Don't validate token expiry in the persistence backend
There's no reason to validate expiry in the persistence backend. Tokens need to be validated in both persistent and non-persistent cases so return the data up to the provider and validate the expiry in just one spot. Implements bp: allow-expired Change-Id: I6dc0a6e922289b95f3eba5ab0595d22eddfc3c0f
parent
29fbffaf37
commit
cb43ea8700
|
@ -23,7 +23,6 @@ from six.moves import range
|
|||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
from keystone.token import provider
|
||||
|
||||
|
||||
|
@ -234,21 +233,6 @@ class TokenTests(object):
|
|||
self.token_provider_api._persistence.delete_token,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_expired_token(self):
|
||||
token_id = uuid.uuid4().hex
|
||||
expire_time = timeutils.utcnow() - datetime.timedelta(minutes=1)
|
||||
data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
|
||||
'expires': expire_time,
|
||||
'trust_id': None,
|
||||
'user': {'id': 'testuserid'}}
|
||||
data_ref = self.token_provider_api._persistence.create_token(token_id,
|
||||
data)
|
||||
data_ref.pop('user_id')
|
||||
self.assertDictEqual(data, data_ref)
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api._persistence.get_token,
|
||||
token_id)
|
||||
|
||||
def test_null_expires_token(self):
|
||||
token_id = uuid.uuid4().hex
|
||||
data = {'id': token_id, 'id_hash': token_id, 'a': 'b', 'expires': None,
|
||||
|
@ -432,32 +416,6 @@ class TokenTests(object):
|
|||
token_id, data = self.create_token_sample_data(user_id=user_id)
|
||||
self.token_provider_api._persistence.get_token(token_id)
|
||||
|
||||
def test_token_expire_timezone(self):
|
||||
|
||||
@test_utils.timezone
|
||||
def _create_token(expire_time):
|
||||
token_id = uuid.uuid4().hex
|
||||
user_id = six.text_type(uuid.uuid4().hex)
|
||||
return self.create_token_sample_data(token_id=token_id,
|
||||
user_id=user_id,
|
||||
expires=expire_time)
|
||||
|
||||
for d in ['+0', '-11', '-8', '-5', '+5', '+8', '+14']:
|
||||
test_utils.TZ = 'UTC' + d
|
||||
expire_time = timeutils.utcnow() + datetime.timedelta(minutes=1)
|
||||
token_id, data_in = _create_token(expire_time)
|
||||
data_get = self.token_provider_api._persistence.get_token(token_id)
|
||||
|
||||
self.assertEqual(data_in['id'], data_get['id'],
|
||||
'TZ=%s' % test_utils.TZ)
|
||||
|
||||
expire_time_expired = (
|
||||
timeutils.utcnow() + datetime.timedelta(minutes=-1))
|
||||
token_id, data_in = _create_token(expire_time_expired)
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api._persistence.get_token,
|
||||
data_in['id'])
|
||||
|
||||
|
||||
class TokenCacheInvalidation(object):
|
||||
def _create_test_data(self):
|
||||
|
|
|
@ -18,7 +18,6 @@ import abc
|
|||
import copy
|
||||
|
||||
from oslo_log import log
|
||||
from oslo_utils import timeutils
|
||||
import six
|
||||
|
||||
from keystone.common import cache
|
||||
|
@ -52,22 +51,8 @@ class PersistenceManager(manager.Manager):
|
|||
def __init__(self):
|
||||
super(PersistenceManager, self).__init__(CONF.token.driver)
|
||||
|
||||
def _assert_valid(self, token_id, token_ref):
|
||||
"""Raise TokenNotFound if the token is expired."""
|
||||
current_time = timeutils.normalize_time(timeutils.utcnow())
|
||||
expires = token_ref.get('expires')
|
||||
if not expires or current_time > timeutils.normalize_time(expires):
|
||||
raise exception.TokenNotFound(token_id=token_id)
|
||||
|
||||
def get_token(self, token_id):
|
||||
unique_id = utils.generate_unique_id(token_id)
|
||||
token_ref = self._get_token(unique_id)
|
||||
# NOTE(morganfainberg): Lift expired checking to the manager, there is
|
||||
# no reason to make the drivers implement this check. With caching,
|
||||
# self._get_token could return an expired token. Make sure we behave
|
||||
# as expected and raise TokenNotFound on those instances.
|
||||
self._assert_valid(token_id, token_ref)
|
||||
return token_ref
|
||||
return self._get_token(utils.generate_unique_id(token_id))
|
||||
|
||||
@MEMOIZE
|
||||
def _get_token(self, token_id):
|
||||
|
|
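Review bot: With `_assert_valid` gone, `PersistenceManager.get_token` returns whatever `_get_token` yields, so every caller now has to enforce expiry itself, and the provider-side check that replaces it is not visible on this page. The removed check failed closed in two ways that the replacement should keep: it raised `TokenNotFound` when `expires` was missing or falsy (`if not expires or ...`), and it compared times only after `timeutils.normalize_time`. The deleted NOTE was the only place recording that the `@MEMOIZE`d `_get_token` can hand back an already-expired token, so I would leave a short comment on `get_token`, for example `# Expiry is NOT checked here (cached refs may be expired); callers must validate 'expires'.` It is also worth confirming that no other caller of `_persistence.get_token` relied on the manager raising for expired tokens. The test section drops `test_expired_token` and `test_token_expire_timezone`, so equivalent expired-token and timezone cases should exist at the provider level.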