Merge "Log warning if null key is used for encryption"

2016-09-08 14:05:24 +00:00 · 2016-09-08 14:05:24 +00:00 · 5594d45ea7
parent 8ebeb6415e 59f117f6a8
commit 5594d45ea7
2 changed files with 23 additions and 1 deletions
--- a/keystone/credential/providers/fernet/core.py
+++ b/keystone/credential/providers/fernet/core.py
@ -20,7 +20,7 @@ from keystone.common import fernet_utils
 import keystone.conf
 from keystone.credential.providers import core
 from keystone import exception
-from keystone.i18n import _
+from keystone.i18n import _, _LW


 CONF = keystone.conf.CONF
@ -68,6 +68,13 @@ class Provider(core.Provider):
        """
        crypto, keys = get_multi_fernet_keys()

+        if keys[0] == fernet_utils.NULL_KEY:
+            LOG.warning(_LW(
+                'Encrypting credentials with the null key. Please properly '
+                'encrypt credentials using `keystone-manage credential_setup`,'
+                ' `keystone-manage credential_migrate`, and `keystone-manage '
+                'credential_rotate`'))
+
        try:
            return (
                crypto.encrypt(credential.encode('utf-8')),
--- a/keystone/tests/unit/credential/test_fernet_provider.py
+++ b/keystone/tests/unit/credential/test_fernet_provider.py
@ -10,9 +10,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+import fixtures
 import hashlib
 import uuid

+from oslo_log import log
+
 from keystone.common import fernet_utils
 import keystone.conf
 from keystone.credential.providers import fernet as credential_fernet
@ -66,3 +69,15 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):

        decrypted_blob = self.provider.decrypt(encrypted_blob)
        self.assertEqual(blob, decrypted_blob)
+
+    def test_warning_is_logged_when_encrypting_with_null_key(self):
+        blob = uuid.uuid4().hex
+        logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
+        expected_output = (
+            'Encrypting credentials with the null key. Please properly '
+            'encrypt credentials using `keystone-manage credential_setup`, '
+            '`keystone-manage credential_migrate`, and `keystone-manage '
+            'credential_rotate`'
+        )
+        encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
+        self.assertIn(expected_output, logging_fixture.output)