From a20dcd159f9bf98e5605a3d13d4ba8de9aa1533e Mon Sep 17 00:00:00 2001
From: Morgan Fainberg <m@metacloud.com>
Date: Fri, 23 Aug 2013 14:53:26 -0700
Subject: [PATCH] Fix and test token revocation list API
Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5
---
keystone/token/backends/kvs.py | 2 +-
keystone/token/backends/memcache.py | 12 ++++++----
tests/test_backend.py | 47 +++++++++++++++++++++++++++++++------
3 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
index 49f15ad..1935b41 100644
--- a/keystone/token/backends/kvs.py
+++ b/keystone/token/backends/kvs.py
@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver):
if not token.startswith('revoked-token-'):
continue
record = {}
- record['id'] = token_ref['id']
+ record['id'] = token[len('revoked-token-'):]
record['expires'] = token_ref['expires']
tokens.append(record)
return tokens
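Review bot: The loop variable `token` used in `if not token.startswith('revoked-token-')` and in the new `record['id'] = token[len('revoked-token-'):]` shadows the `token` module that the class header `class Token(kvs.Base, token.Driver)` depends on, so nothing from that module (such as `token.unique_id`) is reachable inside this loop and the slice reads like a module attribute access at first glance; the loop header is outside the hunk, so the rename (`key`, for instance) would have to start there. The literal `'revoked-token-'` is now spelled twice within two lines; a module-level `REVOKED_PREFIX = 'revoked-token-'` used for both the `startswith` test and the slice keeps the two from drifting apart. A short comment on the new line stating that the id recorded here is the key suffix, which the tests added in tests/test_backend.py expect to be the unique (md5) id rather than the raw PKI token, would document the contract this fix establishes. The enclosing method begins before the hunk.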
diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
index a62f342..c2c9b51 100644
--- a/keystone/token/backends/memcache.py
+++ b/keystone/token/backends/memcache.py
@@ -84,8 +84,9 @@ class Token(token.Driver):
raise exception.UnexpectedError(msg)
return copy.deepcopy(data_copy)
- def _add_to_revocation_list(self, data):
- data_json = jsonutils.dumps(data)
+ def _add_to_revocation_list(self, token_id, token_data):
+ data_json = jsonutils.dumps({'id': token_id,
+ 'expires': token_data['expires']})
if not self.client.append(self.revocation_key, ',%s' % data_json):
if not self.client.add(self.revocation_key, data_json):
if not self.client.append(self.revocation_key,
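Review bot: The new signature `_add_to_revocation_list(self, token_id, token_data)` carries no docstring, and nothing states that `token_id` must already be the unique form returned by `token.unique_id`; the caller in `delete_token` does that conversion, and the tests added in tests/test_backend.py assert that the md5 digest rather than the raw PKI token appears in the list, so a future caller passing the raw id would produce an entry that revocation checks cannot match. Suggest `"""Append {'id': token_id, 'expires': ...} to the revocation list; token_id must already be the unique (hashed) id, as delete_token passes it."""`. `token_data['expires']` raises KeyError if the stored token lacks that key; if `get_token` guarantees its presence, a one-line comment saying so would spare the reader a check. The body of this method continues past the end of the hunk.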
@@ -95,10 +96,11 @@ class Token(token.Driver):
def delete_token(self, token_id):
# Test for existence
- data = self.get_token(token.unique_id(token_id))
- ptk = self._prefix_token_id(token.unique_id(token_id))
+ token_id = token.unique_id(token_id)
+ data = self.get_token(token_id)
+ ptk = self._prefix_token_id(token_id)
result = self.client.delete(ptk)
- self._add_to_revocation_list(data)
+ self._add_to_revocation_list(token_id, data)
return result
def list_tokens(self, user_id, tenant_id=None, trust_id=None):
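Review bot: `delete_token` rebinds its own parameter on `token_id = token.unique_id(token_id)`, so from that line on the name no longer denotes what the signature promises and the caller's original id is gone from the frame, which rules out any later error or log message that refers to it. A distinct local keeps both available: `unique_id = token.unique_id(token_id)`, with `unique_id` passed to the following `get_token`, `_prefix_token_id` and `_add_to_revocation_list` calls. The revocation entry is also appended regardless of the `delete` result on the preceding line; if that is deliberate (an over-inclusive revocation list being preferable to a missed revocation), a comment such as `# revoke even if the memcache delete reported failure` would record the intent for the next maintainer. `list_tokens` on the last line of the hunk continues outside it.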
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 85ac7cf..d4c2e6c 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -14,10 +14,11 @@
# License for the specific language governing permissions and limitations
# under the License.
+import copy
import datetime
import default_fixtures
+import hashlib
import uuid
-import nose.exc
from keystone.catalog import core
from keystone import config
@@ -2065,17 +2066,19 @@ class TokenTests(object):
'trust_id': None,
'user': {'id': 'testuserid'}}
data_ref = self.token_api.create_token(token_id, data)
- expires = data_ref.pop('expires')
- data_ref.pop('user_id')
+ data_ref_copy = copy.deepcopy(data_ref)
+ expires = data_ref_copy.pop('expires')
+ data_ref_copy.pop('user_id')
self.assertTrue(isinstance(expires, datetime.datetime))
- self.assertDictEqual(data_ref, data)
+ self.assertDictEqual(data_ref_copy, data)
new_data_ref = self.token_api.get_token(token_id)
- expires = new_data_ref.pop('expires')
- new_data_ref.pop('user_id')
+ new_data_ref_copy = copy.deepcopy(new_data_ref)
+ expires = new_data_ref_copy.pop('expires')
+ new_data_ref_copy.pop('user_id')
self.assertTrue(isinstance(expires, datetime.datetime))
- self.assertEquals(new_data_ref, data)
+ self.assertEquals(new_data_ref_copy, data)
self.token_api.delete_token(token_id)
self.assertRaises(exception.TokenNotFound,
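Review bot: The two parallel comparisons in this hunk use different assertions, `self.assertDictEqual(data_ref_copy, data)` for the created token and `self.assertEquals(new_data_ref_copy, data)` for the fetched one; `assertEquals` is the deprecated alias, so the second should become `self.assertDictEqual(new_data_ref_copy, data)` to match the first and to report a dict diff on failure. The reason the returned refs are now deep-copied before `pop` is not stated; if it is that a backend may hand back its own stored dict (the memcache backend in this patch already deep-copies on the way out, the kvs backend is not visible here), a comment `# copy before popping: a backend may return its stored reference` above the first `copy.deepcopy` would save the next reader from re-deriving it. The enclosing test method continues past the hunk.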
@@ -2248,6 +2251,36 @@ class TokenTests(object):
self.check_list_revoked_tokens([self.delete_token()
for x in xrange(2)])
+ def test_predictable_revoked_pki_token_id(self):
+ # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the
+ # returned token str in master, but not in grizzly.
+ # revising _create_token_id() in grizzly to include the
+ # previx breaks several other tests here
+ token_id = 'MII' + self._create_token_id()
+ token_id_hash = hashlib.md5(token_id).hexdigest()
+ token = {'user': {'id': uuid.uuid4().hex}}
+
+ self.token_api.create_token(token_id, token)
+ self.token_api.delete_token(token_id)
+
+ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
+ self.assertIn(token_id_hash, revoked_ids)
+ self.assertNotIn(token_id, revoked_ids)
+ for t in self.token_api.list_revoked_tokens():
+ self.assertIn('expires', t)
+
+ def test_predictable_revoked_uuid_token_id(self):
+ token_id = uuid.uuid4().hex
+ token = {'user': {'id': uuid.uuid4().hex}}
+
+ self.token_api.create_token(token_id, token)
+ self.token_api.delete_token(token_id)
+
+ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
+ self.assertIn(token_id, revoked_ids)
+ for t in self.token_api.list_revoked_tokens():
+ self.assertIn('expires', t)
+
class TrustTests(object):
def create_sample_trust(self, new_id):
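Review bot: `test_predictable_revoked_pki_token_id` and `test_predictable_revoked_uuid_token_id` repeat the same create/delete/list/`'expires'` sequence verbatim and differ only in the token id and the expected revoked id, so a small helper taking those two values would leave each test stating only what is specific to it and would call `list_revoked_tokens()` once instead of twice per test. The PKI test's extra `self.assertNotIn(token_id, revoked_ids)` is the security-relevant assertion (the raw PKI token must not be exposed by the revocation list) and deserves a comment saying so. The NOTE(dolph) comment also misspells "prefix" as "previx". The surrounding `TokenTests` class begins before the hunk and `TrustTests` continues after it.

```python
def _check_revoked_token(self, token_id, expected_revoked_id):
    # Create and revoke token_id, then verify the revocation list
    # carries expected_revoked_id and that every entry has 'expires'.
    token = {'user': {'id': uuid.uuid4().hex}}
    self.token_api.create_token(token_id, token)
    self.token_api.delete_token(token_id)
    revoked = self.token_api.list_revoked_tokens()
    self.assertIn(expected_revoked_id, [x['id'] for x in revoked])
    for t in revoked:
        self.assertIn('expires', t)
    return revoked

def test_predictable_revoked_pki_token_id(self):
    # ... unchanged: NOTE(dolph) comment on the 'MII' prefix ...
    token_id = 'MII' + self._create_token_id()
    revoked = self._check_revoked_token(token_id,
                                        hashlib.md5(token_id).hexdigest())
    # The revocation list must expose only the hash, never the PKI token.
    self.assertNotIn(token_id, [x['id'] for x in revoked])

def test_predictable_revoked_uuid_token_id(self):
    token_id = uuid.uuid4().hex
    self._check_revoked_token(token_id, token_id)
```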
--
1.8.2.1 (Apple Git-45)