OpenStack Identity (keystone)

  1. Bug #1872737
  2. Comment #24

Comment 24 for bug 1872737

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/724954
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e3f65d6fbcd18032a8ad3dfa3aaded264a282158
Submitter: Zuul
Branch: stable/train

commit e3f65d6fbcd18032a8ad3dfa3aaded264a282158
Author: Colleen Murphy <email address hidden>
Date: Thu Apr 16 17:05:43 2020 -0700

    Check timestamp of signed EC2 token request

    EC2 token requests contain a signature that signs the entire request,
    including the access timestamp. While the signature is checked, the
    timestamp is not, and so these signed requests remain valid
    indefinitely, leaving the token API vulnerable to replay attacks. This
    change introduces a configurable TTL for signed token requests and
    ensures that the timestamp is actually validated against it.

    The check will work for either an AWS Signature v1/v2 'Timestamp'
    parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
    parameter[2].

    Although this technically adds a new feature and the default value of
    the feature changes behavior, this change is required to protect
    credential holders and therefore must be backported to all supported
    branches.

    [1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
    [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

    Conflicts due to six removal in e2d83ae9:
            keystone/api/_shared/EC2_S3_Resource.py
            keystone/tests/unit/test_contrib_ec2_core.py

    Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
    Closes-bug: #1872737
    (cherry picked from commit ab89ea749013e7f2c46260f68504f5687763e019)
    (cherry picked from commit 8d5becbe4b463f6a5a24a1929dd0f48dab6ae027)