Log warning if null key is used for encryption
The null key doesn't provide any real encryption protection. It only provides security through obscurity, since the null key is publicly known. This commit makes it so that we log a warning every time it is used for encryption. Change-Id: I10e8b6697c3b35c3ae6e8a1cec5e53f0913b42e6 Related-Bug: 1619758
This commit is contained in:
parent
e9b64378e6
commit
59f117f6a8
@ -20,7 +20,7 @@ from keystone.common import fernet_utils
|
|||||||
import keystone.conf
|
import keystone.conf
|
||||||
from keystone.credential.providers import core
|
from keystone.credential.providers import core
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _, _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = keystone.conf.CONF
|
CONF = keystone.conf.CONF
|
||||||
@ -68,6 +68,13 @@ class Provider(core.Provider):
|
|||||||
"""
|
"""
|
||||||
crypto, keys = get_multi_fernet_keys()
|
crypto, keys = get_multi_fernet_keys()
|
||||||
|
|
||||||
|
if keys[0] == fernet_utils.NULL_KEY:
|
||||||
|
LOG.warning(_LW(
|
||||||
|
'Encrypting credentials with the null key. Please properly '
|
||||||
|
'encrypt credentials using `keystone-manage credential_setup`,'
|
||||||
|
' `keystone-manage credential_migrate`, and `keystone-manage '
|
||||||
|
'credential_rotate`'))
|
||||||
|
|
||||||
try:
|
try:
|
||||||
return (
|
return (
|
||||||
crypto.encrypt(credential.encode('utf-8')),
|
crypto.encrypt(credential.encode('utf-8')),
|
||||||
|
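Review bot: The `LOG.warning` added after `crypto, keys = get_multi_fernet_keys()` runs on every call of the enclosing method, so a deployment that is still on the null key emits one WARNING per credential write; on a busy API that can flood the log and bury the single message an operator actually needs to act on. A lighter signal is to warn once per process, for example behind a module-level `_null_key_warned` flag that the branch sets after the first `LOG.warning`, while keeping the per-call check itself. `keys[0]` is indexed without a length check, so if `get_multi_fernet_keys()` can ever return an empty list this raises IndexError before the existing `try`; it appears to rely on the null key always being installed as the primary when no repository exists, which is worth confirming. The branch also references `LOG` while the import hunk above only adds `_LW`, so this presumably relies on `LOG` already being bound elsewhere in the module. The enclosing method's signature is outside this hunk.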
@ -10,9 +10,12 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
import fixtures
|
||||||
import hashlib
|
import hashlib
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
|
from oslo_log import log
|
||||||
|
|
||||||
from keystone.common import fernet_utils
|
from keystone.common import fernet_utils
|
||||||
import keystone.conf
|
import keystone.conf
|
||||||
from keystone.credential.providers import fernet as credential_fernet
|
from keystone.credential.providers import fernet as credential_fernet
|
||||||
@ -66,3 +69,15 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):
|
|||||||
|
|
||||||
decrypted_blob = self.provider.decrypt(encrypted_blob)
|
decrypted_blob = self.provider.decrypt(encrypted_blob)
|
||||||
self.assertEqual(blob, decrypted_blob)
|
self.assertEqual(blob, decrypted_blob)
|
||||||
|
|
||||||
|
def test_warning_is_logged_when_encrypting_with_null_key(self):
|
||||||
|
blob = uuid.uuid4().hex
|
||||||
|
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||||
|
expected_output = (
|
||||||
|
'Encrypting credentials with the null key. Please properly '
|
||||||
|
'encrypt credentials using `keystone-manage credential_setup`, '
|
||||||
|
'`keystone-manage credential_migrate`, and `keystone-manage '
|
||||||
|
'credential_rotate`'
|
||||||
|
)
|
||||||
|
encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
|
||||||
|
self.assertIn(expected_output, logging_fixture.output)
|
||||||
|
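Review bot: `test_warning_is_logged_when_encrypting_with_null_key` only asserts that the message text appears in the fake logger's output, not that it was emitted at WARNING, so a regression that demotes the call to `LOG.debug` would still pass. Passing a format that includes the level, `self.useFixture(fixtures.FakeLogger(level=log.DEBUG, format='%(levelname)s %(message)s'))`, and asserting on `'WARNING'` together with the message pins the severity. The expected text duplicates the provider's string verbatim, so any rewording breaks the test; matching on a distinctive fragment such as `'Encrypting credentials with the null key'` is less brittle while still proving the right warning fired. There is no negative case asserting that a provider with a real primary key does not log this warning; that belongs in the sibling test class outside this hunk. `primary_key_hash` is assigned but never used, so `encrypted_blob, _ = self.provider.encrypt(blob)` would make that explicit.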