From 6990bae3afb002adad0027802d21aaa4aa85ea78 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Tue, 1 Dec 2015 16:08:00 -0600
Subject: [PATCH 1/1] Verify audit_id when available
If the token has audit_ids and the revocation list includes audit_ids, then also validate the token isn't revoked by audit_id.
Change-Id: I483bc57bd38eb81a0905bcaf94e4ea82604919d6
---
keystonemiddleware/auth_token/__init__.py | 12 ++++++++++++
keystonemiddleware/auth_token/_revocations.py | 12 ++++++++++++
2 files changed, 24 insertions(+)
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 3dd746e..f666a60 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -877,6 +877,18 @@ class AuthProtocol(_BaseAuthProtocol):
 'fallback to online validation.'))
 else:
 data = jsonutils.loads(verified)
+
+ audit_ids = None
+ if 'token' in data:
+ # It's a v3 token
+ audit_ids = data['token'].get('audit_ids')
+ else:
+ # It's a v2 token.
+ audit_ids = data['access']['token'].get('audit_ids')
+
+ if audit_ids:
+ self._revocations.check_by_audit_id(audit_ids[0])
+
 return data
 
 def _validate_token(self, auth_ref):
diff --git a/keystonemiddleware/auth_token/_revocations.py b/keystonemiddleware/auth_token/_revocations.py
index 8cc449a..b027c62 100644
--- a/keystonemiddleware/auth_token/_revocations.py
+++ b/keystonemiddleware/auth_token/_revocations.py
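Review bot: Only `audit_ids[0]` is passed to `check_by_audit_id`, so any further entry a v3 token carries in `audit_ids` (the list is indexed, so more than one element is evidently possible) is never compared against the revocation list; whether that is deliberate should be recorded at the call, e.g. `# Only the token's own audit_id (first element) is checked; any chain id is ignored.` The `audit_ids = None` initialisation is dead, since both branches assign it unconditionally, and can be dropped. For a v2 payload, `data['access']['token']` raises `KeyError` rather than `InvalidToken` if the shape is off; that is acceptable only if the signature check upstream guarantees the structure, which the hunk does not show. The enclosing method starts before the hunk, so whether the `InvalidToken` raised by `check_by_audit_id` is handled on the same path as the other offline-validation failures cannot be confirmed from here.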
@@ -104,3 +104,15 @@ class Revocations(object):
 if self._any_revoked(token_ids):
 self._log.debug('Token is marked as having been revoked')
 raise exc.InvalidToken(_('Token has been revoked'))
+
+ def check_by_audit_id(self, audit_id):
+ """Indicate whether the audit_id appears in the revocation list."""
+ revoked_tokens = self._list.get('revoked', None)
+ if not revoked_tokens:
+ return False
+
+ revoked_ids = (x.get('audit_ids', [''])[0] for x in revoked_tokens)
+ if audit_id in revoked_ids:
+ self._log.debug(
+ 'Token is marked as having been revoked by audit id')
+ raise exc.InvalidToken(_('Token has been revoked'))
--
1.9.1
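Review bot: `x.get('audit_ids', [''])[0]` raises `IndexError` when a revocation entry carries `'audit_ids': []` and `TypeError` when it carries `'audit_ids': None`, so one malformed entry makes every subsequent token validation fail with an unhandled exception instead of a revocation decision; the `['']` default only covers a missing key. The docstring says the method indicates whether the id appears, but the code returns `False` on an empty list and otherwise either raises or falls off the end returning `None`; it should read `"""Raise InvalidToken if audit_id appears in the revocation list."""` and the early `return False` can become a bare `return`, matching `check_revocation` above, which also only raises (assuming no other caller relies on the boolean). Building the set of revoked ids defensively, as below, removes the crash; the first element of each entry is still the one compared, as in the original, on the presumption that it is the revoked token's own audit_id — confirm against how keystone populates the list before relying on that.
```python
    def check_by_audit_id(self, audit_id):
        """Raise InvalidToken if audit_id appears in the revocation list."""
        revoked_tokens = self._list.get('revoked', None)
        if not revoked_tokens:
            return

        revoked_ids = set()
        for entry in revoked_tokens:
            # Tolerate entries whose audit_ids is missing, None or empty
            # instead of failing validation with IndexError/TypeError.
            entry_audit_ids = entry.get('audit_ids') or []
            if entry_audit_ids:
                # First element presumed to be the revoked token's own
                # audit_id, as in the original -- confirm against keystone.
                revoked_ids.add(entry_audit_ids[0])
        # … unchanged: membership test, debug log and InvalidToken raise …
```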