diff options
Diffstat (limited to 'keystone-moon/keystone/revoke')
-rw-r--r-- | keystone-moon/keystone/revoke/__init__.py | 13 | ||||
-rw-r--r-- | keystone-moon/keystone/revoke/backends/__init__.py | 0 | ||||
-rw-r--r-- | keystone-moon/keystone/revoke/backends/sql.py | 100 | ||||
-rw-r--r-- | keystone-moon/keystone/revoke/controllers.py | 44 | ||||
-rw-r--r-- | keystone-moon/keystone/revoke/core.py | 261 | ||||
-rw-r--r-- | keystone-moon/keystone/revoke/model.py | 13 | ||||
-rw-r--r-- | keystone-moon/keystone/revoke/routers.py | 29 |
7 files changed, 0 insertions, 460 deletions
diff --git a/keystone-moon/keystone/revoke/__init__.py b/keystone-moon/keystone/revoke/__init__.py deleted file mode 100644 index 6d4ee0bc..00000000 --- a/keystone-moon/keystone/revoke/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystone.revoke.core import * # noqa diff --git a/keystone-moon/keystone/revoke/backends/__init__.py b/keystone-moon/keystone/revoke/backends/__init__.py deleted file mode 100644 index e69de29b..00000000 --- a/keystone-moon/keystone/revoke/backends/__init__.py +++ /dev/null diff --git a/keystone-moon/keystone/revoke/backends/sql.py b/keystone-moon/keystone/revoke/backends/sql.py deleted file mode 100644 index 9f8a82db..00000000 --- a/keystone-moon/keystone/revoke/backends/sql.py +++ /dev/null @@ -1,100 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystone.common import sql -from keystone.models import revoke_model -from keystone import revoke - - -class RevocationEvent(sql.ModelBase, sql.ModelDictMixin): - __tablename__ = 'revocation_event' - attributes = revoke_model.REVOKE_KEYS - - # The id field is not going to be exposed to the outside world. - # It is, however, necessary for SQLAlchemy. - id = sql.Column(sql.Integer, primary_key=True, nullable=False) - domain_id = sql.Column(sql.String(64)) - project_id = sql.Column(sql.String(64)) - user_id = sql.Column(sql.String(64)) - role_id = sql.Column(sql.String(64)) - trust_id = sql.Column(sql.String(64)) - consumer_id = sql.Column(sql.String(64)) - access_token_id = sql.Column(sql.String(64)) - issued_before = sql.Column(sql.DateTime(), nullable=False) - expires_at = sql.Column(sql.DateTime()) - revoked_at = sql.Column(sql.DateTime(), nullable=False, index=True) - audit_id = sql.Column(sql.String(32)) - audit_chain_id = sql.Column(sql.String(32)) - - -class Revoke(revoke.RevokeDriverV8): - def _flush_batch_size(self, dialect): - batch_size = 0 - if dialect == 'ibm_db_sa': - # This functionality is limited to DB2, because - # it is necessary to prevent the transaction log - # from filling up, whereas at least some of the - # other supported databases do not support update - # queries with LIMIT subqueries nor do they appear - # to require the use of such queries when deleting - # large numbers of records at once. - batch_size = 100 - # Limit of 100 is known to not fill a transaction log - # of default maximum size while not significantly - # impacting the performance of large token purges on - # systems where the maximum transaction log size has - # been increased beyond the default. - return batch_size - - def _prune_expired_events(self): - oldest = revoke.revoked_before_cutoff_time() - - with sql.session_for_write() as session: - dialect = session.bind.dialect.name - batch_size = self._flush_batch_size(dialect) - if batch_size > 0: - query = session.query(RevocationEvent.id) - query = query.filter(RevocationEvent.revoked_at < oldest) - query = query.limit(batch_size).subquery() - delete_query = (session.query(RevocationEvent). - filter(RevocationEvent.id.in_(query))) - while True: - rowcount = delete_query.delete(synchronize_session=False) - if rowcount == 0: - break - else: - query = session.query(RevocationEvent) - query = query.filter(RevocationEvent.revoked_at < oldest) - query.delete(synchronize_session=False) - - session.flush() - - def list_events(self, last_fetch=None): - with sql.session_for_read() as session: - query = session.query(RevocationEvent).order_by( - RevocationEvent.revoked_at) - - if last_fetch: - query = query.filter(RevocationEvent.revoked_at > last_fetch) - - events = [revoke_model.RevokeEvent(**e.to_dict()) for e in query] - - return events - - def revoke(self, event): - kwargs = dict() - for attr in revoke_model.REVOKE_KEYS: - kwargs[attr] = getattr(event, attr) - record = RevocationEvent(**kwargs) - with sql.session_for_write() as session: - session.add(record) - self._prune_expired_events() diff --git a/keystone-moon/keystone/revoke/controllers.py b/keystone-moon/keystone/revoke/controllers.py deleted file mode 100644 index 40151bae..00000000 --- a/keystone-moon/keystone/revoke/controllers.py +++ /dev/null @@ -1,44 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_utils import timeutils - -from keystone.common import controller -from keystone.common import dependency -from keystone import exception -from keystone.i18n import _ - - -@dependency.requires('revoke_api') -class RevokeController(controller.V3Controller): - @controller.protected() - def list_revoke_events(self, context): - since = context['query_string'].get('since') - last_fetch = None - if since: - try: - last_fetch = timeutils.normalize_time( - timeutils.parse_isotime(since)) - except ValueError: - raise exception.ValidationError( - message=_('invalid date format %s') % since) - events = self.revoke_api.list_events(last_fetch=last_fetch) - # Build the links by hand as the standard controller calls require ids - response = {'events': [event.to_dict() for event in events], - 'links': { - 'next': None, - 'self': RevokeController.base_url( - context, - path=context['path']), - 'previous': None} - } - return response diff --git a/keystone-moon/keystone/revoke/core.py b/keystone-moon/keystone/revoke/core.py deleted file mode 100644 index 64d2e998..00000000 --- a/keystone-moon/keystone/revoke/core.py +++ /dev/null @@ -1,261 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -"""Main entry point into the Revoke service.""" - -import abc -import datetime - -from oslo_config import cfg -from oslo_log import versionutils -from oslo_utils import timeutils -import six - -from keystone.common import cache -from keystone.common import dependency -from keystone.common import extension -from keystone.common import manager -from keystone import exception -from keystone.i18n import _ -from keystone.models import revoke_model -from keystone import notifications - - -CONF = cfg.CONF - - -EXTENSION_DATA = { - 'name': 'OpenStack Revoke API', - 'namespace': 'http://docs.openstack.org/identity/api/ext/' - 'OS-REVOKE/v1.0', - 'alias': 'OS-REVOKE', - 'updated': '2014-02-24T20:51:0-00:00', - 'description': 'OpenStack revoked token reporting mechanism.', - 'links': [ - { - 'rel': 'describedby', - 'type': 'text/html', - 'href': 'http://specs.openstack.org/openstack/keystone-specs/api/' - 'v3/identity-api-v3-os-revoke-ext.html', - } - ]} -extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA) -extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA) - -MEMOIZE = cache.get_memoization_decorator(group='revoke') - - -def revoked_before_cutoff_time(): - expire_delta = datetime.timedelta( - seconds=CONF.token.expiration + CONF.revoke.expiration_buffer) - oldest = timeutils.utcnow() - expire_delta - return oldest - - -@dependency.provider('revoke_api') -class Manager(manager.Manager): - """Default pivot point for the Revoke backend. - - Performs common logic for recording revocations. - - See :mod:`keystone.common.manager.Manager` for more details on - how this dynamically calls the backend. - - """ - - driver_namespace = 'keystone.revoke' - - def __init__(self): - super(Manager, self).__init__(CONF.revoke.driver) - self._register_listeners() - self.model = revoke_model - - def _user_callback(self, service, resource_type, operation, - payload): - self.revoke_by_user(payload['resource_info']) - - def _role_callback(self, service, resource_type, operation, - payload): - self.revoke( - revoke_model.RevokeEvent(role_id=payload['resource_info'])) - - def _project_callback(self, service, resource_type, operation, - payload): - self.revoke( - revoke_model.RevokeEvent(project_id=payload['resource_info'])) - - def _domain_callback(self, service, resource_type, operation, - payload): - self.revoke( - revoke_model.RevokeEvent(domain_id=payload['resource_info'])) - - def _trust_callback(self, service, resource_type, operation, - payload): - self.revoke( - revoke_model.RevokeEvent(trust_id=payload['resource_info'])) - - def _consumer_callback(self, service, resource_type, operation, - payload): - self.revoke( - revoke_model.RevokeEvent(consumer_id=payload['resource_info'])) - - def _access_token_callback(self, service, resource_type, operation, - payload): - self.revoke( - revoke_model.RevokeEvent(access_token_id=payload['resource_info'])) - - def _role_assignment_callback(self, service, resource_type, operation, - payload): - info = payload['resource_info'] - self.revoke_by_grant(role_id=info['role_id'], user_id=info['user_id'], - domain_id=info.get('domain_id'), - project_id=info.get('project_id')) - - def _register_listeners(self): - callbacks = { - notifications.ACTIONS.deleted: [ - ['OS-TRUST:trust', self._trust_callback], - ['OS-OAUTH1:consumer', self._consumer_callback], - ['OS-OAUTH1:access_token', self._access_token_callback], - ['role', self._role_callback], - ['user', self._user_callback], - ['project', self._project_callback], - ['role_assignment', self._role_assignment_callback] - ], - notifications.ACTIONS.disabled: [ - ['user', self._user_callback], - ['project', self._project_callback], - ['domain', self._domain_callback], - ], - notifications.ACTIONS.internal: [ - [notifications.INVALIDATE_USER_TOKEN_PERSISTENCE, - self._user_callback], - ] - } - - for event, cb_info in callbacks.items(): - for resource_type, callback_fns in cb_info: - notifications.register_event_callback(event, resource_type, - callback_fns) - - def revoke_by_user(self, user_id): - return self.revoke(revoke_model.RevokeEvent(user_id=user_id)) - - def _assert_not_domain_and_project_scoped(self, domain_id=None, - project_id=None): - if domain_id is not None and project_id is not None: - msg = _('The revoke call must not have both domain_id and ' - 'project_id. This is a bug in the Keystone server. The ' - 'current request is aborted.') - raise exception.UnexpectedError(exception=msg) - - @versionutils.deprecated(as_of=versionutils.deprecated.JUNO, - remove_in=0) - def revoke_by_expiration(self, user_id, expires_at, - domain_id=None, project_id=None): - - self._assert_not_domain_and_project_scoped(domain_id=domain_id, - project_id=project_id) - - self.revoke( - revoke_model.RevokeEvent(user_id=user_id, - expires_at=expires_at, - domain_id=domain_id, - project_id=project_id)) - - def revoke_by_audit_id(self, audit_id): - self.revoke(revoke_model.RevokeEvent(audit_id=audit_id)) - - def revoke_by_audit_chain_id(self, audit_chain_id, project_id=None, - domain_id=None): - - self._assert_not_domain_and_project_scoped(domain_id=domain_id, - project_id=project_id) - - self.revoke(revoke_model.RevokeEvent(audit_chain_id=audit_chain_id, - domain_id=domain_id, - project_id=project_id)) - - def revoke_by_grant(self, role_id, user_id=None, - domain_id=None, project_id=None): - self.revoke( - revoke_model.RevokeEvent(user_id=user_id, - role_id=role_id, - domain_id=domain_id, - project_id=project_id)) - - def revoke_by_user_and_project(self, user_id, project_id): - self.revoke( - revoke_model.RevokeEvent(project_id=project_id, user_id=user_id)) - - def revoke_by_project_role_assignment(self, project_id, role_id): - self.revoke(revoke_model.RevokeEvent(project_id=project_id, - role_id=role_id)) - - def revoke_by_domain_role_assignment(self, domain_id, role_id): - self.revoke(revoke_model.RevokeEvent(domain_id=domain_id, - role_id=role_id)) - - @MEMOIZE - def _get_revoke_tree(self): - events = self.driver.list_events() - revoke_tree = revoke_model.RevokeTree(revoke_events=events) - - return revoke_tree - - def check_token(self, token_values): - """Checks the values from a token against the revocation list - - :param token_values: dictionary of values from a token, normalized for - differences between v2 and v3. The checked values - are a subset of the attributes of model.TokenEvent - - :raises keystone.exception.TokenNotFound: If the token is invalid. - - """ - if self._get_revoke_tree().is_revoked(token_values): - raise exception.TokenNotFound(_('Failed to validate token')) - - def revoke(self, event): - self.driver.revoke(event) - self._get_revoke_tree.invalidate(self) - - -@six.add_metaclass(abc.ABCMeta) -class RevokeDriverV8(object): - """Interface for recording and reporting revocation events.""" - - @abc.abstractmethod - def list_events(self, last_fetch=None): - """return the revocation events, as a list of objects - - :param last_fetch: Time of last fetch. Return all events newer. - :returns: A list of keystone.revoke.model.RevokeEvent - newer than `last_fetch.` - If no last_fetch is specified, returns all events - for tokens issued after the expiration cutoff. - - """ - raise exception.NotImplemented() # pragma: no cover - - @abc.abstractmethod - def revoke(self, event): - """register a revocation event - - :param event: An instance of - keystone.revoke.model.RevocationEvent - - """ - raise exception.NotImplemented() # pragma: no cover - - -Driver = manager.create_legacy_driver(RevokeDriverV8) diff --git a/keystone-moon/keystone/revoke/model.py b/keystone-moon/keystone/revoke/model.py deleted file mode 100644 index 28a8d07f..00000000 --- a/keystone-moon/keystone/revoke/model.py +++ /dev/null @@ -1,13 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystone.models.revoke_model import * # noqa diff --git a/keystone-moon/keystone/revoke/routers.py b/keystone-moon/keystone/revoke/routers.py deleted file mode 100644 index aab78493..00000000 --- a/keystone-moon/keystone/revoke/routers.py +++ /dev/null @@ -1,29 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystone.common import json_home -from keystone.common import wsgi -from keystone.revoke import controllers - - -class Routers(wsgi.RoutersBase): - - PATH_PREFIX = '/OS-REVOKE' - - def append_v3_routers(self, mapper, routers): - revoke_controller = controllers.RevokeController() - self._add_resource( - mapper, revoke_controller, - path=self.PATH_PREFIX + '/events', - get_action='list_revoke_events', - rel=json_home.build_v3_extension_resource_relation( - 'OS-REVOKE', '1.0', 'events')) |