The keystone server auth plugin methods could mismatch user_id in auth_context

Bug #1656076 reported by Morgan Fainberg
Affects                        Status        Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Morgan Fainberg
  Mitaka                       Invalid       Medium      Morgan Fainberg
  Newton                       Invalid       Medium      Morgan Fainberg
  Ocata                        Fix Released  Medium      Morgan Fainberg

Bug Description

The keystone server blindly overwrites the auth_context.user_id in each auth method that is run. This means that the last auth_method that is run for a given authentication request dictates the user_id.

While this is not exploitable externally without misconfiguration of the external plugin methods and supporting services, this is a bad state that could relatively easily result in someone ending up authenticated with the wrong user_id.

The simplest fix will be to have the for loop in the authentication controller (that iterates over the methods) verify that the user_id does not change between the auth_methods executed.

https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

This has been marked as public security for hardening purposes, likely a "Class D" https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

This probably should also be a lower-prio backport if possible. Not a huge risk, but good to ensure we aren't in a bad state if auth methods mutate the user-id between method validation.

tags: added: authentication security
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Morgan Fainberg (mdrnstm)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/419693

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/419694

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/419695

Morgan Fainberg (mdrnstm) wrote : Re: The keystone server auth pluigin methods could mismatch user_id in auth_context

Turns out the issue comes from the test suite not using the AuthContext object. A new patch to ensure we are using AuthContext not a dict will be proposed in lieu of the current fix.

summary: - The keystone server auth pluigin methods could mismatch user_id in
+ The keystone server auth plugin methods could mismatch user_id in
auth_context
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/mitaka)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/419695

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/newton)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/419694

Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Steve Martinelli (stevemar)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/419693
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0f3f08c3df0dd6c32e685dae6726e945b01ea8c7
Submitter: Jenkins
Branch: master

commit 0f3f08c3df0dd6c32e685dae6726e945b01ea8c7
Author: Morgan Fainberg <email address hidden>
Date: Thu Jan 12 15:19:48 2017 -0800

    Force use of AuthContext object in .authenticate()

    Force the keystone.auth.controllers.Auth.authenticate method to
    require the use of an AuthContext object instead of something
    duck-typed (dictionary). This is done to ensure the security and
    integrity of IDENTITY_KEYS are covered and values are not changed
    by a plugin due to the security built into AuthContext being
    circumvented since it was not used. This is not pythonic, this
    is being done for hardening purposes.

    Change-Id: I013846af59587d17b15ca4cf546e6372231f576e
    Closes-Bug: #1656076

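The bug description above explains the failure mode (each auth method writes user_id into a shared context and the last one wins), and the merged commit explains the hardening (insist on an AuthContext object whose identity keys cannot be silently changed, instead of a duck-typed dict). The following is an added illustration written for this page; it is not keystone's code, and the plugin functions, the IDENTITY_KEYS set, the sample payloads and the user ids are all constructed for the example. It models a guarded AuthContext in the spirit of the fix and shows the unguarded dict beside it:

```python
"""Model of the auth_context user_id mismatch from bug #1656076 and of the
hardening the fix applies. Constructed example, not keystone's own code."""

# Keys that identify the authenticated principal. Constructed subset; the
# real set lives in keystone and is not copied here.
IDENTITY_KEYS = frozenset(["user_id", "project_id", "domain_id"])


class IdentityConflict(Exception):
    """Raised when an auth method tries to change an identity key that is set."""


class AuthContext(dict):
    """Dict that refuses to change an identity key once it holds a value.

    Two methods may agree on the same user_id; a second, different user_id
    is an error rather than a silent overwrite.
    """

    def __setitem__(self, key, value):
        if key in IDENTITY_KEYS and key in self and self[key] != value:
            raise IdentityConflict(
                "%s already set to %r, refusing to change it to %r"
                % (key, self[key], value))
        super().__setitem__(key, value)

    def update(self, *args, **kwargs):
        # Route dict.update() through the guarded __setitem__ as well.
        for key, value in dict(*args, **kwargs).items():
            self[key] = value


# Constructed auth methods. Each resolves a principal from its own credential
# and records the result in the shared context, as keystone plugins do.
def password_method(auth_payload, auth_context):
    local_users = {"alice": "user-alice"}  # constructed lookup table
    auth_context["user_id"] = local_users[auth_payload["username"]]


def external_method(auth_payload, auth_context):
    # Stands in for an external mapping that may resolve to a different user.
    auth_context["user_id"] = auth_payload["remote_user_id"]


METHODS = {"password": password_method, "external": external_method}


def run_methods(payload, auth_context):
    """The per-method loop from the bug description: every method writes into
    the shared context, and the loop itself never checks that user_id stays
    the same. Whether a conflict is caught depends entirely on the type of
    auth_context passed in."""
    for name in payload["methods"]:
        METHODS[name](payload[name], auth_context)
    return auth_context.get("user_id")


def authenticate(payload, auth_context):
    """Hardened entry point: require the guarded AuthContext type, so the
    identity-key protection cannot be bypassed by handing in a plain dict."""
    if not isinstance(auth_context, AuthContext):
        raise TypeError("auth_context must be an AuthContext, not %s"
                        % type(auth_context).__name__)
    return run_methods(payload, auth_context)


def outcome(fn, payload, auth_context):
    """Run fn and report either the user_id or the exception class name."""
    try:
        return "user_id=" + fn(payload, auth_context)
    except (IdentityConflict, TypeError) as exc:
        return type(exc).__name__


# Constructed request payloads: two methods that disagree, and two that agree.
CONFLICTING_PAYLOAD = {
    "methods": ["password", "external"],
    "password": {"username": "alice"},
    "external": {"remote_user_id": "user-bob"},
}
AGREEING_PAYLOAD = {
    "methods": ["password", "external"],
    "password": {"username": "alice"},
    "external": {"remote_user_id": "user-alice"},
}

if __name__ == "__main__":
    print("plain dict, conflicting methods:", outcome(run_methods, CONFLICTING_PAYLOAD, {}))
    print("AuthContext, conflicting methods:", outcome(run_methods, CONFLICTING_PAYLOAD, AuthContext()))
    print("AuthContext, agreeing methods:", outcome(run_methods, AGREEING_PAYLOAD, AuthContext()))
    print("authenticate() given a plain dict:", outcome(authenticate, CONFLICTING_PAYLOAD, {}))
```

With a plain dict the conflicting request silently comes back as user-bob, the last method to run; with the guarded AuthContext the same request raises IdentityConflict, and authenticate() rejects a plain dict outright so that the guard cannot be skipped the way the test suite had skipped it. Note that dict methods such as setdefault() bypass __setitem__, so a guard of this shape has to cover every write path the plugins actually use.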
Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b3

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.

This report contains Public Security information  
Everyone can see this security related information.
