python-oauth2 dependency is unmaintained and has security issues

Bug #1240382 reported by Philippe Makowski
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Matthieu Huin |
Havana | Won't Fix | High | Unassigned |

Bug Description

oauth2 is not maintained, has 2 CVE issues (CVE-2013-4346 and CVE-2013-4347) and is not Python 3 compatible.
Can you remove this dependency (maybe switching to requests?)

Tags: security
information type: Private Security → Public Security
Davanum Srinivas (DIMS) (dims-v) wrote :
Philippe Makowski (pmakowski) wrote :

https://pypi.python.org/pypi/oauthlib is certainly a better choice

Thierry Carrez (ttx) wrote :

That would indeed be great.

information type: Public Security → Public
tags: added: security
summary: - oauth2 dependency
+ oauth2 dependency is unmaintained and has security issues
Changed in keystone:
importance: Undecided → High
status: New → Confirmed
summary: - oauth2 dependency is unmaintained and has security issues
+ python-oauth2 dependency is unmaintained and has security issues
Matthieu Huin (mhu-s)
Changed in keystone:
assignee: nobody → Matthieu Huin (mhu-s)
Dolph Mathews (dolph) wrote :

Not sure if we want to merge these two bugs or not, but downstream issue in ubuntu is tracked in bug 1223010

Matthieu Huin (mhu-s) wrote :

Some notes Steve Martinelli sent me to help:

1. The following are spots where we currently use the old library:
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/core.py#L33 (to 40 - plug points for the library)
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/core.py#L123 (splitting headers)
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/controllers.py#L181 (to 192 - verifying request for request token call)
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/controllers.py#L251 (to 267 - verifying request for access token call)
https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/oauth1.py#L57 (to 72 - verifying request for authenticate call)
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_oauth1.py (a bunch of places)

2a. The part that bugs me about oauthlib is the fact that you have to implement an interface (RequestValidator), https://oauthlib.readthedocs.org/en/latest/oauth1/server.html#implement-a-validator . At least this is my impression upon reading the docs.
2b. Actual RequestValidator class: https://github.com/idan/oauthlib/blob/master/oauthlib/oauth1/rfc5849/request_validator.py , raises a lot of not implemented exceptions.

3. I did find one instance of a coder that had to switch from using python-oauth2 to oauthlib, for a client application he was writing, it'll be handy for migrating the tests: https://github.com/gfairchild/yelpapi/commit/71b0a947d56445fe71750255827a07c56ce3f1e5

Indeed, the RequestValidator might be the tricky part.

Philippe Makowski (pmakowski) wrote :
Matthieu Huin (mhu-s) wrote :

@pmakowski, had a quick look, seems to be a client lib. It could be useful for testing. Thanks!

Thomas Goirand (thomas-goirand) wrote :

Hi,

I'd like to point out that, because nobody took care of fixing this issue fast enough, python-oauth2 and Keystone were removed from Debian testing today. It'd be nice if this issue could be addressed.

Matthieu Huin (mhu-s) wrote :

Hi Thomas,
I am having some trouble with the new library, as it implements oauth more strictly than the previous one. I am going to push my work as WIP, hopefully the community can provide some suggestions to go on with it.

Philippe Makowski (pmakowski) wrote :

Hi Matthieu,

Since in Mageia we also, as in Debian testing, removed python-oauth2, if you have any visible WIP, please tell me where I can look at it. Maybe I can help, even if my keystone knowledge is weak today. It could be an opportunity to learn.

Steve Martinelli (stevemar) wrote :

Hi Philippe,

Here is the WIP patch: https://review.openstack.org/#/c/64427/

Changed in keystone:
assignee: Matthieu Huin (mhu-s) → Dolph Mathews (dolph)
status: Confirmed → In Progress
Changed in keystone:
assignee: Dolph Mathews (dolph) → David Stanek (dstanek)
Changed in keystone:
assignee: David Stanek (dstanek) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/64427
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bed88a2e724f5f23a1c839b7872b1bc56f059df5
Submitter: Jenkins
Branch: master

commit bed88a2e724f5f23a1c839b7872b1bc56f059df5
Author: Matthieu Huin <email address hidden>
Date: Mon Dec 2 10:43:10 2013 +0100

    Replacing python-oauth2 by oauthlib

    This patch replaces the old, unmaintained python-oauth2 library
    by the better suited oauthlib in keystone oAuth modules.

    The library switch comes with two notable changes in terms of use:

    * the client must set the callback uri to 'oob' (out-of-band)
      explicitly when requesting a Request Token
    * the requested_project_id header is not included in the signature
      anymore, in compliance with the oAuth1 spec.

    Closes-Bug: 1240382
    Change-Id: Ie553830cc80075aa818e719604e6bc4c754d2ae3

Changed in keystone:
status: In Progress → Fix Committed
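The two behaviour changes listed in the commit message, shown as an added example that is not keystone's or oauthlib's code: a stdlib-only RFC 5849 HMAC-SHA1 signer over constructed keys and a constructed endpoint, which makes visible that oauth_callback=oob is bound by the signature while an HTTP header such as requested_project_id is outside the signed base string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6 encoding: only unreserved characters stay as-is.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & base-URI & normalized oauth/query params.
    # HTTP headers such as requested_project_id never enter the base string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_sign(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer secret & token secret (empty on the request-token call).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def request_token_params(consumer_key, nonce, timestamp, callback="oob"):
    # RFC 5849 section 2.1 requires oauth_callback and oauthlib enforces it,
    # so a client without a callback URL must send 'oob' explicitly.
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "oauth_callback": callback,
    }

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Server side: recompute from received params and compare in constant time.
    expected = hmac_sha1_sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed example values, not real keystone credentials or endpoints.
URL = "https://keystone.example.test/v3/OS-OAUTH1/request_token"
SECRET = "consumer-secret"
PARAMS = request_token_params("consumer-key", "n0nce", 1386000000)
SIGNATURE = hmac_sha1_sign("POST", URL, PARAMS, SECRET)

def callback_is_bound():
    # Changing oauth_callback after signing must make verification fail.
    tampered = dict(PARAMS, oauth_callback="https://other.example/cb")
    ok = verify("POST", URL, PARAMS, SIGNATURE, SECRET)
    return ok and not verify("POST", URL, tampered, SIGNATURE, SECRET)
```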
Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Matthieu Huin (mhu-s)
Thomas Goirand (thomas-goirand) wrote :

Hi,

Is there someone working on the backport to Havana? FYI, keystone is currently blocked from migrating from Debian Sid to Debian testing because of this problem (e.g. oauth2 has been removed from testing because it is unmaintained).

Cheers,

Thomas

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
Alan Pevec (apevec) wrote :

As discussed on the stable-maint list[1], such a change isn't appropriate for the stable branch.
Distros can carry the proposed patch[2] or drop oauth support in their Havana packages, to address security concerns with oauth2.

[1] http://lists.openstack.org/pipermail/openstack-stable-maint/2014-March/002242.html
[2] https://review.openstack.org/70750

Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-2 → 2014.1