Don't fail on converting user ids to bytes
When building Fernet token payloads, we should attempt to convert user IDs to bytes
because this makes the payload a little smaller, resulting in a smaller token.
But if we are unable to convert the user ID to bytes we shouldn't fail with a
ValueError because the user ID could be coming from LDAP, or some other
external identity backend. We can't assume the user ID is a UUID.
Change-Id: I05b1e8389b15475c3fe512a2f82ec86f81422a05
Closes-Bug: 1459382
(cherry picked from commit cb32568954
)
This commit is contained in:
parent
285f4a353f
commit
b255b8ff71
|
@ -181,3 +181,82 @@ class TestPayloads(tests.TestCase):
|
|||
self.assertEqual(exp_expires_at, expires_at)
|
||||
self.assertEqual(exp_audit_ids, audit_ids)
|
||||
self.assertEqual(exp_trust_id, trust_id)
|
||||
|
||||
def test_unscoped_payload_with_non_uuid_user_id(self):
|
||||
exp_user_id = 'someNonUuidUserId'
|
||||
exp_methods = ['password']
|
||||
exp_expires_at = timeutils.isotime(timeutils.utcnow())
|
||||
exp_audit_ids = [provider.random_urlsafe_str()]
|
||||
|
||||
payload = token_formatters.UnscopedPayload.assemble(
|
||||
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids)
|
||||
|
||||
(user_id, methods, expires_at, audit_ids) = (
|
||||
token_formatters.UnscopedPayload.disassemble(payload))
|
||||
|
||||
self.assertEqual(exp_user_id, user_id)
|
||||
self.assertEqual(exp_methods, methods)
|
||||
self.assertEqual(exp_expires_at, expires_at)
|
||||
self.assertEqual(exp_audit_ids, audit_ids)
|
||||
|
||||
def test_project_scoped_payload_with_non_uuid_user_id(self):
|
||||
exp_user_id = 'someNonUuidUserId'
|
||||
exp_methods = ['password']
|
||||
exp_project_id = uuid.uuid4().hex
|
||||
exp_expires_at = timeutils.isotime(timeutils.utcnow())
|
||||
exp_audit_ids = [provider.random_urlsafe_str()]
|
||||
|
||||
payload = token_formatters.ProjectScopedPayload.assemble(
|
||||
exp_user_id, exp_methods, exp_project_id, exp_expires_at,
|
||||
exp_audit_ids)
|
||||
|
||||
(user_id, methods, project_id, expires_at, audit_ids) = (
|
||||
token_formatters.ProjectScopedPayload.disassemble(payload))
|
||||
|
||||
self.assertEqual(exp_user_id, user_id)
|
||||
self.assertEqual(exp_methods, methods)
|
||||
self.assertEqual(exp_project_id, project_id)
|
||||
self.assertEqual(exp_expires_at, expires_at)
|
||||
self.assertEqual(exp_audit_ids, audit_ids)
|
||||
|
||||
def test_domain_scoped_payload_with_non_uuid_user_id(self):
|
||||
exp_user_id = 'someNonUuidUserId'
|
||||
exp_methods = ['password']
|
||||
exp_domain_id = uuid.uuid4().hex
|
||||
exp_expires_at = timeutils.isotime(timeutils.utcnow())
|
||||
exp_audit_ids = [provider.random_urlsafe_str()]
|
||||
|
||||
payload = token_formatters.DomainScopedPayload.assemble(
|
||||
exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
|
||||
exp_audit_ids)
|
||||
|
||||
(user_id, methods, domain_id, expires_at, audit_ids) = (
|
||||
token_formatters.DomainScopedPayload.disassemble(payload))
|
||||
|
||||
self.assertEqual(exp_user_id, user_id)
|
||||
self.assertEqual(exp_methods, methods)
|
||||
self.assertEqual(exp_domain_id, domain_id)
|
||||
self.assertEqual(exp_expires_at, expires_at)
|
||||
self.assertEqual(exp_audit_ids, audit_ids)
|
||||
|
||||
def test_trust_scoped_payload_with_non_uuid_user_id(self):
|
||||
exp_user_id = 'someNonUuidUserId'
|
||||
exp_methods = ['password']
|
||||
exp_project_id = uuid.uuid4().hex
|
||||
exp_expires_at = timeutils.isotime(timeutils.utcnow())
|
||||
exp_audit_ids = [provider.random_urlsafe_str()]
|
||||
exp_trust_id = uuid.uuid4().hex
|
||||
|
||||
payload = token_formatters.TrustScopedPayload.assemble(
|
||||
exp_user_id, exp_methods, exp_project_id, exp_expires_at,
|
||||
exp_audit_ids, exp_trust_id)
|
||||
|
||||
(user_id, methods, project_id, expires_at, audit_ids, trust_id) = (
|
||||
token_formatters.TrustScopedPayload.disassemble(payload))
|
||||
|
||||
self.assertEqual(exp_user_id, user_id)
|
||||
self.assertEqual(exp_methods, methods)
|
||||
self.assertEqual(exp_project_id, project_id)
|
||||
self.assertEqual(exp_expires_at, expires_at)
|
||||
self.assertEqual(exp_audit_ids, audit_ids)
|
||||
self.assertEqual(exp_trust_id, trust_id)
|
||||
|
|
|
@ -319,7 +319,7 @@ class UnscopedPayload(BasePayload):
|
|||
:returns: the payload of an unscoped token
|
||||
|
||||
"""
|
||||
b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
|
||||
b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
|
||||
methods = auth_plugins.convert_method_list_to_integer(methods)
|
||||
expires_at_int = cls._convert_time_string_to_int(expires_at)
|
||||
b_audit_ids = list(map(provider.random_urlsafe_str_to_bytes,
|
||||
|
@ -335,7 +335,7 @@ class UnscopedPayload(BasePayload):
|
|||
audit_ids
|
||||
|
||||
"""
|
||||
user_id = cls.convert_uuid_bytes_to_hex(payload[0])
|
||||
user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
|
||||
methods = auth_plugins.convert_integer_to_method_list(payload[1])
|
||||
expires_at_str = cls._convert_int_to_time_string(payload[2])
|
||||
audit_ids = list(map(provider.base64_encode, payload[3]))
|
||||
|
@ -357,7 +357,7 @@ class DomainScopedPayload(BasePayload):
|
|||
:returns: the payload of a domain-scoped token
|
||||
|
||||
"""
|
||||
b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
|
||||
b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
|
||||
methods = auth_plugins.convert_method_list_to_integer(methods)
|
||||
try:
|
||||
b_domain_id = cls.convert_uuid_hex_to_bytes(domain_id)
|
||||
|
@ -381,7 +381,7 @@ class DomainScopedPayload(BasePayload):
|
|||
expires_at_str, and audit_ids
|
||||
|
||||
"""
|
||||
user_id = cls.convert_uuid_bytes_to_hex(payload[0])
|
||||
user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
|
||||
methods = auth_plugins.convert_integer_to_method_list(payload[1])
|
||||
try:
|
||||
domain_id = cls.convert_uuid_bytes_to_hex(payload[2])
|
||||
|
@ -412,7 +412,7 @@ class ProjectScopedPayload(BasePayload):
|
|||
:returns: the payload of a project-scoped token
|
||||
|
||||
"""
|
||||
b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
|
||||
b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
|
||||
methods = auth_plugins.convert_method_list_to_integer(methods)
|
||||
b_project_id = cls.convert_uuid_hex_to_bytes(project_id)
|
||||
expires_at_int = cls._convert_time_string_to_int(expires_at)
|
||||
|
@ -429,7 +429,7 @@ class ProjectScopedPayload(BasePayload):
|
|||
expires_at_str, and audit_ids
|
||||
|
||||
"""
|
||||
user_id = cls.convert_uuid_bytes_to_hex(payload[0])
|
||||
user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
|
||||
methods = auth_plugins.convert_integer_to_method_list(payload[1])
|
||||
project_id = cls.convert_uuid_bytes_to_hex(payload[2])
|
||||
expires_at_str = cls._convert_int_to_time_string(payload[3])
|
||||
|
@ -455,7 +455,7 @@ class TrustScopedPayload(BasePayload):
|
|||
:returns: the payload of a trust-scoped token
|
||||
|
||||
"""
|
||||
b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
|
||||
b_user_id = cls.attempt_convert_uuid_hex_to_bytes(user_id)
|
||||
methods = auth_plugins.convert_method_list_to_integer(methods)
|
||||
b_project_id = cls.convert_uuid_hex_to_bytes(project_id)
|
||||
b_trust_id = cls.convert_uuid_hex_to_bytes(trust_id)
|
||||
|
@ -475,7 +475,7 @@ class TrustScopedPayload(BasePayload):
|
|||
expires_at_str, audit_ids, and trust_id
|
||||
|
||||
"""
|
||||
user_id = cls.convert_uuid_bytes_to_hex(payload[0])
|
||||
user_id = cls.attempt_convert_uuid_bytes_to_hex(payload[0])
|
||||
methods = auth_plugins.convert_integer_to_method_list(payload[1])
|
||||
project_id = cls.convert_uuid_bytes_to_hex(payload[2])
|
||||
expires_at_str = cls._convert_int_to_time_string(payload[3])
|
||||
|
|
Loading…
Reference in New Issue