Use the MD5 hash of PKI-signed tokens.

Since Keystone's default token format is now PKI, the length of the tokens increased by several orders of magnitude, causing problems with session cookie size exceeding the maximum cookie size. This patch imports the "is_ans1_token" function from Keystone and uses the MD5 hash for PKI-signed tokens since that's supported in Keystone as well.
2012-11-02 14:29:27 -07:00 · 2012-11-02 14:29:27 -07:00 · b7c6d9b93e
commit b7c6d9b93e
parent ef030ff77a
3 changed files with 53 additions and 2 deletions
--- a/openstack_auth/init.py
+++ b/openstack_auth/init.py
@ -1,2 +1,2 @@
 # following PEP 386
-__version__ = "1.0.2"
+__version__ = "1.0.3"
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@ -1,15 +1,20 @@
+import hashlib
+
 from django.contrib.auth.models import AnonymousUser

 from keystoneclient.v2_0 import client as keystone_client
 from keystoneclient import exceptions as keystone_exceptions

-from .utils import check_token_expiration
+from .utils import check_token_expiration, is_ans1_token


 def set_session_from_user(request, user):
    request.session['serviceCatalog'] = user.service_catalog
    request.session['tenant'] = user.tenant_name
    request.session['tenant_id'] = user.tenant_id
+    if is_ans1_token(user.token.id):
+        hashed_token = hashlib.md5(user.token.id).hexdigest()
+        user.token._info['token']['id'] = hashed_token
    request.session['token'] = user.token._info
    request.session['username'] = user.username
    request.session['user_id'] = user.id
--- a/openstack_auth/utils.py
+++ b/openstack_auth/utils.py
@ -57,3 +57,49 @@ def check_token_expiration(token):
        return expiration > timezone.now()
    else:
        return False
+
+
+# Copied from Keystone's keystone/common/cms.py file.
+PKI_ANS1_PREFIX = 'MII'
+
+
+def is_ans1_token(token):
+    '''
+    thx to ayoung for sorting this out.
+
+    base64 decoded hex representation of MII is 3082
+    In [3]: binascii.hexlify(base64.b64decode('MII='))
+    Out[3]: '3082'
+
+    re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+
+    pg4:  For tags from 0 to 30 the first octet is the identfier
+    pg10: Hex 30 means sequence, followed by the length of that sequence.
+    pg5:  Second octet is the length octet
+          first bit indicates short or long form, next 7 bits encode the number
+          of subsequent octets that make up the content length octets as an
+          unsigned binary int
+
+          82 = 10000010 (first bit indicates long form)
+          0000010 = 2 octets of content length
+          so read the next 2 octets to get the length of the content.
+
+    In the case of a very large content length there could be a requirement to
+    have more than 2 octets to designate the content length, therefore
+    requiring us to check for MIM, MIQ, etc.
+    In [4]: base64.b64encode(binascii.a2b_hex('3083'))
+    Out[4]: 'MIM='
+    In [5]: base64.b64encode(binascii.a2b_hex('3084'))
+    Out[5]: 'MIQ='
+    Checking for MI would become invalid at 16 octets of content length
+    10010000 = 90
+    In [6]: base64.b64encode(binascii.a2b_hex('3090'))
+    Out[6]: 'MJA='
+    Checking for just M is insufficient
+
+    But we will only check for MII:
+    Max length of the content using 2 octets is 7FFF or 32767
+    It's not practical to support a token of this length or greater in http
+    therefore, we will check for MII only and ignore the case of larger tokens
+    '''
+    return token[:3] == PKI_ANS1_PREFIX