Merge "Return 404 instead of 401 for tokens w/o roles"

This commit is contained in:
Jenkins 2016-03-03 11:22:01 +00:00 committed by Gerrit Code Review
commit e2ee064192
2 changed files with 55 additions and 14 deletions


@ -687,6 +687,38 @@ class TokenAPITests(object):
self.assertIn(implied['id'], token_role_ids)
self.assertNotIn(new_role['id'], token_role_ids)
def test_remove_all_roles_from_scope_result_in_404(self):
# create a new user
new_user = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
# give the new user a role on a project
path = '/projects/%s/users/%s/roles/%s' % (
self.project['id'], new_user['id'], self.role['id'])
self.put(path=path)
# authenticate as the new user and get a project-scoped token
auth_data = self.build_authentication_request(
user_id=new_user['id'],
password=new_user['password'],
project_id=self.project['id'])
subject_token_id = self.v3_create_token(auth_data).headers.get(
'X-Subject-Token')
# make sure the project-scoped token is valid
headers = {'X-Subject-Token': subject_token_id}
r = self.get('/auth/tokens', headers=headers)
self.assertValidProjectScopedTokenResponse(r)
# remove the roles from the user for the given scope
path = '/projects/%s/users/%s/roles/%s' % (
self.project['id'], new_user['id'], self.role['id'])
self.delete(path=path)
# token validation should now result in 404
self.get('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND)
class TokenDataTests(object):
"""Test the data in specific token types."""


@ -268,19 +268,24 @@ class Manager(manager.Manager):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
# NOTE(lbragstad): Only go to persistent storage if we have a token to
# fetch from the backend (the driver persists the token). Otherwise
# the information about the token must be in the token id.
if not self._needs_persistence:
token_ref = self.validate_non_persistent_token(token_id)
else:
unique_id = utils.generate_unique_id(token_id)
# NOTE(morganfainberg): Ensure we never use the long-form token_id
# (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token_ref = self._validate_v3_token(token_ref)
self._is_valid_token(token_ref)
return token_ref
try:
# NOTE(lbragstad): Only go to persistent storage if we have a token
# to fetch from the backend (the driver persists the token).
# Otherwise the information about the token must be in the token
# id.
if not self._needs_persistence:
token_ref = self.validate_non_persistent_token(token_id)
else:
unique_id = utils.generate_unique_id(token_id)
# NOTE(morganfainberg): Ensure we never use the long-form
# token_id (PKI) as part of the cache_key.
token_ref = self._persistence.get_token(unique_id)
token_ref = self._validate_v3_token(token_ref)
self._is_valid_token(token_ref)
return token_ref
except exception.Unauthorized as e:
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
@MEMOIZE
def _validate_token(self, token_id):
@ -294,7 +299,11 @@ class Manager(manager.Manager):
token_ref = self._persistence.get_token(token_id)
version = self.get_token_version(token_ref)
if version == self.V3:
return self.driver.validate_v3_token(token_ref)
try:
return self.driver.validate_v3_token(token_ref)
except exception.Unauthorized as e:
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
elif version == self.V2:
return self.driver.validate_v2_token(token_ref)
raise exception.UnsupportedTokenVersionException()
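Review bot: In `_validate_token` the V2 branch (`return self.driver.validate_v2_token(token_ref)`, right after the new try/except) is left outside the Unauthorized-to-TokenNotFound mapping, so if the v2 driver raises `exception.Unauthorized` for the same role-less condition it would still surface as 401 while the V3 path now returns 404; either move the `try` so it encloses both `validate_*` calls or add a comment stating why V2 is intentionally excluded. In the first hunk of this file the `try` in `validate_token` also spans the persistence lookup, `_validate_v3_token` and `_is_valid_token`, so any `Unauthorized` raised anywhere in that span — not only the missing-roles case the commit title describes — is now reported as a not-found token, and the original reason survives only at debug level; if that widening is deliberate, a comment such as `# Any Unauthorized raised during validation is reported as TokenNotFound so an unusable token looks the same as one that never existed.` would make it explicit, and narrowing the `except` to the specific exception raised for the role-less case, if one exists, would be safer. The same three-line except block now appears in both `validate_token` and `_validate_token`; a small private helper that logs and raises `exception.TokenNotFound(token_id=token_id)` would keep the mapping in one place. `validate_token`'s body begins before the first hunk.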