Merge "Unscoped PKI token should no longer be hashed multiple times."

openstack_auth/user.py

@@ -84,15 +84,14 @@ class Token(object):
         # Token-related attributes
         self.id = auth_ref.auth_token
         self.unscoped_token = unscoped_token
-        if (_TOKEN_HASH_ENABLED and
-                (keystone_cms.is_asn1_token(self.id)
-                    or keystone_cms.is_pkiz(self.id))):
+        if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id):
             algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
                                 'md5')
             hasher = hashlib.new(algorithm)
             hasher.update(self.id)
             self.id = hasher.hexdigest()
-            # If the scoped_token is long, then unscoped_token must be too.
+            # Only hash unscoped token if needed
+            if self._is_pki_token(self.unscoped_token):
                 hasher = hashlib.new(algorithm)
                 hasher.update(self.unscoped_token)
                 self.unscoped_token = hasher.hexdigest()
@@ -116,6 +115,11 @@ class Token(object):
         self.roles = [{'name': role} for role in auth_ref.role_names]
         self.serviceCatalog = auth_ref.service_catalog.catalog
 
+    def _is_pki_token(self, token):
+        """Determines if this is a pki-based token (pki or pkiz)"""
+        return (keystone_cms.is_ans1_token(token)
+                or keystone_cms.is_pkiz(token))
+
 
 class User(models.AbstractBaseUser, models.AnonymousUser):
     """A User class with some extra special sauce for Keystone.