
yahoo-eng-team team mailing list archive

[Bug 1477600] Re: Token Validation API returns 401 not 404 on invalid fernet token


** Changed in: keystone/kilo
       Status: Fix Released => Fix Committed

** Changed in: keystone/kilo
    Milestone: 2015.1.2 => 2015.1.3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1477600

Title:
  Token Validation API returns 401 not 404 on invalid fernet token

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Committed

Bug description:
  Validate token API specifies 404 response for invalid Subject tokens:
   * http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
   * http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC auth middleware has the same logic as v2.0)

  For Fernet tokens, this API returns 401 for invalid token:

  curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
  {"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}

  I've checked the tests and found an incorrect one. The API spec requires 404,
  but the test checks for 401:
  https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51

  Looks like it's broken in one of these places:
   * Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L448
   * Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
   * Fernet token raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201

  Note that UUID token raises 404 here as expected
  https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679

  Also, note that in the KSC auth middleware
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147
  we expect 404 for an invalid USER token, and 401 for an invalid ADMIN
  token. So 401 for an invalid user token makes the middleware go for a new admin
  token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1477600/+subscriptions
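To make the middleware consequence concrete, here is an added Python model (not keystone's or keystoneclient's code) of a validate-token client that reads 404 as "subject token invalid" and 401 as "my own admin token is invalid"; the two fake keystone servers and the token strings are constructed for the example.

```python
"""Hypothetical model of how an auth_token-style middleware reacts to the
status code of keystone's validate-token call (not keystoneclient code)."""
# Constructed token values understood by the fake keystone servers below.
VALID_ADMIN = "admin-ok"
VALID_USER = "user-ok"


def spec_keystone(admin_token, subject_token):
    """Status codes as the v2.0/v3 API reference specifies them."""
    if admin_token != VALID_ADMIN:
        return 401  # the caller's own (admin) token is bad
    if subject_token != VALID_USER:
        return 404  # the subject token is invalid or unknown
    return 200


def fernet_bug_keystone(admin_token, subject_token):
    """Models the reported Fernet behaviour: 401 for an invalid subject too."""
    if admin_token != VALID_ADMIN or subject_token != VALID_USER:
        return 401
    return 200


class Middleware:
    def __init__(self, validate):
        self.validate = validate
        self.admin_token = VALID_ADMIN
        self.admin_reauths = 0  # how often a new admin token was fetched

    def _reauth(self):
        self.admin_reauths += 1
        self.admin_token = VALID_ADMIN

    def handle(self, subject_token):
        """Return what the end user sees: 'accepted' or 'rejected'."""
        for attempt in range(2):
            status = self.validate(self.admin_token, subject_token)
            if status == 200:
                return "accepted"
            if status == 404:
                return "rejected"  # user token invalid: reject the request
            if status == 401 and attempt == 0:
                self._reauth()  # assume our admin token expired and retry
                continue
            break
        return "rejected"


def reauths_for_invalid_user(validate):
    """Count admin re-authentications triggered by one bogus user token."""
    mw = Middleware(validate)
    mw.handle("user-bogus")
    return mw.admin_reauths
```

Against the spec-conformant server a bogus user token is rejected with no admin re-authentication; against the Fernet-like server the same request first costs a needless admin token fetch.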

