Fernet tokens don't return audit_ids

Bug #1428829 reported by Lance Bragstad on 2015-03-05
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Dolph Mathews

Bug Description

The Fernet token formatters accidentally pop the audit_ids from the token_data [1]. The audit_ids shouldn't be removed from the token_data because we need them in the response.

[1] https://github.com/openstack/keystone/blob/d36e499a837074d65365ffa440470516c64e2ab6/keystone/token/providers/fernet/token_formatters.py#L126

Lance Bragstad (lbragstad) wrote :

Patch is already proposed that will fix this:

https://review.openstack.org/#/c/161855/

description: updated
tags: added: fernet
Changed in keystone:
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → Dolph Mathews (dolph)
Dolph Mathews (dolph) on 2015-03-05
tags: added: security
Changed in keystone:
milestone: none → kilo-3

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

Reviewed: https://review.openstack.org/161855
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=13f7cf70d59e5d865200f505db085a57eb3ba1eb
Submitter: Jenkins
Branch: master

commit 13f7cf70d59e5d865200f505db085a57eb3ba1eb
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 19:36:08 2015 +0000

    Refactor: remove token formatters dep on 'token_data' on create()

    The calling module already has to understand how token_data is composed,
    so there's no reason for the token formatters create() method to work
    with such complex data. This patch ensures that token formatters only
    see primitive strings (of datetimes, audit IDs, and trust IDs) when
    creating tokens, which they're free to encode however they wish.

    The subsequent patch removes the same dependency in validate().

    As part of this refactor, bug 1428829 is also addressed by simplifying
    how audit_ids are handled (they're not mutated any more than strictly
    necessary).

    Change-Id: Ia07c57ef183d188acea7fc1f731b94a8792c2875
    Closes-Bug: 1428829

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-03-19
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-3 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers