Fernet tokens with base64 padding are not URL-safe

Bug #1433372 reported by Lance Bragstad on 2015-03-18
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Dolph Mathews
keystonemiddleware
Undecided
Unassigned

Bug Description

The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.

This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].

[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py

tags: added: fernet
description: updated
description: updated
description: updated
Lance Bragstad (lbragstad) wrote :

We are also safe_quote'ing things that are being passed in the headers, which I'm not entirely sure we need to do?

https://github.com/openstack/python-keystoneclient/blob/fc1f5a7963adb3c39f48131af5117bfafa3b07e7/keystoneclient/middleware/auth_token.py#L1127

Fix proposed to branch: master
Review: https://review.openstack.org/165269

Changed in keystonemiddleware:
assignee: nobody → Lance Bragstad (lbragstad)
status: New → In Progress
Dolph Mathews (dolph) wrote :

As it turns out, the output of base64.urlsafe_b64encode() is not actually URL-safe if the result includes padding. The padding character is '=' which must be percent-encoded.

The result is that "valid" tokens are being made URL-friendly by some defensive code in keystonemiddleware, and are thus made unusable by keystone during validation.

  https://travis-ci.org/dolph/keystone-deploy/builds/54734386

If keystone emitted URL-safe tokens in the first place, the defensive code in keystonemiddleware wouldn't be triggered, and everything works properly.

Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but apparently due to a different cause.

summary: - safe_quote doesn't work for Fernet/PKI/PKIz tokens
+ Fernet tokens with base64 padding are not URL-safe
Changed in keystone:
importance: Undecided → High
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: New → In Progress
Changed in keystone:
milestone: none → kilo-rc1

Reviewed: https://review.openstack.org/165279
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=68a54c2cf1a7210abae9292aede5737203eb733a
Submitter: Jenkins
Branch: master

commit 68a54c2cf1a7210abae9292aede5737203eb733a
Author: Dolph Mathews <email address hidden>
Date: Wed Mar 18 03:18:31 2015 +0000

    URL quote Fernet tokens

    The padding in base64.urlsafe_b64encode()'s output is not actually URL
    safe, so you have to quote the result when it's of variable length.

    In addition, Fernet tokens can always be handled as bytes, despite being
    passed in from json.loads() as Unicode.

    Change-Id: I72dbd4ddc066706f6af6ea2f2bcd5f0a6cb9b30c
    Closes-Bug: 1433372
    Closes-Bug: 1431669

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-04-07
Changed in keystone:
status: Fix Committed → Fix Released

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/165269
Reason: abandon in favor of https://review.openstack.org/#/c/165279/

Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0
Changed in keystonemiddleware:
assignee: Lance Bragstad (lbragstad) → nobody
Lance Bragstad (lbragstad) wrote :

Closing in favor of a keystone fix - https://bugs.launchpad.net/keystone/+bug/1491926

Changed in keystonemiddleware:
status: In Progress → Invalid

Reviewed: https://review.openstack.org/220242
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3e3a653f9c9ce0f9a7ba842eff118e5887eb388
Submitter: Jenkins
Branch: master

commit f3e3a653f9c9ce0f9a7ba842eff118e5887eb388
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 3 16:09:03 2015 +0000

    Remove padding from Fernet tokens

    Fernet tokens were previously percent encoded. This can cause issues with
    clients doing their own encoding or not. By removing the padding and then
    re-establishing it when we validate the token, we don't present that problem to
    clients. This also shortens the length of a Fernet token.

    Change-Id: I674bad86ccc9027ac3b365c10b3b142fc9d73c17
    Related-Bug: 1433372
    Closes-Bug: 1491926

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/221799
Reason: no change in 60 days after a negative review, marking this as abandoned, please feel free to restore

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers