diff options
Diffstat (limited to 'keystone-moon/keystone/token/providers')
-rw-r--r-- | keystone-moon/keystone/token/providers/fernet/token_formatters.py | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/keystone-moon/keystone/token/providers/fernet/token_formatters.py b/keystone-moon/keystone/token/providers/fernet/token_formatters.py index d1dbb08c..f0b6271d 100644 --- a/keystone-moon/keystone/token/providers/fernet/token_formatters.py +++ b/keystone-moon/keystone/token/providers/fernet/token_formatters.py @@ -21,7 +21,7 @@ from oslo_config import cfg from oslo_log import log from oslo_utils import timeutils import six -from six.moves import map, urllib +from six.moves import map from keystone.auth import plugins as auth_plugins from keystone.common import utils as ks_utils @@ -67,11 +67,14 @@ class TokenFormatter(object): def pack(self, payload): """Pack a payload for transport as a token.""" # base64 padding (if any) is not URL-safe - return urllib.parse.quote(self.crypto.encrypt(payload)) + return self.crypto.encrypt(payload).rstrip('=') def unpack(self, token): """Unpack a token, and validate the payload.""" - token = urllib.parse.unquote(six.binary_type(token)) + token = six.binary_type(token) + + # Restore padding on token before decoding it + token = TokenFormatter.restore_padding(token) try: return self.crypto.decrypt(token) @@ -80,16 +83,31 @@ class TokenFormatter(object): _('This is not a recognized Fernet token')) @classmethod + def restore_padding(cls, token): + """Restore padding based on token size. + + :param token: token to restore padding on + :returns: token with correct padding + + """ + # Re-inflate the padding + mod_returned = len(token) % 4 + if mod_returned: + missing_padding = 4 - mod_returned + token += b'=' * missing_padding + return token + + @classmethod def creation_time(cls, fernet_token): """Returns the creation time of a valid Fernet token.""" # tokens may be transmitted as Unicode, but they're just ASCII # (pypi/cryptography will refuse to operate on Unicode input) fernet_token = six.binary_type(fernet_token) - # the base64 padding on fernet tokens is made URL-safe - fernet_token = urllib.parse.unquote(fernet_token) + # Restore padding on token before decoding it + fernet_token = TokenFormatter.restore_padding(fernet_token) - # fernet tokens are base64 encoded and the padding made URL-safe + # fernet tokens are base64 encoded, so we need to unpack them first token_bytes = base64.urlsafe_b64decode(fernet_token) # slice into the byte array to get just the timestamp @@ -571,9 +589,9 @@ class FederatedUnscopedPayload(BasePayload): """Validate a federated payload. :param token_string: a string representing the token - :return: a tuple containing the user_id, auth methods, audit_ids, and - a dictionary containing federated information such as the the - group IDs, the identity provider ID, the protocol ID, and the + :return: a tuple containing the user_id, auth methods, audit_ids, and a + dictionary containing federated information such as the group + IDs, the identity provider ID, the protocol ID, and the federated domain ID """ |