From f9c3a4f1707fa637254bd8291fe3babc003b3447 Mon Sep 17 00:00:00 2001
From: Einar Forselv <einar@zetta.io>
Date: Thu, 7 Jan 2016 13:42:28 +0100
Subject: Unscoped PKI token should no longer be hashed multiple times.

When token hashing is used with pki tokens, the unscoped token
gets re-hashed when switching project. This fix checks
if the unscoped token needs to be hashed before doing so.

The project list operation when switching project in horizon
failed because the unscoped token could for example be an
md5 of an md5.

Change-Id: I64684ca251eb4d0c6164e58c078cf7d132eb3cc1
Closes-Bug: #1487372
(cherry picked from commit 5ab3908cff64fa5b5a5bd5ea4877c42096172dd3)
---
 openstack_auth/user.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/openstack_auth/user.py b/openstack_auth/user.py
index fa30fe6..45c51bb 100644
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@@ -84,18 +84,17 @@ class Token(object):
         # Token-related attributes
         self.id = auth_ref.auth_token
         self.unscoped_token = unscoped_token
-        if (_TOKEN_HASH_ENABLED and
-                (keystone_cms.is_asn1_token(self.id)
-                    or keystone_cms.is_pkiz(self.id))):
+        if _TOKEN_HASH_ENABLED and self._is_pki_token(self.id):
             algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
                                 'md5')
             hasher = hashlib.new(algorithm)
             hasher.update(self.id)
             self.id = hasher.hexdigest()
-            # If the scoped_token is long, then unscoped_token must be too.
-            hasher = hashlib.new(algorithm)
-            hasher.update(self.unscoped_token)
-            self.unscoped_token = hasher.hexdigest()
+            # Only hash unscoped token if needed
+            if self._is_pki_token(self.unscoped_token):
+                hasher = hashlib.new(algorithm)
+                hasher.update(self.unscoped_token)
+                self.unscoped_token = hasher.hexdigest()
         self.expires = auth_ref.expires
 
         # Project-related attributes
@@ -121,6 +120,11 @@ class Token(object):
 
         self.serviceCatalog = auth_ref.service_catalog.get_data()
 
+    def _is_pki_token(self, token):
+        """Determines if this is a pki-based token (pki or pkiz)"""
+        return (keystone_cms.is_ans1_token(token)
+                or keystone_cms.is_pkiz(token))
+
 
 class User(models.AbstractBaseUser, models.AnonymousUser):
     """A User class with some extra special sauce for Keystone.
-- 
cgit v1.2.1