From 8354fb34afd0b86e2067a92ebb76febb7dedc57f Mon Sep 17 00:00:00 2001
From: Morgan Fainberg
Date: Mon, 30 Jan 2017 19:09:40 -0800
Subject: [PATCH] Fix bad error message from FernetUtils
FernetUtils is giving incorrect error messages to administrators indicating that [fernet_tokens] option is always where the fernet repository information is stored even if it is referenced from the [credential] option group.
Change-Id: I7b8344bb306eeb0a9e1cf5093dfd42d3e6c2dd1b
---
keystone/cmd/cli.py | 15 ++++++++++-----
keystone/cmd/doctor/credential.py | 6 ++++--
keystone/cmd/doctor/tokens_fernet.py | 6 ++++--
keystone/common/fernet_utils.py | 12 ++++++++----
keystone/credential/providers/fernet/core.py | 3 ++-
keystone/tests/unit/common/test_utils.py | 8 +++++---
.../tests/unit/ksfixtures/key_repository.py | 3 ++-
.../tests/unit/token/test_fernet_provider.py | 18 ++++++++++++------
.../token/providers/fernet/token_formatters.py | 3 ++-
9 files changed, 49 insertions(+), 25 deletions(-)
diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
index a6c3038d5d..9161d70b8e 100644
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@@ -576,7 +576,8 @@ class FernetSetup(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -610,7 +611,8 @@ class FernetRotate(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
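Review bot: The config group is passed as a bare string literal, `'fernet_tokens'` here and `'credential'` at the other call sites this patch touches (FernetRotate, CredentialSetup/Rotate/Migrate, both doctor modules, core.py, token_formatters.py), so a typo at any one of the nine sites would silently put a wrong section name into an operator-facing error message with nothing to catch it. A single module-level constant next to the repository settings, for example `FERNET_TOKENS_GROUP = 'fernet_tokens'` in fernet_utils and `fernet_utils.FERNET_TOKENS_GROUP` at the call, would keep the sites consistent and greppable. The body of `main` continues outside the hunk.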
@@ -633,7 +635,8 @@ class CredentialSetup(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -704,7 +707,8 @@ class CredentialRotate(BasePermissionsSetup):
def main(cls):
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
)
keystone_user_id, keystone_group_id = cls.get_user_group()
@@ -763,7 +767,8 @@ class CredentialMigrate(BasePermissionsSetup):
# Check to make sure we have a repository that works...
futils = fernet_utils.FernetUtils(
CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
)
futils.validate_key_repository(requires_write=True)
klass = cls()
diff --git a/keystone/cmd/doctor/credential.py b/keystone/cmd/doctor/credential.py
index b9b0f4a369..54b11ede4c 100644
--- a/keystone/cmd/doctor/credential.py
+++ b/keystone/cmd/doctor/credential.py
@@ -49,7 +49,8 @@ def symptom_usability_of_credential_fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
)
return (
'fernet' in CONF.credential.provider
@@ -66,7 +67,8 @@ def symptom_keys_in_credential_fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
)
return (
'fernet' in CONF.credential.provider
diff --git a/keystone/cmd/doctor/tokens_fernet.py b/keystone/cmd/doctor/tokens_fernet.py
index bf7d30db79..e0e7a5bdd3 100644
--- a/keystone/cmd/doctor/tokens_fernet.py
+++ b/keystone/cmd/doctor/tokens_fernet.py
@@ -27,7 +27,8 @@ def symptom_usability_of_Fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
return (
'fernet' in CONF.token.provider
@@ -44,7 +45,8 @@ def symptom_keys_in_Fernet_key_repository():
"""
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
return (
'fernet' in CONF.token.provider
diff --git a/keystone/common/fernet_utils.py b/keystone/common/fernet_utils.py
index 4eddff52fd..70a4fb1733 100644
--- a/keystone/common/fernet_utils.py
+++ b/keystone/common/fernet_utils.py
@@ -36,9 +36,11 @@ NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32)
class FernetUtils(object):
- def __init__(self, key_repository=None, max_active_keys=None):
+ def __init__(self, key_repository=None, max_active_keys=None,
+ config_group=None):
self.key_repository = key_repository
self.max_active_keys = max_active_keys
+ self.config_group = config_group
def validate_key_repository(self, requires_write=False):
"""Validate permissions on the key repository directory."""
@@ -54,9 +56,11 @@ class FernetUtils(object):
if not is_valid:
LOG.error(
- _LE('Either [fernet_tokens] key_repository does not exist or ' 'Keystone does not have sufficient permission to access ' 'it: %s'), self.key_repository)
+ _LE('Either [%(config_group)s] key_repository does not exist ' 'or Keystone does not have sufficient permission to ' 'access it: %(key_repo)s'), {'key_repo': self.key_repository, 'config_group': self.config_group})
else:
# ensure the key repository isn't world-readable
stat_info = os.stat(self.key_repository)
diff --git a/keystone/credential/providers/fernet/core.py b/keystone/credential/providers/fernet/core.py
index b77d11a8e2..cdccef07c6 100644
--- a/keystone/credential/providers/fernet/core.py
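Review bot: `config_group` defaults to `None` in the new `__init__` signature, so any caller that predates this change and still uses the two-argument form will have the `LOG.error` in the following hunk rendered as `[None] key_repository does not exist ...`, which tells an administrator even less than the hard-coded section it replaces. Either make the argument effectively required for diagnostics or give it a safe default, e.g. `config_group='fernet_tokens'`, and say which in the docstring. `__init__` also has no docstring; I would add one stating that `config_group` is the name of the oslo.config section that `key_repository` and `max_active_keys` were read from and that it is used only in log and error text. The method enclosing the `LOG.error` hunk starts and ends outside that hunk.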
+++ b/keystone/credential/providers/fernet/core.py
@@ -43,7 +43,8 @@ MAX_ACTIVE_KEYS = 3
def get_multi_fernet_keys():
key_utils = fernet_utils.FernetUtils(
- CONF.credential.key_repository, MAX_ACTIVE_KEYS)
+ CONF.credential.key_repository, MAX_ACTIVE_KEYS,
+ 'credential')
keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys]
diff --git a/keystone/tests/unit/common/test_utils.py b/keystone/tests/unit/common/test_utils.py
index 2a260000bb..1abcf9cc66 100644
--- a/keystone/tests/unit/common/test_utils.py
+++ b/keystone/tests/unit/common/test_utils.py
@@ -261,7 +261,8 @@ class FernetUtilsTestCase(unit.BaseTestCase):
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
fernet_utilities.load_keys()
expected_debug_message = (
@@ -283,11 +284,12 @@ class FernetUtilsTestCase(unit.BaseTestCase):
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = fernet_utils.FernetUtils(
CONF.credential.key_repository,
- credential_fernet.MAX_ACTIVE_KEYS
+ credential_fernet.MAX_ACTIVE_KEYS,
+ 'credential'
)
fernet_utilities.load_keys()
debug_message = (
- 'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
+ 'Loaded 2 Fernet keys from %(dir)s, but `[credential] '
'max_active_keys = %(max)d`; perhaps there have not been enough '
'key rotations to reach `max_active_keys` yet?') % {
'dir': CONF.credential.key_repository,
diff --git a/keystone/tests/unit/ksfixtures/key_repository.py b/keystone/tests/unit/ksfixtures/key_repository.py
index 57f9fcecf8..e5fdd33247 100644
--- a/keystone/tests/unit/ksfixtures/key_repository.py
+++ b/keystone/tests/unit/ksfixtures/key_repository.py
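Review bot: The credential-case assertion in the second test_utils.py hunk now expects `[credential]` in the debug message emitted by `load_keys()`, but no hunk in this patch touches `load_keys()`: the fernet_utils.py diffstat of 8 insertions and 4 deletions is fully accounted for by the `__init__` and `LOG.error` hunks. Unless `load_keys()` already interpolates `self.config_group` into that message (not visible here), the assertion would keep seeing the old `[fernet_tokens]` text, so the commit is either incomplete or depends on code outside the diff; worth confirming against the current `load_keys()` body before merging. The test method continues outside the hunk.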
@@ -33,7 +33,8 @@ class KeyRepository(fixtures.Fixture):
fernet_utils = utils.FernetUtils(
directory,
- self.max_active_keys
+ self.max_active_keys,
+ self.key_group
)
fernet_utils.create_key_directory()
fernet_utils.initialize_key_repository()
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index 17a2d0e189..02f8a54f7c 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -535,7 +535,8 @@ class TestFernetKeyRotation(unit.TestCase):
# Load the keys into a list, keys is list of six.text_type.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
keys = key_utils.load_keys()
@@ -602,7 +603,8 @@ class TestFernetKeyRotation(unit.TestCase):
# repository.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
for rotation in range(max_active_keys - min_active_keys):
key_utils.rotate_keys()
@@ -619,7 +621,8 @@ class TestFernetKeyRotation(unit.TestCase):
# the desired number of active keys.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
for rotation in range(10):
key_utils.rotate_keys()
@@ -645,7 +648,8 @@ class TestFernetKeyRotation(unit.TestCase):
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
# Simulate the disk full situation
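Review bot: `self.key_group` is read in the key_repository.py hunk but nothing in this patch assigns it; the diffstat for that file (2 insertions, 1 deletion) is exactly this hunk, so the fixture relies on an attribute presumably set in `KeyRepository.__init__` outside the diff. If that attribute holds anything other than the oslo.config section name, the value now surfaces in operator-facing error text rather than only in test config overrides. A one-line comment at the call, `# key_group is the config section name FernetUtils reports in its diagnostics`, would make the contract explicit for the next reader. The enclosing method starts outside the hunk.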
@@ -672,7 +676,8 @@ class TestFernetKeyRotation(unit.TestCase):
pass
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
key_utils.rotate_keys()
self.assertTrue(os.path.isfile(evil_file))
@@ -703,7 +708,8 @@ class TestLoadKeys(unit.TestCase):
pass
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
keys = key_utils.load_keys()
self.assertEqual(2, len(keys))
diff --git a/keystone/token/providers/fernet/token_formatters.py b/keystone/token/providers/fernet/token_formatters.py
index 44a18cb4c7..43502ca820 100644
--- a/keystone/token/providers/fernet/token_formatters.py
+++ b/keystone/token/providers/fernet/token_formatters.py
@@ -58,7 +58,8 @@ class TokenFormatter(object):
"""
fernet_utils = utils.FernetUtils(
CONF.fernet_tokens.key_repository,
- CONF.fernet_tokens.max_active_keys
+ CONF.fernet_tokens.max_active_keys,
+ 'fernet_tokens'
)
keys = fernet_utils.load_keys()