From f811287beadab3c6d5ebdcae57ea6844284f72ea Mon Sep 17 00:00:00 2001 From: Ron De Rose Date: Fri, 11 Dec 2015 20:29:09 +0000 Subject: [PATCH] Changed the key repo validation to allow read only Fernet token operations would fail if the key respository did not have write access, even though it would only need read access. Added logic to validation to only check for read or read/write access based on what is required. Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d Closes-Bug: 1523664 (cherry picked from commit 0aaa3ab1710c3bd9ca7800cc2156a483bd463a11) --- keystone/cmd/cli.py | 4 +-- keystone/token/providers/fernet/utils.py | 32 +++++++++++++----------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py index d993d71c54..c1a9218c1b 100644 --- a/keystone/cmd/cli.py +++ b/keystone/cmd/cli.py @@ -199,7 +199,7 @@ class FernetSetup(BasePermissionsSetup): keystone_user_id, keystone_group_id = cls.get_user_group() fernet.create_key_directory(keystone_user_id, keystone_group_id) - if fernet.validate_key_repository(): + if fernet.validate_key_repository(requires_write=True): fernet.initialize_key_repository( keystone_user_id, keystone_group_id) @@ -229,7 +229,7 @@ class FernetRotate(BasePermissionsSetup): from keystone.token.providers.fernet import utils as fernet keystone_user_id, keystone_group_id = cls.get_user_group() - if fernet.validate_key_repository(): + if fernet.validate_key_repository(requires_write=True): fernet.rotate_keys(keystone_user_id, keystone_group_id) diff --git a/keystone/token/providers/fernet/utils.py b/keystone/token/providers/fernet/utils.py index 4235eda86e..f1d70a7679 100644 --- a/keystone/token/providers/fernet/utils.py +++ b/keystone/token/providers/fernet/utils.py 
@@ -25,29 +25,33 @@ LOG = log.getLogger(__name__) CONF = cfg.CONF -def validate_key_repository(): +def validate_key_repository(requires_write=False): """Validate permissions on the key repository directory.""" # NOTE(lbragstad): We shouldn't need to check if the directory was passed # in as None because we don't set allow_no_values to True. - # ensure current user has full access to the key repository - if (not os.access(CONF.fernet_tokens.key_repository, os.R_OK) or not - os.access(CONF.fernet_tokens.key_repository, os.W_OK) or not - os.access(CONF.fernet_tokens.key_repository, os.X_OK)): + # ensure current user has sufficient access to the key repository + is_valid = (os.access(CONF.fernet_tokens.key_repository, os.R_OK) and + os.access(CONF.fernet_tokens.key_repository, os.X_OK)) + if requires_write: + is_valid = (is_valid and + os.access(CONF.fernet_tokens.key_repository, os.W_OK)) + + if not is_valid: LOG.error( _LE('Either [fernet_tokens] key_repository does not exist or ' 'Keystone does not have sufficient permission to access it: ' '%s'), CONF.fernet_tokens.key_repository) - return False + else: + # ensure the key repository isn't world-readable + stat_info = os.stat(CONF.fernet_tokens.key_repository) + if(stat_info.st_mode & stat.S_IROTH or + stat_info.st_mode & stat.S_IXOTH): + LOG.warning(_LW( + '[fernet_tokens] key_repository is world readable: %s'), + CONF.fernet_tokens.key_repository) - # ensure the key repository isn't world-readable - stat_info = os.stat(CONF.fernet_tokens.key_repository) - if stat_info.st_mode & stat.S_IROTH or stat_info.st_mode & stat.S_IXOTH: - LOG.warning(_LW( - '[fernet_tokens] key_repository is world readable: %s'), - CONF.fernet_tokens.key_repository) - - return True + return is_valid def _convert_to_integers(id_value):
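Review bot: The world-access check kept in the new `else:` branch still tests only `S_IROTH` and `S_IXOTH` on the directory, so a world-writable key repository (`S_IWOTH`) passes silently even though that would let any local user plant or replace a signing key, a stronger threat than the disclosure the warning covers. Extending the mask is a one-line change, `if stat_info.st_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):`, with the message reworded to `'[fernet_tokens] key_repository is world accessible: %s'`; note that only the directory's mode is inspected, so key files with loose modes are not caught here either. The docstring should also describe the new parameter and the return value, e.g. that `requires_write` additionally demands `W_OK` (needed by key setup and rotation, not by token validation) and that the function returns True only when the requested access is available. Keep in mind that `os.access` checks against the real uid/gid, so the result can differ from what the effective credentials can actually open under setuid or capability-based setups; probably not relevant to keystone's usual deployment, but worth a one-line comment next to the check.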