This same log message is going to be printed twice, or an
alternative message is logged instead, so remove it.
Change-Id: I858660830f2397a5e25aada48cc5590222d0f82a
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.
DocImpact
Implements: blueprint keystoneclient-i18n
Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
The current way of using Popen does not close pipes properly,
and therefore long-running keystone processes, which depends on
keystoneclient.common.cms for data sigining, eventually hit
open file limit and stop working. Passing close_fds=True seems
to have solved the problem.
Change-Id: Ife452ab6843c1af5eb39debb8db453e45f78cba9
Closes-Bug: 1382906
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.
Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.
This if for security hardening.
SecurityImpact
Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
Adjust the code to raise exceptions.CertificateConfigError
when the certificates are still missing even in the Python
2.6 subprocess bug-workaround case.
Change-Id: I9fdfa830e6f9bc9e8eab496da2597e4118577ec5
Closes-Bug: #1324921
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.
Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
Closes-Bug: #1320930
Allows for a new form of document signature.
pkiz_sign will take data and encode it in a string that starts with
the substring "PKIZ_". This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded
This process is reversed to validate the data.
middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format. The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well. It will require corresponding changes
on the Keystone server to issue the new token format.
A separate script for generating the sample
data used in the unit tests,
examples/pki/gen_cmsz.py,
also serves as an example of how to
call the API from Python code.
Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.
Blueprint: compress-tokens
Closes-Bug: #1255321
Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
Need to make sure that binary and text are both handled correctly for cms calls.
Blueprint: compress-tokens
Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a
Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'. Keep
cms.is_ans1_token() around for backwards compatibility.
Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
Closes-bug: 1306874
The token hash functions always used MD5. With this change, the
hash function can be passed in to the hash functions.
SecurityImpact
Related-Bug: #1174499
Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
There were some parts that had invalid RST in their docstrings
which caused warnings and errors to be generated.
Related-Bug: #1278662
Change-Id: Ibb53e6f49b5fa100fa6ecfe47331f9a70729d03b
We don't need vim modelines in each source file, it can be set in
user's vimrc.
Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
Closes-Bug: #1229324
The Python documentation states that "the type of [the first argument of
subprocess.communicate()] must be bytes or, if universal_newlines was True, a
string"[1]. Currently, in Python 3, a text string is given to
subprocess.communicate(), even though the process was created with
universal_newlines=False (the default value).
Rather than converting strings to bytes (and the other way around) everywhere
in the code, just create the process with universal_newlines=True. The side
effect is that '\n', '\r\n' and '\r' will be recognized as ending lines[2],
which should not be an issue.
[1] http://docs.python.org/3/library/subprocess.html?highlight=popen#subprocess.Popen.communicate
[2] http://docs.python.org/3/glossary.html#term-universal-newlines
Change-Id: I668b187ba8ed00ad6d55ec487af623b79b21589d
Checking oinly for monkeypatching of the ``os`` module is
insufficient. A process might have chosen not to patch ``os`` but
still needs to use the eventlet version of Popen to deal with proper
forks. This version checks if any modules have been monkeypatched
with the eventlet versions.
Closes-Bug: #1277231
Change-Id: Ia8d7150e9e7ced58132e8e90e7ad68fb3c7c3b9f
This fixes calls to the hash_signed_token() and cms_hash_token() functions, by
making sure they are given bytes.
Change-Id: I83ac48a845cd09150b01afad6f0549ee83c20ddd
Python 2.6 can raise OSError when too much data is
written to STDIN and the process died prematurely.
In the case of keystoneclient this happens during
the first cms_verify() call of a process. The calling
logic expects a useful error message in order to
refetch the CA or singing CERT, which is missing in the
case of an OSError. So just fake it instead.
Add basic unit tests to cover all of the public methods from
keystone.common.cms, raising test coverage to 77%. Add
unit test for this specific bug (test_cms_verify_token_no_oserror).
Closes-Bug: LP Bug#1235252
Change-Id: I6e650ab9494c605b4e41c78c87a9505e09d5fc29
- Add checking the openssl return code 2, related to following review
https://review.openstack.org/#/c/22716/
- Add support set subprocess to the cms, when we already know which
subprocess to use.
Closes-Bug: #1142574
Change-Id: I3f86e6ca8bb7738f57051ce7f0f5662b20e7a22b
Don't log in the keystoneclient.common.cms as there are some errors
that are expected. Instead, log in the middleware
bug 1189539
Change-Id: I1e80e2ab35e073d9b8d25fd16b31c64c34cd001d
In an attempt to unify both implementations in order to
be able to remove one of the duplicated ones, merge the
changes from this commit in keystone:
Author: Dolph Mathews <dolph.mathews@gmail.com>
Date: Fri May 24 11:36:44 2013 -0500
Cleanup docstrings (flake8 H401, H402, H403, H404)
Change-Id: Ib23c9ab5066cfdcdda4e07cd30fa8f6ff47949bd
In general we probably do want to log these types of errors... but
not as ERRORS. I think log Warning messages are probably more
appropriate here since it would be possible to hit this when
expired certs are refreshed...
Fixes LP Bug #1190230.
Change-Id: I0383f7e490ddcdfb31a62cd3760102152a8d16d9
- F401: imported but unused
- F999: syntax error in doctest
Fixing a couple of the F401's simply required fixing the doctests syntax
where the imports were actually in use.
Change-Id: If78abbb143daf8d005a71c5ab52836df29c5e0cd
Python 2.6 did not have a keyword argument 'output'
in the constructor defined yet, which caused a TypeError
exception
Change-Id: I4d455bef3480a7511172c58fd4794fa1e8acce8c
This step in the process duplicates the auth-token code to keystoneclient but,
for the moment, leaves a copy in its origional location in keystone.
Testing for auth-token is also copied across, as is the cms support file.
Although no other project will yet pick up the code here in the client, since
the paste.ini files haev not yet been updated, it would work if anyone
did reference it.
Once the client code is in, the next step is to update all the other
project paste files, and then finally retire the code from keystone.
Change-Id: I88853a373d406020d54b61cba5a5e887380e3b3e
