From 13418d9e731c9c993c10e6f00eadbe73eccce907 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Mon, 18 Feb 2013 21:35:37 -0500
Subject: [PATCH] validate from backend

In certain cases we were depending on CMS to validate PKI tokens but
that is not necessary, and by passes the revocation check

Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
---
 keystone/service.py | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/keystone/service.py b/keystone/service.py
index c088986..fd24cc0 100644
--- a/keystone/service.py
+++ b/keystone/service.py
@@ -490,20 +490,12 @@ class TokenController(wsgi.Application):
         """
         # TODO(termie): this stuff should probably be moved to middleware
         self.assert_admin(context)
-
-        if cms.is_ans1_token(token_id):
-            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
-                                             config.CONF.signing.certfile,
-                                             config.CONF.signing.ca_certs))
-            data['access']['token']['user'] = data['access']['user']
-            data['access']['token']['metadata'] = data['access']['metadata']
-            if belongs_to:
-                assert data['access']['token']['tenant']['id'] == belongs_to
-            token_ref = data['access']['token']
-        else:
-            token_ref = self.token_api.get_token(context=context,
-                                                 token_id=token_id)
-        return token_ref
+        data = self.token_api.get_token(context=context, token_id=token_id)
+        if belongs_to and data['tenant']['id'] != belongs_to:
+            raise exceptions.Unauthorized(
+                'Token does not belong to specified tenant.')
+
+        return data
 
     # admin only
     def validate_token_head(self, context, token_id):
--
1.8.1.2
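Review bot: The new tenant check `if belongs_to and data['tenant']['id'] != belongs_to:` indexes `data['tenant']['id']` unconditionally, so if the backend returns a token whose `tenant` key is missing or `None` (presumably the case for an unscoped token — confirm against token_api.get_token) a `belongs_to` query fails with KeyError/TypeError rather than the intended `Unauthorized`, turning a clean 401 into a 500. Since this path is now the only validation route, I'd make the mismatch case explicit: `tenant = data.get('tenant') or {}` followed by `if belongs_to and tenant.get('id') != belongs_to:`. Replacing the old `assert` with a raised `Unauthorized` is the right call, as `assert` is stripped under `-O`. validate_token's signature and docstring start above the hunk.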