Comment 10 for bug 1129713

Henry Nash (henry-nash) wrote : Re: [Bug 1129713] Validation of PKI tokens bypasses revocation check

+2 on the functionality (minor nit in that I think the assert statement for checking belongs_to is incorrectly indented)

Henry
On 20 Feb 2013, at 05:06, Adam Young wrote:

> ** Patch added: "validate-from-backend-grizzly-20130218-2.patch"
> https://bugs.launchpad.net/keystone/+bug/1129713/+attachment/3537581/+files/validate-from-backend-grizzly-20130218-2.patch
>
> --
> You received this bug notification because you are a member of Keystone
> Core Developers, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1129713
>
> Title:
> Validation of PKI tokens bypasses revocation check
>
> Status in OpenStack Identity (Keystone):
> Confirmed
>
> Bug description:
> for PKI tokens, we are bypassing token.get_token() call and therefore
> skipping the “valid=True” check.
>
> In Grizzly, this code is in keystone/token/controllers.py
> In Folsom, this code is in keystone/service.py
>
> The if block bypasses the backend check. It is in the backend where
> tokens are checked for revocation.
>
>     def _get_token_ref(self, context, token_id, belongs_to=None):
>         """Returns a token if a valid one exists.
>
>         Optionally, limited to a token owned by a specific tenant.
>
>         """
>         # TODO(termie): this stuff should probably be moved to middleware
>         self.assert_admin(context)
>
>         if cms.is_ans1_token(token_id):
>             data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
>                                              CONF.signing.certfile,
>                                              CONF.signing.ca_certs))
>             data['access']['token']['user'] = data['access']['user']
>             data['access']['token']['metadata'] = data['access']['metadata']
>             if belongs_to:
>                 assert data['access']['token']['tenant']['id'] == belongs_to
>             token_ref = data['access']['token']
>         else:
>             token_ref = self.token_api.get_token(context=context,
>                                                  token_id=token_id)
>         return token_ref
>
> The exposure is limited to people that are passing the whole PKI token
> back for validation via the web service.
>
> These PKI tokens were supposed to be validated primarily via Crypto,
> but there is an option to validate them against the live server as
> well. It is only this last code path that is affected. It is
> unlikely to be triggered in Folsom, as people have to make a
> deliberate decision to use PKI tokens, and are unlikely to be
> validating them against the Keystone server.
>
> Remote services can choose to pass a Hash of the PKI token to the
> validate Web API, which web services are likely to do, as the Hash is
> short enough to fit in a cookie. The Hash is then looked up using
> the backend get_token() behavior and works correctly.
>
> It does not affect the keystone calls that first require validating
> the token. For example if a user runs tenant_list against their own
> account, using a PKI token, they do
>
>     token_ref = self.token_api.get_token(context=context,
>                                          token_id=context['token_id'])
>
> This was discovered by Guang Yee.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1129713/+subscriptions
>
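Added illustration of the gap the bug describes, written for this page and not taken from Keystone or from the attached patch. It keeps the shape of the quoted `_get_token_ref` but replaces the real pieces with constructed stand-ins: an HMAC tag and a `PKI.` prefix stand in for CMS signing and `cms.is_ans1_token()`, `FakeTokenBackend` stands in for `token_api` (its `get_token()` refuses a token whose `valid` flag is False, as the bug says the backend does), and `hash_token()` is an assumed SHA-256 short id for the backend lookup. The vulnerable path returns a revoked PKI token as good because it never reaches the backend; the fixed path keeps the signature check and then also consults the backend, and replaces the `belongs_to` assert with an explicit check since `assert` is stripped under `python -O`. How the actual patch implements the fix is not shown on the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed key standing in for Keystone's CMS signing certificate/key.
SIGNING_KEY = b"constructed-demo-key"
PKI_PREFIX = "PKI."  # constructed marker replacing cms.is_ans1_token() sniffing


class TokenNotFound(Exception):
    """Backend has no record of this token id."""


class TokenRevoked(Exception):
    """Backend has the token but its valid flag is False."""


class TenantMismatch(Exception):
    """belongs_to does not match the tenant inside the token."""


def issue_pki_token(access):
    """Mint a constructed 'PKI' token: base64 JSON payload + HMAC tag
    (stand-in for CMS signing; the real thing is an X.509 signature)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(access, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{PKI_PREFIX}{payload}.{tag}"


def is_pki_token(token_id):
    return token_id.startswith(PKI_PREFIX)


def cms_verify_stub(token_id):
    """Stand-in for cms.cms_verify(): reject a bad tag, return the payload."""
    payload, _, tag = token_id[len(PKI_PREFIX):].rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature check failed")
    return json.loads(base64.urlsafe_b64decode(payload))


def hash_token(token_id):
    """Assumed short backend id for a PKI token (the bug notes services may
    pass a hash instead of the full token); SHA-256 is a constructed choice."""
    return hashlib.sha256(token_id.encode()).hexdigest()


class FakeTokenBackend:
    """Constructed in-memory token store; revocation flips valid to False and
    get_token() refuses such tokens, which is where the real check lives."""

    def __init__(self):
        self._tokens = {}

    def store(self, token_id, token_ref):
        self._tokens[token_id] = dict(token_ref, valid=True)

    def revoke(self, token_id):
        self._tokens[token_id]["valid"] = False

    def get_token(self, token_id):
        ref = self._tokens.get(token_id)
        if ref is None:
            raise TokenNotFound(token_id)
        if not ref["valid"]:
            raise TokenRevoked(token_id)
        return ref


def get_token_ref_vulnerable(backend, token_id, belongs_to=None):
    """Shape of the quoted Grizzly code: the PKI branch trusts the signature
    alone and never calls backend.get_token(), so revocation is skipped."""
    if is_pki_token(token_id):
        data = cms_verify_stub(token_id)
        data["access"]["token"]["user"] = data["access"]["user"]
        data["access"]["token"]["metadata"] = data["access"]["metadata"]
        if belongs_to:
            assert data["access"]["token"]["tenant"]["id"] == belongs_to
        token_ref = data["access"]["token"]
    else:
        token_ref = backend.get_token(token_id)
    return token_ref


def get_token_ref_fixed(backend, token_id, belongs_to=None):
    """Illustrative fix: verify the signature (rejects forgeries), then also
    consult the backend under the token's hash (rejects revoked tokens)."""
    if is_pki_token(token_id):
        data = cms_verify_stub(token_id)
        backend.get_token(hash_token(token_id))  # raises if revoked/unknown
        token_ref = data["access"]["token"]
        token_ref["user"] = data["access"]["user"]
        token_ref["metadata"] = data["access"]["metadata"]
    else:
        token_ref = backend.get_token(token_id)
    # Explicit check instead of assert: assert disappears under `python -O`.
    if belongs_to and token_ref["tenant"]["id"] != belongs_to:
        raise TenantMismatch(belongs_to)
    return token_ref


def demo():
    """Issue a PKI token, revoke it, validate via both paths.
    Returns (vulnerable path still accepts it, fixed path rejects it)."""
    backend = FakeTokenBackend()
    access = {"access": {"token": {"id": "tok-1", "tenant": {"id": "tenant-a"}},
                         "user": {"id": "user-1"}, "metadata": {}}}
    token = issue_pki_token(access)
    backend.store(hash_token(token), access["access"]["token"])
    backend.revoke(hash_token(token))
    accepted_by_vulnerable = get_token_ref_vulnerable(backend, token) is not None
    try:
        get_token_ref_fixed(backend, token)
        rejected_by_fixed = False
    except TokenRevoked:
        rejected_by_fixed = True
    return accepted_by_vulnerable, rejected_by_fixed


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The detection-side takeaway is the same as the bug's: any validation path that can return a token without touching the store that records revocation needs to be audited, because the cryptographic check only proves the token was issued, not that it is still live.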