openstack/keystone
Code Issues Proposed changes
13,976 Commits 8 Branches 230 Tags
1ef3828516c1b87a8ca84acca73ec593b0b8591d
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Colleen Murphy 1ef3828516 Check timestamp of signed EC2 token request 
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.

The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].

Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Conflicts due to six removal in e2d83ae9:
	keystone/api/_shared/EC2_S3_Resource.py
	keystone/tests/unit/test_contrib_ec2_core.py

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
(cherry picked from commit ab89ea7490)
(cherry picked from commit 8d5becbe4b)
(cherry picked from commit e3f65d6fbc)
2020-05-02 21:36:47 -07:00
api-ref/source
trivial: fix broken link in trust API reference
2019-03-13 19:45:49 +00:00
config-generator
Move policy generator config to config-generator/
2017-04-21 21:47:32 +00:00
devstack
Add voting k2k tests
2020-02-05 11:04:26 -08:00
doc
Docs: Make robust with using real links
2019-10-18 09:13:36 -07:00
etc
DRY: Remove redundant policies from policy.v3cloudsample.json
2019-04-02 19:41:36 +00:00
examples/pki
Remove support for PKI and PKIz tokens
2016-11-01 22:05:01 +00:00
httpd
Remove admin interface in sample Apache file
2018-03-24 12:56:02 +01:00
keystone
Check timestamp of signed EC2 token request
2020-05-02 21:36:47 -07:00
keystone_tempest_plugin
Remove the local tempest plugin
2017-06-06 11:48:37 +00:00
playbooks/legacy/keystone-dsvm-grenade-multinode
OpenDev Migration Patch
2019-04-19 19:30:50 +00:00
rally-jobs
fix rally docs url
2018-05-21 16:24:51 +08:00
releasenotes
Check timestamp of signed EC2 token request
2020-05-02 21:36:47 -07:00
tools
changed port in tools/sample_data.sh
2018-11-15 20:45:59 +05:30
.coveragerc
Change ignore-errors to ignore_errors
2015-09-21 14:27:58 +00:00
.gitignore
Tell reno to ignore the kilo branch
2020-02-21 18:56:11 +00:00
.gitreview
OpenDev Migration Patch
2019-04-19 19:30:50 +00:00
.mailmap
update mailmap with gyee's new email
2015-11-03 16:12:01 -08:00
.stestr.conf
Migrate to stestr
2017-09-22 11:07:09 -05:00
.zuul.yaml
Add voting k2k tests
2020-02-05 11:04:26 -08:00
babel.cfg
setting up babel for i18n work
2012-06-21 18:03:09 -07:00
bindep.txt
Fix bindep for SUSE
2019-02-14 16:50:33 +01:00
CONTRIBUTING.rst
Use https for docs.openstack.org references
2017-01-30 16:05:08 -08:00
HACKING.rst
Merge "Update links in keystone"
2017-10-06 16:10:56 +00:00
LICENSE
Added Apache 2.0 License information.
2012-02-15 17:48:33 -08:00
lower-constraints.txt
Pin Werkzeug in lower-constraints
2019-03-19 23:56:08 +01:00
README.rst
Add release notes link to README
2018-06-12 15:30:45 +08:00
reno.yaml
Tell reno to ignore the kilo branch
2020-02-21 18:56:11 +00:00
requirements.txt
Add PyJWT as a requirement
2019-01-31 19:42:09 +00:00
setup.cfg
Revert "Blacklist bandit 1.6.0"
2019-06-24 06:52:52 -07:00
setup.py
Updated from global requirements
2017-03-06 01:10:37 +00:00
test-requirements.txt
Use pycodestyle in place of pep8
2018-11-20 17:16:01 +00:00
tox.ini
Constraint dependencies for docs build
2020-02-19 20:23:23 -05:00

README.rst

Team and repository tags

image

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://developer.openstack.org/api-ref/identity

The canonical client library is available at:

https://git.openstack.org/cgit/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://git.openstack.org/cgit/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes is available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.

View Git Blame Copy Permalink
Description
OpenStack Identity (Keystone)
Readme 238 MiB
Languages
Python 99.5%
Shell 0.5%