openstack
/
keystone
Code Issues Proposed changes
Browse Source

Fix for V2 token issued_at time changing 

When the server converted a V2 token to a V3 token it regenerated
the issued_at time.

This was causing the server to return a different issued_at time
when a V2 token was validated using the V3 API.

This was causing the server to fail to revoke a V2 token if it was
revoked before validating it first because the regenerated token was
considered to be after the revocation event.

Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
Closes-Bug: #1348820
changes/47/109747/2
Brant Knudson 8 years ago
parent
556fb86031
commit
a4c73e4382
2 changed files with 14 additions and 11 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      keystone/tests/test_v3_auth.py
  2. 17
      keystone/token/providers/common.py

8
keystone/tests/test_v3_auth.py
Unescape View File

@ -370,8 +370,7 @@ class TokenAPITests(object):
v3_issued_at = timeutils.parse_isotime(
token_data['token']['issued_at'])
# FIXME(blk-u): the following should be assertEqual, see bug 1348820
self.assertNotEqual(v2_issued_at, v3_issued_at)
self.assertEqual(v2_issued_at, v3_issued_at)
def test_rescoping_token(self):
expires = self.token_data['token']['expires_at']
@ -1248,9 +1247,6 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
def test_revoke_v2_token_no_check(self):
# Test that a V2 token can be revoked without validating it first.
# NOTE(blk-u): This doesn't work right. The token should be invalid
# after being revoked but it's not. See bug 1348820.
token = self.get_v2_token()
self.delete('/auth/tokens',
@ -1259,7 +1255,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
expected_status=200) # FIXME(blk-u): This should be 404
expected_status=404)
@dependency.requires('revoke_api')

17
keystone/token/providers/common.py
Unescape View File

@ -310,18 +310,20 @@ class V3TokenDataHelper(object):
# TODO(ayoung): Enforce Endpoints for trust
token_data['catalog'] = service_catalog
def _populate_token_dates(self, token_data, expires=None, trust=None):
def _populate_token_dates(self, token_data, expires=None, trust=None,
issued_at=None):
if not expires:
expires = provider.default_expire_time()
if not isinstance(expires, six.string_types):
expires = timeutils.isotime(expires, subsecond=True)
token_data['expires_at'] = expires
token_data['issued_at'] = timeutils.isotime(subsecond=True)
token_data['issued_at'] = (issued_at or
timeutils.isotime(subsecond=True))
def get_token_data(self, user_id, method_names, extras,
domain_id=None, project_id=None, expires=None,
trust=None, token=None, include_catalog=True,
bind=None, access_token=None):
bind=None, access_token=None, issued_at=None):
token_data = {'methods': method_names,
'extras': extras}
@ -345,7 +347,8 @@ class V3TokenDataHelper(object):
if include_catalog:
self._populate_service_catalog(token_data, user_id, domain_id,
project_id, trust)
self._populate_token_dates(token_data, expires=expires, trust=trust)
self._populate_token_dates(token_data, expires=expires, trust=trust,
issued_at=issued_at)
self._populate_oauth_section(token_data, access_token)
return {'token': token_data}
@ -633,13 +636,17 @@ class BaseProvider(provider.Provider):
project_ref = token_ref.get('tenant')
if project_ref:
project_id = project_ref['id']
issued_at = token_ref['token_data']['access']['token']['issued_at']
token_data = self.v3_token_data_helper.get_token_data(
token_ref['user']['id'],
['password', 'token'],
{},
project_id=project_id,
bind=token_ref.get('bind'),
expires=token_ref['expires'])
expires=token_ref['expires'],
issued_at=issued_at)
return token_data
def validate_token(self, token_id):

Write Preview
Loading…
Cancel
Save