
yahoo-eng-team team mailing list archive

[Bug 2102096] Re: When MFA rule set contains a part that is composed of unavailable methods only, all available auth methods are allowed


Reviewed:  https://review.opendev.org/c/openstack/keystone/+/945429
Committed: https://opendev.org/openstack/keystone/commit/b834722f117e566fcf49f0bdbaaf9da345dfacde
Submitter: "Zuul (22348)"
Branch:    master

commit b834722f117e566fcf49f0bdbaaf9da345dfacde
Author: Artem Goncharov <artem.goncharov@xxxxxxxxx>
Date:   Tue Mar 25 09:13:55 2025 +0100

    Prevent MFA bypass
    
    When a user's MFA rules contain only invalid auth methods, no other rules
    are respected, allowing the user to bypass MFA rules. Improve the
    intersection check by ignoring the rule when no valid auth method is
    included, but also implement a fallback mechanism that allows the user to
    log in with other credentials when no MFA rules are valid.
    
    Closes-bug: 2102096
    
    Change-Id: I53723bfe6e56443c555bce7f5cc302fac89d25b2
    Signed-off-by: Artem Goncharov <artem.goncharov@xxxxxxxxx>


** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2102096

Title:
  When MFA rule set contains a part that is composed of unavailable
  methods only, all available auth methods are allowed

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Assume that there is a user whose MFA rule is like below, and
  unknown-method-1 and unknown-method-2 are unavailable auth methods (the
  reason for the unavailability does not matter here).

  "options": {
    "multi_factor_auth_enabled": true,
    "multi_factor_auth_rules": [
      ["password", "totp"],
      ["unknown-method-1", "unknown-method-2"]
    ]
  }

  Then, the user can authenticate with any combination of methods that
  are not listed in the rule, in particular, only password or only totp.
  I guess this is not intended behavior.

  In code: https://opendev.org/openstack/keystone/src/tag/26.0.0/keystone/auth/core.py#L494
  when checking the rule ["unknown-method-1", "unknown-method-2"], r_set becomes an empty set thus `set(auth_method).issuperset(r_set)` is always True and any auth_method can pass the check.

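The following is an added illustration of the check the bug report describes, not keystone's own code. `check_rules_vulnerable` reproduces the reported behaviour: a rule made only of unavailable methods intersects down to an empty set, every set is a superset of the empty set, and so the check passes for any presented method. `check_rules_fixed` shows the two changes the commit message names, skipping rules with no available method and falling back when no rule is usable at all. The set of loaded methods, the rule lists and the exact fallback policy (accept only presented methods that are actually available, never a blanket pass) are assumptions made for this example.

```python
"""Constructed reproduction of the MFA rule-set check in bug 2102096.

Not keystone's code: a simplified model of the logic the report
describes, with a hardened variant next to it.
"""

# Constructed: auth methods this hypothetical deployment has loaded.
AVAILABLE_METHODS = frozenset({"password", "totp", "token"})

# Constructed: the rule set quoted in the bug report.
MFA_RULES = [
    ["password", "totp"],
    ["unknown-method-1", "unknown-method-2"],
]


def check_rules_vulnerable(auth_methods, rules, available=AVAILABLE_METHODS):
    """Behaviour described in the report.

    For the second rule r_set is empty, and set(x).issuperset(set()) is
    True for every x, so a single 'password' or 'totp' (or anything else
    that is loaded) passes the MFA check.
    """
    for rule in rules:
        r_set = set(rule).intersection(available)
        if set(auth_methods).issuperset(r_set):
            return True
    return False


def check_rules_fixed(auth_methods, rules, available=AVAILABLE_METHODS):
    """Hardened form following the commit message.

    1. A rule with no available method cannot be satisfied, so it is
       ignored instead of matching everything.
    2. If no rule is usable at all, fall back to ordinary credential
       checking: accept only a non-empty set of presented methods that
       are all actually available. (Fallback policy is an assumption.)
    """
    presented = set(auth_methods)
    usable_rules = []
    for rule in rules:
        r_set = set(rule).intersection(available)
        if r_set:  # skip rules that reduce to the empty set
            usable_rules.append(r_set)

    if not usable_rules:
        # Fallback: nothing enforceable, but never a blanket pass.
        return bool(presented) and presented <= available

    return any(presented.issuperset(r_set) for r_set in usable_rules)


if __name__ == "__main__":
    for methods in (["password"], ["totp"], ["token"], ["password", "totp"]):
        print(
            f"{methods!s:22} vulnerable={check_rules_vulnerable(methods, MFA_RULES)!s:5} "
            f"fixed={check_rules_fixed(methods, MFA_RULES)}"
        )
```

Run stand-alone, the table shows the vulnerable check accepting a lone `password`, a lone `totp` and even `token`, while the fixed check accepts only the full `["password", "totp"]` pair for this rule set.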