def test_non_numeric_files(self):
    """A key-repository file with a non-numeric name must be ignored.

    After the fixture sets up the repository, a stray file named ``~1`` is
    dropped next to the real key files; ``load_keys`` is expected to skip it
    and still return the two keys the fixture is assumed to provide.
    """
    self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
    # A filename that is not an integer must never be treated as a key file.
    stray_path = os.path.join(CONF.fernet_tokens.key_repository, '~1')
    open(stray_path, 'w').close()
    loaded = fernet_utils.load_keys()
    self.assertEqual(2, len(loaded))
    # The first key must be non-empty, i.e. the stray file did not shadow it.
    self.assertTrue(len(loaded[0]))
def symptom_keys_in_Fernet_key_repository():
    """Fernet key repository is empty.

    After configuring keystone to use the Fernet token provider, you should
    use `keystone-manage fernet_setup` to initially populate your key
    repository with keys, and periodically rotate your keys with
    `keystone-manage fernet_rotate`.
    """
    # Only a deployment that actually uses the Fernet provider is affected
    # by an empty repository; any other provider is not a symptom.
    if 'fernet' not in CONF.token.provider:
        return False
    return not fernet_utils.load_keys()
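def crypto(self):
    """Return a cryptography instance.

    You can extend this class with a custom crypto @property to provide your
    own token encoding / decoding. For example, using a different cryptography
    library (e.g. ``python-keyczar``) or to meet arbitrary security
    requirements.

    This @property just needs to return an object that implements
    ``encrypt(plaintext)`` and ``decrypt(ciphertext)``.

    :returns: a ``fernet.MultiFernet`` built from the repository's keys
    :raises exception.KeysNotFound: if the key repository yields no keys
    """
    keys = utils.load_keys()
    if not keys:
        raise exception.KeysNotFound()
    # Build the MultiFernet from the keys validated above rather than reading
    # the repository again: a second load could observe a different set of
    # keys (e.g. mid-rotation, possibly none at all), which would bypass the
    # emptiness check just performed and costs an extra pass over the files.
    return fernet.MultiFernet([fernet.Fernet(key) for key in keys])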
def symptom_keys_in_Fernet_key_repository():
    """Fernet key repository is empty.

    After configuring keystone to use the Fernet token provider, you should
    use `keystone-manage fernet_setup` to initially populate your key
    repository with keys, and periodically rotate your keys with
    `keystone-manage fernet_rotate`.
    """
    uses_fernet = 'fernet' in CONF.token.provider
    # The repository is only consulted when the Fernet provider is in use;
    # otherwise the short-circuit keeps the result False without touching disk.
    return uses_fernet and not fernet_utils.load_keys()
def key_repository_signature(self):
    """Create a "thumbprint" of the current key repository.

    Because key files are renamed, this produces a hash of the contents of the
    key files, ignoring their filenames. The resulting signature can be used,
    for example, to ensure that you have a unique set of keys after you
    perform a key rotation (taking a static set of keys, and simply shuffling
    them, would fail such a test).
    """
    # Order by key content rather than by filename so the thumbprint depends
    # only on which keys are present, not on the slot each one occupies.
    ordered_keys = sorted(fernet_utils.load_keys())
    # Hashing the concatenation is equivalent to feeding each key through
    # update() in turn. SHA-1 is used here purely as a fingerprint for
    # equality comparison in tests; changing the algorithm changes every
    # signature value.
    return hashlib.sha1(b''.join(ordered_keys)).hexdigest()