summaryrefslogtreecommitdiffstats
path: root/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py')
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py47
1 files changed, 43 insertions, 4 deletions
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
index cef65b8e..258e195a 100644
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
+++ b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
@@ -27,22 +27,24 @@ from keystonemiddleware.tests.unit import utils
class RevocationsTests(utils.BaseTestCase):
- def _check_with_list(self, revoked_list, token_ids):
+ def _setup_revocations(self, revoked_list):
directory_name = '/tmp/%s' % uuid.uuid4().hex
signing_directory = _signing_dir.SigningDirectory(directory_name)
self.addCleanup(shutil.rmtree, directory_name)
identity_server = mock.Mock()
- verify_result_obj = {
- 'revoked': list({'id': r} for r in revoked_list)
- }
+ verify_result_obj = {'revoked': revoked_list}
cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj))
revocations = _revocations.Revocations(
timeout=datetime.timedelta(1), signing_directory=signing_directory,
identity_server=identity_server, cms_verify=cms_verify)
+ return revocations
+ def _check_with_list(self, revoked_list, token_ids):
+ revoked_list = list({'id': r} for r in revoked_list)
+ revocations = self._setup_revocations(revoked_list)
revocations.check(token_ids)
def test_check_empty_list(self):
@@ -63,3 +65,40 @@ class RevocationsTests(utils.BaseTestCase):
token_ids = [token_id]
self.assertRaises(exc.InvalidToken,
self._check_with_list, revoked_tokens, token_ids)
+
+ def test_check_by_audit_id_revoked(self):
+ # When the audit ID is in the revocation list, InvalidToken is raised.
+ audit_id = uuid.uuid4().hex
+ revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': audit_id}]
+ revocations = self._setup_revocations(revoked_list)
+ self.assertRaises(exc.InvalidToken,
+ revocations.check_by_audit_id, [audit_id])
+
+ def test_check_by_audit_id_chain_revoked(self):
+ # When the token's audit chain ID is in the revocation list,
+ # InvalidToken is raised.
+ revoked_audit_id = uuid.uuid4().hex
+ revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': revoked_audit_id}]
+ revocations = self._setup_revocations(revoked_list)
+
+ token_audit_ids = [uuid.uuid4().hex, revoked_audit_id]
+ self.assertRaises(exc.InvalidToken,
+ revocations.check_by_audit_id, token_audit_ids)
+
+ def test_check_by_audit_id_not_revoked(self):
+ # When the audit ID is not in the revocation list no exception.
+ revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': uuid.uuid4().hex}]
+ revocations = self._setup_revocations(revoked_list)
+
+ audit_id = uuid.uuid4().hex
+ revocations.check_by_audit_id([audit_id])
+
+ def test_check_by_audit_id_no_audit_ids(self):
+ # Older identity servers don't send audit_ids in the revocation list.
+ # When this happens, check_by_audit_id still works, just doesn't
+ # verify anything.
+ revoked_list = [{'id': uuid.uuid4().hex}]
+ revocations = self._setup_revocations(revoked_list)
+
+ audit_id = uuid.uuid4().hex
+ revocations.check_by_audit_id([audit_id])