keystoneclient.contrib.revoke package
Submodules
keystoneclient.contrib.revoke.model module
class keystoneclient.contrib.revoke.model.RevokeEvent(**kwargs)
Bases: object
key_for_name(name)
to_dict()
class keystoneclient.contrib.revoke.model.RevokeTree(revoke_events=None)
Bases: object
Fast Revocation Checking Tree Structure.
The Tree is an index to quickly match tokens against events. Each node is a hashtable of key=value combinations from revocation events. The
add_event(event)
Update the tree based on a revocation event.
Creates any necessary internal nodes in the tree corresponding to the fields of the revocation event. The leaf node will always be set to the latest ‘issued_before’ for events that are otherwise identical.
Param: Event to add to the tree
Returns: the event that was passed in.
add_events(revoke_events)
is_revoked(token_data)
Check if a token is revoked.
Compare the values for each level of the tree with the values from the token, accounting for attributes that have alternative keys, and for wildcard matches. If there is a match, continue down the tree. If there is no match, exit early.
token_data is a map based on a flattened view of the token. The required fields are:
‘expires_at’, ‘user_id’, ‘project_id’, ‘identity_domain_id’, ‘assignment_domain_id’, ‘trust_id’, ‘trustor_id’, ‘trustee_id’, ‘consumer_id’, ‘access_token_id’
remove_event(event)
Update the tree based on the removal of a Revocation Event.
Removes empty nodes from the tree from the leaf back to the root.
If multiple events trace the same path but have different ‘issued_before’ values, only the last is ever stored in the tree. So only an exact match on ‘issued_before’ ever triggers a removal.
Param: Event to remove from the tree
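A reduced, self-contained model of the index described above, added here as an illustration; it is not keystoneclient's code. The three-field level order, the alternative keys for user_id, the integer timestamps, and the names MiniRevokeTree, make_token and sample_tree are assumptions made for the example.

```python
# Added illustration: a reduced model of the index, not keystoneclient's code.
FIELDS = ("trust_id", "user_id", "project_id")  # assumed level order (subset)
# Assumption: an event's user_id may match any of these token attributes.
ALTERNATIVES = {"user_id": ("user_id", "trustor_id", "trustee_id")}

class MiniRevokeTree:
    def __init__(self):
        self.root = {}

    def add_event(self, event):
        """Create one node per field; a field the event omits is a wildcard."""
        node = self.root
        for name in FIELDS:
            value = event.get(name)
            node = node.setdefault("%s=%s" % (name, "*" if value is None else value), {})
        # Identical events share a leaf, which keeps the latest issued_before.
        node["issued_before"] = max(event["issued_before"], node.get("issued_before", 0))
        return event

    def is_revoked(self, token):
        """Follow wildcard and exact matches level by level."""
        matches = [self.root]
        for name in FIELDS:
            keys = {"%s=*" % name}
            keys.update("%s=%s" % (name, token[alt])
                        for alt in ALTERNATIVES.get(name, (name,)))
            matches = [node[k] for node in matches for k in keys if k in node]
            if not matches:
                return False  # no branch matches this level: exit early
        return any(leaf["issued_before"] > token["issued_at"] for leaf in matches)

def make_token(issued_at, **fields):
    """Flattened token map (constructed sample data, integer timestamps)."""
    token = dict.fromkeys(("trust_id", "user_id", "trustor_id", "trustee_id", "project_id"))
    token.update(fields, issued_at=issued_at)
    return token

def sample_tree():
    """Constructed events: two for user u1, one project-wide event for p9."""
    tree = MiniRevokeTree()
    for event in ({"user_id": "u1", "issued_before": 100},
                  {"user_id": "u1", "issued_before": 200},
                  {"project_id": "p9", "issued_before": 150}):
        tree.add_event(event)
    return tree

if __name__ == "__main__":
    tree = sample_tree()
    print(tree.is_revoked(make_token(150, user_id="u1", project_id="p1")))  # leaf holds 200
    print(tree.is_revoked(make_token(50, user_id="u2", trustee_id="u1")))   # alternative key
    print(tree.is_revoked(make_token(50, user_id="u2", project_id="p1")))   # no branch
```

A token is treated as revoked only when it reaches a leaf whose issued_before is later than the token's issued_at, so a token issued after the last matching event passes the check.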
keystoneclient.contrib.revoke.model.attr_keys(event)
keystoneclient.contrib.revoke.model.blank_token_data(issued_at)
keystoneclient.contrib.revoke.model.build_token_values(token_data)
keystoneclient.contrib.revoke.model.build_token_values_v2(access, default_domain_id)