diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py index aa116627..cac5990a 100644 --- a/keystonemiddleware/auth_token/__init__.py +++ b/keystonemiddleware/auth_token/__init__.py @@ -809,26 +809,28 @@ class AuthProtocol(BaseAuthProtocol): :raises exc.InvalidToken: if token is rejected """ - data = None - token_hashes = None - try: token_hashes = self._token_hashes(token) + offline_data = self._validate_offline(token, token_hashes) + + if offline_data: + # NOTE(jamielennox): If we've validated a PKI token we don't + # need to cache it, and revocation check was already performed. + return offline_data + cached = self._token_cache.get_first(*token_hashes) if cached: - data = cached - if self._check_revocations_for_cached: # A token might have been revoked, regardless of initial # mechanism used to validate it, and needs to be checked. self._revocations.check(token_hashes) - else: - data = self._validate_offline(token, token_hashes) - if not data: - data = self._identity_server.verify_token(token) - self._token_cache.store(token_hashes[0], data) + return cached + + data = self._identity_server.verify_token(token) + self._token_cache.store(token_hashes[0], data) + return data except (ksa_exceptions.ConnectFailure, ksa_exceptions.RequestTimeout, @@ -846,8 +848,6 @@ class AuthProtocol(BaseAuthProtocol): self.log.critical(_LC('Unable to validate token'), exc_info=True) raise webob.exc.HTTPInternalServerError() - return data - def _validate_offline(self, token, token_hashes): try: if cms.is_pkiz(token): diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py index d7237997..cd3caef3 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py +++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py @@ -1015,7 +1015,7 @@ class CommonAuthTokenMiddlewareTest(object): def test_memcache(self): self.mock_memcache() self.set_middleware(conf={'memcached_servers': ['127.0.0.1:4444']}) - token = self.token_dict['signed_token_scoped'] + token = self.token_dict['uuid_token_default'] self.call_middleware(headers={'X-Auth-Token': token}) self.assertIsNotNone(self._get_cached_token(token)) @@ -1048,7 +1048,7 @@ class CommonAuthTokenMiddlewareTest(object): conf.update(extra_conf) self.set_middleware(conf=conf) - token = self.token_dict['signed_token_scoped'] + token = self.token_dict['uuid_token_default'] self.call_middleware(headers={'X-Auth-Token': token}) req = webob.Request.blank('/') @@ -1275,7 +1275,7 @@ class CommonAuthTokenMiddlewareTest(object): orig_cache_set = cache.set cache.set = mock.Mock(side_effect=orig_cache_set) - token = self.token_dict['signed_token_scoped'] + token = self.token_dict['uuid_token_default'] self.call_middleware(headers={'X-Auth-Token': token}) @@ -1286,6 +1286,21 @@ class CommonAuthTokenMiddlewareTest(object): # Assert that the token wasn't cached again. self.assertThat(1, matchers.Equals(cache.set.call_count)) + def test_dont_cache_pki_tokens(self): + cache = mock.Mock() + cache.get.return_value = '{}' + + self.middleware._token_cache._env_cache_name = 'cache' + self.middleware._token_cache.initialize(env={'cache': cache}) + + token = self.token_dict['signed_token_scoped'] + + resp = self.call_middleware(headers={'X-Auth-Token': token}) + self.assertEqual(200, resp.status_int) + + cache.get.assert_not_called() + cache.set.assert_not_called() + def test_auth_plugin(self): for service_url in (self.examples.UNVERSIONED_SERVICE_URL,