openstack
/
keystone
Code Issues Proposed changes

Fix for V2 token issued_at time changing 

When the server converted a V2 token to a V3 token it regenerated
the issued_at time.

This was causing the server to return a different issued_at time
when a V2 token was validated using the V3 API.

This was causing the server to fail to revoke a V2 token if it was
revoked before validating it first because the regenerated token was
considered to be after the revocation event.

Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
Closes-Bug: #1348820
(cherry picked from commit a4c73e4382)
This commit is contained in:
Brant Knudson 2014-07-25 16:26:38 -05:00
parent 0c34e79ae9
commit bdb88c662a
2 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
keystone/tests/test_v3_auth.py
View File

@ -370,8 +370,7 @@ class TokenAPITests(object):
v3_issued_at = timeutils.parse_isotime(
token_data['token']['issued_at'])
# FIXME(blk-u): the following should be assertEqual, see bug 1348820
self.assertNotEqual(v2_issued_at, v3_issued_at)
self.assertEqual(v2_issued_at, v3_issued_at)
def test_rescoping_token(self):
expires = self.token_data['token']['expires_at']
@ -1225,9 +1224,6 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
def test_revoke_v2_token_no_check(self):
# Test that a V2 token can be revoked without validating it first.
# NOTE(blk-u): This doesn't work right. The token should be invalid
# after being revoked but it's not. See bug 1348820.
token = self.get_v2_token()
self.delete('/auth/tokens',
@ -1236,7 +1232,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
expected_status=200) # FIXME(blk-u): This should be 404
expected_status=404)
@dependency.requires('revoke_api')

17
keystone/token/providers/common.py
View File

@ -315,18 +315,20 @@ class V3TokenDataHelper(object):
# TODO(ayoung): Enforce Endpoints for trust
token_data['catalog'] = service_catalog
def _populate_token_dates(self, token_data, expires=None, trust=None):
def _populate_token_dates(self, token_data, expires=None, trust=None,
issued_at=None):
if not expires:
expires = token.default_expire_time()
if not isinstance(expires, six.string_types):
expires = timeutils.isotime(expires, subsecond=True)
token_data['expires_at'] = expires
token_data['issued_at'] = timeutils.isotime(subsecond=True)
token_data['issued_at'] = (issued_at or
timeutils.isotime(subsecond=True))
def get_token_data(self, user_id, method_names, extras,
domain_id=None, project_id=None, expires=None,
trust=None, token=None, include_catalog=True,
bind=None, access_token=None):
bind=None, access_token=None, issued_at=None):
token_data = {'methods': method_names,
'extras': extras}
@ -350,7 +352,8 @@ class V3TokenDataHelper(object):
if include_catalog:
self._populate_service_catalog(token_data, user_id, domain_id,
project_id, trust)
self._populate_token_dates(token_data, expires=expires, trust=trust)
self._populate_token_dates(token_data, expires=expires, trust=trust,
issued_at=issued_at)
self._populate_oauth_section(token_data, access_token)
return {'token': token_data}
@ -648,13 +651,17 @@ class BaseProvider(provider.Provider):
project_ref = token_ref.get('tenant')
if project_ref:
project_id = project_ref['id']
issued_at = token_ref['token_data']['access']['token']['issued_at']
token_data = self.v3_token_data_helper.get_token_data(
token_ref['user']['id'],
['password', 'token'],
{},
project_id=project_id,
bind=token_ref.get('bind'),
expires=token_ref['expires'])
expires=token_ref['expires'],
issued_at=issued_at)
return token_data
def validate_token(self, token_id):