Hash the token id if it is over a maximum length
Instead of exclusively hashing the token id based on if the token is ASN1, hash the id if it exceeds the maximum size allowed within the session. Keystone has allowed more than simple PKI and UUID tokens so the is_asn1_token check will not catch all cases. Closes-Bug: 1331406 Change-Id: I7891eb3fb35a10926ac16829eed0ff8c306f2661
This commit is contained in:
parent
a78e41c1ed
commit
ff6188c7fe
|
@ -68,7 +68,7 @@ class Token(object):
|
|||
|
||||
# Token-related attributes
|
||||
self.id = auth_ref.auth_token
|
||||
if utils.is_asn1_token(self.id):
|
||||
if len(self.id) > 32:
|
||||
self.id = hashlib.md5(self.id).hexdigest()
|
||||
self.expires = auth_ref.expires
|
||||
|
||||
|
|
|
@ -76,52 +76,6 @@ def check_token_expiration(token):
|
|||
return False
|
||||
|
||||
|
||||
# Copied from Keystone's keystone/common/cms.py file.
|
||||
PKI_ASN1_PREFIX = 'MII'
|
||||
|
||||
|
||||
def is_asn1_token(token):
|
||||
'''
|
||||
thx to ayoung for sorting this out.
|
||||
|
||||
base64 decoded hex representation of MII is 3082
|
||||
In [3]: binascii.hexlify(base64.b64decode('MII='))
|
||||
Out[3]: '3082'
|
||||
|
||||
re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
|
||||
|
||||
pg4: For tags from 0 to 30 the first octet is the identfier
|
||||
pg10: Hex 30 means sequence, followed by the length of that sequence.
|
||||
pg5: Second octet is the length octet
|
||||
first bit indicates short or long form, next 7 bits encode the number
|
||||
of subsequent octets that make up the content length octets as an
|
||||
unsigned binary int
|
||||
|
||||
82 = 10000010 (first bit indicates long form)
|
||||
0000010 = 2 octets of content length
|
||||
so read the next 2 octets to get the length of the content.
|
||||
|
||||
In the case of a very large content length there could be a requirement to
|
||||
have more than 2 octets to designate the content length, therefore
|
||||
requiring us to check for MIM, MIQ, etc.
|
||||
In [4]: base64.b64encode(binascii.a2b_hex('3083'))
|
||||
Out[4]: 'MIM='
|
||||
In [5]: base64.b64encode(binascii.a2b_hex('3084'))
|
||||
Out[5]: 'MIQ='
|
||||
Checking for MI would become invalid at 16 octets of content length
|
||||
10010000 = 90
|
||||
In [6]: base64.b64encode(binascii.a2b_hex('3090'))
|
||||
Out[6]: 'MJA='
|
||||
Checking for just M is insufficient
|
||||
|
||||
But we will only check for MII:
|
||||
Max length of the content using 2 octets is 7FFF or 32767
|
||||
It's not practical to support a token of this length or greater in http
|
||||
therefore, we will check for MII only and ignore the case of larger tokens
|
||||
'''
|
||||
return token[:3] == PKI_ASN1_PREFIX
|
||||
|
||||
|
||||
# From django.contrib.auth.views
|
||||
# Added in Django 1.4.3, 1.5b2
|
||||
# Vendored here for compatibility with old Django versions.
|
||||
|
|
Loading…
Reference in New Issue