diff options
-rw-r--r-- | keystone/auth/token_factory.py | 15 | ||||
-rw-r--r-- | keystone/common/cms.py | 7 | ||||
-rw-r--r-- | keystone/token/controllers.py | 15 | ||||
-rw-r--r-- | tests/test_cert_setup.py | 31 |
4 files changed, 56 insertions, 12 deletions
diff --git a/keystone/auth/token_factory.py b/keystone/auth/token_factory.py index 4d5c0b87..172216e9 100644 --- a/keystone/auth/token_factory.py +++ b/keystone/auth/token_factory.py @@ -17,6 +17,7 @@ """Token Factory""" import json +import subprocess import uuid import webob @@ -255,13 +256,17 @@ def create_token(context, auth_context, auth_info): if CONF.signing.token_format == 'UUID': token_id = uuid.uuid4().hex elif CONF.signing.token_format == 'PKI': - token_id = cms.cms_sign_token(json.dumps(token_data), - CONF.signing.certfile, - CONF.signing.keyfile) + try: + token_id = cms.cms_sign_token(json.dumps(token_data), + CONF.signing.certfile, + CONF.signing.keyfile) + except subprocess.CalledProcessError: + raise exception.UnexpectedError(_( + 'Unable to sign token.')) else: - raise exception.UnexpectedError( + raise exception.UnexpectedError(_( 'Invalid value for token_format: %s.' - ' Allowed values are PKI or UUID.' % + ' Allowed values are PKI or UUID.') % CONF.signing.token_format) token_api = token_module.Manager() try: diff --git a/keystone/common/cms.py b/keystone/common/cms.py index 4587b230..ed0fa60c 100644 --- a/keystone/common/cms.py +++ b/keystone/common/cms.py @@ -131,7 +131,12 @@ def cms_sign_text(text, signing_cert_file_name, signing_key_file_name): output, err = process.communicate(text) retcode = process.poll() if retcode or "Error" in err: - LOG.error(_('Signing error: %s') % err) + if retcode == 3: + LOG.error(_("Signing error: Unable to load certificate - " + "ensure you've configured PKI with " + "'keystone-manage pki_setup'")) + else: + LOG.error(_('Signing error: %s') % err) raise subprocess.CalledProcessError(retcode, "openssl") return output diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index ade2af4f..4474deaa 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py @@ -1,4 +1,5 @@ import json +import subprocess import uuid from keystone.common import cms @@ -114,13 +115,17 @@ class Auth(controller.V2Controller): if CONF.signing.token_format == 'UUID': token_id = uuid.uuid4().hex elif CONF.signing.token_format == 'PKI': - token_id = cms.cms_sign_token(json.dumps(token_data), - CONF.signing.certfile, - CONF.signing.keyfile) + try: + token_id = cms.cms_sign_token(json.dumps(token_data), + CONF.signing.certfile, + CONF.signing.keyfile) + except subprocess.CalledProcessError: + raise exception.UnexpectedError(_( + 'Unable to sign token.')) else: - raise exception.UnexpectedError( + raise exception.UnexpectedError(_( 'Invalid value for token_format: %s.' - ' Allowed values are PKI or UUID.' % + ' Allowed values are PKI or UUID.') % CONF.signing.token_format) try: self.token_api.create_token( diff --git a/tests/test_cert_setup.py b/tests/test_cert_setup.py index b11386ed..76396fd9 100644 --- a/tests/test_cert_setup.py +++ b/tests/test_cert_setup.py @@ -19,11 +19,14 @@ import os import shutil from keystone.common import openssl +from keystone import exception from keystone import test +from keystone import token ROOTDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) SSLDIR = "%s/tests/ssl/" % ROOTDIR CONF = test.CONF +DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id def rootdir(*p): @@ -42,6 +45,29 @@ class CertSetupTestCase(test.TestCase): CONF.signing.ca_certs = os.path.join(CERTDIR, "ca.pem") CONF.signing.keyfile = os.path.join(KEYDIR, "signing_key.pem") + self.load_backends() + self.controller = token.controllers.Auth() + + def test_can_handle_missing_certs(self): + self.opt_in_group('signing', token_format='PKI') + self.opt_in_group('signing', certfile='invalid') + user = { + 'id': 'fake1', + 'name': 'fake1', + 'password': 'fake1', + 'domain_id': DEFAULT_DOMAIN_ID + } + body_dict = { + 'passwordCredentials': { + 'userId': user['id'], + 'password': user['password'], + }, + } + self.identity_api.create_user(user['id'], user) + self.assertRaises(exception.UnexpectedError, + self.controller.authenticate, + {}, body_dict) + def test_create_certs(self): ssl = openssl.ConfigurePKI(None, None) ssl.run() @@ -50,5 +76,8 @@ class CertSetupTestCase(test.TestCase): self.assertTrue(os.path.exists(CONF.signing.keyfile)) def tearDown(self): - shutil.rmtree(rootdir(SSLDIR)) + try: + shutil.rmtree(rootdir(SSLDIR)) + except OSError: + pass super(CertSetupTestCase, self).tearDown() |