components/python/keystoneclient/patches/01-CVE-2014-7144.patch
author david.comay@oracle.com
Mon, 13 Oct 2014 19:15:19 -0700
branchs11u2-sru
changeset 3390 b1b8d4b96c7f
permissions -rw-r--r--
19692613 problem in SERVICE/KEYSTONE
This upstream patch addresses CVE-2014-7144 and is tracked under
Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and
python-keystoneclient 0.11.0. It has been modified to apply cleanly
into our current python-keystoneclient 0.8.0 implementation.
commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
Author: Qin Zhao <[email protected]>
Date:   Wed Aug 6 15:47:58 2014 +0800
    Fix the condition expression for ssl_insecure
    
    In the existing code, self.ssl_insecure is a string. If insecure
    option is set in nova api-paste.ini, whatever it is 'true' or
    'false', kwargs['verify'] will become False. This commit corrects
    the condition expression. This patch is backported from
    https://review.openstack.org/#/c/113191/
    
    Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
    Closes-Bug: 1353315
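diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index d2eb29b..b0316dd 100644
--- python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py.~1~	2014-04-16 20:01:14.000000000 -0700
+++ python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py	2014-09-25 15:54:35.018360494 -0700
@@ -369,6 +369,27 @@ def safe_quote(s):
     return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
 
 
+def _conf_values_type_convert(conf):
+    """Convert conf values into correct type."""
+    if not conf:
+        return {}
+    _opts = {}
+    opt_types = dict((o.dest, o.type) for o in opts)
+    for k, v in six.iteritems(conf):
+        try:
+            if v is None:
+                _opts[k] = v
+            else:
+                _opts[k] = opt_types[k](v)
+        except KeyError:
+            _opts[k] = v
+        except ValueError as e:
+            raise ConfigurationError(
+                'Unable to convert the value of %s option into correct '
+                'type: %s' % (k, e))
+    return _opts
+
+
 class InvalidUserToken(Exception):
     pass
 
@@ -404,7 +425,10 @@ class AuthProtocol(object):
     def __init__(self, app, conf):
         self.LOG = logging.getLogger(conf.get('log_name', __name__))
         self.LOG.info('Starting keystone auth_token middleware')
-        self.conf = conf
+        # NOTE(wanghong): If options are set in paste file, all the option
+        # values passed into conf are string type. So, we should convert the
+        # conf value into correct type.
+        self.conf = _conf_values_type_convert(conf)
         self.app = app
 
         # delay_auth_decision means we still allow unauthenticated requests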
diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py
    66
index 5e1a71f..d794ae3 100644
    67
--- python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py.~1~	2014-04-16 20:01:14.000000000 -0700
    68
+++ python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py	2014-09-25 15:52:13.791997920 -0700
    69
@@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM
    70
         self.assertEqual(
    71
             set([inner_cache, outer_cache]), set(self.middleware._cache_pool))
    72
 
    73
+    def test_conf_values_type_convert(self):
    74
+        conf = {
    75
+            'revocation_cache_time': '24',
    76
+            'identity_uri': 'https://keystone.example.com:1234',
    77
+            'include_service_catalog': '0',
    78
+            'nonexsit_option': '0',
    79
+        }
    80
+
    81
+        middleware = auth_token.AuthProtocol(self.fake_app, conf)
    82
+        self.assertEqual(datetime.timedelta(seconds=24),
    83
+                         middleware.token_revocation_list_cache_timeout)
    84
+        self.assertEqual(False, middleware.include_service_catalog)
    85
+        self.assertEqual('https://keystone.example.com:1234',
    86
+                         middleware.identity_uri)
    87
+        self.assertEqual('0', middleware.conf['nonexsit_option'])
    88
+
    89
+    def test_conf_values_type_convert_with_wrong_value(self):
    90
+        conf = {
    91
+            'include_service_catalog': '123',
    92
+        }
    93
+        self.assertRaises(auth_token.ConfigurationError,
    94
+                          auth_token.AuthProtocol, self.fake_app, conf)
    95
+
    96
 
    97
 class CommonAuthTokenMiddlewareTest(object):
    98