2013.2.1 and cleaner deps

(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
author: Matthew Thode <prometheanfire@gentoo.org> 2013-12-19 04:16:52 +0000
committer: Matthew Thode <prometheanfire@gentoo.org> 2013-12-19 04:16:52 +0000
commit: c2fbd195c9901ab7335d484e8e63c389fa6cd2a8 (patch)
tree: b4a189d89bb13a555868bce26c82a694bdb44477 /sys-auth/keystone/files
parent: Automated update. (diff)
download: gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.gz
gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.bz2
gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.zip
2 files changed, 0 insertions, 227 deletions
diff --git a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch b/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
deleted file mode 100644
index 3f9a640a08d9..000000000000
--- a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 4221b6020e6b0b42325d8904d7b8a22577a6acc0 Mon Sep 17 00:00:00 2001
-From: Brant Knudson <bknudson@us.ibm.com>
-Date: Mon, 21 Oct 2013 15:21:12 -0500
-Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment
-
-When using the LDAP assignment backend, attempting to remove a
-role assignment when the role hadn't been used before would
-actually add the role assignment and would not return a
-404 Not Found like the SQL backend.
-
-This change makes it so that when attempt to remove a role that
-wasn't assigned then 404 Not Found is returned.
-
-Closes-Bug: #1242855
-Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
-(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
-(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
----
- keystone/assignment/backends/ldap.py | 18 ++++--------------
- keystone/tests/test_backend.py       |  9 +++++++++
- 2 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
-index 851f9ec..ecf4adb 100644
---- a/keystone/assignment/backends/ldap.py
-+++ b/keystone/assignment/backends/ldap.py
-@@ -426,20 +426,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn,
-         try:
-             conn.modify_s(role_dn, [(ldap.MOD_DELETE,
-                                      self.member_attribute, user_dn)])
--        except ldap.NO_SUCH_OBJECT:
--            if tenant_dn is None:
--                raise exception.RoleNotFound(role_id=role_id)
--            attrs = [('objectClass', [self.object_class]),
--                     (self.member_attribute, [user_dn])]
--
--            if self.use_dumb_member:
--                attrs[1][1].append(self.dumb_member)
--            try:
--                conn.add_s(role_dn, attrs)
--            except Exception as inst:
--                raise inst
--        except ldap.NO_SUCH_ATTRIBUTE:
--            raise exception.UserNotFound(user_id=user_id)
-+        except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
-+            raise exception.RoleNotFound(message=_(
-+                'Cannot remove role that has not been granted, %s') %
-+                role_id)
-         finally:
-             conn.unbind_s()
- 
-diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
-index 7dd3477..e0e81ca 100644
---- a/keystone/tests/test_backend.py
-+++ b/keystone/tests/test_backend.py
-@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self):
-             self.tenant_bar['id'])
-         self.assertNotIn(self.user_two['id'], user_ids)
- 
-+    def test_remove_user_role_not_assigned(self):
-+        # Expect failure if attempt to remove a role that was never assigned to
-+        # the user.
-+        self.assertRaises(exception.RoleNotFound,
-+                          self.identity_api.remove_role_from_user_and_project,
-+                          tenant_id=self.tenant_bar['id'],
-+                          user_id=self.user_two['id'],
-+                          role_id=self.role_other['id'])
-+
-     def test_authenticate_bad_user(self):
-         self.assertRaises(AssertionError,
-                           self.identity_api.authenticate,
--- 
-1.8.4
-
diff --git a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
deleted file mode 100644
index 52d13c4b0e51..000000000000
--- a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 2756f2ff0c49b25e17b4f833610bd5c4f16309bd Mon Sep 17 00:00:00 2001
-From: Steven Hardy <shardy@redhat.com>
-Date: Mon, 21 Oct 2013 19:49:01 +0100
-Subject: [PATCH] Fix issues handling trust tokens via ec2tokens API
-
-Trust scoped tokens are handled incorectly when making requests
-via the ec2tokens API, meaning that the restrictions enforced
-by trust-scoped tokens are not respected when obtaining a token
-via ec2token signature validation.
-
-Storing the trust_id in the blob associated with the ec2 keypair,
-and passing that id in the metadata when requesting a v2 token
-solves the issue.
-
-Change-Id: I52566384d7813ef0e2f20fb94a5076386457ff02
-Closes-Bug: #1242597
----
- keystone/contrib/ec2/controllers.py       | 19 ++++++++++--
- keystone/tests/test_keystoneclient_sql.py | 50 ++++++++++++++++++++++++++++---
- 2 files changed, 63 insertions(+), 6 deletions(-)
-
-diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
-index 94b7430..262cbe5 100644
---- a/keystone/contrib/ec2/controllers.py
-+++ b/keystone/contrib/ec2/controllers.py
-@@ -106,6 +106,11 @@ class Ec2Controller(controller.V2Controller):
-             self.identity_api.get_roles_for_user_and_project(
-                 user_ref['id'], tenant_ref['id']))
- 
-+        trust_id = creds_ref.get('trust_id')
-+        if trust_id:
-+            metadata_ref['trust_id'] = trust_id
-+            metadata_ref['trustee_user_id'] = user_ref['id']
-+
-         # Validate that the auth info is valid and nothing is disabled
-         token.validate_auth_info(self, user_ref, tenant_ref)
- 
-@@ -146,8 +151,10 @@ class Ec2Controller(controller.V2Controller):
- 
-         self._assert_valid_user_id(user_id)
-         self._assert_valid_project_id(tenant_id)
-+        trust_id = self._context_trust_id(context)
-         blob = {'access': uuid.uuid4().hex,
--                'secret': uuid.uuid4().hex}
-+                'secret': uuid.uuid4().hex,
-+                'trust_id': trust_id}
-         credential_id = utils.hash_access_key(blob['access'])
-         cred_ref = {'user_id': user_id,
-                     'project_id': tenant_id,
-@@ -213,7 +220,8 @@ class Ec2Controller(controller.V2Controller):
-         return {'user_id': credential.get('user_id'),
-                 'tenant_id': credential.get('project_id'),
-                 'access': blob.get('access'),
--                'secret': blob.get('secret')}
-+                'secret': blob.get('secret'),
-+                'trust_id': blob.get('trust_id')}
- 
-     def _get_credentials(self, credential_id):
-         """Return credentials from an ID.
-@@ -244,6 +252,13 @@ class Ec2Controller(controller.V2Controller):
-         if token_ref['user'].get('id') != user_id:
-             raise exception.Forbidden(_('Token belongs to another user'))
- 
-+    def _context_trust_id(self, context):
-+        try:
-+            token_ref = self.token_api.get_token(context['token_id'])
-+        except exception.TokenNotFound as e:
-+            raise exception.Unauthorized(e)
-+        return token_ref.get('trust_id')
-+
-     def _is_admin(self, context):
-         """Wrap admin assertion error return statement.
- 
-diff --git a/keystone/tests/test_keystoneclient_sql.py b/keystone/tests/test_keystoneclient_sql.py
-index 5ddc33e..bd83803 100644
---- a/keystone/tests/test_keystoneclient_sql.py
-+++ b/keystone/tests/test_keystoneclient_sql.py
-@@ -88,9 +88,11 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
-         self.assertRaises(client_exceptions.NotFound, client.endpoints.delete,
-                           id=endpoint.id)
- 
--    def _send_ec2_auth_request(self, credentials):
-+    def _send_ec2_auth_request(self, credentials, client=None):
-+        if not client:
-+            client = self.default_client
-         url = '%s/ec2tokens' % self.default_client.auth_url
--        (resp, token) = self.default_client.request(
-+        (resp, token) = client.request(
-             url=url, method='POST',
-             body={'credentials': credentials})
-         return resp, token
-@@ -99,9 +101,12 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
-         cred = self. default_client.ec2.create(
-             user_id=self.user_foo['id'],
-             tenant_id=self.tenant_bar['id'])
--        signer = ec2_utils.Ec2Signer(cred.secret)
-+        return self._generate_user_ec2_credentials(cred.access, cred.secret)
-+
-+    def _generate_user_ec2_credentials(self, access, secret):
-+        signer = ec2_utils.Ec2Signer(secret)
-         credentials = {'params': {'SignatureVersion': '2'},
--                       'access': cred.access,
-+                       'access': access,
-                        'verb': 'GET',
-                        'host': 'localhost',
-                        'path': '/service/cloud'}
-@@ -115,6 +120,43 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
-         self.assertEqual(resp.status_code, 200)
-         self.assertIn('access', token)
- 
-+    def test_ec2_auth_success_trust(self):
-+        # Add "other" role user_foo and create trust delegating it to user_two
-+        self.identity_api.add_role_to_user_and_project(
-+            self.user_foo['id'],
-+            self.tenant_bar['id'],
-+            self.role_other['id'])
-+        trust_id = 'atrust123'
-+        trust = {'trustor_user_id': self.user_foo['id'],
-+                 'trustee_user_id': self.user_two['id'],
-+                 'project_id': self.tenant_bar['id'],
-+                 'impersonation': True}
-+        roles = [self.role_other]
-+        self.trust_api.create_trust(trust_id, trust, roles)
-+
-+        # Create a client for user_two, scoped to the trust
-+        client = self.get_client(self.user_two)
-+        ret = client.authenticate(trust_id=trust_id,
-+                                  tenant_id=self.tenant_bar['id'])
-+        self.assertTrue(ret)
-+        self.assertTrue(client.auth_ref.trust_scoped)
-+        self.assertEqual(trust_id, client.auth_ref.trust_id)
-+
-+        # Create an ec2 keypair using the trust client impersonating user_foo
-+        cred = client.ec2.create(user_id=self.user_foo['id'],
-+                                 tenant_id=self.tenant_bar['id'])
-+        credentials, signature = self._generate_user_ec2_credentials(
-+            cred.access, cred.secret)
-+        credentials['signature'] = signature
-+        resp, token = self._send_ec2_auth_request(credentials)
-+        self.assertEqual(resp.status_code, 200)
-+        self.assertEqual(trust_id, token['access']['trust']['id'])
-+        #TODO(shardy) we really want to check the roles and trustee
-+        # but because of where the stubbing happens we don't seem to
-+        # hit the necessary code in controllers.py _authenticate_token
-+        # so although all is OK via a real request, it incorrect in
-+        # this test..
-+
-     def test_ec2_auth_failure(self):
-         from keystoneclient import exceptions as client_exceptions
- 
--- 
-1.8.3.1
-
author	Matthew Thode <prometheanfire@gentoo.org>	2013-12-19 04:16:52 +0000
committer	Matthew Thode <prometheanfire@gentoo.org>	2013-12-19 04:16:52 +0000
commit	c2fbd195c9901ab7335d484e8e63c389fa6cd2a8 (patch)
tree	b4a189d89bb13a555868bce26c82a694bdb44477 /sys-auth/keystone/files
parent	Automated update. (diff)
download	gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.gz gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.bz2 gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.zip