Add tests related to V2 token issued_at time changing

There was no test that showed that when a V2 token is used in a V3 context its "issued_at" time changes. This affects validating a V2 token using V3 and also revoking a V2 token. The tests show the current incorrect behavior. Partial-Bug: #1348820 Change-Id: I2a3443847b2699384413933ae164fdc183aa110f
2014-07-25 09:14:14 -05:00 · 2014-07-25 09:14:14 -05:00 · 556fb86031
commit 556fb86031
parent 46f2871258
1 changed files with 37 additions and 12 deletions
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -365,6 +365,14 @@ class TokenAPITests(object):
        self.assertEqual(v2_token_data['access']['user']['roles'][0]['name'],
                         token_data['token']['roles'][0]['name'])

+        v2_issued_at = timeutils.parse_isotime(
+            v2_token_data['access']['token']['issued_at'])
+        v3_issued_at = timeutils.parse_isotime(
+            token_data['token']['issued_at'])
+
+        # FIXME(blk-u): the following should be assertEqual, see bug 1348820
+        self.assertNotEqual(v2_issued_at, v3_issued_at)
+
    def test_rescoping_token(self):
        expires = self.token_data['token']['expires_at']
        auth_data = self.build_authentication_request(
@ -1224,6 +1232,35 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
        # Make sure that we get a NotFound(404) when heading that role.
        self.head(role_path, expected_status=404)

+    def get_v2_token(self):
+        body = {
+            'auth': {
+                'passwordCredentials': {
+                    'username': self.default_domain_user['name'],
+                    'password': self.default_domain_user['password'],
+                }
+            },
+        }
+
+        r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
+        return r.json_body['access']['token']['id']
+
+    def test_revoke_v2_token_no_check(self):
+        # Test that a V2 token can be revoked without validating it first.
+
+        # NOTE(blk-u): This doesn't work right. The token should be invalid
+        # after being revoked but it's not. See bug 1348820.
+
+        token = self.get_v2_token()
+
+        self.delete('/auth/tokens',
+                    headers={'X-Subject-Token': token},
+                    expected_status=204)
+
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': token},
+                  expected_status=200)  # FIXME(blk-u): This should be 404
+

@dependency.requires('revoke_api')
 class TestTokenRevokeApi(TestTokenRevokeById):
@ -1286,18 +1323,6 @@ class TestTokenRevokeApi(TestTokenRevokeById):
                                   expected_status=200).json_body
        self.assertValidRevokedTokenResponse(events_response, self.user['id'])

-    def get_v2_token(self):
-        body = {
-            'auth': {
-                'passwordCredentials': {
-                    'username': self.default_domain_user['name'],
-                    'password': self.default_domain_user['password'],
-                },
-            },
-        }
-        r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
-        return r.json_body['access']['token']['id']
-
    def test_revoke_v2_token(self):
        token = self.get_v2_token()
        headers = {'X-Subject-Token': token}