Keystone v2.0 api accepts tokens deleted with v3 api

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

The attached patch illustrates the steps described in the bug description (creating a scoped v2 token, deleting the token using v3, and then exercising the token against v2). The test runs with PKI, PKIZ and UUID tokens. It passes successfully, so I'm unable to reproduce this issue. Please review the attached patch and let me know if I'm missing any details.

In re-reviewing my patch this morning, I noticed I left a bit of sanity-check debugging in the proposed test (the first admin_request() under "Attempting to use the deleted token on v2 should fail" bypasses authentication and therefore makes an unauthenticated request to a privileged v2 resource, thus trivially expecting a 401).

The attached patch removes that extraneous call and makes the neighboring call easier to read by passing `token=v2_token` (instead of manually building headers).

This test isn't functionally different in any relevant way, I just wanted to provide a patch without the above distractions.

Josh, can you provide more precise steps in order to reproduce this bug report ?

Unless someone objects, we will remove the ossa task and open this bug report by the end of the week.

No objections here. Sorry for lack of response, I don't really have more
detailed information :/

On Mon, Jul 6, 2015 at 9:52 AM, Tristan Cacqueray <email address hidden>
wrote:

> Unless someone objects, we will remove the ossa task and open this bug
> report by the end of the week.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1464377
>
> Title:
> Keystone v2.0 api accepts tokens deleted with v3 api
>
> Status in OpenStack Identity (Keystone):
> Incomplete
> Status in OpenStack Security Advisories:
> Incomplete
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> Keystone tokens that are deleted using the v3 api are still accepted by
> the v2 api. Steps to reproduce:
>
> 1. Request a scoped token as a member of a tenant.
> 2. Delete it using DELETE /v3/auth/tokens
> 3. Request the tenants you can access with GET v2.0/tenants
> 4. The token is accepted and keystone returns the list of tenants
>
> The token was a PKI token. Admin tokens appear to be deleted correctly.
> This could be a problem if a user's access needs to be revoked but they
> are still able to access v2 functions.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1464377/+subscriptions
>

Related fix proposed to branch: master
Review: https://review.openstack.org/201738

Related fix proposed to branch: stable/kilo
Review: https://review.openstack.org/201741

Related fix proposed to branch: stable/juno
Review: https://review.openstack.org/201742

Proposed the above test to all three security-supported branches as Related-Bug, but leaving this bug as Incomplete, unless more details emerge.

Reviewed: https://review.openstack.org/201738
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0941a5e46391bfeecac1247d12604fcb78047cb7
Submitter: Jenkins
Branch: master

commit 0941a5e46391bfeecac1247d12604fcb78047cb7
Author: Dolph Mathews <email address hidden>
Date: Thu Jun 11 22:27:06 2015 +0000

    Test v2 tokens being deleted by v3

    This test illustrates that v2 tokens deleted by v3 do not work on v2.

    Change-Id: Ia87fc785afe624fde0ad191cc6f031eb7605096e
    Related-Bug: 1464377

[Expired for Keystone because there has been no activity for 60 days.]

Reviewed: https://review.openstack.org/201742
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=37b53ed54caa376b49e619c731fa451bbd0ce523
Submitter: Jenkins
Branch: stable/juno

commit 37b53ed54caa376b49e619c731fa451bbd0ce523
Author: Dolph Mathews <email address hidden>
Date: Thu Jun 11 22:27:06 2015 +0000

    Test v2 tokens being deleted by v3

    This test illustrates that v2 tokens deleted by v3 do not work on v2.

    Change-Id: Ia87fc785afe624fde0ad191cc6f031eb7605096e
    Related-Bug: 1464377
    (cherry picked from commit 0941a5e46391bfeecac1247d12604fcb78047cb7)

Reviewed: https://review.openstack.org/201741
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=385877d3b7a4339dbc90d3d70de6ff30184db986
Submitter: Jenkins
Branch: stable/kilo

commit 385877d3b7a4339dbc90d3d70de6ff30184db986
Author: Dolph Mathews <email address hidden>
Date: Thu Jun 11 22:27:06 2015 +0000

    Test v2 tokens being deleted by v3

    This test illustrates that v2 tokens deleted by v3 do not work on v2.

    Change-Id: Ia87fc785afe624fde0ad191cc6f031eb7605096e
    Related-Bug: 1464377
    (cherry picked from commit 0941a5e46391bfeecac1247d12604fcb78047cb7)