From 74f788aa9da0dabf54bd1f4718f9c0e0b9726757 Mon Sep 17 00:00:00 2001
From: Chmouel Boudjnah <chmouel@enovance.com>
Date: Fri, 2 Aug 2013 10:12:03 +0200
Subject: Revoke user tokens when disabling/delete a project

- Revoke tokens scoped to all users from a project when disabling or
  deleting the project.
- Tests provided by Dolph.

Closes-Bug: #1179955
Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
Signed-off-by: Chmouel Boudjnah <chmouel@enovance.com>
---
 keystone/tests/test_v3_auth.py | 61 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

(limited to 'keystone/tests/test_v3_auth.py')

diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index 43f87d98..1f4425ce 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -545,6 +545,67 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
                   headers={'X-Subject-Token': token},
                   expected_status=204)
 
+    def test_disabling_project_revokes_token(self):
+        resp = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']))
+        token = resp.headers.get('X-Subject-Token')
+
+        # confirm token is valid
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': token},
+                  expected_status=204)
+
+        # disable the project, which should invalidate the token
+        self.patch(
+            '/projects/%(project_id)s' % {'project_id': self.projectA['id']},
+            body={'project': {'enabled': False}})
+
+        # user should no longer have access to the project
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': token},
+                  expected_status=401)
+        resp = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']),
+            expected_status=401)
+
+    def test_deleting_project_revokes_token(self):
+        resp = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']))
+        token = resp.headers.get('X-Subject-Token')
+
+        # confirm token is valid
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': token},
+                  expected_status=204)
+
+        # delete the project, which should invalidate the token
+        self.delete(
+            '/projects/%(project_id)s' % {'project_id': self.projectA['id']})
+
+        # user should no longer have access to the project
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': token},
+                  expected_status=401)
+        resp = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']),
+            expected_status=401)
+
     def test_deleting_group_grant_revokes_tokens(self):
         """Test deleting a group grant revokes tokens.
 
-- 
cgit