diff options
Diffstat (limited to 'keystone/auth/plugins/oauth1.py')
-rw-r--r-- | keystone/auth/plugins/oauth1.py | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/keystone/auth/plugins/oauth1.py b/keystone/auth/plugins/oauth1.py new file mode 100644 index 00000000..ffebd365 --- /dev/null +++ b/keystone/auth/plugins/oauth1.py @@ -0,0 +1,80 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2013 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystone import auth +from keystone.common import dependency +from keystone.common import logging +from keystone.contrib import oauth1 +from keystone.contrib.oauth1 import core as oauth +from keystone import exception +from keystone.openstack.common import timeutils + + +METHOD_NAME = 'oauth1' +LOG = logging.getLogger(__name__) + + +@dependency.requires('oauth_api') +class OAuth(auth.AuthMethodHandler): + def __init__(self): + self.oauth_api = oauth1.Manager() + + def authenticate(self, context, auth_info, auth_context): + """Turn a signed request with an access key into a keystone token.""" + headers = context['headers'] + oauth_headers = oauth.get_oauth_headers(headers) + consumer_id = oauth_headers.get('oauth_consumer_key') + access_token_id = oauth_headers.get('oauth_token') + + if not access_token_id: + raise exception.ValidationError( + attribute='oauth_token', target='request') + + acc_token = self.oauth_api.get_access_token(access_token_id) + consumer = self.oauth_api._get_consumer(consumer_id) + + expires_at = acc_token['expires_at'] + if expires_at: + now = timeutils.utcnow() + expires = timeutils.normalize_time( + timeutils.parse_isotime(expires_at)) + if now > expires: + raise exception.Unauthorized(_('Access token is expired')) + + consumer_obj = oauth1.Consumer(key=consumer['id'], + secret=consumer['secret']) + acc_token_obj = oauth1.Token(key=acc_token['id'], + secret=acc_token['access_secret']) + + url = oauth.rebuild_url(context['path']) + oauth_request = oauth1.Request.from_request( + http_method='POST', + http_url=url, + headers=context['headers'], + query_string=context['query_string']) + oauth_server = oauth1.Server() + oauth_server.add_signature_method(oauth1.SignatureMethod_HMAC_SHA1()) + params = oauth_server.verify_request(oauth_request, + consumer_obj, + token=acc_token_obj) + + if len(params) != 0: + msg = _('There should not be any non-oauth parameters') + raise exception.Unauthorized(message=msg) + + auth_context['user_id'] = acc_token['authorizing_user_id'] + auth_context['access_token_id'] = access_token_id + auth_context['project_id'] = acc_token['project_id'] |