--- a/components/openstack/keystone/patches/07-CVE-2014-3520.patch Fri Mar 20 03:13:26 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-This upstream patch addresses CVE-2014-3520 and is tracked under
-Launchpad bug 1331912. It is addressed in Icehouse 2014.1.2 and Havana
-2013.2.4.
-
-commit 96d9bcf230a74d6122a2b14e00ef10915c8f76e3
-Author: Jamie Lennox <[email protected]>
-Date: Thu Jun 19 14:41:22 2014 +1000
-
- Ensure that in v2 auth tenant_id matches trust
-
- Previously if a trustee requests a trust scoped token for a project that
- is different to the one in the trust, however the trustor has the
- appropriate roles then a token would be issued.
-
- Ensure that the trust that was given matches the project that was
- specified in the scope.
-
- (cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
-
- Closes-Bug: #1331912
- Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
-
-diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
-index 6371caf..0d97f44 100644
---- a/keystone/tests/test_auth.py
-+++ b/keystone/tests/test_auth.py
-@@ -624,13 +624,15 @@ class AuthWithTrust(AuthTest):
- self.new_trust = self.trust_controller.create_trust(
- context, trust=trust_data)['trust']
-
-- def build_v2_token_request(self, username, password):
-+ def build_v2_token_request(self, username, password, tenant_id=None):
-+ if not tenant_id:
-+ tenant_id = self.tenant_bar['id']
- body_dict = _build_user_auth(username=username, password=password)
- self.unscoped_token = self.controller.authenticate({}, body_dict)
- unscoped_token_id = self.unscoped_token['access']['token']['id']
- request_body = _build_user_auth(token={'id': unscoped_token_id},
- trust_id=self.new_trust['id'],
-- tenant_id=self.tenant_bar['id'])
-+ tenant_id=tenant_id)
- return request_body
-
- def test_create_trust_bad_data_fails(self):
-@@ -704,6 +706,15 @@ class AuthWithTrust(AuthTest):
- exception.Forbidden,
- self.controller.authenticate, {}, request_body)
-
-+ def test_token_from_trust_wrong_project_fails(self):
-+ for assigned_role in self.assigned_roles:
-+ self.assignment_api.add_role_to_user_and_project(
-+ self.trustor['id'], self.tenant_baz['id'], assigned_role)
-+ request_body = self.build_v2_token_request('TWO', 'two2',
-+ self.tenant_baz['id'])
-+ self.assertRaises(exception.Forbidden, self.controller.authenticate,
-+ {}, request_body)
-+
- def fetch_v2_token_from_trust(self):
- request_body = self.build_v2_token_request('TWO', 'two2')
- auth_response = self.controller.authenticate({}, request_body)
-diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
-index 72486a1..de7e473 100644
---- a/keystone/token/controllers.py
-+++ b/keystone/token/controllers.py
-@@ -160,6 +160,8 @@ class Auth(controller.V2Controller):
-
- user_ref = old_token_ref['user']
- user_id = user_ref['id']
-+ tenant_id = self._get_project_id_from_auth(auth)
-+
- if not CONF.trust.enabled and 'trust_id' in auth:
- raise exception.Forbidden('Trusts are disabled.')
- elif CONF.trust.enabled and 'trust_id' in auth:
-@@ -168,6 +170,9 @@ class Auth(controller.V2Controller):
- raise exception.Forbidden()
- if user_id != trust_ref['trustee_user_id']:
- raise exception.Forbidden()
-+ if (trust_ref['project_id'] and
-+ tenant_id != trust_ref['project_id']):
-+ raise exception.Forbidden()
- if ('expires' in trust_ref) and (trust_ref['expires']):
- expiry = trust_ref['expires']
- if expiry < timeutils.parse_isotime(timeutils.isotime()):
-@@ -190,7 +195,6 @@ class Auth(controller.V2Controller):
- current_user_ref = self.identity_api.get_user(user_id)
-
- metadata_ref = {}
-- tenant_id = self._get_project_id_from_auth(auth)
- tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
- user_id, tenant_id)
-