Merge "Simplify federation and oauth token callbacks"

2018-02-19 17:16:42 +00:00 · 2018-02-19 17:16:42 +00:00 · c80df22669
parent 7c96e99301 dd91f41c0a
commit c80df22669
4 changed files with 23 additions and 29 deletions
--- a/keystone/federation/core.py
+++ b/keystone/federation/core.py
@ -68,12 +68,14 @@ class Manager(manager.Manager):
        # NOTE(lbragstad): If an identity provider is removed from the system,
        # then we need to invalidate the token cache. Otherwise it will be
        # possible for federated tokens to be considered valid after a service
-        # provider removes a federated identity provider resource. The `idp_id`
-        # isn't actually used when invalidating the token cache but we have to
-        # pass something.
-        notifications.Audit.internal(
-            notifications.INVALIDATE_TOKEN_CACHE_DELETED_IDP, idp_id
+        # provider removes a federated identity provider resource.
+        reason = (
+            'The token cache is being invalidated because identity provider '
+            '%(idp_id)s has been deleted. Authorization for federated users '
+            'will be recalculated and enforced accordingly the next time '
+            'they authenticate or validate a token.' % {'idp_id': idp_id}
        )
+        notifications.invalidate_token_cache_notification(reason)

    def _cleanup_idp_domain(self, domain_id):
        domain = {'enabled': False}
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@ -79,8 +79,6 @@ CONF = keystone.conf.CONF
 INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
 PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
 REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
-INVALIDATE_USER_OAUTH_CONSUMER_TOKENS = 'invalidate_user_consumer_tokens'
-INVALIDATE_TOKEN_CACHE_DELETED_IDP = 'invalidate_token_cache_from_deleted_idp'
 DOMAIN_DELETED = 'domain_deleted'


--- a/keystone/oauth1/controllers.py
+++ b/keystone/oauth1/controllers.py
@ -39,17 +39,6 @@ LOG = log.getLogger(__name__)
 PROVIDERS = provider_api.ProviderAPIs


-def _emit_user_oauth_consumer_token_invalidate(payload):
-    # This is a special case notification that expect the payload to be a dict
-    # containing the user_id and the consumer_id. This is so that the token
-    # provider can invalidate any tokens in the token persistence if
-    # token persistence is enabled
-    notifications.Audit.internal(
-        notifications.INVALIDATE_USER_OAUTH_CONSUMER_TOKENS,
-        payload,
-    )
-
-
 class ConsumerCrudV3(controller.V3Controller):
    collection_name = 'consumers'
    member_name = 'consumer'
@ -93,10 +82,14 @@ class ConsumerCrudV3(controller.V3Controller):

    @controller.protected()
    def delete_consumer(self, request, consumer_id):
-        user_token_ref = authorization.get_token_ref(request.context_dict)
-        payload = {'user_id': user_token_ref.user_id,
-                   'consumer_id': consumer_id}
-        _emit_user_oauth_consumer_token_invalidate(payload)
+        reason = (
+            'Invalidating token cache because consumer %(consumer_id)s has '
+            'been deleted. Authorization for users with OAuth tokens will be '
+            'recalculated and enforced accordingly the next time they '
+            'authenticate or validate a token.' %
+            {'consumer_id': consumer_id}
+        )
+        notifications.invalidate_token_cache_notification(reason)
        PROVIDERS.oauth_api.delete_consumer(
            consumer_id, initiator=request.audit_initiator
        )
@ -140,9 +133,14 @@ class AccessTokenCrudV3(controller.V3Controller):
    @controller.protected()
    def delete_access_token(self, request, user_id, access_token_id):
        access_token = PROVIDERS.oauth_api.get_access_token(access_token_id)
-        consumer_id = access_token['consumer_id']
-        payload = {'user_id': user_id, 'consumer_id': consumer_id}
-        _emit_user_oauth_consumer_token_invalidate(payload)
+        reason = (
+            'Invalidating the token cache because an access token for '
+            'consumer %(consumer_id)s has been deleted. Authorization for '
+            'users with OAuth tokens will be recalculated and enforced '
+            'accordingly the next time they authenticate or validate a '
+            'token.' % {'consumer_id': access_token['consumer_id']}
+        )
+        notifications.invalidate_token_cache_notification(reason)
        return PROVIDERS.oauth_api.delete_access_token(
            user_id, access_token_id, initiator=request.audit_initiator
        )
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -80,10 +80,6 @@ class Manager(manager.Manager):
                ['project', self._drop_token_cache],
            ],
            notifications.ACTIONS.internal: [
-                [notifications.INVALIDATE_USER_OAUTH_CONSUMER_TOKENS,
-                    self._drop_token_cache],
-                [notifications.INVALIDATE_TOKEN_CACHE_DELETED_IDP,
-                    self._drop_token_cache],
                [notifications.INVALIDATE_TOKEN_CACHE,
                    self._drop_token_cache],
            ]