Merge "Fix fernet token validate for disabled domains/trusts"

2016-07-09 03:37:01 +00:00 · 2016-07-09 03:37:01 +00:00 · 216000fd31
parent 7faa001f10 d53db1889e
commit 216000fd31
2 changed files with 20 additions and 2 deletions
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -2482,6 +2482,10 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
    # FIXME(lbragstad): Remove this test from this class and inherit the
    # version in TokenAPITest once bug 1532280 is fixed.
    def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
+        # Remove this once revocation for domains is handled properly
+        self.config_fixture.config(
+            group='cache',
+            enabled=False)
        # create a new domain with new user in that domain
        new_domain_ref = unit.new_domain_ref()
        self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
@ -2525,8 +2529,9 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
            '/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
            body=disable_body)

-        # this should return Not Found once bug 1532280 is fixed!
-        self._validate_token(trust_scoped_token)
+        # ensure the project-scoped token from the trust is invalid
+        self._validate_token(trust_scoped_token,
+                             expected_status=http_client.NOT_FOUND)


 class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -352,6 +352,19 @@ class V3TokenDataHelper(object):
        if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
            trustor_user_ref = (self.identity_api.get_user(
                                trust['trustor_user_id']))
+            trustee_user_ref = (self.identity_api.get_user(
+                                trust['trustee_user_id']))
+            try:
+                self.resource_api.assert_domain_enabled(
+                    trustor_user_ref['domain_id'])
+            except AssertionError:
+                raise exception.TokenNotFound(_('Trustor domain is disabled.'))
+            try:
+                self.resource_api.assert_domain_enabled(
+                    trustee_user_ref['domain_id'])
+            except AssertionError:
+                raise exception.TokenNotFound(_('Trustee domain is disabled.'))
+
            try:
                self.identity_api.assert_user_enabled(trust['trustor_user_id'])
            except AssertionError: