Handle invalidate in identity plugins correctly

Returning a True from the invalidate() call means that something has
changed within the plugin and the session should reissue the request and
expect the plugin to authenticate itself.

This means we should only return True if something actually changed,
because re-issuing the request if there was no auth_ref will not change
the outcome.

Change-Id: I012dacc93b1fcaee31d31a49e95db5a38044f211

2 files changed, 17 insertions, 2 deletions

diff --git a/keystoneclient/auth/identity/base.py b/keystoneclient/auth/identity/base.py
index ffdee4d..c2e5ffa 100644
--- a/keystoneclient/auth/identity/base.py
+++ b/keystoneclient/auth/identity/base.py
@@ -133,8 +133,11 @@ class BaseIdentityPlugin(base.BaseAuthPlugin):
                        invalidate. This means that it makes sense to try again.
                        If nothing happens returns False to indicate give up.
         """
-        self.auth_ref = None
-        return True
+        if self.auth_ref:
+            self.auth_ref = None
+            return True
+
+        return False
 
     def get_endpoint(self, session, service_type=None, interface=None,
                      region_name=None, service_name=None, version=None,
diff --git a/keystoneclient/tests/auth/test_identity_common.py b/keystoneclient/tests/auth/test_identity_common.py
index 8c5499c..d1b595f 100644
--- a/keystoneclient/tests/auth/test_identity_common.py
+++ b/keystoneclient/tests/auth/test_identity_common.py
@@ -209,6 +209,18 @@ class CommonIdentityTests(object):
         s = session.Session(auth=a)
         self.assertIs(expired_auth_ref, a.get_access(s))
 
+    def test_invalidate(self):
+        a = self.create_auth_plugin()
+        s = session.Session(auth=a)
+
+        # trigger token fetching
+        s.get_token()
+
+        self.assertTrue(a.auth_ref)
+        self.assertTrue(a.invalidate())
+        self.assertIsNone(a.auth_ref)
+        self.assertFalse(a.invalidate())
+
 
 class V3(CommonIdentityTests, utils.TestCase):