diff options
| author |   Matthew Thode <prometheanfire@gentoo.org> | 2014-04-06 06:01:38 +0000 |
|---|---|---|
| committer | Matthew Thode <prometheanfire@gentoo.org> | 2014-04-06 06:01:38 +0000 |
| commit | 513c83f6ec64b505eda6d3218d553ccb7e8a046a (patch) | |
| tree | f79b7ba752b7baad0b9bb99930356e3e568ace04 /sys-auth | |
| parent | more security (diff) | |
| download | gentoo-2-513c83f6ec64b505eda6d3218d553ccb7e8a046a.tar.gz gentoo-2-513c83f6ec64b505eda6d3218d553ccb7e8a046a.tar.bz2 gentoo-2-513c83f6ec64b505eda6d3218d553ccb7e8a046a.zip | |
update to 2013.2.3
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth')
| -rw-r--r-- | sys-auth/keystone/ChangeLog | 9 | ||||
| -rw-r--r-- | sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch | 183 | ||||
| -rw-r--r-- | sys-auth/keystone/keystone-2013.2.3.ebuild (renamed from sys-auth/keystone/keystone-2013.2.2-r1.ebuild) | 3 |
3 files changed, 9 insertions, 186 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog index c80e8339e4d8..20c6e3844dbc 100644 --- a/sys-auth/keystone/ChangeLog +++ b/sys-auth/keystone/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-auth/keystone # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.63 2014/04/06 05:32:54 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.64 2014/04/06 06:01:38 prometheanfire Exp $ + +*keystone-2013.2.3 (06 Apr 2014) + + 06 Apr 2014; Matthew Thode <prometheanfire@gentoo.org> + +keystone-2013.2.3.ebuild, -files/2013.2.2-CVE-2014-2237.patch, + -keystone-2013.2.2-r1.ebuild: + update to 2013.2.3 06 Apr 2014; Matthew Thode <prometheanfire@gentoo.org> -keystone-2013.1.5.ebuild, -keystone-2013.1.9999.ebuild, diff --git a/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch b/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch deleted file mode 100644 index a19d9440258f..000000000000 --- a/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch +++ /dev/null @@ -1,183 +0,0 @@ -From b6f0e26da0e2ab0892a5658da281a065e668637b Mon Sep 17 00:00:00 2001 -From: Morgan Fainberg <m@metacloud.com> -Date: Fri, 21 Feb 2014 21:33:25 +0000 -Subject: Ensure tokens are added to both Trustor and Trustee indexes - -Tokens are now added to both the Trustor and Trustee user-token-index -so that bulk token revocations (e.g. password change) of the trustee -will work as expected. This is a backport of the basic code that was -used in the Icehouse-vintage Dogpile Token KVS backend that resolves -this issue by merging the handling of memcache and KVS backends into -the same logic. - -Change-Id: I3e19e4a8fc1e11cef6db51d364e80061e97befa7 -Closes-Bug: #1260080 ---- -diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py -index e0e81ca..1e926c8 100644 ---- a/keystone/tests/test_backend.py -+++ b/keystone/tests/test_backend.py -@@ -25,6 +25,7 @@ from keystone import exception - from keystone.openstack.common import timeutils - from keystone import tests - from keystone.tests import default_fixtures -+from keystone.token import provider - - - CONF = config.CONF -@@ -2645,7 +2646,8 @@ class TokenTests(object): - self.token_api.delete_token, token_id) - - def create_token_sample_data(self, tenant_id=None, trust_id=None, -- user_id="testuserid"): -+ user_id='testuserid', -+ trustee_user_id='testuserid2'): - token_id = self._create_token_id() - data = {'id': token_id, 'a': 'b', - 'user': {'id': user_id}} -@@ -2655,6 +2657,15 @@ class TokenTests(object): - data['tenant'] = None - if trust_id is not None: - data['trust_id'] = trust_id -+ data.setdefault('access', {}).setdefault('trust', {}) -+ # Testuserid2 is used here since a trustee will be different in -+ # the cases of impersonation and therefore should not match the -+ # token's user_id. -+ data['access']['trust']['trustee_user_id'] = trustee_user_id -+ data['token_version'] = provider.V2 -+ # Issue token stores a copy of all token data at token['token_data']. -+ # This emulates that assumption as part of the test. -+ data['token_data'] = copy.deepcopy(data) - new_token = self.token_api.create_token(token_id, data) - return new_token['id'] - -@@ -2907,6 +2918,39 @@ class TokenTests(object): - for t in self.token_api.list_revoked_tokens(): - self.assertIn('expires', t) - -+ def test_token_in_trustee_and_trustor_token_list(self): -+ self.opt_in_group('trust', -+ enabled=True) -+ trustor = self.user_foo -+ trustee = self.user_two -+ trust_id = uuid.uuid4().hex -+ trust_info = {'trustor_user_id': trustor['id'], -+ 'trustee_user_id': trustee['id'], -+ 'project_id': self.tenant_bar['id'], -+ 'expires_at': timeutils. -+ parse_isotime('2031-02-18T18:10:00Z'), -+ 'impersonation': True} -+ self.trust_api.create_trust(trust_id, trust_info, -+ roles=[{'id': 'member'}, -+ {'id': 'other'}, -+ {'id': 'browser'}]) -+ -+ token_id = self.create_token_sample_data( -+ tenant_id=self.tenant_bar['id'], -+ trust_id=trust_id, -+ user_id=trustor['id'], -+ trustee_user_id=trustee['id']) -+ -+ # Ensure the token id exists in both the trustor and trustee token -+ # lists -+ -+ self.assertIn(token_id, -+ self.token_api.list_tokens(self.user_two['id'], -+ trust_id=trust_id)) -+ self.assertIn(token_id, -+ self.token_api.list_tokens(self.user_foo['id'], -+ trust_id=trust_id)) -+ - - class TokenCacheInvalidation(object): - def _create_test_data(self): -diff --git a/keystone/tests/test_backend_kvs.py b/keystone/tests/test_backend_kvs.py -index ac9df71..a23882c 100644 ---- a/keystone/tests/test_backend_kvs.py -+++ b/keystone/tests/test_backend_kvs.py -@@ -70,6 +70,7 @@ class KvsToken(tests.TestCase, test_backend.TokenTests): - identity.CONF.identity.driver = ( - 'keystone.identity.backends.kvs.Identity') - self.load_backends() -+ self.load_fixtures(default_fixtures) - - - class KvsTrust(tests.TestCase, test_backend.TrustTests): -diff --git a/keystone/tests/test_backend_memcache.py b/keystone/tests/test_backend_memcache.py -index 964d5b4..c99a6a3 100644 ---- a/keystone/tests/test_backend_memcache.py -+++ b/keystone/tests/test_backend_memcache.py -@@ -26,6 +26,7 @@ from keystone import exception - from keystone.openstack.common import jsonutils - from keystone.openstack.common import timeutils - from keystone import tests -+from keystone.tests import default_fixtures - from keystone.tests import test_backend - from keystone.tests import test_utils - from keystone import token -@@ -115,6 +116,7 @@ class MemcacheToken(tests.TestCase, test_backend.TokenTests): - def setUp(self): - super(MemcacheToken, self).setUp() - self.load_backends() -+ self.load_fixtures(default_fixtures) - fake_client = MemcacheClient() - self.token_man = token.Manager() - self.token_man.driver = token_memcache.Token(client=fake_client) -diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py -index b3f991a..c0d6e36 100644 ---- a/keystone/token/backends/kvs.py -+++ b/keystone/token/backends/kvs.py -@@ -150,5 +150,7 @@ class Token(kvs.Base, token.Driver): - def flush_expired_tokens(self): - now = timeutils.utcnow() - for token, token_ref in self.db.items(): -+ if not token.startswith('revoked-token-'): -+ continue - if self.is_expired(now, token_ref): - self.db.delete(token) -diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py -index a6fe826..08c1c40 100644 ---- a/keystone/token/backends/memcache.py -+++ b/keystone/token/backends/memcache.py -@@ -83,12 +83,33 @@ class Token(token.Driver): - expires_ts = utils.unixtime(data_copy['expires']) - kwargs['time'] = expires_ts - self.client.set(ptk, data_copy, **kwargs) -- if 'id' in data['user']: -- user_id = data['user']['id'] -- user_key = self._prefix_user_id(user_id) -- # Append the new token_id to the token-index-list stored in the -- # user-key within memcache. -- self._update_user_list_with_cas(user_key, token_id, data_copy) -+ user_id = data['user']['id'] -+ user_key = self._prefix_user_id(user_id) -+ # Append the new token_id to the token-index-list stored in the -+ # user-key within memcache. -+ self._update_user_list_with_cas(user_key, token_id, data_copy) -+ if CONF.trust.enabled and data.get('trust_id'): -+ # NOTE(morganfainberg): If trusts are enabled and this is a trust -+ # scoped token, we add the token to the trustee list as well. This -+ # allows password changes of the trustee to also expire the token. -+ # There is no harm in placing the token in multiple lists, as -+ # _list_tokens is smart enough to handle almost any case of -+ # valid/invalid/expired for a given token. -+ token_data = data_copy['token_data'] -+ if data_copy['token_version'] == token.provider.V2: -+ trustee_user_id = token_data['access']['trust'][ -+ 'trustee_user_id'] -+ elif data_copy['token_version'] == token.provider.V3: -+ trustee_user_id = token_data['OS-TRUST:trust'][ -+ 'trustee_user_id'] -+ else: -+ raise token.provider.UnsupportedTokenVersionException( -+ _('Unknown token version %s') % -+ data_copy.get('token_version')) -+ -+ trustee_key = self._prefix_user_id(trustee_user_id) -+ self._update_user_list_with_cas(trustee_key, token_id, data_copy) -+ - return copy.deepcopy(data_copy) - - def _convert_user_index_from_json(self, token_list, user_key): --- -cgit v0.9.2 diff --git a/sys-auth/keystone/keystone-2013.2.2-r1.ebuild b/sys-auth/keystone/keystone-2013.2.3.ebuild index ab74a474bf9d..f2f23f5f790f 100644 --- a/sys-auth/keystone/keystone-2013.2.2-r1.ebuild +++ b/sys-auth/keystone/keystone-2013.2.3.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.2-r1.ebuild,v 1.1 2014/03/16 19:54:35 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.3.ebuild,v 1.1 2014/04/06 06:01:38 prometheanfire Exp $ EAPI=5 @@ -73,7 +73,6 @@ DEPEND="dev-python/setuptools[${PYTHON_USEDEP}] <dev-python/pbr-1.0[${PYTHON_USEDEP}]" PATCHES=( - "${FILESDIR}/2013.2.2-CVE-2014-2237.patch" ) pkg_setup() { |