19692613 problem in SERVICE/KEYSTONE s11u2-sru
authordavid.comay@oracle.com
Mon, 13 Oct 2014 19:15:19 -0700
branchs11u2-sru
changeset 3390 b1b8d4b96c7f
parent 3389 b77a52ff5cfd
child 3392 d22bbc4e4aab
19692613 problem in SERVICE/KEYSTONE
components/python/keystoneclient/patches/01-CVE-2014-7144.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/keystoneclient/patches/01-CVE-2014-7144.patch	Mon Oct 13 19:15:19 2014 -0700
@@ -0,0 +1,98 @@
+This upstream patch addresses CVE-2014-7144 and is tracked under
+Launchpad bug 1353315. It is addressed in keystonemiddleware 1.2.0 and
+python-keystoneclient 0.11.0. It has been modified to apply cleanly
+into our current python-keystoneclient 0.8.0 implementation.
+
+commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
+Author: Qin Zhao <[email protected]>
+Date:   Wed Aug 6 15:47:58 2014 +0800
+
+    Fix the condition expression for ssl_insecure
+    
+    In the existing code, self.ssl_insecure is a string. If insecure
+    option is set in nova api-paste.ini, whatever it is 'true' or
+    'false', kwargs['verify'] will become False. This commit corrects
+    the condition expression. This patch is backported from
+    https://review.openstack.org/#/c/113191/
+    
+    Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
+    Closes-Bug: 1353315
+
+diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
+index d2eb29b..b0316dd 100644
+--- python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py.~1~	2014-04-16 20:01:14.000000000 -0700
++++ python-keystoneclient-0.8.0/keystoneclient/middleware/auth_token.py	2014-09-25 15:54:35.018360494 -0700
[email protected]@ -369,6 +369,27 @@ def safe_quote(s):
+     return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
+ 
+ 
++def _conf_values_type_convert(conf):
++    """Convert conf values into correct type."""
++    if not conf:
++        return {}
++    _opts = {}
++    opt_types = dict((o.dest, o.type) for o in opts)
++    for k, v in six.iteritems(conf):
++        try:
++            if v is None:
++                _opts[k] = v
++            else:
++                _opts[k] = opt_types[k](v)
++        except KeyError:
++            _opts[k] = v
++        except ValueError as e:
++            raise ConfigurationError(
++                'Unable to convert the value of %s option into correct '
++                'type: %s' % (k, e))
++    return _opts
++
++
+ class InvalidUserToken(Exception):
+     pass
+ 
[email protected]@ -404,7 +425,10 @@ class AuthProtocol(object):
+     def __init__(self, app, conf):
+         self.LOG = logging.getLogger(conf.get('log_name', __name__))
+         self.LOG.info('Starting keystone auth_token middleware')
+-        self.conf = conf
++        # NOTE(wanghong): If options are set in paste file, all the option
++        # values passed into conf are string type. So, we should convert the
++        # conf value into correct type.
++        self.conf = _conf_values_type_convert(conf)
+         self.app = app
+ 
+         # delay_auth_decision means we still allow unauthenticated requests
+diff --git a/keystoneclient/tests/test_auth_token_middleware.py b/keystoneclient/tests/test_auth_token_middleware.py
+index 5e1a71f..d794ae3 100644
+--- python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py.~1~	2014-04-16 20:01:14.000000000 -0700
++++ python-keystoneclient-0.8.0/keystoneclient/tests/test_auth_token_middleware.py	2014-09-25 15:52:13.791997920 -0700
[email protected]@ -484,6 +484,29 @@ class NoMemcacheAuthToken(BaseAuthTokenM
+         self.assertEqual(
+             set([inner_cache, outer_cache]), set(self.middleware._cache_pool))
+ 
++    def test_conf_values_type_convert(self):
++        conf = {
++            'revocation_cache_time': '24',
++            'identity_uri': 'https://keystone.example.com:1234',
++            'include_service_catalog': '0',
++            'nonexsit_option': '0',
++        }
++
++        middleware = auth_token.AuthProtocol(self.fake_app, conf)
++        self.assertEqual(datetime.timedelta(seconds=24),
++                         middleware.token_revocation_list_cache_timeout)
++        self.assertEqual(False, middleware.include_service_catalog)
++        self.assertEqual('https://keystone.example.com:1234',
++                         middleware.identity_uri)
++        self.assertEqual('0', middleware.conf['nonexsit_option'])
++
++    def test_conf_values_type_convert_with_wrong_value(self):
++        conf = {
++            'include_service_catalog': '123',
++        }
++        self.assertRaises(auth_token.ConfigurationError,
++                          auth_token.AuthProtocol, self.fake_app, conf)
++
+ 
+ class CommonAuthTokenMiddlewareTest(object):
+