
Source code changes of the file "keystone/credential/providers/fernet/core.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

core.py  (keystone-16.0.1):core.py  (keystone-17.0.0)
skipping to change at line 17 skipping to change at line 17
# Unless required by applicable law or agreed to in writing, software # Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import hashlib import hashlib
from cryptography import fernet from cryptography import fernet
from oslo_log import log from oslo_log import log
import six
from keystone.common import fernet_utils from keystone.common import fernet_utils
import keystone.conf import keystone.conf
from keystone.credential.providers import core from keystone.credential.providers import core
from keystone import exception from keystone import exception
from keystone.i18n import _ from keystone.i18n import _
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
LOG = log.getLogger(__name__) LOG = log.getLogger(__name__)
skipping to change at line 55 skipping to change at line 54
'credential') 'credential')
keys = key_utils.load_keys(use_null_key=True) keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys] fernet_keys = [fernet.Fernet(key) for key in keys]
crypto = fernet.MultiFernet(fernet_keys) crypto = fernet.MultiFernet(fernet_keys)
return crypto, keys return crypto, keys
def primary_key_hash(keys): def primary_key_hash(keys):
"""Calculate a hash of the primary key used for encryption.""" """Calculate a hash of the primary key used for encryption."""
if isinstance(keys[0], six.text_type): if isinstance(keys[0], str):
keys[0] = keys[0].encode('utf-8') keys[0] = keys[0].encode('utf-8')
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which
# is marked as insecure. However, this hash function is used alongside # is marked as insecure. However, this hash function is used alongside
# encrypted blobs to implement HMAC-SHA1, which is currently not insecure # encrypted blobs to implement HMAC-SHA1, which is currently not insecure
# but will still trigger when scanned by bandit. # but will still trigger when scanned by bandit.
return hashlib.sha1(keys[0]).hexdigest() # nosec return hashlib.sha1(keys[0]).hexdigest() # nosec
class Provider(core.Provider): class Provider(core.Provider):
def encrypt(self, credential): def encrypt(self, credential):
"""Attempt to encrypt a plaintext credential. """Attempt to encrypt a plaintext credential.
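Review bot: The `# nosec` justification above `hashlib.sha1(keys[0]).hexdigest()` does not describe what the code does: the function returns a bare SHA-1 of the primary key, not an HMAC, and the authentication tag that protects the Fernet blobs is computed inside `cryptography` without involving this digest. From the docstring and the encode-then-hash sequence the digest appears to serve only as a fingerprint to identify which key encrypted a stored credential, which is an acceptable use of SHA-1 as long as the key material is high-entropy, so the comment should say that, e.g. `# NOTE: SHA-1 is used here only as a key fingerprint (which key encrypted a blob), not as a MAC; preimage resistance on a random Fernet key suffices, so bandit's warning is a false positive.` Separately, the `isinstance` branch rewrites `keys[0]` in the caller's list as a side effect; binding a local avoids that: `key = keys[0]` / `if isinstance(key, str): key = key.encode('utf-8')` / `return hashlib.sha1(key).hexdigest()  # nosec`. The `encrypt` method that begins at the end of this hunk continues outside it.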
skipping to change at line 102 skipping to change at line 101
:param credential: an encrypted credential string :param credential: an encrypted credential string
:returns: a decrypted credential :returns: a decrypted credential
""" """
key_utils = fernet_utils.FernetUtils( key_utils = fernet_utils.FernetUtils(
CONF.credential.key_repository, MAX_ACTIVE_KEYS) CONF.credential.key_repository, MAX_ACTIVE_KEYS)
keys = key_utils.load_keys(use_null_key=True) keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys] fernet_keys = [fernet.Fernet(key) for key in keys]
crypto = fernet.MultiFernet(fernet_keys) crypto = fernet.MultiFernet(fernet_keys)
try: try:
if isinstance(credential, six.text_type): if isinstance(credential, str):
credential = credential.encode('utf-8') credential = credential.encode('utf-8')
return crypto.decrypt(credential).decode('utf-8') return crypto.decrypt(credential).decode('utf-8')
except (fernet.InvalidToken, TypeError, ValueError): except (fernet.InvalidToken, TypeError, ValueError):
msg = ('Credential could not be decrypted. Please contact the ' msg = ('Credential could not be decrypted. Please contact the '
'administrator') 'administrator')
tr_msg = _('Credential could not be decrypted. Please contact the ' tr_msg = _('Credential could not be decrypted. Please contact the '
'administrator') 'administrator')
LOG.error(msg) LOG.error(msg)
raise exception.CredentialEncryptionError(tr_msg) raise exception.CredentialEncryptionError(tr_msg)
 End of changes. 3 change blocks. 
3 lines changed or deleted 2 lines changed or added
