From 8f2273a54e5349b5e7f94924f54297bb9b0164fe Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Tue, 17 Oct 2017 21:41:21 +0000
Subject: [PATCH] Deleting an identity provider doesn't invalidate tokens

This commit exposes a bug where it's possible to continue using a federated token even after the identity provider is deleted.

Change-Id: Id19ff4f7823bdc2b078f27f9dc544f7a5ff9ea99
Partial-Bug: 1291157
---
 keystone/tests/unit/test_v3_federation.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index f2232c2227..f03ed51285 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -2061,6 +2061,28 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
 self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
 expected_status=http_client.FORBIDDEN)
 
+ @utils.wip('This will fail because of bug #1291157. The token should be '
+ 'invalid after deleting the identity provider.')
+ def test_validate_token_after_deleting_idp_fails(self):
+ token = self.v3_create_token(
+ self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_ADMIN
+ )
+ token_id = token.headers.get('X-Subject-Token')
+ federated_info = token.json_body['token']['user']['OS-FEDERATION']
+ idp_id = federated_info['identity_provider']['id']
+ self.federation_api.delete_idp(idp_id)
+ headers = {
+ 'X-Subject-Token': token_id
+ }
+ # FIXME(lbragstad): This should raise a 401 Unauthorized exception
+ # since the identity provider is gone.
+ self.get(
+ '/auth/tokens/',
+ token=token_id,
+ headers=headers,
+ expected_status=http_client.UNAUTHORIZED
+ )
+
 def test_scope_to_bad_project(self):
 """Scope unscoped token with a project we don't have access to."""
 self.v3_create_token(
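Review bot: The validation request in `test_validate_token_after_deleting_idp_fails` authenticates with the very token it is checking (`token=token_id` alongside `'X-Subject-Token': token_id`), so once bug #1291157 is fixed a 401 could come from the X-Auth-Token check rather than from validating the subject token, which is what the test is meant to cover. Authenticate the GET with a token that stays valid and keep only the subject header, e.g. drop the `token=token_id,` line so the test case's default admin token is sent, leaving `headers=headers,` and `expected_status=http_client.UNAUTHORIZED` as the assertion. Since a federated token that outlives its identity provider is a credential-revocation gap, it is also worth a second assertion that the token is rejected when presented as X-Auth-Token on an ordinary endpoint, because validation and authentication can take different code paths and the bug fix must close both. The method is complete within the hunk.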