Expose token expiration time in tempauth auth response
Previously, we gave no indication of when a token would expire. Users would have to just use it until it stopped working, then re-auth. Now, a successful auth response will include a new header, X-Auth-Token-Expires, with the number of seconds remaining until the token is invalid. This allows the client to attempt to re-auth before sending a request that will definitely fail. For comparison, swauth already uses the X-Auth-Token-Expires header with identical semantics. Additionally, Keystone (v2 and v3) already exposes expiration times in its JSON responses. The security impact should be minimal. Change-Id: I5a4a74276bc0df6dda94e4bc150065c0d77de0eb
This commit is contained in:
parent
6a473e3d7b
commit
bf10974cde
@ -38,6 +38,9 @@ from swift.common.utils import config_read_reseller_options
|
|||||||
from swift.proxy.controllers.base import get_account_info
|
from swift.proxy.controllers.base import get_account_info
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT_TOKEN_LIFE = 86400
|
||||||
|
|
||||||
|
|
||||||
class TempAuth(object):
|
class TempAuth(object):
|
||||||
"""
|
"""
|
||||||
Test authentication and authorization system.
|
Test authentication and authorization system.
|
||||||
@ -181,7 +184,7 @@ class TempAuth(object):
|
|||||||
self.auth_prefix = '/' + self.auth_prefix
|
self.auth_prefix = '/' + self.auth_prefix
|
||||||
if not self.auth_prefix.endswith('/'):
|
if not self.auth_prefix.endswith('/'):
|
||||||
self.auth_prefix += '/'
|
self.auth_prefix += '/'
|
||||||
self.token_life = int(conf.get('token_life', 86400))
|
self.token_life = int(conf.get('token_life', DEFAULT_TOKEN_LIFE))
|
||||||
self.allow_overrides = config_true_value(
|
self.allow_overrides = config_true_value(
|
||||||
conf.get('allow_overrides', 't'))
|
conf.get('allow_overrides', 't'))
|
||||||
self.storage_url_scheme = conf.get('storage_url_scheme', 'default')
|
self.storage_url_scheme = conf.get('storage_url_scheme', 'default')
|
||||||
@ -765,7 +768,8 @@ class TempAuth(object):
|
|||||||
memcache_client.set(memcache_user_key, token,
|
memcache_client.set(memcache_user_key, token,
|
||||||
time=float(expires - time()))
|
time=float(expires - time()))
|
||||||
resp = Response(request=req, headers={
|
resp = Response(request=req, headers={
|
||||||
'x-auth-token': token, 'x-storage-token': token})
|
'x-auth-token': token, 'x-storage-token': token,
|
||||||
|
'x-auth-token-expires': str(int(expires - time()))})
|
||||||
url = self.users[account_user]['url'].replace('$HOST', resp.host_url)
|
url = self.users[account_user]['url'].replace('$HOST', resp.host_url)
|
||||||
if self.storage_url_scheme != 'default':
|
if self.storage_url_scheme != 'default':
|
||||||
url = self.storage_url_scheme + ':' + url.split(':', 1)[1]
|
url = self.storage_url_scheme + ':' + url.split(':', 1)[1]
|
||||||
|
@ -515,7 +515,11 @@ class TestAuth(unittest.TestCase):
|
|||||||
self.assertEqual(resp.status_int, 200)
|
self.assertEqual(resp.status_int, 200)
|
||||||
self.assertTrue(resp.headers['x-storage-url'].endswith('/v1/AUTH_ac'))
|
self.assertTrue(resp.headers['x-storage-url'].endswith('/v1/AUTH_ac'))
|
||||||
self.assertTrue(resp.headers['x-auth-token'].startswith('AUTH_'))
|
self.assertTrue(resp.headers['x-auth-token'].startswith('AUTH_'))
|
||||||
self.assertTrue(len(resp.headers['x-auth-token']) > 10)
|
self.assertEqual(resp.headers['x-auth-token'],
|
||||||
|
resp.headers['x-storage-token'])
|
||||||
|
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||||
|
auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5)
|
||||||
|
self.assertGreater(len(resp.headers['x-auth-token']), 10)
|
||||||
|
|
||||||
def test_use_token_success(self):
|
def test_use_token_success(self):
|
||||||
# Example of how to simulate an authorized request
|
# Example of how to simulate an authorized request
|
||||||
@ -641,11 +645,16 @@ class TestAuth(unittest.TestCase):
|
|||||||
req.environ['SERVER_NAME'] = 'bob'
|
req.environ['SERVER_NAME'] = 'bob'
|
||||||
req.environ['SERVER_PORT'] = '1234'
|
req.environ['SERVER_PORT'] = '1234'
|
||||||
req.environ['swift.cache'].set('AUTH_/user/test:tester', 'uuid_token')
|
req.environ['swift.cache'].set('AUTH_/user/test:tester', 'uuid_token')
|
||||||
|
expires = time() + 180
|
||||||
req.environ['swift.cache'].set('AUTH_/token/uuid_token',
|
req.environ['swift.cache'].set('AUTH_/token/uuid_token',
|
||||||
(time() + 180, 'test,test:tester'))
|
(expires, 'test,test:tester'))
|
||||||
resp = req.get_response(self.test_auth)
|
resp = req.get_response(self.test_auth)
|
||||||
self.assertEqual(resp.status_int, 200)
|
self.assertEqual(resp.status_int, 200)
|
||||||
self.assertEqual(resp.headers['x-auth-token'], 'uuid_token')
|
self.assertEqual(resp.headers['x-auth-token'], 'uuid_token')
|
||||||
|
self.assertEqual(resp.headers['x-auth-token'],
|
||||||
|
resp.headers['x-storage-token'])
|
||||||
|
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||||
|
179.5, delta=0.5)
|
||||||
|
|
||||||
def test_old_token_overdate(self):
|
def test_old_token_overdate(self):
|
||||||
self.test_auth = \
|
self.test_auth = \
|
||||||
@ -664,6 +673,8 @@ class TestAuth(unittest.TestCase):
|
|||||||
self.assertEqual(resp.status_int, 200)
|
self.assertEqual(resp.status_int, 200)
|
||||||
self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token')
|
self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token')
|
||||||
self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk')
|
self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk')
|
||||||
|
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||||
|
auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5)
|
||||||
|
|
||||||
def test_old_token_with_old_data(self):
|
def test_old_token_with_old_data(self):
|
||||||
self.test_auth = \
|
self.test_auth = \
|
||||||
@ -682,6 +693,8 @@ class TestAuth(unittest.TestCase):
|
|||||||
self.assertEqual(resp.status_int, 200)
|
self.assertEqual(resp.status_int, 200)
|
||||||
self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token')
|
self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token')
|
||||||
self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk')
|
self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk')
|
||||||
|
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||||
|
auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5)
|
||||||
|
|
||||||
def test_reseller_admin_is_owner(self):
|
def test_reseller_admin_is_owner(self):
|
||||||
orig_authorize = self.test_auth.authorize
|
orig_authorize = self.test_auth.authorize
|
||||||
|
Loading…
x
Reference in New Issue
Block a user