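def test_non_numeric_files(self):
    """A non-numeric file in the key repository must not be loaded as a key.

    Editor backups, temp files and similar droppings (here a file literally
    named ``~1``) can end up next to the real key files; they must never be
    treated as key material. The fixture seeds the repository, so exactly
    the keys it wrote are expected back, and none of them may be empty.
    """
    self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
    stray_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
    # An empty file whose name is not an integer key index.
    with open(stray_file, 'w'):
        pass

    keys = fernet_utils.load_keys()

    # The stray file must not add a third key to the two the fixture seeds.
    self.assertEqual(2, len(keys))
    # Check every loaded key, not only the first: an empty file picked up by
    # mistake would surface as an empty key at whatever position the
    # loader's ordering put it.
    for key in keys:
        self.assertTrue(len(key))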
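 def test_non_numeric_files(self):
     """A non-numeric file in the key repository must not be loaded as a key.

     Editor backups, temp files and similar droppings (here a file literally
     named ``~1``) can end up next to the real key files; they must never be
     treated as key material. The fixture seeds the repository, so exactly
     the keys it wrote are expected back, and none of them may be empty.
     """
     self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
     stray_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
     # An empty file whose name is not an integer key index.
     with open(stray_file, 'w'):
         pass

     keys = fernet_utils.load_keys()

     # The stray file must not add a third key to the two the fixture seeds.
     self.assertEqual(2, len(keys))
     # Check every loaded key, not only the first: an empty file picked up by
     # mistake would surface as an empty key at whatever position the
     # loader's ordering put it.
     for key in keys:
         self.assertTrue(len(key))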
def symptom_keys_in_Fernet_key_repository():
    """Fernet key repository is empty.

    After configuring keystone to use the Fernet token provider, you should use
    `keystone-manage fernet_setup` to initially populate your key repository
    with keys, and periodically rotate your keys with `keystone-manage
    fernet_rotate`.
    """
    # NOTE: the docstring above is reported verbatim by `keystone-manage
    # doctor`, so its wording is deliberately left untouched.
    #
    # Only a Fernet-based provider needs a populated key repository; any
    # other provider is never a symptom, regardless of what is on disk.
    fernet_in_use = 'fernet' in CONF.token.provider
    if not fernet_in_use:
        return False
    return not fernet_utils.load_keys()
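    def crypto(self):
        """Return a cryptography instance.

        You can extend this class with a custom crypto @property to provide
        your own token encoding / decoding. For example, using a different
        cryptography library (e.g. ``python-keyczar``) or to meet arbitrary
        security requirements.

        This @property just needs to return an object that implements
        ``encrypt(plaintext)`` and ``decrypt(ciphertext)``.

        :returns: a ``fernet.MultiFernet`` built from every key the
            repository yields, in the order ``utils.load_keys()`` returns them.
        :raises exception.KeysNotFound: if the repository yields no keys.
        """
        keys = utils.load_keys()

        if not keys:
            raise exception.KeysNotFound()

        # Build the instances from the list that was just checked instead of
        # calling load_keys() a second time: the repository can change between
        # two reads (e.g. during a rotation), and a second read coming back
        # empty or different would silently bypass the guard above.
        #
        # MultiFernet encrypts with the first instance and tries each in turn
        # on decrypt, so the ordering load_keys() produces decides which key
        # acts as the primary (encrypting) key.
        fernet_instances = [fernet.Fernet(key) for key in keys]
        return fernet.MultiFernet(fernet_instances)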
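    def crypto(self):
        """Return a cryptography instance.

        You can extend this class with a custom crypto @property to provide
        your own token encoding / decoding. For example, using a different
        cryptography library (e.g. ``python-keyczar``) or to meet arbitrary
        security requirements.

        This @property just needs to return an object that implements
        ``encrypt(plaintext)`` and ``decrypt(ciphertext)``.

        :returns: a ``fernet.MultiFernet`` built from every key the
            repository yields, in the order ``utils.load_keys()`` returns them.
        :raises exception.KeysNotFound: if the repository yields no keys.
        """
        keys = utils.load_keys()

        if not keys:
            raise exception.KeysNotFound()

        # Build the instances from the list that was just checked instead of
        # calling load_keys() a second time: the repository can change between
        # two reads (e.g. during a rotation), and a second read coming back
        # empty or different would silently bypass the guard above.
        #
        # MultiFernet encrypts with the first instance and tries each in turn
        # on decrypt, so the ordering load_keys() produces decides which key
        # acts as the primary (encrypting) key.
        fernet_instances = [fernet.Fernet(key) for key in keys]
        return fernet.MultiFernet(fernet_instances)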
def symptom_keys_in_Fernet_key_repository():
    """Fernet key repository is empty.

    After configuring keystone to use the Fernet token provider, you should use
    `keystone-manage fernet_setup` to initially populate your key repository
    with keys, and periodically rotate your keys with `keystone-manage
    fernet_rotate`.
    """
    # NOTE: the docstring above is reported verbatim by `keystone-manage
    # doctor`, so its wording is deliberately left untouched.
    #
    # Only a Fernet-based provider needs a populated key repository; any
    # other provider is never a symptom, regardless of what is on disk.
    fernet_in_use = 'fernet' in CONF.token.provider
    if not fernet_in_use:
        return False
    return not fernet_utils.load_keys()
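    def key_repository_signature(self):
        """Create a "thumbprint" of the current key repository.

        Because key files are renamed, this produces a hash of the contents of
        the key files, ignoring their filenames.

        The resulting signature can be used, for example, to ensure that you
        have a unique set of keys after you perform a key rotation (taking a
        static set of keys, and simply shuffling them, would fail such a test).

        :returns: hex digest over the key contents, sorted by content.
        """
        # Order the keys by their content so the digest is independent of the
        # filename-based ordering load_keys() produced.
        keys = sorted(fernet_utils.load_keys())

        # SHA-1 is adequate here only because this is a change detector: the
        # digest is compared with another digest computed the same way in the
        # same run, never persisted or relied on for collision resistance.
        signature = hashlib.sha1()
        for key in keys:
            # hashlib accepts bytes only; a text-mode load_keys() would hand
            # back str and make update() raise TypeError.
            if isinstance(key, str):
                key = key.encode('utf-8')
            signature.update(key)
        return signature.hexdigest()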
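    def key_repository_signature(self):
        """Create a "thumbprint" of the current key repository.

        Because key files are renamed, this produces a hash of the contents of
        the key files, ignoring their filenames.

        The resulting signature can be used, for example, to ensure that you
        have a unique set of keys after you perform a key rotation (taking a
        static set of keys, and simply shuffling them, would fail such a test).

        :returns: hex digest over the key contents, sorted by content.
        """
        # Order the keys by their content so the digest is independent of the
        # filename-based ordering load_keys() produced.
        keys = sorted(fernet_utils.load_keys())

        # SHA-1 is adequate here only because this is a change detector: the
        # digest is compared with another digest computed the same way in the
        # same run, never persisted or relied on for collision resistance.
        signature = hashlib.sha1()
        for key in keys:
            # hashlib accepts bytes only; a text-mode load_keys() would hand
            # back str and make update() raise TypeError.
            if isinstance(key, str):
                key = key.encode('utf-8')
            signature.update(key)
        return signature.hexdigest()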