Diffstat (limited to 'keystone/token/provider.py')
-rw-r--r-- | keystone/token/provider.py | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 2ea4d7e08..9d888fdbc 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -154,8 +154,8 @@ class Manager(manager.Manager):
     def _validate_token(self, token_id):
         (user_id, methods, audit_ids, system, domain_id, project_id,
          trust_id, federated_group_ids, identity_provider_id,
-         protocol_id, access_token_id, app_cred_id, issued_at,
-         expires_at) = self.driver.validate_token(token_id)
+         protocol_id, access_token_id, app_cred_id, thumbprint,
+         issued_at, expires_at) = self.driver.validate_token(token_id)
 
         token = token_model.TokenModel()
         token.user_id = user_id
@@ -169,6 +169,7 @@ class Manager(manager.Manager):
         token.trust_id = trust_id
         token.access_token_id = access_token_id
         token.application_credential_id = app_cred_id
+        token.oauth2_thumbprint = thumbprint
         token.expires_at = expires_at
         if federated_group_ids is not None:
             token.is_federated = True
@@ -221,7 +222,7 @@ class Manager(manager.Manager):
     def issue_token(self, user_id, method_names, expires_at=None,
                     system=None, project_id=None, domain_id=None,
                     auth_context=None, trust_id=None, app_cred_id=None,
-                    parent_audit_id=None):
+                    thumbprint=None, parent_audit_id=None):
 
         # NOTE(lbragstad): Grab a blank token object and use composition to
         # build the token according to the authentication and authorization
@@ -235,6 +236,7 @@ class Manager(manager.Manager):
         token.trust_id = trust_id
         token.application_credential_id = app_cred_id
         token.audit_id = random_urlsafe_str()
+        token.oauth2_thumbprint = thumbprint
         token.parent_audit_id = parent_audit_id
 
         if auth_context:
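Review bot: The unpack of `self.driver.validate_token(token_id)` in `_validate_token` now relies on a 15-element positional tuple with `thumbprint` inserted in the middle (before `issued_at`), so every driver implementation has to return exactly this order and a driver still returning the previous 14-tuple fails with a bare ValueError rather than a meaningful error. A short comment at the unpack would make the contract visible, e.g. `# NOTE: positional contract with driver.validate_token(); keep this order in sync with every token driver`. Returning a named structure from the driver would remove the ordering hazard altogether, but that is a larger change than this hunk. The body of `_validate_token` continues past the end of the hunk.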
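Review bot: In the `issue_token` signature the new `thumbprint=None` is inserted before the existing `parent_audit_id=None`, so any caller that passes `parent_audit_id` positionally now silently binds that value to `thumbprint` and leaves `parent_audit_id` unset, which would break token audit chaining without any error. Appending the new parameter last, `parent_audit_id=None, thumbprint=None):`, or making both keyword-only, keeps existing call sites unaffected; the two hunks that merely store `token.oauth2_thumbprint = thumbprint` need no change. Whether a positional caller actually exists cannot be confirmed from this diff, and the rest of `issue_token` lies outside the hunk.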
@@ -267,6 +269,23 @@ class Manager(manager.Manager):
                 default_expire_time(), subsecond=True
             )
 
+        # NOTE(d34dh0r53): If this token is being issued with an application
+        # credential and the application credential expires before the token
+        # we need to set the token expiration to be the same as the application
+        # credential. See CVE-2022-2447 for more information.
+        if app_cred_id is not None:
+            app_cred_api = PROVIDERS.application_credential_api
+            app_cred = app_cred_api.get_application_credential(
+                token.application_credential_id)
+            token_time = timeutils.normalize_time(
+                timeutils.parse_isotime(token.expires_at))
+            if (app_cred['expires_at'] is not None) and (
+                    token_time > app_cred['expires_at']):
+                token.expires_at = app_cred['expires_at'].isoformat()
+                LOG.debug('Resetting token expiration to the application'
+                          ' credential expiration: %s',
+                          app_cred['expires_at'].isoformat())
+
         token_id, issued_at = self.driver.generate_id_and_issued_at(token)
         token.mint(token_id, issued_at) |
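Review bot: When the token expiry is clamped to the application credential's, `token.expires_at` is written with `app_cred['expires_at'].isoformat()`, whereas the default expiry just above is produced by the formatting helper called with `subsecond=True` (that call opens outside the hunk); `isoformat()` on a naive datetime emits no timezone designator and includes microseconds only when they are non-zero, so the same field can end up in two differently shaped representations depending on which path ran. Formatting the clamped value with the same helper, e.g. `token.expires_at = utils.isotime(app_cred['expires_at'], subsecond=True)`, keeps the field uniform for everything that later parses it. The comparison `token_time > app_cred['expires_at']` also presumes the stored value is a naive UTC datetime like the normalized `token_time`; if a driver ever returned an aware datetime the comparison would raise TypeError, so a one-line comment stating that assumption next to the `if` would help. `issue_token` begins and ends outside this hunk.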