--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/07-CVE-2014-3520.patch Thu Jul 10 13:27:03 2014 -0700
@@ -0,0 +1,91 @@
+This upstream patch addresses CVE-2014-3520 and is tracked under
+Launchpad bug 1331912. It is addressed in Icehouse 2014.1.2 and Havana
+2013.2.4.
+
+commit 96d9bcf230a74d6122a2b14e00ef10915c8f76e3
+Author: Jamie Lennox <[email protected]>
+Date: Thu Jun 19 14:41:22 2014 +1000
+
+ Ensure that in v2 auth tenant_id matches trust
+
+ Previously if a trustee requests a trust scoped token for a project that
+ is different to the one in the trust, however the trustor has the
+ appropriate roles then a token would be issued.
+
+ Ensure that the trust that was given matches the project that was
+ specified in the scope.
+
+ (cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
+
+ Closes-Bug: #1331912
+ Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
+
+diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
+index 6371caf..0d97f44 100644
+--- a/keystone/tests/test_auth.py
++++ b/keystone/tests/test_auth.py
+@@ -624,13 +624,15 @@ class AuthWithTrust(AuthTest):
+ self.new_trust = self.trust_controller.create_trust(
+ context, trust=trust_data)['trust']
+
+- def build_v2_token_request(self, username, password):
++ def build_v2_token_request(self, username, password, tenant_id=None):
++ if not tenant_id:
++ tenant_id = self.tenant_bar['id']
+ body_dict = _build_user_auth(username=username, password=password)
+ self.unscoped_token = self.controller.authenticate({}, body_dict)
+ unscoped_token_id = self.unscoped_token['access']['token']['id']
+ request_body = _build_user_auth(token={'id': unscoped_token_id},
+ trust_id=self.new_trust['id'],
+- tenant_id=self.tenant_bar['id'])
++ tenant_id=tenant_id)
+ return request_body
+
+ def test_create_trust_bad_data_fails(self):
+@@ -704,6 +706,15 @@ class AuthWithTrust(AuthTest):
+ exception.Forbidden,
+ self.controller.authenticate, {}, request_body)
+
++ def test_token_from_trust_wrong_project_fails(self):
++ for assigned_role in self.assigned_roles:
++ self.assignment_api.add_role_to_user_and_project(
++ self.trustor['id'], self.tenant_baz['id'], assigned_role)
++ request_body = self.build_v2_token_request('TWO', 'two2',
++ self.tenant_baz['id'])
++ self.assertRaises(exception.Forbidden, self.controller.authenticate,
++ {}, request_body)
++
+ def fetch_v2_token_from_trust(self):
+ request_body = self.build_v2_token_request('TWO', 'two2')
+ auth_response = self.controller.authenticate({}, request_body)
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index 72486a1..de7e473 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -160,6 +160,8 @@ class Auth(controller.V2Controller):
+
+ user_ref = old_token_ref['user']
+ user_id = user_ref['id']
++ tenant_id = self._get_project_id_from_auth(auth)
++
+ if not CONF.trust.enabled and 'trust_id' in auth:
+ raise exception.Forbidden('Trusts are disabled.')
+ elif CONF.trust.enabled and 'trust_id' in auth:
+@@ -168,6 +170,9 @@ class Auth(controller.V2Controller):
+ raise exception.Forbidden()
+ if user_id != trust_ref['trustee_user_id']:
+ raise exception.Forbidden()
++ if (trust_ref['project_id'] and
++ tenant_id != trust_ref['project_id']):
++ raise exception.Forbidden()
+ if ('expires' in trust_ref) and (trust_ref['expires']):
+ expiry = trust_ref['expires']
+ if expiry < timeutils.parse_isotime(timeutils.isotime()):
+@@ -190,7 +195,6 @@ class Auth(controller.V2Controller):
+ current_user_ref = self.identity_api.get_user(user_id)
+
+ metadata_ref = {}
+- tenant_id = self._get_project_id_from_auth(auth)
+ tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
+ user_id, tenant_id)
+