
Commit 2497586

committed
Update the VERSION
1 parent 89df3e1 commit 2497586


2 files changed

+41
-32
lines changed


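--- a/kmsauth/__init__.py
+++ b/kmsauth/__init__.py
@@ -247,15 +247,16 @@ def decrypt_token(self, username, token):
 '''
 Decrypt a token.
 '''
+time_start = datetime.datetime.utcnow()
 version, user_type, _from = self._parse_username(username)
 if (version > self.maximum_token_version or
 version < self.minimum_token_version):
 raise TokenValidationError('Unacceptable token version.')
 if self.stats:
-self.stats.incr('token_version_{0}'.format(version))
-self.stats.incr(f'cache_key.from.{_from}')
-self.stats.incr(f'cache_key.to.{self.to_auth_context}')
-self.stats.incr(f'cache_key.user_type.{user_type}')
+self.stats.incr('token_version_{version}')
+self.stats.incr(f'cache_key_from_{_from}')
+self.stats.incr(f'cache_key_to_{self.to_auth_context}')
+self.stats.incr(f'cache_key_user_type_{user_type}')
 try:
 token_key = '{0}{1}{2}{3}'.format(
 hashlib.sha256(ensure_bytes(token)).hexdigest(),
@@ -267,10 +268,10 @@ def decrypt_token(self, username, token):
 raise TokenValidationError('Authentication error.')
 if token_key not in self.TOKENS:
 if self.stats:
-self.stats.incr('token_cache.miss')
-self.stats.gauge('token_cache.size_at_miss', len(self.TOKENS))
+self.stats.incr('token_cache_miss')
+self.stats.gauge('token_cache_size_at_miss', len(self.TOKENS))
 if len(self.TOKENS) >= self.token_cache_size:
-self.stats.incr('token_cache.eviction')
+self.stats.incr('token_cache_eviction')
 
 try:
 token = base64.b64decode(token)
@@ -295,25 +296,27 @@ def decrypt_token(self, username, token):
 # Decrypt doesn't take KeyId as an argument. We need to verify
 # the correct key was used to do the decryption.
 # Annoyingly, the KeyId from the data is actually an arn.
-key_arn = data['KeyId']
-if user_type == 'service':
-if not self._valid_service_auth_key(key_arn):
-raise TokenValidationError(
-'Authentication error (wrong KMS key).'
-)
-elif user_type == 'user':
-if not self._valid_user_auth_key(key_arn):
-raise TokenValidationError(
-'Authentication error (wrong KMS key).'
-)
-else:
-raise TokenValidationError(
-'Authentication error. Unsupported user_type.'
-)
-plaintext = data['Plaintext']
-payload = json.loads(plaintext)
-key_alias = self._get_key_alias_from_cache(key_arn)
-ret = {'payload': payload, 'key_alias': key_alias}
+if self.stats:
+with self.stats.timer('kms_decrypt_token_post_validation'):
+key_arn = data['KeyId']
+if user_type == 'service':
+if not self._valid_service_auth_key(key_arn):
+raise TokenValidationError(
+'Authentication error (wrong KMS key).'
+)
+elif user_type == 'user':
+if not self._valid_user_auth_key(key_arn):
+raise TokenValidationError(
+'Authentication error (wrong KMS key).'
+)
+else:
+raise TokenValidationError(
+'Authentication error. Unsupported user_type.'
+)
+plaintext = data['Plaintext']
+payload = json.loads(plaintext)
+key_alias = self._get_key_alias_from_cache(key_arn)
+ret = {'payload': payload, 'key_alias': key_alias}
 except TokenValidationError:
 raise
 except (ConnectionError, EndpointConnectionError):
@@ -330,9 +333,12 @@ def decrypt_token(self, username, token):
 )
 else:
 if self.stats:
-self.stats.incr('token_cache.hit')
+self.stats.incr('token_cache_hit')
 ret = self.TOKENS[token_key]
+
 now = datetime.datetime.utcnow()
+if self.stats:
+self.stats.timing('decrypt_token_post_validation_duration', (now - time_start).total_seconds() * 1000) # noqa: E501
 try:
 not_before = datetime.datetime.strptime(
 ret['payload']['not_before'],
@@ -344,14 +350,14 @@ def decrypt_token(self, username, token):
 )
 except Exception:
 logging.exception(
-'Failed to get not_before and not_after from token payload.'
+'Failed to get not_before and not_after from token payload.' # noqa: E501
 )
 raise TokenValidationError(
 'Authentication error. Missing validity.'
 )
 delta = (not_after - not_before).seconds / 60
 if delta > self.auth_token_max_lifetime:
-logging.warning('Token used which exceeds max token lifetime.')
+logging.warning('Token used which exceeds max token lifetime.') # noqa: E501
 raise TokenValidationError(
 'Authentication error. Token lifetime exceeded.'
 )
@@ -361,9 +367,12 @@ def decrypt_token(self, username, token):
 'Authentication error. Invalid time validity for token.'
 )
 if self.stats:
-self.stats.incr('token_cache.set')
-self.stats.gauge('token_cache.size_at_set', len(self.TOKENS))
+self.stats.incr('token_cache_set')
+self.stats.gauge('token_cache_size_at_set', len(self.TOKENS)) # noqa: E501
 self.TOKENS[token_key] = ret
+duration = (datetime.datetime.utcnow() - now).total_seconds() * 1000
+if self.stats:
+self.stats.timing('decrypt_token_duration_last_set', duration) # noqa: E501
 return self.TOKENS[token_key]
 
 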
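Review bot: In the third hunk of `decrypt_token` (new lines 299-319), the KMS key check (`_valid_service_auth_key` / `_valid_user_auth_key`), the payload parse and the assignment of `ret` now appear to sit under `if self.stats:` / `with self.stats.timer(...)`, with no `else` branch among the added lines. The rendered page has lost indentation, so this is inferred from line order, but if it holds, a deployment without a stats client skips the wrong-key check and never binds `ret`, so the later `ret['payload']` lookup most likely fails and is reported as 'Missing validity' instead of a key error. Key validation should not depend on whether metrics are enabled; one option is `timer = self.stats.timer('kms_decrypt_token_post_validation') if self.stats else contextlib.nullcontext()` followed by `with timer:` around the unchanged block. Separately, in the first hunk `self.stats.incr('token_version_{version}')` lost `.format(version)` without gaining an `f` prefix, so it emits the literal metric name `token_version_{version}`; it should read `self.stats.incr(f'token_version_{version}')`. The function body starts and ends outside these hunks.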

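--- a/setup.py
+++ b/setup.py
@@ -13,7 +13,7 @@
 
 from setuptools import setup, find_packages
 
-VERSION = "0.6.3"
+VERSION = "0.6.4.dev1"
 
 requirements = [
 # Boto3 is the Amazon Web Services (AWS) Software Development Kit (SDK)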
