Utilities for memcache encryption and integrity check.
Data should be serialized before entering these functions. Encryption has a dependency on the pycrypto. If pycrypto is not available, CryptoUnavailableError will be raised.
This module will not be called unless signing or encryption is enabled in the config. It will always validate signatures, and will decrypt data if encryption is enabled. It is not valid to mix protection modes.
Bases: exceptions.Exception
raise when Python Crypto module is not available.
Bases: exceptions.Exception
raise when unable to decrypt encrypted data.
Bases: exceptions.Exception
raise when unable to verify MACed data.
This usually indicates that data had been expectedly modified in memcache.
Ensure Crypto module is available.
Returns True if both string inputs are equal, otherwise False.
This function should take a constant amount of time regardless of how many characters in the strings match.
Decrypt the data with the given secret key.
Derives keys for MAC and ENCRYPTION from the user-provided secret. The resulting keys should be passed to the protect and unprotect functions.
As suggested by NIST Special Publication 800-108, this uses the first 128 bits from the sha384 KDF for the obscured cache key value, the second 128 bits for the message authentication key and the remaining 128 bits for the encryption key.
This approach is faster than computing a separate hmac as the KDF for each desired key.
Encrypt the data with the given secret key.
Padding is n bytes of the value n, where 1 <= n <= blocksize.
Given keys generated by derive_keys(), returns a base64 encoded value suitable for use as a cache key in memcached.
Given keys and serialized data, returns an appropriately protected string suitable for storage in the cache.
Sign the data using the defined function and the derived key.
Given keys and cached string data, verifies the signature, decrypts if necessary, and returns the original serialized data.
Thread-safe connection pool for python-memcached.
Bases: exceptions.Exception
Bases: Queue.Queue
Base connection pool class
This class implements the basic connection pool logic as an abstract base class.
TOKEN-BASED AUTH MIDDLEWARE
This WSGI component:
Refer to: http://docs.openstack.org/developer/python-keystoneclient/ middlewarearchitecture.html
When using composite authentication (a user and service token are present) additional service headers relating to the service user will be added. They take the same form as the standard headers but add ‘_SERVICE_’. These headers will not exist in the environment if no service token is present.
json encoded keystone service catalog (optional). For compatibility reasons this catalog will always be in the V2 catalog format even if it is a v3 token.
Bases: object
Auth Middleware that handles authenticating client calls.
Bases: exceptions.Exception
Bases: exceptions.Exception
Bases: exceptions.Exception
Bases: exceptions.Exception
Returns a WSGI filter app for use with paste.deploy.
Starting point for routing EC2 requests.
Bases: object
Authenticate an EC2 request with keystone and convert to token.
Returns a WSGI filter app for use with paste.deploy.
Return a list of oslo.config options available in auth_token middleware.
The returned list includes all oslo.config options which may be registered at runtime by the project.
Each element of the list is a tuple. The first element is the name of the group under which the list of elements in the second element will be registered. A group name of None corresponds to the [DEFAULT] group in config files.
This function is also discoverable via the entry point ‘keystonemiddleware.auth_token’ under the ‘oslo.config.opts’ namespace.
The purpose of this is to allow tools like the Oslo sample config file generator to discover the options exposed to users by this middleware.
Returns: | a list of (group_name, opts) tuples |
---|
S3 TOKEN MIDDLEWARE
This WSGI component:
Bases: object
Auth Middleware that handles S3 authenticating client calls.
Bases: exceptions.Exception
Returns a WSGI filter app for use with paste.deploy.