From 68bfb685d12937dde11d1a335bd992203ec7c293 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 3 May 2021 20:37:35 +0000 Subject: Only log warnings about token length when length exceeds max_token_size Previously, the fernet token provider would log warnings when a fernet token exceeded 255 characters, which is common for LDAP-backed deployments. The warning is always issued, even when operators configure keystone's max_token_size to a higher value, causing confusion because it appears the configuration value is silently ignored. This commit fixes that issue by using the max_token_size configuration parameter consistently in the fernet token provider. Closes-Bug: 1926483 Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7 --- keystone/tests/unit/token/test_fernet_provider.py | 56 +++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'keystone/tests/unit/token/test_fernet_provider.py') diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py index cc2a49d0b..997b5e6f7 100644 --- a/keystone/tests/unit/token/test_fernet_provider.py +++ b/keystone/tests/unit/token/test_fernet_provider.py @@ -17,6 +17,8 @@ import os from unittest import mock import uuid +import fixtures +from oslo_log import log from oslo_utils import timeutils from keystone import auth @@ -26,6 +28,7 @@ from keystone.common import utils import keystone.conf from keystone import exception from keystone.federation import constants as federation_constants +from keystone.models import token_model from keystone.tests import unit from keystone.tests.unit import default_fixtures from keystone.tests.unit import ksfixtures @@ -51,6 +54,59 @@ class TestFernetTokenProvider(unit.TestCase): self.provider.validate_token, token_id) + def test_log_warning_when_token_exceeds_max_token_size_default(self): + self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO)) + + token = token_model.TokenModel() + token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.expires_at = utils.isotime( + provider.default_expire_time(), subsecond=True) + token.methods = ['password'] + token.audit_id = provider.random_urlsafe_str() + token_id, issued_at = self.provider.generate_id_and_issued_at(token) + expected_output = ( + f'Fernet token created with length of {len(token_id)} characters, ' + 'which exceeds 255 characters' + ) + self.assertIn(expected_output, self.logging.output) + + def test_log_warning_when_token_exceeds_max_token_size_override(self): + self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO)) + self.config_fixture.config(max_token_size=250) + + token = token_model.TokenModel() + token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.expires_at = utils.isotime( + provider.default_expire_time(), subsecond=True) + token.methods = ['password'] + token.audit_id = provider.random_urlsafe_str() + token_id, issued_at = self.provider.generate_id_and_issued_at(token) + expected_output = ( + f'Fernet token created with length of {len(token_id)} characters, ' + 'which exceeds 250 characters' + ) + self.assertIn(expected_output, self.logging.output) + + def test_no_warning_when_token_does_not_exceed_max_token_size(self): + self.config_fixture.config(max_token_size=300) + self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO)) + + token = token_model.TokenModel() + token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef' + token.expires_at = utils.isotime( + provider.default_expire_time(), subsecond=True) + token.methods = ['password'] + token.audit_id = provider.random_urlsafe_str() + token_id, issued_at = self.provider.generate_id_and_issued_at(token) + expected_output = ( + f'Fernet token created with length of {len(token_id)} characters, ' + 'which exceeds 255 characters' + ) + self.assertNotIn(expected_output, self.logging.output) + class TestValidate(unit.TestCase): def setUp(self): -- cgit v1.2.1