Fix for V2 token issued_at time changing
When the server converted a V2 token to a V3 token it regenerated
the issued_at time.
This was causing the server to return a different issued_at time
when a V2 token was validated using the V3 API.
As a result, a V2 token that was revoked before it had ever been
validated was not treated as revoked, because the regenerated issued_at
time made the token appear to have been issued after the revocation event.
Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
Closes-Bug: #1348820
(cherry picked from commit a4c73e4382
)
parent
0c34e79ae9
commit
bdb88c662a
|
@ -370,8 +370,7 @@ class TokenAPITests(object):
|
||||||
v3_issued_at = timeutils.parse_isotime(
|
v3_issued_at = timeutils.parse_isotime(
|
||||||
token_data['token']['issued_at'])
|
token_data['token']['issued_at'])
|
||||||
|
|
||||||
# FIXME(blk-u): the following should be assertEqual, see bug 1348820
|
self.assertEqual(v2_issued_at, v3_issued_at)
|
||||||
self.assertNotEqual(v2_issued_at, v3_issued_at)
|
|
||||||
|
|
||||||
def test_rescoping_token(self):
|
def test_rescoping_token(self):
|
||||||
expires = self.token_data['token']['expires_at']
|
expires = self.token_data['token']['expires_at']
|
||||||
|
@ -1225,9 +1224,6 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||||
def test_revoke_v2_token_no_check(self):
|
def test_revoke_v2_token_no_check(self):
|
||||||
# Test that a V2 token can be revoked without validating it first.
|
# Test that a V2 token can be revoked without validating it first.
|
||||||
|
|
||||||
# NOTE(blk-u): This doesn't work right. The token should be invalid
|
|
||||||
# after being revoked but it's not. See bug 1348820.
|
|
||||||
|
|
||||||
token = self.get_v2_token()
|
token = self.get_v2_token()
|
||||||
|
|
||||||
self.delete('/auth/tokens',
|
self.delete('/auth/tokens',
|
||||||
|
@ -1236,7 +1232,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||||
|
|
||||||
self.head('/auth/tokens',
|
self.head('/auth/tokens',
|
||||||
headers={'X-Subject-Token': token},
|
headers={'X-Subject-Token': token},
|
||||||
expected_status=200) # FIXME(blk-u): This should be 404
|
expected_status=404)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('revoke_api')
|
@dependency.requires('revoke_api')
|
||||||
|
|
|
@ -315,18 +315,20 @@ class V3TokenDataHelper(object):
|
||||||
# TODO(ayoung): Enforce Endpoints for trust
|
# TODO(ayoung): Enforce Endpoints for trust
|
||||||
token_data['catalog'] = service_catalog
|
token_data['catalog'] = service_catalog
|
||||||
|
|
||||||
def _populate_token_dates(self, token_data, expires=None, trust=None):
|
def _populate_token_dates(self, token_data, expires=None, trust=None,
|
||||||
|
issued_at=None):
|
||||||
if not expires:
|
if not expires:
|
||||||
expires = token.default_expire_time()
|
expires = token.default_expire_time()
|
||||||
if not isinstance(expires, six.string_types):
|
if not isinstance(expires, six.string_types):
|
||||||
expires = timeutils.isotime(expires, subsecond=True)
|
expires = timeutils.isotime(expires, subsecond=True)
|
||||||
token_data['expires_at'] = expires
|
token_data['expires_at'] = expires
|
||||||
token_data['issued_at'] = timeutils.isotime(subsecond=True)
|
token_data['issued_at'] = (issued_at or
|
||||||
|
timeutils.isotime(subsecond=True))
|
||||||
|
|
||||||
def get_token_data(self, user_id, method_names, extras,
|
def get_token_data(self, user_id, method_names, extras,
|
||||||
domain_id=None, project_id=None, expires=None,
|
domain_id=None, project_id=None, expires=None,
|
||||||
trust=None, token=None, include_catalog=True,
|
trust=None, token=None, include_catalog=True,
|
||||||
bind=None, access_token=None):
|
bind=None, access_token=None, issued_at=None):
|
||||||
token_data = {'methods': method_names,
|
token_data = {'methods': method_names,
|
||||||
'extras': extras}
|
'extras': extras}
|
||||||
|
|
||||||
|
@ -350,7 +352,8 @@ class V3TokenDataHelper(object):
|
||||||
if include_catalog:
|
if include_catalog:
|
||||||
self._populate_service_catalog(token_data, user_id, domain_id,
|
self._populate_service_catalog(token_data, user_id, domain_id,
|
||||||
project_id, trust)
|
project_id, trust)
|
||||||
self._populate_token_dates(token_data, expires=expires, trust=trust)
|
self._populate_token_dates(token_data, expires=expires, trust=trust,
|
||||||
|
issued_at=issued_at)
|
||||||
self._populate_oauth_section(token_data, access_token)
|
self._populate_oauth_section(token_data, access_token)
|
||||||
return {'token': token_data}
|
return {'token': token_data}
|
||||||
|
|
||||||
|
@ -648,13 +651,17 @@ class BaseProvider(provider.Provider):
|
||||||
project_ref = token_ref.get('tenant')
|
project_ref = token_ref.get('tenant')
|
||||||
if project_ref:
|
if project_ref:
|
||||||
project_id = project_ref['id']
|
project_id = project_ref['id']
|
||||||
|
|
||||||
|
issued_at = token_ref['token_data']['access']['token']['issued_at']
|
||||||
|
|
||||||
token_data = self.v3_token_data_helper.get_token_data(
|
token_data = self.v3_token_data_helper.get_token_data(
|
||||||
token_ref['user']['id'],
|
token_ref['user']['id'],
|
||||||
['password', 'token'],
|
['password', 'token'],
|
||||||
{},
|
{},
|
||||||
project_id=project_id,
|
project_id=project_id,
|
||||||
bind=token_ref.get('bind'),
|
bind=token_ref.get('bind'),
|
||||||
expires=token_ref['expires'])
|
expires=token_ref['expires'],
|
||||||
|
issued_at=issued_at)
|
||||||
return token_data
|
return token_data
|
||||||
|
|
||||||
def validate_token(self, token_id):
|
def validate_token(self, token_id):
|
||||||
|
|
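Review bot: In `_populate_token_dates`, the new `issued_at or timeutils.isotime(subsecond=True)` silently substitutes the current time whenever the caller passes None or an empty value. That is the same condition that made a converted V2 token look newer than its revocation event. The V2 conversion hunk reads `token_ref['token_data']['access']['token']['issued_at']` and passes it on without checking that it is non-empty, so a stored token with a blank value would presumably still get a fresh timestamp and pass the revocation check; that path should reject such a token with the provider's usual invalid-token error rather than let it default (the enclosing conversion method starts outside the hunk, so any existing guard is not visible here). Unlike `expires`, `issued_at` is also stored without normalization, so a non-string value would end up in the token body as-is; mirroring the existing check with `if issued_at and not isinstance(issued_at, six.string_types): issued_at = timeutils.isotime(issued_at, subsecond=True)` would keep both timestamps in one format. A short comment on the parameter saying that it must carry the original issue time for revocation matching would help future callers.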