*** This bug is a security vulnerability ***

Public security bug reported:

Description of problem:

Keystone issues tokens with the default lifespan regardless of the lifespan
of the application credentials used to issue them. If the configured lifespan
of an identity token is set to be 1h, and the application credentials expire
in 1 minute from now, a newly issued token will outlive the application
credentials used to issue it by 59 minutes.

How reproducible: 100%

Steps to Reproduce:
1. Create application credentials with a short expiration time (e.g. 10 seconds)
2. openstack token issue --> the returned token has the standard expiration, for example 1 hour.

The script below confirms that the token continues being valid after the
application credentials have expired.

```bash
#!/usr/bin/env bash
set -Eeuo pipefail

# Create a throwaway Glance image and build the URL of its file endpoint; this is the
# resource the (possibly still valid) token is tested against later.
openstack image create --disk-format=raw --container-format=bare \
  --file <(echo 'I am a Glance image') testimage -f json > image.json
image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[] | select(.interface=="public").url')$(jq -r '.file' image.json)"

# Application credential that expires 10 seconds from now.
openstack application credential create \
  --expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
  token_test \
  -f json \
  > appcreds.json

# clouds.yaml in the working directory so the next openstack calls authenticate
# with the short-lived application credential instead of the user's credentials.
cat <<EOF > clouds.yaml
clouds:
  ${OS_CLOUD}:
    auth:
      auth_url: <auth_url>
      application_credential_id: '$(jq -r '.id' appcreds.json)'
      application_credential_secret: '$(jq -r '.secret' appcreds.json)'
    auth_type: "v3applicationcredential"
    identity_api_version: 3
    interface: public
    region_name: <region_name>
EOF

# Override ~/.config/openstack/secure.yaml
touch secure.yaml

openstack token issue -f json > token.json

echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
# Probe the image endpoint with the token every ~100 s, long after the credential expired.
for i in {1..10}; do
  sleep 100
  echo -ne "$(date --utc --rfc-3339=seconds)\t"
  curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
done
```

Actual results (on a cloud with a token duration of 24h):

appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:56:38+00:00	HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00	HTTP/1.1 200 OK
2022-07-08 14:00:00+00:00	HTTP/1.1 200 OK
2022-07-08 14:01:42+00:00	HTTP/1.1 200 OK
2022-07-08 14:03:23+00:00	HTTP/1.1 200 OK
2022-07-08 14:05:07+00:00	HTTP/1.1 200 OK
2022-07-08 14:06:49+00:00	HTTP/1.1 200 OK
2022-07-08 14:08:37+00:00	HTTP/1.1 200 OK
2022-07-08 14:10:18+00:00	HTTP/1.1 200 OK
2022-07-08 14:12:00+00:00	HTTP/1.1 200 OK

Expected results:

appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:54:38+00:00	HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:00:00+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:01:42+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:03:23+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:05:07+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:06:49+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:08:37+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:10:18+00:00	HTTP/1.1 401 Unauthorized
2022-07-08 14:12:00+00:00	HTTP/1.1 401 Unauthorized

** Affects: keystone
     Importance: High
     Assignee: David Wilde (dave-wilde)
         Status: New

** Affects: ossa
     Importance: Undecided
     Assignee: David Wilde (dave-wilde)
         Status: New

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
     Assignee: (unassigned) => David Wilde (dave-wilde)

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1992183

Title:
  Openstack: Application credential token remains valid longer than expected

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1992183/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
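The expected behaviour in the report above amounts to one rule: a token issued from an application credential must not expire later than the credential itself. The following is an added example, not the reporter's script and not keystone code, that makes that rule concrete in three pieces: it computes by how much a token overruns its credential, computes the clamped expiry a token should have carried (the earlier of the configured lifetime and the credential's expires_at; credentials without an expiry do not clamp), and audits probe output in the format of the reporter's loop to flag 2xx responses after the credential expired. It assumes expires_at values in the ISO 8601 forms printed by the openstack CLI above (naive values such as '2022-07-08T13:55:02.000000' are UTC, which is Keystone's convention). The probe log is constructed: its first line is a pre-expiry probe, the rest are the first three lines of the "Actual results" above.

```python
"""Added example (not the reporter's script and not keystone code): check
whether a Keystone token outlives the application credential that issued
it, and compute the expiry Keystone should have assigned instead.

Assumptions: expires_at values are ISO 8601 as printed by the openstack CLI
(naive values such as '2022-07-08T13:55:02.000000' are UTC, Keystone's
convention); the 24h lifetime and the issue time used below are taken
from the bug report's own numbers.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware UTC datetime.

    Accepts a trailing 'Z', an explicit offset, or no zone at all (taken as UTC).
    """
    s = ts.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def token_overrun_seconds(token_expires_at: str, appcred_expires_at: str) -> float:
    """Seconds the token stays valid after its application credential expires (0 if none).

    With a 24h token lifetime and a credential expiring 10s after issuance this is
    86390s, which is the window the bug report demonstrates.
    """
    overrun = parse_utc(token_expires_at) - parse_utc(appcred_expires_at)
    return max(overrun.total_seconds(), 0.0)


def clamped_token_expiry(issued_at: str, lifetime_seconds: int,
                         appcred_expires_at: Optional[str]) -> datetime:
    """Expiry a token should carry: the earlier of the configured lifetime and the
    credential's own expires_at. A credential with no expiry does not clamp."""
    default_expiry = parse_utc(issued_at) + timedelta(seconds=lifetime_seconds)
    if appcred_expires_at is None:
        return default_expiry
    return min(default_expiry, parse_utc(appcred_expires_at))


# Constructed probe output in the format of the reporter's loop: "<UTC timestamp>\t<status line>".
# The first line is a pre-expiry probe; the rest are the first three "Actual results" lines.
PROBE_LOG = (
    "2022-07-08 13:54:38+00:00\tHTTP/1.1 200 OK\n"
    "2022-07-08 13:56:38+00:00\tHTTP/1.1 200 OK\n"
    "2022-07-08 13:58:19+00:00\tHTTP/1.1 200 OK\n"
    "2022-07-08 14:00:00+00:00\tHTTP/1.1 200 OK\n"
)


def audit_probe_log(log: str, appcred_expires_at: str) -> List[Dict]:
    """Flag every probe that succeeded (2xx) after the credential had expired."""
    cred_expiry = parse_utc(appcred_expires_at)
    findings = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        stamp, _, status_line = raw.partition("\t")
        when = parse_utc(stamp)
        code = int(status_line.split()[1])          # "HTTP/1.1 200 OK" -> 200
        after_expiry = when > cred_expiry
        findings.append({
            "at": when.isoformat(),
            "status": code,
            "after_expiry": after_expiry,
            "violation": after_expiry and 200 <= code < 300,
        })
    return findings


if __name__ == "__main__":
    cred_exp = "2022-07-08T13:55:02.000000"          # from the report's appcreds.json
    issued = "2022-07-08T13:54:52Z"                  # assumed: 10 s before the credential expiry
    print("token should have expired at:",
          clamped_token_expiry(issued, 24 * 3600, cred_exp).isoformat())
    print("overrun with a 24h token:",
          token_overrun_seconds("2022-07-09T13:54:52Z", cred_exp), "seconds")
    for f in audit_probe_log(PROBE_LOG, cred_exp):
        print(f["at"], f["status"], "VIOLATION" if f["violation"] else "ok")
```

The audit half is what an operator can run against the reporter's loop output today to measure exposure on a given cloud; the clamping half is the check a fix in the token issuance path needs to implement, and a regression test for it reduces to asserting that the token's expires_at never exceeds the credential's.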