Exclusively use restore_padding method in unpacking fernet tokens
As of Mitaka we no longer need to validate both padded and unpadded fernet tokens. Implements: bp removed-as-of-pike Change-Id: Iaff357efdda7b08b0555b7c56d68222f5610ad80
This commit is contained in:
Kristi Nikolla
parent
81107ce2cc
commit
9b911daf6f
|
|
@ -17,10 +17,8 @@ import mock
|
|||
import os
|
||||
import uuid
|
||||
|
||||
import msgpack
|
||||
from oslo_utils import timeutils
|
||||
import six
|
||||
from six.moves import urllib
|
||||
|
||||
from keystone import auth
|
||||
from keystone.common import fernet_utils
|
||||
|
|
@ -257,46 +255,6 @@ class TestTokenFormatter(unit.TestCase):
|
|||
)
|
||||
self.assertEqual(encoded_string, encoded_str_with_padding_restored)
|
||||
|
||||
def test_legacy_padding_validation(self):
|
||||
first_value = uuid.uuid4().hex
|
||||
second_value = uuid.uuid4().hex
|
||||
payload = (first_value, second_value)
|
||||
msgpack_payload = msgpack.packb(payload)
|
||||
# msgpack_payload is six.binary_type.
|
||||
|
||||
tf = token_formatters.TokenFormatter()
|
||||
|
||||
# NOTE(lbragstad): This method preserves the way that keystone used to
|
||||
# percent encode the tokens, prior to bug #1491926.
|
||||
def legacy_pack(payload):
|
||||
# payload is six.binary_type.
|
||||
encrypted_payload = tf.crypto.encrypt(payload)
|
||||
# encrypted_payload is six.binary_type.
|
||||
|
||||
# the encrypted_payload is returned with padding appended
|
||||
self.assertTrue(encrypted_payload.endswith(b'='))
|
||||
|
||||
# using urllib.parse.quote will percent encode the padding, like
|
||||
# keystone did in Kilo.
|
||||
percent_encoded_payload = urllib.parse.quote(encrypted_payload)
|
||||
# percent_encoded_payload is six.text_type.
|
||||
|
||||
# ensure that the padding was actually percent encoded
|
||||
self.assertTrue(percent_encoded_payload.endswith('%3D'))
|
||||
return percent_encoded_payload
|
||||
|
||||
token_with_legacy_padding = legacy_pack(msgpack_payload)
|
||||
# token_with_legacy_padding is six.text_type.
|
||||
|
||||
# demonstrate the we can validate a payload that has been percent
|
||||
# encoded with the Fernet logic that existed in Kilo
|
||||
serialized_payload = tf.unpack(token_with_legacy_padding)
|
||||
# serialized_payload is six.binary_type.
|
||||
returned_payload = msgpack.unpackb(serialized_payload)
|
||||
# returned_payload contains six.binary_type.
|
||||
self.assertEqual(first_value, returned_payload[0].decode('utf-8'))
|
||||
self.assertEqual(second_value, returned_payload[1].decode('utf-8'))
|
||||
|
||||
|
||||
class TestPayloads(unit.TestCase):
|
||||
def assertTimestampsEqual(self, expected, actual):
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ from oslo_log import log
|
|||
from oslo_utils import timeutils
|
||||
import six
|
||||
from six.moves import map
|
||||
from six.moves import urllib
|
||||
|
||||
from keystone.auth import plugins as auth_plugins
|
||||
from keystone.common import fernet_utils as utils
|
||||
|
|
@ -86,19 +85,7 @@ class TokenFormatter(object):
|
|||
:rtype: six.binary_type
|
||||
|
||||
"""
|
||||
# TODO(lbragstad): Restore padding on token before decoding it.
|
||||
# Initially in Kilo, Fernet tokens were returned to the user with
|
||||
# padding appended to the token. Later in Liberty this padding was
|
||||
# removed and restored in the Fernet provider. The following if
|
||||
# statement ensures that we can validate tokens with and without token
|
||||
# padding, in the event of an upgrade and the tokens that are issued
|
||||
# throughout the upgrade. Remove this if statement when Mitaka opens
|
||||
# for development and exclusively use the restore_padding() class
|
||||
# method.
|
||||
if token.endswith('%3D'):
|
||||
token = urllib.parse.unquote(token)
|
||||
else:
|
||||
token = TokenFormatter.restore_padding(token)
|
||||
token = TokenFormatter.restore_padding(token)
|
||||
|
||||
try:
|
||||
return self.crypto.decrypt(token.encode('utf-8'))
|
||||
|
|
|
|||
Loading…
Reference in New Issue