Revoke user tokens when disabling/delete a project

- Revoke tokens scoped to all users from a project when disabling or
  deleting the project.
- Tests provided by Dolph.

Closes-Bug: #1179955
Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
Signed-off-by: Chmouel Boudjnah <chmouel@enovance.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index affc34de..0252bcdc 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -169,6 +169,10 @@ class V2Controller(wsgi.Application):
             self._delete_tokens_for_trust(trust['trustee_user_id'],
                                           trust['id'])
 
+    def _delete_tokens_for_project(self, project_id):
+        for user_ref in self.identity_api.get_project_users(project_id):
+            self._delete_tokens_for_user(user_ref['id'], project_id=project_id)
+
     def _require_attribute(self, ref, attr):
         """Ensures the reference contains the specified attribute."""
         if ref.get(attr) is None or ref.get(attr) == '':