Revert "Rename fernet_utils to token_utils"

This reverts commit 03ba867327.

Because of the introduction of auth receipts we will be
using fernet for more than just tokens. Let's make this a
generic util for fernet key handling.

Change-Id: I3a870a63239491f84db3350178bd2313eeccdbf3
Adrian Turjak 2018-05-04 15:12:37 +12:00
parent 104717d458
commit 45d724f535
11 changed files with 77 additions and 77 deletions


@ -29,9 +29,9 @@ import pbr.version
from keystone.cmd import bootstrap
from keystone.cmd import doctor
from keystone.common import driver_hints
from keystone.common import fernet_utils
from keystone.common import sql
from keystone.common.sql import upgrades
from keystone.common import token_utils
from keystone.common import utils
import keystone.conf
from keystone.credential.providers import fernet as credential_fernet
@ -395,16 +395,16 @@ class FernetSetup(BasePermissionsSetup):
@classmethod
def main(cls):
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
tutils.create_key_directory(keystone_user_id, keystone_group_id)
if tutils.validate_key_repository(requires_write=True):
tutils.initialize_key_repository(
futils.create_key_directory(keystone_user_id, keystone_group_id)
if futils.validate_key_repository(requires_write=True):
futils.initialize_key_repository(
keystone_user_id, keystone_group_id)
@ -430,15 +430,15 @@ class FernetRotate(BasePermissionsSetup):
@classmethod
def main(cls):
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
if tutils.validate_key_repository(requires_write=True):
tutils.rotate_keys(keystone_user_id, keystone_group_id)
if futils.validate_key_repository(requires_write=True):
futils.rotate_keys(keystone_user_id, keystone_group_id)
class TokenSetup(BasePermissionsSetup):
@ -454,7 +454,7 @@ class TokenSetup(BasePermissionsSetup):
@classmethod
def main(cls):
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
# TODO(gagehugo) Change this to CONF.token
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
@ -462,9 +462,9 @@ class TokenSetup(BasePermissionsSetup):
)
keystone_user_id, keystone_group_id = cls.get_user_group()
tutils.create_key_directory(keystone_user_id, keystone_group_id)
if tutils.validate_key_repository(requires_write=True):
tutils.initialize_key_repository(
futils.create_key_directory(keystone_user_id, keystone_group_id)
if futils.validate_key_repository(requires_write=True):
futils.initialize_key_repository(
keystone_user_id, keystone_group_id)
@ -490,7 +490,7 @@ class TokenRotate(BasePermissionsSetup):
@classmethod
def main(cls):
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
# TODO(gagehugo) Change this to CONF.token
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
@ -498,8 +498,8 @@ class TokenRotate(BasePermissionsSetup):
)
keystone_user_id, keystone_group_id = cls.get_user_group()
if tutils.validate_key_repository(requires_write=True):
tutils.rotate_keys(keystone_user_id, keystone_group_id)
if futils.validate_key_repository(requires_write=True):
futils.rotate_keys(keystone_user_id, keystone_group_id)
class CredentialSetup(BasePermissionsSetup):
@ -515,16 +515,16 @@ class CredentialSetup(BasePermissionsSetup):
@classmethod
def main(cls):
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
tutils.create_key_directory(keystone_user_id, keystone_group_id)
if tutils.validate_key_repository(requires_write=True):
tutils.initialize_key_repository(
futils.create_key_directory(keystone_user_id, keystone_group_id)
if futils.validate_key_repository(requires_write=True):
futils.initialize_key_repository(
keystone_user_id,
keystone_group_id
)
@ -587,17 +587,17 @@ class CredentialRotate(BasePermissionsSetup):
@classmethod
def main(cls):
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
if tutils.validate_key_repository(requires_write=True):
if futils.validate_key_repository(requires_write=True):
klass = cls()
klass.validate_primary_key()
tutils.rotate_keys(keystone_user_id, keystone_group_id)
futils.rotate_keys(keystone_user_id, keystone_group_id)
class CredentialMigrate(BasePermissionsSetup):
@ -647,12 +647,12 @@ class CredentialMigrate(BasePermissionsSetup):
@classmethod
def main(cls):
# Check to make sure we have a repository that works...
tutils = token_utils.TokenUtils(
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
tutils.validate_key_repository(requires_write=True)
futils.validate_key_repository(requires_write=True)
klass = cls()
klass.migrate_credentials()
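Review bot: In CredentialMigrate.main the result of `futils.validate_key_repository(requires_write=True)` is discarded, so unless that method raises on failure (its body is not in view) `migrate_credentials()` runs even when the credential key repository is missing, unwritable or world-readable; every other command in this file (FernetSetup, TokenRotate, CredentialRotate and the rest) gates its work on the same call. The comment above the call says it is a check, which suggests the guard was intended. Gate the migration the same way: `if futils.validate_key_repository(requires_write=True):` followed by the indented `klass = cls()` and `klass.migrate_credentials()`. This is pre-existing rather than introduced by the rename, and it is not certain from the rendering whether the method ends at the hunk's last line.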


@ -12,7 +12,7 @@
import keystone.conf
from keystone.common import token_utils as utils
from keystone.common import fernet_utils as utils
from keystone.credential.providers import fernet as credential_fernet
@ -47,14 +47,14 @@ def symptom_usability_of_credential_fernet_key_repository():
running keystone, but not world-readable, because it contains
security sensitive secrets.
"""
token_utils = utils.TokenUtils(
fernet_utils = utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
return (
'fernet' in CONF.credential.provider
and not token_utils.validate_key_repository())
and not fernet_utils.validate_key_repository())
def symptom_keys_in_credential_fernet_key_repository():
@ -65,11 +65,11 @@ def symptom_keys_in_credential_fernet_key_repository():
key repository with keys, and periodically rotate your keys with
`keystone-manage credential_rotate`.
"""
token_utils = utils.TokenUtils(
fernet_utils = utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
return (
'fernet' in CONF.credential.provider
and not token_utils.load_keys())
and not fernet_utils.load_keys())


@ -12,7 +12,7 @@
import keystone.conf
from keystone.common import token_utils as utils
from keystone.common import fernet_utils as utils
CONF = keystone.conf.CONF
@ -25,14 +25,14 @@ def symptom_usability_of_Fernet_key_repository():
keystone, but not world-readable, because it contains security-sensitive
secrets.
"""
token_utils = utils.TokenUtils(
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
return (
'fernet' in CONF.token.provider
and not token_utils.validate_key_repository())
and not fernet_utils.validate_key_repository())
def symptom_keys_in_Fernet_key_repository():
@ -43,11 +43,11 @@ def symptom_keys_in_Fernet_key_repository():
with keys, and periodically rotate your keys with `keystone-manage
fernet_rotate`.
"""
token_utils = utils.TokenUtils(
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
return (
'fernet' in CONF.token.provider
and not token_utils.load_keys())
and not fernet_utils.load_keys())


@ -33,7 +33,7 @@ CONF = keystone.conf.CONF
NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32)
class TokenUtils(object):
class FernetUtils(object):
def __init__(self, key_repository=None, max_active_keys=None,
config_group=None):


@ -16,7 +16,7 @@ from cryptography import fernet
from oslo_log import log
import six
from keystone.common import token_utils
from keystone.common import fernet_utils
import keystone.conf
from keystone.credential.providers import core
from keystone import exception
@ -36,13 +36,13 @@ LOG = log.getLogger(__name__)
# could remove a key used to encrypt credentials, leaving them recoverable.
# This also means that we don't need to expose a `[credential] max_active_keys`
# option through configuration. Instead we will use a global configuration and
# share that across all places that need to use TokenUtils for credential
# share that across all places that need to use FernetUtils for credential
# encryption.
MAX_ACTIVE_KEYS = 3
def get_multi_fernet_keys():
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.credential.key_repository, MAX_ACTIVE_KEYS,
'credential')
keys = key_utils.load_keys(use_null_key=True)
@ -73,7 +73,7 @@ class Provider(core.Provider):
"""
crypto, keys = get_multi_fernet_keys()
if keys[0] == token_utils.NULL_KEY:
if keys[0] == fernet_utils.NULL_KEY:
LOG.warning(
'Encrypting credentials with the null key. Please properly '
'encrypt credentials using `keystone-manage credential_setup`,'
@ -95,7 +95,7 @@ class Provider(core.Provider):
:param credential: an encrypted credential string
:returns: a decrypted credential
"""
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.credential.key_repository, MAX_ACTIVE_KEYS)
keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys]
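Review bot: The decrypt path constructs `fernet_utils.FernetUtils(CONF.credential.key_repository, MAX_ACTIVE_KEYS)` without the `'credential'` config group that `get_multi_fernet_keys` passes on the encrypt path, so the two halves of the same provider are configured differently. `FernetUtils.__init__` defaults `config_group` to None and what the group drives is not visible here (presumably validation or log messages), so the practical effect is unconfirmed, but the asymmetry looks accidental. Pass the same three arguments in both places: `key_utils = fernet_utils.FernetUtils(CONF.credential.key_repository, MAX_ACTIVE_KEYS, 'credential')`. The enclosing method starts before the hunk and continues past its last line.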


@ -20,7 +20,7 @@ from oslo_config import fixture as config_fixture
from oslo_log import log
import six
from keystone.common import token_utils
from keystone.common import fernet_utils
from keystone.common import utils as common_utils
import keystone.conf
from keystone.credential.providers import fernet as credential_fernet
@ -258,10 +258,10 @@ class ServiceHelperTests(unit.BaseTestCase):
self.assertRaises(unit.UnexpectedExit, self._do_test)
class TokenUtilsTestCase(unit.BaseTestCase):
class FernetUtilsTestCase(unit.BaseTestCase):
def setUp(self):
super(TokenUtilsTestCase, self).setUp()
super(FernetUtilsTestCase, self).setUp()
self.config_fixture = self.useFixture(config_fixture.Config(CONF))
def test_debug_message_logged_when_loading_fernet_token_keys(self):
@ -273,7 +273,7 @@ class TokenUtilsTestCase(unit.BaseTestCase):
)
)
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = token_utils.TokenUtils(
fernet_utilities = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -296,7 +296,7 @@ class TokenUtilsTestCase(unit.BaseTestCase):
)
)
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = token_utils.TokenUtils(
fernet_utilities = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS,
'credential'


@ -16,7 +16,7 @@ import uuid
from oslo_log import log
from keystone.common import token_utils
from keystone.common import fernet_utils
from keystone.credential.providers import fernet as credential_fernet
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
@ -63,7 +63,7 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):
)
def test_encryption_with_null_key(self):
null_key = token_utils.NULL_KEY
null_key = fernet_utils.NULL_KEY
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
# which is marked insecure. Keystone uses SHA1 in this case as part of
# HMAC-SHA1 which is currently not insecure but will still get


@ -12,7 +12,7 @@
import fixtures
from keystone.common import token_utils as utils
from keystone.common import fernet_utils as utils
class KeyRepository(fixtures.Fixture):
@ -28,10 +28,10 @@ class KeyRepository(fixtures.Fixture):
self.config_fixture.config(group=self.key_group,
key_repository=directory)
token_utils = utils.TokenUtils(
fernet_utils = utils.FernetUtils(
directory,
self.max_active_keys,
self.key_group
)
token_utils.create_key_directory()
token_utils.initialize_key_repository()
fernet_utils.create_key_directory()
fernet_utils.initialize_key_repository()


@ -841,7 +841,7 @@ class CredentialDoctorTests(unit.TestCase):
def test_usability_of_cred_fernet_key_repo_raised(self, mock_utils):
# Symptom Detected: credential fernet key repository is world readable
self.config_fixture.config(group='credential', provider='fernet')
mock_utils.TokenUtils().validate_key_repository.return_value = False
mock_utils.FernetUtils().validate_key_repository.return_value = False
self.assertTrue(
credential.symptom_usability_of_credential_fernet_key_repository())
@ -849,13 +849,13 @@ class CredentialDoctorTests(unit.TestCase):
def test_usability_of_cred_fernet_key_repo_not_raised(self, mock_utils):
# No Symptom Detected: Custom driver is used
self.config_fixture.config(group='credential', provider='my-driver')
mock_utils.TokenUtils().validate_key_repository.return_value = True
mock_utils.FernetUtils().validate_key_repository.return_value = True
self.assertFalse(
credential.symptom_usability_of_credential_fernet_key_repository())
# No Symptom Detected: key repository is not world readable
self.config_fixture.config(group='credential', provider='fernet')
mock_utils.TokenUtils().validate_key_repository.return_value = True
mock_utils.FernetUtils().validate_key_repository.return_value = True
self.assertFalse(
credential.symptom_usability_of_credential_fernet_key_repository())
@ -863,7 +863,7 @@ class CredentialDoctorTests(unit.TestCase):
def test_keys_in_credential_fernet_key_repository_raised(self, mock_utils):
# Symptom Detected: Key repo is empty
self.config_fixture.config(group='credential', provider='fernet')
mock_utils.TokenUtils().load_keys.return_value = False
mock_utils.FernetUtils().load_keys.return_value = False
self.assertTrue(
credential.symptom_keys_in_credential_fernet_key_repository())
@ -872,13 +872,13 @@ class CredentialDoctorTests(unit.TestCase):
self, mock_utils):
# No Symptom Detected: Custom driver is used
self.config_fixture.config(group='credential', provider='my-driver')
mock_utils.TokenUtils().load_keys.return_value = True
mock_utils.FernetUtils().load_keys.return_value = True
self.assertFalse(
credential.symptom_keys_in_credential_fernet_key_repository())
# No Symptom Detected: Key repo is not empty, fernet is current driver
self.config_fixture.config(group='credential', provider='fernet')
mock_utils.TokenUtils().load_keys.return_value = True
mock_utils.FernetUtils().load_keys.return_value = True
self.assertFalse(
credential.symptom_keys_in_credential_fernet_key_repository())
@ -1262,7 +1262,7 @@ class TokenFernetDoctorTests(unit.TestCase):
def test_usability_of_Fernet_key_repository_raised(self, mock_utils):
# Symptom Detected: Fernet key repo is world readable
self.config_fixture.config(group='token', provider='fernet')
mock_utils.TokenUtils().validate_key_repository.return_value = False
mock_utils.FernetUtils().validate_key_repository.return_value = False
self.assertTrue(
tokens_fernet.symptom_usability_of_Fernet_key_repository())
@ -1270,14 +1270,14 @@ class TokenFernetDoctorTests(unit.TestCase):
def test_usability_of_Fernet_key_repository_not_raised(self, mock_utils):
# No Symptom Detected: UUID is used instead of fernet
self.config_fixture.config(group='token', provider='uuid')
mock_utils.TokenUtils().validate_key_repository.return_value = False
mock_utils.FernetUtils().validate_key_repository.return_value = False
self.assertFalse(
tokens_fernet.symptom_usability_of_Fernet_key_repository())
# No Symptom Detected: configs set properly, key repo is not world
# readable but is user readable
self.config_fixture.config(group='token', provider='fernet')
mock_utils.TokenUtils().validate_key_repository.return_value = True
mock_utils.FernetUtils().validate_key_repository.return_value = True
self.assertFalse(
tokens_fernet.symptom_usability_of_Fernet_key_repository())
@ -1285,7 +1285,7 @@ class TokenFernetDoctorTests(unit.TestCase):
def test_keys_in_Fernet_key_repository_raised(self, mock_utils):
# Symptom Detected: Fernet key repository is empty
self.config_fixture.config(group='token', provider='fernet')
mock_utils.TokenUtils().load_keys.return_value = False
mock_utils.FernetUtils().load_keys.return_value = False
self.assertTrue(
tokens_fernet.symptom_keys_in_Fernet_key_repository())
@ -1293,14 +1293,14 @@ class TokenFernetDoctorTests(unit.TestCase):
def test_keys_in_Fernet_key_repository_not_raised(self, mock_utils):
# No Symptom Detected: UUID is used instead of fernet
self.config_fixture.config(group='token', provider='uuid')
mock_utils.TokenUtils().load_keys.return_value = True
mock_utils.FernetUtils().load_keys.return_value = True
self.assertFalse(
tokens_fernet.symptom_usability_of_Fernet_key_repository())
# No Symptom Detected: configs set properly, key repo has been
# populated with keys
self.config_fixture.config(group='token', provider='fernet')
mock_utils.TokenUtils().load_keys.return_value = True
mock_utils.FernetUtils().load_keys.return_value = True
self.assertFalse(
tokens_fernet.symptom_usability_of_Fernet_key_repository())


@ -21,8 +21,8 @@ from oslo_utils import timeutils
import six
from keystone import auth
from keystone.common import fernet_utils
from keystone.common import provider_api
from keystone.common import token_utils
from keystone.common import utils
import keystone.conf
from keystone import exception
@ -499,7 +499,7 @@ class TestFernetKeyRotation(unit.TestCase):
"""
# Load the keys into a list, keys is list of six.text_type.
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -567,7 +567,7 @@ class TestFernetKeyRotation(unit.TestCase):
# Rotate the keys just enough times to fully populate the key
# repository.
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -585,7 +585,7 @@ class TestFernetKeyRotation(unit.TestCase):
# Rotate an additional number of times to ensure that we maintain
# the desired number of active keys.
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -603,7 +603,7 @@ class TestFernetKeyRotation(unit.TestCase):
# Make sure that the init key repository contains 2 keys
self.assertRepositoryState(expected_size=2)
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -614,13 +614,13 @@ class TestFernetKeyRotation(unit.TestCase):
file_handle = mock_open()
file_handle.flush.side_effect = IOError('disk full')
with mock.patch('keystone.common.token_utils.open', mock_open):
with mock.patch('keystone.common.fernet_utils.open', mock_open):
self.assertRaises(IOError, key_utils.rotate_keys)
# Assert that the key repository is unchanged
self.assertEqual(self.key_repository_size, 2)
with mock.patch('keystone.common.token_utils.open', mock_open):
with mock.patch('keystone.common.fernet_utils.open', mock_open):
self.assertRaises(IOError, key_utils.rotate_keys)
# Assert that the key repository is still unchanged, even after
@ -640,7 +640,7 @@ class TestFernetKeyRotation(unit.TestCase):
empty_file = os.path.join(CONF.fernet_tokens.key_repository, '2')
with open(empty_file, 'w'):
pass
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -656,7 +656,7 @@ class TestFernetKeyRotation(unit.TestCase):
evil_file = os.path.join(CONF.fernet_tokens.key_repository, '99.bak')
with open(evil_file, 'w'):
pass
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -683,7 +683,7 @@ class TestLoadKeys(unit.TestCase):
evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
with open(evil_file, 'w'):
pass
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
@ -696,7 +696,7 @@ class TestLoadKeys(unit.TestCase):
empty_file = os.path.join(CONF.fernet_tokens.key_repository, '2')
with open(empty_file, 'w'):
pass
key_utils = token_utils.TokenUtils(
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'


@ -23,7 +23,7 @@ import six
from six.moves import map
from keystone.auth import plugins as auth_plugins
from keystone.common import token_utils as utils
from keystone.common import fernet_utils as utils
from keystone.common import utils as ks_utils
import keystone.conf
from keystone import exception
@ -55,12 +55,12 @@ class TokenFormatter(object):
``encrypt(plaintext)`` and ``decrypt(ciphertext)``.
"""
token_utils = utils.TokenUtils(
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keys = token_utils.load_keys()
keys = fernet_utils.load_keys()
if not keys:
raise exception.KeysNotFound()