Changed the key repo validation to allow read only

Fernet token operations would fail if the key respository did not have write access, even though it would only need read access. Added logic to validation to only check for read or read/write access based on what is required. Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d Closes-Bug: 1523664 (cherry picked from commit 0aaa3ab171)
2015-12-11 20:29:09 +00:00 · 2015-12-11 20:29:09 +00:00 · f811287bea
parent f3b9b41dcc
commit f811287bea
2 changed files with 20 additions and 16 deletions
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@ -199,7 +199,7 @@ class FernetSetup(BasePermissionsSetup):

        keystone_user_id, keystone_group_id = cls.get_user_group()
        fernet.create_key_directory(keystone_user_id, keystone_group_id)
-        if fernet.validate_key_repository():
+        if fernet.validate_key_repository(requires_write=True):
            fernet.initialize_key_repository(
                keystone_user_id, keystone_group_id)

@ -229,7 +229,7 @@ class FernetRotate(BasePermissionsSetup):
        from keystone.token.providers.fernet import utils as fernet

        keystone_user_id, keystone_group_id = cls.get_user_group()
-        if fernet.validate_key_repository():
+        if fernet.validate_key_repository(requires_write=True):
            fernet.rotate_keys(keystone_user_id, keystone_group_id)


--- a/keystone/token/providers/fernet/utils.py
+++ b/keystone/token/providers/fernet/utils.py
@ -25,29 +25,33 @@ LOG = log.getLogger(__name__)
 CONF = cfg.CONF


-def validate_key_repository():
+def validate_key_repository(requires_write=False):
    """Validate permissions on the key repository directory."""
    # NOTE(lbragstad): We shouldn't need to check if the directory was passed
    # in as None because we don't set allow_no_values to True.

-    # ensure current user has full access to the key repository
-    if (not os.access(CONF.fernet_tokens.key_repository, os.R_OK) or not
-            os.access(CONF.fernet_tokens.key_repository, os.W_OK) or not
-            os.access(CONF.fernet_tokens.key_repository, os.X_OK)):
+    # ensure current user has sufficient access to the key repository
+    is_valid = (os.access(CONF.fernet_tokens.key_repository, os.R_OK) and
+                os.access(CONF.fernet_tokens.key_repository, os.X_OK))
+    if requires_write:
+        is_valid = (is_valid and
+                    os.access(CONF.fernet_tokens.key_repository, os.W_OK))
+
+    if not is_valid:
        LOG.error(
            _LE('Either [fernet_tokens] key_repository does not exist or '
                'Keystone does not have sufficient permission to access it: '
                '%s'), CONF.fernet_tokens.key_repository)
-        return False
+    else:
+        # ensure the key repository isn't world-readable
+        stat_info = os.stat(CONF.fernet_tokens.key_repository)
+        if(stat_info.st_mode & stat.S_IROTH or
+           stat_info.st_mode & stat.S_IXOTH):
+            LOG.warning(_LW(
+                '[fernet_tokens] key_repository is world readable: %s'),
+                CONF.fernet_tokens.key_repository)

-    # ensure the key repository isn't world-readable
-    stat_info = os.stat(CONF.fernet_tokens.key_repository)
-    if stat_info.st_mode & stat.S_IROTH or stat_info.st_mode & stat.S_IXOTH:
-        LOG.warning(_LW(
-            '[fernet_tokens] key_repository is world readable: %s'),
-            CONF.fernet_tokens.key_repository)
-
-    return True
+    return is_valid


 def _convert_to_integers(id_value):