Browse Source

Merge "Fix "allow expired" feature for JWT"

tags/18.0.0.0rc1
Zuul 1 month ago
committed by Gerrit Code Review
parent
commit
3da5eb8501
3 changed files with 27 additions and 3 deletions
  1. +17
    -0
      keystone/tests/unit/test_v3_auth.py
  2. +5
    -3
      keystone/token/providers/jws/core.py
  3. +5
    -0
      releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml

+ 17
- 0
keystone/tests/unit/test_v3_auth.py View File

@@ -2628,6 +2628,23 @@ class TokenAPITests(object):
with app.test_client() as c:
c.get('/v3/users', headers=headers)

def test_fetch_expired_allow_expired_in_expired_window(self):
self.config_fixture.config(group='token',
expiration=10,
allow_expired_window=20)
time = datetime.datetime.utcnow()
with freezegun.freeze_time(time):
token = self._get_project_scoped_token()

tick = datetime.timedelta(seconds=15)
with freezegun.freeze_time(time + tick):
# after passing expiry time validation fails
self._validate_token(token, expected_status=http.client.NOT_FOUND)

# but if we pass allow_expired it validates
r = self._validate_token(token, allow_expired=True)
self.assertValidProjectScopedTokenResponse(r)


class TokenDataTests(object):
"""Test the data in specific token types."""


+ 5
- 3
keystone/token/providers/jws/core.py View File

@@ -175,13 +175,15 @@ class JWSFormatter(object):
)

def _decode_token_from_id(self, token_id):
options = dict()
options['verify_exp'] = False
for public_key in self.public_keys:
try:
return jwt.decode(
token_id, public_key, algorithms=JWSFormatter.algorithm
token_id, public_key, algorithms=JWSFormatter.algorithm,
options=options
)
except (jwt.InvalidSignatureError, jwt.DecodeError,
jwt.ExpiredSignatureError):
except (jwt.InvalidSignatureError, jwt.DecodeError):
pass # nosec: We want to exhaustively try all public keys
raise exception.TokenNotFound(token_id=token_id)



+ 5
- 0
releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml View File

@@ -0,0 +1,5 @@
---
fixes:
- |
[`bug 1886017 <https://bugs.launchpad.net/keystone/+bug/1886017>`_]
JWT validation now supports `allow_expired` query parameters.

Loading…
Cancel
Save