Add auth invalidation in auth_token for identity endpoint update

Currently the auth_token middleware does not pick up identity endpoint
updates, because its service catalog is not refreshed once the service
running the auth_token middleware has started.

Add invalidation logic for when an EndpointNotFound exception occurs, so
that the auth_token middleware picks up service catalog updates
without a restart.

Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
Yang Youseok 2019-01-29 18:59:12 +09:00
parent 4bc0958007
commit 4e51cb8e6b
4 changed files with 29 additions and 0 deletions


@ -760,6 +760,10 @@ class AuthProtocol(BaseAuthProtocol):
_CACHE_INVALID_INDICATOR)
self.log.warning('Authorization failed for token')
raise
except ksa_exceptions.EndpointNotFound:
# Invalidate auth in adapter for identity endpoint update
self._identity_server.invalidate()
raise
return data
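Review bot: The new `except ksa_exceptions.EndpointNotFound:` branch invalidates the cached service auth and re-raises without logging, unlike the branch just above it, which logs a warning before `raise`. Operators then have no record of when or how often the middleware dropped its auth state; I would add `self.log.warning('Identity endpoint not found; invalidating cached auth')` before the `invalidate()` call. Because this runs on every token fetch that hits the exception, a sustained catalog problem presumably means one re-authentication against the identity service per inbound request, so it is worth confirming that load is acceptable or bounding it. The enclosing method starts and ends outside the hunk, so how callers translate the re-raised exception is not visible here.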


@ -239,3 +239,6 @@ class IdentityServer(object):
def fetch_ca_cert(self):
return self._request_strategy.fetch_ca_cert()
def invalidate(self):
return self._adapter.invalidate()
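Review bot: `invalidate()` is added without a docstring, and its effect on the service credentials is not obvious from the one-line body. I would add something like `"""Invalidate the adapter's cached auth so it is re-established on next use."""`, adjusted to whatever the adapter actually guarantees. The docstring should also say whether callers may rely on the value passed through from `self._adapter.invalidate()`, since the only caller in this commit ignores it. The class body starts outside the hunk.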


@ -97,6 +97,7 @@ VERSION_LIST_v2 = fixture.DiscoveryList(v3=False, href=BASE_URI)
ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2'
TIMEOUT_TOKEN = '4ed1c5e53beee59458adcf8261a8cae2'
ENDPOINT_NOT_FOUND_TOKEN = 'edf9fa62-5afd-4d64-89ac-f99b209bd995'
def strtime(at=None):
@ -1534,6 +1535,8 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
raise ksa_exceptions.ConnectFailure(msg)
elif token_id == TIMEOUT_TOKEN:
request_timeout_response(request, context)
elif token_id == ENDPOINT_NOT_FOUND_TOKEN:
raise ksa_exceptions.EndpointNotFound()
try:
response = self.examples.JSON_TOKEN_RESPONSES[token_id]
@ -1686,6 +1689,16 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
new_data = self.middleware.fetch_token(token)
self.assertEqual(data, new_data)
def test_endpoint_not_found_in_token(self):
token = ENDPOINT_NOT_FOUND_TOKEN
self.set_middleware()
self.middleware._token_cache.initialize({})
with mock.patch.object(self.middleware._identity_server, 'invalidate',
new=mock.Mock()):
self.assertRaises(ksa_exceptions.EndpointNotFound,
self.middleware.fetch_token, token)
self.assertTrue(self.middleware._identity_server.invalidate.called)
def test_not_is_admin_project(self):
token = self.examples.v3_NOT_IS_ADMIN_PROJECT
self.set_middleware(expected_env={'HTTP_X_IS_ADMIN_PROJECT': 'False'})
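Review bot: `test_endpoint_not_found_in_token` only checks that `invalidate` was called at least once, via `self.assertTrue(self.middleware._identity_server.invalidate.called)`. Using `self.middleware._identity_server.invalidate.assert_called_once_with()` would pin one invalidation per failed fetch and catch an accidental repeat call. The test also does not assert that the failed token stays out of the token cache, nor that a later fetch succeeds once the endpoint exists, which is the recovery this fix is for; a second test covering that path would be worth adding. The test class starts and ends outside these hunks.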


@ -0,0 +1,9 @@
---
fixes:
- |
[`bug/1813739 <https://bugs.launchpad.net/keystonemiddleware/+bug/1813739>`_]
When admin identity endpoint is not created yet, keystonemiddleware emit
EndpointNotFound exception. Even after admin identity endpoint created,
auth_token middleware could not be notified of update since it does not
invalidate existing auth. Add an invalidation step so that endpoint
updates can be detected.