Merge "Fix bad error message from FernetUtils"

Jenkins 2017-02-01 02:33:46 +00:00 committed by Gerrit Code Review
commit 287984c90a
9 changed files with 49 additions and 25 deletions


@ -576,7 +576,8 @@ class FernetSetup(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@ -610,7 +611,8 @@ class FernetRotate(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@ -633,7 +635,8 @@ class CredentialSetup(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@ -704,7 +707,8 @@ class CredentialRotate(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@ -763,7 +767,8 @@ class CredentialMigrate(BasePermissionsSetup):
# Check to make sure we have a repository that works...
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
futils.validate_key_repository(requires_write=True)
klass = cls()
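Review bot: The new third argument is passed positionally as a bare string literal at every `fernet_utils.FernetUtils(...)` call in this section (FernetSetup, FernetRotate, CredentialSetup, CredentialRotate, CredentialMigrate), so nothing ties the label to the `CONF` group that the first argument is read from. If a literal is mistyped or pasted next to the wrong group, the key-repository permission error would point an operator at the wrong config section while they are trying to fix access to key material. Passing it by keyword, e.g. `config_group='fernet_tokens'`, makes the intent visible at the call site. The same applies to the call sites in the doctor, credential provider, token formatter and test sections of this commit. The enclosing `main` methods start and end outside the hunks.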


@ -49,7 +49,8 @@ def symptom_usability_of_credential_fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
return (
'fernet' in CONF.credential.provider
@ -66,7 +67,8 @@ def symptom_keys_in_credential_fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
return (
'fernet' in CONF.credential.provider


@ -27,7 +27,8 @@ def symptom_usability_of_Fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
return (
'fernet' in CONF.token.provider
@ -44,7 +45,8 @@ def symptom_keys_in_Fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
return (
'fernet' in CONF.token.provider


@ -36,9 +36,11 @@ NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32)
class FernetUtils(object):
def __init__(self, key_repository=None, max_active_keys=None):
def __init__(self, key_repository=None, max_active_keys=None,
config_group=None):
self.key_repository = key_repository
self.max_active_keys = max_active_keys
self.config_group = config_group
def validate_key_repository(self, requires_write=False):
"""Validate permissions on the key repository directory."""
@ -54,9 +56,11 @@ class FernetUtils(object):
if not is_valid:
LOG.error(
_LE('Either [fernet_tokens] key_repository does not exist or '
'Keystone does not have sufficient permission to access '
'it: %s'), self.key_repository)
_LE('Either [%(config_group)s] key_repository does not exist '
'or Keystone does not have sufficient permission to '
'access it: %(key_repo)s'),
{'key_repo': self.key_repository,
'config_group': self.config_group})
else:
# ensure the key repository isn't world-readable
stat_info = os.stat(self.key_repository)
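Review bot: `config_group` defaults to `None` in `__init__`, so any caller that still constructs `FernetUtils` with two arguments would make `validate_key_repository` log `Either [None] key_repository does not exist ...`, which is less helpful than the old hard-coded text. Every call site in this commit passes a group, so the parameter could be made required or a missing value rejected up front, e.g. `if config_group is None: raise ValueError('config_group is required')`; whether out-of-tree callers rely on the two-argument form cannot be told from this page. The constructor also has no docstring, and a one-line one such as `"""config_group: name of the configuration section key_repository comes from; used in log messages."""` would make clear that the value is a label. The test section expects a `load_keys` debug message containing `[credential] max_active_keys` while no hunk here touches `load_keys`, so that message is worth checking for the same hard-coded group name. `validate_key_repository` continues past the end of the second hunk.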


@ -43,7 +43,8 @@ MAX_ACTIVE_KEYS = 3
def get_multi_fernet_keys():
key_utils = fernet_utils.FernetUtils(
CONF.credential.key_repository, MAX_ACTIVE_KEYS)
CONF.credential.key_repository, MAX_ACTIVE_KEYS,
'credential')
keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys]


@ -261,7 +261,8 @@ class FernetUtilsTestCase(unit.BaseTestCase):
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
fernet_utilities.load_keys()
expected_debug_message = (
@ -283,11 +284,12 @@ class FernetUtilsTestCase(unit.BaseTestCase):
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = fernet_utils.FernetUtils(
CONF.credential.key_repository,
credential_fernet.MAX_ACTIVE_KEYS
credential_fernet.MAX_ACTIVE_KEYS,
'credential'
)
fernet_utilities.load_keys()
debug_message = (
'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
'Loaded 2 Fernet keys from %(dir)s, but `[credential] '
'max_active_keys = %(max)d`; perhaps there have not been enough '
'key rotations to reach `max_active_keys` yet?') % {
'dir': CONF.credential.key_repository,
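Review bot: Neither hunk in this test section covers the message this commit actually changes, the `LOG.error` in `validate_key_repository`; the edits here only pass the new argument through and change the group name in a `load_keys` debug string. A test that builds `FernetUtils` with `'credential'` and a key repository path that does not exist, calls `validate_key_repository()`, and asserts that the captured log contains `[credential] key_repository` would pin the fix. The `fixtures.FakeLogger(level=log.DEBUG)` fixture already used in these tests should capture that error. Both test methods begin and end outside the hunks, so how `debug_message` is asserted is not visible here.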


@ -33,7 +33,8 @@ class KeyRepository(fixtures.Fixture):
fernet_utils = utils.FernetUtils(
directory,
self.max_active_keys
self.max_active_keys,
self.key_group
)
fernet_utils.create_key_directory()
fernet_utils.initialize_key_repository()


@ -535,7 +535,8 @@ class TestFernetKeyRotation(unit.TestCase):
# Load the keys into a list, keys is list of six.text_type.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keys = key_utils.load_keys()
@ -602,7 +603,8 @@ class TestFernetKeyRotation(unit.TestCase):
# repository.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
for rotation in range(max_active_keys - min_active_keys):
key_utils.rotate_keys()
@ -619,7 +621,8 @@ class TestFernetKeyRotation(unit.TestCase):
# the desired number of active keys.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
for rotation in range(10):
key_utils.rotate_keys()
@ -645,7 +648,8 @@ class TestFernetKeyRotation(unit.TestCase):
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
# Simulate the disk full situation
@ -672,7 +676,8 @@ class TestFernetKeyRotation(unit.TestCase):
pass
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
key_utils.rotate_keys()
self.assertTrue(os.path.isfile(evil_file))
@ -703,7 +708,8 @@ class TestLoadKeys(unit.TestCase):
pass
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keys = key_utils.load_keys()
self.assertEqual(2, len(keys))


@ -58,7 +58,8 @@ class TokenFormatter(object):
"""
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
keys = fernet_utils.load_keys()