OpenStack Identity (keystone)

Bug #1459483
Comment #0

Comment 0 for bug 1459483

Revision history for this message

Matt Fischer (mfisch) wrote on 2015-05-28: able to verify a Fernet token with garbage at the end

I am able to verify Fernet tokens that contain garbage at the end, not so with UUID tokens.

For example.

UUID:

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2

Works

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2-GARBAGE
{"error": {"message": "Could not find token: 84db9247b27d4fe6bd0a09b7b39281e2-GARBAGE", "code": 404, "title": "Not Found"}}

Fernet on the other hand happily validates it even with garbage and even inserts -GARBAGE into the ID.

curl -H "X-Auth-Token:gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D" http://localhostt:35357/v2.0/tokens/gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D

        "token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },

        "token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=-GARBAGE",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },

I am able to verify Fernet tokens that contain garbage at the end, not so with UUID tokens.

For example.

UUID:

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2

Works

Fernet on the other hand happily validates it even with garbage and even inserts -GARBAGE into the ID.

"token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=-GARBAGE",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },