diff options
author | 2013-12-19 04:16:52 +0000 | |
---|---|---|
committer | 2013-12-19 04:16:52 +0000 | |
commit | c2fbd195c9901ab7335d484e8e63c389fa6cd2a8 (patch) | |
tree | b4a189d89bb13a555868bce26c82a694bdb44477 /sys-auth/keystone/files | |
parent | Automated update. (diff) | |
download | gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.gz gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.bz2 gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.zip |
2013.2.1 and cleaner deps
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone/files')
-rw-r--r-- | sys-auth/keystone/files/2013.2-CVE-2013-4477.patch | 74 | ||||
-rw-r--r-- | sys-auth/keystone/files/cve-2013-6391_2013.2.patch | 153 |
2 files changed, 0 insertions, 227 deletions
diff --git a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch b/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch deleted file mode 100644 index 3f9a640a08d9..000000000000 --- a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 4221b6020e6b0b42325d8904d7b8a22577a6acc0 Mon Sep 17 00:00:00 2001 -From: Brant Knudson <bknudson@us.ibm.com> -Date: Mon, 21 Oct 2013 15:21:12 -0500 -Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment - -When using the LDAP assignment backend, attempting to remove a -role assignment when the role hadn't been used before would -actually add the role assignment and would not return a -404 Not Found like the SQL backend. - -This change makes it so that when attempt to remove a role that -wasn't assigned then 404 Not Found is returned. - -Closes-Bug: #1242855 -Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3 -(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0) -(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa) ---- - keystone/assignment/backends/ldap.py | 18 ++++-------------- - keystone/tests/test_backend.py | 9 +++++++++ - 2 files changed, 13 insertions(+), 14 deletions(-) - -diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py -index 851f9ec..ecf4adb 100644 ---- a/keystone/assignment/backends/ldap.py -+++ b/keystone/assignment/backends/ldap.py -@@ -426,20 +426,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn, - try: - conn.modify_s(role_dn, [(ldap.MOD_DELETE, - self.member_attribute, user_dn)]) -- except ldap.NO_SUCH_OBJECT: -- if tenant_dn is None: -- raise exception.RoleNotFound(role_id=role_id) -- attrs = [('objectClass', [self.object_class]), -- (self.member_attribute, [user_dn])] -- -- if self.use_dumb_member: -- attrs[1][1].append(self.dumb_member) -- try: -- conn.add_s(role_dn, attrs) -- except Exception as inst: -- raise inst -- except ldap.NO_SUCH_ATTRIBUTE: -- raise exception.UserNotFound(user_id=user_id) -+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE): -+ raise exception.RoleNotFound(message=_( -+ 'Cannot remove role that has not been granted, %s') % -+ role_id) - finally: - conn.unbind_s() - -diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py -index 7dd3477..e0e81ca 100644 ---- a/keystone/tests/test_backend.py -+++ b/keystone/tests/test_backend.py -@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self): - self.tenant_bar['id']) - self.assertNotIn(self.user_two['id'], user_ids) - -+ def test_remove_user_role_not_assigned(self): -+ # Expect failure if attempt to remove a role that was never assigned to -+ # the user. -+ self.assertRaises(exception.RoleNotFound, -+ self.identity_api.remove_role_from_user_and_project, -+ tenant_id=self.tenant_bar['id'], -+ user_id=self.user_two['id'], -+ role_id=self.role_other['id']) -+ - def test_authenticate_bad_user(self): - self.assertRaises(AssertionError, - self.identity_api.authenticate, --- -1.8.4 - diff --git a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch deleted file mode 100644 index 52d13c4b0e51..000000000000 --- a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 2756f2ff0c49b25e17b4f833610bd5c4f16309bd Mon Sep 17 00:00:00 2001 -From: Steven Hardy <shardy@redhat.com> -Date: Mon, 21 Oct 2013 19:49:01 +0100 -Subject: [PATCH] Fix issues handling trust tokens via ec2tokens API - -Trust scoped tokens are handled incorectly when making requests -via the ec2tokens API, meaning that the restrictions enforced -by trust-scoped tokens are not respected when obtaining a token -via ec2token signature validation. - -Storing the trust_id in the blob associated with the ec2 keypair, -and passing that id in the metadata when requesting a v2 token -solves the issue. - -Change-Id: I52566384d7813ef0e2f20fb94a5076386457ff02 -Closes-Bug: #1242597 ---- - keystone/contrib/ec2/controllers.py | 19 ++++++++++-- - keystone/tests/test_keystoneclient_sql.py | 50 ++++++++++++++++++++++++++++--- - 2 files changed, 63 insertions(+), 6 deletions(-) - -diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py -index 94b7430..262cbe5 100644 ---- a/keystone/contrib/ec2/controllers.py -+++ b/keystone/contrib/ec2/controllers.py -@@ -106,6 +106,11 @@ class Ec2Controller(controller.V2Controller): - self.identity_api.get_roles_for_user_and_project( - user_ref['id'], tenant_ref['id'])) - -+ trust_id = creds_ref.get('trust_id') -+ if trust_id: -+ metadata_ref['trust_id'] = trust_id -+ metadata_ref['trustee_user_id'] = user_ref['id'] -+ - # Validate that the auth info is valid and nothing is disabled - token.validate_auth_info(self, user_ref, tenant_ref) - -@@ -146,8 +151,10 @@ class Ec2Controller(controller.V2Controller): - - self._assert_valid_user_id(user_id) - self._assert_valid_project_id(tenant_id) -+ trust_id = self._context_trust_id(context) - blob = {'access': uuid.uuid4().hex, -- 'secret': uuid.uuid4().hex} -+ 'secret': uuid.uuid4().hex, -+ 'trust_id': trust_id} - credential_id = utils.hash_access_key(blob['access']) - cred_ref = {'user_id': user_id, - 'project_id': tenant_id, -@@ -213,7 +220,8 @@ class Ec2Controller(controller.V2Controller): - return {'user_id': credential.get('user_id'), - 'tenant_id': credential.get('project_id'), - 'access': blob.get('access'), -- 'secret': blob.get('secret')} -+ 'secret': blob.get('secret'), -+ 'trust_id': blob.get('trust_id')} - - def _get_credentials(self, credential_id): - """Return credentials from an ID. -@@ -244,6 +252,13 @@ class Ec2Controller(controller.V2Controller): - if token_ref['user'].get('id') != user_id: - raise exception.Forbidden(_('Token belongs to another user')) - -+ def _context_trust_id(self, context): -+ try: -+ token_ref = self.token_api.get_token(context['token_id']) -+ except exception.TokenNotFound as e: -+ raise exception.Unauthorized(e) -+ return token_ref.get('trust_id') -+ - def _is_admin(self, context): - """Wrap admin assertion error return statement. - -diff --git a/keystone/tests/test_keystoneclient_sql.py b/keystone/tests/test_keystoneclient_sql.py -index 5ddc33e..bd83803 100644 ---- a/keystone/tests/test_keystoneclient_sql.py -+++ b/keystone/tests/test_keystoneclient_sql.py -@@ -88,9 +88,11 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base): - self.assertRaises(client_exceptions.NotFound, client.endpoints.delete, - id=endpoint.id) - -- def _send_ec2_auth_request(self, credentials): -+ def _send_ec2_auth_request(self, credentials, client=None): -+ if not client: -+ client = self.default_client - url = '%s/ec2tokens' % self.default_client.auth_url -- (resp, token) = self.default_client.request( -+ (resp, token) = client.request( - url=url, method='POST', - body={'credentials': credentials}) - return resp, token -@@ -99,9 +101,12 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base): - cred = self. default_client.ec2.create( - user_id=self.user_foo['id'], - tenant_id=self.tenant_bar['id']) -- signer = ec2_utils.Ec2Signer(cred.secret) -+ return self._generate_user_ec2_credentials(cred.access, cred.secret) -+ -+ def _generate_user_ec2_credentials(self, access, secret): -+ signer = ec2_utils.Ec2Signer(secret) - credentials = {'params': {'SignatureVersion': '2'}, -- 'access': cred.access, -+ 'access': access, - 'verb': 'GET', - 'host': 'localhost', - 'path': '/service/cloud'} -@@ -115,6 +120,43 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base): - self.assertEqual(resp.status_code, 200) - self.assertIn('access', token) - -+ def test_ec2_auth_success_trust(self): -+ # Add "other" role user_foo and create trust delegating it to user_two -+ self.identity_api.add_role_to_user_and_project( -+ self.user_foo['id'], -+ self.tenant_bar['id'], -+ self.role_other['id']) -+ trust_id = 'atrust123' -+ trust = {'trustor_user_id': self.user_foo['id'], -+ 'trustee_user_id': self.user_two['id'], -+ 'project_id': self.tenant_bar['id'], -+ 'impersonation': True} -+ roles = [self.role_other] -+ self.trust_api.create_trust(trust_id, trust, roles) -+ -+ # Create a client for user_two, scoped to the trust -+ client = self.get_client(self.user_two) -+ ret = client.authenticate(trust_id=trust_id, -+ tenant_id=self.tenant_bar['id']) -+ self.assertTrue(ret) -+ self.assertTrue(client.auth_ref.trust_scoped) -+ self.assertEqual(trust_id, client.auth_ref.trust_id) -+ -+ # Create an ec2 keypair using the trust client impersonating user_foo -+ cred = client.ec2.create(user_id=self.user_foo['id'], -+ tenant_id=self.tenant_bar['id']) -+ credentials, signature = self._generate_user_ec2_credentials( -+ cred.access, cred.secret) -+ credentials['signature'] = signature -+ resp, token = self._send_ec2_auth_request(credentials) -+ self.assertEqual(resp.status_code, 200) -+ self.assertEqual(trust_id, token['access']['trust']['id']) -+ #TODO(shardy) we really want to check the roles and trustee -+ # but because of where the stubbing happens we don't seem to -+ # hit the necessary code in controllers.py _authenticate_token -+ # so although all is OK via a real request, it incorrect in -+ # this test.. -+ - def test_ec2_auth_failure(self): - from keystoneclient import exceptions as client_exceptions - --- -1.8.3.1 - |