diff options
| author | Dolph Mathews <dolph.mathews@gmail.com> | 2013-09-12 17:02:26 -0500 |
|---|---|---|
| committer | Dolph Mathews <dolph.mathews@gmail.com> | 2013-09-13 07:19:35 -0500 |
| commit | 7244e5342acb86c241e2d03fc76897174302de04 (patch) | |
| tree | b56f46c2d3d51fd85fadf017303c8e359d273d99 | |
| parent | 44d72a2c3285c5c69fa5bca65153c3f4ac87529a (diff) | |
| download | keystone-7244e5342acb86c241e2d03fc76897174302de04.tar.gz | |
Revoke user tokens when disabling/delete a tenantfolsom-eol
Revoke tokens scoped to all users from a tenant when disabling or
deleting the tenant.
Closes-Bug: #1179955
Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
| -rw-r--r-- | keystone/identity/core.py | 16 | ||||
| -rw-r--r-- | tests/test_keystoneclient.py | 51 |
2 files changed, 67 insertions, 0 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py index e6f63aa5b..7a5408d2a 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py @@ -399,14 +399,30 @@ class TenantController(wsgi.Application): context, tenant_ref['id'], tenant_ref) return {'tenant': tenant} + def _delete_tokens_for_user(self, context, user_id, tenant_id=None): + self.token_api.revoke_tokens(context, user_id, tenant_id=tenant_id) + + def _delete_tokens_for_tenant(self, context, tenant_id): + for user_ref in self.identity_api.get_tenant_users(context, tenant_id): + self._delete_tokens_for_user( + context, user_ref['id'], tenant_id=tenant_id) + def update_tenant(self, context, tenant_id, tenant): self.assert_admin(context) + + # If the tenant has been disabled (or enabled=False) we are + # deleting the tokens for that tenant. + if not tenant.get('enabled', True): + self._delete_tokens_for_tenant(context, tenant_id) + tenant_ref = self.identity_api.update_tenant( context, tenant_id, tenant) return {'tenant': tenant_ref} def delete_tenant(self, context, tenant_id): self.assert_admin(context) + # Delete all tokens belonging to the users for that tenant + self._delete_tokens_for_tenant(context, tenant_id) self.identity_api.delete_tenant(context, tenant_id) def get_tenant_users(self, context, tenant_id, **kw): diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py index e65c7ef70..a7ed79d58 100644 --- a/tests/test_keystoneclient.py +++ b/tests/test_keystoneclient.py @@ -368,6 +368,51 @@ class KeystoneClientTests(object): client.tokens.authenticate, token=token_id) + def test_disable_tenant_invalidates_token(self): + from keystoneclient import exceptions as client_exceptions + + admin_client = self.get_client(admin=True) + foo_client = self.get_client(self.user_foo) + + # Disable the tenant. + admin_client.tenants.update(self.tenant_bar['id'], enabled=False) + + # Test that the token has been removed. + self.assertRaises(client_exceptions.Unauthorized, + foo_client.tokens.authenticate, + token=foo_client.auth_token) + + # Test that the user access has been disabled. + self.assertRaises(client_exceptions.Unauthorized, + self.get_client, + self.user_foo) + + def test_delete_tenant_invalidates_token(self): + from keystoneclient import exceptions as client_exceptions + + admin_client = self.get_client(admin=True) + foo_client = self.get_client(self.user_foo, self.tenant_bar) + tenant_bar = admin_client.tenants.get(self.tenant_bar['id']) + + # Delete the tenant. + tenant_bar.delete() + + # Test that the token has been removed. + self.assertRaises(client_exceptions.Unauthorized, + foo_client.tokens.authenticate, + token=foo_client.auth_token) + + # Test that the user access has been disabled. + """ + # FIXME(dolph): this assertion should not be skipped, but appears to be + # an unrelated bug? auth succeeds, even though tenant_bar + # was deleted + self.assertRaises(client_exceptions.Unauthorized, + self.get_client, + self.user_foo, + self.tenant_bar) + """ + def test_disable_user_invalidates_token(self): from keystoneclient import exceptions as client_exceptions @@ -1111,6 +1156,12 @@ class KcEssex3TestCase(CompatTestCase, KeystoneClientTests): def test_endpoint_delete_404(self): raise nose.exc.SkipTest('N/A') + def test_disable_tenant_invalidates_token(self): + raise self.skipTest('N/A') + + def test_delete_tenant_invalidates_token(self): + raise self.skipTest('N/A') + class Kc11TestCase(CompatTestCase, KeystoneClientTests): def get_checkout(self): |