The "insecure" option was being treated as a bool when it was
actually provided as a string. The fix is to parse the string to
a bool.
Closes-Bug: 1411063
Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
The oslo.config libraries are moving away from oslo-namespaced
packages.
Note that this requires oslo.config>=1.6.0
bp drop-namespace-packages
Change-Id: Ic0d4053875da0628f2359c109f2779d12aadc3eb
The oslo libraries are moving away from namespace packages.
bp drop-namespace-packages
Change-Id: I76dc9f733b222144f0274f8854877587c3501d1e
oslo_utils moved out of the oslo namespace.
bp drop-namespace-packages
Change-Id: I72e67dc1f649ba137dd06f5ab7133858c6abd67d
The new H238 "old style class declaration, use new style (inherit
from `object`)" rule was failing and ignored.
Change-Id: I9f616d74e4777640cc9441e96f2bd8c1873aaaca
The auth_token middleware was moved to the keystonemiddleware repo and
the middleware architecture doc was copied there. The copy in the
client repo can be removed.
Change-Id: Ic7b7f970a08746dd4f5d61dd5144c1dae168ad6d
Left timeutils and strutils in openstack/common since they are used in
openstack/common/apiclient and memorycache.
Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
Some of the docstrings have ``:return:`` instead of the ``:returns:``
keyword. This patch fixes that and makes it consistent.
Change-Id: I4321a63798ab9e2abdf0bbd716bf2b995be22ba3
When running with a havana-level of oslo.config (<1.3.0),
applications with any config options in their api-paste.ini will
fail to start with an error like
'StrOpt' object has no attribute 'type'
This is because the config options didn't have a type attribute
until 1.3.0.
During the grenade test, the havana level of oslo.config is used,
while the master level of keystoneclient is used, and also in the
havana tests the services are still using the keystoneclient
auth_token middleware.
Change-Id: I745c3e04f18941a2d41e191d43f61b926522bb9d
Closes-Bug: #1372422
In the existing code, self.ssl_insecure is a string. If insecure
option is set in nova api-paste.ini, whatever it is 'true' or
'false', kwargs['verify'] will become False. This commit corrects
the condition expression. This patch is backported from
https://review.openstack.org/#/c/113191/
Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
Closes-Bug: 1353315
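The defect described in this commit (and in the "insecure" fix at the top of the log) is a general config-handling hazard: an ini value arrives as a string, and every non-empty string is truthy, so `insecure = false` silently turns certificate verification off. The following is an added illustration, not code from python-keystoneclient; the function names `verify_setting_buggy`, `verify_setting_fixed` and `bool_from_string` are invented here to show the truthiness trap beside a parser that fails closed on unrecognised values.

```python
# Added example (not project code). Re-creates the "string treated as bool"
# bug and a hardened replacement that parses the string before negating it.

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def verify_setting_buggy(ssl_insecure):
    """Hypothetical pre-fix logic: ssl_insecure is the raw ini string.

    Any non-empty string is truthy, so 'true' AND 'false' both yield
    verify=False, i.e. TLS verification is disabled either way.
    """
    return not ssl_insecure


def bool_from_string(value, default=False, strict=False):
    """Parse a config string into a bool.

    Unknown values return ``default`` (fail closed when default=False),
    or raise ValueError when strict=True so a typo cannot flip a
    security-relevant switch unnoticed.
    """
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    if strict:
        raise ValueError("unrecognised boolean value: %r" % (value,))
    return default


def verify_setting_fixed(ssl_insecure):
    """Post-fix logic: parse first, then negate. 'false' keeps verification on."""
    return not bool_from_string(ssl_insecure)


if __name__ == "__main__":
    for raw in ("true", "false", "off"):
        print(raw, "buggy verify =", verify_setting_buggy(raw),
              "fixed verify =", verify_setting_fixed(raw))
```

The usage check worth keeping in a test suite is the `'false'` case: the buggy path returns `verify=False` for it, the fixed path returns `True`. With `strict=True` an unparseable value such as `'flase'` raises instead of quietly choosing a default.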
Only PKI (asn1) based tokens were checked for format and hashed
Closes-Bug: 1355125
SecurityImpact
Change-Id: Iefedde7f168e2ff1870905041fa95301934452e5
The s3_token middleware in python-keystoneclient is deprecated in
favor of keystonemiddleware.s3_token.
Change-Id: I30930f16425f1825373184371f3cba995833bc22
Change-Id: I1faaae0373a7ae12ee528ab5c71741a2b1122d43
Closes-Bug: 1342274
Fixed most of the errors reported back from hacking 0.9.2.
Specifically:
- E128 continuation line under-indented for visual indent
- E251 unexpected spaces around keyword / parameter equals
- E265 block comment should start with '# '
- H305 imports not grouped correctly
- H307 like imports should be grouped together
- H402 one line docstring needs punctuation
- H904 Wrap long lines in parentheses instead of a backslash
But opted to ignore the following for now:
- E122: continuation line missing indentation or outdented
- H405: multi line docstring summary not separated with an empty line
Change-Id: Ib8e698d85fd598fa91435538657361a1f695ce89
When auth_token stores the token in the cache, it's stored with
the expiration time; but when the token is retrieved from the
cache, if the expiration time has passed the token is treated as if
it wasn't cached. This creates extra work because now auth_token
has to check the token expiration (either by decrypting the PKI
token or online validation for UUID tokens).
With this change, getting the token from the cache will fail if the
expiration is past.
Change-Id: Id0ec6b3c2e5af4a2d910f16da4e0312733fc2198
The token cache members are moved from AuthToken to their own
class.
Change-Id: Ibf00d39435fa7a6d9a92a9bdfacc3f1b07f890ef
The auth_token middleware always hashed PKI Tokens with MD5. This
change makes it so that PKI tokens can be hashed with SHA256 or any
other algorithm supported by hashlib.new(). This is for security
hardening.
auth_token has a new config option 'hash_algorithms' that is set
to the list of algorithms that will be used for hashing PKI tokens.
This will typically be set to a single hash algorithm which must
match the hash algorithm set in Keystone. Otherwise the tokens
in the revocation list will not match, leading to revoked tokens
being still usable.
During a transition from one algorithm to another,
'hash_algorithms' is set to both the new algorithm and the old
algorithm. Both of the hash algorithms will be used to match
against the revocation list and cache. Once the tokens using the
old algorithm have expired the old algorithm can be removed from
the list.
'hash_algorithms' defaults to ['md5'] for backwards compatibility.
DocImpact
SecurityImpact
Closes-Bug: #1174499
Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80
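The matching rule this commit describes, and the "hash once" follow-up below it, can be shown concretely: every algorithm in `hash_algorithms` is applied to the PKI token id, the digests are computed a single time, and a token counts as revoked if any of its digests appears in the revocation list. This is an added example and not the middleware's own code; the function names, the `{"revoked": [{"id": ...}]}` list shape and the sample token are constructed here for illustration.

```python
# Added example (not project code): multi-algorithm PKI token hashing for
# revocation-list matching, as described in the commit message above.
import hashlib
import json


def token_digests(token_id, hash_algorithms):
    """Hash the token id once per configured algorithm (hashlib.new()).

    Returns {algorithm: hex digest}; compute this once per request and reuse
    it for both the cache lookup and the revocation-list check.
    """
    data = token_id.encode("utf-8")
    return {alg: hashlib.new(alg, data).hexdigest() for alg in hash_algorithms}


def revoked_ids(revocation_list_json):
    """Constructed list shape: {"revoked": [{"id": "<digest>", "expires": ...}]}."""
    doc = json.loads(revocation_list_json)
    return {entry["id"] for entry in doc.get("revoked", [])}


def is_revoked(token_id, hash_algorithms, revocation_list_json):
    """True if ANY configured digest of the token is in the revocation list.

    If the server hashes with an algorithm not in hash_algorithms, the ids
    never match and a revoked token stays usable -- the failure mode the
    commit warns about.
    """
    digests = token_digests(token_id, hash_algorithms)
    ids = revoked_ids(revocation_list_json)
    return any(d in ids for d in digests.values())


# Constructed sample data: a PKI-style token ("MII" prefix) that the server
# revoked after switching its hashing to sha256.
SAMPLE_TOKEN = "MIIConstructedSamplePkiTokenBody"
SAMPLE_REVOCATION_LIST = json.dumps({
    "revoked": [
        {"id": hashlib.sha256(SAMPLE_TOKEN.encode("utf-8")).hexdigest(),
         "expires": "2038-01-01T00:00:00Z"},
    ]
})


if __name__ == "__main__":
    for algs in (["md5"], ["sha256"], ["md5", "sha256"]):
        print(algs, "revoked:", is_revoked(SAMPLE_TOKEN, algs, SAMPLE_REVOCATION_LIST))
```

The three configurations in the `__main__` block map directly onto the commit's guidance: the old default `['md5']` misses the sha256 entry, `['sha256']` matches, and the transitional `['md5', 'sha256']` matches too while old-algorithm tokens are still in flight.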
auth_token was hashing the PKI token multiple times. With this
change, the token is hashed once.
Change-Id: I70d3339d09deb2d3528f141d37138971038f4075
Related-Bug: #1174499
The auth_token test said that the cached tokens are expired. The
tokens weren't expired, so remove the code.
Change-Id: I8ce30cc09ee9bbc19cc4ebdb5d935a80d2d5d473
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.
Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
Closes-Bug: #1320930
As there is no way to distinguish a v2 or v3 catalog from the headers
provided to an application we will for the meantime always return a v2
catalog. This should not cause any issues as the full token data is not
provided to the service so there is no-one that will get caught out by a
v2/v3 mix, and anyone that is already supporting the v3 catalog format
will have to support the v2 catalog format as well so it will continue
to work.
Change-Id: Ic9b38e0ba4682b47ae295bd3f89bac59ef7437cf
Closes-Bug: #1302970
Allows for a new form of document signature.
pkiz_sign will take data and encode it in a string that starts with
the substring "PKIZ_". This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded
This process is reversed to validate the data.
middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format. The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well. It will require corresponding changes
on the Keystone server to issue the new token format.
A separate script for generating the sample
data used in the unit tests,
examples/pki/gen_cmsz.py,
also serves as an example of how to
call the API from Python code.
Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.
Blueprint: compress-tokens
Closes-Bug: #1255321
Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
rules are available at https://en.wikipedia.org/wiki/Wikipedia:AutoWikiBrowser/Typos
Change-Id: I67fb3e0d02c931cb7e605ac74ea8272956afa8e1
The auth_token middleware would fail if it couldn't fetch the
revocation list. If the system is configured for UUID tokens then
the revocation list may not be available.
With this fix, the revocation list will only be checked for
cached tokens if the new check_revocations_for_cached option
is set to True.
Also, this change prevents the revocation list from being
checked twice for a PKI token that's validate off-line.
Change-Id: I5408bbe12aefda608ebcb81cf3c7ef068b2bf2f6
Closes-Bug: #1312858
The admin_token option shouldn't be used with the auth_token
middleware. It's used to specify a token to be used to perform
operations on the identity server, so would typically be set
to the admin token. The admin token should only be used to
initially set up the Keystone server, and then the admin token
functionality should be disabled. If this recommended setup is
used then the auth_token middleware shouldn't be using the
admin token / auth_token.
In preparing for removal of the admin_token option, the option
is now deprecated. A warning will be logged if it's set.
DocImpact
Change-Id: I5bc4f4a6ad7984892151c8011ccd92f166aba4c2
Closes-Bug: #1306981
The auth_token middleware didn't log when a token is rejected
because it's in the revocation list. This adds a log message so
that it's easier to debug problems.
Change-Id: I1388ed04641d209ba2083a1096488edc22267ebe
We need to ensure that tokens won't stay in cache after they have been
revoked.
Changed default revocation_cache_time 300 -> 10 seconds.
revocation_cache_time has to be << than token_cache_time to make token
cache efficient.
Fixes bug #1287301
Change-Id: I14c0eacac3b431c06e40385c891a6636736e5b4a
Need to make sure that binary and text are both handled correctly for cms calls.
Blueprint: compress-tokens
Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a
Change-Id: Ib2c828525fe3bafac8ed2f402a477ba62bbf6471
There were some long lines that were split using \ rather than ().
PEP8 recommends using () --
http://legacy.python.org/dev/peps/pep-0008/#maximum-line-length
Change-Id: I8e140e507d0d9991094be13ebafa7fc700c1a02e
Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'. Keep
cms.is_ans1_token() around for backwards compatibility.
Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
Closes-bug: 1306874
There's a race between the time that a CertificateConfigError is raised,
and when we check to see what caused it. Eliminating the checks and
unconditionally fetching certificates eliminates the race.
Giant thanks to Jamie Lennox for identifying the root cause described
above!
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: I19113496ceaecdc03e209d550e0db156df95f9b8
Closes-Bug: 1285833
This makes it more consistent with the CONF options.
Blueprint: identity-uri
Change-Id: If4e32d232413e539b4c29035b253e9368b3fbd06
The need for individual auth_host, auth_port etc variables for
auth_token middleware made some sense when we were using httplib however
as we have long moved on to requests they are no longer required and are
a pain for configuration.
DocImpact: auth_schema, auth_host, auth_port, auth_admin_prefix are all
deprecated in favour of specifying the full url in the identity_uri
property.
Blueprint: identity-uri
Change-Id: I1f8f5064ea8028af60f167df9b97e215cdadba44