aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/token/providers
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/token/providers')
-rw-r--r--keystone-moon/keystone/token/providers/fernet/token_formatters.py36
1 files changed, 27 insertions, 9 deletions
diff --git a/keystone-moon/keystone/token/providers/fernet/token_formatters.py b/keystone-moon/keystone/token/providers/fernet/token_formatters.py
index d1dbb08c..f0b6271d 100644
--- a/keystone-moon/keystone/token/providers/fernet/token_formatters.py
+++ b/keystone-moon/keystone/token/providers/fernet/token_formatters.py
@@ -21,7 +21,7 @@ from oslo_config import cfg
from oslo_log import log
from oslo_utils import timeutils
import six
-from six.moves import map, urllib
+from six.moves import map
from keystone.auth import plugins as auth_plugins
from keystone.common import utils as ks_utils
@@ -67,11 +67,14 @@ class TokenFormatter(object):
def pack(self, payload):
"""Pack a payload for transport as a token."""
# base64 padding (if any) is not URL-safe
- return urllib.parse.quote(self.crypto.encrypt(payload))
+ return self.crypto.encrypt(payload).rstrip('=')
def unpack(self, token):
"""Unpack a token, and validate the payload."""
- token = urllib.parse.unquote(six.binary_type(token))
+ token = six.binary_type(token)
+
+ # Restore padding on token before decoding it
+ token = TokenFormatter.restore_padding(token)
try:
return self.crypto.decrypt(token)
@@ -80,16 +83,31 @@ class TokenFormatter(object):
_('This is not a recognized Fernet token'))
@classmethod
+ def restore_padding(cls, token):
+ """Restore padding based on token size.
+
+ :param token: token to restore padding on
+ :returns: token with correct padding
+
+ """
+ # Re-inflate the padding
+ mod_returned = len(token) % 4
+ if mod_returned:
+ missing_padding = 4 - mod_returned
+ token += b'=' * missing_padding
+ return token
+
+ @classmethod
def creation_time(cls, fernet_token):
"""Returns the creation time of a valid Fernet token."""
# tokens may be transmitted as Unicode, but they're just ASCII
# (pypi/cryptography will refuse to operate on Unicode input)
fernet_token = six.binary_type(fernet_token)
- # the base64 padding on fernet tokens is made URL-safe
- fernet_token = urllib.parse.unquote(fernet_token)
+ # Restore padding on token before decoding it
+ fernet_token = TokenFormatter.restore_padding(fernet_token)
- # fernet tokens are base64 encoded and the padding made URL-safe
+ # fernet tokens are base64 encoded, so we need to unpack them first
token_bytes = base64.urlsafe_b64decode(fernet_token)
# slice into the byte array to get just the timestamp
@@ -571,9 +589,9 @@ class FederatedUnscopedPayload(BasePayload):
"""Validate a federated payload.
:param token_string: a string representing the token
- :return: a tuple containing the user_id, auth methods, audit_ids, and
- a dictionary containing federated information such as the the
- group IDs, the identity provider ID, the protocol ID, and the
+ :return: a tuple containing the user_id, auth methods, audit_ids, and a
+ dictionary containing federated information such as the group
+ IDs, the identity provider ID, the protocol ID, and the
federated domain ID
"""