Merge "Exclusively use restore_padding method in unpacking fernet tokens"

This commit is contained in:
Jenkins 2017-02-28 02:29:07 +00:00 committed by Gerrit Code Review
commit 51c922e6ff
2 changed files with 1 additions and 56 deletions

View File

@ -17,10 +17,8 @@ import mock
import os
import uuid
import msgpack
from oslo_utils import timeutils
import six
from six.moves import urllib
from keystone import auth
from keystone.common import fernet_utils
@ -257,46 +255,6 @@ class TestTokenFormatter(unit.TestCase):
)
self.assertEqual(encoded_string, encoded_str_with_padding_restored)
def test_legacy_padding_validation(self):
first_value = uuid.uuid4().hex
second_value = uuid.uuid4().hex
payload = (first_value, second_value)
msgpack_payload = msgpack.packb(payload)
# msgpack_payload is six.binary_type.
tf = token_formatters.TokenFormatter()
# NOTE(lbragstad): This method preserves the way that keystone used to
# percent encode the tokens, prior to bug #1491926.
def legacy_pack(payload):
# payload is six.binary_type.
encrypted_payload = tf.crypto.encrypt(payload)
# encrypted_payload is six.binary_type.
# the encrypted_payload is returned with padding appended
self.assertTrue(encrypted_payload.endswith(b'='))
# using urllib.parse.quote will percent encode the padding, like
# keystone did in Kilo.
percent_encoded_payload = urllib.parse.quote(encrypted_payload)
# percent_encoded_payload is six.text_type.
# ensure that the padding was actually percent encoded
self.assertTrue(percent_encoded_payload.endswith('%3D'))
return percent_encoded_payload
token_with_legacy_padding = legacy_pack(msgpack_payload)
# token_with_legacy_padding is six.text_type.
# demonstrate the we can validate a payload that has been percent
# encoded with the Fernet logic that existed in Kilo
serialized_payload = tf.unpack(token_with_legacy_padding)
# serialized_payload is six.binary_type.
returned_payload = msgpack.unpackb(serialized_payload)
# returned_payload contains six.binary_type.
self.assertEqual(first_value, returned_payload[0].decode('utf-8'))
self.assertEqual(second_value, returned_payload[1].decode('utf-8'))
class TestPayloads(unit.TestCase):
def assertTimestampsEqual(self, expected, actual):

View File

@ -21,7 +21,6 @@ from oslo_log import log
from oslo_utils import timeutils
import six
from six.moves import map
from six.moves import urllib
from keystone.auth import plugins as auth_plugins
from keystone.common import fernet_utils as utils
@ -86,19 +85,7 @@ class TokenFormatter(object):
:rtype: six.binary_type
"""
# TODO(lbragstad): Restore padding on token before decoding it.
# Initially in Kilo, Fernet tokens were returned to the user with
# padding appended to the token. Later in Liberty this padding was
# removed and restored in the Fernet provider. The following if
# statement ensures that we can validate tokens with and without token
# padding, in the event of an upgrade and the tokens that are issued
# throughout the upgrade. Remove this if statement when Mitaka opens
# for development and exclusively use the restore_padding() class
# method.
if token.endswith('%3D'):
token = urllib.parse.unquote(token)
else:
token = TokenFormatter.restore_padding(token)
token = TokenFormatter.restore_padding(token)
try:
return self.crypto.decrypt(token.encode('utf-8'))