--- a/components/openstack/keystone/patches/04-CVE-2013-4477.patch Tue Jun 10 14:07:48 2014 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,72 +0,0 @@
-Upstream patch fixed in Havana 2013.2.1
-
-commit 82dcde08f60c45002955875664a3cf82d1d211bc
-Author: Brant Knudson <[email protected]>
-Date: Mon Oct 21 15:21:12 2013 -0500
-
- Fix remove role assignment adds role using LDAP assignment
-
- When using the LDAP assignment backend, attempting to remove a
- role assignment when the role hadn't been used before would
- actually add the role assignment and would not return a
- 404 Not Found like the SQL backend.
-
- This change makes it so that when attempt to remove a role that
- wasn't assigned then 404 Not Found is returned.
-
- Closes-Bug: #1242855
- Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
- (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
- (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
- (cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)
-
-diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
-index 8ac7395..3d016c0 100644
---- a/keystone/identity/backends/ldap/core.py
-+++ b/keystone/identity/backends/ldap/core.py
-@@ -704,21 +704,10 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
- try:
- conn.modify_s(role_dn, [(ldap.MOD_DELETE,
- self.member_attribute, user_dn)])
-- except ldap.NO_SUCH_OBJECT:
-- if tenant_id is None or self.get(role_id) is None:
-- raise exception.RoleNotFound(role_id=role_id)
-- attrs = [('objectClass', [self.object_class]),
-- (self.member_attribute, [user_dn])]
--
-- if self.use_dumb_member:
-- attrs[1][1].append(self.dumb_member)
-- try:
-- conn.add_s(role_dn, attrs)
-- except Exception as inst:
-- raise inst
--
-- except ldap.NO_SUCH_ATTRIBUTE:
-- raise exception.UserNotFound(user_id=user_id)
-+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
-+ raise exception.RoleNotFound(message=_(
-+ 'Cannot remove role that has not been granted, %s') %
-+ role_id)
-
- def get_role_assignments(self, tenant_id):
- conn = self.get_connection()
-diff --git a/tests/test_backend.py b/tests/test_backend.py
-index d4c2e6c..1af3c16 100644
---- a/tests/test_backend.py
-+++ b/tests/test_backend.py
-@@ -57,6 +57,15 @@ class IdentityTests(object):
- user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
- self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
-
-+ def test_remove_user_role_not_assigned(self):
-+ # Expect failure if attempt to remove a role that was never assigned to
-+ # the user.
-+ self.assertRaises(exception.RoleNotFound,
-+ self.identity_api.remove_role_from_user_and_project,
-+ tenant_id=self.tenant_bar['id'],
-+ user_id=self.user_two['id'],
-+ role_id=self.role_other['id'])
-+
- def test_authenticate_bad_user(self):
- self.assertRaises(AssertionError,
- self.identity_api.authenticate,