Clean up token binding validation code

This patch makes two changes to the token binding validation code easier to read and provide a better user experience. Firstly, "if a != b" is used instead of "if not (a == b)" which is easier to read. Secondly, validation failures are included in 401 unauthorized responses instead of the default 401 message. Because the Unauthorized class is also a SecurityError, insecure_debug will need to be enabled in keystone.conf in order to expose these details to the API. So, the user experience for operators trying to debug their token binding configuration will be improved, but security is not unnecessarily weakened. Change-Id: Icc78cacd39a31a33680f891cde1acf4ff41f6ae7
2016-07-13 11:22:17 -05:00 · 2016-07-13 11:22:17 -05:00 · d90281e4d9
parent 7923a46692
commit d90281e4d9
1 changed files with 20 additions and 16 deletions
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@ -92,27 +92,31 @@ def validate_token_bind(context, token_ref):

    for bind_type, identifier in bind.items():
        if bind_type == 'kerberos':
-            if not (context['environment'].get('AUTH_TYPE', '').lower()
-                    == 'negotiate'):
-                LOG.info(_LI("Kerberos credentials required and not present"))
-                raise exception.Unauthorized()
+            if (context['environment'].get('AUTH_TYPE', '').lower() !=
+                    'negotiate'):
+                msg = _('Kerberos credentials required and not present')
+                LOG.info(msg)
+                raise exception.Unauthorized(msg)

-            if not context['environment'].get('REMOTE_USER') == identifier:
-                LOG.info(_LI("Kerberos credentials do not match "
-                             "those in bind"))
-                raise exception.Unauthorized()
+            if context['environment'].get('REMOTE_USER') != identifier:
+                msg = _('Kerberos credentials do not match those in bind')
+                LOG.info(msg)
+                raise exception.Unauthorized(msg)

-            LOG.info(_LI("Kerberos bind authentication successful"))
+            LOG.info(_LI('Kerberos bind authentication successful'))

        elif bind_mode == 'permissive':
-            LOG.debug(("Ignoring unknown bind for permissive mode: "
-                       "{%(bind_type)s: %(identifier)s}"),
-                      {'bind_type': bind_type, 'identifier': identifier})
+            LOG.debug(("Ignoring unknown bind (due to permissive mode): "
+                       "{%(bind_type)s: %(identifier)s}"), {
+                           'bind_type': bind_type,
+                           'identifier': identifier})
        else:
-            LOG.info(_LI("Couldn't verify unknown bind: "
-                         "{%(bind_type)s: %(identifier)s}"),
-                     {'bind_type': bind_type, 'identifier': identifier})
-            raise exception.Unauthorized()
+            msg = _('Could not verify unknown bind: {%(bind_type)s: '
+                    '%(identifier)s}') % {
+                        'bind_type': bind_type,
+                        'identifier': identifier}
+            LOG.info(msg)
+            raise exception.Unauthorized(msg)


 def best_match_language(req):