2015-03-18 00:43:51 |
Lance Bragstad |
bug |
|
|
added bug |
2015-03-18 00:44:47 |
Lance Bragstad |
tags |
|
fernet |
|
2015-03-18 00:45:44 |
Lance Bragstad |
description |
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/5q54as6rz3ifmj1vpj1rsoisuoxpb91 |
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
This can be recreated using keystone-deploy [3].
[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/5q54as6rz3ifmj1vpj1rsoisuoxpb91
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py |
|
2015-03-18 00:47:01 |
Lance Bragstad |
description |
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
This can be recreated using keystone-deploy [3].
[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/5q54as6rz3ifmj1vpj1rsoisuoxpb91
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py |
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].
[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/5q54as6rz3ifmj1vpj1rsoisuoxpb91
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py |
|
2015-03-18 00:48:04 |
Lance Bragstad |
description |
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].
[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/5q54as6rz3ifmj1vpj1rsoisuoxpb91
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py |
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].
[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py |
|
2015-03-18 01:27:35 |
OpenStack Infra |
keystonemiddleware: status |
New |
In Progress |
|
2015-03-18 01:27:35 |
OpenStack Infra |
keystonemiddleware: assignee |
|
Lance Bragstad (lbragstad) |
|
2015-03-18 03:29:10 |
Dolph Mathews |
summary |
safe_quote doesn't work for Fernet/PKI/PKIz tokens |
Fernet tokens with base64 padding are not URL-safe |
|
2015-03-18 03:31:55 |
Dolph Mathews |
bug task added |
|
keystone |
|
2015-03-18 03:32:04 |
Dolph Mathews |
keystone: importance |
Undecided |
High |
|
2015-03-18 03:32:20 |
OpenStack Infra |
keystone: status |
New |
In Progress |
|
2015-03-18 03:32:20 |
OpenStack Infra |
keystone: assignee |
|
Dolph Mathews (dolph) |
|
2015-03-18 20:45:56 |
Lance Bragstad |
keystone: milestone |
|
kilo-rc1 |
|
2015-03-18 22:59:19 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Committed |
|
2015-04-07 21:37:11 |
Thierry Carrez |
keystone: status |
Fix Committed |
Fix Released |
|
2015-04-30 08:06:40 |
Thierry Carrez |
keystone: milestone |
kilo-rc1 |
2015.1.0 |
|
2015-09-03 16:03:04 |
Lance Bragstad |
keystonemiddleware: assignee |
Lance Bragstad (lbragstad) |
|
|
2015-09-03 16:51:22 |
Lance Bragstad |
keystonemiddleware: status |
In Progress |
Invalid |
|