--- a/components/openstack/keystone/patches/CVE-2015-7546.patch Wed Sep 07 14:48:41 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,195 +0,0 @@
-From 9c9c1331e0c004897d5f4c5847f7143b56373f10 Mon Sep 17 00:00:00 2001
-From: Brant Knudson <[email protected]>
-Date: Tue, 1 Dec 2015 11:09:14 -0600
-Subject: [PATCH] Add audit IDs to revocation events
-
-The revoked tokens' audit ID is now included in the data returned in
-the revocation list.
-
-Closes-Bug: 1490804
-Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
-(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0)
-Conflicts:
- keystone/tests/unit/test_backend.py
----
- keystone/tests/unit/test_backend.py | 39 ++++++++++++++++++++----------
- keystone/tests/unit/test_backend_sql.py | 3 ++-
- keystone/token/persistence/backends/kvs.py | 9 +++++++
- keystone/token/persistence/backends/sql.py | 12 ++++++++-
- 4 files changed, 48 insertions(+), 15 deletions(-)
-
-diff --git a/keystone/tests/unit/test_backend.py b/keystone/tests/unit/test_backend.py
-index 6cf0649..9c82502 100644
---- a/keystone/tests/unit/test_backend.py
-+++ b/keystone/tests/unit/test_backend.py
-@@ -3778,7 +3778,9 @@ class TokenTests(object):
- token_id = self._create_token_id()
- data = {'id': token_id, 'a': 'b',
- 'trust_id': None,
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'access': {'token': {
-+ 'audit_ids': [uuid.uuid4().hex]}}}}
- data_ref = self.token_provider_api._persistence.create_token(token_id,
- data)
- expires = data_ref.pop('expires')
-@@ -3813,7 +3815,8 @@ class TokenTests(object):
- # FIXME(morganfainberg): These tokens look nothing like "Real" tokens.
- # This should be fixed when token issuance is cleaned up.
- data = {'id': token_id, 'a': 'b',
-- 'user': {'id': user_id}}
-+ 'user': {'id': user_id},
-+ 'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
- if tenant_id is not None:
- data['tenant'] = {'id': tenant_id, 'name': tenant_id}
- if tenant_id is NULL_OBJECT:
-@@ -3822,7 +3825,7 @@ class TokenTests(object):
- data['expires'] = expires
- if trust_id is not None:
- data['trust_id'] = trust_id
-- data.setdefault('access', {}).setdefault('trust', {})
-+ data['access'].setdefault('trust', {})
- # Testuserid2 is used here since a trustee will be different in
- # the cases of impersonation and therefore should not match the
- # token's user_id.
-@@ -3988,17 +3991,21 @@ class TokenTests(object):
-
- self.assertEqual(data_ref, new_data_ref)
-
-- def check_list_revoked_tokens(self, token_ids):
-- revoked_ids = [x['id']
-- for x in self.token_provider_api.list_revoked_tokens()]
-+ def check_list_revoked_tokens(self, token_infos):
-+ revocation_list = self.token_provider_api.list_revoked_tokens()
-+ revoked_ids = [x['id'] for x in revocation_list]
-+ revoked_audit_ids = [x['audit_id'] for x in revocation_list]
- self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
-- for token_id in token_ids:
-+ for token_id, audit_id in token_infos:
- self.assertIn(token_id, revoked_ids)
-+ self.assertIn(audit_id, revoked_audit_ids)
-
- def delete_token(self):
- token_id = uuid.uuid4().hex
-+ audit_id = uuid.uuid4().hex
- data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'token': {'audit_ids': [audit_id]}}}
- data_ref = self.token_provider_api._persistence.create_token(token_id,
- data)
- self.token_provider_api._persistence.delete_token(token_id)
-@@ -4010,7 +4017,7 @@ class TokenTests(object):
- exception.TokenNotFound,
- self.token_provider_api._persistence.delete_token,
- data_ref['id'])
-- return token_id
-+ return (token_id, audit_id)
-
- def test_list_revoked_tokens_returns_empty_list(self):
- revoked_ids = [x['id']
-@@ -4061,12 +4068,16 @@ class TokenTests(object):
- token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
- 'expires': expire_time,
- 'trust_id': None,
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'token': {
-+ 'audit_ids': [uuid.uuid4().hex]}}}
- token2_id = uuid.uuid4().hex
- token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b',
- 'expires': expire_time,
- 'trust_id': None,
-- 'user': {'id': 'testuserid'}}
-+ 'user': {'id': 'testuserid'},
-+ 'token_data': {'token': {
-+ 'audit_ids': [uuid.uuid4().hex]}}}
- # Create 2 Tokens.
- self.token_provider_api._persistence.create_token(token_id,
- token_data)
-@@ -4101,7 +4112,8 @@ class TokenTests(object):
- def _test_predictable_revoked_pki_token_id(self, hash_fn):
- token_id = self._create_token_id()
- token_id_hash = hash_fn(token_id).hexdigest()
-- token = {'user': {'id': uuid.uuid4().hex}}
-+ token = {'user': {'id': uuid.uuid4().hex},
-+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
-
- self.token_provider_api._persistence.create_token(token_id, token)
- self.token_provider_api._persistence.delete_token(token_id)
-@@ -4123,7 +4135,8 @@ class TokenTests(object):
-
- def test_predictable_revoked_uuid_token_id(self):
- token_id = uuid.uuid4().hex
-- token = {'user': {'id': uuid.uuid4().hex}}
-+ token = {'user': {'id': uuid.uuid4().hex},
-+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
-
- self.token_provider_api._persistence.create_token(token_id, token)
- self.token_provider_api._persistence.delete_token(token_id)
-diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py
-index a7c63bf..7adc936 100644
---- a/keystone/tests/unit/test_backend_sql.py
-+++ b/keystone/tests/unit/test_backend_sql.py
-@@ -441,7 +441,8 @@ class SqlToken(SqlTests, test_backend.TokenTests):
- # necessary.
-
- expected_query_args = (token_sql.TokenModel.id,
-- token_sql.TokenModel.expires)
-+ token_sql.TokenModel.expires,
-+ token_sql.TokenModel.extra,)
-
- with mock.patch.object(token_sql, 'sql') as mock_sql:
- tok = token_sql.Token()
-diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py
-index b4807bf..9a7ccea 100644
---- a/keystone/token/persistence/backends/kvs.py
-+++ b/keystone/token/persistence/backends/kvs.py
-@@ -211,6 +211,15 @@ class Token(token.persistence.Driver):
- subsecond=True)
- revoked_token_data['id'] = data['id']
-
-+ token_data = data['token_data']
-+ if 'access' in token_data:
-+ # It's a v2 token.
-+ audit_ids = token_data['access']['token']['audit_ids']
-+ else:
-+ # It's a v3 token.
-+ audit_ids = token_data['token']['audit_ids']
-+ revoked_token_data['audit_id'] = audit_ids[0]
-+
- token_list = self._get_key_or_default(self.revocation_key, default=[])
- if not isinstance(token_list, list):
- # NOTE(morganfainberg): In the case that the revocation list is not
-diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py
-index 08c3a21..7c5c11d 100644
---- a/keystone/token/persistence/backends/sql.py
-+++ b/keystone/token/persistence/backends/sql.py
-@@ -228,13 +228,23 @@ class Token(token.persistence.Driver):
- session = sql.get_session()
- tokens = []
- now = timeutils.utcnow()
-- query = session.query(TokenModel.id, TokenModel.expires)
-+ query = session.query(TokenModel.id, TokenModel.expires,
-+ TokenModel.extra)
- query = query.filter(TokenModel.expires > now)
- token_references = query.filter_by(valid=False)
- for token_ref in token_references:
-+ token_data = token_ref[2]['token_data']
-+ if 'access' in token_data:
-+ # It's a v2 token.
-+ audit_ids = token_data['access']['token']['audit_ids']
-+ else:
-+ # It's a v3 token.
-+ audit_ids = token_data['token']['audit_ids']
-+
- record = {
- 'id': token_ref[0],
- 'expires': token_ref[1],
-+ 'audit_id': audit_ids[0],
- }
- tokens.append(record)
- return tokens
---
-1.9.1
-