From 23aa49ee3d5d71c0cca25c7e16fb5fc7771d5c02 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Tue, 30 Oct 2012 19:55:32 -0400
Subject: key all backends off of hash of pki token.
Bug 1073272
Change-Id: If55b3b595fa6f3b5e773a502fc69e7da2c3bd114
---
 keystone/common/cms.py | 16 ++++++++++++++++
 keystone/token/backends/kvs.py | 3 +++
 keystone/token/backends/memcache.py | 8 ++++----
 keystone/token/backends/sql.py | 10 +---------
 keystone/token/core.py | 10 ++++++++++
 5 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/keystone/common/cms.py b/keystone/common/cms.py
index 554a6ee1..4340b897 100644
--- a/keystone/common/cms.py
+++ b/keystone/common/cms.py
@@ -1,3 +1,4 @@
+import hashlib
 import subprocess
 from keystone.common import logging
@@ -134,3 +135,18 @@ def cms_to_token(cms_text):
 signed_text = signed_text.replace('\n', '')
 return signed_text
+
+
+def cms_hash_token(token_id):
+ """
+ return: for ans1_token, returns the hash of the passed in token
+ otherwise, returns what it was passed in.
+ """
+ if token_id is None:
+ return None
+ if is_ans1_token(token_id):
+ hasher = hashlib.md5()
+ hasher.update(token_id)
+ return hasher.hexdigest()
+ else:
+ return token_id
diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
index 392e4852..d723e505 100644
--- a/keystone/token/backends/kvs.py
+++ b/keystone/token/backends/kvs.py
@@ -26,6 +26,7 @@ class Token(kvs.Base, token.Driver):
 # Public interface
 def get_token(self, token_id):
+ token_id = self.token_to_key(token_id)
 try:
 token = self.db.get('token-%s' % token_id)
 except exception.NotFound:
@@ -36,6 +37,7 @@ class Token(kvs.Base, token.Driver):
 raise exception.TokenNotFound(token_id=token_id)
 def create_token(self, token_id, data):
+ token_id = self.token_to_key(token_id)
 data_copy = copy.deepcopy(data)
 if 'expires' not in data:
 data_copy['expires'] = self._get_default_expire_time()
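Review bot: `cms_hash_token` in keystone/common/cms.py derives the storage key for PKI tokens with `hashlib.md5()`, which is not collision resistant, and after this change that key decides which record every backend reads, writes or deletes for a token. A stronger digest such as `hashlib.sha256(token_id).hexdigest()` would be the safer choice, but it lengthens the key from 32 to 64 hex characters, so column sizes and already-stored keys (not visible in this diff) would need checking first. The docstring should also say that the return value is a lookup key rather than a token. The `is_ans1_token` helper it relies on is defined outside the hunk.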
@@ -43,6 +45,7 @@ class Token(kvs.Base, token.Driver):
 return copy.deepcopy(data_copy)
 def delete_token(self, token_id):
+ token_id = self.token_to_key(token_id)
 try:
 token_ref = self.get_token(token_id)
 self.db.delete('token-%s' % token_id)
diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
index 4efa3036..41a4e290 100644
--- a/keystone/token/backends/memcache.py
+++ b/keystone/token/backends/memcache.py
@@ -53,7 +53,7 @@ class Token(token.Driver):
 def get_token(self, token_id):
 if token_id is None:
- raise exception.TokenNotFound(token_id=token_id)
+ raise exception.TokenNotFound(token_id='')
 ptk = self._prefix_token_id(token_id)
 token = self.client.get(ptk)
 if token is None:
@@ -63,7 +63,7 @@ class Token(token.Driver):
 def create_token(self, token_id, data):
 data_copy = copy.deepcopy(data)
- ptk = self._prefix_token_id(token_id)
+ ptk = self._prefix_token_id(self.token_to_key(token_id))
 if 'expires' not in data_copy:
 data_copy['expires'] = self._get_default_expire_time()
 kwargs = {}
@@ -93,8 +93,8 @@ class Token(token.Driver):
 def delete_token(self, token_id):
 # Test for existence
- data = self.get_token(token_id)
- ptk = self._prefix_token_id(token_id)
+ data = self.get_token(self.token_to_key(token_id))
+ ptk = self._prefix_token_id(self.token_to_key(token_id))
 result = self.client.delete(ptk)
 self._add_to_revocation_list(data)
 return result
diff --git a/keystone/token/backends/sql.py b/keystone/token/backends/sql.py
index b8a5bf30..be880f72 100644
--- a/keystone/token/backends/sql.py
+++ b/keystone/token/backends/sql.py
@@ -16,7 +16,7 @@
 import copy
 import datetime
-import hashlib
+
 from keystone.common import cms
 from keystone.common import sql
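Review bot: In the kvs `delete_token` hunk the id is converted with `token_to_key` and then handed to `self.get_token(token_id)`, which converts it a second time. That only works while `token_to_key` returns an already-hashed id unchanged, which in turn depends on `is_ans1_token` (not shown in this diff) never matching a hex digest. A comment on the new line would record that dependency, for example `# already the storage key; get_token() re-applies token_to_key(), which must be a no-op for hashed ids`. The rest of `delete_token` lies outside the hunk.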
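Review bot: The memcache `get_token` hunk still builds its key from the raw id with `self._prefix_token_id(token_id)`, while `create_token` in the same file now stores under `self._prefix_token_id(self.token_to_key(token_id))` and the kvs driver converts inside `get_token`. Unless every caller already passes the hashed id, a lookup with a full PKI token would miss the stored record, so the line should probably read `ptk = self._prefix_token_id(self.token_to_key(token_id))`. In the memcache `delete_token` hunk `token_to_key` is computed twice; a local `key = self.token_to_key(token_id)` used for both calls would be clearer. Both function bodies continue outside their hunks.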
@@ -64,14 +64,6 @@ class Token(sql.Base, token.Driver):
 else:
 raise exception.TokenNotFound(token_id=token_id)
- def token_to_key(self, token_id):
- if cms.is_ans1_token(token_id):
- hash = hashlib.md5()
- hash.update(token_id)
- return hash.hexdigest()
- else:
- return token_id
-
 def create_token(self, token_id, data):
 data_copy = copy.deepcopy(data)
 if 'expires' not in data_copy:
diff --git a/keystone/token/core.py b/keystone/token/core.py
index e10a4ddf..56ef13fe 100644
--- a/keystone/token/core.py
+++ b/keystone/token/core.py
@@ -19,6 +19,7 @@
 import datetime
 from keystone.common import manager
+from keystone.common import cms
 from keystone import config
 from keystone import exception
 from keystone.openstack.common import timeutils
@@ -52,6 +53,15 @@ class Manager(manager.Manager):
 class Driver(object):
 """Interface description for a Token driver."""
+ def token_to_key(self, token_id):
+ """ Converts PKI tokens to their short form used for keys in
+ Database tables, memcached, and other lookup tables.
+ returns: if given a PKI token, returns its hashed value
+ Otherwise, returns the passed-in value if given a UUID or
+ hash of a token.
+ """
+ return cms.cms_hash_token(token_id)
+
 def get_token(self, token_id):
 """Get a token by id.
-- cgit
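Review bot: The `token_to_key` docstring in keystone/token/core.py says a hash is returned unchanged, which means a driver's `get_token` will presumably accept the short key in place of the full PKI token. If that also holds at the API layer (not visible in this diff), the key is as sensitive as the token itself and should be kept out of logs and error messages; the kvs `get_token` now passes it to `TokenNotFound(token_id=token_id)`. I would add a sentence to the docstring such as `The key is accepted wherever a token id is, so treat it as a credential.` The `Driver` class continues outside the hunk.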