+2 on the functionality (minor nit in that I think the assert statement for checking belongs_to is incorrectly indented)

Henry

On 20 Feb 2013, at 05:06, Adam Young wrote:

> ** Patch added: "validate-from-backend-grizzly-20130218-2.patch"
>    https://bugs.launchpad.net/keystone/+bug/1129713/+attachment/3537581/+files/validate-from-backend-grizzly-20130218-2.patch
>
> --
> You received this bug notification because you are a member of Keystone
> Core Developers, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1129713
>
> Title:
>   Validation of PKI tokens bypasses revocation check
>
> Status in OpenStack Identity (Keystone):
>   Confirmed
>
> Bug description:
>   For PKI tokens, we are bypassing the token.get_token() call and therefore
>   skipping the "valid=True" check.
>
>   In Grizzly, this code is in keystone/token/controllers.py
>   In Folsom, this code is in keystone/service.py
>
>   The if block bypasses the backend check. It is in the backend where
>   tokens are checked for revocation.
>
>   def _get_token_ref(self, context, token_id, belongs_to=None):
>       """Returns a token if a valid one exists.
>
>       Optionally, limited to a token owned by a specific tenant.
>
>       """
>       # TODO(termie): this stuff should probably be moved to middleware
>       self.assert_admin(context)
>
>       if cms.is_ans1_token(token_id):
>           data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
>                                            CONF.signing.certfile,
>                                            CONF.signing.ca_certs))
>           data['access']['token']['user'] = data['access']['user']
>           data['access']['token']['metadata'] = data['access']['metadata']
>           if belongs_to:
>               assert data['access']['token']['tenant']['id'] == belongs_to
>           token_ref = data['access']['token']
>       else:
>           token_ref = self.token_api.get_token(context=context,
>                                                token_id=token_id)
>       return token_ref
>
>   The exposure is limited to people that are passing the whole PKI token
>   back for validation via the web service.
>
>   These PKI tokens were supposed to be validated primarily via Crypto,
>   but there is an option to validate them against the live server as
>   well. It is only this last code path that is affected. It is
>   unlikely to be triggered in Folsom, as people have to make a
>   deliberate decision to use PKI tokens, and are unlikely to be
>   validating them against the Keystone server.
>
>   Remote services can choose to pass a Hash of the PKI token to the
>   validate Web API, which web services are likely to do, as the Hash is
>   short enough to fit in a cookie. The Hash is then looked up using
>   the backend get_token() behavior and works correctly.
>
>   It does not affect the keystone calls that first require validating
>   the token. For example if a user runs tenant_list against their own
>   account, using a PKI token, they do
>
>   token_ref = self.token_api.get_token(context=context,
>                                        token_id=context['token_id'])
>
>   This was discovered by Guang Yee.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1129713/+subscriptions
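Added example (not part of the thread above and not Keystone's own code or its patch): a self-contained reproduction of the pattern the bug describes. A signed, self-contained token is accepted purely on its signature and never reaches the backend, so a revocation recorded there is never consulted; the hardened variant verifies the signature and then still looks the token up by its hash, which is the backend path the description says already works. Everything here is constructed: an HMAC tag stands in for the CMS signature (`sign_token`, `verify_signed_token`, `is_signed_token` play the roles of `cms.cms_verify` and `cms.is_ans1_token`), `TokenBackend` stands in for `token_api`, and the hardened function is one plausible fix, not the project's.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signing certificate: an HMAC key plays the CMS signature's role.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


class TokenNotFound(Exception):
    """Raised by the backend when a token id is unknown or has been revoked."""


class TokenBackend:
    """Minimal stand-in for token_api: the backend is where revocation is recorded."""

    def __init__(self):
        self._tokens = {}

    def create(self, token_id, data):
        self._tokens[token_id] = {"valid": True, "data": data}

    def revoke(self, token_id):
        self._tokens[token_id]["valid"] = False

    def get_token(self, token_id):
        entry = self._tokens.get(token_id)
        if entry is None or not entry["valid"]:
            raise TokenNotFound(token_id)
        return entry["data"]


def sign_token(payload):
    """Stand-in for CMS signing: hex-encoded JSON payload plus an HMAC tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return "SIGNED." + body.hex() + "." + tag


def is_signed_token(token_id):
    """Analogue of cms.is_ans1_token(): is this a self-contained signed token?"""
    return token_id.startswith("SIGNED.")


def verify_signed_token(token_id):
    """Stand-in for cms.cms_verify(): check the tag and return the payload, or raise."""
    _, body_hex, tag = token_id.split(".", 2)
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature verification failed")
    return json.loads(body)


def hash_token(token_id):
    """Short lookup key for a long signed token, the form a remote service can pass instead."""
    return hashlib.sha256(token_id.encode()).hexdigest()


def issue_token(backend, user, tenant_id):
    """Sign a token and record it in the backend under its hash, as the issuing server would."""
    data = {"user": user, "tenant_id": tenant_id}
    signed = sign_token(data)
    backend.create(hash_token(signed), data)
    return signed


def get_token_ref_vulnerable(backend, token_id, belongs_to=None):
    """Mirrors the reported flaw: a signed token never reaches the backend, so a revocation
    recorded there is never seen. The tenant check is also an assert, which python -O strips."""
    if is_signed_token(token_id):
        data = verify_signed_token(token_id)
        if belongs_to:
            assert data["tenant_id"] == belongs_to
        return data
    return backend.get_token(token_id)


def get_token_ref_hardened(backend, token_id, belongs_to=None):
    """Assumed fix (not the project's patch): verify the signature, then still consult the
    backend by hash so revoked tokens are rejected, and enforce the tenant check explicitly."""
    if is_signed_token(token_id):
        verify_signed_token(token_id)    # forged or tampered tokens are still rejected here
        token_id = hash_token(token_id)  # the backend keeps signed tokens under their hash
    data = backend.get_token(token_id)   # raises TokenNotFound if unknown or revoked
    if belongs_to is not None and data["tenant_id"] != belongs_to:
        raise TokenNotFound("token does not belong to tenant %s" % belongs_to)
    return data


def revoked_token_accepted(lookup):
    """Issue, revoke, then report whether `lookup` still accepts the full signed token.
    True means the revocation check was bypassed."""
    backend = TokenBackend()
    signed = issue_token(backend, "alice", "tenant-a")
    backend.revoke(hash_token(signed))
    try:
        lookup(backend, signed, belongs_to="tenant-a")
        return True
    except TokenNotFound:
        return False


if __name__ == "__main__":
    print("vulnerable path accepts revoked token:", revoked_token_accepted(get_token_ref_vulnerable))
    print("hardened path accepts revoked token:", revoked_token_accepted(get_token_ref_hardened))
```

The signature check answers "was this token issued by us?"; only the backend lookup answers "is it still valid?", and a validation endpoint needs both. Passing the hash instead of the full token was never affected, because the hash can only be resolved through the backend.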