authorMatt Thode <prometheanfire@gentoo.org>2014-03-16 19:54:44 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-03-16 19:54:44 +0000
commit3fb354318ceaf97f4d1b8e454c69d3403d6b4f34 (patch)
treef0ea8e8434bdaaa0e302dddb219931fd6120d436 /sys-auth/keystone
parentRemove deprecated 10.0 profiles (diff)
fix for bug 503446 CVE-2014-2237
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog10
-rw-r--r--sys-auth/keystone/Manifest22
-rw-r--r--sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch166
-rw-r--r--sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch183
-rw-r--r--sys-auth/keystone/keystone-2013.1.4-r3.ebuild90
-rw-r--r--sys-auth/keystone/keystone-2013.2.2-r1.ebuild128
6 files changed, 594 insertions, 5 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index e498a750e8fb..aee5bc08fe82 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.60 2014/02/24 03:03:27 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.61 2014/03/16 19:54:35 prometheanfire Exp $
+
+*keystone-2013.2.2-r1 (16 Mar 2014)
+*keystone-2013.1.4-r3 (16 Mar 2014)
+
+ 16 Mar 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2013.1.4-CVE-2014-2237.patch, +files/2013.2.2-CVE-2014-2237.patch,
+ +keystone-2013.1.4-r3.ebuild, +keystone-2013.2.2-r1.ebuild:
+ fix for bug 503446 CVE-2014-2237
24 Feb 2014; Ian Delaney <idella4@gentoo.org> -keystone-2013.2.1-r1.ebuild:
rm old 2013.2.1 by request of maintainer
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index 0e942ba3b68a..76b9cd9a9eb5 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -3,6 +3,8 @@ Hash: SHA256
AUX 2012.2.4-CVE-2013-4222.patch 4815 SHA256 3a5018cf7788fb0498ac50cb022d4ecf7803fa8e311b8c48114495fcc9604a9a SHA512 cc6d8bd63d183ca49c21c4d5dc0fa08ff87a77695dadc444306a45abb3e060e2814c303f6ba3c004adb33b8981f4c1f4c17e11ea4c241f626106d870ca952246 WHIRLPOOL b0e411aba193bbc5c5a45441c1a52680ddd006426f3aa2030840131b905d8c87beb880ad77b1a612c3a7c77853583c7de642b47533876ff709b01fe93ee80a18
AUX 2013.1.4-CVE-2013-4477.patch 3344 SHA256 6b4ff925ec1451eefb869ed85911f23fd90220f9394c482ee133feddd10eae32 SHA512 8a8a610603f05a27b2986637f9822389ef61e92c02d1837f13f30e56ce90de3733a2f8c5517179bbd3d1e4b0c69e8307262bbfba3fbd088b526c3c909d9d0a11 WHIRLPOOL 3e11c0ccd401ffedfc9549255e2843f3a9e0807bd37bb292adbe6e6a0beb736465ca126aff2022ea5d19fab59836aa51106d26d5e998b870a61cc42cd2378537
+AUX 2013.1.4-CVE-2014-2237.patch 7137 SHA256 08b454c4fe9fe9adb5eb02dc75744f0efaee75187bf5ce556fe13027cd5f0a73 SHA512 3a1f753b247bf0714a5891a32c08b3109c0b273595be6f1dc1be12ad5e5db09870bbbaeb300a4e233ded23132d841a8e3135a1e459b79ec5ce9a56cf7156de42 WHIRLPOOL f6608e7005ba913d663652063dac0bb4d93f080ce43c2b0ce4dd9c8ed22567e81188870fef573b558fcab822747489c50c222d37d4784fe8b3d8deba1c226d33
+AUX 2013.2.2-CVE-2014-2237.patch 8412 SHA256 4039b420f5f8225b6a916a87b0c3cf068c2f25afd782705a2d803b2935d5be63 SHA512 75c947d631941a4a4faadfdf8cf3ddd8b7e443485a561321999fcf73b24c8c9c4994e9e4ebf4463b57b25401948cb99096fbefdbe3b22c181473053636771b2e WHIRLPOOL 96afe8f9b3365863978507f7018a9df70d956c20c15c2e6cbf5fdfbd4cae20685ddaf7a7a99e5d93b083603ca3da7d0c7b543dfc0ebb49645b463be01c67c6cc
AUX keystone-cve-2013-4294-folsom.patch 5662 SHA256 69b07e87cf021b21168fe40fedd2dabd492991e0b4192f86fad378e24ef0429c SHA512 502cca91cfd71bd43f1a0dd0ada718cc9020071e41b13abd7310de175a794453bdb529e1ffb641e60e199fef9a2226aa44395f32eb3b0af8dc0b56dbf739b307 WHIRLPOOL 58f95de485b6351f78a680a65531bee8bcc2d725329aefa21116443a8a5ad6759a32d0ff39aa97a5226fa32fdcf0ac689bab1e7730207677334d1559f8c8d790
AUX keystone-grizzly-2-CVE-2013-2157.patch 3371 SHA256 7f4e10e1c559dc8f3ece1a42115f17dc069d86140b4e4ecd6309eae5b787d341 SHA512 a9245c718548da6cd60b29e7cf6c0bd61b18a94cead8200b74d657342b5ef68ad4b4a0e1104121eb32359f960f96ad3840fec285a1d72b26b9729845ae4a8ac7 WHIRLPOOL a8494a2d6f4b5151780e6bcd1a21c409ca8921a4907aca529b72473745fd895c75dfcf926889a1a00f6d3d7446d849e44ce88c25dcfbdd74fdf96421ff78f1eb
AUX keystone.confd 124 SHA256 50daa09c5922190a6663e36a32e9b6e5c512672e5be776fcc9b0805da40b6e8d SHA512 1cf50ddcd55421481f8b34f91f35787299b2f9044bcc0a63c70ffff372d740cb84c399d31e52d708fdacad3455d77867d02b438ec2fb39b35ac2e106a2c9e0ad WHIRLPOOL e6c2b76131846cd0ce86e8d766d3f5bbd0d8cd0643de9100d7946afa44c3f13500719feca3ee4ea49644f6881fa34bdc17c08d65a001841ae8f40fc820d334fc
@@ -11,16 +13,28 @@ AUX no_admin_token_auth-paste.ini 2646 SHA256 f98d9151f222d2143820bdc98727ce0cf3
DIST keystone-2013.1.4.tar.gz 799682 SHA256 3673f5d7c1c19fca7529934308e2d9a6efa55bf7d100d20de1aa85e431d259b2 SHA512 7b1d9d9ae0fc6b1cadef8eb0d85f6a71fcfab754f8908076d38b14c14c3eb46d2d3c6266ec7482a60d7ae8cf54d54ba604c4d903dde65ec1243f862423060c14 WHIRLPOOL dea8adbb504ee9e3cda416f6e5a12cb0e606b88db7c0fe9b83fb8487e6f18e313e7d53041fcdaab408ae4201e355b72324cf35585b113c8769f51daf1c3f4ea4
DIST keystone-2013.2.2.tar.gz 1086908 SHA256 0fa6c3707d856062b27cc2563fd5af2fa43f08fabce563cfb6dde1ec9029d6b6 SHA512 265b8c90a0bada1a760aca3aa273b63e6dbe0618c7315baee7f37c12caab59f8a2c9736417b53fdfe675237436c82dbe8db41ec306fbb849ddf0c23565fbc2c9 WHIRLPOOL 2c26c72bd02d99f99e1147d696f9f32227641e876e9273072e4f41531d4dee8a554bf74aec5855161410dfcfd5275315a9fca9f4c000ae03dbda5f58c2c708ff
EBUILD keystone-2013.1.4-r2.ebuild 3108 SHA256 93b1fbb3dd9a55f2bbc1652b3255b6f6394ca3575de91878728e83fb0f28f7b5 SHA512 fcbd32999d5c12ac2ba87d8f9fdde8ee3eb5ef190689adb6a7ae05c77bdcbe9766d938e1f4d014bbefb95cd6196112395fd1e4f6a020989cc38534eecf62bb12 WHIRLPOOL 7b4e6c4d1cd0211850ec7db56355091f2d5832a03482d1df12db11f8dc5e6d5e32186a8d4ebe6dfd05a3604dc1fa3542a75776427ca6f5fea563d5069f26bda6
+EBUILD keystone-2013.1.4-r3.ebuild 3152 SHA256 9cc75567c81661312a4f5457413942c1473e6a5b0618a45b9f37aa7b64571a83 SHA512 ddd4d1c2303ca0204ee14289c57af787a3a5718ef8eb29bad37b68e13485f3a46964adc87c58c3e8b2ebf0afb98a0f41bd0a0ee4e358ee1b96876b66979ce190 WHIRLPOOL 6ff7857acc7a7e3a9b75f8564d85d9aa2c263b8b996205a5ef252841018f56ac86c14264b350c351314e498c11117a094edec7231c06e0473980b7a444a92138
EBUILD keystone-2013.1.9999.ebuild 3057 SHA256 a514c974621787ae1625561ef62fb60082f12a14d78aaa747c0151752bcb9af8 SHA512 68a02f884659c3762a2330f4388a586a454ddf8fcc19ac5f454a69167c7080c9977b27d7e085ea36eccb52d02dd1e6e4b5b5dac51b178754202bac64f68ccdf0 WHIRLPOOL 191b24cc36e53d28c3bddd1387bb319cb492a59deaf62e1dd1c1c4aa9133804bad969f176e7dab683a0728ceae7b9e948391df875abee6c85a46ceda04bc8b34
+EBUILD keystone-2013.2.2-r1.ebuild 4764 SHA256 1c34183d989b9ad7929d4e48b06c8d0360382ae3ff846885275d68dca614a0c1 SHA512 e549bcce7d3cad014afd60900a2e1ba95e210928d4f686c6d0dcb3de4cf124a2c0cf196d988377cabb8d4db9be04c8116f2a4d03bf928700414c04ca3fbbcb78 WHIRLPOOL 63fd1b255a70e65744f3ed108da9600350eeb5dc695ac6f52f893c8e16b14d682d2890cd66caab3edf4a0042302e10c40a973d83c563268479298e063332520b
EBUILD keystone-2013.2.2.ebuild 4716 SHA256 aa292f256b9a87f48176c7a770ff7027171b08584235c7c240f4474d92c2aa2d SHA512 7a5dbd2f93680555a70f2c772a1e8851a93824c3920051413e26bb665173319e2059f4f3237adf744716ae6cf44a6a1418a222d98840f73936444ef34904305c WHIRLPOOL 7b57ed976dced8291d3e29aee27c81a0d62321bfdbe6005266521ca92a32f045b3acb860c4869386e50c0a705d1cd5b84bcafa23ae064dfc8a37ebf275a7ef3b
EBUILD keystone-2013.2.9999.ebuild 4395 SHA256 5dbdee3a80720d89d6b9eb44801fd0bbca01aa77bd1005a5f05e6936792612e7 SHA512 6412b32640a29783ff8bb71b6e86243128b6fb4f49ddde187eff5468ed6e22154ee1645e8694c43c0b342e27a9a7c64cf89ff54bcd7a0e6d62f5a19954e0e274 WHIRLPOOL 30eb74991df263cd0afc8e84311bb008469a16afa8c248e00eda9c78a5cb9fe46d679b7cc3c7528157f0590b18ec6db25fe0187db41f3748e3dfa4d39919bdca
EBUILD keystone-9999.ebuild 4381 SHA256 3e9891ca3f756591b3c7f68f0fb8e287c3eaf43ba3ab12cc5b92ed48d9915e9e SHA512 e8ca3d0568fbcbd5b567e6a25d851e4f19749735596261b448d2ed64e7035f586db5d3d5fbfa8b7ec58bf6656e2b958bd4b16db49814838d7d3739953a1ba260 WHIRLPOOL a9bb8b8b5566a9ab8889e4d3d7e20afba8ec31578da583ce6e2852ce6536de064f4ffcf2ec4cf60288d82ce95e0963d218d8b596f9d55a3c119e9066cab8c7e2
-MISC ChangeLog 13032 SHA256 1f1b4927232e461cc787054fedeb403a117c2e067c679814fb4e3ba89c0c7a13 SHA512 c18bec0fdc22091c7e7947427e158c839b1f2786aacde39903f5e62ab79e09b87f9a03197acef87a371726d96f71305b7d7993373f1e195f8068550183e88de2 WHIRLPOOL 6d395be6dc5c4de5de2b6233f11378d58c294489392e32f5be54bc08f704c3422465236a342d92eb98f1c6f0f6e25edc6822a98158417e4d9ee38f2f28660efb
+MISC ChangeLog 13343 SHA256 195884bc4c48fc170e3e6ca35ee56ae27c182ffbe9e139975342e922b0ebde13 SHA512 f05841367a315e61e33fb2ff2436b1207f2daa489b6db44ebb786d85150e6134cdbaccb674dc17f69300f366e6876ecaca1a1416a64ef5c412939738d3d3ae65 WHIRLPOOL a259791b66f8da73e59354bc59b369bf368c6f8d3ef78506f18f21ffdde42db317762d8ca8f72961557535f2e86695c8b129868db81be58a4489510992a7ba69
MISC metadata.xml 424 SHA256 c89c0232e90df5d811d17941c1594e4c4c45db48c2b6240a3c62b232caad4e84 SHA512 9d7fcca89a6f35a93f1a57790103249cdc25424cbdb374bf26b691e81b27182dc3380a8ff67b77e7aabf4ce944e4a813d619838d4bc97086b4208e5312d76f11 WHIRLPOOL 4ec9d4c5ff5c484c341b06fe77fcac8e6fdd0e0b651dbd58b6f2d5aecd05db5bf70218b94733eb749ced7436f9df5ba5c93496bae06c0ff9a62b91ecb53ab77a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iEYEAREIAAYFAlMKtP0ACgkQso7CE7gHKw2USACcCBskpF3bthTXmkr2tfQLXi4u
-qX0An37fwrJFQFprPs61aIwCGYfdB587
-=gf3G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+=j1GT
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch b/sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch
new file mode 100644
index 000000000000..36bbe2b43323
--- /dev/null
+++ b/sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch
@@ -0,0 +1,166 @@
+From a411c944af78c36f2fdb87d305ba452dc52d7ed3 Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 21 Feb 2014 22:09:04 +0000
+Subject: Ensure tokens are added to both Trustor and Trustee indexes
+
+Tokens are now added to both the Trustor and Trustee user-token-index
+so that bulk token revocations (e.g. password change) of the trustee
+will work as expected. This is a backport of the basic code that was
+used in the Icehouse-vintage Dogpile Token KVS backend that resolves
+this issue by merging the handling of memcache and KVS backends into
+the same logic.
+
+Change-Id: I3e19e4a8fc1e11cef6db51d364e80061e97befa7
+Closes-Bug: #1260080
+---
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index c2c9b51..dc5c34e 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -62,6 +62,15 @@ class Token(token.Driver):
+ return token_ref
+
+ def create_token(self, token_id, data):
++
++ def update_index(user_id, token_data):
++ user_key = self._prefix_user_id(user_id)
++ if not self.client.append(user_key, ',%s' % token_data):
++ if not self.client.add(user_key, token_data):
++ if not self.client.append(user_key, ',%s' % token_data):
++ msg = _('Unable to add token user list.')
++ raise exception.UnexpectedError(msg)
++
+ data_copy = copy.deepcopy(data)
+ ptk = self._prefix_token_id(token.unique_id(token_id))
+ if not data_copy.get('expires'):
+@@ -73,15 +82,19 @@ class Token(token.Driver):
+ expires_ts = utils.unixtime(data_copy['expires'])
+ kwargs['time'] = expires_ts
+ self.client.set(ptk, data_copy, **kwargs)
++ token_data = jsonutils.dumps(token_id)
+ if 'id' in data['user']:
+- token_data = jsonutils.dumps(token_id)
+ user_id = data['user']['id']
+- user_key = self._prefix_user_id(user_id)
+- if not self.client.append(user_key, ',%s' % token_data):
+- if not self.client.add(user_key, token_data):
+- if not self.client.append(user_key, ',%s' % token_data):
+- msg = _('Unable to add token user list.')
+- raise exception.UnexpectedError(msg)
++ update_index(user_id, token_data)
++
++ if CONF.trust.enabled and data.get('trust_id'):
++ if 'access' in data_copy:
++ trustee_user_id = data_copy['access']['trust'][
++ 'trustee_user_id']
++ else:
++ trustee_user_id = data_copy['OS-TRUST:trust'][
++ 'trustee_user_id']
++ update_index(trustee_user_id, token_data)
+ return copy.deepcopy(data_copy)
+
+ def _add_to_revocation_list(self, token_id, token_data):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 1af3c16..19caa0c 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -2096,7 +2096,8 @@ class TokenTests(object):
+ self.token_api.delete_token, token_id)
+
+ def create_token_sample_data(self, tenant_id=None, trust_id=None,
+- user_id="testuserid"):
++ user_id='testuserid',
++ trustee_user_id='testuserid2'):
+ token_id = self._create_token_id()
+ data = {'id': token_id, 'a': 'b',
+ 'user': {'id': user_id}}
+@@ -2104,6 +2105,11 @@ class TokenTests(object):
+ data['tenant'] = {'id': tenant_id, 'name': tenant_id}
+ if trust_id is not None:
+ data['trust_id'] = trust_id
++ data.setdefault('access', {}).setdefault('trust', {})
++ # Testuserid2 is used here since a trustee will be different in
++ # the cases of impersonation and therefore should not match the
++ # token's user_id.
++ data['access']['trust']['trustee_user_id'] = trustee_user_id
+ self.token_api.create_token(token_id, data)
+ return token_id
+
+@@ -2290,6 +2296,39 @@ class TokenTests(object):
+ for t in self.token_api.list_revoked_tokens():
+ self.assertIn('expires', t)
+
++ def test_token_in_trustee_and_trustor_token_list(self):
++ self.opt_in_group('trust',
++ enabled=True)
++ trustor = self.user_foo
++ trustee = self.user_two
++ trust_id = uuid.uuid4().hex
++ trust_info = {'trustor_user_id': trustor['id'],
++ 'trustee_user_id': trustee['id'],
++ 'project_id': self.tenant_bar['id'],
++ 'expires_at': timeutils.
++ parse_isotime('2031-02-18T18:10:00Z'),
++ 'impersonation': True}
++ self.trust_api.create_trust(trust_id, trust_info,
++ roles=[{'id': 'member'},
++ {'id': 'other'},
++ {'id': 'browser'}])
++
++ token_id = self.create_token_sample_data(
++ tenant_id=self.tenant_bar['id'],
++ trust_id=trust_id,
++ user_id=trustor['id'],
++ trustee_user_id=trustee['id'])
++
++ # Ensure the token id exists in both the trustor and trustee token
++ # lists
++
++ self.assertIn(token_id,
++ self.token_api.list_tokens(self.user_two['id'],
++ trust_id=trust_id))
++ self.assertIn(token_id,
++ self.token_api.list_tokens(self.user_foo['id'],
++ trust_id=trust_id))
++
+
+ class TrustTests(object):
+ def create_sample_trust(self, new_id):
+diff --git a/tests/test_backend_kvs.py b/tests/test_backend_kvs.py
+index f3a8ece..15a87b5 100644
+--- a/tests/test_backend_kvs.py
++++ b/tests/test_backend_kvs.py
+@@ -73,6 +73,8 @@ class KvsToken(test.TestCase, test_backend.TokenTests):
+ def setUp(self):
+ super(KvsToken, self).setUp()
+ self.token_api = token_kvs.Token(db={})
++ self.load_backends()
++ self.load_fixtures(default_fixtures)
+
+
+ class KvsTrust(test.TestCase, test_backend.TrustTests):
+diff --git a/tests/test_backend_memcache.py b/tests/test_backend_memcache.py
+index 9fbaeb9..6339e6f 100644
+--- a/tests/test_backend_memcache.py
++++ b/tests/test_backend_memcache.py
+@@ -18,6 +18,7 @@ import uuid
+
+ import memcache
+
++import default_fixtures
+ from keystone.common import utils
+ from keystone.openstack.common import timeutils
+ from keystone import test
+@@ -75,8 +76,10 @@ class MemcacheClient(object):
+ class MemcacheToken(test.TestCase, test_backend.TokenTests):
+ def setUp(self):
+ super(MemcacheToken, self).setUp()
++ self.load_backends()
+ fake_client = MemcacheClient()
+ self.token_api = token_memcache.Token(client=fake_client)
++ self.load_fixtures(default_fixtures)
+
+ def test_create_unicode_token_id(self):
+ token_id = unicode(self._create_token_id())
+--
+cgit v0.9.2
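Review bot: In the memcache `create_token` change, the trustee lookup (`data_copy['access']['trust']['trustee_user_id']`, else `data_copy['OS-TRUST:trust']['trustee_user_id']`) runs only after `self.client.set(ptk, data_copy, **kwargs)` has stored the token, so a trust-scoped token whose body lacks those keys raises KeyError after it is already valid and indexed under the trustor but not the trustee — the same unrevokable-token condition this backport is meant to close. Resolving the trustee id before the `self.client.set(...)` call and converting a missing key into `exception.UnexpectedError` rejects such a token before it exists; a sketch is below. The new test only builds the `access`/`trust` layout, so the `OS-TRUST:trust` fallback is untested, and whether production v3 token data carries that key at the top level (I believe v3 bodies sit under a `token` key) is not visible here — confirm against a real v3 trust token. The nested `update_index` helper would also benefit from a one-liner such as `# Index the token under user_id so bulk revocation (password change/disable) can find it.`. `create_token` continues past the hunk's context lines.
```python
    def create_token(self, token_id, data):
        # … unchanged: update_index helper, data_copy/ptk/expiry setup …
        trustee_user_id = None
        if CONF.trust.enabled and data.get('trust_id'):
            # Resolve the trustee before the token is stored so a malformed
            # trust token is rejected instead of left valid but unindexed.
            try:
                if 'access' in data_copy:
                    trustee_user_id = data_copy['access']['trust'][
                        'trustee_user_id']
                else:
                    trustee_user_id = data_copy['OS-TRUST:trust'][
                        'trustee_user_id']
            except KeyError:
                raise exception.UnexpectedError(
                    _('Trust-scoped token has no trustee_user_id.'))
        self.client.set(ptk, data_copy, **kwargs)
        token_data = jsonutils.dumps(token_id)
        if 'id' in data['user']:
            update_index(data['user']['id'], token_data)
        if trustee_user_id is not None:
            update_index(trustee_user_id, token_data)
        return copy.deepcopy(data_copy)
```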
diff --git a/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch b/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch
new file mode 100644
index 000000000000..a19d9440258f
--- /dev/null
+++ b/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch
@@ -0,0 +1,183 @@
+From b6f0e26da0e2ab0892a5658da281a065e668637b Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 21 Feb 2014 21:33:25 +0000
+Subject: Ensure tokens are added to both Trustor and Trustee indexes
+
+Tokens are now added to both the Trustor and Trustee user-token-index
+so that bulk token revocations (e.g. password change) of the trustee
+will work as expected. This is a backport of the basic code that was
+used in the Icehouse-vintage Dogpile Token KVS backend that resolves
+this issue by merging the handling of memcache and KVS backends into
+the same logic.
+
+Change-Id: I3e19e4a8fc1e11cef6db51d364e80061e97befa7
+Closes-Bug: #1260080
+---
+diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
+index e0e81ca..1e926c8 100644
+--- a/keystone/tests/test_backend.py
++++ b/keystone/tests/test_backend.py
+@@ -25,6 +25,7 @@ from keystone import exception
+ from keystone.openstack.common import timeutils
+ from keystone import tests
+ from keystone.tests import default_fixtures
++from keystone.token import provider
+
+
+ CONF = config.CONF
+@@ -2645,7 +2646,8 @@ class TokenTests(object):
+ self.token_api.delete_token, token_id)
+
+ def create_token_sample_data(self, tenant_id=None, trust_id=None,
+- user_id="testuserid"):
++ user_id='testuserid',
++ trustee_user_id='testuserid2'):
+ token_id = self._create_token_id()
+ data = {'id': token_id, 'a': 'b',
+ 'user': {'id': user_id}}
+@@ -2655,6 +2657,15 @@ class TokenTests(object):
+ data['tenant'] = None
+ if trust_id is not None:
+ data['trust_id'] = trust_id
++ data.setdefault('access', {}).setdefault('trust', {})
++ # Testuserid2 is used here since a trustee will be different in
++ # the cases of impersonation and therefore should not match the
++ # token's user_id.
++ data['access']['trust']['trustee_user_id'] = trustee_user_id
++ data['token_version'] = provider.V2
++ # Issue token stores a copy of all token data at token['token_data'].
++ # This emulates that assumption as part of the test.
++ data['token_data'] = copy.deepcopy(data)
+ new_token = self.token_api.create_token(token_id, data)
+ return new_token['id']
+
+@@ -2907,6 +2918,39 @@ class TokenTests(object):
+ for t in self.token_api.list_revoked_tokens():
+ self.assertIn('expires', t)
+
++ def test_token_in_trustee_and_trustor_token_list(self):
++ self.opt_in_group('trust',
++ enabled=True)
++ trustor = self.user_foo
++ trustee = self.user_two
++ trust_id = uuid.uuid4().hex
++ trust_info = {'trustor_user_id': trustor['id'],
++ 'trustee_user_id': trustee['id'],
++ 'project_id': self.tenant_bar['id'],
++ 'expires_at': timeutils.
++ parse_isotime('2031-02-18T18:10:00Z'),
++ 'impersonation': True}
++ self.trust_api.create_trust(trust_id, trust_info,
++ roles=[{'id': 'member'},
++ {'id': 'other'},
++ {'id': 'browser'}])
++
++ token_id = self.create_token_sample_data(
++ tenant_id=self.tenant_bar['id'],
++ trust_id=trust_id,
++ user_id=trustor['id'],
++ trustee_user_id=trustee['id'])
++
++ # Ensure the token id exists in both the trustor and trustee token
++ # lists
++
++ self.assertIn(token_id,
++ self.token_api.list_tokens(self.user_two['id'],
++ trust_id=trust_id))
++ self.assertIn(token_id,
++ self.token_api.list_tokens(self.user_foo['id'],
++ trust_id=trust_id))
++
+
+ class TokenCacheInvalidation(object):
+ def _create_test_data(self):
+diff --git a/keystone/tests/test_backend_kvs.py b/keystone/tests/test_backend_kvs.py
+index ac9df71..a23882c 100644
+--- a/keystone/tests/test_backend_kvs.py
++++ b/keystone/tests/test_backend_kvs.py
+@@ -70,6 +70,7 @@ class KvsToken(tests.TestCase, test_backend.TokenTests):
+ identity.CONF.identity.driver = (
+ 'keystone.identity.backends.kvs.Identity')
+ self.load_backends()
++ self.load_fixtures(default_fixtures)
+
+
+ class KvsTrust(tests.TestCase, test_backend.TrustTests):
+diff --git a/keystone/tests/test_backend_memcache.py b/keystone/tests/test_backend_memcache.py
+index 964d5b4..c99a6a3 100644
+--- a/keystone/tests/test_backend_memcache.py
++++ b/keystone/tests/test_backend_memcache.py
+@@ -26,6 +26,7 @@ from keystone import exception
+ from keystone.openstack.common import jsonutils
+ from keystone.openstack.common import timeutils
+ from keystone import tests
++from keystone.tests import default_fixtures
+ from keystone.tests import test_backend
+ from keystone.tests import test_utils
+ from keystone import token
+@@ -115,6 +116,7 @@ class MemcacheToken(tests.TestCase, test_backend.TokenTests):
+ def setUp(self):
+ super(MemcacheToken, self).setUp()
+ self.load_backends()
++ self.load_fixtures(default_fixtures)
+ fake_client = MemcacheClient()
+ self.token_man = token.Manager()
+ self.token_man.driver = token_memcache.Token(client=fake_client)
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index b3f991a..c0d6e36 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -150,5 +150,7 @@ class Token(kvs.Base, token.Driver):
+ def flush_expired_tokens(self):
+ now = timeutils.utcnow()
+ for token, token_ref in self.db.items():
++ if not token.startswith('revoked-token-'):
++ continue
+ if self.is_expired(now, token_ref):
+ self.db.delete(token)
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index a6fe826..08c1c40 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -83,12 +83,33 @@ class Token(token.Driver):
+ expires_ts = utils.unixtime(data_copy['expires'])
+ kwargs['time'] = expires_ts
+ self.client.set(ptk, data_copy, **kwargs)
+- if 'id' in data['user']:
+- user_id = data['user']['id']
+- user_key = self._prefix_user_id(user_id)
+- # Append the new token_id to the token-index-list stored in the
+- # user-key within memcache.
+- self._update_user_list_with_cas(user_key, token_id, data_copy)
++ user_id = data['user']['id']
++ user_key = self._prefix_user_id(user_id)
++ # Append the new token_id to the token-index-list stored in the
++ # user-key within memcache.
++ self._update_user_list_with_cas(user_key, token_id, data_copy)
++ if CONF.trust.enabled and data.get('trust_id'):
++ # NOTE(morganfainberg): If trusts are enabled and this is a trust
++ # scoped token, we add the token to the trustee list as well. This
++ # allows password changes of the trustee to also expire the token.
++ # There is no harm in placing the token in multiple lists, as
++ # _list_tokens is smart enough to handle almost any case of
++ # valid/invalid/expired for a given token.
++ token_data = data_copy['token_data']
++ if data_copy['token_version'] == token.provider.V2:
++ trustee_user_id = token_data['access']['trust'][
++ 'trustee_user_id']
++ elif data_copy['token_version'] == token.provider.V3:
++ trustee_user_id = token_data['OS-TRUST:trust'][
++ 'trustee_user_id']
++ else:
++ raise token.provider.UnsupportedTokenVersionException(
++ _('Unknown token version %s') %
++ data_copy.get('token_version'))
++
++ trustee_key = self._prefix_user_id(trustee_user_id)
++ self._update_user_list_with_cas(trustee_key, token_id, data_copy)
++
+ return copy.deepcopy(data_copy)
+
+ def _convert_user_index_from_json(self, token_list, user_key):
+--
+cgit v0.9.2
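Review bot: The V3 branch of the new trustee lookup in `memcache.py`, `token_data['OS-TRUST:trust']['trustee_user_id']`, is never exercised: `create_token_sample_data` pins `data['token_version'] = provider.V2` and the added test builds only the `access`/`trust` layout, so a KeyError in that branch would ship unnoticed. I believe the V3 provider nests the body under a `token` key, which would make the correct read `token_data['token']['OS-TRUST:trust']['trustee_user_id']`; confirm against a real V3 trust token and add a V3 variant of `test_token_in_trustee_and_trustor_token_list`. Dropping the `if 'id' in data['user']:` guard also turns a token without a user id into a KeyError, and every index update still follows `self.client.set(ptk, data_copy, **kwargs)`, so a failure in the trustee lookup leaves a valid token indexed under the trustor only — resolving the trustee id before the set would close that window. In `kvs.py`, the new `if not token.startswith('revoked-token-'): continue` makes `flush_expired_tokens` skip live `token-` entries as well as the user index lists; if only the latter was intended the check should be inverted to skip the index keys, otherwise document it with `# Only the revocation list is flushed here — confirm live tokens are reaped elsewhere`. `create_token` continues beyond the hunk.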
diff --git a/sys-auth/keystone/keystone-2013.1.4-r3.ebuild b/sys-auth/keystone/keystone-2013.1.4-r3.ebuild
new file mode 100644
index 000000000000..65e7499edaaf
--- /dev/null
+++ b/sys-auth/keystone/keystone-2013.1.4-r3.ebuild
@@ -0,0 +1,90 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.4-r3.ebuild,v 1.1 2014/03/16 19:54:35 prometheanfire Exp $
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python."
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="http://launchpad.net/${PN}/grizzly/${PV}/+download/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+sqlite mysql postgres ldap test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+#todo, seperate out rdepend via use flags
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( dev-python/Babel
+ dev-python/decorator
+ dev-python/eventlet
+ dev-python/greenlet
+ dev-python/httplib2
+ dev-python/iso8601
+ dev-python/lxml
+ dev-python/netifaces
+ dev-python/nose
+ dev-python/nosexcover
+ dev-python/passlib
+ dev-python/paste
+ dev-python/pastedeploy
+ dev-python/python-pam
+ dev-python/repoze-lru
+ dev-python/routes
+ dev-python/sphinx
+ >=dev-python/sqlalchemy-migrate-0.7
+ dev-python/tempita
+ >=dev-python/webob-1.0.8
+ dev-python/webtest
+ dev-python/python-memcached
+ )"
+RDEPEND="dev-python/eventlet[${PYTHON_USEDEP}]
+ dev-python/greenlet[${PYTHON_USEDEP}]
+ >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-0.2.1[${PYTHON_USEDEP}]
+ <=dev-python/python-keystoneclient-0.3[${PYTHON_USEDEP}]
+ dev-python/lxml[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-1.1.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
+ dev-python/passlib[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ dev-python/pastedeploy[${PYTHON_USEDEP}]
+ dev-python/python-daemon[${PYTHON_USEDEP}]
+ >=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
+ dev-python/routes[${PYTHON_USEDEP}]
+ >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
+ =dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+ virtual/python-argparse[${PYTHON_USEDEP}]
+ sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.10[sqlite,${PYTHON_USEDEP}] )
+ mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.10[mysql,${PYTHON_USEDEP}] )
+ postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.10[postgres,${PYTHON_USEDEP}] )
+ ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )"
+PATCHES=(
+ "${FILESDIR}/2013.1.4-CVE-2013-4477.patch"
+ "${FILESDIR}/2013.1.4-CVE-2014-2237.patch"
+)
+# "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
+#
+python_test() {
+ # https://bugs.launchpad.net/keystone/+bug/1241956
+ nosetests -e 'test_keystoneclient*' || die "testsuite failed under ${EPYTHON}"
+}
+
+python_install() {
+ distutils-r1_python_install
+ newconfd "${FILESDIR}/keystone.confd" keystone
+ newinitd "${FILESDIR}/keystone.initd" keystone
+
+ diropts -m 0750
+ keepdir /etc/keystone /var/log/keystone
+ insinto /etc/keystone
+ doins etc/keystone.conf.sample etc/logging.conf.sample
+ doins etc/default_catalog.templates etc/policy.json
+}
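Review bot: This ebuild creates `/etc/keystone` and `/var/log/keystone` with `diropts -m 0750` but, unlike `keystone-2013.2.2-r1.ebuild` in the same commit, inherits no `user` eclass, creates no `keystone` account and sets no `fowners`, so both directories end up root-owned 0750; if `keystone.initd` (not visible here) drops to a service user it cannot read its config or write logs, and if it does not, the service runs as root. Mirroring the havana ebuild's `pkg_setup` (`enewgroup keystone`; `enewuser keystone -1 -1 /var/lib/keystone keystone`) plus `fowners root:keystone /etc/keystone` and `fowners keystone:keystone /var/log/keystone` would make the grizzly and havana revisions behave the same way. The commented-out `keystone-grizzly-2-CVE-2013-2157.patch` line in `PATCHES` deserves a comment stating why it is disabled (presumably already included in 2013.1.4 — confirm), e.g. `# CVE-2013-2157 fix is included upstream in 2013.1.4; patch kept for reference`. As a point of style, the `test?` dependencies lack `[${PYTHON_USEDEP}]` while every `RDEPEND` atom carries it.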
diff --git a/sys-auth/keystone/keystone-2013.2.2-r1.ebuild b/sys-auth/keystone/keystone-2013.2.2-r1.ebuild
new file mode 100644
index 000000000000..ab74a474bf9d
--- /dev/null
+++ b/sys-auth/keystone/keystone-2013.2.2-r1.ebuild
@@ -0,0 +1,128 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.2-r1.ebuild,v 1.1 2014/03/16 19:54:35 prometheanfire Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python."
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+sqlite mysql postgres ldap test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+#todo, seperate out rdepend via use flags
+RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+ <dev-python/webob-1.3[${PYTHON_USEDEP}]
+ >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
+ >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
+ dev-python/netaddr[${PYTHON_USEDEP}]
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+ sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
+ mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
+ postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
+ >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
+ dev-python/passlib[${PYTHON_USEDEP}]
+ >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
+ >=dev-python/iso8601-0.1.8[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
+ >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
+ dev-python/oauth2[${PYTHON_USEDEP}]
+ >=dev-python/dogpile-cache-0.5.2[${PYTHON_USEDEP}]
+ dev-python/python-daemon[${PYTHON_USEDEP}]
+ virtual/python-argparse[${PYTHON_USEDEP}]
+ ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )
+ >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( ${RDEPEND}
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ >=dev-python/hacking-0.5.6[${PYTHON_USEDEP}]
+ <dev-python/hacking-0.8[${PYTHON_USEDEP}]
+ dev-python/httplib2[${PYTHON_USEDEP}]
+ >=dev-python/keyring-1.6.1[${PYTHON_USEDEP}]
+ <dev-python/keyring-2.0[${PYTHON_USEDEP}]
+ >=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
+ dev-python/nose[${PYTHON_USEDEP}]
+ dev-python/nosexcover[${PYTHON_USEDEP}]
+ >=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}]
+ >=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}]
+ dev-python/oslo-sphinx[${PYTHON_USEDEP}]
+ >=dev-python/requests-1.1[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.2[${PYTHON_USEDEP}]
+ >=dev-python/testtools-0.9.32[${PYTHON_USEDEP}]
+ >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
+ >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}]
+ ldap? ( ~dev-python/python-ldap-2.3.13 ) )
+ >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
+
+PATCHES=(
+ "${FILESDIR}/2013.2.2-CVE-2014-2237.patch"
+)
+
+pkg_setup() {
+ enewgroup keystone
+ enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+ mkdir ${PN}/tests/tmp || die
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ # https://bugs.launchpad.net/keystone/+bug/1262564
+ nosetests || die "testsuite failed under python2.7"
+}
+
+python_install() {
+ distutils-r1_python_install
+ newconfd "${FILESDIR}/keystone.confd" keystone
+ newinitd "${FILESDIR}/keystone.initd" keystone
+
+ diropts -m 0750
+ keepdir /etc/keystone /var/log/keystone
+ insinto /etc/keystone
+ doins etc/keystone.conf.sample etc/logging.conf.sample
+ doins etc/default_catalog.templates etc/policy.json
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+
+ fowners keystone:keystone /etc/keystone /var/log/keystone
+}
+
+pkg_postinst() {
+ elog "You might want to run:"
+ elog "emerge --config =${CATEGORY}/${PF}"
+ elog "if this is a new install."
+ elog "If you have not already configured your openssl installation"
+ elog "please do it by modifying /etc/ssl/openssl.cnf"
+ elog "BEFORE issuing the configuration command."
+ elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+ if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+ einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+ read
+ "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+ else
+ einfo "keystone PKI certificates directory already present, skipping configuration"
+ fi
+}
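Review bot: `fowners keystone:keystone /etc/keystone /var/log/keystone` in `python_install` hands the service account ownership of its own configuration directory, so a compromised keystone process can replace `policy.json`, `keystone.conf` or `keystone-paste.ini` inside it (write permission on the directory allows rename/unlink of root-owned files) and persist elevated authorization. `fowners root:keystone /etc/keystone` together with the 0750 `diropts` already in place keeps the config readable by the service while writable only by root; `keystone:keystone` remains appropriate for `/var/log/keystone`, and `pki_setup` still runs as root from `pkg_config`, so it can create `/etc/keystone/ssl` either way. The files installed by `doins` are root-owned 0644 by default, so the directory ownership is the only thing that needs to change. As a point of style, the `ldap? ( ~dev-python/python-ldap-2.3.13 )` test atom lacks `[${PYTHON_USEDEP}]`, and `die "testsuite failed under python2.7"` hardcodes the interpreter where the grizzly ebuild uses `${EPYTHON}`.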