summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Thode <prometheanfire@gentoo.org>2016-05-18 10:09:12 -0500
committerMatthew Thode <prometheanfire@gentoo.org>2016-05-18 10:09:12 -0500
commitf4d9fe6d319b3b53175aeaf39ea596b4eef68a7f (patch)
treedfc13ad4e21550e2e58296f3a97314e32fa6d514 /sys-auth/keystone/files
parentnet-misc/connman: Update xtables patch for kernel versions >= 4.6.0 (diff)
downloadgentoo-f4d9fe6d319b3b53175aeaf39ea596b4eef68a7f.tar.gz
gentoo-f4d9fe6d319b3b53175aeaf39ea596b4eef68a7f.tar.bz2
gentoo-f4d9fe6d319b3b53175aeaf39ea596b4eef68a7f.zip
sys-auth/keystone: fix CVE-2016-4911 bug 583392
Package-Manager: portage-2.2.28
Diffstat (limited to 'sys-auth/keystone/files')
-rw-r--r--sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch103
1 files changed, 103 insertions, 0 deletions
diff --git a/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
new file mode 100644
index 00000000000..0ea6cd8bab2
--- /dev/null
+++ b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
@@ -0,0 +1,103 @@
+From ee1dc941042d1f71699971c5c30566af1b348572 Mon Sep 17 00:00:00 2001
+From: Lance Bragstad <lbragstad@gmail.com>
+Date: Mon, 2 May 2016 19:16:11 +0000
+Subject: Fix fernet audit ids for v2.0
+
+The fernet token provider was doing some weird things with audit ids that
+caused token rescoping to not work because audit ids were never pulled from the
+original token. This commit also enables some tests for v2.0 authentication
+with the Fernet as the token provider.
+
+Closes-Bug: 1577558
+Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
+(cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240)
+---
+ keystone/tests/unit/test_auth.py | 22 ++++++++++++++++++++++
+ keystone/token/controllers.py | 3 ++-
+ keystone/token/providers/fernet/core.py | 9 ++-------
+ 3 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py
+index b09d9ac..6f44b31 100644
+--- a/keystone/tests/unit/test_auth.py
++++ b/keystone/tests/unit/test_auth.py
+@@ -33,6 +33,7 @@ from keystone import exception
+ from keystone.models import token_model
+ from keystone.tests import unit
+ from keystone.tests.unit import default_fixtures
++from keystone.tests.unit import ksfixtures
+ from keystone.tests.unit.ksfixtures import database
+ from keystone import token
+ from keystone.token import provider
+@@ -671,6 +672,27 @@ class AuthWithToken(AuthTest):
+ token_id=token_2_id)
+
+
++class FernetAuthWithToken(AuthWithToken):
++ def config_overrides(self):
++ super(FernetAuthWithToken, self).config_overrides()
++ self.config_fixture.config(group='token', provider='fernet')
++ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
++
++ def test_token_auth_with_binding(self):
++ self.config_fixture.config(group='token', bind=['kerberos'])
++ body_dict = _build_user_auth()
++ self.assertRaises(exception.NotImplemented,
++ self.controller.authenticate,
++ self.context_with_remote_user,
++ body_dict)
++
++ def test_revoke_with_no_audit_info(self):
++ self.skipTest('Fernet with v2.0 and revocation is broken')
++
++ def test_deleting_role_revokes_token(self):
++ self.skipTest('Fernet with v2.0 and revocation is broken')
++
++
+ class AuthWithPasswordCredentials(AuthTest):
+ def test_auth_invalid_user(self):
+ """Verify exception is raised if invalid user."""
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index f610fc4..6eeb23e 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -180,7 +180,8 @@ class Auth(controller.V2Controller):
+ try:
+ token_model_ref = token_model.KeystoneToken(
+ token_id=old_token,
+- token_data=self.token_provider_api.validate_token(old_token))
++ token_data=self.token_provider_api.validate_v2_token(old_token)
++ )
+ except exception.NotFound as e:
+ raise exception.Unauthorized(e)
+
+diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py
+index 8042aab..ff6fe9c 100644
+--- a/keystone/token/providers/fernet/core.py
++++ b/keystone/token/providers/fernet/core.py
+@@ -15,7 +15,6 @@ from oslo_config import cfg
+ from keystone.common import dependency
+ from keystone.common import utils as ks_utils
+ from keystone.federation import constants as federation_constants
+-from keystone.token import provider
+ from keystone.token.providers import common
+ from keystone.token.providers.fernet import token_formatters as tf
+
+@@ -145,12 +144,8 @@ class Provider(common.BaseProvider):
+ expires_at = token_data['access']['token']['expires']
+ audit_ids = token_data['access']['token'].get('audit_ids')
+ methods = ['password']
+- if audit_ids:
+- parent_audit_id = token_data['access']['token'].get(
+- 'parent_audit_id')
+- audit_ids = provider.audit_info(parent_audit_id)
+- if parent_audit_id:
+- methods.append('token')
++ if len(audit_ids) > 1:
++ methods.append('token')
+ project_id = token_data['access']['token'].get('tenant', {}).get('id')
+ domain_id = None
+ trust_id = None
+--
+cgit v0.11.2
+