Merge lp:~niedbalski/python-keystoneclient/kilo-fix-lp-1368545 into lp:~ubuntu-server-dev/python-keystoneclient/kilo

Proposed by Jorge Niedbalski
Status: Merged
Merged at revision: 100
Proposed branch: lp:~niedbalski/python-keystoneclient/kilo-fix-lp-1368545
Merge into: lp:~ubuntu-server-dev/python-keystoneclient/kilo
Diff against target: 145 lines (+123/-0)
4 files modified
debian/changelog (+17/-0)
debian/patches/CVE-2015-1852.patch (+79/-0)
debian/patches/fix-1368545.patch (+25/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~niedbalski/python-keystoneclient/kilo-fix-lp-1368545
Reviewer: Corey Bryant (Status: Approve)
Review via email: mp+267361@code.launchpad.net

Description of the change

Fixes LP: #1368545

104. By Jorge Niedbalski

Typo on description

Revision history for this message
Corey Bryant (corey.bryant) :
review: Approve

Preview Diff

=== modified file 'debian/changelog'
--- debian/changelog 2015-03-05 14:03:29 +0000
+++ debian/changelog 2015-08-07 15:08:21 +0000
@@ -1,3 +1,20 @@
1python-keystoneclient (1:1.2.0-0ubuntu1.2) vivid; urgency=medium
2
3 * debian/patches/fix-1368545.patch: Changing the value type of
4 http_connect_timeout to IntOpt. (LP: #1368545)
5
6 -- Jorge Niedbalski <jorge.niedbalski@canonical.com> Fri, 07 Aug 2015 11:53:37 -0300
7
8python-keystoneclient (1:1.2.0-0ubuntu1.1) vivid-security; urgency=medium
9
10 * SECURITY UPDATE: incorrect cert verification with ssl_insecure option
11 - debian/patches/CVE-2015-1852.patch: properly parse option in
12 keystoneclient/middleware/s3_token.py, added test to
13 keystoneclient/tests/unit/test_s3_token_middleware.py.
14 - CVE-2015-1852
15
16 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 16 Jul 2015 14:44:43 -0400
17
1python-keystoneclient (1:1.2.0-0ubuntu1) vivid; urgency=medium18python-keystoneclient (1:1.2.0-0ubuntu1) vivid; urgency=medium
219
3 * New upstream release. 20 * New upstream release.
421
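Review bot: The new 1:1.2.0-0ubuntu1.2 entry describes only fix-1368545.patch, yet the same branch also adds debian/patches/CVE-2015-1852.patch together with the 1:1.2.0-0ubuntu1.1 vivid-security entry, so it is carrying the security upload into the packaging branch as well. The merge description ("Fixes LP: #1368545") should say so, and the CVE patch should be checked byte-for-byte against what was actually uploaded to vivid-security, otherwise the SRU can silently diverge from the security pocket.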
=== added file 'debian/patches/CVE-2015-1852.patch'
--- debian/patches/CVE-2015-1852.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/CVE-2015-1852.patch 2015-08-07 15:08:21 +0000
@@ -0,0 +1,79 @@
1From 85eeecbd3d06e98011def3d0d8329646cc175163 Mon Sep 17 00:00:00 2001
2From: Brant Knudson <bknudson@us.ibm.com>
3Date: Tue, 7 Apr 2015 19:38:29 +0000
4Subject: [PATCH] Fix s3_token middleware parsing insecure option
5
6The "insecure" option was being treated as a bool when it was
7actually provided as a string. The fix is to parse the string to
8a bool.
9
10Closes-Bug: 1411063
11Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
12---
13 keystoneclient/middleware/s3_token.py | 3 ++-
14 .../tests/unit/test_s3_token_middleware.py | 24 +++++++++++++++++++++-
15 2 files changed, 25 insertions(+), 2 deletions(-)
16
17Index: python-keystoneclient-1.2.0/keystoneclient/middleware/s3_token.py
18===================================================================
19--- python-keystoneclient-1.2.0.orig/keystoneclient/middleware/s3_token.py 2015-07-16 14:44:32.325609427 -0400
20+++ python-keystoneclient-1.2.0/keystoneclient/middleware/s3_token.py 2015-07-16 14:44:32.321609377 -0400
21@@ -34,6 +34,7 @@
22 import logging
23
24 from oslo_serialization import jsonutils
25+from oslo_utils import strutils
26 import requests
27 import six
28 from six.moves import urllib
29@@ -116,7 +117,7 @@
30 self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)
31
32 # SSL
33- insecure = conf.get('insecure', False)
34+ insecure = strutils.bool_from_string(conf.get('insecure', False))
35 cert_file = conf.get('certfile')
36 key_file = conf.get('keyfile')
37
38Index: python-keystoneclient-1.2.0/keystoneclient/tests/unit/test_s3_token_middleware.py
39===================================================================
40--- python-keystoneclient-1.2.0.orig/keystoneclient/tests/unit/test_s3_token_middleware.py 2015-07-16 14:44:32.325609427 -0400
41+++ python-keystoneclient-1.2.0/keystoneclient/tests/unit/test_s3_token_middleware.py 2015-07-16 14:44:32.325609427 -0400
42@@ -122,7 +122,7 @@
43 @mock.patch.object(requests, 'post')
44 def test_insecure(self, MOCK_REQUEST):
45 self.middleware = (
46- s3_token.filter_factory({'insecure': True})(FakeApp()))
47+ s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
48
49 text_return_value = jsonutils.dumps(GOOD_RESPONSE)
50 if six.PY3:
51@@ -140,6 +140,28 @@
52 mock_args, mock_kwargs = MOCK_REQUEST.call_args
53 self.assertIs(mock_kwargs['verify'], False)
54
55+ def test_insecure_option(self):
56+ # insecure is passed as a string.
57+
58+ # Some non-secure values.
59+ true_values = ['true', 'True', '1', 'yes']
60+ for val in true_values:
61+ config = {'insecure': val, 'certfile': 'false_ind'}
62+ middleware = s3_token.filter_factory(config)(FakeApp())
63+ self.assertIs(False, middleware.verify)
64+
65+ # Some "secure" values, including unexpected value.
66+ false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
67+ for val in false_values:
68+ config = {'insecure': val, 'certfile': 'false_ind'}
69+ middleware = s3_token.filter_factory(config)(FakeApp())
70+ self.assertEqual('false_ind', middleware.verify)
71+
72+ # Default is secure.
73+ config = {'certfile': 'false_ind'}
74+ middleware = s3_token.filter_factory(config)(FakeApp())
75+ self.assertIs('false_ind', middleware.verify)
76+
77
78 class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
79 def setUp(self):
080
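Review bot: The security-relevant change is the single line `insecure = strutils.bool_from_string(conf.get('insecure', False))`: the option arrives from the filter config as a string, so before the fix any non-empty value, including `insecure = false`, was truthy and turned off certificate verification (`verify=False`) on the request to the Identity service. With `bool_from_string` only oslo's true-strings disable verification and anything unrecognized falls back to secure, which `test_insecure_option` checks with 'someweirdvalue'. Two nits in the test: the default case uses `self.assertIs('false_ind', middleware.verify)`, which passes only because of string interning and should be `assertEqual` like the loop two lines above; and the patch keeps the upstream git header but no DEP-3 `Origin:` line pointing at the upstream change (compare fix-1368545.patch), so provenance is only recoverable from the Change-Id.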
=== added file 'debian/patches/fix-1368545.patch'
--- debian/patches/fix-1368545.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/fix-1368545.patch 2015-08-07 15:08:21 +0000
@@ -0,0 +1,25 @@
1Description: Changing the value type of http_connect_timeout
2
3The value type of http_connect_timeout definition
4is changed from Bool to Int value. Python treats
5a value more than 1 as True but oslo config defines
6Boolean values as 'true, '1', 'yes' and 'on'.
7So http_connect_timeout is only configured 1 or None.
8
9Change-Id: I53075cc04d0ccea543f8e657279534208ed03058
10Closes-bug: #1368545.
11
12Origin: upstream, https://review.openstack.org/#/c/126543
13Bug-Ubuntu: https://bugs.launchpad.net/keystonemiddleware/+bug/1368545
14
15--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/auth_token.py
16+++ python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py
17@@ -212,7 +212,7 @@ opts = [
18 help='Do not handle authorization requests within the'
19 ' middleware, but delegate the authorization decision to'
20 ' downstream WSGI components'),
21- cfg.BoolOpt('http_connect_timeout',
22+ cfg.IntOpt('http_connect_timeout',
23 default=None,
24 help='Request timeout value for communicating with Identity'
25 ' API server.'),
026
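Review bot: Changing `http_connect_timeout` from `cfg.BoolOpt` to `cfg.IntOpt` is a behaviour change for existing deployments, not only a type fix: an auth_token section that currently sets `http_connect_timeout = true` (the commit message itself notes the old option could effectively only be 1 or None) will now fail to parse as an integer at startup, and a meaningless timeout such as 0 or a negative value is not rejected by the option definition, so the changelog should warn about the config migration. The DEP-3 header also needs a look: the hunk paths are `python-keystoneclient-0.7.1.orig/...` while this package is 1.2.0, so confirm quilt applies it without fuzz, and `Bug-Ubuntu:` points at the keystonemiddleware project rather than python-keystoneclient.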
=== added file 'debian/patches/series'
--- debian/patches/series 1970-01-01 00:00:00 +0000
+++ debian/patches/series 2015-08-07 15:08:21 +0000
@@ -0,0 +1,2 @@
1CVE-2015-1852.patch
2fix-1368545.patch
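Review bot: debian/patches/series is created here rather than modified, so the package has shipped with no quilt series until now; confirm debian/source/format is `3.0 (quilt)` (or that debian/rules applies the series) before relying on either patch being applied at build time. The ordering itself is fine: the two patches touch different files (s3_token.py and auth_token.py) and cannot conflict.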
