Only log warnings about token length when length exceeds max_token_size
Previously, the fernet token provider would log warnings when a fernet
token exceeded 255 characters, which is common for LDAP-backed
deployments. The warning is always issued, even when operators configure
keystone's max_token_size to a higher value, causing confusion because
it appears the configuration value is silently ignored.
This commit fixes that issue by using the max_token_size configuration
parameter consistently in the fernet token provider.
Closes-Bug: 1926483
Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
(cherry picked from commit 68bfb685d1)
parent
6c75b65735
commit
7810813d22
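--- a/<PATH-NOT-ON-PAGE: fernet token provider unit tests>
+++ b/<PATH-NOT-ON-PAGE: fernet token provider unit tests>
@@ -17,6 +17,8 @@ import os
 from unittest import mock
 import uuid
 
+import fixtures
+from oslo_log import log
 from oslo_utils import timeutils
 
 from keystone import auth
@@ -26,6 +28,7 @@ from keystone.common import utils
 import keystone.conf
 from keystone import exception
 from keystone.federation import constants as federation_constants
+from keystone.models import token_model
 from keystone.tests import unit
 from keystone.tests.unit import default_fixtures
 from keystone.tests.unit import ksfixtures
@@ -51,6 +54,59 @@ class TestFernetTokenProvider(unit.TestCase):
                           self.provider.validate_token,
                           token_id)
 
+    def test_log_warning_when_token_exceeds_max_token_size_default(self):
+        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+        token = token_model.TokenModel()
+        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.expires_at = utils.isotime(
+            provider.default_expire_time(), subsecond=True)
+        token.methods = ['password']
+        token.audit_id = provider.random_urlsafe_str()
+        token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+        expected_output = (
+            f'Fernet token created with length of {len(token_id)} characters, '
+            'which exceeds 255 characters'
+        )
+        self.assertIn(expected_output, self.logging.output)
+
+    def test_log_warning_when_token_exceeds_max_token_size_override(self):
+        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+        self.config_fixture.config(max_token_size=250)
+
+        token = token_model.TokenModel()
+        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.expires_at = utils.isotime(
+            provider.default_expire_time(), subsecond=True)
+        token.methods = ['password']
+        token.audit_id = provider.random_urlsafe_str()
+        token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+        expected_output = (
+            f'Fernet token created with length of {len(token_id)} characters, '
+            'which exceeds 250 characters'
+        )
+        self.assertIn(expected_output, self.logging.output)
+
+    def test_no_warning_when_token_does_not_exceed_max_token_size(self):
+        self.config_fixture.config(max_token_size=300)
+        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+        token = token_model.TokenModel()
+        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+        token.expires_at = utils.isotime(
+            provider.default_expire_time(), subsecond=True)
+        token.methods = ['password']
+        token.audit_id = provider.random_urlsafe_str()
+        token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+        expected_output = (
+            f'Fernet token created with length of {len(token_id)} characters, '
+            'which exceeds 255 characters'
+        )
+        self.assertNotIn(expected_output, self.logging.output)
+
 
 class TestValidate(unit.TestCase):
     def setUp(self):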
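Review bot: `test_no_warning_when_token_does_not_exceed_max_token_size` cannot fail for the regression it guards against: with `max_token_size=300` any message the provider emitted would end in `which exceeds 300 characters`, so asserting that a string ending in `which exceeds 255 characters` is absent passes whether or not a line was logged. Assert on the stable prefix instead, `self.assertNotIn('Fernet token created with length of', self.logging.output)`, or build `expected_output` with the configured 300. The two positive tests also rely on the 48-character user and project ids yielding a token longer than the threshold without saying so; an explicit `self.assertGreater(len(token_id), 255)` (250 in the override test) would make that precondition visible if the id layout changes. The token set-up block is repeated three times and could become a small `_make_token()` helper on the test class.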
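--- a/<PATH-NOT-ON-PAGE: fernet token formatter module>
+++ b/<PATH-NOT-ON-PAGE: fernet token formatter module>
@@ -156,10 +156,11 @@ class TokenFormatter(object):
         # characters. Even though Keystone isn't storing a Fernet token
         # anywhere, we can't say it isn't being stored somewhere else with
         # those kind of backend constraints.
-        if len(token) > 255:
-            LOG.info('Fernet token created with length of %d '
-                     'characters, which exceeds 255 characters',
-                     len(token))
+        if len(token) > CONF.max_token_size:
+            LOG.info(
+                f'Fernet token created with length of {len(token)} '
+                f'characters, which exceeds {CONF.max_token_size} characters',
+            )
 
         return token
 
 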
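Review bot: The rewritten `LOG.info` call formats its message eagerly with f-strings, while the removed lines passed `len(token)` lazily as a `%`-argument, which is the style the rest of this logger call presumably follows and which skips the formatting work when INFO is not enabled; `LOG.info('Fernet token created with length of %d characters, which exceeds %d characters', len(token), CONF.max_token_size)` keeps the new behaviour in the old style. The commit message and release note describe this as a warning, but the call remains at INFO level, so operators filtering on WARNING will not see it; either the level or the wording should be made consistent. The comment block above the check begins outside the hunk; if it still cites the hard-coded 255-character limit it should now refer to `max_token_size`. The enclosing method starts before this hunk.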
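--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: release note for bug 1926483>
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    [`bug 1926483 <https://bugs.launchpad.net/keystone/+bug/1926483>`_]
+    Keystone will only log warnings about token length for Fernet tokens when
+    the token length exceeds the value of `keystone.conf [DEFAULT]
+    max_token_size`.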