Revoking an unscoped token does not revoke all tokens scoped from the unscoped token
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Won't Fix | Medium | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
If you create an unscoped token (A) and then use token A to create a project-scoped token (B), you now have:
    token (A) [audit_id] = audit_id_a
    token (A) [audit_chain_id] = [audit_id_a]
    token (B) [audit_id] = audit_id_b
    token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you revoke token A, then token B should also become invalid. Currently this is not the case, for two reasons.
First, there is a bug in revoke_models that prevents the chain match from ever succeeding: a stray trailing comma accidentally turns the list into a list wrapped in a tuple, so the membership test compares against the tuple rather than the list:
https:/
This needs to have the comma removed from
not in (token_
The second, and main, reason is that this functionality is never exposed to the user; in the code the chain revocation path is never run here:
https:/
because the revoke_chain=False parameter is never set to True by any call anywhere in the code.
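The following is an added illustration, not keystone's own code, that models the audit chain described above so the two failure modes can be seen side by side: a plain revocation of A leaves B valid because nothing requests chain revocation, and even when chain revocation is requested, the trailing-comma membership check never matches. The `revoke_chain` flag and the `(chain,)` comparison are reconstructed from the report, not copied from keystone.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Token:
    audit_id: str
    audit_chain_id: List[str]  # root audit id first, own audit id last

@dataclass
class RevocationEvent:
    audit_id: Optional[str] = None        # revokes exactly one token
    audit_chain_id: Optional[str] = None  # revokes every token whose chain holds this id

def issue_unscoped(audit_id: str) -> Token:
    return Token(audit_id, [audit_id])

def issue_scoped_from(parent: Token, audit_id: str) -> Token:
    # A token derived from another inherits the parent's chain and appends its own id.
    return Token(audit_id, parent.audit_chain_id + [audit_id])

def revoke(token: Token, revoke_chain: bool = False) -> RevocationEvent:
    # The report's point: nothing in keystone ever passes revoke_chain=True (assumed signature).
    if revoke_chain:
        return RevocationEvent(audit_chain_id=token.audit_chain_id[0])
    return RevocationEvent(audit_id=token.audit_id)

def matches(event: RevocationEvent, token: Token, trailing_comma_bug: bool = False) -> bool:
    if event.audit_id is not None and event.audit_id == token.audit_id:
        return True
    if event.audit_chain_id is not None:
        chain = token.audit_chain_id
        if trailing_comma_bug:
            # Reconstructed defect: the stray comma makes this a test against a
            # one-element tuple containing the list, so a string id never matches.
            return not (event.audit_chain_id not in (chain,))
        return event.audit_chain_id in chain
    return False

def is_valid(token: Token, events: List[RevocationEvent], trailing_comma_bug: bool = False) -> bool:
    return not any(matches(e, token, trailing_comma_bug) for e in events)

if __name__ == "__main__":
    a = issue_unscoped("audit_id_a")
    b = issue_scoped_from(a, "audit_id_b")
    print("B valid after plain revoke of A:", is_valid(b, [revoke(a)]))              # True
    print("B valid after chain revoke, fixed check:", is_valid(b, [revoke(a, True)]))  # False
    print("B valid after chain revoke, buggy check:", is_valid(b, [revoke(a, True)], True))  # True
```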
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.