Revocation list file last modified local time compared to utc

Bug #1204000 reported by Kieran Spear
Affects / Status / Importance / Assigned to / Milestone
OpenStack Security Advisory: Invalid, Undecided, Unassigned
python-keystoneclient: Fix Released, Medium, Kieran Spear

Bug Description

On a restart of a service using auth_token middleware, the last modified time of the revocation list file is checked to decide whether to get the fresh list from keystone. In server timezones that are ahead of UTC, this compares a local time with UTC. This means whenever a service is restarted it doesn't update the revocation list for the length of the timezone offset from UTC. Where I live that's 10 hours. I'm beginning to rue my Australian heritage...

Note: this is only an issue for servers with timezones set ahead of UTC, and it only delays the first update. Updates after that obey token_revocation_list_cache_timeout.

https://github.com/openstack/python-keystoneclient/blob/fca985c09e11c581b61b9edcae19673e3112093a/keystoneclient/middleware/auth_token.py#L1061-L1092

>>> import os, datetime
>>> from keystone.openstack.common import timeutils

>>> mtime = os.path.getmtime('/var/lib/nova/keystone-signing/revoked.pem')
>>> mtime
1374563990.4148088
>>> datetime.datetime.fromtimestamp(mtime)
datetime.datetime(2013, 7, 23, 17, 19, 50, 414809)
>>> timeutils.utcnow() < datetime.datetime.fromtimestamp(mtime)
True

The modification time should be converted to UTC:

>>> timeutils.utcnow() < datetime.datetime.utcfromtimestamp(mtime)
False
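Added example (not code from this report or from python-keystoneclient) that reproduces the comparison in the session above with fixed UTC offsets instead of the host's local zone, so it behaves the same on any machine. The mtime is the one from the session; NOW_UTC, CACHE_TIMEOUT and the two offsets are constructed values, and should_refresh only mirrors the shape of the middleware's "is the cached file older than the timeout" check.

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs: the mtime from the bug report and a "now" a few minutes later.
# NOW_UTC is naive UTC, the same shape timeutils.utcnow() returns.
MTIME = 1374563990.4148088            # 2013-07-23 07:19:50 UTC
NOW_UTC = datetime(2013, 7, 23, 7, 25, 0)
CACHE_TIMEOUT = timedelta(seconds=1)  # stands in for token_revocation_list_cache_timeout

AEST = timezone(timedelta(hours=10))  # the reporter's +10:00 offset
PDT = timezone(timedelta(hours=-7))   # a zone behind UTC, for contrast


def mtime_as_naive_local(mtime, tz):
    """What datetime.fromtimestamp(mtime) yields on a server whose local zone is tz:
    local wall-clock time with the tzinfo dropped (naive)."""
    return datetime.fromtimestamp(mtime, tz=tz).replace(tzinfo=None)


def mtime_as_naive_utc(mtime):
    """Equivalent of datetime.utcfromtimestamp(mtime), which the fix uses."""
    return datetime.fromtimestamp(mtime, tz=timezone.utc).replace(tzinfo=None)


def should_refresh(last_modified, now_utc, timeout):
    """Shape of the middleware check: fetch a fresh list when the cached file is
    older than the cache timeout. Only valid when both values are naive UTC."""
    return now_utc - last_modified > timeout


def buggy_first_refresh_delay(mtime, tz, timeout):
    """Extra wait, beyond the correct moment, before the local-time comparison
    first triggers a refresh. Zero for zones at or behind UTC."""
    correct = mtime_as_naive_utc(mtime) + timeout
    buggy = mtime_as_naive_local(mtime, tz) + timeout
    return max(buggy - correct, timedelta(0))


if __name__ == "__main__":
    fixed = should_refresh(mtime_as_naive_utc(MTIME), NOW_UTC, CACHE_TIMEOUT)
    for name, tz in (("UTC", timezone.utc), ("UTC+10", AEST), ("UTC-7", PDT)):
        buggy = should_refresh(mtime_as_naive_local(MTIME, tz), NOW_UTC, CACHE_TIMEOUT)
        delay = buggy_first_refresh_delay(MTIME, tz, CACHE_TIMEOUT)
        print(f"{name}: local-time check refreshes={buggy}, "
              f"UTC check refreshes={fixed}, extra delay={delay}")
```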

Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

While this is definitely a bug, I don't think it warrants an advisory, since the exploitation scenario is a bit unlikely (server not set to UTC time, then restarted) and the impact is limited (revoked tokens are valid for slightly more time).

My take would be to open this publicly and get it fixed (and backported if necessary). Thoughts?

Jeremy Stanley (fungi) wrote :

Yes, I think this is reasonable to fix in the open without any announcement. The situations under which this could be maliciously exploited are arguably contrived and would require some contributing vulnerability (ability to force reboot of a provider's server, et cetera).

Kieran Spear (kspear) wrote :

Agree, I was just being careful here by marking it security.

Jeremy Stanley (fungi)
Changed in ossa:
status: Incomplete → Invalid
information type: Private Security → Public
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: New → Confirmed
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/54232

Changed in python-keystoneclient:
assignee: nobody → Kieran Spear (kspear)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/54232
Committed: http://github.com/openstack/python-keystoneclient/commit/275315a46e69a0c072259705b7738272baad9f8d
Submitter: Jenkins
Branch: master

commit 275315a46e69a0c072259705b7738272baad9f8d
Author: Kieran Spear <email address hidden>
Date: Tue Jul 23 17:28:09 2013 +1000

    Convert revocation list file last modified to UTC

    On a restart of a service using auth_token middleware, the last modified
    time of the revocation list file is checked to decide whether to get the
    fresh list from keystone. In server timezones that are ahead of UTC,
    this compares a local time with UTC. This means whenever a service is
    restarted it doesn't update the revocation list for the length of the
    timezone offset from UTC.

    This change converts the last modified time to UTC when it's first
    read, so the comparison is valid.

    Closes-bug: 1204000
    Change-Id: I623b6273beb56f8da2a8649a10a64318da8cd6bc

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.4.2
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released