Diffstat (limited to 'keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py')
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py44
1 files changed, 30 insertions, 14 deletions
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py
index 8987e0ea..be268da3 100644
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py
@@ -206,6 +206,7 @@ object is stored.
"""
+import binascii
import datetime
import logging
@@ -511,7 +512,7 @@ class _BaseAuthProtocol(object):
:raises exc.InvalidToken: if token is rejected
"""
- # 0 seconds of validity means it is invalid right now
+ # 0 seconds of validity means is it valid right now.
if auth_ref.will_expire_soon(stale_duration=0):
raise exc.InvalidToken(_('Token authorization failed'))
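Review bot: The rewritten comment on the `+` line reads "means is it valid right now", which is garbled and no clearer than the line it replaces. Since the check presumably asks will_expire_soon whether the token is already expired at this instant, a plainer wording would be `# stale_duration=0: reject the token if it is not valid right now.` The enclosing method starts before this hunk.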
@@ -838,8 +839,9 @@ class AuthProtocol(_BaseAuthProtocol):
data = cached
if self._check_revocations_for_cached:
- # A token might have been revoked, regardless of initial
- # mechanism used to validate it, and needs to be checked.
+ # A token stored in Memcached might have been revoked
+ # regardless of initial mechanism used to validate it,
+ # and needs to be checked.
self._revocations.check(token_hashes)
else:
data = self._validate_offline(token, token_hashes)
@@ -848,19 +850,19 @@ class AuthProtocol(_BaseAuthProtocol):
self._token_cache.store(token_hashes[0], data)
- except (exceptions.ConnectionRefused, exceptions.RequestTimeout):
- self.log.debug('Token validation failure.', exc_info=True)
- self.log.warning(_LW('Authorization failed for token'))
- raise exc.InvalidToken(_('Token authorization failed'))
- except exc.ServiceError as e:
- self.log.critical(_LC('Unable to obtain admin token: %s'), e)
+ except (exceptions.ConnectionRefused, exceptions.RequestTimeout,
+ exc.RevocationListError, exc.ServiceError) as e:
+ self.log.critical(_LC('Unable to validate token: %s'), e)
raise webob.exc.HTTPServiceUnavailable()
- except Exception:
+ except exc.InvalidToken:
self.log.debug('Token validation failure.', exc_info=True)
if token_hashes:
self._token_cache.store_invalid(token_hashes[0])
self.log.warning(_LW('Authorization failed for token'))
- raise exc.InvalidToken(_('Token authorization failed'))
+ raise
+ except Exception:
+ self.log.critical(_LC('Unable to validate token'), exc_info=True)
+ raise webob.exc.HTTPInternalServerError()
return data
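Review bot: The method now maps failures onto three distinct outcomes — InvalidToken is cached as invalid and re-raised, backend/revocation errors become HTTPServiceUnavailable, and anything else becomes HTTPInternalServerError — but the enclosing method's docstring (it starts before this hunk) is not updated to say so; it should gain `:raises exc.InvalidToken:`, `:raises webob.exc.HTTPServiceUnavailable:` and `:raises webob.exc.HTTPInternalServerError:` entries describing that mapping. A second, smaller point is the log level on the first handler: ConnectionRefused and RequestTimeout are transient conditions, and logging each one at critical with the same text as a hard ServiceError will flood the critical channel whenever the identity server is briefly unreachable; consider `self.log.warning(_LW('Unable to validate token: %s'), e)` for the two connection errors and keeping critical for ServiceError/RevocationListError. The catch-all at the end deliberately does not call store_invalid, which is correct since an unexpected error says nothing about the token itself.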
@@ -881,6 +883,18 @@ class AuthProtocol(_BaseAuthProtocol):
'fallback to online validation.'))
else:
data = jsonutils.loads(verified)
+
+ audit_ids = None
+ if 'access' in data:
+ # It's a v2 token.
+ audit_ids = data['access']['token'].get('audit_ids')
+ else:
+ # It's a v3 token
+ audit_ids = data['token'].get('audit_ids')
+
+ if audit_ids:
+ self._revocations.check_by_audit_id(audit_ids)
+
return data
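Review bot: The new audit-id lookup indexes `data['access']['token']` and `data['token']` unguarded, so a response body that has neither shape surfaces as a KeyError rather than a token-validation outcome; if the caller's catch-all turns that into HTTPInternalServerError (the exception rework elsewhere in this commit suggests so), that is acceptable for a malformed server response, but it deserves a one-line comment saying the 500 is intended. The `audit_ids = None` pre-assignment is redundant since both branches assign it; the block reads more directly as `token_body = data['access']['token'] if 'access' in data else data['token']` followed by `audit_ids = token_body.get('audit_ids')`, keeping the `if audit_ids:` revocation check as is. The enclosing method starts before this hunk.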
def _validate_token(self, auth_ref):
@@ -905,9 +919,10 @@ class AuthProtocol(_BaseAuthProtocol):
return cms.cms_verify(data, signing_cert_path,
signing_ca_path,
inform=inform).decode('utf-8')
- except cms.subprocess.CalledProcessError as err:
+ except (exceptions.CMSError,
+ cms.subprocess.CalledProcessError) as err:
self.log.warning(_LW('Verify error: %s'), err)
- raise
+ raise exc.InvalidToken(_('Token authorization failed'))
try:
return verify()
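Review bot: Converting CMSError and CalledProcessError into `exc.InvalidToken` changes the contract of `_cms_verify`, yet its docstring (outside this hunk) still does not declare it; add `:raises exc.InvalidToken: if the CMS signature cannot be verified.` so callers know the subprocess error no longer escapes. Because the surrounding `try: return verify()` and its handlers are outside the hunk, please confirm that whatever that outer block catches to refetch certificates and retry is not one of the two types now swallowed inside `verify()`, otherwise the retry path would silently stop working. The warning log keeps `err` as the only record of the underlying cause; on Python 2 there is no implicit exception chaining, so `exc_info=True` on that warning may be worth adding if this file still targets it.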
@@ -939,7 +954,8 @@ class AuthProtocol(_BaseAuthProtocol):
verified = self._cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM)
return verified
# TypeError If the signed_text is not zlib compressed
- except TypeError:
+ # binascii.Error if signed_text has incorrect base64 padding (py34)
+ except (TypeError, binascii.Error):
raise exc.InvalidToken(signed_text)
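Review bot: The context line `raise exc.InvalidToken(signed_text)` puts the entire submitted token into the exception message, and with binascii.Error now also routed here any malformed token body travels in that message; wherever InvalidToken is logged or rendered (the validation path logs it with exc_info at debug, and the response handling is outside this hunk), the raw credential material ends up in logs or a response body. The sibling handler in this commit already uses the neutral form, so `raise exc.InvalidToken(_('Token authorization failed'))` here would be consistent and avoids echoing the token. The enclosing method starts before this hunk.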
def _fetch_signing_cert(self):