From 4f058bd7406fb48d1870d506bba6e9db47de0cea Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Fri, 21 Aug 2015 18:38:26 +0000
Subject: [PATCH] Handle tokens created and quickly revoked with insufficient timestamp precision

In the event that the revocation event is created at the exact same timestamp as the token's creation timestamp, the event's issued_before will equal the token's issued_at and will thus not be revoked (according to the current code). This is much more likely to occur when a token's issue_at timestamp is rounded to whole seconds (rather than carrying microsecond level precision), as they are with Fernet and MySQL.

Change-Id: If1f5e546463f189a0b487140a620def545006c25
---
 keystone/contrib/revoke/model.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keystone/contrib/revoke/model.py b/keystone/contrib/revoke/model.py
index 1a23d57..e677bfb 100644
--- a/keystone/contrib/revoke/model.py
+++ b/keystone/contrib/revoke/model.py
@@ -220,7 +220,7 @@ class RevokeTree(object):
 # The last (leaf) level is checked in a special way because we
 # verify issued_at field differently.
 try:
- return revoke_map['issued_before'] > token_data['issued_at']
+ return revoke_map['issued_before'] >= token_data['issued_at']
 except KeyError:
 return False
-- 
2.1.4
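Review bot: The switch to `>=` on the `issued_before` comparison is a deliberate fail-closed choice that the code does not explain, and the comment above it still only says issued_at is verified "differently". A token issued in the same timestamp tick as a revocation event, including one legitimately issued just after it when issued_at is rounded to whole seconds, is now treated as revoked; that is the safe direction, but it should be stated next to the line, e.g. `# >= on purpose: with second-precision issued_at a tie must count as revoked (fail closed)`. The diffstat shows only model.py changed, so no regression test for equal timestamps accompanies the fix; one asserting that a token with `issued_at == issued_before` is revoked would guard against the operator being reverted later. The enclosing method starts and ends outside the hunk.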