diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index cac5990a..aa116627 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -809,28 +809,26 @@ class AuthProtocol(BaseAuthProtocol):
         :raises exc.InvalidToken: if token is rejected
         """
+        data = None
+        token_hashes = None
+
         try:
             token_hashes = self._token_hashes(token)
-            offline_data = self._validate_offline(token, token_hashes)
-
-            if offline_data:
-                # NOTE(jamielennox): If we've validated a PKI token we don't
-                # need to cache it, and revocation check was already performed.
-                return offline_data
-
             cached = self._token_cache.get_first(*token_hashes)
             if cached:
+                data = cached
+
                 if self._check_revocations_for_cached:
                     # A token might have been revoked, regardless of initial
                     # mechanism used to validate it, and needs to be checked.
                     self._revocations.check(token_hashes)
+            else:
+                data = self._validate_offline(token, token_hashes)
+                if not data:
+                    data = self._identity_server.verify_token(token)
-                return cached
-
-            data = self._identity_server.verify_token(token)
-            self._token_cache.store(token_hashes[0], data)
-            return data
+                self._token_cache.store(token_hashes[0], data)
         except (ksa_exceptions.ConnectFailure,
                 ksa_exceptions.RequestTimeout,
@@ -848,6 +846,8 @@ class AuthProtocol(BaseAuthProtocol):
             self.log.critical(_LC('Unable to validate token'), exc_info=True)
             raise webob.exc.HTTPInternalServerError()
+        return data
+
     def _validate_offline(self, token, token_hashes):
         try:
             if cms.is_pkiz(token):
diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
index 51c93fad..745f72d4 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
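Review bot: Offline-validated (PKI/PKIZ) token data is now written to the cache by the `self._token_cache.store(token_hashes[0], data)` line in the `else:` branch, so on later requests such a token takes the `if cached:` branch, where the revocation list is consulted only when `self._check_revocations_for_cached` is set; the removed comment noted that offline validation had already performed that check on every request, so a revoked PKI token can keep being accepted from the cache until its entry expires unless that option is enabled. Either document this at the `else:` branch, e.g. `# Offline-validated tokens are cached too; revocation of cached tokens is only rechecked when check_revocations_for_cached is set.`, or run the revocation check unconditionally for cached entries that came from offline validation. Separately, `if not data:` treats any falsy result from `_validate_offline` as "not an offline token" and falls through to `verify_token`; if `_validate_offline` can return an empty value for a PKI token that failed validation rather than raising, that would silently retry it online, which is worth confirming against its body (only its first lines are in the second hunk). The enclosing method starts before the hunk.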
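Review bot: `return data` is now the method's single exit and sits after the whole `except` chain, so any handler in the elided part of that chain (between the two hunks) that logs without re-raising would hand `None` back to the caller instead of aborting the request; the visible handler raises `HTTPInternalServerError`, but the remaining handlers are outside the hunk and worth confirming. A comment above it, `# Every handler above must raise; reaching here means data was validated.`, would make that invariant explicit for the next change to the handlers. The enclosing method starts before the hunk.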
@@ -1015,7 +1015,7 @@ class CommonAuthTokenMiddlewareTest(object):
     def test_memcache(self):
         self.mock_memcache()
         self.set_middleware(conf={'memcached_servers': ['127.0.0.1:4444']})
-        token = self.token_dict['uuid_token_default']
+        token = self.token_dict['signed_token_scoped']
         self.call_middleware(headers={'X-Auth-Token': token})
         self.assertIsNotNone(self._get_cached_token(token))
@@ -1048,7 +1048,7 @@ class CommonAuthTokenMiddlewareTest(object):
         conf.update(extra_conf)
         self.set_middleware(conf=conf)
-        token = self.token_dict['uuid_token_default']
+        token = self.token_dict['signed_token_scoped']
         self.call_middleware(headers={'X-Auth-Token': token})
         req = webob.Request.blank('/')
@@ -1275,7 +1275,7 @@ class CommonAuthTokenMiddlewareTest(object):
         orig_cache_set = cache.set
         cache.set = mock.Mock(side_effect=orig_cache_set)
-        token = self.token_dict['uuid_token_default']
+        token = self.token_dict['signed_token_scoped']
         self.call_middleware(headers={'X-Auth-Token': token})
@@ -1286,21 +1286,6 @@ class CommonAuthTokenMiddlewareTest(object):
         # Assert that the token wasn't cached again.
         self.assertThat(1, matchers.Equals(cache.set.call_count))
-    def test_dont_cache_pki_tokens(self):
-        cache = mock.Mock()
-        cache.get.return_value = '{}'
-
-        self.middleware._token_cache._env_cache_name = 'cache'
-        self.middleware._token_cache.initialize(env={'cache': cache})
-
-        token = self.token_dict['signed_token_scoped']
-
-        resp = self.call_middleware(headers={'X-Auth-Token': token})
-        self.assertEqual(200, resp.status_int)
-
-        cache.get.assert_not_called()
-        cache.set.assert_not_called()
-
     def test_auth_plugin(self):
         for service_url in (self.examples.UNVERSIONED_SERVICE_URL,
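Review bot: All three swaps to `self.token_dict['signed_token_scoped']` (the hunks at 1015, 1048 and 1275) move the cache tests onto the offline-validated path, and `test_dont_cache_pki_tokens` is deleted, so unless another test in this file still uses `uuid_token_default`, caching of online-verified (UUID) tokens is no longer asserted anywhere. Consider keeping one of the three on `uuid_token_default`, and adding a test that a cached `signed_token_scoped` is still checked against the revocation list when `check_revocations_for_cached` is enabled, since the removed test documented the old guarantee that PKI tokens were never served from cache and were revocation-checked on every request. Apart from `test_memcache`, the enclosing test methods start before their hunks.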