summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Mair-Keimberger (asterix) <m.mairkeimberger@gmail.com>2017-08-08 18:25:09 +0200
committerMatthew Thode <prometheanfire@gentoo.org>2017-08-08 17:36:43 -0500
commit405148ae5fe2b8b3fddcbbc499df304ba308e5bb (patch)
tree627f551f0bc9bda9851f8429e3b78d76558b08db /sys-auth/keystone/files
parentapp-admin/puppet: remove unused patch (diff)
downloadgentoo-405148ae5fe2b8b3fddcbbc499df304ba308e5bb.tar.gz
gentoo-405148ae5fe2b8b3fddcbbc499df304ba308e5bb.tar.bz2
gentoo-405148ae5fe2b8b3fddcbbc499df304ba308e5bb.zip
sys-auth/keystone: remove unused patches
Diffstat (limited to 'sys-auth/keystone/files')
-rw-r--r--sys-auth/keystone/files/cve-2017-2673-stable-newton.patch82
-rw-r--r--sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch115
2 files changed, 0 insertions, 197 deletions
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
deleted file mode 100644
index 0f64ed5f6a6..00000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@cynicmansion.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
-
-Conflicts:
- keystone/tests/unit/test_v3_federation.py -- removed irrelevant
- tests
----
- keystone/assignment/core.py | 5 +++++
- keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index e549abb..6a6717a 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -165,6 +165,11 @@ class Manager(manager.Manager):
-
- def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
- """Get a list of roles for this group on domain and/or project."""
-+ # if no group ids were passed, there are no roles. Without this check,
-+ # all assignments for the project or domain will be fetched,
-+ # which is not what we want.
-+ if not group_ids:
-+ return []
- if project_id is not None:
- self.resource_api.get_project(project_id)
- assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index f3e9baa..1a7ce40 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
- self.assertEqual(0, len(token_groups))
-
-+ def test_issue_scoped_token_no_groups(self):
-+ """Verify that token without groups cannot get scoped to project.
-+
-+ This test is required because of bug 1677723.
-+ """
-+ # issue unscoped token with no groups
-+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+ token_resp = r.json_body
-+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+ self.assertEqual(0, len(token_groups))
-+ unscoped_token = r.headers.get('X-Subject-Token')
-+
-+ # let admin get roles in a project
-+ self.proj_employees
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+ self.identity_api.create_user(admin)
-+ self.assignment_api.create_grant(self.role_admin['id'],
-+ user_id=admin['id'],
-+ project_id=self.proj_employees['id'])
-+
-+ # try to scope the token. It should fail
-+ scope = self._scope_request(
-+ unscoped_token, 'project', self.proj_employees['id']
-+ )
-+ self.v3_create_token(
-+ scope, expected_status=http_client.UNAUTHORIZED)
-+
- def test_issue_unscoped_token_malformed_environment(self):
- """Test whether non string objects are filtered out.
-
---
-2.1.4
-
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
deleted file mode 100644
index abf17489cd9..00000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@cynicmansion.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
----
- keystone/assignment/core.py | 5 +++
- keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index eccc22d..8fba77e 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -126,6 +126,11 @@ class Manager(manager.Manager):
-
- def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
- """Get a list of roles for this group on domain and/or project."""
-+ # if no group ids were passed, there are no roles. Without this check,
-+ # all assignments for the project or domain will be fetched,
-+ # which is not what we want.
-+ if not group_ids:
-+ return []
- if project_id is not None:
- self.resource_api.get_project(project_id)
- assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index 0f5148f..03509b8 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
- self.assertEqual(0, len(token_groups))
-
-+ def test_issue_scoped_token_no_groups(self):
-+ """Verify that token without groups cannot get scoped to project.
-+
-+ This test is required because of bug 1677723.
-+ """
-+ # issue unscoped token with no groups
-+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+ token_resp = r.json_body
-+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+ self.assertEqual(0, len(token_groups))
-+ unscoped_token = r.headers.get('X-Subject-Token')
-+
-+ # let admin get roles in a project
-+ self.proj_employees
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+ self.identity_api.create_user(admin)
-+ self.assignment_api.create_grant(self.role_admin['id'],
-+ user_id=admin['id'],
-+ project_id=self.proj_employees['id'])
-+
-+ # try to scope the token. It should fail
-+ scope = self._scope_request(
-+ unscoped_token, 'project', self.proj_employees['id']
-+ )
-+ self.v3_create_token(
-+ scope, expected_status=http_client.UNAUTHORIZED)
-+
- def test_issue_unscoped_token_malformed_environment(self):
- """Test whether non string objects are filtered out.
-
-@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
- self.expected_results[project_name], roles[0]['name']
- )
-
-+ def test_user_gets_only_assigned_roles(self):
-+ # in bug 1677723 user could get roles outside of what was assigned
-+ # to them. This test verifies that this is no longer true.
-+ # Authenticate once to create the projects
-+ response = self._issue_unscoped_token()
-+ self.assertValidMappedUser(response.json_body['token'])
-+ unscoped_token = response.headers.get('X-Subject-Token')
-+
-+ # Assign admin role to newly-created project to another user
-+ staging_project = self.resource_api.get_project_by_name(
-+ 'Staging', self.idp['domain_id']
-+ )
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+ self.identity_api.create_user(admin)
-+ self.assignment_api.create_grant(self.role_admin['id'],
-+ user_id=admin['id'],
-+ project_id=staging_project['id'])
-+
-+ # Authenticate again with the federated user and verify roles
-+ response = self._issue_unscoped_token()
-+ self.assertValidMappedUser(response.json_body['token'])
-+ unscoped_token = response.headers.get('X-Subject-Token')
-+ scope = self._scope_request(
-+ unscoped_token, 'project', staging_project['id']
-+ )
-+ response = self.v3_create_token(scope)
-+ roles = response.json_body['token']['roles']
-+ role_ids = [r['id'] for r in roles]
-+ self.assertNotIn(self.role_admin['id'], role_ids)
-+
-
- class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
- JSON_HOME_DATA = {
---
-2.1.4
-