Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openstack/keystone/patches/04-CVE-2013-4477.patch
changeset 1944 56ac2df1785b
parent 1943 1a27f000029f
child 1945 3dc1935a2189 
--- a/components/openstack/keystone/patches/04-CVE-2013-4477.patch	Tue Jun 10 14:07:48 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,72 +0,0 @@
-Upstream patch fixed in Havana 2013.2.1
-
-commit 82dcde08f60c45002955875664a3cf82d1d211bc
-Author: Brant Knudson <[email protected]>
-Date:   Mon Oct 21 15:21:12 2013 -0500
-
-    Fix remove role assignment adds role using LDAP assignment
-    
-    When using the LDAP assignment backend, attempting to remove a
-    role assignment when the role hadn't been used before would
-    actually add the role assignment and would not return a
-    404 Not Found like the SQL backend.
-    
-    This change makes it so that when attempt to remove a role that
-    wasn't assigned then 404 Not Found is returned.
-    
-    Closes-Bug: #1242855
-    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
-    (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
-    (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
-    (cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)
-
-diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
-index 8ac7395..3d016c0 100644
---- a/keystone/identity/backends/ldap/core.py
-+++ b/keystone/identity/backends/ldap/core.py
-@@ -704,21 +704,10 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
-         try:
-             conn.modify_s(role_dn, [(ldap.MOD_DELETE,
-                                      self.member_attribute, user_dn)])
--        except ldap.NO_SUCH_OBJECT:
--            if tenant_id is None or self.get(role_id) is None:
--                raise exception.RoleNotFound(role_id=role_id)
--            attrs = [('objectClass', [self.object_class]),
--                     (self.member_attribute, [user_dn])]
--
--            if self.use_dumb_member:
--                attrs[1][1].append(self.dumb_member)
--            try:
--                conn.add_s(role_dn, attrs)
--            except Exception as inst:
--                raise inst
--
--        except ldap.NO_SUCH_ATTRIBUTE:
--            raise exception.UserNotFound(user_id=user_id)
-+        except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
-+            raise exception.RoleNotFound(message=_(
-+                'Cannot remove role that has not been granted, %s') %
-+                role_id)
- 
-     def get_role_assignments(self, tenant_id):
-         conn = self.get_connection()
-diff --git a/tests/test_backend.py b/tests/test_backend.py
-index d4c2e6c..1af3c16 100644
---- a/tests/test_backend.py
-+++ b/tests/test_backend.py
-@@ -57,6 +57,15 @@ class IdentityTests(object):
-         user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
-         self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
- 
-+    def test_remove_user_role_not_assigned(self):
-+        # Expect failure if attempt to remove a role that was never assigned to
-+        # the user.
-+        self.assertRaises(exception.RoleNotFound,
-+                          self.identity_api.remove_role_from_user_and_project,
-+                          tenant_id=self.tenant_bar['id'],
-+                          user_id=self.user_two['id'],
-+                          role_id=self.role_other['id'])
-+
-     def test_authenticate_bad_user(self):
-         self.assertRaises(AssertionError,
-                           self.identity_api.authenticate,
upstream/oracle/userland-gate