yahoo-eng-team team mailing list archive

[Bug 1347909] [NEW] Trust unit tests should target additional threat scenarios

 

Public bug reported:

During the OpenStack Security Group Juno midcycle, some threat modelling
work around Keystone trusts identified some threat scenarios that the
existing unit tests do not cover.  It should be made clear that these
scenarios are handled correctly by Keystone from a security standpoint,
but tests should be added to protect against regressions in these
security sensitive areas.

Scenario 1:
-------------
The first scenario is related to deletion of a grant that has been previously delegated via a trust.  We need to ensure that executing a trust for a role that the trustor no longer has is rejected.  For example, consider the following chain of events:

- User A is granted 'somerole' on 'someproject'.
- User A creates a trust to delegate 'somerole' on 'someproject' to User B.
- The grant for 'somerole' on 'someproject' for user A is deleted.
- User B attempts to execute the trust, which should be rejected.


Scenario 2:
-------------
The second scenario is related to an attempt to use a trust token with impersonation to execute another trust as the impersonated user.  We need to ensure that a trust token can't be used to execute another trust.  For example, consider the following chain of events:

- User A creates a trust to delegate some roles to User B.
- User B creates a trust to delegate some roles to User C.
- User C successfully executes the trust to impersonate User B.
- User C uses the trust token that impersonates User B to attempt to execute the trust created by User A, which should be rejected.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1347909

Title:
  Trust unit tests should target additional threat scenarios

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1347909/+subscriptions
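
The two chains of events in the report, written out as regression checks against a constructed in-memory model. This is an added example, not part of the original bug report and not Keystone code: `ToyIdentity`, `Trust`, `Token`, `attempt` and the short role/project names in scenario 2 are hypothetical, and the order of the checks is an assumption.

```python
from collections import namedtuple

# Constructed toy model; these names are hypothetical, not Keystone's API.
Trust = namedtuple("Trust", "trustor trustee project roles impersonation")
# trust_id is set only on tokens that were obtained by executing a trust.
Token = namedtuple("Token", "user trust_id", defaults=[None])

class Forbidden(Exception):
    """Trust execution was refused."""

class ToyIdentity:
    def __init__(self, grants):
        self.grants = set(grants)   # {(user, role, project)}
        self.trusts = {}            # trust_id -> Trust

    def execute_trust(self, token, trust_id):
        trust = self.trusts[trust_id]
        if token.trust_id is not None:    # scenario 2: no chaining via trust tokens
            raise Forbidden("trust-scoped token cannot execute a trust")
        if token.user != trust.trustee:
            raise Forbidden("caller is not the trustee")
        for role in sorted(trust.roles):  # scenario 1: re-check trustor grants at use
            if (trust.trustor, role, trust.project) not in self.grants:
                raise Forbidden("trustor no longer has role " + role)
        # With impersonation the issued token acts as the trustor.
        return Token(trust.trustor if trust.impersonation else trust.trustee, trust_id)

def attempt(ks, token, trust_id):
    """Return the issued Token, or the refusal reason as a string."""
    try:
        return ks.execute_trust(token, trust_id)
    except Forbidden as exc:
        return str(exc)

def scenario_1():
    ks = ToyIdentity({("A", "somerole", "someproject")})
    ks.trusts["t_ab"] = Trust("A", "B", "someproject", {"somerole"}, False)
    before = attempt(ks, Token("B"), "t_ab")              # grant still present
    ks.grants.discard(("A", "somerole", "someproject"))   # grant deleted
    return before, attempt(ks, Token("B"), "t_ab")

def scenario_2():
    ks = ToyIdentity({("A", "r", "p"), ("B", "r", "p")})
    ks.trusts["t_ab"] = Trust("A", "B", "p", {"r"}, False)
    ks.trusts["t_bc"] = Trust("B", "C", "p", {"r"}, True)
    as_b = attempt(ks, Token("C"), "t_bc")    # C now holds a token acting as B
    return as_b, attempt(ks, as_b, "t_ab")    # same user id as the trustee of t_ab
```

In scenario 2 the impersonating token carries User B's id, so the trustee comparison alone would pass; only the check on the token's trust scope refuses it, which is why that path needs its own regression test.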
