openstack
/
keystone
Code Issues Proposed changes
OpenStack Identity (Keystone)
13,177 Commits 9 Branches 40 Tags 231 MiB
Python 99.5%
Shell 0.5%
Go to file
Colleen Murphy 35f09e2b7c Check timestamp of signed EC2 token request 
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.

The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].

Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Conflicts due to six removal in e2d83ae9:
	keystone/api/_shared/EC2_S3_Resource.py
	keystone/tests/unit/test_contrib_ec2_core.py

Conflicts due to flask reorg:
	keystone/api/_shared/EC2_S3_Resource.py

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
(cherry picked from commit ab89ea7490)
(cherry picked from commit 8d5becbe4b)
(cherry picked from commit e3f65d6fbc)
(cherry picked from commit 1ef3828516)
 		2020-05-04 15:47:41 -07:00
api-ref/source Update API version to 3.11 2018-10-17 14:29:41 +02:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Switch devstack plugin to samltest.id 2019-03-15 15:43:55 +01:00
doc Add the missing packages when install keystone 2020-02-05 19:31:29 +00:00
etc correct the admin_or_target_domain rule 2019-01-28 09:07:34 -08:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove admin interface in sample Apache file 2018-03-24 12:56:02 +01:00
keystone Check timestamp of signed EC2 token request 2020-05-04 15:47:41 -07:00
keystone_tempest_plugin Remove the local tempest plugin 2017-06-06 11:48:37 +00:00
playbooks/legacy OpenDev Migration Patch 2019-04-19 19:30:46 +00:00
rally-jobs fix rally docs url 2018-05-21 16:24:51 +08:00
releasenotes Check timestamp of signed EC2 token request 2020-05-04 15:47:41 -07:00
tools Increase MySQL max_connections for unit tests 2018-01-30 23:49:04 +01:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Tell reno to ignore the kilo branch 2020-02-21 18:55:26 +00:00
.gitreview OpenDev Migration Patch 2019-04-19 19:30:46 +00:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Import LDAP job into project 2019-10-15 10:25:32 -07:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
README.rst Add release notes link to README 2018-06-12 15:30:45 +08:00
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Differentiate between dpkg and rpm for libssl-dev 2017-03-31 11:27:25 -04:00
lower-constraints.txt PY3: switch to using unicode text values 2019-03-19 12:07:12 -04:00
reno.yaml Tell reno to ignore the kilo branch 2020-02-21 18:55:26 +00:00
requirements.txt Update the minimimum required version of oslo.log 2019-03-18 14:58:12 +01:00
setup.cfg Revert "Blacklist bandit 1.6.0" 2019-06-26 12:23:54 -04:00
setup.py Updated from global requirements 2017-03-06 01:10:37 +00:00
test-requirements.txt Follow the new PTI for document build 2018-04-09 01:13:58 +09:00
tox.ini Revert "Blacklist bandit 1.6.0" 2019-06-26 12:23:54 -04:00

README.rst

Team and repository tags

image

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://developer.openstack.org/api-ref/identity

The canonical client library is available at:

https://git.openstack.org/cgit/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://git.openstack.org/cgit/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes is available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.