authorJenkins <jenkins@review.openstack.org>2014-08-20 17:31:03 +0000
committerGerrit Code Review <review@openstack.org>2014-08-20 17:31:03 +0000
commit2f7865640029f9c6f788ef149cd3cb8b9d329a14 (patch)
tree72e81e8d8ac20f233b9debe73937300949d97a1e
parente2a14287e505cbf70691f67b2ce3e14f71f91bdd (diff)
parentfc53b9eedad1fea325f651a6861a82616b715a27 (diff)
downloadkeystonemiddleware-2f7865640029f9c6f788ef149cd3cb8b9d329a14.tar.gz
Merge "Hash for PKIZ"1.1.1
-rw-r--r--keystonemiddleware/auth_token.py2
-rw-r--r--keystonemiddleware/tests/test_auth_token_middleware.py21
2 files changed, 18 insertions, 5 deletions
diff --git a/keystonemiddleware/auth_token.py b/keystonemiddleware/auth_token.py
index ce60402..a9625e7 100644
--- a/keystonemiddleware/auth_token.py
+++ b/keystonemiddleware/auth_token.py
@@ -1396,7 +1396,7 @@ class _TokenCache(object):
"""
- if cms.is_asn1_token(user_token):
+ if cms.is_asn1_token(user_token) or cms.is_pkiz(user_token):
# user_token is a PKI token that's not hashed.
token_hashes = list(cms.cms_hash_token(user_token, mode=algo)
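Review bot: The comment directly under the changed condition still reads `# user_token is a PKI token that's not hashed.`, although the branch now also takes PKIZ tokens; it should become `# user_token is a PKI or PKIZ token that's not hashed.`. The wording matters because this branch is where the full token is reduced to the hashes from `cms.cms_hash_token(user_token, mode=algo)`, and the tests in this commit suggest those hashes are what is matched against the cache and the revocation list. The enclosing method starts and ends outside the hunk, so whether other code paths still test `cms.is_asn1_token` alone cannot be checked from here.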
diff --git a/keystonemiddleware/tests/test_auth_token_middleware.py b/keystonemiddleware/tests/test_auth_token_middleware.py
index e2dff21..d3f3321 100644
--- a/keystonemiddleware/tests/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/test_auth_token_middleware.py
@@ -642,6 +642,12 @@ class CommonAuthTokenMiddlewareTest(object):
revoked_form = cms.cms_hash_token(token)
self._test_cache_revoked(token, revoked_form)
+ def test_cached_revoked_pkiz(self):
+ # When the PKIZ token is cached and revoked, 401 is returned.
+ token = self.token_dict['signed_token_scoped_pkiz']
+ revoked_form = cms.cms_hash_token(token)
+ self._test_cache_revoked(token, revoked_form)
+
def test_revoked_token_receives_401_md5_secondary(self):
# When hash_algorithms has 'md5' as the secondary hash and the
# revocation list contains the md5 hash for a token, that token is
@@ -655,7 +661,7 @@ class CommonAuthTokenMiddlewareTest(object):
self.middleware(req.environ, self.start_fake_response)
self.assertEqual(self.response_status, 401)
- def test_revoked_hashed_pki_token(self):
+ def _test_revoked_hashed_token(self, token_name):
# If hash_algorithms is set as ['sha256', 'md5'],
# and check_revocations_for_cached is True,
# and a token is in the cache because it was successfully validated
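Review bot: `_test_revoked_hashed_token` is now a shared helper that takes `token_name`, but the visible part of its leading comment block describes only the scenario and never mentions the parameter. A short docstring such as `"""Check that the cached token stored under token_name in self.token_dict gets a 401 once its hash is on the revocation list."""` would state which keys are valid and what is asserted. The helper's body continues outside this hunk.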
@@ -666,7 +672,7 @@ class CommonAuthTokenMiddlewareTest(object):
self.conf['check_revocations_for_cached'] = True
self.set_middleware()
- token = self.token_dict['signed_token_scoped']
+ token = self.token_dict[token_name]
# Put the token in the revocation list.
token_hashed = cms.cms_hash_token(token)
@@ -680,13 +686,19 @@ class CommonAuthTokenMiddlewareTest(object):
self.middleware(req.environ, self.start_fake_response)
self.assertEqual(200, self.response_status)
- # This time use the PKI token
+ # This time use the PKI(Z) token
req.headers['X-Auth-Token'] = token
self.middleware(req.environ, self.start_fake_response)
# Should find the token in the cache and revocation list.
self.assertEqual(401, self.response_status)
+ def test_revoked_hashed_pki_token(self):
+ self._test_revoked_hashed_token('signed_token_scoped')
+
+ def test_revoked_hashed_pkiz_token(self):
+ self._test_revoked_hashed_token('signed_token_scoped_pkiz')
+
def get_revocation_list_json(self, token_ids=None, mode=None):
if token_ids is None:
key = 'revoked_token_hash' + (('_' + mode) if mode else '')
@@ -1421,7 +1433,8 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.examples.UUID_TOKEN_BIND,
self.examples.UUID_TOKEN_UNKNOWN_BIND,
self.examples.UUID_TOKEN_NO_SERVICE_CATALOG,
- self.examples.SIGNED_TOKEN_SCOPED_KEY,):
+ self.examples.SIGNED_TOKEN_SCOPED_KEY,
+ self.examples.SIGNED_TOKEN_SCOPED_PKIZ_KEY,):
httpretty.register_uri(httpretty.GET,
"%s/v2.0/tokens/%s" % (BASE_URI, token),
body=