Trust unit tests should target additional threat scenarios

Bug #1347909 reported by Nathan Kinder
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Nathan Kinder

Bug Description

During the OpenStack Security Group Juno midcycle, some threat modelling work around Keystone trusts identified some threat scenarios that the existing unit tests do not cover. It should be made clear that these scenarios are handled correctly by Keystone form a security standpoint, but tests should be added to protect against regressions in these security sensitive areas.

Scenario 1:
-------------
The first scenario is related to deletion of a grant that has been previously delegated via a trust. We need to ensure that executing a trust for a role that the trustor no longer has is rejected. For example, consider the following chain of events:

- User A is granted 'somerole' on 'someproject'.
- User A creates a trust to delegate 'somerole' on 'someproject' to User B.
- The grant for 'somerole' on 'someproject' for user A is deleted.
- User B attempts to execute the trust, which should be rejected.

Scenario 2:
-------------
The second scenario is related to an attempt to use a trust token with impersonation to execute another trust as the impersonated user. We need to ensure that a trust token can't be used to execute another trust. For example, consider the following chain of events:

- User A creates a trust to delegate some roles to User B.
- User B creates a trust to delegate some roles to User C.
- User C successfully executes the trust to impersonate User B.
- User C uses the trust token that impersonates User B to attempt to execute the trust created by User A, which should be rejected.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109120

Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
Changed in keystone:
assignee: Nathan Kinder (nkinder) → Priti Desai (priti-desai)
Changed in keystone:
assignee: Priti Desai (priti-desai) → Nathan Kinder (nkinder)
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
tags: added: test-improvement
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/109120
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=23b2c8476051eacf3c4f08fbe32667886c7aa234
Submitter: Jenkins
Branch: master

commit 23b2c8476051eacf3c4f08fbe32667886c7aa234
Author: Nathan Kinder <email address hidden>
Date: Wed Jul 23 12:06:22 2014 -0700

    Trust unit tests should target additional threat scenarios

    This adds unit tests for two threat scenarios around the trust functionality
    that are not currently tested.

    The first scenario is related to deletion of a grant that has been previously
    delegated via a trust. We need to ensure that executing a trust for a role that
    the trustor no longer has is rejected.

    The second scenario is related to an attempt to use a trust token with
    impersonation to execute another trust as the impersonated user. We need to
    ensure that a trust token can't be used to execute another trust.

    SecurityImpact
    Closes-Bug: #1347909
    Change-Id: Ie1a0c286ff7e513cd964d4a93855230c78b98c6c

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.