Magic numbers were used for the return codes from the openssl
command. These are replaced with named symbols for readability.
Change-Id: I01a77927bd577bcf81b728a1df23c2058c1a9ae3
This same log message is going to be printed twice, or an
alternative message is logged instead, so remove it.
Change-Id: I858660830f2397a5e25aada48cc5590222d0f82a
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.
Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.
DocImpact
Implements: blueprint keystoneclient-i18n
Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
The current way of using Popen does not close pipes properly,
and therefore long-running keystone processes, which depend on
keystoneclient.common.cms for data signing, eventually hit the
open file limit and stop working. Passing close_fds=True seems
to have solved the problem.
Change-Id: Ife452ab6843c1af5eb39debb8db453e45f78cba9
Closes-Bug: 1382906
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.
This is for security hardening.
SecurityImpact
Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
Adjust the code to raise exceptions.CertificateConfigError
when the certificates are still missing even in the Python
2.6 subprocess bug-workaround case.
Change-Id: I9fdfa830e6f9bc9e8eab496da2597e4118577ec5
Closes-Bug: #1324921
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.
Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
Closes-Bug: #1320930
Allows for a new form of document signature.
pkiz_sign will take data and encode it in a string that starts with
the substring "PKIZ_". This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded
This process is reversed to validate the data.
middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format. The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well. It will require corresponding changes
on the Keystone server to issue the new token format.
A separate script for generating the sample data used in the unit tests,
examples/pki/gen_cmsz.py, also serves as an example of how to call the API
from Python code.
Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.
Blueprint: compress-tokens
Closes-Bug: #1255321
Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
Need to make sure that binary and text are both handled correctly for cms calls.
Blueprint: compress-tokens
Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a
Change-Id: Ib2c828525fe3bafac8ed2f402a477ba62bbf6471
Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'. Keep
cms.is_ans1_token() around for backwards compatibility.
Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
Closes-bug: 1306874
The token hash functions always used MD5. With this change, the
hash function can be passed in to the hash functions.
SecurityImpact
Related-Bug: #1174499
Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
There were some parts that had invalid RST in their docstrings
which caused warnings and errors to be generated.
Related-Bug: #1278662
Change-Id: Ibb53e6f49b5fa100fa6ecfe47331f9a70729d03b
We don't need vim modelines in each source file; it can be set in
the user's vimrc.
Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
Closes-Bug: #1229324
The Python documentation states that "the type of [the first argument of
subprocess.communicate()] must be bytes or, if universal_newlines was True, a
string"[1]. Currently, in Python 3, a text string is given to
subprocess.communicate(), even though the process was created with
universal_newlines=False (the default value).
Rather than converting strings to bytes (and the other way around) everywhere
in the code, just create the process with universal_newlines=True. The side
effect is that '\n', '\r\n' and '\r' will be recognized as ending lines[2],
which should not be an issue.
[1] http://docs.python.org/3/library/subprocess.html?highlight=popen#subprocess.Popen.communicate
[2] http://docs.python.org/3/glossary.html#term-universal-newlines
Change-Id: I668b187ba8ed00ad6d55ec487af623b79b21589d
Checking only for monkeypatching of the ``os`` module is
insufficient. A process might have chosen not to patch ``os`` but
still needs to use the eventlet version of Popen to deal with proper
forks. This version checks if any modules have been monkeypatched
with the eventlet versions.
Closes-Bug: #1277231
Change-Id: Ia8d7150e9e7ced58132e8e90e7ad68fb3c7c3b9f
This fixes calls to the hash_signed_token() and cms_hash_token() functions, by
making sure they are given bytes.
Change-Id: I83ac48a845cd09150b01afad6f0549ee83c20ddd
Python 2.6 can raise OSError when too much data is
written to STDIN and the process died prematurely.
In the case of keystoneclient this happens during
the first cms_verify() call of a process. The calling
logic expects a useful error message in order to
refetch the CA or signing cert, which is missing in the
case of an OSError. So just fake it instead.
Add basic unit tests to cover all of the public methods from
keystone.common.cms, raising test coverage to 77%. Add
unit test for this specific bug (test_cms_verify_token_no_oserror).
Closes-Bug: LP Bug#1235252
Change-Id: I6e650ab9494c605b4e41c78c87a9505e09d5fc29
- Add checking of the openssl return code 2, related to the following review:
https://review.openstack.org/#/c/22716/
- Add support for setting the subprocess for cms, when we already know which
subprocess to use.
Closes-Bug: #1142574
Change-Id: I3f86e6ca8bb7738f57051ce7f0f5662b20e7a22b
Add ASLv2 headers to files that were missing it.
fixes bug #1211587
Change-Id: Iede918e1ce84993cee4ecbb2d9c2606627fa412e
Don't log in the keystoneclient.common.cms as there are some errors
that are expected. Instead, log in the middleware
bug 1189539
Change-Id: I1e80e2ab35e073d9b8d25fd16b31c64c34cd001d
In an attempt to unify both implementations in order to
be able to remove one of the duplicated ones, merge the
changes from this commit in keystone:
Author: Dolph Mathews <dolph.mathews@gmail.com>
Date: Fri May 24 11:36:44 2013 -0500
Cleanup docstrings (flake8 H401, H402, H403, H404)
Change-Id: Ib23c9ab5066cfdcdda4e07cd30fa8f6ff47949bd
In general we probably do want to log these types of errors... but
not as ERRORS. I think log Warning messages are probably more
appropriate here since it would be possible to hit this when
expired certs are refreshed...
Fixes LP Bug #1190230.
Change-Id: I0383f7e490ddcdfb31a62cd3760102152a8d16d9
Remove leading spaces from doc comments.
Change-Id: I75b055c0d64dda478c63839d44158e301900107f
- F401: imported but unused
- F999: syntax error in doctest
Fixing a couple of the F401's simply required fixing the doctests syntax
where the imports were actually in use.
Change-Id: If78abbb143daf8d005a71c5ab52836df29c5e0cd
Python 2.6 did not have a keyword argument 'output'
in the constructor defined yet, which caused a TypeError
exception
Change-Id: I4d455bef3480a7511172c58fd4794fa1e8acce8c
This step in the process duplicates the auth-token code to keystoneclient but,
for the moment, leaves a copy in its original location in keystone.
Testing for auth-token is also copied across, as is the cms support file.
Although no other project will yet pick up the code here in the client, since
the paste.ini files have not yet been updated, it would work if anyone
did reference it.
Once the client code is in, the next step is to update all the other
project paste files, and then finally retire the code from keystone.
Change-Id: I88853a373d406020d54b61cba5a5e887380e3b3e