diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
index a6c3038d5..9161d70b8 100644
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@@ -576,7 +576,8 @@ class FernetSetup(BasePermissionsSetup):
 def main(cls):
 futils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -610,7 +611,8 @@ class FernetRotate(BasePermissionsSetup):
 def main(cls):
 futils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -633,7 +635,8 @@ class CredentialSetup(BasePermissionsSetup):
 def main(cls):
 futils = fernet_utils.FernetUtils(
 CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
 )
 keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -704,7 +707,8 @@ class CredentialRotate(BasePermissionsSetup):
 def main(cls):
 futils = fernet_utils.FernetUtils(
 CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
 )
 keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -763,7 +767,8 @@ class CredentialMigrate(BasePermissionsSetup):
 # Check to make sure we have a repository that works...
 futils = fernet_utils.FernetUtils(
 CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
 )
 futils.validate_key_repository(requires_write=True)
 klass = cls()
diff --git a/keystone/cmd/doctor/credential.py b/keystone/cmd/doctor/credential.py
index b9b0f4a36..54b11ede4 100644
--- a/keystone/cmd/doctor/credential.py
+++ b/keystone/cmd/doctor/credential.py
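Review bot: Each of the five `FernetUtils(...)` calls in this file passes the new config-group argument as a bare positional string literal (`'fernet_tokens'` / `'credential'`), which reads as an opaque magic value at the call site; writing it as `config_group='fernet_tokens'` would make the intent obvious and would not silently shift meaning if the constructor ever gains another optional parameter. The same applies to the call sites in the doctor hunks, core.py and token_formatters.py later in this diff. The construction is now duplicated verbatim across FernetSetup, FernetRotate, CredentialSetup, CredentialRotate and CredentialMigrate; a small helper on BasePermissionsSetup that returns the configured FernetUtils for a given config group would keep the five in step the next time the signature changes. Each `main` method here continues outside its hunk.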
@@ -49,7 +49,8 @@ def symptom_usability_of_credential_fernet_key_repository():
 """
 fernet_utils = utils.FernetUtils(
 CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
 )
 return (
 'fernet' in CONF.credential.provider
@@ -66,7 +67,8 @@ def symptom_keys_in_credential_fernet_key_repository():
 """
 fernet_utils = utils.FernetUtils(
 CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
 )
 return (
 'fernet' in CONF.credential.provider
diff --git a/keystone/cmd/doctor/tokens_fernet.py b/keystone/cmd/doctor/tokens_fernet.py
index bf7d30db7..e0e7a5bdd 100644
--- a/keystone/cmd/doctor/tokens_fernet.py
+++ b/keystone/cmd/doctor/tokens_fernet.py
@@ -27,7 +27,8 @@ def symptom_usability_of_Fernet_key_repository():
 """
 fernet_utils = utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 return (
 'fernet' in CONF.token.provider
@@ -44,7 +45,8 @@ def symptom_keys_in_Fernet_key_repository():
 """
 fernet_utils = utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 return (
 'fernet' in CONF.token.provider
diff --git a/keystone/common/fernet_utils.py b/keystone/common/fernet_utils.py
index 4eddff52f..70a4fb173 100644
--- a/keystone/common/fernet_utils.py
+++ b/keystone/common/fernet_utils.py
@@ -36,9 +36,11 @@ NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32)
 class FernetUtils(object):
- def __init__(self, key_repository=None, max_active_keys=None):
+ def __init__(self, key_repository=None, max_active_keys=None,
+ config_group=None):
 self.key_repository = key_repository
 self.max_active_keys = max_active_keys
+ self.config_group = config_group
 def validate_key_repository(self, requires_write=False):
 """Validate permissions on the key repository directory."""
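Review bot: The new `config_group` parameter in the `FernetUtils.__init__` hunk defaults to `None`, so any caller that still uses the two-argument form (the previous signature) will now log `Either [None] key_repository does not exist ...` from the `LOG.error` call in the following fernet_utils.py hunk, where the old text hard-coded `[fernet_tokens]`. If the default is meant to keep the old message for such callers, `config_group='fernet_tokens'` as the default is the backward-compatible choice; if every caller is expected to pass it, a docstring on `__init__` stating that `config_group` names the `[section]` of keystone.conf the repository settings came from and is used only in diagnostic messages would make that contract explicit. The class body continues outside the hunk.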
@@ -54,9 +56,11 @@ class FernetUtils(object):
 if not is_valid:
 LOG.error(
- _LE('Either [fernet_tokens] key_repository does not exist or '
- 'Keystone does not have sufficient permission to access '
- 'it: %s'), self.key_repository)
+ _LE('Either [%(config_group)s] key_repository does not exist '
+ 'or Keystone does not have sufficient permission to '
+ 'access it: %(key_repo)s'),
+ {'key_repo': self.key_repository,
+ 'config_group': self.config_group})
 else:
 # ensure the key repository isn't world-readable
 stat_info = os.stat(self.key_repository)
diff --git a/keystone/credential/providers/fernet/core.py b/keystone/credential/providers/fernet/core.py
index b77d11a8e..cdccef07c 100644
--- a/keystone/credential/providers/fernet/core.py
+++ b/keystone/credential/providers/fernet/core.py
@@ -43,7 +43,8 @@ MAX_ACTIVE_KEYS = 3
 def get_multi_fernet_keys():
 key_utils = fernet_utils.FernetUtils(
- CONF.credential.key_repository, MAX_ACTIVE_KEYS)
+ CONF.credential.key_repository, MAX_ACTIVE_KEYS,
+ 'credential')
 keys = key_utils.load_keys(use_null_key=True)
 fernet_keys = [fernet.Fernet(key) for key in keys]
diff --git a/keystone/tests/unit/common/test_utils.py b/keystone/tests/unit/common/test_utils.py
index 2a260000b..1abcf9cc6 100644
--- a/keystone/tests/unit/common/test_utils.py
+++ b/keystone/tests/unit/common/test_utils.py
@@ -261,7 +261,8 @@ class FernetUtilsTestCase(unit.BaseTestCase):
 logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
 fernet_utilities = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 fernet_utilities.load_keys()
 expected_debug_message = (
@@ -283,11 +284,12 @@ class FernetUtilsTestCase(unit.BaseTestCase):
 logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
 fernet_utilities = fernet_utils.FernetUtils(
 CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
 )
 fernet_utilities.load_keys()
 debug_message = (
- 'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
+ 'Loaded 2 Fernet keys from %(dir)s, but `[credential] '
 'max_active_keys = %(max)d`; perhaps there have not been enough '
 'key rotations to reach `max_active_keys` yet?') % {
 'dir': CONF.credential.key_repository,
diff --git a/keystone/tests/unit/ksfixtures/key_repository.py b/keystone/tests/unit/ksfixtures/key_repository.py
index 57f9fcecf..e5fdd3324 100644
--- a/keystone/tests/unit/ksfixtures/key_repository.py
+++ b/keystone/tests/unit/ksfixtures/key_repository.py
@@ -33,7 +33,8 @@ class KeyRepository(fixtures.Fixture):
 fernet_utils = utils.FernetUtils(
 directory,
- self.max_active_keys
+ self.max_active_keys,
+ self.key_group
 )
 fernet_utils.create_key_directory()
 fernet_utils.initialize_key_repository()
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index 17a2d0e18..02f8a54f7 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -535,7 +535,8 @@ class TestFernetKeyRotation(unit.TestCase):
 # Load the keys into a list, keys is list of six.text_type.
 key_utils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 keys = key_utils.load_keys()
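Review bot: The expected `debug_message` in this test_utils.py hunk now asserts `[credential]` in the text emitted by `load_keys()`, but the only fernet_utils.py hunks in this diff change `__init__` and `validate_key_repository`; nothing shown touches the `[fernet_tokens]` text that `load_keys` presumably still emits, so unless that change lives outside this patch the assertion will fail. Either the matching `load_keys` change is missing, or the commit should point at where the message is built from `self.config_group` so a reviewer can confirm the two agree. The test method begins outside the hunk.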
@@ -602,7 +603,8 @@ class TestFernetKeyRotation(unit.TestCase):
 # repository.
 key_utils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 for rotation in range(max_active_keys - min_active_keys):
 key_utils.rotate_keys()
@@ -619,7 +621,8 @@ class TestFernetKeyRotation(unit.TestCase):
 # the desired number of active keys.
 key_utils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 for rotation in range(10):
 key_utils.rotate_keys()
@@ -645,7 +648,8 @@ class TestFernetKeyRotation(unit.TestCase):
 key_utils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 # Simulate the disk full situation
@@ -672,7 +676,8 @@ class TestFernetKeyRotation(unit.TestCase):
 pass
 key_utils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 key_utils.rotate_keys()
 self.assertTrue(os.path.isfile(evil_file))
@@ -703,7 +708,8 @@ class TestLoadKeys(unit.TestCase):
 pass
 key_utils = fernet_utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 keys = key_utils.load_keys()
 self.assertEqual(2, len(keys))
diff --git a/keystone/token/providers/fernet/token_formatters.py b/keystone/token/providers/fernet/token_formatters.py
index 44a18cb4c..43502ca82 100644
--- a/keystone/token/providers/fernet/token_formatters.py
+++ b/keystone/token/providers/fernet/token_formatters.py
@@ -58,7 +58,8 @@ class TokenFormatter(object):
 """
 fernet_utils = utils.FernetUtils(
 CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
 )
 keys = fernet_utils.load_keys()