auth_token: fix issue when data in cache gets corrupted

Previously token cache was not correctly handling the case when data in memcached is un-decryptable. The cache process was returning a null value that was not considered resulting a python exception raised The commit fixes the issue by adding a condition to validate the value returned. Closes-bug: #2023015 Change-Id: Ic48d20569980781febc194083651736bed446953 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
2023-06-06 11:39:21 +02:00 · 2023-06-06 11:39:21 +02:00 · 70337682d9
commit 70337682d9
parent fe644edbc5
3 changed files with 30 additions and 0 deletions
--- a/keystonemiddleware/auth_token/_cache.py
+++ b/keystonemiddleware/auth_token/_cache.py
@ -239,6 +239,10 @@ class TokenCache(object):
            serialized = serialized.encode('utf8')
        data = self._deserialize(serialized, context)

+        if data is None:
+            # In case decryption fails, e.g. data corrupted in memcached.
+            return None
+
        if not isinstance(data, str):
            data = data.decode('utf-8')

--- a/keystonemiddleware/tests/unit/auth_token/test_cache.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_cache.py
@ -13,6 +13,7 @@
 import uuid

 import fixtures
+from unittest import mock

 from keystonemiddleware.auth_token import _cache
 from keystonemiddleware.auth_token import _exceptions as exc
@ -122,6 +123,25 @@ class TestLiveMemcache(base.BaseAuthTokenTestCase):
        token_cache.set(token, data)
        self.assertEqual(token_cache.get(token), data)

+    @mock.patch("keystonemiddleware.auth_token._memcache_crypt.unprotect_data")
+    def test_corrupted_cache_data(self, mocked_decrypt_data):
+        mocked_decrypt_data.side_effect = Exception("corrupted")
+
+        conf = {
+            'memcached_servers': ','.join(MEMCACHED_SERVERS),
+            'memcache_security_strategy': 'encrypt',
+            'memcache_secret_key': 'mysecret'
+        }
+
+        token = uuid.uuid4().hex.encode()
+        data = uuid.uuid4().hex
+
+        token_cache = self.create_simple_middleware(conf=conf)._token_cache
+        token_cache.initialize({})
+
+        token_cache.set(token, data)
+        self.assertIsNone(token_cache.get(token))
+
    def test_sign_cache_data(self):
        conf = {
            'memcached_servers': ','.join(MEMCACHED_SERVERS),
--- a/releasenotes/notes/fix-cache-data-corrupted-issue-d1bd546625690581.yaml
+++ b/releasenotes/notes/fix-cache-data-corrupted-issue-d1bd546625690581.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    In situation of encryption using memcached. Its possible that data
+    in memcached becomes un-decryptable. The previous implementation
+    of token cache was not correctly handling the case.