diff options
Diffstat (limited to 'keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py')
-rw-r--r-- | keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py | 44 |
1 files changed, 30 insertions, 14 deletions
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py index 8987e0ea..be268da3 100644 --- a/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py +++ b/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py @@ -206,6 +206,7 @@ object is stored. """ +import binascii import datetime import logging @@ -511,7 +512,7 @@ class _BaseAuthProtocol(object): :raises exc.InvalidToken: if token is rejected """ - # 0 seconds of validity means it is invalid right now + # 0 seconds of validity means is it valid right now. if auth_ref.will_expire_soon(stale_duration=0): raise exc.InvalidToken(_('Token authorization failed')) @@ -838,8 +839,9 @@ class AuthProtocol(_BaseAuthProtocol): data = cached if self._check_revocations_for_cached: - # A token might have been revoked, regardless of initial - # mechanism used to validate it, and needs to be checked. + # A token stored in Memcached might have been revoked + # regardless of initial mechanism used to validate it, + # and needs to be checked. self._revocations.check(token_hashes) else: data = self._validate_offline(token, token_hashes) @@ -848,19 +850,19 @@ class AuthProtocol(_BaseAuthProtocol): self._token_cache.store(token_hashes[0], data) - except (exceptions.ConnectionRefused, exceptions.RequestTimeout): - self.log.debug('Token validation failure.', exc_info=True) - self.log.warning(_LW('Authorization failed for token')) - raise exc.InvalidToken(_('Token authorization failed')) - except exc.ServiceError as e: - self.log.critical(_LC('Unable to obtain admin token: %s'), e) + except (exceptions.ConnectionRefused, exceptions.RequestTimeout, + exc.RevocationListError, exc.ServiceError) as e: + self.log.critical(_LC('Unable to validate token: %s'), e) raise webob.exc.HTTPServiceUnavailable() - except Exception: + except exc.InvalidToken: self.log.debug('Token validation failure.', exc_info=True) if token_hashes: self._token_cache.store_invalid(token_hashes[0]) self.log.warning(_LW('Authorization failed for token')) - raise exc.InvalidToken(_('Token authorization failed')) + raise + except Exception: + self.log.critical(_LC('Unable to validate token'), exc_info=True) + raise webob.exc.HTTPInternalServerError() return data @@ -881,6 +883,18 @@ class AuthProtocol(_BaseAuthProtocol): 'fallback to online validation.')) else: data = jsonutils.loads(verified) + + audit_ids = None + if 'access' in data: + # It's a v2 token. + audit_ids = data['access']['token'].get('audit_ids') + else: + # It's a v3 token + audit_ids = data['token'].get('audit_ids') + + if audit_ids: + self._revocations.check_by_audit_id(audit_ids) + return data def _validate_token(self, auth_ref): @@ -905,9 +919,10 @@ class AuthProtocol(_BaseAuthProtocol): return cms.cms_verify(data, signing_cert_path, signing_ca_path, inform=inform).decode('utf-8') - except cms.subprocess.CalledProcessError as err: + except (exceptions.CMSError, + cms.subprocess.CalledProcessError) as err: self.log.warning(_LW('Verify error: %s'), err) - raise + raise exc.InvalidToken(_('Token authorization failed')) try: return verify() @@ -939,7 +954,8 @@ class AuthProtocol(_BaseAuthProtocol): verified = self._cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM) return verified # TypeError If the signed_text is not zlib compressed - except TypeError: + # binascii.Error if signed_text has incorrect base64 padding (py34) + except (TypeError, binascii.Error): raise exc.InvalidToken(signed_text) def _fetch_signing_cert(self): |