:
- token_ref = self._get_access_token(session, token_id)
- session.delete(token_ref)
-
- def delete_consumer(self, consumer_id):
- with sql.session_for_write() as session:
- self._delete_request_tokens(session, consumer_id)
- self._delete_access_tokens(session, consumer_id)
- self._delete_consumer(session, consumer_id)
-
- def list_consumers(self):
- with sql.session_for_read() as session:
- cons = session.query(Consumer)
- return [core.filter_consumer(x.to_dict()) for x in cons]
-
- def update_consumer(self, consumer_id, consumer_ref):
- with sql.session_for_write() as session:
- consumer = self._get_consumer(session, consumer_id)
- old_consumer_dict = consumer.to_dict()
- old_consumer_dict.update(consumer_ref)
- new_consumer = Consumer.from_dict(old_consumer_dict)
- consumer.description = new_consumer.description
- consumer.extra = new_consumer.extra
- return core.filter_consumer(consumer.to_dict())
-
- def create_request_token(self, consumer_id, requested_project,
- request_token_duration):
- request_token_id = uuid.uuid4().hex
- request_token_secret = uuid.uuid4().hex
- expiry_date = None
- if request_token_duration:
- now = timeutils.utcnow()
- future = now + datetime.timedelta(seconds=request_token_duration)
- expiry_date = utils.isotime(future, subsecond=True)
-
- ref = {}
- ref['id'] = request_token_id
- ref['request_secret'] = request_token_secret
- ref['verifier'] = None
- ref['authorizing_user_id'] = None
- ref['requested_project_id'] = requested_project
- ref['role_ids'] = None
- ref['consumer_id'] = consumer_id
- ref['expires_at'] = expiry_date
- with sql.session_for_write() as session:
- token_ref = RequestToken.from_dict(ref)
- session.add(token_ref)
- return token_ref.to_dict()
-
- def _get_request_token(self, session, request_token_id):
- token_ref = session.query(RequestToken).get(request_token_id)
- if token_ref is None:
- raise exception.NotFound(_('Request token not found'))
- return token_ref
-
- def get_request_token(self, request_token_id):
- with sql.session_for_read() as session:
- token_ref = self._get_request_token(session, request_token_id)
- return token_ref.to_dict()
-
- def authorize_request_token(self, request_token_id, user_id,
- role_ids):
- with sql.session_for_write() as session:
- token_ref = self._get_request_token(session, request_token_id)
- token_dict = token_ref.to_dict()
- token_dict['authorizing_user_id'] = user_id
- token_dict['verifier'] = ''.join(random.sample(core.VERIFIER_CHARS,
- 8))
- token_dict['role_ids'] = jsonutils.dumps(role_ids)
-
- new_token = RequestToken.from_dict(token_dict)
- for attr in RequestToken.attributes:
- if (attr == 'authorizing_user_id' or attr == 'verifier'
- or attr == 'role_ids'):
- setattr(token_ref, attr, getattr(new_token, attr))
-
- return token_ref.to_dict()
-
- def create_access_token(self, request_id, access_token_duration):
- access_token_id = uuid.uuid4().hex
- access_token_secret = uuid.uuid4().hex
- with sql.session_for_write() as session:
- req_token_ref = self._get_request_token(session, request_id)
- token_dict = req_token_ref.to_dict()
-
- expiry_date = None
- if access_token_duration:
- now = timeutils.utcnow()
- future = (now +
- datetime.timedelta(seconds=access_token_duration))
- expiry_date = utils.isotime(future, subsecond=True)
-
- # add Access Token
- ref = {}
- ref['id'] = access_token_id
- ref['access_secret'] = access_token_secret
- ref['authorizing_user_id'] = token_dict['authorizing_user_id']
- ref['project_id'] = token_dict['requested_project_id']
- ref['role_ids'] = token_dict['role_ids']
- ref['consumer_id'] = token_dict['consumer_id']
- ref['expires_at'] = expiry_date
- token_ref = AccessToken.from_dict(ref)
- session.add(token_ref)
-
- # remove request token, it's been used
- session.delete(req_token_ref)
-
- return token_ref.to_dict()
-
- def _get_access_token(self, session, access_token_id):
- token_ref = session.query(AccessToken).get(access_token_id)
- if token_ref is None:
- raise exception.NotFound(_('Access token not found'))
- return token_ref
-
- def get_access_token(self, access_token_id):
- with sql.session_for_read() as session:
- token_ref = self._get_access_token(session, access_token_id)
- return token_ref.to_dict()
-
- def list_access_tokens(self, user_id):
- with sql.session_for_read() as session:
- q = session.query(AccessToken)
- user_auths = q.filter_by(authorizing_user_id=user_id)
- return [core.filter_token(x.to_dict()) for x in user_auths]
-
- def delete_access_token(self, user_id, access_token_id):
- with sql.session_for_write() as session:
- token_ref = self._get_access_token(session, access_token_id)
- token_dict = token_ref.to_dict()
- if token_dict['authorizing_user_id'] != user_id:
- raise exception.Unauthorized(_('User IDs do not match'))
-
- session.delete(token_ref)
diff --git a/keystone-moon/keystone/oauth1/controllers.py b/keystone-moon/keystone/oauth1/controllers.py
deleted file mode 100644
index 489bb4c7..00000000
--- a/keystone-moon/keystone/oauth1/controllers.py
+++ /dev/null
@@ -1,409 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Extensions supporting OAuth1."""
-
-from oslo_config import cfg
-from oslo_serialization import jsonutils
-from oslo_utils import timeutils
-
-from keystone.common import controller
-from keystone.common import dependency
-from keystone.common import utils
-from keystone.common import validation
-from keystone.common import wsgi
-from keystone import exception
-from keystone.i18n import _
-from keystone import notifications
-from keystone.oauth1 import core as oauth1
-from keystone.oauth1 import schema
-from keystone.oauth1 import validator
-
-
-CONF = cfg.CONF
-
-
-def _emit_user_oauth_consumer_token_invalidate(payload):
- # This is a special case notification that expect the payload to be a dict
- # containing the user_id and the consumer_id. This is so that the token
- # provider can invalidate any tokens in the token persistence if
- # token persistence is enabled
- notifications.Audit.internal(
- notifications.INVALIDATE_USER_OAUTH_CONSUMER_TOKENS,
- payload,
- )
-
-
-@dependency.requires('oauth_api', 'token_provider_api')
-class ConsumerCrudV3(controller.V3Controller):
- collection_name = 'consumers'
- member_name = 'consumer'
-
- @classmethod
- def base_url(cls, context, path=None):
- """Construct a path and pass it to V3Controller.base_url method."""
- # NOTE(stevemar): Overriding path to /OS-OAUTH1/consumers so that
- # V3Controller.base_url handles setting the self link correctly.
- path = '/OS-OAUTH1/' + cls.collection_name
- return controller.V3Controller.base_url(context, path=path)
-
- @controller.protected()
- @validation.validated(schema.consumer_create, 'consumer')
- def create_consumer(self, context, consumer):
- ref = self._assign_unique_id(self._normalize_dict(consumer))
- initiator = notifications._get_request_audit_info(context)
- consumer_ref = self.oauth_api.create_consumer(ref, initiator)
- return ConsumerCrudV3.wrap_member(context, consumer_ref)
-
- @controller.protected()
- @validation.validated(schema.consumer_update, 'consumer')
- def update_consumer(self, context, consumer_id, consumer):
- self._require_matching_id(consumer_id, consumer)
- ref = self._normalize_dict(consumer)
- initiator = notifications._get_request_audit_info(context)
- ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
- return ConsumerCrudV3.wrap_member(context, ref)
-
- @controller.protected()
- def list_consumers(self, context):
- ref = self.oauth_api.list_consumers()
- return ConsumerCrudV3.wrap_collection(context, ref)
-
- @controller.protected()
- def get_consumer(self, context, consumer_id):
- ref = self.oauth_api.get_consumer(consumer_id)
- return ConsumerCrudV3.wrap_member(context, ref)
-
- @controller.protected()
- def delete_consumer(self, context, consumer_id):
- user_token_ref = utils.get_token_ref(context)
- payload = {'user_id': user_token_ref.user_id,
- 'consumer_id': consumer_id}
- _emit_user_oauth_consumer_token_invalidate(payload)
- initiator = notifications._get_request_audit_info(context)
- self.oauth_api.delete_consumer(consumer_id, initiator)
-
-
-@dependency.requires('oauth_api')
-class AccessTokenCrudV3(controller.V3Controller):
- collection_name = 'access_tokens'
- member_name = 'access_token'
-
- @classmethod
- def _add_self_referential_link(cls, context, ref):
- # NOTE(lwolf): overriding method to add proper path to self link
- ref.setdefault('links', {})
- path = '/users/%(user_id)s/OS-OAUTH1/access_tokens' % {
- 'user_id': cls._get_user_id(ref)
- }
- ref['links']['self'] = cls.base_url(context, path) + '/' + ref['id']
-
- @controller.protected()
- def get_access_token(self, context, user_id, access_token_id):
- access_token = self.oauth_api.get_access_token(access_token_id)
- if access_token['authorizing_user_id'] != user_id:
- raise exception.NotFound()
- access_token = self._format_token_entity(context, access_token)
- return AccessTokenCrudV3.wrap_member(context, access_token)
-
- @controller.protected()
- def list_access_tokens(self, context, user_id):
- auth_context = context.get('environment',
- {}).get('KEYSTONE_AUTH_CONTEXT', {})
- if auth_context.get('is_delegated_auth'):
- raise exception.Forbidden(
- _('Cannot list request tokens'
- ' with a token issued via delegation.'))
- refs = self.oauth_api.list_access_tokens(user_id)
- formatted_refs = ([self._format_token_entity(context, x)
- for x in refs])
- return AccessTokenCrudV3.wrap_collection(context, formatted_refs)
-
- @controller.protected()
- def delete_access_token(self, context, user_id, access_token_id):
- access_token = self.oauth_api.get_access_token(access_token_id)
- consumer_id = access_token['consumer_id']
- payload = {'user_id': user_id, 'consumer_id': consumer_id}
- _emit_user_oauth_consumer_token_invalidate(payload)
- initiator = notifications._get_request_audit_info(context)
- return self.oauth_api.delete_access_token(
- user_id, access_token_id, initiator)
-
- @staticmethod
- def _get_user_id(entity):
- return entity.get('authorizing_user_id', '')
-
- def _format_token_entity(self, context, entity):
-
- formatted_entity = entity.copy()
- access_token_id = formatted_entity['id']
- user_id = self._get_user_id(formatted_entity)
- if 'role_ids' in entity:
- formatted_entity.pop('role_ids')
- if 'access_secret' in entity:
- formatted_entity.pop('access_secret')
-
- url = ('/users/%(user_id)s/OS-OAUTH1/access_tokens/%(access_token_id)s'
- '/roles' % {'user_id': user_id,
- 'access_token_id': access_token_id})
-
- formatted_entity.setdefault('links', {})
- formatted_entity['links']['roles'] = (self.base_url(context, url))
-
- return formatted_entity
-
-
-@dependency.requires('oauth_api', 'role_api')
-class AccessTokenRolesV3(controller.V3Controller):
- collection_name = 'roles'
- member_name = 'role'
-
- @controller.protected()
- def list_access_token_roles(self, context, user_id, access_token_id):
- access_token = self.oauth_api.get_access_token(access_token_id)
- if access_token['authorizing_user_id'] != user_id:
- raise exception.NotFound()
- authed_role_ids = access_token['role_ids']
- authed_role_ids = jsonutils.loads(authed_role_ids)
- refs = ([self._format_role_entity(x) for x in authed_role_ids])
- return AccessTokenRolesV3.wrap_collection(context, refs)
-
- @controller.protected()
- def get_access_token_role(self, context, user_id,
- access_token_id, role_id):
- access_token = self.oauth_api.get_access_token(access_token_id)
- if access_token['authorizing_user_id'] != user_id:
- raise exception.Unauthorized(_('User IDs do not match'))
- authed_role_ids = access_token['role_ids']
- authed_role_ids = jsonutils.loads(authed_role_ids)
- for authed_role_id in authed_role_ids:
- if authed_role_id == role_id:
- role = self._format_role_entity(role_id)
- return AccessTokenRolesV3.wrap_member(context, role)
- raise exception.RoleNotFound(role_id=role_id)
-
- def _format_role_entity(self, role_id):
- role = self.role_api.get_role(role_id)
- formatted_entity = role.copy()
- if 'description' in role:
- formatted_entity.pop('description')
- if 'enabled' in role:
- formatted_entity.pop('enabled')
- return formatted_entity
-
-
-@dependency.requires('assignment_api', 'oauth_api',
- 'resource_api', 'token_provider_api')
-class OAuthControllerV3(controller.V3Controller):
- collection_name = 'not_used'
- member_name = 'not_used'
-
- def create_request_token(self, context):
- headers = context['headers']
- oauth_headers = oauth1.get_oauth_headers(headers)
- consumer_id = oauth_headers.get('oauth_consumer_key')
- requested_project_id = headers.get('Requested-Project-Id')
-
- if not consumer_id:
- raise exception.ValidationError(
- attribute='oauth_consumer_key', target='request')
- if not requested_project_id:
- raise exception.ValidationError(
- attribute='requested_project_id', target='request')
-
- # NOTE(stevemar): Ensure consumer and requested project exist
- self.resource_api.get_project(requested_project_id)
- self.oauth_api.get_consumer(consumer_id)
-
- url = self.base_url(context, context['path'])
-
- req_headers = {'Requested-Project-Id': requested_project_id}
- req_headers.update(headers)
- request_verifier = oauth1.RequestTokenEndpoint(
- request_validator=validator.OAuthValidator(),
- token_generator=oauth1.token_generator)
- h, b, s = request_verifier.create_request_token_response(
- url,
- http_method='POST',
- body=context['query_string'],
- headers=req_headers)
-
- if (not b) or int(s) > 399:
- msg = _('Invalid signature')
- raise exception.Unauthorized(message=msg)
-
- request_token_duration = CONF.oauth1.request_token_duration
- initiator = notifications._get_request_audit_info(context)
- token_ref = self.oauth_api.create_request_token(consumer_id,
- requested_project_id,
- request_token_duration,
- initiator)
-
- result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
- % {'key': token_ref['id'],
- 'secret': token_ref['request_secret']})
-
- if CONF.oauth1.request_token_duration:
- expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
- result += expiry_bit
-
- headers = [('Content-Type', 'application/x-www-urlformencoded')]
- response = wsgi.render_response(result,
- status=(201, 'Created'),
- headers=headers)
-
- return response
-
- def create_access_token(self, context):
- headers = context['headers']
- oauth_headers = oauth1.get_oauth_headers(headers)
- consumer_id = oauth_headers.get('oauth_consumer_key')
- request_token_id = oauth_headers.get('oauth_token')
- oauth_verifier = oauth_headers.get('oauth_verifier')
-
- if not consumer_id:
- raise exception.ValidationError(
- attribute='oauth_consumer_key', target='request')
- if not request_token_id:
- raise exception.ValidationError(
- attribute='oauth_token', target='request')
- if not oauth_verifier:
- raise exception.ValidationError(
- attribute='oauth_verifier', target='request')
-
- req_token = self.oauth_api.get_request_token(
- request_token_id)
-
- expires_at = req_token['expires_at']
- if expires_at:
- now = timeutils.utcnow()
- expires = timeutils.normalize_time(
- timeutils.parse_isotime(expires_at))
- if now > expires:
- raise exception.Unauthorized(_('Request token is expired'))
-
- url = self.base_url(context, context['path'])
-
- access_verifier = oauth1.AccessTokenEndpoint(
- request_validator=validator.OAuthValidator(),
- token_generator=oauth1.token_generator)
- h, b, s = access_verifier.create_access_token_response(
- url,
- http_method='POST',
- body=context['query_string'],
- headers=headers)
- params = oauth1.extract_non_oauth_params(b)
- if params:
- msg = _('There should not be any non-oauth parameters')
- raise exception.Unauthorized(message=msg)
-
- if req_token['consumer_id'] != consumer_id:
- msg = _('provided consumer key does not match stored consumer key')
- raise exception.Unauthorized(message=msg)
-
- if req_token['verifier'] != oauth_verifier:
- msg = _('provided verifier does not match stored verifier')
- raise exception.Unauthorized(message=msg)
-
- if req_token['id'] != request_token_id:
- msg = _('provided request key does not match stored request key')
- raise exception.Unauthorized(message=msg)
-
- if not req_token.get('authorizing_user_id'):
- msg = _('Request Token does not have an authorizing user id')
- raise exception.Unauthorized(message=msg)
-
- access_token_duration = CONF.oauth1.access_token_duration
- initiator = notifications._get_request_audit_info(context)
- token_ref = self.oauth_api.create_access_token(request_token_id,
- access_token_duration,
- initiator)
-
- result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
- % {'key': token_ref['id'],
- 'secret': token_ref['access_secret']})
-
- if CONF.oauth1.access_token_duration:
- expiry_bit = '&oauth_expires_at=%s' % (token_ref['expires_at'])
- result += expiry_bit
-
- headers = [('Content-Type', 'application/x-www-urlformencoded')]
- response = wsgi.render_response(result,
- status=(201, 'Created'),
- headers=headers)
-
- return response
-
- @controller.protected()
- def authorize_request_token(self, context, request_token_id, roles):
- """An authenticated user is going to authorize a request token.
-
- As a security precaution, the requested roles must match those in
- the request token. Because this is in a CLI-only world at the moment,
- there is not another easy way to make sure the user knows which roles
- are being requested before authorizing.
- """
- auth_context = context.get('environment',
- {}).get('KEYSTONE_AUTH_CONTEXT', {})
- if auth_context.get('is_delegated_auth'):
- raise exception.Forbidden(
- _('Cannot authorize a request token'
- ' with a token issued via delegation.'))
-
- req_token = self.oauth_api.get_request_token(request_token_id)
-
- expires_at = req_token['expires_at']
- if expires_at:
- now = timeutils.utcnow()
- expires = timeutils.normalize_time(
- timeutils.parse_isotime(expires_at))
- if now > expires:
- raise exception.Unauthorized(_('Request token is expired'))
-
- # put the roles in a set for easy comparison
- authed_roles = set()
- for role in roles:
- authed_roles.add(role['id'])
-
- # verify the authorizing user has the roles
- user_token = utils.get_token_ref(context)
- user_id = user_token.user_id
- project_id = req_token['requested_project_id']
- user_roles = self.assignment_api.get_roles_for_user_and_project(
- user_id, project_id)
- cred_set = set(user_roles)
-
- if not cred_set.issuperset(authed_roles):
- msg = _('authorizing user does not have role required')
- raise exception.Unauthorized(message=msg)
-
- # create list of just the id's for the backend
- role_ids = list(authed_roles)
-
- # verify the user has the project too
- req_project_id = req_token['requested_project_id']
- user_projects = self.assignment_api.list_projects_for_user(user_id)
- for user_project in user_projects:
- if user_project['id'] == req_project_id:
- break
- else:
- msg = _("User is not a member of the requested project")
- raise exception.Unauthorized(message=msg)
-
- # finally authorize the token
- authed_token = self.oauth_api.authorize_request_token(
- request_token_id, user_id, role_ids)
-
- to_return = {'token': {'oauth_verifier': authed_token['verifier']}}
- return to_return
diff --git a/keystone-moon/keystone/oauth1/core.py b/keystone-moon/keystone/oauth1/core.py
deleted file mode 100644
index 2e52aefe..00000000
--- a/keystone-moon/keystone/oauth1/core.py
+++ /dev/null
@@ -1,367 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Main entry point into the OAuth1 service."""
-
-from __future__ import absolute_import
-
-import abc
-import string
-import uuid
-
-import oauthlib.common
-from oauthlib import oauth1
-from oslo_config import cfg
-from oslo_log import log
-import six
-
-from keystone.common import dependency
-from keystone.common import extension
-from keystone.common import manager
-from keystone import exception
-from keystone.i18n import _LE
-from keystone import notifications
-
-
-RequestValidator = oauth1.RequestValidator
-Client = oauth1.Client
-AccessTokenEndpoint = oauth1.AccessTokenEndpoint
-ResourceEndpoint = oauth1.ResourceEndpoint
-AuthorizationEndpoint = oauth1.AuthorizationEndpoint
-SIG_HMAC = oauth1.SIGNATURE_HMAC
-RequestTokenEndpoint = oauth1.RequestTokenEndpoint
-oRequest = oauthlib.common.Request
-# The characters used to generate verifiers are limited to alphanumerical
-# values for ease of manual entry. Commonly confused characters are omitted.
-VERIFIER_CHARS = string.ascii_letters + string.digits
-CONFUSED_CHARS = 'jiIl1oO0'
-VERIFIER_CHARS = ''.join(c for c in VERIFIER_CHARS if c not in CONFUSED_CHARS)
-
-
-class Token(object):
- def __init__(self, key, secret):
- self.key = key
- self.secret = secret
- self.verifier = None
-
- def set_verifier(self, verifier):
- self.verifier = verifier
-
-
-CONF = cfg.CONF
-LOG = log.getLogger(__name__)
-
-
-def token_generator(*args, **kwargs):
- return uuid.uuid4().hex
-
-
-EXTENSION_DATA = {
- 'name': 'OpenStack OAUTH1 API',
- 'namespace': 'http://docs.openstack.org/identity/api/ext/'
- 'OS-OAUTH1/v1.0',
- 'alias': 'OS-OAUTH1',
- 'updated': '2013-07-07T12:00:0-00:00',
- 'description': 'OpenStack OAuth 1.0a Delegated Auth Mechanism.',
- 'links': [
- {
- 'rel': 'describedby',
- 'type': 'text/html',
- 'href': 'http://specs.openstack.org/openstack/keystone-specs/api/'
- 'v3/identity-api-v3-os-oauth1-ext.html',
- }
- ]}
-extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
-extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
-
-
-def filter_consumer(consumer_ref):
- """Filter out private items in a consumer dict.
-
- 'secret' is never returned.
-
- :returns: consumer_ref
-
- """
- if consumer_ref:
- consumer_ref = consumer_ref.copy()
- consumer_ref.pop('secret', None)
- return consumer_ref
-
-
-def filter_token(access_token_ref):
- """Filter out private items in an access token dict.
-
- 'access_secret' is never returned.
-
- :returns: access_token_ref
-
- """
- if access_token_ref:
- access_token_ref = access_token_ref.copy()
- access_token_ref.pop('access_secret', None)
- return access_token_ref
-
-
-def get_oauth_headers(headers):
- parameters = {}
-
- # The incoming headers variable is your usual heading from context
- # In an OAuth signed req, where the oauth variables are in the header,
- # they with the key 'Authorization'.
-
- if headers and 'Authorization' in headers:
- # A typical value for Authorization is seen below
- # 'OAuth realm="", oauth_body_hash="2jm%3D", oauth_nonce="14475435"
- # along with other oauth variables, the 'OAuth ' part is trimmed
- # to split the rest of the headers.
-
- auth_header = headers['Authorization']
- params = oauth1.rfc5849.utils.parse_authorization_header(auth_header)
- parameters.update(dict(params))
- return parameters
- else:
- msg = _LE('Cannot retrieve Authorization headers')
- LOG.error(msg)
- raise exception.OAuthHeadersMissingError()
-
-
-def extract_non_oauth_params(query_string):
- params = oauthlib.common.extract_params(query_string)
- return {k: v for k, v in params if not k.startswith('oauth_')}
-
-
-@dependency.provider('oauth_api')
-class Manager(manager.Manager):
- """Default pivot point for the OAuth1 backend.
-
- See :mod:`keystone.common.manager.Manager` for more details on how this
- dynamically calls the backend.
-
- """
-
- driver_namespace = 'keystone.oauth1'
-
- _ACCESS_TOKEN = "OS-OAUTH1:access_token"
- _REQUEST_TOKEN = "OS-OAUTH1:request_token"
- _CONSUMER = "OS-OAUTH1:consumer"
-
- def __init__(self):
- super(Manager, self).__init__(CONF.oauth1.driver)
-
- def create_consumer(self, consumer_ref, initiator=None):
- consumer_ref = consumer_ref.copy()
- consumer_ref['secret'] = uuid.uuid4().hex
- ret = self.driver.create_consumer(consumer_ref)
- notifications.Audit.created(self._CONSUMER, ret['id'], initiator)
- return ret
-
- def update_consumer(self, consumer_id, consumer_ref, initiator=None):
- ret = self.driver.update_consumer(consumer_id, consumer_ref)
- notifications.Audit.updated(self._CONSUMER, consumer_id, initiator)
- return ret
-
- def delete_consumer(self, consumer_id, initiator=None):
- ret = self.driver.delete_consumer(consumer_id)
- notifications.Audit.deleted(self._CONSUMER, consumer_id, initiator)
- return ret
-
- def create_access_token(self, request_id, access_token_duration,
- initiator=None):
- ret = self.driver.create_access_token(request_id,
- access_token_duration)
- notifications.Audit.created(self._ACCESS_TOKEN, ret['id'], initiator)
- return ret
-
- def delete_access_token(self, user_id, access_token_id, initiator=None):
- ret = self.driver.delete_access_token(user_id, access_token_id)
- notifications.Audit.deleted(self._ACCESS_TOKEN, access_token_id,
- initiator)
- return ret
-
- def create_request_token(self, consumer_id, requested_project,
- request_token_duration, initiator=None):
- ret = self.driver.create_request_token(
- consumer_id, requested_project, request_token_duration)
- notifications.Audit.created(self._REQUEST_TOKEN, ret['id'],
- initiator)
- return ret
-
-
-@six.add_metaclass(abc.ABCMeta)
-class Oauth1DriverV8(object):
- """Interface description for an OAuth1 driver."""
-
- @abc.abstractmethod
- def create_consumer(self, consumer_ref):
- """Create consumer.
-
- :param consumer_ref: consumer ref with consumer name
- :type consumer_ref: dict
- :returns: consumer_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def update_consumer(self, consumer_id, consumer_ref):
- """Update consumer.
-
- :param consumer_id: id of consumer to update
- :type consumer_id: string
- :param consumer_ref: new consumer ref with consumer name
- :type consumer_ref: dict
- :returns: consumer_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def list_consumers(self):
- """List consumers.
-
- :returns: list of consumers
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def get_consumer(self, consumer_id):
- """Get consumer, returns the consumer id (key) and description.
-
- :param consumer_id: id of consumer to get
- :type consumer_id: string
- :returns: consumer_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def get_consumer_with_secret(self, consumer_id):
- """Like get_consumer(), but also returns consumer secret.
-
- Returned dictionary consumer_ref includes consumer secret.
- Secrets should only be shared upon consumer creation; the
- consumer secret is required to verify incoming OAuth requests.
-
- :param consumer_id: id of consumer to get
- :type consumer_id: string
- :returns: consumer_ref containing consumer secret
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def delete_consumer(self, consumer_id):
- """Delete consumer.
-
- :param consumer_id: id of consumer to get
- :type consumer_id: string
- :returns: None.
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def list_access_tokens(self, user_id):
- """List access tokens.
-
- :param user_id: search for access tokens authorized by given user id
- :type user_id: string
- :returns: list of access tokens the user has authorized
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def delete_access_token(self, user_id, access_token_id):
- """Delete access token.
-
- :param user_id: authorizing user id
- :type user_id: string
- :param access_token_id: access token to delete
- :type access_token_id: string
- :returns: None
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def create_request_token(self, consumer_id, requested_project,
- request_token_duration):
- """Create request token.
-
- :param consumer_id: the id of the consumer
- :type consumer_id: string
- :param requested_project_id: requested project id
- :type requested_project_id: string
- :param request_token_duration: duration of request token
- :type request_token_duration: string
- :returns: request_token_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def get_request_token(self, request_token_id):
- """Get request token.
-
- :param request_token_id: the id of the request token
- :type request_token_id: string
- :returns: request_token_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def get_access_token(self, access_token_id):
- """Get access token.
-
- :param access_token_id: the id of the access token
- :type access_token_id: string
- :returns: access_token_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def authorize_request_token(self, request_token_id, user_id, role_ids):
- """Authorize request token.
-
- :param request_token_id: the id of the request token, to be authorized
- :type request_token_id: string
- :param user_id: the id of the authorizing user
- :type user_id: string
- :param role_ids: list of role ids to authorize
- :type role_ids: list
- :returns: verifier
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def create_access_token(self, request_id, access_token_duration):
- """Create access token.
-
- :param request_id: the id of the request token, to be deleted
- :type request_id: string
- :param access_token_duration: duration of an access token
- :type access_token_duration: string
- :returns: access_token_ref
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
-
-Driver = manager.create_legacy_driver(Oauth1DriverV8)
diff --git a/keystone-moon/keystone/oauth1/routers.py b/keystone-moon/keystone/oauth1/routers.py
deleted file mode 100644
index 0575b107..00000000
--- a/keystone-moon/keystone/oauth1/routers.py
+++ /dev/null
@@ -1,154 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import functools
-
-from keystone.common import json_home
-from keystone.common import wsgi
-from keystone.oauth1 import controllers
-
-
-build_resource_relation = functools.partial(
- json_home.build_v3_extension_resource_relation,
- extension_name='OS-OAUTH1', extension_version='1.0')
-
-build_parameter_relation = functools.partial(
- json_home.build_v3_extension_parameter_relation,
- extension_name='OS-OAUTH1', extension_version='1.0')
-
-ACCESS_TOKEN_ID_PARAMETER_RELATION = build_parameter_relation(
- parameter_name='access_token_id')
-
-
-class Routers(wsgi.RoutersBase):
- """API Endpoints for the OAuth1 extension.
-
- The goal of this extension is to allow third-party service providers
- to acquire tokens with a limited subset of a user's roles for acting
- on behalf of that user. This is done using an oauth-similar flow and
- api.
-
- The API looks like::
-
- # Basic admin-only consumer crud
- POST /OS-OAUTH1/consumers
- GET /OS-OAUTH1/consumers
- PATCH /OS-OAUTH1/consumers/{consumer_id}
- GET /OS-OAUTH1/consumers/{consumer_id}
- DELETE /OS-OAUTH1/consumers/{consumer_id}
-
- # User access token crud
- GET /users/{user_id}/OS-OAUTH1/access_tokens
- GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
- GET /users/{user_id}/OS-OAUTH1/access_tokens
- /{access_token_id}/roles/{role_id}
- DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
-
- # OAuth interfaces
- POST /OS-OAUTH1/request_token # create a request token
- PUT /OS-OAUTH1/authorize # authorize a request token
- POST /OS-OAUTH1/access_token # create an access token
-
- """
-
- def append_v3_routers(self, mapper, routers):
- consumer_controller = controllers.ConsumerCrudV3()
- access_token_controller = controllers.AccessTokenCrudV3()
- access_token_roles_controller = controllers.AccessTokenRolesV3()
- oauth_controller = controllers.OAuthControllerV3()
-
- # basic admin-only consumer crud
- self._add_resource(
- mapper, consumer_controller,
- path='/OS-OAUTH1/consumers',
- get_action='list_consumers',
- post_action='create_consumer',
- rel=build_resource_relation(resource_name='consumers'))
- self._add_resource(
- mapper, consumer_controller,
- path='/OS-OAUTH1/consumers/{consumer_id}',
- get_action='get_consumer',
- patch_action='update_consumer',
- delete_action='delete_consumer',
- rel=build_resource_relation(resource_name='consumer'),
- path_vars={
- 'consumer_id':
- build_parameter_relation(parameter_name='consumer_id'),
- })
-
- # user access token crud
- self._add_resource(
- mapper, access_token_controller,
- path='/users/{user_id}/OS-OAUTH1/access_tokens',
- get_action='list_access_tokens',
- rel=build_resource_relation(resource_name='user_access_tokens'),
- path_vars={
- 'user_id': json_home.Parameters.USER_ID,
- })
- self._add_resource(
- mapper, access_token_controller,
- path='/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}',
- get_action='get_access_token',
- delete_action='delete_access_token',
- rel=build_resource_relation(resource_name='user_access_token'),
- path_vars={
- 'access_token_id': ACCESS_TOKEN_ID_PARAMETER_RELATION,
- 'user_id': json_home.Parameters.USER_ID,
- })
- self._add_resource(
- mapper, access_token_roles_controller,
- path='/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/'
- 'roles',
- get_action='list_access_token_roles',
- rel=build_resource_relation(
- resource_name='user_access_token_roles'),
- path_vars={
- 'access_token_id': ACCESS_TOKEN_ID_PARAMETER_RELATION,
- 'user_id': json_home.Parameters.USER_ID,
- })
- self._add_resource(
- mapper, access_token_roles_controller,
- path='/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/'
- 'roles/{role_id}',
- get_action='get_access_token_role',
- rel=build_resource_relation(
- resource_name='user_access_token_role'),
- path_vars={
- 'access_token_id': ACCESS_TOKEN_ID_PARAMETER_RELATION,
- 'role_id': json_home.Parameters.ROLE_ID,
- 'user_id': json_home.Parameters.USER_ID,
- })
-
- # oauth flow calls
- self._add_resource(
- mapper, oauth_controller,
- path='/OS-OAUTH1/request_token',
- post_action='create_request_token',
- rel=build_resource_relation(resource_name='request_tokens'))
- self._add_resource(
- mapper, oauth_controller,
- path='/OS-OAUTH1/access_token',
- post_action='create_access_token',
- rel=build_resource_relation(resource_name='access_tokens'))
- self._add_resource(
- mapper, oauth_controller,
- path='/OS-OAUTH1/authorize/{request_token_id}',
- path_vars={
- 'request_token_id':
- build_parameter_relation(parameter_name='request_token_id')
- },
- put_action='authorize_request_token',
- rel=build_resource_relation(
- resource_name='authorize_request_token'))
diff --git a/keystone-moon/keystone/oauth1/schema.py b/keystone-moon/keystone/oauth1/schema.py
deleted file mode 100644
index 51c11afe..00000000
--- a/keystone-moon/keystone/oauth1/schema.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.common import validation
-from keystone.common.validation import parameter_types
-
-_consumer_properties = {
- 'description': validation.nullable(parameter_types.description)
-}
-
-consumer_create = {
- 'type': 'object',
- 'properties': _consumer_properties,
- 'additionalProperties': True
-}
-
-consumer_update = {
- 'type': 'object',
- 'properties': _consumer_properties,
- 'not': {
- 'required': ['secret']
- },
- 'minProperties': 1,
- 'additionalProperties': True
-}
diff --git a/keystone-moon/keystone/oauth1/validator.py b/keystone-moon/keystone/oauth1/validator.py
deleted file mode 100644
index f21a02d7..00000000
--- a/keystone-moon/keystone/oauth1/validator.py
+++ /dev/null
@@ -1,177 +0,0 @@
-# Copyright 2014 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""oAuthlib request validator."""
-
-import six
-
-from keystone.common import dependency
-from keystone import exception
-from keystone.oauth1 import core as oauth1
-
-
-METHOD_NAME = 'oauth_validator'
-
-
-@dependency.requires('oauth_api')
-class OAuthValidator(oauth1.RequestValidator):
-
- # TODO(mhu) set as option probably?
- @property
- def enforce_ssl(self):
- return False
-
- @property
- def safe_characters(self):
- # oauth tokens are generated from a uuid hex value
- return set("abcdef0123456789")
-
- def _check_token(self, token):
- # generic token verification when they're obtained from a uuid hex
- return (set(token) <= self.safe_characters and
- len(token) == 32)
-
- def check_client_key(self, client_key):
- return self._check_token(client_key)
-
- def check_request_token(self, request_token):
- return self._check_token(request_token)
-
- def check_access_token(self, access_token):
- return self._check_token(access_token)
-
- def check_nonce(self, nonce):
- # Assuming length is not a concern
- return set(nonce) <= self.safe_characters
-
- def check_verifier(self, verifier):
- return (all(i in oauth1.VERIFIER_CHARS for i in verifier) and
- len(verifier) == 8)
-
- def get_client_secret(self, client_key, request):
- client = self.oauth_api.get_consumer_with_secret(client_key)
- return client['secret']
-
- def get_request_token_secret(self, client_key, token, request):
- token_ref = self.oauth_api.get_request_token(token)
- return token_ref['request_secret']
-
- def get_access_token_secret(self, client_key, token, request):
- access_token = self.oauth_api.get_access_token(token)
- return access_token['access_secret']
-
- def get_default_realms(self, client_key, request):
- # realms weren't implemented with the previous library
- return []
-
- def get_realms(self, token, request):
- return []
-
- def get_redirect_uri(self, token, request):
- # OOB (out of band) is supposed to be the default value to use
- return 'oob'
-
- def get_rsa_key(self, client_key, request):
- # HMAC signing is used, so return a dummy value
- return ''
-
- def invalidate_request_token(self, client_key, request_token, request):
- # this method is invoked when an access token is generated out of a
- # request token, to make sure that request token cannot be consumed
- # anymore. This is done in the backend, so we do nothing here.
- pass
-
- def validate_client_key(self, client_key, request):
- try:
- return self.oauth_api.get_consumer(client_key) is not None
- except exception.NotFound:
- return False
-
- def validate_request_token(self, client_key, token, request):
- try:
- return self.oauth_api.get_request_token(token) is not None
- except exception.NotFound:
- return False
-
- def validate_access_token(self, client_key, token, request):
- try:
- return self.oauth_api.get_access_token(token) is not None
- except exception.NotFound:
- return False
-
- def validate_timestamp_and_nonce(self,
- client_key,
- timestamp,
- nonce,
- request,
- request_token=None,
- access_token=None):
- return True
-
- def validate_redirect_uri(self, client_key, redirect_uri, request):
- # we expect OOB, we don't really care
- return True
-
- def validate_requested_realms(self, client_key, realms, request):
- # realms are not used
- return True
-
- def validate_realms(self,
- client_key,
- token,
- request,
- uri=None,
- realms=None):
- return True
-
- def validate_verifier(self, client_key, token, verifier, request):
- try:
- req_token = self.oauth_api.get_request_token(token)
- return req_token['verifier'] == verifier
- except exception.NotFound:
- return False
-
- def verify_request_token(self, token, request):
- # there aren't strong expectations on the request token format
- return isinstance(token, six.string_types)
-
- def verify_realms(self, token, realms, request):
- return True
-
- # The following save_XXX methods are called to create tokens. I chose to
- # keep the original logic, but the comments below show how that could be
- # implemented. The real implementation logic is in the backend.
- def save_access_token(self, token, request):
- pass
-# token_duration = CONF.oauth1.request_token_duration
-# request_token_id = request.client_key
-# self.oauth_api.create_access_token(request_token_id,
-# token_duration,
-# token["oauth_token"],
-# token["oauth_token_secret"])
-
- def save_request_token(self, token, request):
- pass
-# project_id = request.headers.get('Requested-Project-Id')
-# token_duration = CONF.oauth1.request_token_duration
-# self.oauth_api.create_request_token(request.client_key,
-# project_id,
-# token_duration,
-# token["oauth_token"],
-# token["oauth_token_secret"])
-
- def save_verifier(self, token, verifier, request):
- # keep the old logic for this, as it is done in two steps and requires
- # information that the request validator has no access to
- pass