Maintain the expiry of v2 fernet tokens

The v2 fernet provider didn't carry the expiration of a token from it's parent token when handling a rescope. This means that a rescope of fernet tokens could extend the session indefinitely. Change-Id: Id1ec725fd89cd32260b7be4eead24a0fc84abfe1 closes-bug: #1469563
2015-06-28 13:30:40 -07:00 · 2015-06-28 13:30:40 -07:00 · e641c40b68
parent 4d2bbe0e7c
commit e641c40b68
2 changed files with 46 additions and 1 deletions
--- a/keystone/tests/unit/test_v2.py
+++ b/keystone/tests/unit/test_v2.py
@ -1496,3 +1496,44 @@ class TestFernetTokenProviderV2(RestfulTestCase):
            path=path,
            token=CONF.admin_token,
            expected_status=200)
+
+    def test_rescoped_tokens_maintain_original_expiration(self):
+        project_ref = self.new_project_ref()
+        self.resource_api.create_project(project_ref['id'], project_ref)
+        self.assignment_api.add_role_to_user_and_project(self.user_foo['id'],
+                                                         project_ref['id'],
+                                                         self.role_admin['id'])
+        resp = self.public_request(
+            method='POST',
+            path='/v2.0/tokens',
+            body={
+                'auth': {
+                    'tenantName': project_ref['name'],
+                    'passwordCredentials': {
+                        'username': self.user_foo['name'],
+                        'password': self.user_foo['password']
+                    }
+                }
+            },
+            # NOTE(lbragstad): This test may need to be refactored if Keystone
+            # decides to disallow rescoping using a scoped token.
+            expected_status=200)
+        original_token = resp.result['access']['token']['id']
+        original_expiration = resp.result['access']['token']['expires']
+
+        resp = self.public_request(
+            method='POST',
+            path='/v2.0/tokens',
+            body={
+                'auth': {
+                    'tenantName': project_ref['name'],
+                    'token': {
+                        'id': original_token,
+                    }
+                }
+            },
+            expected_status=200)
+        rescoped_token = resp.result['access']['token']['id']
+        rescoped_expiration = resp.result['access']['token']['expires']
+        self.assertNotEqual(original_token, rescoped_token)
+        self.assertEqual(original_expiration, rescoped_expiration)
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@ -60,6 +60,9 @@ class Provider(common.BaseProvider):
        if token_ref.get('tenant'):
            project_id = token_ref['tenant']['id']

+        # maintain expiration time across rescopes
+        expires = token_ref.get('expires')
+
        parent_audit_id = token_ref.get('parent_audit_id')
        # If parent_audit_id is defined then a token authentication was made
        if parent_audit_id:
@ -81,7 +84,8 @@ class Provider(common.BaseProvider):
            project_id=project_id,
            token=token_ref,
            include_catalog=False,
-            audit_info=audit_ids)
+            audit_info=audit_ids,
+            expires=expires)

        expires_at = v3_token_data['token']['expires_at']
        token_id = self.token_formatter.create_token(user_id, expires_at,