From 5ab3908cff64fa5b5a5bd5ea4877c42096172dd3 Mon Sep 17 00:00:00 2001 From: Einar Forselv Date: Thu, 7 Jan 2016 13:42:28 +0100 Subject: [PATCH] Unscoped PKI token should no longer be hashed multiple times. When token hashing is used with pki tokens, the unscoped token gets re-hashed when switching project. This fix checks if the unscoped token needs to be hashed before doing so. The project list operation when switching project in horizon failed because the unscoped token could for example be an md5 of an md5. Change-Id: I64684ca251eb4d0c6164e58c078cf7d132eb3cc1 Closes-Bug: #1487372 --- openstack_auth/user.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/openstack_auth/user.py b/openstack_auth/user.py index d57bb86..cff107b 100644 --- a/openstack_auth/user.py +++ b/openstack_auth/user.py @@ -84,18 +84,17 @@ class Token(object): # Token-related attributes self.id = auth_ref.auth_token self.unscoped_token = unscoped_token - if (_TOKEN_HASH_ENABLED and - (keystone_cms.is_asn1_token(self.id) - or keystone_cms.is_pkiz(self.id))): + if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id): algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM', 'md5') hasher = hashlib.new(algorithm) hasher.update(self.id) self.id = hasher.hexdigest() - # If the scoped_token is long, then unscoped_token must be too. - hasher = hashlib.new(algorithm) - hasher.update(self.unscoped_token) - self.unscoped_token = hasher.hexdigest() + # Only hash unscoped token if needed + if self._is_pki_token(self.unscoped_token): + hasher = hashlib.new(algorithm) + hasher.update(self.unscoped_token) + self.unscoped_token = hasher.hexdigest() self.expires = auth_ref.expires # Project-related attributes @@ -116,6 +115,11 @@ class Token(object): self.roles = [{'name': role} for role in auth_ref.role_names] self.serviceCatalog = auth_ref.service_catalog.catalog + def _is_pki_token(self, token): + """Determines if this is a pki-based token (pki or pkiz)""" + return (keystone_cms.is_ans1_token(token) + or keystone_cms.is_pkiz(token)) + class User(models.AbstractBaseUser, models.AnonymousUser): """A User class with some extra special sauce for Keystone.