** Changed in: keystone/kilo
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1477600

Title:
  Token Validation API returns 401 not 404 on invalid fernet token

Status in Keystone:
  Fix Released
Status in Keystone kilo series:
  Fix Released

Bug description:
  The Validate token API specifies a 404 response for invalid Subject tokens:
  * http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
  * http://developer.openstack.org/api-ref-identity-v3.html#validateTokens
    (not clear, but the KSC auth middleware has the same logic as v2.0)

  For Fernet tokens, this API returns 401 for an invalid token:

    curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
    {"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}

  I've checked the tests and found an incorrect one. The API spec requires 404, the test checks for 401:
  https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51

  Looks like it's broken in one of these places:
  * The controller doesn't check the return
    https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L448
  * The Fernet token's core doesn't check the return here
    https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
  * The Fernet token raises 401 here
    https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201

  Note that the UUID token raises 404 here as expected:
  https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679

  Also note that in the KSC auth middleware
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1147
  we expect 404 for an invalid USER token, and 401 for an invalid ADMIN token.
  So a 401 for an invalid user token makes the middleware go for a new admin token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1477600/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp