Diffstat (limited to 'keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py')
-rw-r--r-- | keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py | 47 |
1 files changed, 43 insertions, 4 deletions
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
index cef65b8e..258e195a 100644
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
+++ b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
@@ -27,22 +27,24 @@ from keystonemiddleware.tests.unit import utils
 class RevocationsTests(utils.BaseTestCase):
- def _check_with_list(self, revoked_list, token_ids):
+ def _setup_revocations(self, revoked_list):
 directory_name = '/tmp/%s' % uuid.uuid4().hex
 signing_directory = _signing_dir.SigningDirectory(directory_name)
 self.addCleanup(shutil.rmtree, directory_name)
 identity_server = mock.Mock()
- verify_result_obj = {
- 'revoked': list({'id': r} for r in revoked_list)
- }
+ verify_result_obj = {'revoked': revoked_list}
 cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj))
 revocations = _revocations.Revocations(
 timeout=datetime.timedelta(1),
 signing_directory=signing_directory,
 identity_server=identity_server,
 cms_verify=cms_verify)
+ return revocations
+ def _check_with_list(self, revoked_list, token_ids):
+ revoked_list = list({'id': r} for r in revoked_list)
+ revocations = self._setup_revocations(revoked_list)
 revocations.check(token_ids)
 def test_check_empty_list(self):
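Review bot: `_setup_revocations` and `_check_with_list` both take a parameter named `revoked_list`, but the helper now expects ready-made revocation entries (dicts) while `_check_with_list` still takes bare token ids, and nothing in the code says so. A one-line docstring on each would make the contract explicit, for example `"""Return a Revocations whose verified list is revoked_list (entry dicts with 'id' and optionally 'audit_id')."""` on the helper. The `list(...)` wrapped around a generator reads more simply as `[{'id': r} for r in revoked_list]`. The shared helper also keeps the hard-coded `'/tmp/%s' % uuid.uuid4().hex` signing directory; a `tempfile`-derived path would honour TMPDIR, though whether `SigningDirectory` accepts an already-created directory is not visible in this hunk.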
@@ -63,3 +65,40 @@ class RevocationsTests(utils.BaseTestCase):
 token_ids = [token_id]
 self.assertRaises(exc.InvalidToken,
 self._check_with_list, revoked_tokens, token_ids)
+
+ def test_check_by_audit_id_revoked(self):
+ # When the audit ID is in the revocation list, InvalidToken is raised.
+ audit_id = uuid.uuid4().hex
+ revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': audit_id}]
+ revocations = self._setup_revocations(revoked_list)
+ self.assertRaises(exc.InvalidToken,
+ revocations.check_by_audit_id, [audit_id])
+
+ def test_check_by_audit_id_chain_revoked(self):
+ # When the token's audit chain ID is in the revocation list,
+ # InvalidToken is raised.
+ revoked_audit_id = uuid.uuid4().hex
+ revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': revoked_audit_id}]
+ revocations = self._setup_revocations(revoked_list)
+
+ token_audit_ids = [uuid.uuid4().hex, revoked_audit_id]
+ self.assertRaises(exc.InvalidToken,
+ revocations.check_by_audit_id, token_audit_ids)
+
+ def test_check_by_audit_id_not_revoked(self):
+ # When the audit ID is not in the revocation list no exception.
+ revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': uuid.uuid4().hex}]
+ revocations = self._setup_revocations(revoked_list)
+
+ audit_id = uuid.uuid4().hex
+ revocations.check_by_audit_id([audit_id])
+
+ def test_check_by_audit_id_no_audit_ids(self):
+ # Older identity servers don't send audit_ids in the revocation list.
+ # When this happens, check_by_audit_id still works, just doesn't
+ # verify anything.
+ revoked_list = [{'id': uuid.uuid4().hex}]
+ revocations = self._setup_revocations(revoked_list)
+
+ audit_id = uuid.uuid4().hex
+ revocations.check_by_audit_id([audit_id])
|
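Review bot: `test_check_by_audit_id_no_audit_ids` pins a fail-open path: by its own comment, `check_by_audit_id` verifies nothing when the revocation list carries no `audit_id` fields, and the test passes simply because no exception is raised. The same test should also show that the id-based check still rejects the revoked entry, so a reader can see revocation is not lost against older identity servers: bind `revoked_id = uuid.uuid4().hex`, use it in `revoked_list`, and add `self.assertRaises(exc.InvalidToken, revocations.check, [revoked_id])` (the existing tests suggest `check` raises `InvalidToken` for a listed id). `test_check_by_audit_id_not_revoked` likewise has no explicit assertion; a short comment such as `# Must not raise.` above the final call would make the intent clear.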