Fix race condition when changing passwords
This patch makes it so that there is a one second wait when changing a password
with Keystone. This is done because when we lose sub-second precision with
Fernet tokens there is the possibility of a token being issued and revoked
within the same second. Keystone will err on the side of security and return a
404 NotFound when validating a token that was issued in the same second as a
revocation event.
For example, it is possible for a revocation event to happen at .000001, but it
will be stored in MySQL as .000000 because of sub-second truncation. A token can
be created at .000002, but the creation time of that token, according to
Fernet, will be .000000, because Fernet tokens don't have sub-second precision.
When that token is validated, it will appear invalid even though it was created
*after* the revocation event.
Change-Id: Ied83448de8af1b0da9afdfe6ce9431438215bfe0
Closes-Bug: 1473567
2 files changed