Fix "allow expired" feature for JWT

GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens
returning the expired token data, whereas it returns exception
TokenNotFound for JWT. This patch fixes the same.

Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6
Closes-Bug: #1886017
This commit is contained in:
Vishakha Agarwal 2020-07-07 20:22:07 +05:30
parent 3eb8cafb8d
commit 2707498474
3 changed files with 27 additions and 3 deletions

View File

@ -2628,6 +2628,23 @@ class TokenAPITests(object):
with app.test_client() as c:
c.get('/v3/users', headers=headers)
def test_fetch_expired_allow_expired_in_expired_window(self):
self.config_fixture.config(group='token',
expiration=10,
allow_expired_window=20)
time = datetime.datetime.utcnow()
with freezegun.freeze_time(time):
token = self._get_project_scoped_token()
tick = datetime.timedelta(seconds=15)
with freezegun.freeze_time(time + tick):
# after passing expiry time validation fails
self._validate_token(token, expected_status=http.client.NOT_FOUND)
# but if we pass allow_expired it validates
r = self._validate_token(token, allow_expired=True)
self.assertValidProjectScopedTokenResponse(r)
class TokenDataTests(object):
"""Test the data in specific token types."""

View File

@ -175,13 +175,15 @@ class JWSFormatter(object):
)
def _decode_token_from_id(self, token_id):
options = dict()
options['verify_exp'] = False
for public_key in self.public_keys:
try:
return jwt.decode(
token_id, public_key, algorithms=JWSFormatter.algorithm
token_id, public_key, algorithms=JWSFormatter.algorithm,
options=options
)
except (jwt.InvalidSignatureError, jwt.DecodeError,
jwt.ExpiredSignatureError):
except (jwt.InvalidSignatureError, jwt.DecodeError):
pass # nosec: We want to exhaustively try all public keys
raise exception.TokenNotFound(token_id=token_id)

View File

@ -0,0 +1,5 @@
---
fixes:
- |
[`bug 1886017 <https://bugs.launchpad.net/keystone/+bug/1886017>`_]
JWT validation now supports `allow_expired` query parameters.