From 1e856a860b540fe7116534b0c8b0eef9798757b8 Mon Sep 17 00:00:00 2001
From: Steven Hardy <shardy@redhat.com>
Date: Fri, 25 Oct 2013 15:40:57 +0100
Subject: [PATCH] Avoid returning stale token via auth_token property

The auth_ref token should take precedence over the user provided
token, since any call to authenticate() will update the auth_ref,
rendering the auth_token_from_user stale.

Change-Id: Ibc86dca840f4b8dd23856735616ee48a7b397fcd
Closes-Bug: #1244675
---
 keystoneclient/httpclient.py      |  4 ++--
 keystoneclient/tests/test_http.py | 33 +++++++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/keystoneclient/httpclient.py b/keystoneclient/httpclient.py
index 7146d8c07..58ff48f89 100644
--- a/keystoneclient/httpclient.py
+++ b/keystoneclient/httpclient.py
@@ -336,12 +336,12 @@ class HTTPClient(object):
 
     @property
     def auth_token(self):
-        if self.auth_token_from_user:
-            return self.auth_token_from_user
         if self.auth_ref:
             if self.auth_ref.will_expire_soon(self.stale_duration):
                 self.authenticate()
             return self.auth_ref.auth_token
+        elif self.auth_token_from_user:
+            return self.auth_token_from_user
 
     @auth_token.setter
     def auth_token(self, value):
diff --git a/keystoneclient/tests/test_http.py b/keystoneclient/tests/test_http.py
index 6d5e09bed..d3a742efe 100644
--- a/keystoneclient/tests/test_http.py
+++ b/keystoneclient/tests/test_http.py
@@ -23,18 +23,22 @@ from keystoneclient import httpclient
 from keystoneclient.tests import utils
 
 RESPONSE_BODY = '{"hi": "there"}'
+AUTHED_TOKEN = "token"
 
 
-def get_client():
-    cl = httpclient.HTTPClient(username="username", password="password",
-                               tenant_id="tenant", auth_url="auth_test")
+def get_client(token=None):
+    if token:
+        cl = httpclient.HTTPClient(token=token, auth_url="auth_test")
+    else:
+        cl = httpclient.HTTPClient(username="username", password="password",
+                                   tenant_id="tenant", auth_url="auth_test")
     return cl
 
 
 def get_authed_client():
     cl = get_client()
     cl.management_url = "http://127.0.0.1:5000"
-    cl.auth_token = "token"
+    cl.auth_token = AUTHED_TOKEN
     return cl
 
 
@@ -144,6 +148,27 @@ class ClientTest(utils.TestCase):
 
         client.HTTPClient
 
+    def test_auth_token_none(self):
+        cl = get_client()
+        self.assertEqual(cl.auth_token, None)
+
+    def test_auth_token_authed(self):
+        cl = get_authed_client()
+        self.assertEqual(cl.auth_token, AUTHED_TOKEN)
+
+    def test_auth_token_reauth(self):
+        cl = get_client(token='initial')
+        self.assertEqual(cl.auth_token, 'initial')
+
+        class FakeAccessInfo(object):
+            auth_token = 'updated'
+
+            def will_expire_soon(self, stale_duration=None):
+                return False
+
+        cl.auth_ref = FakeAccessInfo()
+        self.assertEqual(cl.auth_token, 'updated')
+
 
 class BasicRequestTests(utils.TestCase):