Unscoped PKI token should no longer be hashed multiple times.

When token hashing is used with pki tokens, the unscoped token gets re-hashed when switching project. This fix checks if the unscoped token needs to be hashed before doing so. The project list operation when switching project in horizon failed because the unscoped token could for example be an md5 of an md5. Change-Id: I64684ca251eb4d0c6164e58c078cf7d132eb3cc1 Closes-Bug: #1487372
2016-01-07 13:42:28 +01:00 · 2016-01-07 13:42:28 +01:00 · 5ab3908cff
commit 5ab3908cff
parent ad98c9dd5b
1 changed files with 11 additions and 7 deletions
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@ -84,18 +84,17 @@ class Token(object):
        # Token-related attributes
        self.id = auth_ref.auth_token
        self.unscoped_token = unscoped_token
-        if (_TOKEN_HASH_ENABLED and
-                (keystone_cms.is_asn1_token(self.id)
-                    or keystone_cms.is_pkiz(self.id))):
+        if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id):
            algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
                                'md5')
            hasher = hashlib.new(algorithm)
            hasher.update(self.id)
            self.id = hasher.hexdigest()
-            # If the scoped_token is long, then unscoped_token must be too.
-            hasher = hashlib.new(algorithm)
-            hasher.update(self.unscoped_token)
-            self.unscoped_token = hasher.hexdigest()
+            # Only hash unscoped token if needed
+            if self._is_pki_token(self.unscoped_token):
+                hasher = hashlib.new(algorithm)
+                hasher.update(self.unscoped_token)
+                self.unscoped_token = hasher.hexdigest()
        self.expires = auth_ref.expires

        # Project-related attributes
@ -116,6 +115,11 @@ class Token(object):
        self.roles = [{'name': role} for role in auth_ref.role_names]
        self.serviceCatalog = auth_ref.service_catalog.catalog

+    def _is_pki_token(self, token):
+        """Determines if this is a pki-based token (pki or pkiz)"""
+        return (keystone_cms.is_ans1_token(token)
+                or keystone_cms.is_pkiz(token))
+

 class User(models.AbstractBaseUser, models.AnonymousUser):
    """A User class with some extra special sauce for Keystone.