Drop pki token check from Token class in openstack_auth

PKI Tokens got removed from Keystone in 2016[1] so this check is no longer needed. OPENSTACK_TOKEN_HASH_ALGORITHM setting is dropped as it is used only in PKI token check. [1] https://review.openstack.org/#/c/374479/ Change-Id: I2de02fe6fab531842752b03c5e17af2bcf502cd8
2018-12-06 07:51:48 +01:00 · 2018-12-06 07:51:48 +01:00 · 069329eeb2
commit 069329eeb2
parent 254e3791d3
6 changed files with 12 additions and 63 deletions
--- a/doc/source/configuration/settings.rst
+++ b/doc/source/configuration/settings.rst
@ -1346,18 +1346,6 @@ The full URL for the Keystone endpoint used for authentication. Unless you
 are using HTTPS, running your Keystone server on a nonstandard port, or using
 a nonstandard URL scheme you shouldn't need to touch this setting.

-OPENSTACK_TOKEN_HASH_ALGORITHM
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. versionadded:: 2014.2(Juno)
-
-Default: ``"md5"``
-
-The hash algorithm to use for authentication tokens. This must match the hash
-algorithm that the identity (Keystone) server and the auth_token middleware
-are using. Allowed values are the algorithms supported by Python's hashlib
-library.
-
 PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/openstack_auth/tests/data_v3.py
+++ b/openstack_auth/tests/data_v3.py
@ -17,7 +17,6 @@ import uuid
 from django.utils import datetime_safe
 from keystoneauth1.access import access
 from keystoneauth1.access import service_catalog
-from keystoneclient.common import cms
 from keystoneclient.v3 import domains
 from keystoneclient.v3 import projects
 from keystoneclient.v3 import roles
@ -55,8 +54,7 @@ class TestResponse(requests.Response):
        return self._text


-def generate_test_data(pki=False, service_providers=False,
-                       endpoint='localhost'):
+def generate_test_data(service_providers=False, endpoint='localhost'):
    '''Builds a set of test_data data as returned by Keystone V2.'''
    test_data = TestDataContainer()

@ -179,12 +177,7 @@ def generate_test_data(pki=False, service_providers=False,
    # Tokens
    tomorrow = datetime_safe.datetime.now() + datetime.timedelta(days=1)
    expiration = datetime_safe.datetime.isoformat(tomorrow)
-    if pki:
-        # We don't need a real PKI token, but just the prefix to make the
-        # keystone client treat it as a PKI token
-        auth_token = cms.PKI_ASN1_PREFIX + uuid.uuid4().hex
-    else:
-        auth_token = uuid.uuid4().hex
+    auth_token = uuid.uuid4().hex

    auth_response_headers = {
        'X-Subject-Token': auth_token
--- a/openstack_auth/tests/unit/test_user.py
+++ b/openstack_auth/tests/unit/test_user.py
@ -14,7 +14,6 @@
 from django import test
 import mock

-from openstack_auth.tests import data_v3
 from openstack_auth import user


@ -37,17 +36,3 @@ class PermTestCase(test.TestCase):
            # perm1 AND (perm2 OR perm3)
            perm_list = ['perm1', ('perm2', 'perm3')]
            self.assertTrue(testuser.has_perms(perm_list))
-
-
-class UserTestCase(test.TestCase):
-
-    def setUp(self):
-        super(UserTestCase, self).setUp()
-        self.data = data_v3.generate_test_data(pki=True)
-
-    def test_unscoped_token_is_none(self):
-        created_token = user.Token(self.data.domain_scoped_access_info,
-                                   unscoped_token=None)
-        self.assertTrue(created_token._is_pki_token(
-                        self.data.domain_scoped_access_info.auth_token))
-        self.assertFalse(created_token._is_pki_token(None))
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@ -12,14 +12,11 @@
 # limitations under the License.

 import datetime
-import hashlib
 import logging

-from django.conf import settings
 from django.contrib.auth import models
 from django.db import models as db_models
 from keystoneauth1 import exceptions as keystone_exceptions
-from keystoneclient.common import cms as keystone_cms
 import six

 from openstack_auth import utils
@ -97,17 +94,6 @@ class Token(object):
        # Token-related attributes
        self.id = auth_ref.auth_token
        self.unscoped_token = unscoped_token
-        if self._is_pki_token(self.id):
-            algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
-                                'md5')
-            hasher = hashlib.new(algorithm)
-            hasher.update(self.id.encode('utf-8'))
-            self.id = hasher.hexdigest()
-            # Only hash unscoped token if needed
-            if self._is_pki_token(self.unscoped_token):
-                hasher = hashlib.new(algorithm)
-                hasher.update(self.unscoped_token.encode('utf-8'))
-                self.unscoped_token = hasher.hexdigest()
        self.expires = auth_ref.expires

        # Project-related attributes
@ -131,13 +117,6 @@ class Token(object):
        self.roles = [{'name': role} for role in auth_ref.role_names]
        self.serviceCatalog = auth_ref.service_catalog.catalog

-    def _is_pki_token(self, token):
-        """Determines if this is a pki-based token (pki or pkiz)"""
-        if token is None:
-            return False
-        return (keystone_cms.is_ans1_token(token) or
-                keystone_cms.is_pkiz(token))
-

 class User(models.AbstractBaseUser, models.AnonymousUser):
    """A User class with some extra special sauce for Keystone.
--- a/openstack_dashboard/local/local_settings.py.example
+++ b/openstack_dashboard/local/local_settings.py.example
@ -795,12 +795,6 @@ SECURITY_GROUP_RULES = {
 # See Metadata Definitions on:
 # https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html

-# The hash algorithm to use for authentication tokens. This must
-# match the hash algorithm that the identity server and the
-# auth_token middleware are using. Allowed values are the
-# algorithms supported by Python's hashlib library.
-#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
-
 # AngularJS requires some settings to be made available to
 # the client side. Some settings are required by in-tree / built-in horizon
 # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
--- a/releasenotes/notes/drop-pki-token-d8bc4d665887aedf.yaml
+++ b/releasenotes/notes/drop-pki-token-d8bc4d665887aedf.yaml
@ -0,0 +1,10 @@
+---
+upgrade:
+  - |
+    PKI token support has been dropped from horizon. PKI token was removed
+    from keystone in Ocata release which was released two years ago.
+    It is a good timing to drop its support.
+
+    ``OPENSTACK_TOKEN_HASH_ALGORITHM`` setting was removed because it was
+    used only for PKI token check. Unless you use PKI token before upgrading,
+    there is no affect and you can safely drop it from your local_settings.py.