author | Yang Youseok <ileixe@gmail.com> | 2019-01-29 18:59:12 +0900 |
---|---|---|
committer | Yang Youseok <ileixe@gmail.com> | 2019-02-07 12:14:51 +0900 |
commit | 4e51cb8e6b4968fcb68903dce7e773b218f85bb7 (patch) | |
tree | 892225214296a67d6c17fdd5d30c520a84d34af8 | |
parent | 4bc09580070c5f6afa9ef39a3d9d1641de557589 (diff) | |
download | keystonemiddleware-4e51cb8e6b4968fcb68903dce7e773b218f85bb7.tar.gz |
Add auth invalidation in auth_token for identity endpoint update
Currently the auth_token middleware does not account for identity endpoint
updates, since the service catalog is not refreshed after a service with
auth_token middleware has started.
Add invalidation logic when an EndpointNotFound exception occurs so
that the auth_token middleware can be notified of a service catalog update
without a restart.
Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
4 files changed, 29 insertions, 0 deletions
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 0b954ef..de37aef 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -760,6 +760,10 @@ class AuthProtocol(BaseAuthProtocol):
                                   _CACHE_INVALID_INDICATOR)
             self.log.warning('Authorization failed for token')
             raise
+        except ksa_exceptions.EndpointNotFound:
+            # Invalidate auth in adapter for identity endpoint update
+            self._identity_server.invalidate()
+            raise
         return data
diff --git a/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware/auth_token/_identity.py
index 1e37070..36639a6 100644
--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -239,3 +239,6 @@ class IdentityServer(object):
     def fetch_ca_cert(self):
         return self._request_strategy.fetch_ca_cert()
+
+    def invalidate(self):
+        return self._adapter.invalidate()
diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
index 3ffd803..9ea8077 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -97,6 +97,7 @@ VERSION_LIST_v2 = fixture.DiscoveryList(v3=False, href=BASE_URI)
 ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2'
 TIMEOUT_TOKEN = '4ed1c5e53beee59458adcf8261a8cae2'
+ENDPOINT_NOT_FOUND_TOKEN = 'edf9fa62-5afd-4d64-89ac-f99b209bd995'
 def strtime(at=None):
@@ -1534,6 +1535,8 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
                 raise ksa_exceptions.ConnectFailure(msg)
             elif token_id == TIMEOUT_TOKEN:
                 request_timeout_response(request, context)
+            elif token_id == ENDPOINT_NOT_FOUND_TOKEN:
+                raise ksa_exceptions.EndpointNotFound()
             try:
                 response = self.examples.JSON_TOKEN_RESPONSES[token_id]
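Review bot: The new `except ksa_exceptions.EndpointNotFound:` branch invalidates silently, whereas the `NotFound` branch directly above it logs a warning before re-raising, so an operator seeing failures caused by a missing admin identity endpoint gets no hint in the middleware log that the catalog was stale and the cached auth was discarded. Add `self.log.warning('Identity endpoint not found in service catalog; invalidating auth so the catalog is refreshed')` before the `invalidate()` call. Because the exception is re-raised, the current request still fails and only later requests benefit from the refreshed catalog; while the endpoint is genuinely absent, every request reaching this path presumably discards and re-acquires the service credential, which is an extra keystone round trip per request worth stating in the comment. The enclosing try block and method start outside the hunk.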
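Review bot: `IdentityServer.invalidate` has no docstring, and the name alone does not say what is invalidated or when a caller should use it, which matters now that auth_token calls it from an exception handler. A one-line docstring such as `"""Drop the adapter's cached auth so the identity endpoint is re-discovered on the next request."""` would make the contract visible at the call site. The value returned from `self._adapter.invalidate()` (presumably a bool, inferred from keystoneauth's adapter API) is ignored by the new caller; either document what it means or drop the `return`.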
@@ -1686,6 +1689,16 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
         new_data = self.middleware.fetch_token(token)
         self.assertEqual(data, new_data)
+    def test_endpoint_not_found_in_token(self):
+        token = ENDPOINT_NOT_FOUND_TOKEN
+        self.set_middleware()
+        self.middleware._token_cache.initialize({})
+        with mock.patch.object(self.middleware._identity_server, 'invalidate',
+                               new=mock.Mock()):
+            self.assertRaises(ksa_exceptions.EndpointNotFound,
+                              self.middleware.fetch_token, token)
+        self.assertTrue(self.middleware._identity_server.invalidate.called)
+
     def test_not_is_admin_project(self):
         token = self.examples.v3_NOT_IS_ADMIN_PROJECT
         self.set_middleware(expected_env={'HTTP_X_IS_ADMIN_PROJECT': 'False'})
diff --git a/releasenotes/notes/bug-1813739-80eae72371903119.yaml b/releasenotes/notes/bug-1813739-80eae72371903119.yaml
new file mode 100644
index 0000000..df6fadb
--- /dev/null
+++ b/releasenotes/notes/bug-1813739-80eae72371903119.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug/1813739 <https://bugs.launchpad.net/keystonemiddleware/+bug/1813739>`_]
+    When admin identity endpoint is not created yet, keystonemiddleware emit
+    EndpointNotFound exception. Even after admin identity endpoint created,
+    auth_token middleware could not be notified of update since it does not
+    invalidate existing auth. Add an invalidation step so that endpoint
+    updates can be detected. |
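Review bot: `self.assertTrue(self.middleware._identity_server.invalidate.called)` in `test_endpoint_not_found_in_token` passes even if `invalidate` is called several times or with arguments; `self.middleware._identity_server.invalidate.assert_called_once_with()` pins the intended single, argument-less call and gives a more useful failure message. The assertion also sits outside the `with` block, so it reads the mock after the patch is removed; binding the mock with `as invalidate` and asserting on that name inside the block is clearer. The test only covers the failing request, while the fix's stated goal is that a later request succeeds once the endpoint exists; a second case that switches the token response after the first failure and asserts `fetch_token` then returns data would exercise the behaviour the commit is for.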