From 1e265faf15032ab91b82a840c6f0a1c96c0b0cfb Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Fri, 30 May 2014 10:02:51 -0500
Subject: [PATCH] auth_token _cache_get checks token expired

When auth_token stores the token in the cache, it's stored with the expiration time; but when the token is retrieved from the cache, if the expiration time has passed the token is treated as if it wasn't cached. This creates extra work because now auth_token has to check the token expiration (either by decrypting the PKI token or online validation for UUID tokens). With this change, getting the token from the cache will fail if the expiration is past.
Change-Id: Id0ec6b3c2e5af4a2d910f16da4e0312733fc2198
---
 keystoneclient/middleware/auth_token.py | 1 +
 keystoneclient/tests/test_auth_token_middleware.py | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index d6fe3dd8b..593518b21 100644
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -1518,6 +1518,7 @@ class TokenCache(object):
 return data
 else:
 self.LOG.debug('Cached Token seems expired')
+ raise InvalidUserToken('Token authorization failed')

 def _cache_store(self, token_id, data):
 """Store value into memcache.
diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py
index a38bab68a..cb045d00d 100644
--- a/keystoneclient/tests/test_auth_token_middleware.py
+++ b/keystoneclient/tests/test_auth_token_middleware.py
@@ -28,6 +28,7 @@ import iso8601
 import mock
 import testresources
 import testtools
+from testtools import matchers
 import webob

 from keystoneclient import access
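Review bot: The added `raise InvalidUserToken('Token authorization failed')` in the `else:` branch of `_cache_get` (first hunk, keystoneclient/middleware/auth_token.py) changes the method's contract without documenting it; the updated tests show that an expired entry used to yield `None` and now raises. The docstring and the start of `_cache_get` are outside the hunk, so please confirm the docstring names the new exception, and add a comment above the raise such as `# Fail closed: an expired cache entry is rejected here instead of being re-validated.` Since the commit message says the fallback to full validation no longer runs on this path, the decision presumably rests on the expiry stored with the cache entry and on this host's clock. It is worth stating in the docstring that clock skew on the middleware host can therefore reject a token the identity service still considers valid.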
@@ -1904,7 +1905,8 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
 some_time_earlier = timeutils.strtime(at=(self.now - self.delta))
 expires = some_time_earlier
 self.middleware._token_cache.store(token, data, expires)
- self.assertIsNone(self.middleware._token_cache._cache_get(token))
+ self.assertThat(lambda: self.middleware._token_cache._cache_get(token),
+ matchers.raises(auth_token.InvalidUserToken))

 def test_cached_token_with_timezone_offset_not_expired(self):
 token = 'mytoken'
@@ -1926,7 +1928,8 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
 some_time_earlier = self.now - timezone_offset - self.delta
 expires = timeutils.strtime(some_time_earlier) + '-02:00'
 self.middleware._token_cache.store(token, data, expires)
- self.assertIsNone(self.middleware._token_cache._cache_get(token))
+ self.assertThat(lambda: self.middleware._token_cache._cache_get(token),
+ matchers.raises(auth_token.InvalidUserToken))


 class CatalogConversionTests(BaseAuthTokenMiddlewareTest):
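Review bot: The two new assertions in `TokenExpirationTest` (this hunk and the one at -1926,7) wrap the call in a lambda for `matchers.raises`, which is more machinery than the check needs. `self.assertRaises(auth_token.InvalidUserToken, self.middleware._token_cache._cache_get, token)` states the same expectation directly, and would make the new `from testtools import matchers` import unnecessary if nothing else in the file uses it. Both visible cases place the expiry clearly in the past, so an entry whose expiry equals the current time appears untested; a case for that boundary would pin down which side of the comparison fails closed. Both test methods start outside their hunks, so their setup is not visible here.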