Fix for V2 token issued_at time changing

When the server converted a V2 token to a V3 token it regenerated the issued_at time. This was causing the server to return a different issued_at time when a V2 token was validated using the V3 API. This was causing the server to fail to revoke a V2 token if it was revoked before validating it first because the regenerated token was considered to be after the revocation event. Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205 Closes-Bug: #1348820 (cherry picked from commit a4c73e4382)
7 years ago · bdb88c662a
2 changed files with 14 additions and 11 deletions
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -370,8 +370,7 @@ class TokenAPITests(object):
        v3_issued_at = timeutils.parse_isotime(
            token_data['token']['issued_at'])

-        # FIXME(blk-u): the following should be assertEqual, see bug 1348820
-        self.assertNotEqual(v2_issued_at, v3_issued_at)
+        self.assertEqual(v2_issued_at, v3_issued_at)

    def test_rescoping_token(self):
        expires = self.token_data['token']['expires_at']
@ -1225,9 +1224,6 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
    def test_revoke_v2_token_no_check(self):
        # Test that a V2 token can be revoked without validating it first.

-        # NOTE(blk-u): This doesn't work right. The token should be invalid
-        # after being revoked but it's not. See bug 1348820.
-
        token = self.get_v2_token()

        self.delete('/auth/tokens',
@ -1236,7 +1232,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):

        self.head('/auth/tokens',
                  headers={'X-Subject-Token': token},
-                  expected_status=200)  # FIXME(blk-u): This should be 404
+                  expected_status=404)


@dependency.requires('revoke_api')
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -315,18 +315,20 @@ class V3TokenDataHelper(object):
            # TODO(ayoung): Enforce Endpoints for trust
            token_data['catalog'] = service_catalog

-    def _populate_token_dates(self, token_data, expires=None, trust=None):
+    def _populate_token_dates(self, token_data, expires=None, trust=None,
+                              issued_at=None):
        if not expires:
            expires = token.default_expire_time()
        if not isinstance(expires, six.string_types):
            expires = timeutils.isotime(expires, subsecond=True)
        token_data['expires_at'] = expires
-        token_data['issued_at'] = timeutils.isotime(subsecond=True)
+        token_data['issued_at'] = (issued_at or
+                                   timeutils.isotime(subsecond=True))

    def get_token_data(self, user_id, method_names, extras,
                       domain_id=None, project_id=None, expires=None,
                       trust=None, token=None, include_catalog=True,
-                       bind=None, access_token=None):
+                       bind=None, access_token=None, issued_at=None):
        token_data = {'methods': method_names,
                      'extras': extras}

@ -350,7 +352,8 @@ class V3TokenDataHelper(object):
        if include_catalog:
            self._populate_service_catalog(token_data, user_id, domain_id,
                                           project_id, trust)
-        self._populate_token_dates(token_data, expires=expires, trust=trust)
+        self._populate_token_dates(token_data, expires=expires, trust=trust,
+                                   issued_at=issued_at)
        self._populate_oauth_section(token_data, access_token)
        return {'token': token_data}

@ -648,13 +651,17 @@ class BaseProvider(provider.Provider):
            project_ref = token_ref.get('tenant')
            if project_ref:
                project_id = project_ref['id']
+
+            issued_at = token_ref['token_data']['access']['token']['issued_at']
+
            token_data = self.v3_token_data_helper.get_token_data(
                token_ref['user']['id'],
                ['password', 'token'],
                {},
                project_id=project_id,
                bind=token_ref.get('bind'),
-                expires=token_ref['expires'])
+                expires=token_ref['expires'],
+                issued_at=issued_at)
        return token_data

    def validate_token(self, token_id):