Fix for V2 token issued_at time changing
When the server converted a V2 token to a V3 token it regenerated the issued_at time. This was causing the server to return a different issued_at time when a V2 token was validated using the V3 API. This was causing the server to fail to revoke a V2 token if it was revoked before validating it first, because the token, with its regenerated issued_at time, was considered to have been issued after the revocation event. Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205 Closes-Bug: #1348820
parent
556fb86031
commit
a4c73e4382
|
@ -370,8 +370,7 @@ class TokenAPITests(object):
|
|||
v3_issued_at = timeutils.parse_isotime(
|
||||
token_data['token']['issued_at'])
|
||||
|
||||
# FIXME(blk-u): the following should be assertEqual, see bug 1348820
|
||||
self.assertNotEqual(v2_issued_at, v3_issued_at)
|
||||
self.assertEqual(v2_issued_at, v3_issued_at)
|
||||
|
||||
def test_rescoping_token(self):
|
||||
expires = self.token_data['token']['expires_at']
|
||||
|
@ -1248,9 +1247,6 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
|
|||
def test_revoke_v2_token_no_check(self):
|
||||
# Test that a V2 token can be revoked without validating it first.
|
||||
|
||||
# NOTE(blk-u): This doesn't work right. The token should be invalid
|
||||
# after being revoked but it's not. See bug 1348820.
|
||||
|
||||
token = self.get_v2_token()
|
||||
|
||||
self.delete('/auth/tokens',
|
||||
|
@ -1259,7 +1255,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
|
|||
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': token},
|
||||
expected_status=200) # FIXME(blk-u): This should be 404
|
||||
expected_status=404)
|
||||
|
||||
|
||||
@dependency.requires('revoke_api')
|
||||
|
|
|
@ -310,18 +310,20 @@ class V3TokenDataHelper(object):
|
|||
# TODO(ayoung): Enforce Endpoints for trust
|
||||
token_data['catalog'] = service_catalog
|
||||
|
||||
def _populate_token_dates(self, token_data, expires=None, trust=None):
|
||||
def _populate_token_dates(self, token_data, expires=None, trust=None,
|
||||
issued_at=None):
|
||||
if not expires:
|
||||
expires = provider.default_expire_time()
|
||||
if not isinstance(expires, six.string_types):
|
||||
expires = timeutils.isotime(expires, subsecond=True)
|
||||
token_data['expires_at'] = expires
|
||||
token_data['issued_at'] = timeutils.isotime(subsecond=True)
|
||||
token_data['issued_at'] = (issued_at or
|
||||
timeutils.isotime(subsecond=True))
|
||||
|
||||
def get_token_data(self, user_id, method_names, extras,
|
||||
domain_id=None, project_id=None, expires=None,
|
||||
trust=None, token=None, include_catalog=True,
|
||||
bind=None, access_token=None):
|
||||
bind=None, access_token=None, issued_at=None):
|
||||
token_data = {'methods': method_names,
|
||||
'extras': extras}
|
||||
|
||||
|
@ -345,7 +347,8 @@ class V3TokenDataHelper(object):
|
|||
if include_catalog:
|
||||
self._populate_service_catalog(token_data, user_id, domain_id,
|
||||
project_id, trust)
|
||||
self._populate_token_dates(token_data, expires=expires, trust=trust)
|
||||
self._populate_token_dates(token_data, expires=expires, trust=trust,
|
||||
issued_at=issued_at)
|
||||
self._populate_oauth_section(token_data, access_token)
|
||||
return {'token': token_data}
|
||||
|
||||
|
@ -633,13 +636,17 @@ class BaseProvider(provider.Provider):
|
|||
project_ref = token_ref.get('tenant')
|
||||
if project_ref:
|
||||
project_id = project_ref['id']
|
||||
|
||||
issued_at = token_ref['token_data']['access']['token']['issued_at']
|
||||
|
||||
token_data = self.v3_token_data_helper.get_token_data(
|
||||
token_ref['user']['id'],
|
||||
['password', 'token'],
|
||||
{},
|
||||
project_id=project_id,
|
||||
bind=token_ref.get('bind'),
|
||||
expires=token_ref['expires'])
|
||||
expires=token_ref['expires'],
|
||||
issued_at=issued_at)
|
||||
return token_data
|
||||
|
||||
def validate_token(self, token_id):
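Review bot: The `issued_at or timeutils.isotime(subsecond=True)` fallback in `_populate_token_dates` fails open on the V2-to-V3 conversion path: if the stored V2 token's `issued_at` is ever empty or None, the V3 data silently gets a fresh timestamp, which is the state the commit message says lets a revoked token look as if it was issued after the revocation event. The fallback is only right when a new token is being issued, so in the conversion hunk I would check the value before calling `get_token_data`, fail validation with whatever error this provider already raises for an invalid token when it is missing, and add a comment above the lookup such as `# Keep the original issued_at: revocation events are compared against it.` The direct lookup `token_ref['token_data']['access']['token']['issued_at']` also raises KeyError if a persisted token lacks any of those keys; the enclosing method starts outside the hunk, so I cannot tell whether that is mapped to a 4xx or surfaces as a 500. Unlike `expires`, the passed-in `issued_at` is stored without the `isinstance(..., six.string_types)` normalisation, so a one-line docstring on `_populate_token_dates` stating that `issued_at` must already be an ISO-formatted string (presumably what the V2 token data holds) would make that contract explicit.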
|
||||
|
|