Fernet tokens do not maintain expires time across rescope (V2 tokens)

Bug #1469563 reported by Morgan Fainberg on 2015-06-28
This bug affects 2 people
Affects: OpenStack Identity (keystone) | Importance: High | Assigned to: Lance Bragstad
Affects: Kilo | Importance: High | Assigned to: Dolph Mathews

Bug Description

Fernet tokens do not maintain the expiration time when rescoping tokens.

Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: fernet
summary: - Fernet tokens do not maintain expires time across rescope
+ Fernet tokens do not maintain expires time across rescope (V2 tokens)
Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
Lance Bragstad (lbragstad) wrote :

I can reproduce this.

Here is an authentication response using passwordCredentials and the uuid provider: http://cdn.pasteraw.com/ve3ghqtx670q92a7tkz45lq4vzjrx7

Here is the response authenticating with the token above (rescoping): http://cdn.pasteraw.com/891ceexx0j1k5nom2muemdawdt4o6l2

The original token and the rescoped tokens both expire at 2015-06-29T15:59:21Z

The following is an authentication response using the fernet provider: http://cdn.pasteraw.com/8wtpp3b98ci647dgr5zg0j2py336tkb

The fernet token should expire at 2015-06-29T15:55:34.952246Z. The response from rescoping the fernet token bumps the expiration to 2015-06-29T15:56:09.663074Z : http://cdn.pasteraw.com/nud9m8000yyusa6ntqy2234ko8cnbwf

Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Lance Bragstad (lbragstad)
Dolph Mathews (dolph) wrote :

https://review.openstack.org/#/c/192739/ includes a new test called test_rescoping_token() which should be triggering this behavior, but it's running into bug 1459790 instead of the issue described here, even when I add a time.sleep() to the parent class' test. The microseconds simply differ between a zero and non-zero value, because Fernet cannot persist microseconds.

If this issue is truly distinct from bug 1459790, how do we reproduce it that differs from test_rescoping_token()?

Changed in keystone:
milestone: liberty-2 → liberty-3

Reviewed: https://review.openstack.org/196475
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e641c40b680bd4b68b5e319831c47473e6f7754e
Submitter: Jenkins
Branch: master

commit e641c40b680bd4b68b5e319831c47473e6f7754e
Author: Morgan Fainberg <email address hidden>
Date: Sun Jun 28 13:30:40 2015 -0700

    Maintain the expiry of v2 fernet tokens

    The v2 fernet provider didn't carry the expiration of a token from its
    parent token when handling a rescope. This means that a rescope of fernet
    tokens could extend the session indefinitely.

    Change-Id: Id1ec725fd89cd32260b7be4eead24a0fc84abfe1
    closes-bug: #1469563
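
A minimal model of the behaviour the commit message describes, added here as an illustration and not keystone's code: `issue`, `classify_rescope`, `session_length` and the one-hour `TTL` are hypothetical names and values. The check compares expiry at whole-second precision, so the microsecond truncation discussed in the comments above is not reported as an extension.

```python
from datetime import datetime, timedelta

TTL = timedelta(hours=1)  # assumed token lifetime for this model


def parse(ts):
    """Parse the ISO 8601 'Z' timestamps shown in the token responses."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def issue(now, parent=None, carry_expiry=True):
    """Toy issuer. carry_expiry=False models the reported behaviour."""
    if parent is not None and now >= parent["expires_at"]:
        raise ValueError("parent token already expired")
    if parent is not None and carry_expiry:
        expires_at = parent["expires_at"]      # rescope inherits the expiry
    else:
        expires_at = now + TTL                 # fresh lifetime
    return {"issued_at": now, "expires_at": expires_at}


def classify_rescope(parent_expires, child_expires):
    """Compare at whole-second precision, since Fernet drops microseconds."""
    p = parent_expires.replace(microsecond=0)
    c = child_expires.replace(microsecond=0)
    if c > p:
        return "extended"
    return "preserved" if c == p else "shortened"


def session_length(hops, step, carry_expiry):
    """Rescope `hops` times, `step` apart; return total reachable lifetime."""
    start = parse("2015-06-28T15:55:34Z")      # constructed start time
    token = issue(start)
    for i in range(1, hops + 1):
        token = issue(start + i * step, parent=token, carry_expiry=carry_expiry)
    return token["expires_at"] - start


if __name__ == "__main__":
    # Expiry values reported for the fernet provider in the comment above.
    print(classify_rescope(parse("2015-06-29T15:55:34.952246Z"),
                           parse("2015-06-29T15:56:09.663074Z")))
    print(session_length(10, timedelta(minutes=30), carry_expiry=False))
```

With `carry_expiry=True` the same rescope chain stops once the original expiry passes, because `issue` refuses an expired parent.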

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/214641
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8bd9b221807ffbce2a52861f14ecf503fdc644a6
Submitter: Jenkins
Branch: stable/kilo

commit 8bd9b221807ffbce2a52861f14ecf503fdc644a6
Author: Morgan Fainberg <email address hidden>
Date: Sun Jun 28 13:30:40 2015 -0700

    Maintain the expiry of v2 fernet tokens

    The v2 fernet provider didn't carry the expiration of a token from its
    parent token when handling a rescope. This means that a rescope of fernet
    tokens could extend the session indefinitely.

    Change-Id: Id1ec725fd89cd32260b7be4eead24a0fc84abfe1
    closes-bug: #1469563
    (cherry picked from commit e641c40b680bd4b68b5e319831c47473e6f7754e)

Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-3 → 8.0.0
no longer affects: keystone/liberty