Merge lp:~james-page/keystone/folsom-resync into lp:~openstack-ubuntu-testing/keystone/folsom

Proposed by James Page
Status: Merged
Approved by: Chuck Short
Approved revision: 162
Merged at revision: 161
Proposed branch: lp:~james-page/keystone/folsom-resync
Merge into: lp:~openstack-ubuntu-testing/keystone/folsom
Diff against target: 169 lines (+135/-1)
3 files modified
debian/changelog (+27/-1)
debian/patches/CVE-2013-1865.patch (+107/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~james-page/keystone/folsom-resync
Reviewer Review Type Date Requested Status
Openstack Ubuntu Testers Pending
Review via email: mp+154954@code.launchpad.net

Description of the change

Resync of pending SRU with security updates



=== modified file 'debian/changelog'
--- debian/changelog 2013-02-21 00:51:14 +0000
+++ debian/changelog 2013-03-22 13:42:10 +0000
@@ -1,4 +1,4 @@
1keystone (2012.2.3+stable-20130220-37b35328-0ubuntu1) quantal-proposed; urgency=low1keystone (2012.2.3+stable-20130220-37b35328-0ubuntu1) UNRELEASED; urgency=low
22
3 * Dropped patches, applied upstream:3 * Dropped patches, applied upstream:
4 - debian/patches/CVE-2013-0282.patch: [f0b4d30]4 - debian/patches/CVE-2013-0282.patch: [f0b4d30]
@@ -11,6 +11,23 @@
1111
12 -- Adam Gandelman <adamg@ubuntu.com> Wed, 20 Feb 2013 16:32:14 -040012 -- Adam Gandelman <adamg@ubuntu.com> Wed, 20 Feb 2013 16:32:14 -0400
1313
14keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu2) quantal-proposed; urgency=low
15
16 * Resync with latest security updates.
17 * SECURITY UPDATE: fix PKI revocation bypass
18 - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
19 - CVE-2013-1865
20 * SECURITY UPDATE: fix EC2-style authentication for disabled users
21 - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
22 to ensure user and tenant are enabled in EC2
23 - CVE-2013-0282
24 * SECURITY UPDATE: fix denial of service
25 - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
26 - CVE-2013-1664
27 - CVE-2013-1665
28
29 -- James Page <james.page@ubuntu.com> Fri, 22 Mar 2013 12:02:56 +0000
30
14keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu1) quantal-proposed; urgency=low31keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu1) quantal-proposed; urgency=low
1532
16 [ Adam Gandelman ]33 [ Adam Gandelman ]
@@ -31,6 +48,15 @@
3148
32 -- Adam Gandelman <adamg@ubuntu.com> Wed, 06 Feb 2013 11:13:12 -040049 -- Adam Gandelman <adamg@ubuntu.com> Wed, 06 Feb 2013 11:13:12 -0400
3350
51keystone (2012.2.1-0ubuntu1.3) quantal-security; urgency=low
52
53 * SECURITY UPDATE: fix PKI revocation bypass
54 - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
55 - CVE-2013-1865
56 - LP: #1129713
57
58 -- Jamie Strandboge <jamie@ubuntu.com> Wed, 20 Mar 2013 08:45:09 -0500
59
34keystone (2012.2.1-0ubuntu1.2) quantal-security; urgency=low60keystone (2012.2.1-0ubuntu1.2) quantal-security; urgency=low
3561
36 * SECURITY UPDATE: fix EC2-style authentication for disabled users62 * SECURITY UPDATE: fix EC2-style authentication for disabled users
3763
=== added file 'debian/patches/CVE-2013-1865.patch'
--- debian/patches/CVE-2013-1865.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/CVE-2013-1865.patch 2013-03-22 13:42:10 +0000
@@ -0,0 +1,107 @@
1From 176f11421236156f4c48bac0c4732c281527d563 Mon Sep 17 00:00:00 2001
2From: Adam Young <ayoung@redhat.com>
3Date: Thu, 14 Mar 2013 12:05:24 -0500
4Subject: [PATCH] validate from backend
5
6In certain cases we were depending on CMS to validate PKI tokens
7but that is not necessary, and by passes the revocation check
8
9Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
10---
11 keystone/service.py | 19 ++++++-------------
12 tests/test_service.py | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
13 2 files changed, 57 insertions(+), 13 deletions(-)
14
15diff --git a/keystone/service.py b/keystone/service.py
16index c088986..9799e3a 100644
17--- a/keystone/service.py
18+++ b/keystone/service.py
19@@ -490,20 +490,13 @@ class TokenController(wsgi.Application):
20 """
21 # TODO(termie): this stuff should probably be moved to middleware
22 self.assert_admin(context)
23+ data = self.token_api.get_token(context=context, token_id=token_id)
24+ if belongs_to:
25+ if (not data.get('tenant') or data['tenant'].get('id') !=
26+ belongs_to):
27+ raise exception.Unauthorized()
28
29- if cms.is_ans1_token(token_id):
30- data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
31- config.CONF.signing.certfile,
32- config.CONF.signing.ca_certs))
33- data['access']['token']['user'] = data['access']['user']
34- data['access']['token']['metadata'] = data['access']['metadata']
35- if belongs_to:
36- assert data['access']['token']['tenant']['id'] == belongs_to
37- token_ref = data['access']['token']
38- else:
39- token_ref = self.token_api.get_token(context=context,
40- token_id=token_id)
41- return token_ref
42+ return data
43
44 # admin only
45 def validate_token_head(self, context, token_id):
46diff --git a/tests/test_service.py b/tests/test_service.py
47index f48bd9a..487e5ac 100644
48--- a/tests/test_service.py
49+++ b/tests/test_service.py
50@@ -150,3 +150,54 @@ class AuthTest(test.TestCase):
51 body_dict = _build_user_auth(username='FOO', password='0' * 8193)
52 self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
53 {}, body_dict)
54+
55+
56+class AuthWithToken(AuthTest):
57+ def setUp(self):
58+ super(AuthWithToken, self).setUp()
59+
60+ def test_belongs_to_no_tenant(self):
61+ r = self.api.authenticate(
62+ {},
63+ auth={
64+ 'passwordCredentials': {
65+ 'username': self.user_foo['name'],
66+ 'password': self.user_foo['password']
67+ }
68+ })
69+ unscoped_token_id = r['access']['token']['id']
70+ self.assertRaises(
71+ exception.Unauthorized,
72+ self.api.validate_token,
73+ dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
74+ token_id=unscoped_token_id)
75+
76+ def test_belongs_to_wrong_tenant(self):
77+ body_dict = _build_user_auth(
78+ username='FOO',
79+ password='foo2',
80+ tenant_name="BAR")
81+
82+ scoped_token = self.api.authenticate({}, body_dict)
83+ scoped_token_id = scoped_token['access']['token']['id']
84+
85+ self.assertRaises(
86+ exception.Unauthorized,
87+ self.api.validate_token,
88+ dict(is_admin=True, query_string={'belongsTo': 'me'}),
89+ token_id=scoped_token_id)
90+
91+ def test_belongs_to(self):
92+ body_dict = _build_user_auth(
93+ username='FOO',
94+ password='foo2',
95+ tenant_name="BAR")
96+
97+ scoped_token = self.api.authenticate({}, body_dict)
98+ scoped_token_id = scoped_token['access']['token']['id']
99+
100+ self.assertRaises(
101+ exception.Unauthorized,
102+ self.api.validate_token,
103+ dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
104+ token_id=scoped_token_id)
105--
1061.8.1.3
107
0108
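Review bot: The three new tests in tests/test_service.py all assert `exception.Unauthorized`, so nothing in this patch confirms the success path of the rewritten validate_token — that a scoped token validated with `belongsTo` set to its own tenant id is returned rather than rejected. `test_belongs_to` is named as that positive case yet makes the same assertion as `test_belongs_to_wrong_tenant`; presumably it only passes because the fixture tenant's id differs from its name 'BAR', which deserves a comment such as `# belongsTo takes a tenant id, so the tenant name must be rejected` plus a companion test that passes the tenant id and asserts the token comes back. The backend-only path also relies on `token_api.get_token` raising for a revoked or unknown token, which is the revocation check the old CMS branch skipped and is not exercised by any test here. validate_token begins before the patched hunk, and whether the `cms`, `json` and `config` names referenced only in the removed lines are still used elsewhere in service.py (otherwise their imports are now dead) is not visible on this page.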
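--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 fix-ubuntu-tests.patch
 sql_connection.patch
+CVE-2013-1865.patch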
