author | Clint Byrum <clint@fewbar.com> | 2015-07-27 11:14:30 -0700 |
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2015-08-18 20:40:56 +0000 |
commit | 6c106e980075a301b21e1907ab0c681dd5d91e88 (patch) | |
tree | b52c4eefcdbd1f44b792047ec2192d735dec3193 | |
parent | fb7f4a7ee1c0da299b00c8fb54870d1c37738b83 (diff) | |
Handle non-numeric files in key_repository
It is very likely that administrators will leave behind stray files in a
live environment, so one cannot assume that all of the files in the key
repository directory were created by Keystone.
Change-Id: I5841a11f599f79d2efbe1a176f499e280a91cb37
Closes-Bug: #1478656
(cherry picked from commit 7223bb1c035d98ebb1a49e115f05cb69ad7928d4)
-rw-r--r-- | keystone/tests/unit/token/test_fernet_provider.py | 25 | ||||
-rw-r--r-- | keystone/token/providers/fernet/utils.py | 14 |
2 files changed, 37 insertions, 2 deletions
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index 19c82a3d3..426c379ae 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -389,3 +389,28 @@ class TestFernetKeyRotation(tests.TestCase):
 exp_keys.append(key_no)
 key_no += 1
 self.assertEqual(exp_keys, self.keys)
+
+ def test_non_numeric_files(self):
+ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+ evil_file = os.path.join(CONF.fernet_tokens.key_repository, '99.bak')
+ with open(evil_file, 'w'):
+ pass
+ fernet_utils.rotate_keys()
+ self.assertTrue(os.path.isfile(evil_file))
+ keys = 0
+ for x in os.listdir(CONF.fernet_tokens.key_repository):
+ if x == '99.bak':
+ continue
+ keys += 1
+ self.assertEqual(3, keys)
+
+
+class TestLoadKeys(tests.TestCase):
+ def test_non_numeric_files(self):
+ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+ evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
+ with open(evil_file, 'w'):
+ pass
+ keys = fernet_utils.load_keys()
+ self.assertEqual(2, len(keys))
+ self.assertTrue(len(keys[0]))
diff --git a/keystone/token/providers/fernet/utils.py b/keystone/token/providers/fernet/utils.py
index 0d0c1332b..ab5859da8 100644
--- a/keystone/token/providers/fernet/utils.py
+++ b/keystone/token/providers/fernet/utils.py
@@ -174,7 +174,12 @@ def rotate_keys(keystone_user_id=None, keystone_group_id=None):
 for filename in os.listdir(CONF.fernet_tokens.key_repository):
 path = os.path.join(CONF.fernet_tokens.key_repository, str(filename))
 if os.path.isfile(path):
- key_files[int(filename)] = path
+ try:
+ key_id = int(filename)
+ except ValueError:
+ pass
+ else:
+ key_files[key_id] = path
 LOG.info(_LI('Starting key rotation with %(count)s key files: %(list)s'), {
 'count': len(key_files),
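Review bot: Both new tests only use names that `int()` rejects outright (`'99.bak'`, `'~1'`); neither pins what `rotate_keys()` or `load_keys()` does with a leftover whose name `int()` accepts but that is not a canonical key id, such as `' 1'`, `'+1'` or `'01'`, which would map onto an existing key id and, depending on `os.listdir` order, silently replace the real key's path or contents. A case that drops such a file into the repository and asserts that `load_keys()` still returns the original key material for that id would close that gap; it would likely fail until the loaders also require `filename.isdigit()` (or `str(int(filename)) == filename`), which is outside this hunk. The counting loop in `TestFernetKeyRotation.test_non_numeric_files` can be a single expression, `self.assertEqual(3, len(set(os.listdir(CONF.fernet_tokens.key_repository)) - {'99.bak'}))`. The expected counts 3 and 2 appear to depend on how many keys `ksfixtures.KeyRepository` seeds and on the rotation settings, neither of which is visible here, so a comment such as `# KeyRepository seeds two keys; one rotation adds a third` would help the next reader.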
@@ -234,7 +239,12 @@ def load_keys():
 path = os.path.join(CONF.fernet_tokens.key_repository, str(filename))
 if os.path.isfile(path):
 with open(path, 'r') as key_file:
- keys[int(filename)] = key_file.read()
+ try:
+ key_id = int(filename)
+ except ValueError:
+ pass
+ else:
+ keys[key_id] = key_file.read()
 LOG.info(_LI(
 'Loaded %(count)s encryption keys from: %(dir)s'), {