From ff6188c7fe41ec2eb38b7159758a5f1e4da401e4 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Wed, 18 Jun 2014 23:20:02 -0400 Subject: [PATCH] Hash the token id if it is over a maximum length Instead of exclusively hashing the token id based on if the token is ASN1, hash the id if it exceeds the maximum size allowed within the session. Keystone has allowed more than simple PKI and UUID tokens so the is_asn1_token check will not catch all cases. Closes-Bug: 1331406 Change-Id: I7891eb3fb35a10926ac16829eed0ff8c306f2661 --- openstack_auth/user.py | 2 +- openstack_auth/utils.py | 46 ----------------------------------------- 2 files changed, 1 insertion(+), 47 deletions(-) diff --git a/openstack_auth/user.py b/openstack_auth/user.py index 91c1565d..fd000781 100644 --- a/openstack_auth/user.py +++ b/openstack_auth/user.py @@ -68,7 +68,7 @@ class Token(object): # Token-related attributes self.id = auth_ref.auth_token - if utils.is_asn1_token(self.id): + if len(self.id) > 32: self.id = hashlib.md5(self.id).hexdigest() self.expires = auth_ref.expires diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py index 43aa4b2f..7278d2eb 100644 --- a/openstack_auth/utils.py +++ b/openstack_auth/utils.py @@ -76,52 +76,6 @@ def check_token_expiration(token): return False -# Copied from Keystone's keystone/common/cms.py file. -PKI_ASN1_PREFIX = 'MII' - - -def is_asn1_token(token): - ''' - thx to ayoung for sorting this out. - - base64 decoded hex representation of MII is 3082 - In [3]: binascii.hexlify(base64.b64decode('MII=')) - Out[3]: '3082' - - re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf - - pg4: For tags from 0 to 30 the first octet is the identfier - pg10: Hex 30 means sequence, followed by the length of that sequence. - pg5: Second octet is the length octet - first bit indicates short or long form, next 7 bits encode the number - of subsequent octets that make up the content length octets as an - unsigned binary int - - 82 = 10000010 (first bit indicates long form) - 0000010 = 2 octets of content length - so read the next 2 octets to get the length of the content. - - In the case of a very large content length there could be a requirement to - have more than 2 octets to designate the content length, therefore - requiring us to check for MIM, MIQ, etc. - In [4]: base64.b64encode(binascii.a2b_hex('3083')) - Out[4]: 'MIM=' - In [5]: base64.b64encode(binascii.a2b_hex('3084')) - Out[5]: 'MIQ=' - Checking for MI would become invalid at 16 octets of content length - 10010000 = 90 - In [6]: base64.b64encode(binascii.a2b_hex('3090')) - Out[6]: 'MJA=' - Checking for just M is insufficient - - But we will only check for MII: - Max length of the content using 2 octets is 7FFF or 32767 - It's not practical to support a token of this length or greater in http - therefore, we will check for MII only and ignore the case of larger tokens - ''' - return token[:3] == PKI_ASN1_PREFIX - - # From django.contrib.auth.views # Added in Django 1.4.3, 1.5b2 # Vendored here for compatibility with old Django versions.