Validate identity providers during token validation

Previously, it was possible to validate a federated keystone token
after the identity provider associated by that token was deleted,
which is a security concern.

This commit does two things. First it makes it so that the token
cache is invalidated when identity providers are deleted. Second,
it validates the identity provider in the token data and ensures it
actually exists in the system before considering the token valid.

Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839
Closes-Bug: 1291157

1 files changed, 13 insertions, 0 deletions

diff --git a/keystone/federation/core.py b/keystone/federation/core.py
index 1b7c2e161..677e78343 100644
--- a/keystone/federation/core.py
+++ b/keystone/federation/core.py
@@ -22,6 +22,7 @@ import keystone.conf
 from keystone import exception
 from keystone.federation import utils
 from keystone.i18n import _
+from keystone import notifications
 
 
 # This is a general cache region for service providers.
@@ -77,6 +78,18 @@ class Manager(manager.Manager):
                 self._cleanup_idp_domain(idp['domain_id'])
             raise
 
+    def delete_idp(self, idp_id):
+        self.driver.delete_idp(idp_id)
+        # NOTE(lbragstad): If an identity provider is removed from the system,
+        # then we need to invalidate the token cache. Otherwise it will be
+        # possible for federated tokens to be considered valid after a service
+        # provider removes a federated identity provider resource. The `idp_id`
+        # isn't actually used when invalidating the token cache but we have to
+        # pass something.
+        notifications.Audit.internal(
+            notifications.INVALIDATE_TOKEN_CACHE_DELETED_IDP, idp_id
+        )
+
     def _cleanup_idp_domain(self, domain_id):
         domain = {'enabled': False}
         PROVIDERS.resource_api.update_domain(domain_id, domain)