diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py index f1d8a4d647..a03d61dac4 100644 --- a/keystone/cmd/cli.py +++ b/keystone/cmd/cli.py @@ -29,9 +29,9 @@ import pbr.version from keystone.cmd import bootstrap from keystone.cmd import doctor from keystone.common import driver_hints +from keystone.common import fernet_utils from keystone.common import sql from keystone.common.sql import upgrades -from keystone.common import token_utils from keystone.common import utils import keystone.conf from keystone.credential.providers import fernet as credential_fernet @@ -395,16 +395,16 @@ class FernetSetup(BasePermissionsSetup): @classmethod def main(cls): - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' ) keystone_user_id, keystone_group_id = cls.get_user_group() - tutils.create_key_directory(keystone_user_id, keystone_group_id) - if tutils.validate_key_repository(requires_write=True): - tutils.initialize_key_repository( + futils.create_key_directory(keystone_user_id, keystone_group_id) + if futils.validate_key_repository(requires_write=True): + futils.initialize_key_repository( keystone_user_id, keystone_group_id) @@ -430,15 +430,15 @@ class FernetRotate(BasePermissionsSetup): @classmethod def main(cls): - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' ) keystone_user_id, keystone_group_id = cls.get_user_group() - if tutils.validate_key_repository(requires_write=True): - tutils.rotate_keys(keystone_user_id, keystone_group_id) + if futils.validate_key_repository(requires_write=True): + futils.rotate_keys(keystone_user_id, keystone_group_id) class TokenSetup(BasePermissionsSetup): @@ -454,7 +454,7 @@ class TokenSetup(BasePermissionsSetup): @classmethod def main(cls): - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( # TODO(gagehugo) Change this to CONF.token CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, @@ -462,9 +462,9 @@ class TokenSetup(BasePermissionsSetup): ) keystone_user_id, keystone_group_id = cls.get_user_group() - tutils.create_key_directory(keystone_user_id, keystone_group_id) - if tutils.validate_key_repository(requires_write=True): - tutils.initialize_key_repository( + futils.create_key_directory(keystone_user_id, keystone_group_id) + if futils.validate_key_repository(requires_write=True): + futils.initialize_key_repository( keystone_user_id, keystone_group_id) @@ -490,7 +490,7 @@ class TokenRotate(BasePermissionsSetup): @classmethod def main(cls): - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( # TODO(gagehugo) Change this to CONF.token CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, @@ -498,8 +498,8 @@ class TokenRotate(BasePermissionsSetup): ) keystone_user_id, keystone_group_id = cls.get_user_group() - if tutils.validate_key_repository(requires_write=True): - tutils.rotate_keys(keystone_user_id, keystone_group_id) + if futils.validate_key_repository(requires_write=True): + futils.rotate_keys(keystone_user_id, keystone_group_id) class CredentialSetup(BasePermissionsSetup): @@ -515,16 +515,16 @@ class CredentialSetup(BasePermissionsSetup): @classmethod def main(cls): - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS, 'credential' ) keystone_user_id, keystone_group_id = cls.get_user_group() - tutils.create_key_directory(keystone_user_id, keystone_group_id) - if tutils.validate_key_repository(requires_write=True): - tutils.initialize_key_repository( + futils.create_key_directory(keystone_user_id, keystone_group_id) + if futils.validate_key_repository(requires_write=True): + futils.initialize_key_repository( keystone_user_id, keystone_group_id ) @@ -587,17 +587,17 @@ class CredentialRotate(BasePermissionsSetup): @classmethod def main(cls): - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS, 'credential' ) keystone_user_id, keystone_group_id = cls.get_user_group() - if tutils.validate_key_repository(requires_write=True): + if futils.validate_key_repository(requires_write=True): klass = cls() klass.validate_primary_key() - tutils.rotate_keys(keystone_user_id, keystone_group_id) + futils.rotate_keys(keystone_user_id, keystone_group_id) class CredentialMigrate(BasePermissionsSetup): @@ -647,12 +647,12 @@ class CredentialMigrate(BasePermissionsSetup): @classmethod def main(cls): # Check to make sure we have a repository that works... - tutils = token_utils.TokenUtils( + futils = fernet_utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS, 'credential' ) - tutils.validate_key_repository(requires_write=True) + futils.validate_key_repository(requires_write=True) klass = cls() klass.migrate_credentials() diff --git a/keystone/cmd/doctor/credential.py b/keystone/cmd/doctor/credential.py index ab90a0f62f..54b11ede4c 100644 --- a/keystone/cmd/doctor/credential.py +++ b/keystone/cmd/doctor/credential.py @@ -12,7 +12,7 @@ import keystone.conf -from keystone.common import token_utils as utils +from keystone.common import fernet_utils as utils from keystone.credential.providers import fernet as credential_fernet @@ -47,14 +47,14 @@ def symptom_usability_of_credential_fernet_key_repository(): running keystone, but not world-readable, because it contains security sensitive secrets. """ - token_utils = utils.TokenUtils( + fernet_utils = utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS, 'credential' ) return ( 'fernet' in CONF.credential.provider - and not token_utils.validate_key_repository()) + and not fernet_utils.validate_key_repository()) def symptom_keys_in_credential_fernet_key_repository(): @@ -65,11 +65,11 @@ def symptom_keys_in_credential_fernet_key_repository(): key repository with keys, and periodically rotate your keys with `keystone-manage credential_rotate`. """ - token_utils = utils.TokenUtils( + fernet_utils = utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS, 'credential' ) return ( 'fernet' in CONF.credential.provider - and not token_utils.load_keys()) + and not fernet_utils.load_keys()) diff --git a/keystone/cmd/doctor/tokens_fernet.py b/keystone/cmd/doctor/tokens_fernet.py index ed92bb4dbf..e0e7a5bdd3 100644 --- a/keystone/cmd/doctor/tokens_fernet.py +++ b/keystone/cmd/doctor/tokens_fernet.py @@ -12,7 +12,7 @@ import keystone.conf -from keystone.common import token_utils as utils +from keystone.common import fernet_utils as utils CONF = keystone.conf.CONF @@ -25,14 +25,14 @@ def symptom_usability_of_Fernet_key_repository(): keystone, but not world-readable, because it contains security-sensitive secrets. """ - token_utils = utils.TokenUtils( + fernet_utils = utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' ) return ( 'fernet' in CONF.token.provider - and not token_utils.validate_key_repository()) + and not fernet_utils.validate_key_repository()) def symptom_keys_in_Fernet_key_repository(): @@ -43,11 +43,11 @@ def symptom_keys_in_Fernet_key_repository(): with keys, and periodically rotate your keys with `keystone-manage fernet_rotate`. """ - token_utils = utils.TokenUtils( + fernet_utils = utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' ) return ( 'fernet' in CONF.token.provider - and not token_utils.load_keys()) + and not fernet_utils.load_keys()) diff --git a/keystone/common/token_utils.py b/keystone/common/fernet_utils.py similarity index 99% rename from keystone/common/token_utils.py rename to keystone/common/fernet_utils.py index 4ff6dff6c4..be0babbb89 100644 --- a/keystone/common/token_utils.py +++ b/keystone/common/fernet_utils.py @@ -33,7 +33,7 @@ CONF = keystone.conf.CONF NULL_KEY = base64.urlsafe_b64encode(b'\x00' * 32) -class TokenUtils(object): +class FernetUtils(object): def __init__(self, key_repository=None, max_active_keys=None, config_group=None): diff --git a/keystone/credential/providers/fernet/core.py b/keystone/credential/providers/fernet/core.py index 0928b14452..11fd95676e 100644 --- a/keystone/credential/providers/fernet/core.py +++ b/keystone/credential/providers/fernet/core.py @@ -16,7 +16,7 @@ from cryptography import fernet from oslo_log import log import six -from keystone.common import token_utils +from keystone.common import fernet_utils import keystone.conf from keystone.credential.providers import core from keystone import exception @@ -36,13 +36,13 @@ LOG = log.getLogger(__name__) # could remove a key used to encrypt credentials, leaving them recoverable. # This also means that we don't need to expose a `[credential] max_active_keys` # option through configuration. Instead we will use a global configuration and -# share that across all places that need to use TokenUtils for credential +# share that across all places that need to use FernetUtils for credential # encryption. MAX_ACTIVE_KEYS = 3 def get_multi_fernet_keys(): - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.credential.key_repository, MAX_ACTIVE_KEYS, 'credential') keys = key_utils.load_keys(use_null_key=True) @@ -73,7 +73,7 @@ class Provider(core.Provider): """ crypto, keys = get_multi_fernet_keys() - if keys[0] == token_utils.NULL_KEY: + if keys[0] == fernet_utils.NULL_KEY: LOG.warning( 'Encrypting credentials with the null key. Please properly ' 'encrypt credentials using `keystone-manage credential_setup`,' @@ -95,7 +95,7 @@ class Provider(core.Provider): :param credential: an encrypted credential string :returns: a decrypted credential """ - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.credential.key_repository, MAX_ACTIVE_KEYS) keys = key_utils.load_keys(use_null_key=True) fernet_keys = [fernet.Fernet(key) for key in keys] diff --git a/keystone/tests/unit/common/test_utils.py b/keystone/tests/unit/common/test_utils.py index 0b48fd3238..660a528bfb 100644 --- a/keystone/tests/unit/common/test_utils.py +++ b/keystone/tests/unit/common/test_utils.py @@ -20,7 +20,7 @@ from oslo_config import fixture as config_fixture from oslo_log import log import six -from keystone.common import token_utils +from keystone.common import fernet_utils from keystone.common import utils as common_utils import keystone.conf from keystone.credential.providers import fernet as credential_fernet @@ -258,10 +258,10 @@ class ServiceHelperTests(unit.BaseTestCase): self.assertRaises(unit.UnexpectedExit, self._do_test) -class TokenUtilsTestCase(unit.BaseTestCase): +class FernetUtilsTestCase(unit.BaseTestCase): def setUp(self): - super(TokenUtilsTestCase, self).setUp() + super(FernetUtilsTestCase, self).setUp() self.config_fixture = self.useFixture(config_fixture.Config(CONF)) def test_debug_message_logged_when_loading_fernet_token_keys(self): @@ -273,7 +273,7 @@ class TokenUtilsTestCase(unit.BaseTestCase): ) ) logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG)) - fernet_utilities = token_utils.TokenUtils( + fernet_utilities = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -296,7 +296,7 @@ class TokenUtilsTestCase(unit.BaseTestCase): ) ) logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG)) - fernet_utilities = token_utils.TokenUtils( + fernet_utilities = fernet_utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS, 'credential' diff --git a/keystone/tests/unit/credential/test_fernet_provider.py b/keystone/tests/unit/credential/test_fernet_provider.py index 131399ad4f..c5ea7d41e8 100644 --- a/keystone/tests/unit/credential/test_fernet_provider.py +++ b/keystone/tests/unit/credential/test_fernet_provider.py @@ -16,7 +16,7 @@ import uuid from oslo_log import log -from keystone.common import token_utils +from keystone.common import fernet_utils from keystone.credential.providers import fernet as credential_fernet from keystone.tests import unit from keystone.tests.unit import ksfixtures @@ -63,7 +63,7 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase): ) def test_encryption_with_null_key(self): - null_key = token_utils.NULL_KEY + null_key = fernet_utils.NULL_KEY # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 # which is marked insecure. Keystone uses SHA1 in this case as part of # HMAC-SHA1 which is currently not insecure but will still get diff --git a/keystone/tests/unit/ksfixtures/key_repository.py b/keystone/tests/unit/ksfixtures/key_repository.py index f8f2d084e4..45be418475 100644 --- a/keystone/tests/unit/ksfixtures/key_repository.py +++ b/keystone/tests/unit/ksfixtures/key_repository.py @@ -12,7 +12,7 @@ import fixtures -from keystone.common import token_utils as utils +from keystone.common import fernet_utils as utils class KeyRepository(fixtures.Fixture): @@ -28,10 +28,10 @@ class KeyRepository(fixtures.Fixture): self.config_fixture.config(group=self.key_group, key_repository=directory) - token_utils = utils.TokenUtils( + fernet_utils = utils.FernetUtils( directory, self.max_active_keys, self.key_group ) - token_utils.create_key_directory() - token_utils.initialize_key_repository() + fernet_utils.create_key_directory() + fernet_utils.initialize_key_repository() diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py index fb4df0d4c4..fa64e43971 100644 --- a/keystone/tests/unit/test_cli.py +++ b/keystone/tests/unit/test_cli.py @@ -841,7 +841,7 @@ class CredentialDoctorTests(unit.TestCase): def test_usability_of_cred_fernet_key_repo_raised(self, mock_utils): # Symptom Detected: credential fernet key repository is world readable self.config_fixture.config(group='credential', provider='fernet') - mock_utils.TokenUtils().validate_key_repository.return_value = False + mock_utils.FernetUtils().validate_key_repository.return_value = False self.assertTrue( credential.symptom_usability_of_credential_fernet_key_repository()) @@ -849,13 +849,13 @@ class CredentialDoctorTests(unit.TestCase): def test_usability_of_cred_fernet_key_repo_not_raised(self, mock_utils): # No Symptom Detected: Custom driver is used self.config_fixture.config(group='credential', provider='my-driver') - mock_utils.TokenUtils().validate_key_repository.return_value = True + mock_utils.FernetUtils().validate_key_repository.return_value = True self.assertFalse( credential.symptom_usability_of_credential_fernet_key_repository()) # No Symptom Detected: key repository is not world readable self.config_fixture.config(group='credential', provider='fernet') - mock_utils.TokenUtils().validate_key_repository.return_value = True + mock_utils.FernetUtils().validate_key_repository.return_value = True self.assertFalse( credential.symptom_usability_of_credential_fernet_key_repository()) @@ -863,7 +863,7 @@ class CredentialDoctorTests(unit.TestCase): def test_keys_in_credential_fernet_key_repository_raised(self, mock_utils): # Symptom Detected: Key repo is empty self.config_fixture.config(group='credential', provider='fernet') - mock_utils.TokenUtils().load_keys.return_value = False + mock_utils.FernetUtils().load_keys.return_value = False self.assertTrue( credential.symptom_keys_in_credential_fernet_key_repository()) @@ -872,13 +872,13 @@ class CredentialDoctorTests(unit.TestCase): self, mock_utils): # No Symptom Detected: Custom driver is used self.config_fixture.config(group='credential', provider='my-driver') - mock_utils.TokenUtils().load_keys.return_value = True + mock_utils.FernetUtils().load_keys.return_value = True self.assertFalse( credential.symptom_keys_in_credential_fernet_key_repository()) # No Symptom Detected: Key repo is not empty, fernet is current driver self.config_fixture.config(group='credential', provider='fernet') - mock_utils.TokenUtils().load_keys.return_value = True + mock_utils.FernetUtils().load_keys.return_value = True self.assertFalse( credential.symptom_keys_in_credential_fernet_key_repository()) @@ -1262,7 +1262,7 @@ class TokenFernetDoctorTests(unit.TestCase): def test_usability_of_Fernet_key_repository_raised(self, mock_utils): # Symptom Detected: Fernet key repo is world readable self.config_fixture.config(group='token', provider='fernet') - mock_utils.TokenUtils().validate_key_repository.return_value = False + mock_utils.FernetUtils().validate_key_repository.return_value = False self.assertTrue( tokens_fernet.symptom_usability_of_Fernet_key_repository()) @@ -1270,14 +1270,14 @@ class TokenFernetDoctorTests(unit.TestCase): def test_usability_of_Fernet_key_repository_not_raised(self, mock_utils): # No Symptom Detected: UUID is used instead of fernet self.config_fixture.config(group='token', provider='uuid') - mock_utils.TokenUtils().validate_key_repository.return_value = False + mock_utils.FernetUtils().validate_key_repository.return_value = False self.assertFalse( tokens_fernet.symptom_usability_of_Fernet_key_repository()) # No Symptom Detected: configs set properly, key repo is not world # readable but is user readable self.config_fixture.config(group='token', provider='fernet') - mock_utils.TokenUtils().validate_key_repository.return_value = True + mock_utils.FernetUtils().validate_key_repository.return_value = True self.assertFalse( tokens_fernet.symptom_usability_of_Fernet_key_repository()) @@ -1285,7 +1285,7 @@ class TokenFernetDoctorTests(unit.TestCase): def test_keys_in_Fernet_key_repository_raised(self, mock_utils): # Symptom Detected: Fernet key repository is empty self.config_fixture.config(group='token', provider='fernet') - mock_utils.TokenUtils().load_keys.return_value = False + mock_utils.FernetUtils().load_keys.return_value = False self.assertTrue( tokens_fernet.symptom_keys_in_Fernet_key_repository()) @@ -1293,14 +1293,14 @@ class TokenFernetDoctorTests(unit.TestCase): def test_keys_in_Fernet_key_repository_not_raised(self, mock_utils): # No Symptom Detected: UUID is used instead of fernet self.config_fixture.config(group='token', provider='uuid') - mock_utils.TokenUtils().load_keys.return_value = True + mock_utils.FernetUtils().load_keys.return_value = True self.assertFalse( tokens_fernet.symptom_usability_of_Fernet_key_repository()) # No Symptom Detected: configs set properly, key repo has been # populated with keys self.config_fixture.config(group='token', provider='fernet') - mock_utils.TokenUtils().load_keys.return_value = True + mock_utils.FernetUtils().load_keys.return_value = True self.assertFalse( tokens_fernet.symptom_usability_of_Fernet_key_repository()) diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py index ab2ca066d6..e15d3eb1dc 100644 --- a/keystone/tests/unit/token/test_fernet_provider.py +++ b/keystone/tests/unit/token/test_fernet_provider.py @@ -21,8 +21,8 @@ from oslo_utils import timeutils import six from keystone import auth +from keystone.common import fernet_utils from keystone.common import provider_api -from keystone.common import token_utils from keystone.common import utils import keystone.conf from keystone import exception @@ -499,7 +499,7 @@ class TestFernetKeyRotation(unit.TestCase): """ # Load the keys into a list, keys is list of six.text_type. - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -567,7 +567,7 @@ class TestFernetKeyRotation(unit.TestCase): # Rotate the keys just enough times to fully populate the key # repository. - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -585,7 +585,7 @@ class TestFernetKeyRotation(unit.TestCase): # Rotate an additional number of times to ensure that we maintain # the desired number of active keys. - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -603,7 +603,7 @@ class TestFernetKeyRotation(unit.TestCase): # Make sure that the init key repository contains 2 keys self.assertRepositoryState(expected_size=2) - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -614,13 +614,13 @@ class TestFernetKeyRotation(unit.TestCase): file_handle = mock_open() file_handle.flush.side_effect = IOError('disk full') - with mock.patch('keystone.common.token_utils.open', mock_open): + with mock.patch('keystone.common.fernet_utils.open', mock_open): self.assertRaises(IOError, key_utils.rotate_keys) # Assert that the key repository is unchanged self.assertEqual(self.key_repository_size, 2) - with mock.patch('keystone.common.token_utils.open', mock_open): + with mock.patch('keystone.common.fernet_utils.open', mock_open): self.assertRaises(IOError, key_utils.rotate_keys) # Assert that the key repository is still unchanged, even after @@ -640,7 +640,7 @@ class TestFernetKeyRotation(unit.TestCase): empty_file = os.path.join(CONF.fernet_tokens.key_repository, '2') with open(empty_file, 'w'): pass - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -656,7 +656,7 @@ class TestFernetKeyRotation(unit.TestCase): evil_file = os.path.join(CONF.fernet_tokens.key_repository, '99.bak') with open(evil_file, 'w'): pass - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -683,7 +683,7 @@ class TestLoadKeys(unit.TestCase): evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1') with open(evil_file, 'w'): pass - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' @@ -696,7 +696,7 @@ class TestLoadKeys(unit.TestCase): empty_file = os.path.join(CONF.fernet_tokens.key_repository, '2') with open(empty_file, 'w'): pass - key_utils = token_utils.TokenUtils( + key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' diff --git a/keystone/token/token_formatters.py b/keystone/token/token_formatters.py index d7d560be3e..fc98b42c9f 100644 --- a/keystone/token/token_formatters.py +++ b/keystone/token/token_formatters.py @@ -23,7 +23,7 @@ import six from six.moves import map from keystone.auth import plugins as auth_plugins -from keystone.common import token_utils as utils +from keystone.common import fernet_utils as utils from keystone.common import utils as ks_utils import keystone.conf from keystone import exception @@ -55,12 +55,12 @@ class TokenFormatter(object): ``encrypt(plaintext)`` and ``decrypt(ciphertext)``. """ - token_utils = utils.TokenUtils( + fernet_utils = utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' ) - keys = token_utils.load_keys() + keys = fernet_utils.load_keys() if not keys: raise exception.KeysNotFound()