is_revoked bails out on first unrelated branch
Bug #1294292 reported by Yuriy Taraday
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Adam Young | |
Bug Description
When verifying if a token is revoked using the revocation tree, is_revoked immediately returns False if on another level we get a first tree in a bundle that has no branches related to the token.
This happens because the new bundle is verified too early. This check needs to be shifted to the upper level.
Example:
* create a token for one user in some project;
* revoke some other user's tokens;
* revoke this user's tokens in the same project.
The token created in the first step will still be considered valid.
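A simplified two-level model of the failure described above, added here as an illustration; it is not keystone's code. The level order, the function names and the sample users `alice` and `bob` are assumptions made for the sketch.

```python
# Simplified model of a revocation tree; NOT keystone's implementation.
LEVELS = ("project_id", "user_id")  # assumed level order for this sketch
LEAF = "revoked"                    # marker stored at the end of a path

def build_tree(events):
    """Insert each revocation event as a path; unset fields become '*'."""
    root = {}
    for event in events:
        node = root
        for name in LEVELS:
            node = node.setdefault("%s=%s" % (name, event.get(name, "*")), {})
        node[LEAF] = True
    return root

def _matches(tree, name, token):
    """Branches of one subtree that apply to the token at this level."""
    keys = ("%s=*" % name, "%s=%s" % (name, token[name]))
    return [tree[k] for k in keys if k in tree]

def is_revoked_buggy(root, token):
    partial = [root]
    for name in LEVELS:
        bundle = []
        for tree in partial:
            bundle.extend(_matches(tree, name, token))
            if not bundle:  # checked per subtree: too early
                return False
        partial = bundle
    return any(LEAF in t for t in partial)

def is_revoked_fixed(root, token):
    partial = [root]
    for name in LEVELS:
        bundle = []
        for tree in partial:
            bundle.extend(_matches(tree, name, token))
        if not bundle:  # checked once per level, after all subtrees
            return False
        partial = bundle
    return any(LEAF in t for t in partial)

# Constructed sample data following the three steps in the report.
TOKEN = {"user_id": "alice", "project_id": "proj1"}
EVENTS = [{"user_id": "bob"},                           # other user's tokens
          {"user_id": "alice", "project_id": "proj1"}]  # this user, same project
TREE = build_tree(EVENTS)
```

In this model the `project_id=*` subtree created by the unrelated revocation is visited first at the `user_id` level, so the early check returns before the subtree that holds the matching event is examined.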
Changed in keystone: | |
assignee: | nobody → Yuriy Taraday (yorik-sar) |
Changed in keystone: | |
milestone: | none → icehouse-rc1 |
importance: | Undecided → High |
description: | updated |
Changed in keystone: | |
status: | New → In Progress |
Changed in keystone: | |
assignee: | Yuriy Taraday (yorik-sar) → Adam Young (ayoung) |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | icehouse-rc1 → 2014.1 |
One variation of this I have seen is where a user has a project/role revoked, then gets a token for a second project/role. If the whole user is then disabled, the token would not be considered invalid.
and a token comes in with a different role/project in it.