← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #89822

[Bug 1992183] [NEW] Openstack: Application credential token remains valid longer than expected

  Thread PreviousDate PreviousThread Next 
*** This bug is a security vulnerability ***

Public security bug reported:

Description of problem:
Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.

How reproducible: 100%

Steps to Reproduce:
1. Create application credentials with short expiration time (e.g. 10 seconds)
2. openstack token issue
--> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired.

```bash
#!/usr/bin/env bash

set -Eeuo pipefail

openstack image create --disk-format=raw --container-format=bare --file
<(echo 'I am a Glance image') testimage -f json > image.json

image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[]
| select(.interface=="public").url')$(jq -r '.file' image.json)"

openstack application credential create \
	--expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
	token_test \
	-f json \
	> appcreds.json

cat <<EOF > clouds.yaml
clouds:
    ${OS_CLOUD}:
        auth:
            auth_url: <auth_url>
            application_credential_id: '$(jq -r '.id' appcreds.json)'
            application_credential_secret: '$(jq -r '.secret' appcreds.json)'
        auth_type: "v3applicationcredential"
        identity_api_version: 3
        interface: public
        region_name: <region_name>
EOF
# Override ~/.config/openstack/secure.yaml
touch secure.yaml

openstack token issue -f json > token.json

echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
for i in {1..10}; do
	sleep 100
	echo -ne "$(date --utc --rfc-3339=seconds)\t"
	curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
done

```

Actual results (on a cloud with tokens duration of 24h):
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:56:38+00:00       HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00       HTTP/1.1 200 OK
2022-07-08 14:00:00+00:00       HTTP/1.1 200 OK
2022-07-08 14:01:42+00:00       HTTP/1.1 200 OK
2022-07-08 14:03:23+00:00       HTTP/1.1 200 OK
2022-07-08 14:05:07+00:00       HTTP/1.1 200 OK
2022-07-08 14:06:49+00:00       HTTP/1.1 200 OK
2022-07-08 14:08:37+00:00       HTTP/1.1 200 OK
2022-07-08 14:10:18+00:00       HTTP/1.1 200 OK
2022-07-08 14:12:00+00:00       HTTP/1.1 200 OK

Expected results:
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:54:38+00:00       HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:00:00+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:01:42+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:03:23+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:05:07+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:06:49+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:08:37+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:10:18+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:12:00+00:00       HTTP/1.1 401 Unauthorized

** Affects: keystone
     Importance: High
     Assignee: David Wilde (dave-wilde)
         Status: New

** Affects: ossa
     Importance: Undecided
     Assignee: David Wilde (dave-wilde)
         Status: New

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
     Assignee: (unassigned) => David Wilde (dave-wilde)

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1992183

Title:
  Openstack: Application credential token remains valid longer than
  expected

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  New

Bug description:
  Description of problem:
  Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
  If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.

  How reproducible: 100%

  Steps to Reproduce:
  1. Create application credentials with short expiration time (e.g. 10 seconds)
  2. openstack token issue
  --> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired.

  ```bash
  #!/usr/bin/env bash

  set -Eeuo pipefail

  openstack image create --disk-format=raw --container-format=bare
  --file <(echo 'I am a Glance image') testimage -f json > image.json

  image_url="$(openstack catalog show glance -f json | jq -r
  '.endpoints[] | select(.interface=="public").url')$(jq -r '.file'
  image.json)"

  openstack application credential create \
  	--expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
  	token_test \
  	-f json \
  	> appcreds.json

  cat <<EOF > clouds.yaml
  clouds:
      ${OS_CLOUD}:
          auth:
              auth_url: <auth_url>
              application_credential_id: '$(jq -r '.id' appcreds.json)'
              application_credential_secret: '$(jq -r '.secret' appcreds.json)'
          auth_type: "v3applicationcredential"
          identity_api_version: 3
          interface: public
          region_name: <region_name>
  EOF
  # Override ~/.config/openstack/secure.yaml
  touch secure.yaml

  openstack token issue -f json > token.json

  echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
  for i in {1..10}; do
  	sleep 100
  	echo -ne "$(date --utc --rfc-3339=seconds)\t"
  	curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
  done

  ```

  Actual results (on a cloud with tokens duration of 24h):
  appcreds expiration: 2022-07-08T13:55:02.000000
  2022-07-08 13:56:38+00:00       HTTP/1.1 200 OK
  2022-07-08 13:58:19+00:00       HTTP/1.1 200 OK
  2022-07-08 14:00:00+00:00       HTTP/1.1 200 OK
  2022-07-08 14:01:42+00:00       HTTP/1.1 200 OK
  2022-07-08 14:03:23+00:00       HTTP/1.1 200 OK
  2022-07-08 14:05:07+00:00       HTTP/1.1 200 OK
  2022-07-08 14:06:49+00:00       HTTP/1.1 200 OK
  2022-07-08 14:08:37+00:00       HTTP/1.1 200 OK
  2022-07-08 14:10:18+00:00       HTTP/1.1 200 OK
  2022-07-08 14:12:00+00:00       HTTP/1.1 200 OK

  Expected results:
  appcreds expiration: 2022-07-08T13:55:02.000000
  2022-07-08 13:54:38+00:00       HTTP/1.1 200 OK
  2022-07-08 13:58:19+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:00:00+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:01:42+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:03:23+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:05:07+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:06:49+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:08:37+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:10:18+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:12:00+00:00       HTTP/1.1 401 Unauthorized

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1992183/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next