From 27564b078a41b6fdb1061f3cbe26f61d345eefbb Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Sat, 11 Jul 2015 07:13:45 -0500
Subject: [PATCH] Refactor extract method for offline validation

Move the code for offline validation into a method so that it's easier to tell what this block of code is doing.

Change-Id: Idd0a6c016c7b8878234e479b173f98c53d5aad4b
---
 keystonemiddleware/auth_token/__init__.py | 39 ++++++++++++-----------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index bec820df..326ac598 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -706,24 +706,8 @@ class AuthProtocol(_BaseAuthProtocol):
 # and needs to be checked.
 self._revocations.check(token_hashes)
 else:
- verified = None
-
- try:
- if cms.is_pkiz(token):
- verified = self._verify_pkiz_token(token, token_hashes)
- elif cms.is_asn1_token(token):
- verified = self._verify_signed_token(token,
- token_hashes)
- except exceptions.CertificateConfigError:
- self.log.warning(_LW('Fetch certificate config failed, '
- 'fallback to online validation.'))
- except exc.RevocationListError:
- self.log.warning(_LW('Fetch revocation list failed, '
- 'fallback to online validation.'))
-
- if verified is not None:
- data = jsonutils.loads(verified)
- else:
+ data = self._validate_offline(token, token_hashes)
+ if not data:
 data = self._identity_server.verify_token(token)
 self._token_cache.store(token_hashes[0], data)
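Review bot: The caller now tests `if not data:` where the removed code tested `verified is not None`, so a locally verified token whose decoded payload is falsy (an empty JSON object, for instance) is now sent to the identity server instead of being used as the verified result. That fails toward the online check, so nothing in this hunk suggests it is unsafe, but it is a behaviour change inside a commit described as a pure refactor. `if data is None:` keeps the old condition and matches the None that `_validate_offline` uses as its fallback signal. The enclosing method starts and ends outside the hunk.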
@@ -744,6 +728,25 @@ class AuthProtocol(_BaseAuthProtocol):
 return data
+ def _validate_offline(self, token, token_hashes):
+ try:
+ if cms.is_pkiz(token):
+ verified = self._verify_pkiz_token(token, token_hashes)
+ elif cms.is_asn1_token(token):
+ verified = self._verify_signed_token(token, token_hashes)
+ else:
+ # Can't do offline validation for this type of token.
+ return
+ except exceptions.CertificateConfigError:
+ self.log.warning(_LW('Fetch certificate config failed, '
+ 'fallback to online validation.'))
+ except exc.RevocationListError:
+ self.log.warning(_LW('Fetch revocation list failed, '
+ 'fallback to online validation.'))
+ else:
+ data = jsonutils.loads(verified)
+ return data
+
 def _validate_token(self, auth_ref):
 # 0 seconds of validity means is it valid right now.
 if auth_ref.will_expire_soon(stale_duration=0):
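Review bot: `_validate_offline` has no docstring, and its "fall back to online validation" signal is implicit: the bare `return` in the non-PKI branch and, as far as the collapsed indentation shows, the two `except` branches falling off the end all yield None. This method decides whether a token is accepted on a local signature check or passed to the identity server, so I would state the contract with a docstring such as `"""Return the decoded token data if it was verified locally, else None so the caller validates online."""`. A short comment should add that only `CertificateConfigError` and `RevocationListError` trigger the fallback, while any other exception from the verify helpers propagates. That presumably includes a rejected signature or revoked token, which should be confirmed against `_verify_signed_token` and `_verify_pkiz_token`, both outside this hunk. Writing `return None` explicitly in all three places would make the signal visible at a glance.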