author | Jenkins <jenkins@review.openstack.org> | 2014-08-26 00:18:29 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2014-08-26 00:18:29 +0000 |
commit | ee6b2f2c0557f062a9ade54808140d3477101697 (patch) | |
tree | e652f2a20ef11d93b52a750df2972de7ad931e70 | |
parent | 62d4c7141b96df60b5fb29ed1525da5513db99dc (diff) | |
parent | eb54dfa3f7ef89502e723d4ade41d8930ffb48d5 (diff) | |
download | python-keystoneclient-ee6b2f2c0557f062a9ade54808140d3477101697.tar.gz |
Merge "Hash for PKIZ"
-rw-r--r-- | keystoneclient/middleware/auth_token.py | 2 | ||||
-rw-r--r-- | keystoneclient/tests/test_auth_token_middleware.py | 23 |
2 files changed, 19 insertions, 6 deletions
diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py index d2eb29b..cf33f04 100644 --- a/keystoneclient/middleware/auth_token.py +++ b/keystoneclient/middleware/auth_token.py @@ -1407,7 +1407,7 @@ class TokenCache(object): """ - if cms.is_asn1_token(user_token): + if cms.is_asn1_token(user_token) or cms.is_pkiz(user_token): # user_token is a PKI token that's not hashed. token_hashes = list(cms.cms_hash_token(user_token, mode=algo) diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py index 5e1a71f..7adcfc5 100644 --- a/keystoneclient/tests/test_auth_token_middleware.py +++ b/keystoneclient/tests/test_auth_token_middleware.py @@ -629,6 +629,12 @@ class CommonAuthTokenMiddlewareTest(object): revoked_form = cms.cms_hash_token(token) self._test_cache_revoked(token, revoked_form) + def test_cached_revoked_pkiz(self): + # When the PKI token is cached and revoked, 401 is returned. + token = self.token_dict['signed_token_scoped_pkiz'] + revoked_form = cms.cms_hash_token(token) + self._test_cache_revoked(token, revoked_form) + def test_revoked_token_receives_401_md5_secondary(self): # When hash_algorithms has 'md5' as the secondary hash and the # revocation list contains the md5 hash for a token, that token is @@ -641,7 +647,7 @@ class CommonAuthTokenMiddlewareTest(object): self.middleware(req.environ, self.start_fake_response) self.assertEqual(self.response_status, 401) - def test_revoked_hashed_pki_token(self): + def _test_revoked_hashed_token(self, token_key): # If hash_algorithms is set as ['sha256', 'md5'], # and check_revocations_for_cached is True, # and a token is in the cache because it was successfully validated 
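Review bot: The comment under the widened condition in `TokenCache` still reads `# user_token is a PKI token that's not hashed.`, which no longer describes the branch now that PKIZ tokens take it too; I would change it to `# user_token is an unhashed PKI or PKIZ token.`. The hash computed here appears to be the key under which the token is cached and matched against the revocation list. Any other place in auth_token.py that decides whether to hash by calling only `cms.is_asn1_token` would presumably keep the same gap for PKIZ tokens. Those call sites are not visible in this hunk, so it is worth checking them as part of the same change. The enclosing method starts and ends outside the hunk.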
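Review bot: The comment in the new `test_cached_revoked_pkiz` was copied from the PKI test above it and still says `# When the PKI token is cached and revoked, 401 is returned.`; it should name the format under test, `# When the PKIZ token is cached and revoked, 401 is returned.`. The test calls `cms.cms_hash_token(token)` without a mode, so only the default hash algorithm is covered for PKIZ. The neighbouring `test_revoked_token_receives_401_md5_secondary` suggests a secondary-hash path exists; whether it needs a PKIZ variant cannot be judged from this hunk alone.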
@@ -652,27 +658,33 @@ class CommonAuthTokenMiddlewareTest(object): self.conf['check_revocations_for_cached'] = True self.set_middleware() - token = self.token_dict['signed_token_scoped'] + token = self.token_dict[token_key] # Put the token in the revocation list. token_hashed = cms.cms_hash_token(token) self.middleware.token_revocation_list = self.get_revocation_list_json( token_ids=[token_hashed]) - # First, request is using the hashed token, is valid so goes in + # request is using the hashed token, is valid so goes in # cache using the given hash. req = webob.Request.blank('/') req.headers['X-Auth-Token'] = token_hashed self.middleware(req.environ, self.start_fake_response) self.assertEqual(200, self.response_status) - # This time use the PKI token + # This time use the PKI(Z) token req.headers['X-Auth-Token'] = token self.middleware(req.environ, self.start_fake_response) # Should find the token in the cache and revocation list. self.assertEqual(401, self.response_status) + def test_revoked_hashed_pki_token(self): + self._test_revoked_hashed_token('signed_token_scoped') + + def test_revoked_hashed_pkiz_token(self): + self._test_revoked_hashed_token('signed_token_scoped_pkiz') + def get_revocation_list_json(self, token_ids=None, mode=None): if token_ids is None: key = 'revoked_token_hash' + (('_' + mode) if mode else '') @@ -1371,7 +1383,8 @@ class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest, self.examples.UUID_TOKEN_BIND, self.examples.UUID_TOKEN_UNKNOWN_BIND, self.examples.UUID_TOKEN_NO_SERVICE_CATALOG, - self.examples.SIGNED_TOKEN_SCOPED_KEY,): + self.examples.SIGNED_TOKEN_SCOPED_KEY, + self.examples.SIGNED_TOKEN_SCOPED_PKIZ_KEY,): text = self.examples.JSON_TOKEN_RESPONSES[token] self.requests.register_uri('GET', '%s/v2.0/tokens/%s' % (BASE_URI, token), |
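Review bot: The final `self.assertEqual(401, self.response_status)` in `_test_revoked_hashed_token` cannot tell a token rejected because its hash is on the revocation list from one rejected for any other reason. That matters for the new `test_revoked_hashed_pkiz_token`, since a PKIZ token that simply failed to validate would presumably also produce 401. If no such test exists already, a companion case that sends the same `signed_token_scoped_pkiz` token with a revocation list that does not contain its hash and expects 200 would pin the 401 to revocation. The helper's explanation is also kept as `#` comments under the `def`; turning it into a docstring that mentions both PKI and PKIZ would make the two one-line wrappers self-explanatory. The helper's opening lines are in the previous hunk.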