--- a/components/python/keystoneclient/patches/01-CVE-2014-7144.patch Thu Apr 16 01:36:32 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,98 +0,0 @@
-This upstream patch addresses CVE-2014-7144 and is tracked under
-Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and
-python-keystoneclient 0.11.0. It has been modified to apply cleanly
-into our current python-keystoneclient 0.8.0 implementation.
-
-commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
-Author: Qin Zhao <[email protected]>
-Date: Wed Aug 6 15:47:58 2014 +0800
-
- Fix the condition expression for ssl_insecure
-
- In the existing code, self.ssl_insecure is a string. If insecure
- option is set in nova api-paste.ini, whatever it is 'true' or
- 'false', kwargs['verify'] will become False. This commit corrects
- the condition expression. This patch is backported from
- https://review.openstack.org/#/c/113191/
-
- Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
- Closes-Bug: 1353315
-
-diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
-index d2eb29b..b0316dd 100644
---- python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py.~1~ 2014-04-16 20:01:14.000000000 -0700
-+++ python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py 2014-09-25 15:54:35.018360494 -0700
-@@ -369,6 +369,27 @@ def safe_quote(s):
- return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
-
-
-+def _conf_values_type_convert(conf):
-+ """Convert conf values into correct type."""
-+ if not conf:
-+ return {}
-+ _opts = {}
-+ opt_types = dict((o.dest, o.type) for o in opts)
-+ for k, v in six.iteritems(conf):
-+ try:
-+ if v is None:
-+ _opts[k] = v
-+ else:
-+ _opts[k] = opt_types[k](v)
-+ except KeyError:
-+ _opts[k] = v
-+ except ValueError as e:
-+ raise ConfigurationError(
-+ 'Unable to convert the value of %s option into correct '
-+ 'type: %s' % (k, e))
-+ return _opts
-+
-+
- class InvalidUserToken(Exception):
- pass
-
-@@ -404,7 +425,10 @@ class AuthProtocol(object):
- def __init__(self, app, conf):
- self.LOG = logging.getLogger(conf.get('log_name', __name__))
- self.LOG.info('Starting keystone auth_token middleware')
-- self.conf = conf
-+ # NOTE(wanghong): If options are set in paste file, all the option
-+ # values passed into conf are string type. So, we should convert the
-+ # conf value into correct type.
-+ self.conf = _conf_values_type_convert(conf)
- self.app = app
-
- # delay_auth_decision means we still allow unauthenticated requests
-diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py
-index 5e1a71f..d794ae3 100644
---- python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py.~1~ 2014-04-16 20:01:14.000000000 -0700
-+++ python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py 2014-09-25 15:52:13.791997920 -0700
-@@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM
- self.assertEqual(
- set([inner_cache, outer_cache]), set(self.middleware._cache_pool))
-
-+ def test_conf_values_type_convert(self):
-+ conf = {
-+ 'revocation_cache_time': '24',
-+ 'identity_uri': 'https://keystone.example.com:1234',
-+ 'include_service_catalog': '0',
-+ 'nonexsit_option': '0',
-+ }
-+
-+ middleware = auth_token.AuthProtocol(self.fake_app, conf)
-+ self.assertEqual(datetime.timedelta(seconds=24),
-+ middleware.token_revocation_list_cache_timeout)
-+ self.assertEqual(False, middleware.include_service_catalog)
-+ self.assertEqual('https://keystone.example.com:1234',
-+ middleware.identity_uri)
-+ self.assertEqual('0', middleware.conf['nonexsit_option'])
-+
-+ def test_conf_values_type_convert_with_wrong_value(self):
-+ conf = {
-+ 'include_service_catalog': '123',
-+ }
-+ self.assertRaises(auth_token.ConfigurationError,
-+ auth_token.AuthProtocol, self.fake_app, conf)
-+
-
- class CommonAuthTokenMiddlewareTest(object):
-