TokenData

pydantic model gafaelfawr.models.token.TokenData

Data about a token stored in Redis.

This holds all the token information stored in Redis, and thus all the token information required to support authentication decisions and (currently) user information queries. It should not be used directly as a response model; for that, see TokenInfo and TokenUserInfo.

Parameters:

data (Any)

Show JSON schema
{
   "title": "TokenData",
   "description": "Data about a token stored in Redis.\n\nThis holds all the token information stored in Redis, and thus all the\ntoken information required to support authentication decisions and\n(currently) user information queries.  It should not be used directly as a\nresponse model; for that, see `TokenInfo` and `TokenUserInfo`.",
   "type": "object",
   "properties": {
      "username": {
         "description": "User to whom the token was issued",
         "examples": [
            "someuser"
         ],
         "maxLength": 64,
         "minLength": 1,
         "title": "Username",
         "type": "string"
      },
      "name": {
         "anyOf": [
            {
               "minLength": 1,
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "examples": [
            "Alice Example"
         ],
         "title": "Preferred full name"
      },
      "email": {
         "anyOf": [
            {
               "minLength": 1,
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "examples": [
            "alice@example.com"
         ],
         "title": "Email address"
      },
      "uid": {
         "anyOf": [
            {
               "minimum": 1,
               "type": "integer"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "examples": [
            4123
         ],
         "title": "UID number"
      },
      "gid": {
         "anyOf": [
            {
               "minimum": 1,
               "type": "integer"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "GID of primary group. If set, this will also be the GID of one of the groups of which the user is a member.",
         "examples": [
            4123
         ],
         "title": "Primary GID"
      },
      "groups": {
         "anyOf": [
            {
               "items": {
                  "$ref": "#/$defs/Group"
               },
               "type": "array"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Groups of which the user is a member",
         "title": "Groups"
      },
      "token_type": {
         "$ref": "#/$defs/TokenType",
         "examples": [
            "session"
         ],
         "title": "Token type"
      },
      "service": {
         "anyOf": [
            {
               "maxLength": 64,
               "minLength": 1,
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Service to which the token was delegated. Only present for internal tokens.",
         "examples": [
            "some-service"
         ],
         "title": "Service"
      },
      "scopes": {
         "$ref": "#/$defs/Scopes",
         "description": "Scopes of the token",
         "examples": [
            [
               "read:all",
               "user:token"
            ]
         ],
         "title": "Token scopes"
      },
      "created": {
         "$ref": "#/$defs/Timestamp",
         "description": "Creation timestamp of the token in seconds since epoch",
         "examples": [
            1614986130
         ],
         "title": "Creation time"
      },
      "expires": {
         "anyOf": [
            {
               "$ref": "#/$defs/Timestamp"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Expiration timestamp of the token in seconds since epoch",
         "examples": [
            1616986130
         ],
         "title": "Expiration time"
      },
      "token": {
         "$ref": "#/$defs/Token",
         "title": "Associated token"
      }
   },
   "$defs": {
      "Group": {
         "description": "Information about a single group.",
         "properties": {
            "name": {
               "examples": [
                  "g_special_users"
               ],
               "minLength": 1,
               "pattern": "^[a-zA-Z][a-zA-Z0-9._-]*$",
               "title": "Name of the group",
               "type": "string"
            },
            "id": {
               "examples": [
                  123181
               ],
               "title": "Numeric GID of the group",
               "type": "integer"
            }
         },
         "required": [
            "name",
            "id"
         ],
         "title": "Group",
         "type": "object"
      },
      "Scopes": {},
      "Timestamp": {
         "format": "date-time",
         "type": "string"
      },
      "Token": {
         "description": "An opaque token.\n\nNotes\n-----\nA token consists of two parts, a semi-public key that is used as the Redis\nkey, and a secret that is only present in the token returned to the user\nand the encrypted session in Redis.\n\nThe serialized form of a token always starts with ``gt-``, short for\nGafaelfawr token, to make it easier to identify these tokens in logs.\n\nThe serialized form encodes the secret in URL-safe base64 with the padding\nstripped off (because equal signs can be parsed oddly in cookies).",
         "properties": {
            "key": {
               "title": "Key",
               "type": "string"
            },
            "secret": {
               "title": "Secret",
               "type": "string"
            }
         },
         "title": "Token",
         "type": "object"
      },
      "TokenType": {
         "description": "The class of token.",
         "enum": [
            "session",
            "user",
            "notebook",
            "internal",
            "service",
            "oidc"
         ],
         "title": "TokenType",
         "type": "string"
      }
   },
   "required": [
      "username",
      "token_type",
      "scopes",
      "token"
   ]
}

Fields:
field created: Timestamp [Optional]

Creation timestamp of the token in seconds since epoch

field email: str | None = None
Constraints:
  • min_length = 1

field expires: Timestamp | None = None

Expiration timestamp of the token in seconds since epoch

field gid: int | None = None

GID of primary group. If set, this will also be the GID of one of the groups of which the user is a member.

Constraints:
  • ge = 1

field groups: list[Group] | None = None

Groups of which the user is a member

field name: str | None = None
Constraints:
  • min_length = 1

field scopes: Scopes [Required]

Scopes of the token

field service: str | None = None

Service to which the token was delegated. Only present for internal tokens.

Constraints:
  • min_length = 1

  • max_length = 64

field token: Token [Required]
field token_type: TokenType [Required]
field uid: int | None = None
Constraints:
  • ge = 1

field username: str [Required]

User to whom the token was issued

Constraints:
  • min_length = 1

  • max_length = 64

classmethod bootstrap_token()

Build authentication data for the bootstrap token.

This token doesn’t exist in the backing store, so instead synthesize a TokenData object for it.

Returns:

Artificial data for the bootstrap token.

Return type:

TokenData

classmethod internal_token()

Build authentication data for the internal token.

Similar to the bootstrap token, this does not exist in the backing store. It is used by background jobs internal to Gafaelfawr.

Returns:

Artificial data for the bootstrap token.

Return type:

TokenData

to_userinfo_dict()

Convert to a dictionary for logging purposes.

This method converts only the TokenUserInfo portion of a token to a dictionary for logging purposes, excluding the username field (which is logged separately). It’s used when logging creation of new tokens to make a record of the user identity information included in the token (as opposed to retrieved dynamically from other sources such as LDAP or Firestore).

Returns:

Dictionary of information, roughly equivalent to calling dict(exclude_none=True) on the TokenUserInfo object, but ensuring that only its data is included even if called on a subclass such as TokenData.

Return type:

dict