| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
tox -e bandit failing due to the string 'token'
in [1]. According to the bandit 105 any password
assigned to a string should not contain any of the
variables in [2]
[1]https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py#L41
[2]https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
Change-Id: I822e1195532df2b701f10087cabceda458211986
|
|
|
|
|
|
|
|
|
|
|
|
| |
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.
See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html
Change-Id: Ia77819cbb133903d20e821bff0c45766b11ef07b
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify
keystoneclient.tests.unit.test_cms.CMSTest.test_cms_verify_token_no_files
failing with: Command 'openssl' returned non-zero exit status 1
I think its OpenSSL >= 1.1 bug, which returns wrong exit code (1 instead of
2) if input file not exists.
Change-Id: I776596487f305c759b88c0d4c604571c33c6ef70
Closes-Bug: #1646858
|
|
|
|
|
|
|
|
|
| |
Currently tox ignores D202 and D203.
D202: No blank lines allowed after function docstring.
D203: 1 blank required before class docstring.
This change removes D202 and D203 ignores in tox and fix violations.
Change-Id: I97ef88c9cfd56774e47f789cbbcf8ccfe85d7737
|
|
|
|
|
|
|
|
| |
Currently tox ignores D400.
D400: First line should end with a period.
This change removes it and make keystoneclient docstrings compliant with it.
Change-Id: I29ecb4c58bb03c0b9a3be0b7a74d18fb06a350f2
|
|
|
|
|
|
|
|
| |
Currently tox ignores D401.
401: First line should be in imperative mood.
This change removes it and make keystoneclient docstrings compliant with it.
Change-Id: If34ff12d18390b357342cf29f2d116dd3c86a44d
|
|
|
|
|
|
|
|
|
|
|
| |
Removing old configuration options for build-in defaults of latest
bandit functionality. Also, marking flagged items with _# nosec_
with a descriptive comment on why the code is acceptable as is.
Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com>
Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com>
Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d
|
|
|
|
|
|
|
|
|
| |
Previously, there were a string of commits to keystone that addresed ignored
hacking checks. This commit does the same for H405 in keystoneclient. This
also modifies our tox.ini so that we no longer ignore H405 violations.
Change-Id: I2af152e5425a0e9c82314039fdbb90d661c22680
Closes-Bug: 1482773
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This improves on commit 4350c176048b8d159d08b82b915e9544ac9dee6f
We found a major performance regression in keystoneclient
when using PKI tokens, related to http://bugs.python.org/issue25870
It can be tested with
time python -c "import textwrap; textwrap.wrap('x'*9000, 64)"
which has a complexity of O(n*n)
because it uses certain regexps in python versions before 3.5.
Closes-Bug: #1526686
Related-Bug: #1404402
Change-Id: Ibc81907c4d9db2c09fff41ccf21345fbdb19202d
|
|
|
|
|
|
|
| |
We are removing Python 2.6 support from the Keystone libraries.
Change-Id: I1c7a79edd41a73946c9d77bfb8cd2075e2500760
Closes-Bug: 1519449
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently, the error message in _process_communicate_handle_oserror()
has been i18n'ed, which caused the regression as another code path
appended a string to it, which causes the TypeError to be raised.
Fix it by using string formatting instead of '+' to force it
to convert to string before concatenating.
Closes-Bug: 1421652
Change-Id: I7229b46888f798ac4a69c140ab389afed49b8c3c
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A comment on a function doesn't deprecate it since users aren't
going to see it.
The removed deprecation comment is doubly useless since this
function can't be deprecated. There's no alternative given and it's
actively used by keystonemiddleware.
bp deprecations
Change-Id: Ib9bf1b6e0631423094ebe60ff2a718dd659b5561
|
|/
|
|
|
|
|
|
|
|
| |
is_ans1_token wasn't properly deprecated since it used LOG.warn
rather than warnings/debtcollector. Proper deprecation requires use
of warnings and documentation.
bp deprecations
Change-Id: I81be2844014745a5951ce91a336e9e9ecf4d5328
|
|
|
|
|
|
|
|
| |
More details by the code author in his blog post at
http://adam.younglogic.com/2014/02/compressed-tokens/.
Change-Id: I35c5eca2e04a74236bd8c7fb6daab3ea46b59b0e
Closes-Bug: #1352314
|
|
|
|
| |
Change-Id: I5bd4f46b34f0bbb21f1b6a6bfeeb2a26f5544156
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The functions for creating signed tokens in common.cms always used
sha256 for the message digest. This might be inadequate in the future
so the digest algorithm shouldn't be hard-coded. A parameter is added
to allow choosing a different digest algorithm.
SecurityImpact
Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef
Related-Bug: #1362343
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The comment of function is_asn1_token says "Max length of the
content using 2 octets is 7FFF or 32767", which should be 3FFF or
16383. Using Base64 string "MII" as the pki asn1 prefix, whose
binary form is 0x3082+0b00, the two octets for content length will
start with 0b00, so the max length is 0b0011+0xFFF(0x3FFF).
Change-Id: I6c3cedc0243a60328e0e7bd45957616ad272f524
|
| |/
|/|
| |
| |
| |
| |
| | |
The new H238 "old style class declaration, use new style (inherit
from `object`)" rule was failing and ignored.
Change-Id: I9f616d74e4777640cc9441e96f2bd8c1873aaaca
|
|/
|
|
|
|
|
|
| |
This change replaces a home made text wrapper by textwrap module. It is
a non-functional change which is covered by existing tests.
Closes-Bug: #1404402
Change-Id: I5cc4da61205f64b478366c29e6d7ff9929ad4d16
|
|
|
|
|
|
|
| |
Magic numbers were used for the return codes from the openssl
command. These are replaced with named symbols for readability.
Change-Id: I01a77927bd577bcf81b728a1df23c2058c1a9ae3
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
This same log message is going to be printed twice, or an
alternative message is logged instead, so remove it.
Change-Id: I858660830f2397a5e25aada48cc5590222d0f82a
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.
Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.
DocImpact
Implements: blueprint keystoneclient-i18n
Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
|
|/
|
|
|
|
|
|
|
|
|
| |
The current way of using Popen does not close pipes properly,
and therefore long-running keystone processes, which depends on
keystoneclient.common.cms for data sigining, eventually hit
open file limit and stop working. Passing close_fds=True seems
to have solved the problem.
Change-Id: Ife452ab6843c1af5eb39debb8db453e45f78cba9
Closes-Bug: 1382906
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.
This if for security hardening.
SecurityImpact
Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
|
|
|
|
|
|
|
|
|
| |
Adjust the code to raise exceptions.CertificateConfigError
when the certificates are still missing even in the Python
2.6 subprocess bug-workaround case.
Change-Id: I9fdfa830e6f9bc9e8eab496da2597e4118577ec5
Closes-Bug: #1324921
|
|
|
|
|
|
|
|
|
| |
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.
Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
Closes-Bug: #1320930
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allows for a new form of document signature.
pkiz_sign will take data and encode it in a string that starts with
the substring "PKIZ_". This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded
This process is reversed to validate the data.
middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format. The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well. It will require corresponding changes
on the Keystone server to issue the new token format.
A separate script for generating the sample
data used in the unit tests,
examples/pki/gen_cmsz.py,
also serves as an example of how to
call the API from Python code.
Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.
Blueprint: compress-tokens
Closes-Bug: #1255321
Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
|
|
|
|
|
|
|
|
| |
Need to make sure that binary and text are both handled correctly for cms calls.
Blueprint: compress-tokens
Change-Id: If3ed5f339b53942d4ed6d6b2d9fc4eebd7180b0a
|
|
|
|
| |
Change-Id: Ib2c828525fe3bafac8ed2f402a477ba62bbf6471
|
|
|
|
|
|
|
|
| |
Replace all occurrences of 'ANS1|ans1' with 'ASN1|asn1'. Keep
cms.is_ans1_token() around for backwards compatibility.
Change-Id: I89da78b89aa9daf2637754dc93031d7ca81e85cb
Closes-bug: 1306874
|
|
|
|
|
|
|
|
|
|
| |
The token hash functions always used MD5. With this change, the
hash function can be passed in to the hash functions.
SecurityImpact
Related-Bug: #1174499
Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
|
|
|
|
|
|
|
|
| |
There were some parts that had invalid RST in their docstrings
which caused warnings and errors to be generated.
Related-Bug: #1278662
Change-Id: Ibb53e6f49b5fa100fa6ecfe47331f9a70729d03b
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
We don't need vim modelines in each source file, it can be set in
user's vimrc.
Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
Closes-Bug: #1229324
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The Python documentation states that "the type of [the first argument of
subprocess.communicate()] must be bytes or, if universal_newlines was True, a
string"[1]. Currently, in Python 3, a text string is given to
subprocess.communicate(), even though the process was created with
universal_newlines=False (the default value).
Rather than converting strings to bytes (and the other way around) everywhere
in the code, just create the process with universal_newlines=True. The side
effect is that '\n', '\r\n' and '\r' will be recognized as ending lines[2],
which should not be an issue.
[1] http://docs.python.org/3/library/subprocess.html?highlight=popen#subprocess.Popen.communicate
[2] http://docs.python.org/3/glossary.html#term-universal-newlines
Change-Id: I668b187ba8ed00ad6d55ec487af623b79b21589d
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Checking oinly for monkeypatching of the ``os`` module is
insufficient. A process might have chosen not to patch ``os`` but
still needs to use the eventlet version of Popen to deal with proper
forks. This version checks if any modules have been monkeypatched
with the eventlet versions.
Closes-Bug: #1277231
Change-Id: Ia8d7150e9e7ced58132e8e90e7ad68fb3c7c3b9f
|
|/
|
|
|
|
|
| |
This fixes calls to the hash_signed_token() and cms_hash_token() functions, by
making sure they are given bytes.
Change-Id: I83ac48a845cd09150b01afad6f0549ee83c20ddd
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 2.6 can raise OSError when too much data is
written to STDIN and the process died prematurely.
In the case of keystoneclient this happens during
the first cms_verify() call of a process. The calling
logic expects a useful error message in order to
refetch the CA or singing CERT, which is missing in the
case of an OSError. So just fake it instead.
Add basic unit tests to cover all of the public methods from
keystone.common.cms, raising test coverage to 77%. Add
unit test for this specific bug (test_cms_verify_token_no_oserror).
Closes-Bug: LP Bug#1235252
Change-Id: I6e650ab9494c605b4e41c78c87a9505e09d5fc29
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add checking the openssl return code 2, related to following review
https://review.openstack.org/#/c/22716/
- Add support set subprocess to the cms, when we already know which
subprocess to use.
Closes-Bug: #1142574
Change-Id: I3f86e6ca8bb7738f57051ce7f0f5662b20e7a22b
|
|
|
|
|
|
|
|
| |
Add ASLv2 headers to files that were missing it.
fixes bug #1211587
Change-Id: Iede918e1ce84993cee4ecbb2d9c2606627fa412e
|
|
|
|
|
|
|
|
|
| |
Don't log in the keystoneclient.common.cms as there are some errors
that are expected. Instead, log in the middleware
bug 1189539
Change-Id: I1e80e2ab35e073d9b8d25fd16b31c64c34cd001d
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In an attempt to unify both implementations in order to
be able to remove one of the duplicated ones, merge the
changes from this commit in keystone:
Author: Dolph Mathews <dolph.mathews@gmail.com>
Date: Fri May 24 11:36:44 2013 -0500
Cleanup docstrings (flake8 H401, H402, H403, H404)
Change-Id: Ib23c9ab5066cfdcdda4e07cd30fa8f6ff47949bd
|