High severity · NVD Advisory · Published Aug 25, 2014 · Updated May 6, 2026

CVE-2014-5253


Description

OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
keystone (PyPI) | < 8.0.0a0 | 8.0.0a0

Affected products

    • cpe:2.3:a:openstack:keystone:2014.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:keystone:2014.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:keystone:juno-1:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:keystone:juno-2:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Patches

3e035ebb7261

Fix revoking domain-scoped tokens

https://github.com/openstack/keystone · Brant Knudson · Jul 26, 2014 · via ghsa
2 files changed · +18 −5
  • keystone/contrib/revoke/model.py+6 1 modified
    @@ -285,7 +285,12 @@ def build_token_values(token_data):
             token_values['assignment_domain_id'] = project['domain']['id']
         else:
             token_values['project_id'] = None
    -        token_values['assignment_domain_id'] = None
    +
    +        domain = token_data.get('domain')
    +        if domain is not None:
    +            token_values['assignment_domain_id'] = domain['id']
    +        else:
    +            token_values['assignment_domain_id'] = None
     
         role_list = []
         roles = token_data.get('roles')
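Review bot: The new `else:` branch records a domain-scoped token's id under `assignment_domain_id` without saying why, and that key is exactly what the revocation matcher compares against `event.domain_id` (see the `_matches` change in c4447f16da03), so a later reader could plausibly "simplify" it back to `None` and reopen this bug. A one-line comment would pin the intent: `# A domain-scoped token carries 'domain' rather than 'project'; record its id as assignment_domain_id so a RevokeEvent(domain_id=...) matches it.` Reading `domain['id']` rather than `domain.get('id')` seems the right choice here: a `domain` entry without an id should fail loudly instead of silently producing a token that no domain revocation can match. The enclosing `build_token_values` begins before the hunk; the identical hunk in 317f9d34b4da has the same gap.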
    
  • keystone/tests/test_revoke.py+12 4 modified
    @@ -444,11 +444,19 @@ def test_by_domain_project(self):
         def test_by_domain_domain(self):
             # If revoke a domain, then a token scoped to the domain is revoked.
     
    -        # FIXME(blk-u): The token translation code doesn't handle domain-scoped
    -        # tokens at this point. See bug #1347318. Replace this with test code
    -        # similar to test_by_domain_project().
    +        user_id = _new_id()
    +        user_domain_id = _new_id()
    +
    +        domain_id = _new_id()
     
    -        pass
    +        token_data = _sample_blank_token()
    +        token_data['user_id'] = user_id
    +        token_data['identity_domain_id'] = user_domain_id
    +        token_data['assignment_domain_id'] = domain_id
    +
    +        self._revoke_by_domain(domain_id)
    +
    +        self._assertTokenRevoked(token_data)
     
         def _assertEmpty(self, collection):
             return self.assertEqual(0, len(collection), "collection not empty")
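Review bot: `test_by_domain_domain` sets `assignment_domain_id` directly on the `_sample_blank_token()` dict, so it exercises the revocation matcher but never runs the `build_token_values` branch that this commit fixes in model.py; a regression in that translation would leave this test green. It would be worth adding a second test that passes a raw token dict containing `'domain': {'id': domain_id}` and no `'project'` through `model.build_token_values` (whatever other keys that function requires) and asserts the result's `assignment_domain_id == domain_id` and `project_id is None`. The same applies to the identical hunk in 317f9d34b4da.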
    
317f9d34b4da

Fix revoking domain-scoped tokens

https://github.com/openstack/keystone · Brant Knudson · Jul 26, 2014 · via ghsa
2 files changed · +18 −5
  • keystone/contrib/revoke/model.py+6 1 modified
    @@ -285,7 +285,12 @@ def build_token_values(token_data):
             token_values['assignment_domain_id'] = project['domain']['id']
         else:
             token_values['project_id'] = None
    -        token_values['assignment_domain_id'] = None
    +
    +        domain = token_data.get('domain')
    +        if domain is not None:
    +            token_values['assignment_domain_id'] = domain['id']
    +        else:
    +            token_values['assignment_domain_id'] = None
     
         role_list = []
         roles = token_data.get('roles')
    
  • keystone/tests/test_revoke.py+12 4 modified
    @@ -448,11 +448,19 @@ def test_by_domain_project(self):
         def test_by_domain_domain(self):
             # If revoke a domain, then a token scoped to the domain is revoked.
     
    -        # FIXME(blk-u): The token translation code doesn't handle domain-scoped
    -        # tokens at this point. See bug #1347318. Replace this with test code
    -        # similar to test_by_domain_project().
    +        user_id = _new_id()
    +        user_domain_id = _new_id()
    +
    +        domain_id = _new_id()
     
    -        pass
    +        token_data = _sample_blank_token()
    +        token_data['user_id'] = user_id
    +        token_data['identity_domain_id'] = user_domain_id
    +        token_data['assignment_domain_id'] = domain_id
    +
    +        self._revoke_by_domain(domain_id)
    +
    +        self._assertTokenRevoked(token_data)
     
         def _assertEmpty(self, collection):
             return self.assertEqual(0, len(collection), "collection not empty")
    
c4447f16da03

Correct revocation event test for domain_id

https://github.com/openstack/keystone · Brant Knudson · Jul 26, 2014 · via ghsa
1 file changed · +48 −1
  • keystone/tests/test_revoke.py+48 1 modified
    @@ -79,7 +79,7 @@ def _matches(event, token_values):
     
         # The token has two attributes that can match the domain_id
         if event.domain_id is not None:
    -        for attribute_name in ['user_domain_id', 'project_domain_id']:
    +        for attribute_name in ['identity_domain_id', 'assignment_domain_id']:
                 if event.domain_id == token_values[attribute_name]:
                     break
             else:
    @@ -293,6 +293,10 @@ def _revoke_by_domain_role_assignment(self, domain_id, role_id):
             self.events.append(event)
             return event
     
    +    def _revoke_by_domain(self, domain_id):
    +        event = self.tree.add_event(model.RevokeEvent(domain_id=domain_id))
    +        self.events.append(event)
    +
         def _user_field_test(self, field_name):
             user_id = _new_id()
             event = self._revoke_by_user(user_id)
    @@ -403,6 +407,49 @@ def test_by_project_and_user_and_role(self):
             token_data['project_id'] = project_id
             self._assertTokenRevoked(token_data)
     
    +    def test_by_domain_user(self):
    +        # If revoke a domain, then a token for a user in the domain is revoked
    +
    +        user_id = _new_id()
    +        domain_id = _new_id()
    +
    +        token_data = _sample_blank_token()
    +        token_data['user_id'] = user_id
    +        token_data['identity_domain_id'] = domain_id
    +
    +        self._revoke_by_domain(domain_id)
    +
    +        self._assertTokenRevoked(token_data)
    +
    +    def test_by_domain_project(self):
    +        # If revoke a domain, then a token scoped to a project in the domain
    +        # is revoked.
    +
    +        user_id = _new_id()
    +        user_domain_id = _new_id()
    +
    +        project_id = _new_id()
    +        project_domain_id = _new_id()
    +
    +        token_data = _sample_blank_token()
    +        token_data['user_id'] = user_id
    +        token_data['identity_domain_id'] = user_domain_id
    +        token_data['project_id'] = project_id
    +        token_data['assignment_domain_id'] = project_domain_id
    +
    +        self._revoke_by_domain(project_domain_id)
    +
    +        self._assertTokenRevoked(token_data)
    +
    +    def test_by_domain_domain(self):
    +        # If revoke a domain, then a token scoped to the domain is revoked.
    +
    +        # FIXME(blk-u): The token translation code doesn't handle domain-scoped
    +        # tokens at this point. See bug #1347318. Replace this with test code
    +        # similar to test_by_domain_project().
    +
    +        pass
    +
         def _assertEmpty(self, collection):
             return self.assertEqual(0, len(collection), "collection not empty")
     
    
cccc3f3239c6

Correct revocation event test for domain_id

https://github.com/openstack/keystone · Brant Knudson · Jul 26, 2014 · via ghsa
1 file changed · +48 −1
  • keystone/tests/test_revoke.py+48 1 modified
    @@ -80,7 +80,7 @@ def _matches(event, token_values):
         # The token has two attributes that can match the domain_id
         if event.domain_id is not None:
             dom_id_matched = False
    -        for attribute_name in ['user_domain_id', 'project_domain_id']:
    +        for attribute_name in ['identity_domain_id', 'assignment_domain_id']:
                 if event.domain_id == token_values[attribute_name]:
                     dom_id_matched = True
                     break
    @@ -297,6 +297,10 @@ def _revoke_by_domain_role_assignment(self, domain_id, role_id):
             self.events.append(event)
             return event
     
    +    def _revoke_by_domain(self, domain_id):
    +        event = self.tree.add_event(model.RevokeEvent(domain_id=domain_id))
    +        self.events.append(event)
    +
         def _user_field_test(self, field_name):
             user_id = _new_id()
             event = self._revoke_by_user(user_id)
    @@ -407,6 +411,49 @@ def test_by_project_and_user_and_role(self):
             token_data['project_id'] = project_id
             self._assertTokenRevoked(token_data)
     
    +    def test_by_domain_user(self):
    +        # If revoke a domain, then a token for a user in the domain is revoked
    +
    +        user_id = _new_id()
    +        domain_id = _new_id()
    +
    +        token_data = _sample_blank_token()
    +        token_data['user_id'] = user_id
    +        token_data['identity_domain_id'] = domain_id
    +
    +        self._revoke_by_domain(domain_id)
    +
    +        self._assertTokenRevoked(token_data)
    +
    +    def test_by_domain_project(self):
    +        # If revoke a domain, then a token scoped to a project in the domain
    +        # is revoked.
    +
    +        user_id = _new_id()
    +        user_domain_id = _new_id()
    +
    +        project_id = _new_id()
    +        project_domain_id = _new_id()
    +
    +        token_data = _sample_blank_token()
    +        token_data['user_id'] = user_id
    +        token_data['identity_domain_id'] = user_domain_id
    +        token_data['project_id'] = project_id
    +        token_data['assignment_domain_id'] = project_domain_id
    +
    +        self._revoke_by_domain(project_domain_id)
    +
    +        self._assertTokenRevoked(token_data)
    +
    +    def test_by_domain_domain(self):
    +        # If revoke a domain, then a token scoped to the domain is revoked.
    +
    +        # FIXME(blk-u): The token translation code doesn't handle domain-scoped
    +        # tokens at this point. See bug #1347318. Replace this with test code
    +        # similar to test_by_domain_project().
    +
    +        pass
    +
         def _assertEmpty(self, collection):
             return self.assertEqual(0, len(collection), "collection not empty")
     
    
