diff options
| author | Einar Forselv <einar@zetta.io> | 2016-01-07 13:42:28 +0100 |
|---|---|---|
| committer | Dimitri Mazmanov <dimitri.mazmanov@ericsson.com> | 2016-02-23 15:16:14 +0000 |
| commit | f9c3a4f1707fa637254bd8291fe3babc003b3447 (patch) | |
| tree | 20af39a10f45a9e0c5b03d34e1e3a2189e26800b | |
| parent | dc981578062a6a8d2f026cd8a03b892fd1e779dd (diff) | |
| download | django_openstack_auth-f9c3a4f1707fa637254bd8291fe3babc003b3447.tar.gz | |
Unscoped PKI token should no longer be hashed multiple times.
When token hashing is used with pki tokens, the unscoped token
gets re-hashed when switching project. This fix checks
if the unscoped token needs to be hashed before doing so.
The project list operation when switching project in horizon
failed because the unscoped token could for example be an
md5 of an md5.
Change-Id: I64684ca251eb4d0c6164e58c078cf7d132eb3cc1
Closes-Bug: #1487372
(cherry picked from commit 5ab3908cff64fa5b5a5bd5ea4877c42096172dd3)
| -rw-r--r-- | openstack_auth/user.py | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/openstack_auth/user.py b/openstack_auth/user.py index fa30fe6..45c51bb 100644 --- a/openstack_auth/user.py +++ b/openstack_auth/user.py @@ -84,18 +84,17 @@ class Token(object): # Token-related attributes self.id = auth_ref.auth_token self.unscoped_token = unscoped_token - if (_TOKEN_HASH_ENABLED and - (keystone_cms.is_asn1_token(self.id) - or keystone_cms.is_pkiz(self.id))): + if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id): algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM', 'md5') hasher = hashlib.new(algorithm) hasher.update(self.id) self.id = hasher.hexdigest() - # If the scoped_token is long, then unscoped_token must be too. - hasher = hashlib.new(algorithm) - hasher.update(self.unscoped_token) - self.unscoped_token = hasher.hexdigest() + # Only hash unscoped token if needed + if self._is_pki_token(self.unscoped_token): + hasher = hashlib.new(algorithm) + hasher.update(self.unscoped_token) + self.unscoped_token = hasher.hexdigest() self.expires = auth_ref.expires # Project-related attributes @@ -121,6 +120,11 @@ class Token(object): self.serviceCatalog = auth_ref.service_catalog.get_data() + def _is_pki_token(self, token): + """Determines if this is a pki-based token (pki or pkiz)""" + return (keystone_cms.is_ans1_token(token) + or keystone_cms.is_pkiz(token)) + class User(models.AbstractBaseUser, models.AnonymousUser): """A User class with some extra special sauce for Keystone. |