diff options
| author | Colleen Murphy <colleen.murphy@suse.com> | 2020-04-16 17:05:43 -0700 |
|---|---|---|
| committer | Lance Bragstad <lbragstad@gmail.com> | 2020-05-11 19:41:13 +0000 |
| commit | b25739fa9605cc54bc98325c2a92360ba702e8d8 (patch) | |
| tree | a2a929fcfd1cc1dc67188161427c9d8921c6c8a7 | |
| parent | 0cbf809a115dd01f8582ade55b4fb637c5983932 (diff) | |
| download | keystone-b25739fa9605cc54bc98325c2a92360ba702e8d8.tar.gz | |
Check timestamp of signed EC2 token request
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
Conflicts due to six removal in e2d83ae9:
keystone/api/_shared/EC2_S3_Resource.py
keystone/tests/unit/test_contrib_ec2_core.py
Conflicts due to v2.0 API testing in stable/queens. The v2.0 tests were
removed in Rocky but in earlier releases we tested similar functionality
between v3 and v2.0. This conflict was resolved by porting the timestamp
to the v2.0 API test:
keystone/tests/unit/test_contrib_ec2_core.py
Conflicts due to flask reorg:
keystone/api/_shared/EC2_S3_Resource.py
Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
(cherry picked from commit ab89ea749013e7f2c46260f68504f5687763e019)
(cherry picked from commit 8d5becbe4b463f6a5a24a1929dd0f48dab6ae027)
(cherry picked from commit e3f65d6fbcd18032a8ad3dfa3aaded264a282158)
(cherry picked from commit 1ef3828516c1b87a8ca84acca73ec593b0b8591d)
(cherry picked from commit 35f09e2b7c00e03cd1d52a2337b51be38dd79480)
| -rw-r--r-- | keystone/conf/credential.py | 11 | ||||
| -rw-r--r-- | keystone/contrib/ec2/controllers.py | 27 | ||||
| -rw-r--r-- | keystone/tests/unit/test_contrib_ec2_core.py | 213 | ||||
| -rw-r--r-- | releasenotes/notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 |
4 files changed, 274 insertions, 5 deletions
diff --git a/keystone/conf/credential.py b/keystone/conf/credential.py index b7877a816..048d22283 100644 --- a/keystone/conf/credential.py +++ b/keystone/conf/credential.py @@ -46,12 +46,21 @@ share this repository with the repository used to manage keys for Fernet tokens. """)) +auth_ttl = cfg.IntOpt( + 'auth_ttl', + default=15, + help=utils.fmt(""" +The length of time in minutes for which a signed EC2 or S3 token request is +valid from the timestamp contained in the token request. +""")) + GROUP_NAME = __name__.split('.')[-1] ALL_OPTS = [ driver, provider, - key_repository + key_repository, + auth_ttl ] diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py index 916223d78..87eb2d88b 100644 --- a/keystone/contrib/ec2/controllers.py +++ b/keystone/contrib/ec2/controllers.py @@ -33,11 +33,13 @@ Glance to list images needed to perform the requested task. """ import abc +import datetime import sys import uuid from keystoneclient.contrib.ec2 import utils as ec2_utils from oslo_serialization import jsonutils +from oslo_utils import timeutils import six from six.moves import http_client @@ -259,6 +261,30 @@ class Ec2ControllerCommon(provider_api.ProviderAPIMixin, object): raise exception.Unauthorized( message=_('EC2 signature not supplied.')) + def _check_timestamp(self, credentials): + timestamp = ( + # AWS Signature v1/v2 + credentials.get('params', {}).get('Timestamp') or + # AWS Signature v4 + credentials.get('headers', {}).get('X-Amz-Date') or + credentials.get('params', {}).get('X-Amz-Date') + ) + if not timestamp: + # If the signed payload doesn't include a timestamp then the signer + # must have intentionally left it off + return + try: + timestamp = timeutils.parse_isotime(timestamp) + timestamp = timeutils.normalize_time(timestamp) + except Exception as e: + raise exception.Unauthorized( + _('Credential timestamp is invalid: %s') % e) + auth_ttl = datetime.timedelta(minutes=CONF.credential.auth_ttl) + current_time = timeutils.normalize_time(timeutils.utcnow()) + if current_time > timestamp + auth_ttl: + raise exception.Unauthorized( + _('Credential is expired')) + @abc.abstractmethod def authenticate(self, context, credentials=None, ec2Credentials=None): """Validate a signed EC2 request and provide a token. @@ -317,6 +343,7 @@ class Ec2ControllerCommon(provider_api.ProviderAPIMixin, object): six.reraise(exception.Unauthorized, exception.Unauthorized(e), sys.exc_info()[2]) + self._check_timestamp(credentials) roles = self.assignment_api.get_roles_for_user_and_project( user_ref['id'], tenant_ref['id'] ) diff --git a/keystone/tests/unit/test_contrib_ec2_core.py b/keystone/tests/unit/test_contrib_ec2_core.py index 02887f75d..75bc8fa03 100644 --- a/keystone/tests/unit/test_contrib_ec2_core.py +++ b/keystone/tests/unit/test_contrib_ec2_core.py @@ -12,10 +12,15 @@ # License for the specific language governing permissions and limitations # under the License. +import datetime +import hashlib + from keystoneclient.contrib.ec2 import utils as ec2_utils +from oslo_utils import timeutils from six.moves import http_client from keystone.common import provider_api +from keystone.common import utils from keystone.contrib.ec2 import controllers from keystone.tests import unit from keystone.tests.unit import rest @@ -25,6 +30,14 @@ PROVIDERS = provider_api.ProviderAPIs class EC2ContribCoreV2(rest.RestfulTestCase): + def setUp(self): + super(EC2ContribCoreV2, self).setUp() + + self.cred_blob, self.credential = unit.new_ec2_credential( + self.user_foo['id'], self.tenant_bar['id']) + PROVIDERS.credential_api.create_credential( + self.credential['id'], self.credential) + def config_overrides(self): super(EC2ContribCoreV2, self).config_overrides() @@ -62,6 +75,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase): credential['id'], credential) signer = ec2_utils.Ec2Signer(cred_blob['secret']) + timestamp = utils.isotime(timeutils.utcnow()) credentials = { 'access': cred_blob['access'], 'secret': cred_blob['secret'], @@ -71,7 +85,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase): 'params': { 'SignatureVersion': '2', 'Action': 'Test', - 'Timestamp': '2007-01-31T23:59:59Z' + 'Timestamp': timestamp }, } credentials['signature'] = signer.generate(credentials) @@ -110,6 +124,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase): credential['id'], credential) signer = ec2_utils.Ec2Signer('totally not the secret') + timestamp = utils.isotime(timeutils.utcnow()) credentials = { 'access': cred_blob['access'], 'secret': 'totally not the secret', @@ -119,8 +134,82 @@ class EC2ContribCoreV2(rest.RestfulTestCase): 'params': { 'SignatureVersion': '2', 'Action': 'Test', - 'Timestamp': '2007-01-31T23:59:59Z' + 'Timestamp': timestamp + }, + } + credentials['signature'] = signer.generate(credentials) + self.public_request( + method='POST', + path='/v2.0/ec2tokens', + body={'credentials': credentials}, + expected_status=http_client.UNAUTHORIZED) + + def test_authenticate_expired_request(self): + self.config_fixture.config( + group='credential', + auth_ttl=5 + ) + signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) + past = timeutils.utcnow() - datetime.timedelta(minutes=10) + timestamp = utils.isotime(past) + credentials = { + 'access': self.cred_blob['access'], + 'secret': self.cred_blob['secret'], + 'host': 'localhost', + 'verb': 'GET', + 'path': '/', + 'params': { + 'SignatureVersion': '2', + 'Action': 'Test', + 'Timestamp': timestamp + }, + } + credentials['signature'] = signer.generate(credentials) + self.public_request( + method='POST', + path='/v2.0/ec2tokens', + body={'credentials': credentials}, + expected_status=http_client.UNAUTHORIZED) + + def test_authenticate_expired_request_v4(self): + self.config_fixture.config( + group='credential', + auth_ttl=5 + ) + signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) + past = timeutils.utcnow() - datetime.timedelta(minutes=10) + timestamp = utils.isotime(past) + hashed_payload = ( + 'GET\n' + '/\n' + 'Action=Test\n' + 'host:localhost\n' + 'x-amz-date:' + timestamp + '\n' + '\n' + 'host;x-amz-date\n' + 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' + ) + body_hash = hashlib.sha256(hashed_payload.encode()).hexdigest() + amz_credential = ( + 'AKIAIOSFODNN7EXAMPLE/%s/us-east-1/iam/aws4_request,' % + timestamp[:8]) + + credentials = { + 'access': self.cred_blob['access'], + 'secret': self.cred_blob['secret'], + 'host': 'localhost', + 'verb': 'GET', + 'path': '/', + 'params': { + 'Action': 'Test', + 'X-Amz-Algorithm': 'AWS4-HMAC-SHA256', + 'X-Amz-SignedHeaders': 'host,x-amz-date,', + 'X-Amz-Credential': amz_credential }, + 'headers': { + 'X-Amz-Date': timestamp + }, + 'body_hash': body_hash } credentials['signature'] = signer.generate(credentials) self.public_request( @@ -143,6 +232,7 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase): def test_valid_authentication_response_with_proper_secret(self): signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) + timestamp = utils.isotime(timeutils.utcnow()) credentials = { 'access': self.cred_blob['access'], 'secret': self.cred_blob['secret'], @@ -152,8 +242,50 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase): 'params': { 'SignatureVersion': '2', 'Action': 'Test', - 'Timestamp': '2007-01-31T23:59:59Z' + 'Timestamp': timestamp + }, + } + credentials['signature'] = signer.generate(credentials) + resp = self.post( + '/ec2tokens', + body={'credentials': credentials}, + expected_status=http_client.OK) + self.assertValidProjectScopedTokenResponse(resp, self.user) + + def test_valid_authentication_response_with_signature_v4(self): + signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) + timestamp = utils.isotime(timeutils.utcnow()) + hashed_payload = ( + 'GET\n' + '/\n' + 'Action=Test\n' + 'host:localhost\n' + 'x-amz-date:' + timestamp + '\n' + '\n' + 'host;x-amz-date\n' + 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' + ) + body_hash = hashlib.sha256(hashed_payload.encode()).hexdigest() + amz_credential = ( + 'AKIAIOSFODNN7EXAMPLE/%s/us-east-1/iam/aws4_request,' % + timestamp[:8]) + + credentials = { + 'access': self.cred_blob['access'], + 'secret': self.cred_blob['secret'], + 'host': 'localhost', + 'verb': 'GET', + 'path': '/', + 'params': { + 'Action': 'Test', + 'X-Amz-Algorithm': 'AWS4-HMAC-SHA256', + 'X-Amz-SignedHeaders': 'host,x-amz-date,', + 'X-Amz-Credential': amz_credential + }, + 'headers': { + 'X-Amz-Date': timestamp }, + 'body_hash': body_hash } credentials['signature'] = signer.generate(credentials) resp = self.post( @@ -181,6 +313,7 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase): def test_authenticate_without_proper_secret_returns_unauthorized(self): signer = ec2_utils.Ec2Signer('totally not the secret') + timestamp = utils.isotime(timeutils.utcnow()) credentials = { 'access': self.cred_blob['access'], 'secret': 'totally not the secret', @@ -190,8 +323,80 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase): 'params': { 'SignatureVersion': '2', 'Action': 'Test', - 'Timestamp': '2007-01-31T23:59:59Z' + 'Timestamp': timestamp + }, + } + credentials['signature'] = signer.generate(credentials) + self.post( + '/ec2tokens', + body={'credentials': credentials}, + expected_status=http_client.UNAUTHORIZED) + + def test_authenticate_expired_request(self): + self.config_fixture.config( + group='credential', + auth_ttl=5 + ) + signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) + past = timeutils.utcnow() - datetime.timedelta(minutes=10) + timestamp = utils.isotime(past) + credentials = { + 'access': self.cred_blob['access'], + 'secret': self.cred_blob['secret'], + 'host': 'localhost', + 'verb': 'GET', + 'path': '/', + 'params': { + 'SignatureVersion': '2', + 'Action': 'Test', + 'Timestamp': timestamp + }, + } + credentials['signature'] = signer.generate(credentials) + self.post( + '/ec2tokens', + body={'credentials': credentials}, + expected_status=http_client.UNAUTHORIZED) + + def test_authenticate_expired_request_v4(self): + self.config_fixture.config( + group='credential', + auth_ttl=5 + ) + signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) + past = timeutils.utcnow() - datetime.timedelta(minutes=10) + timestamp = utils.isotime(past) + hashed_payload = ( + 'GET\n' + '/\n' + 'Action=Test\n' + 'host:localhost\n' + 'x-amz-date:' + timestamp + '\n' + '\n' + 'host;x-amz-date\n' + 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' + ) + body_hash = hashlib.sha256(hashed_payload.encode()).hexdigest() + amz_credential = ( + 'AKIAIOSFODNN7EXAMPLE/%s/us-east-1/iam/aws4_request,' % + timestamp[:8]) + + credentials = { + 'access': self.cred_blob['access'], + 'secret': self.cred_blob['secret'], + 'host': 'localhost', + 'verb': 'GET', + 'path': '/', + 'params': { + 'Action': 'Test', + 'X-Amz-Algorithm': 'AWS4-HMAC-SHA256', + 'X-Amz-SignedHeaders': 'host,x-amz-date,', + 'X-Amz-Credential': amz_credential + }, + 'headers': { + 'X-Amz-Date': timestamp }, + 'body_hash': body_hash } credentials['signature'] = signer.generate(credentials) self.post( diff --git a/releasenotes/notes/bug-1872737-f8e1ad3b6705b766.yaml b/releasenotes/notes/bug-1872737-f8e1ad3b6705b766.yaml new file mode 100644 index 000000000..d0732ab4c --- /dev/null +++ b/releasenotes/notes/bug-1872737-f8e1ad3b6705b766.yaml @@ -0,0 +1,28 @@ +--- +feature: + - | + [`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_] + Added a new config option ``auth_ttl`` in the ``[credential]`` config + section to allow configuring the period for which a signed token request + from AWS is valid. The default is 15 minutes in accordance with the AWS + Signature V4 API reference. +upgrade: + - | + [`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_] + Added a default TTL of 15 minutes for signed EC2 credential requests, + where previously an EC2 signed token request was valid indefinitely. This + change in behavior is needed to protect against replay attacks. +security: + - | + [`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_] + Fixed an incorrect EC2 token validation implementation in which the + timestamp of the signed request was ignored, which made EC2 and S3 token + requests vulnerable to replay attacks. The default TTL is 15 minutes but + is configurable. +fixes: + - | + [`bug 1872737 <https://bugs.launchpad.net/keystone/+bug/1872737>`_] + Fixed an incorrect EC2 token validation implementation in which the + timestamp of the signed request was ignored, which made EC2 and S3 token + requests vulnerable to replay attacks. The default TTL is 15 minutes but + is configurable. |