EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
Reviewed: https:/ /review. opendev. org/725069 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=1ef3828516c 1b87a8ca84acca7 3ec593b0b8591d
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 1ef3828516c1b87 a8ca84acca73ec5 93b0b8591d
Author: Colleen Murphy <email address hidden>
Date: Thu Apr 16 17:05:43 2020 -0700
Check timestamp of signed EC2 token request
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
[1] https:/ /docs.aws. amazon. com/general/ latest/ gr/signature- version- 2.html /docs.aws. amazon. com/general/ latest/ gr/sigv4- date-handling. html
[2] https:/
Conflicts due to six removal in e2d83ae9:
keystone/ api/_shared/ EC2_S3_ Resource. py
keystone/ tests/unit/ test_contrib_ ec2_core. py
Change-Id: Idb10267338b420 4b435df233c6360 46a1ce5711f 2c46260f68504f5 687763e019) a5a24a1929dd0f4 8dab6ae027) 2a8ad3dfa3aaded 264a282158)
Closes-bug: #1872737
(cherry picked from commit ab89ea749013e7f
(cherry picked from commit 8d5becbe4b463f6
(cherry picked from commit e3f65d6fbcd1803