author | Jenkins <jenkins@review.openstack.org> | 2016-03-11 00:40:56 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-03-11 00:40:56 +0000 |
commit | 2a8acb81435ec292d1bd2c4b44cc5fd28a0a0bf0 (patch) | |
tree | fc5a2833e592fb4491db95685c4ec5e4b191be1b | |
parent | 3f035859bd6b52e1e25ecdb163ff76c5a8509d68 (diff) | |
parent | f9c3a4f1707fa637254bd8291fe3babc003b3447 (diff) | |
download | django_openstack_auth-2a8acb81435ec292d1bd2c4b44cc5fd28a0a0bf0.tar.gz |
Merge "Unscoped PKI token should no longer be hashed multiple times." into stable/liberty
-rw-r--r-- | openstack_auth/user.py | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/openstack_auth/user.py b/openstack_auth/user.py index fa30fe6..45c51bb 100644 --- a/openstack_auth/user.py +++ b/openstack_auth/user.py @@ -84,18 +84,17 @@ class Token(object): # Token-related attributes self.id = auth_ref.auth_token self.unscoped_token = unscoped_token - if (_TOKEN_HASH_ENABLED and - (keystone_cms.is_asn1_token(self.id) - or keystone_cms.is_pkiz(self.id))): + if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id): algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM', 'md5') hasher = hashlib.new(algorithm) hasher.update(self.id) self.id = hasher.hexdigest() - # If the scoped_token is long, then unscoped_token must be too. - hasher = hashlib.new(algorithm) - hasher.update(self.unscoped_token) - self.unscoped_token = hasher.hexdigest() + # Only hash unscoped token if needed + if self._is_pki_token(self.unscoped_token): + hasher = hashlib.new(algorithm) + hasher.update(self.unscoped_token) + self.unscoped_token = hasher.hexdigest() self.expires = auth_ref.expires # Project-related attributes @@ -121,6 +120,11 @@ class Token(object): self.serviceCatalog = auth_ref.service_catalog.get_data() + def _is_pki_token(self, token): + """Determines if this is a pki-based token (pki or pkiz)""" + return (keystone_cms.is_ans1_token(token) + or keystone_cms.is_pkiz(token)) + class User(models.AbstractBaseUser, models.AnonymousUser): """A User class with some extra special sauce for Keystone. |
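Review bot: The new `_is_pki_token` helper in the second hunk calls `keystone_cms.is_ans1_token(token)`, whereas the condition it replaces in the first hunk called `keystone_cms.is_asn1_token(self.id)`; the transposed letters look like a typo. If the `keystone_cms` module in use does not provide that spelling, both new call sites in the first hunk (`self._is_pki_token(self.id)` and `self._is_pki_token(self.unscoped_token)`) would raise AttributeError whenever `_TOKEN_HASH_ENABLED` is true. If the spelling exists only as a compatibility alias, the token-hashing path now depends on a name that may be removed. I would change the line to `return (keystone_cms.is_asn1_token(token)` so it matches the removed code. A test with a PKI scoped token and a non-PKI unscoped token would exercise both the helper and the new conditional; the method containing the first hunk starts and ends outside it.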