Non PKI Tokens longer than 32 characters can never be valid

Bug #1060389 reported by Adam Young
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Fix Released  High        Dan Radez
  Folsom                       Fix Released  High        Joseph Heck
keystone (Ubuntu)              Fix Released  Undecided   Unassigned
  Quantal                      Fix Released  Undecided   Unassigned

Bug Description

The current check is based on length, but 32 characters is insufficient. Devstack makes tokens of length 80.

These fail validation by triggering the PKI code path.

A better approach is to prepend a hint to non-uuid token schemes like PKI.

Revision history for this message
Adam Young (ayoung) wrote :

However, hardcoded admin_token values could be anything.

Put in a check:
if admin_token[:4] == 'PKI-' throw a warning, or if we can't do base64 decode, then we can try the uuid route.

Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Joseph Heck (heckj)
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
tags: added: folsom-backport
Revision history for this message
Adam Young (ayoung) wrote :

It looks like the PKI tokens always start with MII

For example

MIIFMwYJKoZIhvcNAQcCo
MIIE9wYJKoZIhvcNAQcCo

This is probably the starting point of how to correctly identify what the Token-Format is.

I'd rather not change the token format if we don't have to.
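The two detection rules discussed in this thread side by side, as an added example that is not Keystone's own code: the length heuristic the report complains about and the "MII" prefix check. The sample tokens are constructed, and `constructed_pki_token` only reproduces the outer DER framing of a CMS blob, not a real signed token.

```python
import base64

# "MII" is what base64 produces for the bytes 0x30 0x82: a DER SEQUENCE tag
# with a two-byte length, which is how a CMS (PKCS#7) SignedData blob begins.
PKI_PREFIX = "MII"
UUID_HEX_LEN = 32  # length of a uuid4().hex token


def is_pki_by_length(token):
    """Old heuristic: anything longer than a UUID hex string is 'PKI'."""
    return len(token) > UUID_HEX_LEN


def is_pki_by_prefix(token):
    """Fixed heuristic: PKI tokens are base64-encoded CMS, so they start 'MII'."""
    return token.startswith(PKI_PREFIX)


def token_format(token, detector=is_pki_by_prefix):
    """'pki' means verify the signature offline; 'uuid' means look the token
    up in the backend. A hardcoded admin_token can be any string, so every
    non-PKI token, whatever its length, goes down the uuid route."""
    return "pki" if detector(token) else "uuid"


def constructed_pki_token(payload_len=1000):
    """Base64 blob with the outer DER framing of a CMS SignedData structure:
    SEQUENCE (2-byte length) then the id-signedData OID 1.2.840.113549.1.7.2.
    Constructed for this demo; it carries no signature and is not a real token."""
    body = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x00" * payload_len
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return base64.b64encode(der).decode("ascii")


# Constructed sample tokens (not real credentials) and the route each should take.
SAMPLES = {
    "uuid32": "7c9e6679742540de944be07fc1f90ae7",  # 32 hex chars, uuid style
    "devstack80": "0123456789abcdef" * 5,           # 80-char non-PKI token, as devstack issues
    "admin_token": "ADMIN",                          # hardcoded admin_token, arbitrary string
    "pki": constructed_pki_token(),
}
EXPECTED = {"uuid32": "uuid", "devstack80": "uuid", "admin_token": "uuid", "pki": "pki"}


def misrouted(detector):
    """Names of the sample tokens a detector sends down the wrong validation path."""
    return sorted(n for n, t in SAMPLES.items() if token_format(t, detector) != EXPECTED[n])
```

`misrouted(is_pki_by_length)` names the 80-character devstack token, which the prefix check routes correctly; the constructed blob shares the `YJKoZIhvcNAQcC` run (the signedData OID) with the samples quoted in the comment above.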

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/14309

Changed in keystone:
assignee: Adam Young (ayoung) → Dan Radez (dradez)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/14309
Committed: http://github.com/openstack/keystone/commit/8b6b07faed21df8d1a9832df105d72dc5c834398
Submitter: Jenkins
Branch: master

commit 8b6b07faed21df8d1a9832df105d72dc5c834398
Author: Dan Radez <email address hidden>
Date: Mon Oct 8 17:30:41 2012 -0400

    replacing PKI token detection from content length to content prefix. (bug 1060389)

    Change-Id: I68b0e4126f2e339c04271fd982f5f5dab198c630

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/14857

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/folsom)

Reviewed: https://review.openstack.org/14857
Committed: http://github.com/openstack/keystone/commit/094c49424e72373b134384174749887e51fd847a
Submitter: Jenkins
Branch: stable/folsom

commit 094c49424e72373b134384174749887e51fd847a
Author: Dan Radez <email address hidden>
Date: Mon Oct 8 17:30:41 2012 -0400

    replacing PKI token detection from content length to content prefix. (bug 1060389)

    Change-Id: I68b0e4126f2e339c04271fd982f5f5dab198c630

tags: added: in-stable-folsom
Joseph Heck (heckj)
Changed in keystone:
milestone: none → grizzly-1
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Adam, or anyone else affected,

Accepted keystone into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in keystone (Ubuntu Quantal):
status: Confirmed → Fix Committed
tags: added: verification-needed
Mark McLoughlin (markmc)
tags: removed: folsom-backport in-stable-folsom
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keystone - 2012.2.1-0ubuntu1

---------------
keystone (2012.2.1-0ubuntu1) quantal-proposed; urgency=low

  * Ubuntu updates:
    - debian/control: Ensure keystoneclient is upgraded with keystone,
      require python-keystoneclient >= 1:0.1.3. (LP: #1073273)
    - Dropped patches, applied upstream:
      - debian/patches/CVE-2012-5563.patch
      - debian/patches/CVE-2012-5571.patch
      - debian/patches/fix-ssl-tests-lp1068851.patch
  * Resynchronize with stable/folsom (7869c3ec) (LP: #1085255):
    - [f9d4766] token expires time incorrect for auth by one token
      (LP: #1079216)
    - [80d63c8] keystone throws error when removing user from tenant.
      (LP: #1078497)
    - [37308dd] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [bec9b68] Redo part of bp/sql-identiy-pam undone by bug 968519
      (LP: #1068674)
    - [ee645e6] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [094c494] Non PKI Tokens longer than 32 characters can never be valid
      (LP: #1060389)
    - [3cd343b] Openssl tests rely on expired certificate (LP: #1068851)
    - [2f9807e] Set defaultbranch in .gitreview to stable/folsom
 -- Adam Gandelman <email address hidden> Tue, 04 Dec 2012 09:19:41 -0800

Changed in keystone (Ubuntu Quantal):
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-1 → 2013.1