55 Commits

Author SHA1 Message Date
wingwj
1d5774f498 Remove log translations in python-keystoneclient
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: Ia77819cbb133903d20e821bff0c45766b11ef07b
2017-03-21 14:38:05 +08:00
Ondřej Kobližek
7917e03652 Fix Failing tests with openssl >= 1.1.0
keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify
keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify_token_no_files

failing with: Command 'openssl' returned non-zero exit status 1

I think it's an OpenSSL >= 1.1 bug, which returns the wrong exit code (1 instead of
2) if the input file does not exist.

Change-Id: I776596487f305c759b88c0d4c604571c33c6ef70
Closes-Bug: #1646858
2016-12-04 05:03:57 +00:00
Navid Pustchi
bca112c8ba Fixing D202 and D203 PEP257 violation.
Currently tox ignores D202 and D203.
D202: No blank lines allowed after function docstring.
D203: 1 blank required before class docstring.
This change removes the D202 and D203 ignores in tox and fixes the violations.

Change-Id: I97ef88c9cfd56774e47f789cbbcf8ccfe85d7737
2016-05-04 19:45:30 +00:00
Navid Pustchi
20e23f3e0d Fix D400 PEP257 violation.
Currently tox ignores D400.
D400: First line should end with a period.
This change removes it and makes keystoneclient docstrings compliant with it.

Change-Id: I29ecb4c58bb03c0b9a3be0b7a74d18fb06a350f2
2016-04-23 17:47:25 +00:00
Navid Pustchi
946e928b52 Fix D401 PEP257 violation.
Currently tox ignores D401.
D401: First line should be in imperative mood.
This change removes it and makes keystoneclient docstrings compliant with it.

Change-Id: If34ff12d18390b357342cf29f2d116dd3c86a44d
2016-04-23 06:25:20 +00:00
Christopher J Schaefer
dbf4f31646 Removing bandit.yaml in favor of defaults
Removing old configuration options for built-in defaults of latest
bandit functionality. Also, marking flagged items with _# nosec_
with a descriptive comment on why the code is acceptable as is.

Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com>
Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com>

Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d
2016-04-19 10:35:00 -05:00
lin-hua-cheng
77ed0d4d0c Address hacking check H405
Previously, there were a string of commits to keystone that addressed ignored
hacking checks. This commit does the same for H405 in keystoneclient. This
also modifies our tox.ini so that we no longer ignore H405 violations.

Change-Id: I2af152e5425a0e9c82314039fdbb90d661c22680
Closes-Bug: 1482773
2016-01-13 13:03:51 -08:00
Bernhard M. Wiedemann
fde0bf77d6 Replace textwrap with fast standard code
This improves on commit 4350c176048b8d159d08b82b915e9544ac9dee6f

We found a major performance regression in keystoneclient
when using PKI tokens, related to http://bugs.python.org/issue25870

It can be tested with
time python -c "import textwrap; textwrap.wrap('x'*9000, 64)"

which has a complexity of O(n*n)
because it uses certain regexps in python versions before 3.5.

Closes-Bug: #1526686
Related-Bug: #1404402

Change-Id: Ibc81907c4d9db2c09fff41ccf21345fbdb19202d
2015-12-16 10:47:39 +01:00
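As an added illustration, not the project's own code: the commit above says textwrap was replaced with "fast standard code" without showing it, so this block assumes plain string slicing as the replacement. Slicing is linear in the input length, while `textwrap.wrap` before Python 3.5 used a regular expression that made wrapping a long whitespace-free string (such as a Base64 PKI token) quadratic. The `same_as_textwrap` helper checks that the two agree on whitespace-free input, which is the case the token code relies on.

```python
import textwrap


def wrap_fixed_width(text, width=64):
    """Split `text` into consecutive chunks of `width` characters.

    The last chunk may be shorter. This is O(n) in the length of `text`
    and does not depend on any regular expression.
    """
    if width <= 0:
        raise ValueError("width must be positive")
    return [text[i:i + width] for i in range(0, len(text), width)]


def same_as_textwrap(text, width=64):
    """True when slicing and textwrap.wrap give identical output.

    For input with no whitespace (e.g. a Base64 token) textwrap.wrap falls
    back to breaking the single long "word" every `width` characters, which
    is exactly what the slicing above produces.
    """
    return wrap_fixed_width(text, width) == textwrap.wrap(text, width)


if __name__ == "__main__":
    # Constructed input modelled on the reproducer in the commit message.
    token_like = "x" * 9000
    lines = wrap_fixed_width(token_like, 64)
    print(len(lines), "lines; matches textwrap:", same_as_textwrap(token_like, 64))
```

Note that the two functions only agree on whitespace-free input; `textwrap.wrap` also collapses and breaks on whitespace, which the slicing replacement deliberately does not do.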
David Stanek
f4e6f12a71 Removes py26 support
We are removing Python 2.6 support from the Keystone libraries.

Change-Id: I1c7a79edd41a73946c9d77bfb8cd2075e2500760
Closes-Bug: 1519449
2015-11-25 00:23:17 +00:00
Dirk Mueller
3e7f806080 Avoid message concatenation in error path
Recently, the error message in _process_communicate_handle_oserror()
has been i18n'ed, which caused the regression as another code path
appended a string to it, which causes the TypeError to be raised.

Fix it by using string formatting instead of '+' to force it
to convert to string before concatenating.

Closes-Bug: 1421652

Change-Id: I7229b46888f798ac4a69c140ab389afed49b8c3c
2015-09-09 21:07:02 +02:00
Jenkins
107fd29f60 Merge "Remove confusing deprecation comment from token_to_cms" 2015-08-06 22:28:43 +00:00
Brant Knudson
5547fe80b0 Proper deprecation for is_ans1_token
is_ans1_token wasn't properly deprecated since it used LOG.warn
rather than warnings/debtcollector. Proper deprecation requires use
of warnings and documentation.

bp deprecations

Change-Id: I81be2844014745a5951ce91a336e9e9ecf4d5328
2015-07-26 06:54:23 -05:00
Brant Knudson
8bab2c2ae5 Remove confusing deprecation comment from token_to_cms
A comment on a function doesn't deprecate it since users aren't
going to see it.

The removed deprecation comment is doubly useless since this
function can't be deprecated. There's no alternative given and it's
actively used by keystonemiddleware.

bp deprecations

Change-Id: Ib9bf1b6e0631423094ebe60ff2a718dd659b5561
2015-07-11 08:01:39 -05:00
Deepti Ramakrishna
d5a39ad14a Document non-standard encoding of the PKI token.
More details by the code author in his blog post at
http://adam.younglogic.com/2014/02/compressed-tokens/.

Change-Id: I35c5eca2e04a74236bd8c7fb6daab3ea46b59b0e
Closes-Bug: #1352314
2015-04-21 21:56:25 -07:00
Adam Young
6ee6af2c01 pep8 fix for CMS
Change-Id: I5bd4f46b34f0bbb21f1b6a6bfeeb2a26f5544156
2015-04-06 22:47:54 -04:00
Jenkins
ed43a70012 Merge "token signing support alternative message digest" 2015-03-10 19:05:01 +00:00
Jenkins
8f80b585b6 Merge "Fix a comment error in cms.py" 2015-02-12 07:36:26 +00:00
Brant Knudson
97d51bd832 Correct failures for check H238
The new H238 "old style class declaration, use new style (inherit
from `object`)" rule was failing and ignored.

Change-Id: I9f616d74e4777640cc9441e96f2bd8c1873aaaca
2015-01-21 07:26:59 -06:00
Brant Knudson
b317e312aa token signing support alternative message digest
The functions for creating signed tokens in common.cms always used
sha256 for the message digest. This might be inadequate in the future
so the digest algorithm shouldn't be hard-coded. A parameter is added
to allow choosing a different digest algorithm.

SecurityImpact

Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef
Related-Bug: #1362343
2015-01-05 14:47:16 -06:00
zhiyuan_cai
727f5e77e2 Fix a comment error in cms.py
The comment of function is_asn1_token says "Max length of the
content using 2 octets is 7FFF or 32767", which should be 3FFF or
16383. Using Base64 string "MII" as the pki asn1 prefix, whose
binary form is 0x3082+0b00, the two octets for content length will
start with 0b00, so the max length is 0b0011+0xFFF(0x3FFF).

Change-Id: I6c3cedc0243a60328e0e7bd45957616ad272f524
2015-01-04 15:57:08 +08:00
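The reasoning in the commit above, carried through in code as an added example (this is not keystoneclient's own code). It decodes the Base64 prefix "MII" bit by bit to recover the DER SEQUENCE tag (0x30), the long-form length byte (0x82) and the two fixed high bits of the first length octet, and from those derives the 0x3FFF maximum. It also builds constructed tokens of chosen length to show where the "MII" prefix stops holding. The block assumes plain standard Base64 of the DER body; the extra character substitutions keystoneclient applies to PKI tokens are not modelled.

```python
import base64

# Base64 prefix shared by PKI tokens: a DER SEQUENCE whose length uses 2 octets.
PKI_ASN1_PREFIX = "MII"
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def prefix_bits(prefix):
    """Bits encoded by a Base64 prefix, 6 bits per character, as a '0'/'1' string."""
    return "".join(format(B64_ALPHABET.index(c), "06b") for c in prefix)


def max_content_length_for_prefix(prefix=PKI_ASN1_PREFIX):
    """Largest DER content length a token starting with `prefix` can declare.

    "MII" is 18 bits: 0x30 (SEQUENCE), 0x82 (long form, 2 length octets) and
    the two high bits '00' of the first length octet. Filling the remaining
    14 length bits with ones gives the maximum, 0b0011111111111111 = 0x3FFF.
    """
    bits = prefix_bits(prefix)
    tag, length_form = int(bits[:8], 2), int(bits[8:16], 2)
    if tag != 0x30 or length_form != 0x82:
        raise ValueError("prefix does not encode a SEQUENCE with a 2-octet length")
    fixed = bits[16:]                      # high bits of the first length octet
    return int(fixed + "1" * (16 - len(fixed)), 2)


def der_content_length(token):
    """Declared content length of a Base64 DER SEQUENCE with a 2-octet length."""
    raw = base64.b64decode(token)
    if len(raw) < 4 or raw[0] != 0x30 or raw[1] != 0x82:
        raise ValueError("not a DER SEQUENCE with a 2-octet length")
    return int.from_bytes(raw[2:4], "big")


def build_token(content):
    """Constructed token: standard Base64 of SEQUENCE(0x82, 2-octet length, content)."""
    if not 0 <= len(content) <= 0xFFFF:
        raise ValueError("content must fit a 2-octet DER length")
    der = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    print(hex(max_content_length_for_prefix()))               # 0x3fff
    print(build_token(b"A" * 0x3FFF)[:4], build_token(b"A" * 0x4000)[:4])
```

Usage: `build_token(b"A" * 0x3FFF)` still starts with "MII", while one byte more flips the prefix to "MIJ", which is why a prefix check alone caps the recognisable content length at 16383 rather than 32767.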
Cedric Brandily
4350c17604 Use textwrap instead of home made implementation
This change replaces a home made text wrapper by textwrap module. It is
a non-functional change which is covered by existing tests.

Closes-Bug: #1404402
Change-Id: I5cc4da61205f64b478366c29e6d7ff9929ad4d16
2014-12-19 23:59:34 +01:00
Brant Knudson
7770735ca0 Replace magic numbers with named symbols
Magic numbers were used for the return codes from the openssl
command. These are replaced with named symbols for readability.

Change-Id: I01a77927bd577bcf81b728a1df23c2058c1a9ae3
2014-11-29 09:21:43 -06:00
Jenkins
d54bd32cd0 Merge "Remove useless log message" 2014-11-26 06:10:43 +00:00
Jenkins
2e900a9347 Merge "Cleanup docs - raises class" 2014-11-18 19:18:13 +00:00
Brant Knudson
eedbab141f Remove useless log message
This same log message is going to be printed twice, or an
alternative message is logged instead, so remove it.

Change-Id: I858660830f2397a5e25aada48cc5590222d0f82a
2014-11-07 10:09:00 -06:00
Brant Knudson
fece74ca3e I18n
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.

DocImpact

Implements: blueprint keystoneclient-i18n

Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-28 20:33:19 +00:00
Xu (Simon) Chen
f00755f04a set close_fds=True in Popen
The current way of using Popen does not close pipes properly,
and therefore long-running keystone processes, which depend on
keystoneclient.common.cms for data signing, eventually hit the
open file limit and stop working. Passing close_fds=True seems
to have solved the problem.

Change-Id: Ife452ab6843c1af5eb39debb8db453e45f78cba9
Closes-Bug: 1382906
2014-10-20 08:48:00 -04:00
Brant Knudson
14a6d80116 Cleanup docs - raises class
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.

Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
2014-10-18 17:59:08 -05:00
Brant Knudson
84c9ccaed3 Change cms_sign_data to use sha256 message digest
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.

This is for security hardening.

SecurityImpact

Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
2014-09-24 10:55:51 -05:00
Dirk Mueller
69ca1cd483 Adjust Python 2.6 OSError-on-EPIPE workaround
Adjust the code to raise exceptions.CertificateConfigError
when the certificates are still missing even in the Python
2.6 subprocess bug-workaround case.

Change-Id: I9fdfa830e6f9bc9e8eab496da2597e4118577ec5
Closes-Bug: #1324921
2014-06-16 16:23:29 +02:00
Christian Berendt
090f6d7141 replace string format arguments with function parameters
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.

Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
Closes-Bug: #1320930
2014-05-20 20:54:05 +00:00
Adam Young
3d6d749e6f Compressed Signature and Validation
Allows for a new form of document signature.

pkiz_sign will take data and encode it in a string that starts with
the substring  "PKIZ_".  This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded

This process is reversed to validate the data.

middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format.  The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well.  It will require corresponding changes
on the Keystone server to issue the new token format.

A separate script for generating the sample
data used in the unit tests,
examples/pki/gen_cmsz.py,
also serves as an example of how to
call the API from Python code.

Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.

Blueprint: compress-tokens
Closes-Bug: #1255321

Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
2014-05-09 11:48:17 -07:00
Adam Young
6c3cbab1a8 remove universal_newlines
Need to make sure that binary and text are both handled correctly for cms calls.

Blueprint: compress-tokens

Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a
2014-04-21 21:36:59 -04:00
Adam Young
7e1700c565 replace double quotes with single.
Change-Id: Ib2c828525fe3bafac8ed2f402a477ba62bbf6471
2014-04-21 16:55:20 -04:00
mathrock
bc12305ca1 Fix typo of ANS1 to ASN1
Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'.  Keep
cms.is_ans1_token() around for backwards compatibility.

Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
Closes-bug: 1306874
2014-04-14 22:22:30 -04:00
Brant Knudson
82359492dc Hash functions support different hash algorithms
The token hash functions always used MD5. With this change, the
hash function can be passed in to the hash functions.

SecurityImpact
Related-Bug: #1174499

Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
2014-04-09 13:54:30 -05:00
Brant Knudson
8281f7531f Fix doc build errors
There were some parts that had invalid RST in their docstrings
which caused warnings and errors to be generated.

Related-Bug: #1278662
Change-Id: Ibb53e6f49b5fa100fa6ecfe47331f9a70729d03b
2014-03-13 19:35:54 -05:00
Jenkins
ef69e08078 Merge "Remove vim header" 2014-02-13 03:43:31 +00:00
Jenkins
b34bb1b02b Merge "cms: Use universal_newlines=True in subprocess.Popen()" 2014-02-10 02:25:11 +00:00
Eric Guo
d6d0d66374 Remove vim header
We don't need vim modelines in each source file, it can be set in
user's vimrc.

Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
Closes-Bug: #1229324
2014-02-08 22:22:08 +08:00
Cyril Roelandt
1ee161e162 cms: Use universal_newlines=True in subprocess.Popen()
The Python documentation states that "the type of [the first argument of
subprocess.communicate()] must be bytes or, if universal_newlines was True, a
string"[1]. Currently, in Python 3, a text string is given to
subprocess.communicate(), even though the process was created with
universal_newlines=False (the default value).

Rather than converting strings to bytes (and the other way around) everywhere
in the code, just create the process with universal_newlines=True. The side
effect is that '\n', '\r\n' and '\r' will be recognized as ending lines[2],
which should not be an issue.

[1] http://docs.python.org/3/library/subprocess.html?highlight=popen#subprocess.Popen.communicate
[2] http://docs.python.org/3/glossary.html#term-universal-newlines

Change-Id: I668b187ba8ed00ad6d55ec487af623b79b21589d
2014-02-07 04:31:25 +01:00
Jenkins
bb7f6aa9a9 Merge "Check for any monkeypatching" 2014-02-06 23:04:17 +00:00
Adam Young
9dc231999b Check for any monkeypatching
Checking only for monkeypatching of the ``os`` module is
insufficient.  A process might have chosen not to patch ``os`` but
still needs to use the eventlet version of Popen to deal with proper
forks.  This version checks if any modules have been monkeypatched
with the eventlet versions.

Closes-Bug: #1277231

Change-Id: Ia8d7150e9e7ced58132e8e90e7ad68fb3c7c3b9f
2014-02-06 14:29:23 -05:00
Cyril Roelandt
6f28bdabe9 Python 3: make tests from v2_0/test_access.py pass
This fixes calls to the hash_signed_token() and cms_hash_token() functions, by
making sure they are given bytes.

Change-Id: I83ac48a845cd09150b01afad6f0549ee83c20ddd
2014-02-04 21:51:04 +01:00
Dirk Mueller
07a7c3102c Add workaround for OSError raised by Popen.communicate()
Python 2.6 can raise OSError when too much data is
written to STDIN and the process died prematurely.

In the case of keystoneclient this happens during
the first cms_verify() call of a process. The calling
logic expects a useful error message in order to
refetch the CA or signing CERT, which is missing in the
case of an OSError. So just fake it instead.

Add basic unit tests to cover all of the public methods from
keystone.common.cms, raising test coverage to 77%. Add
unit test for this specific bug (test_cms_verify_token_no_oserror).

Closes-Bug: LP Bug#1235252

Change-Id: I6e650ab9494c605b4e41c78c87a9505e09d5fc29
2013-11-28 22:53:43 +01:00
Lei Zhang
0c8faa3efc Migrate the keystone.common.cms to keystoneclient
- Add a check for openssl return code 2, related to the following review

  https://review.openstack.org/#/c/22716/

- Add support for setting the subprocess module used by cms, for when we
  already know which subprocess to use.

Closes-Bug: #1142574
Change-Id: I3f86e6ca8bb7738f57051ce7f0f5662b20e7a22b
2013-10-28 23:35:56 +08:00
Morgan Fainberg
35deb1ae1b Fix License Headers and Enable Gating on H102
Add ASLv2 headers to files that were missing it.

fixes bug #1211587

Change-Id: Iede918e1ce84993cee4ecbb2d9c2606627fa412e
2013-08-27 00:04:03 -07:00
Adam Young
2bb6137f48 no logging on cms failure
Don't log in the keystoneclient.common.cms as there are some errors
that are expected.  Instead, log in the middleware

bug 1189539

Change-Id: I1e80e2ab35e073d9b8d25fd16b31c64c34cd001d
2013-07-26 20:45:47 -04:00
Dirk Mueller
c555662b20 Merge " Cleanup docstrings " from keystone/common/cms.py
In an attempt to unify both implementations in order to
be able to remove one of the duplicated ones, merge the
changes from this commit in keystone:

    Author: Dolph Mathews <dolph.mathews@gmail.com>
    Date:   Fri May 24 11:36:44 2013 -0500

    Cleanup docstrings (flake8 H401, H402, H403, H404)

Change-Id: Ib23c9ab5066cfdcdda4e07cd30fa8f6ff47949bd
2013-07-09 18:29:56 +02:00
Jenkins
6d0afcc98e Merge "Log cms_verify issues as warnings (not errors)." 2013-07-09 07:58:28 +00:00