diff options
-rw-r--r-- | keystone/tests/unit/token/test_fernet_provider.py | 56 | ||||
-rw-r--r-- | keystone/token/token_formatters.py | 9 | ||||
-rw-r--r-- | releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml | 7 |
3 files changed, 68 insertions, 4 deletions
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py index cc2a49d0b..997b5e6f7 100644 --- a/keystone/tests/unit/token/test_fernet_provider.py +++ b/keystone/tests/unit/token/test_fernet_provider.py @@ -17,6 +17,8 @@ import os from unittest import mock import uuid +import fixtures +from oslo_log import log from oslo_utils import timeutils from keystone import auth @@ -26,6 +28,7 @@ from keystone.common import utils import keystone.conf from keystone import exception from keystone.federation import constants as federation_constants +from keystone.models import token_model from keystone.tests import unit from keystone.tests.unit import default_fixtures from keystone.tests.unit import ksfixtures @@ -51,6 +54,59 @@ class TestFernetTokenProvider(unit.TestCase): self.provider.validate_token, token_id) + def test_log_warning_when_token_exceeds_max_token_size_default(self): + self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO)) + + token = token_model.TokenModel() + token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.expires_at = utils.isotime( + provider.default_expire_time(), subsecond=True) + token.methods = ['password'] + token.audit_id = provider.random_urlsafe_str() + token_id, issued_at = self.provider.generate_id_and_issued_at(token) + expected_output = ( + f'Fernet token created with length of {len(token_id)} characters, ' + 'which exceeds 255 characters' + ) + self.assertIn(expected_output, self.logging.output) + + def test_log_warning_when_token_exceeds_max_token_size_override(self): + self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO)) + self.config_fixture.config(max_token_size=250) + + token = token_model.TokenModel() + token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.expires_at = utils.isotime( + provider.default_expire_time(), subsecond=True) + token.methods = ['password'] + token.audit_id = provider.random_urlsafe_str() + token_id, issued_at = self.provider.generate_id_and_issued_at(token) + expected_output = ( + f'Fernet token created with length of {len(token_id)} characters, ' + 'which exceeds 250 characters' + ) + self.assertIn(expected_output, self.logging.output) + + def test_no_warning_when_token_does_not_exceed_max_token_size(self): + self.config_fixture.config(max_token_size=300) + self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO)) + + token = token_model.TokenModel() + token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.expires_at = utils.isotime( + provider.default_expire_time(), subsecond=True) + token.methods = ['password'] + token.audit_id = provider.random_urlsafe_str() + token_id, issued_at = self.provider.generate_id_and_issued_at(token) + expected_output = ( + f'Fernet token created with length of {len(token_id)} characters, ' + 'which exceeds 255 characters' + ) + self.assertNotIn(expected_output, self.logging.output) + class TestValidate(unit.TestCase): def setUp(self): diff --git a/keystone/token/token_formatters.py b/keystone/token/token_formatters.py index bb407ab09..76220b0ef 100644 --- a/keystone/token/token_formatters.py +++ b/keystone/token/token_formatters.py @@ -156,10 +156,11 @@ class TokenFormatter(object): # characters. Even though Keystone isn't storing a Fernet token # anywhere, we can't say it isn't being stored somewhere else with # those kind of backend constraints. - if len(token) > 255: - LOG.info('Fernet token created with length of %d ' - 'characters, which exceeds 255 characters', - len(token)) + if len(token) > CONF.max_token_size: + LOG.info( + f'Fernet token created with length of {len(token)} ' + f'characters, which exceeds {CONF.max_token_size} characters', + ) return token diff --git a/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml b/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml new file mode 100644 index 000000000..040811b79 --- /dev/null +++ b/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + [`bug 1926483 <https://bugs.launchpad.net/keystone/+bug/1926483>`_] + Keystone will only log warnings about token length for Fernet tokens when + the token length exceeds the value of `keystone.conf [DEFAULT] + max_token_size`. |