|
15 | 15 |
|
16 | 16 | import base64 |
17 | 17 | from hashlib import sha1 |
| 18 | +from hashlib import sha512 |
18 | 19 | import hmac |
19 | 20 | from httplib import HTTPConnection |
20 | 21 | from httplib import HTTPSConnection |
|
50 | 51 | from swift.common.utils import cache_from_env |
51 | 52 | from swift.common.utils import get_logger |
52 | 53 | from swift.common.utils import get_remote_client |
| 54 | +from swift.common.utils import HASH_PATH_PREFIX |
| 55 | +from swift.common.utils import HASH_PATH_SUFFIX |
53 | 56 | from swift.common.utils import split_path |
54 | 57 | from swift.common.utils import TRUE_VALUES |
55 | 58 | from swift.common.utils import urlparse |
@@ -289,6 +292,15 @@ def __call__(self, env, start_response): |
289 | 292 | env['swift.clean_acl'] = clean_acl |
290 | 293 | return self.app(env, start_response) |
291 | 294 |
|
| 295 | + def _get_concealed_token(self, token): |
| 296 | + """Returns hashed token to be used as object name in Swift. |
| 297 | +
|
| 298 | + Tokens are stored in auth account but object names are visible in Swift |
| 299 | + logs. Object names are hashed from token. |
| 300 | + """ |
| 301 | + enc_key = "%s:%s:%s" % (HASH_PATH_PREFIX, token, HASH_PATH_SUFFIX) |
| 302 | + return sha512(enc_key).hexdigest() |
| 303 | + |
292 | 304 | def get_groups(self, env, token): |
293 | 305 | """Get groups for the given token. |
294 | 306 |
|
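Review bot: `_get_concealed_token` derives the object name by hashing the ad-hoc concatenation `"%s:%s:%s" % (HASH_PATH_PREFIX, token, HASH_PATH_SUFFIX)`, while `hmac` is already imported at the top of this file; the standard keyed construction would be `return hmac.new('%s:%s' % (HASH_PATH_PREFIX, HASH_PATH_SUFFIX), token, sha512).hexdigest()`, which makes the dependence on the cluster secrets explicit instead of inventing a key-mixing format. Whichever form is kept, the docstring should state that the name is keyed with the cluster's HASH_PATH_PREFIX/HASH_PATH_SUFFIX, so a name seen in a log cannot be turned back into a token without those values, and that changing either value invalidates every stored token. Unless a migration exists outside this diff, tokens written under their raw name before this change will no longer be found by the hashed lookups in get_groups and handle_validate_token, and handle_delete_user will no longer remove those raw-named objects, so an upgrade note or a fallback lookup of the old name seems warranted. The hunk cuts through `__call__` (only its last two lines are shown) and `get_groups` (only its signature and the start of its docstring are shown).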
@@ -397,8 +409,9 @@ def get_groups(self, env, token): |
397 | 409 | memcache_key, (time() + expires_from_now, groups), |
398 | 410 | time=expires_from_now) |
399 | 411 | else: |
| 412 | + object_name = self._get_concealed_token(token) |
400 | 413 | path = quote('/v1/%s/.token_%s/%s' % |
401 | | - (self.auth_account, token[-1], token)) |
| 414 | + (self.auth_account, object_name[-1], object_name)) |
402 | 415 | resp = self.make_pre_authed_request( |
403 | 416 | env, 'GET', path).get_response(self.app) |
404 | 417 | if resp.status_int // 100 != 2: |
@@ -1168,8 +1181,9 @@ def handle_delete_user(self, req): |
1168 | 1181 | (path, resp.status)) |
1169 | 1182 | candidate_token = resp.headers.get('x-object-meta-auth-token') |
1170 | 1183 | if candidate_token: |
| 1184 | + object_name = self._get_concealed_token(candidate_token) |
1171 | 1185 | path = quote('/v1/%s/.token_%s/%s' % |
1172 | | - (self.auth_account, candidate_token[-1], candidate_token)) |
| 1186 | + (self.auth_account, object_name[-1], object_name)) |
1173 | 1187 | resp = self.make_pre_authed_request( |
1174 | 1188 | req.environ, 'DELETE', path).get_response(self.app) |
1175 | 1189 | if resp.status_int // 100 != 2 and resp.status_int != 404: |
@@ -1318,8 +1332,9 @@ def handle_get_token(self, req): |
1318 | 1332 | expires = None |
1319 | 1333 | candidate_token = resp.headers.get('x-object-meta-auth-token') |
1320 | 1334 | if candidate_token: |
| 1335 | + object_name = self._get_concealed_token(candidate_token) |
1321 | 1336 | path = quote('/v1/%s/.token_%s/%s' % |
1322 | | - (self.auth_account, candidate_token[-1], candidate_token)) |
| 1337 | + (self.auth_account, object_name[-1], object_name)) |
1323 | 1338 | delete_token = False |
1324 | 1339 | try: |
1325 | 1340 | if req.headers.get('x-auth-new-token', 'false').lower() in \ |
@@ -1362,8 +1377,9 @@ def handle_get_token(self, req): |
1362 | 1377 | # Generate new token |
1363 | 1378 | token = '%stk%s' % (self.reseller_prefix, uuid4().hex) |
1364 | 1379 | # Save token info |
| 1380 | + object_name = self._get_concealed_token(token) |
1365 | 1381 | path = quote('/v1/%s/.token_%s/%s' % |
1366 | | - (self.auth_account, token[-1], token)) |
| 1382 | + (self.auth_account, object_name[-1], object_name)) |
1367 | 1383 | try: |
1368 | 1384 | token_life = min( |
1369 | 1385 | int(req.headers.get('x-auth-token-lifetime', |
@@ -1439,8 +1455,9 @@ def handle_validate_token(self, req): |
1439 | 1455 | if expires < time(): |
1440 | 1456 | groups = None |
1441 | 1457 | if not groups: |
| 1458 | + object_name = self._get_concealed_token(token) |
1442 | 1459 | path = quote('/v1/%s/.token_%s/%s' % |
1443 | | - (self.auth_account, token[-1], token)) |
| 1460 | + (self.auth_account, object_name[-1], object_name)) |
1444 | 1461 | resp = self.make_pre_authed_request( |
1445 | 1462 | req.environ, 'GET', path).get_response(self.app) |
1446 | 1463 | if resp.status_int // 100 != 2: |
|