)]}'
{"id":"openstack%2Fkeystone~725069","triplet_id":"openstack%2Fkeystone~stable%2Fstein~Idb10267338b4204b435df233c636046a1ce5711f","project":"openstack/keystone","branch":"stable/stein","topic":"SEC-bug-1872737-stable/stein","hashtags":[],"change_id":"Idb10267338b4204b435df233c636046a1ce5711f","subject":"Check timestamp of signed EC2 token request","status":"MERGED","created":"2020-05-03 04:37:11.000000000","updated":"2020-05-05 00:27:35.000000000","submitted":"2020-05-04 06:14:35.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"725069-1588572875531-111d3b5a","meta_rev_id":"4afc691951aa7be05570a22bb46cadde88c1d796","_number":725069,"virtual_id_number":725069,"owner":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2020-05-04 06:14:35.000000000","post_submit":true,"permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"value":0,"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2020-05-04 01:28:05.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"value":0,"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"value":1,"date":"2020-05-04 04:41:47.000000000","_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2020-05-04 01:28:05.000000000","updated_by":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"reviewer":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"state":"REVIEWER"},{"updated":"2020-05-04 
06:14:35.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"c78b0c1af8449433c5563f56fe396b74b2f9fbff","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-05-03 04:37:11.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"9ac164445f7eb6eb66605f3f56bd26adde874f94","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-05-03 06:05:45.000000000","message":"Patch Set 1: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/363a66b24b6d4755856f01fa8dfdd296 : SUCCESS in 28m 05s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/fee2f36b3d564507b115f4b2c0645d20 : SUCCESS in 27m 40s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/acc4bf3b4157445cb1604e3a48432463 : SUCCESS in 5m 31s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/d59d35f304b34814b31ad8eebab1f696 : SUCCESS in 21m 50s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/dd370ea54f65482f964bafd049c9b912 : SUCCESS in 26m 29s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/aba3dbb8412a4eaca1e30628ac7f6bce : SUCCESS in 25m 25s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/5af46bea8340476a95e694d338eb679c : SUCCESS in 9m 28s\n- tempest-full https://zuul.opendev.org/t/openstack/build/d6ba48b0d58a48dea5b9bc62c719c6ac : SUCCESS in 1h 28m 00s\n- neutron-grenade https://zuul.opendev.org/t/openstack/build/7cde0c03bfee47a09f816e2c106b2f8c : SUCCESS in 54m 00s\n- 
grenade-py3 https://zuul.opendev.org/t/openstack/build/e7e54d12ada1473091bb3b070b90f6da : SUCCESS in 52m 48s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/220592dbffe04353a5c1036c90588e96 : SUCCESS in 1h 22m 59s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/f147050eb4244012973fdd8ec5446bce : SUCCESS in 18m 05s\n- keystone-dsvm-functional https://zuul.opendev.org/t/openstack/build/318cc8793b674f50aafe9e91ba1c1f9f : SUCCESS in 31m 47s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/3e558557d9ea4dddbd6282269615dc0c : SUCCESS in 35m 15s\n- keystone-dsvm-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/688f99a5df7a4c95accada15d04baf01 : POST_FAILURE in 30m 41s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/bee1018ebc40498cb3cfbcb96232644c : SUCCESS in 34m 25s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/d8181a604e4c468fa00a38ad7f27a5bb : FAILURE in 33m 09s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/f7e1a5153f604b8ab383d2f9c495693e : SUCCESS in 15m 08s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/6b9ef001608b437797af88142c1977dc : SUCCESS in 35m 00s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"e82c6c3f981deef3156e6978a8c93d8a3796f74a","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-05-03 07:55:57.000000000","message":"Patch Set 1:\n\nrecheck","accounts_in_message":[],"_revision_number":1},{"id":"ffe6f6f3d7f9f399b58d907a53b3557c3fbf5d14","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-05-03 09:35:28.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check 
pipeline).\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/5d7837fae50f4300a6da30818c4916d8 : SUCCESS in 29m 41s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/4498f038c60e4871b25a6d2f87eb40b5 : SUCCESS in 25m 53s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/cee3b09923ad4e7b9c8557dcad420235 : SUCCESS in 5m 28s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/cdddc38595e54913baa620c5355195b0 : SUCCESS in 24m 15s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/d1a42129d1a34aa9879cdbf2e6558fb2 : SUCCESS in 24m 46s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/0a4404b2e1e04dd394d5124d674352b7 : SUCCESS in 26m 12s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/a494dc047726442686512ab1ed83e898 : SUCCESS in 10m 32s\n- tempest-full https://zuul.opendev.org/t/openstack/build/d6f59f6f2a55427d948f1864893e2466 : SUCCESS in 1h 27m 34s\n- neutron-grenade https://zuul.opendev.org/t/openstack/build/ff7d0adab0fc4a3096b66a340e6df915 : SUCCESS in 52m 17s\n- grenade-py3 https://zuul.opendev.org/t/openstack/build/b962696519324fa7821a90d1c792b368 : SUCCESS in 55m 49s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/b081f208ea73488a9577a08b8d795f62 : SUCCESS in 1h 37m 47s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/c8c76db875d341acb61543e51778a6a4 : SUCCESS in 18m 28s\n- keystone-dsvm-functional https://zuul.opendev.org/t/openstack/build/94153bc5ff464177b8ac3503a2449af0 : SUCCESS in 30m 54s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/4f0b8732418f42dbb6c0fc147186a552 : SUCCESS in 30m 52s\n- keystone-dsvm-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/3ef906c05a464c2a89a6368e10143e4c : POST_FAILURE in 30m 21s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15 
https://zuul.opendev.org/t/openstack/build/4430378eb5ba465992156283412557e4 : SUCCESS in 36m 50s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/4a86cd73059042d290672fa2c9f3ba37 : SUCCESS in 37m 30s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/28e8a64b7e954f46a3a08ef6e1b13c6a : SUCCESS in 18m 18s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/ce4c66e4d29c466e8cb845f29bb8d388 : SUCCESS in 40m 08s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"e9474cbf4a2c852408152dcfff65acfc05633873","author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"date":"2020-05-04 01:28:05.000000000","message":"Patch Set 1: Code-Review+2","accounts_in_message":[],"_revision_number":1},{"id":"9ad8758d030328510b16a1f32c0966c90d3b88ea","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-05-04 04:41:47.000000000","message":"Patch Set 1: Workflow+1","accounts_in_message":[],"_revision_number":1},{"id":"c8001c1f6270a005541eb63210a4492f31ee697e","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-05-04 04:42:00.000000000","message":"Patch Set 1: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":1},{"id":"7021e356459d653184f1c6461a9cf6211ec508f7","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-05-04 06:14:35.000000000","message":"Patch Set 1: Verified+2\n\nBuild succeeded (gate pipeline).\n\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/97b391f4be1249eabf158ce2b29a6400 : SUCCESS in 32m 56s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/8b9a2830c73440e2a87a38450fbbdca3 : 
SUCCESS in 5m 50s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/e02ce6d681054ad3862d3816d2373b9c : SUCCESS in 21m 01s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/4a13f6bee87e42809526a1e97f70dd98 : SUCCESS in 25m 20s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/a53568ba33cb4c2fae9f1ac442724375 : SUCCESS in 26m 26s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/b268c1b1bbb740f5ab7976a38c704df5 : SUCCESS in 8m 51s\n- tempest-full https://zuul.opendev.org/t/openstack/build/0f4452ec4d1b41e7956c8fcfd0c3b708 : SUCCESS in 1h 27m 47s\n- neutron-grenade https://zuul.opendev.org/t/openstack/build/6830e8d068f641d1910fb891fc9b641d : SUCCESS in 55m 21s\n- grenade-py3 https://zuul.opendev.org/t/openstack/build/d8980c8f88664db6b431fc8f1b6a4fce : SUCCESS in 1h 00m 58s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/595655e62747481f903cb3f9d2dfb16c : SUCCESS in 1h 17m 00s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/a13357ca8254461c938779af1ccf8e43 : SUCCESS in 18m 53s\n- keystone-dsvm-functional https://zuul.opendev.org/t/openstack/build/48b8ba2a4fd7412eb3e2f21c413b7d2f : SUCCESS in 32m 24s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/f20a71bbd53b40f889ed442d083c7871 : SUCCESS in 34m 15s\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/22e7b18f66d74310b73a9880401aa0d4 : SUCCESS in 38m 53s","accounts_in_message":[],"_revision_number":1},{"id":"8e4de4a2b938c3a7104a90dbb1cf580a8f7a681c","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-05-04 06:14:35.000000000","message":"Change has been successfully merged by 
Zuul","accounts_in_message":[],"_revision_number":1},{"id":"94e4468474c474c39bf020b9f265edd9352d6536","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-05-04 06:18:19.000000000","message":"Patch Set 1:\n\nBuild succeeded (promote pipeline).\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/180ea7542638468698bf51afcd660c36 : SUCCESS in 2m 02s\n- promote-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/8d7db2d5b7a84e32a365643ab4c0732f : SUCCESS in 3m 11s","accounts_in_message":[],"_revision_number":1},{"id":"923e529248a821ab7033fb3cd49e037610930f3d","author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"date":"2020-05-05 00:27:35.000000000","message":"Patch Set 1:\n\nlgtm","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"1ef3828516c1b87a8ca84acca73ec593b0b8591d","revisions":{"1ef3828516c1b87a8ca84acca73ec593b0b8591d":{"kind":"REWORK","_number":1,"created":"2020-05-03 04:37:11.000000000","uploader":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"ref":"refs/changes/69/725069/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/69/725069/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/69/725069/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/69/725069/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/69/725069/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/69/725069/1"}}},"commit":{"parents":[{"commit":"e57e44c0ecf4491bba4ed451e6b3016552824ff5","subject":"Add cadf 
auditing to credentials","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/e57e44c0ecf4491bba4ed451e6b3016552824ff5"}]}],"author":{"name":"Colleen Murphy","email":"colleen.murphy@suse.com","date":"2020-04-17 00:05:43.000000000","tz":-420},"committer":{"name":"Colleen Murphy","email":"colleen.murphy@suse.com","date":"2020-05-03 04:36:47.000000000","tz":-420},"subject":"Check timestamp of signed EC2 token request","message":"Check timestamp of signed EC2 token request\n\nEC2 token requests contain a signature that signs the entire request,\nincluding the access timestamp. While the signature is checked, the\ntimestamp is not, and so these signed requests remain valid\nindefinitely, leaving the token API vulnerable to replay attacks. This\nchange introduces a configurable TTL for signed token requests and\nensures that the timestamp is actually validated against it.\n\nThe check will work for either an AWS Signature v1/v2 \u0027Timestamp\u0027\nparameter[1] or the AWS Signature v4 \u0027X-Amz-Date\u0027 header or\nparameter[2].\n\nAlthough this technically adds a new feature and the default value of\nthe feature changes behavior, this change is required to protect\ncredential holders and therefore must be backported to all supported\nbranches.\n\n[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html\n[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html\n\nConflicts due to six removal in e2d83ae9:\n\tkeystone/api/_shared/EC2_S3_Resource.py\n\tkeystone/tests/unit/test_contrib_ec2_core.py\n\nChange-Id: Idb10267338b4204b435df233c636046a1ce5711f\nCloses-bug: #1872737\n(cherry picked from commit ab89ea749013e7f2c46260f68504f5687763e019)\n(cherry picked from commit 8d5becbe4b463f6a5a24a1929dd0f48dab6ae027)\n(cherry picked from commit e3f65d6fbcd18032a8ad3dfa3aaded264a282158)\n","web_links":[{"name":"gitea","tooltip":"Open in 
GitWeb","url":"https://opendev.org/openstack/keystone/commit/1ef3828516c1b87a8ca84acca73ec593b0b8591d"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1ef3828516c1b87a8ca84acca73ec593b0b8591d"}]},"branch":"refs/heads/stable/stein"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
