1 files changed, 56 insertions, 0 deletions

diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index cc2a49d0b..997b5e6f7 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -17,6 +17,8 @@ import os
 from unittest import mock
 import uuid
 
+import fixtures
+from oslo_log import log
 from oslo_utils import timeutils
 
 from keystone import auth
@@ -26,6 +28,7 @@ from keystone.common import utils
 import keystone.conf
 from keystone import exception
 from keystone.federation import constants as federation_constants
+from keystone.models import token_model
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
 from keystone.tests.unit import ksfixtures
@@ -51,6 +54,59 @@ class TestFernetTokenProvider(unit.TestCase):
             self.provider.validate_token,
             token_id)
 
+    def test_log_warning_when_token_exceeds_max_token_size_default(self):
+        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+        token = token_model.TokenModel()
+        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.expires_at = utils.isotime(
+            provider.default_expire_time(), subsecond=True)
+        token.methods = ['password']
+        token.audit_id = provider.random_urlsafe_str()
+        token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+        expected_output = (
+            f'Fernet token created with length of {len(token_id)} characters, '
+            'which exceeds 255 characters'
+        )
+        self.assertIn(expected_output, self.logging.output)
+
+    def test_log_warning_when_token_exceeds_max_token_size_override(self):
+        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+        self.config_fixture.config(max_token_size=250)
+
+        token = token_model.TokenModel()
+        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.expires_at = utils.isotime(
+            provider.default_expire_time(), subsecond=True)
+        token.methods = ['password']
+        token.audit_id = provider.random_urlsafe_str()
+        token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+        expected_output = (
+            f'Fernet token created with length of {len(token_id)} characters, '
+            'which exceeds 250 characters'
+        )
+        self.assertIn(expected_output, self.logging.output)
+
+    def test_no_warning_when_token_does_not_exceed_max_token_size(self):
+        self.config_fixture.config(max_token_size=300)
+        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+        token = token_model.TokenModel()
+        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.expires_at = utils.isotime(
+            provider.default_expire_time(), subsecond=True)
+        token.methods = ['password']
+        token.audit_id = provider.random_urlsafe_str()
+        token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+        expected_output = (
+            f'Fernet token created with length of {len(token_id)} characters, '
+            'which exceeds 255 characters'
+        )
+        self.assertNotIn(expected_output, self.logging.output)
+
 
 class TestValidate(unit.TestCase):
     def setUp(self):