authorMatthew Thode <prometheanfire@gentoo.org>2013-11-18 03:24:30 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-11-18 03:24:30 +0000
commite548f7d94edbce78878623ea1b5b085ee3e12314 (patch)
tree38eb0283da017b15d42141dd4c7486e00d2ae44f /sys-auth/keystone/files
parentfixing bug 491238 (diff)
fixing CVE and bugs 490764 and 490766
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone/files')
-rw-r--r--sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch227
-rw-r--r--sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch76
-rw-r--r--sys-auth/keystone/files/2013.2-CVE-2013-4477.patch74
-rw-r--r--sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-1977.patch40
-rw-r--r--sys-auth/keystone/files/keystone.confd1
-rw-r--r--sys-auth/keystone/files/keystone.initd5
-rw-r--r--sys-auth/keystone/files/keystone_test-requires.patch33
7 files changed, 153 insertions, 303 deletions
diff --git a/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch b/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch
deleted file mode 100644
index 4a4c3634b5a7..000000000000
--- a/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-From c70f8c61d50c2358d712b365bec4a8f288314b54 Mon Sep 17 00:00:00 2001
-From: Dolph Mathews <dolph.mathews@gmail.com>
-Date: Thu, 12 Sep 2013 17:02:26 -0500
-Subject: [PATCH] Revoke user tokens when disabling/delete a project
-
-- Revoke tokens scoped to all users from a project when disabling or
- deleting the project.
-- Fix provided by chmouel
-
-Closes-Bug: #1179955
-Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
----
- keystone/common/controller.py | 6 ++++
- keystone/identity/controllers.py | 16 +++++++++++
- tests/test_keystoneclient.py | 52 ++++++++++++++++++++++++++++++++++
- tests/test_v3_auth.py | 61 ++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 135 insertions(+)
-
-diff --git a/keystone/common/controller.py b/keystone/common/controller.py
-index 7123adf..0ef80fc 100644
---- a/keystone/common/controller.py
-+++ b/keystone/common/controller.py
-@@ -171,6 +171,12 @@ class V2Controller(wsgi.Application):
- trust['trustee_user_id'],
- trust['id'])
-
-+ def _delete_tokens_for_project(self, context, project_id):
-+ for user_ref in self.identity_api.get_project_users(
-+ context, project_id):
-+ self._delete_tokens_for_user(
-+ context, user_ref['id'], project_id=project_id)
-+
- def _require_attribute(self, ref, attr):
- """Ensures the reference contains the specified attribute."""
- if ref.get(attr) is None or ref.get(attr) == '':
-diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
-index e04cded..8bf13c6 100644
---- a/keystone/identity/controllers.py
-+++ b/keystone/identity/controllers.py
-@@ -111,12 +111,20 @@ class Tenant(controller.V2Controller):
- # be specifying that
- clean_tenant = tenant.copy()
- clean_tenant.pop('domain_id', None)
-+
-+ # If the project has been disabled (or enabled=False) we are
-+ # deleting the tokens for that project.
-+ if not tenant.get('enabled', True):
-+ self._delete_tokens_for_project(context, tenant_id)
-+
- tenant_ref = self.identity_api.update_project(
- context, tenant_id, clean_tenant)
- return {'tenant': tenant_ref}
-
- def delete_project(self, context, tenant_id):
- self.assert_admin(context)
-+ # Delete all tokens belonging to the users for that project
-+ self._delete_tokens_for_project(context, tenant_id)
- self.identity_api.delete_project(context, tenant_id)
-
- def get_project_users(self, context, tenant_id, **kw):
-@@ -571,6 +579,10 @@ class ProjectV3(controller.V3Controller):
- def update_project(self, context, project_id, project):
- self._require_matching_id(project_id, project)
-
-+ # The project was disabled so we delete the tokens
-+ if not project.get('enabled', True):
-+ self._delete_tokens_for_project(context, project_id)
-+
- ref = self.identity_api.update_project(context, project_id, project)
- return ProjectV3.wrap_member(context, ref)
-
-@@ -579,6 +591,10 @@ class ProjectV3(controller.V3Controller):
- for cred in self.identity_api.list_credentials(context):
- if cred['project_id'] == project_id:
- self.identity_api.delete_credential(context, cred['id'])
-+
-+ # Delete all tokens belonging to the users for that project
-+ self._delete_tokens_for_project(context, project_id)
-+
- # Finally delete the project itself - the backend is
- # responsible for deleting any role assignments related
- # to this project
-diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
-index acd5b2f..c6cd27a 100644
---- a/tests/test_keystoneclient.py
-+++ b/tests/test_keystoneclient.py
-@@ -379,6 +379,52 @@ class KeystoneClientTests(object):
- client.tokens.authenticate,
- token=token_id)
-
-+ def test_disable_tenant_invalidates_token(self):
-+ from keystoneclient import exceptions as client_exceptions
-+
-+ admin_client = self.get_client(admin=True)
-+ foo_client = self.get_client(self.user_foo)
-+ tenant_bar = admin_client.tenants.get(self.tenant_bar['id'])
-+
-+ # Disable the tenant.
-+ tenant_bar.update(enabled=False)
-+
-+ # Test that the token has been removed.
-+ self.assertRaises(client_exceptions.Unauthorized,
-+ foo_client.tokens.authenticate,
-+ token=foo_client.auth_token)
-+
-+ # Test that the user access has been disabled.
-+ self.assertRaises(client_exceptions.Unauthorized,
-+ self.get_client,
-+ self.user_foo)
-+
-+ def test_delete_tenant_invalidates_token(self):
-+ from keystoneclient import exceptions as client_exceptions
-+
-+ admin_client = self.get_client(admin=True)
-+ foo_client = self.get_client(self.user_foo, self.tenant_bar)
-+ tenant_bar = admin_client.tenants.get(self.tenant_bar['id'])
-+
-+ # Delete the tenant.
-+ tenant_bar.delete()
-+
-+ # Test that the token has been removed.
-+ self.assertRaises(client_exceptions.Unauthorized,
-+ foo_client.tokens.authenticate,
-+ token=foo_client.auth_token)
-+
-+ # Test that the user access has been disabled.
-+ """
-+ # FIXME(dolph): this assertion should not be skipped, but appears to be
-+ # an unrelated bug? auth succeeds, even though tenant_bar
-+ # was deleted
-+ self.assertRaises(client_exceptions.Unauthorized,
-+ self.get_client,
-+ self.user_foo,
-+ self.tenant_bar)
-+ """
-+
- def test_disable_user_invalidates_token(self):
- from keystoneclient import exceptions as client_exceptions
-
-@@ -1144,6 +1190,12 @@ class KcEssex3TestCase(CompatTestCase, KeystoneClientTests):
- """Due to lack of endpoint CRUD"""
- raise nose.exc.SkipTest('N/A')
-
-+ def test_disable_tenant_invalidates_token(self):
-+ raise self.skipTest('N/A')
-+
-+ def test_delete_tenant_invalidates_token(self):
-+ raise self.skipTest('N/A')
-+
-
- class Kc11TestCase(CompatTestCase, KeystoneClientTests):
- def get_checkout(self):
-diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
-index 9b3ab52..c2cd867 100644
---- a/tests/test_v3_auth.py
-+++ b/tests/test_v3_auth.py
-@@ -595,6 +595,67 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
- headers={'X-Subject-Token': token},
- expected_status=204)
-
-+ def test_disabling_project_revokes_token(self):
-+ resp = self.post(
-+ '/auth/tokens',
-+ body=self.build_authentication_request(
-+ user_id=self.user3['id'],
-+ password=self.user3['password'],
-+ project_id=self.projectA['id']))
-+ token = resp.getheader('X-Subject-Token')
-+
-+ # confirm token is valid
-+ self.head('/auth/tokens',
-+ headers={'X-Subject-Token': token},
-+ expected_status=204)
-+
-+ # disable the project, which should invalidate the token
-+ self.patch(
-+ '/projects/%(project_id)s' % {'project_id': self.projectA['id']},
-+ body={'project': {'enabled': False}})
-+
-+ # user should no longer have access to the project
-+ self.head('/auth/tokens',
-+ headers={'X-Subject-Token': token},
-+ expected_status=401)
-+ resp = self.post(
-+ '/auth/tokens',
-+ body=self.build_authentication_request(
-+ user_id=self.user3['id'],
-+ password=self.user3['password'],
-+ project_id=self.projectA['id']),
-+ expected_status=401)
-+
-+ def test_deleting_project_revokes_token(self):
-+ resp = self.post(
-+ '/auth/tokens',
-+ body=self.build_authentication_request(
-+ user_id=self.user3['id'],
-+ password=self.user3['password'],
-+ project_id=self.projectA['id']))
-+ token = resp.getheader('X-Subject-Token')
-+
-+ # confirm token is valid
-+ self.head('/auth/tokens',
-+ headers={'X-Subject-Token': token},
-+ expected_status=204)
-+
-+ # delete the project, which should invalidate the token
-+ self.delete(
-+ '/projects/%(project_id)s' % {'project_id': self.projectA['id']})
-+
-+ # user should no longer have access to the project
-+ self.head('/auth/tokens',
-+ headers={'X-Subject-Token': token},
-+ expected_status=401)
-+ resp = self.post(
-+ '/auth/tokens',
-+ body=self.build_authentication_request(
-+ user_id=self.user3['id'],
-+ password=self.user3['password'],
-+ project_id=self.projectA['id']),
-+ expected_status=401)
-+
- def test_deleting_group_grant_revokes_tokens(self):
- """Test deleting a group grant revokes tokens.
-
---
-1.8.1.5
-
diff --git a/sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch b/sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch
new file mode 100644
index 000000000000..aadddf55efb7
--- /dev/null
+++ b/sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch
@@ -0,0 +1,76 @@
+From 82dcde08f60c45002955875664a3cf82d1d211bc Mon Sep 17 00:00:00 2001
+From: Brant Knudson <bknudson@us.ibm.com>
+Date: Mon, 21 Oct 2013 15:21:12 -0500
+Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment
+
+When using the LDAP assignment backend, attempting to remove a
+role assignment when the role hadn't been used before would
+actually add the role assignment and would not return a
+404 Not Found like the SQL backend.
+
+This change makes it so that when attempt to remove a role that
+wasn't assigned then 404 Not Found is returned.
+
+Closes-Bug: #1242855
+Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
+(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
+(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
+(cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)
+---
+ keystone/identity/backends/ldap/core.py | 19 ++++---------------
+ tests/test_backend.py | 9 +++++++++
+ 2 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 8ac7395..3d016c0 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -704,21 +704,10 @@ def delete_user(self, role_id, user_id, tenant_id):
+ try:
+ conn.modify_s(role_dn, [(ldap.MOD_DELETE,
+ self.member_attribute, user_dn)])
+- except ldap.NO_SUCH_OBJECT:
+- if tenant_id is None or self.get(role_id) is None:
+- raise exception.RoleNotFound(role_id=role_id)
+- attrs = [('objectClass', [self.object_class]),
+- (self.member_attribute, [user_dn])]
+-
+- if self.use_dumb_member:
+- attrs[1][1].append(self.dumb_member)
+- try:
+- conn.add_s(role_dn, attrs)
+- except Exception as inst:
+- raise inst
+-
+- except ldap.NO_SUCH_ATTRIBUTE:
+- raise exception.UserNotFound(user_id=user_id)
++ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
++ raise exception.RoleNotFound(message=_(
++ 'Cannot remove role that has not been granted, %s') %
++ role_id)
+
+ def get_role_assignments(self, tenant_id):
+ conn = self.get_connection()
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index d4c2e6c..1af3c16 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -57,6 +57,15 @@ def test_project_add_and_remove_user_role(self):
+ user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
+ self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
+
++ def test_remove_user_role_not_assigned(self):
++ # Expect failure if attempt to remove a role that was never assigned to
++ # the user.
++ self.assertRaises(exception.RoleNotFound,
++ self.identity_api.remove_role_from_user_and_project,
++ tenant_id=self.tenant_bar['id'],
++ user_id=self.user_two['id'],
++ role_id=self.role_other['id'])
++
+ def test_authenticate_bad_user(self):
+ self.assertRaises(AssertionError,
+ self.identity_api.authenticate,
+--
+1.8.4
+
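Review bot: This patch file and its 2013.2 twin, sys-auth/keystone/files/2013.2-CVE-2013-4477.patch, are only added here; the diffstat is limited to sys-auth/keystone/files, so this page cannot show whether the 2013.1.4 and 2013.2 ebuilds actually apply them, nor whether any remaining ebuild still references the deleted 2013.1.3-CVE-2013-4222.patch, keystone-grizzly-1-CVE-2013-1977.patch or keystone_test-requires.patch, and both should be checked before the fix is considered landed. Inside the patched delete_user (the `@@ -704,21 +704,10 @@` hunk), the new combined `except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)` also changes the error for a user who simply is not a member from UserNotFound to RoleNotFound; that is upstream's choice, but clients matching on the error type will now see a different 404 body. Unlike the 2013.2 variant, which closes with `finally: conn.unbind_s()`, the 2013.1.4 variant shows no unbind after the try, so on that branch the LDAP connection obtained for this call appears to stay bound; this predates the patch and is not for this commit to fix, but it matters when backporting further fixes. The opening of the patched delete_user lies outside the hunk.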
diff --git a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch b/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
new file mode 100644
index 000000000000..3f9a640a08d9
--- /dev/null
+++ b/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
@@ -0,0 +1,74 @@
+From 4221b6020e6b0b42325d8904d7b8a22577a6acc0 Mon Sep 17 00:00:00 2001
+From: Brant Knudson <bknudson@us.ibm.com>
+Date: Mon, 21 Oct 2013 15:21:12 -0500
+Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment
+
+When using the LDAP assignment backend, attempting to remove a
+role assignment when the role hadn't been used before would
+actually add the role assignment and would not return a
+404 Not Found like the SQL backend.
+
+This change makes it so that when attempt to remove a role that
+wasn't assigned then 404 Not Found is returned.
+
+Closes-Bug: #1242855
+Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
+(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
+(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
+---
+ keystone/assignment/backends/ldap.py | 18 ++++--------------
+ keystone/tests/test_backend.py | 9 +++++++++
+ 2 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
+index 851f9ec..ecf4adb 100644
+--- a/keystone/assignment/backends/ldap.py
++++ b/keystone/assignment/backends/ldap.py
+@@ -426,20 +426,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn,
+ try:
+ conn.modify_s(role_dn, [(ldap.MOD_DELETE,
+ self.member_attribute, user_dn)])
+- except ldap.NO_SUCH_OBJECT:
+- if tenant_dn is None:
+- raise exception.RoleNotFound(role_id=role_id)
+- attrs = [('objectClass', [self.object_class]),
+- (self.member_attribute, [user_dn])]
+-
+- if self.use_dumb_member:
+- attrs[1][1].append(self.dumb_member)
+- try:
+- conn.add_s(role_dn, attrs)
+- except Exception as inst:
+- raise inst
+- except ldap.NO_SUCH_ATTRIBUTE:
+- raise exception.UserNotFound(user_id=user_id)
++ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
++ raise exception.RoleNotFound(message=_(
++ 'Cannot remove role that has not been granted, %s') %
++ role_id)
+ finally:
+ conn.unbind_s()
+
+diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
+index 7dd3477..e0e81ca 100644
+--- a/keystone/tests/test_backend.py
++++ b/keystone/tests/test_backend.py
+@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self):
+ self.tenant_bar['id'])
+ self.assertNotIn(self.user_two['id'], user_ids)
+
++ def test_remove_user_role_not_assigned(self):
++ # Expect failure if attempt to remove a role that was never assigned to
++ # the user.
++ self.assertRaises(exception.RoleNotFound,
++ self.identity_api.remove_role_from_user_and_project,
++ tenant_id=self.tenant_bar['id'],
++ user_id=self.user_two['id'],
++ role_id=self.role_other['id'])
++
+ def test_authenticate_bad_user(self):
+ self.assertRaises(AssertionError,
+ self.identity_api.authenticate,
+--
+1.8.4
+
diff --git a/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-1977.patch b/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-1977.patch
deleted file mode 100644
index 355d4a33edd2..000000000000
--- a/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-1977.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8 Mon Sep 17 00:00:00 2001
-From: Xuhan Peng <xuhanp@cn.ibm.com>
-Date: Fri, 12 Apr 2013 16:19:37 +0800
-Subject: [PATCH] Mark LDAP password and admin_token secret
-
-Add secret=True to LDAP password and admin_token
-of keystone configuration.
-
-Fix bug #1172195
-
-Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75
----
- keystone/common/config.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/keystone/common/config.py b/keystone/common/config.py
-index d7b6ff7..84ea83f 100644
---- a/keystone/common/config.py
-+++ b/keystone/common/config.py
-@@ -188,7 +188,7 @@ def configure():
- register_cli_str('pydev-debug-host', default=None)
- register_cli_int('pydev-debug-port', default=None)
-
-- register_str('admin_token', default='ADMIN')
-+ register_str('admin_token', secret=True, default='ADMIN')
- register_str('bind_host', default='0.0.0.0')
- register_int('compute_port', default=8774)
- register_int('admin_port', default=35357)
-@@ -286,7 +286,7 @@ def configure():
- # ldap
- register_str('url', group='ldap', default='ldap://localhost')
- register_str('user', group='ldap', default=None)
-- register_str('password', group='ldap', default=None)
-+ register_str('password', group='ldap', secret=True, default=None)
- register_str('suffix', group='ldap', default='cn=example,cn=com')
- register_bool('use_dumb_member', group='ldap', default=False)
- register_str('dumb_member', group='ldap', default='cn=dumb,dc=nonexistent')
---
-1.8.1.5
-
diff --git a/sys-auth/keystone/files/keystone.confd b/sys-auth/keystone/files/keystone.confd
index 7bc656505435..670ec22b3757 100644
--- a/sys-auth/keystone/files/keystone.confd
+++ b/sys-auth/keystone/files/keystone.confd
@@ -1,2 +1,3 @@
CONFIG_FILE=/etc/keystone/keystone.conf
+LOG_FILE=/var/log/keystone/keystone.log
PID_PATH=/var/run/keystone
diff --git a/sys-auth/keystone/files/keystone.initd b/sys-auth/keystone/files/keystone.initd
index c88d20b4f7db..f7c4acd01626 100644
--- a/sys-auth/keystone/files/keystone.initd
+++ b/sys-auth/keystone/files/keystone.initd
@@ -1,7 +1,7 @@
#!/sbin/runscript
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/files/keystone.initd,v 1.2 2013/08/13 16:36:17 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/files/keystone.initd,v 1.3 2013/11/18 03:24:30 prometheanfire Exp $
depend() {
need net
@@ -35,8 +35,7 @@ start() {
ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --quiet --make-pidfile --pidfile "${PID_PATH}/${SVCNAME}.pid" \
- --exec /usr/bin/${SVCNAME}-all --background -- --config-file=${CONFIG_FILE}
+ start-stop-daemon --start --quiet --make-pidfile --pidfile "${PID_PATH}/${SVCNAME}.pid" --exec /usr/bin/${SVCNAME}-all --background -- --config-file=${CONFIG_FILE} --log-file=${LOG_FILE}
eend $? "Failed to start ${SVCNAME}"
}
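Review bot: The new start-stop-daemon line passes `--log-file=${LOG_FILE}` unconditionally, so on a host whose existing /etc/conf.d/keystone predates this commit (conf.d files are config-protected, so the LOG_FILE line added to keystone.confd is not applied automatically) the daemon is launched with an empty `--log-file=`. Either default the variable before use, `: ${LOG_FILE:=/var/log/keystone/keystone.log}` ahead of `ebegin`, or make the option conditional with `${LOG_FILE:+--log-file=${LOG_FILE}}`. Nothing in the hunk creates /var/log/keystone, so if the ebuild does not install that directory the first start fails to open its log; a `checkpath -d "$(dirname "${LOG_FILE}")"` before starting would cover that. Rejoining the command onto one line also drops the `\` continuation the previous version used, which makes the line harder to read and to diff, so keep it split. The body of start() begins outside the hunk.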
diff --git a/sys-auth/keystone/files/keystone_test-requires.patch b/sys-auth/keystone/files/keystone_test-requires.patch
deleted file mode 100644
index 7af7c1d41c52..000000000000
--- a/sys-auth/keystone/files/keystone_test-requires.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -u tools.orig/test-requires tools/test-requires
---- tools.orig/test-requires 2012-09-25 20:27:12.000000000 -0400
-+++ tools/test-requires 2013-01-01 02:43:38.316340359 -0500
-@@ -2,7 +2,7 @@
- python-memcached
-
- # Optional backend: LDAP
--python-ldap==2.3.13 # authenticate against an existing LDAP server
-+python-ldap # authenticate against an existing LDAP server
-
- # Testing
- coverage # computes code coverage percentages
-@@ -12,15 +12,16 @@
- openstack.nose_plugin
- nosehtmloutput
- pylint # static code analysis
--pep8==1.3.3 # checks for PEP8 code style compliance
--Sphinx>=1.1.2 # required to build documentation
-+pep8 # checks for PEP8 code style compliance
-+Sphinx # required to build documentation
- unittest2 # backport of unittest lib in python 2.7
- webtest # test wsgi apps without starting an http server
--distribute>=0.6.24
-+distribute
-
- # for python-keystoneclient
- httplib2
--python-keystoneclient>=0.1,<0.2
-+#python-keystoneclient>=0.1,<0.2
-+python-keystoneclient
-
- # swift_auth test dependencies
- http://tarballs.openstack.org/swift/swift-master.tar.gz#egg=swift