Log warning if null key is used for encryption
The null key doesn't provide any real encryption protection. It only provides security through obscurity, since the null key is a known value. This commit makes it so we log a warning every time it is used for encryption. Change-Id: I10e8b6697c3b35c3ae6e8a1cec5e53f0913b42e6 Related-Bug: 1619758
This commit is contained in:
parent
e9b64378e6
commit
59f117f6a8
|
@ -20,7 +20,7 @@ from keystone.common import fernet_utils
|
|||
import keystone.conf
|
||||
from keystone.credential.providers import core
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone.i18n import _, _LW
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -68,6 +68,13 @@ class Provider(core.Provider):
|
|||
"""
|
||||
crypto, keys = get_multi_fernet_keys()
|
||||
|
||||
if keys[0] == fernet_utils.NULL_KEY:
|
||||
LOG.warning(_LW(
|
||||
'Encrypting credentials with the null key. Please properly '
|
||||
'encrypt credentials using `keystone-manage credential_setup`,'
|
||||
' `keystone-manage credential_migrate`, and `keystone-manage '
|
||||
'credential_rotate`'))
|
||||
|
||||
try:
|
||||
return (
|
||||
crypto.encrypt(credential.encode('utf-8')),
|
||||
|
|
|
@ -10,9 +10,12 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import fixtures
|
||||
import hashlib
|
||||
import uuid
|
||||
|
||||
from oslo_log import log
|
||||
|
||||
from keystone.common import fernet_utils
|
||||
import keystone.conf
|
||||
from keystone.credential.providers import fernet as credential_fernet
|
||||
|
@ -66,3 +69,15 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):
|
|||
|
||||
decrypted_blob = self.provider.decrypt(encrypted_blob)
|
||||
self.assertEqual(blob, decrypted_blob)
|
||||
|
||||
def test_warning_is_logged_when_encrypting_with_null_key(self):
|
||||
blob = uuid.uuid4().hex
|
||||
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||
expected_output = (
|
||||
'Encrypting credentials with the null key. Please properly '
|
||||
'encrypt credentials using `keystone-manage credential_setup`, '
|
||||
'`keystone-manage credential_migrate`, and `keystone-manage '
|
||||
'credential_rotate`'
|
||||
)
|
||||
encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
|
||||
self.assertIn(expected_output, logging_fixture.output)
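Review bot: The test pins only the positive case — that the warning appears when the null key is in use — but not that it is absent when real keys are configured, so a regression that logs the warning unconditionally would still pass; the test class that exercises real keys (not visible here, presumably it exists) should get a matching `self.assertNotIn('Encrypting credentials with the null key', logging_fixture.output)` after an `encrypt()` call. On the second-to-last line, `encrypted_blob` and `primary_key_hash` are bound but never used; calling `self.provider.encrypt(blob)` on its own makes it clear the test is about the log output only.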
|
||||
|
|