[Openstack-security] [Bug 1680911] Re: Revoking an unscoped token does not revoke all tokens scoped from the unscoped token
Jeremy Stanley
fungi at yuggoth.org
Mon Jan 8 20:46:59 UTC 2018
I don't think so, looks like we just missed lifting the embargo. Based
on comments above, I'll do that now. Thanks for the reminder.
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidently changes a list to a list in a tuple:
https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
The second and main reason is because this functionality is never exposed to the user
and in the code it is never run here:
https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1680911
Title:
Revoking an unscoped token does not revoke all tokens scoped from the
unscoped token
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidently changes a list to a list in a tuple:
https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
The second and main reason is because this functionality is never exposed to the user
and in the code it is never run here:
https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1680911/+subscriptions
More information about the Openstack-security
mailing list