authorMatthew Thode <prometheanfire@gentoo.org>2013-09-15 02:58:58 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-09-15 02:58:58 +0000
commita70a476bbab88a2ee4f0479fef7a1227fdfea24a (patch)
tree7db67f05edced6970f54f23857896e64ee2c098c /sys-auth/keystone
parentVersion bump, drop old. (diff)
fix for CVE-2013-4222 and bug 480476
(Portage version: 2.1.12.2/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog12
-rw-r--r--sys-auth/keystone/files/2012.2.4-CVE-2013-4222.patch122
-rw-r--r--sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch227
-rw-r--r--sys-auth/keystone/keystone-2012.2.4-r9.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r8.ebuild)3
-rw-r--r--sys-auth/keystone/keystone-2013.1.3-r3.ebuild (renamed from sys-auth/keystone/keystone-2013.1.3-r2.ebuild)3
-rw-r--r--sys-auth/keystone/keystone-2013.1.9999.ebuild6
6 files changed, 369 insertions, 4 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 5705decc6e0b..c63fd2082939 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.32 2013/09/12 06:19:47 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.33 2013/09/15 02:58:58 prometheanfire Exp $
+
+*keystone-2012.2.4-r9 (15 Sep 2013)
+*keystone-2013.1.3-r3 (15 Sep 2013)
+
+ 15 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2012.2.4-CVE-2013-4222.patch, +files/2013.1.3-CVE-2013-4222.patch,
+ +keystone-2012.2.4-r9.ebuild, +keystone-2013.1.3-r3.ebuild,
+ -keystone-2012.2.4-r8.ebuild, -keystone-2013.1.3-r2.ebuild,
+ keystone-2013.1.9999.ebuild:
+ fix for CVE-2013-4222 and bug 480476
12 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
keystone-2012.2.4-r8.ebuild, keystone-2013.1.3-r2.ebuild,
diff --git a/sys-auth/keystone/files/2012.2.4-CVE-2013-4222.patch b/sys-auth/keystone/files/2012.2.4-CVE-2013-4222.patch
new file mode 100644
index 000000000000..edac4149be76
--- /dev/null
+++ b/sys-auth/keystone/files/2012.2.4-CVE-2013-4222.patch
@@ -0,0 +1,122 @@
+From 7244e5342acb86c241e2d03fc76897174302de04 Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews@gmail.com>
+Date: Thu, 12 Sep 2013 17:02:26 -0500
+Subject: [PATCH] Revoke user tokens when disabling/delete a tenant
+
+Revoke tokens scoped to all users from a tenant when disabling or
+deleting the tenant.
+
+Closes-Bug: #1179955
+Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
+---
+ keystone/identity/core.py | 16 ++++++++++++++
+ tests/test_keystoneclient.py | 51 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 67 insertions(+)
+
+diff --git a/keystone/identity/core.py b/keystone/identity/core.py
+index e6f63aa..7a5408d 100644
+--- a/keystone/identity/core.py
++++ b/keystone/identity/core.py
+@@ -399,14 +399,30 @@ class TenantController(wsgi.Application):
+ context, tenant_ref['id'], tenant_ref)
+ return {'tenant': tenant}
+
++ def _delete_tokens_for_user(self, context, user_id, tenant_id=None):
++ self.token_api.revoke_tokens(context, user_id, tenant_id=tenant_id)
++
++ def _delete_tokens_for_tenant(self, context, tenant_id):
++ for user_ref in self.identity_api.get_tenant_users(context, tenant_id):
++ self._delete_tokens_for_user(
++ context, user_ref['id'], tenant_id=tenant_id)
++
+ def update_tenant(self, context, tenant_id, tenant):
+ self.assert_admin(context)
++
++ # If the tenant has been disabled (or enabled=False) we are
++ # deleting the tokens for that tenant.
++ if not tenant.get('enabled', True):
++ self._delete_tokens_for_tenant(context, tenant_id)
++
+ tenant_ref = self.identity_api.update_tenant(
+ context, tenant_id, tenant)
+ return {'tenant': tenant_ref}
+
+ def delete_tenant(self, context, tenant_id):
+ self.assert_admin(context)
++ # Delete all tokens belonging to the users for that tenant
++ self._delete_tokens_for_tenant(context, tenant_id)
+ self.identity_api.delete_tenant(context, tenant_id)
+
+ def get_tenant_users(self, context, tenant_id, **kw):
+diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
+index e65c7ef..a7ed79d 100644
+--- a/tests/test_keystoneclient.py
++++ b/tests/test_keystoneclient.py
+@@ -368,6 +368,51 @@ class KeystoneClientTests(object):
+ client.tokens.authenticate,
+ token=token_id)
+
++ def test_disable_tenant_invalidates_token(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++ foo_client = self.get_client(self.user_foo)
++
++ # Disable the tenant.
++ admin_client.tenants.update(self.tenant_bar['id'], enabled=False)
++
++ # Test that the token has been removed.
++ self.assertRaises(client_exceptions.Unauthorized,
++ foo_client.tokens.authenticate,
++ token=foo_client.auth_token)
++
++ # Test that the user access has been disabled.
++ self.assertRaises(client_exceptions.Unauthorized,
++ self.get_client,
++ self.user_foo)
++
++ def test_delete_tenant_invalidates_token(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++ foo_client = self.get_client(self.user_foo, self.tenant_bar)
++ tenant_bar = admin_client.tenants.get(self.tenant_bar['id'])
++
++ # Delete the tenant.
++ tenant_bar.delete()
++
++ # Test that the token has been removed.
++ self.assertRaises(client_exceptions.Unauthorized,
++ foo_client.tokens.authenticate,
++ token=foo_client.auth_token)
++
++ # Test that the user access has been disabled.
++ """
++ # FIXME(dolph): this assertion should not be skipped, but appears to be
++ # an unrelated bug? auth succeeds, even though tenant_bar
++ # was deleted
++ self.assertRaises(client_exceptions.Unauthorized,
++ self.get_client,
++ self.user_foo,
++ self.tenant_bar)
++ """
++
+ def test_disable_user_invalidates_token(self):
+ from keystoneclient import exceptions as client_exceptions
+
+@@ -1111,6 +1156,12 @@ class KcEssex3TestCase(CompatTestCase, KeystoneClientTests):
+ def test_endpoint_delete_404(self):
+ raise nose.exc.SkipTest('N/A')
+
++ def test_disable_tenant_invalidates_token(self):
++ raise self.skipTest('N/A')
++
++ def test_delete_tenant_invalidates_token(self):
++ raise self.skipTest('N/A')
++
+
+ class Kc11TestCase(CompatTestCase, KeystoneClientTests):
+ def get_checkout(self):
+--
+1.8.1.5
+
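Review bot: The "user access has been disabled" check in test_delete_tenant_invalidates_token is a bare triple-quoted string, so it is never executed and the preceding comment overstates what the test covers; turn it into a `# FIXME(dolph): ...` comment block (or an explicit `self.skipTest`) so nobody reads it as a live assertion. Separately, in update_tenant the revocation at `self._delete_tokens_for_tenant(context, tenant_id)` runs before `self.identity_api.update_tenant(...)` persists the change, so a backend failure leaves the tenant enabled with its users' tokens already revoked — that is fail-closed and acceptable, but worth a one-line comment such as `# Revoke before persisting: a failed update errs toward revoked tokens.` Note also that revocation is keyed on the request payload containing `enabled: False`, so a repeated update of an already-disabled tenant re-runs the revocation loop, which looks harmless but is not commented. The enclosing TenantController class starts outside this hunk.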
diff --git a/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch b/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch
new file mode 100644
index 000000000000..4a4c3634b5a7
--- /dev/null
+++ b/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch
@@ -0,0 +1,227 @@
+From c70f8c61d50c2358d712b365bec4a8f288314b54 Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews@gmail.com>
+Date: Thu, 12 Sep 2013 17:02:26 -0500
+Subject: [PATCH] Revoke user tokens when disabling/delete a project
+
+- Revoke tokens scoped to all users from a project when disabling or
+ deleting the project.
+- Fix provided by chmouel
+
+Closes-Bug: #1179955
+Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
+---
+ keystone/common/controller.py | 6 ++++
+ keystone/identity/controllers.py | 16 +++++++++++
+ tests/test_keystoneclient.py | 52 ++++++++++++++++++++++++++++++++++
+ tests/test_v3_auth.py | 61 ++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 135 insertions(+)
+
+diff --git a/keystone/common/controller.py b/keystone/common/controller.py
+index 7123adf..0ef80fc 100644
+--- a/keystone/common/controller.py
++++ b/keystone/common/controller.py
+@@ -171,6 +171,12 @@ class V2Controller(wsgi.Application):
+ trust['trustee_user_id'],
+ trust['id'])
+
++ def _delete_tokens_for_project(self, context, project_id):
++ for user_ref in self.identity_api.get_project_users(
++ context, project_id):
++ self._delete_tokens_for_user(
++ context, user_ref['id'], project_id=project_id)
++
+ def _require_attribute(self, ref, attr):
+ """Ensures the reference contains the specified attribute."""
+ if ref.get(attr) is None or ref.get(attr) == '':
+diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
+index e04cded..8bf13c6 100644
+--- a/keystone/identity/controllers.py
++++ b/keystone/identity/controllers.py
+@@ -111,12 +111,20 @@ class Tenant(controller.V2Controller):
+ # be specifying that
+ clean_tenant = tenant.copy()
+ clean_tenant.pop('domain_id', None)
++
++ # If the project has been disabled (or enabled=False) we are
++ # deleting the tokens for that project.
++ if not tenant.get('enabled', True):
++ self._delete_tokens_for_project(context, tenant_id)
++
+ tenant_ref = self.identity_api.update_project(
+ context, tenant_id, clean_tenant)
+ return {'tenant': tenant_ref}
+
+ def delete_project(self, context, tenant_id):
+ self.assert_admin(context)
++ # Delete all tokens belonging to the users for that project
++ self._delete_tokens_for_project(context, tenant_id)
+ self.identity_api.delete_project(context, tenant_id)
+
+ def get_project_users(self, context, tenant_id, **kw):
+@@ -571,6 +579,10 @@ class ProjectV3(controller.V3Controller):
+ def update_project(self, context, project_id, project):
+ self._require_matching_id(project_id, project)
+
++ # The project was disabled so we delete the tokens
++ if not project.get('enabled', True):
++ self._delete_tokens_for_project(context, project_id)
++
+ ref = self.identity_api.update_project(context, project_id, project)
+ return ProjectV3.wrap_member(context, ref)
+
+@@ -579,6 +591,10 @@ class ProjectV3(controller.V3Controller):
+ for cred in self.identity_api.list_credentials(context):
+ if cred['project_id'] == project_id:
+ self.identity_api.delete_credential(context, cred['id'])
++
++ # Delete all tokens belonging to the users for that project
++ self._delete_tokens_for_project(context, project_id)
++
+ # Finally delete the project itself - the backend is
+ # responsible for deleting any role assignments related
+ # to this project
+diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
+index acd5b2f..c6cd27a 100644
+--- a/tests/test_keystoneclient.py
++++ b/tests/test_keystoneclient.py
+@@ -379,6 +379,52 @@ class KeystoneClientTests(object):
+ client.tokens.authenticate,
+ token=token_id)
+
++ def test_disable_tenant_invalidates_token(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++ foo_client = self.get_client(self.user_foo)
++ tenant_bar = admin_client.tenants.get(self.tenant_bar['id'])
++
++ # Disable the tenant.
++ tenant_bar.update(enabled=False)
++
++ # Test that the token has been removed.
++ self.assertRaises(client_exceptions.Unauthorized,
++ foo_client.tokens.authenticate,
++ token=foo_client.auth_token)
++
++ # Test that the user access has been disabled.
++ self.assertRaises(client_exceptions.Unauthorized,
++ self.get_client,
++ self.user_foo)
++
++ def test_delete_tenant_invalidates_token(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++ foo_client = self.get_client(self.user_foo, self.tenant_bar)
++ tenant_bar = admin_client.tenants.get(self.tenant_bar['id'])
++
++ # Delete the tenant.
++ tenant_bar.delete()
++
++ # Test that the token has been removed.
++ self.assertRaises(client_exceptions.Unauthorized,
++ foo_client.tokens.authenticate,
++ token=foo_client.auth_token)
++
++ # Test that the user access has been disabled.
++ """
++ # FIXME(dolph): this assertion should not be skipped, but appears to be
++ # an unrelated bug? auth succeeds, even though tenant_bar
++ # was deleted
++ self.assertRaises(client_exceptions.Unauthorized,
++ self.get_client,
++ self.user_foo,
++ self.tenant_bar)
++ """
++
+ def test_disable_user_invalidates_token(self):
+ from keystoneclient import exceptions as client_exceptions
+
+@@ -1144,6 +1190,12 @@ class KcEssex3TestCase(CompatTestCase, KeystoneClientTests):
+ """Due to lack of endpoint CRUD"""
+ raise nose.exc.SkipTest('N/A')
+
++ def test_disable_tenant_invalidates_token(self):
++ raise self.skipTest('N/A')
++
++ def test_delete_tenant_invalidates_token(self):
++ raise self.skipTest('N/A')
++
+
+ class Kc11TestCase(CompatTestCase, KeystoneClientTests):
+ def get_checkout(self):
+diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
+index 9b3ab52..c2cd867 100644
+--- a/tests/test_v3_auth.py
++++ b/tests/test_v3_auth.py
+@@ -595,6 +595,67 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
+ headers={'X-Subject-Token': token},
+ expected_status=204)
+
++ def test_disabling_project_revokes_token(self):
++ resp = self.post(
++ '/auth/tokens',
++ body=self.build_authentication_request(
++ user_id=self.user3['id'],
++ password=self.user3['password'],
++ project_id=self.projectA['id']))
++ token = resp.getheader('X-Subject-Token')
++
++ # confirm token is valid
++ self.head('/auth/tokens',
++ headers={'X-Subject-Token': token},
++ expected_status=204)
++
++ # disable the project, which should invalidate the token
++ self.patch(
++ '/projects/%(project_id)s' % {'project_id': self.projectA['id']},
++ body={'project': {'enabled': False}})
++
++ # user should no longer have access to the project
++ self.head('/auth/tokens',
++ headers={'X-Subject-Token': token},
++ expected_status=401)
++ resp = self.post(
++ '/auth/tokens',
++ body=self.build_authentication_request(
++ user_id=self.user3['id'],
++ password=self.user3['password'],
++ project_id=self.projectA['id']),
++ expected_status=401)
++
++ def test_deleting_project_revokes_token(self):
++ resp = self.post(
++ '/auth/tokens',
++ body=self.build_authentication_request(
++ user_id=self.user3['id'],
++ password=self.user3['password'],
++ project_id=self.projectA['id']))
++ token = resp.getheader('X-Subject-Token')
++
++ # confirm token is valid
++ self.head('/auth/tokens',
++ headers={'X-Subject-Token': token},
++ expected_status=204)
++
++ # delete the project, which should invalidate the token
++ self.delete(
++ '/projects/%(project_id)s' % {'project_id': self.projectA['id']})
++
++ # user should no longer have access to the project
++ self.head('/auth/tokens',
++ headers={'X-Subject-Token': token},
++ expected_status=401)
++ resp = self.post(
++ '/auth/tokens',
++ body=self.build_authentication_request(
++ user_id=self.user3['id'],
++ password=self.user3['password'],
++ project_id=self.projectA['id']),
++ expected_status=401)
++
+ def test_deleting_group_grant_revokes_tokens(self):
+ """Test deleting a group grant revokes tokens.
+
+--
+1.8.1.5
+
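Review bot: `_delete_tokens_for_project` is added to V2Controller in keystone/common/controller.py but is called from ProjectV3 (a V3Controller subclass) at `self._delete_tokens_for_project(context, project_id)` in both update_project and delete_project; that only resolves if V3Controller inherits from V2Controller, which this diff does not show. The new test_v3_auth cases would raise AttributeError if it does not, so the test run is the real guard, but a short comment on the helper, e.g. `# Shared by the v2 Tenant and v3 ProjectV3 controllers via the controller base chain`, would make the dependency explicit. As in the Folsom backport, the "user access has been disabled" assertion in test_delete_tenant_invalidates_token is a dead string literal and should become a `# FIXME` comment rather than look like a check. The enclosing V2Controller, Tenant and ProjectV3 classes all start outside their respective hunks.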
diff --git a/sys-auth/keystone/keystone-2012.2.4-r8.ebuild b/sys-auth/keystone/keystone-2012.2.4-r9.ebuild
index 4573c7ada14c..9fc9dc5f0a5e 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r8.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r9.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r8.ebuild,v 1.2 2013/09/12 06:19:47 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r9.ebuild,v 1.1 2013/09/15 02:58:58 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -78,6 +78,7 @@ PATCHES=(
"${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
"${FILESDIR}/keystone-cve-2013-4294-folsom.patch"
+ "${FILESDIR}/2012.2.4-CVE-2013-4222.patch"
"${FILESDIR}/2012.2.4-upstream-1181157.patch"
)
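Review bot: The new entry `"${FILESDIR}/2012.2.4-CVE-2013-4222.patch"` does not follow the naming used by its siblings in the same PATCHES array (`keystone-folsom-4-CVE-2013-2104.patch`, `keystone-cve-2013-4294-folsom.patch`), which makes the files directory harder to scan by package; consider `keystone-folsom-4-CVE-2013-4222.patch` for consistency. Whether the ordering relative to `2012.2.4-upstream-1181157.patch` matters depends on whether the two patches touch the same files, which is not visible here.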
diff --git a/sys-auth/keystone/keystone-2013.1.3-r2.ebuild b/sys-auth/keystone/keystone-2013.1.3-r3.ebuild
index be6bfac0b534..f9a1054e11db 100644
--- a/sys-auth/keystone/keystone-2013.1.3-r2.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.3-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r2.ebuild,v 1.2 2013/09/12 06:19:47 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r3.ebuild,v 1.1 2013/09/15 02:58:58 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
# dev-python/webtest
# )
PATCHES=(
+ "${FILESDIR}/2013.1.3-CVE-2013-4222.patch"
"${FILESDIR}/keystone-cve-2013-4294-grizzly.patch"
)
# "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
diff --git a/sys-auth/keystone/keystone-2013.1.9999.ebuild b/sys-auth/keystone/keystone-2013.1.9999.ebuild
index 5638ebdc86cf..a2e7441474ba 100644
--- a/sys-auth/keystone/keystone-2013.1.9999.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.9999.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.9999.ebuild,v 1.5 2013/09/12 06:19:47 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.9999.ebuild,v 1.6 2013/09/15 02:58:58 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -71,6 +71,10 @@ RDEPEND="${DEPEND}
# dev-python/webtest
# )
+PATCHES=(
+ "${FILESDIR}/2013.1.3-CVE-2013-4222.patch"
+)
+
python_install() {
distutils-r1_python_install
newconfd "${FILESDIR}/keystone.confd" keystone
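Review bot: Adding `"${FILESDIR}/2013.1.3-CVE-2013-4222.patch"` as an unconditional PATCHES entry in the live 2013.1.9999 ebuild will make the build fail with a reject as soon as the tracked stable branch merges the upstream change (Change-Id I8ab4713d513b26ced6c37ed026cec9e2df78a5e9), since the same hunks will then already be present. A comment recording that intent, e.g. `# Drop once the stable/grizzly branch carries Change-Id I8ab4713d... (CVE-2013-4222)`, would tell the next maintainer why the live ebuild breaks and what to remove. The python_install function that follows continues past the end of this hunk.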