I don't think so, looks like we just missed lifting the embargo. Based on comments above, I'll do that now. Thanks for the reminder.
** Description changed: - This issue is being treated as a potential security risk under embargo. - Please do not make any public mention of embargoed (private) security - vulnerabilities before their coordinated publication by the OpenStack - Vulnerability Management Team in the form of an official OpenStack - Security Advisory. This includes discussion of the bug or associated - fixes in public forums such as mailing lists, code review systems and - bug trackers. Please also avoid private disclosure to other individuals - not already approved for access to this information, and provide this - same reminder to those who are made aware of the issue prior to - publication. All discussion should remain confined to this private bug - report, and any proposed fixes should be added to the bug as - attachments. - If you create an unscoped token (A) and you then use token A to create a project-scoped token (B) you now have token (A) [audit_id] = audit_id_a token (A) [audit_chain_id] = [audit_id_a] token (B) [audit_id] = audit_id_b token (B) [audit_chain_id] = [audit_id_a, audit_id_b] If you Revoke(token A) then token B should also be invalid. However, this is not the case currently as there are two reasons for this. There is a bug that doesn't correctly catch this in revoke_models because it accidently changes a list to a list in a tuple: https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201 This needs to have the comma removed from not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id']) The second and main reason is because this functionality is never exposed to the user and in the code it is never run here: https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277 because revoke_chain=False in the parameter is never set to True in a call anywhere in the code. ** Information type changed from Private Security to Public ** Changed in: ossa Status: Incomplete => Won't Fix ** Tags added: security -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1680911 Title: Revoking an unscoped token does not revoke all tokens scoped from the unscoped token Status in OpenStack Identity (keystone): Triaged Status in OpenStack Security Advisory: Won't Fix Bug description: If you create an unscoped token (A) and you then use token A to create a project-scoped token (B) you now have token (A) [audit_id] = audit_id_a token (A) [audit_chain_id] = [audit_id_a] token (B) [audit_id] = audit_id_b token (B) [audit_chain_id] = [audit_id_a, audit_id_b] If you Revoke(token A) then token B should also be invalid. However, this is not the case currently as there are two reasons for this. There is a bug that doesn't correctly catch this in revoke_models because it accidently changes a list to a list in a tuple: https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201 This needs to have the comma removed from not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id']) The second and main reason is because this functionality is never exposed to the user and in the code it is never run here: https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277 because revoke_chain=False in the parameter is never set to True in a call anywhere in the code. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1680911/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
