Merge "Unscoped PKI token should no longer be hashed multiple times."

openstack_auth/user.py

@@ -84,18 +84,17 @@ class Token(object):
         # Token-related attributes
         self.id = auth_ref.auth_token
         self.unscoped_token = unscoped_token
-        if (_TOKEN_HASH_ENABLED and
+        if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id):
-                (keystone_cms.is_asn1_token(self.id)
-                    or keystone_cms.is_pkiz(self.id))):
             algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
                                 'md5')
             hasher = hashlib.new(algorithm)
             hasher.update(self.id)
             self.id = hasher.hexdigest()
-            # If the scoped_token is long, then unscoped_token must be too.
+            # Only hash unscoped token if needed
-            hasher = hashlib.new(algorithm)
+            if self._is_pki_token(self.unscoped_token):
-            hasher.update(self.unscoped_token)
+                hasher = hashlib.new(algorithm)
-            self.unscoped_token = hasher.hexdigest()
+                hasher.update(self.unscoped_token)
+                self.unscoped_token = hasher.hexdigest()
         self.expires = auth_ref.expires
 
         # Project-related attributes
@@ -116,6 +115,11 @@ class Token(object):
         self.roles = [{'name': role} for role in auth_ref.role_names]
         self.serviceCatalog = auth_ref.service_catalog.catalog
 
+    def _is_pki_token(self, token):
+        """Determines if this is a pki-based token (pki or pkiz)"""
+        return (keystone_cms.is_ans1_token(token)
+                or keystone_cms.is_pkiz(token))
+
 
 class User(models.AbstractBaseUser, models.AnonymousUser):
     """A User class with some extra special sauce for Keystone.