Fernet tokens don't return audit_ids

Bug #1428829 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Dolph Mathews

Bug Description

The Fernet token formatters accidentally pop the audit_ids from the token_data [1]. The audit_ids shouldn't be removed from the token_data because we need them in the response.

[1] https://github.com/openstack/keystone/blob/d36e499a837074d65365ffa440470516c64e2ab6/keystone/token/providers/fernet/token_formatters.py#L126

Lance Bragstad (lbragstad) wrote :

Patch is already proposed that will fix this:

https://review.openstack.org/#/c/161855/

description: updated
tags: added: fernet
Changed in keystone:
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → Dolph Mathews (dolph)
Dolph Mathews (dolph)
tags: added: security
Changed in keystone:
milestone: none → kilo-3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/162196

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/161855
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=13f7cf70d59e5d865200f505db085a57eb3ba1eb
Submitter: Jenkins
Branch: master

commit 13f7cf70d59e5d865200f505db085a57eb3ba1eb
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 19:36:08 2015 +0000

    Refactor: remove token formatters dep on 'token_data' on create()

    The calling module already has to understand how token_data is composed,
    so there's no reason for the token formatters create() method to work
    with such complex data. This patch ensures that token formatters only
    see primitive strings (of datetimes, audit IDs, and trust IDs) when
    creating tokens, which they're free to encode however they wish.

    The subsequent patch removes the same dependency in validate().

    As part of this refactor, bug 1428829 is also addressed by simplifying
    how audit_ids are handled (they're not mutated any more than strictly
    necessary).

    Change-Id: Ia07c57ef183d188acea7fc1f731b94a8792c2875
    Closes-Bug: 1428829
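
The failure mode this bug describes, next to the shape of the fix in the commit message, as an added example that is not keystone's code. The function names, the sample token_data, and the base64/JSON encoding standing in for Fernet encryption are all assumptions.

```python
import base64
import json


def _encode(payload):
    # Stand-in for the Fernet encryption step; only the data flow matters here.
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def create_token_mutating(token_data):
    """Before: the formatter digs into token_data and pops what it needs."""
    body = token_data["token"]
    audit_ids = body.pop("audit_ids")  # side effect: the caller's dict loses the key
    return _encode([body["user"]["id"], body["expires_at"], audit_ids])


def create_token_primitives(user_id, expires_at, audit_ids):
    """After: the formatter only sees primitives and copies the list it is given."""
    return _encode([user_id, expires_at, list(audit_ids)])


def issue_token(formatter_style):
    """Hypothetical provider: build token_data, get a token ID, return both."""
    token_data = {"token": {  # constructed sample data
        "user": {"id": "u-constructed-1"},
        "expires_at": "2015-03-05T20:36:08Z",
        "audit_ids": ["constructed-audit-id"],
    }}
    body = token_data["token"]
    if formatter_style == "mutating":
        token_id = create_token_mutating(token_data)
    else:
        token_id = create_token_primitives(
            body["user"]["id"], body["expires_at"], body["audit_ids"])
    # token_data is what the API would serialize as the response body.
    return token_id, token_data


def audit_ids_in_response(formatter_style):
    _, response = issue_token(formatter_style)
    return response["token"].get("audit_ids")


def audit_ids_in_token(token_id):
    return json.loads(base64.urlsafe_b64decode(token_id))[2]


if __name__ == "__main__":
    for style in ("mutating", "primitives"):
        print(style, "-> response audit_ids:", audit_ids_in_response(style))
```

Both formatters produce the same token; only the caller's response body differs, which is why a test that inspects just the token ID would not catch the regression.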

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0