keystone

History

Colleen Murphy 1c1cf556f8 Check timestamp of signed EC2 token request EC2 token requests contain a signature that signs the entire request, including the access timestamp. While the signature is checked, the timestamp is not, and so these signed requests remain valid indefinitely, leaving the token API vulnerable to replay attacks. This change introduces a configurable TTL for signed token requests and ensures that the timestamp is actually validated against it. The check will work for either an AWS Signature v1/v2 'Timestamp' parameter[1] or the AWS Signature v4 'X-Aws-Date' header or parameter[2]. Although this technically adds a new feature and the default value of the feature changes behavior, this change is required to protect credential holders and therefore must be backported to all supported branches. [1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html Conflicts due to six removal in e2d83ae9: keystone/api/_shared/EC2_S3_Resource.py keystone/tests/unit/test_contrib_ec2_core.py Conflicts due to v2.0 API testing in stable/queens. The v2.0 tests were removed in Rocky but in earlier releases we tested similar functionality between v3 and v2.0. This conflict was resolved by porting the timestamp to the v2.0 API test: keystone/tests/unit/test_contrib_ec2_core.py Conflicts due to flask reorg: keystone/api/_shared/EC2_S3_Resource.py Change-Id: Idb10267338b4204b435df233c636046a1ce5711f Closes-bug: #1872737 (cherry picked from commit `ab89ea7490`) (cherry picked from commit `8d5becbe4b`) (cherry picked from commit `e3f65d6fbc`) (cherry picked from commit `1ef3828516`) (cherry picked from commit `35f09e2b7c`) (cherry picked from commit `d6f1006dd0`)	2020-05-31 22:16:05 -07:00
..
notes	Check timestamp of signed EC2 token request	2020-05-31 22:16:05 -07:00
source	Update pike to ignore specific release notes	2017-08-22 20:55:54 +00:00

Colleen Murphy 1c1cf556f8 Check timestamp of signed EC2 token request

EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.

The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].

Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Conflicts due to six removal in e2d83ae9:
	keystone/api/_shared/EC2_S3_Resource.py
	keystone/tests/unit/test_contrib_ec2_core.py

Conflicts due to v2.0 API testing in stable/queens. The v2.0 tests were
removed in Rocky but in earlier releases we tested similar functionality
between v3 and v2.0. This conflict was resolved by porting the timestamp
to the v2.0 API test:
	keystone/tests/unit/test_contrib_ec2_core.py

Conflicts due to flask reorg:
	keystone/api/_shared/EC2_S3_Resource.py

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
(cherry picked from commit ab89ea7490)
(cherry picked from commit 8d5becbe4b)
(cherry picked from commit e3f65d6fbc)
(cherry picked from commit 1ef3828516)
(cherry picked from commit 35f09e2b7c)
(cherry picked from commit d6f1006dd0)

2020-05-31 22:16:05 -07:00

notes Check timestamp of signed EC2 token request 2020-05-31 22:16:05 -07:00

source Update pike to ignore specific release notes 2017-08-22 20:55:54 +00:00