Revocation events don't handle scoped tokens correctly

Bug #1347318 reported by Matt Riedemann
This bug affects 17 people
Affects: OpenStack Identity (keystone)    Status: Fix Released    Importance: High    Assigned to: Brant Knudson
Affects: Icehouse                         Status: Fix Released    Importance: High    Assigned to: Brant Knudson

Bug Description

Revoking a scoped token isn't handled correctly. If a scoped token is gotten from an unscoped token and the unscoped token is revoked, the scoped token should remain valid. Horizon uses this pattern.

We've got a test for this in tempest, but because of another bug related to revocation events and MySQL (https://bugs.launchpad.net/keystone/+bug/1347961), and because tempest is testing with MySQL, the tempest test didn't catch it.

When running with DB2 10.5, sqlalchemy-migrate 0.9.1 and sqlalchemy 0.8.4 on RHEL 6.5, we are seeing failures with the tempest.api.identity.admin.v3.test_tokens.TokensV3TestJSON.test_rescope_token (and xml) tests like this:

    Traceback (most recent call last):
      File "/tmp/tempest/tempest/tempest/api/identity/admin/v3/test_tokens.py", line 145, in test_rescope_token
        domain='Default')
      File "/tmp/tempest/tempest/tempest/services/identity/v3/json/identity_client.py", line 579, in auth
        resp, body = self.post(self.auth_url, body=body)
      File "/tmp/tempest/tempest/tempest/common/rest_client.py", line 218, in post
        return self.request('POST', url, extra_headers, headers, body)
      File "/tmp/tempest/tempest/tempest/services/identity/v3/json/identity_client.py", line 605, in request
        'Unexpected status code {0}'.format(resp.status))
    IdentityError: Got identity error
    Details: Unexpected status code 404

Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
Brant Knudson (blk-u) wrote :

The revocation code is incorrect. It revokes all tokens with the same expiration date and user and doesn't take the scope into account.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109125

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/109389

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/109819

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/109820

Brant Knudson (blk-u)
summary: - tempest.api.identity.admin.v3.test_tokens.TokensV3TestJSON.test_rescope_token
- race fails with DB2
+ Revocation events don't handle scoped tokens correctly
Brant Knudson (blk-u) wrote :

There are several commits to fix this:

https://review.openstack.org/#/c/109389/ - Fix revoking a scoped token from an unscoped token
https://review.openstack.org/#/c/109125/ - Add a test for revoking a scoped token from an unscoped
https://review.openstack.org/#/c/109820/ - Fix revoking domain-scoped tokens
https://review.openstack.org/#/c/109819/ - Correct revocation event test for domain_id

This fix also depends on the fix for https://bugs.launchpad.net/keystone/+bug/1348820

description: updated
Changed in keystone:
milestone: none → juno-3
importance: Undecided → High
Brant Knudson (blk-u) wrote :

This is a security vulnerability since tokens aren't being revoked as they should be.

information type: Public → Public Security
Dolph Mathews (dolph)
tags: removed: db2
Brant Knudson (blk-u) wrote :

To clarify, in this case there are *extra* tokens getting revoked. So the token that you expect to get revoked is revoked and other tokens are also revoked. This one may not be a security vulnerability based on the fact that it's just revoking extra tokens.

Brant Knudson (blk-u) wrote :

I opened a separate bug for domain-scoped revocation events: https://bugs.launchpad.net/keystone/+bug/1349597

Thierry Carrez (ttx) wrote :

So I'm not totally convinced this is a security issue. It's a bug that should be fixed, obviously, but revoking more tokens than you should is not actually a vulnerability... unless you can come up with a scenario where that would end up being abused as DoS or something.

Changed in ossa:
status: New → Incomplete
Brant Knudson (blk-u) wrote :

OK. I wanted to have someone look at it and I agree it's not a security vulnerability.

Jeremy Stanley (fungi)
information type: Public Security → Public
no longer affects: ossa
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/109125
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=097b9aa0395e778b40c2028f45cf8d37663e387a
Submitter: Jenkins
Branch: master

commit 097b9aa0395e778b40c2028f45cf8d37663e387a
Author: Brant Knudson <email address hidden>
Date: Wed Jul 23 16:23:20 2014 -0500

    Add a test for revoking a scoped token from an unscoped

    There was no test that showed that when a scoped token created from
    an unscoped token is revoked that the unscoped token also winds up
    being revoked.

    Change-Id: I2c1574573488bb60a059c5d7f8747d6a1977aab7
    Partial-Bug: #1347318

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/109389
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=da00da732d6be0626810fe4ec87d40dab16117de
Submitter: Jenkins
Branch: master

commit da00da732d6be0626810fe4ec87d40dab16117de
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 18:03:28 2014 -0500

    Fix revoking a scoped token from an unscoped token

    When a scoped token that was created from an unscoped token was
    revoked, the original token wound up being revoked. This is because
    the scope wasn't included in the revocation event. By including the
    scope in the revocation event only the scoped token is revoked.

    Change-Id: I5652663ab7e1176d3b1efc5d218a8a020498067e
    Closes-Bug: #1347318

Changed in keystone:
status: In Progress → Fix Committed
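
As an added illustration (not keystone's code and not part of this bug report), the following constructed Python model shows the matching behaviour described in Brant's comment ("revokes all tokens with the same expiration date and user and doesn't take the scope into account") and in the commit message above ("by including the scope in the revocation event only the scoped token is revoked"). The Token and RevocationEvent classes, the field names, and the sample token values are assumptions made for the example; the scenario assumes, as the bug does, that a rescoped token shares its user and expiry with the unscoped token it came from.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Constructed, simplified model of revocation-event matching. Not keystone's
# implementation; the field names mirror the token attributes the bug discusses.


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: str
    expires_at: datetime
    project_id: Optional[str] = None  # None: the token is unscoped


@dataclass(frozen=True)
class RevocationEvent:
    user_id: str
    expires_at: datetime
    project_id: Optional[str] = None  # None: scope is not part of the match


def event_matches(event: RevocationEvent, token: Token) -> bool:
    """An event revokes a token when every attribute set on the event equals
    the token's. Attributes left as None are wildcards, which is why an event
    that omits the scope sweeps up every token sharing user and expiry."""
    if event.user_id != token.user_id:
        return False
    if event.expires_at != token.expires_at:
        return False
    if event.project_id is not None and event.project_id != token.project_id:
        return False
    return True


def is_revoked(events: Iterable[RevocationEvent], token: Token) -> bool:
    return any(event_matches(e, token) for e in events)


def revoke_token_without_scope(token: Token) -> RevocationEvent:
    """Pre-fix behaviour from the bug: only user and expiry are recorded."""
    return RevocationEvent(user_id=token.user_id, expires_at=token.expires_at)


def revoke_token_with_scope(token: Token) -> RevocationEvent:
    """Post-fix behaviour: the scope is recorded, so only that token matches."""
    return RevocationEvent(user_id=token.user_id, expires_at=token.expires_at,
                           project_id=token.project_id)


def demo(revoke) -> dict:
    """Rescope an unscoped token, revoke the scoped one, and report which of
    the two tokens is now considered revoked."""
    expiry = datetime(2014, 7, 28, 12, 0, 0)  # constructed sample expiry
    unscoped = Token("tok-unscoped", "user-1", expiry)
    scoped = Token("tok-scoped", "user-1", expiry, project_id="proj-A")
    events = [revoke(scoped)]
    return {t.token_id: is_revoked(events, t) for t in (unscoped, scoped)}


if __name__ == "__main__":
    print("event without scope:", demo(revoke_token_without_scope))
    print("event with scope:   ", demo(revoke_token_with_scope))
```

Running it shows the over-revocation in the first case (both tokens revoked) and the intended result in the second (only the scoped token revoked). One design caveat the model makes visible: because None in the event acts as a wildcard, this model cannot express the other direction mentioned in the bug description (revoking the unscoped token while leaving the scoped token valid); an implementation that needs that has to distinguish "no scope" from "any scope" in its events rather than reusing one sentinel for both.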
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112085

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112086

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/112085
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dfb0ff0ede16a29938abfb044ecc6cdf2066cc87
Submitter: Jenkins
Branch: stable/icehouse

commit dfb0ff0ede16a29938abfb044ecc6cdf2066cc87
Author: Brant Knudson <email address hidden>
Date: Wed Jul 23 16:23:20 2014 -0500

    Add a test for revoking a scoped token from an unscoped

    There was no test that showed that when a scoped token created from
    an unscoped token is revoked that the unscoped token also winds up
    being revoked.

    Change-Id: I2c1574573488bb60a059c5d7f8747d6a1977aab7
    Partial-Bug: #1347318
    (cherry picked from commit 097b9aa0395e778b40c2028f45cf8d37663e387a)

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/112086
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5c89c89bb4f1779309c792b0e8e54931d029c61d
Submitter: Jenkins
Branch: stable/icehouse

commit 5c89c89bb4f1779309c792b0e8e54931d029c61d
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 18:03:28 2014 -0500

    Fix revoking a scoped token from an unscoped token

    When a scoped token that was created from an unscoped token was
    revoked, the original token wound up being revoked. This is because
    the scope wasn't included in the revocation event. By including the
    scope in the revocation event only the scoped token is revoked.

    Change-Id: I5652663ab7e1176d3b1efc5d218a8a020498067e
    Closes-Bug: #1347318
    (cherry picked from commit da00da732d6be0626810fe4ec87d40dab16117de)

Alan Pevec (apevec)
tags: removed: in-stable-icehouse
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/121711

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Ryan Hsu (<email address hidden>) on branch: master
Review: https://review.openstack.org/121711
Reason: Testing

Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/253123
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3a7b97e5951280b336ca8d13596b92820a7c73a7
Submitter: Jenkins
Branch: master

commit 3a7b97e5951280b336ca8d13596b92820a7c73a7
Author: Samuel de Medeiros Queiroz <email address hidden>
Date: Thu Dec 3 15:28:36 2015 -0300

    Remove invalid FIXME note

    There are a couple of notes that do not apply to
    our code anymore.

    One because the bug it relates to has been fixed; and
    another because the suggestion does not apply.

    Related-Bug: #1347318

    Change-Id: If1190c76deccf7dc501005082c5e85cf00b7b7e6
