From 5346dfaf01ba2c42c8f523023f2d995f3f036d07 Mon Sep 17 00:00:00 2001
From: Sean Perry <sean.perry@hpe.com>
Date: Fri, 26 Aug 2016 10:44:58 -0700
Subject: [PATCH] Impose a min and a max on time values in CONF.token

expiration is passed to datetime.timedelta which cannot handle Python
long values. Cap the integer at sys.maxsize. A negative time is also
invalid so set the minimum to 0.

Change-Id: Ie3ec0c490cac3b4c4cb87f246d6c8bc4e9b0d41a
---
 keystone/conf/token.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/keystone/conf/token.py b/keystone/conf/token.py
index 2c72d6b868..055a1dbfde 100644
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@@ -11,6 +11,7 @@
 # under the License.
 
 import hashlib
+import sys
 
 from oslo_config import cfg
 
@@ -46,6 +47,8 @@ binding metadata be supported by keystone.
 expiration = cfg.IntOpt(
     'expiration',
     default=3600,
+    min=0,
+    max=sys.maxsize,
     help=utils.fmt("""
 The amount of time that a token should remain valid (in seconds). Drastically
 reducing this value may break "long-running" operations that involve multiple
@@ -96,6 +99,8 @@ unless global caching is enabled.
 
 cache_time = cfg.IntOpt(
     'cache_time',
+    min=0,
+    max=sys.maxsize,
     help=utils.fmt("""
 The number of seconds to cache token creation and validation data. This has no
 effect unless both global and `[token] caching` are enabled.