Browse Source

Merge "Stop supporting revocation list"

Zuul 5 months ago
parent
commit
899aa07a64

+ 0
- 38
examples/pki/gen_cmsz.py View File

@@ -16,7 +16,6 @@ import json
16 16
 import os
17 17
 
18 18
 from keystoneclient.common import cms
19
-from keystoneclient import utils
20 19
 
21 20
 CURRENT_DIR = os.path.abspath(os.path.dirname(__file__))
22 21
 
@@ -25,41 +24,6 @@ def make_filename(*args):
25 24
     return os.path.join(CURRENT_DIR, *args)
26 25
 
27 26
 
28
-def generate_revocation_list():
29
-    REVOKED_TOKENS = ['auth_token_revoked', 'auth_v3_token_revoked']
30
-    revoked_list = []
31
-    for token in REVOKED_TOKENS:
32
-        with open(make_filename('cms', '%s.pkiz' % name), 'r') as f:
33
-            token_data = f.read()
34
-            id = utils.hash_signed_token(token_data.encode('utf-8'))
35
-            revoked_list.append({
36
-                'id': id,
37
-                "expires": "2112-08-14T17:58:48Z"
38
-            })
39
-        with open(make_filename('cms', '%s.pem' % name), 'r') as f:
40
-            pem_data = f.read()
41
-            token_data = cms.cms_to_token(pem_data).encode('utf-8')
42
-            id = utils.hash_signed_token(token_data)
43
-            revoked_list.append({
44
-                'id': id,
45
-                "expires": "2112-08-14T17:58:48Z"
46
-            })
47
-    revoked_json = json.dumps({"revoked": revoked_list})
48
-    with open(make_filename('cms', 'revocation_list.json'), 'w') as f:
49
-        f.write(revoked_json)
50
-    encoded = cms.pkiz_sign(revoked_json,
51
-                            SIGNING_CERT_FILE_NAME,
52
-                            SIGNING_KEY_FILE_NAME)
53
-    with open(make_filename('cms', 'revocation_list.pkiz'), 'w') as f:
54
-        f.write(encoded)
55
-
56
-    encoded = cms.cms_sign_data(revoked_json,
57
-                                SIGNING_CERT_FILE_NAME,
58
-                                SIGNING_KEY_FILE_NAME)
59
-    with open(make_filename('cms', 'revocation_list.pem'), 'w') as f:
60
-        f.write(encoded)
61
-
62
-
63 27
 CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem')
64 28
 SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem')
65 29
 SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem')
@@ -113,5 +77,3 @@ for name in EXAMPLE_TOKENS:
113 77
 
114 78
     with open(pkiz_file, 'w') as f:
115 79
         f.write(encoded)
116
-
117
-    generate_revocation_list()

+ 0
- 38
keystonemiddleware/auth_token/__init__.py View File

@@ -219,7 +219,6 @@ object is stored.
219 219
 
220 220
 import binascii
221 221
 import copy
222
-import datetime
223 222
 
224 223
 from keystoneauth1 import access
225 224
 from keystoneauth1 import adapter
@@ -243,7 +242,6 @@ from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
243 242
 from keystonemiddleware.auth_token import _identity
244 243
 from keystonemiddleware.auth_token import _opts
245 244
 from keystonemiddleware.auth_token import _request
246
-from keystonemiddleware.auth_token import _revocations
247 245
 from keystonemiddleware.auth_token import _signing_dir
248 246
 from keystonemiddleware.auth_token import _user_plugin
249 247
 from keystonemiddleware.i18n import _
@@ -597,17 +595,6 @@ class AuthProtocol(BaseAuthProtocol):
597 595
 
598 596
         self._token_cache = self._token_cache_factory()
599 597
 
600
-        revocation_cache_timeout = datetime.timedelta(
601
-            seconds=self._conf.get('revocation_cache_time'))
602
-        self._revocations = _revocations.Revocations(revocation_cache_timeout,
603
-                                                     self._signing_directory,
604
-                                                     self._identity_server,
605
-                                                     self._cms_verify,
606
-                                                     self.log)
607
-
608
-        self._check_revocations_for_cached = self._conf.get(
609
-            'check_revocations_for_cached')
610
-
611 598
     def process_request(self, request):
612 599
         """Process request.
613 600
 
@@ -690,9 +677,6 @@ class AuthProtocol(BaseAuthProtocol):
690 677
     def _token_hashes(self, token):
691 678
         """Generate a list of hashes that the current token may be cached as.
692 679
 
693
-        With PKI tokens we have multiple hashing algorithms that we test with
694
-        revocations. This generates that whole list.
695
-
696 680
         The first element of this list is the preferred algorithm and is what
697 681
         new cache values should be saved as.
698 682
 
@@ -740,11 +724,6 @@ class AuthProtocol(BaseAuthProtocol):
740 724
                     self.log.debug('Cached token is marked unauthorized')
741 725
                     raise ksm_exceptions.InvalidToken()
742 726
 
743
-                if self._check_revocations_for_cached:
744
-                    # A token might have been revoked, regardless of initial
745
-                    # mechanism used to validate it, and needs to be checked.
746
-                    self._revocations.check(token_hashes)
747
-
748 727
                 # NOTE(jamielennox): Cached values used to be stored as a tuple
749 728
                 # of data and expiry time. They no longer are but we have to
750 729
                 # allow some time to transition the old format so if it's a
@@ -765,7 +744,6 @@ class AuthProtocol(BaseAuthProtocol):
765 744
         except (ksa_exceptions.ConnectFailure,
766 745
                 ksa_exceptions.DiscoveryFailure,
767 746
                 ksa_exceptions.RequestTimeout,
768
-                ksm_exceptions.RevocationListError,
769 747
                 ksm_exceptions.ServiceError) as e:
770 748
             self.log.critical('Unable to validate token: %s', e)
771 749
             if self._delay_auth_decision:
@@ -797,14 +775,10 @@ class AuthProtocol(BaseAuthProtocol):
797 775
             return
798 776
 
799 777
         try:
800
-            self._revocations.check(token_hashes)
801 778
             verified = self._cms_verify(token_data, inform)
802 779
         except ksc_exceptions.CertificateConfigError:
803 780
             self.log.warning('Fetch certificate config failed, '
804 781
                              'fallback to online validation.')
805
-        except ksm_exceptions.RevocationListError:
806
-            self.log.warning('Fetch revocation list failed, '
807
-                             'fallback to online validation.')
808 782
         else:
809 783
             self.log.warning('auth_token middleware received a PKI/Z token. '
810 784
                              'This form of token is deprecated and has been '
@@ -815,17 +789,6 @@ class AuthProtocol(BaseAuthProtocol):
815 789
 
816 790
             data = jsonutils.loads(verified)
817 791
 
818
-            audit_ids = None
819
-            if 'access' in data:
820
-                # It's a v2 token.
821
-                audit_ids = data['access']['token'].get('audit_ids')
822
-            else:
823
-                # It's a v3 token
824
-                audit_ids = data['token'].get('audit_ids')
825
-
826
-            if audit_ids:
827
-                self._revocations.check_by_audit_id(audit_ids)
828
-
829 792
             return data
830 793
 
831 794
     def _validate_token(self, auth_ref, **kwargs):
@@ -1005,4 +968,3 @@ def app_factory(global_conf, **local_conf):
1005 968
 InvalidToken = ksm_exceptions.InvalidToken
1006 969
 ServiceError = ksm_exceptions.ServiceError
1007 970
 ConfigurationError = ksm_exceptions.ConfigurationError
1008
-RevocationListError = ksm_exceptions.RevocationListError

+ 1
- 21
keystonemiddleware/auth_token/_identity.py View File

@@ -61,9 +61,6 @@ class _RequestStrategy(object):
61 61
     def _fetch_ca_cert(self):
62 62
         pass
63 63
 
64
-    def fetch_revocation_list(self):
65
-        pass
66
-
67 64
 
68 65
 class _V2RequestStrategy(_RequestStrategy):
69 66
 
@@ -89,9 +86,6 @@ class _V2RequestStrategy(_RequestStrategy):
89 86
     def _fetch_ca_cert(self):
90 87
         return self._client.certificates.get_ca_certificate()
91 88
 
92
-    def fetch_revocation_list(self):
93
-        return self._client.tokens.get_revoked()
94
-
95 89
 
96 90
 class _V3RequestStrategy(_RequestStrategy):
97 91
 
@@ -119,9 +113,6 @@ class _V3RequestStrategy(_RequestStrategy):
119 113
     def _fetch_ca_cert(self):
120 114
         return self._client.simple_cert.get_ca_certificates()
121 115
 
122
-    def fetch_revocation_list(self):
123
-        return self._client.tokens.get_revoked()
124
-
125 116
 
126 117
 _REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
127 118
 
@@ -130,7 +121,7 @@ class IdentityServer(object):
130 121
     """Base class for operations on the Identity API server.
131 122
 
132 123
     The auth_token middleware needs to communicate with the Identity API server
133
-    to validate UUID tokens, fetch the revocation list, signing certificates,
124
+    to validate UUID tokens, signing certificates,
134 125
     etc. This class encapsulates the data and methods to perform these
135 126
     operations.
136 127
 
@@ -243,17 +234,6 @@ class IdentityServer(object):
243 234
         else:
244 235
             return auth_ref
245 236
 
246
-    def fetch_revocation_list(self):
247
-        try:
248
-            data = self._request_strategy.fetch_revocation_list()
249
-        except ksa_exceptions.HttpError as e:
250
-            msg = _('Failed to fetch token revocation list: %d')
251
-            raise ksm_exceptions.RevocationListError(msg % e.http_status)
252
-        if 'signed' not in data:
253
-            msg = _('Revocation list improperly formatted.')
254
-            raise ksm_exceptions.RevocationListError(msg)
255
-        return data['signed']
256
-
257 237
     def fetch_signing_cert(self):
258 238
         return self._request_strategy.fetch_signing_cert()
259 239
 

+ 0
- 18
keystonemiddleware/auth_token/_opts.py View File

@@ -113,17 +113,6 @@ _OPTS = [
113 113
                ' tokens, the middleware caches previously-seen tokens for a'
114 114
                ' configurable duration (in seconds). Set to -1 to disable'
115 115
                ' caching completely.'),
116
-    cfg.IntOpt('revocation_cache_time',
117
-               default=10,
118
-               deprecated_for_removal=True,
119
-               deprecated_reason='PKI token format is no longer supported.',
120
-               deprecated_since='Ocata',
121
-               help='Determines the frequency at which the list of revoked'
122
-               ' tokens is retrieved from the Identity service (in seconds). A'
123
-               ' high number of revocation events combined with a low cache'
124
-               ' duration may significantly reduce performance. Only valid'
125
-               ' for PKI tokens. This option has been deprecated in the Ocata'
126
-               ' release and will be removed in the P release.'),
127 116
     cfg.StrOpt('memcache_security_strategy',
128 117
                default='None',
129 118
                choices=('None', 'MAC', 'ENCRYPT'),
@@ -179,13 +168,6 @@ _OPTS = [
179 168
                ' unknown the token will be rejected. "required" any form of'
180 169
                ' token binding is needed to be allowed. Finally the name of a'
181 170
                ' binding method that must be present in tokens.'),
182
-    cfg.BoolOpt('check_revocations_for_cached', default=False,
183
-                deprecated_for_removal=True,
184
-                deprecated_reason='PKI token format is no longer supported.',
185
-                deprecated_since='Ocata',
186
-                help='If true, the revocation list will be checked for cached'
187
-                ' tokens. This requires that PKI tokens are configured on the'
188
-                ' identity server.'),
189 171
     cfg.ListOpt('hash_algorithms', default=['md5'],
190 172
                 deprecated_for_removal=True,
191 173
                 deprecated_reason='PKI token format is no longer supported.',

+ 0
- 128
keystonemiddleware/auth_token/_revocations.py View File

@@ -1,128 +0,0 @@
1
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
2
-# not use this file except in compliance with the License. You may obtain
3
-# a copy of the License at
4
-#
5
-#      http://www.apache.org/licenses/LICENSE-2.0
6
-#
7
-# Unless required by applicable law or agreed to in writing, software
8
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10
-# License for the specific language governing permissions and limitations
11
-# under the License.
12
-
13
-import datetime
14
-import os
15
-
16
-from oslo_log import log as logging
17
-from oslo_serialization import jsonutils
18
-from oslo_utils import timeutils
19
-
20
-from keystonemiddleware.auth_token import _exceptions as exc
21
-from keystonemiddleware.i18n import _
22
-
23
-_LOG = logging.getLogger(__name__)
24
-
25
-
26
-class Revocations(object):
27
-    _FILE_NAME = 'revoked.pem'
28
-
29
-    def __init__(self, timeout, signing_directory, identity_server,
30
-                 cms_verify, log=_LOG):
31
-        self._cache_timeout = timeout
32
-        self._signing_directory = signing_directory
33
-        self._identity_server = identity_server
34
-        self._cms_verify = cms_verify
35
-        self._log = log
36
-
37
-        self._fetched_time_prop = None
38
-        self._list_prop = None
39
-
40
-    @property
41
-    def _fetched_time(self):
42
-        if not self._fetched_time_prop:
43
-            # If the fetched list has been written to disk, use its
44
-            # modification time.
45
-            file_path = self._signing_directory.calc_path(self._FILE_NAME)
46
-            if os.path.exists(file_path):
47
-                mtime = os.path.getmtime(file_path)
48
-                fetched_time = datetime.datetime.utcfromtimestamp(mtime)
49
-            # Otherwise the list will need to be fetched.
50
-            else:
51
-                fetched_time = datetime.datetime.min
52
-            self._fetched_time_prop = fetched_time
53
-        return self._fetched_time_prop
54
-
55
-    @_fetched_time.setter
56
-    def _fetched_time(self, value):
57
-        self._fetched_time_prop = value
58
-
59
-    def _fetch(self):
60
-        revocation_list_data = self._identity_server.fetch_revocation_list()
61
-        return self._cms_verify(revocation_list_data)
62
-
63
-    @property
64
-    def _list(self):
65
-        timeout = self._fetched_time + self._cache_timeout
66
-        list_is_current = timeutils.utcnow() < timeout
67
-
68
-        if list_is_current:
69
-            # Load the list from disk if required
70
-            if not self._list_prop:
71
-                self._list_prop = jsonutils.loads(
72
-                    self._signing_directory.read_file(self._FILE_NAME))
73
-        else:
74
-            self._list = self._fetch()
75
-        return self._list_prop
76
-
77
-    @_list.setter
78
-    def _list(self, value):
79
-        """Save a revocation list to memory and to disk.
80
-
81
-        :param value: A json-encoded revocation list
82
-
83
-        """
84
-        self._list_prop = jsonutils.loads(value)
85
-        self._fetched_time = timeutils.utcnow()
86
-        self._signing_directory.write_file(self._FILE_NAME, value)
87
-
88
-    def _is_revoked(self, token_id):
89
-        """Indicate whether the token_id appears in the revocation list."""
90
-        revoked_tokens = self._list.get('revoked', None)
91
-        if not revoked_tokens:
92
-            return False
93
-
94
-        revoked_ids = (x['id'] for x in revoked_tokens)
95
-        return token_id in revoked_ids
96
-
97
-    def _any_revoked(self, token_ids):
98
-        for token_id in token_ids:
99
-            if self._is_revoked(token_id):
100
-                return True
101
-        return False
102
-
103
-    def check(self, token_ids):
104
-        if self._any_revoked(token_ids):
105
-            self._log.debug('Token is marked as having been revoked')
106
-            raise exc.InvalidToken(_('Token has been revoked'))
107
-
108
-    def check_by_audit_id(self, audit_ids):
109
-        """Check whether the audit_id appears in the revocation list.
110
-
111
-        :raises keystonemiddleware.auth_token._exceptions.InvalidToken:
112
-            if the audit ID(s) appear in the revocation list.
113
-
114
-        """
115
-        revoked_tokens = self._list.get('revoked', None)
116
-        if not revoked_tokens:
117
-            # There's no revoked tokens, so nothing to do.
118
-            return
119
-
120
-        # The audit_id may not be present in the revocation events because
121
-        # earlier versions of the identity server didn't provide them.
122
-        revoked_ids = set(
123
-            x['audit_id'] for x in revoked_tokens if 'audit_id' in x)
124
-        for audit_id in audit_ids:
125
-            if audit_id in revoked_ids:
126
-                self._log.debug(
127
-                    'Token is marked as having been revoked by audit id')
128
-                raise exc.InvalidToken(_('Token has been revoked'))

+ 0
- 326
keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py View File

@@ -35,7 +35,6 @@ from oslo_utils import timeutils
35 35
 import pbr.version
36 36
 import six
37 37
 import testresources
38
-import testtools
39 38
 from testtools import matchers
40 39
 import webob
41 40
 import webob.dec
@@ -44,7 +43,6 @@ from keystonemiddleware import auth_token
44 43
 from keystonemiddleware.auth_token import _base
45 44
 from keystonemiddleware.auth_token import _cache
46 45
 from keystonemiddleware.auth_token import _exceptions as ksm_exceptions
47
-from keystonemiddleware.auth_token import _revocations
48 46
 from keystonemiddleware.tests.unit.auth_token import base
49 47
 from keystonemiddleware.tests.unit import client_fixtures
50 48
 
@@ -101,13 +99,6 @@ ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2'
101 99
 TIMEOUT_TOKEN = '4ed1c5e53beee59458adcf8261a8cae2'
102 100
 
103 101
 
104
-def cleanup_revoked_file(filename):
105
-    try:
106
-        os.remove(filename)
107
-    except OSError:
108
-        pass
109
-
110
-
111 102
 def strtime(at=None):
112 103
     at = at or timeutils.utcnow()
113 104
     return at.strftime(timeutils.PERFECT_TIME_FORMAT)
@@ -337,9 +328,6 @@ class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
337 328
         self.middleware = auth_token.AuthProtocol(
338 329
             self.fake_app(self.expected_env), self.conf)
339 330
 
340
-        self.middleware._revocations._list = jsonutils.dumps(
341
-            {"revoked": [], "extra": "success"})
342
-
343 331
     def update_expected_env(self, expected_env={}):
344 332
         self.middleware._app.expected_env.update(expected_env)
345 333
 
@@ -476,27 +464,14 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
476 464
         self.assertThat(hashed_short_string_key,
477 465
                         matchers.HasLength(len(hashed_long_string_key)))
478 466
 
479
-    def test_config_revocation_cache_timeout(self):
480
-        conf = {
481
-            'revocation_cache_time': '24',
482
-            'www_authenticate_uri': 'https://keystone.example.com:1234',
483
-            'admin_user': uuid.uuid4().hex
484
-        }
485
-        middleware = auth_token.AuthProtocol(self.fake_app, conf)
486
-        self.assertEqual(middleware._revocations._cache_timeout,
487
-                         datetime.timedelta(seconds=24))
488
-
489 467
     def test_conf_values_type_convert(self):
490 468
         conf = {
491
-            'revocation_cache_time': '24',
492 469
             'identity_uri': 'https://keystone.example.com:1234',
493 470
             'include_service_catalog': '0',
494 471
             'nonexsit_option': '0',
495 472
         }
496 473
 
497 474
         middleware = auth_token.AuthProtocol(self.fake_app, conf)
498
-        self.assertEqual(datetime.timedelta(seconds=24),
499
-                         middleware._revocations._cache_timeout)
500 475
         self.assertFalse(middleware._include_service_catalog)
501 476
         self.assertEqual('0', middleware._conf.get('nonexsit_option'))
502 477
 
@@ -643,42 +618,6 @@ class CommonAuthTokenMiddlewareTest(object):
643 618
         self.assert_valid_request_200(self.token_dict['uuid_token_default'])
644 619
         self.assert_valid_last_url(self.token_dict['uuid_token_default'])
645 620
 
646
-    def _test_cache_revoked(self, token, revoked_form=None):
647
-        # When the token is cached and revoked, 401 is returned.
648
-        self.middleware._check_revocations_for_cached = True
649
-
650
-        # Token should be cached as ok after this.
651
-        self.call_middleware(headers={'X-Auth-Token': token})
652
-
653
-        # Put it in revocation list.
654
-        self.middleware._revocations._list = self.get_revocation_list_json(
655
-            token_ids=[revoked_form or token])
656
-
657
-        self.call_middleware(headers={'X-Auth-Token': token},
658
-                             expected_status=401)
659
-
660
-    def test_cached_revoked_error(self):
661
-        # When the token is cached and revocation list retrieval fails,
662
-        # 503 is returned
663
-        token = self.token_dict['uuid_token_default']
664
-        self.middleware._check_revocations_for_cached = True
665
-
666
-        # Token should be cached as ok after this.
667
-        resp = self.call_middleware(headers={'X-Auth-Token': token})
668
-        self.assertEqual(200, resp.status_int)
669
-
670
-        # Cause the revocation list to be fetched again next time so we can
671
-        # test the case where that retrieval fails
672
-        self.middleware._revocations._fetched_time = datetime.datetime.min
673
-        with mock.patch.object(self.middleware._revocations, '_fetch',
674
-                               side_effect=ksm_exceptions.RevocationListError):
675
-            self.call_middleware(headers={'X-Auth-Token': token},
676
-                                 expected_status=503)
677
-
678
-    def test_cached_revoked_uuid(self):
679
-        # When the UUID token is cached and revoked, 401 is returned.
680
-        self._test_cache_revoked(self.token_dict['uuid_token_default'])
681
-
682 621
     def test_valid_signed_request(self):
683 622
         for _ in range(2):  # Do it twice because first result was cached.
684 623
             self.assert_valid_request_200(
@@ -692,176 +631,13 @@ class CommonAuthTokenMiddlewareTest(object):
692 631
         # ensure that signed requests do not generate HTTP traffic
693 632
         self.assertLastPath(None)
694 633
 
695
-    def test_revoked_token_receives_401(self):
696
-        self.middleware._revocations._list = (
697
-            self.get_revocation_list_json())
698
-
699
-        token = self.token_dict['revoked_token']
700
-        self.call_middleware(headers={'X-Auth-Token': token},
701
-                             expected_status=401)
702
-
703
-    def test_revoked_token_receives_401_sha256(self):
704
-        self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
705
-        self.set_middleware()
706
-        self.middleware._revocations._list = (
707
-            self.get_revocation_list_json(mode='sha256'))
708
-
709
-        token = self.token_dict['revoked_token']
710
-        self.call_middleware(headers={'X-Auth-Token': token},
711
-                             expected_status=401)
712
-
713
-    def test_cached_revoked_pki(self):
714
-        # When the PKI token is cached and revoked, 401 is returned.
715
-        token = self.token_dict['signed_token_scoped']
716
-        revoked_form = cms.cms_hash_token(token)
717
-        self._test_cache_revoked(token, revoked_form)
718
-
719
-    def test_cached_revoked_pkiz(self):
720
-        # When the PKIZ token is cached and revoked, 401 is returned.
721
-        token = self.token_dict['signed_token_scoped_pkiz']
722
-        revoked_form = cms.cms_hash_token(token)
723
-        self._test_cache_revoked(token, revoked_form)
724
-
725
-    def test_revoked_token_receives_401_md5_secondary(self):
726
-        # When hash_algorithms has 'md5' as the secondary hash and the
727
-        # revocation list contains the md5 hash for a token, that token is
728
-        # considered revoked so returns 401.
729
-        self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
730
-        self.set_middleware()
731
-        self.middleware._revocations._list = (
732
-            self.get_revocation_list_json())
733
-
734
-        token = self.token_dict['revoked_token']
735
-        self.call_middleware(headers={'X-Auth-Token': token},
736
-                             expected_status=401)
737
-
738
-    def _test_revoked_hashed_token(self, token_name):
739
-        # If hash_algorithms is set as ['sha256', 'md5'],
740
-        # and check_revocations_for_cached is True,
741
-        # and a token is in the cache because it was successfully validated
742
-        # using the md5 hash, then
743
-        # if the token is in the revocation list by md5 hash, it'll be
744
-        # rejected and auth_token returns 401.
745
-        self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
746
-        self.conf['check_revocations_for_cached'] = 'true'
747
-        self.set_middleware()
748
-
749
-        token = self.token_dict[token_name]
750
-
751
-        # Put the token in the revocation list.
752
-        token_hashed = cms.cms_hash_token(token)
753
-        self.middleware._revocations._list = self.get_revocation_list_json(
754
-            token_ids=[token_hashed])
755
-
756
-        # First, request is using the hashed token, is valid so goes in
757
-        # cache using the given hash.
758
-        self.call_middleware(headers={'X-Auth-Token': token_hashed})
759
-
760
-        # This time use the PKI(Z) token
761
-        # Should find the token in the cache and revocation list.
762
-        self.call_middleware(headers={'X-Auth-Token': token},
763
-                             expected_status=401)
764
-
765
-    def test_revoked_hashed_pki_token(self):
766
-        self._test_revoked_hashed_token('signed_token_scoped')
767
-
768
-    def test_revoked_hashed_pkiz_token(self):
769
-        self._test_revoked_hashed_token('signed_token_scoped_pkiz')
770
-
771
-    def test_revoked_pki_token_by_audit_id(self):
772
-        # When the audit ID is in the revocation list, the token is invalid.
773
-        self.set_middleware()
774
-        token = self.token_dict['signed_token_scoped']
775
-
776
-        # Put the token audit ID in the revocation list,
777
-        # the entry will have a false token ID so the token ID doesn't match.
778
-        fake_token_id = uuid.uuid4().hex
779
-        # The audit_id value is in examples/pki/cms/auth_*_token_scoped.json.
780
-        audit_id = 'SLIXlXQUQZWUi9VJrqdXqA'
781
-        revocation_list_data = {
782
-            'revoked': [
783
-                {
784
-                    'id': fake_token_id,
785
-                    'audit_id': audit_id
786
-                },
787
-            ]
788
-        }
789
-        self.middleware._revocations._list = jsonutils.dumps(
790
-            revocation_list_data)
791
-
792
-        self.call_middleware(headers={'X-Auth-Token': token},
793
-                             expected_status=401)
794
-
795
-    def get_revocation_list_json(self, token_ids=None, mode=None):
796
-        if token_ids is None:
797
-            key = 'revoked_token_hash' + (('_' + mode) if mode else '')
798
-            token_ids = [self.token_dict[key]]
799
-        revocation_list = {'revoked': [{'id': x, 'expires': timeutils.utcnow()}
800
-                                       for x in token_ids]}
801
-        return jsonutils.dumps(revocation_list)
802
-
803
-    def test_is_signed_token_revoked_returns_false(self):
804
-        # explicitly setting an empty revocation list here to document intent
805
-        self.middleware._revocations._list = jsonutils.dumps(
806
-            {"revoked": [], "extra": "success"})
807
-        result = self.middleware._revocations._any_revoked(
808
-            [self.token_dict['revoked_token_hash']])
809
-        self.assertFalse(result)
810
-
811
-    def test_is_signed_token_revoked_returns_true(self):
812
-        self.middleware._revocations._list = (
813
-            self.get_revocation_list_json())
814
-        result = self.middleware._revocations._any_revoked(
815
-            [self.token_dict['revoked_token_hash']])
816
-        self.assertTrue(result)
817
-
818
-    def test_is_signed_token_revoked_returns_true_sha256(self):
819
-        self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
820
-        self.set_middleware()
821
-        self.middleware._revocations._list = (
822
-            self.get_revocation_list_json(mode='sha256'))
823
-        result = self.middleware._revocations._any_revoked(
824
-            [self.token_dict['revoked_token_hash_sha256']])
825
-        self.assertTrue(result)
826
-
827
-    def test_validate_offline_raises_exception_for_revoked_token(self):
828
-        self.middleware._revocations._list = (
829
-            self.get_revocation_list_json())
830
-        self.assertRaises(ksm_exceptions.InvalidToken,
831
-                          self.middleware._validate_offline,
832
-                          self.token_dict['revoked_token'],
833
-                          [self.token_dict['revoked_token_hash']])
834
-
835
-    def test_validate_offline_raises_exception_for_revoked_token_s256(self):
836
-        self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
837
-        self.set_middleware()
838
-        self.middleware._revocations._list = (
839
-            self.get_revocation_list_json(mode='sha256'))
840
-        self.assertRaises(ksm_exceptions.InvalidToken,
841
-                          self.middleware._validate_offline,
842
-                          self.token_dict['revoked_token'],
843
-                          [self.token_dict['revoked_token_hash_sha256'],
844
-                           self.token_dict['revoked_token_hash']])
845
-
846
-    def test_validate_offline_raises_exception_for_revoked_pkiz_token(self):
847
-        self.middleware._revocations._list = (
848
-            self.examples.REVOKED_TOKEN_PKIZ_LIST_JSON)
849
-        self.assertRaises(ksm_exceptions.InvalidToken,
850
-                          self.middleware._validate_offline,
851
-                          self.token_dict['revoked_token_pkiz'],
852
-                          [self.token_dict['revoked_token_pkiz_hash']])
853
-
854 634
     def test_validate_offline_succeeds_for_unrevoked_token(self):
855
-        self.middleware._revocations._list = (
856
-            self.get_revocation_list_json())
857 635
         token = self.middleware._validate_offline(
858 636
             self.token_dict['signed_token_scoped'],
859 637
             [self.token_dict['signed_token_scoped_hash']])
860 638
         self.assertIsInstance(token, dict)
861 639
 
862 640
     def test_verify_signed_compressed_token_succeeds_for_unrevoked_token(self):
863
-        self.middleware._revocations._list = (
864
-            self.get_revocation_list_json())
865 641
         token = self.middleware._validate_offline(
866 642
             self.token_dict['signed_token_scoped_pkiz'],
867 643
             [self.token_dict['signed_token_scoped_hash']])
@@ -870,84 +646,12 @@ class CommonAuthTokenMiddlewareTest(object):
870 646
     def test_validate_offline_token_succeeds_for_unrevoked_token_sha256(self):
871 647
         self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
872 648
         self.set_middleware()
873
-        self.middleware._revocations._list = (
874
-            self.get_revocation_list_json(mode='sha256'))
875 649
         token = self.middleware._validate_offline(
876 650
             self.token_dict['signed_token_scoped'],
877 651
             [self.token_dict['signed_token_scoped_hash_sha256'],
878 652
              self.token_dict['signed_token_scoped_hash']])
879 653
         self.assertIsInstance(token, dict)
880 654
 
881
-    def test_get_token_revocation_list_fetched_time_returns_min(self):
882
-        self.middleware._revocations._fetched_time = None
883
-
884
-        # Get rid of the revoked file
885
-        revoked_path = self.middleware._signing_directory.calc_path(
886
-            _revocations.Revocations._FILE_NAME)
887
-        os.remove(revoked_path)
888
-
889
-        self.assertEqual(self.middleware._revocations._fetched_time,
890
-                         datetime.datetime.min)
891
-
892
-    # FIXME(blk-u): move the unit tests into unit/test_auth_token.py
893
-    def test_get_token_revocation_list_fetched_time_returns_mtime(self):
894
-        self.middleware._revocations._fetched_time = None
895
-        revoked_path = self.middleware._signing_directory.calc_path(
896
-            _revocations.Revocations._FILE_NAME)
897
-        mtime = os.path.getmtime(revoked_path)
898
-        fetched_time = datetime.datetime.utcfromtimestamp(mtime)
899
-        self.assertEqual(fetched_time,
900
-                         self.middleware._revocations._fetched_time)
901
-
902
-    @testtools.skipUnless(TimezoneFixture.supported(),
903
-                          'TimezoneFixture not supported')
904
-    def test_get_token_revocation_list_fetched_time_returns_utc(self):
905
-        with TimezoneFixture('UTC-1'):
906
-            self.middleware._revocations._list = jsonutils.dumps(
907
-                self.examples.REVOCATION_LIST)
908
-            self.middleware._revocations._fetched_time = None
909
-            fetched_time = self.middleware._revocations._fetched_time
910
-            self.assertTrue(timeutils.is_soon(fetched_time, 1))
911
-
912
-    def test_get_token_revocation_list_fetched_time_returns_value(self):
913
-        expected = self.middleware._revocations._fetched_time
914
-        self.assertEqual(self.middleware._revocations._fetched_time,
915
-                         expected)
916
-
917
-    def test_get_revocation_list_returns_fetched_list(self):
918
-        # auth_token uses v2 to fetch this, so don't allow the v3
919
-        # tests to override the fake http connection
920
-        self.middleware._revocations._fetched_time = None
921
-
922
-        # Get rid of the revoked file
923
-        revoked_path = self.middleware._signing_directory.calc_path(
924
-            _revocations.Revocations._FILE_NAME)
925
-        os.remove(revoked_path)
926
-
927
-        self.assertEqual(self.middleware._revocations._list,
928
-                         self.examples.REVOCATION_LIST)
929
-
930
-    def test_get_revocation_list_returns_current_list_from_memory(self):
931
-        self.assertEqual(self.middleware._revocations._list,
932
-                         self.middleware._revocations._list_prop)
933
-
934
-    def test_get_revocation_list_returns_current_list_from_disk(self):
935
-        in_memory_list = self.middleware._revocations._list
936
-        self.middleware._revocations._list_prop = None
937
-        self.assertEqual(self.middleware._revocations._list,
938
-                         in_memory_list)
939
-
940
-    def test_invalid_revocation_list_raises_error(self):
941
-        self.requests_mock.get(self.revocation_url, json={})
942
-        self.assertRaises(ksm_exceptions.RevocationListError,
943
-                          self.middleware._revocations._fetch)
944
-
945
-    def test_fetch_revocation_list(self):
946
-        # auth_token uses v2 to fetch this, so don't allow the v3
947
-        # tests to override the fake http connection
948
-        fetched = jsonutils.loads(self.middleware._revocations._fetch())
949
-        self.assertEqual(fetched, self.examples.REVOCATION_LIST)
950
-
951 655
     def test_request_invalid_uuid_token(self):
952 656
         # remember because we are testing the middleware we stub the connection
953 657
         # to the keystone server, but this is not what gets returned
@@ -1604,13 +1308,6 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
1604 1308
             self.examples.SIGNED_TOKEN_SCOPED_HASH_SHA256,
1605 1309
             'signed_token_scoped_expired':
1606 1310
             self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
1607
-            'revoked_token': self.examples.REVOKED_TOKEN,
1608
-            'revoked_token_pkiz': self.examples.REVOKED_TOKEN_PKIZ,
1609
-            'revoked_token_pkiz_hash':
1610
-            self.examples.REVOKED_TOKEN_PKIZ_HASH,
1611
-            'revoked_token_hash': self.examples.REVOKED_TOKEN_HASH,
1612
-            'revoked_token_hash_sha256':
1613
-            self.examples.REVOKED_TOKEN_HASH_SHA256,
1614 1311
             'uuid_service_token_default':
1615 1312
             self.examples.UUID_SERVICE_TOKEN_DEFAULT,
1616 1313
         }
@@ -1622,10 +1319,6 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
1622 1319
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
1623 1320
                                 text=FAKE_ADMIN_TOKEN)
1624 1321
 
1625
-        self.revocation_url = '%s/v2.0/tokens/revoked' % BASE_URI
1626
-        self.requests_mock.get(self.revocation_url,
1627
-                               text=self.examples.SIGNED_REVOCATION_LIST)
1628
-
1629 1322
         for token in (self.examples.UUID_TOKEN_DEFAULT,
1630 1323
                       self.examples.UUID_TOKEN_UNSCOPED,
1631 1324
                       self.examples.UUID_TOKEN_BIND,
@@ -1812,13 +1505,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
1812 1505
             self.examples.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256,
1813 1506
             'signed_token_scoped_expired':
1814 1507
             self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
1815
-            'revoked_token': self.examples.REVOKED_v3_TOKEN,
1816
-            'revoked_token_pkiz': self.examples.REVOKED_v3_TOKEN_PKIZ,
1817
-            'revoked_token_hash': self.examples.REVOKED_v3_TOKEN_HASH,
1818
-            'revoked_token_hash_sha256':
1819
-            self.examples.REVOKED_v3_TOKEN_HASH_SHA256,
1820
-            'revoked_token_pkiz_hash':
1821
-            self.examples.REVOKED_v3_PKIZ_TOKEN_HASH,
1822 1508
             'uuid_service_token_default':
1823 1509
             self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT,
1824 1510
         }
@@ -1832,10 +1518,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
1832 1518
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
1833 1519
                                 text=FAKE_ADMIN_TOKEN)
1834 1520
 
1835
-        self.revocation_url = '%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI
1836
-        self.requests_mock.get(self.revocation_url,
1837
-                               text=self.examples.SIGNED_REVOCATION_LIST)
1838
-
1839 1521
         self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
1840 1522
                                text=self.token_response,
1841 1523
                                headers={'X-Subject-Token': uuid.uuid4().hex})
@@ -1944,7 +1626,6 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
1944 1626
             self.token_dict['signed_token_scoped_pkiz'])
1945 1627
 
1946 1628
     def test_fallback_to_online_validation_with_revocation_list_error(self):
1947
-        self.requests_mock.get(self.revocation_url, status_code=404)
1948 1629
         self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
1949 1630
         self.assert_valid_request_200(
1950 1631
             self.token_dict['signed_token_scoped_pkiz'])
@@ -2398,10 +2079,6 @@ class v2CompositeAuthTests(BaseAuthTokenMiddlewareTest,
2398 2079
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
2399 2080
                                 text=FAKE_ADMIN_TOKEN)
2400 2081
 
2401
-        self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI,
2402
-                               text=self.examples.SIGNED_REVOCATION_LIST,
2403
-                               status_code=200)
2404
-
2405 2082
         for token in (self.examples.UUID_TOKEN_DEFAULT,
2406 2083
                       self.examples.UUID_SERVICE_TOKEN_DEFAULT,
2407 2084
                       self.examples.UUID_TOKEN_BIND,
@@ -2455,9 +2132,6 @@ class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
2455 2132
         self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
2456 2133
                                 text=FAKE_ADMIN_TOKEN)
2457 2134
 
2458
-        self.requests_mock.get('%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI,
2459
-                               text=self.examples.SIGNED_REVOCATION_LIST)
2460
-
2461 2135
         self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
2462 2136
                                text=self.token_response,
2463 2137
                                headers={'X-Subject-Token': uuid.uuid4().hex})

+ 0
- 104
keystonemiddleware/tests/unit/auth_token/test_revocations.py View File

@@ -1,104 +0,0 @@
1
-# Copyright 2014 IBM Corp.
2
-#
3
-#   Licensed under the Apache License, Version 2.0 (the "License"); you may
4
-#   not use this file except in compliance with the License. You may obtain
5
-#   a copy of the License at
6
-#
7
-#     http://www.apache.org/licenses/LICENSE-2.0
8
-#
9
-#   Unless required by applicable law or agreed to in writing, software
10
-#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11
-#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12
-#   License for the specific language governing permissions and limitations
13
-#   under the License.
14
-
15
-import datetime
16
-import json
17
-import shutil
18
-import uuid
19
-
20
-import mock
21
-
22
-from keystonemiddleware.auth_token import _exceptions as exc
23
-from keystonemiddleware.auth_token import _revocations
24
-from keystonemiddleware.auth_token import _signing_dir
25
-from keystonemiddleware.tests.unit import utils
26
-
27
-
28
-class RevocationsTests(utils.BaseTestCase):
29
-
30
-    def _setup_revocations(self, revoked_list):
31
-        directory_name = '/tmp/%s' % uuid.uuid4().hex
32
-        signing_directory = _signing_dir.SigningDirectory(directory_name)
33
-        self.addCleanup(shutil.rmtree, directory_name)
34
-
35
-        identity_server = mock.Mock()
36
-
37
-        verify_result_obj = {'revoked': revoked_list}
38
-        cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj))
39
-
40
-        revocations = _revocations.Revocations(
41
-            timeout=datetime.timedelta(1), signing_directory=signing_directory,
42
-            identity_server=identity_server, cms_verify=cms_verify)
43
-        return revocations
44
-
45
-    def _check_with_list(self, revoked_list, token_ids):
46
-        revoked_list = list({'id': r} for r in revoked_list)
47
-        revocations = self._setup_revocations(revoked_list)
48
-        revocations.check(token_ids)
49
-
50
-    def test_check_empty_list(self):
51
-        # When the identity server returns an empty list, a token isn't
52
-        # revoked.
53
-
54
-        revoked_tokens = []
55
-        token_ids = [uuid.uuid4().hex]
56
-        # No assert because this would raise
57
-        self._check_with_list(revoked_tokens, token_ids)
58
-
59
-    def test_check_revoked(self):
60
-        # When the identity server returns a list with a token in it, that
61
-        # token is revoked.
62
-
63
-        token_id = uuid.uuid4().hex
64
-        revoked_tokens = [token_id]
65
-        token_ids = [token_id]
66
-        self.assertRaises(exc.InvalidToken,
67
-                          self._check_with_list, revoked_tokens, token_ids)
68
-
69
-    def test_check_by_audit_id_revoked(self):
70
-        # When the audit ID is in the revocation list, InvalidToken is raised.
71
-        audit_id = uuid.uuid4().hex
72
-        revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': audit_id}]
73
-        revocations = self._setup_revocations(revoked_list)
74
-        self.assertRaises(exc.InvalidToken,
75
-                          revocations.check_by_audit_id, [audit_id])
76
-
77
-    def test_check_by_audit_id_chain_revoked(self):
78
-        # When the token's audit chain ID is in the revocation list,
79
-        # InvalidToken is raised.
80
-        revoked_audit_id = uuid.uuid4().hex
81
-        revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': revoked_audit_id}]
82
-        revocations = self._setup_revocations(revoked_list)
83
-
84
-        token_audit_ids = [uuid.uuid4().hex, revoked_audit_id]
85
-        self.assertRaises(exc.InvalidToken,
86
-                          revocations.check_by_audit_id, token_audit_ids)
87
-
88
-    def test_check_by_audit_id_not_revoked(self):
89
-        # When the audit ID is not in the revocation list no exception.
90
-        revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': uuid.uuid4().hex}]
91
-        revocations = self._setup_revocations(revoked_list)
92
-
93
-        audit_id = uuid.uuid4().hex
94
-        revocations.check_by_audit_id([audit_id])
95
-
96
-    def test_check_by_audit_id_no_audit_ids(self):
97
-        # Older identity servers don't send audit_ids in the revocation list.
98
-        # When this happens, check_by_audit_id still works, just doesn't
99
-        # verify anything.
100
-        revoked_list = [{'id': uuid.uuid4().hex}]
101
-        revocations = self._setup_revocations(revoked_list)
102
-
103
-        audit_id = uuid.uuid4().hex
104
-        revocations.check_by_audit_id([audit_id])

+ 0
- 57
keystonemiddleware/tests/unit/client_fixtures.py View File

@@ -20,7 +20,6 @@ from keystoneauth1 import fixture
20 20
 from keystoneclient.common import cms
21 21
 from keystoneclient import utils
22 22
 from oslo_serialization import jsonutils
23
-from oslo_utils import timeutils
24 23
 import six
25 24
 import testresources
26 25
 
@@ -77,29 +76,17 @@ class Examples(fixtures.Fixture):
77 76
             self.SIGNED_v3_TOKEN_SCOPED)
78 77
         self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
79 78
             self.SIGNED_v3_TOKEN_SCOPED, mode='sha256')
80
-        with open(os.path.join(CMSDIR, 'auth_token_revoked.pem')) as f:
81
-            self.REVOKED_TOKEN = cms.cms_to_token(f.read())
82 79
         with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f:
83 80
             self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read())
84
-        with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pem')) as f:
85
-            self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read())
86 81
         with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f:
87 82
             self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
88 83
         with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f:
89 84
             self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read())
90 85
         with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f:
91 86
             self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
92
-        with open(os.path.join(CMSDIR, 'auth_token_revoked.pkiz')) as f:
93
-            self.REVOKED_TOKEN_PKIZ = cms.cms_to_token(f.read())
94 87
         with open(os.path.join(CMSDIR,
95 88
                                'auth_token_scoped_expired.pkiz')) as f:
96 89
             self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read())
97
-        with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pkiz')) as f:
98
-            self.REVOKED_v3_TOKEN_PKIZ = cms.cms_to_token(f.read())
99
-        with open(os.path.join(CMSDIR, 'revocation_list.json')) as f:
100
-            self.REVOCATION_LIST = jsonutils.loads(f.read())
101
-        with open(os.path.join(CMSDIR, 'revocation_list.pem')) as f:
102
-            self.SIGNED_REVOCATION_LIST = jsonutils.dumps({'signed': f.read()})
103 90
 
104 91
         self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem')
105 92
         with open(self.SIGNING_CERT_FILE) as f:
@@ -134,50 +121,6 @@ class Examples(fixtures.Fixture):
134 121
         self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229'
135 122
         self.v3_UUID_SERVICE_TOKEN_BIND = 'be705e4426d0449a89e35ae21c380a05'
136 123
         self.v3_NOT_IS_ADMIN_PROJECT = uuid.uuid4().hex
137
-
138
-        revoked_token = self.REVOKED_TOKEN
139
-        if isinstance(revoked_token, six.text_type):
140
-            revoked_token = revoked_token.encode('utf-8')
141
-        self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token)
142
-        self.REVOKED_TOKEN_HASH_SHA256 = utils.hash_signed_token(revoked_token,
143
-                                                                 mode='sha256')
144
-        self.REVOKED_TOKEN_LIST = (
145
-            {'revoked': [{'id': self.REVOKED_TOKEN_HASH,
146
-                          'expires': timeutils.utcnow()}]})
147
-        self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST)
148
-
149
-        revoked_v3_token = self.REVOKED_v3_TOKEN
150
-        if isinstance(revoked_v3_token, six.text_type):
151
-            revoked_v3_token = revoked_v3_token.encode('utf-8')
152
-        self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token)
153
-        hash = utils.hash_signed_token(revoked_v3_token, mode='sha256')
154
-        self.REVOKED_v3_TOKEN_HASH_SHA256 = hash
155
-        self.REVOKED_v3_TOKEN_LIST = (
156
-            {'revoked': [{'id': self.REVOKED_v3_TOKEN_HASH,
157
-                          'expires': timeutils.utcnow()}]})
158
-        self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps(
159
-            self.REVOKED_v3_TOKEN_LIST)
160
-
161
-        revoked_token_pkiz = self.REVOKED_TOKEN_PKIZ
162
-        if isinstance(revoked_token_pkiz, six.text_type):
163
-            revoked_token_pkiz = revoked_token_pkiz.encode('utf-8')
164
-        self.REVOKED_TOKEN_PKIZ_HASH = utils.hash_signed_token(
165
-            revoked_token_pkiz)
166
-        revoked_v3_token_pkiz = self.REVOKED_v3_TOKEN_PKIZ
167
-        if isinstance(revoked_v3_token_pkiz, six.text_type):
168
-            revoked_v3_token_pkiz = revoked_v3_token_pkiz.encode('utf-8')
169
-        self.REVOKED_v3_PKIZ_TOKEN_HASH = utils.hash_signed_token(
170
-            revoked_v3_token_pkiz)
171
-
172
-        self.REVOKED_TOKEN_PKIZ_LIST = (
173
-            {'revoked': [{'id': self.REVOKED_TOKEN_PKIZ_HASH,
174
-                          'expires': timeutils.utcnow()},
175
-                         {'id': self.REVOKED_v3_PKIZ_TOKEN_HASH,
176
-                          'expires': timeutils.utcnow()},
177
-                         ]})
178
-        self.REVOKED_TOKEN_PKIZ_LIST_JSON = jsonutils.dumps(
179
-            self.REVOKED_TOKEN_PKIZ_LIST)
180
-
181 124
         self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(
182 125
             self.SIGNED_TOKEN_SCOPED)
183 126
         self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(

+ 0
- 4
keystonemiddleware/tests/unit/test_opts.py View File

@@ -55,7 +55,6 @@ class OptsTestCase(utils.TestCase):
55 55
             'signing_dir',
56 56
             'memcached_servers',
57 57
             'token_cache_time',
58
-            'revocation_cache_time',
59 58
             'memcache_security_strategy',
60 59
             'memcache_secret_key',
61 60
             'memcache_use_advanced_pool',
@@ -66,7 +65,6 @@ class OptsTestCase(utils.TestCase):
66 65
             'memcache_pool_socket_timeout',
67 66
             'include_service_catalog',
68 67
             'enforce_token_bind',
69
-            'check_revocations_for_cached',
70 68
             'hash_algorithms',
71 69
             'auth_type',
72 70
             'auth_section',
@@ -102,7 +100,6 @@ class OptsTestCase(utils.TestCase):
102 100
             'signing_dir',
103 101
             'memcached_servers',
104 102
             'token_cache_time',
105
-            'revocation_cache_time',
106 103
             'memcache_security_strategy',
107 104
             'memcache_secret_key',
108 105
             'memcache_use_advanced_pool',
@@ -113,7 +110,6 @@ class OptsTestCase(utils.TestCase):
113 110
             'memcache_pool_socket_timeout',
114 111
             'include_service_catalog',
115 112
             'enforce_token_bind',
116
-            'check_revocations_for_cached',
117 113
             'hash_algorithms',
118 114
             'auth_type',
119 115
             'auth_section',

+ 8
- 0
releasenotes/notes/bug-1649735-3c68f3243e474775.yaml View File

@@ -0,0 +1,8 @@
1
+---
2
+fixes:
3
+  - >
4
+    [`bug 1649735 <https://bugs.launchpad.net/keystone/+bug/1649735>`_]
5
+    The auth_token middleware no longer attempts to retrieve the revocation
6
+    list from the Keystone server. The deprecated options
7
+    `check_revocations_for_cached` and `check_revocations_for_cached` have been
8
+    removed.

Loading…
Cancel
Save