middleware Package

auth_token Module

TOKEN-BASED AUTH MIDDLEWARE

This WSGI component:

  • Verifies that incoming client requests have valid tokens by validating tokens with the auth service.
  • Rejects unauthenticated requests UNLESS it is in ‘delay_auth_decision’ mode, which means the final decision is delegated to the downstream WSGI component (usually the OpenStack service).
  • Collects and forwards identity information based on a valid token, such as user name, tenant, etc.

Refer to: http://docs.openstack.org/developer/python-keystoneclient/middlewarearchitecture.html

HEADERS

  • Headers starting with HTTP_ are standard HTTP headers
  • Headers starting with HTTP_X are extended HTTP headers

Coming in from initial call from client or customer

HTTP_X_AUTH_TOKEN
The client token being passed in.
HTTP_X_STORAGE_TOKEN
The client token being passed in (legacy Rackspace use) to support swift/cloud files

Used for communication between components

WWW-Authenticate
HTTP header returned to a user indicating which endpoint to use to retrieve a new token

What we add to the request for use by the OpenStack service

HTTP_X_IDENTITY_STATUS
‘Confirmed’ or ‘Invalid’. The underlying service will only see a value of ‘Invalid’ if the middleware is configured to run in ‘delay_auth_decision’ mode.
HTTP_X_DOMAIN_ID
Identity service managed unique identifier, string. Only present if this is a domain-scoped v3 token.
HTTP_X_DOMAIN_NAME
Unique domain name, string. Only present if this is a domain-scoped v3 token.
HTTP_X_PROJECT_ID
Identity service managed unique identifier, string. Only present if this is a project-scoped v3 token, or a tenant-scoped v2 token.
HTTP_X_PROJECT_NAME
Project name, unique within owning domain, string. Only present if this is a project-scoped v3 token, or a tenant-scoped v2 token.
HTTP_X_PROJECT_DOMAIN_ID
Identity service managed unique identifier of owning domain of project, string. Only present if this is a project-scoped v3 token. If this variable is set, this indicates that the PROJECT_NAME can only be assumed to be unique within this domain.
HTTP_X_PROJECT_DOMAIN_NAME
Name of owning domain of project, string. Only present if this is a project-scoped v3 token. If this variable is set, this indicates that the PROJECT_NAME can only be assumed to be unique within this domain.
HTTP_X_USER_ID
Identity-service managed unique identifier, string
HTTP_X_USER_NAME
User identifier, unique within owning domain, string
HTTP_X_USER_DOMAIN_ID
Identity service managed unique identifier of owning domain of user, string. If this variable is set, this indicates that the USER_NAME can only be assumed to be unique within this domain.
HTTP_X_USER_DOMAIN_NAME
Name of owning domain of user, string. If this variable is set, this indicates that the USER_NAME can only be assumed to be unique within this domain.
HTTP_X_ROLES
Comma delimited list of case-sensitive role names
HTTP_X_SERVICE_CATALOG
json encoded keystone service catalog (optional).
HTTP_X_TENANT_ID
Deprecated in favor of HTTP_X_PROJECT_ID. Identity service managed unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID.
HTTP_X_TENANT_NAME
Deprecated in favor of HTTP_X_PROJECT_NAME. Project identifier, unique within owning domain, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_NAME.
HTTP_X_TENANT
Deprecated in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME. Keystone-assigned unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID.
HTTP_X_USER
Deprecated in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME. User name, unique within owning domain, string.
HTTP_X_ROLE
Deprecated in favor of HTTP_X_ROLES. Will contain the same values as HTTP_X_ROLES.

OTHER ENVIRONMENT VARIABLES

keystone.token_info
Information about the token discovered in the process of validation. This may include extended information returned by the Keystone token validation call, as well as basic information about the tenant and user.
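As an added illustration (not code from python-keystoneclient), a minimal downstream WSGI application that consumes the headers listed above. It assumes auth_token is deployed in front of it, and the identity endpoint URL and the format of the WWW-Authenticate value are assumptions.

```python
# Added example, not part of python-keystoneclient: a downstream WSGI app
# that consumes the headers auth_token sets.  It assumes auth_token runs in
# front of it (otherwise these headers are client-controlled and must not be
# trusted).  IDENTITY_URL is a placeholder value.
IDENTITY_URL = 'https://identity.example.invalid:5000'  # placeholder

def parse_roles(environ):
    # HTTP_X_ROLES is a comma-delimited list of case-sensitive role names.
    raw = environ.get('HTTP_X_ROLES', '')
    return [r.strip() for r in raw.split(',') if r.strip()]

def identity_from_environ(environ):
    # 'Invalid' only reaches the service in delay_auth_decision mode, so the
    # decision to reject is made here.  Anything other than 'Confirmed' is
    # treated as unauthenticated.
    if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
        return None
    return {
        'user_id': environ.get('HTTP_X_USER_ID'),
        'user_name': environ.get('HTTP_X_USER_NAME'),
        # Names are only unique within a domain; key on the IDs.
        'user_domain_id': environ.get('HTTP_X_USER_DOMAIN_ID'),
        # Absent for unscoped and domain-scoped tokens.
        'project_id': environ.get('HTTP_X_PROJECT_ID'),
        'project_domain_id': environ.get('HTTP_X_PROJECT_DOMAIN_ID'),
        'roles': parse_roles(environ),
    }

def authorize(environ, required_role):
    # Returns (status, identity): 401 when the token was not confirmed,
    # 403 when it is valid but lacks the required role.
    ident = identity_from_environ(environ)
    if ident is None:
        return '401 Unauthorized', None
    if required_role not in ident['roles']:
        return '403 Forbidden', ident
    return '200 OK', ident

def app(environ, start_response):
    status, ident = authorize(environ, 'admin')
    headers = [('Content-Type', 'text/plain')]
    if ident is None:
        # Tell the client where to obtain a new token, as auth_token does
        # (the value format here is an assumption).
        headers.append(('WWW-Authenticate', 'Keystone uri="%s"' % IDENTITY_URL))
    start_response(status, headers)
    who = '' if ident is None else ' user=%s project=%s' % (
        ident['user_id'], ident['project_id'])
    return [(status + who).encode('utf-8')]
```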

class keystoneclient.middleware.auth_token.AuthProtocol(app, conf)

Bases: object

Auth Middleware that handles authenticating client calls.

cms_verify(data)

Verifies the signature of the provided data in accordance with CMS syntax.

If either of the certificate files might be missing, fetch them and retry.

fetch_ca_cert()
fetch_revocation_list(retry=True)
fetch_signing_cert()
get_admin_token()

Return admin token, possibly fetching a new one.

If self.admin_token_expiry was set when an admin token was fetched, check it for expiration and request a new token if the existing token is about to expire.

Returns:

admin token id

Raises:

ServiceError when unable to retrieve token from keystone

is_signed_token_revoked(signed_text)

Indicate whether the token appears in the revocation list.

token_revocation_list
token_revocation_list_fetched_time
verify_signed_token(signed_text)

Check that the token is unrevoked and has a valid signature.

verify_signing_dir()
verify_uuid_token(user_token, retry=True)

Authenticate user token with keystone.

Parameters:
  • user_token – user’s token id
  • retry – flag that forces the middleware to retry user authentication when an indeterminate response is received. Optional.
Returns:

token object received from keystone on success

Raises:
  • InvalidUserToken – if token is rejected
  • ServiceError – if unable to authenticate token

class keystoneclient.middleware.auth_token.BIND_MODE
DISABLED = 'disabled'
KERBEROS = 'kerberos'
PERMISSIVE = 'permissive'
REQUIRED = 'required'
STRICT = 'strict'
class keystoneclient.middleware.auth_token.CachePool(cache, memcached_servers)

Bases: list

A lazy pool of cache references.

reserve(*args, **kwds)

Context manager to manage a pooled cache reference.

exception keystoneclient.middleware.auth_token.ConfigurationError

Bases: exceptions.Exception

exception keystoneclient.middleware.auth_token.InvalidUserToken

Bases: exceptions.Exception

class keystoneclient.middleware.auth_token.MiniResp(error_message, env, headers=[])

Bases: object

exception keystoneclient.middleware.auth_token.NetworkError

Bases: exceptions.Exception

exception keystoneclient.middleware.auth_token.ServiceError

Bases: exceptions.Exception

keystoneclient.middleware.auth_token.app_factory(global_conf, **local_conf)
keystoneclient.middleware.auth_token.confirm_token_not_expired(data)
keystoneclient.middleware.auth_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.

keystoneclient.middleware.auth_token.safe_quote(s)

URL-encode strings that are not already URL-encoded.

keystoneclient.middleware.auth_token.will_expire_soon(expiry)

Determines if expiration is about to occur.

Parameters: expiry – a datetime of the expected expiration
Returns: boolean: true if expiration is within 30 seconds

memcache_crypt Module

Utilities for memcache encryption and integrity check.

Data should be serialized before entering these functions. Encryption depends on pycrypto. If pycrypto is not available, CryptoUnavailableError will be raised.

This module will not be called unless signing or encryption is enabled in the config. It will always validate signatures, and will decrypt data if encryption is enabled. It is not valid to mix protection modes.

exception keystoneclient.middleware.memcache_crypt.CryptoUnavailableError

Bases: exceptions.Exception

Raised when the Python Crypto module is not available.

exception keystoneclient.middleware.memcache_crypt.DecryptError

Bases: exceptions.Exception

Raised when unable to decrypt encrypted data.

exception keystoneclient.middleware.memcache_crypt.InvalidMacError

Bases: exceptions.Exception

Raised when unable to verify MACed data.

This usually indicates that data had been unexpectedly modified in memcache.

keystoneclient.middleware.memcache_crypt.assert_crypto_availability(f)

Ensure Crypto module is available.

keystoneclient.middleware.memcache_crypt.constant_time_compare(first, second)

Returns True if both string inputs are equal, otherwise False.

This function should take a constant amount of time regardless of how many characters in the strings match.

keystoneclient.middleware.memcache_crypt.decrypt_data(*args, **kwds)

Decrypt the data with the given secret key.

keystoneclient.middleware.memcache_crypt.derive_keys(token, secret, strategy)

Derives keys for MAC and ENCRYPTION from the user-provided secret. The resulting keys should be passed to the protect and unprotect functions.

As suggested by NIST Special Publication 800-108, this uses the first 128 bits from the sha384 KDF for the obscured cache key value, the second 128 bits for the message authentication key and the remaining 128 bits for the encryption key.

This approach is faster than computing a separate hmac as the KDF for each desired key.

keystoneclient.middleware.memcache_crypt.encrypt_data(*args, **kwds)

Encrypt the data with the given secret key.

Padding is n bytes of the value n, where 1 <= n <= blocksize.

keystoneclient.middleware.memcache_crypt.get_cache_key(keys)

Given keys generated by derive_keys(), returns a base64 encoded value suitable for use as a cache key in memcached.

keystoneclient.middleware.memcache_crypt.protect_data(keys, data)

Given keys and serialized data, returns an appropriately protected string suitable for storage in the cache.

keystoneclient.middleware.memcache_crypt.sign_data(key, data)

Sign the data using the defined function and the derived key.

keystoneclient.middleware.memcache_crypt.unprotect_data(keys, signed_data)

Given keys and cached string data, verifies the signature, decrypts if necessary, and returns the original serialized data.
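An added example (not the project's own code) that carries through the derive_keys() split described above, the padding rule documented for encrypt_data(), and MAC-only protect_data()/unprotect_data() built on them. The exact HMAC inputs, the use of sha384 for the MAC, and the MAC-then-data base64 layout are assumptions; the AES step of the encryption strategy is omitted so the block runs with the standard library alone.

```python
# Added example, not python-keystoneclient's own code.  HMAC inputs, MAC
# digest and the MAC||data layout are assumptions; only the MAC strategy is
# implemented (encryption would wrap pad(data) in AES before signing).
import base64
import hashlib
import hmac

class InvalidMacError(Exception):
    """Raised when the MAC over cached data does not verify."""

def derive_keys(token, secret, strategy):
    # One sha384 digest yields 48 bytes: the first 16 become the obscured
    # cache key, the next 16 the MAC key, the remaining 16 the encryption key.
    digest = hmac.new(secret, token + strategy, hashlib.sha384).digest()
    return {'CACHE_KEY': digest[:16], 'MAC': digest[16:32],
            'ENCRYPTION': digest[32:48], 'strategy': strategy}

def get_cache_key(keys):
    # The real token never appears as a memcache key, only this derived value.
    return base64.b64encode(keys['CACHE_KEY'])

def pad(data, blocksize=16):
    # n bytes of value n, 1 <= n <= blocksize (a full block if already aligned).
    n = blocksize - (len(data) % blocksize)
    return data + bytes([n]) * n

def unpad(data, blocksize=16):
    # Reject malformed padding instead of silently truncating.
    if not data or len(data) % blocksize:
        raise ValueError('bad padded length')
    n = data[-1]
    if not 1 <= n <= blocksize or data[-n:] != bytes([n]) * n:
        raise ValueError('bad padding')
    return data[:-n]

def sign_data(key, data):
    return hmac.new(key, data, hashlib.sha384).digest()

def protect_data(keys, data):
    # MAC strategy: authenticate the serialized data, then base64 for memcache.
    mac = sign_data(keys['MAC'], data)
    return base64.b64encode(mac + data)

def unprotect_data(keys, signed_data):
    raw = base64.b64decode(signed_data)
    mac, data = raw[:48], raw[48:]
    # Constant-time comparison, as constant_time_compare() requires.
    if not hmac.compare_digest(mac, sign_data(keys['MAC'], data)):
        raise InvalidMacError('data was unexpectedly modified in memcache')
    return data
```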

s3_token Module

S3 TOKEN MIDDLEWARE

This WSGI component:

  • Gets a request from the swift3 middleware with an S3 Authorization access key.
  • Validates the S3 token in Keystone.
  • Transforms the account name to AUTH_%(tenant_name).

class keystoneclient.middleware.s3_token.S3Token(app, conf)

Bases: object

Auth Middleware that handles S3 authenticating client calls.

deny_request(code)
exception keystoneclient.middleware.s3_token.ServiceError

Bases: exceptions.Exception

keystoneclient.middleware.s3_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.

keystoneclient.middleware.s3_token.split_path(path, minsegs=1, maxsegs=None, rest_with_last=False)

Validate and split the given HTTP request path.

Examples:

['a'] = split_path('/a')
['a', None] = split_path('/a', 1, 2)
['a', 'c'] = split_path('/a/c', 1, 2)
['a', 'c', 'o/r'] = split_path('/a/c/o/r', 1, 3, True)
Parameters:
  • path – HTTP Request path to be split
  • minsegs – Minimum number of segments to be extracted
  • maxsegs – Maximum number of segments to be extracted
  • rest_with_last – If True, trailing data will be returned as part of last segment. If False, and there is trailing data, raises ValueError.
Returns:

list of segments with a length of maxsegs (non-existent segments will return as None)

Raises:

ValueError if given an invalid path
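An added re-implementation of split_path() following the documented behaviour above (illustration only, not the project's or swift's own code); the handling of a single trailing slash, and the rejection of empty segments within the first minsegs, are taken from the examples and assumed for the remaining cases.

```python
# Added example, not the project's own code: split_path() as documented above.
def split_path(path, minsegs=1, maxsegs=None, rest_with_last=False):
    """Validate and split an HTTP request path.

    Returns a list of exactly maxsegs entries, padding missing trailing
    segments with None, and raises ValueError for anything that does not
    fit the requested shape.
    """
    if maxsegs is None:
        maxsegs = minsegs
    if minsegs < 1 or minsegs > maxsegs:
        raise ValueError('minsegs > maxsegs: %d > %d' % (minsegs, maxsegs))
    if not path.startswith('/'):
        raise ValueError('Invalid path: %r' % (path,))
    if rest_with_last:
        # Stop splitting after maxsegs pieces so trailing data such as
        # 'o/r' is kept as part of the last segment.
        segs = path[1:].split('/', maxsegs - 1)
    else:
        segs = path[1:].split('/')
        # A single trailing slash is tolerated (assumption); any other
        # trailing data beyond maxsegs is an error.
        if len(segs) == maxsegs + 1 and segs[-1] == '':
            segs.pop()
        if len(segs) > maxsegs:
            raise ValueError('Invalid path: %r' % (path,))
    # The mandatory segments must all be present and non-empty.
    if len(segs) < minsegs or '' in segs[:minsegs]:
        raise ValueError('Invalid path: %r' % (path,))
    return segs + [None] * (maxsegs - len(segs))
```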