From dd91f41c0a65856aebc7c7fddf7843da949be8de Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Wed, 14 Feb 2018 23:13:31 +0000
Subject: Simplify federation and oauth token callbacks

The token provider listened for specific callbacks from the
federation and oauth APIs. These were mainly for token invalidation
and token persistence removal. Now that the sql token driver and uuid
token provider have been removed, we can remove the need for
persistence notifications.

Instead, both of these cases can use a generic token cache
invalidation callback. This makes the token provider Manager simpler
because it only has to listen for a single internal notification to
invalidate the token cache, instead of multiple. It also makes the
code sending the notification easier to understand because it's
clearer about what it's doing.

Change-Id: I3281a013ce2764872dda8c183c4e9851974e1d14
---
 keystone/federation/core.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'keystone/federation')

diff --git a/keystone/federation/core.py b/keystone/federation/core.py
index 92da910b0..a78f6039d 100644
--- a/keystone/federation/core.py
+++ b/keystone/federation/core.py
@@ -68,12 +68,14 @@ class Manager(manager.Manager):
         # NOTE(lbragstad): If an identity provider is removed from the system,
         # then we need to invalidate the token cache. Otherwise it will be
         # possible for federated tokens to be considered valid after a service
-        # provider removes a federated identity provider resource. The `idp_id`
-        # isn't actually used when invalidating the token cache but we have to
-        # pass something.
-        notifications.Audit.internal(
-            notifications.INVALIDATE_TOKEN_CACHE_DELETED_IDP, idp_id
+        # provider removes a federated identity provider resource.
+        reason = (
+            'The token cache is being invalidated because identity provider '
+            '%(idp_id)s has been deleted. Authorization for federated users '
+            'will be recalculated and enforced accordingly the next time '
+            'they authenticate or validate a token.' % {'idp_id': idp_id}
         )
+        notifications.invalidate_token_cache_notification(reason)
 
     def _cleanup_idp_domain(self, domain_id):
         domain = {'enabled': False}
-- 
cgit v1.2.1