authorDolph Mathews <dolph.mathews@gmail.com>2016-07-13 11:22:17 -0500
committerDolph Mathews <dolph.mathews@gmail.com>2016-07-13 11:22:19 -0500
commitd90281e4d933af47e767f8067dfb4fa4196c15a5 (patch)
treeb6e7d3f73abb9400ea17494735432f174bfa57e3 /keystone/common/wsgi.py
parent7923a4669278c1386bea2520adf097760a3ec4fd (diff)
downloadkeystone-d90281e4d933af47e767f8067dfb4fa4196c15a5.tar.gz
Clean up token binding validation code
This patch makes two changes to the token binding validation code to make it easier to read and provide a better user experience. Firstly, "if a != b" is used instead of "if not (a == b)" which is easier to read. Secondly, validation failures are included in 401 unauthorized responses instead of the default 401 message. Because the Unauthorized class is also a SecurityError, insecure_debug will need to be enabled in keystone.conf in order to expose these details to the API. So, the user experience for operators trying to debug their token binding configuration will be improved, but security is not unnecessarily weakened. Change-Id: Icc78cacd39a31a33680f891cde1acf4ff41f6ae7
Diffstat (limited to 'keystone/common/wsgi.py')
-rw-r--r--keystone/common/wsgi.py36
1 files changed, 20 insertions, 16 deletions
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index 577bd42a6..abc3b07ea 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -92,27 +92,31 @@ def validate_token_bind(context, token_ref):
for bind_type, identifier in bind.items():
if bind_type == 'kerberos':
- if not (context['environment'].get('AUTH_TYPE', '').lower()
- == 'negotiate'):
- LOG.info(_LI("Kerberos credentials required and not present"))
- raise exception.Unauthorized()
+ if (context['environment'].get('AUTH_TYPE', '').lower() !=
+ 'negotiate'):
+ msg = _('Kerberos credentials required and not present')
+ LOG.info(msg)
+ raise exception.Unauthorized(msg)
- if not context['environment'].get('REMOTE_USER') == identifier:
- LOG.info(_LI("Kerberos credentials do not match "
- "those in bind"))
- raise exception.Unauthorized()
+ if context['environment'].get('REMOTE_USER') != identifier:
+ msg = _('Kerberos credentials do not match those in bind')
+ LOG.info(msg)
+ raise exception.Unauthorized(msg)
- LOG.info(_LI("Kerberos bind authentication successful"))
+ LOG.info(_LI('Kerberos bind authentication successful'))
elif bind_mode == 'permissive':
- LOG.debug(("Ignoring unknown bind for permissive mode: "
- "{%(bind_type)s: %(identifier)s}"),
- {'bind_type': bind_type, 'identifier': identifier})
+ LOG.debug(("Ignoring unknown bind (due to permissive mode): "
+ "{%(bind_type)s: %(identifier)s}"), {
+ 'bind_type': bind_type,
+ 'identifier': identifier})
else:
- LOG.info(_LI("Couldn't verify unknown bind: "
- "{%(bind_type)s: %(identifier)s}"),
- {'bind_type': bind_type, 'identifier': identifier})
- raise exception.Unauthorized()
+ msg = _('Could not verify unknown bind: {%(bind_type)s: '
+ '%(identifier)s}') % {
+ 'bind_type': bind_type,
+ 'identifier': identifier}
+ LOG.info(msg)
+ raise exception.Unauthorized(msg)
def best_match_language(req):
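Review bot: The three `raise exception.Unauthorized(msg)` lines now attach bind-validation detail to a 401 (in the final `else` branch including the token's own `identifier` value), and nothing in the code records that this is safe only because, as the commit message states, `Unauthorized` is a `SecurityError` whose message is withheld unless `insecure_debug` is enabled; a comment at the first raise, `# Unauthorized is a SecurityError: msg reaches the client only when insecure_debug is enabled`, would keep a later change to the exception class or to these messages from silently exposing bind data to unauthenticated callers. The same `msg` object also feeds both `LOG.info` and the exception, so those log lines are now rendered through `_()` while the surviving success-path line still uses `_LI`; if the log and API translation domains are meant to stay separate, the log calls should keep `LOG.info(_LI(...))` and the `_()` string be reserved for the exception. `validate_token_bind` begins before this hunk.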