diff -r 4be1f488dda8 -r db0cec748ec0 components/python/keystoneclient/patches/01-CVE-2014-7144.patch --- a/components/python/keystoneclient/patches/01-CVE-2014-7144.patch Tue Apr 07 15:49:29 2015 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,98 +0,0 @@ -This upstream patch addresses CVE-2014-7144 and is tracked under -Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and -python-keystoneclient 0.11.0. It has been modified to apply cleanly -into our current python-keystoneclient 0.8.0 implementation. - -commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc -Author: Qin Zhao -Date: Wed Aug 6 15:47:58 2014 +0800 - - Fix the condition expression for ssl_insecure - - In the existing code, self.ssl_insecure is a string. If insecure - option is set in nova api-paste.ini, whatever it is 'true' or - 'false', kwargs['verify'] will become False. This commit corrects - the condition expression. This patch is backported from - https://review.openstack.org/#/c/113191/ - - Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03 - Closes-Bug: 1353315 - -diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py -index d2eb29b..b0316dd 100644 ---- python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py.~1~ 2014-04-16 20:01:14.000000000 -0700 -+++ python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py 2014-09-25 15:54:35.018360494 -0700 -@@ -369,6 +369,27 @@ def safe_quote(s): - return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s - - -+def _conf_values_type_convert(conf): -+ """Convert conf values into correct type.""" -+ if not conf: -+ return {} -+ _opts = {} -+ opt_types = dict((o.dest, o.type) for o in opts) -+ for k, v in six.iteritems(conf): -+ try: -+ if v is None: -+ _opts[k] = v -+ else: -+ _opts[k] = opt_types[k](v) -+ except KeyError: -+ _opts[k] = v -+ except ValueError as e: -+ raise ConfigurationError( -+ 'Unable to convert the value of %s option into correct ' -+ 'type: %s' % (k, e)) -+ return _opts -+ -+ - class InvalidUserToken(Exception): - pass - -@@ -404,7 +425,10 @@ class AuthProtocol(object): - def __init__(self, app, conf): - self.LOG = logging.getLogger(conf.get('log_name', __name__)) - self.LOG.info('Starting keystone auth_token middleware') -- self.conf = conf -+ # NOTE(wanghong): If options are set in paste file, all the option -+ # values passed into conf are string type. So, we should convert the -+ # conf value into correct type. -+ self.conf = _conf_values_type_convert(conf) - self.app = app - - # delay_auth_decision means we still allow unauthenticated requests -diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py -index 5e1a71f..d794ae3 100644 ---- python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py.~1~ 2014-04-16 20:01:14.000000000 -0700 -+++ python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py 2014-09-25 15:52:13.791997920 -0700 -@@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM - self.assertEqual( - set([inner_cache, outer_cache]), set(self.middleware._cache_pool)) - -+ def test_conf_values_type_convert(self): -+ conf = { -+ 'revocation_cache_time': '24', -+ 'identity_uri': 'https://keystone.example.com:1234', -+ 'include_service_catalog': '0', -+ 'nonexsit_option': '0', -+ } -+ -+ middleware = auth_token.AuthProtocol(self.fake_app, conf) -+ self.assertEqual(datetime.timedelta(seconds=24), -+ middleware.token_revocation_list_cache_timeout) -+ self.assertEqual(False, middleware.include_service_catalog) -+ self.assertEqual('https://keystone.example.com:1234', -+ middleware.identity_uri) -+ self.assertEqual('0', middleware.conf['nonexsit_option']) -+ -+ def test_conf_values_type_convert_with_wrong_value(self): -+ conf = { -+ 'include_service_catalog': '123', -+ } -+ self.assertRaises(auth_token.ConfigurationError, -+ auth_token.AuthProtocol, self.fake_app, conf) -+ - - class CommonAuthTokenMiddlewareTest(object): -