
Refactor revoke matcher

This makes the code more verbose (and more redundant) in favor of making
it easier to read.

There was a pretty consistent pattern to what it was actually doing, but
each block of code was basically written differently. This makes them
all the same.

Change-Id: I0804f490e28cedfaea2016e796a773ba50cc821a
changes/37/353537/2
Dolph Mathews 6 years ago
parent
commit
e9b0f2f52e
  1. 83
      keystone/models/revoke_model.py

83
keystone/models/revoke_model.py

@ -177,41 +177,60 @@ def matches(event, token_values):
# that the token is still valid and short-circuits the
# rest of the logic.
# The token has three attributes that can match the user_id
if event.user_id is not None:
if all(event.user_id != token_values[attribute_name]
for attribute_name in ['user_id', 'trustor_id', 'trustee_id']):
return False
# The token has two attributes that can match the domain_id
if event.domain_id is not None:
if all(event.domain_id != token_values[attribute_name]
for attribute_name in ['identity_domain_id',
'assignment_domain_id']):
return False
if event.domain_scope_id is not None:
if event.domain_scope_id != token_values['assignment_domain_id']:
return False
# If an event specifies an attribute name, but it does not match,
# the token is not revoked.
attribute_names = ['project_id',
'expires_at', 'trust_id', 'consumer_id',
'access_token_id', 'audit_id', 'audit_chain_id']
for attribute_name in attribute_names:
if getattr(event, attribute_name) is not None:
if (getattr(event, attribute_name) !=
token_values[attribute_name]):
return False
if event.role_id is not None:
roles = token_values['roles']
if all(event.role_id != role for role in roles):
return False
# The token has three attributes that can match the user_id.
if event.user_id is not None and event.user_id not in (
token_values['user_id'],
token_values['trustor_id'],
token_values['trustee_id'],):
return False
# The token has two attributes that can match the domain_id.
if event.domain_id is not None and event.domain_id not in(
token_values['identity_domain_id'],
token_values['assignment_domain_id'],):
return False
if event.domain_scope_id is not None and event.domain_scope_id not in (
token_values['assignment_domain_id'],):
return False
# If an event specifies an attribute name, but it does not match, the token
# is not revoked.
if event.project_id is not None and event.project_id not in (
token_values['project_id'],):
return False
if event.expires_at is not None and event.expires_at not in (
token_values['expires_at'],):
return False
if event.trust_id is not None and event.trust_id not in (
token_values['trust_id'],):
return False
if event.consumer_id is not None and event.consumer_id not in (
token_values['consumer_id'],):
return False
if event.access_token_id is not None and event.access_token_id not in (
token_values['access_token_id'],):
return False
if event.audit_id is not None and event.audit_id not in (
token_values['audit_id'],):
return False
if event.audit_chain_id is not None and event.audit_chain_id not in (
token_values['audit_chain_id'],):
return False
if event.role_id is not None and event.role_id not in (
token_values['roles']):
return False
if token_values['issued_at'] > event.issued_before:
return False
return True
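Review bot: The single-element tuples in the `not in (token_values['project_id'],)` block, and in the expires_at, trust_id, consumer_id, access_token_id, audit_id, audit_chain_id and domain_scope_id blocks of the same shape, spell a plain inequality as a membership test whose meaning hangs on a trailing comma that is easy to lose in a later edit. The role_id block already shows what that looks like: `not in (token_values['roles'])` has grouping parentheses, not a tuple, so the container is whatever `token_values['roles']` holds, and if that were ever a string rather than a list or set the check would silently become a substring test and the revocation decision would change. Reserving `not in` for the genuinely multi-valued checks (user_id, domain_id, roles) and writing the single-valued ones as `if event.project_id is not None and event.project_id != token_values['project_id']:` keeps each comparison's intent visible without the tuple trick. A short comment on the role_id block, `# roles is a collection of role ids: membership, not equality, is intended here`, would mark the one real membership test as deliberate. The enclosing `matches` function begins before this hunk, so only part of the matcher is visible here.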
