Merge "Address hacking check H405."
commit
86d8c8de34
|
@ -135,8 +135,7 @@ class TokenCache(object):
|
||||||
self._initialized = True
|
self._initialized = True
|
||||||
|
|
||||||
def store(self, token_id, data):
|
def store(self, token_id, data):
|
||||||
"""Put token data into the cache.
|
"""Put token data into the cache."""
|
||||||
"""
|
|
||||||
self._LOG.debug('Storing token in cache')
|
self._LOG.debug('Storing token in cache')
|
||||||
self._cache_store(token_id, data)
|
self._cache_store(token_id, data)
|
||||||
|
|
||||||
|
|
|
@ -107,9 +107,9 @@ else:
|
||||||
|
|
||||||
|
|
||||||
def derive_keys(token, secret, strategy):
|
def derive_keys(token, secret, strategy):
|
||||||
"""Derives keys for MAC and ENCRYPTION from the user-provided
|
"""Derives keys for MAC and ENCRYPTION from the user-provided secret.
|
||||||
secret. The resulting keys should be passed to the protect and
|
|
||||||
unprotect functions.
|
The resulting keys should be passed to the protect and unprotect functions.
|
||||||
|
|
||||||
As suggested by NIST Special Publication 800-108, this uses the
|
As suggested by NIST Special Publication 800-108, this uses the
|
||||||
first 128 bits from the sha384 KDF for the obscured cache key
|
first 128 bits from the sha384 KDF for the obscured cache key
|
||||||
|
@ -160,8 +160,10 @@ def decrypt_data(key, data):
|
||||||
|
|
||||||
|
|
||||||
def protect_data(keys, data):
|
def protect_data(keys, data):
|
||||||
"""Given keys and serialized data, returns an appropriately
|
"""Serialize data given a dict of keys.
|
||||||
protected string suitable for storage in the cache.
|
|
||||||
|
Given keys and serialized data, returns an appropriately protected string
|
||||||
|
suitable for storage in the cache.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
if keys['strategy'] == b'ENCRYPT':
|
if keys['strategy'] == b'ENCRYPT':
|
||||||
|
@ -174,8 +176,10 @@ def protect_data(keys, data):
|
||||||
|
|
||||||
|
|
||||||
def unprotect_data(keys, signed_data):
|
def unprotect_data(keys, signed_data):
|
||||||
"""Given keys and cached string data, verifies the signature,
|
"""De-serialize data given a dict of keys.
|
||||||
decrypts if necessary, and returns the original serialized data.
|
|
||||||
|
Given keys and cached string data, verifies the signature, decrypts if
|
||||||
|
necessary, and returns the original serialized data.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
# cache backends return None when no data is found. We don't mind
|
# cache backends return None when no data is found. We don't mind
|
||||||
|
@ -203,8 +207,10 @@ def unprotect_data(keys, signed_data):
|
||||||
|
|
||||||
|
|
||||||
def get_cache_key(keys):
|
def get_cache_key(keys):
|
||||||
"""Given keys generated by derive_keys(), returns a base64
|
"""Return a cache key.
|
||||||
encoded value suitable for use as a cache key in memcached.
|
|
||||||
|
Given keys generated by derive_keys(), returns a base64 encoded value
|
||||||
|
suitable for use as a cache key in memcached.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
return base64.b64encode(keys['CACHE_KEY'])
|
return base64.b64encode(keys['CACHE_KEY'])
|
||||||
|
|
|
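Review bot: The new summary lines on protect_data and unprotect_data describe the wrong operation. The retained body text says protect_data receives already-serialized data and returns a protected string, and that unprotect_data verifies the signature, decrypts if necessary and returns the original serialized data, so neither function serializes or de-serializes anything. Because the summary is what most readers and generated docs show, it should name the integrity and confidentiality step, for example `"""Protect serialized data with the derived keys."""` and `"""Verify and unprotect cached data with the derived keys."""`. Both function bodies continue outside the hunks shown, so this is based on the docstring text and the visible `keys['strategy']` check only.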
@ -47,7 +47,9 @@ class _TokenData(object):
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def user_domain_id(self):
|
def user_domain_id(self):
|
||||||
"""Returns the domain id of the user associated with the authentication
|
"""The domain ID of the user associated with the authentication.
|
||||||
|
|
||||||
|
Returns the domain id of the user associated with the authentication
|
||||||
request.
|
request.
|
||||||
|
|
||||||
:returns: str
|
:returns: str
|
||||||
|
@ -69,7 +71,9 @@ class _TokenData(object):
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def project_domain_id(self):
|
def project_domain_id(self):
|
||||||
"""The domain id of the project associated with the authentication
|
"""The ID of the project associated with the authentication.
|
||||||
|
|
||||||
|
The domain id of the project associated with the authentication
|
||||||
request.
|
request.
|
||||||
|
|
||||||
:rtype: str
|
:rtype: str
|
||||||
|
|
|
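Review bot: The new summary for project_domain_id, "The ID of the project associated with the authentication.", drops the word "domain" and now describes the project ID, not the project's domain ID. The property name and the paragraph kept below it both refer to the domain, and the two identifiers are not interchangeable when scoping authorization decisions. I would change the summary to `"""The domain ID of the project associated with the authentication.`, which also matches the wording used for user_domain_id in the hunk above. The property body is outside the hunk.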
@ -377,9 +377,8 @@ class DiabloAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
|
||||||
|
|
||||||
class CachePoolTest(BaseAuthTokenMiddlewareTest):
|
class CachePoolTest(BaseAuthTokenMiddlewareTest):
|
||||||
def test_use_cache_from_env(self):
|
def test_use_cache_from_env(self):
|
||||||
"""If `swift.cache` is set in the environment and `cache` is set in the
|
# If `swift.cache` is set in the environment and `cache` is set in the
|
||||||
config then the env cache is used.
|
# config then the env cache is used.
|
||||||
"""
|
|
||||||
env = {'swift.cache': 'CACHE_TEST'}
|
env = {'swift.cache': 'CACHE_TEST'}
|
||||||
conf = {
|
conf = {
|
||||||
'cache': 'swift.cache'
|
'cache': 'swift.cache'
|
||||||
|
@ -390,9 +389,8 @@ class CachePoolTest(BaseAuthTokenMiddlewareTest):
|
||||||
self.assertEqual(cache, 'CACHE_TEST')
|
self.assertEqual(cache, 'CACHE_TEST')
|
||||||
|
|
||||||
def test_not_use_cache_from_env(self):
|
def test_not_use_cache_from_env(self):
|
||||||
"""If `swift.cache` is set in the environment but `cache` isn't set in
|
# If `swift.cache` is set in the environment but `cache` isn't set
|
||||||
the config then the env cache isn't used.
|
# initialize the config then the env cache isn't used.
|
||||||
"""
|
|
||||||
self.set_middleware()
|
self.set_middleware()
|
||||||
env = {'swift.cache': 'CACHE_TEST'}
|
env = {'swift.cache': 'CACHE_TEST'}
|
||||||
self.middleware._token_cache.initialize(env)
|
self.middleware._token_cache.initialize(env)
|
||||||
|
@ -433,7 +431,9 @@ class CachePoolTest(BaseAuthTokenMiddlewareTest):
|
||||||
|
|
||||||
class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
|
class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
|
||||||
testresources.ResourcedTestCase):
|
testresources.ResourcedTestCase):
|
||||||
"""These tests are not affected by the token format
|
"""General Token Behavior tests.
|
||||||
|
|
||||||
|
These tests are not affected by the token format
|
||||||
(see CommonAuthTokenMiddlewareTest).
|
(see CommonAuthTokenMiddlewareTest).
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
|
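Review bot: The comment that replaces the docstring in test_not_use_cache_from_env is garbled. It now reads "... but `cache` isn't set" followed by "# initialize the config then the env cache isn't used.", which looks like the word "in" was replaced by "initialize" when the docstring was converted. The first line should end with `isn't set in the` and the second should read `# config then the env cache isn't used.`, matching the sibling comment in test_use_cache_from_env. The rest of the test body is outside the hunk.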
@ -77,8 +77,10 @@ if tuple(sys.version_info)[0:2] < (2, 7):
|
||||||
|
|
||||||
|
|
||||||
class TestResponse(requests.Response):
|
class TestResponse(requests.Response):
|
||||||
"""Class used to wrap requests.Response and provide some
|
"""Utility class to wrap requests.Response.
|
||||||
convenience to initialize with a dict.
|
|
||||||
|
Class used to wrap requests.Response and provide some convenience to
|
||||||
|
initialize with a dict.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, data):
|
def __init__(self, data):
|
||||||
|
|
8
tox.ini
8
tox.ini
|
@ -36,8 +36,12 @@ deps = -r{toxinidir}/test-requirements.txt
|
||||||
commands = bandit -c bandit.yaml -r keystonemiddleware -n5 -p keystone_conservative
|
commands = bandit -c bandit.yaml -r keystonemiddleware -n5 -p keystone_conservative
|
||||||
|
|
||||||
[flake8]
|
[flake8]
|
||||||
# H405: multi line docstring summary not separated with an empty line
|
# NOTE(lbragstad): Even though we aren't ignoring any hacking checks, we have
|
||||||
ignore = H405
|
# to leave it assigned in the environment specification otherwise some error
|
||||||
|
# checks will be ignored by default. If we need to ignore a specific hacking
|
||||||
|
# check in the future, we will have to remove '___' from the ignore line.
|
||||||
|
# See: http://flake8.readthedocs.org/en/latest/config.html#default
|
||||||
|
ignore = ___
|
||||||
show-source = True
|
show-source = True
|
||||||
exclude = .venv,.tox,dist,doc,*egg,build,*openstack/common*
|
exclude = .venv,.tox,dist,doc,*egg,build,*openstack/common*
|
||||||
|
|
||||||
|
|