Changed the key repo validation to allow read only
Fernet token operations would fail if the key repository did not
have write access, even though they would only need read access.
Added logic to validation to only check for read or read/write
access based on what is required.
Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d
Closes-Bug: 1523664
(cherry picked from commit 0aaa3ab171
)
parent
f3b9b41dcc
commit
f811287bea
|
@ -199,7 +199,7 @@ class FernetSetup(BasePermissionsSetup):
|
|||
|
||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||
fernet.create_key_directory(keystone_user_id, keystone_group_id)
|
||||
if fernet.validate_key_repository():
|
||||
if fernet.validate_key_repository(requires_write=True):
|
||||
fernet.initialize_key_repository(
|
||||
keystone_user_id, keystone_group_id)
|
||||
|
||||
|
@ -229,7 +229,7 @@ class FernetRotate(BasePermissionsSetup):
|
|||
from keystone.token.providers.fernet import utils as fernet
|
||||
|
||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||
if fernet.validate_key_repository():
|
||||
if fernet.validate_key_repository(requires_write=True):
|
||||
fernet.rotate_keys(keystone_user_id, keystone_group_id)
|
||||
|
||||
|
||||
|
|
|
@ -25,29 +25,33 @@ LOG = log.getLogger(__name__)
|
|||
CONF = cfg.CONF
|
||||
|
||||
|
||||
def validate_key_repository():
|
||||
def validate_key_repository(requires_write=False):
|
||||
"""Validate permissions on the key repository directory."""
|
||||
# NOTE(lbragstad): We shouldn't need to check if the directory was passed
|
||||
# in as None because we don't set allow_no_values to True.
|
||||
|
||||
# ensure current user has full access to the key repository
|
||||
if (not os.access(CONF.fernet_tokens.key_repository, os.R_OK) or not
|
||||
os.access(CONF.fernet_tokens.key_repository, os.W_OK) or not
|
||||
os.access(CONF.fernet_tokens.key_repository, os.X_OK)):
|
||||
# ensure current user has sufficient access to the key repository
|
||||
is_valid = (os.access(CONF.fernet_tokens.key_repository, os.R_OK) and
|
||||
os.access(CONF.fernet_tokens.key_repository, os.X_OK))
|
||||
if requires_write:
|
||||
is_valid = (is_valid and
|
||||
os.access(CONF.fernet_tokens.key_repository, os.W_OK))
|
||||
|
||||
if not is_valid:
|
||||
LOG.error(
|
||||
_LE('Either [fernet_tokens] key_repository does not exist or '
|
||||
'Keystone does not have sufficient permission to access it: '
|
||||
'%s'), CONF.fernet_tokens.key_repository)
|
||||
return False
|
||||
else:
|
||||
# ensure the key repository isn't world-readable
|
||||
stat_info = os.stat(CONF.fernet_tokens.key_repository)
|
||||
if(stat_info.st_mode & stat.S_IROTH or
|
||||
stat_info.st_mode & stat.S_IXOTH):
|
||||
LOG.warning(_LW(
|
||||
'[fernet_tokens] key_repository is world readable: %s'),
|
||||
CONF.fernet_tokens.key_repository)
|
||||
|
||||
# ensure the key repository isn't world-readable
|
||||
stat_info = os.stat(CONF.fernet_tokens.key_repository)
|
||||
if stat_info.st_mode & stat.S_IROTH or stat_info.st_mode & stat.S_IXOTH:
|
||||
LOG.warning(_LW(
|
||||
'[fernet_tokens] key_repository is world readable: %s'),
|
||||
CONF.fernet_tokens.key_repository)
|
||||
|
||||
return True
|
||||
return is_valid
|
||||
|
||||
|
||||
def _convert_to_integers(id_value):
|
||||
|
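Review bot: The world-access check that survives into the new code (`if stat_info.st_mode & stat.S_IROTH or stat_info.st_mode & stat.S_IXOTH:`) still only warns on other-readable/other-executable bits, so a repository that is world-writable with the read bit clear passes silently, even though write access to the key repository is the more dangerous case for a token-signing key store. Since this line is being rewritten anyway, consider `if stat_info.st_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):` and wording the warning as "world accessible" rather than "world readable". The new `requires_write` parameter and the boolean return are also undocumented; the docstring should gain a line such as `:param requires_write: also require write access, as needed for key setup and rotation` and `:returns: True if the current user has the required access, False otherwise`.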