is_revoked bails out on first unrelated branch
Bug #1294292 reported by
Yuriy Taraday
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
High
|
Adam Young | ||
Bug Description
When verifying if token is revoked using revocation tree, is_revoked immediately returns False if on another level we get first tree in a bundle that has no branches related to the token.
This happens because new bundle is verified too early. This check needs to be shifted to upper level.
Example:
* create a token for one user in some project;
* revoke some other user's tokens;
* revoke this user's tokens in the same project.
The token created in the first step will still be considered valid.
| Changed in keystone: | |
| assignee: | nobody → Yuriy Taraday (yorik-sar) |
Revision history for this message
| Adam Young (ayoung) wrote | #1 |
| Changed in keystone: | |
| milestone: | none → icehouse-rc1 |
| importance: | Undecided → High |
| description: | updated |
| Changed in keystone: | |
| status: | New → In Progress |
Revision history for this message
| Dolph Mathews (dolph) wrote | #2 |
| Changed in keystone: | |
| assignee: | Yuriy Taraday (yorik-sar) → Adam Young (ayoung) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #3 |
| Changed in keystone: | |
| status: | In Progress → Fix Committed |
| Changed in keystone: | |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | icehouse-rc1 → 2014.1 |
To post a comment you must log in.
One variation of this I have seen is where a user has a project/role revoked, then gets a token for a second project/role. If the whole user is then disabled, the token is would not be considered invalid.
and a token comes in with a different role/project in it.