Make keystone exit when fernet keys don't exist
An outcome of some of the token discussions in Austin was that when Fernet is the configured token provider, Keystone should fail on startup if there are no keys in the key repository or if the repository doesn't exist. Closes-Bug: 1576315 Change-Id: I0351dddc49da5908f46e09e22467f6fb112593dd
parent
0d376025ba
commit
971ba5fa45
|
@ -22,6 +22,7 @@ from keystone.common import dependency
|
|||
from keystone.common import utils
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import ksfixtures
|
||||
from keystone.tests.unit.ksfixtures import database
|
||||
from keystone import token
|
||||
from keystone.token.providers import fernet
|
||||
|
@ -717,6 +718,7 @@ class TestTokenProvider(unit.TestCase):
|
|||
def setUp(self):
|
||||
super(TestTokenProvider, self).setUp()
|
||||
self.useFixture(database.Database())
|
||||
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
|
||||
self.load_backends()
|
||||
|
||||
def test_get_token_version(self):
|
||||
|
|
|
@ -1421,8 +1421,6 @@ class TestFernetTokenProviderV2(RestfulTestCase):
|
|||
|
||||
def setUp(self):
|
||||
super(TestFernetTokenProviderV2, self).setUp()
|
||||
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
|
||||
|
||||
# Add catalog data
|
||||
self.region = unit.new_region_ref()
|
||||
self.region_id = self.region['id']
|
||||
|
@ -1458,6 +1456,7 @@ class TestFernetTokenProviderV2(RestfulTestCase):
|
|||
def config_overrides(self):
|
||||
super(TestFernetTokenProviderV2, self).config_overrides()
|
||||
self.config_fixture.config(group='token', provider='fernet')
|
||||
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
|
||||
|
||||
def test_authenticate_unscoped_token(self):
|
||||
unscoped_token = self.get_unscoped_token()
|
||||
|
|
|
@ -4718,10 +4718,10 @@ class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain):
|
|||
class TestAuthFernetTokenProvider(TestAuth):
|
||||
def setUp(self):
|
||||
super(TestAuthFernetTokenProvider, self).setUp()
|
||||
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
|
||||
|
||||
def config_overrides(self):
|
||||
super(TestAuthFernetTokenProvider, self).config_overrides()
|
||||
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
|
||||
self.config_fixture.config(group='token', provider='fernet')
|
||||
|
||||
def test_verify_with_bound_token(self):
|
||||
|
|
|
@ -10,11 +10,14 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import os
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
from keystone.common import dependency
|
||||
from keystone.common import utils as ks_utils
|
||||
from keystone.federation import constants as federation_constants
|
||||
from keystone.i18n import _
|
||||
from keystone.token.providers import common
|
||||
from keystone.token.providers.fernet import token_formatters as tf
|
||||
|
||||
|
@ -27,6 +30,20 @@ class Provider(common.BaseProvider):
|
|||
def __init__(self, *args, **kwargs):
|
||||
super(Provider, self).__init__(*args, **kwargs)
|
||||
|
||||
# NOTE(lbragstad): We add these checks here because if the fernet
|
||||
# provider is going to be used and either the `key_repository` is empty
|
||||
# or doesn't exist we should fail, hard. It doesn't make sense to start
|
||||
# keystone and just 500 because we can't do anything with an empty or
|
||||
# non-existant key repository.
|
||||
if not os.path.exists(CONF.fernet_tokens.key_repository):
|
||||
subs = {'key_repo': CONF.fernet_tokens.key_repository}
|
||||
raise SystemExit(_('%(key_repo)s does not exist') % subs)
|
||||
if not os.listdir(CONF.fernet_tokens.key_repository):
|
||||
subs = {'key_repo': CONF.fernet_tokens.key_repository}
|
||||
raise SystemExit(_('%(key_repo)s does not contain keys, use '
|
||||
'keystone-manage fernet_setup to create '
|
||||
'Fernet keys.') % subs)
|
||||
|
||||
self.token_formatter = tf.TokenFormatter()
|
||||
|
||||
def needs_persistence(self):
|
||||
|
|
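Review bot: `os.listdir(CONF.fernet_tokens.key_repository)` raises OSError when the directory exists but is not readable by the keystone process (wrong owner or mode, the usual misconfiguration for a key repository), so that case escapes the new fail-fast path as a traceback instead of the clear SystemExit this change is adding. Catching OSError and reporting it with the same `_()` message style keeps the operator-facing behaviour consistent, and binding the path once avoids reading CONF three times. A non-empty listing is only a minimal check (a stray non-key file would satisfy it); presumably the TokenFormatter's key loading validates the contents, so a one-line comment such as `# Only presence is checked here; key contents are validated when TokenFormatter loads them` would make that explicit. I do not see a test in the visible hunks asserting that Provider() raises SystemExit for a missing or empty repository; one may exist outside this view.
```python
        key_repo = CONF.fernet_tokens.key_repository
        if not os.path.exists(key_repo):
            raise SystemExit(_('%(key_repo)s does not exist') % {'key_repo': key_repo})
        try:
            key_files = os.listdir(key_repo)
        except OSError as e:
            raise SystemExit(_('%(key_repo)s is not readable: %(err)s')
                             % {'key_repo': key_repo, 'err': e})
        if not key_files:
            raise SystemExit(_('%(key_repo)s does not contain keys, use '
                               'keystone-manage fernet_setup to create '
                               'Fernet keys.') % {'key_repo': key_repo})
        # … unchanged: self.token_formatter = tf.TokenFormatter() …
```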