From 89f5a244f56d5450faf2d1f2bac5faa890b75205 Mon Sep 17 00:00:00 2001 From: Dolph Mathews Date: Thu, 15 Nov 2012 16:10:45 -0600 Subject: [PATCH] Ensure token expiration is maintained (bug 1079216) Change-Id: I78e719746909301652aa9ecb772329fcad397141 --- keystone/service.py | 4 +++- tests/test_service.py | 63 +++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 64 insertions(+), 3 deletions(-) diff --git a/keystone/service.py b/keystone/service.py index 21d9303..2cfa9ee 100644 --- a/keystone/service.py +++ b/keystone/service.py @@ -528,6 +528,7 @@ class TokenController(wsgi.Application): self.token_api.create_token( context, token_id, dict(key=token_id, id=token_id, + expires=auth_token_data['expires'], user=user_ref, tenant=tenant_ref, metadata=metadata_ref)) @@ -735,7 +736,8 @@ class TokenController(wsgi.Application): config.CONF.signing.certfile, config.CONF.signing.ca_certs)) data['access']['token']['user'] = data['access']['user'] - data['access']['token']['metadata'] = data['access']['metadata'] + metadata = data['access'].get('metadata', {}) + data['access']['token']['metadata'] = metadata if belongs_to: assert data['access']['token']['tenant']['id'] == belongs_to token_ref = data['access']['token'] diff --git a/tests/test_service.py b/tests/test_service.py index ce277c5..175399e 100644 --- a/tests/test_service.py +++ b/tests/test_service.py @@ -12,16 +12,19 @@ # License for the specific language governing permissions and limitations # under the License. +import time import uuid import default_fixtures +from keystone import config from keystone import exception -from keystone import identity from keystone import service from keystone import test from keystone.identity.backends import kvs as kvs_identity -from keystone.openstack.common import timeutils + + +CONF = config.CONF def _build_user_auth(token=None, username=None, 
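Review bot: The new `expires=auth_token_data['expires']` argument in the `create_token` call carries the security fix but has no comment, and the subscript assumes every authentication path fills in that key. `auth_token_data` is built outside this hunk, so that cannot be confirmed from here; if the password or `REMOTE_USER` paths leave the key out, this line raises `KeyError` instead of issuing a token. I would add a comment above the call such as `# Reuse the expiry from auth_token_data so that re-authenticating with a token never extends its lifetime (bug 1079216).` and verify that each branch sets `'expires'` before reaching here. The enclosing method starts and ends outside the hunk.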
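Review bot: The `belongs_to` check just below the new `metadata` default is still an `assert`, so it disappears when the interpreter runs with `-O` and otherwise surfaces as an `AssertionError` rather than an authorization failure. It also subscripts `['tenant']['id']` directly, which looks likely to raise `KeyError` for a token that carries no tenant, the same kind of missing-key case this hunk fixes for `metadata`. I would replace it with an explicit comparison, `if belongs_to and data['access']['token'].get('tenant', {}).get('id') != belongs_to:`, raising whichever unauthorized error this module uses for rejected tokens. The enclosing method begins and ends outside the hunk, so the caller's error handling is not visible here.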
@@ -293,3 +296,59 @@ class AuthWithRemoteUser(TokenControllerTest): self.api.authenticate, {'REMOTE_USER': uuid.uuid4().hex}, body_dict) + + +class TokenExpirationTest(test.TestCase): + def setUp(self): + super(TokenExpirationTest, self).setUp() + self.identity_api = kvs_identity.Identity() + self.load_fixtures(default_fixtures) + self.api = service.TokenController() + + def _maintain_token_expiration(self): + """Token expiration should be maintained after re-auth & validation.""" + r = self.api.authenticate( + {}, + auth={ + 'passwordCredentials': { + 'username': self.user_foo['name'], + 'password': self.user_foo['password'] + } + }) + unscoped_token_id = r['access']['token']['id'] + original_expiration = r['access']['token']['expires'] + + time.sleep(0.5) + + r = self.api.validate_token( + dict(is_admin=True, query_string={}), + token_id=unscoped_token_id) + self.assertEqual(original_expiration, r['access']['token']['expires']) + + time.sleep(0.5) + + r = self.api.authenticate( + {}, + auth={ + 'token': { + 'id': unscoped_token_id, + }, + 'tenantId': self.tenant_bar['id'], + }) + scoped_token_id = r['access']['token']['id'] + self.assertEqual(original_expiration, r['access']['token']['expires']) + + time.sleep(0.5) + + r = self.api.validate_token( + dict(is_admin=True, query_string={}), + token_id=scoped_token_id) + self.assertEqual(original_expiration, r['access']['token']['expires']) + + def test_maintain_uuid_token_expiration(self): + CONF.signing.token_format = 'UUID' + self._maintain_token_expiration() + + def test_maintain_pki_token_expiration(self): + CONF.signing.token_format = 'PKI' + self._maintain_token_expiration() -- 1.8.0
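Review bot: `test_maintain_uuid_token_expiration` and `test_maintain_pki_token_expiration` assign `CONF.signing.token_format` directly and never restore it. Unless the base `test.TestCase` resets configuration in teardown (not visible here), the last value leaks into whichever test runs next. Registering the restore before the assignment keeps each case self-contained: `self.addCleanup(setattr, CONF.signing, 'token_format', CONF.signing.token_format)`. Separately, the three `time.sleep(0.5)` calls only prove anything if `expires` is compared at a resolution finer than the gaps between calls. A short comment in `_maintain_token_expiration` saying why the sleeps are there would let the next reader judge that.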