Fix "allow expired" feature for JWT

GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens returning the expired token data, whereas it returns exception TokenNotFound for JWT. This patch fixes the same. Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6 Closes-Bug: #1886017
2020-07-07 20:22:07 +05:30 · 2020-07-07 20:22:07 +05:30 · 2707498474
commit 2707498474
parent 3eb8cafb8d
3 changed files with 27 additions and 3 deletions
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -2628,6 +2628,23 @@ class TokenAPITests(object):
        with app.test_client() as c:
            c.get('/v3/users', headers=headers)

+    def test_fetch_expired_allow_expired_in_expired_window(self):
+        self.config_fixture.config(group='token',
+                                   expiration=10,
+                                   allow_expired_window=20)
+        time = datetime.datetime.utcnow()
+        with freezegun.freeze_time(time):
+            token = self._get_project_scoped_token()
+
+        tick = datetime.timedelta(seconds=15)
+        with freezegun.freeze_time(time + tick):
+            # after passing expiry time validation fails
+            self._validate_token(token, expected_status=http.client.NOT_FOUND)
+
+            # but if we pass allow_expired it validates
+            r = self._validate_token(token, allow_expired=True)
+            self.assertValidProjectScopedTokenResponse(r)
+

 class TokenDataTests(object):
    """Test the data in specific token types."""
--- a/keystone/token/providers/jws/core.py
+++ b/keystone/token/providers/jws/core.py
@ -175,13 +175,15 @@ class JWSFormatter(object):
        )

    def _decode_token_from_id(self, token_id):
+        options = dict()
+        options['verify_exp'] = False
        for public_key in self.public_keys:
            try:
                return jwt.decode(
-                    token_id, public_key, algorithms=JWSFormatter.algorithm
+                    token_id, public_key, algorithms=JWSFormatter.algorithm,
+                    options=options
                )
-            except (jwt.InvalidSignatureError, jwt.DecodeError,
-                    jwt.ExpiredSignatureError):
+            except (jwt.InvalidSignatureError, jwt.DecodeError):
                pass    # nosec: We want to exhaustively try all public keys
        raise exception.TokenNotFound(token_id=token_id)

--- a/releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
+++ b/releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    [`bug 1886017 <https://bugs.launchpad.net/keystone/+bug/1886017>`_]
+    JWT validation now supports `allow_expired` query parameters.