| 2015-07-23 13:57:21 |
Atsuko Ito |
bug |
|
|
added bug |
| 2015-07-23 14:10:53 |
jiaxi |
keystone: assignee |
|
jiaxi (tjxiter) |
|
| 2015-07-23 14:11:02 |
Atsuko Ito |
description |
Validate token API specifies 404 response for invalid Subject tokens:
http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC/middleware/auth_token has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
I've check the tests and found incorrect one. API spec requires 404, test check for 401.
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of this places:
Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
Fernet token goes raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679 |
Validate token API specifies 404 response for invalid Subject tokens:
* http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
* http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
I've check the tests and found incorrect one. API spec requires 404, test check for 401.
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of this places:
* Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
* Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
* Fernet token goes raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679
Also, note that KSC auth middleware https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147 we're expect 404 for invalid USER token, and and 401 for invalid ADMIN token. So 401 for invalid user token makes middleware go for new admin token. |
|
| 2015-07-23 14:26:35 |
Atsuko Ito |
description |
Validate token API specifies 404 response for invalid Subject tokens:
* http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
* http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
I've check the tests and found incorrect one. API spec requires 404, test check for 401.
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of this places:
* Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
* Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
* Fernet token goes raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679
Also, note that KSC auth middleware https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147 we're expect 404 for invalid USER token, and and 401 for invalid ADMIN token. So 401 for invalid user token makes middleware go for new admin token. |
Validate token API specifies 404 response for invalid Subject tokens:
* http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
* http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
I've check the tests and found incorrect one. API spec requires 404, test check for 401 https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of this places:
* Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L448
* Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
* Fernet token goes raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679
Also, note that KSC auth middleware https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147 we're expect 404 for invalid USER token, and and 401 for invalid ADMIN token. So 401 for invalid user token makes middleware go for new admin token. |
|
| 2015-07-23 18:06:49 |
Dolph Mathews |
keystone: importance |
Undecided |
Medium |
|
| 2015-07-23 18:07:04 |
Dolph Mathews |
keystone: status |
New |
Triaged |
|
| 2015-07-23 18:08:15 |
Dolph Mathews |
tags |
|
fernet kilo-backport-potential |
|
| 2015-07-23 23:47:00 |
jiaxi |
keystone: assignee |
jiaxi (tjxiter) |
|
|
| 2015-07-24 14:26:23 |
OpenStack Infra |
keystone: status |
Triaged |
In Progress |
|
| 2015-07-24 14:26:23 |
OpenStack Infra |
keystone: assignee |
|
Vladimir Eremin (yottatsa) |
|
| 2015-07-25 19:39:41 |
Atsuko Ito |
keystone: status |
In Progress |
Fix Committed |
|
| 2015-07-28 17:26:47 |
Dolph Mathews |
nominated for series |
|
keystone/kilo |
|
| 2015-07-28 17:26:47 |
Dolph Mathews |
bug task added |
|
keystone/kilo |
|
| 2015-07-28 17:26:55 |
Dolph Mathews |
keystone/kilo: importance |
Undecided |
Medium |
|
| 2015-07-28 17:27:00 |
Dolph Mathews |
tags |
fernet kilo-backport-potential |
fernet |
|
| 2015-07-28 17:27:32 |
Dolph Mathews |
keystone: status |
Fix Committed |
In Progress |
|
| 2015-07-28 17:29:39 |
Dolph Mathews |
keystone/kilo: status |
New |
In Progress |
|
| 2015-07-28 17:29:52 |
Dolph Mathews |
keystone/kilo: assignee |
|
Vladimir Eremin (yottatsa) |
|
| 2015-07-28 20:03:19 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Committed |
|
| 2015-07-29 05:57:56 |
Atsuko Ito |
summary |
Token Validation API returns 401 not 404 on invalid token |
Token Validation API returns 401 not 404 on invalid fernet token |
|
| 2015-07-29 14:40:38 |
Doug Hellmann |
keystone: status |
Fix Committed |
Fix Released |
|
| 2015-07-29 14:40:38 |
Doug Hellmann |
keystone: milestone |
|
liberty-2 |
|
| 2015-08-14 03:06:40 |
OpenStack Infra |
keystone/kilo: assignee |
Vladimir Eremin (yottatsa) |
Dolph Mathews (dolph) |
|
| 2015-08-20 11:12:29 |
OpenStack Infra |
keystone/kilo: status |
In Progress |
Fix Committed |
|
| 2015-10-11 14:17:58 |
Chuck Short |
keystone/kilo: milestone |
|
2015.1.2 |
|
| 2015-10-13 19:20:19 |
Chuck Short |
keystone/kilo: status |
Fix Committed |
Fix Released |
|
| 2015-10-15 09:57:09 |
Thierry Carrez |
keystone: milestone |
liberty-2 |
8.0.0 |
|
| 2016-01-21 20:27:04 |
Dave Walker |
keystone/kilo: status |
Fix Released |
Fix Committed |
|
| 2016-01-21 20:27:04 |
Dave Walker |
keystone/kilo: milestone |
2015.1.2 |
2015.1.3 |
|
| 2016-01-21 23:16:16 |
Dave Walker |
keystone/kilo: status |
Fix Committed |
Fix Released |
|
