diff options
| author | Dave Wilde (d34dh0r53) <dwilde@redhat.com> | 2022-10-13 15:37:53 -0500 |
|---|---|---|
| committer | David Wilde <dwilde@redhat.com> | 2022-10-30 02:28:19 +0000 |
| commit | 8e25d823e4b73e1f3285a4ea64976cc770cb2644 (patch) | |
| tree | 4e4b88c72e11ee15f5cee6b6a16519db7562c388 /keystone/token/provider.py | |
| parent | 3a8a6c89c69819510571181adde62b68ed812752 (diff) | |
| download | keystone-stable/xena.tar.gz | |
Limit token expiration to application credential expirationstable/xena
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greaten than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.
Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
(cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)
Diffstat (limited to 'keystone/token/provider.py')
| -rw-r--r-- | keystone/token/provider.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/keystone/token/provider.py b/keystone/token/provider.py index 2ea4d7e08..b14b0f34e 100644 --- a/keystone/token/provider.py +++ b/keystone/token/provider.py @@ -267,6 +267,23 @@ class Manager(manager.Manager): default_expire_time(), subsecond=True ) + # NOTE(d34dh0r53): If this token is being issued with an application + # credential and the application credential expires before the token + # we need to set the token expiration to be the same as the application + # credential. See CVE-2022-2447 for more information. + if app_cred_id is not None: + app_cred_api = PROVIDERS.application_credential_api + app_cred = app_cred_api.get_application_credential( + token.application_credential_id) + token_time = timeutils.normalize_time( + timeutils.parse_isotime(token.expires_at)) + if (app_cred['expires_at'] is not None) and ( + token_time > app_cred['expires_at']): + token.expires_at = app_cred['expires_at'].isoformat() + LOG.debug('Resetting token expiration to the application' + ' credential expiration: %s', + app_cred['expires_at'].isoformat()) + token_id, issued_at = self.driver.generate_id_and_issued_at(token) token.mint(token_id, issued_at) |