From b54a183dd82914e18bd3ddaae8605e029c4ad14d Mon Sep 17 00:00:00 2001 From: Matthew Thode Date: Fri, 30 Sep 2016 18:43:23 -0500 Subject: openstack p2, newton is done, will add heat later --- sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch | 216 ---------------------- sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch | 103 ----------- sys-auth/keystone/keystone-2016.2.9999.ebuild | 4 +- 3 files changed, 2 insertions(+), 321 deletions(-) delete mode 100644 sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch delete mode 100644 sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch (limited to 'sys-auth') diff --git a/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch b/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch deleted file mode 100644 index 82bff1edbe94..000000000000 --- a/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch +++ /dev/null 
@@ -1,216 +0,0 @@ -From bff03b5726fe5cac93d44a66715eea49b89c8cb0 Mon Sep 17 00:00:00 2001 -From: Brant Knudson -Date: Tue, 1 Dec 2015 11:09:14 -0600 -Subject: [PATCH] Add audit IDs to revocation events - -The revoked tokens' audit ID is now included in the data returned in -the revocation list. - -Closes-Bug: 1490804 -Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f -(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0) -Conflicts: - keystone/tests/unit/test_backend.py ---- - keystone/tests/unit/test_backend.py | 39 ++++++++++++++-------- - keystone/tests/unit/test_backend_sql.py | 3 +- - keystone/token/persistence/backends/kvs.py | 9 +++++ - keystone/token/persistence/backends/sql.py | 12 ++++++- - .../notes/bug-1490804-de58a9606edb31eb.yaml | 13 ++++++++ - 5 files changed, 61 insertions(+), 15 deletions(-) - create mode 100644 releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml - -diff --git a/keystone/tests/unit/test_backend.py b/keystone/tests/unit/test_backend.py -index 2340645..1273736 100644 ---- a/keystone/tests/unit/test_backend.py -+++ b/keystone/tests/unit/test_backend.py -@@ -4426,7 +4426,9 @@ class TokenTests(object): - token_id = self._create_token_id() - data = {'id': token_id, 'a': 'b', - 'trust_id': None, -- 'user': {'id': 'testuserid'}} -+ 'user': {'id': 'testuserid'}, -+ 'token_data': {'access': {'token': { -+ 'audit_ids': [uuid.uuid4().hex]}}}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) - expires = data_ref.pop('expires') -@@ -4461,7 +4463,8 @@ class TokenTests(object): - # FIXME(morganfainberg): These tokens look nothing like "Real" tokens. - # This should be fixed when token issuance is cleaned up. 
- data = {'id': token_id, 'a': 'b', -- 'user': {'id': user_id}} -+ 'user': {'id': user_id}, -+ 'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}} - if tenant_id is not None: - data['tenant'] = {'id': tenant_id, 'name': tenant_id} - if tenant_id is NULL_OBJECT: -@@ -4470,7 +4473,7 @@ class TokenTests(object): - data['expires'] = expires - if trust_id is not None: - data['trust_id'] = trust_id -- data.setdefault('access', {}).setdefault('trust', {}) -+ data['access'].setdefault('trust', {}) - # Testuserid2 is used here since a trustee will be different in - # the cases of impersonation and therefore should not match the - # token's user_id. -@@ -4633,17 +4636,21 @@ class TokenTests(object): - - self.assertEqual(data_ref, new_data_ref) - -- def check_list_revoked_tokens(self, token_ids): -- revoked_ids = [x['id'] -- for x in self.token_provider_api.list_revoked_tokens()] -+ def check_list_revoked_tokens(self, token_infos): -+ revocation_list = self.token_provider_api.list_revoked_tokens() -+ revoked_ids = [x['id'] for x in revocation_list] -+ revoked_audit_ids = [x['audit_id'] for x in revocation_list] - self._assert_revoked_token_list_matches_token_persistence(revoked_ids) -- for token_id in token_ids: -+ for token_id, audit_id in token_infos: - self.assertIn(token_id, revoked_ids) -+ self.assertIn(audit_id, revoked_audit_ids) - - def delete_token(self): - token_id = uuid.uuid4().hex -+ audit_id = uuid.uuid4().hex - data = {'id_hash': token_id, 'id': token_id, 'a': 'b', -- 'user': {'id': 'testuserid'}} -+ 'user': {'id': 'testuserid'}, -+ 'token_data': {'token': {'audit_ids': [audit_id]}}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) - self.token_provider_api._persistence.delete_token(token_id) -@@ -4655,7 +4662,7 @@ class TokenTests(object): - exception.TokenNotFound, - self.token_provider_api._persistence.delete_token, - data_ref['id']) -- return token_id -+ return (token_id, audit_id) - - def 
test_list_revoked_tokens_returns_empty_list(self): - revoked_ids = [x['id'] -@@ -4706,12 +4713,16 @@ class TokenTests(object): - token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b', - 'expires': expire_time, - 'trust_id': None, -- 'user': {'id': 'testuserid'}} -+ 'user': {'id': 'testuserid'}, -+ 'token_data': {'token': { -+ 'audit_ids': [uuid.uuid4().hex]}}} - token2_id = uuid.uuid4().hex - token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b', - 'expires': expire_time, - 'trust_id': None, -- 'user': {'id': 'testuserid'}} -+ 'user': {'id': 'testuserid'}, -+ 'token_data': {'token': { -+ 'audit_ids': [uuid.uuid4().hex]}}} - # Create 2 Tokens. - self.token_provider_api._persistence.create_token(token_id, - token_data) -@@ -4746,7 +4757,8 @@ class TokenTests(object): - def _test_predictable_revoked_pki_token_id(self, hash_fn): - token_id = self._create_token_id() - token_id_hash = hash_fn(token_id).hexdigest() -- token = {'user': {'id': uuid.uuid4().hex}} -+ token = {'user': {'id': uuid.uuid4().hex}, -+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} - - self.token_provider_api._persistence.create_token(token_id, token) - self.token_provider_api._persistence.delete_token(token_id) -@@ -4768,7 +4780,8 @@ class TokenTests(object): - - def test_predictable_revoked_uuid_token_id(self): - token_id = uuid.uuid4().hex -- token = {'user': {'id': uuid.uuid4().hex}} -+ token = {'user': {'id': uuid.uuid4().hex}, -+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} - - self.token_provider_api._persistence.create_token(token_id, token) - self.token_provider_api._persistence.delete_token(token_id) -diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py -index 69fac63..51221a3 100644 ---- a/keystone/tests/unit/test_backend_sql.py -+++ b/keystone/tests/unit/test_backend_sql.py -@@ -492,7 +492,8 @@ class SqlToken(SqlTests, test_backend.TokenTests): - # necessary. 
- - expected_query_args = (token_sql.TokenModel.id, -- token_sql.TokenModel.expires) -+ token_sql.TokenModel.expires, -+ token_sql.TokenModel.extra,) - - with mock.patch.object(token_sql, 'sql') as mock_sql: - tok = token_sql.Token() -diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py -index 5193158..60f7931 100644 ---- a/keystone/token/persistence/backends/kvs.py -+++ b/keystone/token/persistence/backends/kvs.py -@@ -210,6 +210,15 @@ class Token(token.persistence.TokenDriverV8): - subsecond=True) - revoked_token_data['id'] = data['id'] - -+ token_data = data['token_data'] -+ if 'access' in token_data: -+ # It's a v2 token. -+ audit_ids = token_data['access']['token']['audit_ids'] -+ else: -+ # It's a v3 token. -+ audit_ids = token_data['token']['audit_ids'] -+ revoked_token_data['audit_id'] = audit_ids[0] -+ - token_list = self._get_key_or_default(self.revocation_key, default=[]) - if not isinstance(token_list, list): - # NOTE(morganfainberg): In the case that the revocation list is not -diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py -index 6fc1d22..d677620 100644 ---- a/keystone/token/persistence/backends/sql.py -+++ b/keystone/token/persistence/backends/sql.py -@@ -228,13 +228,23 @@ class Token(token.persistence.TokenDriverV8): - session = sql.get_session() - tokens = [] - now = timeutils.utcnow() -- query = session.query(TokenModel.id, TokenModel.expires) -+ query = session.query(TokenModel.id, TokenModel.expires, -+ TokenModel.extra) - query = query.filter(TokenModel.expires > now) - token_references = query.filter_by(valid=False) - for token_ref in token_references: -+ token_data = token_ref[2]['token_data'] -+ if 'access' in token_data: -+ # It's a v2 token. -+ audit_ids = token_data['access']['token']['audit_ids'] -+ else: -+ # It's a v3 token. 
-+ audit_ids = token_data['token']['audit_ids'] -+ - record = { - 'id': token_ref[0], - 'expires': token_ref[1], -+ 'audit_id': audit_ids[0], - } - tokens.append(record) - return tokens -diff --git a/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml b/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml -new file mode 100644 -index 0000000..0d5c203 ---- /dev/null -+++ b/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml -@@ -0,0 +1,13 @@ -+--- -+features: -+ - > -+ [`bug 1490804 `_] -+ Audit IDs are included in the token revocation list. -+security: -+ - > -+ [`bug 1490804 `_] -+ [`CVE-2015-7546 `_] -+ A bug is fixed where an attacker could avoid token revocation when the PKI -+ or PKIZ token provider is used. The complete remediation for this -+ vulnerability requires the corresponding fix in the keystonemiddleware -+ project. --- -1.9.1 - diff --git a/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch deleted file mode 100644 index 0ea6cd8bab20..000000000000 --- a/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From ee1dc941042d1f71699971c5c30566af1b348572 Mon Sep 17 00:00:00 2001 -From: Lance Bragstad -Date: Mon, 2 May 2016 19:16:11 +0000 -Subject: Fix fernet audit ids for v2.0 - -The fernet token provider was doing some weird things with audit ids that -caused token rescoping to not work because audit ids were never pulled from the -original token. This commit also enables some tests for v2.0 authentication -with the Fernet as the token provider. - -Closes-Bug: 1577558 -Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e -(cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240) ---- - keystone/tests/unit/test_auth.py | 22 ++++++++++++++++++++++ - keystone/token/controllers.py | 3 ++- - keystone/token/providers/fernet/core.py | 9 ++------- - 3 files changed, 26 insertions(+), 8 deletions(-) - -diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py -index b09d9ac..6f44b31 100644 ---- a/keystone/tests/unit/test_auth.py -+++ b/keystone/tests/unit/test_auth.py -@@ -33,6 +33,7 @@ from keystone import exception - from keystone.models import token_model - from keystone.tests import unit - from keystone.tests.unit import default_fixtures -+from keystone.tests.unit import ksfixtures - from keystone.tests.unit.ksfixtures import database - from keystone import token - from keystone.token import provider -@@ -671,6 +672,27 @@ class AuthWithToken(AuthTest): - token_id=token_2_id) - - -+class FernetAuthWithToken(AuthWithToken): -+ def config_overrides(self): -+ super(FernetAuthWithToken, self).config_overrides() -+ self.config_fixture.config(group='token', provider='fernet') -+ self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) -+ -+ def test_token_auth_with_binding(self): -+ self.config_fixture.config(group='token', bind=['kerberos']) -+ body_dict = _build_user_auth() -+ self.assertRaises(exception.NotImplemented, -+ self.controller.authenticate, -+ self.context_with_remote_user, -+ body_dict) -+ -+ def 
test_revoke_with_no_audit_info(self): -+ self.skipTest('Fernet with v2.0 and revocation is broken') -+ -+ def test_deleting_role_revokes_token(self): -+ self.skipTest('Fernet with v2.0 and revocation is broken') -+ -+ - class AuthWithPasswordCredentials(AuthTest): - def test_auth_invalid_user(self): - """Verify exception is raised if invalid user.""" -diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py -index f610fc4..6eeb23e 100644 ---- a/keystone/token/controllers.py -+++ b/keystone/token/controllers.py -@@ -180,7 +180,8 @@ class Auth(controller.V2Controller): - try: - token_model_ref = token_model.KeystoneToken( - token_id=old_token, -- token_data=self.token_provider_api.validate_token(old_token)) -+ token_data=self.token_provider_api.validate_v2_token(old_token) -+ ) - except exception.NotFound as e: - raise exception.Unauthorized(e) - -diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py -index 8042aab..ff6fe9c 100644 ---- a/keystone/token/providers/fernet/core.py -+++ b/keystone/token/providers/fernet/core.py -@@ -15,7 +15,6 @@ from oslo_config import cfg - from keystone.common import dependency - from keystone.common import utils as ks_utils - from keystone.federation import constants as federation_constants --from keystone.token import provider - from keystone.token.providers import common - from keystone.token.providers.fernet import token_formatters as tf - -@@ -145,12 +144,8 @@ class Provider(common.BaseProvider): - expires_at = token_data['access']['token']['expires'] - audit_ids = token_data['access']['token'].get('audit_ids') - methods = ['password'] -- if audit_ids: -- parent_audit_id = token_data['access']['token'].get( -- 'parent_audit_id') -- audit_ids = provider.audit_info(parent_audit_id) -- if parent_audit_id: -- methods.append('token') -+ if len(audit_ids) > 1: -+ methods.append('token') - project_id = token_data['access']['token'].get('tenant', {}).get('id') - domain_id = None - 
trust_id = None --- -cgit v0.11.2 - diff --git a/sys-auth/keystone/keystone-2016.2.9999.ebuild b/sys-auth/keystone/keystone-2016.2.9999.ebuild index 29978b01e622..01e73dd33f69 100644 --- a/sys-auth/keystone/keystone-2016.2.9999.ebuild +++ b/sys-auth/keystone/keystone-2016.2.9999.ebuild @@ -4,14 +4,14 @@ EAPI=6 -PYTHON_COMPAT=( python2_7 ) +PYTHON_COMPAT=( python2_7 python3_4 ) inherit distutils-r1 git-r3 user DESCRIPTION="The Openstack authentication, authorization, and service catalog" HOMEPAGE="https://launchpad.net/keystone" EGIT_REPO_URI="https://github.com/openstack/keystone.git" -EGIT_BRANCH="stable/mitaka" +EGIT_BRANCH="stable/newton" LICENSE="Apache-2.0" SLOT="0" -- cgit v1.2.3-65-gdbad
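Review bot: Nothing in the ebuild hunk shows whether keystone-2016.2.9999.ebuild still references the two files this commit deletes, CVE-2015-7546_8.0.1.patch and CVE-2016-4911_9.0.0.patch; the remainder of the ebuild (any PATCHES array or src_prepare) lies outside the hunk, and the diffstat records only the PYTHON_COMPAT and EGIT_BRANCH lines as changed, so if the 9999 ebuild ever applied those files it would now fail on a missing file, and if it never did, that is worth confirming before the patches are dropped from the tree. Since the filenames tie the fixes to the 8.0.1 and 9.0.0 releases, the stable/newton branch presumably already carries them, but the hunk does not say so; a one-line comment above the branch switch such as `# stable/newton already carries the CVE-2015-7546 / CVE-2016-4911 fixes; no local patches needed` would make the deletion self-explanatory for the next maintainer. The addition of python3_4 to PYTHON_COMPAT is unrelated to the branch move and would be easier to review and bisect as its own change.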