remove deprecated revoke_by_expiration function
revoke_by_expiration is only useful if a token does not have an audit_id or audit_chain_id. Tokens always have an audit ID, so this function seems redundant. It was also deprecated in the J release, with no timeline for its removal. Change-Id: Ieb92a70ab782fa8ceb59dc807ea8647587be9e2b bp: removed-as-of-newton
parent
cbe0a1e07c
commit
3965fbef4d
@ -147,20 +147,6 @@ class Manager(manager.Manager):
|
||||
'current request is aborted.')
|
||||
raise exception.UnexpectedError(exception=msg)
|
||||
|
||||
@versionutils.deprecated(as_of=versionutils.deprecated.JUNO,
|
||||
remove_in=0)
|
||||
def revoke_by_expiration(self, user_id, expires_at,
|
||||
domain_id=None, project_id=None):
|
||||
|
||||
self._assert_not_domain_and_project_scoped(domain_id=domain_id,
|
||||
project_id=project_id)
|
||||
|
||||
self.revoke(
|
||||
revoke_model.RevokeEvent(user_id=user_id,
|
||||
expires_at=expires_at,
|
||||
domain_id=domain_id,
|
||||
project_id=project_id))
|
||||
|
||||
def revoke_by_audit_id(self, audit_id):
|
||||
self.revoke(revoke_model.RevokeEvent(audit_id=audit_id))
|
||||
|
||||
|
@ -36,7 +36,6 @@ from keystone.tests.unit import default_fixtures
|
||||
from keystone.tests.unit import ksfixtures
|
||||
from keystone.tests.unit.ksfixtures import database
|
||||
from keystone import token
|
||||
from keystone.token import provider
|
||||
from keystone import trust
|
||||
|
||||
|
||||
@ -605,72 +604,6 @@ class AuthWithToken(AuthTest):
|
||||
# audit_chain_id will also return None.
|
||||
return [None, None]
|
||||
|
||||
def test_revoke_with_no_audit_info(self):
|
||||
self.config_fixture.config(group='token', revoke_by_id=False)
|
||||
context = {}
|
||||
|
||||
with mock.patch.object(provider, 'audit_info', self._mock_audit_info):
|
||||
# get a token
|
||||
body_dict = _build_user_auth(username='FOO', password='foo2')
|
||||
unscoped_token = self.controller.authenticate(context, body_dict)
|
||||
token_id = unscoped_token['access']['token']['id']
|
||||
self.time_fixture.advance_time_seconds(1)
|
||||
|
||||
# get a second token
|
||||
body_dict = _build_user_auth(
|
||||
token=unscoped_token['access']['token'])
|
||||
unscoped_token_2 = self.controller.authenticate(context, body_dict)
|
||||
token_2_id = unscoped_token_2['access']['token']['id']
|
||||
self.time_fixture.advance_time_seconds(1)
|
||||
|
||||
self.token_provider_api.revoke_token(token_id, revoke_chain=True)
|
||||
self.time_fixture.advance_time_seconds(1)
|
||||
|
||||
revoke_events = self.revoke_api.list_events()
|
||||
self.assertThat(revoke_events, matchers.HasLength(1))
|
||||
revoke_event = revoke_events[0].to_dict()
|
||||
self.assertIn('expires_at', revoke_event)
|
||||
self.assertEqual(unscoped_token_2['access']['token']['expires'],
|
||||
revoke_event['expires_at'])
|
||||
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api.validate_v2_token,
|
||||
token_id=token_id)
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api.validate_v2_token,
|
||||
token_id=token_2_id)
|
||||
|
||||
# get a new token, with no audit info
|
||||
body_dict = _build_user_auth(username='FOO', password='foo2')
|
||||
unscoped_token = self.controller.authenticate(context, body_dict)
|
||||
token_id = unscoped_token['access']['token']['id']
|
||||
self.time_fixture.advance_time_seconds(1)
|
||||
# get a second token
|
||||
body_dict = _build_user_auth(
|
||||
token=unscoped_token['access']['token'])
|
||||
unscoped_token_2 = self.controller.authenticate(context, body_dict)
|
||||
token_2_id = unscoped_token_2['access']['token']['id']
|
||||
self.time_fixture.advance_time_seconds(1)
|
||||
|
||||
# Revoke by audit_id, no audit_info means both parent and child
|
||||
# token are revoked.
|
||||
self.token_provider_api.revoke_token(token_id)
|
||||
self.time_fixture.advance_time_seconds(1)
|
||||
|
||||
revoke_events = self.revoke_api.list_events()
|
||||
self.assertThat(revoke_events, matchers.HasLength(2))
|
||||
revoke_event = revoke_events[1].to_dict()
|
||||
self.assertIn('expires_at', revoke_event)
|
||||
self.assertEqual(unscoped_token_2['access']['token']['expires'],
|
||||
revoke_event['expires_at'])
|
||||
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api.validate_v2_token,
|
||||
token_id=token_id)
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api.validate_v2_token,
|
||||
token_id=token_2_id)
|
||||
|
||||
|
||||
class FernetAuthWithToken(AuthWithToken):
|
||||
def config_overrides(self):
|
||||
|
@ -17,7 +17,6 @@ import uuid
|
||||
import mock
|
||||
from oslo_utils import timeutils
|
||||
from six.moves import range
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import utils
|
||||
from keystone import exception
|
||||
@ -130,17 +129,8 @@ class RevokeTests(object):
|
||||
self.assertEqual(0,
|
||||
len(self.revoke_api.list_events(last_fetch=future)))
|
||||
|
||||
def test_past_expiry_are_removed(self):
|
||||
user_id = 1
|
||||
self.revoke_api.revoke_by_expiration(user_id, _future_time())
|
||||
self.assertEqual(1, len(self.revoke_api.list_events()))
|
||||
event = revoke_model.RevokeEvent()
|
||||
event.revoked_at = _past_time()
|
||||
self.revoke_api.revoke(event)
|
||||
self.assertEqual(1, len(self.revoke_api.list_events()))
|
||||
|
||||
@mock.patch.object(timeutils, 'utcnow')
|
||||
def test_expired_events_removed_validate_token_success(self, mock_utcnow):
|
||||
def test_expired_events_are_removed(self, mock_utcnow):
|
||||
def _sample_token_values():
|
||||
token = _sample_blank_token()
|
||||
token['expires_at'] = utils.isotime(_future_time(),
|
||||
@ -155,9 +145,9 @@ class RevokeTests(object):
|
||||
# future 'synchronize' call.
|
||||
token_values = _sample_token_values()
|
||||
|
||||
user_id = _new_id()
|
||||
self.revoke_api.revoke_by_user(user_id)
|
||||
token_values['user_id'] = user_id
|
||||
audit_chain_id = _new_id()
|
||||
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id)
|
||||
token_values['audit_chain_id'] = audit_chain_id
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.revoke_api.check_token,
|
||||
token_values)
|
||||
@ -165,20 +155,11 @@ class RevokeTests(object):
|
||||
# Move our clock forward by 2h, build a new token and validate it.
|
||||
# 'synchronize' should now be exercised and remove old expired events
|
||||
mock_utcnow.return_value = now_plus_2h
|
||||
self.revoke_api.revoke_by_expiration(_new_id(), now_plus_2h)
|
||||
# should no longer throw an exception
|
||||
self.revoke_api.check_token(token_values)
|
||||
|
||||
def test_revoke_by_expiration_project_and_domain_fails(self):
|
||||
user_id = _new_id()
|
||||
expires_at = utils.isotime(_future_time(), subsecond=True)
|
||||
domain_id = _new_id()
|
||||
project_id = _new_id()
|
||||
self.assertThat(
|
||||
lambda: self.revoke_api.revoke_by_expiration(
|
||||
user_id, expires_at, domain_id=domain_id,
|
||||
project_id=project_id),
|
||||
matchers.raises(exception.UnexpectedError))
|
||||
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id)
|
||||
# two hours later, it should still be not found
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.revoke_api.check_token,
|
||||
token_values)
|
||||
|
||||
|
||||
class SqlRevokeTests(test_backend_sql.SqlTests, RevokeTests):
|
||||
@ -335,26 +316,6 @@ class RevokeTreeTests(unit.TestCase):
|
||||
def test_revoke_by_user_matches_trustor(self):
|
||||
self._user_field_test('trustor_id')
|
||||
|
||||
def test_by_user_expiration(self):
|
||||
future_time = _future_time()
|
||||
|
||||
user_id = 1
|
||||
event = self._revoke_by_expiration(user_id, future_time)
|
||||
token_data_1 = _sample_blank_token()
|
||||
token_data_1['user_id'] = user_id
|
||||
token_data_1['expires_at'] = future_time.replace(microsecond=0)
|
||||
self._assertTokenRevoked(token_data_1)
|
||||
|
||||
token_data_2 = _sample_blank_token()
|
||||
token_data_2['user_id'] = user_id
|
||||
expire_delta = datetime.timedelta(seconds=2000)
|
||||
future_time = timeutils.utcnow() + expire_delta
|
||||
token_data_2['expires_at'] = future_time
|
||||
self._assertTokenNotRevoked(token_data_2)
|
||||
|
||||
self.remove_event(event)
|
||||
self._assertTokenNotRevoked(token_data_1)
|
||||
|
||||
def test_revoke_by_audit_id(self):
|
||||
audit_id = provider.audit_info(parent_audit_id=None)[0]
|
||||
token_data_1 = _sample_blank_token()
|
||||
@ -394,40 +355,6 @@ class RevokeTreeTests(unit.TestCase):
|
||||
self._assertTokenNotRevoked(token_data_1)
|
||||
self._assertTokenNotRevoked(token_data_2)
|
||||
|
||||
def test_by_user_project(self):
|
||||
# When a user has a project-scoped token and the project-scoped token
|
||||
# is revoked then the token is revoked.
|
||||
|
||||
user_id = _new_id()
|
||||
project_id = _new_id()
|
||||
|
||||
future_time = _future_time()
|
||||
|
||||
token_data = _sample_blank_token()
|
||||
token_data['user_id'] = user_id
|
||||
token_data['project_id'] = project_id
|
||||
token_data['expires_at'] = future_time.replace(microsecond=0)
|
||||
|
||||
self._revoke_by_expiration(user_id, future_time, project_id=project_id)
|
||||
self._assertTokenRevoked(token_data)
|
||||
|
||||
def test_by_user_domain(self):
|
||||
# When a user has a domain-scoped token and the domain-scoped token
|
||||
# is revoked then the token is revoked.
|
||||
|
||||
user_id = _new_id()
|
||||
domain_id = _new_id()
|
||||
|
||||
future_time = _future_time()
|
||||
|
||||
token_data = _sample_blank_token()
|
||||
token_data['user_id'] = user_id
|
||||
token_data['assignment_domain_id'] = domain_id
|
||||
token_data['expires_at'] = future_time.replace(microsecond=0)
|
||||
|
||||
self._revoke_by_expiration(user_id, future_time, domain_id=domain_id)
|
||||
self._assertTokenRevoked(token_data)
|
||||
|
||||
def remove_event(self, event):
|
||||
self.events.remove(event)
|
||||
self.tree.remove_event(event)
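Review bot: The renamed `test_expired_events_are_removed` in `RevokeTests` no longer has an assertion that can fail if pruning breaks. After the clock moves to `now_plus_2h` it revokes the same `audit_chain_id` again and then expects `TokenNotFound`, which the fresh event alone guarantees whether or not the first event was removed. The retained comments ("build a new token and validate it", "'synchronize' should now be exercised and remove old expired events") describe the old flow and are now stale. Asserting on the stored events directly would tie the test to its name, for example `self.assertEqual(1, len(self.revoke_api.list_events()))` after the second revoke, provided the first event has aged out by then; that depends on setup outside the visible hunks, where the test body starts. The deleted `test_past_expiry_are_removed` was the only visible direct check of that pruning, and it could have been kept by replacing `revoke_by_expiration` with `revoke_by_audit_id`.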
|
||||
|
@ -21,7 +21,6 @@ from testtools import matchers
|
||||
from keystone.common import utils
|
||||
from keystone.models import revoke_model
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.token import provider
|
||||
|
||||
|
||||
def _future_time_string():
|
||||
@ -72,13 +71,11 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
|
||||
self.assertThat(links['self'], matchers.EndsWith(revoked_list_url))
|
||||
|
||||
def test_revoked_token_in_list(self):
|
||||
user_id = uuid.uuid4().hex
|
||||
expires_at = provider.default_expire_time()
|
||||
audit_id = uuid.uuid4().hex
|
||||
sample = self._blank_event()
|
||||
sample['user_id'] = six.text_type(user_id)
|
||||
sample['expires_at'] = six.text_type(utils.isotime(expires_at))
|
||||
sample['audit_id'] = six.text_type(audit_id)
|
||||
before_time = timeutils.utcnow()
|
||||
self.revoke_api.revoke_by_expiration(user_id, expires_at)
|
||||
self.revoke_api.revoke_by_audit_id(audit_id)
|
||||
resp = self.get('/OS-REVOKE/events')
|
||||
events = resp.json_body['events']
|
||||
self.assertEqual(1, len(events))
|
||||
|
@ -429,41 +429,19 @@ class Manager(manager.Manager):
|
||||
self._validate_v3_token.invalidate(self, token_id)
|
||||
|
||||
def revoke_token(self, token_id, revoke_chain=False):
|
||||
revoke_by_expires = False
|
||||
project_id = None
|
||||
domain_id = None
|
||||
|
||||
token_ref = token_model.KeystoneToken(
|
||||
token_id=token_id,
|
||||
token_data=self.validate_token(token_id))
|
||||
|
||||
user_id = token_ref.user_id
|
||||
expires_at = token_ref.expires
|
||||
audit_id = token_ref.audit_id
|
||||
audit_chain_id = token_ref.audit_chain_id
|
||||
if token_ref.project_scoped:
|
||||
project_id = token_ref.project_id
|
||||
if token_ref.domain_scoped:
|
||||
domain_id = token_ref.domain_id
|
||||
project_id = token_ref.project_id if token_ref.project_scoped else None
|
||||
domain_id = token_ref.domain_id if token_ref.domain_scoped else None
|
||||
|
||||
if audit_id is None and not revoke_chain:
|
||||
LOG.debug('Received token with no audit_id.')
|
||||
revoke_by_expires = True
|
||||
|
||||
if audit_chain_id is None and revoke_chain:
|
||||
LOG.debug('Received token with no audit_chain_id.')
|
||||
revoke_by_expires = True
|
||||
|
||||
if revoke_by_expires:
|
||||
self.revoke_api.revoke_by_expiration(user_id, expires_at,
|
||||
project_id=project_id,
|
||||
domain_id=domain_id)
|
||||
elif revoke_chain:
|
||||
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id,
|
||||
if revoke_chain:
|
||||
self.revoke_api.revoke_by_audit_chain_id(token_ref.audit_chain_id,
|
||||
project_id=project_id,
|
||||
domain_id=domain_id)
|
||||
else:
|
||||
self.revoke_api.revoke_by_audit_id(audit_id)
|
||||
self.revoke_api.revoke_by_audit_id(token_ref.audit_id)
|
||||
|
||||
if CONF.token.revoke_by_id and self._needs_persistence:
|
||||
self._persistence.delete_token(token_id=token_id)
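Review bot: The new `revoke_token` passes `token_ref.audit_id` and `token_ref.audit_chain_id` to the revoke API without checking that they are set, whereas the removed branches handled `None` by falling back to expiry-based revocation. The commit message says tokens always carry an audit ID, but if one ever arrives without it, `revoke_by_audit_id(None)` records `RevokeEvent(audit_id=None)`. How such an event is matched is not visible here, so the revocation could silently miss the token or match more than intended. Failing closed before the `if revoke_chain:` branch would surface that case, e.g. `if (token_ref.audit_chain_id if revoke_chain else token_ref.audit_id) is None:` followed by raising `exception.UnexpectedError`, assuming `exception` is imported in this module. The only test that exercised the no-audit-info path, `test_revoke_with_no_audit_info`, is deleted in this same commit, so that case is now uncovered.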
|
||||
|
@ -15,4 +15,8 @@ other:
|
||||
run keystone in an HTTP server.
|
||||
- >
|
||||
[`blueprint removed-as-of-newton <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-newton>`_]
|
||||
Removed support for generating SSL certificates.
|
||||
Removed support for generating SSL certificates.
|
||||
- >
|
||||
[`blueprint removed-as-of-newton <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-newton>`_]
|
||||
The ``revoke_by_expiration`` method in ``keystone.revoke.core`` has been
|
||||
removed. This was deprecated in the Juno release.
|
||||
|