Fix race condition when changing passwords

This patch makes it so that there is a one second wait when changing a password
with Keystone. This is done because when we lose sub-second precision with
Fernet tokens there is the possibility of a token being issued and revoked
within the same second. Keystone will err on the side of security and return a
404 NotFound when validating a token that was issued in the same second as a
revocation event.

For example, it is possible for a revocation event to happen at .000001, but it
will be stored in MySQL as .000000 because of sub-second truncation. A token can
be created at .000002, but the creation time of that token, according to
Fernet, will be .000000, because Fernet tokens don't have sub-second precision.
When that token is validated, it will appear invalid even though it was created
*after* the revocation event.

Change-Id: Ied83448de8af1b0da9afdfe6ce9431438215bfe0
Closes-Bug: 1473567
diff --git a/tempest/api/identity/v2/test_users.py b/tempest/api/identity/v2/test_users.py
index 3b89b66..50aaa25 100644
--- a/tempest/api/identity/v2/test_users.py
+++ b/tempest/api/identity/v2/test_users.py
@@ -14,6 +14,7 @@
 #    under the License.
 
 import copy
+import time
 
 from tempest_lib.common.utils import data_utils
 from tempest_lib import exceptions
@@ -54,6 +55,15 @@
             new_pass=old_pass,
             old_pass=new_pass)
 
+        # TODO(lbragstad): Sleeping after the response status has been checked
+        # and the body loaded as JSON allows requests to fail-fast. The sleep
+        # is necessary because keystone will err on the side of security and
+        # invalidate tokens within a small margin of error (within the same
+        # wall clock second) after a revocation event is issued (such as a
+        # password change). Remove this once keystone and Fernet support
+        # sub-second precision.
+        time.sleep(1)
+
         # user updates own password
         resp = self.non_admin_client.update_user_own_password(
             user_id=user_id, new_pass=new_pass, old_pass=old_pass)['access']
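Review bot: The added `time.sleep(1)` runs before the `update_user_own_password` call, so it separates this password change from whatever happened earlier in the test, not from what follows it. The commit message describes the failure as a token issued in the same second as the revocation event, and the password change is that event. If the test requests or validates a token right after this update, that token can still fall in the same wall-clock second as the change. Either move the wait to after the update, or say in the comment which earlier revocation event this sleep is meant to clear.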
diff --git a/tempest/api/identity/v3/test_users.py b/tempest/api/identity/v3/test_users.py
index a1f664f..14a866f 100644
--- a/tempest/api/identity/v3/test_users.py
+++ b/tempest/api/identity/v3/test_users.py
@@ -14,6 +14,7 @@
 #    under the License.
 
 import copy
+import time
 
 from tempest_lib.common.utils import data_utils
 from tempest_lib import exceptions
@@ -53,6 +54,15 @@
             password=old_pass,
             original_password=new_pass)
 
+        # TODO(lbragstad): Sleeping after the response status has been checked
+        # and the body loaded as JSON allows requests to fail-fast. The sleep
+        # is necessary because keystone will err on the side of security and
+        # invalidate tokens within a small margin of error (within the same
+        # wall clock second) after a revocation event is issued (such as a
+        # password change). Remove this once keystone and Fernet support
+        # sub-second precision.
+        time.sleep(1)
+
         # user updates own password
         self.non_admin_client.update_user_password(
             user_id=user_id, password=new_pass, original_password=old_pass)
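Review bot: The TODO text does not match where the sleep sits. It says the sleep comes "after the response status has been checked and the body loaded as JSON", but in this hunk `time.sleep(1)` precedes the `update_user_password` call and no response is checked before it. The same seven-line comment is also copied verbatim into the v2 test. Suggest shortening it to what the test actually does and citing bug 1473567, so the removal condition ("once keystone and Fernet support sub-second precision") can be tracked. A single shared helper for the wait would keep the two copies from drifting.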