yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1656076] Re: The keystone server auth plugin methods could mismatch user_id in auth_context

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1656076@xxxxxxxxxxxxxxxxxx>
Date: Sat, 14 Jan 2017 10:35:27 -0000
Reply-to: Bug 1656076 <1656076@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/419693
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0f3f08c3df0dd6c32e685dae6726e945b01ea8c7
Submitter: Jenkins
Branch:    master

commit 0f3f08c3df0dd6c32e685dae6726e945b01ea8c7
Author: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date:   Thu Jan 12 15:19:48 2017 -0800

    Force use of AuthContext object in .authentcate()
    
    Force the keystone.auth.controllers.Auth.authenticate method to
    require the use of an AuthContext object instead of something
    duck-typed (dictionary). This is done to ensure the security and
    integrity of IDENTITY_KEYS are covered and values are not changed
    by a plugin due to the security built into AuthContext being
    circumvented since it was not used. This is not pythonic, this
    is being done for hardening purposes.
    
    Change-Id: I013846af59587d17b15ca4cf546e6372231f576e
    Closes-Bug: #1656076


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  Fix Released

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions

References

[Bug 1656076] [NEW] The keystone server auth pluigin methods could mismatch user_id in auth_context
From: Morgan Fainberg, 2017-01-12