From 194e00a630553d20fe73dc2cebff2d83924fae4f Mon Sep 17 00:00:00 2001
From: Lauren Taylor
Date: Tue, 5 May 2015 07:32:51 -0700
Subject: [PATCH] Add keystone v3 API to fetch revocation list

Currently in auth_token middleware, only the v2 keystoneclient API is used to fetch the revocation list. However, the v3 keystoneclient API should be implemented and used as well. There should be a check on the value of auth_version, and the corresponding API should be called.

Change-Id: I1c48da9afadfbdae2f69820e0b89bc02ec54000e
Closes-Bug: #1451445
---
 keystonemiddleware/auth_token/_identity.py | 13 ++++++++++---
 .../auth_token/test_auth_token_middleware.py | 16 +++++++---------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py
index 51c2b14..d2fc4a4 100644
--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -35,6 +35,9 @@ class _RequestStrategy(object):
     def fetch_cert_file(self, cert_type):
         pass
 
+    def fetch_revocation_list(self):
+        pass
+
 
 class _V2RequestStrategy(_RequestStrategy):
 
@@ -55,6 +58,9 @@ class _V2RequestStrategy(_RequestStrategy):
         elif cert_type == 'signing':
             return self._client.certificates.get_signing_certificate()
 
+    def fetch_revocation_list(self):
+        return self._client.tokens.get_revoked()
+
 
 class _V3RequestStrategy(_RequestStrategy):
 
@@ -77,6 +83,9 @@ class _V3RequestStrategy(_RequestStrategy):
         elif cert_type == 'signing':
             return self._client.simple_cert.get_certificates()
 
+    def fetch_revocation_list(self):
+        return self._client.tokens.get_revoked()
+
 
 _REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
 
@@ -101,8 +110,6 @@ class IdentityServer(object):
         # Built on-demand with self._request_strategy.
         self._request_strategy_obj = None
 
-        self._v2_client = v2_client.Client(session=self._adapter)
-
     @property
     def auth_uri(self):
         auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)
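Review bot: The new base-class stub `fetch_revocation_list` returns None silently, so a strategy that forgets to override it hands None to `IdentityServer.fetch_revocation_list`, where the `except exceptions.HTTPError` guard does not catch it. This mirrors the existing `fetch_cert_file` stub, so keeping `pass` is consistent with the file, but the contract is not written down anywhere for the v2 and v3 overrides in the next two hunks. A one-line docstring on the base method, `"""Return the token revocation list as served by this API version."""`, would state what both overrides must honor.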
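Review bot: Dropping `self._v2_client` in `IdentityServer.__init__` leaves `v2_client` referenced nowhere in the hunks of this file; if the module imported it only for this attribute (the import block is outside the hunk), the import is now unused and should be removed in the same change so the linter stays clean. `__init__` continues before and after this hunk.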
@@ -189,7 +196,7 @@ class IdentityServer(object):
 
     def fetch_revocation_list(self):
         try:
-            data = self._v2_client.tokens.get_revoked()
+            data = self._request_strategy.fetch_revocation_list()
         except exceptions.HTTPError as e:
             msg = _('Failed to fetch token revocation list: %d')
             raise exc.RevocationListError(msg % e.http_status)
diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
index a859986..8e4d5d8 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -974,8 +974,7 @@ class CommonAuthTokenMiddlewareTest(object):
                          in_memory_list)
 
     def test_invalid_revocation_list_raises_error(self):
-        self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI, json={})
-
+        self.requests_mock.get(self.revocation_url, json={})
         self.assertRaises(exc.RevocationListError,
                           self.middleware._revocations._fetch)
 
@@ -1559,7 +1558,8 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
                                 text=FAKE_ADMIN_TOKEN)
 
-        self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI,
+        self.revocation_url = '%s/v2.0/tokens/revoked' % BASE_URI
+        self.requests_mock.get(self.revocation_url,
                                text=self.examples.SIGNED_REVOCATION_LIST)
 
         for token in (self.examples.UUID_TOKEN_DEFAULT,
@@ -1768,8 +1768,8 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
                                 text=FAKE_ADMIN_TOKEN)
 
-        # TODO(jamielennox): there is no v3 revocation url yet, it uses v2
-        self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI,
+        self.revocation_url = '%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI
+        self.requests_mock.get(self.revocation_url,
                                text=self.examples.SIGNED_REVOCATION_LIST)
 
         self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
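Review bot: The `try` body now also covers whatever the `_request_strategy` property does to build the strategy on first use (the property itself is outside the hunk), so an `exceptions.HTTPError` raised while resolving the API version would be reported by this method as `'Failed to fetch token revocation list: %d'` with that request's status, not the revocation endpoint's; if that construction can fail with an HTTPError, binding `strategy = self._request_strategy` before the `try` keeps the message accurate. Independently, the method has no docstring; one stating that it fetches the list through the version-appropriate client and raises `RevocationListError` on an HTTP failure would help the caller in `_revocations`. `fetch_revocation_list` continues past the end of the hunk.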
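Review bot: `test_invalid_revocation_list_raises_error` in the `CommonAuthTokenMiddlewareTest` mixin now reads `self.revocation_url`, which only the v2 and v3 `setUp` hunks (`@@ -1559` and `@@ -1768`) assign; the `v3CompositeAuthTests` hunk (`@@ -2494`) registers the v3 URL as a literal and never sets the attribute. If that class also mixes in `CommonAuthTokenMiddlewareTest` (its base list is cut off in the hunk), this test fails there with `AttributeError` rather than exercising the error path. Making the composite setUp match the other two, `self.revocation_url = '%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI` followed by `self.requests_mock.get(self.revocation_url,`, removes the inconsistency either way.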
@@ -1862,8 +1862,7 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
             self.token_dict['signed_token_scoped_pkiz'])
 
     def test_fallback_to_online_validation_with_revocation_list_error(self):
-        self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI,
-                               status_code=404)
+        self.requests_mock.get(self.revocation_url, status_code=404)
         self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
         self.assert_valid_request_200(
             self.token_dict['signed_token_scoped_pkiz'])
@@ -2494,8 +2493,7 @@ class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
                                 text=FAKE_ADMIN_TOKEN)
 
-        # TODO(jamielennox): there is no v3 revocation url yet, it uses v2
-        self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI,
+        self.requests_mock.get('%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI,
                                text=self.examples.SIGNED_REVOCATION_LIST)
 
         self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,