diff options
author | Matt Thode <prometheanfire@gentoo.org> | 2013-09-11 16:01:46 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2013-09-11 16:01:46 +0000 |
commit | 8ed21562b0d4bf9e11d0e6cc791ed53792674c83 (patch) | |
tree | 2917cd4651c4bcb41f514c36d65489228beb92f3 /sys-auth/keystone | |
parent | Fix failing patch wrt bug #484092. Tidy ebuild. (diff) | |
download | historical-8ed21562b0d4bf9e11d0e6cc791ed53792674c83.tar.gz historical-8ed21562b0d4bf9e11d0e6cc791ed53792674c83.tar.bz2 historical-8ed21562b0d4bf9e11d0e6cc791ed53792674c83.zip |
updating keystone for cve-2013-4294
Package-Manager: portage-2.1.12.2/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 12 | ||||
-rw-r--r-- | sys-auth/keystone/Manifest | 34 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch | 143 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch | 139 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.4-r7.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r6.ebuild) | 3 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.1.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.1.3.ebuild) | 3 |
6 files changed, 315 insertions, 19 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog index 7999ba7cdc76..ba893f0d6602 100644 --- a/sys-auth/keystone/ChangeLog +++ b/sys-auth/keystone/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for sys-auth/keystone # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.29 2013/08/19 03:26:04 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.30 2013/09/11 16:01:38 prometheanfire Exp $ + +*keystone-2012.2.4-r7 (11 Sep 2013) +*keystone-2013.1.3-r1 (11 Sep 2013) + + 11 Sep 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/keystone-cve-2013-4294-folsom.patch, + +files/keystone-cve-2013-4294-grizzly.patch, +keystone-2012.2.4-r7.ebuild, + +keystone-2013.1.3-r1.ebuild, -keystone-2012.2.4-r6.ebuild, + -keystone-2013.1.3.ebuild: + updating keystone for cve-2013-4294 19 Aug 2013; Matthew Thode <prometheanfire@gentoo.org> keystone-2013.1.9999.ebuild: diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest index b5c1496ed3c0..844466d2a978 100644 --- a/sys-auth/keystone/Manifest +++ b/sys-auth/keystone/Manifest @@ -2,6 +2,8 @@ Hash: SHA256 AUX 2012.2.4-upstream-1181157.patch 1336 SHA256 355c3e49e2c0ea0924bfb7eaf2d6a82120d2eb0f31fc4863ef6bf1b9791c94d4 SHA512 b90d41bcd9b60886af2f37de3cbc33c3583eef65b9ed4a92e2b55e8701f883f3662b8f5e00a4c65d869914b8c9718364b8024604197a5f6cc5403508e3fb8827 WHIRLPOOL 0454536a2c9ed28c6b164c9f64af6c472f8d22b38a509d27d4d0d22a238737f4d51ed17f416c04c7fe3b43790741e0914b09e0435c6dbc8e34c7c1debf75eb19 +AUX keystone-cve-2013-4294-folsom.patch 5662 SHA256 69b07e87cf021b21168fe40fedd2dabd492991e0b4192f86fad378e24ef0429c SHA512 502cca91cfd71bd43f1a0dd0ada718cc9020071e41b13abd7310de175a794453bdb529e1ffb641e60e199fef9a2226aa44395f32eb3b0af8dc0b56dbf739b307 WHIRLPOOL 58f95de485b6351f78a680a65531bee8bcc2d725329aefa21116443a8a5ad6759a32d0ff39aa97a5226fa32fdcf0ac689bab1e7730207677334d1559f8c8d790 +AUX keystone-cve-2013-4294-grizzly.patch 5704 SHA256 86a7f54c72675d5041b648dff4f607e7e20659dbdd56084aec4424e3e552e419 SHA512 b58bb75fa4bbfcc09b3a02ee407c05b031dce54976b949e140894f43b5691048ee62921496e132f0ac1d0c47e9a7a75b5ac238fa84f870289563abcda2e72d28 WHIRLPOOL 775365acc88a7486dd8ede7b999fb4811cca493a1487a9177b9af0ca8d0093aa2cc45e9ba6583b4b069671f3c44402269ae63875ca057d76e707e970d0a175e0 AUX keystone-folsom-4-CVE-2013-1977.patch 1114 SHA256 af81df239364cab3f94b14636359a19e6c8474f8282d2c174e3e75208fa508c6 SHA512 e9139487cdf6185d0405fd034a48c451c15ab568ebb6d4e58c2c50160ef8dc6b926a31fd0b31c646ecfccf68f2b667d9577bbe6e169ef28f8abfc06ae9031210 WHIRLPOOL c2ed7858f514f3d4a45303b0a307eb259c3c53373160ad35afcb7012ca63f9360d152f4869745579b678d990ed6f929ef050b1c68683bac656123a0aea394ec0 AUX keystone-folsom-4-CVE-2013-2030.patch 2318 SHA256 fd824a4000da663568f26dbcfa6de031911ebdca1dea2c0958b3d5398d4d9ba6 SHA512 6b00a6d9062dd418299f9f02891fbfaa86f8f69db394ccfff31367555d1d7dbad1cf0d5a8647b61addeaabd2107b9f75cdc1986df8186de5c428f33533abffab WHIRLPOOL 842c4adb14c4a4501ea84c0082c0f28295027e27fee9957eafea6db9397a26c4955eb355b955d625bf5df818c1178af2267270aedec93bc47da8f17b59eaeca2 AUX keystone-folsom-4-CVE-2013-2059.patch 2340 SHA256 9c3a1d953abd719c55c77fd13295c0aa5caf730a4656f3a111a1bfc1d92a282c SHA512 c6f50ed21c95c7be256f0a15ef804eaf16f32fec038be53742ce85b9a303f4c613728c95af606aafd779009f298a68517668594a590fa40258dbbb6646c3fbed WHIRLPOOL 723b4d0e5573a2e7473e4613fcfc717d1e0d90ff18a7559baa7fe0a21c6c5fcb84648afcb227ea9231ed87738e0c17cf79153287d2d6b14a65974a67e78dbd2f @@ -14,26 +16,26 @@ AUX keystone.initd 1245 SHA256 16f50903b74dd21ef0641333e013f2c6b661590ee519b6f6c AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5 DIST keystone-2012.2.4.tar.gz 555448 SHA256 ab3a9a6c1f8ef9b95a73920883294f888f298db6330b8d4ed43e28354e8ca7af SHA512 481bde4372525c92144059c94d95ddac95dc720e486428f2e7ad1d5e0c6c2b6eb9a17be40f83c5866b522a512a2a3d331a08498c6704b794fea343fc2c0c1d93 WHIRLPOOL 243d9fe82988fd6057ffdae7971b570cb129a168fba3f6a38ea105fadc51e7e9fbfd29d88bb389572fc00cfbe0cc17e9e4c4f4ebf9d61ff589148b1b0c171558 DIST keystone-2013.1.3.tar.gz 799651 SHA256 e097170ebb1cf22de50f2d5ab2216a5116ffe0934720dbad8b02d61c370b8261 SHA512 0d0a5f6902f78c5962ee19d29645081380d247a22d4de942a28e7fa28a4f6dca396114d94c6e8188d618b4de12d3b90187a4832575b37394a2b84c5eb9592876 WHIRLPOOL d74459c5e4f64287c3734384c075523ed2b88d4e4d044e5d45345009f2ce9b98d708367dcb3cc968df90b97972d0fd52d49ffb289a1982533370e5f9b075833b -EBUILD keystone-2012.2.4-r6.ebuild 2740 SHA256 12aa067203a588a93f2f1da80d6fbf1bde8518addb32938028735e28235e05ea SHA512 26a7fae98ae28cd749f89f66b76ebe16c1124fcaf78c87354a98b4bce583fa1005a9bb9875d8574239fa1d6ed64ca48035818d50715a344580c6bc576f51c26c WHIRLPOOL 551b2a7f9004d552998881d73e116aa62643bb82a0232da7fe34663874fc75dfe88ac0925ea95a72f639d61b769e7d6a754334431f4785caf9899e595d2fe61a -EBUILD keystone-2013.1.3.ebuild 2976 SHA256 2a20baff08b1a09ac51c1de0f214e8ab758d264d2da74223e26491ee03486ef9 SHA512 391c0b833f1de04030abd996dd14c8361e27ee2adaf7db6b5a8a0632f1b1d55b240a662e593f0f25abef0ef2cd766d321b210b503379ee1f904448e3a9c047bb WHIRLPOOL 4253883fe0c682301d0aab615e0edcad9620795bf7cf24782d42366707cbd34a057d5424c10b24ad57d81861e59553c74a322d61a896ba3982b35d4280cb0075 +EBUILD keystone-2012.2.4-r7.ebuild 2791 SHA256 27ce95c013742fcba83a1dc8a0afe55255bb961815de447063f85356abf69cae SHA512 ad23ebf40fe647e5159cbfce92fe53f3bb3c0bbc6cea5d4bfd6f02a5a64f8bdcfa1fdc0576827b42a3b0491c437ea760a346a4c47635515ee440998465620893 WHIRLPOOL d27995dbfca7f164408d2cc6f5287bbd0de6d09218fa88d8e16a60aad40768fcc3302a1a6a4a04479086c091ba3626f6f97cf46a2c960f3b60515d6ff3eb5b01 +EBUILD keystone-2013.1.3-r1.ebuild 3031 SHA256 9e8d5c65055eb7362704cf83b90ab7111e598f0b8a9582e77c1447854a857e52 SHA512 b84ce60a9d51bded4ac7c6519b0aa53e95d3b3717e2f1bf80372bc339351f00eede55c56d56d919e1a532432d1cd6a80aca4a6e30e63f29fac271b7ad2531da3 WHIRLPOOL 3ec1d5449e6bf39ec2960f573ad8b49ccac9eb08de3106dc3e06f40f281c19b17e9a7a237ec5f58ba6499cd7e8585a123758d5b86226c1e65efd4167aba0b221 EBUILD keystone-2013.1.9999.ebuild 2859 SHA256 d3ea8321720c2ace785900affc03531f4774405cfb57eb1bc58460cfec9f6d89 SHA512 6bc083d4dab8dea112ebcd32c1016a6e78b4fc96f4c3fb5dbb6ea5ece142bf781328b0cf9a568d15413ee44d73b99a5ab895037fcf248530441fd66d54ff3dd2 WHIRLPOOL 20cf4775024c9bc1bdcdc9668538c037ae671efa759447a709939ba0ed86f5093c1f5665233769b12bfdd642123d44ccccdda06f0469fb735579056cff5cc64a EBUILD keystone-9999.ebuild 2942 SHA256 048862e16792a3de401129f16b01fdfedbbcebc0f126dd1a39fb63c0118cd030 SHA512 767dccb4ce53d3162156f965c97bb4d33ff6d1d7dfd5efaa3a223d66915694f2d946e6e7774b73ac1c4f5a42af6228dafd3f30d3fb57da59bc293bae141a18a7 WHIRLPOOL 944e87af5b6a7f4276d49751d0b578052257c833350a568e7dd031f138b20a1714e38874f4992486fd8ca51d83e01516c055a244c634ec35e931149d120fdbc2 -MISC ChangeLog 6196 SHA256 cceff3b78d07888b5004853a8bab4bddccc54d4622baa6b3a095cc92a6377714 SHA512 4168f656a0f7e4966a319188269eb2d2c3b6571324ae0890c3ff0625f4d0e73d123275e21e58da0f4273523d8dbc44dcad540356237707ab82799a495997e3d3 WHIRLPOOL 5916276ba81afe9a552aaca6e2898eb023729a54287dedc4780791bc8b9c56dea3f4d3a41178bdd07f59c98e36629818dc8bcfcfd21dc37bf4ccb370c7f12f14 +MISC ChangeLog 6579 SHA256 50de7e8a86a6f1ef8d04d7e047cb9908c7a9b65060a59660c2699371302702aa SHA512 b4635410af93a013485c9e1b095c5b7c4c288efaea3efba1585abc06ccf44d3acd9c3cc5a113fb5c921e27292f26f87fbecd73c35c5e23ca2b2d59af390b3b08 WHIRLPOOL cc38c58a1128e76aa3614dd08756d5038120018760e333bb292fdc6899748c4e222fc4f134cd97027f6c09d8e77d6b6338edcb2160f00bb3a36aa0140e495238 MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) -iQIcBAEBCAAGBQJSEZCPAAoJECRx6z5ArFrDFTsQAJCcvrWOpSAKRbGWyq9ePL+4 -BuDOVn+oBa+0RBavR5qb8pVvXEHVLggq/A89/7pB4cqi6G1jtKDRuRBloCWNN7TO -KjKAe6sv/cQ7ZuIBfwXi6qV+WWeFbuZ+dzIP42OKkxeXhSUJ3CbcN+uZ4YXIJvJZ -n9XVHF45+h690cLNH+p7St6Jd+t1ILqyK042CEiBTSrHVlNf5SKpaiRDUgj2iYFh -TpIrcr8dg3XJKb9yrc5iEajQUsf+2PM5PFtMbfIMJUa7HySO6UUujHKydj7su/5n -yqSsBSNw5sz59BeJWeYHqPdNTlWjXk8ip2nkaA3hy+N9nH5Woe5g9T5B37nVK0wj -7SJ6jvU9ss0jxo440JQM1PSRikaOeIZMgpydmradZoh2cZ0ApGtSlUi7wUNBWiGU -fqQqK0bqQw/hX4OiDmFAKmnkSbcZdcGxkceq0zWACsIlwIRTmXtr0BJpFlAsIQio -qQ6HTnPipoJ7GvYJcKHg8+M/0UB810GV/NSJe0ehza/KPaVZaKEuvAKYKaQA1oBp -s9tem6WVm0Ob6grEFjYYLOWM2SeoEGURtX+cRI4/R/SG23HHj+GQWrdyNofXiwYj -2JYJdYQ7tZMXmi6O/5tfZNfX0gzAMLaCdA2qhLC4XZiQcB4fslyzX3YZ38HVIX9N -mDFgogI0EhniBjesqSSj -=5Ixl +iQIcBAEBCAAGBQJSMJQ5AAoJECRx6z5ArFrDDHEQAN/szHyi9lFgicUTgKHz17VU +ctVCPpgw2BGDkBseUOkkiVuhK+KIaRHneEynJC8WjicfbpVBszbalkRos089SXpC +Ujn1mSYWaaMTfQpiWYBZlkr0sIHqiI6NEOWwpeL8HOFDyRZYYmRK3tX7uLkEz3u6 +dTqQt/CO3BFqTXWt2mae8Zl6j3nDg9GjsTVp07Ue7IOFU3+HZ9Sc8KiFzn676ZSi +v0AbxB2rL6NOx5X0w4rBV2+7zOcsYCX1TLBbnWq/UT67cq6gToBRnqE2AjKzgqmi +lapYe9it6z6fuCl3cn3xNGQoVtdtsk43voFydYsZVrFANzn4+ATUoxKZEOd1wDrw +sMAWFGs9JXAAnkPxjtyNvtX1R1VHArG91hs7mQqrBft7oSCLd1iU0c1VeCngSpS0 +7Z+ycPyXYN1hv2nRyHgGAxwUBP4pDgAkGeBtgqEVCYntdiShvfJxwHM9/4fq7BO5 +uiVXTk3G+sRlfir+8ajunnNMdjTJFy7WB4/B7Ct6i0TR7SmqrmyTEf3NbaXsd8Z4 +tKZcnGNKPa/a6AEGD3Y4Tw8vR7Lj6+kcLqQn8iE9r6BLMFQFQLAvrf4cS81PHHBU +6zkYm/fRYUc7HhHk/ERXpj1U1sywmRZAKESO/XjeOI3+vNPRFaa9ZRjp8htJw6J/ +uuz2TJzub2PxHqg8ICH9 +=AvOU -----END PGP SIGNATURE----- diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch new file mode 100644 index 000000000000..2d9e9b5a1ea4 --- /dev/null +++ b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch @@ -0,0 +1,143 @@ +From 8ef8be4af315d50edd661d8a5e846d260a5a3ce2 Mon Sep 17 00:00:00 2001 +From: Morgan Fainberg <m@metacloud.com> +Date: Fri, 23 Aug 2013 14:10:28 -0700 +Subject: [PATCH] Fix and test token revocation list API + +Change-Id: I07257b3704895a2af2654aa863f0b910122666da +--- + keystone/token/backends/kvs.py | 2 +- + keystone/token/backends/memcache.py | 12 ++++++---- + tests/test_backend.py | 48 +++++++++++++++++++++++++++++++++---- + 3 files changed, 51 insertions(+), 11 deletions(-) + +diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py +index 123e12f..e5e0ee2 100644 +--- a/keystone/token/backends/kvs.py ++++ b/keystone/token/backends/kvs.py +@@ -81,7 +81,7 @@ class Token(kvs.Base, token.Driver): + if not token.startswith('revoked-token-'): + continue + record = {} +- record['id'] = token_ref['id'] ++ record['id'] = token[len('revoked-token-'):] + record['expires'] = token_ref['expires'] + tokens.append(record) + return tokens +diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py +index e4fa69a..815c392 100644 +--- a/keystone/token/backends/memcache.py ++++ b/keystone/token/backends/memcache.py +@@ -82,8 +82,9 @@ class Token(token.Driver): + raise exception.UnexpectedError(msg) + return copy.deepcopy(data_copy) + +- def _add_to_revocation_list(self, data): +- data_json = jsonutils.dumps(data) ++ def _add_to_revocation_list(self, token_id, token_data): ++ data_json = jsonutils.dumps({'id': token_id, ++ 'expires': token_data['expires']}) + if not self.client.append(self.revocation_key, ',%s' % data_json): + if not self.client.add(self.revocation_key, data_json): + if not self.client.append(self.revocation_key, +@@ -93,10 +94,11 @@ class Token(token.Driver): + + def delete_token(self, token_id): + # Test for existence +- data = self.get_token(self.token_to_key(token_id)) +- ptk = self._prefix_token_id(self.token_to_key(token_id)) ++ token_id = self.token_to_key(token_id) ++ data = self.get_token(token_id) ++ ptk = self._prefix_token_id(token_id) + result = self.client.delete(ptk) +- self._add_to_revocation_list(data) ++ self._add_to_revocation_list(token_id, data) + return result + + def list_tokens(self, user_id, tenant_id=None): +diff --git a/tests/test_backend.py b/tests/test_backend.py +index 0a56cdb..3798e37 100644 +--- a/tests/test_backend.py ++++ b/tests/test_backend.py +@@ -14,9 +14,11 @@ + # License for the specific language governing permissions and limitations + # under the License. + ++import copy + import datetime +-import uuid + import default_fixtures ++import hashlib ++import uuid + + from keystone.catalog import core + from keystone import exception +@@ -628,19 +630,29 @@ class IdentityTests(object): + + + class TokenTests(object): ++ def _create_token_id(self): ++ # Token must start with MII here otherwise it fails the asn1 test ++ # and is not hashed in a SQL backend. ++ token_id = "MII" ++ for i in range(1, 20): ++ token_id += uuid.uuid4().hex ++ return token_id ++ + def test_token_crud(self): + token_id = uuid.uuid4().hex + data = {'id': token_id, 'a': 'b', + 'user': {'id': 'testuserid'}} + data_ref = self.token_api.create_token(token_id, data) +- expires = data_ref.pop('expires') ++ data_ref_copy = copy.deepcopy(data_ref) ++ expires = data_ref_copy.pop('expires') + self.assertTrue(isinstance(expires, datetime.datetime)) +- self.assertDictEqual(data_ref, data) ++ self.assertDictEqual(data_ref_copy, data) + + new_data_ref = self.token_api.get_token(token_id) +- expires = new_data_ref.pop('expires') ++ new_data_ref_copy = copy.deepcopy(new_data_ref) ++ expires = new_data_ref_copy.pop('expires') + self.assertTrue(isinstance(expires, datetime.datetime)) +- self.assertEquals(new_data_ref, data) ++ self.assertEquals(new_data_ref_copy, data) + + self.token_api.delete_token(token_id) + self.assertRaises(exception.TokenNotFound, +@@ -758,6 +770,32 @@ class TokenTests(object): + self.check_list_revoked_tokens([self.delete_token() + for x in xrange(2)]) + ++ def test_predictable_revoked_pki_token_id(self): ++ token_id = self._create_token_id() ++ token_id_hash = hashlib.md5(token_id).hexdigest() ++ token = {'user': {'id': uuid.uuid4().hex}} ++ ++ self.token_api.create_token(token_id, token) ++ self.token_api.delete_token(token_id) ++ ++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()] ++ self.assertIn(token_id_hash, revoked_ids) ++ self.assertNotIn(token_id, revoked_ids) ++ for t in self.token_api.list_revoked_tokens(): ++ self.assertIn('expires', t) ++ ++ def test_predictable_revoked_uuid_token_id(self): ++ token_id = uuid.uuid4().hex ++ token = {'user': {'id': uuid.uuid4().hex}} ++ ++ self.token_api.create_token(token_id, token) ++ self.token_api.delete_token(token_id) ++ ++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()] ++ self.assertIn(token_id, revoked_ids) ++ for t in self.token_api.list_revoked_tokens(): ++ self.assertIn('expires', t) ++ + + class CommonHelperTests(test.TestCase): + def test_format_helper_raises_malformed_on_missing_key(self): +-- +1.8.2.1 (Apple Git-45) + diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch new file mode 100644 index 000000000000..d789ea38443c --- /dev/null +++ b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch @@ -0,0 +1,139 @@ +From a20dcd159f9bf98e5605a3d13d4ba8de9aa1533e Mon Sep 17 00:00:00 2001 +From: Morgan Fainberg <m@metacloud.com> +Date: Fri, 23 Aug 2013 14:53:26 -0700 +Subject: [PATCH] Fix and test token revocation list API + +Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5 +--- + keystone/token/backends/kvs.py | 2 +- + keystone/token/backends/memcache.py | 12 ++++++---- + tests/test_backend.py | 47 +++++++++++++++++++++++++++++++------ + 3 files changed, 48 insertions(+), 13 deletions(-) + +diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py +index 49f15ad..1935b41 100644 +--- a/keystone/token/backends/kvs.py ++++ b/keystone/token/backends/kvs.py +@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver): + if not token.startswith('revoked-token-'): + continue + record = {} +- record['id'] = token_ref['id'] ++ record['id'] = token[len('revoked-token-'):] + record['expires'] = token_ref['expires'] + tokens.append(record) + return tokens +diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py +index a62f342..c2c9b51 100644 +--- a/keystone/token/backends/memcache.py ++++ b/keystone/token/backends/memcache.py +@@ -84,8 +84,9 @@ class Token(token.Driver): + raise exception.UnexpectedError(msg) + return copy.deepcopy(data_copy) + +- def _add_to_revocation_list(self, data): +- data_json = jsonutils.dumps(data) ++ def _add_to_revocation_list(self, token_id, token_data): ++ data_json = jsonutils.dumps({'id': token_id, ++ 'expires': token_data['expires']}) + if not self.client.append(self.revocation_key, ',%s' % data_json): + if not self.client.add(self.revocation_key, data_json): + if not self.client.append(self.revocation_key, +@@ -95,10 +96,11 @@ class Token(token.Driver): + + def delete_token(self, token_id): + # Test for existence +- data = self.get_token(token.unique_id(token_id)) +- ptk = self._prefix_token_id(token.unique_id(token_id)) ++ token_id = token.unique_id(token_id) ++ data = self.get_token(token_id) ++ ptk = self._prefix_token_id(token_id) + result = self.client.delete(ptk) +- self._add_to_revocation_list(data) ++ self._add_to_revocation_list(token_id, data) + return result + + def list_tokens(self, user_id, tenant_id=None, trust_id=None): +diff --git a/tests/test_backend.py b/tests/test_backend.py +index 85ac7cf..d4c2e6c 100644 +--- a/tests/test_backend.py ++++ b/tests/test_backend.py +@@ -14,10 +14,11 @@ + # License for the specific language governing permissions and limitations + # under the License. + ++import copy + import datetime + import default_fixtures ++import hashlib + import uuid +-import nose.exc + + from keystone.catalog import core + from keystone import config +@@ -2065,17 +2066,19 @@ class TokenTests(object): + 'trust_id': None, + 'user': {'id': 'testuserid'}} + data_ref = self.token_api.create_token(token_id, data) +- expires = data_ref.pop('expires') +- data_ref.pop('user_id') ++ data_ref_copy = copy.deepcopy(data_ref) ++ expires = data_ref_copy.pop('expires') ++ data_ref_copy.pop('user_id') + self.assertTrue(isinstance(expires, datetime.datetime)) +- self.assertDictEqual(data_ref, data) ++ self.assertDictEqual(data_ref_copy, data) + + new_data_ref = self.token_api.get_token(token_id) +- expires = new_data_ref.pop('expires') +- new_data_ref.pop('user_id') ++ new_data_ref_copy = copy.deepcopy(new_data_ref) ++ expires = new_data_ref_copy.pop('expires') ++ new_data_ref_copy.pop('user_id') + + self.assertTrue(isinstance(expires, datetime.datetime)) +- self.assertEquals(new_data_ref, data) ++ self.assertEquals(new_data_ref_copy, data) + + self.token_api.delete_token(token_id) + self.assertRaises(exception.TokenNotFound, +@@ -2248,6 +2251,36 @@ class TokenTests(object): + self.check_list_revoked_tokens([self.delete_token() + for x in xrange(2)]) + ++ def test_predictable_revoked_pki_token_id(self): ++ # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the ++ # returned token str in master, but not in grizzly. ++ # revising _create_token_id() in grizzly to include the ++ # previx breaks several other tests here ++ token_id = 'MII' + self._create_token_id() ++ token_id_hash = hashlib.md5(token_id).hexdigest() ++ token = {'user': {'id': uuid.uuid4().hex}} ++ ++ self.token_api.create_token(token_id, token) ++ self.token_api.delete_token(token_id) ++ ++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()] ++ self.assertIn(token_id_hash, revoked_ids) ++ self.assertNotIn(token_id, revoked_ids) ++ for t in self.token_api.list_revoked_tokens(): ++ self.assertIn('expires', t) ++ ++ def test_predictable_revoked_uuid_token_id(self): ++ token_id = uuid.uuid4().hex ++ token = {'user': {'id': uuid.uuid4().hex}} ++ ++ self.token_api.create_token(token_id, token) ++ self.token_api.delete_token(token_id) ++ ++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()] ++ self.assertIn(token_id, revoked_ids) ++ for t in self.token_api.list_revoked_tokens(): ++ self.assertIn('expires', t) ++ + + class TrustTests(object): + def create_sample_trust(self, new_id): +-- +1.8.2.1 (Apple Git-45) + diff --git a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild index e8eba2575642..33d6a7cff4ea 100644 --- a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild +++ b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r6.ebuild,v 1.1 2013/07/17 16:30:36 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r7.ebuild,v 1.1 2013/09/11 16:01:38 prometheanfire Exp $ EAPI=5 #test restricted becaues of bad requirements given (old webob for instance) @@ -74,6 +74,7 @@ PATCHES=( "${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch" "${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch" "${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch" + "${FILESDIR}/keystone-cve-2013-4294-folsom.patch" "${FILESDIR}/2012.2.4-upstream-1181157.patch" ) diff --git a/sys-auth/keystone/keystone-2013.1.3.ebuild b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild index 498607be2433..6a6023ca7840 100644 --- a/sys-auth/keystone/keystone-2013.1.3.ebuild +++ b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3.ebuild,v 1.1 2013/08/11 00:56:17 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r1.ebuild,v 1.1 2013/09/11 16:01:37 prometheanfire Exp $ EAPI=5 #test restricted becaues of bad requirements given (old webob for instance) @@ -70,6 +70,7 @@ RDEPEND="${DEPEND} # dev-python/webtest # ) PATCHES=( + "${FILESDIR}/keystone-cve-2013-4294-grizzly.patch" ) # "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch" # |