Last active
September 21, 2018 03:33
-
-
Save dolph/ef4aa9b1e164fc6c97b7 to your computer and use it in GitHub Desktop.
Peeking inside OpenStack keystone Fernet token payloads: http://dolphm.com/inside-openstack-keystone-fernet-token-payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl localhost:35357/v3/auth/tokens \ | |
| -H "X-Subject-Token: {{ fernet_token }}" \ | |
| -H "X-Auth-Token: {{ keystone.conf [default] admin_token }}" \ | |
| | python -m json.tool |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "token": { | |
| "audit_ids": [ | |
| "6UGTaLhpQGCbjgvmWEmFQQ" | |
| ], | |
| "catalog": [ | |
| { | |
| "endpoints": [ | |
| { | |
| "id": "2a33a94c07204efbb557c87eac2153f0", | |
| "interface": "admin", | |
| "region": "RegionOne", | |
| "region_id": "RegionOne", | |
| "url": "http://172.29.236.100:35357/v3" | |
| }, | |
| { | |
| "id": "51fe3bbf5b0d493ba909c17df69a1ef5", | |
| "interface": "internal", | |
| "region": "RegionOne", | |
| "region_id": "RegionOne", | |
| "url": "http://172.29.236.100:5000/v2.0" | |
| }, | |
| { | |
| "id": "92adfc46b0e94083b1455508c10d3e3a", | |
| "interface": "public", | |
| "region": "RegionOne", | |
| "region_id": "RegionOne", | |
| "url": "http://104.239.232.65:5000/v2.0" | |
| } | |
| ], | |
| "id": "2b8a5f3844b444be90c7e14db4779eca", | |
| "name": "keystone", | |
| "type": "identity" | |
| } | |
| ], | |
| "expires_at": "2015-09-17T11:04:19.843989Z", | |
| "extras": {}, | |
| "issued_at": "2015-09-16T23:04:20.000000Z", | |
| "methods": [ | |
| "password" | |
| ], | |
| "project": { | |
| "domain": { | |
| "id": "default", | |
| "name": "Default" | |
| }, | |
| "id": "1bbe74f5b22243048a75459be8544d62", | |
| "name": "admin" | |
| }, | |
| "roles": [ | |
| { | |
| "id": "08c8a9303a844ed59fa868db5d27b88d", | |
| "name": "admin" | |
| }, | |
| { | |
| "id": "981c580495d24799aa197e842b529d18", | |
| "name": "heat_stack_owner" | |
| } | |
| ], | |
| "service_providers": [ | |
| { | |
| "auth_url": "http://104.239.231.30:5000/v3/OS-FEDERATION/identity_providers/my_idp/protocols/saml2/auth", | |
| "id": "my_sp", | |
| "sp_url": "http://104.239.231.30:5000/Shibboleth.sso/SAML2/ECP" | |
| } | |
| ], | |
| "user": { | |
| "domain": { | |
| "id": "default", | |
| "name": "Default" | |
| }, | |
| "id": "9a75d040210e47d7b2a9ca0315defa2d", | |
| "name": "admin" | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This snippet illustrates calling into internal APIs of stable/kilo. | |
| # Absolutely nothing here can be expected to work in future releases! | |
| # You'll have to give Keystone a chance to read it's configuration. | |
| from keystone.server import common | |
| common.configure() | |
| # Then, you can instantiate a Fernet token formatter directly. | |
| from keystone.token.providers.fernet import token_formatters | |
| formatter = token_formatters.TokenFormatter() | |
| # This lets the Fernet token formatter return all the context it can from a | |
| # plaintext token. | |
| validated_dict = formatter.validate_token(fernet_token) | |
| # For the sake of readability, let's pretty-print that dictionary. | |
| import json | |
| print(json.dumps(validated_dict, indent=4)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| "9a75d040210e47d7b2a9ca0315defa2d", | |
| [ | |
| "password" | |
| ], | |
| [ | |
| "6UGTaLhpQGCbjgvmWEmFQQ" | |
| ], | |
| null, | |
| "1bbe74f5b22243048a75459be8544d62", | |
| null, | |
| null, | |
| "2015-09-16T23:04:20.000000Z", | |
| "2015-09-17T11:04:19.843989Z" | |
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This snippet illustrates calling into internal APIs of stable/kilo. | |
| # Absolutely nothing here can be expected to work in future releases! | |
| # You'll have to give Keystone a chance to read it's configuration. | |
| from keystone.server import common | |
| common.configure() | |
| # Then, you can instantiate a Fernet token formatter directly. | |
| from keystone.token.providers.fernet import token_formatters | |
| formatter = token_formatters.TokenFormatter() | |
| # We can use the token formatter to decrypt and validate a plaintext token. | |
| payload = formatter.unpack(fernet_token) | |
| # But the payload itself is binary serialized using MessagePack. | |
| # tl;dr MessagePack == compressed JSON | |
| unpacked_iterable = msgpack.unpackb(payload) | |
| # Because the iterable contains further byte arrays, it's easiest just to print | |
| # it directly at this point. | |
| print(unpacked_iterable) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [2, '\x9au\xd0@!\x0eG\xd7\xb2\xa9\xca\x03\x15\xde\xfa-', 1, '\x1b\xbet\xf5\xb2"C\x04\x8auE\x9b\xe8TMb', 1442487859.843989, ['\xe9A\x93h\xb8i@`\x9b\x8e\x0b\xe6XI\x85A']] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment