Add tests related to V2 token issued_at time changing

There was no test that showed that when a V2 token is used in a V3 context its "issued_at" time changes. This affects validating a V2 token using V3 and also revoking a V2 token. The tests show the current incorrect behavior. Partial-Bug: #1348820 Change-Id: I2a3443847b2699384413933ae164fdc183aa110f
openstack · Jul 25, 2014 · 556fb86 · 556fb86
1 parent 46f2871
commit 556fb86
Showing 1 changed file with 37 additions and 12 deletions.
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
@@ -365,6 +365,14 @@ def test_v2_v3_token_intermix(self):
         self.assertEqual(v2_token_data['access']['user']['roles'][0]['name'],
                          token_data['token']['roles'][0]['name'])
 
+        v2_issued_at = timeutils.parse_isotime(
+            v2_token_data['access']['token']['issued_at'])
+        v3_issued_at = timeutils.parse_isotime(
+            token_data['token']['issued_at'])
+
+        # FIXME(blk-u): the following should be assertEqual, see bug 1348820
+        self.assertNotEqual(v2_issued_at, v3_issued_at)
+
     def test_rescoping_token(self):
         expires = self.token_data['token']['expires_at']
         auth_data = self.build_authentication_request(
@@ -1224,6 +1232,35 @@ def test_deleting_project_deletes_grants(self):
         # Make sure that we get a NotFound(404) when heading that role.
         self.head(role_path, expected_status=404)
 
+    def get_v2_token(self):
+        body = {
+            'auth': {
+                'passwordCredentials': {
+                    'username': self.default_domain_user['name'],
+                    'password': self.default_domain_user['password'],
+                }
+            },
+        }
+
+        r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
+        return r.json_body['access']['token']['id']
+
+    def test_revoke_v2_token_no_check(self):
+        # Test that a V2 token can be revoked without validating it first.
+
+        # NOTE(blk-u): This doesn't work right. The token should be invalid
+        # after being revoked but it's not. See bug 1348820.
+
+        token = self.get_v2_token()
+
+        self.delete('/auth/tokens',
+                    headers={'X-Subject-Token': token},
+                    expected_status=204)
+
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': token},
+                  expected_status=200)  # FIXME(blk-u): This should be 404
+
 
 @dependency.requires('revoke_api')
 class TestTokenRevokeApi(TestTokenRevokeById):
@@ -1286,18 +1323,6 @@ def test_revoke_token(self):
                                    expected_status=200).json_body
         self.assertValidRevokedTokenResponse(events_response, self.user['id'])
 
-    def get_v2_token(self):
-        body = {
-            'auth': {
-                'passwordCredentials': {
-                    'username': self.default_domain_user['name'],
-                    'password': self.default_domain_user['password'],
-                },
-            },
-        }
-        r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
-        return r.json_body['access']['token']['id']
-
     def test_revoke_v2_token(self):
         token = self.get_v2_token()
         headers = {'X-Subject-Token': token}