aboutsummaryrefslogtreecommitdiffstats
path: root/keystonemiddleware-moon/keystonemiddleware/auth_token/_revocations.py
blob: a68356a83ae7e7ea3dea355fd145f684df8c075a (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import datetime
import logging
import os

from oslo_serialization import jsonutils
from oslo_utils import timeutils

from keystonemiddleware.auth_token import _exceptions as exc
from keystonemiddleware.i18n import _

_LOG = logging.getLogger(__name__)


class Revocations(object):
    _FILE_NAME = 'revoked.pem'

    def __init__(self, timeout, signing_directory, identity_server,
                 cms_verify, log=_LOG):
        self._cache_timeout = timeout
        self._signing_directory = signing_directory
        self._identity_server = identity_server
        self._cms_verify = cms_verify
        self._log = log

        self._fetched_time_prop = None
        self._list_prop = None

    @property
    def _fetched_time(self):
        if not self._fetched_time_prop:
            # If the fetched list has been written to disk, use its
            # modification time.
            file_path = self._signing_directory.calc_path(self._FILE_NAME)
            if os.path.exists(file_path):
                mtime = os.path.getmtime(file_path)
                fetched_time = datetime.datetime.utcfromtimestamp(mtime)
            # Otherwise the list will need to be fetched.
            else:
                fetched_time = datetime.datetime.min
            self._fetched_time_prop = fetched_time
        return self._fetched_time_prop

    @_fetched_time.setter
    def _fetched_time(self, value):
        self._fetched_time_prop = value

    def _fetch(self):
        revocation_list_data = self._identity_server.fetch_revocation_list()
        return self._cms_verify(revocation_list_data)

    @property
    def _list(self):
        timeout = self._fetched_time + self._cache_timeout
        list_is_current = timeutils.utcnow() < timeout

        if list_is_current:
            # Load the list from disk if required
            if not self._list_prop:
                self._list_prop = jsonutils.loads(
                    self._signing_directory.read_file(self._FILE_NAME))
        else:
            self._list = self._fetch()
        return self._list_prop

    @_list.setter
    def _list(self, value):
        """Save a revocation list to memory and to disk.

        :param value: A json-encoded revocation list

        """
        self._list_prop = jsonutils.loads(value)
        self._fetched_time = timeutils.utcnow()
        self._signing_directory.write_file(self._FILE_NAME, value)

    def _is_revoked(self, token_id):
        """Indicate whether the token_id appears in the revocation list."""
        revoked_tokens = self._list.get('revoked', None)
        if not revoked_tokens:
            return False

        revoked_ids = (x['id'] for x in revoked_tokens)
        return token_id in revoked_ids

    def _any_revoked(self, token_ids):
        for token_id in token_ids:
            if self._is_revoked(token_id):
                return True
        return False

    def check(self, token_ids):
        if self._any_revoked(token_ids):
            self._log.debug('Token is marked as having been revoked')
            raise exc.InvalidToken(_('Token has been revoked'))

    def check_by_audit_id(self, audit_ids):
        """Check whether the audit_id appears in the revocation list.

        :raises keystonemiddleware.auth_token._exceptions.InvalidToken:
            if the audit ID(s) appear in the revocation list.

        """
        revoked_tokens = self._list.get('revoked', None)
        if not revoked_tokens:
            # There's no revoked tokens, so nothing to do.
            return

        # The audit_id may not be present in the revocation events because
        # earlier versions of the identity server didn't provide them.
        revoked_ids = set(
            x['audit_id'] for x in revoked_tokens if 'audit_id' in x)
        for audit_id in audit_ids:
            if audit_id in revoked_ids:
                self._log.debug(
                    'Token is marked as having been revoked by audit id')
                raise exc.InvalidToken(_('Token has been revoked'))