keystone.models package

Submodules

keystone.models.receipt_model module

Unified in-memory receipt model.

class keystone.models.receipt_model.ReceiptModel

Bases: object

An object that represents a receipt emitted by keystone.

This is a queryable object that other parts of keystone can use to reason about a user’s receipt.

property expires_at
property issued_at
mint(receipt_id, issued_at)

Set the id and issued_at attributes of a receipt.

The process of building a Receipt requires setting attributes about the partial authentication context, such as user_id and methods. Once a Receipt object accurately represents this information it should be “minted”. Receipts are minted when they get an id attribute and their creation time is recorded.

property required_methods
property user
property user_domain

keystone.models.revoke_model module

class keystone.models.revoke_model.RevokeEvent(**kwargs)

Bases: object

to_dict()
keystone.models.revoke_model.blank_token_data(issued_at)
keystone.models.revoke_model.build_token_values(token)
keystone.models.revoke_model.is_revoked(events, token_data)

Check if a token matches a revocation event.

Compare a token against every revocation event. If the token matches an event in the events list, the token is revoked. If the token is compared against every item in the list without a match, it is not considered revoked by the revoke_api.

Parameters
  • events – a list of RevokeEvent instances

  • token_data – map based on a flattened view of the token. The required fields are expires_at, user_id, project_id, identity_domain_id, assignment_domain_id, trust_id, trustor_id, trustee_id, consumer_id and access_token_id

Returns

True if the token matches an existing revocation event, meaning the token is revoked. False is returned if the token does not match any revocation events, meaning the token is considered valid by the revocation API.

keystone.models.revoke_model.matches(event, token_values)

See if the token matches the revocation event.

A brute force approach to checking. Compare each attribute from the event with the corresponding value from the token. If the event does not have a value for the attribute, a match is still possible. If the event has a value for the attribute, and it does not match the token, no match is possible, so skip the remaining checks.

Parameters
  • event – a RevokeEvent instance

  • token_values – dictionary with set of values taken from the token

Returns

True if the token matches the revocation event, indicating the token has been revoked
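
The rule described for is_revoked and matches above, as a simplified Python sketch. This is an added example, not keystone's implementation: the function names (sketch_matches, sketch_is_revoked, event_specificity), the dict-based events and the sample tokens are constructed for illustration, and only the attribute names come from the token_data field list on this page.

```python
# Simplified sketch of the matching rule described above; NOT keystone's code.
# Field names come from the token_data list on this page; the function names
# and sample values are assumptions made for illustration.

FIELDS = (
    "expires_at", "user_id", "project_id", "identity_domain_id",
    "assignment_domain_id", "trust_id", "trustor_id", "trustee_id",
    "consumer_id", "access_token_id",
)


def sketch_matches(event, token_values):
    """Return True if every attribute the event sets equals the token's value."""
    for field in FIELDS:
        wanted = event.get(field)
        if wanted is None:
            continue  # event is silent on this attribute: match still possible
        if token_values.get(field) != wanted:
            return False  # one mismatch rules the event out; skip the rest
    return True


def sketch_is_revoked(events, token_values):
    """A token is revoked if it matches any event in the list."""
    return any(sketch_matches(event, token_values) for event in events)


def event_specificity(event):
    """Count the attributes an event constrains; 0 means it matches any token."""
    return sum(1 for field in FIELDS if event.get(field) is not None)


# Constructed sample data (flattened token views and revocation events).
TOKEN_A = {"user_id": "u1", "project_id": "p1", "trust_id": None}
TOKEN_B = {"user_id": "u1", "project_id": "p2", "trust_id": None}
TOKEN_C = {"user_id": "u2", "project_id": "p1", "trust_id": None}

NARROW = [{"user_id": "u1", "project_id": "p1"}]  # one user on one project
BROAD = [{"user_id": "u1"}]                       # every token of user u1

if __name__ == "__main__":
    for name, token in (("A", TOKEN_A), ("B", TOKEN_B), ("C", TOKEN_C)):
        print(name, sketch_is_revoked(NARROW, token), sketch_is_revoked(BROAD, token))
```

In this sketch an event that sets fewer attributes matches more tokens, and an event that sets none matches every token, so the specificity of each event is worth checking when reviewing a revocation list.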

keystone.models.token_model module

Unified in-memory token model.

class keystone.models.token_model.TokenModel

Bases: object

An object that represents a token emitted by keystone.

This is a queryable object that other parts of keystone can use to reason about a user’s authentication or authorization.

property access_token
property application_credential
property audit_ids
property domain
property domain_scoped
property expires_at
property issued_at
mint(token_id, issued_at)

Set the id and issued_at attributes of a token.

The process of building a token requires setting attributes about the authentication and authorization context, such as user_id and project_id. Once a Token object accurately represents this information it should be “minted”. Tokens are minted when they get an id attribute and their creation time is recorded.

property oauth_scoped
property project
property project_domain
property project_scoped
property roles
property system_scoped
property trust
property trust_project
property trust_project_domain
property trust_scoped
property trustee
property trustor
property unscoped
property user
property user_domain

Module contents