From 6ceec888d7d0dd75800813feaa422eb94e6d0105 Mon Sep 17 00:00:00 2001
From: Morgan Fainberg <m@metacloud.com>
Date: Thu, 22 Aug 2013 14:01:41 -0700
Subject: [PATCH] [PATCH] Fix and test token revocation list API

Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5
---
 keystone/token/backends/kvs.py      |  2 +-
 keystone/token/backends/memcache.py | 10 ++++----
 tests/test_backend.py               | 47 +++++++++++++++++++++++++++++++------
 3 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
index 49f15ad..1935b41 100644
--- a/keystone/token/backends/kvs.py
+++ b/keystone/token/backends/kvs.py
@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver):
             if not token.startswith('revoked-token-'):
                 continue
             record = {}
-            record['id'] = token_ref['id']
+            record['id'] = token[len('revoked-token-'):]
             record['expires'] = token_ref['expires']
             tokens.append(record)
         return tokens
diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
index a62f342..bc90d19 100644
--- a/keystone/token/backends/memcache.py
+++ b/keystone/token/backends/memcache.py
@@ -84,8 +84,9 @@ class Token(token.Driver):
                         raise exception.UnexpectedError(msg)
         return copy.deepcopy(data_copy)
 
-    def _add_to_revocation_list(self, data):
-        data_json = jsonutils.dumps(data)
+    def _add_to_revocation_list(self, token_id, token_data):
+        data_json = jsonutils.dumps({'id': token_id,
+                                     'expires': token_data['expires']})
         if not self.client.append(self.revocation_key, ',%s' % data_json):
             if not self.client.add(self.revocation_key, data_json):
                 if not self.client.append(self.revocation_key,
@@ -95,10 +96,11 @@ class Token(token.Driver):
 
     def delete_token(self, token_id):
         # Test for existence
-        data = self.get_token(token.unique_id(token_id))
+        token_id = token.unique_id(token_id)
+        data = self.get_token(token_id)
         ptk = self._prefix_token_id(token.unique_id(token_id))
         result = self.client.delete(ptk)
-        self._add_to_revocation_list(data)
+        self._add_to_revocation_list(token_id, data)
         return result
 
     def list_tokens(self, user_id, tenant_id=None, trust_id=None):
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 85ac7cf..d4c2e6c 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -14,10 +14,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import copy
 import datetime
 import default_fixtures
+import hashlib
 import uuid
-import nose.exc
 
 from keystone.catalog import core
 from keystone import config
@@ -2065,17 +2066,19 @@ class TokenTests(object):
                 'trust_id': None,
                 'user': {'id': 'testuserid'}}
         data_ref = self.token_api.create_token(token_id, data)
-        expires = data_ref.pop('expires')
-        data_ref.pop('user_id')
+        data_ref_copy = copy.deepcopy(data_ref)
+        expires = data_ref_copy.pop('expires')
+        data_ref_copy.pop('user_id')
         self.assertTrue(isinstance(expires, datetime.datetime))
-        self.assertDictEqual(data_ref, data)
+        self.assertDictEqual(data_ref_copy, data)
 
         new_data_ref = self.token_api.get_token(token_id)
-        expires = new_data_ref.pop('expires')
-        new_data_ref.pop('user_id')
+        new_data_ref_copy = copy.deepcopy(new_data_ref)
+        expires = new_data_ref_copy.pop('expires')
+        new_data_ref_copy.pop('user_id')
 
         self.assertTrue(isinstance(expires, datetime.datetime))
-        self.assertEquals(new_data_ref, data)
+        self.assertEquals(new_data_ref_copy, data)
 
         self.token_api.delete_token(token_id)
         self.assertRaises(exception.TokenNotFound,
@@ -2248,6 +2251,36 @@ class TokenTests(object):
         self.check_list_revoked_tokens([self.delete_token()
                                         for x in xrange(2)])
 
+    def test_predictable_revoked_pki_token_id(self):
+        # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the
+        #               returned token str in master, but not in grizzly.
+        #               revising _create_token_id() in grizzly to include the
+        #               previx breaks several other tests here
+        token_id = 'MII' + self._create_token_id()
+        token_id_hash = hashlib.md5(token_id).hexdigest()
+        token = {'user': {'id': uuid.uuid4().hex}}
+
+        self.token_api.create_token(token_id, token)
+        self.token_api.delete_token(token_id)
+
+        revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
+        self.assertIn(token_id_hash, revoked_ids)
+        self.assertNotIn(token_id, revoked_ids)
+        for t in self.token_api.list_revoked_tokens():
+            self.assertIn('expires', t)
+
+    def test_predictable_revoked_uuid_token_id(self):
+        token_id = uuid.uuid4().hex
+        token = {'user': {'id': uuid.uuid4().hex}}
+
+        self.token_api.create_token(token_id, token)
+        self.token_api.delete_token(token_id)
+
+        revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
+        self.assertIn(token_id, revoked_ids)
+        for t in self.token_api.list_revoked_tokens():
+            self.assertIn('expires', t)
+
 
 class TrustTests(object):
     def create_sample_trust(self, new_id):
-- 
1.8.2.1 (Apple Git-45)