If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidently changes a list to a list in a tuple: https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid. /github. com/openstack/ keystone/ blob/master/ keystone/ models/ revoke_ model.py# L200-L201 values[ 'audit_ chain_id' ],) to not in (token_ values[ 'audit_ chain_id' ])
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidently changes a list to a list in a tuple:
https:/
This needs to have the comma removed from
not in (token_
The second and main reason is because this functionality is never exposed to the user /github. com/openstack/ keystone/ blob/master/ keystone/ token/provider. py#L255- L277
and in the code it is never run here:
https:/
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code.