1 This upstream patch addresses CVE-2014-7144 and is tracked under |
2 Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and |
3 python-keystoneclient 0.11.0. It has been modified to apply cleanly |
4 into our current python-keystoneclient 0.8.0 implementation. |
5 |
6 commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc |
7 Author: Qin Zhao <[email protected]> |
8 Date: Wed Aug 6 15:47:58 2014 +0800 |
9 |
10 Fix the condition expression for ssl_insecure |
11 |
12 In the existing code, self.ssl_insecure is a string. If insecure |
13 option is set in nova api-paste.ini, whatever it is 'true' or |
14 'false', kwargs['verify'] will become False. This commit corrects |
15 the condition expression. This patch is backported from |
16 https://review.openstack.org/#/c/113191/ |
17 |
18 Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03 |
19 Closes-Bug: 1353315 |
20 |
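--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -369,6 +369,27 @@ def safe_quote(s):
 return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
 
 
+def _conf_values_type_convert(conf):
+ """Convert conf values into correct type."""
+ if not conf:
+ return {}
+ _opts = {}
+ opt_types = dict((o.dest, o.type) for o in opts)
+ for k, v in six.iteritems(conf):
+ try:
+ if v is None:
+ _opts[k] = v
+ else:
+ _opts[k] = opt_types[k](v)
+ except KeyError:
+ _opts[k] = v
+ except ValueError as e:
+ raise ConfigurationError(
+ 'Unable to convert the value of %s option into correct '
+ 'type: %s' % (k, e))
+ return _opts
+
+
 class InvalidUserToken(Exception):
 pass
 
@@ -404,7 +425,10 @@ class AuthProtocol(object):
 def __init__(self, app, conf):
 self.LOG = logging.getLogger(conf.get('log_name', __name__))
 self.LOG.info('Starting keystone auth_token middleware')
- self.conf = conf
+ # NOTE(wanghong): If options are set in paste file, all the option
+ # values passed into conf are string type. So, we should convert the
+ # conf value into correct type.
+ self.conf = _conf_values_type_convert(conf)
 self.app = app
 
 # delay_auth_decision means we still allow unauthenticated requests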
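Review bot: In `_conf_values_type_convert` the `try` covers both the `opt_types[k]` lookup and the converter call, so a `KeyError` raised from inside a converter would be handled as an unknown option and the raw string kept, which is the string-truthiness condition the commit message describes for `insecure`. Separating the lookup from the conversion limits that fallback to unregistered keys; whether any registered type can raise `KeyError` is not visible here, so this is hardening rather than a confirmed defect. The docstring should also state that `None` values and unregistered keys are returned unchanged and that a failed conversion raises `ConfigurationError`. `AuthProtocol.__init__` continues past the end of the second hunk.

```python
    opt_types = dict((o.dest, o.type) for o in opts)
    for k, v in six.iteritems(conf):
        convert = opt_types.get(k)
        if v is None or convert is None:
            # Unset value or unregistered option: keep it as given.
            _opts[k] = v
            continue
        try:
            _opts[k] = convert(v)
        except ValueError as e:
            # … unchanged: raise ConfigurationError with the option name …
```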
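--- a/keystoneclient/tests/test_auth_token_middleware.py
+++ b/keystoneclient/tests/test_auth_token_middleware.py
@@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM
 self.assertEqual(
 set([inner_cache, outer_cache]), set(self.middleware._cache_pool))
 
+ def test_conf_values_type_convert(self):
+ conf = {
+ 'revocation_cache_time': '24',
+ 'identity_uri': 'https://keystone.example.com:1234',
+ 'include_service_catalog': '0',
+ 'nonexsit_option': '0',
+ }
+
+ middleware = auth_token.AuthProtocol(self.fake_app, conf)
+ self.assertEqual(datetime.timedelta(seconds=24),
+ middleware.token_revocation_list_cache_timeout)
+ self.assertEqual(False, middleware.include_service_catalog)
+ self.assertEqual('https://keystone.example.com:1234',
+ middleware.identity_uri)
+ self.assertEqual('0', middleware.conf['nonexsit_option'])
+
+ def test_conf_values_type_convert_with_wrong_value(self):
+ conf = {
+ 'include_service_catalog': '123',
+ }
+ self.assertRaises(auth_token.ConfigurationError,
+ auth_token.AuthProtocol, self.fake_app, conf)
+
 
 class CommonAuthTokenMiddlewareTest(object):
 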
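Review bot: Neither added test exercises the option this fix is about: the commit message says a string `'false'` for `insecure` still disabled certificate verification, yet the conf dicts here only cover `revocation_cache_time`, `identity_uri`, `include_service_catalog` and an unknown key. A regression test such as `middleware = auth_token.AuthProtocol(self.fake_app, {'insecure': 'false'})` followed by `self.assertFalse(middleware.ssl_insecure)` would pin the behaviour; the attribute name is taken from the commit message and should be checked against the class. The key `'nonexsit_option'` is presumably a misspelling of "nonexistent" and could be renamed in both places it appears. The enclosing `NoMemcacheAuthToken` class starts outside the hunk.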