¡@

Home 

OpenStack Study: validator.py

OpenStack Index

**** CubicPower OpenStack Study ****

# Copyright 2014 OpenStack Foundation

#

# Licensed under the Apache License, Version 2.0 (the "License"); you may

# not use this file except in compliance with the License. You may obtain

# a copy of the License at

#

# http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

# License for the specific language governing permissions and limitations

# under the License.

"""oAuthlib request validator."""

import six

from keystone.common import dependency

from keystone.contrib.oauth1 import core as oauth1

from keystone import exception

from keystone.openstack.common import log

METHOD_NAME = 'oauth_validator'

LOG = log.getLogger(__name__)

@dependency.requires('oauth_api')

**** CubicPower OpenStack Study ****

class OAuthValidator(oauth1.RequestValidator):

#TODO(mhu) set as option probably ?

@property

**** CubicPower OpenStack Study ****

    def enforce_ssl(self):

        return False

    @property

**** CubicPower OpenStack Study ****

    def safe_characters(self):

        #oauth tokens are generated from a uuid hex value

        return set("abcdef0123456789")

**** CubicPower OpenStack Study ****

    def _check_token(self, token):

        # generic token verification when they're obtained from a uuid hex

        return (set(token) <= self.safe_characters and

                len(token) == 32)

**** CubicPower OpenStack Study ****

    def check_client_key(self, client_key):

        return self._check_token(client_key)

**** CubicPower OpenStack Study ****

    def check_request_token(self, request_token):

        return self._check_token(request_token)

**** CubicPower OpenStack Study ****

    def check_access_token(self, access_token):

        return self._check_token(access_token)

**** CubicPower OpenStack Study ****

    def check_nonce(self, nonce):

        # Assuming length is not a concern

        return set(nonce) <= self.safe_characters

**** CubicPower OpenStack Study ****

    def check_verifier(self, verifier):

        try:

            return 1000 <= int(verifier) <= 9999

        except ValueError:

            return False

**** CubicPower OpenStack Study ****

    def get_client_secret(self, client_key, request):

        client = self.oauth_api.get_consumer_with_secret(client_key)

        return client['secret']

**** CubicPower OpenStack Study ****

    def get_request_token_secret(self, client_key, token, request):

        token_ref = self.oauth_api.get_request_token(token)

        return token_ref['request_secret']

**** CubicPower OpenStack Study ****

    def get_access_token_secret(self, client_key, token, request):

        access_token = self.oauth_api.get_access_token(token)

        return access_token['access_secret']

**** CubicPower OpenStack Study ****

    def get_default_realms(self, client_key, request):

        # realms weren't implemented with the previous library

        return []

**** CubicPower OpenStack Study ****

    def get_realms(self, token, request):

        return []

**** CubicPower OpenStack Study ****

    def get_redirect_uri(self, token, request):

        # OOB (out of band) is supposed to be the default value to use

        return 'oob'

**** CubicPower OpenStack Study ****

    def get_rsa_key(self, client_key, request):

        # HMAC signing is used, so return a dummy value

        return ''

**** CubicPower OpenStack Study ****

    def invalidate_request_token(self, client_key, request_token, request):

        # this method is invoked when an access token is generated out of a

        # request token, to make sure that request token cannot be consumed

        # anymore. This is done in the backend, so we do nothing here.

        pass

**** CubicPower OpenStack Study ****

    def validate_client_key(self, client_key, request):

        try:

            return self.oauth_api.get_consumer(client_key) is not None

        except exception.NotFound:

            return False

**** CubicPower OpenStack Study ****

    def validate_request_token(self, client_key, token, request):

        try:

            return self.oauth_api.get_request_token(token) is not None

        except exception.NotFound:

            return False

**** CubicPower OpenStack Study ****

    def validate_access_token(self, client_key, token, request):

        try:

            return self.oauth_api.get_access_token(token) is not None

        except exception.NotFound:

            return False

**** CubicPower OpenStack Study ****

    def validate_timestamp_and_nonce(self,

                                     client_key,

                                     timestamp,

                                     nonce,

                                     request,

                                     request_token=None,

                                     access_token=None):

        return True

**** CubicPower OpenStack Study ****

    def validate_redirect_uri(self, client_key, redirect_uri, request):

        # we expect OOB, we don't really care

        return True

**** CubicPower OpenStack Study ****

    def validate_requested_realms(self, client_key, realms, request):

        # realms are not used

        return True

**** CubicPower OpenStack Study ****

    def validate_realms(self,

                        client_key,

                        token,

                        request,

                        uri=None,

                        realms=None):

        return True

**** CubicPower OpenStack Study ****

    def validate_verifier(self, client_key, token, verifier, request):

        try:

            req_token = self.oauth_api.get_request_token(token)

            return req_token['verifier'] == verifier

        except exception.NotFound:

            return False

**** CubicPower OpenStack Study ****

    def verify_request_token(self, token, request):

        # there aren't strong expectations on the request token format

        return isinstance(token, six.string_types)

**** CubicPower OpenStack Study ****

    def verify_realms(self, token, realms, request):

        return True

    # The following save_XXX methods are called to create tokens. I chose to

    # keep the original logic, but the comments below show how that could be

    # implemented. The real implementation logic is in the backend.

**** CubicPower OpenStack Study ****

    def save_access_token(self, token, request):

        pass

#        token_duration = CONF.oauth1.request_token_duration

#        request_token_id = request.client_key

#        self.oauth_api.create_access_token(request_token_id,

#                                           token_duration,

#                                           token["oauth_token"],

#                                           token["oauth_token_secret"])

**** CubicPower OpenStack Study ****

    def save_request_token(self, token, request):

        pass

#        project_id = request.headers.get('Requested-Project-Id')

#        token_duration = CONF.oauth1.request_token_duration

#        self.oauth_api.create_request_token(request.client_key,

#                                            project_id,

#                                            token_duration,

#                                            token["oauth_token"],

#                                            token["oauth_token_secret"])

**** CubicPower OpenStack Study ****

    def save_verifier(self, token, verifier, request):

        # keep the old logic for this, as it is done in two steps and requires

        # information that the request validator has no access to

        pass