token 'expires' padding differs between POST and GET/HEAD on Fernet tokens

Bug #1597077 reported by Kim Jensen
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

We are using fernet tokens and found that with Mitaka the 'expires' values returned by the token POST and token GET/HEAD differ when one would expect these to be the same.

POST /v2.0/tokens

Response:
{"access": {
   "token": {
      "issued_at": "2016-06-28T18:48:56.000000Z",
      "expires": "2016-06-28T20:48:56Z",
      "id": "gAAAAABXcsaYGn-YFLOkLMfgq0JeBePL9s4WxiYbgSOyrAC83nUJhJh4c3xMTi_ZhaXkWH1S5BmvsvJwj90I_bKgiJlv5fQf7-wCdyPtTd7O_TcAleIBj7uOhcFhC1au7Fx9qnAkdg6DBIX_EiQLaC_ylB87nl05nQ",
      "audit_ids": ["OGGd2bYeTQOi-ZHZ5vYqVw"]
   },
   "serviceCatalog": [],
   "user": {
      "username": "account1",
      "roles_links": [],
      "id": "af4012992a154f158201f0590013bc32",
      "roles": [],
      "name": "account1"
   },
   "metadata": {
      "is_admin": 0,
      "roles": []
   }
}}

GET /v2.0/tokens/gAAAAABXcsaYGn-YFLOkLMfgq0JeBePL9s4WxiYbgSOyrAC83nUJhJh4c3xMTi_ZhaXkWH1S5BmvsvJwj90I_bKgiJlv5fQf7-wCdyPtTd7O_TcAleIBj7uOhcFhC1au7Fx9qnAkdg6DBIX_EiQLaC_ylB87nl05nQ

Response:
{"access": {
   "token": {
      "issued_at": "2016-06-28T18:48:56.000000Z",
      "expires": "2016-06-28T20:48:56.000000Z",
      "id": "gAAAAABXcsaYGn-YFLOkLMfgq0JeBePL9s4WxiYbgSOyrAC83nUJhJh4c3xMTi_ZhaXkWH1S5BmvsvJwj90I_bKgiJlv5fQf7-wCdyPtTd7O_TcAleIBj7uOhcFhC1au7Fx9qnAkdg6DBIX_EiQLaC_ylB87nl05nQ",
      "audit_ids": ["OGGd2bYeTQOi-ZHZ5vYqVw"]
   },
   "serviceCatalog": [],
   "user": {
      "username": "account1",
      "roles_links": [],
      "id": "af4012992a154f158201f0590013bc32",
      "roles": [],
      "name": "account1"
   },
   "metadata": {
      "is_admin": 0,
      "roles": []
   }
}}

The POST response: "expires": "2016-06-28T20:48:56Z",
The GET response: "expires": "2016-06-28T20:48:56.000000Z",

Tags: fernet
Matt Fischer (mfisch)
summary: - Mitaka token 'expires' padding differs between POST and GET/HEAD
+ Mitaka token 'expires' padding differs between POST and GET/HEAD on
+ Fernet tokens
tags: added: fernet
Brant Knudson (blk-u) wrote :

Is this causing a problem?

Kim Jensen (kim-jensen2) wrote :

Only causing some of our tests to fail as it's a regression.
So it's very minor but unexpected.

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/339241

Dolph Mathews (dolph) wrote : Re: Mitaka token 'expires' padding differs between POST and GET/HEAD on Fernet tokens

I would have thought the fix for this would look something like the diff below, but I expanded our test coverage above and didn't run into this issue (I'm probably doing something wrong, but wanted to leave this here for future reference).

diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py
index c40732c..b494cf7 100644
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -128,7 +128,7 @@ class V2TokenDataHelper(object):
         expires = token_ref.get('expires', provider.default_expire_time())
         if expires is not None:
             if not isinstance(expires, six.text_type):
- expires = utils.isotime(expires)
+ expires = utils.isotime(expires, subsecond=True)

         token_data = token_ref.get('token_data')
         if token_data:
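
Review bot: subsecond=True is applied only inside the 'if not isinstance(expires, six.text_type)' guard, so an 'expires' value that is already a text string passes through in whatever precision it arrived with, and this path can still emit the short form. Consider normalizing the string case as well (parse it and re-render it through the same utils.isotime(expires, subsecond=True) call), and add a test asserting that the 'expires' this helper produces is identical to the one returned when the same token is validated.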

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/339241
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b577af9bca528db46f005c24b353c1236f116d0b
Submitter: Jenkins
Branch: master

commit b577af9bca528db46f005c24b353c1236f116d0b
Author: Dolph Mathews <email address hidden>
Date: Thu Jul 7 20:25:31 2016 +0000

    Increase test coverage for token APIs

    The token API tests were not calling our rather exhaustive
    jsonschema-based validators to ensure that the API responses were
    correctly structured. Instead, they were simply ensuring that things
    like validate token didn't blow up. This makes all those tests much
    stronger.

    Relatedly, it also introduces a regex pattern for the two timestamp
    fields in tokens (expires_at and created_at).

    Change-Id: Idd5de04ef333c0b03a31f445ddd1f52e3a7b9b03
    Related-Bug: 1597077
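
Added example (not part of the bug report and not keystone's code): the mismatch from the bug description and the kind of timestamp pattern check the commit message above mentions, in Python, comparing 'expires' by parsed instant rather than by string. The regexes, function names and trimmed sample bodies are assumptions constructed for illustration; keystone's own pattern is not shown on this page.

```python
import re
from datetime import datetime, timezone

# Assumed strict format: UTC, 'Z' suffix, exactly six subsecond digits
# (the rendering the GET response in the report uses). Not keystone's pattern.
STRICT_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}Z$")
# Lenient form accepts both renderings seen in the report.
LENIENT_TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?Z$")


def parse_expires(value):
    """Parse either rendering into an aware UTC datetime."""
    m = LENIENT_TS.match(value)
    if m is None:
        raise ValueError("unrecognised timestamp: %r" % value)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0").ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def compare_expires(post_body, get_body):
    """Classify how 'expires' in two v2.0 token responses relate."""
    a = post_body["access"]["token"]["expires"]
    b = get_body["access"]["token"]["expires"]
    if a == b:
        return "identical"
    if parse_expires(a) == parse_expires(b):
        return "same-instant-different-format"
    return "different-instant"


def is_expired(expires, now):
    """Make the expiry decision on parsed instants, never on raw strings."""
    return now >= parse_expires(expires)


# Constructed sample bodies, trimmed to the field the report compares.
POST_BODY = {"access": {"token": {"expires": "2016-06-28T20:48:56Z"}}}
GET_BODY = {"access": {"token": {"expires": "2016-06-28T20:48:56.000000Z"}}}

if __name__ == "__main__":
    print(compare_expires(POST_BODY, GET_BODY))
    print(bool(STRICT_TS.match(POST_BODY["access"]["token"]["expires"])))
```

Comparing the two renderings as strings is not only unequal but also mis-ordered: '.' sorts before 'Z', so a value with subseconds compares as earlier than the same second written without them.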

Lance Bragstad (lbragstad) wrote : Re: Mitaka token 'expires' padding differs between POST and GET/HEAD on Fernet tokens

I played around with this a little bit locally and http://cdn.pasteraw.com/c5p7sd9oa01ot6h8yk547talrwwuhi8 seems to resolve the issue.

The patch just ensures that when we validate tokens using v2.0 we keep the subsecond precision consistent. If people are ok with the approach, I can propose it for review (along with tests).

Matt Fischer (mfisch)
summary: - Mitaka token 'expires' padding differs between POST and GET/HEAD on
- Fernet tokens
+ token 'expires' padding differs between POST and GET/HEAD on Fernet
+ tokens
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/429067

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Anthony Washington (anthony-washington)
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Anthony Washington (anthony-washington) → nobody
status: In Progress → Triaged
Lance Bragstad (lbragstad) wrote :

The v2.0 GET /v2.0/tokens API is being removed this release [0]. Marking this as Invalid since we won't be supporting that API anymore.

[0] https://review.openstack.org/#/c/499784/

Changed in keystone:
status: Triaged → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/429067
Reason: We removed v2.0 authentication in https://review.openstack.org/#/c/504465/

This is no longer needed.
