3 files changed, 88 insertions, 3 deletions
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index e6557be5..9f6f1972 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -285,6 +285,8 @@ class Auth(controller.V3Controller):
             auth_info = AuthInfo(context, auth=auth)
             auth_context = {'extras': {}, 'method_names': [], 'bind': {}}
             self.authenticate(context, auth_info, auth_context)
+            if auth_context.get('access_token_id'):
+                auth_info.set_scope(None, auth_context['project_id'], None)
             self._check_and_set_default_scoping(auth_info, auth_context)
             (domain_id, project_id, trust) = auth_info.get_scope()
             method_names = auth_info.get_method_names()
diff --git a/keystone/auth/plugins/oauth1.py b/keystone/auth/plugins/oauth1.py
new file mode 100644
index 00000000..ffebd365
--- /dev/null
+++ b/keystone/auth/plugins/oauth1.py
@@ -0,0 +1,80 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone import auth
+from keystone.common import dependency
+from keystone.common import logging
+from keystone.contrib import oauth1
+from keystone.contrib.oauth1 import core as oauth
+from keystone import exception
+from keystone.openstack.common import timeutils
+
+
+METHOD_NAME = 'oauth1'
+LOG = logging.getLogger(__name__)
+
+
+@dependency.requires('oauth_api')
+class OAuth(auth.AuthMethodHandler):
+    def __init__(self):
+        self.oauth_api = oauth1.Manager()
+
+    def authenticate(self, context, auth_info, auth_context):
+        """Turn a signed request with an access key into a keystone token."""
+        headers = context['headers']
+        oauth_headers = oauth.get_oauth_headers(headers)
+        consumer_id = oauth_headers.get('oauth_consumer_key')
+        access_token_id = oauth_headers.get('oauth_token')
+
+        if not access_token_id:
+            raise exception.ValidationError(
+                attribute='oauth_token', target='request')
+
+        acc_token = self.oauth_api.get_access_token(access_token_id)
+        consumer = self.oauth_api._get_consumer(consumer_id)
+
+        expires_at = acc_token['expires_at']
+        if expires_at:
+            now = timeutils.utcnow()
+            expires = timeutils.normalize_time(
+                timeutils.parse_isotime(expires_at))
+            if now > expires:
+                raise exception.Unauthorized(_('Access token is expired'))
+
+        consumer_obj = oauth1.Consumer(key=consumer['id'],
+                                       secret=consumer['secret'])
+        acc_token_obj = oauth1.Token(key=acc_token['id'],
+                                     secret=acc_token['access_secret'])
+
+        url = oauth.rebuild_url(context['path'])
+        oauth_request = oauth1.Request.from_request(
+            http_method='POST',
+            http_url=url,
+            headers=context['headers'],
+            query_string=context['query_string'])
+        oauth_server = oauth1.Server()
+        oauth_server.add_signature_method(oauth1.SignatureMethod_HMAC_SHA1())
+        params = oauth_server.verify_request(oauth_request,
+                                             consumer_obj,
+                                             token=acc_token_obj)
+
+        if len(params) != 0:
+            msg = _('There should not be any non-oauth parameters')
+            raise exception.Unauthorized(message=msg)
+
+        auth_context['user_id'] = acc_token['authorizing_user_id']
+        auth_context['access_token_id'] = access_token_id
+        auth_context['project_id'] = acc_token['project_id']
diff --git a/keystone/auth/plugins/token.py b/keystone/auth/plugins/token.py
index b82c0311..bc7cb1ba 100644
--- a/keystone/auth/plugins/token.py
+++ b/keystone/auth/plugins/token.py
@@ -37,6 +37,12 @@ class Token(auth.AuthMethodHandler):
                                                 target=METHOD_NAME)
             token_id = auth_payload['id']
             token_ref = self.token_api.get_token(token_id)
+            if ('OS-TRUST:trust' in token_ref['token_data']['token'] or
+                    'trust' in token_ref['token_data']['token']):
+                raise exception.Forbidden()
+            if 'OS-OAUTH1' in token_ref['token_data']['token']:
+                raise exception.Forbidden()
+
             wsgi.validate_token_bind(context, token_ref)
             user_context.setdefault(
                 'user_id', token_ref['token_data']['token']['user']['id'])
@@ -48,9 +54,6 @@ class Token(auth.AuthMethodHandler):
                 token_ref['token_data']['token']['extras'])
             user_context['method_names'].extend(
                 token_ref['token_data']['token']['methods'])
-            if ('OS-TRUST:trust' in token_ref['token_data']['token'] or
-                    'trust' in token_ref['token_data']['token']):
-                raise exception.Forbidden()
         except AssertionError as e:
             LOG.error(e)
             raise exception.Unauthorized(e)