[Openstack-security] [Bug 1381405] Re: user token is not checked for UUID type before sending request for token validation
Dolph Mathews
1381405 at bugs.launchpad.net
Thu Oct 16 15:58:20 UTC 2014
That's entirely by design. PKI tokens are a bit special in that they can
be validated on the remote service side (in keystone middleware), and
keystone itself supports pluggable token formats.
So if the extra entropy was desirable in my environment, I could issue
128-character base-62 tokens from keystone, and I'd expect keystone
middleware to call back to keystone to validate them.
** Changed in: keystonemiddleware
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381405
Title:
user token is not checked for UUID type before sending request for
token validation
Status in OpenStack Identity (Keystone) Middleware:
Invalid
Bug description:
user token is not checked for UUID type before sending token
validation request.
    def _validate_token(self, token, env, retry=True):
        ...
        if cms.is_pkiz(token):
            verified = self._verify_pkiz_token(token, token_ids)
            data = jsonutils.loads(verified)
            expires = _confirm_token_not_expired(data)
        elif cms.is_asn1_token(token):
            verified = self._verify_signed_token(token, token_ids)
            data = jsonutils.loads(verified)
            expires = _confirm_token_not_expired(data)
        else:
            data = self._identity_server.verify_token(token,
                                                      retry)
The 'else' branch allows any token value that is not in PKI format to be sent to the Identity API for
token validation. A sanitation check here for UUID type can reduce the load for token validation
on the Identity API.
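As an added illustration (not code from keystonemiddleware, keystoneclient or the bug report), the snippet below reproduces the three-way dispatch in _validate_token and shows why a UUID-only gate on the 'else' branch conflicts with the pluggable token formats mentioned in the reply: the prefix tests and the UUID pattern are simplified assumptions about keystoneclient's cms helpers and keystone's uuid provider, and base62_token is a constructed stand-in for a non-PKI, non-UUID provider.

```python
import random
import re
import string
import uuid

# Prefix conventions the cms helpers (is_pkiz / is_asn1_token) rely on;
# restated here as assumptions so the example runs offline.
PKIZ_PREFIX = "PKIZ_"      # compressed, CMS-signed token
PKI_ASN1_PREFIX = "MII"    # base64 of a DER SEQUENCE, i.e. an uncompressed CMS token

# Assumption: keystone's uuid provider issues uuid4().hex, 32 lowercase hex digits.
UUID_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_token(token):
    """Mirror the branching in _validate_token: which path would handle this token?"""
    if token.startswith(PKIZ_PREFIX):
        return "pkiz-local"       # verified in middleware, no call to keystone
    if token.startswith(PKI_ASN1_PREFIX):
        return "asn1-local"       # likewise verified locally
    return "remote"               # everything else: identity_server.verify_token()


def would_uuid_gate_reject(token):
    """The check proposed in the bug: forward only UUID-shaped tokens to keystone.

    Returns True when a token that would otherwise reach the Identity API
    would be dropped by that gate, i.e. a non-PKI token that is not a UUID.
    """
    return classify_token(token) == "remote" and UUID_RE.match(token) is None


def base62_token(length=128, seed=None):
    """Constructed stand-in for a pluggable provider issuing 128-character
    base-62 tokens, the example from the reply. Deterministic via `seed`
    for testing only; a real provider would use a CSPRNG."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for tok in ("PKIZ_eJy...", "MIIBxxx...", uuid.uuid4().hex, base62_token(seed=1)):
        print(classify_token(tok), "uuid-gate-rejects:", would_uuid_gate_reject(tok))
```

The last token is valid for a keystone configured with such a provider, yet the proposed gate would reject it in middleware before keystone ever sees it, which is why the report was closed as Invalid.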