Drop pki token check from Token class in openstack_auth

PKI Tokens got removed from Keystone in 2016 [1], so this check is no
longer needed.

OPENSTACK_TOKEN_HASH_ALGORITHM setting is dropped
as it is used only in PKI token check.

[1] https://review.openstack.org/#/c/374479/

Change-Id: I2de02fe6fab531842752b03c5e17af2bcf502cd8
Thomas Bechtold 2018-12-06 07:51:48 +01:00 committed by Akihiro Motoki
parent 254e3791d3
commit 069329eeb2
6 changed files with 12 additions and 63 deletions


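--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1346,18 +1346,6 @@ The full URL for the Keystone endpoint used for authentication. Unless you
 are using HTTPS, running your Keystone server on a nonstandard port, or using
 a nonstandard URL scheme you shouldn't need to touch this setting.
-OPENSTACK_TOKEN_HASH_ALGORITHM
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. versionadded:: 2014.2(Juno)
-Default: ``"md5"``
-The hash algorithm to use for authentication tokens. This must match the hash
-algorithm that the identity (Keystone) server and the auth_token middleware
-are using. Allowed values are the algorithms supported by Python's hashlib
-library.
 PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~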


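--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -17,7 +17,6 @@ import uuid
 from django.utils import datetime_safe
 from keystoneauth1.access import access
 from keystoneauth1.access import service_catalog
-from keystoneclient.common import cms
 from keystoneclient.v3 import domains
 from keystoneclient.v3 import projects
 from keystoneclient.v3 import roles
@@ -55,8 +54,7 @@ class TestResponse(requests.Response):
 return self._text
-def generate_test_data(pki=False, service_providers=False,
-endpoint='localhost'):
+def generate_test_data(service_providers=False, endpoint='localhost'):
 '''Builds a set of test_data data as returned by Keystone V2.'''
 test_data = TestDataContainer()
@@ -179,11 +177,6 @@ def generate_test_data(pki=False, service_providers=False,
 # Tokens
 tomorrow = datetime_safe.datetime.now() + datetime.timedelta(days=1)
 expiration = datetime_safe.datetime.isoformat(tomorrow)
-if pki:
-# We don't need a real PKI token, but just the prefix to make the
-# keystone client treat it as a PKI token
-auth_token = cms.PKI_ASN1_PREFIX + uuid.uuid4().hex
-else:
-auth_token = uuid.uuid4().hex
+auth_token = uuid.uuid4().hex
 auth_response_headers = {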
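Review bot: Removing the `pki` keyword from `generate_test_data` in the second hunk is a signature change, so any other test module that still calls `generate_test_data(pki=True)` now fails with TypeError instead of getting a plain UUID token; this page only shows the one caller in the user test being deleted, so the remaining callers are presumably checked by the test run rather than visible here. The docstring kept as context, `'''Builds a set of test_data data as returned by Keystone V2.'''`, says V2 while the module is imported as `data_v3` elsewhere in this commit; if the helper does build V3 payloads, `'''Builds a set of test data as returned by Keystone V3.'''` would be the accurate wording. generate_test_data continues past the end of the hunk.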


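--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -14,7 +14,6 @@
 from django import test
 import mock
-from openstack_auth.tests import data_v3
 from openstack_auth import user
@@ -37,17 +36,3 @@ class PermTestCase(test.TestCase):
 # perm1 AND (perm2 OR perm3)
 perm_list = ['perm1', ('perm2', 'perm3')]
 self.assertTrue(testuser.has_perms(perm_list))
-class UserTestCase(test.TestCase):
-def setUp(self):
-super(UserTestCase, self).setUp()
-self.data = data_v3.generate_test_data(pki=True)
-def test_unscoped_token_is_none(self):
-created_token = user.Token(self.data.domain_scoped_access_info,
-unscoped_token=None)
-self.assertTrue(created_token._is_pki_token(
-self.data.domain_scoped_access_info.auth_token))
-self.assertFalse(created_token._is_pki_token(None))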


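--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -12,14 +12,11 @@
 # limitations under the License.
 import datetime
-import hashlib
 import logging
-from django.conf import settings
 from django.contrib.auth import models
 from django.db import models as db_models
 from keystoneauth1 import exceptions as keystone_exceptions
-from keystoneclient.common import cms as keystone_cms
 import six
 from openstack_auth import utils
@@ -97,17 +94,6 @@ class Token(object):
 # Token-related attributes
 self.id = auth_ref.auth_token
 self.unscoped_token = unscoped_token
-if self._is_pki_token(self.id):
-algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
-'md5')
-hasher = hashlib.new(algorithm)
-hasher.update(self.id.encode('utf-8'))
-self.id = hasher.hexdigest()
-# Only hash unscoped token if needed
-if self._is_pki_token(self.unscoped_token):
-hasher = hashlib.new(algorithm)
-hasher.update(self.unscoped_token.encode('utf-8'))
-self.unscoped_token = hasher.hexdigest()
 self.expires = auth_ref.expires
 # Project-related attributes
@@ -131,13 +117,6 @@ class Token(object):
 self.roles = [{'name': role} for role in auth_ref.role_names]
 self.serviceCatalog = auth_ref.service_catalog.catalog
-def _is_pki_token(self, token):
-"""Determines if this is a pki-based token (pki or pkiz)"""
-if token is None:
-return False
-return (keystone_cms.is_ans1_token(token) or
-keystone_cms.is_pkiz(token))
 class User(models.AbstractBaseUser, models.AnonymousUser):
 """A User class with some extra special sauce for Keystone.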
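Review bot: With the hashing branch gone in the second hunk, `Token.id` and `Token.unscoped_token` now hold the Keystone bearer token exactly as issued, and nothing around `self.id = auth_ref.auth_token` says that this is deliberate; a one-line comment such as `# Tokens are kept as issued; the PKI-era hashing step went away with PKI support.` would stop a later reader from re-adding a size bound or a digest step. The first hunk also drops the `settings` and `hashlib` imports, which is only safe if no other code in this module still references them — the rest of the file is outside this view, so that is presumably covered by the test run rather than by the page. `Token.__init__` begins and ends outside the second hunk, and the third hunk removes the private `_is_pki_token` whose only visible caller was the test deleted in this same commit.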


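--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -795,12 +795,6 @@ SECURITY_GROUP_RULES = {
 # See Metadata Definitions on:
 # https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html
-# The hash algorithm to use for authentication tokens. This must
-# match the hash algorithm that the identity server and the
-# auth_token middleware are using. Allowed values are the
-# algorithms supported by Python's hashlib library.
-#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
 # AngularJS requires some settings to be made available to
 # the client side. Some settings are required by in-tree / built-in horizon
 # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the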


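--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,10 @@
+---
+upgrade:
+- |
+PKI token support has been dropped from horizon. PKI token was removed
+from keystone in Ocata release which was released two years ago.
+It is a good timing to drop its support.
+``OPENSTACK_TOKEN_HASH_ALGORITHM`` setting was removed because it was
+used only for PKI token check. Unless you use PKI token before upgrading,
+there is no affect and you can safely drop it from your local_settings.py.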