Token Validation API returns 401 not 404 on invalid fernet token

Bug #1477600 reported by Vladimir Eremin on 2015-07-23
Affects                        Status  Importance  Assigned to       Milestone
OpenStack Identity (keystone)          Medium      Vladimir Eremin
Kilo                                   Medium      Dolph Mathews

Bug Description

Validate token API specifies 404 response for invalid Subject tokens:
 * http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
 * http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)

For Fernet tokens, this API returns 401 for invalid token:

curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}

I've checked the tests and found an incorrect one. API spec requires 404, test checks for 401 https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51

Looks like it's broken in one of these places:
 * Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L448
 * Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
 * Fernet token raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201

Note that UUID token raises 404 here as expected https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679

Also, note that in KSC auth middleware https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147 we expect 404 for invalid USER token, and 401 for invalid ADMIN token. So 401 for invalid user token makes middleware go for new admin token.
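An added Python sketch (not keystone's or python-keystoneclient's own code; the class and function names are hypothetical stand-ins, and the "retry once" loop is a simplification) of the status-code contract the report relies on: the middleware reads 404 as "the subject token is invalid" and 401 as "my admin token is stale", so a provider that answers 401 for a bad subject token triggers a needless admin re-authentication, while mapping every subject-token failure to 404 near the controller, as the fix does, avoids that.

```python
# Added illustration of the 401-vs-404 contract described in the bug report.
# Names are hypothetical stand-ins, not keystone's real classes or functions.

class TokenNotFound(Exception):
    """Maps to HTTP 404: the *subject* token is invalid or expired."""
    code = 404

class Unauthorized(Exception):
    """Maps to HTTP 401: the *caller's* (admin) token is not accepted."""
    code = 401

# Constructed sample data: the only subject token the fake provider accepts.
VALID_SUBJECT = {"good-token"}

def fernet_validate_before_fix(subject_token):
    # Behaviour reported in the bug: the Fernet formatter raises 401 itself
    # when the subject token cannot be decrypted or validated.
    if subject_token not in VALID_SUBJECT:
        raise Unauthorized()
    return {"user": "demo"}

def validate_fixed(subject_token, provider=fernet_validate_before_fix):
    # The fix: any failure to validate the subject token is reported as 404,
    # so 401 keeps its meaning of "the requesting admin token is bad".
    try:
        return provider(subject_token)
    except (Unauthorized, TokenNotFound):
        raise TokenNotFound()

def middleware_decision(validate, subject_token):
    """Simplified auth_token logic; returns (verdict, admin_reauths).

    404 -> the user's token is bad: reject the request outright.
    401 -> our admin token is bad: fetch a new one and retry once.
    """
    reauths = 0
    for _ in range(2):
        try:
            validate(subject_token)
            return ("accept", reauths)
        except TokenNotFound:
            return ("reject", reauths)
        except Unauthorized:
            reauths += 1  # middleware re-authenticates as admin and retries
    return ("reject-after-retry", reauths)
```

With the pre-fix provider a single bad user token costs the middleware an admin re-authentication before it gives up; with the fixed mapping it is rejected immediately.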

jiaxi (tjxiter) on 2015-07-23
Changed in keystone:
assignee: nobody → jiaxi (tjxiter)
description: updated
description: updated

Fernet should be raising a 404 itself, which should be caught and replaced with a 404 closer to the controller.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: fernet kilo-backport-potential
jiaxi (tjxiter) on 2015-07-23
Changed in keystone:
assignee: jiaxi (tjxiter) → nobody

Fix proposed to branch: master
Review: https://review.openstack.org/205554

Changed in keystone:
assignee: nobody → Vladimir Eremin (yottatsa)
status: Triaged → In Progress
Changed in keystone:
status: In Progress → Fix Committed

Fix Committed indicates that the fix has merged, not that it is still in review.

tags: removed: kilo-backport-potential
Changed in keystone:
status: Fix Committed → In Progress

Reviewed: https://review.openstack.org/205554
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7bdeef83535dafae8f3e1ba95ad661e90912938b
Submitter: Jenkins
Branch: master

commit 7bdeef83535dafae8f3e1ba95ad661e90912938b
Author: Vladimir Eremin <email address hidden>
Date: Thu Jul 23 18:55:54 2015 +0300

    Replace 401 to 404 when token is invalid

    According to specs, keystone should return 404 when token is invalid.
    This commit fixes it, and fixes validate_token return.

    Change-Id: Ia44ea94c6f72ab6f46c0799056d41deddcbfb051
    Closes-Bug: 1477600

Changed in keystone:
status: In Progress → Fix Committed
summary: - Token Validation API returns 401 not 404 on invalid token
+ Token Validation API returns 401 not 404 on invalid fernet token
Changed in keystone:
milestone: none → liberty-2
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/205130
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fb7f4a7ee1c0da299b00c8fb54870d1c37738b83
Submitter: Jenkins
Branch: stable/kilo

commit fb7f4a7ee1c0da299b00c8fb54870d1c37738b83
Author: Vladimir Eremin <email address hidden>
Date: Thu Jul 23 18:55:54 2015 +0300

    Replace 401 to 404 when token is invalid

    According to specs, keystone should return 404 when token is invalid.
    This commit fixes it, and fixes validate_token return.

    Change-Id: Ia44ea94c6f72ab6f46c0799056d41deddcbfb051
    Closes-Bug: 1477600
    (cherry picked from commit 7bdeef83535dafae8f3e1ba95ad661e90912938b)

Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-2 → 8.0.0