From dd91f41c0a65856aebc7c7fddf7843da949be8de Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 14 Feb 2018 23:13:31 +0000 Subject: [PATCH] Simplify federation and oauth token callbacks The token provider listened for specific callbacks from the federation and oauth APIs. These were mainly for token invalidation and token persistence removal. Now that the sql token driver and uuid token provider have been removed, we can remove the need for persistence notifications. Instead, both of these cases can use a generic token cache invalidation callback. This makes the token provider Manager simpler because it only has to listen for a single internal notification to invalidate the token cache, instead of multiple. It also makes the code sending the notification easier to understand because it's clearer about what it's doing. Change-Id: I3281a013ce2764872dda8c183c4e9851974e1d14 --- keystone/federation/core.py | 12 +++++++----- keystone/notifications.py | 2 -- keystone/oauth1/controllers.py | 34 ++++++++++++++++------------------ keystone/token/provider.py | 4 ---- 4 files changed, 23 insertions(+), 29 deletions(-)
diff --git a/keystone/federation/core.py b/keystone/federation/core.py
index 92da910b04..a78f6039d6 100644
--- a/keystone/federation/core.py
+++ b/keystone/federation/core.py
@@ -68,12 +68,14 @@ class Manager(manager.Manager):
 # NOTE(lbragstad): If an identity provider is removed from the system,
 # then we need to invalidate the token cache. Otherwise it will be
 # possible for federated tokens to be considered valid after a service
- # provider removes a federated identity provider resource. The `idp_id`
- # isn't actually used when invalidating the token cache but we have to
- # pass something.
- notifications.Audit.internal(
- notifications.INVALIDATE_TOKEN_CACHE_DELETED_IDP, idp_id
+ # provider removes a federated identity provider resource.
+ reason = (
+ 'The token cache is being invalidated because identity provider '
+ '%(idp_id)s has been deleted. Authorization for federated users '
+ 'will be recalculated and enforced accordingly the next time '
+ 'they authenticate or validate a token.' % {'idp_id': idp_id}
 )
+ notifications.invalidate_token_cache_notification(reason)
 def _cleanup_idp_domain(self, domain_id):
 domain = {'enabled': False}
diff --git a/keystone/notifications.py b/keystone/notifications.py
index fe74478d9a..3a32865c03 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -79,8 +79,6 @@ CONF = keystone.conf.CONF
 INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
 PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
 REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
-INVALIDATE_USER_OAUTH_CONSUMER_TOKENS = 'invalidate_user_consumer_tokens'
-INVALIDATE_TOKEN_CACHE_DELETED_IDP = 'invalidate_token_cache_from_deleted_idp'
 DOMAIN_DELETED = 'domain_deleted'
diff --git a/keystone/oauth1/controllers.py b/keystone/oauth1/controllers.py
index 47bda86a1a..4d26c19bd8 100644
--- a/keystone/oauth1/controllers.py
+++ b/keystone/oauth1/controllers.py
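Review bot: The NOTE comment and the reason text talk about federated tokens, but the handler registered for INVALIDATE_TOKEN_CACHE in keystone/token/provider.py is `_drop_token_cache`, so this call flushes the whole token cache for every user, not only tokens issued through this IdP; the comment should say so, e.g. `# This drops the entire token cache (all users), not just tokens issued via this IdP.`. This patch does not add `invalidate_token_cache_notification` anywhere (the notifications.py hunk only removes two constants), so it presumably already exists in keystone/notifications.py — worth confirming before merge. The enclosing method starts outside the hunk, so it is not visible whether the IdP row is deleted before or after this notification; if the delete happens afterwards, a validation racing between the flush and the delete can re-cache a token against the still-existing IdP, and the notification should move after the delete completes.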
@@ -39,17 +39,6 @@ LOG = log.getLogger(__name__)
 PROVIDERS = provider_api.ProviderAPIs
-def _emit_user_oauth_consumer_token_invalidate(payload):
- # This is a special case notification that expect the payload to be a dict
- # containing the user_id and the consumer_id. This is so that the token
- # provider can invalidate any tokens in the token persistence if
- # token persistence is enabled
- notifications.Audit.internal(
- notifications.INVALIDATE_USER_OAUTH_CONSUMER_TOKENS,
- payload,
- )
-
-
 class ConsumerCrudV3(controller.V3Controller):
 collection_name = 'consumers'
 member_name = 'consumer'
@@ -93,10 +82,14 @@ class ConsumerCrudV3(controller.V3Controller):
 @controller.protected()
 def delete_consumer(self, request, consumer_id):
- user_token_ref = authorization.get_token_ref(request.context_dict)
- payload = {'user_id': user_token_ref.user_id, 'consumer_id': consumer_id}
- _emit_user_oauth_consumer_token_invalidate(payload)
+ reason = (
+ 'Invalidating token cache because consumer %(consumer_id)s has '
+ 'been deleted. Authorization for users with OAuth tokens will be '
+ 'recalculated and enforced accordingly the next time they '
+ 'authenticate or validate a token.' % {'consumer_id': consumer_id}
+ )
+ notifications.invalidate_token_cache_notification(reason)
 PROVIDERS.oauth_api.delete_consumer(
 consumer_id, initiator=request.audit_initiator
 )
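Review bot: In delete_consumer the cache flush is emitted before `PROVIDERS.oauth_api.delete_consumer(...)` runs, so a token validation that lands between the two calls can repopulate the cache with an entry for the still-existing consumer, which then outlives the deletion — exactly the stale-authorization window the flush is meant to close. It also means a delete that fails (unknown consumer_id, backend error) still discards every cached token in the deployment. The old code had the same ordering, so this is not a regression, but since the lines are being rewritten anyway the two statements should be swapped: call `PROVIDERS.oauth_api.delete_consumer(consumer_id, initiator=request.audit_initiator)` first and then `notifications.invalidate_token_cache_notification(reason)`. Whether the first hunk's helper had any remaining callers outside this file is not visible here; presumably the rename to the generic notification covers them.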
@@ -140,9 +133,14 @@ class AccessTokenCrudV3(controller.V3Controller):
 @controller.protected()
 def delete_access_token(self, request, user_id, access_token_id):
 access_token = PROVIDERS.oauth_api.get_access_token(access_token_id)
- consumer_id = access_token['consumer_id']
- payload = {'user_id': user_id, 'consumer_id': consumer_id}
- _emit_user_oauth_consumer_token_invalidate(payload)
+ reason = (
+ 'Invalidating the token cache because an access token for '
+ 'consumer %(consumer_id)s has been deleted. Authorization for '
+ 'users with OAuth tokens will be recalculated and enforced '
+ 'accordingly the next time they authenticate or validate a '
+ 'token.' % {'consumer_id': access_token['consumer_id']}
+ )
+ notifications.invalidate_token_cache_notification(reason)
 return PROVIDERS.oauth_api.delete_access_token(
 user_id, access_token_id, initiator=request.audit_initiator
 )
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 28721deb21..71b499b4d4 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -80,10 +80,6 @@ class Manager(manager.Manager):
 ['project', self._drop_token_cache],
 ],
 notifications.ACTIONS.internal: [
- [notifications.INVALIDATE_USER_OAUTH_CONSUMER_TOKENS, self._drop_token_cache],
- [notifications.INVALIDATE_TOKEN_CACHE_DELETED_IDP, self._drop_token_cache],
 [notifications.INVALIDATE_TOKEN_CACHE, self._drop_token_cache],
 ]
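Review bot: In delete_access_token the global cache flush fires before `PROVIDERS.oauth_api.delete_access_token(user_id, ...)` has checked anything about the request: `get_access_token(access_token_id)` is looked up by id alone, so if the driver later rejects a token that does not belong to `user_id`, the whole token cache has already been dropped on behalf of a caller who was not allowed to delete that token, and a validation racing between the flush and the delete can re-cache the token that is about to be removed. The flush should follow a successful delete: `result = PROVIDERS.oauth_api.delete_access_token(user_id, access_token_id, initiator=request.audit_initiator)`, then `notifications.invalidate_token_cache_notification(reason)`, then `return result`. Whether the driver enforces the user_id/token ownership check is not visible in this hunk and should be confirmed, since the reason string is built from `access_token['consumer_id']` of whatever token the id resolves to.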