Fernet tokens with base64 padding are not URL-safe

Bug #1433372 reported by Lance Bragstad
Affects                        Status        Importance  Assigned to     Milestone
OpenStack Identity (keystone)  Fix Released  High        Dolph Mathews
keystonemiddleware             Invalid       Undecided   Unassigned

Bug Description

The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.

This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].

[1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
[3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py

Tags: fernet
Revision history for this message
Lance Bragstad (lbragstad) wrote :

We are also safe_quote'ing things that are being passed in the headers, which I'm not entirely sure we need to do?

https://github.com/openstack/python-keystoneclient/blob/fc1f5a7963adb3c39f48131af5117bfafa3b07e7/keystoneclient/middleware/auth_token.py#L1127

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/165269

Changed in keystonemiddleware:
assignee: nobody → Lance Bragstad (lbragstad)
status: New → In Progress
Dolph Mathews (dolph) wrote :

As it turns out, the output of base64.urlsafe_b64encode() is not actually URL-safe if the result includes padding. The padding character is '=' which must be percent-encoded.

The result is that "valid" tokens are being made URL-friendly by some defensive code in keystonemiddleware, and are thus made unusable by keystone during validation.

  https://travis-ci.org/dolph/keystone-deploy/builds/54734386

If keystone emitted URL-safe tokens in the first place, the defensive code in keystonemiddleware wouldn't be triggered, and everything works properly.

Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but apparently due to a different cause.

summary: - safe_quote doesn't work for Fernet/PKI/PKIz tokens
+ Fernet tokens with base64 padding are not URL-safe
Changed in keystone:
importance: Undecided → High
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: New → In Progress
Changed in keystone:
milestone: none → kilo-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/165279
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=68a54c2cf1a7210abae9292aede5737203eb733a
Submitter: Jenkins
Branch: master

commit 68a54c2cf1a7210abae9292aede5737203eb733a
Author: Dolph Mathews <email address hidden>
Date: Wed Mar 18 03:18:31 2015 +0000

    URL quote Fernet tokens

    The padding in base64.urlsafe_b64encode()'s output is not actually URL
    safe, so you have to quote the result when it's of variable length.

    In addition, Fernet tokens can always be handled as bytes, despite being
    passed in from json.loads() as Unicode.

    Change-Id: I72dbd4ddc066706f6af6ea2f2bcd5f0a6cb9b30c
    Closes-Bug: 1433372
    Closes-Bug: 1431669

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystonemiddleware (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/165269
Reason: abandon in favor of https://review.openstack.org/#/c/165279/

Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0
Changed in keystonemiddleware:
assignee: Lance Bragstad (lbragstad) → nobody
Lance Bragstad (lbragstad) wrote :

Closing in favor of a keystone fix - https://bugs.launchpad.net/keystone/+bug/1491926

Changed in keystonemiddleware:
status: In Progress → Invalid
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/220242

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/220242
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3e3a653f9c9ce0f9a7ba842eff118e5887eb388
Submitter: Jenkins
Branch: master

commit f3e3a653f9c9ce0f9a7ba842eff118e5887eb388
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 3 16:09:03 2015 +0000

    Remove padding from Fernet tokens

    Fernet tokens were previously percent encoded. This can cause issues with
    clients doing their own encoding or not. By removing the padding and then
    re-establishing it when we validate the token, we don't present that problem to
    clients. This also shortens the length of a Fernet token.

    Change-Id: I674bad86ccc9027ac3b365c10b3b142fc9d73c17
    Related-Bug: 1433372
    Closes-Bug: 1491926
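
Illustration added here (not keystone's or keystonemiddleware's own code): a stdlib-only Python model of the failure described in the bug report and in Dolph's comment, followed by the two approaches taken in the keystone commits above, first percent-quoting the padded token, later dropping the padding and restoring it from the token length at validation time. fernet_shaped_token() builds a byte string with the Fernet layout (version, timestamp, IV, ciphertext, HMAC) using filler bytes instead of real encryption and a real MAC, since only the lengths matter for the padding question, and safe_quote() is an assumed model of the middleware's quote-unless-already-quoted check, not its actual source.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# Constructed stand-ins for the fields of a Fernet token
# (version || timestamp || IV || ciphertext || HMAC). No encryption or MAC
# is performed; only the byte lengths matter here.
FERNET_VERSION = b"\x80"
FAKE_TIMESTAMP = b"\x00" * 8
FAKE_IV = b"\x11" * 16
FAKE_HMAC = b"\x22" * 32


def fernet_shaped_token(ciphertext):
    """Base64-urlsafe-encode a Fernet-shaped byte string, padding included.

    The AES-CBC ciphertext is always a multiple of 16 bytes and the fixed
    57 bytes of header plus HMAC are a multiple of 3, so the padding length
    (0, 1 or 2 '=' characters) depends only on the ciphertext length.
    """
    raw = FERNET_VERSION + FAKE_TIMESTAMP + FAKE_IV + ciphertext + FAKE_HMAC
    return base64.urlsafe_b64encode(raw).decode("ascii")


def safe_quote(s):
    """Assumed model of the middleware's defensive quoting: percent-encode
    the token unless it already looks percent-encoded.

    '=' is not an unreserved URL character, so a padded token is rewritten
    ('=' becomes '%3D'); '-' and '_' are unreserved and pass through.
    """
    return quote(s) if unquote(s) == s else s


def decode_token(token):
    """Keystone's side: strictly decode a urlsafe-base64 token.

    Returns the raw bytes, or None when the token is not clean, correctly
    padded base64 (a '%' from percent-encoding, or missing '=' padding).
    """
    try:
        return base64.b64decode(token.encode("ascii"), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


# First fix, as described in the message of commit 68a54c2: quote the
# padded token when it is issued, unquote it before validation.

def issue_quoted(ciphertext):
    return quote(fernet_shaped_token(ciphertext))


def validate_quoted(token):
    return decode_token(unquote(token))


# Second fix, as described in the message of commit f3e3a65: strip the
# padding on issue and re-establish it from the length on validation.

def issue_unpadded(ciphertext):
    return fernet_shaped_token(ciphertext).rstrip("=")


def restore_padding(token):
    """Add back the '=' characters implied by len(token) mod 4."""
    return token + "=" * (-len(token) % 4)


def validate_unpadded(token):
    return decode_token(restore_padding(token))


def demo():
    for size in (16, 32, 48):
        ciphertext = b"\x33" * size
        token = fernet_shaped_token(ciphertext)
        padding = token[len(token.rstrip("=")):]
        print("ciphertext %d bytes -> padding %r" % (size, padding))
        # The middleware rewrites a padded token; keystone then cannot decode it.
        seen = safe_quote(token)
        print("  after safe_quote: ...%s  decodes: %s"
              % (seen[-8:], decode_token(seen) is not None))
        # Both fixes pass through the middleware unchanged and round-trip.
        q = issue_quoted(ciphertext)
        assert safe_quote(q) == q and validate_quoted(q) is not None
        u = issue_unpadded(ciphertext)
        assert safe_quote(u) == u and validate_unpadded(u) is not None
        print("  quoted form ok; unpadded form ok (%d chars instead of %d)"
              % (len(u), len(token)))


if __name__ == "__main__":
    demo()
```

Running the block prints, for 16-, 32- and 48-byte ciphertexts, padding of two, one and zero '=' characters, which is the variable-length padding the first commit message refers to; only the zero-padding case passes safe_quote() untouched. The caveat the second commit message raises still applies: a validator that receives an unpadded token has to restore the padding itself, because a strict base64 decoder rejects input whose length is not a multiple of four.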

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/kilo)

Related fix proposed to branch: stable/kilo
Review: https://review.openstack.org/221799

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/kilo)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/221799
Reason: no change in 60 days after a negative review, marking this as abandoned, please feel free to restore
