Bases: object
Interface for recording and reporting revocation events.
Return the revocation events as a list of objects.
Parameters: | last_fetch – Time of last fetch. Return all events newer. |
---|---|
Returns: | A list of keystone.contrib.revoke.model.RevokeEvent newer than last_fetch. If no last_fetch is specified, returns all events for tokens issued after the expiration cutoff. |
Bases: keystone.common.manager.Manager
Revoke API Manager.
Performs common logic for recording revocations.
Checks the values from a token against the revocation list.
Parameters: | token_values – dictionary of values from a token, normalized for differences between v2 and v3. The checked values are a subset of the attributes of model.TokenEvent |
---|---|
Raises exception.TokenNotFound: | if the token is invalid |
Bases: object
Fast Revocation Checking Tree Structure
The Tree is an index to quickly match tokens against events. Each node is a hashtable of key=value combinations from revocation events. The
Updates the tree based on a revocation event.
Creates any necessary internal nodes in the tree corresponding to the fields of the revocation event. The leaf node will always be set to the latest ‘issued_before’ for events that are otherwise identical.
Param : | Event to add to the tree |
---|---|
Returns: | the event that was passed in. |
Check if a token matches the revocation event
Compare the values for each level of the tree with the values from the token, accounting for attributes that have alternative keys, and for wildcard matches. If there is a match, continue down the tree. If there is no match, exit early.
token_data is a map based on a flattened view of token. The required fields are:
‘expires_at’, ‘user_id’, ‘project_id’, ‘identity_domain_id’, ‘assignment_domain_id’, ‘trust_id’, ‘trustor_id’, ‘trustee_id’, ‘consumer_id’, ‘access_token_id’
Update the tree based on the removal of a Revocation Event
Removes empty nodes from the tree from the leaf back to the root.
If multiple events trace the same path but have different ‘issued_before’ values, only the last is ever stored in the tree. So only an exact match on ‘issued_before’ ever triggers a removal.
Param : | Event to remove from the tree |
---|---|
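A reduced sketch of the add, match and remove behaviour described above, written for this page as an added example and not taken from Keystone's code. The class name `MiniRevokeTree`, the three-field level order, the `user_id` alternative-key mapping, and the token's `issued_at` field with its boundary comparison are all assumptions made for illustration.

```python
from datetime import datetime

# Assumed, reduced level order; the real tree indexes more attributes.
FIELDS = ("trust_id", "user_id", "project_id")
# Assumed alternative keys: an event's user_id is tried against these token fields.
ALTERNATIVES = {"user_id": ("user_id", "trustor_id", "trustee_id")}


class MiniRevokeTree:
    def __init__(self):
        self.root = {}

    @staticmethod
    def _path(event):  # a field the event leaves unset becomes a wildcard level
        return ["%s=%s" % (f, event.get(f) or "*") for f in FIELDS]

    def add_event(self, event):
        node = self.root
        for key in self._path(event):
            node = node.setdefault(key, {})
        # Otherwise-identical events collapse to the latest issued_before.
        prev = node.get("issued_before", datetime.min)
        node["issued_before"] = max(prev, event["issued_before"])
        return event

    def remove_event(self, event):
        trail, node = [], self.root
        for key in self._path(event):
            if key not in node:
                return
            trail.append((node, key))
            node = node[key]
        # Only an exact issued_before match removes the stored leaf value.
        if node.get("issued_before") == event["issued_before"]:
            del node["issued_before"]
        for parent, key in reversed(trail):  # prune empty nodes, leaf to root
            if parent[key]:
                break
            del parent[key]

    def is_revoked(self, token):
        nodes = [self.root]
        for field in FIELDS:
            alts = ALTERNATIVES.get(field, (field,))
            keys = {field + "=*"} | {"%s=%s" % (field, token.get(a)) for a in alts}
            nodes = [n[k] for n in nodes for k in keys if k in n]
            if not nodes:
                return False  # nothing matches at this level: exit early
        return any(token["issued_at"] <= n["issued_before"] for n in nodes)
```

Events and tokens are plain dictionaries here; an event that sets only `user_id` and `issued_before` therefore revokes every matching token for that user regardless of project or trust.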