Diffstat (limited to 'sys-auth/keystone/files/cve-2017-2673-stable-newton.patch')
-rw-r--r-- | sys-auth/keystone/files/cve-2017-2673-stable-newton.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
new file mode 100644
index 000000000000..0f64ed5f6a6e
--- /dev/null
+++ b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
@@ -0,0 +1,82 @@
+From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
+From: Boris Bobrov <breton@cynicmansion.ru>
+Date: Mon, 17 Apr 2017 00:28:07 +0300
+Subject: [PATCH] Do not fetch group assignments without groups
+
+Without the change, the method fetched all assignments for a project
+or domain, regardless of who has the assignment, user or group. This
+led to situation when federated user without groups could scope a token
+with other user's rules.
+
+Return empty list of assignments if no groups were passed.
+
+Closes-Bug: 1677723
+Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
+(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
+
+Conflicts:
+ keystone/tests/unit/test_v3_federation.py -- removed irrelevant
+ tests
+---
+ keystone/assignment/core.py | 5 +++++
+ keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
+index e549abb..6a6717a 100644
+--- a/keystone/assignment/core.py
++++ b/keystone/assignment/core.py
+@@ -165,6 +165,11 @@ class Manager(manager.Manager):
+
+ def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
+ """Get a list of roles for this group on domain and/or project."""
++ # if no group ids were passed, there are no roles. Without this check,
++ # all assignments for the project or domain will be fetched,
++ # which is not what we want.
++ if not group_ids:
++ return []
+ if project_id is not None:
+ self.resource_api.get_project(project_id)
+ assignment_list = self.list_role_assignments(
+diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
+index f3e9baa..1a7ce40 100644
+--- a/keystone/tests/unit/test_v3_federation.py
++++ b/keystone/tests/unit/test_v3_federation.py
+@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ self.assertEqual(0, len(token_groups))
+
++ def test_issue_scoped_token_no_groups(self):
++ """Verify that token without groups cannot get scoped to project.
++
++ This test is required because of bug 1677723.
++ """
++ # issue unscoped token with no groups
++ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
++ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
++ token_resp = r.json_body
++ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
++ self.assertEqual(0, len(token_groups))
++ unscoped_token = r.headers.get('X-Subject-Token')
++
++ # let admin get roles in a project
++ self.proj_employees
++ admin = unit.new_user_ref(CONF.identity.default_domain_id)
++ self.identity_api.create_user(admin)
++ self.assignment_api.create_grant(self.role_admin['id'],
++ user_id=admin['id'],
++ project_id=self.proj_employees['id'])
++
++ # try to scope the token. It should fail
++ scope = self._scope_request(
++ unscoped_token, 'project', self.proj_employees['id']
++ )
++ self.v3_create_token(
++ scope, expected_status=http_client.UNAUTHORIZED)
++
+ def test_issue_unscoped_token_malformed_environment(self):
+ """Test whether non string objects are filtered out.
+
+--
+2.1.4
+
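Review bot: The new test `test_issue_scoped_token_no_groups` contains a bare `self.proj_employees` expression statement (the line right after `# let admin get roles in a project`) that has no effect; either drop it or, if it is there to make a lazily-built fixture exist before the grant, replace the comment with `# touch proj_employees so the fixture is created before granting on it`. The `if not group_ids: return []` guard in `get_roles_for_groups` closes the path the commit message describes, but it implies that the underlying `list_role_assignments` treats an empty `group_ids` filter as "no filter" — if that is the case, any other caller passing an empty list inherits the same over-broad query, so a matching guard at that lower layer (not visible here) is worth confirming. The regression test exercises only project scoping, while the guard also applies to the `domain_id` branch; a domain-scoped counterpart would pin that path as well. Both `get_roles_for_groups` and `test_issue_unscoped_token_malformed_environment` continue outside the hunk.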