Merge "Add key repository uniqueness check to doctor"

2016-08-24 11:29:33 +00:00 · 2016-08-24 11:29:33 +00:00 · beb7c1ccd9
commit beb7c1ccd9
parent 3de1713f2d 25d359186f
2 changed files with 39 additions and 0 deletions
--- a/keystone/cmd/doctor/init.py
+++ b/keystone/cmd/doctor/init.py
@ -13,6 +13,7 @@
 from oslo_log import log

 from keystone.cmd.doctor import caching
+from keystone.cmd.doctor import credential
 from keystone.cmd.doctor import database
 from keystone.cmd.doctor import federation
 from keystone.cmd.doctor import ldap
@ -28,6 +29,7 @@ LOG = log.getLogger(__name__)
 SYMPTOM_PREFIX = 'symptom_'
 SYMPTOM_MODULES = [
    caching,
+    credential,
    database,
    federation,
    ldap,
--- a/keystone/cmd/doctor/credential.py
+++ b/keystone/cmd/doctor/credential.py
@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import keystone.conf
+
+
+CONF = keystone.conf.CONF
+
+
+def symptom_unique_key_repositories():
+    """Key repositories for encryption should be unique.
+
+    Even though credentials are encrypted using the same mechanism as Fernet
+    tokens, they should have key repository locations that are independent of
+    one another. Using the same repository to encrypt credentials and tokens
+    can be considered a security vulnerability because ciphertext from the keys
+    used to encrypt credentials is exposed as the token ID. Sharing a key
+    repository can also lead to premature key removal during key rotation. This
+    could result in indecipherable credentials, rendering them completely
+    useless, or early token invalidation because the key that was used to
+    encrypt the entity has been deleted.
+
+    Ensure `keystone.conf [credential] key_repository` and `keystone.conf
+    [fernet_tokens] key_repository` are not pointing to the same location.
+    """
+    return (
+        CONF.credential.key_repository == CONF.fernet_tokens.key_repository
+    )