components/python/keystoneclient/patches/01-CVE-2014-7144.patch
branchs11u2-sru
changeset 4156 4b1def16fe9b
parent 4146 097063f324c0
child 4157 92532a6159e7
4146:097063f324c0 4156:4b1def16fe9b
     1 This upstream patch addresses CVE-2014-7144 and is tracked under
       
     2 Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and
       
     3 python-keystoneclient 0.11.0. It has been modified to apply cleanly
       
     4 into our current python-keystoneclient 0.8.0 implementation.
       
     5 
       
     6 commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
       
     7 Author: Qin Zhao <[email protected]>
       
     8 Date:   Wed Aug 6 15:47:58 2014 +0800
       
     9 
       
    10     Fix the condition expression for ssl_insecure
       
    11     
       
    12     In the existing code, self.ssl_insecure is a string. If insecure
       
    13     option is set in nova api-paste.ini, whatever it is 'true' or
       
    14     'false', kwargs['verify'] will become False. This commit corrects
       
    15     the condition expression. This patch is backported from
       
    16     https://review.openstack.org/#/c/113191/
       
    17     
       
    18     Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
       
    19     Closes-Bug: 1353315
       
    20 
       
    21 diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
       
    22 index d2eb29b..b0316dd 100644
       
    23 --- python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py.~1~	2014-04-16 20:01:14.000000000 -0700
       
    24 +++ python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py	2014-09-25 15:54:35.018360494 -0700
       
    25 @@ -369,6 +369,27 @@ def safe_quote(s):
       
    26      return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
       
    27  
       
    28  
       
    29 +def _conf_values_type_convert(conf):
       
    30 +    """Convert conf values into correct type."""
       
    31 +    if not conf:
       
    32 +        return {}
       
    33 +    _opts = {}
       
    34 +    opt_types = dict((o.dest, o.type) for o in opts)
       
    35 +    for k, v in six.iteritems(conf):
       
    36 +        try:
       
    37 +            if v is None:
       
    38 +                _opts[k] = v
       
    39 +            else:
       
    40 +                _opts[k] = opt_types[k](v)
       
    41 +        except KeyError:
       
    42 +            _opts[k] = v
       
    43 +        except ValueError as e:
       
    44 +            raise ConfigurationError(
       
    45 +                'Unable to convert the value of %s option into correct '
       
    46 +                'type: %s' % (k, e))
       
    47 +    return _opts
       
    48 +
       
    49 +
       
    50  class InvalidUserToken(Exception):
       
    51      pass
       
    52  
       
    53 @@ -404,7 +425,10 @@ class AuthProtocol(object):
       
    54      def __init__(self, app, conf):
       
    55          self.LOG = logging.getLogger(conf.get('log_name', __name__))
       
    56          self.LOG.info('Starting keystone auth_token middleware')
       
    57 -        self.conf = conf
       
    58 +        # NOTE(wanghong): If options are set in paste file, all the option
       
    59 +        # values passed into conf are string type. So, we should convert the
       
    60 +        # conf value into correct type.
       
    61 +        self.conf = _conf_values_type_convert(conf)
       
    62          self.app = app
       
    63  
       
    64          # delay_auth_decision means we still allow unauthenticated requests
       
    65 diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py
       
    66 index 5e1a71f..d794ae3 100644
       
    67 --- python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py.~1~	2014-04-16 20:01:14.000000000 -0700
       
    68 +++ python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py	2014-09-25 15:52:13.791997920 -0700
       
    69 @@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM
       
    70          self.assertEqual(
       
    71              set([inner_cache, outer_cache]), set(self.middleware._cache_pool))
       
    72  
       
    73 +    def test_conf_values_type_convert(self):
       
    74 +        conf = {
       
    75 +            'revocation_cache_time': '24',
       
    76 +            'identity_uri': 'https://keystone.example.com:1234',
       
    77 +            'include_service_catalog': '0',
       
    78 +            'nonexsit_option': '0',
       
    79 +        }
       
    80 +
       
    81 +        middleware = auth_token.AuthProtocol(self.fake_app, conf)
       
    82 +        self.assertEqual(datetime.timedelta(seconds=24),
       
    83 +                         middleware.token_revocation_list_cache_timeout)
       
    84 +        self.assertEqual(False, middleware.include_service_catalog)
       
    85 +        self.assertEqual('https://keystone.example.com:1234',
       
    86 +                         middleware.identity_uri)
       
    87 +        self.assertEqual('0', middleware.conf['nonexsit_option'])
       
    88 +
       
    89 +    def test_conf_values_type_convert_with_wrong_value(self):
       
    90 +        conf = {
       
    91 +            'include_service_catalog': '123',
       
    92 +        }
       
    93 +        self.assertRaises(auth_token.ConfigurationError,
       
    94 +                          auth_token.AuthProtocol, self.fake_app, conf)
       
    95 +
       
    96  
       
    97  class CommonAuthTokenMiddlewareTest(object):
       
    98
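Review bot: Neither added test exercises the `insecure` option, which is the setting this CVE fix exists for; `test_conf_values_type_convert` only checks `revocation_cache_time`, `identity_uri`, `include_service_catalog` and an unknown key. A regression case that passes the string `'false'` and asserts certificate verification stays enabled would pin the fix, for example `self.assertFalse(auth_token.AuthProtocol(self.fake_app, {'insecure': 'false'}).ssl_insecure)`, where the option and attribute names are taken from the commit description and should be confirmed against the 0.8.0 backport. Separately, the `except KeyError` branch in `_conf_values_type_convert` keeps any key not registered in `opts` as a raw string (the test asserts `'0'` for `nonexsit_option`), so an option the middleware reads but that is missing from `opts` would still be truthy when set to `'false'`; a comment on that branch such as `# unregistered keys stay str: never test them for truthiness` would make the remaining gap explicit. `AuthProtocol.__init__` and the test class both continue outside the hunks shown.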