yahoo-eng-team team mailing list archive
Message #45070
[Bug 1477600] Re: Token Validation API returns 401 not 404 on invalid fernet token
** Changed in: keystone/kilo
Status: Fix Released => Fix Committed
** Changed in: keystone/kilo
Milestone: 2015.1.2 => 2015.1.3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1477600
Title:
Token Validation API returns 401 not 404 on invalid fernet token
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Fix Committed
Bug description:
Validate token API specifies 404 response for invalid Subject tokens:
* http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
* http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
I've checked the tests and found an incorrect one. The API spec requires 404,
but the test checks for 401:
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of these places:
* Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L448
* Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
* Fernet token raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected
https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679
Also, note that in the KSC auth middleware https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147
we expect 404 for an invalid USER token, and 401 for an invalid ADMIN
token. So 401 for an invalid user token makes the middleware go for a new admin
token.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1477600/+subscriptions
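The 401-versus-404 interaction the report above describes, as an added model that is not keystone's own code: a stand-in validate endpoint and a minimal auth_token-style middleware. The FakeKeystone class, the token values and the `fernet_bug` switch are constructed for this example; what it shows is that a 401 for a bad subject token makes the middleware re-authenticate as admin on every bad user token instead of simply rejecting the request.

```python
class FakeKeystone:
    """Stand-in for the validate endpoint (GET /v3/auth/tokens), constructed here."""

    def __init__(self, fernet_bug):
        self.fernet_bug = fernet_bug       # True: mimic the reported Fernet behaviour
        self.admin_tokens = {"admin-1"}    # constructed sample tokens
        self.user_tokens = {"user-ok"}
        self.admin_issued = 1

    def validate(self, admin_token, subject_token):
        """Status the middleware's X-Auth-Token / X-Subject-Token request gets back."""
        if admin_token not in self.admin_tokens:
            return 401                     # the caller's own token is rejected
        if subject_token not in self.user_tokens:
            return 401 if self.fernet_bug else 404   # the spec says 404 here
        return 200

    def issue_admin_token(self):
        """New admin token, as the middleware obtains when it re-authenticates."""
        self.admin_issued += 1
        token = "admin-%d" % self.admin_issued
        self.admin_tokens.add(token)
        return token


class AuthTokenMiddleware:
    """Minimal model of how auth_token interprets the validate status."""

    def __init__(self, keystone):
        self.keystone = keystone
        self.admin_token = "admin-1"
        self.admin_refreshes = 0           # how often we went for a new admin token

    def is_valid(self, user_token):
        status = self.keystone.validate(self.admin_token, user_token)
        if status == 401:                  # read as: OUR admin token is bad
            self.admin_token = self.keystone.issue_admin_token()
            self.admin_refreshes += 1
            status = self.keystone.validate(self.admin_token, user_token)
        if status == 200:
            return True
        if status in (401, 404):           # 404: user token invalid; 401 twice: give up
            return False
        raise RuntimeError("unexpected status %d" % status)


def simulate(fernet_bug, user_token):
    """Return (accepted, admin_refreshes) for one request through the middleware."""
    mw = AuthTokenMiddleware(FakeKeystone(fernet_bug))
    return mw.is_valid(user_token), mw.admin_refreshes
```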