author | 2014-08-19 02:39:45 +0000 | |
---|---|---|
committer | 2014-08-19 02:39:45 +0000 | |
commit | 7cd537783558d899e5a3359e854bf4aad61b793a (patch) | |
tree | 00ee4bf9a81e03767241d32ae44505e0f8ccfacb /sys-auth | |
parent | version bump, bug 513944 (diff) | |
fixing bug 519144
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 9 | ||||
-rw-r--r-- | sys-auth/keystone/Manifest | 22 | ||||
-rw-r--r-- | sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch | 94 | ||||
-rw-r--r-- | sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch | 308 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2014.1.2.1.ebuild | 151 |
5 files changed, 175 insertions, 409 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 31a00b32e7cd..7923e324ac32 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.77 2014/08/10 20:21:57 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.78 2014/08/19 02:39:33 prometheanfire Exp $
+
+*keystone-2014.1.2.1 (19 Aug 2014)
+
+ 19 Aug 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +keystone-2014.1.2.1.ebuild, -files/2014.1.1-CVE-2014-3250.patch,
+ -files/2014.1.1-CVE-2014-3476.patch:
+ fixing bug 519144
 
 10 Aug 2014; Sergei Trofimovich <slyfox@gentoo.org>
 keystone-2014.1.1-r2.ebuild, keystone-2014.1.9999.ebuild,
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index 1778d8af4f18..7b0a7f179cee 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -1,21 +1,31 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 -AUX 2014.1.1-CVE-2014-3250.patch 4199 SHA256 c2bf10df39df4bc993c4a68491734c177428da21a2fc6bcd4673f8864910d6d8 SHA512 6dfe72e051eeabafb2fcf5f91fc6422de363420cad68c8cd6700db54507fcd7138b2a90077d772a8f9fd378ab889eeaad62c95f7a1db04f70811f2d2dab0a87d WHIRLPOOL e748dce4f854ec1b5c5663efd2ffa673c4a79d3dca98891a761c3ead266536eb72b2a98be63e664236650db08ca6f33591d441f10f6aee9238a9e4d98ab82679 -AUX 2014.1.1-CVE-2014-3476.patch 11956 SHA256 c7680ffdb145253f5dfa3bf5ca499ea675199bf1b7cb26d3fdb99d9123c909b7 SHA512 bf364409a14415aa2ce5ff2dea4af1fab4f433d704d88d7fc3b831a020136b1ad70a32ce95010747ffe75167a94006fa337a3973ef3f2868fb77b3a2dcc6522f WHIRLPOOL dfc3831f47ab35258e1c68bd1c9ffbc5e24fc9a816e3d4d976ccd76eeec76910daf14dc4639a7be0d1ad60ebd8e9a3db797ea28449ab88a1f00d8aac48beeced AUX keystone.confd 124 SHA256 50daa09c5922190a6663e36a32e9b6e5c512672e5be776fcc9b0805da40b6e8d SHA512 1cf50ddcd55421481f8b34f91f35787299b2f9044bcc0a63c70ffff372d740cb84c399d31e52d708fdacad3455d77867d02b438ec2fb39b35ac2e106a2c9e0ad WHIRLPOOL e6c2b76131846cd0ce86e8d766d3f5bbd0d8cd0643de9100d7946afa44c3f13500719feca3ee4ea49644f6881fa34bdc17c08d65a001841ae8f40fc820d334fc AUX keystone.initd 674 SHA256 fc556365de7198de035ebf083b10f59043aa3266270d3ab708d613311f1a719a SHA512 10066c2197973aeee2444ae1bff0ffc3d2a7360a632b55b9c2f66bf064285491e698721ec1525a22b18c0b74a8a6c5c4b84d2cf73812a0f93b2dbfffba799718 WHIRLPOOL 7969003cec68ca8017de003e6a5cfb4bd239a149b06dd9304c9ba8200b4fedfe8ae7e8d3c443e741d1c19cedc5d67150f1d236eef565685a64aa4a998c1ec509 AUX no_admin_token_auth-paste.ini 2646 SHA256 f98d9151f222d2143820bdc98727ce0cf3f4450a4dbdc54f1fb6e36bb63bf2df SHA512 c855dd2bb05e765c6594359f55b76f7f6e0649c8e8f4517b274c7432f136e51c408168ec24e0074f4ebc49eb641d658acfda205aef97fe68fe8fc016be4cb08d WHIRLPOOL faad0f98d0684cf206e2f2afb5fba6c6aab73f97bcf63e38038be49a2ae1303e8cb5434d8fab34492888c666462dcd751c678c04cd0039d9024fd42ddde30646 DIST keystone-2014.1.1.tar.gz 
1429884 SHA256 3da9908541776470dd7f22ec27f6e77ce7e20fb8761cbbc11e99e782f39e5b73 SHA512 86bdb09f906a6b6d7d084a5efe38ad55b9b57731680635c89fc90387ce1bd3eded7fb0534d8301fef42191422e2a42f2761953906800f742eebb16f8512e466b WHIRLPOOL 3c0f271c00e4adfb26cb4a57afa255783201fef8b5c3f29809a90323deb20cff0f263ffa2aeef82b312dd0267f82adb9baededc9b9a4b75435168131ac8491f5 +DIST keystone-2014.1.2.1.tar.gz 1435549 SHA256 52deabea5f22aa060e8ee5a20277b5a38a1960b6bbca7200b9c8479245074c32 SHA512 1eb6d6f610bb53e1d6f437fc24e0452edfc61881160178c2818bb3b8bb6887a4a8e0f0a664200265a138f607f826bf933e427b8057415e4523ea145bde7adf9b WHIRLPOOL 8bbf619b01ba1aa7ad7e1b498478f8752cf2669f227737ce29bf61791d7b7ed3475b81bf66d7d90571d8aef79828931581801caf7d5ebd5deee74f9c4b82af48 EBUILD keystone-2014.1.1-r2.ebuild 5533 SHA256 e41d42441d0a073501919d07a43beeadd6328a8b0b133b3d19f3ebfe283aed3f SHA512 c7487b4d51f9a227a7b4ee902307b6ca2d946539769cf91f59ec3b6b45345f349a1c20b48167ce39c22889446834645d6bbd2699cf5735e8df3a7ba1ecd78edb WHIRLPOOL 3a1261abb8aa60f9543a8e3e3d973cc1ce6b129d066fb1707724d56a450de174eb8835a4b8aa67db87d0b7ab614fec38c4e21749b34e4b4b4e5cfd92db15fcaf +EBUILD keystone-2014.1.2.1.ebuild 5530 SHA256 57c2c888104ed758ae5b3512ac1af759c79050c214e6a9e08c1146905eaa4dee SHA512 642c901212424d7cec385d228f95816b89c7706e890ca4233f66c4844b85c9ca608cd89ce2bd62f7f6571e10b0d54ba96a91162871fd7ec133843036bb71b2b5 WHIRLPOOL 8804103cab79d6d04c630f00bc9bb24d0407fbf89eee80ca18b87d2a7867b7e0c3a05b9c251eafe9649a131fca626983c4c974fb8aef608029482e523c659cdd EBUILD keystone-2014.1.9999.ebuild 5347 SHA256 706581928c27c1fa09093a6cfb696a3826903dd29eded1349e86778432ce7e44 SHA512 66a18e8145bc247d06a0e9ccec5b5aaa14d58051f72cc31534e4fe46e3faf5c43af142cc681eef0d077bb96d6b2f9ac97f9338586382354b9954376c83b51bae WHIRLPOOL 25f98da8ec0e113c01f568fd5793c19d1ce3d8c1fe50096281efd0ca39f2c2fa3a1e99abe6c01680423c82b1bb648d825ad79c406b5e8fba478858dd7e86d911 EBUILD keystone-9999.ebuild 4688 SHA256 
c1fc32ab0fe5c1ee6dbd0d4cae9c0fc65c11b6274e24f88683b1368c29129561 SHA512 8c9428f8692ec0fdc980cbe74d4871e12fa70adb70828f615ddf9d11012cfc2a8461ddb0afd0140427e209d4b28742e2bb41446e472370112b45890410fa9ba3 WHIRLPOOL 120b8146e44eb1d31f9515978f2cacab478faeae7d2c880f515e1b9f50049503ca4bc75589c3b628ba0dc4ce856f0d872930fc5a98c0469d9283234eee276d00 -MISC ChangeLog 16731 SHA256 a8ada78cca98fe8acbe6113f6520bf2ac9d65e6bcc66ffe8ef621d704b30dbb8 SHA512 a778ee7e88c023e1dff820222525994776908c9f3111272e304ba00599406396a226c5af9811733624afd9a5108f80c60f96c1d58f23c9202511b696a6e5140a WHIRLPOOL da82e06bc1a0e8b9bdd172b052782307570f588b2a0463ac86a6b48f066e069691a4e9b076291070c0fa5ca1fc22ab449a61224189cbf5b144e9943303818d9c +MISC ChangeLog 16960 SHA256 4f92251d88d5fa8d6e166023513dceda6c3678e01dd940722bdf0b24c3fd5a5a SHA512 d66b0243a304276d9c85234e2be4b4279231aa2abac05a8ad4c9de6f16690746af6fe939ea8121f8801e9726f46dd13118483716450c37f731673ca3937e6560 WHIRLPOOL b012e6e0d5a4fa4aea8b0fb9237dbbfd4ac47c3c9a398e269539549fdf9aa441c40bb7a01fa4ef5e4065bb646b8272438b2e528c40b3dc49bc2a8266496a1025 MISC metadata.xml 424 SHA256 c89c0232e90df5d811d17941c1594e4c4c45db48c2b6240a3c62b232caad4e84 SHA512 9d7fcca89a6f35a93f1a57790103249cdc25424cbdb374bf26b691e81b27182dc3380a8ff67b77e7aabf4ce944e4a813d619838d4bc97086b4208e5312d76f11 WHIRLPOOL 4ec9d4c5ff5c484c341b06fe77fcac8e6fdd0e0b651dbd58b6f2d5aecd05db5bf70218b94733eb749ced7436f9df5ba5c93496bae06c0ff9a62b91ecb53ab77a -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iEYEAREIAAYFAlPn1GYACgkQcaHudmEf86r/QQCffi255d1JHK3wVDZkVHmrP7a7 -JDQAoIanM2uZ4Eewo0uMqHcEC1lMzxB9 -=FG5+ +iQIcBAEBCAAGBQJT8rj7AAoJECRx6z5ArFrDIIoQAJjLYkP5eAXnBSFDE9cA5tSC +5a/0hOVmgzFmJTdHG4QhauCzAaJnNo+Q1s4PCKN2tVrxvDqsbKdCHAZZ7LUlZv4d +KxcUjgB2Qsp0eQfbg/FeMzBi2CMNHPcAitDB5b5jp7tTq6UwFJvyI1I1i+RCak2m +5GuseCEOjw3e6QLL6XEXPLzHXYq+0r4LF1EEba2UiF1nUyOwhqdIuv9QWoqQTV+d +xHdLY4FiVIa5hecLjPlZmygj9/9b71ycU51apYH7mrf9/x35mxwxGzfOyvcA8WG0 +5wK9fT9gT9SyCGpq5r2ZATzELqWxoB7QG+c0v5sqw55+ITk1A+iijkf5vD4qRnz8 
+xkHXWLN6XH4VYIYyydYUqD228eocGB36r/LP8ULhyHo9p7kquRSvU1pGbsmA5k6i +pxAN7qCTksXp4j9WeddIGi6h6RIbe9JujTIdxzLdJ4p7pU6PvlmjtvooYYsjyna+ +3sDgFOk+CttbfGBQdZC4EmVu/PdxKGFIdOD5zCtaPpF4XYos/9b2/elN/Mq5JKtA +0bDouToSyo/eDbl3VBRva0o5YRv4o45feyH7cB1EvDbBTgdgfvStfvOBFOkL7KZC +Px+0O9TzPyfs23ufwML/tsobXRZTrHrpQHd2Tc9eWVqfWVzEBtDO4WVJCYCPq6Jf +5dZpYQ5iFr6DXFi4a/3R +=pnDx -----END PGP SIGNATURE----- diff --git a/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch b/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch deleted file mode 100644 index 0bf2bb6e2a2c..000000000000 --- a/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 8ac8484e1daadfda3f36b3135a8f6de56fc41795 Mon Sep 17 00:00:00 2001 -From: Jamie Lennox <jamielennox@redhat.com> -Date: Thu, 19 Jun 2014 14:41:22 +1000 -Subject: [PATCH] Ensure that in v2 auth tenant_id matches trust - -Previously if a trustee requests a trust scoped token for a project that -is different to the one in the trust, however the trustor has the -appropriate roles then a token would be issued. - -Ensure that the trust that was given matches the project that was -specified in the scope. - -(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a) - -Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc -Closes-Bug: #1331912 ---- - keystone/tests/test_auth.py | 15 +++++++++++++-- - keystone/token/controllers.py | 6 +++++- - 2 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py -index 6d93e7f..4d9d9da 100644 ---- a/keystone/tests/test_auth.py -+++ b/keystone/tests/test_auth.py -@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest): - self.new_trust = self.trust_controller.create_trust( - context, trust=trust_data)['trust'] - -- def build_v2_token_request(self, username, password): -+ def build_v2_token_request(self, username, password, tenant_id=None): -+ if not tenant_id: -+ tenant_id = self.tenant_bar['id'] - body_dict = _build_user_auth(username=username, password=password) - self.unscoped_token = self.controller.authenticate({}, body_dict) - unscoped_token_id = self.unscoped_token['access']['token']['id'] - request_body = _build_user_auth(token={'id': unscoped_token_id}, - trust_id=self.new_trust['id'], -- tenant_id=self.tenant_bar['id']) -+ tenant_id=tenant_id) - return request_body - - def test_create_trust_bad_data_fails(self): -@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest): - exception.Forbidden, - self.controller.authenticate, {}, request_body) - -+ def test_token_from_trust_wrong_project_fails(self): -+ for assigned_role in self.assigned_roles: 
-+ self.assignment_api.add_role_to_user_and_project( -+ self.trustor['id'], self.tenant_baz['id'], assigned_role) -+ request_body = self.build_v2_token_request('TWO', 'two2', -+ self.tenant_baz['id']) -+ self.assertRaises(exception.Forbidden, self.controller.authenticate, -+ {}, request_body) -+ - def fetch_v2_token_from_trust(self): - request_body = self.build_v2_token_request('TWO', 'two2') - auth_response = self.controller.authenticate({}, request_body) -diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py -index bcae12c..be16145 100644 ---- a/keystone/token/controllers.py -+++ b/keystone/token/controllers.py -@@ -164,6 +164,8 @@ class Auth(controller.V2Controller): - - user_ref = old_token_ref['user'] - user_id = user_ref['id'] -+ tenant_id = self._get_project_id_from_auth(auth) -+ - if not CONF.trust.enabled and 'trust_id' in auth: - raise exception.Forbidden('Trusts are disabled.') - elif CONF.trust.enabled and 'trust_id' in auth: -@@ -172,6 +174,9 @@ class Auth(controller.V2Controller): - raise exception.Forbidden() - if user_id != trust_ref['trustee_user_id']: - raise exception.Forbidden() -+ if (trust_ref['project_id'] and -+ tenant_id != trust_ref['project_id']): -+ raise exception.Forbidden() - if ('expires' in trust_ref) and (trust_ref['expires']): - expiry = trust_ref['expires'] - if expiry < timeutils.parse_isotime(timeutils.isotime()): -@@ -196,7 +201,6 @@ class Auth(controller.V2Controller): - current_user_ref = self.identity_api.get_user(user_id) - - metadata_ref = {} -- tenant_id = self._get_project_id_from_auth(auth) - tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( - user_id, tenant_id) - --- -1.9.3 - - diff --git a/sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch b/sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch deleted file mode 100644 index ae231593756d..000000000000 --- a/sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch +++ /dev/null 
@@ -1,308 +0,0 @@ -From 73785122eefe523bb57c819e085c7f6ec97d779c Mon Sep 17 00:00:00 2001 -From: Adam Young <ayoung@redhat.com> -Date: Thu, 29 May 2014 13:56:17 -0400 -Subject: [PATCH] Block delegation escalation of privilege - -Forbids doing the following with either a trust - or oauth based token: - creating a trust - approving a request_token - listing request tokens - -Change-Id: I1528f9dd003f5e03cbc50b78e1b32dbbf85ffcc2 -Closes-Bug: 1324592 ---- - keystone/common/authorization.py | 36 ++++++++++++- - keystone/contrib/oauth1/controllers.py | 12 +++++ - keystone/tests/test_v3_auth.py | 36 +++++++++++++ - keystone/tests/test_v3_oauth1.py | 97 ++++++++++++++++++++++++++++++++++ - keystone/trust/controllers.py | 9 ++++ - 5 files changed, 188 insertions(+), 2 deletions(-) - -diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py -index 6dc7435..11d0d79 100644 ---- a/keystone/common/authorization.py -+++ b/keystone/common/authorization.py -@@ -67,7 +67,7 @@ def is_v3_token(token): - - - def v3_token_to_auth_context(token): -- creds = {} -+ creds = {'is_delegated_auth': False} - token_data = token['token'] - try: - creds['user_id'] = token_data['user']['id'] -@@ -87,11 +87,31 @@ def v3_token_to_auth_context(token): - creds['group_ids'] = [ - g['id'] for g in token_data['user'].get(federation.FEDERATION, {}).get( - 'groups', [])] -+ -+ trust = token_data.get('OS-TRUST:trust') -+ if trust is None: -+ creds['trust_id'] = None -+ creds['trustor_id'] = None -+ creds['trustee_id'] = None -+ else: -+ creds['trust_id'] = trust['id'] -+ creds['trustor_id'] = trust['trustor_user']['id'] -+ creds['trustee_id'] = trust['trustee_user']['id'] -+ creds['is_delegated_auth'] = True -+ -+ oauth1 = token_data.get('OS-OAUTH1') -+ if oauth1 is None: -+ creds['consumer_id'] = None -+ creds['access_token_id'] = None -+ else: -+ creds['consumer_id'] = oauth1['consumer_id'] -+ creds['access_token_id'] = oauth1['access_token_id'] -+ creds['is_delegated_auth'] = True - 
return creds - - - def v2_token_to_auth_context(token): -- creds = {} -+ creds = {'is_delegated_auth': False} - token_data = token['access'] - try: - creds['user_id'] = token_data['user']['id'] -@@ -105,6 +125,18 @@ def v2_token_to_auth_context(token): - if 'roles' in token_data['user']: - creds['roles'] = [role['name'] for - role in token_data['user']['roles']] -+ -+ trust = token_data.get('trust') -+ if trust is None: -+ creds['trust_id'] = None -+ creds['trustor_id'] = None -+ creds['trustee_id'] = None -+ else: -+ creds['trust_id'] = trust.get('id') -+ creds['trustor_id'] = trust.get('trustor_id') -+ creds['trustee_id'] = trust.get('trustee_id') -+ creds['is_delegated_auth'] = True -+ - return creds - - -diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py -index 2c938ba..a185e4f 100644 ---- a/keystone/contrib/oauth1/controllers.py -+++ b/keystone/contrib/oauth1/controllers.py -@@ -95,6 +95,12 @@ def get_access_token(self, context, user_id, access_token_id): - - @controller.protected() - def list_access_tokens(self, context, user_id): -+ auth_context = context.get('environment', -+ {}).get('KEYSTONE_AUTH_CONTEXT', {}) -+ if auth_context.get('is_delegated_auth'): -+ raise exception.Forbidden( -+ _('Cannot list request tokens' -+ ' with a token issued via delegation.')) - refs = self.oauth_api.list_access_tokens(user_id) - formatted_refs = ([self._format_token_entity(context, x) - for x in refs]) -@@ -310,6 +316,12 @@ def authorize_request_token(self, context, request_token_id, roles): - there is not another easy way to make sure the user knows which roles - are being requested before authorizing. 
- """ -+ auth_context = context.get('environment', -+ {}).get('KEYSTONE_AUTH_CONTEXT', {}) -+ if auth_context.get('is_delegated_auth'): -+ raise exception.Forbidden( -+ _('Cannot authorize a request token' -+ ' with a token issued via delegation.')) - - req_token = self.oauth_api.get_request_token(request_token_id) - -diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py -index 5de7e02..8a27a38 100644 ---- a/keystone/tests/test_v3_auth.py -+++ b/keystone/tests/test_v3_auth.py -@@ -2777,6 +2777,42 @@ def test_exercise_trust_scoped_token_with_impersonation(self): - self.assertEqual(r.result['token']['project']['name'], - self.project['name']) - -+ def test_impersonation_token_cannot_create_new_trust(self): -+ ref = self.new_trust_ref( -+ trustor_user_id=self.user_id, -+ trustee_user_id=self.trustee_user_id, -+ project_id=self.project_id, -+ impersonation=True, -+ expires=dict(minutes=1), -+ role_ids=[self.role_id]) -+ del ref['id'] -+ -+ r = self.post('/OS-TRUST/trusts', body={'trust': ref}) -+ trust = self.assertValidTrustResponse(r) -+ -+ auth_data = self.build_authentication_request( -+ user_id=self.trustee_user['id'], -+ password=self.trustee_user['password'], -+ trust_id=trust['id']) -+ r = self.post('/auth/tokens', body=auth_data) -+ -+ trust_token = r.headers['X-Subject-Token'] -+ -+ # Build second trust -+ ref = self.new_trust_ref( -+ trustor_user_id=self.user_id, -+ trustee_user_id=self.trustee_user_id, -+ project_id=self.project_id, -+ impersonation=True, -+ expires=dict(minutes=1), -+ role_ids=[self.role_id]) -+ del ref['id'] -+ -+ self.post('/OS-TRUST/trusts', -+ body={'trust': ref}, -+ token=trust_token, -+ expected_status=403) -+ - def assertTrustTokensRevoked(self, trust_id): - revocation_response = self.get('/OS-REVOKE/events', - expected_status=200) -diff --git a/keystone/tests/test_v3_oauth1.py b/keystone/tests/test_v3_oauth1.py -index b653855..d993889 100644 ---- a/keystone/tests/test_v3_oauth1.py -+++ 
b/keystone/tests/test_v3_oauth1.py -@@ -13,6 +13,8 @@ - # under the License. - - import copy -+import os -+import tempfile - import uuid - - from six.moves import urllib -@@ -26,6 +28,7 @@ - from keystone import exception - from keystone.openstack.common.db.sqlalchemy import migration - from keystone.openstack.common import importutils -+from keystone.openstack.common import jsonutils - from keystone.tests import test_v3 - - -@@ -486,6 +489,100 @@ def test_delete_keystone_tokens_by_consumer_id(self): - self.assertRaises(exception.TokenNotFound, self.token_api.get_token, - self.keystone_token_id) - -+ def _create_trust_get_token(self): -+ ref = self.new_trust_ref( -+ trustor_user_id=self.user_id, -+ trustee_user_id=self.user_id, -+ project_id=self.project_id, -+ impersonation=True, -+ expires=dict(minutes=1), -+ role_ids=[self.role_id]) -+ del ref['id'] -+ -+ r = self.post('/OS-TRUST/trusts', body={'trust': ref}) -+ trust = self.assertValidTrustResponse(r) -+ -+ auth_data = self.build_authentication_request( -+ user_id=self.user['id'], -+ password=self.user['password'], -+ trust_id=trust['id']) -+ r = self.post('/auth/tokens', body=auth_data) -+ -+ trust_token = r.headers['X-Subject-Token'] -+ return trust_token -+ -+ def _approve_request_token_url(self): -+ consumer = self._create_single_consumer() -+ consumer_id = consumer['id'] -+ consumer_secret = consumer['secret'] -+ self.consumer = {'key': consumer_id, 'secret': consumer_secret} -+ self.assertIsNotNone(self.consumer['secret']) -+ -+ url, headers = self._create_request_token(self.consumer, -+ self.project_id) -+ content = self.post(url, headers=headers) -+ credentials = urllib.parse.parse_qs(content.result) -+ request_key = credentials['oauth_token'][0] -+ request_secret = credentials['oauth_token_secret'][0] -+ self.request_token = oauth1.Token(request_key, request_secret) -+ self.assertIsNotNone(self.request_token.key) -+ -+ url = self._authorize_request_token(request_key) -+ -+ return url -+ -+ def 
test_oauth_token_cannot_create_new_trust(self): -+ self.test_oauth_flow() -+ ref = self.new_trust_ref( -+ trustor_user_id=self.user_id, -+ trustee_user_id=self.user_id, -+ project_id=self.project_id, -+ impersonation=True, -+ expires=dict(minutes=1), -+ role_ids=[self.role_id]) -+ del ref['id'] -+ -+ self.post('/OS-TRUST/trusts', -+ body={'trust': ref}, -+ token=self.keystone_token_id, -+ expected_status=403) -+ -+ def test_oauth_token_cannot_authorize_request_token(self): -+ self.test_oauth_flow() -+ url = self._approve_request_token_url() -+ body = {'roles': [{'id': self.role_id}]} -+ self.put(url, body=body, token=self.keystone_token_id, -+ expected_status=403) -+ -+ def test_oauth_token_cannot_list_request_tokens(self): -+ self._set_policy({"identity:list_access_tokens": [], -+ "identity:create_consumer": [], -+ "identity:authorize_request_token": []}) -+ self.test_oauth_flow() -+ url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id -+ self.get(url, token=self.keystone_token_id, -+ expected_status=403) -+ -+ def _set_policy(self, new_policy): -+ _unused, self.tmpfilename = tempfile.mkstemp() -+ self.config_fixture.config(policy_file=self.tmpfilename) -+ with open(self.tmpfilename, "w") as policyfile: -+ policyfile.write(jsonutils.dumps(new_policy)) -+ self.addCleanup(os.remove, self.tmpfilename) -+ -+ def test_trust_token_cannot_authorize_request_token(self): -+ trust_token = self._create_trust_get_token() -+ url = self._approve_request_token_url() -+ body = {'roles': [{'id': self.role_id}]} -+ self.put(url, body=body, token=trust_token, expected_status=403) -+ -+ def test_trust_token_cannot_list_request_tokens(self): -+ self._set_policy({"identity:list_access_tokens": [], -+ "identity:create_trust": []}) -+ trust_token = self._create_trust_get_token() -+ url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id -+ self.get(url, token=trust_token, expected_status=403) -+ - - class MaliciousOAuth1Tests(OAuth1Tests): - -diff --git 
a/keystone/trust/controllers.py b/keystone/trust/controllers.py -index cc3cc1f..552db44 100644 ---- a/keystone/trust/controllers.py -+++ b/keystone/trust/controllers.py -@@ -132,6 +132,15 @@ def create_trust(self, context, trust=None): - - # TODO(ayoung): instead of raising ValidationError on the first - # problem, return a collection of all the problems. -+ -+ # Explicitly prevent a trust token from creating a new trust. -+ auth_context = context.get('environment', -+ {}).get('KEYSTONE_AUTH_CONTEXT', {}) -+ if auth_context.get('is_delegated_auth'): -+ raise exception.Forbidden( -+ _('Cannot create a trust' -+ ' with a token issued via delegation.')) -+ - if not trust: - raise exception.ValidationError(attribute='trust', - target='request') --- -1.9.3 - diff --git a/sys-auth/keystone/keystone-2014.1.2.1.ebuild b/sys-auth/keystone/keystone-2014.1.2.1.ebuild new file mode 100644 index 000000000000..7739994faf3e --- /dev/null +++ b/sys-auth/keystone/keystone-2014.1.2.1.ebuild 
@@ -0,0 +1,151 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1.2.1.ebuild,v 1.1 2014/08/19 02:39:33 prometheanfire Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python"
+HOMEPAGE="https://launchpad.net/keystone"
+#SRC_URI="http://launchpad.net/${PN}/icehouse/${PV}/+download/${P}.tar.gz"
+SRC_URI="http://launchpad.net/${PN}/icehouse/2014.1.2/+download/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+sqlite mysql postgres ldap test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+#todo, seperate out rdepend via use flags
+# python-ldap needs to be relaxed...
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ >=dev-python/pbr-0.6[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]
+ test? ( ${RDEPEND}
+ >=dev-python/hacking-0.8[${PYTHON_USEDEP}]
+ <dev-python/hacking-0.9[${PYTHON_USEDEP}]
+ dev-lang/python[sqlite]
+ >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}]
+ >=dev-python/pymongo-2.4[${PYTHON_USEDEP}]
+ ldap? ( dev-python/python-ldap )
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ >=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
+ >=dev-python/mock-1.0[${PYTHON_USEDEP}]
+ >=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.2[${PYTHON_USEDEP}]
+ >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
+ >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
+ >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
+ >=dev-python/testtools-0.9.34[${PYTHON_USEDEP}]
+ >=dev-python/testscenarios-0.4[${PYTHON_USEDEP}]
+ >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
+ >=dev-python/requests-1.1[${PYTHON_USEDEP}]
+ >=dev-python/keyring-2.1[${PYTHON_USEDEP}]
+ dev-python/oslo-sphinx[${PYTHON_USEDEP}]
+ >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
+ >=dev-python/lockfile-0.8[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-0.14[${PYTHON_USEDEP}]
+ )"
+RDEPEND=">=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+ >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
+ >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
+ >=dev-python/netaddr-0.7.6[${PYTHON_USEDEP}]
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+ >=dev-python/six-1.6.0[${PYTHON_USEDEP}]
+ sqlite? (
+ >=dev-python/sqlalchemy-0.8.0[sqlite,${PYTHON_USEDEP}]
+ !~dev-python/sqlalchemy-0.9.5[sqlite,${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}]
+ )
+ mysql? (
+ dev-python/mysql-python
+ >=dev-python/sqlalchemy-0.8.0[${PYTHON_USEDEP}]
+ !~dev-python/sqlalchemy-0.9.5[${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
+ )
+ postgres? (
+ dev-python/psycopg:2
+ >=dev-python/sqlalchemy-0.8.0[${PYTHON_USEDEP}]
+ !~dev-python/sqlalchemy-0.9.5[${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
+ )
+ >=dev-python/sqlalchemy-migrate-0.9[${PYTHON_USEDEP}]
+ dev-python/passlib[${PYTHON_USEDEP}]
+ >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
+ >=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-0.7.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-messaging-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
+ >=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+ >=dev-python/dogpile-cache-0.5.0[${PYTHON_USEDEP}]
+ >=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+ <dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/pycadf-0.4.1[${PYTHON_USEDEP}]
+ ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )"
+
+PATCHES=(
+)
+
+pkg_setup() {
+ enewgroup keystone
+ enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+ # it's in git, but not in the tarball.....
+ mkdir -p ${PN}/tests/tmp/ || die
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+ distutils-r1_python_prepare_all
+}
+
+# Ignore (naughty) test_.py files & 1 test that connect to the network
+#-I 'test_keystoneclient*' \
+python_test() {
+ nosetests -I 'test_keystoneclient*' \
+ -e test_static_translated_string_is_Message \
+ -e test_get_token_id_error_handling \
+ -e test_provider_token_expiration_validation \
+ -e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install() {
+ distutils-r1_python_install
+ newconfd "${FILESDIR}/keystone.confd" keystone
+ newinitd "${FILESDIR}/keystone.initd" keystone
+
+ diropts -m 0750
+ keepdir /etc/keystone /var/log/keystone
+ insinto /etc/keystone
+ doins etc/keystone.conf.sample etc/logging.conf.sample
+ doins etc/default_catalog.templates etc/policy.json
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+
+ fowners keystone:keystone /etc/keystone /var/log/keystone
+}
+
+pkg_postinst() {
+ elog "You might want to run:"
+ elog "emerge --config =${CATEGORY}/${PF}"
+ elog "if this is a new install."
+ elog "If you have not already configured your openssl installation"
+ elog "please do it by modifying /etc/ssl/openssl.cnf"
+ elog "BEFORE issuing the configuration command."
+ elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+ if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+ einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+ read
+ "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+ else
+ einfo "keystone PKI certificates directory already present, skipping configuration"
+ fi
+}
|
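Review bot: `test? ( ${RDEPEND}` inside the DEPEND assignment expands RDEPEND before this ebuild assigns it (the `RDEPEND=">=dev-python/webob-1.2.3-r1...` block comes after DEPEND), so the test-time dependency group only contains whatever RDEPEND the inherited eclasses may have set, not the package's own runtime deps, and a USE=test build can run the suite with modules missing. Move the `RDEPEND=...` block above `DEPEND=...`, or drop `${RDEPEND}` from that group and append `DEPEND+=" test? ( ${RDEPEND} )"` once RDEPEND is defined. Separately, the commit deletes the two CVE backport patches (CVE-2014-3250, CVE-2014-3476) together with the bump; presumably 2014.1.2.1 carries those fixes upstream, but neither the ChangeLog entry nor the commit message says so, and one sentence naming the CVEs the new release covers would make the package's security history auditable. Minor: `mkdir -p ${PN}/tests/tmp/ || die` and the following `cp` leave `${PN}` unquoted while the rest of the file quotes its variables; `"${PN}"/tests/tmp/` matches the file's style.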