| author | david.comay@oracle.com |
| Thu, 10 Jul 2014 13:27:03 -0700 | |
| branch | s11-update |
| changeset 3200 | 16d08ab96b7f |
| permissions | -rw-r--r-- |
|
3200
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
1 |
This upstream patch addresses CVE-2014-3520 and is tracked under |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
2 |
Launchpad bug 1331912. It is addressed in Icehouse 2014.1.2 and Havana |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
3 |
2013.2.4. |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
4 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
5 |
commit 96d9bcf230a74d6122a2b14e00ef10915c8f76e3 |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
6 |
Author: Jamie Lennox <[email protected]> |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
7 |
Date: Thu Jun 19 14:41:22 2014 +1000 |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
8 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
9 |
Ensure that in v2 auth tenant_id matches trust |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
10 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
11 |
Previously if a trustee requests a trust scoped token for a project that |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
12 |
is different to the one in the trust, however the trustor has the |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
13 |
appropriate roles then a token would be issued. |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
14 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
15 |
Ensure that the trust that was given matches the project that was |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
16 |
specified in the scope. |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
17 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
18 |
(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
19 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
20 |
Closes-Bug: #1331912 |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
21 |
Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
22 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
23 |
diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
24 |
index 6371caf..0d97f44 100644 |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
25 |
--- a/keystone/tests/test_auth.py |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
26 |
+++ b/keystone/tests/test_auth.py |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
27 |
@@ -624,13 +624,15 @@ class AuthWithTrust(AuthTest): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
28 |
self.new_trust = self.trust_controller.create_trust( |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
29 |
context, trust=trust_data)['trust'] |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
30 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
31 |
- def build_v2_token_request(self, username, password): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
32 |
+ def build_v2_token_request(self, username, password, tenant_id=None): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
33 |
+ if not tenant_id: |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
34 |
+ tenant_id = self.tenant_bar['id'] |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
35 |
body_dict = _build_user_auth(username=username, password=password) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
36 |
self.unscoped_token = self.controller.authenticate({}, body_dict)
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
37 |
unscoped_token_id = self.unscoped_token['access']['token']['id'] |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
38 |
request_body = _build_user_auth(token={'id': unscoped_token_id},
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
39 |
trust_id=self.new_trust['id'], |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
40 |
- tenant_id=self.tenant_bar['id']) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
41 |
+ tenant_id=tenant_id) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
42 |
return request_body |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
43 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
44 |
def test_create_trust_bad_data_fails(self): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
45 |
@@ -704,6 +706,15 @@ class AuthWithTrust(AuthTest): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
46 |
exception.Forbidden, |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
47 |
self.controller.authenticate, {}, request_body)
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
48 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
49 |
+ def test_token_from_trust_wrong_project_fails(self): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
50 |
+ for assigned_role in self.assigned_roles: |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
51 |
+ self.assignment_api.add_role_to_user_and_project( |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
52 |
+ self.trustor['id'], self.tenant_baz['id'], assigned_role) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
53 |
+ request_body = self.build_v2_token_request('TWO', 'two2',
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
54 |
+ self.tenant_baz['id']) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
55 |
+ self.assertRaises(exception.Forbidden, self.controller.authenticate, |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
56 |
+ {}, request_body)
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
57 |
+ |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
58 |
def fetch_v2_token_from_trust(self): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
59 |
request_body = self.build_v2_token_request('TWO', 'two2')
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
60 |
auth_response = self.controller.authenticate({}, request_body)
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
61 |
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
62 |
index 72486a1..de7e473 100644 |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
63 |
--- a/keystone/token/controllers.py |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
64 |
+++ b/keystone/token/controllers.py |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
65 |
@@ -160,6 +160,8 @@ class Auth(controller.V2Controller): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
66 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
67 |
user_ref = old_token_ref['user'] |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
68 |
user_id = user_ref['id'] |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
69 |
+ tenant_id = self._get_project_id_from_auth(auth) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
70 |
+ |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
71 |
if not CONF.trust.enabled and 'trust_id' in auth: |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
72 |
raise exception.Forbidden('Trusts are disabled.')
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
73 |
elif CONF.trust.enabled and 'trust_id' in auth: |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
74 |
@@ -168,6 +170,9 @@ class Auth(controller.V2Controller): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
75 |
raise exception.Forbidden() |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
76 |
if user_id != trust_ref['trustee_user_id']: |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
77 |
raise exception.Forbidden() |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
78 |
+ if (trust_ref['project_id'] and |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
79 |
+ tenant_id != trust_ref['project_id']): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
80 |
+ raise exception.Forbidden() |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
81 |
if ('expires' in trust_ref) and (trust_ref['expires']):
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
82 |
expiry = trust_ref['expires'] |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
83 |
if expiry < timeutils.parse_isotime(timeutils.isotime()): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
84 |
@@ -190,7 +195,6 @@ class Auth(controller.V2Controller): |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
85 |
current_user_ref = self.identity_api.get_user(user_id) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
86 |
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
87 |
metadata_ref = {}
|
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
88 |
- tenant_id = self._get_project_id_from_auth(auth) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
89 |
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
90 |
user_id, tenant_id) |
|
16d08ab96b7f
18686478 kstat warning every minute in nova-compute log on SPARC
david.comay@oracle.com
parents:
diff
changeset
|
91 |