openstack/python-keystoneclient
Code Issues Proposed changes

Merge "Refactor verify signing dir logic"

Browse Source
This commit is contained in:
Jenkins
2013-08-14 17:07:14 +00:00
committed by Gerrit Code Review
parent 60a20ddb4d 6887246449
commit ce6a274ff6
2 changed files with 46 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
keystoneclient/middleware/auth_token.py
View File

@@ -385,20 +385,7 @@ class AuthProtocol(object):
self.signing_dirname = tempfile.mkdtemp(prefix='keystone-signing-') self.signing_dirname = tempfile.mkdtemp(prefix='keystone-signing-')
self.LOG.info('Using %s as cache directory for signing certificate' % self.LOG.info('Using %s as cache directory for signing certificate' %
self.signing_dirname) self.signing_dirname)
if os.path.exists(self.signing_dirname): self.verify_signing_dir()
if not os.access(self.signing_dirname, os.W_OK):
raise ConfigurationError(
'unable to access signing_dir %s' % self.signing_dirname)
if os.stat(self.signing_dirname).st_uid != os.getuid():
self.LOG.warning(
'signing_dir is not owned by %s' % os.getuid())
current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode)
if current_mode != stat.S_IRWXU:
self.LOG.warning(
'signing_dir mode is %s instead of %s' %
(oct(current_mode), oct(stat.S_IRWXU)))
else:
os.makedirs(self.signing_dirname, stat.S_IRWXU)
val = '%s/signing_cert.pem' % self.signing_dirname val = '%s/signing_cert.pem' % self.signing_dirname
self.signing_cert_file_name = val self.signing_cert_file_name = val
@@ -1147,6 +1134,22 @@ class AuthProtocol(object):
formatted = cms.token_to_cms(signed_text) formatted = cms.token_to_cms(signed_text)
return self.cms_verify(formatted) return self.cms_verify(formatted)
def verify_signing_dir(self):
if os.path.exists(self.signing_dirname):
if not os.access(self.signing_dirname, os.W_OK):
raise ConfigurationError(
'unable to access signing_dir %s' % self.signing_dirname)
if os.stat(self.signing_dirname).st_uid != os.getuid():
self.LOG.warning(
'signing_dir is not owned by %s' % os.getuid())
current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode)
if current_mode != stat.S_IRWXU:
self.LOG.warning(
'signing_dir mode is %s instead of %s' %
(oct(current_mode), oct(stat.S_IRWXU)))
else:
os.makedirs(self.signing_dirname, stat.S_IRWXU)
@property @property
def token_revocation_list_fetched_time(self): def token_revocation_list_fetched_time(self):
if not self._token_revocation_list_fetched_time: if not self._token_revocation_list_fetched_time:
@@ -1212,11 +1215,19 @@ class AuthProtocol(object):
def fetch_signing_cert(self): def fetch_signing_cert(self):
response, data = self._http_request('GET', response, data = self._http_request('GET',
'/v2.0/certificates/signing') '/v2.0/certificates/signing')
try:
#todo check response def write_cert_file(data):
certfile = open(self.signing_cert_file_name, 'w') certfile = open(self.signing_cert_file_name, 'w')
certfile.write(data) certfile.write(data)
certfile.close() certfile.close()
try:
#todo check response
try:
write_cert_file(data)
except IOError:
self.verify_signing_dir()
write_cert_file(data)
except (AssertionError, KeyError): except (AssertionError, KeyError):
self.LOG.warn( self.LOG.warn(
"Unexpected response from keystone service: %s", data) "Unexpected response from keystone service: %s", data)

19
tests/test_auth_token_middleware.py
View File

@@ -18,10 +18,12 @@ import datetime
import iso8601 import iso8601
import os import os
import shutil import shutil
import stat
import string import string
import sys import sys
import tempfile import tempfile
import testtools import testtools
import uuid
import fixtures import fixtures
import webob import webob
@@ -910,6 +912,23 @@ class AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest):
self.middleware.verify_signed_token( self.middleware.verify_signed_token(
self.token_dict['signed_token_scoped']) self.token_dict['signed_token_scoped'])
def test_verify_signing_dir_create_while_missing(self):
tmp_name = uuid.uuid4().hex
test_parent_signing_dir = "/tmp/%s" % tmp_name
self.middleware.signing_dirname = "/tmp/%s/%s" % ((tmp_name,) * 2)
self.middleware.signing_cert_file_name = "%s/test.pem" %\
self.middleware.signing_dirname
self.middleware.verify_signing_dir()
# NOTE(wu_wenxiang): Verify if the signing dir was created as expected.
self.assertTrue(os.path.isdir(self.middleware.signing_dirname))
self.assertTrue(os.access(self.middleware.signing_dirname, os.W_OK))
self.assertEqual(os.stat(self.middleware.signing_dirname).st_uid,
os.getuid())
self.assertEqual(
stat.S_IMODE(os.stat(self.middleware.signing_dirname).st_mode),
stat.S_IRWXU)
shutil.rmtree(test_parent_signing_dir)
def test_cert_file_missing(self): def test_cert_file_missing(self):
self.assertFalse(self.middleware.cert_file_missing( self.assertFalse(self.middleware.cert_file_missing(
"openstack: /tmp/haystack: No such file or directory", "openstack: /tmp/haystack: No such file or directory",