keystone.token.providers.fernet package

Submodules

keystone.token.providers.fernet.core module

class keystone.token.providers.fernet.core.Provider(*args, **kwargs)[source]

Bases: keystone.token.providers.common.BaseProvider

issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)[source]

Issue a V2 formatted token.

Parameters:
  • token_ref – reference describing the token
  • roles_ref – reference describing the roles for the token
  • catalog_ref – reference describing the token’s catalog
Returns:

tuple containing the ID of the token and the token data

issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)[source]

Issue a V3 formatted token.

Here is where we need to detect what is given to us, and what kind of token the user is expecting. Depending on the outcome of that, we can pass all the information to be packed to the proper token format handler.

Parameters:
  • user_id – ID of the user
  • method_names – method of authentication
  • expires_at – token expiration time
  • project_id – ID of the project being scoped to
  • domain_id – ID of the domain being scoped to
  • auth_context – authentication context
  • trust – ID of the trust
  • metadata_ref – metadata reference
  • include_catalog – return the catalog in the response if True, otherwise don’t return the catalog
  • parent_audit_id – ID of the parent audit entity
Returns:

tuple containing the id of the token and the token data

needs_persistence()[source]

Return whether the token should be written to a backend.

validate_v2_token(token_ref)[source]

Validate a V2 formatted token.

Parameters: token_ref – reference describing the token to validate
Returns: the token data
Raises: keystone.exception.Unauthorized if a v3 token is used

validate_v3_token(token)[source]

Validate a V3 formatted token.

Parameters: token – a string describing the token to validate
Returns: the token data
Raises: keystone.exception.Unauthorized if the token format version isn't supported

keystone.token.providers.fernet.token_formatters module

class keystone.token.providers.fernet.token_formatters.BasePayload[source]

Bases: object

classmethod assemble(*args)[source]

Assemble the payload of a token.

Parameters: args – whatever data should go into the payload
Returns: the payload of a token

classmethod attempt_convert_uuid_bytes_to_hex(value)[source]

Attempt to convert value to hex or return value.

Parameters: value – value to attempt to convert to hex
Returns: uuid value in hex or value

classmethod attempt_convert_uuid_hex_to_bytes(value)[source]

Attempt to convert value to bytes or return value.

Parameters: value – value to attempt to convert to bytes
Returns: uuid value in bytes or value

classmethod convert_uuid_bytes_to_hex(uuid_byte_string)[source]

Generate uuid.hex format based on byte string.

Parameters: uuid_byte_string – uuid byte string to generate from
Returns: uuid hex formatted string

classmethod convert_uuid_hex_to_bytes(uuid_string)[source]

Compress UUID formatted strings to bytes.

Parameters: uuid_string – uuid string to compress to bytes
Returns: a byte representation of the uuid
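The four UUID helpers above exist because a UUID written as 32 hex characters takes twice the space of its 16 raw bytes, and token size matters for a token that travels in an HTTP header. Here is an added, stdlib-only model of those helpers (example code, not Keystone's own implementation); the function names mirror the page, the fallback behaviour for non-UUID identifiers and the roundtrip helper are my assumptions:

```python
import uuid


def convert_uuid_hex_to_bytes(uuid_string):
    """Compress a 32-character hex UUID string into its 16-byte form."""
    return uuid.UUID(hex=uuid_string).bytes


def convert_uuid_bytes_to_hex(uuid_byte_string):
    """Expand a 16-byte UUID back into uuid.hex format (lowercase, no dashes)."""
    return uuid.UUID(bytes=uuid_byte_string).hex


def attempt_convert_uuid_hex_to_bytes(value):
    """Compress value if it parses as a UUID; otherwise return it unchanged.

    Identifiers that are not UUIDs (for example federated or LDAP-sourced
    user IDs, assumed here) must survive the round trip untouched.
    """
    if not isinstance(value, str):
        return value
    try:
        return convert_uuid_hex_to_bytes(value)
    except ValueError:  # not a well-formed UUID: keep the original value
        return value


def attempt_convert_uuid_bytes_to_hex(value):
    """Inverse of attempt_convert_uuid_hex_to_bytes.

    Only a 16-byte bytes value is treated as a compressed UUID; anything else
    (a str, or bytes of another length) is returned as-is.
    """
    if not isinstance(value, bytes) or len(value) != 16:
        return value
    return convert_uuid_bytes_to_hex(value)


def roundtrip(value):
    """Compress then expand a value.

    Returns (compressed, recovered, bytes_saved) so the caller can see both
    the size win for real UUIDs and the pass-through for everything else.
    """
    compressed = attempt_convert_uuid_hex_to_bytes(value)
    recovered = attempt_convert_uuid_bytes_to_hex(compressed)
    return compressed, recovered, len(value) - len(compressed)


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from any real deployment.
    for sample in ("0f4a1b2c3d4e5f60718293a4b5c6d7e8", "federated-user@idp.example"):
        print(sample, "->", roundtrip(sample))
```

One property of this model worth knowing when you write your own variant: uuid.UUID accepts dashed and upper-case input, so a dashed or upper-case ID comes back as lowercase hex without dashes. For IDs that really are UUIDs that is a harmless normalisation; for an opaque ID that merely happens to look like one, it would not be, which is why the type and length checks on the bytes side are strict.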
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

Parameters: payload – this variant of payload
Returns: a tuple of the payload's component data

version = None

class keystone.token.providers.fernet.token_formatters.DomainScopedPayload[source]

Bases: keystone.token.providers.fernet.token_formatters.BasePayload

classmethod assemble(user_id, methods, domain_id, expires_at, audit_ids)[source]

Assemble the payload of a domain-scoped token.

Parameters:
  • user_id – ID of the user in the token request
  • methods – list of authentication methods used
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
Returns:

the payload of a domain-scoped token

classmethod disassemble(payload)[source]

Disassemble a payload into the component data.

Parameters: payload – the payload of a token
Returns: a tuple containing the user_id, auth methods, domain_id, expires_at_str, and audit_ids

version = 1

class keystone.token.providers.fernet.token_formatters.FederatedPayload[source]

Bases: keystone.token.providers.fernet.token_formatters.BasePayload

classmethod assemble(user_id, methods, expires_at, audit_ids, federated_info)[source]

Assemble the payload of a federated token.

Parameters:
  • user_id – ID of the user in the token request
  • methods – list of authentication methods used
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • federated_info – dictionary containing group IDs, the identity provider ID, protocol ID, and federated domain ID
Returns:

the payload of a federated token

classmethod disassemble(payload)[source]

Disassemble a federated payload into the component data.

Parameters: payload – the payload of a federated token
Returns: a tuple containing the user_id, auth methods, audit_ids, and a dictionary containing federated information such as the group IDs, the identity provider ID, the protocol ID, and the federated domain ID

version = 4

class keystone.token.providers.fernet.token_formatters.ProjectScopedPayload[source]

Bases: keystone.token.providers.fernet.token_formatters.BasePayload

classmethod assemble(user_id, methods, project_id, expires_at, audit_ids)[source]

Assemble the payload of a project-scoped token.

Parameters:
  • user_id – ID of the user in the token request
  • methods – list of authentication methods used
  • project_id – ID of the project to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
Returns:

the payload of a project-scoped token

classmethod disassemble(payload)[source]

Disassemble a payload into the component data.

Parameters: payload – the payload of a token
Returns: a tuple containing the user_id, auth methods, project_id, expires_at_str, and audit_ids

version = 2

class keystone.token.providers.fernet.token_formatters.TokenFormatter[source]

Bases: object

Packs and unpacks payloads into tokens for transport.

create_token(user_id, expires_at, audit_ids, methods=None, domain_id=None, project_id=None, trust_id=None, federated_info=None)[source]

Given a set of payload attributes, generate a Fernet token.

classmethod creation_time(fernet_token)[source]

Return the creation time of a valid Fernet token.

crypto[source]

Return a cryptography instance.

You can extend this class with a custom crypto @property to provide your own token encoding and decoding, for example to use a different cryptography library (e.g. python-keyczar) or to meet specific security requirements.

This @property just needs to return an object that implements encrypt(plaintext) and decrypt(ciphertext).

pack(payload)[source]

Pack a payload for transport as a token.

unpack(token)[source]

Unpack a token, and validate the payload.

validate_token(token)[source]

Validate a Fernet token and return the payload attributes.

class keystone.token.providers.fernet.token_formatters.TrustScopedPayload[source]

Bases: keystone.token.providers.fernet.token_formatters.BasePayload

classmethod assemble(user_id, methods, project_id, expires_at, audit_ids, trust_id)[source]

Assemble the payload of a trust-scoped token.

Parameters:
  • user_id – ID of the user in the token request
  • methods – list of authentication methods used
  • project_id – ID of the project to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
Returns:

the payload of a trust-scoped token

classmethod disassemble(payload)[source]

Disassemble a trust-scoped payload into the component data.

Parameters: payload – the payload of a trust-scoped token
Returns: a tuple containing the user_id, auth methods, project_id, expires_at_str, audit_ids, and trust_id

version = 3

class keystone.token.providers.fernet.token_formatters.UnscopedPayload[source]

Bases: keystone.token.providers.fernet.token_formatters.BasePayload

classmethod assemble(user_id, methods, expires_at, audit_ids)[source]

Assemble the payload of an unscoped token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
Returns:

the payload of an unscoped token

classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

Parameters: payload – the payload of an unscoped token
Returns: a tuple containing the user_id, auth methods, expires_at, and audit_ids

version = 0

keystone.token.providers.fernet.utils module

keystone.token.providers.fernet.utils.create_key_directory(keystone_user_id=None, keystone_group_id=None)[source]

If the configured key directory does not exist, attempt to create it.

keystone.token.providers.fernet.utils.initialize_key_repository(keystone_user_id=None, keystone_group_id=None)[source]

Create a key repository and bootstrap it with a key.

Parameters:
  • keystone_user_id – User ID of the Keystone user.
  • keystone_group_id – Group ID of the Keystone user.

keystone.token.providers.fernet.utils.load_keys()[source]

Load keys from disk into a list.

The first key in the list is the primary key used for encryption. All other keys are active secondary keys that can be used for decrypting tokens.

keystone.token.providers.fernet.utils.rotate_keys(keystone_user_id=None, keystone_group_id=None)[source]

Create a new primary key and revoke excess active keys.

Parameters:
  • keystone_user_id – User ID of the Keystone user.
  • keystone_group_id – Group ID of the Keystone user.

Key rotation utilizes the following behaviors:

  • The highest key number is used as the primary key (used for encryption).
  • All keys can be used for decryption.
  • New keys are always created as key "0", which serves as a placeholder before promoting it to be the primary key.

This strategy allows you to safely perform rotation on one node in a cluster, before syncing the results of the rotation to all other nodes (during both key rotation and synchronization, all nodes must recognize all primary keys).
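The three rotation rules above and the load_keys ordering (primary first, every other key usable for decryption) are easy to get subtly wrong when re-implementing or auditing a deployment, so here is an added, stdlib-only model of the key repository (example code, not Keystone's utils module). It assumes key files are named by integer, that key 0 is the staged key, and a limit I have called max_active_keys, after Keystone's configuration option of that name, which counts the staged, primary and secondary keys together; key material is opaque bytes here rather than real Fernet keys, and the 0o600 file mode is my choice:

```python
import os
import shutil
import tempfile


def _key_numbers(key_repository):
    """Key files are named by integer; ignore anything else in the directory."""
    return sorted(int(n) for n in os.listdir(key_repository) if n.isdigit())


def _write_key(key_repository, number, key_bytes):
    """Create a key file that must not already exist, readable by the owner only."""
    path = os.path.join(key_repository, str(number))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_bytes)


def rotate_keys(key_repository, max_active_keys, new_key):
    """Promote staged key 0 to the new primary, stage a fresh key 0, and
    revoke the oldest keys beyond max_active_keys. Returns the new primary number."""
    numbers = _key_numbers(key_repository)
    if 0 not in numbers:
        raise RuntimeError("no staged key 0 to promote")
    new_primary = max(numbers) + 1
    # Rule 1: the highest key number is the primary, so the staged key
    # becomes primary simply by renaming it to max + 1.
    os.rename(os.path.join(key_repository, "0"),
              os.path.join(key_repository, str(new_primary)))
    # Rule 3: a new key is always created as key 0, the placeholder for
    # the next rotation.
    _write_key(key_repository, 0, new_key())
    # Revoke excess keys, oldest first; never the staged key or the primary.
    numbers = _key_numbers(key_repository)
    removable = [n for n in numbers if n not in (0, new_primary)]
    while len(numbers) > max_active_keys and removable:
        oldest = removable.pop(0)
        os.remove(os.path.join(key_repository, str(oldest)))
        numbers.remove(oldest)
    return new_primary


def initialize_key_repository(key_repository, new_key, max_active_keys=3):
    """Bootstrap an empty repository: stage key 0, then rotate once so the
    repository holds a primary (1) and a freshly staged key (0)."""
    if _key_numbers(key_repository):
        return  # already bootstrapped; never clobber existing keys
    _write_key(key_repository, 0, new_key())
    rotate_keys(key_repository, max_active_keys, new_key)


def load_keys(key_repository):
    """Primary (highest-numbered) key first, then every other key, staged key last.
    A MultiFernet-style consumer encrypts with keys[0] and tries all for decryption
    (rule 2: all keys can be used for decryption)."""
    keys = []
    for n in sorted(_key_numbers(key_repository), reverse=True):
        with open(os.path.join(key_repository, str(n)), "rb") as f:
            keys.append(f.read())
    return keys


def demo(rotations=3, max_active_keys=3):
    """Run a bootstrap plus several rotations in a temp dir, returning the
    key-number layout after each step and the final load_keys() order."""
    counter = [0]

    def new_key():  # deterministic constructed key material, not real keys
        counter[0] += 1
        return b"key-%02d" % counter[0]

    repo = tempfile.mkdtemp()
    try:
        initialize_key_repository(repo, new_key, max_active_keys)
        history = [_key_numbers(repo)]
        for _ in range(rotations):
            rotate_keys(repo, max_active_keys, new_key)
            history.append(_key_numbers(repo))
        return history, load_keys(repo)
    finally:
        shutil.rmtree(repo)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the layout moving from [0, 1] to [0, 1, 2], then [0, 2, 3] and [0, 3, 4] as the oldest secondary is revoked each time the limit is exceeded. The ordering from load_keys is what makes the single-node rotation safe: a node that has only synced the repository can still decrypt tokens issued by a node that already promoted the staged key, because the staged key is in its decryption list even though it is not yet primary there.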

keystone.token.providers.fernet.utils.validate_key_repository()[source]

Validate permissions on the key repository directory.

Module contents