From ee1dc941042d1f71699971c5c30566af1b348572 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Mon, 2 May 2016 19:16:11 +0000
Subject: Fix fernet audit ids for v2.0

The fernet token provider was doing some weird things with audit ids that
caused token rescoping to not work because audit ids were never pulled from the
original token. This commit also enables some tests for v2.0 authentication
with Fernet as the token provider.

Closes-Bug: 1577558
Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
(cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240)
---
 keystone/tests/unit/test_auth.py        | 22 ++++++++++++++++++++++
 keystone/token/controllers.py           |  3 ++-
 keystone/token/providers/fernet/core.py |  9 ++-------
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py
index b09d9ac..6f44b31 100644
--- a/keystone/tests/unit/test_auth.py
+++ b/keystone/tests/unit/test_auth.py
@@ -33,6 +33,7 @@ from keystone import exception
 from keystone.models import token_model
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
+from keystone.tests.unit import ksfixtures
 from keystone.tests.unit.ksfixtures import database
 from keystone import token
 from keystone.token import provider
@@ -671,6 +672,27 @@ class AuthWithToken(AuthTest):
                               token_id=token_2_id)
 
 
+class FernetAuthWithToken(AuthWithToken):
+    def config_overrides(self):
+        super(FernetAuthWithToken, self).config_overrides()
+        self.config_fixture.config(group='token', provider='fernet')
+        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+
+    def test_token_auth_with_binding(self):
+        self.config_fixture.config(group='token', bind=['kerberos'])
+        body_dict = _build_user_auth()
+        self.assertRaises(exception.NotImplemented,
+                          self.controller.authenticate,
+                          self.context_with_remote_user,
+                          body_dict)
+
+    def test_revoke_with_no_audit_info(self):
+        self.skipTest('Fernet with v2.0 and revocation is broken')
+
+    def test_deleting_role_revokes_token(self):
+        self.skipTest('Fernet with v2.0 and revocation is broken')
+
+
 class AuthWithPasswordCredentials(AuthTest):
     def test_auth_invalid_user(self):
         """Verify exception is raised if invalid user."""
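Review bot: The two skipTest calls in test_revoke_with_no_audit_info and test_deleting_role_revokes_token record only a free-text reason, so the revocation coverage this subclass drops for the Fernet provider is not tied to anything trackable. Token revocation is a security control, and a skip reason that names the tracking bug keeps the gap visible when test coverage is later audited, e.g. `self.skipTest('Fernet with v2.0 and revocation is broken; see bug <BUG-ID>')` with the real bug number substituted. Hoisting the shared reason string into a module-level constant would also avoid the duplicated literal.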
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index f610fc4..6eeb23e 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -180,7 +180,8 @@ class Auth(controller.V2Controller):
         try:
             token_model_ref = token_model.KeystoneToken(
                 token_id=old_token,
-                token_data=self.token_provider_api.validate_token(old_token))
+                token_data=self.token_provider_api.validate_v2_token(old_token)
+            )
         except exception.NotFound as e:
             raise exception.Unauthorized(e)
 
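Review bot: The switch from validate_token to validate_v2_token on the old_token lookup carries no comment saying why the v2-specific validator is required here, and the diff alone does not make it obvious. A one-line comment above the KeystoneToken construction would help the next reader, e.g. `# Validate as a v2 token so token_data has the v2 layout this controller reads.` — presumably that is the reason, given this is a V2Controller, but confirm against the provider API. The enclosing method begins before this hunk and continues after it.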
diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py
index 8042aab..ff6fe9c 100644
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@@ -15,7 +15,6 @@ from oslo_config import cfg
 from keystone.common import dependency
 from keystone.common import utils as ks_utils
 from keystone.federation import constants as federation_constants
-from keystone.token import provider
 from keystone.token.providers import common
 from keystone.token.providers.fernet import token_formatters as tf
 
@@ -145,12 +144,8 @@ class Provider(common.BaseProvider):
         expires_at = token_data['access']['token']['expires']
         audit_ids = token_data['access']['token'].get('audit_ids')
         methods = ['password']
-        if audit_ids:
-            parent_audit_id = token_data['access']['token'].get(
-                'parent_audit_id')
-            audit_ids = provider.audit_info(parent_audit_id)
-            if parent_audit_id:
-                methods.append('token')
+        if len(audit_ids) > 1:
+            methods.append('token')
         project_id = token_data['access']['token'].get('tenant', {}).get('id')
         domain_id = None
         trust_id = None
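Review bot: `if len(audit_ids) > 1:` raises TypeError when audit_ids is None, which the `.get('audit_ids')` two lines above it allows; the removed `if audit_ids:` guard covered that case and the new condition does not. Either keep the guard, `if audit_ids and len(audit_ids) > 1:`, or, if every v2 token_data reaching this method is guaranteed to carry audit_ids, index with `token_data['access']['token']['audit_ids']` so a missing key fails with a clear KeyError instead of a TypeError further down. The enclosing method starts before this hunk and continues after it.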
-- 