7b70818954
Co-authored-by: Adam Young <ayoung@redhat.com> Token revocations are captured in the backends, During upgrade, all previous tickets are defaulted to valid. Revocation list returned as a signed document and can be fetched in an admin context via HTTP Change config values for enable diable PKI In the auth_token middleware, the revocation list is fetched prior to validating tokens. Any tokens that are on the revocation list will be treated as invalid. Added in PKI token tests that check the same logic as the UUID tests. Sample data for the tests is read out of the signing directory. dropped number on sql scripts to pass tests. Also fixes 1031373 Bug 1037683 Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23 |
||
---|---|---|
.. | ||
Makefile | ||
README | ||
auth_token_revoked.json | ||
auth_token_revoked.pem | ||
auth_token_scoped.json | ||
auth_token_scoped.pem | ||
auth_token_unscoped.json | ||
auth_token_unscoped.pem | ||
cacert.pem | ||
private_key.pem | ||
revocation_list.json | ||
revocation_list.pem | ||
signing_cert.pem |
README
The commands to create the various pem files for the signed tokens and revocation list were generated by the associated make file. The hashed value in the revocation list was generated using the revoked token using the following python code from keystone.common import cms,utils f=open("tests/signing/auth_token_revoked.pem","r") r=f.read() utils.hash_signed_token(cms.cms_to_token(r)) f.close()