yahoo-eng-team team mailing list archive
Message #03212
[Bug 1041396] Re: [OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413)
** Summary changed:
- Token validation includes revoked roles (CVE-2012-4413)
+ [OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413)
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Fix Released
** Changed in: ossa
Assignee: (unassigned) => Thierry Carrez (ttx)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1041396
Title:
[OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone essex series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Status in “keystone” package in Ubuntu:
Fix Released
Bug description:
To reproduce:
1) Initial setup: http://paste.openstack.org/raw/20477/
2) Authenticate as a normal user, generating a token
3) On the admin API, revoke a role from that user
4) On the admin API, validate the user's generated token
The revoked role is included in the validation response. Ideally, the
token should be entirely invalidated and return 404, although at the
very least, the revoked role should *NOT* be included in the
validation response.
Full example:
Authenticate as a user who has been granted the 'manager' role:
POST http://127.0.0.1:5000/v2.0/tokens
======================================
Content-Type: application/json
{
  "auth": {
    "tenantName": "project-x",
    "passwordCredentials": {
      "username": "joe",
      "password": "secret"
    }
  }
}
200 OK
======
Date: Fri, 24 Aug 2012 22:43:24 GMT
Vary: X-Auth-Token
Content-Length: 448
Status: 200
Content-Type: application/json
{
  "access": {
    "token": {
      "expires": "2012-08-25T22:43:24Z",
      "id": "c0db082bdb7f47e4845d7be551558620",
      "tenant": {
        "id": "10e2a090121748388cf39e915d376f29",
        "enabled": true,
        "description": null,
        "name": "project-x"
      }
    },
    "serviceCatalog": {},
    "user": {
      "username": "joe",
      "roles_links": [],
      "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
      "roles": [
        {
          "name": "manager"
        }
      ],
      "name": "joe"
    },
    "metadata": {
      "is_admin": 0,
      "roles": [
        "facd80ce22d44eae87375f11295f8e51"
      ]
    }
  }
}
Validate the user's token (note the presence of the 'manager' role):
GET http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
=======================================================================
X-Auth-Token: ADMIN
200 OK
======
Status: 200
Content-Length: 490
Content-Location: http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
Vary: X-Auth-Token
Date: Fri, 24 Aug 2012 22:44:01 GMT
Content-Type: application/json
{
  "access": {
    "token": {
      "expires": "2012-08-25T22:43:24Z",
      "id": "c0db082bdb7f47e4845d7be551558620",
      "tenant": {
        "description": null,
        "enabled": true,
        "id": "10e2a090121748388cf39e915d376f29",
        "name": "project-x"
      }
    },
    "serviceCatalog": {},
    "user": {
      "username": "joe",
      "roles_links": [],
      "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
      "roles": [
        {
          "id": "facd80ce22d44eae87375f11295f8e51",
          "name": "manager"
        }
      ],
      "name": "joe"
    },
    "metadata": {
      "is_admin": 0,
      "roles": [
        "facd80ce22d44eae87375f11295f8e51"
      ]
    }
  }
}
As admin, revoke the 'manager' role from the user:
$ keystone user-role-remove --user-id=b2a6f8d5dbb249f3b9ac8a46e8cb77e6 --role-id=facd80ce22d44eae87375f11295f8e51 --tenant-id=10e2a090121748388cf39e915d376f29
As admin, the validation response remains unchanged (including the
revoked 'manager' role):
GET http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
=======================================================================
X-Auth-Token: ADMIN
200 OK
======
Status: 200
Content-Length: 490
Content-Location: http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
Vary: X-Auth-Token
Date: Fri, 24 Aug 2012 22:44:46 GMT
Content-Type: application/json
{
  "access": {
    "token": {
      "expires": "2012-08-25T22:43:24Z",
      "id": "c0db082bdb7f47e4845d7be551558620",
      "tenant": {
        "description": null,
        "enabled": true,
        "id": "10e2a090121748388cf39e915d376f29",
        "name": "project-x"
      }
    },
    "serviceCatalog": {},
    "user": {
      "username": "joe",
      "roles_links": [],
      "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
      "roles": [
        {
          "id": "facd80ce22d44eae87375f11295f8e51",
          "name": "manager"
        }
      ],
      "name": "joe"
    },
    "metadata": {
      "is_admin": 0,
      "roles": [
        "facd80ce22d44eae87375f11295f8e51"
      ]
    }
  }
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1041396/+subscriptions
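The reproduction steps above boil down to one design question: does the validation endpoint answer from the role snapshot stored with the token at issuance, or from the assignment store as it is now? The following is an added example, not Keystone's own code, that models both answers in a few dozen lines of Python. IdentityService, its grant/revoke/issue_token/validate_* methods and every id, name and timestamp in it are constructed for illustration; validate_vulnerable reproduces the reported behaviour (revoked role still returned), and validate_hardened recomputes roles at validation time and answers 404 once a role the token was issued with has been revoked, which is the ideal outcome the report asks for.

```python
"""Added example (not Keystone's code): token validation that echoes the
issuance-time role snapshot (the reported bug) next to a validator that
consults the current role assignments. All ids are constructed samples."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class NotFound(Exception):
    """Corresponds to an HTTP 404 from GET /v2.0/tokens/{id}."""


@dataclass
class IdentityService:
    roles: dict                                   # role id -> role name
    assignments: dict = field(default_factory=dict)  # (user, tenant) -> {role ids}
    tokens: dict = field(default_factory=dict)       # token id -> issuance payload
    token_lifetime: timedelta = timedelta(hours=24)

    def grant(self, user_id, tenant_id, role_id):
        self.assignments.setdefault((user_id, tenant_id), set()).add(role_id)

    def revoke(self, user_id, tenant_id, role_id):
        # What `keystone user-role-remove` does to the assignment store.
        self.assignments.get((user_id, tenant_id), set()).discard(role_id)

    def _current_roles(self, user_id, tenant_id):
        return set(self.assignments.get((user_id, tenant_id), set()))

    def issue_token(self, user_id, tenant_id, now=None):
        """POST /v2.0/tokens: the roles are snapshotted into the token."""
        now = now or datetime.now(timezone.utc)
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {
            "user_id": user_id,
            "tenant_id": tenant_id,
            "expires": now + self.token_lifetime,
            "roles": self._current_roles(user_id, tenant_id),
        }
        return token_id

    def _lookup(self, token_id, now):
        payload = self.tokens.get(token_id)
        if payload is None or payload["expires"] <= now:
            raise NotFound(token_id)
        return payload

    def validate_vulnerable(self, token_id, now=None):
        """Reported behaviour: returns the snapshot, so a role revoked after
        issuance is still present in the validation response."""
        payload = self._lookup(token_id, now or datetime.now(timezone.utc))
        return self._render(payload, payload["roles"])

    def validate_hardened(self, token_id, now=None):
        """Re-reads the assignment store. If any role the token was issued with
        has been revoked, the token is dropped and the endpoint answers 404."""
        payload = self._lookup(token_id, now or datetime.now(timezone.utc))
        current = self._current_roles(payload["user_id"], payload["tenant_id"])
        if not payload["roles"] <= current:
            del self.tokens[token_id]  # revocation invalidates the whole token
            raise NotFound(token_id)
        # Return the issuance-time set: a token's authority never grows, even if
        # the user was granted further roles after it was issued.
        return self._render(payload, payload["roles"])

    def _render(self, payload, role_ids):
        ids = sorted(role_ids)
        return {
            "user": {"id": payload["user_id"],
                     "roles": [{"id": r, "name": self.roles[r]} for r in ids]},
            "metadata": {"roles": ids},
        }


def demo():
    """Runs the report's steps (authenticate, revoke, validate) on both paths.
    Returns the stale role names the vulnerable path still reports and the
    status the hardened path answers with."""
    svc = IdentityService(roles={"role-manager": "manager", "role-member": "member"})
    svc.grant("user-joe", "tenant-x", "role-manager")
    svc.grant("user-joe", "tenant-x", "role-member")
    token = svc.issue_token("user-joe", "tenant-x")
    svc.revoke("user-joe", "tenant-x", "role-manager")
    stale = [r["name"] for r in svc.validate_vulnerable(token)["user"]["roles"]]
    try:
        svc.validate_hardened(token)
        status = "200"
    except NotFound:
        status = "404"
    return stale, status


if __name__ == "__main__":
    print(demo())  # (['manager', 'member'], '404')
```

The hardened path deliberately returns the issuance-time role set rather than the current one after the subset check, so an old token cannot pick up roles granted later; the weaker fix the report accepts as a minimum (drop only the revoked role and keep the token) would return the intersection of the two sets instead.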