Reviewed:  https://review.opendev.org/c/openstack/keystone/+/945429
Committed: https://opendev.org/openstack/keystone/commit/b834722f117e566fcf49f0bdbaaf9da345dfacde
Submitter: "Zuul (22348)"
Branch:    master
commit b834722f117e566fcf49f0bdbaaf9da345dfacde
Author: Artem Goncharov <[email protected]>
Date:   Tue Mar 25 09:13:55 2025 +0100

    Prevent MFA bypass

    When a user's MFA rule contains only invalid auth methods, no other
    rules are respected, allowing the user to bypass MFA rules.

    Improve the intersection check by ignoring the rule when no valid
    auth method is included, but also implement a fallback mechanism
    that allows the user to log in with other credentials when no MFA
    rules are valid.

    Closes-bug: 2102096
    Change-Id: I53723bfe6e56443c555bce7f5cc302fac89d25b2
    Signed-off-by: Artem Goncharov <[email protected]>

** Changed in: keystone
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2102096

Title:
  When MFA rule set contains a part that is composed of unavailable methods only, all available auth methods are allowed

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Assume that there is a user whose MFA rule is like the one below, and that unknown-method-1 and unknown-method-2 are unavailable auth methods (the reason for the unavailability does not matter here).

    "options": {
        "multi_factor_auth_enabled": true,
        "multi_factor_auth_rules": [
            ["password", "totp"],
            ["unknown-method-1", "unknown-method-2"]
        ]
    }

  Then the user can authenticate with any combination of methods that are not listed in the rule, in particular only password or only totp. I guess this is not intended behavior.

  In code: https://opendev.org/openstack/keystone/src/tag/26.0.0/keystone/auth/core.py#L494
  When checking the rule ["unknown-method-1", "unknown-method-2"], r_set becomes an empty set, thus `set(auth_method).issuperset(r_set)` is always True and any auth_method can pass the check.
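The empty-intersection defect from the bug description beside the behaviour the commit message describes (skip rules with no loaded method, fall back when none remain), as a simplified Python model added here; it is not Keystone's own keystone/auth/core.py code, and LOADED_METHODS is a constructed set of loaded auth methods.

```python
# Added illustration of the check described in bug 2102096; a simplified
# model, not Keystone's own code. Function names are hypothetical.

# Constructed: the auth methods this hypothetical deployment has loaded.
LOADED_METHODS = frozenset({"password", "totp", "token"})

# The user's rules from the bug report: one list per rule.
MFA_RULES = [
    ["password", "totp"],
    ["unknown-method-1", "unknown-method-2"],
]


def rules_pass_vulnerable(rules, auth_methods, loaded=LOADED_METHODS):
    """Pre-fix behaviour: intersect each rule with the loaded methods and
    accept if the presented methods are a superset of that intersection.
    A rule made only of unloaded methods intersects to set(), and every
    set is a superset of set(), so any presented methods match it."""
    for rule in rules:
        r_set = set(rule).intersection(loaded)
        if set(auth_methods).issuperset(r_set):
            return True
    return False


def rules_pass_fixed(rules, auth_methods, loaded=LOADED_METHODS):
    """Behaviour described by the fix: drop rules whose intersection with
    the loaded methods is empty, so they can no longer match everything.
    If no usable rule remains, fall back to accepting the presented
    credentials instead of locking the user out."""
    usable = [r for r in (set(rule).intersection(loaded) for rule in rules) if r]
    if not usable:
        return True  # fallback: the user has no enforceable MFA rule
    return any(set(auth_methods).issuperset(r) for r in usable)


def compare(auth_methods, rules=MFA_RULES):
    """Return (result before fix, result after fix) for one login attempt."""
    return rules_pass_vulnerable(rules, auth_methods), rules_pass_fixed(rules, auth_methods)


if __name__ == "__main__":
    for attempt in (["password"], ["totp"], ["token"], ["password", "totp"]):
        before, after = compare(attempt)
        print(f"{attempt!s:22} before fix: {before!s:5} after fix: {after}")
```

Only the full ["password", "totp"] login passes after the fix; a single factor, or an unrelated loaded method such as token, now fails instead of slipping through the empty second rule.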
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2102096/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

