path: root/keystoneclient/common
Commit message [author, age, files, lines]
* Follow bandit B105: hardcoded_password_string [Vishakha Agarwal, 2019-06-26, files: 1, lines: -1/+2]
| tox -e bandit failing due to the string 'token' in [1]. According to the bandit 105 any password assigned to a string should not contain any of the variables in [2]
|
| [1] https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py#L41
| [2] https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
|
| Change-Id: I822e1195532df2b701f10087cabceda458211986
* Remove log translations in python-keystoneclient [wingwj, 2017-03-21, files: 1, lines: -5/+5]
| Log messages are no longer being translated. This removes all use of the _LE, _LI, and _LW translation markers to simplify logging and to avoid confusion with new contributions.
|
| See:
| http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
| http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html
|
| Change-Id: Ia77819cbb133903d20e821bff0c45766b11ef07b
* Fix Failing tests with openssl >= 1.1.0 [Ondřej Kobližek, 2016-12-04, files: 1, lines: -4/+15]
| keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify
| keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify_token_no_files
| failing with: Command 'openssl' returned non-zero exit status 1
|
| I think it's an OpenSSL >= 1.1 bug, which returns the wrong exit code (1 instead of 2) if the input file does not exist.
|
| Change-Id: I776596487f305c759b88c0d4c604571c33c6ef70
| Closes-Bug: #1646858
* Fixing D202 and D203 PEP257 violation. [Navid Pustchi, 2016-05-04, files: 1, lines: -1/+0]
| Currently tox ignores D202 and D203.
| D202: No blank lines allowed after function docstring.
| D203: 1 blank required before class docstring.
| This change removes D202 and D203 ignores in tox and fixes violations.
|
| Change-Id: I97ef88c9cfd56774e47f789cbbcf8ccfe85d7737
* Fix D400 PEP257 violation. [Navid Pustchi, 2016-04-23, files: 1, lines: -1/+1]
| Currently tox ignores D400.
| D400: First line should end with a period.
| This change removes it and makes keystoneclient docstrings compliant with it.
|
| Change-Id: I29ecb4c58bb03c0b9a3be0b7a74d18fb06a350f2
* Fix D401 PEP257 violation. [Navid Pustchi, 2016-04-23, files: 1, lines: -4/+4]
| Currently tox ignores D401.
| 401: First line should be in imperative mood.
| This change removes it and makes keystoneclient docstrings compliant with it.
|
| Change-Id: If34ff12d18390b357342cf29f2d116dd3c86a44d
* Removing bandit.yaml in favor of defaults [Christopher J Schaefer, 2016-04-19, files: 1, lines: -2/+8]
| Removing old configuration options for built-in defaults of latest bandit functionality. Also, marking flagged items with _# nosec_ with a descriptive comment on why the code is acceptable as is.
|
| Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com>
| Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com>
|
| Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d
* Address hacking check H405 [lin-hua-cheng, 2016-01-13, files: 1, lines: -0/+1]
| Previously, there was a string of commits to keystone that addressed ignored hacking checks. This commit does the same for H405 in keystoneclient. This also modifies our tox.ini so that we no longer ignore H405 violations.
|
| Change-Id: I2af152e5425a0e9c82314039fdbb90d661c22680
| Closes-Bug: 1482773
* Replace textwrap with fast standard code [Bernhard M. Wiedemann, 2015-12-16, files: 1, lines: -2/+1]
| This improves on commit 4350c176048b8d159d08b82b915e9544ac9dee6f
|
| We found a major performance regression in keystoneclient when using PKI tokens, related to http://bugs.python.org/issue25870
|
| It can be tested with
|     time python -c "import textwrap; textwrap.wrap('x'*9000, 64)"
| which has a complexity of O(n*n) because it uses certain regexps in python versions before 3.5.
|
| Closes-Bug: #1526686
| Related-Bug: #1404402
| Change-Id: Ibc81907c4d9db2c09fff41ccf21345fbdb19202d
* Removes py26 support [David Stanek, 2015-11-25, files: 1, lines: -6/+2]
| We are removing Python 2.6 support from the Keystone libraries.
|
| Change-Id: I1c7a79edd41a73946c9d77bfb8cd2075e2500760
| Closes-Bug: 1519449
* Avoid message concatenation in error path [Dirk Mueller, 2015-09-09, files: 1, lines: -5/+16]
| Recently, the error message in _process_communicate_handle_oserror() has been i18n'ed, which caused the regression as another code path appended a string to it, which causes the TypeError to be raised.
|
| Fix it by using string formatting instead of '+' to force it to convert to string before concatenating.
|
| Closes-Bug: 1421652
| Change-Id: I7229b46888f798ac4a69c140ab389afed49b8c3c
* Merge "Remove confusing deprecation comment from token_to_cms" [Jenkins, 2015-08-06, files: 1, lines: -2/+0]
|\
| * Remove confusing deprecation comment from token_to_cms [Brant Knudson, 2015-07-11, files: 1, lines: -2/+0]
| | A comment on a function doesn't deprecate it since users aren't going to see it.
| |
| | The removed deprecation comment is doubly useless since this function can't be deprecated. There's no alternative given and it's actively used by keystonemiddleware.
| |
| | bp deprecations
| |
| | Change-Id: Ib9bf1b6e0631423094ebe60ff2a718dd659b5561
* | Proper deprecation for is_ans1_token [Brant Knudson, 2015-07-26, files: 1, lines: -4/+9]
|/
| is_ans1_token wasn't properly deprecated since it used LOG.warn rather than warnings/debtcollector. Proper deprecation requires use of warnings and documentation.
|
| bp deprecations
|
| Change-Id: I81be2844014745a5951ce91a336e9e9ecf4d5328
* Document non-standard encoding of the PKI token. [Deepti Ramakrishna, 2015-04-21, files: 1, lines: -1/+23]
| More details by the code author in his blog post at http://adam.younglogic.com/2014/02/compressed-tokens/.
|
| Change-Id: I35c5eca2e04a74236bd8c7fb6daab3ea46b59b0e
| Closes-Bug: #1352314
* pep8 fix for CMS [Adam Young, 2015-04-06, files: 1, lines: -2/+2]
| Change-Id: I5bd4f46b34f0bbb21f1b6a6bfeeb2a26f5544156
* Merge "token signing support alternative message digest" [Jenkins, 2015-03-10, files: 1, lines: -9/+16]
|\
| * token signing support alternative message digest [Brant Knudson, 2015-01-05, files: 1, lines: -9/+16]
| | The functions for creating signed tokens in common.cms always used sha256 for the message digest. This might be inadequate in the future so the digest algorithm shouldn't be hard-coded. A parameter is added to allow choosing a different digest algorithm.
| |
| | SecurityImpact
| |
| | Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef
| | Related-Bug: #1362343
* | Merge "Fix a comment error in cms.py" [Jenkins, 2015-02-12, files: 1, lines: -1/+1]
|\ \
| * | Fix a comment error in cms.py [zhiyuan_cai, 2015-01-04, files: 1, lines: -1/+1]
| | | The comment of function is_asn1_token says "Max length of the content using 2 octets is 7FFF or 32767", which should be 3FFF or 16383.
| | |
| | | Using Base64 string "MII" as the pki asn1 prefix, whose binary form is 0x3082+0b00, the two octets for content length will start with 0b00, so the max length is 0b0011+0xFFF(0x3FFF).
| | |
| | | Change-Id: I6c3cedc0243a60328e0e7bd45957616ad272f524
* | | Correct failures for check H238 [Brant Knudson, 2015-01-21, files: 1, lines: -1/+1]
| |/
|/|
| | The new H238 "old style class declaration, use new style (inherit from `object`)" rule was failing and ignored.
| |
| | Change-Id: I9f616d74e4777640cc9441e96f2bd8c1873aaaca
* | Use textwrap instead of home made implementation [Cedric Brandily, 2014-12-19, files: 1, lines: -14/+5]
|/
| This change replaces a home made text wrapper by textwrap module. It is a non-functional change which is covered by existing tests.
|
| Closes-Bug: #1404402
| Change-Id: I5cc4da61205f64b478366c29e6d7ff9929ad4d16
* Replace magic numbers with named symbols [Brant Knudson, 2014-11-29, files: 1, lines: -14/+14]
| Magic numbers were used for the return codes from the openssl command. These are replaced with named symbols for readability.
|
| Change-Id: I01a77927bd577bcf81b728a1df23c2058c1a9ae3
* Merge "Remove useless log message" [Jenkins, 2014-11-26, files: 1, lines: -1/+0]
|\
| * Remove useless log message [Brant Knudson, 2014-11-07, files: 1, lines: -1/+0]
| | This same log message is going to be printed twice, or an alternative message is logged instead, so remove it.
| |
| | Change-Id: I858660830f2397a5e25aada48cc5590222d0f82a
* | Merge "Cleanup docs - raises class" [Jenkins, 2014-11-18, files: 1, lines: -2/+4]
|\ \
| |/
|/|
| * Cleanup docs - raises class [Brant Knudson, 2014-10-18, files: 1, lines: -2/+4]
| | The argument to the :raises: directive is the class name. If the class name is a valid reference it's rendered as a link to the class. This change cleans up the :raises: directives to use the reference correctly and use a valid class reference.
| |
| | Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
* | I18n [Brant Knudson, 2014-10-28, files: 1, lines: -11/+14]
| | Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation.
| |
| | DocImpact
| |
| | Implements: blueprint keystoneclient-i18n
| |
| | Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
* | set close_fds=True in Popen [Xu (Simon) Chen, 2014-10-20, files: 1, lines: -2/+4]
|/
| The current way of using Popen does not close pipes properly, and therefore long-running keystone processes, which depend on keystoneclient.common.cms for data signing, eventually hit open file limit and stop working. Passing close_fds=True seems to have solved the problem.
|
| Change-Id: Ife452ab6843c1af5eb39debb8db453e45f78cba9
| Closes-Bug: 1382906
* Change cms_sign_data to use sha256 message digest [Brant Knudson, 2014-09-24, files: 1, lines: -1/+2]
| cms_sign_data was not passing the md parameter to openssl, so it was using the default digest of sha1. Some security standards require a SHA2 algorithm for the digest.
|
| This is for security hardening.
|
| SecurityImpact
|
| Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
| Closes-Bug: #1362343
* Adjust Python 2.6 OSerror-on-EPIPE workaround [Dirk Mueller, 2014-06-16, files: 1, lines: -3/+14]
| Adjust the code to raise exceptions.CertificateConfigError when the certificates are still missing even in the Python 2.6 subprocess bug-workaround case.
|
| Change-Id: I9fdfa830e6f9bc9e8eab496da2597e4118577ec5
| Closes-Bug: #1324921
* replace string format arguments with function parameters [Christian Berendt, 2014-05-20, files: 1, lines: -1/+1]
| There are files containing string format arguments inside logging messages. Using logging function parameters should be preferred.
|
| Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
| Closes-Bug: #1320930
* Compressed Signature and Validation [Adam Young, 2014-05-09, files: 1, lines: -9/+101]
| Allows for a new form of document signature. pkiz_sign will take data and encode it in a string that starts with the substring "PKIZ_". This prefix indicates that the data has been:
|
| 1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
| 2) Compressed using zlib (comparable to gzip)
| 3) urlsafe-base64 decoded
|
| This process is reversed to validate the data.
|
| middleware/auth_token.py will be capable of validating Keystone tokens that are marshalled in the new format. The current existing "PKI" tokens will continue to be identified with "MII", issued by default, and validated as well. It will require corresponding changes on the Keystone server to issue the new token format.
|
| A separate script for generating the sample data used in the unit tests, examples/pki/gen_cmsz.py, also serves as an example of how to call the API from Python code.
|
| Some of the sample data for the old tests had to be regenerated. A stray comma in one of the JSON files made for non-parsing JSON.
|
| Blueprint: compress-tokens
| Closes-Bug: #1255321
| Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
* remove universal_newlines [Adam Young, 2014-04-21, files: 1, lines: -12/+14]
| Need to make sure that binary and text are both handled correctly for cms calls.
|
| Blueprint: compress-tokens
| Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a
* replace double quotes with single. [Adam Young, 2014-04-21, files: 1, lines: -24/+24]
| Change-Id: Ib2c828525fe3bafac8ed2f402a477ba62bbf6471
* Fix typo of ANS1 to ASN1 [mathrock, 2014-04-14, files: 1, lines: -5/+12]
| Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'. Keep cms.is_ans1_token() around for backwards compatibility.
|
| Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
| Closes-bug: 1306874
* Hash functions support different hash algorithms [Brant Knudson, 2014-04-09, files: 1, lines: -2/+2]
| The token hash functions always used MD5. With this change, the hash function can be passed in to the hash functions.
|
| SecurityImpact
|
| Related-Bug: #1174499
| Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
* Fix doc build errors [Brant Knudson, 2014-03-13, files: 1, lines: -22/+29]
| There were some parts that had invalid RST in their docstrings which caused warnings and errors to be generated.
|
| Related-Bug: #1278662
| Change-Id: Ibb53e6f49b5fa100fa6ecfe47331f9a70729d03b
* Merge "Remove vim header" [Jenkins, 2014-02-13, files: 1, lines: -2/+0]
|\
| * Remove vim header [Eric Guo, 2014-02-08, files: 1, lines: -2/+0]
| | We don't need vim modelines in each source file, it can be set in user's vimrc.
| |
| | Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
| | Closes-Bug: #1229324
* | Merge "cms: Use universal_newlines=True in subprocess.Popen()" [Jenkins, 2014-02-10, files: 1, lines: -2/+4]
|\ \
| |/
|/|
| * cms: Use universal_newlines=True in subprocess.Popen() [Cyril Roelandt, 2014-02-07, files: 1, lines: -2/+4]
| | The Python documentation states that "the type of [the first argument of subprocess.communicate()] must be bytes or, if universal_newlines was True, a string"[1].
| |
| | Currently, in Python 3, a text string is given to subprocess.communicate(), even though the process was created with universal_newlines=False (the default value). Rather than converting strings to bytes (and the other way around) everywhere in the code, just create the process with universal_newlines=True.
| |
| | The side effect is that '\n', '\r\n' and '\r' will be recognized as ending lines[2], which should not be an issue.
| |
| | [1] http://docs.python.org/3/library/subprocess.html?highlight=popen#subprocess.Popen.communicate
| | [2] http://docs.python.org/3/glossary.html#term-universal-newlines
| |
| | Change-Id: I668b187ba8ed00ad6d55ec487af623b79b21589d
* | Merge "Check for any monkeypatching" [Jenkins, 2014-02-06, files: 1, lines: -1/+1]
|\ \
| |/
|/|
| * Check for any monkeypatching [Adam Young, 2014-02-06, files: 1, lines: -1/+1]
| | Checking only for monkeypatching of the ``os`` module is insufficient. A process might have chosen not to patch ``os`` but still needs to use the eventlet version of Popen to deal with proper forks.
| |
| | This version checks if any modules have been monkeypatched with the eventlet versions.
| |
| | Closes-Bug: #1277231
| | Change-Id: Ia8d7150e9e7ced58132e8e90e7ad68fb3c7c3b9f
* | Python 3: make tests from v2_0/test_access.py pass [Cyril Roelandt, 2014-02-04, files: 1, lines: -0/+3]
|/
| This fixes calls to the hash_signed_token() and cms_hash_token() functions, by making sure they are given bytes.
|
| Change-Id: I83ac48a845cd09150b01afad6f0549ee83c20ddd
* Add workaround for OSError raised by Popen.communicate() [Dirk Mueller, 2013-11-28, files: 1, lines: -4/+47]
| Python 2.6 can raise OSError when too much data is written to STDIN and the process died prematurely. In the case of keystoneclient this happens during the first cms_verify() call of a process. The calling logic expects a useful error message in order to refetch the CA or signing CERT, which is missing in the case of an OSError. So just fake it instead.
|
| Add basic unit tests to cover all of the public methods from keystone.common.cms, raising test coverage to 77%.
|
| Add unit test for this specific bug (test_cms_verify_token_no_oserror).
|
| Closes-Bug: LP Bug#1235252
| Change-Id: I6e650ab9494c605b4e41c78c87a9505e09d5fc29
* Migrate the keystone.common.cms to keystoneclient [Lei Zhang, 2013-10-28, files: 1, lines: -4/+38]
| - Add checking the openssl return code 2, related to following review https://review.openstack.org/#/c/22716/
| - Add support set subprocess to the cms, when we already know which subprocess to use.
|
| Closes-Bug: #1142574
| Change-Id: I3f86e6ca8bb7738f57051ce7f0f5662b20e7a22b
* Fix License Headers and Enable Gating on H102 [Morgan Fainberg, 2013-08-27, files: 1, lines: -0/+14]
| Add ASLv2 headers to files that were missing it.
|
| fixes bug #1211587
| Change-Id: Iede918e1ce84993cee4ecbb2d9c2606627fa412e
* no logging on cms failure [Adam Young, 2013-07-26, files: 1, lines: -2/+6]
| Don't log in the keystoneclient.common.cms as there are some errors that are expected. Instead, log in the middleware
|
| bug 1189539
| Change-Id: I1e80e2ab35e073d9b8d25fd16b31c64c34cd001d
* Merge " Cleanup docstrings " from keystone/common/cms.py [Dirk Mueller, 2013-07-09, files: 1, lines: -6/+6]
| In an attempt to unify both implementations in order to be able to remove one of the duplicated ones, merge the changes from this commit in keystone:
|
| Author: Dolph Mathews <dolph.mathews@gmail.com>
| Date: Fri May 24 11:36:44 2013 -0500
|
| Cleanup docstrings (flake8 H401, H402, H403, H404)
|
| Change-Id: Ib23c9ab5066cfdcdda4e07cd30fa8f6ff47949bd