Check timestamp of signed EC2 token request

EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.

The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].

Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737

keystone/conf/credential.py

@@ -61,6 +61,14 @@ Time to cache credential data in seconds. This has no effect unless global
 caching is enabled.
 """))
 
+auth_ttl = cfg.IntOpt(
+    'auth_ttl',
+    default=15,
+    help=utils.fmt("""
+The length of time in minutes for which a signed EC2 or S3 token request is
+valid from the timestamp contained in the token request.
+"""))
+
 
 GROUP_NAME = __name__.split('.')[-1]
 ALL_OPTS = [
@@ -68,7 +76,8 @@ ALL_OPTS = [
     provider,
     key_repository,
     caching,
-    cache_time
+    cache_time,
+    auth_ttl
 ]