author | Matthew Thode <prometheanfire@gentoo.org> | 2013-12-13 16:53:02 +0000 |
committer | Matthew Thode <prometheanfire@gentoo.org> | 2013-12-13 16:53:02 +0000 |
commit | 0389554dad187a3e0ab2260e6b22e232d31040cb (patch) | |
tree | 52d83e5efbf4b2e9caecdc11043310acc2c107fa /sys-auth/keystone | |
parent | Cleanup old versions (diff) | |
fix for CVE-2013-6391
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 8 | ||||
-rw-r--r-- | sys-auth/keystone/files/cve-2013-6391_2013.2.patch | 153 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.2-r2.ebuild | 107 |
3 files changed, 267 insertions, 1 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 7f52f59f6439..440df584e3f7 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.48 2013/11/28 04:51:37 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.49 2013/12/13 16:53:02 prometheanfire Exp $
+
+*keystone-2013.2-r2 (13 Dec 2013)
+
+ 13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/cve-2013-6391_2013.2.patch, +keystone-2013.2-r2.ebuild:
+ fix for CVE-2013-6391
 
 28 Nov 2013; Ian Delaney <idella4@gentoo.org> keystone-2013.2-r1.ebuild,
 keystone-2013.2.9999.ebuild, keystone-9999.ebuild:
diff --git a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
new file mode 100644
index 000000000000..52d13c4b0e51
--- /dev/null
+++ b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
@@ -0,0 +1,153 @@ +From 2756f2ff0c49b25e17b4f833610bd5c4f16309bd Mon Sep 17 00:00:00 2001 +From: Steven Hardy <shardy@redhat.com> +Date: Mon, 21 Oct 2013 19:49:01 +0100 +Subject: [PATCH] Fix issues handling trust tokens via ec2tokens API + +Trust scoped tokens are handled incorectly when making requests +via the ec2tokens API, meaning that the restrictions enforced +by trust-scoped tokens are not respected when obtaining a token +via ec2token signature validation. + +Storing the trust_id in the blob associated with the ec2 keypair, +and passing that id in the metadata when requesting a v2 token +solves the issue. + +Change-Id: I52566384d7813ef0e2f20fb94a5076386457ff02 +Closes-Bug: #1242597 +--- + keystone/contrib/ec2/controllers.py | 19 ++++++++++-- + keystone/tests/test_keystoneclient_sql.py | 50 ++++++++++++++++++++++++++++--- + 2 files changed, 63 insertions(+), 6 deletions(-) + +diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py +index 94b7430..262cbe5 100644 +--- a/keystone/contrib/ec2/controllers.py ++++ b/keystone/contrib/ec2/controllers.py +@@ -106,6 +106,11 @@ class Ec2Controller(controller.V2Controller): + self.identity_api.get_roles_for_user_and_project( + user_ref['id'], tenant_ref['id'])) + ++ trust_id = creds_ref.get('trust_id') ++ if trust_id: ++ metadata_ref['trust_id'] = trust_id ++ metadata_ref['trustee_user_id'] = user_ref['id'] ++ + # Validate that the auth info is valid and nothing is disabled + token.validate_auth_info(self, user_ref, tenant_ref) + +@@ -146,8 +151,10 @@ class Ec2Controller(controller.V2Controller): + + self._assert_valid_user_id(user_id) + self._assert_valid_project_id(tenant_id) ++ trust_id = self._context_trust_id(context) + blob = {'access': uuid.uuid4().hex, +- 'secret': uuid.uuid4().hex} ++ 'secret': uuid.uuid4().hex, ++ 'trust_id': trust_id} + credential_id = utils.hash_access_key(blob['access']) + cred_ref = {'user_id': user_id, + 'project_id': tenant_id, +@@ -213,7 +220,8 @@ class 
Ec2Controller(controller.V2Controller): + return {'user_id': credential.get('user_id'), + 'tenant_id': credential.get('project_id'), + 'access': blob.get('access'), +- 'secret': blob.get('secret')} ++ 'secret': blob.get('secret'), ++ 'trust_id': blob.get('trust_id')} + + def _get_credentials(self, credential_id): + """Return credentials from an ID. +@@ -244,6 +252,13 @@ class Ec2Controller(controller.V2Controller): + if token_ref['user'].get('id') != user_id: + raise exception.Forbidden(_('Token belongs to another user')) + ++ def _context_trust_id(self, context): ++ try: ++ token_ref = self.token_api.get_token(context['token_id']) ++ except exception.TokenNotFound as e: ++ raise exception.Unauthorized(e) ++ return token_ref.get('trust_id') ++ + def _is_admin(self, context): + """Wrap admin assertion error return statement. + +diff --git a/keystone/tests/test_keystoneclient_sql.py b/keystone/tests/test_keystoneclient_sql.py +index 5ddc33e..bd83803 100644 +--- a/keystone/tests/test_keystoneclient_sql.py ++++ b/keystone/tests/test_keystoneclient_sql.py +@@ -88,9 +88,11 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base): + self.assertRaises(client_exceptions.NotFound, client.endpoints.delete, + id=endpoint.id) + +- def _send_ec2_auth_request(self, credentials): ++ def _send_ec2_auth_request(self, credentials, client=None): ++ if not client: ++ client = self.default_client + url = '%s/ec2tokens' % self.default_client.auth_url +- (resp, token) = self.default_client.request( ++ (resp, token) = client.request( + url=url, method='POST', + body={'credentials': credentials}) + return resp, token +@@ -99,9 +101,12 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base): + cred = self. 
default_client.ec2.create( + user_id=self.user_foo['id'], + tenant_id=self.tenant_bar['id']) +- signer = ec2_utils.Ec2Signer(cred.secret) ++ return self._generate_user_ec2_credentials(cred.access, cred.secret) ++ ++ def _generate_user_ec2_credentials(self, access, secret): ++ signer = ec2_utils.Ec2Signer(secret) + credentials = {'params': {'SignatureVersion': '2'}, +- 'access': cred.access, ++ 'access': access, + 'verb': 'GET', + 'host': 'localhost', + 'path': '/service/cloud'} +@@ -115,6 +120,43 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base): + self.assertEqual(resp.status_code, 200) + self.assertIn('access', token) + ++ def test_ec2_auth_success_trust(self): ++ # Add "other" role user_foo and create trust delegating it to user_two ++ self.identity_api.add_role_to_user_and_project( ++ self.user_foo['id'], ++ self.tenant_bar['id'], ++ self.role_other['id']) ++ trust_id = 'atrust123' ++ trust = {'trustor_user_id': self.user_foo['id'], ++ 'trustee_user_id': self.user_two['id'], ++ 'project_id': self.tenant_bar['id'], ++ 'impersonation': True} ++ roles = [self.role_other] ++ self.trust_api.create_trust(trust_id, trust, roles) ++ ++ # Create a client for user_two, scoped to the trust ++ client = self.get_client(self.user_two) ++ ret = client.authenticate(trust_id=trust_id, ++ tenant_id=self.tenant_bar['id']) ++ self.assertTrue(ret) ++ self.assertTrue(client.auth_ref.trust_scoped) ++ self.assertEqual(trust_id, client.auth_ref.trust_id) ++ ++ # Create an ec2 keypair using the trust client impersonating user_foo ++ cred = client.ec2.create(user_id=self.user_foo['id'], ++ tenant_id=self.tenant_bar['id']) ++ credentials, signature = self._generate_user_ec2_credentials( ++ cred.access, cred.secret) ++ credentials['signature'] = signature ++ resp, token = self._send_ec2_auth_request(credentials) ++ self.assertEqual(resp.status_code, 200) ++ self.assertEqual(trust_id, token['access']['trust']['id']) ++ #TODO(shardy) we really want to check the 
roles and trustee ++ # but because of where the stubbing happens we don't seem to ++ # hit the necessary code in controllers.py _authenticate_token ++ # so although all is OK via a real request, it incorrect in ++ # this test.. ++ + def test_ec2_auth_failure(self): + from keystoneclient import exceptions as client_exceptions + +-- +1.8.3.1 + diff --git a/sys-auth/keystone/keystone-2013.2-r2.ebuild b/sys-auth/keystone/keystone-2013.2-r2.ebuild new file mode 100644 index 000000000000..e3de7b4a2775 --- /dev/null +++ b/sys-auth/keystone/keystone-2013.2-r2.ebuild 
@@ -0,0 +1,107 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2-r2.ebuild,v 1.1 2013/12/13 16:53:02 prometheanfire Exp $ + +EAPI=5 + +PYTHON_COMPAT=( python2_7 ) + +inherit distutils-r1 + +DESCRIPTION="Keystone is the Openstack authentication, authorization, and +service catalog written in Python." +HOMEPAGE="https://launchpad.net/keystone" +SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="grizzly" +KEYWORDS="~amd64 ~x86" +IUSE="+sqlite mysql postgres ldap test" +REQUIRED_USE="|| ( mysql postgres sqlite )" + +#todo, seperate out rdepend via use flags +DEPEND="dev-python/setuptools[${PYTHON_USEDEP}] + test? ( dev-python/Babel + dev-python/decorator + dev-python/eventlet + dev-python/greenlet + dev-python/httplib2 + dev-python/iso8601 + dev-python/lxml + dev-python/netifaces + dev-python/nose + dev-python/nosexcover + dev-python/passlib + dev-python/paste + dev-python/pastedeploy + dev-python/python-pam + dev-python/repoze-lru + dev-python/routes + dev-python/sphinx + >=dev-python/sqlalchemy-migrate-0.7 + dev-python/tempita + >=dev-python/webob-1.0.8 + dev-python/webtest + dev-python/python-memcached ) + >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}] + <dev-python/pbr-1.0[${PYTHON_USEDEP}]" +RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}] + >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] + <dev-python/webob-1.3[${PYTHON_USEDEP}] + >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}] + >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}] + dev-python/netaddr[${PYTHON_USEDEP}] + >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}] + dev-python/paste[${PYTHON_USEDEP}] + >=dev-python/routes-1.12.3[${PYTHON_USEDEP}] + sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] ) + mysql? 
( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] ) + postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] ) + >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}] + dev-python/passlib[${PYTHON_USEDEP}] + >=dev-python/lxml-2.3[${PYTHON_USEDEP}] + >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}] + >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}] + >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}] + >=dev-python/Babel-0.9.6[${PYTHON_USEDEP}] + dev-python/oauth2[${PYTHON_USEDEP}] + >=dev-python/dogpile-cache-0.5.0[${PYTHON_USEDEP}] + dev-python/python-daemon[${PYTHON_USEDEP}] + virtual/python-argparse[${PYTHON_USEDEP}] + ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] ) + >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}] + <dev-python/pbr-1.0[${PYTHON_USEDEP}]" + +PATCHES=( + "${FILESDIR}/2013.2-CVE-2013-4477.patch" + "${FILESDIR}/cve-2013-6391_2013.2.patch" +) + +python_prepare_all() { + mkdir ${PN}/tests/tmp || die + cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die + distutils-r1_python_prepare_all +} + +python_test() { + # Ignore (naughty) test_.py files & 1 test that connect to the network + nosetests -I 'test_keystoneclient*' \ + -e test_import || die "testsuite failed under python2.7" +} + +python_install() { + distutils-r1_python_install + newconfd "${FILESDIR}/keystone.confd" keystone + newinitd "${FILESDIR}/keystone.initd" keystone + + diropts -m 0750 + dodir /var/run/keystone /var/log/keystone /etc/keystone + keepdir /etc/keystone + insinto /etc/keystone + doins etc/keystone.conf.sample etc/logging.conf.sample + doins etc/default_catalog.templates etc/policy.json + doins etc/policy.v3cloudsample.json etc/keystone-paste.ini +} |
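Review bot: `python_test` invokes nosetests with `-I 'test_keystoneclient*'`, which excludes `keystone/tests/test_keystoneclient_sql.py` — the very file into which the newly added `cve-2013-6391_2013.2.patch` inserts `test_ec2_auth_success_trust` — so the regression test for the fix this revision exists for never runs under `src_test`. The comment on that line only explains the exclusion by network access; it should also record the gap, e.g. `# test_keystoneclient_sql.py (excluded here) carries the regression test for cve-2013-6391_2013.2.patch`, so whoever next touches the patch set knows the CVE fix is unverified at build time. Separately, `SLOT="grizzly"` sits next to a `SRC_URI` that fetches from the havana series; this looks carried over from the -r1 ebuild, but the slot name no longer matches the release being packaged. A minor style point: `${PN}` is unquoted in the `mkdir` and `cp` lines of `python_prepare_all` while the rest of the ebuild quotes its variable expansions.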