aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/revoke
diff options
context:
space:
mode:
authorRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
committerRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
commit920a49cfa055733d575282973e23558c33087a4a (patch)
treed371dab34efa5028600dad2e7ca58063626e7ba4 /keystone-moon/keystone/revoke
parentef3eefca70d8abb4a00dafb9419ad32738e934b2 (diff)
remove keystone-moon
Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/revoke')
-rw-r--r--keystone-moon/keystone/revoke/__init__.py13
-rw-r--r--keystone-moon/keystone/revoke/backends/__init__.py0
-rw-r--r--keystone-moon/keystone/revoke/backends/sql.py100
-rw-r--r--keystone-moon/keystone/revoke/controllers.py44
-rw-r--r--keystone-moon/keystone/revoke/core.py261
-rw-r--r--keystone-moon/keystone/revoke/model.py13
-rw-r--r--keystone-moon/keystone/revoke/routers.py29
7 files changed, 0 insertions, 460 deletions
diff --git a/keystone-moon/keystone/revoke/__init__.py b/keystone-moon/keystone/revoke/__init__.py
deleted file mode 100644
index 6d4ee0bc..00000000
--- a/keystone-moon/keystone/revoke/__init__.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.revoke.core import * # noqa
diff --git a/keystone-moon/keystone/revoke/backends/__init__.py b/keystone-moon/keystone/revoke/backends/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/keystone-moon/keystone/revoke/backends/__init__.py
+++ /dev/null
diff --git a/keystone-moon/keystone/revoke/backends/sql.py b/keystone-moon/keystone/revoke/backends/sql.py
deleted file mode 100644
index 9f8a82db..00000000
--- a/keystone-moon/keystone/revoke/backends/sql.py
+++ /dev/null
@@ -1,100 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.common import sql
-from keystone.models import revoke_model
-from keystone import revoke
-
-
-class RevocationEvent(sql.ModelBase, sql.ModelDictMixin):
- __tablename__ = 'revocation_event'
- attributes = revoke_model.REVOKE_KEYS
-
- # The id field is not going to be exposed to the outside world.
- # It is, however, necessary for SQLAlchemy.
- id = sql.Column(sql.Integer, primary_key=True, nullable=False)
- domain_id = sql.Column(sql.String(64))
- project_id = sql.Column(sql.String(64))
- user_id = sql.Column(sql.String(64))
- role_id = sql.Column(sql.String(64))
- trust_id = sql.Column(sql.String(64))
- consumer_id = sql.Column(sql.String(64))
- access_token_id = sql.Column(sql.String(64))
- issued_before = sql.Column(sql.DateTime(), nullable=False)
- expires_at = sql.Column(sql.DateTime())
- revoked_at = sql.Column(sql.DateTime(), nullable=False, index=True)
- audit_id = sql.Column(sql.String(32))
- audit_chain_id = sql.Column(sql.String(32))
-
-
-class Revoke(revoke.RevokeDriverV8):
- def _flush_batch_size(self, dialect):
- batch_size = 0
- if dialect == 'ibm_db_sa':
- # This functionality is limited to DB2, because
- # it is necessary to prevent the transaction log
- # from filling up, whereas at least some of the
- # other supported databases do not support update
- # queries with LIMIT subqueries nor do they appear
- # to require the use of such queries when deleting
- # large numbers of records at once.
- batch_size = 100
- # Limit of 100 is known to not fill a transaction log
- # of default maximum size while not significantly
- # impacting the performance of large token purges on
- # systems where the maximum transaction log size has
- # been increased beyond the default.
- return batch_size
-
- def _prune_expired_events(self):
- oldest = revoke.revoked_before_cutoff_time()
-
- with sql.session_for_write() as session:
- dialect = session.bind.dialect.name
- batch_size = self._flush_batch_size(dialect)
- if batch_size > 0:
- query = session.query(RevocationEvent.id)
- query = query.filter(RevocationEvent.revoked_at < oldest)
- query = query.limit(batch_size).subquery()
- delete_query = (session.query(RevocationEvent).
- filter(RevocationEvent.id.in_(query)))
- while True:
- rowcount = delete_query.delete(synchronize_session=False)
- if rowcount == 0:
- break
- else:
- query = session.query(RevocationEvent)
- query = query.filter(RevocationEvent.revoked_at < oldest)
- query.delete(synchronize_session=False)
-
- session.flush()
-
- def list_events(self, last_fetch=None):
- with sql.session_for_read() as session:
- query = session.query(RevocationEvent).order_by(
- RevocationEvent.revoked_at)
-
- if last_fetch:
- query = query.filter(RevocationEvent.revoked_at > last_fetch)
-
- events = [revoke_model.RevokeEvent(**e.to_dict()) for e in query]
-
- return events
-
- def revoke(self, event):
- kwargs = dict()
- for attr in revoke_model.REVOKE_KEYS:
- kwargs[attr] = getattr(event, attr)
- record = RevocationEvent(**kwargs)
- with sql.session_for_write() as session:
- session.add(record)
- self._prune_expired_events()
diff --git a/keystone-moon/keystone/revoke/controllers.py b/keystone-moon/keystone/revoke/controllers.py
deleted file mode 100644
index 40151bae..00000000
--- a/keystone-moon/keystone/revoke/controllers.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_utils import timeutils
-
-from keystone.common import controller
-from keystone.common import dependency
-from keystone import exception
-from keystone.i18n import _
-
-
-@dependency.requires('revoke_api')
-class RevokeController(controller.V3Controller):
- @controller.protected()
- def list_revoke_events(self, context):
- since = context['query_string'].get('since')
- last_fetch = None
- if since:
- try:
- last_fetch = timeutils.normalize_time(
- timeutils.parse_isotime(since))
- except ValueError:
- raise exception.ValidationError(
- message=_('invalid date format %s') % since)
- events = self.revoke_api.list_events(last_fetch=last_fetch)
- # Build the links by hand as the standard controller calls require ids
- response = {'events': [event.to_dict() for event in events],
- 'links': {
- 'next': None,
- 'self': RevokeController.base_url(
- context,
- path=context['path']),
- 'previous': None}
- }
- return response
diff --git a/keystone-moon/keystone/revoke/core.py b/keystone-moon/keystone/revoke/core.py
deleted file mode 100644
index 64d2e998..00000000
--- a/keystone-moon/keystone/revoke/core.py
+++ /dev/null
@@ -1,261 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Main entry point into the Revoke service."""
-
-import abc
-import datetime
-
-from oslo_config import cfg
-from oslo_log import versionutils
-from oslo_utils import timeutils
-import six
-
-from keystone.common import cache
-from keystone.common import dependency
-from keystone.common import extension
-from keystone.common import manager
-from keystone import exception
-from keystone.i18n import _
-from keystone.models import revoke_model
-from keystone import notifications
-
-
-CONF = cfg.CONF
-
-
-EXTENSION_DATA = {
- 'name': 'OpenStack Revoke API',
- 'namespace': 'http://docs.openstack.org/identity/api/ext/'
- 'OS-REVOKE/v1.0',
- 'alias': 'OS-REVOKE',
- 'updated': '2014-02-24T20:51:0-00:00',
- 'description': 'OpenStack revoked token reporting mechanism.',
- 'links': [
- {
- 'rel': 'describedby',
- 'type': 'text/html',
- 'href': 'http://specs.openstack.org/openstack/keystone-specs/api/'
- 'v3/identity-api-v3-os-revoke-ext.html',
- }
- ]}
-extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
-extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
-
-MEMOIZE = cache.get_memoization_decorator(group='revoke')
-
-
-def revoked_before_cutoff_time():
- expire_delta = datetime.timedelta(
- seconds=CONF.token.expiration + CONF.revoke.expiration_buffer)
- oldest = timeutils.utcnow() - expire_delta
- return oldest
-
-
-@dependency.provider('revoke_api')
-class Manager(manager.Manager):
- """Default pivot point for the Revoke backend.
-
- Performs common logic for recording revocations.
-
- See :mod:`keystone.common.manager.Manager` for more details on
- how this dynamically calls the backend.
-
- """
-
- driver_namespace = 'keystone.revoke'
-
- def __init__(self):
- super(Manager, self).__init__(CONF.revoke.driver)
- self._register_listeners()
- self.model = revoke_model
-
- def _user_callback(self, service, resource_type, operation,
- payload):
- self.revoke_by_user(payload['resource_info'])
-
- def _role_callback(self, service, resource_type, operation,
- payload):
- self.revoke(
- revoke_model.RevokeEvent(role_id=payload['resource_info']))
-
- def _project_callback(self, service, resource_type, operation,
- payload):
- self.revoke(
- revoke_model.RevokeEvent(project_id=payload['resource_info']))
-
- def _domain_callback(self, service, resource_type, operation,
- payload):
- self.revoke(
- revoke_model.RevokeEvent(domain_id=payload['resource_info']))
-
- def _trust_callback(self, service, resource_type, operation,
- payload):
- self.revoke(
- revoke_model.RevokeEvent(trust_id=payload['resource_info']))
-
- def _consumer_callback(self, service, resource_type, operation,
- payload):
- self.revoke(
- revoke_model.RevokeEvent(consumer_id=payload['resource_info']))
-
- def _access_token_callback(self, service, resource_type, operation,
- payload):
- self.revoke(
- revoke_model.RevokeEvent(access_token_id=payload['resource_info']))
-
- def _role_assignment_callback(self, service, resource_type, operation,
- payload):
- info = payload['resource_info']
- self.revoke_by_grant(role_id=info['role_id'], user_id=info['user_id'],
- domain_id=info.get('domain_id'),
- project_id=info.get('project_id'))
-
- def _register_listeners(self):
- callbacks = {
- notifications.ACTIONS.deleted: [
- ['OS-TRUST:trust', self._trust_callback],
- ['OS-OAUTH1:consumer', self._consumer_callback],
- ['OS-OAUTH1:access_token', self._access_token_callback],
- ['role', self._role_callback],
- ['user', self._user_callback],
- ['project', self._project_callback],
- ['role_assignment', self._role_assignment_callback]
- ],
- notifications.ACTIONS.disabled: [
- ['user', self._user_callback],
- ['project', self._project_callback],
- ['domain', self._domain_callback],
- ],
- notifications.ACTIONS.internal: [
- [notifications.INVALIDATE_USER_TOKEN_PERSISTENCE,
- self._user_callback],
- ]
- }
-
- for event, cb_info in callbacks.items():
- for resource_type, callback_fns in cb_info:
- notifications.register_event_callback(event, resource_type,
- callback_fns)
-
- def revoke_by_user(self, user_id):
- return self.revoke(revoke_model.RevokeEvent(user_id=user_id))
-
- def _assert_not_domain_and_project_scoped(self, domain_id=None,
- project_id=None):
- if domain_id is not None and project_id is not None:
- msg = _('The revoke call must not have both domain_id and '
- 'project_id. This is a bug in the Keystone server. The '
- 'current request is aborted.')
- raise exception.UnexpectedError(exception=msg)
-
- @versionutils.deprecated(as_of=versionutils.deprecated.JUNO,
- remove_in=0)
- def revoke_by_expiration(self, user_id, expires_at,
- domain_id=None, project_id=None):
-
- self._assert_not_domain_and_project_scoped(domain_id=domain_id,
- project_id=project_id)
-
- self.revoke(
- revoke_model.RevokeEvent(user_id=user_id,
- expires_at=expires_at,
- domain_id=domain_id,
- project_id=project_id))
-
- def revoke_by_audit_id(self, audit_id):
- self.revoke(revoke_model.RevokeEvent(audit_id=audit_id))
-
- def revoke_by_audit_chain_id(self, audit_chain_id, project_id=None,
- domain_id=None):
-
- self._assert_not_domain_and_project_scoped(domain_id=domain_id,
- project_id=project_id)
-
- self.revoke(revoke_model.RevokeEvent(audit_chain_id=audit_chain_id,
- domain_id=domain_id,
- project_id=project_id))
-
- def revoke_by_grant(self, role_id, user_id=None,
- domain_id=None, project_id=None):
- self.revoke(
- revoke_model.RevokeEvent(user_id=user_id,
- role_id=role_id,
- domain_id=domain_id,
- project_id=project_id))
-
- def revoke_by_user_and_project(self, user_id, project_id):
- self.revoke(
- revoke_model.RevokeEvent(project_id=project_id, user_id=user_id))
-
- def revoke_by_project_role_assignment(self, project_id, role_id):
- self.revoke(revoke_model.RevokeEvent(project_id=project_id,
- role_id=role_id))
-
- def revoke_by_domain_role_assignment(self, domain_id, role_id):
- self.revoke(revoke_model.RevokeEvent(domain_id=domain_id,
- role_id=role_id))
-
- @MEMOIZE
- def _get_revoke_tree(self):
- events = self.driver.list_events()
- revoke_tree = revoke_model.RevokeTree(revoke_events=events)
-
- return revoke_tree
-
- def check_token(self, token_values):
- """Checks the values from a token against the revocation list
-
- :param token_values: dictionary of values from a token, normalized for
- differences between v2 and v3. The checked values
- are a subset of the attributes of model.TokenEvent
-
- :raises keystone.exception.TokenNotFound: If the token is invalid.
-
- """
- if self._get_revoke_tree().is_revoked(token_values):
- raise exception.TokenNotFound(_('Failed to validate token'))
-
- def revoke(self, event):
- self.driver.revoke(event)
- self._get_revoke_tree.invalidate(self)
-
-
-@six.add_metaclass(abc.ABCMeta)
-class RevokeDriverV8(object):
- """Interface for recording and reporting revocation events."""
-
- @abc.abstractmethod
- def list_events(self, last_fetch=None):
- """return the revocation events, as a list of objects
-
- :param last_fetch: Time of last fetch. Return all events newer.
- :returns: A list of keystone.revoke.model.RevokeEvent
- newer than `last_fetch.`
- If no last_fetch is specified, returns all events
- for tokens issued after the expiration cutoff.
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
- @abc.abstractmethod
- def revoke(self, event):
- """register a revocation event
-
- :param event: An instance of
- keystone.revoke.model.RevocationEvent
-
- """
- raise exception.NotImplemented() # pragma: no cover
-
-
-Driver = manager.create_legacy_driver(RevokeDriverV8)
diff --git a/keystone-moon/keystone/revoke/model.py b/keystone-moon/keystone/revoke/model.py
deleted file mode 100644
index 28a8d07f..00000000
--- a/keystone-moon/keystone/revoke/model.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.models.revoke_model import * # noqa
diff --git a/keystone-moon/keystone/revoke/routers.py b/keystone-moon/keystone/revoke/routers.py
deleted file mode 100644
index aab78493..00000000
--- a/keystone-moon/keystone/revoke/routers.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.common import json_home
-from keystone.common import wsgi
-from keystone.revoke import controllers
-
-
-class Routers(wsgi.RoutersBase):
-
- PATH_PREFIX = '/OS-REVOKE'
-
- def append_v3_routers(self, mapper, routers):
- revoke_controller = controllers.RevokeController()
- self._add_resource(
- mapper, revoke_controller,
- path=self.PATH_PREFIX + '/events',
- get_action='list_revoke_events',
- rel=json_home.build_v3_extension_resource_relation(
- 'OS-REVOKE', '1.0', 'events'))