authorClint Byrum <clint@fewbar.com>2015-07-27 11:14:30 -0700
committerDolph Mathews <dolph.mathews@gmail.com>2015-08-18 20:40:56 +0000
commit6c106e980075a301b21e1907ab0c681dd5d91e88 (patch)
treeb52c4eefcdbd1f44b792047ec2192d735dec3193
parentfb7f4a7ee1c0da299b00c8fb54870d1c37738b83 (diff)
Handle non-numeric files in key_repository
It is very likely administrators will leave behind bits and pieces in a live environment. One cannot assume that all of the files in a directory will be the ones created by Keystone. Change-Id: I5841a11f599f79d2efbe1a176f499e280a91cb37 Closes-Bug: #1478656 (cherry picked from commit 7223bb1c035d98ebb1a49e115f05cb69ad7928d4)
-rw-r--r--keystone/tests/unit/token/test_fernet_provider.py25
-rw-r--r--keystone/token/providers/fernet/utils.py14
2 files changed, 37 insertions, 2 deletions
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index 19c82a3d3..426c379ae 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -389,3 +389,28 @@ class TestFernetKeyRotation(tests.TestCase):
exp_keys.append(key_no)
key_no += 1
self.assertEqual(exp_keys, self.keys)
+
+ def test_non_numeric_files(self):
+ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+ evil_file = os.path.join(CONF.fernet_tokens.key_repository, '99.bak')
+ with open(evil_file, 'w'):
+ pass
+ fernet_utils.rotate_keys()
+ self.assertTrue(os.path.isfile(evil_file))
+ keys = 0
+ for x in os.listdir(CONF.fernet_tokens.key_repository):
+ if x == '99.bak':
+ continue
+ keys += 1
+ self.assertEqual(3, keys)
+
+
+class TestLoadKeys(tests.TestCase):
+ def test_non_numeric_files(self):
+ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+ evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
+ with open(evil_file, 'w'):
+ pass
+ keys = fernet_utils.load_keys()
+ self.assertEqual(2, len(keys))
+ self.assertTrue(len(keys[0]))
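Review bot: The counting loop in TestFernetKeyRotation.test_non_numeric_files only excludes `'99.bak'`, so the test would still pass if rotate_keys() had created or renamed another non-numeric entry; asserting on the names makes the intent explicit, e.g. `names = set(os.listdir(CONF.fernet_tokens.key_repository)) - {'99.bak'}`, `self.assertEqual(3, len(names))`, `self.assertTrue(all(n.isdigit() for n in names))`. Both new tests use names that int() rejects outright (`'99.bak'`, `'~1'`); a name that int() accepts but is not a canonical key id, such as `'+1'` or `' 1'` (int() tolerates a sign and surrounding whitespace), would presumably still be mapped onto key 1 by the `int(filename)` calls in utils.py and, depending on listdir order, replace the real key's entry, so a test with that shape would pin down the intended behaviour. In TestLoadKeys, `self.assertTrue(len(keys[0]))` reads more directly as `self.assertTrue(keys[0])`.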
diff --git a/keystone/token/providers/fernet/utils.py b/keystone/token/providers/fernet/utils.py
index 0d0c1332b..ab5859da8 100644
--- a/keystone/token/providers/fernet/utils.py
+++ b/keystone/token/providers/fernet/utils.py
@@ -174,7 +174,12 @@ def rotate_keys(keystone_user_id=None, keystone_group_id=None):
for filename in os.listdir(CONF.fernet_tokens.key_repository):
path = os.path.join(CONF.fernet_tokens.key_repository, str(filename))
if os.path.isfile(path):
- key_files[int(filename)] = path
+ try:
+ key_id = int(filename)
+ except ValueError:
+ pass
+ else:
+ key_files[key_id] = path
LOG.info(_LI('Starting key rotation with %(count)s key files: %(list)s'), {
'count': len(key_files),
@@ -234,7 +239,12 @@ def load_keys():
path = os.path.join(CONF.fernet_tokens.key_repository, str(filename))
if os.path.isfile(path):
with open(path, 'r') as key_file:
- keys[int(filename)] = key_file.read()
+ try:
+ key_id = int(filename)
+ except ValueError:
+ pass
+ else:
+ keys[key_id] = key_file.read()
LOG.info(_LI(
'Loaded %(count)s encryption keys from: %(dir)s'), {