Merge "Return password_expires_at during auth"

2016-10-14 06:42:24 +00:00 · 2016-10-14 06:42:24 +00:00 · c1fd67deb5
parent aa22da2cd8 02452d02c4
commit c1fd67deb5
12 changed files with 40 additions and 8 deletions
--- a/api-ref/source/v3/samples/admin/auth-password-explicit-unscoped-response.json
+++ b/api-ref/source/v3/samples/admin/auth-password-explicit-unscoped-response.json
@ -11,7 +11,8 @@
                "name": "Default"
            },
            "id": "ee4dfb6e5540447cb3741905149d9b6e",
-            "name": "admin"
+            "name": "admin",
+            "password_expires_at": null
        },
        "audit_ids": [
            "lC2Wj1jbQe-dLjLyOx4qPQ"
--- a/api-ref/source/v3/samples/admin/auth-password-project-scoped-response.json
+++ b/api-ref/source/v3/samples/admin/auth-password-project-scoped-response.json
@ -392,7 +392,8 @@
                "name": "Default"
            },
            "id": "ee4dfb6e5540447cb3741905149d9b6e",
-            "name": "admin"
+            "name": "admin",
+            "password_expires_at": "2016-11-06T15:32:17.000000"
        },
        "audit_ids": [
            "3T2dc1CGQxyJsHdDu1xkcw"
--- a/api-ref/source/v3/samples/admin/auth-password-unscoped-response.json
+++ b/api-ref/source/v3/samples/admin/auth-password-unscoped-response.json
@ -11,7 +11,8 @@
                "name": "Default"
            },
            "id": "423f19a4ac1e4f48bbb4180756e6eb6c",
-            "name": "admin"
+            "name": "admin",
+            "password_expires_at": null
        },
        "audit_ids": [
            "ZzZwkUflQfygX7pdYDBCQQ"
--- a/api-ref/source/v3/samples/admin/auth-token-scoped-response.json
+++ b/api-ref/source/v3/samples/admin/auth-token-scoped-response.json
@ -392,7 +392,8 @@
                "name": "Default"
            },
            "id": "10a2e6e717a245d9acad3e5f97aeca3d",
-            "name": "admin"
+            "name": "admin",
+            "password_expires_at": "2016-11-06T15:32:17.000000"
        },
        "audit_ids": [
            "wLc7nDMsQiKqf8VFU4ySpg"
--- a/api-ref/source/v3/samples/admin/auth-token-unscoped-response.json
+++ b/api-ref/source/v3/samples/admin/auth-token-unscoped-response.json
@ -11,7 +11,8 @@
                "name": "Default"
            },
            "id": "10a2e6e717a245d9acad3e5f97aeca3d",
-            "name": "admin"
+            "name": "admin",
+            "password_expires_at": null
        },
        "audit_ids": [
            "mAjXQhiYRyKwkB4qygdLVg"
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@ -106,6 +106,15 @@ class KeystoneToken(dict):
            pass
        raise exception.UnexpectedError()

+    @property
+    def user_password_expires_at(self):
+        try:
+            return self['user']['password_expires_at']
+        except KeyError:
+            # Do not raise KeyError, raise UnexpectedError
+            pass
+        raise exception.UnexpectedError()
+
    @property
    def user_domain_id(self):
        try:
--- a/keystone/tests/unit/test_token_provider.py
+++ b/keystone/tests/unit/test_token_provider.py
@ -335,7 +335,8 @@ SAMPLE_V3_TOKEN = {
                "name": "Default"
            },
            "id": "f19ddbe2c53c46f189fe66d0a7a9c9ce",
-            "name": "nova"
+            "name": "nova",
+            "password_expires_at": "2013-08-21T00:02:43.941473Z"
        },
        "OS-TRUST:trust": {
            "id": "abc123",
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@ -161,7 +161,7 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
            },
            'user': {
                'type': 'object',
-                'required': ['id', 'name', 'domain'],
+                'required': ['id', 'name', 'domain', 'password_expires_at'],
                'properties': {
                    'id': {'type': 'string'},
                    'name': {'type': 'string'},
@ -173,6 +173,10 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
                        },
                        'required': ['id', 'name'],
                        'additonalProperties': False,
+                    },
+                    'password_expires_at': {
+                        'type': ['string', 'null'],
+                        'pattern': unit.TIME_FORMAT_REGEX,
                    }
                },
                'additionalProperties': False,
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -116,6 +116,7 @@ class TestValidate(unit.TestCase):
                'id': domain_ref['id'],
                'name': domain_ref['name'],
            },
+            'password_expires_at': user_ref['password_expires_at']
        }
        self.assertEqual(exp_user_info, token['user'])

--- a/keystone/tests/unit/token/test_token_model.py
+++ b/keystone/tests/unit/token/test_token_model.py
@ -48,6 +48,9 @@ class TestKeystoneTokenModel(core.TestCase):
                         token_data.user_id)
        self.assertEqual(self.v3_sample_token['token']['user']['name'],
                         token_data.user_name)
+        self.assertEqual(
+            self.v3_sample_token['token']['user']['password_expires_at'],
+            token_data.user_password_expires_at)
        self.assertEqual(self.v3_sample_token['token']['user']['domain']['id'],
                         token_data.user_domain_id)
        self.assertEqual(
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -422,7 +422,8 @@ class V3TokenDataHelper(object):
        filtered_user = {
            'id': user_ref['id'],
            'name': user_ref['name'],
-            'domain': self._get_filtered_domain(user_ref['domain_id'])}
+            'domain': self._get_filtered_domain(user_ref['domain_id']),
+            'password_expires_at': user_ref['password_expires_at']}
        token_data['user'] = filtered_user

    def _populate_oauth_section(self, token_data, access_token):
--- a/releasenotes/notes/bp-password_expired_at-4b32fe7032595932.yaml
+++ b/releasenotes/notes/bp-password_expired_at-4b32fe7032595932.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - >
+    Token responses will now have a ``password_expires_at``
+    field under the ``user`` dictionary.
+    If PCI support is enabled, the ``password_expires_at``
+    field will be populated. Otherwise, it will default
+    to ``null``.