Revoke tokens on user delete (bug 1166670)

Change-Id: Ieeb2246579ddc0608092eed5239258d2b4dbf42b
openstack · May 9, 2013 · 33214f3 · 33214f3
1 parent bb40104
commit 33214f3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
@@ -223,6 +223,7 @@ def update_user(self, context, user_id, user):
     def delete_user(self, context, user_id):
         self.assert_admin(context)
         self.identity_api.delete_user(context, user_id)
+        self._delete_tokens_for_user(context, user_id)
 
     def set_user_enabled(self, context, user_id, user):
         return self.update_user(context, user_id, user)

diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
@@ -395,6 +395,30 @@ def test_disable_user_invalidates_token(self):
                           self.get_client,
                           self.user_foo)
 
+    def test_delete_user_invalidates_token(self):
+        from keystoneclient import exceptions as client_exceptions
+
+        admin_client = self.get_client(admin=True)
+        client = self.get_client(admin=False)
+
+        username = uuid.uuid4().hex
+        password = uuid.uuid4().hex
+        user_id = admin_client.users.create(
+            name=username, password=password, email=uuid.uuid4().hex).id
+
+        token_id = client.tokens.authenticate(
+            username=username, password=password).id
+
+        # token should be usable before the user is deleted
+        client.tokens.authenticate(token=token_id)
+
+        admin_client.users.delete(user=user_id)
+
+        # authenticate with a token should not work after the user is deleted
+        self.assertRaises(client_exceptions.Unauthorized,
+                          client.tokens.authenticate,
+                          token=token_id)
+
     def test_token_expiry_maintained(self):
         timeutils.set_time_override()
         foo_client = self.get_client(self.user_foo)