authorJenkins <jenkins@review.openstack.org>2016-06-09 17:23:15 +0000
committerGerrit Code Review <review@openstack.org>2016-06-09 17:23:16 +0000
commitb6d8ea959ee378348110311db773755892d2421f (patch)
tree8d50770a3412c464aa804929dfb84186aff75e58
parenta878664f5dbf08626a796e8cfa6fac88cb9e256a (diff)
parent6b84b243a1c92ecfc8c525631747c0f6eaa30f2d (diff)
downloadkeystone-b6d8ea959ee378348110311db773755892d2421f.tar.gz
Merge "Return 404 instead of 401 for tokens w/o roles" into stable/mitaka
-rw-r--r--keystone/tests/unit/test_v3_auth.py22
-rw-r--r--keystone/token/provider.py24
2 files changed, 34 insertions, 12 deletions
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 698feeb84..da8dc80a9 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -381,6 +381,28 @@ class TokenAPITests(object):
self.token_provider_api.validate_token,
project_scoped_token)
+ def test_project_scoped_token_is_invalid_after_deleting_grant(self):
+ # disable caching so that user grant deletion is not hidden
+ # by token caching
+ self.config_fixture.config(
+ group='cache',
+ enabled=False)
+ # Grant user access to project
+ self.assignment_api.create_grant(self.role['id'],
+ user_id=self.user['id'],
+ project_id=self.project['id'])
+ project_scoped_token = self._get_project_scoped_token()
+ # Make sure the token is valid
+ self._validate_token(project_scoped_token)
+ # Delete access to project
+ self.assignment_api.delete_grant(self.role['id'],
+ user_id=self.user['id'],
+ project_id=self.project['id'])
+ # Ensure the token has been revoked
+ self.assertRaises(exception.TokenNotFound,
+ self.token_provider_api.validate_token,
+ project_scoped_token)
+
def test_rescope_unscoped_token_with_trust(self):
trustee_user, trust = self._create_trust()
self._get_trust_scoped_token(trustee_user, trust)
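Review bot: The new test only proves the uncached path: it sets `enabled=False` for the `cache` group first, and its own comment says token caching would otherwise hide the grant deletion. If that holds outside the test, a project-scoped token validated before `delete_grant` could presumably keep validating from cache until the entry expires or is invalidated, and nothing here covers that case. I would state the limit in the opening comment, e.g. `# NOTE: covers the uncached path only; cached validations are not exercised here`, and consider a companion test with caching left on. The last comment, `# Ensure the token has been revoked`, would be more accurate as `# Ensure the token no longer validates`, since the assertion checks for `TokenNotFound` rather than a revocation record.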
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 0900f6b57..b9fb3ac66 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -296,19 +296,19 @@ class Manager(manager.Manager):
if not token_id:
raise exception.TokenNotFound(_('No token in the request'))
- if not self._needs_persistence:
- # NOTE(lbragstad): This will validate v2 and v3 non-persistent
- # tokens.
- return self.driver.validate_non_persistent_token(token_id)
- token_ref = self._persistence.get_token(token_id)
- version = self.get_token_version(token_ref)
- if version == self.V3:
- try:
+ try:
+ if not self._needs_persistence:
+ # NOTE(lbragstad): This will validate v2 and v3 non-persistent
+ # tokens.
+ return self.driver.validate_non_persistent_token(token_id)
+ token_ref = self._persistence.get_token(token_id)
+ version = self.get_token_version(token_ref)
+ if version == self.V3:
return self.driver.validate_v3_token(token_ref)
- except exception.Unauthorized as e:
- LOG.debug('Unable to validate token: %s', e)
- raise exception.TokenNotFound(token_id=token_id)
- elif version == self.V2:
+ except exception.Unauthorized as e:
+ LOG.debug('Unable to validate token: %s', e)
+ raise exception.TokenNotFound(token_id=token_id)
+ if version == self.V2:
return self.driver.validate_v2_token(token_ref)
raise exception.UnsupportedTokenVersionException()
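Review bot: `validate_v2_token` at the end of the hunk is still outside the widened `try`, so if the driver raises `exception.Unauthorized` for a persisted v2 token (not visible here, so this is an assumption), the caller still gets a 401 rather than `TokenNotFound`. Moving `if version == self.V2:` and `return self.driver.validate_v2_token(token_ref)` inside the `try`, ahead of the `except`, would make the three validation paths consistent. The wider `try` also turns an `Unauthorized` raised by `self._persistence.get_token` into `TokenNotFound` with only a debug-level log line, so a short comment saying this is intended would help whoever triages a failed validation. The enclosing method begins outside the hunk.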