Merge "Fix "allow expired" feature for JWT"
This commit is contained in:
commit
3da5eb8501
|
@ -2628,6 +2628,23 @@ class TokenAPITests(object):
|
||||||
with app.test_client() as c:
|
with app.test_client() as c:
|
||||||
c.get('/v3/users', headers=headers)
|
c.get('/v3/users', headers=headers)
|
||||||
|
|
||||||
|
def test_fetch_expired_allow_expired_in_expired_window(self):
|
||||||
|
self.config_fixture.config(group='token',
|
||||||
|
expiration=10,
|
||||||
|
allow_expired_window=20)
|
||||||
|
time = datetime.datetime.utcnow()
|
||||||
|
with freezegun.freeze_time(time):
|
||||||
|
token = self._get_project_scoped_token()
|
||||||
|
|
||||||
|
tick = datetime.timedelta(seconds=15)
|
||||||
|
with freezegun.freeze_time(time + tick):
|
||||||
|
# after passing expiry time validation fails
|
||||||
|
self._validate_token(token, expected_status=http.client.NOT_FOUND)
|
||||||
|
|
||||||
|
# but if we pass allow_expired it validates
|
||||||
|
r = self._validate_token(token, allow_expired=True)
|
||||||
|
self.assertValidProjectScopedTokenResponse(r)
|
||||||
|
|
||||||
|
|
||||||
class TokenDataTests(object):
|
class TokenDataTests(object):
|
||||||
"""Test the data in specific token types."""
|
"""Test the data in specific token types."""
|
||||||
|
|
|
@ -175,13 +175,15 @@ class JWSFormatter(object):
|
||||||
)
|
)
|
||||||
|
|
||||||
def _decode_token_from_id(self, token_id):
|
def _decode_token_from_id(self, token_id):
|
||||||
|
options = dict()
|
||||||
|
options['verify_exp'] = False
|
||||||
for public_key in self.public_keys:
|
for public_key in self.public_keys:
|
||||||
try:
|
try:
|
||||||
return jwt.decode(
|
return jwt.decode(
|
||||||
token_id, public_key, algorithms=JWSFormatter.algorithm
|
token_id, public_key, algorithms=JWSFormatter.algorithm,
|
||||||
|
options=options
|
||||||
)
|
)
|
||||||
except (jwt.InvalidSignatureError, jwt.DecodeError,
|
except (jwt.InvalidSignatureError, jwt.DecodeError):
|
||||||
jwt.ExpiredSignatureError):
|
|
||||||
pass # nosec: We want to exhaustively try all public keys
|
pass # nosec: We want to exhaustively try all public keys
|
||||||
raise exception.TokenNotFound(token_id=token_id)
|
raise exception.TokenNotFound(token_id=token_id)
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1886017 <https://bugs.launchpad.net/keystone/+bug/1886017>`_]
|
||||||
|
JWT validation now supports `allow_expired` query parameters.
|
Loading…
Reference in New Issue