Return 404 instead of 401 for tokens w/o roles
If a scoped token was validated and the user didn't have any role assignment on a project, keystone would return a 401 Unauthorized. This was the case when the fernet token provider was enabled because the reference is rebuilt on every request. The uuid token provider has a different behavior - if the token isn't found in the backend a 404 Not Found is returned. Furthermore, for persisted tokens, any validation error will result in 404, such as in the case where the user no longer has any roles assigned for the given scope. These two behaviors should be consistent regardless of the token provider. This problem was not fixed entirely with https://review.openstack.org/#/c/277436/ because of token caching in devstack which masks the wrong error code for the period of time the token is cached. Therefore, in order to test this in devstack you need to take into account the caching time after un-assigning the role on a project and while using the same fernet token. Closes-Bug: #1541621 Change-Id: I9d36c5c73d5a832cd04dd4c1368b8d769e0acc4c
parent
0b65a9664c
commit
fde57f68e2
|
@ -393,6 +393,28 @@ class TokenAPITests(object):
|
|||
self.token_provider_api.validate_token,
|
||||
project_scoped_token)
|
||||
|
||||
def test_project_scoped_token_is_invalid_after_deleting_grant(self):
|
||||
# disable caching so that user grant deletion is not hidden
|
||||
# by token caching
|
||||
self.config_fixture.config(
|
||||
group='cache',
|
||||
enabled=False)
|
||||
# Grant user access to project
|
||||
self.assignment_api.create_grant(self.role['id'],
|
||||
user_id=self.user['id'],
|
||||
project_id=self.project['id'])
|
||||
project_scoped_token = self._get_project_scoped_token()
|
||||
# Make sure the token is valid
|
||||
self._validate_token(project_scoped_token)
|
||||
# Delete access to project
|
||||
self.assignment_api.delete_grant(self.role['id'],
|
||||
user_id=self.user['id'],
|
||||
project_id=self.project['id'])
|
||||
# Ensure the token has been revoked
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api.validate_token,
|
||||
project_scoped_token)
|
||||
|
||||
def test_rescope_unscoped_token_with_trust(self):
|
||||
trustee_user, trust = self._create_trust()
|
||||
self._get_trust_scoped_token(trustee_user, trust)
|
||||
|
|
|
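Review bot: The final `assertRaises` pins only that `validate_token` raises `TokenNotFound`; the 404-versus-401 status code named in the commit title is left to the exception-to-status mapping rather than exercised, so if this test class has an HTTP-level helper for token validation, a second check through the REST API (expecting 404 on the same token) would pin the wire behavior as well. The comment `# Ensure the token has been revoked` also overstates what happens: nothing in the test issues a revocation, the grant deletion simply makes validation fail, so `# Validation must now fail with TokenNotFound (404), not Unauthorized (401)` describes the expectation more accurately. Disabling the cache fixture at the top is the right guard given the caching problem described in the commit message, though it means the cache-enabled path is not covered here. The enclosing `TokenAPITests` class starts before this hunk.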
@ -292,19 +292,19 @@ class Manager(manager.Manager):
|
|||
if not token_id:
|
||||
raise exception.TokenNotFound(_('No token in the request'))
|
||||
|
||||
if not self._needs_persistence:
|
||||
# NOTE(lbragstad): This will validate v2 and v3 non-persistent
|
||||
# tokens.
|
||||
return self.driver.validate_non_persistent_token(token_id)
|
||||
token_ref = self._persistence.get_token(token_id)
|
||||
version = self.get_token_version(token_ref)
|
||||
if version == self.V3:
|
||||
try:
|
||||
try:
|
||||
if not self._needs_persistence:
|
||||
# NOTE(lbragstad): This will validate v2 and v3 non-persistent
|
||||
# tokens.
|
||||
return self.driver.validate_non_persistent_token(token_id)
|
||||
token_ref = self._persistence.get_token(token_id)
|
||||
version = self.get_token_version(token_ref)
|
||||
if version == self.V3:
|
||||
return self.driver.validate_v3_token(token_ref)
|
||||
except exception.Unauthorized as e:
|
||||
LOG.debug('Unable to validate token: %s', e)
|
||||
raise exception.TokenNotFound(token_id=token_id)
|
||||
elif version == self.V2:
|
||||
except exception.Unauthorized as e:
|
||||
LOG.debug('Unable to validate token: %s', e)
|
||||
raise exception.TokenNotFound(token_id=token_id)
|
||||
if version == self.V2:
|
||||
return self.driver.validate_v2_token(token_ref)
|
||||
raise exception.UnsupportedTokenVersionException()
|
||||
|
||||
|
|
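Review bot: The v2 branch `if version == self.V2: return self.driver.validate_v2_token(token_ref)` now sits after the `except exception.Unauthorized` handler, so an `Unauthorized` raised during v2 validation still surfaces as 401 while the same failure on v3 and non-persistent tokens is converted to `TokenNotFound`; if v2 validation can fail that way for a user whose grants were removed, moving that return inside the `try` would make the mapping uniform, and if leaving it outside is deliberate a one-line comment saying why would stop the next reader from "fixing" it. The handler should also state the reason for the downgrade, since turning an authorization failure into a not-found error is a deliberate consistency choice rather than an accident: `# NOTE: a token whose user lost all roles on its scope must look like a missing token (404), never an auth failure (401), regardless of provider -- see bug 1541621`. The enclosing `validate_token` method starts before this hunk.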