Revoke user tokens when disabling/delete a tenant
Revoke tokens scoped to all users from a tenant when disabling or deleting the tenant. Closes-Bug: #1179955 Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
This commit is contained in:
parent
44d72a2c32
commit
7244e5342a
|
@ -399,14 +399,30 @@ class TenantController(wsgi.Application):
|
|||
context, tenant_ref['id'], tenant_ref)
|
||||
return {'tenant': tenant}
|
||||
|
||||
def _delete_tokens_for_user(self, context, user_id, tenant_id=None):
|
||||
self.token_api.revoke_tokens(context, user_id, tenant_id=tenant_id)
|
||||
|
||||
def _delete_tokens_for_tenant(self, context, tenant_id):
|
||||
for user_ref in self.identity_api.get_tenant_users(context, tenant_id):
|
||||
self._delete_tokens_for_user(
|
||||
context, user_ref['id'], tenant_id=tenant_id)
|
||||
|
||||
def update_tenant(self, context, tenant_id, tenant):
|
||||
self.assert_admin(context)
|
||||
|
||||
# If the tenant has been disabled (or enabled=False) we are
|
||||
# deleting the tokens for that tenant.
|
||||
if not tenant.get('enabled', True):
|
||||
self._delete_tokens_for_tenant(context, tenant_id)
|
||||
|
||||
tenant_ref = self.identity_api.update_tenant(
|
||||
context, tenant_id, tenant)
|
||||
return {'tenant': tenant_ref}
|
||||
|
||||
def delete_tenant(self, context, tenant_id):
|
||||
self.assert_admin(context)
|
||||
# Delete all tokens belonging to the users for that tenant
|
||||
self._delete_tokens_for_tenant(context, tenant_id)
|
||||
self.identity_api.delete_tenant(context, tenant_id)
|
||||
|
||||
def get_tenant_users(self, context, tenant_id, **kw):
|
||||
|
|
|
@ -368,6 +368,51 @@ class KeystoneClientTests(object):
|
|||
client.tokens.authenticate,
|
||||
token=token_id)
|
||||
|
||||
def test_disable_tenant_invalidates_token(self):
|
||||
from keystoneclient import exceptions as client_exceptions
|
||||
|
||||
admin_client = self.get_client(admin=True)
|
||||
foo_client = self.get_client(self.user_foo)
|
||||
|
||||
# Disable the tenant.
|
||||
admin_client.tenants.update(self.tenant_bar['id'], enabled=False)
|
||||
|
||||
# Test that the token has been removed.
|
||||
self.assertRaises(client_exceptions.Unauthorized,
|
||||
foo_client.tokens.authenticate,
|
||||
token=foo_client.auth_token)
|
||||
|
||||
# Test that the user access has been disabled.
|
||||
self.assertRaises(client_exceptions.Unauthorized,
|
||||
self.get_client,
|
||||
self.user_foo)
|
||||
|
||||
def test_delete_tenant_invalidates_token(self):
|
||||
from keystoneclient import exceptions as client_exceptions
|
||||
|
||||
admin_client = self.get_client(admin=True)
|
||||
foo_client = self.get_client(self.user_foo, self.tenant_bar)
|
||||
tenant_bar = admin_client.tenants.get(self.tenant_bar['id'])
|
||||
|
||||
# Delete the tenant.
|
||||
tenant_bar.delete()
|
||||
|
||||
# Test that the token has been removed.
|
||||
self.assertRaises(client_exceptions.Unauthorized,
|
||||
foo_client.tokens.authenticate,
|
||||
token=foo_client.auth_token)
|
||||
|
||||
# Test that the user access has been disabled.
|
||||
"""
|
||||
# FIXME(dolph): this assertion should not be skipped, but appears to be
|
||||
# an unrelated bug? auth succeeds, even though tenant_bar
|
||||
# was deleted
|
||||
self.assertRaises(client_exceptions.Unauthorized,
|
||||
self.get_client,
|
||||
self.user_foo,
|
||||
self.tenant_bar)
|
||||
"""
|
||||
|
||||
def test_disable_user_invalidates_token(self):
|
||||
from keystoneclient import exceptions as client_exceptions
|
||||
|
||||
|
@ -1111,6 +1156,12 @@ class KcEssex3TestCase(CompatTestCase, KeystoneClientTests):
|
|||
def test_endpoint_delete_404(self):
|
||||
raise nose.exc.SkipTest('N/A')
|
||||
|
||||
def test_disable_tenant_invalidates_token(self):
|
||||
raise self.skipTest('N/A')
|
||||
|
||||
def test_delete_tenant_invalidates_token(self):
|
||||
raise self.skipTest('N/A')
|
||||
|
||||
|
||||
class Kc11TestCase(CompatTestCase, KeystoneClientTests):
|
||||
def get_checkout(self):
|
||||
|
|
Loading…
Reference in New Issue