From a878664f5dbf08626a796e8cfa6fac88cb9e256a Mon Sep 17 00:00:00 2001
From: Henry Nash
Date: Tue, 7 Jun 2016 06:34:21 +0100
Subject: [PATCH] Revert to caching fernet tokens the same way we do UUID

In Liberty we used to cache the whole token at the provider manager validate token call. However, in Mitaka we changed this, for non-persistent tokens (e.g. fernet), to instead attempt to cache the individual components that make up the token. This change caused validating a fernet token to become 5 times slower than the same operation in Liberty (as well as UUID in both releases). This patches re-instates full-token caching for fernet. This should be considered somewhat of a bandaid to redress the performance degredation, while we work to restructure our token issuance and validation to simplify the multiple code paths. In terms of invalidation of such a cache, this change effectively reverts to the Liberty approach where anything logged to the revokation manager will still cause validaiton of the token to fail (this is checked for all token types). However, the alternate (and confusingly additonal) "direct" invalidation of the cache via the pesistance manager will, like in Liberty, not have any effect with cached fernet tokens. As far as I can tell, all situations where we currently want a token revoked will send this information to both the revoke and persistance managers, hence this change should not result in any tokens remaining valid when they shouldn't.
Closes-Bug: #1590179
Change-Id: I80371746735edac075eec9986e89b54b66bc47cb
(cherry picked from commit 9c89e07b11afa2e12c97d0af514ce5fcc04e2ac3)
---
 keystone/token/provider.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 7c4166f4df..0900f6b576 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -287,6 +287,10 @@ class Manager(manager.Manager):
 LOG.debug('Unable to validate token: %s', e)
 raise exception.TokenNotFound(token_id=token_id)

+ @MEMOIZE
+ def validate_non_persistent_token(self, token_id):
+ return self.driver.validate_non_persistent_token(token_id)
+
 @MEMOIZE
 def _validate_token(self, token_id):
 if not token_id:
@@ -425,6 +429,10 @@ class Manager(manager.Manager):
 self._validate_token.invalidate(self, token_id)
 self._validate_v2_token.invalidate(self, token_id)
 self._validate_v3_token.invalidate(self, token_id)
+ # This method isn't actually called in the case of non-persistent
+ # tokens, but we include the invalidation in case this ever changes
+ # in the future.
+ self.validate_non_persistent_token.invalidate(self, token_id)

 def revoke_token(self, token_id, revoke_chain=False):
 revoke_by_expires = False
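Review bot: The new memoized `validate_non_persistent_token` in the first hunk has no docstring saying that a cache hit skips the driver call entirely, so whatever the driver checks while decoding the token is not re-run for the life of the cache entry. Callers therefore have to re-check expiry and revocation on the returned data on every request. The commit message says revocation is checked for all token types, but that code is outside this hunk, so it is worth confirming the same holds for expiry. I would add a docstring such as `"""Return the driver's validation result for token_id, cached; callers must still check expiry and revocation on every call."""`. Unlike `_validate_token` just below (whose body continues past the hunk), this wrapper also forwards an empty `token_id` to the driver without an `if not token_id:` guard.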
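Review bot: The comment added in the second hunk says this method is not reached for non-persistent tokens, so the new `invalidate` call is currently dead code and a cached fernet validation result is never dropped directly; it stays until the cache entry expires. The comment should state what rejects a revoked token in that window, for example `# Revoked fernet tokens are rejected by the revocation check done on every validation, not by this cache invalidation.` A regression test that validates a fernet token with caching enabled, revokes it, and validates again would pin that guarantee. The enclosing method starts above the hunk, so its name and callers are not visible here.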