From f57a839909bb430d9e0a5b870bfe6c3537601286 Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Fri, 22 Jan 2016 09:49:47 -0600 Subject: [PATCH] Revert "Don't cache signed tokens" This reverts commit 5ba3d06b2063e10cf30dafd3bd6886f8fc24244d. This caused conflicts in the revert of f27d7f7 (Disable memory caching of tokens), so to make the revert clean we'll also revert this one. We'll consider re-applying this change. (Seems fine to me.) Change-Id: I7ac9748dd8118f3490615a5f7b923760e1ee251e --- keystonemiddleware/auth_token/__init__.py | 24 +++++++++---------- .../auth_token/test_auth_token_middleware.py | 21 +++------------- 2 files changed, 15 insertions(+), 30 deletions(-) diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py index cac5990a..aa116627 100644 --- a/keystonemiddleware/auth_token/__init__.py +++ b/keystonemiddleware/auth_token/__init__.py @@ -809,28 +809,26 @@ class AuthProtocol(BaseAuthProtocol): :raises exc.InvalidToken: if token is rejected """ + data = None + token_hashes = None + try: token_hashes = self._token_hashes(token) - offline_data = self._validate_offline(token, token_hashes) - - if offline_data: - # NOTE(jamielennox): If we've validated a PKI token we don't - # need to cache it, and revocation check was already performed. - return offline_data - cached = self._token_cache.get_first(*token_hashes) if cached: + data = cached + if self._check_revocations_for_cached: # A token might have been revoked, regardless of initial # mechanism used to validate it, and needs to be checked. self._revocations.check(token_hashes) + else: + data = self._validate_offline(token, token_hashes) + if not data: + data = self._identity_server.verify_token(token) - return cached - - data = self._identity_server.verify_token(token) - self._token_cache.store(token_hashes[0], data) - return data + self._token_cache.store(token_hashes[0], data) except (ksa_exceptions.ConnectFailure, ksa_exceptions.RequestTimeout, 
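Review bot: In the `if cached:` branch, `self._revocations.check(token_hashes)` runs only when `self._check_revocations_for_cached` is set, while the new `else:` branch now stores the result of `_validate_offline` through `self._token_cache.store(token_hashes[0], data)`. The removed NOTE says the offline path had already performed a revocation check, and it ran before the cache lookup on every call, so a signed token revoked after its first validation may keep being accepted from the cache until the entry expires unless that flag is enabled. The flag's default and the cache lifetime are not visible in this hunk. I would record the trade-off at the branch, for example `# NOTE: a cached signed token is re-checked for revocation only when _check_revocations_for_cached is set`, and confirm that deployments relying on per-request revocation checks for signed tokens are told to enable it. The function starts above this hunk and its except handlers continue past it.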
@@ -848,6 +846,8 @@ class AuthProtocol(BaseAuthProtocol): self.log.critical(_LC('Unable to validate token'), exc_info=True) raise webob.exc.HTTPInternalServerError() + return data + def _validate_offline(self, token, token_hashes): try: if cms.is_pkiz(token): diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py index 51c93fad..745f72d4 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py +++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py @@ -1015,7 +1015,7 @@ class CommonAuthTokenMiddlewareTest(object): def test_memcache(self): self.mock_memcache() self.set_middleware(conf={'memcached_servers': ['127.0.0.1:4444']}) - token = self.token_dict['uuid_token_default'] + token = self.token_dict['signed_token_scoped'] self.call_middleware(headers={'X-Auth-Token': token}) self.assertIsNotNone(self._get_cached_token(token)) @@ -1048,7 +1048,7 @@ class CommonAuthTokenMiddlewareTest(object): conf.update(extra_conf) self.set_middleware(conf=conf) - token = self.token_dict['uuid_token_default'] + token = self.token_dict['signed_token_scoped'] self.call_middleware(headers={'X-Auth-Token': token}) req = webob.Request.blank('/') @@ -1275,7 +1275,7 @@ class CommonAuthTokenMiddlewareTest(object): orig_cache_set = cache.set cache.set = mock.Mock(side_effect=orig_cache_set) - token = self.token_dict['uuid_token_default'] + token = self.token_dict['signed_token_scoped'] self.call_middleware(headers={'X-Auth-Token': token}) 
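Review bot: With the fixture switched to `signed_token_scoped` in `test_memcache` (and likewise in the hunks at -1048 and -1275), the visible assertions only confirm that a signed token is stored in the cache; none of them covers a token that is revoked after it has been cached. A companion test that validates the token once, marks it revoked, and calls the middleware again, once with the revocation check for cached tokens enabled and once without, would pin the behaviour the restored caching depends on. These hunks also drop `uuid_token_default` from the caching tests, so UUID-token caching may lose coverage here. The test methods extend outside the hunks, so the rest of the file may already cover both cases.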
@@ -1286,21 +1286,6 @@ class CommonAuthTokenMiddlewareTest(object): # Assert that the token wasn't cached again. self.assertThat(1, matchers.Equals(cache.set.call_count)) - def test_dont_cache_pki_tokens(self): - cache = mock.Mock() - cache.get.return_value = '{}' - - self.middleware._token_cache._env_cache_name = 'cache' - self.middleware._token_cache.initialize(env={'cache': cache}) - - token = self.token_dict['signed_token_scoped'] - - resp = self.call_middleware(headers={'X-Auth-Token': token}) - self.assertEqual(200, resp.status_int) - - cache.get.assert_not_called() - cache.set.assert_not_called() - def test_auth_plugin(self): for service_url in (self.examples.UNVERSIONED_SERVICE_URL,