Refactor revoke matcher

This makes the code more verbose (and more redundant) in favor of making it easier to read. There was a pretty consistent pattern to what it was actually doing, but each block of code was basically written differently. This makes them all the same. Change-Id: I0804f490e28cedfaea2016e796a773ba50cc821a
6 years ago · e9b0f2f52e
1 changed files with 51 additions and 32 deletions
--- a/keystone/models/revoke_model.py
+++ b/keystone/models/revoke_model.py
@ -177,41 +177,60 @@ def matches(event, token_values):
    # that the token is still valid and short-circuits the
    # rest of the logic.

-    # The token has three attributes that can match the user_id
-    if event.user_id is not None:
-        if all(event.user_id != token_values[attribute_name]
-               for attribute_name in ['user_id', 'trustor_id', 'trustee_id']):
-            return False
-
-    # The token has two attributes that can match the domain_id
-    if event.domain_id is not None:
-        if all(event.domain_id != token_values[attribute_name]
-                for attribute_name in ['identity_domain_id',
-                                       'assignment_domain_id']):
-            return False
-
-    if event.domain_scope_id is not None:
-        if event.domain_scope_id != token_values['assignment_domain_id']:
-            return False
-
-    # If an event specifies an attribute name, but it does not  match,
-    # the token is not revoked.
-    attribute_names = ['project_id',
-                       'expires_at', 'trust_id', 'consumer_id',
-                       'access_token_id', 'audit_id', 'audit_chain_id']
-    for attribute_name in attribute_names:
-        if getattr(event, attribute_name) is not None:
-            if (getattr(event, attribute_name) !=
-                    token_values[attribute_name]):
-                        return False
-
-    if event.role_id is not None:
-        roles = token_values['roles']
-        if all(event.role_id != role for role in roles):
-            return False
+    # The token has three attributes that can match the user_id.
+    if event.user_id is not None and event.user_id not in (
+            token_values['user_id'],
+            token_values['trustor_id'],
+            token_values['trustee_id'],):
+        return False
+
+    # The token has two attributes that can match the domain_id.
+    if event.domain_id is not None and event.domain_id not in(
+            token_values['identity_domain_id'],
+            token_values['assignment_domain_id'],):
+        return False
+
+    if event.domain_scope_id is not None and event.domain_scope_id not in (
+            token_values['assignment_domain_id'],):
+        return False
+
+    # If an event specifies an attribute name, but it does not match, the token
+    # is not revoked.
+    if event.project_id is not None and event.project_id not in (
+            token_values['project_id'],):
+        return False
+
+    if event.expires_at is not None and event.expires_at not in (
+            token_values['expires_at'],):
+        return False
+
+    if event.trust_id is not None and event.trust_id not in (
+            token_values['trust_id'],):
+        return False
+
+    if event.consumer_id is not None and event.consumer_id not in (
+            token_values['consumer_id'],):
+        return False
+
+    if event.access_token_id is not None and event.access_token_id not in (
+            token_values['access_token_id'],):
+        return False
+
+    if event.audit_id is not None and event.audit_id not in (
+            token_values['audit_id'],):
+        return False
+
+    if event.audit_chain_id is not None and event.audit_chain_id not in (
+            token_values['audit_chain_id'],):
+        return False
+
+    if event.role_id is not None and event.role_id not in (
+            token_values['roles']):
+        return False

    if token_values['issued_at'] > event.issued_before:
        return False
+
    return True