Maintain the expiry of v2 fernet tokens
The v2 fernet provider didn't carry the expiration of a token from its parent token when handling a rescope. This means that a rescope of fernet tokens could extend the session indefinitely. Change-Id: Id1ec725fd89cd32260b7be4eead24a0fc84abfe1 closes-bug: #1469563
parent
4d2bbe0e7c
commit
e641c40b68
|
@ -1496,3 +1496,44 @@ class TestFernetTokenProviderV2(RestfulTestCase):
|
|||
path=path,
|
||||
token=CONF.admin_token,
|
||||
expected_status=200)
|
||||
|
||||
def test_rescoped_tokens_maintain_original_expiration(self):
|
||||
project_ref = self.new_project_ref()
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self.assignment_api.add_role_to_user_and_project(self.user_foo['id'],
|
||||
project_ref['id'],
|
||||
self.role_admin['id'])
|
||||
resp = self.public_request(
|
||||
method='POST',
|
||||
path='/v2.0/tokens',
|
||||
body={
|
||||
'auth': {
|
||||
'tenantName': project_ref['name'],
|
||||
'passwordCredentials': {
|
||||
'username': self.user_foo['name'],
|
||||
'password': self.user_foo['password']
|
||||
}
|
||||
}
|
||||
},
|
||||
# NOTE(lbragstad): This test may need to be refactored if Keystone
|
||||
# decides to disallow rescoping using a scoped token.
|
||||
expected_status=200)
|
||||
original_token = resp.result['access']['token']['id']
|
||||
original_expiration = resp.result['access']['token']['expires']
|
||||
|
||||
resp = self.public_request(
|
||||
method='POST',
|
||||
path='/v2.0/tokens',
|
||||
body={
|
||||
'auth': {
|
||||
'tenantName': project_ref['name'],
|
||||
'token': {
|
||||
'id': original_token,
|
||||
}
|
||||
}
|
||||
},
|
||||
expected_status=200)
|
||||
rescoped_token = resp.result['access']['token']['id']
|
||||
rescoped_expiration = resp.result['access']['token']['expires']
|
||||
self.assertNotEqual(original_token, rescoped_token)
|
||||
self.assertEqual(original_expiration, rescoped_expiration)
|
||||
|
|
|
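Review bot: The final `self.assertEqual(original_expiration, rescoped_expiration)` passes vacuously if both `expires` values are missing or None, so the test would not catch a provider that simply stops emitting an expiry; add `self.assertIsNotNone(original_expiration)` before the comparison so it pins a real timestamp. The test also performs a single rescope, while the bug it closes is about indefinite extension; a second rescope using `rescoped_token` with the same `expires` assertion would show the expiry survives a chain rather than being reset once (inferred, worth confirming the provider path behaves the same on the second hop). The `NOTE(lbragstad)` comment sits inside the request body literal, after the `body=` argument; moving it above `resp = self.public_request(` would keep the call's arguments uninterrupted. The new method is complete within this hunk; the enclosing class header is outside it.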
@ -60,6 +60,9 @@ class Provider(common.BaseProvider):
|
|||
if token_ref.get('tenant'):
|
||||
project_id = token_ref['tenant']['id']
|
||||
|
||||
# maintain expiration time across rescopes
|
||||
expires = token_ref.get('expires')
|
||||
|
||||
parent_audit_id = token_ref.get('parent_audit_id')
|
||||
# If parent_audit_id is defined then a token authentication was made
|
||||
if parent_audit_id:
|
||||
|
@ -81,7 +84,8 @@ class Provider(common.BaseProvider):
|
|||
project_id=project_id,
|
||||
token=token_ref,
|
||||
include_catalog=False,
|
||||
audit_info=audit_ids)
|
||||
audit_info=audit_ids,
|
||||
expires=expires)
|
||||
|
||||
expires_at = v3_token_data['token']['expires_at']
|
||||
token_id = self.token_formatter.create_token(user_id, expires_at,
|
||||
|
|
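Review bot: In the first hunk `expires = token_ref.get('expires')` is bound unconditionally, not only on the rescope path guarded by `if parent_audit_id:`, so the comment `# maintain expiration time across rescopes` undersells what it does: whatever the caller placed in `token_ref['expires']` now drives the issued token's lifetime for every v2 request, rescope or not. If the v2 controller always populates that key this is harmless, but that is outside the hunk; otherwise None flows into `expires=expires` in the second hunk and the result depends on the v3 builder's default handling. Suggest the comment state this explicitly, e.g. `# Carry the caller-supplied expiry (the parent token's on a rescope) so a rescoped token can never outlive it; None leaves the default lifetime to the v3 token builder.` The enclosing method starts before the first hunk and continues past the second.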