Ejemplo n.º 1
    def test_legacy_padding_validation(self):
        """Check that a token with percent-encoded padding still unpacks.

        Two random hex values are msgpack-serialised, encrypted, and then
        percent encoded the way the inline comments say keystone did in Kilo
        (before bug #1491926). The resulting token is handed to
        ``TokenFormatter.unpack`` and must round-trip to the original values.
        """
        expected_first = uuid.uuid4().hex
        expected_second = uuid.uuid4().hex
        packed = msgpack.packb((expected_first, expected_second))

        # NOTE(lbragstad): This method preserves the way that keystone used to
        # percent encode the tokens, prior to bug #1491926.
        def legacy_pack(payload):
            formatter = token_formatters.TokenFormatter()
            ciphertext = formatter.crypto.encrypt(payload)

            # The encrypted payload comes back with '=' padding appended; the
            # rest of this helper is meaningless without it.
            self.assertTrue(ciphertext.endswith('='))

            # urllib.parse.quote percent encodes the padding, as keystone did
            # in Kilo, so '=' becomes '%3D'.
            quoted = urllib.parse.quote(ciphertext)

            # Guard against a silent no-op: the padding must really have been
            # percent encoded before the token is returned.
            self.assertTrue(quoted.endswith('%3D'))
            return quoted

        legacy_token = legacy_pack(packed)
        formatter = token_formatters.TokenFormatter()

        # Demonstrate that we can validate a payload that has been percent
        # encoded with the Fernet logic that existed in Kilo.
        # NOTE(review): this covers only the well-formed legacy case; it does
        # not show how unpack() treats malformed or partially encoded padding.
        decoded = msgpack.unpackb(formatter.unpack(legacy_token))
        self.assertEqual(expected_first, decoded[0])
        self.assertEqual(expected_second, decoded[1])
Ejemplo n.º 2
        def legacy_pack(payload):
            """Encrypt *payload* and percent encode it like Kilo-era keystone.

            Relies on ``self`` from the enclosing test method for the
            assertions. Returns the percent-encoded token.
            """
            formatter = token_formatters.TokenFormatter()
            ciphertext = formatter.crypto.encrypt(payload)

            # The encrypted payload comes back with '=' padding appended; the
            # rest of this helper is meaningless without it.
            self.assertTrue(ciphertext.endswith('='))

            # urllib.parse.quote percent encodes the padding, as keystone did
            # in Kilo, so '=' becomes '%3D'.
            quoted = urllib.parse.quote(ciphertext)

            # Guard against a silent no-op: the padding must really have been
            # percent encoded before the token is returned.
            self.assertTrue(quoted.endswith('%3D'))
            return quoted
Ejemplo n.º 3
    def __init__(self, *args, **kwargs):
        """Initialise the provider, refusing to start without a key repository.

        Arguments are passed unchanged to the parent initialiser. The
        configured ``fernet_tokens.key_repository`` must exist and contain at
        least one entry; otherwise ``SystemExit`` is raised with a message
        naming the path.
        """
        super(Provider, self).__init__(*args, **kwargs)

        # NOTE(lbragstad): We add these checks here because if the fernet
        # provider is going to be used and either the `key_repository` is empty
        # or doesn't exist we should fail, hard. It doesn't make sense to start
        # keystone and just 500 because we can't do anything with an empty or
        # non-existent key repository.
        #
        # NOTE(review): these checks establish only that the path exists and
        # has at least one directory entry. They do not confirm the entries
        # are usable keys, nor inspect ownership or permissions of the
        # repository. A path that is a regular file, or a directory the
        # process cannot read, makes os.listdir() raise OSError rather than
        # producing one of the SystemExit messages below.
        key_repo_path = CONF.fernet_tokens.key_repository
        message_args = {'key_repo': key_repo_path}

        if not os.path.exists(key_repo_path):
            raise SystemExit(_('%(key_repo)s does not exist') % message_args)
        elif not os.listdir(key_repo_path):
            raise SystemExit(_('%(key_repo)s does not contain keys, use '
                               'keystone-manage fernet_setup to create '
                               'Fernet keys.') % message_args)

        self.token_formatter = tf.TokenFormatter()
Ejemplo n.º 4
    def __init__(self, *args, **kwargs):
        """Initialise the provider and attach a token formatter.

        Positional and keyword arguments are passed unchanged to the parent
        class initialiser.
        """
        super(Provider, self).__init__(*args, **kwargs)

        # NOTE(review): nothing in this initialiser checks that the Fernet key
        # repository exists or holds keys. Whether TokenFormatter() performs
        # such a check itself is not visible from here -- confirm, so that a
        # missing or empty repository is caught at start-up rather than on
        # the first token request.
        self.token_formatter = tf.TokenFormatter()