authorVladimir Eremin <yottatsa@yandex-team.ru>2015-07-23 18:55:54 +0300
committerDolph Mathews <dolph.mathews@gmail.com>2015-08-18 20:40:27 +0000
commitfb7f4a7ee1c0da299b00c8fb54870d1c37738b83 (patch)
treebae89bb6a242a157b76c6391e4a62dd88b8fa591
parenta1e20fbbb5d739b878b00638769ff81466f3a0b8 (diff)
downloadkeystone-fb7f4a7ee1c0da299b00c8fb54870d1c37738b83.tar.gz
Replace 401 to 404 when token is invalid
According to specs, keystone should return 404 when token is invalid. This commit fixes it, and fixes validate_token return. Change-Id: Ia44ea94c6f72ab6f46c0799056d41deddcbfb051 Closes-Bug: 1477600 (cherry picked from commit 7bdeef83535dafae8f3e1ba95ad661e90912938b)
-rw-r--r--keystone/tests/unit/test_v3_auth.py6
-rw-r--r--keystone/tests/unit/token/test_fernet_provider.py8
-rw-r--r--keystone/token/providers/fernet/core.py25
-rw-r--r--keystone/token/providers/fernet/token_formatters.py9
4 files changed, 28 insertions, 20 deletions
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 2a92411ee..3d20e0e14 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -4160,7 +4160,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
unscoped_token = self._get_unscoped_token()
tampered_token = (unscoped_token[:50] + uuid.uuid4().hex +
unscoped_token[50 + 32:])
- self._validate_token(tampered_token, expected_status=401)
+ self._validate_token(tampered_token, expected_status=404)
def test_revoke_unscoped_token(self):
unscoped_token = self._get_unscoped_token()
@@ -4240,7 +4240,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
project_scoped_token = self._get_project_scoped_token()
tampered_token = (project_scoped_token[:50] + uuid.uuid4().hex +
project_scoped_token[50 + 32:])
- self._validate_token(tampered_token, expected_status=401)
+ self._validate_token(tampered_token, expected_status=404)
def test_revoke_project_scoped_token(self):
project_scoped_token = self._get_project_scoped_token()
@@ -4348,7 +4348,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
# Get a trust scoped token
tampered_token = (trust_scoped_token[:50] + uuid.uuid4().hex +
trust_scoped_token[50 + 32:])
- self._validate_token(tampered_token, expected_status=401)
+ self._validate_token(tampered_token, expected_status=404)
def test_revoke_trust_scoped_token(self):
trustee_user, trust = self._create_trust()
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index 211cef2b7..19c82a3d3 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -44,15 +44,15 @@ class TestFernetTokenProvider(tests.TestCase):
def test_needs_persistence_returns_false(self):
self.assertFalse(self.provider.needs_persistence())
- def test_invalid_v3_token_raises_401(self):
+ def test_invalid_v3_token_raises_404(self):
self.assertRaises(
- exception.Unauthorized,
+ exception.TokenNotFound,
self.provider.validate_v3_token,
uuid.uuid4().hex)
- def test_invalid_v2_token_raises_401(self):
+ def test_invalid_v2_token_raises_404(self):
self.assertRaises(
- exception.Unauthorized,
+ exception.TokenNotFound,
self.provider.validate_v2_token,
uuid.uuid4().hex)
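Review bot: Both renamed tests pass `uuid.uuid4().hex` as the token, which can only exercise the decrypt-failure path. The unrecognized-payload-version branch, which this commit also switches to `ValidationError` in token_formatters.py, is not exercised by anything visible in this hunk. A companion test that gives the provider a correctly encrypted payload carrying an unknown version and asserts `exception.TokenNotFound` would pin that second mapping. The rest of the test class is outside the hunk, so such a test may already exist.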
diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py
index 2ca82e51a..722ec606c 100644
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@@ -202,14 +202,18 @@ class Provider(common.BaseProvider):
:param token_ref: reference describing the token to validate
:returns: the token data
+ :raises keystone.exception.TokenNotFound: if token format is invalid
:raises keystone.exception.Unauthorized: if v3 token is used
"""
- (user_id, methods,
- audit_ids, domain_id,
- project_id, trust_id,
- federated_info, created_at,
- expires_at) = self.token_formatter.validate_token(token_ref)
+ try:
+ (user_id, methods,
+ audit_ids, domain_id,
+ project_id, trust_id,
+ federated_info, created_at,
+ expires_at) = self.token_formatter.validate_token(token_ref)
+ except exception.ValidationError as e:
+ raise exception.TokenNotFound(e)
if trust_id or domain_id or federated_info:
msg = _('This is not a v2.0 Fernet token. Use v3 for trust, '
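Review bot: The new `except exception.ValidationError` handler carries no comment saying why a formatter failure is reported as not-found, and the same unexplained handler is repeated in the v3 hunk below. A one-line comment such as `# Report undecryptable or unknown-version tokens as not found (bug 1477600).` above the `except` would record the intent. Nothing visible here logs the failure either, so repeated submissions of tampered tokens leave no trace at this layer. If the module has a logger, a debug-level entry before the re-raise would help operators spot that pattern. The method starts above the hunk and continues past it.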
@@ -233,13 +237,16 @@ class Provider(common.BaseProvider):
:param token: a string describing the token to validate
:returns: the token data
- :raises keystone.exception.Unauthorized: if token format version isn't
+ :raises keystone.exception.TokenNotFound: if token format version isn't
supported
"""
- (user_id, methods, audit_ids, domain_id, project_id, trust_id,
- federated_info, created_at, expires_at) = (
- self.token_formatter.validate_token(token))
+ try:
+ (user_id, methods, audit_ids, domain_id, project_id, trust_id,
+ federated_info, created_at, expires_at) = (
+ self.token_formatter.validate_token(token))
+ except exception.ValidationError as e:
+ raise exception.TokenNotFound(e)
token_dict = None
if federated_info:
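Review bot: The updated `:raises keystone.exception.TokenNotFound:` line still describes only an unsupported format version, but the new handler also turns the decrypt failure raised in token_formatters.py into `TokenNotFound`. I would word it as `:raises keystone.exception.TokenNotFound: if the token cannot be decrypted or its payload version isn't supported`. The v2 docstring in the previous hunk says "if token format is invalid", and using the same sentence in both places would keep the two methods' contracts aligned. The method body continues outside the hunk.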
diff --git a/keystone/token/providers/fernet/token_formatters.py b/keystone/token/providers/fernet/token_formatters.py
index 81f2cda65..f7399220a 100644
--- a/keystone/token/providers/fernet/token_formatters.py
+++ b/keystone/token/providers/fernet/token_formatters.py
@@ -74,8 +74,9 @@ class TokenFormatter(object):
try:
return self.crypto.decrypt(token)
- except fernet.InvalidToken as e:
- raise exception.Unauthorized(six.text_type(e))
+ except fernet.InvalidToken:
+ raise exception.ValidationError(
+ _('This is not a recognized Fernet token'))
@classmethod
def creation_time(cls, fernet_token):
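Review bot: Raising `exception.ValidationError` instead of `exception.Unauthorized` on a failed decrypt changes the contract for every caller of this method, not only the two call sites updated in core.py. Any other caller, none of which is visible in this diff, would now surface a validation error instead of 401 unless it also catches it. The unknown-version branch in the next hunk has the same effect. The enclosing method starts above the hunk; its docstring should gain `:raises keystone.exception.ValidationError: if the token cannot be decrypted`. Replacing `six.text_type(e)` with a fixed message is a good change, since the library's exception text no longer reaches the response.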
@@ -185,8 +186,8 @@ class TokenFormatter(object):
(user_id, methods, expires_at, audit_ids, federated_info) = (
FederatedPayload.disassemble(payload))
else:
- # If the token_format is not recognized, raise Unauthorized.
- raise exception.Unauthorized(_(
+ # If the token_format is not recognized, raise ValidationError.
+ raise exception.ValidationError(_(
'This is not a recognized Fernet payload version: %s') %
version)