Revocation list file last modified local time compared to utc
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Invalid
|
Undecided
|
Unassigned | ||
python-keystoneclient |
Fix Released
|
Medium
|
Kieran Spear |
Bug Description
On a restart of a service using auth_token middleware, the last modified time of the revocation list file is checked to decide whether to get the fresh list from keystone. In server timezones that are ahead of UTC, this compares a local time with UTC. This means whenever a service is restarted it doesn't update the revocation list for the length of the timezone offset from UTC. Where I live that's 10 hours. I'm beginning to rue my Australian heritage...
Note: this is only an issue for servers with timezones set ahead of UTC, and it only delays the first update. Updates after that obey token_revocatio
>>> import os, datetime
>>> from keystone.
>>> os.path.
1374563990.4148088
>>> datetime.
datetime.
>>> timeutils.utcnow() < datetime.
True
The modification time should be converted to UTC:
>>> timeutils.utcnow() < datetime.
False
Changed in ossa: | |
status: | New → Incomplete |
Changed in ossa: | |
status: | Incomplete → Invalid |
information type: | Private Security → Public |
Changed in python-keystoneclient: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in python-keystoneclient: | |
milestone: | none → 0.4.2 |
Changed in python-keystoneclient: | |
status: | Fix Committed → Fix Released |
While this is definitely a bug, i don't think it warrants an advisory, since the exploitation scenario is a bit unlikely (server not set to UTC time, then restarted) and the impact is limited (revoked tokens are valid for slightly more time).
My take would be to open this publicly and get it fixed (and backported if necessary). Thoughts ?