Fix fernet token validate for disabled domains/trusts
This commit adds a check when rebuilding the authorization context of a
trust-scoped token to make sure that both the trustor and the trustee are in
enabled domains. With this patch the uuid token provider and the fernet token
provider give the same response when caching is disabled. If caching is
enabled, the fernet provider will still consider a trust-scoped token valid
even though the trustor/trustee is in a disabled domain. A subsequent patch
will fix the revocation event to make sure the token is removed from the cache
when a domain is disabled.
Reviewed: https://review.openstack.org/339176
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d53db1889e17d493202743246243936af90234b9
Submitter: Jenkins
Branch: master
commit d53db1889e17d493202743246243936af90234b9
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 7 18:32:11 2016 +0000
Change-Id: If3e941018d5c2c9bd22397e69f83b7bf92643340
Partial-Bug: 1532280
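
The behaviour described in the commit message, as a small Python model added here (it is not keystone code; every class, method and field name is hypothetical). It shows the domain check applied while rebuilding a trust-scoped token's context, and why a cached validation result stays valid after a domain is disabled until the cache is invalidated.

```python
# Constructed model; names are hypothetical and do not mirror keystone's API.
from dataclasses import dataclass

@dataclass
class User:
    id: str
    domain_id: str

@dataclass
class Trust:
    id: str
    trustor: User
    trustee: User

class TrustTokenValidator:
    def __init__(self, domains, trusts, caching=False):
        self.domains = domains      # domain_id -> enabled flag
        self.trusts = trusts        # trust_id -> Trust
        self.caching = caching
        self._cache = {}            # token id -> cached validation result

    def _rebuild_context(self, token):
        # Non-persistent token: the authorization context is rebuilt on each
        # validation, so this is where trustor and trustee domains are checked.
        trust = self.trusts[token["trust_id"]]
        return all(self.domains.get(u.domain_id, False)
                   for u in (trust.trustor, trust.trustee))

    def validate(self, token):
        key = token["id"]
        if self.caching and key in self._cache:
            return self._cache[key]  # stale result survives a domain disable
        result = self._rebuild_context(token)
        if self.caching:
            self._cache[key] = result
        return result

    def disable_domain(self, domain_id, invalidate_cache=False):
        self.domains[domain_id] = False
        if invalidate_cache:
            # Assumed effect of the follow-up fix: cached validations
            # must not outlive the disable.
            self._cache.clear()

def scenario(caching, invalidate_cache=False):
    """Validate, disable the trustor's domain, validate again."""
    trust = Trust("t1", User("alice", "dom-a"), User("bob", "dom-b"))
    v = TrustTokenValidator({"dom-a": True, "dom-b": True}, {"t1": trust}, caching)
    token = {"id": "tok1", "trust_id": "t1"}  # constructed sample token
    before = v.validate(token)
    v.disable_domain("dom-a", invalidate_cache)
    return before, v.validate(token)
```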