Fix bad error message from FernetUtils
FernetUtils gives administrators an incorrect error message indicating that the [fernet_tokens] option group is always where the fernet repository information is stored, even when it is referenced from the [credential] option group. Change-Id: I7b8344bb306eeb0a9e1cf5093dfd42d3e6c2dd1b
This commit is contained in:
parent
781db8e67a
commit
8354fb34af
@ -576,7 +576,8 @@ class FernetSetup(BasePermissionsSetup):
|
|||||||
def main(cls):
|
def main(cls):
|
||||||
futils = fernet_utils.FernetUtils(
|
futils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
|
|
||||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||||
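Review bot: The new third argument to FernetUtils is passed positionally as the bare literal `'fernet_tokens'` (new side, the line added between `CONF.fernet_tokens.max_active_keys,` and `)`), which ties every call site to parameter order and leaves a free-form string that nothing checks against the real option-group name; the same pattern repeats in the FernetRotate, CredentialSetup, CredentialRotate and CredentialMigrate hunks, in both doctor symptom files, in get_multi_fernet_keys, in TokenFormatter and in every test hunk on this page. Passing it as a keyword, `config_group='fernet_tokens'` (or `config_group='credential'`), makes each call self-describing and stays correct if FernetUtils grows further parameters. A module-level constant per group name in fernet_utils would additionally stop a typo at one of the many call sites from silently producing a wrong operator-facing message. The enclosing main() starts and ends outside the hunk.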
@ -610,7 +611,8 @@ class FernetRotate(BasePermissionsSetup):
|
|||||||
def main(cls):
|
def main(cls):
|
||||||
futils = fernet_utils.FernetUtils(
|
futils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
|
|
||||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||||
@ -633,7 +635,8 @@ class CredentialSetup(BasePermissionsSetup):
|
|||||||
def main(cls):
|
def main(cls):
|
||||||
futils = fernet_utils.FernetUtils(
|
futils = fernet_utils.FernetUtils(
|
||||||
CONF.credential.key_repository,
|
CONF.credential.key_repository,
|
||||||
credential_fernet.MAX_ACTIVE_KEYS
|
credential_fernet.MAX_ACTIVE_KEYS,
|
||||||
|
'credential'
|
||||||
)
|
)
|
||||||
|
|
||||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||||
@ -704,7 +707,8 @@ class CredentialRotate(BasePermissionsSetup):
|
|||||||
def main(cls):
|
def main(cls):
|
||||||
futils = fernet_utils.FernetUtils(
|
futils = fernet_utils.FernetUtils(
|
||||||
CONF.credential.key_repository,
|
CONF.credential.key_repository,
|
||||||
credential_fernet.MAX_ACTIVE_KEYS
|
credential_fernet.MAX_ACTIVE_KEYS,
|
||||||
|
'credential'
|
||||||
)
|
)
|
||||||
|
|
||||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||||
@ -763,7 +767,8 @@ class CredentialMigrate(BasePermissionsSetup):
|
|||||||
# Check to make sure we have a repository that works...
|
# Check to make sure we have a repository that works...
|
||||||
futils = fernet_utils.FernetUtils(
|
futils = fernet_utils.FernetUtils(
|
||||||
CONF.credential.key_repository,
|
CONF.credential.key_repository,
|
||||||
credential_fernet.MAX_ACTIVE_KEYS
|
credential_fernet.MAX_ACTIVE_KEYS,
|
||||||
|
'credential'
|
||||||
)
|
)
|
||||||
futils.validate_key_repository(requires_write=True)
|
futils.validate_key_repository(requires_write=True)
|
||||||
klass = cls()
|
klass = cls()
|
||||||
|
@ -49,7 +49,8 @@ def symptom_usability_of_credential_fernet_key_repository():
|
|||||||
"""
|
"""
|
||||||
fernet_utils = utils.FernetUtils(
|
fernet_utils = utils.FernetUtils(
|
||||||
CONF.credential.key_repository,
|
CONF.credential.key_repository,
|
||||||
credential_fernet.MAX_ACTIVE_KEYS
|
credential_fernet.MAX_ACTIVE_KEYS,
|
||||||
|
'credential'
|
||||||
)
|
)
|
||||||
return (
|
return (
|
||||||
'fernet' in CONF.credential.provider
|
'fernet' in CONF.credential.provider
|
||||||
@ -66,7 +67,8 @@ def symptom_keys_in_credential_fernet_key_repository():
|
|||||||
"""
|
"""
|
||||||
fernet_utils = utils.FernetUtils(
|
fernet_utils = utils.FernetUtils(
|
||||||
CONF.credential.key_repository,
|
CONF.credential.key_repository,
|
||||||
credential_fernet.MAX_ACTIVE_KEYS
|
credential_fernet.MAX_ACTIVE_KEYS,
|
||||||
|
'credential'
|
||||||
)
|
)
|
||||||
return (
|
return (
|
||||||
'fernet' in CONF.credential.provider
|
'fernet' in CONF.credential.provider
|
||||||
|
@ -27,7 +27,8 @@ def symptom_usability_of_Fernet_key_repository():
|
|||||||
"""
|
"""
|
||||||
fernet_utils = utils.FernetUtils(
|
fernet_utils = utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
return (
|
return (
|
||||||
'fernet' in CONF.token.provider
|
'fernet' in CONF.token.provider
|
||||||
@ -44,7 +45,8 @@ def symptom_keys_in_Fernet_key_repository():
|
|||||||
"""
|
"""
|
||||||
fernet_utils = utils.FernetUtils(
|
fernet_utils = utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
return (
|
return (
|
||||||
'fernet' in CONF.token.provider
|
'fernet' in CONF.token.provider
|
||||||
|
@ -36,9 +36,11 @@ NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32)
|
|||||||
|
|
||||||
class FernetUtils(object):
|
class FernetUtils(object):
|
||||||
|
|
||||||
def __init__(self, key_repository=None, max_active_keys=None):
|
def __init__(self, key_repository=None, max_active_keys=None,
|
||||||
|
config_group=None):
|
||||||
self.key_repository = key_repository
|
self.key_repository = key_repository
|
||||||
self.max_active_keys = max_active_keys
|
self.max_active_keys = max_active_keys
|
||||||
|
self.config_group = config_group
|
||||||
|
|
||||||
def validate_key_repository(self, requires_write=False):
|
def validate_key_repository(self, requires_write=False):
|
||||||
"""Validate permissions on the key repository directory."""
|
"""Validate permissions on the key repository directory."""
|
||||||
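Review bot: `config_group=None` keeps the old two-argument construction valid, but any caller still using it will have validate_key_repository log `[None] key_repository does not exist ...`, which is the same kind of misleading administrator message this commit sets out to remove. Either give the parameter the previous wording as its default, `config_group='fernet_tokens'`, or document it as required and reject None in `__init__`. The parameter also deserves a docstring line stating that it names the configuration group the repository path and max_active_keys were read from and is used only in operator-facing messages. The class continues outside the hunk.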
@ -54,9 +56,11 @@ class FernetUtils(object):
|
|||||||
|
|
||||||
if not is_valid:
|
if not is_valid:
|
||||||
LOG.error(
|
LOG.error(
|
||||||
_LE('Either [fernet_tokens] key_repository does not exist or '
|
_LE('Either [%(config_group)s] key_repository does not exist '
|
||||||
'Keystone does not have sufficient permission to access '
|
'or Keystone does not have sufficient permission to '
|
||||||
'it: %s'), self.key_repository)
|
'access it: %(key_repo)s'),
|
||||||
|
{'key_repo': self.key_repository,
|
||||||
|
'config_group': self.config_group})
|
||||||
else:
|
else:
|
||||||
# ensure the key repository isn't world-readable
|
# ensure the key repository isn't world-readable
|
||||||
stat_info = os.stat(self.key_repository)
|
stat_info = os.stat(self.key_repository)
|
||||||
|
@ -43,7 +43,8 @@ MAX_ACTIVE_KEYS = 3
|
|||||||
|
|
||||||
def get_multi_fernet_keys():
|
def get_multi_fernet_keys():
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.credential.key_repository, MAX_ACTIVE_KEYS)
|
CONF.credential.key_repository, MAX_ACTIVE_KEYS,
|
||||||
|
'credential')
|
||||||
keys = key_utils.load_keys(use_null_key=True)
|
keys = key_utils.load_keys(use_null_key=True)
|
||||||
|
|
||||||
fernet_keys = [fernet.Fernet(key) for key in keys]
|
fernet_keys = [fernet.Fernet(key) for key in keys]
|
||||||
|
@ -261,7 +261,8 @@ class FernetUtilsTestCase(unit.BaseTestCase):
|
|||||||
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||||
fernet_utilities = fernet_utils.FernetUtils(
|
fernet_utilities = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
fernet_utilities.load_keys()
|
fernet_utilities.load_keys()
|
||||||
expected_debug_message = (
|
expected_debug_message = (
|
||||||
@ -283,11 +284,12 @@ class FernetUtilsTestCase(unit.BaseTestCase):
|
|||||||
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||||
fernet_utilities = fernet_utils.FernetUtils(
|
fernet_utilities = fernet_utils.FernetUtils(
|
||||||
CONF.credential.key_repository,
|
CONF.credential.key_repository,
|
||||||
credential_fernet.MAX_ACTIVE_KEYS
|
credential_fernet.MAX_ACTIVE_KEYS,
|
||||||
|
'credential'
|
||||||
)
|
)
|
||||||
fernet_utilities.load_keys()
|
fernet_utilities.load_keys()
|
||||||
debug_message = (
|
debug_message = (
|
||||||
'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
|
'Loaded 2 Fernet keys from %(dir)s, but `[credential] '
|
||||||
'max_active_keys = %(max)d`; perhaps there have not been enough '
|
'max_active_keys = %(max)d`; perhaps there have not been enough '
|
||||||
'key rotations to reach `max_active_keys` yet?') % {
|
'key rotations to reach `max_active_keys` yet?') % {
|
||||||
'dir': CONF.credential.key_repository,
|
'dir': CONF.credential.key_repository,
|
||||||
|
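Review bot: The expected debug text now reads `[credential] max_active_keys`, so this test assumes load_keys interpolates config_group into its own debug message, yet no visible hunk changes load_keys; only validate_key_repository's error message is touched in the fernet_utils hunks on this page. If that change lives in a part of fernet_utils outside this page the test is fine, otherwise it will fail against the unchanged `[fernet_tokens]` wording. Worth a quick check that the two messages are updated together. The test method starts outside the hunk.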
@ -33,7 +33,8 @@ class KeyRepository(fixtures.Fixture):
|
|||||||
|
|
||||||
fernet_utils = utils.FernetUtils(
|
fernet_utils = utils.FernetUtils(
|
||||||
directory,
|
directory,
|
||||||
self.max_active_keys
|
self.max_active_keys,
|
||||||
|
self.key_group
|
||||||
)
|
)
|
||||||
fernet_utils.create_key_directory()
|
fernet_utils.create_key_directory()
|
||||||
fernet_utils.initialize_key_repository()
|
fernet_utils.initialize_key_repository()
|
||||||
|
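Review bot: `self.key_group` is read here but the fixture's constructor is outside the hunk, so it is not visible whether it is a new required parameter or has a default. If it is new, defaulting it to `'fernet_tokens'` would keep existing users of KeyRepository on the previous message wording instead of a `[None]` group in the FernetUtils error path; if it is required, the hunk should probably pass it by keyword, `config_group=self.key_group`, for the same reason as the other call sites. The enclosing method continues outside the hunk.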
@ -535,7 +535,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
|||||||
# Load the keys into a list, keys is list of six.text_type.
|
# Load the keys into a list, keys is list of six.text_type.
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
keys = key_utils.load_keys()
|
keys = key_utils.load_keys()
|
||||||
|
|
||||||
@ -602,7 +603,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
|||||||
# repository.
|
# repository.
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
for rotation in range(max_active_keys - min_active_keys):
|
for rotation in range(max_active_keys - min_active_keys):
|
||||||
key_utils.rotate_keys()
|
key_utils.rotate_keys()
|
||||||
@ -619,7 +621,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
|||||||
# the desired number of active keys.
|
# the desired number of active keys.
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
for rotation in range(10):
|
for rotation in range(10):
|
||||||
key_utils.rotate_keys()
|
key_utils.rotate_keys()
|
||||||
@ -645,7 +648,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
|||||||
|
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
|
|
||||||
# Simulate the disk full situation
|
# Simulate the disk full situation
|
||||||
@ -672,7 +676,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
|||||||
pass
|
pass
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
key_utils.rotate_keys()
|
key_utils.rotate_keys()
|
||||||
self.assertTrue(os.path.isfile(evil_file))
|
self.assertTrue(os.path.isfile(evil_file))
|
||||||
@ -703,7 +708,8 @@ class TestLoadKeys(unit.TestCase):
|
|||||||
pass
|
pass
|
||||||
key_utils = fernet_utils.FernetUtils(
|
key_utils = fernet_utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
keys = key_utils.load_keys()
|
keys = key_utils.load_keys()
|
||||||
self.assertEqual(2, len(keys))
|
self.assertEqual(2, len(keys))
|
||||||
|
@ -58,7 +58,8 @@ class TokenFormatter(object):
|
|||||||
"""
|
"""
|
||||||
fernet_utils = utils.FernetUtils(
|
fernet_utils = utils.FernetUtils(
|
||||||
CONF.fernet_tokens.key_repository,
|
CONF.fernet_tokens.key_repository,
|
||||||
CONF.fernet_tokens.max_active_keys
|
CONF.fernet_tokens.max_active_keys,
|
||||||
|
'fernet_tokens'
|
||||||
)
|
)
|
||||||
keys = fernet_utils.load_keys()
|
keys = fernet_utils.load_keys()
|
||||||
|
|
||||||
|