remove deprecated revoke_by_expiration function

revoke_by_expiration is only useful if a token does not have an
audit_id or audit_chain_id. Tokens always have an audit ID, so
this function seems redundant. It was also deprecated in the
J release, with no timeline for its removal.

Change-Id: Ieb92a70ab782fa8ceb59dc807ea8647587be9e2b
bp: removed-as-of-newton
Steve Martinelli 2016-01-21 23:17:50 -05:00 committed by Steve Martinelli
parent cbe0a1e07c
commit 3965fbef4d
6 changed files with 22 additions and 197 deletions


@ -147,20 +147,6 @@ class Manager(manager.Manager):
'current request is aborted.')
raise exception.UnexpectedError(exception=msg)
@versionutils.deprecated(as_of=versionutils.deprecated.JUNO,
remove_in=0)
def revoke_by_expiration(self, user_id, expires_at,
domain_id=None, project_id=None):
self._assert_not_domain_and_project_scoped(domain_id=domain_id,
project_id=project_id)
self.revoke(
revoke_model.RevokeEvent(user_id=user_id,
expires_at=expires_at,
domain_id=domain_id,
project_id=project_id))
def revoke_by_audit_id(self, audit_id):
self.revoke(revoke_model.RevokeEvent(audit_id=audit_id))


@ -36,7 +36,6 @@ from keystone.tests.unit import default_fixtures
from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import database
from keystone import token
from keystone.token import provider
from keystone import trust
@ -605,72 +604,6 @@ class AuthWithToken(AuthTest):
# audit_chain_id will also return None.
return [None, None]
def test_revoke_with_no_audit_info(self):
self.config_fixture.config(group='token', revoke_by_id=False)
context = {}
with mock.patch.object(provider, 'audit_info', self._mock_audit_info):
# get a token
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
token_id = unscoped_token['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
# get a second token
body_dict = _build_user_auth(
token=unscoped_token['access']['token'])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
self.token_provider_api.revoke_token(token_id, revoke_chain=True)
self.time_fixture.advance_time_seconds(1)
revoke_events = self.revoke_api.list_events()
self.assertThat(revoke_events, matchers.HasLength(1))
revoke_event = revoke_events[0].to_dict()
self.assertIn('expires_at', revoke_event)
self.assertEqual(unscoped_token_2['access']['token']['expires'],
revoke_event['expires_at'])
self.assertRaises(exception.TokenNotFound,
self.token_provider_api.validate_v2_token,
token_id=token_id)
self.assertRaises(exception.TokenNotFound,
self.token_provider_api.validate_v2_token,
token_id=token_2_id)
# get a new token, with no audit info
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
token_id = unscoped_token['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
# get a second token
body_dict = _build_user_auth(
token=unscoped_token['access']['token'])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
# Revoke by audit_id, no audit_info means both parent and child
# token are revoked.
self.token_provider_api.revoke_token(token_id)
self.time_fixture.advance_time_seconds(1)
revoke_events = self.revoke_api.list_events()
self.assertThat(revoke_events, matchers.HasLength(2))
revoke_event = revoke_events[1].to_dict()
self.assertIn('expires_at', revoke_event)
self.assertEqual(unscoped_token_2['access']['token']['expires'],
revoke_event['expires_at'])
self.assertRaises(exception.TokenNotFound,
self.token_provider_api.validate_v2_token,
token_id=token_id)
self.assertRaises(exception.TokenNotFound,
self.token_provider_api.validate_v2_token,
token_id=token_2_id)
class FernetAuthWithToken(AuthWithToken):
def config_overrides(self):


@ -17,7 +17,6 @@ import uuid
import mock
from oslo_utils import timeutils
from six.moves import range
from testtools import matchers
from keystone.common import utils
from keystone import exception
@ -130,17 +129,8 @@ class RevokeTests(object):
self.assertEqual(0,
len(self.revoke_api.list_events(last_fetch=future)))
def test_past_expiry_are_removed(self):
user_id = 1
self.revoke_api.revoke_by_expiration(user_id, _future_time())
self.assertEqual(1, len(self.revoke_api.list_events()))
event = revoke_model.RevokeEvent()
event.revoked_at = _past_time()
self.revoke_api.revoke(event)
self.assertEqual(1, len(self.revoke_api.list_events()))
@mock.patch.object(timeutils, 'utcnow')
def test_expired_events_removed_validate_token_success(self, mock_utcnow):
def test_expired_events_are_removed(self, mock_utcnow):
def _sample_token_values():
token = _sample_blank_token()
token['expires_at'] = utils.isotime(_future_time(),
@ -155,9 +145,9 @@ class RevokeTests(object):
# future 'synchronize' call.
token_values = _sample_token_values()
user_id = _new_id()
self.revoke_api.revoke_by_user(user_id)
token_values['user_id'] = user_id
audit_chain_id = _new_id()
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id)
token_values['audit_chain_id'] = audit_chain_id
self.assertRaises(exception.TokenNotFound,
self.revoke_api.check_token,
token_values)
@ -165,20 +155,11 @@ class RevokeTests(object):
# Move our clock forward by 2h, build a new token and validate it.
# 'synchronize' should now be exercised and remove old expired events
mock_utcnow.return_value = now_plus_2h
self.revoke_api.revoke_by_expiration(_new_id(), now_plus_2h)
# should no longer throw an exception
self.revoke_api.check_token(token_values)
def test_revoke_by_expiration_project_and_domain_fails(self):
user_id = _new_id()
expires_at = utils.isotime(_future_time(), subsecond=True)
domain_id = _new_id()
project_id = _new_id()
self.assertThat(
lambda: self.revoke_api.revoke_by_expiration(
user_id, expires_at, domain_id=domain_id,
project_id=project_id),
matchers.raises(exception.UnexpectedError))
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id)
# two hours later, it should still be not found
self.assertRaises(exception.TokenNotFound,
self.revoke_api.check_token,
token_values)
class SqlRevokeTests(test_backend_sql.SqlTests, RevokeTests):
@ -335,26 +316,6 @@ class RevokeTreeTests(unit.TestCase):
def test_revoke_by_user_matches_trustor(self):
self._user_field_test('trustor_id')
def test_by_user_expiration(self):
future_time = _future_time()
user_id = 1
event = self._revoke_by_expiration(user_id, future_time)
token_data_1 = _sample_blank_token()
token_data_1['user_id'] = user_id
token_data_1['expires_at'] = future_time.replace(microsecond=0)
self._assertTokenRevoked(token_data_1)
token_data_2 = _sample_blank_token()
token_data_2['user_id'] = user_id
expire_delta = datetime.timedelta(seconds=2000)
future_time = timeutils.utcnow() + expire_delta
token_data_2['expires_at'] = future_time
self._assertTokenNotRevoked(token_data_2)
self.remove_event(event)
self._assertTokenNotRevoked(token_data_1)
def test_revoke_by_audit_id(self):
audit_id = provider.audit_info(parent_audit_id=None)[0]
token_data_1 = _sample_blank_token()
@ -394,40 +355,6 @@ class RevokeTreeTests(unit.TestCase):
self._assertTokenNotRevoked(token_data_1)
self._assertTokenNotRevoked(token_data_2)
def test_by_user_project(self):
# When a user has a project-scoped token and the project-scoped token
# is revoked then the token is revoked.
user_id = _new_id()
project_id = _new_id()
future_time = _future_time()
token_data = _sample_blank_token()
token_data['user_id'] = user_id
token_data['project_id'] = project_id
token_data['expires_at'] = future_time.replace(microsecond=0)
self._revoke_by_expiration(user_id, future_time, project_id=project_id)
self._assertTokenRevoked(token_data)
def test_by_user_domain(self):
# When a user has a domain-scoped token and the domain-scoped token
# is revoked then the token is revoked.
user_id = _new_id()
domain_id = _new_id()
future_time = _future_time()
token_data = _sample_blank_token()
token_data['user_id'] = user_id
token_data['assignment_domain_id'] = domain_id
token_data['expires_at'] = future_time.replace(microsecond=0)
self._revoke_by_expiration(user_id, future_time, domain_id=domain_id)
self._assertTokenRevoked(token_data)
def remove_event(self, event):
self.events.remove(event)
self.tree.remove_event(event)
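Review bot: The renamed test_expired_events_are_removed no longer verifies that any event is removed. After the clock is moved forward two hours, the new lines call `self.revoke_api.revoke_by_audit_chain_id(audit_chain_id)` a second time and then assert TokenNotFound, so the assertion is satisfied by the freshly written event whether or not the earlier one was purged. If the cleanup of expired revocation events is still meant to be covered, assert on the event list after the clock change, for example `self.assertEqual(1, len(self.revoke_api.list_events()))` (assuming the first event has expired by then). Otherwise rename the test and drop the "'synchronize' should now be exercised" comment so they match what is actually checked.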


@ -21,7 +21,6 @@ from testtools import matchers
from keystone.common import utils
from keystone.models import revoke_model
from keystone.tests.unit import test_v3
from keystone.token import provider
def _future_time_string():
@ -72,13 +71,11 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
self.assertThat(links['self'], matchers.EndsWith(revoked_list_url))
def test_revoked_token_in_list(self):
user_id = uuid.uuid4().hex
expires_at = provider.default_expire_time()
audit_id = uuid.uuid4().hex
sample = self._blank_event()
sample['user_id'] = six.text_type(user_id)
sample['expires_at'] = six.text_type(utils.isotime(expires_at))
sample['audit_id'] = six.text_type(audit_id)
before_time = timeutils.utcnow()
self.revoke_api.revoke_by_expiration(user_id, expires_at)
self.revoke_api.revoke_by_audit_id(audit_id)
resp = self.get('/OS-REVOKE/events')
events = resp.json_body['events']
self.assertEqual(1, len(events))


@ -429,41 +429,19 @@ class Manager(manager.Manager):
self._validate_v3_token.invalidate(self, token_id)
def revoke_token(self, token_id, revoke_chain=False):
revoke_by_expires = False
project_id = None
domain_id = None
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.validate_token(token_id))
user_id = token_ref.user_id
expires_at = token_ref.expires
audit_id = token_ref.audit_id
audit_chain_id = token_ref.audit_chain_id
if token_ref.project_scoped:
project_id = token_ref.project_id
if token_ref.domain_scoped:
domain_id = token_ref.domain_id
project_id = token_ref.project_id if token_ref.project_scoped else None
domain_id = token_ref.domain_id if token_ref.domain_scoped else None
if audit_id is None and not revoke_chain:
LOG.debug('Received token with no audit_id.')
revoke_by_expires = True
if audit_chain_id is None and revoke_chain:
LOG.debug('Received token with no audit_chain_id.')
revoke_by_expires = True
if revoke_by_expires:
self.revoke_api.revoke_by_expiration(user_id, expires_at,
project_id=project_id,
domain_id=domain_id)
elif revoke_chain:
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id,
if revoke_chain:
self.revoke_api.revoke_by_audit_chain_id(token_ref.audit_chain_id,
project_id=project_id,
domain_id=domain_id)
else:
self.revoke_api.revoke_by_audit_id(audit_id)
self.revoke_api.revoke_by_audit_id(token_ref.audit_id)
if CONF.token.revoke_by_id and self._needs_persistence:
self._persistence.delete_token(token_id=token_id)
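Review bot: revoke_token now passes `token_ref.audit_chain_id` or `token_ref.audit_id` straight to the revoke API without checking for None, and the fallback that handled a missing ID is gone along with its debug log. The commit message itself only says the old path "seems redundant", and the deleted test_revoke_with_no_audit_info mocked exactly the no-audit-info case. If a token without audit info can still reach this method (not determinable from this hunk), the call would record an event built from `audit_id=None`. How RevokeEvent treats that is not visible here, but the revoke could then silently fail to invalidate the token. A fail-closed guard before the branch would make that case loud: `revoke_id = token_ref.audit_chain_id if revoke_chain else token_ref.audit_id` followed by `if revoke_id is None: raise exception.UnexpectedError('token has no audit ID; cannot revoke')`. A short docstring on revoke_token stating that audit IDs are required would also record the assumption this change relies on.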


@ -15,4 +15,8 @@ other:
run keystone in an HTTP server.
- >
[`blueprint removed-as-of-newton <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-newton>`_]
Removed support for generating SSL certificates.
Removed support for generating SSL certificates.
- >
[`blueprint removed-as-of-newton <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-newton>`_]
The ``revoke_by_expiration`` method in ``keystone.revoke.core`` has been
removed. This was deprecated in the Juno release.