1 |
This upstream patch addresses CVE-2014-7144 and is tracked under
|
|
2 |
Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and
|
|
3 |
python-keystoneclient 0.11.0. It has been modified to apply cleanly
|
|
4 |
into our current python-keystoneclient 0.8.0 implementation.
|
|
5 |
|
|
6 |
commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
|
|
7 |
Author: Qin Zhao <[email protected]>
|
|
8 |
Date: Wed Aug 6 15:47:58 2014 +0800
|
|
9 |
|
|
10 |
Fix the condition expression for ssl_insecure
|
|
11 |
|
|
12 |
In the existing code, self.ssl_insecure is a string. If insecure
|
|
13 |
option is set in nova api-paste.ini, whether it is 'true' or
|
|
14 |
'false', kwargs['verify'] will become False. This commit corrects
|
|
15 |
the condition expression. This patch is backported from
|
|
16 |
https://review.openstack.org/#/c/113191/
|
|
17 |
|
|
18 |
Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
|
|
19 |
Closes-Bug: 1353315
|
|
20 |
|
|
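--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -369,6 +369,27 @@ def safe_quote(s):
 return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
 
 
+def _conf_values_type_convert(conf):
+ """Convert conf values into correct type."""
+ if not conf:
+ return {}
+ _opts = {}
+ opt_types = dict((o.dest, o.type) for o in opts)
+ for k, v in six.iteritems(conf):
+ try:
+ if v is None:
+ _opts[k] = v
+ else:
+ _opts[k] = opt_types[k](v)
+ except KeyError:
+ _opts[k] = v
+ except ValueError as e:
+ raise ConfigurationError(
+ 'Unable to convert the value of %s option into correct '
+ 'type: %s' % (k, e))
+ return _opts
+
+
 class InvalidUserToken(Exception):
 pass
 
@@ -404,7 +425,10 @@ class AuthProtocol(object):
 def __init__(self, app, conf):
 self.LOG = logging.getLogger(conf.get('log_name', __name__))
 self.LOG.info('Starting keystone auth_token middleware')
- self.conf = conf
+ # NOTE(wanghong): If options are set in paste file, all the option
+ # values passed into conf are string type. So, we should convert the
+ # conf value into correct type.
+ self.conf = _conf_values_type_convert(conf)
 self.app = app
 
 # delay_auth_decision means we still allow unauthenticated requests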
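Review bot: In `_conf_values_type_convert` the `try` wraps both the `opt_types[k]` lookup and the converter call, so a `KeyError` raised from inside a converter would be treated as "option not registered" and the raw string kept. For a boolean option such as `insecure`, that would silently bring back the always-truthy string this patch is meant to eliminate. Whether any registered converter can raise `KeyError` is not visible in this hunk, but separating the lookup from the conversion removes the ambiguity and makes the pass-through path explicit. The one-line docstring should also state that keys absent from `opts` are returned unchanged and that an unconvertible value raises `ConfigurationError`.

```python
    for k, v in six.iteritems(conf):
        convert = opt_types.get(k)
        if v is None or convert is None:
            # Unset value or option not registered in opts: keep as given.
            _opts[k] = v
            continue
        try:
            _opts[k] = convert(v)
        except ValueError as e:
            # … unchanged: raise ConfigurationError naming the option and the error …
```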
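--- a/keystoneclient/tests/test_auth_token_middleware.py
+++ b/keystoneclient/tests/test_auth_token_middleware.py
@@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM
 self.assertEqual(
 set([inner_cache, outer_cache]), set(self.middleware._cache_pool))
 
+ def test_conf_values_type_convert(self):
+ conf = {
+ 'revocation_cache_time': '24',
+ 'identity_uri': 'https://keystone.example.com:1234',
+ 'include_service_catalog': '0',
+ 'nonexsit_option': '0',
+ }
+
+ middleware = auth_token.AuthProtocol(self.fake_app, conf)
+ self.assertEqual(datetime.timedelta(seconds=24),
+ middleware.token_revocation_list_cache_timeout)
+ self.assertEqual(False, middleware.include_service_catalog)
+ self.assertEqual('https://keystone.example.com:1234',
+ middleware.identity_uri)
+ self.assertEqual('0', middleware.conf['nonexsit_option'])
+
+ def test_conf_values_type_convert_with_wrong_value(self):
+ conf = {
+ 'include_service_catalog': '123',
+ }
+ self.assertRaises(auth_token.ConfigurationError,
+ auth_token.AuthProtocol, self.fake_app, conf)
+
 
 class CommonAuthTokenMiddlewareTest(object):
 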
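Review bot: Neither new test sets the option this CVE fix is about: `insecure` appears in none of the conf dicts, so a regression where the string 'false' again turns certificate verification off would still pass. Add a case along the lines of `middleware = auth_token.AuthProtocol(self.fake_app, {'insecure': 'false'})` followed by `self.assertFalse(middleware.ssl_insecure)`, plus the 'true' counterpart; the attribute name is taken from the commit message and should be confirmed against the class. Separately, `'nonexsit_option'` looks like a misspelling of "nonexistent"; it is harmless here because the test only needs an unregistered key, but it is worth correcting for readability.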