Encode PKI token (back port changes to Havana)

Bug #1299130 reported by Priti Desai on 2014-03-28
This bug affects 1 person

Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Priti Desai

Bug Description

Authenticating a user based on a pre-existing PKI token is not supported in Havana. PKI tokens are much longer than, and different from, their IDs (the id column from the token table). When a PKI token is passed as token_id to POST …/auth/tokens, it does not encode the PKI token to generate its ID, which is what happens in IceHouse.

Havana is missing this if statement:

if isinstance(token_id, six.text_type):
    token_id = token_id.encode('utf-8')

https://github.com/openstack/keystone/blob/stable/havana/keystone/common/cms.py

if is_ans1_token(token_id):
    hasher = hashlib.md5()
    hasher.update(token_id)
    return hasher.hexdigest()

IceHouse version:

if is_ans1_token(token_id):
    hasher = hashlib.md5()
    if isinstance(token_id, six.text_type):
        token_id = token_id.encode('utf-8')
    hasher.update(token_id)
    return hasher.hexdigest()

Is it possible to backport these changes into Havana?

More info:
https://ask.openstack.org/en/question/25971/is-there-a-rest-api-to-retrieve-token-id-id-column-from-token-table-of-an-pki-token/

Changed in keystone:
assignee: nobody → Priti Desai (priti-desai)

Dolph Mathews (dolph) wrote:

PKI token IDs are either the base64 encoded token itself (for the purposes of X-Auth-Token / X-Subject-Token) or an MD5 hash of the base64 encoded token (for the purposes of HTTP resources) (the hash method likely becoming configurable in Juno or rendered unnecessary by token compression).

Changed in keystone:
status: New → Invalid
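
The following Python 3 sketch is an added example, not keystone's code and not part of the report or the comment above. It derives the short (MD5) ID from a PKI token with and without the text-to-bytes guard quoted in the description. The "MII" prefix check, the function names and the sample token are assumptions made for illustration.

```python
import base64
import hashlib

# Assumption: a PKI token is base64 of a DER structure, so it starts with "MII".
PKI_PREFIX = "MII"


def is_pki_token(token):
    """Hypothetical stand-in for the is_ans1_token() check quoted above."""
    text = token.decode("utf-8") if isinstance(token, bytes) else token
    return text.startswith(PKI_PREFIX)


def short_token_id(token):
    """Return the MD5 hex ID of a PKI token; other tokens pass through unchanged."""
    if not is_pki_token(token):
        return token
    hasher = hashlib.md5()
    if isinstance(token, str):          # six.text_type on Python 3
        token = token.encode("utf-8")   # the guard from the IceHouse snippet
    hasher.update(token)
    return hasher.hexdigest()


def unguarded_token_id(token):
    """Same hash without the encode guard, as in the Havana snippet."""
    hasher = hashlib.md5()
    hasher.update(token)                # raises TypeError for str on Python 3
    return hasher.hexdigest()


# Constructed sample: a DER SEQUENCE header plus filler, not a real signed token.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_TOKEN = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_TOKEN[:16] + "...", "->", short_token_id(SAMPLE_TOKEN))
    try:
        unguarded_token_id(SAMPLE_TOKEN)
    except TypeError as exc:
        print("unguarded hash of a text token fails:", exc)
```

With the guard, the text and bytes forms of the same token map to the same 32-character ID, so a lookup against the token table's id column is independent of how the caller supplied the token.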