Replace 401 to 404 when token is invalid

According to specs, keystone should return 404 when token is invalid.
This commit fixes it, and fixes validate_token return.

Change-Id: Ia44ea94c6f72ab6f46c0799056d41deddcbfb051
Closes-Bug: 1477600

keystone/tests/unit/test_v3_auth.py

@@ -4144,7 +4144,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
         unscoped_token = self._get_unscoped_token()
         tampered_token = (unscoped_token[:50] + uuid.uuid4().hex +
                           unscoped_token[50 + 32:])
-        self._validate_token(tampered_token, expected_status=401)
+        self._validate_token(tampered_token, expected_status=404)
 
     def test_revoke_unscoped_token(self):
         unscoped_token = self._get_unscoped_token()
@@ -4224,7 +4224,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
         project_scoped_token = self._get_project_scoped_token()
         tampered_token = (project_scoped_token[:50] + uuid.uuid4().hex +
                           project_scoped_token[50 + 32:])
-        self._validate_token(tampered_token, expected_status=401)
+        self._validate_token(tampered_token, expected_status=404)
 
     def test_revoke_project_scoped_token(self):
         project_scoped_token = self._get_project_scoped_token()
@@ -4332,7 +4332,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
         # Get a trust scoped token
         tampered_token = (trust_scoped_token[:50] + uuid.uuid4().hex +
                           trust_scoped_token[50 + 32:])
-        self._validate_token(tampered_token, expected_status=401)
+        self._validate_token(tampered_token, expected_status=404)
 
     def test_revoke_trust_scoped_token(self):
         trustee_user, trust = self._create_trust()

keystone/tests/unit/token/test_fernet_provider.py

@@ -42,15 +42,15 @@ class TestFernetTokenProvider(tests.TestCase):
     def test_needs_persistence_returns_false(self):
         self.assertFalse(self.provider.needs_persistence())
 
-    def test_invalid_v3_token_raises_401(self):
+    def test_invalid_v3_token_raises_404(self):
         self.assertRaises(
-            exception.Unauthorized,
+            exception.TokenNotFound,
             self.provider.validate_v3_token,
             uuid.uuid4().hex)
 
-    def test_invalid_v2_token_raises_401(self):
+    def test_invalid_v2_token_raises_404(self):
         self.assertRaises(
-            exception.Unauthorized,
+            exception.TokenNotFound,
             self.provider.validate_v2_token,
             uuid.uuid4().hex)
 

keystone/token/providers/fernet/core.py

@@ -142,14 +142,18 @@ class Provider(common.BaseProvider):
 
         :param token_ref: reference describing the token to validate
         :returns: the token data
+        :raises keystone.exception.TokenNotFound: if token format is invalid
         :raises keystone.exception.Unauthorized: if v3 token is used
 
         """
-        (user_id, methods,
-         audit_ids, domain_id,
-         project_id, trust_id,
-         federated_info, created_at,
-         expires_at) = self.token_formatter.validate_token(token_ref)
+        try:
+            (user_id, methods,
+             audit_ids, domain_id,
+             project_id, trust_id,
+             federated_info, created_at,
+             expires_at) = self.token_formatter.validate_token(token_ref)
+        except exception.ValidationError as e:
+            raise exception.TokenNotFound(e)
 
         if trust_id or domain_id or federated_info:
             msg = _('This is not a v2.0 Fernet token. Use v3 for trust, '
@@ -173,13 +177,16 @@ class Provider(common.BaseProvider):
 
         :param token: a string describing the token to validate
         :returns: the token data
-        :raises keystone.exception.Unauthorized: if token format version isn't
+        :raises keystone.exception.TokenNotFound: if token format version isn't
                                                  supported
 
         """
-        (user_id, methods, audit_ids, domain_id, project_id, trust_id,
-            federated_info, created_at, expires_at) = (
-                self.token_formatter.validate_token(token))
+        try:
+            (user_id, methods, audit_ids, domain_id, project_id, trust_id,
+                federated_info, created_at, expires_at) = (
+                    self.token_formatter.validate_token(token))
+        except exception.ValidationError as e:
+            raise exception.TokenNotFound(e)
 
         token_dict = None
         trust_ref = None

keystone/token/providers/fernet/token_formatters.py

@@ -75,8 +75,9 @@ class TokenFormatter(object):
 
         try:
             return self.crypto.decrypt(token)
-        except fernet.InvalidToken as e:
-            raise exception.Unauthorized(six.text_type(e))
+        except fernet.InvalidToken:
+            raise exception.ValidationError(
+                _('This is not a recognized Fernet token'))
 
     @classmethod
     def creation_time(cls, fernet_token):
@@ -197,8 +198,8 @@ class TokenFormatter(object):
             (user_id, methods, expires_at, audit_ids, federated_info) = (
                 FederatedPayload.disassemble(payload))
         else:
-            # If the token_format is not recognized, raise Unauthorized.
-            raise exception.Unauthorized(_(
+            # If the token_format is not recognized, raise ValidationError.
+            raise exception.ValidationError(_(
                 'This is not a recognized Fernet payload version: %s') %
                 version)