Don't fail on converting user ids to bytes

When building Fernet token payloads, we should attempt to convert user IDs to bytes because this makes the payload a little smaller, resulting in a smaller token. But if we are unable to convert the user ID to bytes we shouldn't fail with a ValueError because the user ID could be coming from LDAP, or some other external identity backend. We can't assume the user ID is a UUID. Change-Id: I05b1e8389b15475c3fe512a2f82ec86f81422a05 Closes-Bug: 1459382 (cherry picked from commit cb32568954)
2015-05-27 18:18:28 +00:00 · 2015-05-27 18:18:28 +00:00 · b255b8ff71
parent 285f4a353f
commit b255b8ff71
2 changed files with 87 additions and 8 deletions
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -181,3 +181,82 @@ class TestPayloads(tests.TestCase):
        self.assertEqual(exp_expires_at, expires_at)
        self.assertEqual(exp_audit_ids, audit_ids)
        self.assertEqual(exp_trust_id, trust_id)
+
+    def test_unscoped_payload_with_non_uuid_user_id(self):
+        exp_user_id = 'someNonUuidUserId'
+        exp_methods = ['password']
+        exp_expires_at = timeutils.isotime(timeutils.utcnow())
+        exp_audit_ids = [provider.random_urlsafe_str()]
+
+        payload = token_formatters.UnscopedPayload.assemble(
+            exp_user_id, exp_methods, exp_expires_at, exp_audit_ids)
+
+        (user_id, methods, expires_at, audit_ids) = (
+            token_formatters.UnscopedPayload.disassemble(payload))
+
+        self.assertEqual(exp_user_id, user_id)
+        self.assertEqual(exp_methods, methods)
+        self.assertEqual(exp_expires_at, expires_at)
+        self.assertEqual(exp_audit_ids, audit_ids)
+
+    def test_project_scoped_payload_with_non_uuid_user_id(self):
+        exp_user_id = 'someNonUuidUserId'
+        exp_methods = ['password']
+        exp_project_id = uuid.uuid4().hex
+        exp_expires_at = timeutils.isotime(timeutils.utcnow())
+        exp_audit_ids = [provider.random_urlsafe_str()]
+
+        payload = token_formatters.ProjectScopedPayload.assemble(
+            exp_user_id, exp_methods, exp_project_id, exp_expires_at,
+            exp_audit_ids)
+
+        (user_id, methods, project_id, expires_at, audit_ids) = (
+            token_formatters.ProjectScopedPayload.disassemble(payload))
+
+        self.assertEqual(exp_user_id, user_id)
+        self.assertEqual(exp_methods, methods)
+        self.assertEqual(exp_project_id, project_id)
+        self.assertEqual(exp_expires_at, expires_at)
+        self.assertEqual(exp_audit_ids, audit_ids)
+
+    def test_domain_scoped_payload_with_non_uuid_user_id(self):
+        exp_user_id = 'someNonUuidUserId'
+        exp_methods = ['password']
+        exp_domain_id = uuid.uuid4().hex
+        exp_expires_at = timeutils.isotime(timeutils.utcnow())
+        exp_audit_ids = [provider.random_urlsafe_str()]
+
+        payload = token_formatters.DomainScopedPayload.assemble(
+            exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
+            exp_audit_ids)
+
+        (user_id, methods, domain_id, expires_at, audit_ids) = (
+            token_formatters.DomainScopedPayload.disassemble(payload))
+
+        self.assertEqual(exp_user_id, user_id)
+        self.assertEqual(exp_methods, methods)
+        self.assertEqual(exp_domain_id, domain_id)
+        self.assertEqual(exp_expires_at, expires_at)
+        self.assertEqual(exp_audit_ids, audit_ids)
+
+    def test_trust_scoped_payload_with_non_uuid_user_id(self):
+        exp_user_id = 'someNonUuidUserId'
+        exp_methods = ['password']
+        exp_project_id = uuid.uuid4().hex
+        exp_expires_at = timeutils.isotime(timeutils.utcnow())
+        exp_audit_ids = [provider.random_urlsafe_str()]
+        exp_trust_id = uuid.uuid4().hex
+
+        payload = token_formatters.TrustScopedPayload.assemble(
+            exp_user_id, exp_methods, exp_project_id, exp_expires_at,
+            exp_audit_ids, exp_trust_id)
+
+        (user_id, methods, project_id, expires_at, audit_ids, trust_id) = (
+            token_formatters.TrustScopedPayload.disassemble(payload))
+
+        self.assertEqual(exp_user_id, user_id)
+        self.assertEqual(exp_methods, methods)
+        self.assertEqual(exp_project_id, project_id)
+        self.assertEqual(exp_expires_at, expires_at)
+        self.assertEqual(exp_audit_ids, audit_ids)
+        self.assertEqual(exp_trust_id, trust_id)
--- a/keystone/token/providers/fernet/token_formatters.py
+++ b/keystone/token/providers/fernet/token_formatters.py
@ -319,7 +319,7 @@ class UnscopedPayload(BasePayload):
        :returns: the payload of an unscoped token

        """
-        b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
+        b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
        methods = auth_plugins.convert_method_list_to_integer(methods)
        expires_at_int = cls._convert_time_string_to_int(expires_at)
        b_audit_ids = list(map(provider.random_urlsafe_str_to_bytes,
@ -335,7 +335,7 @@ class UnscopedPayload(BasePayload):
                 audit_ids

        """
-        user_id = cls.convert_uuid_bytes_to_hex(payload[0])
+        user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
        methods = auth_plugins.convert_integer_to_method_list(payload[1])
        expires_at_str = cls._convert_int_to_time_string(payload[2])
        audit_ids = list(map(provider.base64_encode, payload[3]))
@ -357,7 +357,7 @@ class DomainScopedPayload(BasePayload):
        :returns: the payload of a domain-scoped token

        """
-        b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
+        b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
        methods = auth_plugins.convert_method_list_to_integer(methods)
        try:
            b_domain_id = cls.convert_uuid_hex_to_bytes(domain_id)
@ -381,7 +381,7 @@ class DomainScopedPayload(BasePayload):
                 expires_at_str, and audit_ids

        """
-        user_id = cls.convert_uuid_bytes_to_hex(payload[0])
+        user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
        methods = auth_plugins.convert_integer_to_method_list(payload[1])
        try:
            domain_id = cls.convert_uuid_bytes_to_hex(payload[2])
@ -412,7 +412,7 @@ class ProjectScopedPayload(BasePayload):
        :returns: the payload of a project-scoped token

        """
-        b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
+        b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
        methods = auth_plugins.convert_method_list_to_integer(methods)
        b_project_id = cls.convert_uuid_hex_to_bytes(project_id)
        expires_at_int = cls._convert_time_string_to_int(expires_at)
@ -429,7 +429,7 @@ class ProjectScopedPayload(BasePayload):
                 expires_at_str, and audit_ids

        """
-        user_id = cls.convert_uuid_bytes_to_hex(payload[0])
+        user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
        methods = auth_plugins.convert_integer_to_method_list(payload[1])
        project_id = cls.convert_uuid_bytes_to_hex(payload[2])
        expires_at_str = cls._convert_int_to_time_string(payload[3])
@ -455,7 +455,7 @@ class TrustScopedPayload(BasePayload):
        :returns: the payload of a trust-scoped token

        """
-        b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
+        b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
        methods = auth_plugins.convert_method_list_to_integer(methods)
        b_project_id = cls.convert_uuid_hex_to_bytes(project_id)
        b_trust_id = cls.convert_uuid_hex_to_bytes(trust_id)
@ -475,7 +475,7 @@ class TrustScopedPayload(BasePayload):
                  expires_at_str, audit_ids, and trust_id

        """
-        user_id = cls.convert_uuid_bytes_to_hex(payload[0])
+        user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
        methods = auth_plugins.convert_integer_to_method_list(payload[1])
        project_id = cls.convert_uuid_bytes_to_hex(payload[2])
        expires_at_str = cls._convert_int_to_time_string(payload[3])