Fix kms_keymaster under Python 3

Depending on how the key was stored in Barbican, it may come out of Castellan as a native string, which would not be suitable on Python 3. Now, check that the secret is a byte string, and if it isn't, encode as UTF-8 (to match Barbican's internal encoding). Change-Id: I6da047716c05e4f2a9e1e74ca19afb62e812d172 Closes-Bug: #1847755
2019-10-11 14:12:01 +02:00 · 2019-10-11 14:12:01 +02:00 · 85d3658d62
commit 85d3658d62
parent 29d46ca9f6
3 changed files with 17 additions and 3 deletions
--- a/swift/common/middleware/crypto/keymaster.py
+++ b/swift/common/middleware/crypto/keymaster.py
@ -214,6 +214,10 @@ class BaseKeyMaster(object):
        if self.active_secret_id not in self._root_secrets:
            raise ValueError('No secret loaded for active_root_secret_id %s' %
                             self.active_secret_id)
+        for secret_id, secret in self._root_secrets.items():
+            if not isinstance(secret, bytes):
+                raise ValueError('Secret with id %s is %s, not bytes' % (
+                    secret_id, type(secret)))

    @property
    def root_secret(self):
--- a/swift/common/middleware/crypto/kms_keymaster.py
+++ b/swift/common/middleware/crypto/kms_keymaster.py
@ -96,7 +96,10 @@ class KmsKeyMaster(BaseKeyMaster):
            except Exception:
                raise ValueError("Secret with key_id '%s' is not a symmetric "
                                 "key (type: %s)" % (key_id, str(type(key))))
-            root_secrets[secret_id] = key.get_encoded()
+            secret = key.get_encoded()
+            if not isinstance(secret, bytes):
+                secret = secret.encode('utf-8')
+            root_secrets[secret_id] = secret
        return root_secrets


--- a/test/unit/common/middleware/crypto/test_kms_keymaster.py
+++ b/test/unit/common/middleware/crypto/test_kms_keymaster.py
@ -129,7 +129,10 @@ class MockBarbicanKeyManager(object):
            raise ValueError(ERR_MESSAGE_SECRET_INCORRECTLY_SPECIFIED)
        elif key_id == TEST_KMS_NONE_KEY_ID:
            return None
-        key_str = (str(key_id[0]) * 32).encode('utf8')
+        if 'unicode' in key_id:
+            key_str = key_id[0] * 32
+        else:
+            key_str = (str(key_id[0]) * 32).encode('utf8')
        return MockBarbicanKey(key_str, key_id)


@ -806,6 +809,8 @@ class TestKmsKeymaster(unittest.TestCase):
        config.update({
            'key_id_foo': 'foo-valid_kms_key_id-123456',
            'key_id_bar': 'bar-valid_kms_key_id-123456',
+            'key_id_baz': 'zz-valid_unicode_kms_key_id-123456',
+            'key_id_non_ascii': u'\N{SNOWMAN}_unicode_key_id',
            'active_root_secret_id': 'foo'})

        # Set side_effect functions.
@ -825,7 +830,9 @@ class TestKmsKeymaster(unittest.TestCase):
        expected_secrets = {
            None: b'vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv',
            'foo': b'ffffffffffffffffffffffffffffffff',
-            'bar': b'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'}
+            'bar': b'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
+            'baz': b'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz',
+            'non_ascii': b'\xe2\x98\x83' * 32}
        self.assertDictEqual(self.app._root_secrets, expected_secrets)
        self.assertEqual(self.app.active_secret_id, 'foo')