Replace 401 to 404 when token is invalid
According to the specs, keystone should return 404 when a token is invalid. This commit fixes that, and also fixes the validate_token return. Change-Id: Ia44ea94c6f72ab6f46c0799056d41deddcbfb051 Closes-Bug: 1477600
This commit is contained in:
parent
f188815b54
commit
7bdeef8353
@ -4144,7 +4144,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
|
|||
unscoped_token = self._get_unscoped_token()
|
||||
tampered_token = (unscoped_token[:50] + uuid.uuid4().hex +
|
||||
unscoped_token[50 + 32:])
|
||||
self._validate_token(tampered_token, expected_status=401)
|
||||
self._validate_token(tampered_token, expected_status=404)
|
||||
|
||||
def test_revoke_unscoped_token(self):
|
||||
unscoped_token = self._get_unscoped_token()
|
||||
|
@ -4224,7 +4224,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
|
|||
project_scoped_token = self._get_project_scoped_token()
|
||||
tampered_token = (project_scoped_token[:50] + uuid.uuid4().hex +
|
||||
project_scoped_token[50 + 32:])
|
||||
self._validate_token(tampered_token, expected_status=401)
|
||||
self._validate_token(tampered_token, expected_status=404)
|
||||
|
||||
def test_revoke_project_scoped_token(self):
|
||||
project_scoped_token = self._get_project_scoped_token()
|
||||
|
@ -4332,7 +4332,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
|
|||
# Get a trust scoped token
|
||||
tampered_token = (trust_scoped_token[:50] + uuid.uuid4().hex +
|
||||
trust_scoped_token[50 + 32:])
|
||||
self._validate_token(tampered_token, expected_status=401)
|
||||
self._validate_token(tampered_token, expected_status=404)
|
||||
|
||||
def test_revoke_trust_scoped_token(self):
|
||||
trustee_user, trust = self._create_trust()
|
||||
|
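Review bot: The three assertions changed in this file (this hunk and the ones at 4224 and 4332) now expect a 404 for a tampered Fernet token, but nothing in the tests records why 404 rather than 401 is the correct status, so a later reader may "fix" it back. A one-line comment above each assertion, `# A token that cannot be decrypted is treated as not found (404), per the identity API spec cited in the commit`, would pin the intent. As a point of style, the tampering slice `token[:50] + uuid.uuid4().hex + token[50 + 32:]` is repeated with unexplained offsets in all three tests; a small `_tamper(token)` helper with a comment on what the 50/32 positions correspond to would make the fixtures easier to maintain. The enclosing test methods start outside these hunks.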
|
|
@ -42,15 +42,15 @@ class TestFernetTokenProvider(tests.TestCase):
|
|||
def test_needs_persistence_returns_false(self):
|
||||
self.assertFalse(self.provider.needs_persistence())
|
||||
|
||||
def test_invalid_v3_token_raises_401(self):
|
||||
def test_invalid_v3_token_raises_404(self):
|
||||
self.assertRaises(
|
||||
exception.Unauthorized,
|
||||
exception.TokenNotFound,
|
||||
self.provider.validate_v3_token,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_invalid_v2_token_raises_401(self):
|
||||
def test_invalid_v2_token_raises_404(self):
|
||||
self.assertRaises(
|
||||
exception.Unauthorized,
|
||||
exception.TokenNotFound,
|
||||
self.provider.validate_v2_token,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
|
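Review bot: The two renamed tests pass a random hex string to validate_v3_token and validate_v2_token, so they exercise only the path where decryption fails and the formatter raises ValidationError; the other new ValidationError source, an unrecognized payload version, is not covered as far as this hunk shows. If no other test in the module covers it, a case that feeds the provider a token whose payload version is unknown and asserts `exception.TokenNotFound` would protect that branch from regressing back to Unauthorized. The enclosing class header is outside the hunk.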
|
|
@ -142,14 +142,18 @@ class Provider(common.BaseProvider):
|
|||
|
||||
:param token_ref: reference describing the token to validate
|
||||
:returns: the token data
|
||||
:raises keystone.exception.TokenNotFound: if token format is invalid
|
||||
:raises keystone.exception.Unauthorized: if v3 token is used
|
||||
|
||||
"""
|
||||
(user_id, methods,
|
||||
audit_ids, domain_id,
|
||||
project_id, trust_id,
|
||||
federated_info, created_at,
|
||||
expires_at) = self.token_formatter.validate_token(token_ref)
|
||||
try:
|
||||
(user_id, methods,
|
||||
audit_ids, domain_id,
|
||||
project_id, trust_id,
|
||||
federated_info, created_at,
|
||||
expires_at) = self.token_formatter.validate_token(token_ref)
|
||||
except exception.ValidationError as e:
|
||||
raise exception.TokenNotFound(e)
|
||||
|
||||
if trust_id or domain_id or federated_info:
|
||||
msg = _('This is not a v2.0 Fernet token. Use v3 for trust, '
|
||||
|
@ -173,13 +177,16 @@ class Provider(common.BaseProvider):
|
|||
|
||||
:param token: a string describing the token to validate
|
||||
:returns: the token data
|
||||
:raises keystone.exception.Unauthorized: if token format version isn't
|
||||
:raises keystone.exception.TokenNotFound: if token format version isn't
|
||||
supported
|
||||
|
||||
"""
|
||||
(user_id, methods, audit_ids, domain_id, project_id, trust_id,
|
||||
federated_info, created_at, expires_at) = (
|
||||
self.token_formatter.validate_token(token))
|
||||
try:
|
||||
(user_id, methods, audit_ids, domain_id, project_id, trust_id,
|
||||
federated_info, created_at, expires_at) = (
|
||||
self.token_formatter.validate_token(token))
|
||||
except exception.ValidationError as e:
|
||||
raise exception.TokenNotFound(e)
|
||||
|
||||
token_dict = None
|
||||
trust_ref = None
|
||||
|
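Review bot: The updated docstring line for validate_v3_token, `:raises keystone.exception.TokenNotFound: if token format version isn't supported`, no longer matches what the new try/except does: TokenNotFound is now raised for any ValidationError coming out of token_formatter.validate_token, which per the formatter change includes a token that cannot be decrypted at all, not only an unsupported payload version. Suggest `:raises keystone.exception.TokenNotFound: if the token cannot be decrypted or its format version isn't supported`. The validate_v2_token docstring in the first hunk already says "if token format is invalid", which covers both cases. Both method bodies continue outside the hunks.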
|
|
@ -75,8 +75,9 @@ class TokenFormatter(object):
|
|||
|
||||
try:
|
||||
return self.crypto.decrypt(token)
|
||||
except fernet.InvalidToken as e:
|
||||
raise exception.Unauthorized(six.text_type(e))
|
||||
except fernet.InvalidToken:
|
||||
raise exception.ValidationError(
|
||||
_('This is not a recognized Fernet token'))
|
||||
|
||||
@classmethod
|
||||
def creation_time(cls, fernet_token):
|
||||
|
@ -197,8 +198,8 @@ class TokenFormatter(object):
|
|||
(user_id, methods, expires_at, audit_ids, federated_info) = (
|
||||
FederatedPayload.disassemble(payload))
|
||||
else:
|
||||
# If the token_format is not recognized, raise Unauthorized.
|
||||
raise exception.Unauthorized(_(
|
||||
# If the token_format is not recognized, raise ValidationError.
|
||||
raise exception.ValidationError(_(
|
||||
'This is not a recognized Fernet payload version: %s') %
|
||||
version)
|
||||
|
||||
|
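Review bot: In the first hunk the caught exception is no longer bound or used, so the library's InvalidToken detail is discarded instead of being echoed to the client in the error body, which is the right direction for a not-found response; if `six.text_type` was this module's only use of `six`, the import is now dead and should be dropped. In the second hunk the comment `# If the token_format is not recognized, raise ValidationError.` refers to `token_format` while the value reported in the message is `version`; if these are the same thing, `# If the payload version is not recognized, raise ValidationError.` matches the code. Both enclosing methods extend outside the hunks.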
|