Use the MD5 hash of PKI-signed tokens.1.0.3

Since Keystone's default token format is now PKI, the length
of the tokens increased by several orders of magnitude, causing
problems with session cookie size exceeding the maximum
cookie size.

This patch imports the "is_ans1_token" function from Keystone
and uses the MD5 hash for PKI-signed tokens since that's supported
in Keystone as well.

3 files changed, 53 insertions, 2 deletions

diff --git a/openstack_auth/__init__.py b/openstack_auth/__init__.py
index 2d3bb52..cdadd83 100644
--- a/openstack_auth/__init__.py
+++ b/openstack_auth/__init__.py
@@ -1,2 +1,2 @@
 # following PEP 386
-__version__ = "1.0.2"
+__version__ = "1.0.3"
diff --git a/openstack_auth/user.py b/openstack_auth/user.py
index 74fac4e..d02b3bc 100644
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@@ -1,15 +1,20 @@
+import hashlib
+
 from django.contrib.auth.models import AnonymousUser
 
 from keystoneclient.v2_0 import client as keystone_client
 from keystoneclient import exceptions as keystone_exceptions
 
-from .utils import check_token_expiration
+from .utils import check_token_expiration, is_ans1_token
 
 
 def set_session_from_user(request, user):
     request.session['serviceCatalog'] = user.service_catalog
     request.session['tenant'] = user.tenant_name
     request.session['tenant_id'] = user.tenant_id
+    if is_ans1_token(user.token.id):
+        hashed_token = hashlib.md5(user.token.id).hexdigest()
+        user.token._info['token']['id'] = hashed_token
     request.session['token'] = user.token._info
     request.session['username'] = user.username
     request.session['user_id'] = user.id
diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py
index 5499fc4..7ccd87c 100644
--- a/openstack_auth/utils.py
+++ b/openstack_auth/utils.py
@@ -57,3 +57,49 @@ def check_token_expiration(token):
         return expiration > timezone.now()
     else:
         return False
+
+
+# Copied from Keystone's keystone/common/cms.py file.
+PKI_ANS1_PREFIX = 'MII'
+
+
+def is_ans1_token(token):
+    '''
+    thx to ayoung for sorting this out.
+
+    base64 decoded hex representation of MII is 3082
+    In [3]: binascii.hexlify(base64.b64decode('MII='))
+    Out[3]: '3082'
+
+    re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+
+    pg4:  For tags from 0 to 30 the first octet is the identfier
+    pg10: Hex 30 means sequence, followed by the length of that sequence.
+    pg5:  Second octet is the length octet
+          first bit indicates short or long form, next 7 bits encode the number
+          of subsequent octets that make up the content length octets as an
+          unsigned binary int
+
+          82 = 10000010 (first bit indicates long form)
+          0000010 = 2 octets of content length
+          so read the next 2 octets to get the length of the content.
+
+    In the case of a very large content length there could be a requirement to
+    have more than 2 octets to designate the content length, therefore
+    requiring us to check for MIM, MIQ, etc.
+    In [4]: base64.b64encode(binascii.a2b_hex('3083'))
+    Out[4]: 'MIM='
+    In [5]: base64.b64encode(binascii.a2b_hex('3084'))
+    Out[5]: 'MIQ='
+    Checking for MI would become invalid at 16 octets of content length
+    10010000 = 90
+    In [6]: base64.b64encode(binascii.a2b_hex('3090'))
+    Out[6]: 'MJA='
+    Checking for just M is insufficient
+
+    But we will only check for MII:
+    Max length of the content using 2 octets is 7FFF or 32767
+    It's not practical to support a token of this length or greater in http
+    therefore, we will check for MII only and ignore the case of larger tokens
+    '''
+    return token[:3] == PKI_ANS1_PREFIX