components/openstack/keystone/patches/04-CVE-2013-4477.patch
branchs11-update
changeset 3028 5e73a3a3f66a
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/04-CVE-2013-4477.patch	Mon Mar 31 16:44:02 2014 -0700
@@ -0,0 +1,72 @@
+Upstream patch fixed in Havana 2013.2.1
+
+commit 82dcde08f60c45002955875664a3cf82d1d211bc
+Author: Brant Knudson <[email protected]>
+Date:   Mon Oct 21 15:21:12 2013 -0500
+
+    Fix remove role assignment adds role using LDAP assignment
+    
+    When using the LDAP assignment backend, attempting to remove a
+    role assignment when the role hadn't been used before would
+    actually add the role assignment and would not return a
+    404 Not Found like the SQL backend.
+    
+    This change makes it so that when attempt to remove a role that
+    wasn't assigned then 404 Not Found is returned.
+    
+    Closes-Bug: #1242855
+    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
+    (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
+    (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
+    (cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 8ac7395..3d016c0 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -704,21 +704,10 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
+         try:
+             conn.modify_s(role_dn, [(ldap.MOD_DELETE,
+                                      self.member_attribute, user_dn)])
+-        except ldap.NO_SUCH_OBJECT:
+-            if tenant_id is None or self.get(role_id) is None:
+-                raise exception.RoleNotFound(role_id=role_id)
+-            attrs = [('objectClass', [self.object_class]),
+-                     (self.member_attribute, [user_dn])]
+-
+-            if self.use_dumb_member:
+-                attrs[1][1].append(self.dumb_member)
+-            try:
+-                conn.add_s(role_dn, attrs)
+-            except Exception as inst:
+-                raise inst
+-
+-        except ldap.NO_SUCH_ATTRIBUTE:
+-            raise exception.UserNotFound(user_id=user_id)
++        except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
++            raise exception.RoleNotFound(message=_(
++                'Cannot remove role that has not been granted, %s') %
++                role_id)
+ 
+     def get_role_assignments(self, tenant_id):
+         conn = self.get_connection()
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index d4c2e6c..1af3c16 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -57,6 +57,15 @@ class IdentityTests(object):
+         user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
+         self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
+ 
++    def test_remove_user_role_not_assigned(self):
++        # Expect failure if attempt to remove a role that was never assigned to
++        # the user.
++        self.assertRaises(exception.RoleNotFound,
++                          self.identity_api.remove_role_from_user_and_project,
++                          tenant_id=self.tenant_bar['id'],
++                          user_id=self.user_two['id'],
++                          role_id=self.role_other['id'])
++
+     def test_authenticate_bad_user(self):
+         self.assertRaises(AssertionError,
+                           self.identity_api.authenticate,
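Review bot: The new test test_remove_user_role_not_assigned in the tests/test_backend.py hunk only exercises the NO_SUCH_ATTRIBUTE path — self.role_other presumably names a role that already exists in the fixture, so the role entry is present and only the member attribute is missing. The NO_SUCH_OBJECT path, the one where the removed code fell through to conn.add_s and created the role entry instead of reporting an error, has no regression test. A second test passing a role_id that does not exist in the directory would pin that branch to exception.RoleNotFound as well, since the new except clause in core.py now collapses both LDAP errors into that exception. The method in keystone/identity/backends/ldap/core.py enclosing the changed except clause begins before the hunk, so its signature and the origin of role_dn are not visible here.
```python
    def test_remove_user_role_for_missing_role(self):
        # Removing a role that does not exist at all must also raise,
        # never create the role entry; the role id is a constructed value.
        self.assertRaises(exception.RoleNotFound,
                          self.identity_api.remove_role_from_user_and_project,
                          tenant_id=self.tenant_bar['id'],
                          user_id=self.user_two['id'],
                          role_id='<nonexistent-role-id>')
```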