Merge "Parameter to return audit ids only in revocation list"

2016-02-24 10:47:03 +00:00 · 2016-02-24 10:47:03 +00:00 · e943768088
parent 9c682c0fd1 c187636691
commit e943768088
2 changed files with 42 additions and 0 deletions
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -559,13 +559,23 @@ class Auth(controller.V3Controller):
    def revocation_list(self, context, auth=None):
        if not CONF.token.revoke_by_id:
            raise exception.Gone()
+
+        audit_id_only = ('audit_id_only' in context['query_string'])
+
        tokens = self.token_provider_api.list_revoked_tokens()

        for t in tokens:
            expires = t['expires']
            if not (expires and isinstance(expires, six.text_type)):
                t['expires'] = utils.isotime(expires)
+            if audit_id_only:
+                t.pop('id', None)
        data = {'revoked': tokens}
+
+        if audit_id_only:
+            # No need to obfuscate if no token IDs.
+            return data
+
        json_data = jsonutils.dumps(data)
        signed_text = cms.cms_sign_text(json_data,
                                        CONF.signing.certfile,
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -4857,3 +4857,35 @@ class TestFetchRevocationList(test_v3.RestfulTestCase):
        }

        self.assertEqual({'revoked': [exp_token_revoke_data]}, payload)
+
+    def test_audit_id_only_no_tokens(self):
+        # When there's no revoked tokens and ?audit_id_only is used, the
+        # response is an empty list and is not signed.
+        res = self.get('/auth/tokens/OS-PKI/revoked?audit_id_only')
+        self.assertEqual({'revoked': []}, res.json)
+
+    def test_audit_id_only_token(self):
+        # When there's a revoked token and ?audit_id_only is used, the
+        # response contains the audit_id of the token and is not signed.
+        token_res = self.v3_create_token(
+            self.build_authentication_request(
+                user_id=self.user['id'],
+                password=self.user['password'],
+                project_id=self.project['id']))
+
+        token_id = token_res.headers.get('X-Subject-Token')
+        token_data = token_res.json['token']
+
+        self.delete('/auth/tokens', headers={'X-Subject-Token': token_id})
+
+        res = self.get('/auth/tokens/OS-PKI/revoked?audit_id_only')
+
+        def truncate(ts_str):
+            return ts_str[:19] + 'Z'  # 2016-01-21T15:53:52 == 19 chars.
+
+        exp_token_revoke_data = {
+            'audit_id': token_data['audit_ids'][0],
+            'expires': truncate(token_data['expires_at']),
+        }
+
+        self.assertEqual({'revoked': [exp_token_revoke_data]}, res.json)