Fix fernet token validate for disabled domains/trusts

This commit adds a check when rebuilding the authorization context of a trust-scoped token to make sure that both the trustor and the trustee are in enabled domains. With this patch the uuid token provider and the fernet token provider give the same response when caching is disabled. If caching is enabled, the fernet provider will still consider a trust-scoped token valid even though the trustor/trustee is in a disabled domain. A subsequent patch will fix the revocation event to make sure the token is removed from the cache when a domain is disabled. Change-Id: If3e941018d5c2c9bd22397e69f83b7bf92643340 Partial-Bug: 1532280
2016-07-07 18:32:11 +00:00 · 2016-07-07 18:32:11 +00:00 · d53db1889e
parent e504e8a087
commit d53db1889e
2 changed files with 20 additions and 2 deletions
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -2482,6 +2482,10 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
    # FIXME(lbragstad): Remove this test from this class and inherit the
    # version in TokenAPITest once bug 1532280 is fixed.
    def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
+        # Remove this once revocation for domains is handled properly
+        self.config_fixture.config(
+            group='cache',
+            enabled=False)
        # create a new domain with new user in that domain
        new_domain_ref = unit.new_domain_ref()
        self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
@ -2525,8 +2529,9 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
            '/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
            body=disable_body)

-        # this should return Not Found once bug 1532280 is fixed!
-        self._validate_token(trust_scoped_token)
+        # ensure the project-scoped token from the trust is invalid
+        self._validate_token(trust_scoped_token,
+                             expected_status=http_client.NOT_FOUND)


 class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -352,6 +352,19 @@ class V3TokenDataHelper(object):
        if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
            trustor_user_ref = (self.identity_api.get_user(
                                trust['trustor_user_id']))
+            trustee_user_ref = (self.identity_api.get_user(
+                                trust['trustee_user_id']))
+            try:
+                self.resource_api.assert_domain_enabled(
+                    trustor_user_ref['domain_id'])
+            except AssertionError:
+                raise exception.TokenNotFound(_('Trustor domain is disabled.'))
+            try:
+                self.resource_api.assert_domain_enabled(
+                    trustee_user_ref['domain_id'])
+            except AssertionError:
+                raise exception.TokenNotFound(_('Trustee domain is disabled.'))
+
            try:
                self.identity_api.assert_user_enabled(trust['trustor_user_id'])
            except AssertionError: