Expose token expiration time in tempauth auth response
Previously, we gave no indication of when a token would expire. Users would have to just use it until it stopped working, then re-auth. Now, a successful auth response will include a new header, X-Auth-Token-Expires, with the number of seconds remaining until the token is invalid. This allows the client to attempt to re-auth before sending a request that will definitely fail. For comparison, swauth already uses the X-Auth-Token-Expires header with identical semantics. Additionally, Keystone (v2 and v3) already exposes expiration times in its JSON responses. The security impact should be minimal. Change-Id: I5a4a74276bc0df6dda94e4bc150065c0d77de0eb
This commit is contained in:
parent
6a473e3d7b
commit
bf10974cde
@ -38,6 +38,9 @@ from swift.common.utils import config_read_reseller_options
|
||||
from swift.proxy.controllers.base import get_account_info
|
||||
|
||||
|
||||
DEFAULT_TOKEN_LIFE = 86400
|
||||
|
||||
|
||||
class TempAuth(object):
|
||||
"""
|
||||
Test authentication and authorization system.
|
||||
@ -181,7 +184,7 @@ class TempAuth(object):
|
||||
self.auth_prefix = '/' + self.auth_prefix
|
||||
if not self.auth_prefix.endswith('/'):
|
||||
self.auth_prefix += '/'
|
||||
self.token_life = int(conf.get('token_life', 86400))
|
||||
self.token_life = int(conf.get('token_life', DEFAULT_TOKEN_LIFE))
|
||||
self.allow_overrides = config_true_value(
|
||||
conf.get('allow_overrides', 't'))
|
||||
self.storage_url_scheme = conf.get('storage_url_scheme', 'default')
|
||||
@ -765,7 +768,8 @@ class TempAuth(object):
|
||||
memcache_client.set(memcache_user_key, token,
|
||||
time=float(expires - time()))
|
||||
resp = Response(request=req, headers={
|
||||
'x-auth-token': token, 'x-storage-token': token})
|
||||
'x-auth-token': token, 'x-storage-token': token,
|
||||
'x-auth-token-expires': str(int(expires - time()))})
|
||||
url = self.users[account_user]['url'].replace('$HOST', resp.host_url)
|
||||
if self.storage_url_scheme != 'default':
|
||||
url = self.storage_url_scheme + ':' + url.split(':', 1)[1]
|
||||
|
@ -515,7 +515,11 @@ class TestAuth(unittest.TestCase):
|
||||
self.assertEqual(resp.status_int, 200)
|
||||
self.assertTrue(resp.headers['x-storage-url'].endswith('/v1/AUTH_ac'))
|
||||
self.assertTrue(resp.headers['x-auth-token'].startswith('AUTH_'))
|
||||
self.assertTrue(len(resp.headers['x-auth-token']) > 10)
|
||||
self.assertEqual(resp.headers['x-auth-token'],
|
||||
resp.headers['x-storage-token'])
|
||||
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||
auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5)
|
||||
self.assertGreater(len(resp.headers['x-auth-token']), 10)
|
||||
|
||||
def test_use_token_success(self):
|
||||
# Example of how to simulate an authorized request
|
||||
@ -641,11 +645,16 @@ class TestAuth(unittest.TestCase):
|
||||
req.environ['SERVER_NAME'] = 'bob'
|
||||
req.environ['SERVER_PORT'] = '1234'
|
||||
req.environ['swift.cache'].set('AUTH_/user/test:tester', 'uuid_token')
|
||||
expires = time() + 180
|
||||
req.environ['swift.cache'].set('AUTH_/token/uuid_token',
|
||||
(time() + 180, 'test,test:tester'))
|
||||
(expires, 'test,test:tester'))
|
||||
resp = req.get_response(self.test_auth)
|
||||
self.assertEqual(resp.status_int, 200)
|
||||
self.assertEqual(resp.headers['x-auth-token'], 'uuid_token')
|
||||
self.assertEqual(resp.headers['x-auth-token'],
|
||||
resp.headers['x-storage-token'])
|
||||
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||
179.5, delta=0.5)
|
||||
|
||||
def test_old_token_overdate(self):
|
||||
self.test_auth = \
|
||||
@ -664,6 +673,8 @@ class TestAuth(unittest.TestCase):
|
||||
self.assertEqual(resp.status_int, 200)
|
||||
self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token')
|
||||
self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk')
|
||||
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||
auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5)
|
||||
|
||||
def test_old_token_with_old_data(self):
|
||||
self.test_auth = \
|
||||
@ -682,6 +693,8 @@ class TestAuth(unittest.TestCase):
|
||||
self.assertEqual(resp.status_int, 200)
|
||||
self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token')
|
||||
self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk')
|
||||
self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']),
|
||||
auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5)
|
||||
|
||||
def test_reseller_admin_is_owner(self):
|
||||
orig_authorize = self.test_auth.authorize
|
||||
|
Loading…
Reference in New Issue
Block a user