keystone.token.providers.fernet package

Submodules

keystone.token.providers.fernet.core module

keystone.token.providers.fernet.token_formatters module
class keystone.token.providers.fernet.token_formatters.BasePayload
    Bases: object

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)
        Assemble the payload of a token.

        Parameters:
            - user_id – identifier of the user in the token request
            - methods – list of authentication methods used
            - project_id – ID of the project to scope to
            - domain_id – ID of the domain to scope to
            - expires_at – datetime of the token's expiration
            - audit_ids – list of the token's audit IDs
            - trust_id – ID of the trust in effect
            - federated_info – dictionary containing group IDs, the identity provider ID, protocol ID, and federated domain ID
            - access_token_id – ID of the secret in OAuth1 authentication
        Returns: the payload of a token

    classmethod attempt_convert_uuid_hex_to_bytes(value)
        Attempt to convert value to bytes, or return value unchanged if it is not a UUID.

        Parameters: value – value to attempt to convert to bytes
        Returns: a tuple of (boolean indicating whether the value was stored as bytes, the UUID as bytes or the original value)

    classmethod convert_uuid_bytes_to_hex(uuid_byte_string)
        Generate the uuid.hex format from a byte string.

        Parameters: uuid_byte_string – the 16-byte representation of the UUID
        Returns: uuid hex formatted string

    classmethod convert_uuid_hex_to_bytes(uuid_string)
        Compress a UUID formatted string to bytes.

        Parameters: uuid_string – uuid string to compress to bytes
        Returns: a byte representation of the uuid

    classmethod create_arguments_apply(**kwargs)
        Check the arguments to see if they apply to this payload variant.

        Returns: True if the arguments indicate that this payload class is needed for the token, otherwise False.
        Return type: bool

    classmethod disassemble(payload)
        Disassemble a payload into its component data.

        The tuple consists of:
            (user_id, methods, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_info, access_token_id)

        - methods are the auth methods.
        - federated_info is a dict containing the group IDs, the identity provider ID, the protocol ID, and the federated domain ID.

        Fields will be set to None if they didn't apply to this payload type.

        Parameters: payload – this variant of payload
        Returns: a tuple of the payload's component data

    version = None
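The hex/bytes compression and its fallback, as an added example (this is not keystone's code; the three function names mirror the classmethods documented above, while pack_id, unpack_id and round_trip are this example's own helpers that model the (stored_as_bytes, value) pair a payload carries for an identifier):

```python
import uuid

# Added example: the UUID compression that keeps payloads small. Not keystone's
# code; pack_id/unpack_id/round_trip are this example's own helpers.


def convert_uuid_hex_to_bytes(uuid_string):
    """Compress a 32-character hex UUID to its 16 raw bytes."""
    return uuid.UUID(hex=uuid_string).bytes


def convert_uuid_bytes_to_hex(uuid_byte_string):
    """Expand 16 raw bytes back to the uuid.hex spelling (no hyphens)."""
    return uuid.UUID(bytes=uuid_byte_string).hex


def attempt_convert_uuid_hex_to_bytes(value):
    """Return (True, bytes) for a UUID, or (False, value) for anything else.

    IDs that are not UUIDs (federated users, LDAP-backed identities) must
    survive the round trip verbatim, so the flag travels with the value.
    """
    if not isinstance(value, str):
        return False, value
    try:
        return True, convert_uuid_hex_to_bytes(value)
    except ValueError:
        return False, value


def pack_id(value):
    """Model the payload entry for one identifier."""
    return attempt_convert_uuid_hex_to_bytes(value)


def unpack_id(entry):
    stored_as_bytes, value = entry
    return convert_uuid_bytes_to_hex(value) if stored_as_bytes else value


def round_trip(value):
    # Caveat: uuid.UUID(hex=...) also accepts hyphenated, braced and urn:
    # spellings, so those come back canonicalised to uuid.hex. That is fine
    # for IDs keystone generates as uuid4().hex, but lossy for any other
    # spelling of a UUID used as an identifier.
    return unpack_id(pack_id(value))
```

The flag is what makes non-UUID identifiers safe: a federated user ID such as `alice@idp.example` is stored as-is and is never mistaken for compressed bytes on the way back out.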
class keystone.token.providers.fernet.token_formatters.DomainScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.BasePayload

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)

    version = 1

class keystone.token.providers.fernet.token_formatters.FederatedDomainScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.FederatedScopedPayload

    version = 6

class keystone.token.providers.fernet.token_formatters.FederatedProjectScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.FederatedScopedPayload

    version = 5

class keystone.token.providers.fernet.token_formatters.FederatedScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.FederatedUnscopedPayload

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)

    version = None

class keystone.token.providers.fernet.token_formatters.FederatedUnscopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.BasePayload

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)

    version = 4

class keystone.token.providers.fernet.token_formatters.OauthScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.BasePayload

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)

    version = 7

class keystone.token.providers.fernet.token_formatters.ProjectScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.BasePayload

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)

    version = 2
class keystone.token.providers.fernet.token_formatters.TokenFormatter
    Bases: object

    Packs and unpacks payloads into tokens for transport.

    create_token(user_id, expires_at, audit_ids, methods=None, domain_id=None, project_id=None, trust_id=None, federated_info=None, access_token_id=None)
        Given a set of payload attributes, generate a Fernet token.

    crypto
        Return a cryptography instance.

        You can extend this class with a custom crypto @property to provide your own token encoding / decoding, for example to use a different cryptography library (e.g. python-keyczar) or to meet arbitrary security requirements. This @property just needs to return an object that implements encrypt(plaintext) and decrypt(ciphertext). Whatever object it returns must provide authenticated encryption, as Fernet does: the user ID, scope and expiry live in the payload, so a decrypt() that accepts tampered ciphertext lets a client forge any of them.
class keystone.token.providers.fernet.token_formatters.TrustScopedPayload
    Bases: keystone.token.providers.fernet.token_formatters.BasePayload

    classmethod assemble(user_id, methods, project_id, domain_id, expires_at, audit_ids, trust_id, federated_info, access_token_id)

    version = 3
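How the variants above fit together, as an added example rather than keystone's own code: each class states which scope arguments it needs, create_arguments_apply selects the most specific variant that applies, the version number leads the payload so the reader can dispatch before trusting anything else, and disassemble returns None for fields the variant does not carry. The version numbers are the ones listed on this page; the unscoped variant (version 0), the precedence order, and the list layout [version, user_id, methods, expires_at, audit_ids, scope fields...] are this example's own assumptions, as are build_payload, parse_payload, version_known and SAMPLE_EXPIRES_AT.

```python
import datetime

# Added example, not keystone's code. Versions 1..7 are from the page; version
# 0 for unscoped tokens, the precedence order and the list layout are assumed.


class BasePayload:
    version = None
    scope_fields = ()  # scope arguments this variant carries, in payload order

    @classmethod
    def create_arguments_apply(cls, **kwargs):
        """True if every scope argument this variant needs was supplied."""
        return all(kwargs.get(name) is not None for name in cls.scope_fields)

    @classmethod
    def assemble(cls, user_id, methods, project_id, domain_id, expires_at,
                 audit_ids, trust_id, federated_info, access_token_id):
        scope = {"project_id": project_id, "domain_id": domain_id,
                 "trust_id": trust_id, "federated_info": federated_info,
                 "access_token_id": access_token_id}
        # Version tag first: the reader picks the class before parsing the rest.
        return ([cls.version, user_id, list(methods), expires_at.timestamp(),
                 list(audit_ids)] + [scope[name] for name in cls.scope_fields])

    @classmethod
    def disassemble(cls, payload):
        """Return the nine-field tuple; fields this variant lacks are None."""
        _version, user_id, methods, expires_ts, audit_ids, *values = payload
        if len(values) != len(cls.scope_fields):
            raise ValueError("payload length does not match variant")
        scope = dict(zip(cls.scope_fields, values))
        expires_at_str = datetime.datetime.fromtimestamp(
            expires_ts, tz=datetime.timezone.utc).isoformat()
        return (user_id, methods, scope.get("project_id"), scope.get("domain_id"),
                expires_at_str, audit_ids, scope.get("trust_id"),
                scope.get("federated_info"), scope.get("access_token_id"))


class UnscopedPayload(BasePayload):
    version = 0  # assumed; this page does not list the unscoped variant


class DomainScopedPayload(BasePayload):
    version, scope_fields = 1, ("domain_id",)


class ProjectScopedPayload(BasePayload):
    version, scope_fields = 2, ("project_id",)


class TrustScopedPayload(BasePayload):
    version, scope_fields = 3, ("project_id", "trust_id")


class FederatedUnscopedPayload(BasePayload):
    version, scope_fields = 4, ("federated_info",)


class FederatedProjectScopedPayload(BasePayload):
    version, scope_fields = 5, ("project_id", "federated_info")


class FederatedDomainScopedPayload(BasePayload):
    version, scope_fields = 6, ("domain_id", "federated_info")


class OauthScopedPayload(BasePayload):
    version, scope_fields = 7, ("project_id", "access_token_id")


# Most specific variant first; the first class whose arguments apply wins.
PAYLOAD_CLASSES = [OauthScopedPayload, TrustScopedPayload,
                   FederatedProjectScopedPayload, FederatedDomainScopedPayload,
                   FederatedUnscopedPayload, ProjectScopedPayload,
                   DomainScopedPayload, UnscopedPayload]
PAYLOAD_CLASS_BY_VERSION = {cls.version: cls for cls in PAYLOAD_CLASSES}
SAMPLE_EXPIRES_AT = datetime.datetime(2030, 1, 1, tzinfo=datetime.timezone.utc)


def build_payload(user_id, methods, expires_at, audit_ids, **scope):
    """Select the variant from the supplied scope arguments and assemble it."""
    kwargs = {"project_id": None, "domain_id": None, "trust_id": None,
              "federated_info": None, "access_token_id": None}
    unknown = set(scope) - set(kwargs)
    if unknown:
        raise ValueError("unknown scope arguments: %s" % sorted(unknown))
    kwargs.update(scope)
    for cls in PAYLOAD_CLASSES:
        if cls.create_arguments_apply(**kwargs):
            return cls.assemble(user_id, methods, expires_at=expires_at,
                                audit_ids=audit_ids, **kwargs)
    raise ValueError("no payload variant applies")


def version_known(payload):
    return bool(payload) and payload[0] in PAYLOAD_CLASS_BY_VERSION


def parse_payload(payload):
    """Dispatch on the version tag; an unknown version is rejected, not guessed."""
    if not version_known(payload):
        raise ValueError("unrecognised payload version")
    return PAYLOAD_CLASS_BY_VERSION[payload[0]].disassemble(payload)
```

Two details carry the security weight here: the precedence order means a request carrying both a trust ID and a project ID is packed as trust-scoped, never downgraded to a plain project scope, and an unrecognised version is rejected outright rather than parsed with the nearest layout.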
keystone.token.providers.fernet.utils module

keystone.token.providers.fernet.utils.create_key_directory(keystone_user_id=None, keystone_group_id=None)
    If the configured key directory does not exist, attempt to create it.

keystone.token.providers.fernet.utils.initialize_key_repository(keystone_user_id=None, keystone_group_id=None)
    Create a key repository and bootstrap it with a key.

    Parameters:
        - keystone_user_id – User ID of the Keystone user.
        - keystone_group_id – Group ID of the Keystone user.

keystone.token.providers.fernet.utils.load_keys()
    Load keys from disk into a list.

    The first key in the list is the primary key used for encryption. All other keys are active secondary keys that can be used for decrypting tokens.

keystone.token.providers.fernet.utils.rotate_keys(keystone_user_id=None, keystone_group_id=None)
    Create a new primary key and revoke excess active keys.

    Parameters:
        - keystone_user_id – User ID of the Keystone user.
        - keystone_group_id – Group ID of the Keystone user.

    Key rotation utilizes the following behaviors:
        - The highest key number is used as the primary key (used for encryption).
        - All keys can be used for decryption.
        - New keys are always created as key “0”, which serves as a placeholder before being promoted to the primary key.

    This strategy allows you to safely perform rotation on one node in a cluster before syncing the results of the rotation to all other nodes: the staged key “0” was already distributed by the previous sync, so every node can decrypt tokens issued under the new primary key from the moment it is promoted (during both key rotation and synchronization, all nodes must recognize all primary keys).
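The staged-key rotation described above, written against a plain directory as an added example (not keystone's utils module): the repository path is passed in rather than read from configuration, the chown to the keystone user and group is omitted, max_active_keys is this example's own parameter, and run_demo is a helper that bootstraps a temporary repository and rotates it twice so the promotion and pruning can be observed.

```python
import base64
import os
import tempfile

# Added example, not keystone's code: staged key 0, highest number is primary,
# every key decrypts, oldest keys pruned to max_active_keys (assumed parameter).


def new_fernet_key():
    """32 random bytes, url-safe base64: the key form Fernet consumes."""
    return base64.urlsafe_b64encode(os.urandom(32))


def key_numbers(key_repository):
    """Map key number to path, ignoring files whose names are not integers."""
    keys = {}
    for name in os.listdir(key_repository):
        try:
            keys[int(name)] = os.path.join(key_repository, name)
        except ValueError:
            continue
    return keys


def write_key(path, key):
    # Create-exclusive with mode 0600: never overwrite an existing key, and
    # keep key material unreadable by other local users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)


def initialize_key_repository(key_repository):
    """Bootstrap with a staged key 0 and a first primary key 1."""
    os.makedirs(key_repository, mode=0o700, exist_ok=True)
    write_key(os.path.join(key_repository, "0"), new_fernet_key())
    write_key(os.path.join(key_repository, "1"), new_fernet_key())


def load_keys(key_repository):
    """Highest-numbered key first: it encrypts; every key may decrypt."""
    files = key_numbers(key_repository)
    keys = []
    for number in sorted(files, reverse=True):
        with open(files[number], "rb") as fh:
            keys.append(fh.read().strip())
    return keys


def rotate_keys(key_repository, max_active_keys=3):
    """Promote staged key 0 to primary, stage a fresh 0, prune the oldest keys."""
    if max_active_keys < 2:
        raise ValueError("need room for at least the staged key and the primary")
    files = key_numbers(key_repository)
    if 0 not in files:
        raise RuntimeError("no staged key 0: repository was not synced or was tampered with")
    new_primary = max(files) + 1
    # Key 0 was already synced to every node, so tokens encrypted under
    # new_primary are decryptable cluster-wide the moment it is promoted.
    os.rename(files[0], os.path.join(key_repository, str(new_primary)))
    write_key(os.path.join(key_repository, "0"), new_fernet_key())
    # Revoke the lowest-numbered keys until the repository is within budget;
    # the staged key and the primary are never removed.
    numbered = sorted(n for n in key_numbers(key_repository) if n != 0)
    while len(numbered) + 1 > max_active_keys:
        os.remove(os.path.join(key_repository, str(numbered.pop(0))))
    return new_primary


def run_demo(max_active_keys=3):
    """Bootstrap a temporary repository, rotate twice, report what remained."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    initialize_key_repository(repo)
    history = [sorted(key_numbers(repo))]
    for _ in range(2):
        rotate_keys(repo, max_active_keys)
        history.append(sorted(key_numbers(repo)))
    files = key_numbers(repo)
    with open(files[max(files)], "rb") as fh:
        primary_is_first = load_keys(repo)[0] == fh.read()
    return history, primary_is_first
```

With a budget of three keys the repository goes from {0, 1} to {0, 1, 2} and then to {0, 2, 3}: key 1 is revoked on the second rotation, so tokens encrypted under it stop validating everywhere once the sync lands, which is the point at which rotation actually retires a compromised key.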