From 70337682d97d13276ca17309505e55add1405d73 Mon Sep 17 00:00:00 2001
From: Sahid Orentino Ferdjaoui
Date: Tue, 6 Jun 2023 11:39:21 +0200
Subject: [PATCH] auth_token: fix issue when data in cache gets corrupted
Previously token cache was not correctly handling the case when data in memcached is un-decryptable. The cache process was returning a null value that was not considered resulting a python exception raised The commit fixes the issue by adding a condition to validate the value returned.
Closes-bug: #2023015
Change-Id: Ic48d20569980781febc194083651736bed446953
Signed-off-by: Sahid Orentino Ferdjaoui
---
 keystonemiddleware/auth_token/_cache.py | 4 ++++
 .../tests/unit/auth_token/test_cache.py | 20 +++++++++++++++++++
 ...data-corrupted-issue-d1bd546625690581.yaml | 6 ++++++
 3 files changed, 30 insertions(+)
 create mode 100644 releasenotes/notes/fix-cache-data-corrupted-issue-d1bd546625690581.yaml
diff --git a/keystonemiddleware/auth_token/_cache.py b/keystonemiddleware/auth_token/_cache.py
index 8b9b178e..c2828b5e 100644
--- a/keystonemiddleware/auth_token/_cache.py
+++ b/keystonemiddleware/auth_token/_cache.py
@@ -239,6 +239,10 @@ class TokenCache(object):
 serialized = serialized.encode('utf8')
 data = self._deserialize(serialized, context)
+ if data is None:
+ # In case decryption fails, e.g. data corrupted in memcached.
+ return None
+
 if not isinstance(data, str):
 data = data.decode('utf-8')
diff --git a/keystonemiddleware/tests/unit/auth_token/test_cache.py b/keystonemiddleware/tests/unit/auth_token/test_cache.py
index d3e279bf..c6fcbcbf 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_cache.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_cache.py
@@ -13,6 +13,7 @@
 import uuid
 import fixtures
+from unittest import mock
 from keystonemiddleware.auth_token import _cache
 from keystonemiddleware.auth_token import _exceptions as exc
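Review bot: The new `if data is None` guard silently turns an entry that could not be decrypted into a cache miss, and nothing in this hunk records that it happened; under the `encrypt` strategy that condition can also mean a rotated secret key or a tampered entry rather than benign corruption, which an operator would want to see. If `_deserialize` does not already log the failure, emit a warning before returning, and widen the comment to say what the caller gets: `# _deserialize returns None when the entry cannot be decrypted (corrupted, or written with a different secret key); treat it as a miss so the token is re-validated.` The guard also leaves the bad entry in memcached, so every later lookup of the same token repeats the failed decryption until the entry expires — consider whether it should be evicted on this path. The enclosing method starts and ends outside the hunk.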
@@ -122,6 +123,25 @@ class TestLiveMemcache(base.BaseAuthTokenTestCase):
 token_cache.set(token, data)
 self.assertEqual(token_cache.get(token), data)
+ @mock.patch("keystonemiddleware.auth_token._memcache_crypt.unprotect_data")
+ def test_corrupted_cache_data(self, mocked_decrypt_data):
+ mocked_decrypt_data.side_effect = Exception("corrupted")
+
+ conf = {
+ 'memcached_servers': ','.join(MEMCACHED_SERVERS),
+ 'memcache_security_strategy': 'encrypt',
+ 'memcache_secret_key': 'mysecret'
+ }
+
+ token = uuid.uuid4().hex.encode()
+ data = uuid.uuid4().hex
+
+ token_cache = self.create_simple_middleware(conf=conf)._token_cache
+ token_cache.initialize({})
+
+ token_cache.set(token, data)
+ self.assertIsNone(token_cache.get(token))
+
 def test_sign_cache_data(self):
 conf = {
 'memcached_servers': ','.join(MEMCACHED_SERVERS),
diff --git a/releasenotes/notes/fix-cache-data-corrupted-issue-d1bd546625690581.yaml b/releasenotes/notes/fix-cache-data-corrupted-issue-d1bd546625690581.yaml
new file mode 100644
index 00000000..bf504937
--- /dev/null
+++ b/releasenotes/notes/fix-cache-data-corrupted-issue-d1bd546625690581.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ In situation of encryption using memcached. Its possible that data
+ in memcached becomes un-decryptable. The previous implementation
+ of token cache was not correctly handling the case.
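Review bot: `test_corrupted_cache_data` replaces `unprotect_data` with a mock that raises a generic `Exception("corrupted")`, so it only proves that the lookup path survives an arbitrary exception from the crypt layer, not that a genuinely corrupted entry is rejected by the real decryption and integrity check. A stronger test would leave `unprotect_data` in place and tamper with the stored value instead (store the token, then, if the fixture exposes the memcache client, overwrite the raw cached bytes with a truncated or altered copy and assert `get` returns None), which exercises the path the release note actually describes. It is also worth asserting that the bad entry does not poison later operations, e.g. that a `set` after the failed `get` makes `get` return the new data again. The test class continues outside the hunk.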