From b39b59197faddd84646c24698a66d34994de0dab Mon Sep 17 00:00:00 2001
From: Morgan Fainberg <morgan.fainberg@gmail.com>
Date: Tue, 16 Oct 2018 11:20:33 -0700
Subject: [PATCH] Invalidate app cred AFTER deletion

Invalidate the application credential after deletion, not before.
This prevents timing issues where an app_cred could remain active
after deletion.

Change-Id: I14748bf2399e5da4ee360f451a8050f25dd90803
(cherry picked from commit 906a1d3f689b9226cb949153fc9b07d287e7ff75)
---
 keystone/application_credential/core.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keystone/application_credential/core.py b/keystone/application_credential/core.py
index 8ee8c57426..147380719c 100644
--- a/keystone/application_credential/core.py
+++ b/keystone/application_credential/core.py
@@ -179,9 +179,9 @@ class Manager(manager.Manager):
         :raises keystone.exception.ApplicationCredentialNotFound: If the
             application credential doesn't exist.
         """
+        self.driver.delete_application_credential(application_credential_id)
         self.get_application_credential.invalidate(self,
                                                    application_credential_id)
-        self.driver.delete_application_credential(application_credential_id)
         notifications.Audit.deleted(
             self._APP_CRED, application_credential_id, initiator)