def test_legacy_padding_validation(self):
    """Validate a token whose base64 padding was percent-encoded.

    Kilo-era keystone passed the encrypted token through
    ``urllib.parse.quote``, which turned the trailing ``=`` padding into
    ``%3D`` (bug #1491926).  ``TokenFormatter.unpack`` must still accept
    tokens encoded that way.
    """
    expected = (uuid.uuid4().hex, uuid.uuid4().hex)
    packed = msgpack.packb(expected)

    def encode_like_kilo(raw):
        # NOTE(lbragstad): reproduces the way keystone percent-encoded
        # tokens prior to bug #1491926.
        encrypted = token_formatters.TokenFormatter().crypto.encrypt(raw)
        # the encrypted token comes back with '=' padding appended
        self.assertTrue(encrypted.endswith('='))
        # urllib.parse.quote percent-encodes that padding, as Kilo did
        quoted = urllib.parse.quote(encrypted)
        # make sure the padding really was percent-encoded
        self.assertTrue(quoted.endswith('%3D'))
        return quoted

    legacy_token = encode_like_kilo(packed)
    formatter = token_formatters.TokenFormatter()
    # unpack() must cope with the percent-encoded padding carried by
    # tokens produced with the Fernet logic that existed in Kilo
    unpacked = msgpack.unpackb(formatter.unpack(legacy_token))
    self.assertEqual(expected[0], unpacked[0])
    self.assertEqual(expected[1], unpacked[1])
def legacy_pack(payload):
    """Encrypt *payload* and percent-encode it the way Kilo did.

    Returns the percent-encoded Fernet token, asserting along the way that
    the raw token ends in ``=`` padding and that the encoding turned that
    padding into ``%3D``.
    """
    encrypted = token_formatters.TokenFormatter().crypto.encrypt(payload)
    # the encrypted token comes back with '=' padding appended
    self.assertTrue(encrypted.endswith('='))
    # urllib.parse.quote percent-encodes that padding, as Kilo did
    quoted = urllib.parse.quote(encrypted)
    # make sure the padding really was percent-encoded
    self.assertTrue(quoted.endswith('%3D'))
    return quoted
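def __init__(self, *args, **kwargs):
    """Initialize the Fernet token provider.

    Refuses to start (raises ``SystemExit``) when the configured key
    repository is missing, cannot be listed, or contains no files, so an
    unusable key repository is surfaced at startup rather than as a 500 on
    the first token request.

    :raises SystemExit: if ``CONF.fernet_tokens.key_repository`` does not
        exist, cannot be read as a directory, or is empty.
    """
    super(Provider, self).__init__(*args, **kwargs)
    key_repo = CONF.fernet_tokens.key_repository
    subs = {'key_repo': key_repo}
    # NOTE(lbragstad): We add these checks here because if the fernet
    # provider is going to be used and either the `key_repository` is empty
    # or doesn't exist we should fail, hard. It doesn't make sense to start
    # keystone and just 500 because we can't do anything with an empty or
    # non-existent key repository.
    if not os.path.exists(key_repo):
        raise SystemExit(_('%(key_repo)s does not exist') % subs)
    try:
        key_files = os.listdir(key_repo)
    except OSError as exc:
        # A path that exists but is not a listable directory (a plain
        # file, or one we lack permission to read) would otherwise escape
        # as a raw traceback instead of a clean startup failure.
        subs['error'] = exc
        raise SystemExit(_('%(key_repo)s is not a readable key '
                           'repository: %(error)s') % subs)
    if not key_files:
        raise SystemExit(_('%(key_repo)s does not contain keys, use '
                           'keystone-manage fernet_setup to create '
                           'Fernet keys.') % subs)
    # NOTE(review): ownership and permission bits of the repository are not
    # verified here; an overly permissive key directory is not detected.
    self.token_formatter = tf.TokenFormatter()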
def __init__(self, *args, **kwargs):
    """Initialize the Fernet token provider.

    Delegates to the base provider, then attaches the ``TokenFormatter``
    that handles packing and unpacking of Fernet tokens.
    """
    super(Provider, self).__init__(*args, **kwargs)
    formatter = tf.TokenFormatter()
    self.token_formatter = formatter