Fix bad error message from FernetUtils
FernetUtils is giving incorrect error messages to administrators, indicating that the [fernet_tokens] option group is always where the fernet repository information is stored, even when it is referenced from the [credential] option group. Change-Id: I7b8344bb306eeb0a9e1cf5093dfd42d3e6c2dd1b
This commit is contained in:
parent
781db8e67a
commit
8354fb34af
@ -576,7 +576,8 @@ class FernetSetup(BasePermissionsSetup):
|
||||
def main(cls):
|
||||
futils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
|
||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||
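Review bot: The new third positional argument to `fernet_utils.FernetUtils(...)` in `FernetSetup.main` is a bare string whose role is not visible at the call site; passing it by keyword, `config_group='fernet_tokens'`, would make the intent obvious and keep the call safe if the constructor's positional parameters ever change. The same applies to the FernetRotate, CredentialSetup, CredentialRotate and CredentialMigrate hunks in this file, and to the doctor symptom, credential provider, token formatter and unit-test call sites further down, where the value is likewise passed positionally. The bodies of these `main` methods continue outside the hunks.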
@ -610,7 +611,8 @@ class FernetRotate(BasePermissionsSetup):
|
||||
def main(cls):
|
||||
futils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
|
||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||
@ -633,7 +635,8 @@ class CredentialSetup(BasePermissionsSetup):
|
||||
def main(cls):
|
||||
futils = fernet_utils.FernetUtils(
|
||||
CONF.credential.key_repository,
|
||||
credential_fernet.MAX_ACTIVE_KEYS
|
||||
credential_fernet.MAX_ACTIVE_KEYS,
|
||||
'credential'
|
||||
)
|
||||
|
||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||
@ -704,7 +707,8 @@ class CredentialRotate(BasePermissionsSetup):
|
||||
def main(cls):
|
||||
futils = fernet_utils.FernetUtils(
|
||||
CONF.credential.key_repository,
|
||||
credential_fernet.MAX_ACTIVE_KEYS
|
||||
credential_fernet.MAX_ACTIVE_KEYS,
|
||||
'credential'
|
||||
)
|
||||
|
||||
keystone_user_id, keystone_group_id = cls.get_user_group()
|
||||
@ -763,7 +767,8 @@ class CredentialMigrate(BasePermissionsSetup):
|
||||
# Check to make sure we have a repository that works...
|
||||
futils = fernet_utils.FernetUtils(
|
||||
CONF.credential.key_repository,
|
||||
credential_fernet.MAX_ACTIVE_KEYS
|
||||
credential_fernet.MAX_ACTIVE_KEYS,
|
||||
'credential'
|
||||
)
|
||||
futils.validate_key_repository(requires_write=True)
|
||||
klass = cls()
|
||||
|
@ -49,7 +49,8 @@ def symptom_usability_of_credential_fernet_key_repository():
|
||||
"""
|
||||
fernet_utils = utils.FernetUtils(
|
||||
CONF.credential.key_repository,
|
||||
credential_fernet.MAX_ACTIVE_KEYS
|
||||
credential_fernet.MAX_ACTIVE_KEYS,
|
||||
'credential'
|
||||
)
|
||||
return (
|
||||
'fernet' in CONF.credential.provider
|
||||
@ -66,7 +67,8 @@ def symptom_keys_in_credential_fernet_key_repository():
|
||||
"""
|
||||
fernet_utils = utils.FernetUtils(
|
||||
CONF.credential.key_repository,
|
||||
credential_fernet.MAX_ACTIVE_KEYS
|
||||
credential_fernet.MAX_ACTIVE_KEYS,
|
||||
'credential'
|
||||
)
|
||||
return (
|
||||
'fernet' in CONF.credential.provider
|
||||
|
@ -27,7 +27,8 @@ def symptom_usability_of_Fernet_key_repository():
|
||||
"""
|
||||
fernet_utils = utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
return (
|
||||
'fernet' in CONF.token.provider
|
||||
@ -44,7 +45,8 @@ def symptom_keys_in_Fernet_key_repository():
|
||||
"""
|
||||
fernet_utils = utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
return (
|
||||
'fernet' in CONF.token.provider
|
||||
|
@ -36,9 +36,11 @@ NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32)
|
||||
|
||||
class FernetUtils(object):
|
||||
|
||||
def __init__(self, key_repository=None, max_active_keys=None):
|
||||
def __init__(self, key_repository=None, max_active_keys=None,
|
||||
config_group=None):
|
||||
self.key_repository = key_repository
|
||||
self.max_active_keys = max_active_keys
|
||||
self.config_group = config_group
|
||||
|
||||
def validate_key_repository(self, requires_write=False):
|
||||
"""Validate permissions on the key repository directory."""
|
||||
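Review bot: `config_group` defaults to `None`, so any caller still using the two-argument form will get an administrator-facing message of the form `[None] key_repository does not exist ...` from `validate_key_repository` in the next hunk, which is as misleading as the wording this commit replaces. Either default the parameter to `'fernet_tokens'` so legacy callers keep the previous message, or guard the formatting dict, e.g. `'config_group': self.config_group or 'fernet_tokens'`. The new parameter is also undocumented; a short docstring on `__init__` stating that `config_group` names the configuration group the repository settings were read from and is used when reporting repository problems would explain why a plain string is required here. The rest of the class lies outside the hunk.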
@ -54,9 +56,11 @@ class FernetUtils(object):
|
||||
|
||||
if not is_valid:
|
||||
LOG.error(
|
||||
_LE('Either [fernet_tokens] key_repository does not exist or '
|
||||
'Keystone does not have sufficient permission to access '
|
||||
'it: %s'), self.key_repository)
|
||||
_LE('Either [%(config_group)s] key_repository does not exist '
|
||||
'or Keystone does not have sufficient permission to '
|
||||
'access it: %(key_repo)s'),
|
||||
{'key_repo': self.key_repository,
|
||||
'config_group': self.config_group})
|
||||
else:
|
||||
# ensure the key repository isn't world-readable
|
||||
stat_info = os.stat(self.key_repository)
|
||||
|
@ -43,7 +43,8 @@ MAX_ACTIVE_KEYS = 3
|
||||
|
||||
def get_multi_fernet_keys():
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.credential.key_repository, MAX_ACTIVE_KEYS)
|
||||
CONF.credential.key_repository, MAX_ACTIVE_KEYS,
|
||||
'credential')
|
||||
keys = key_utils.load_keys(use_null_key=True)
|
||||
|
||||
fernet_keys = [fernet.Fernet(key) for key in keys]
|
||||
|
@ -261,7 +261,8 @@ class FernetUtilsTestCase(unit.BaseTestCase):
|
||||
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||
fernet_utilities = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
fernet_utilities.load_keys()
|
||||
expected_debug_message = (
|
||||
@ -283,11 +284,12 @@ class FernetUtilsTestCase(unit.BaseTestCase):
|
||||
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||
fernet_utilities = fernet_utils.FernetUtils(
|
||||
CONF.credential.key_repository,
|
||||
credential_fernet.MAX_ACTIVE_KEYS
|
||||
credential_fernet.MAX_ACTIVE_KEYS,
|
||||
'credential'
|
||||
)
|
||||
fernet_utilities.load_keys()
|
||||
debug_message = (
|
||||
'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
|
||||
'Loaded 2 Fernet keys from %(dir)s, but `[credential] '
|
||||
'max_active_keys = %(max)d`; perhaps there have not been enough '
|
||||
'key rotations to reach `max_active_keys` yet?') % {
|
||||
'dir': CONF.credential.key_repository,
|
||||
|
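Review bot: The expected debug message now reads `[credential] max_active_keys`, but the `load_keys` change that would produce this wording is not among the visible hunks, so it cannot be confirmed here that `load_keys` formats `self.config_group` rather than a hard-coded `[fernet_tokens]`. If it still hard-codes the group, the comparison against the logging fixture that follows outside the hunk will fail. The test method's body continues beyond the hunk.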
@ -33,7 +33,8 @@ class KeyRepository(fixtures.Fixture):
|
||||
|
||||
fernet_utils = utils.FernetUtils(
|
||||
directory,
|
||||
self.max_active_keys
|
||||
self.max_active_keys,
|
||||
self.key_group
|
||||
)
|
||||
fernet_utils.create_key_directory()
|
||||
fernet_utils.initialize_key_repository()
|
||||
|
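Review bot: The fixture now passes `self.key_group` to `utils.FernetUtils`, but nothing in this hunk assigns that attribute; presumably `KeyRepository.__init__`, which is outside the hunk, sets it, and that should be confirmed since an unset attribute would raise `AttributeError` in every test that uses the fixture. A one-line comment above the call, `# key_group names the config group that owns this repository (set in __init__)`, would tie the two together for the next reader. The enclosing method starts before the hunk.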
@ -535,7 +535,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
||||
# Load the keys into a list, keys is list of six.text_type.
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
keys = key_utils.load_keys()
|
||||
|
||||
@ -602,7 +603,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
||||
# repository.
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
for rotation in range(max_active_keys - min_active_keys):
|
||||
key_utils.rotate_keys()
|
||||
@ -619,7 +621,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
||||
# the desired number of active keys.
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
for rotation in range(10):
|
||||
key_utils.rotate_keys()
|
||||
@ -645,7 +648,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
||||
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
|
||||
# Simulate the disk full situation
|
||||
@ -672,7 +676,8 @@ class TestFernetKeyRotation(unit.TestCase):
|
||||
pass
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
key_utils.rotate_keys()
|
||||
self.assertTrue(os.path.isfile(evil_file))
|
||||
@ -703,7 +708,8 @@ class TestLoadKeys(unit.TestCase):
|
||||
pass
|
||||
key_utils = fernet_utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
keys = key_utils.load_keys()
|
||||
self.assertEqual(2, len(keys))
|
||||
|
@ -58,7 +58,8 @@ class TokenFormatter(object):
|
||||
"""
|
||||
fernet_utils = utils.FernetUtils(
|
||||
CONF.fernet_tokens.key_repository,
|
||||
CONF.fernet_tokens.max_active_keys
|
||||
CONF.fernet_tokens.max_active_keys,
|
||||
'fernet_tokens'
|
||||
)
|
||||
keys = fernet_utils.load_keys()
|
||||
|
||||
|