Merge "Ensure that cached token is not revoked"
This commit is contained in:
commit
f1ace5c418
|
@ -277,7 +277,7 @@ opts = [
|
||||||
' configurable duration (in seconds). Set to -1 to disable'
|
' configurable duration (in seconds). Set to -1 to disable'
|
||||||
' caching completely.'),
|
' caching completely.'),
|
||||||
cfg.IntOpt('revocation_cache_time',
|
cfg.IntOpt('revocation_cache_time',
|
||||||
default=300,
|
default=10,
|
||||||
help='Determines the frequency at which the list of revoked'
|
help='Determines the frequency at which the list of revoked'
|
||||||
' tokens is retrieved from the Identity service (in seconds). A'
|
' tokens is retrieved from the Identity service (in seconds). A'
|
||||||
' high number of revocation events combined with a low cache'
|
' high number of revocation events combined with a low cache'
|
||||||
|
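Review bot: Dropping the `revocation_cache_time` default from 300 to 10 silently changes behaviour for every deployment that never set the option, and the help string next to it does not say what the value now buys; it should state the trade-off, e.g. append `' interval also bounds how long a revoked token can still be accepted from the token cache.'` to the help text. That wording assumes `token_revocation_list`, which `_is_token_id_in_revoked_list` reads in the later hunk, is refreshed on this interval — its definition is outside these hunks, so confirm before documenting it. At 10 s each middleware instance polls the Identity service six times a minute, which is worth calling out for large deployments. The rest of the `opts` list and the help string continue outside the hunk.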
@ -832,7 +832,7 @@ class AuthProtocol(object):
|
||||||
raise ServiceError('invalid json response')
|
raise ServiceError('invalid json response')
|
||||||
|
|
||||||
def _validate_user_token(self, user_token, env, retry=True):
|
def _validate_user_token(self, user_token, env, retry=True):
|
||||||
"""Authenticate user using PKI
|
"""Authenticate user token
|
||||||
|
|
||||||
:param user_token: user's token id
|
:param user_token: user's token id
|
||||||
:param retry: Ignored, as it is not longer relevant
|
:param retry: Ignored, as it is not longer relevant
|
||||||
|
@ -847,12 +847,17 @@ class AuthProtocol(object):
|
||||||
token_id = cms.cms_hash_token(user_token)
|
token_id = cms.cms_hash_token(user_token)
|
||||||
cached = self._cache_get(token_id)
|
cached = self._cache_get(token_id)
|
||||||
if cached:
|
if cached:
|
||||||
return cached
|
data = cached
|
||||||
if cms.is_asn1_token(user_token):
|
elif cms.is_asn1_token(user_token):
|
||||||
verified = self.verify_signed_token(user_token)
|
verified = self.verify_signed_token(user_token)
|
||||||
data = jsonutils.loads(verified)
|
data = jsonutils.loads(verified)
|
||||||
else:
|
else:
|
||||||
data = self.verify_uuid_token(user_token, retry)
|
data = self.verify_uuid_token(user_token, retry)
|
||||||
|
# A token stored in Memcached might have been revoked
|
||||||
|
# regardless of initial mechanism used to validate it,
|
||||||
|
# and needs to be checked.
|
||||||
|
if self._is_token_id_in_revoked_list(token_id):
|
||||||
|
raise InvalidUserToken('Token authorization failed')
|
||||||
expires = confirm_token_not_expired(data)
|
expires = confirm_token_not_expired(data)
|
||||||
self._confirm_token_bind(data, env)
|
self._confirm_token_bind(data, env)
|
||||||
self._cache_put(token_id, data, expires)
|
self._cache_put(token_id, data, expires)
|
||||||
|
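Review bot: The new check `if self._is_token_id_in_revoked_list(token_id):` compares a `cms.cms_hash_token` result against the revocation list, while `is_signed_token_revoked` in the next hunk hashes with `utils.hash_signed_token` before consulting the same list; if the two helpers ever differ for a signed token, the lookup here silently misses and the revoked token is accepted, so the check fails open. Neither helper's body is visible here, so at minimum pin the contract with a comment above the check, `# token_id must be hashed the same way as the ids in the revocation list (see is_signed_token_revoked)`, or route both callers through one helper. Separately, a cache hit now falls through to `self._cache_put(token_id, data, expires)` on every request, a cache write the old early `return cached` avoided; guarding it with `if not cached:` keeps the new revocation check without the extra write. The reworded docstring still does not mention the new failure mode; add `:raises InvalidUserToken: if the token appears in the revocation list`. The function's return statement is outside the hunk.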
@ -1182,19 +1187,20 @@ class AuthProtocol(object):
|
||||||
|
|
||||||
def is_signed_token_revoked(self, signed_text):
|
def is_signed_token_revoked(self, signed_text):
|
||||||
"""Indicate whether the token appears in the revocation list."""
|
"""Indicate whether the token appears in the revocation list."""
|
||||||
revocation_list = self.token_revocation_list
|
|
||||||
revoked_tokens = revocation_list.get('revoked', [])
|
|
||||||
if not revoked_tokens:
|
|
||||||
return
|
|
||||||
revoked_ids = (x['id'] for x in revoked_tokens)
|
|
||||||
if isinstance(signed_text, six.text_type):
|
if isinstance(signed_text, six.text_type):
|
||||||
signed_text = signed_text.encode('utf-8')
|
signed_text = signed_text.encode('utf-8')
|
||||||
token_id = utils.hash_signed_token(signed_text)
|
token_id = utils.hash_signed_token(signed_text)
|
||||||
for revoked_id in revoked_ids:
|
return self._is_token_id_in_revoked_list(token_id)
|
||||||
if token_id == revoked_id:
|
|
||||||
self.LOG.debug('Token is marked as having been revoked')
|
def _is_token_id_in_revoked_list(self, token_id):
|
||||||
return True
|
"""Indicate whether the token_id appears in the revocation list."""
|
||||||
return False
|
revocation_list = self.token_revocation_list
|
||||||
|
revoked_tokens = revocation_list.get('revoked', None)
|
||||||
|
if not revoked_tokens:
|
||||||
|
return False
|
||||||
|
|
||||||
|
revoked_ids = (x['id'] for x in revoked_tokens)
|
||||||
|
return token_id in revoked_ids
|
||||||
|
|
||||||
def cms_verify(self, data):
|
def cms_verify(self, data):
|
||||||
"""Verifies the signature of the provided data's IAW CMS syntax.
|
"""Verifies the signature of the provided data's IAW CMS syntax.
|
||||||
|
|
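Review bot: Collapsing the loop into `return token_id in revoked_ids` drops the `self.LOG.debug('Token is marked as having been revoked')` line, so a revocation hit no longer leaves any trace in the middleware log, and that is the one event in this hunk an operator would want to see. Keep the signal in the new helper by splitting the membership test, as below. Turning the old bare `return` into `return False` through the helper is an improvement, since `is_signed_token_revoked` now returns a proper bool on every path. The helper's docstring could be more precise: `"""Return True if token_id is in the cached revocation list, False otherwise."""`; and `revocation_list.get('revoked', None)` is just `revocation_list.get('revoked')`.
```python
    def _is_token_id_in_revoked_list(self, token_id):
        # … unchanged: docstring, revocation list fetch, empty-list guard …
        revoked_ids = (x['id'] for x in revoked_tokens)
        if token_id in revoked_ids:
            self.LOG.debug('Token is marked as having been revoked')
            return True
        return False
```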