Fix 500 error when no fernet token is passed

Keystone returns internal server error if the
user doesn't send any token. This happens only for
fernet token. This review returns 401 if the token
is not passed. Logic is moved from provider to
controller layer.

Since the logic has movoed to controller, some
of code which directly checks for no token in
the provider and their corresponding  tests
has been removed from the token providers
as they are redundant.

Closes-Bug: 1526976

Change-Id: I0b6b0c48d6c841f996d1b8711d6c343ddfd5d945

keystone/tests/unit/test_backend.py

@@ -4294,9 +4294,6 @@ class TokenTests(object):
         self.assertRaises(exception.TokenNotFound,
                           self.token_provider_api._persistence.get_token,
                           uuid.uuid4().hex)
-        self.assertRaises(exception.TokenNotFound,
-                          self.token_provider_api._persistence.get_token,
-                          None)
 
     def test_delete_token_returns_not_found(self):
         self.assertRaises(exception.TokenNotFound,

keystone/tests/unit/test_token_provider.py

@@ -781,6 +781,12 @@ class TestTokenProvider(unit.TestCase):
         self.assertIsNone(
             self.token_provider_api._is_valid_token(create_v3_token()))
 
+    def test_no_token_raises_token_not_found(self):
+        self.assertRaises(
+            exception.TokenNotFound,
+            self.token_provider_api.validate_token,
+            None)
+
 
 # NOTE(ayoung): renamed to avoid automatic test detection
 class PKIProviderTests(object):

keystone/tests/unit/test_v3_auth.py

@@ -403,6 +403,17 @@ class TokenAPITests(object):
         r = self.get('/auth/tokens', headers=self.headers)
         self.assertValidUnscopedTokenResponse(r)
 
+    def test_validate_missing_subject_token(self):
+        self.get('/auth/tokens',
+                 expected_status=http_client.NOT_FOUND)
+
+    def test_validate_missing_auth_token(self):
+        self.admin_request(
+            method='GET',
+            path='/v3/projects',
+            token=None,
+            expected_status=http_client.UNAUTHORIZED)
+
     def test_validate_token_nocatalog(self):
         v3_token = self.get_requested_token(self.build_authentication_request(
             user_id=self.user['id'],

keystone/token/persistence/core.py

@@ -60,11 +60,6 @@ class PersistenceManager(manager.Manager):
             raise exception.TokenNotFound(token_id=token_id)
 
     def get_token(self, token_id):
-        if not token_id:
-            # NOTE(morganfainberg): There are cases when the
-            # context['token_id'] will in-fact be None. This also saves
-            # a round-trip to the backend if we don't have a token_id.
-            raise exception.TokenNotFound(token_id='')
         unique_id = utils.generate_unique_id(token_id)
         token_ref = self._get_token(unique_id)
         # NOTE(morganfainberg): Lift expired checking to the manager, there is

keystone/token/provider.py

@@ -250,6 +250,9 @@ class Manager(manager.Manager):
             return self.check_revocation_v3(token)
 
     def validate_v3_token(self, token_id):
+        if not token_id:
+            raise exception.TokenNotFound(_('No token in the request'))
+
         unique_id = utils.generate_unique_id(token_id)
         # NOTE(lbragstad): Only go to persistent storage if we have a token to
         # fetch from the backend (the driver persists the token). Otherwise
@@ -266,6 +269,9 @@ class Manager(manager.Manager):
 
     @MEMOIZE
     def _validate_token(self, token_id):
+        if not token_id:
+            raise exception.TokenNotFound(_('No token in the request'))
+
         if not self._needs_persistence:
             return self.driver.validate_v3_token(token_id)
         token_ref = self._persistence.get_token(token_id)