+2 on the functionality (minor nit in that I think the assert statement for checking belongs_to is incorrectly indented)
Henry
On 20 Feb 2013, at 05:06, Adam Young wrote:
> ** Patch added: "validate-from-backend-grizzly-20130218-2.patch"
> https://bugs.launchpad.net/keystone/+bug/1129713/+attachment/3537581/+files/validate-from-backend-grizzly-20130218-2.patch
>
> --
> You received this bug notification because you are a member of Keystone
> Core Developers, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1129713
>
> Title:
> Validation of PKI tokens bypasses revocation check
>
> Status in OpenStack Identity (Keystone):
> Confirmed
>
> Bug description:
> for PKI tokens, we are bypassing token.get_token() call and therefore
> skipping the “valid=True” check.
>
> In Grizzly, this code is in keystone/token/controllers.py
> In Folsom, this code is in keystone/service.py
>
> The if block bypasses the backend check. It is in the backend where
> tokens are checked for revocation.
>
> def _get_token_ref(self, context, token_id, belongs_to=None):
>     """Returns a token if a valid one exists.
>
>     Optionally, limited to a token owned by a specific tenant.
>
>     """
>     # TODO(termie): this stuff should probably be moved to middleware
>     self.assert_admin(context)
>
>     if cms.is_ans1_token(token_id):
>         data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
>                                          CONF.signing.certfile,
>                                          CONF.signing.ca_certs))
>         data['access']['token']['user'] = data['access']['user']
>         data['access']['token']['metadata'] = data['access']['metadata']
>         if belongs_to:
>             assert data['access']['token']['tenant']['id'] == belongs_to
>         token_ref = data['access']['token']
>     else:
>         token_ref = self.token_api.get_token(context=context,
>                                              token_id=token_id)
>     return token_ref
>
> The exposure is limited to people that are passing the whole PKI token
> back for validation via the web service.
>
> These PKI tokens were supposed to be validated primarily via Crypto,
> but there is an option to validate them against the live server as
> well. It is only this last code path that is affected. It is
> unlikely to be triggered in Folsom, as people have to make a
> deliberate decision to use PKI tokens, and are unlikely to be
> validating them against the Keystone server.
>
> Remote services can choose to pass a Hash of the PKI token to the
> validate Web API, which web services are likely to do, as the Hash is
> short enough to fit in a cookie. The Hash is then looked up using
> the backend get_token() behavior and works correctly.
>
> It does not affect the keystone calls that first require validating
> the token. For example if a user runs tenant_list against their own
> account, using a PKI token, they do
>
>     token_ref = self.token_api.get_token(context=context,
>                                          token_id=context['token_id'])
>
> This was discovered by Guang Yee.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1129713/+subscriptions
>
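The failure mode in the quoted bug, as an added, self-contained example; this is not Keystone's code, the reporter's code, or the attached patch. It assumes a stand-in environment: an HMAC-SHA256 tag plays the role of the CMS signature that cms.cms_verify checks, an in-memory TokenBackend plays the role of token_api.get_token() with its valid=True filter, and tokens are keyed in the backend by the SHA-256 of the full token blob, mirroring the "pass a hash of the PKI token" path described above. All names (vulnerable_get_token_ref, fixed_get_token_ref, TokenBackend, outcome, demo) are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed key; stands in for the CMS signing certificate and CA bundle.
SIGNING_KEY = b"constructed-example-signing-key"


class TokenInvalid(Exception):
    """Bad signature, unknown token, expired token, or wrong tenant."""


class TokenRevoked(TokenInvalid):
    """Token is present in the revocation set."""


def _hash_token(token_id):
    # Services may hand the validator this hash instead of the full blob.
    return hashlib.sha256(token_id.encode()).hexdigest()


def is_pki_token(token_id):
    # Full token = JSON body + "." + hex tag; a bare hash is hex only.
    return token_id.startswith("{")


def cms_verify(token_id):
    """Stand-in for cms.cms_verify: check the tag and return the payload.

    This proves integrity and origin only; it knows nothing about revocation.
    """
    body, _, tag = token_id.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise TokenInvalid("bad signature")
    return json.loads(body)


class TokenBackend:
    """Stand-in for token_api: issued tokens keyed by hash, plus revocations."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}
        self._revoked = set()

    def issue(self, user, tenant, ttl=3600):
        payload = {"user": user, "tenant": tenant,
                   "expires": int(self._now()) + ttl}
        body = json.dumps(payload, sort_keys=True)
        tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        token_id = body + "." + tag
        self._tokens[_hash_token(token_id)] = payload
        return token_id

    def revoke(self, token_id):
        self._revoked.add(_hash_token(token_id))

    def get_token(self, token_id):
        """The valid=True check: known, not revoked, not expired."""
        key = _hash_token(token_id) if is_pki_token(token_id) else token_id
        if key in self._revoked:
            raise TokenRevoked("token revoked")
        ref = self._tokens.get(key)
        if ref is None:
            raise TokenInvalid("unknown token")
        if ref["expires"] <= self._now():
            raise TokenInvalid("token expired")
        return ref


def vulnerable_get_token_ref(backend, token_id, belongs_to=None):
    """Shape of the reported code: the PKI branch never reaches the backend."""
    if is_pki_token(token_id):
        data = cms_verify(token_id)              # integrity only
        if belongs_to:
            assert data["tenant"] == belongs_to  # stripped under python -O
        return data
    return backend.get_token(token_id)


def fixed_get_token_ref(backend, token_id, belongs_to=None):
    """Verify the signature when a full token is offered, then always consult
    the backend so revocation and expiry are enforced on every path."""
    if is_pki_token(token_id):
        cms_verify(token_id)                     # reject forgeries early
    ref = backend.get_token(token_id)            # raises if revoked/expired
    if belongs_to and ref["tenant"] != belongs_to:
        raise TokenInvalid("token does not belong to tenant %s" % belongs_to)
    return ref


def outcome(fn, *args, **kwargs):
    """Return ("ok", ref) or ("error", ExceptionName) for a validation call."""
    try:
        return ("ok", fn(*args, **kwargs))
    except TokenInvalid as exc:
        return ("error", type(exc).__name__)


def demo():
    """Issue a token, revoke it, and validate it through both code paths."""
    backend = TokenBackend()
    tok = backend.issue("alice", "tenant-a")
    backend.revoke(tok)
    return {
        "vulnerable_full_token": outcome(vulnerable_get_token_ref, backend, tok),
        "vulnerable_hash": outcome(vulnerable_get_token_ref, backend, _hash_token(tok)),
        "fixed_full_token": outcome(fixed_get_token_ref, backend, tok),
        "fixed_hash": outcome(fixed_get_token_ref, backend, _hash_token(tok)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the asymmetry the report describes: the revoked token is still accepted by vulnerable_get_token_ref when the full blob is sent, but rejected when only its hash is sent, because only the hash path reaches the backend. The fixed variant also replaces the belongs_to assert with an explicit exception, since assert statements are removed when Python runs with -O and should never carry an authorization check.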