yahoo-eng-team team mailing list archive
Message #40106
[Bug 1477600] Re: Token Validation API returns 401 not 404 on invalid fernet token
** Changed in: keystone/kilo
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1477600
Title:
Token Validation API returns 401 not 404 on invalid fernet token
Status in Keystone:
Fix Released
Status in Keystone kilo series:
Fix Released
Bug description:
Validate token API specifies 404 response for invalid Subject tokens:
* http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
* http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
I've checked the tests and found an incorrect one. The API spec requires 404,
but the test checks for 401:
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of these places:
* Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L448
* Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
* Fernet token raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected
https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679
Also, note that in the KSC auth middleware https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147
we expect 404 for an invalid USER token and 401 for an invalid ADMIN
token. So 401 for an invalid user token makes the middleware go for a new admin
token.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1477600/+subscriptions