
Add auth invalidation in auth_token for identity endpoint update

Currently the auth_token middleware does not pick up identity endpoint
updates, because the service catalog is not refreshed once a service
using the auth_token middleware has started.

Add invalidation logic when an EndpointNotFound exception occurs so
that the auth_token middleware picks up service catalog updates
without a restart.

Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
tags/6.0.0
Yang Youseok 5 months ago
parent
commit
4e51cb8e6b

+ 4
- 0
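--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -760,6 +760,10 @@ class AuthProtocol(BaseAuthProtocol):
                                       _CACHE_INVALID_INDICATOR)
             self.log.warning('Authorization failed for token')
             raise
+        except ksa_exceptions.EndpointNotFound:
+            # Invalidate auth in adapter for identity endpoint update
+            self._identity_server.invalidate()
+            raise
 
         return data
 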
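Review bot: The new `except ksa_exceptions.EndpointNotFound:` branch drops the cached service auth without logging anything, unlike the branch above it, which calls `self.log.warning(...)` before re-raising. Because each pass through this path makes the next request re-authenticate against the identity service, operators need a trace of it; I would add `self.log.warning('Identity endpoint not found; invalidating cached service auth')` before `self._identity_server.invalidate()`. The hunk shows no throttling, so while the endpoint stays absent every incoming token validation would presumably trigger a fresh authentication, and it is worth confirming that this load is acceptable. The exception is re-raised unchanged, and both the enclosing `try` and the callers that turn it into an HTTP response are outside the hunk.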

+ 3
- 0
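--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -239,3 +239,6 @@ class IdentityServer(object):
 
     def fetch_ca_cert(self):
         return self._request_strategy.fetch_ca_cert()
+
+    def invalidate(self):
+        return self._adapter.invalidate()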
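Review bot: `invalidate()` is added without a docstring, and it passes the adapter's return value through although the only caller in this commit ignores it. A one-line docstring such as `"""Invalidate the adapter's cached auth so the service catalog is fetched again."""` would tell readers why the identity server exposes this. `self._adapter` is assigned outside the hunk, so what its `invalidate()` returns cannot be confirmed from here.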

+ 13
- 0
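--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -97,6 +97,7 @@ VERSION_LIST_v2 = fixture.DiscoveryList(v3=False, href=BASE_URI)
 
 ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2'
 TIMEOUT_TOKEN = '4ed1c5e53beee59458adcf8261a8cae2'
+ENDPOINT_NOT_FOUND_TOKEN = 'edf9fa62-5afd-4d64-89ac-f99b209bd995'
 
 
 def strtime(at=None):
@@ -1534,6 +1535,8 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
             raise ksa_exceptions.ConnectFailure(msg)
         elif token_id == TIMEOUT_TOKEN:
             request_timeout_response(request, context)
+        elif token_id == ENDPOINT_NOT_FOUND_TOKEN:
+            raise ksa_exceptions.EndpointNotFound()
 
         try:
             response = self.examples.JSON_TOKEN_RESPONSES[token_id]
@@ -1686,6 +1689,16 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
         new_data = self.middleware.fetch_token(token)
         self.assertEqual(data, new_data)
 
+    def test_endpoint_not_found_in_token(self):
+        token = ENDPOINT_NOT_FOUND_TOKEN
+        self.set_middleware()
+        self.middleware._token_cache.initialize({})
+        with mock.patch.object(self.middleware._identity_server, 'invalidate',
+                               new=mock.Mock()):
+            self.assertRaises(ksa_exceptions.EndpointNotFound,
+                              self.middleware.fetch_token, token)
+            self.assertTrue(self.middleware._identity_server.invalidate.called)
+
     def test_not_is_admin_project(self):
         token = self.examples.v3_NOT_IS_ADMIN_PROJECT
         self.set_middleware(expected_env={'HTTP_X_IS_ADMIN_PROJECT': 'False'})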
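Review bot: In `test_endpoint_not_found_in_token` the check `self.assertTrue(self.middleware._identity_server.invalidate.called)` passes for any number of calls and any arguments; `self.middleware._identity_server.invalidate.assert_called_once_with()` pins the contract more tightly. The test also stops at the invalidation call and never shows that a later `fetch_token` succeeds once the endpoint exists, which is the behaviour the bug report describes; a follow-up assertion for that would guard against regressions. Binding the mock with `mock.patch.object(self.middleware._identity_server, 'invalidate') as mock_invalidate` would avoid reaching back through the patched attribute.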

+ 9
- 0
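--- a/releasenotes/notes/bug-1813739-80eae72371903119.yaml
+++ b/releasenotes/notes/bug-1813739-80eae72371903119.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug/1813739 <https://bugs.launchpad.net/keystonemiddleware/+bug/1813739>`_]
+    When admin identity endpoint is not created yet, keystonemiddleware emit
+    EndpointNotFound exception. Even after admin identity endpoint created,
+    auth_token middleware could not be notified of update since it does not
+    invalidate existing auth. Add an invalidation step so that endpoint
+    updates can be detected.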
