authorYang Youseok <ileixe@gmail.com>2019-01-29 18:59:12 +0900
committerYang Youseok <ileixe@gmail.com>2019-02-07 12:14:51 +0900
commit4e51cb8e6b4968fcb68903dce7e773b218f85bb7 (patch)
tree892225214296a67d6c17fdd5d30c520a84d34af8
parent4bc09580070c5f6afa9ef39a3d9d1641de557589 (diff)
Add auth invalidation in auth_token for identity endpoint update
Currently auth_token middleware does not notice identity endpoint updates, since the service catalog is not updated after the service having auth_token middleware has started. Add invalidation logic when an EndpointNotFound exception occurs so that auth_token middleware can be notified of service catalog updates without a restart. Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0 Closes-Bug: #1813739
Notes
Notes (review): Code-Review+2: Colleen Murphy <colleen@gazlene.net> Code-Review+2: Lance Bragstad <lbragstad@gmail.com> Workflow+1: Lance Bragstad <lbragstad@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 13 Feb 2019 01:46:21 +0000 Reviewed-on: https://review.openstack.org/633695 Project: openstack/keystonemiddleware Branch: refs/heads/master
-rw-r--r--keystonemiddleware/auth_token/__init__.py4
-rw-r--r--keystonemiddleware/auth_token/_identity.py3
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py13
-rw-r--r--releasenotes/notes/bug-1813739-80eae72371903119.yaml9
4 files changed, 29 insertions, 0 deletions
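--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -760,6 +760,10 @@ class AuthProtocol(BaseAuthProtocol):
  _CACHE_INVALID_INDICATOR)
  self.log.warning('Authorization failed for token')
  raise
+ except ksa_exceptions.EndpointNotFound:
+ # Invalidate auth in adapter for identity endpoint update
+ self._identity_server.invalidate()
+ raise
 
  return data
 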
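Review bot: The new `except ksa_exceptions.EndpointNotFound:` branch invalidates the adapter's auth and re-raises without logging anything, unlike the branch above it, which logs 'Authorization failed for token'. Operators then have no record of why the service auth was discarded; a line such as `self.log.warning('Identity endpoint not found, invalidating service auth')` before the `invalidate()` call would give one. Re-raising keeps the request failing closed, which is right, but while the catalog really lacks the endpoint every incoming token validation will presumably trigger a fresh service authentication against Keystone, so it is worth confirming that request volume alone cannot turn this into a re-authentication storm. The enclosing method starts outside the hunk, so how the re-raised exception is mapped to an HTTP response is not visible here.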
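--- a/keystonemiddleware/auth_token/_identity.py
+++ b/keystonemiddleware/auth_token/_identity.py
@@ -239,3 +239,6 @@ class IdentityServer(object):
 
  def fetch_ca_cert(self):
  return self._request_strategy.fetch_ca_cert()
+
+ def invalidate(self):
+ return self._adapter.invalidate()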
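Review bot: `invalidate()` is added without a docstring, so a reader of `IdentityServer` cannot tell what is being invalidated or what the return value means. A one-line docstring such as `"""Invalidate the auth held by the adapter; returns whatever the adapter's invalidate() returns."""` would cover it. The only caller added in this commit ignores the return value, so it may be worth stating whether callers are expected to check it. The class body starts outside the hunk.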
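--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -97,6 +97,7 @@ VERSION_LIST_v2 = fixture.DiscoveryList(v3=False, href=BASE_URI)
 
 ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2'
 TIMEOUT_TOKEN = '4ed1c5e53beee59458adcf8261a8cae2'
+ENDPOINT_NOT_FOUND_TOKEN = 'edf9fa62-5afd-4d64-89ac-f99b209bd995'
 
 
 def strtime(at=None):
@@ -1534,6 +1535,8 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
  raise ksa_exceptions.ConnectFailure(msg)
  elif token_id == TIMEOUT_TOKEN:
  request_timeout_response(request, context)
+ elif token_id == ENDPOINT_NOT_FOUND_TOKEN:
+ raise ksa_exceptions.EndpointNotFound()
 
  try:
  response = self.examples.JSON_TOKEN_RESPONSES[token_id]
@@ -1686,6 +1689,16 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
  new_data = self.middleware.fetch_token(token)
  self.assertEqual(data, new_data)
 
+ def test_endpoint_not_found_in_token(self):
+ token = ENDPOINT_NOT_FOUND_TOKEN
+ self.set_middleware()
+ self.middleware._token_cache.initialize({})
+ with mock.patch.object(self.middleware._identity_server, 'invalidate',
+ new=mock.Mock()):
+ self.assertRaises(ksa_exceptions.EndpointNotFound,
+ self.middleware.fetch_token, token)
+ self.assertTrue(self.middleware._identity_server.invalidate.called)
+
  def test_not_is_admin_project(self):
  token = self.examples.v3_NOT_IS_ADMIN_PROJECT
  self.set_middleware(expected_env={'HTTP_X_IS_ADMIN_PROJECT': 'False'})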
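Review bot: `test_endpoint_not_found_in_token` only checks `invalidate.called`, which stays true however many times and with whatever arguments the mock was called. Binding the patch with `with mock.patch.object(self.middleware._identity_server, 'invalidate') as invalidate:` and ending with `invalidate.assert_called_once_with()` would pin the behaviour exactly. The test also stops at the exception, so it does not show that a later `fetch_token` succeeds once the endpoint exists, which is the scenario the commit message describes. The enclosing test class starts outside the section.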
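--- /dev/null
+++ b/releasenotes/notes/bug-1813739-80eae72371903119.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ [`bug/1813739 <https://bugs.launchpad.net/keystonemiddleware/+bug/1813739>`_]
+ When admin identity endpoint is not created yet, keystonemiddleware emit
+ EndpointNotFound exception. Even after admin identity endpoint created,
+ auth_token middleware could not be notified of update since it does not
+ invalidate existing auth. Add an invalidation step so that endpoint
+ updates can be detected.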