author | Matthew Thode <prometheanfire@gentoo.org> | 2013-05-10 04:00:42 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2013-05-10 04:00:42 +0000 |
commit | 72a4860e10cbbfa8056b38f33840569d2bc1c704 (patch) | |
tree | dc7521207346c00111482da1ac9eb6a66e2dbe08 | |
parent | Restricting pypy1.9 as webob doesn't support it (diff) | |
CVE-2013-2030 fix for keystone folsom
(Portage version: 2.1.11.55/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
-rw-r--r-- | sys-auth/keystone/ChangeLog | 13 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-0270.patch | 230 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-0282.patch | 91 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch | 52 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch | 107 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch | 50 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch | 41 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.4-r1.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4.ebuild) | 3 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.1-r1.ebuild | 89 |
9 files changed, 64 insertions, 612 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 9057ae3ff554..f94a340e1440 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,17 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.15 2013/05/10 02:47:10 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.16 2013/05/10 04:00:42 prometheanfire Exp $
+
+*keystone-2012.2.4-r1 (10 May 2013)
+
+ 10 May 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-folsom-4-CVE-2013-2030.patch, +keystone-2012.2.4-r1.ebuild,
+ -files/keystone-CVE-2013-0270.patch, -files/keystone-CVE-2013-0282.patch,
+ -files/keystone-CVE-2013-1664_1665.patch,
+ -files/keystone-folsom-3-CVE-2013-1865.patch,
+ -files/keystone-grizzly-1-CVE-2013-2006.patch, -keystone-2012.2.4.ebuild,
+ -keystone-2013.1-r1.ebuild:
+ CVE-2013-2030 fix for keystone folsom
 
 *keystone-2012.2.4 (10 May 2013)
 *keystone-2013.1.1 (10 May 2013)
diff --git a/sys-auth/keystone/files/keystone-CVE-2013-0270.patch b/sys-auth/keystone/files/keystone-CVE-2013-0270.patch
deleted file mode 100644
index 41b77c571d64..000000000000
--- a/sys-auth/keystone/files/keystone-CVE-2013-0270.patch
+++ /dev/null
@@ -1,230 +0,0 @@ -From bb2226f944aaa38beb7fc08ce0a78796e51e2680 Mon Sep 17 00:00:00 2001 -From: Dan Prince <dprince@redhat.com> -Date: Thu, 10 Jan 2013 15:31:28 -0500 -Subject: [PATCH] Add size validations for /tokens. - -Updates /tokens controller so that it explicitly checks the max -size of userId, username, tenantId, tenantname, token, and password -before continuing with a request. - -Previously, when used with the SQL keystone backend an unauthenticated -user could send in *really* large requests which would ultimately -log large SQL exceptions and could thus fill up keystone logs on the -disk. - -Change-Id: I0904d307bf79a3bf851ac052c11101f8380a12a7 ---- - keystone/config.py | 3 ++ - keystone/exception.py | 13 +++++++++ - keystone/service.py | 27 ++++++++++++++++++ - tests/test_service.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 118 insertions(+) - -diff --git a/keystone/config.py b/keystone/config.py -index 5fed916..c7d2f79 100644 ---- a/keystone/config.py -+++ b/keystone/config.py -@@ -117,6 +117,9 @@ register_str('admin_port', default=35357) - register_str('public_port', default=5000) - register_str('onready') - register_str('auth_admin_prefix', default='') -+register_int('max_param_size', default=64) -+# we allow tokens to be a bit larger to accomidate PKI -+register_int('max_token_size', default=8192) - - #ssl options - register_bool('enable', group='ssl', default=False) -diff --git a/keystone/exception.py b/keystone/exception.py -index c3b3ec8..bb4da37 100644 ---- a/keystone/exception.py -+++ b/keystone/exception.py -@@ -51,6 +51,19 @@ class ValidationError(Error): - title = 'Bad Request' - - -+class ValidationSizeError(Error): -+ """Request attribute %(attribute)s must be less than or equal to %(size)i. -+ -+ The server could not comply with the request because the attribute -+ size is invalid (too large). -+ -+ The client is assumed to be in error. 
-+ -+ """ -+ code = 400 -+ title = 'Bad Request' -+ -+ - class Unauthorized(Error): - """The request you have made requires authentication.""" - code = 401 -diff --git a/keystone/service.py b/keystone/service.py -index d54c073..c088986 100644 ---- a/keystone/service.py -+++ b/keystone/service.py -@@ -22,6 +22,7 @@ from keystone import config - from keystone import catalog - from keystone.common import cms - from keystone.common import logging -+from keystone.common import utils - from keystone.common import wsgi - from keystone import exception - from keystone import identity -@@ -31,6 +32,8 @@ from keystone import token - - - LOG = logging.getLogger(__name__) -+MAX_PARAM_SIZE = config.CONF.max_param_size -+MAX_TOKEN_SIZE = config.CONF.max_token_size - - - class AdminRouter(wsgi.ComposingRouter): -@@ -288,9 +291,23 @@ class TokenController(wsgi.Application): - - if 'passwordCredentials' in auth: - user_id = auth['passwordCredentials'].get('userId', None) -+ if user_id and len(user_id) > MAX_PARAM_SIZE: -+ raise exception.ValidationSizeError(attribute='userId', -+ size=MAX_PARAM_SIZE) - username = auth['passwordCredentials'].get('username', '') -+ if len(username) > MAX_PARAM_SIZE: -+ raise exception.ValidationSizeError(attribute='username', -+ size=MAX_PARAM_SIZE) - password = auth['passwordCredentials'].get('password', '') -+ max_pw_size = utils.MAX_PASSWORD_LENGTH -+ if len(password) > max_pw_size: -+ raise exception.ValidationSizeError(attribute='password', -+ size=max_pw_size) -+ - tenant_name = auth.get('tenantName', None) -+ if tenant_name and len(tenant_name) > MAX_PARAM_SIZE: -+ raise exception.ValidationSizeError(attribute='tenantName', -+ size=MAX_PARAM_SIZE) - - if username: - try: -@@ -302,6 +319,9 @@ class TokenController(wsgi.Application): - - # more compat - tenant_id = auth.get('tenantId', None) -+ if tenant_id and len(tenant_id) > MAX_PARAM_SIZE: -+ raise exception.ValidationSizeError(attribute='tenantId', -+ size=MAX_PARAM_SIZE) - if tenant_name: 
- try: - tenant_ref = self.identity_api.get_tenant_by_name( -@@ -342,7 +362,14 @@ class TokenController(wsgi.Application): - catalog_ref = {} - elif 'token' in auth: - old_token = auth['token'].get('id', None) -+ -+ if len(old_token) > MAX_TOKEN_SIZE: -+ raise exception.ValidationSizeError(attribute='token', -+ size=MAX_TOKEN_SIZE) - tenant_name = auth.get('tenantName') -+ if tenant_name and len(tenant_name) > MAX_PARAM_SIZE: -+ raise exception.ValidationSizeError(attribute='tenantName', -+ size=MAX_PARAM_SIZE) - - try: - old_token_ref = self.token_api.get_token(context=context, -diff --git a/tests/test_service.py b/tests/test_service.py -index 6fb98c6..f48bd9a 100644 ---- a/tests/test_service.py -+++ b/tests/test_service.py -@@ -17,6 +17,7 @@ import time - import default_fixtures - - from keystone import config -+from keystone import exception - from keystone import service - from keystone import test - from keystone.identity.backends import kvs as kvs_identity -@@ -25,6 +26,31 @@ from keystone.identity.backends import kvs as kvs_identity - CONF = config.CONF - - -+def _build_user_auth(token=None, user_id=None, username=None, -+ password=None, tenant_id=None, tenant_name=None): -+ """Build auth dictionary. -+ -+ It will create an auth dictionary based on all the arguments -+ that it receives. 
-+ """ -+ auth_json = {} -+ if token is not None: -+ auth_json['token'] = token -+ if username or password: -+ auth_json['passwordCredentials'] = {} -+ if username is not None: -+ auth_json['passwordCredentials']['username'] = username -+ if user_id is not None: -+ auth_json['passwordCredentials']['userId'] = user_id -+ if password is not None: -+ auth_json['passwordCredentials']['password'] = password -+ if tenant_name is not None: -+ auth_json['tenantName'] = tenant_name -+ if tenant_id is not None: -+ auth_json['tenantId'] = tenant_id -+ return auth_json -+ -+ - class TokenExpirationTest(test.TestCase): - def setUp(self): - super(TokenExpirationTest, self).setUp() -@@ -75,3 +101,52 @@ class TokenExpirationTest(test.TestCase): - def test_maintain_uuid_token_expiration(self): - self.opt_in_group('signing', token_format='UUID') - self._maintain_token_expiration() -+ -+ -+class AuthTest(test.TestCase): -+ def setUp(self): -+ super(AuthTest, self).setUp() -+ -+ CONF.identity.driver = 'keystone.identity.backends.kvs.Identity' -+ self.load_backends() -+ self.load_fixtures(default_fixtures) -+ self.api = service.TokenController() -+ -+ def test_authenticate_user_id_too_large(self): -+ """Verify sending large 'userId' raises the right exception.""" -+ body_dict = _build_user_auth(user_id='0' * 65, username='FOO', -+ password='foo2') -+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, -+ {}, body_dict) -+ -+ def test_authenticate_username_too_large(self): -+ """Verify sending large 'username' raises the right exception.""" -+ body_dict = _build_user_auth(username='0' * 65, password='foo2') -+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, -+ {}, body_dict) -+ -+ def test_authenticate_tenant_id_too_large(self): -+ """Verify sending large 'tenantId' raises the right exception.""" -+ body_dict = _build_user_auth(username='FOO', password='foo2', -+ tenant_id='0' * 65) -+ self.assertRaises(exception.ValidationSizeError, 
self.api.authenticate, -+ {}, body_dict) -+ -+ def test_authenticate_tenant_name_too_large(self): -+ """Verify sending large 'tenantName' raises the right exception.""" -+ body_dict = _build_user_auth(username='FOO', password='foo2', -+ tenant_name='0' * 65) -+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, -+ {}, body_dict) -+ -+ def test_authenticate_token_too_large(self): -+ """Verify sending large 'token' raises the right exception.""" -+ body_dict = _build_user_auth(token={'id': '0' * 8193}) -+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, -+ {}, body_dict) -+ -+ def test_authenticate_password_too_large(self): -+ """Verify sending large 'password' raises the right exception.""" -+ body_dict = _build_user_auth(username='FOO', password='0' * 8193) -+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, -+ {}, body_dict) --- -1.7.9.5 - diff --git a/sys-auth/keystone/files/keystone-CVE-2013-0282.patch b/sys-auth/keystone/files/keystone-CVE-2013-0282.patch deleted file mode 100644 index d411847c3fe0..000000000000 --- a/sys-auth/keystone/files/keystone-CVE-2013-0282.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From: Nathanael Burton <nathanael.i.burton.work@gmail.com> -Date: Tue, 19 Feb 2013 15:27:04 +0000 (-0600) -Subject: Ensure user and tenant enabled in EC2 -X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=f0b4d300db5cc61d4f079f8bce9da8e8bea1081a - -Ensure user and tenant enabled in EC2 - -Fixes bug 1121494. - -Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc ---- - -diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py -index 064474c..ffc0eee 100644 ---- a/keystone/contrib/ec2/core.py -+++ b/keystone/contrib/ec2/core.py -@@ -37,6 +37,7 @@ glance to list images needed to perform the requested task. - import uuid - - from keystone import catalog -+from keystone.common import logging - from keystone.common import manager - from keystone.common import utils - from keystone.common import wsgi -@@ -49,6 +50,7 @@ from keystone import token - - - CONF = config.CONF -+LOG = logging.getLogger(__name__) - - - class Manager(manager.Manager): -@@ -117,9 +119,9 @@ class Ec2Controller(wsgi.Application): - credentials['host'] = hostname - signature = signer.generate(credentials) - if not utils.auth_str_equal(credentials.signature, signature): -- raise exception.Unauthorized(message='Invalid EC2 signature.') -+ raise exception.Unauthorized() - else: -- raise exception.Unauthorized(message='EC2 signature not supplied.') -+ raise exception.Unauthorized() - - def authenticate(self, context, credentials=None, ec2Credentials=None): - """Validate a signed EC2 request and provide a token. 
-@@ -149,7 +151,7 @@ class Ec2Controller(wsgi.Application): - credentials = ec2Credentials - - if not 'access' in credentials: -- raise exception.Unauthorized(message='EC2 signature not supplied.') -+ raise exception.Unauthorized() - - creds_ref = self._get_credentials(context, - credentials['access']) -@@ -161,9 +163,19 @@ class Ec2Controller(wsgi.Application): - tenant_ref = self.identity_api.get_tenant( - context=context, - tenant_id=creds_ref['tenant_id']) -+ # If the tenant is disabled don't allow them to authenticate -+ if tenant_ref and not tenant_ref.get('enabled', True): -+ msg = 'Tenant %s is disabled' % tenant_ref['id'] -+ LOG.warning(msg) -+ raise exception.Unauthorized() - user_ref = self.identity_api.get_user( - context=context, - user_id=creds_ref['user_id']) -+ # If the user is disabled don't allow them to authenticate -+ if not user_ref.get('enabled', True): -+ msg = 'User %s is disabled' % user_ref['id'] -+ LOG.warning(msg) -+ raise exception.Unauthorized() - metadata_ref = self.identity_api.get_metadata( - context=context, - user_id=user_ref['id'], -@@ -174,7 +186,7 @@ class Ec2Controller(wsgi.Application): - # fill out the roles in the metadata - roles = metadata_ref.get('roles', []) - if not roles: -- raise exception.Unauthorized(message='User not valid for tenant.') -+ raise exception.Unauthorized() - roles_ref = [self.identity_api.get_role(context, role_id) - for role_id in roles] - -@@ -279,7 +291,7 @@ class Ec2Controller(wsgi.Application): - creds = self.ec2_api.get_credential(context, - credential_id) - if not creds: -- raise exception.Unauthorized(message='EC2 access key not found.') -+ raise exception.Unauthorized() - return creds - - def _assert_identity(self, context, user_id): diff --git a/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch b/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch deleted file mode 100644 index e87ca0be3cff..000000000000 
--- a/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch +++ /dev/null @@ -1,52 +0,0 @@ -From: Dolph Mathews <dolph.mathews@gmail.com> -Date: Tue, 19 Feb 2013 15:04:11 +0000 (-0600) -Subject: Disable XML entity parsing -X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=8a2274595ac628b2373eab0cb14690f866b7a024 - -Disable XML entity parsing - -Fixes bug 1100282 and bug 1100279. - -Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123 ---- - -diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py -index 734f7d1..72fe7f1 100644 ---- a/keystone/common/serializer.py -+++ b/keystone/common/serializer.py -@@ -29,6 +29,16 @@ import re - DOCTYPE = '<?xml version="1.0" encoding="UTF-8"?>' - XMLNS = 'http://docs.openstack.org/identity/api/v2.0' - -+PARSER = etree.XMLParser( -+ resolve_entities=False, -+ remove_comments=True, -+ remove_pis=True) -+ -+# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an -+# lxml.etree._Entity instance, which doesn't appear to be part of the -+# public API, so we discover the type dynamically to be safe -+ENTITY_TYPE = type(etree.Entity('x')) -+ - - def from_xml(xml): - """Deserialize XML to a dictionary.""" -@@ -51,7 +61,7 @@ def to_xml(d, xmlns=None): - class XmlDeserializer(object): - def __call__(self, xml_str): - """Returns a dictionary populated by decoding the given xml string.""" -- dom = etree.fromstring(xml_str.strip()) -+ dom = etree.fromstring(xml_str.strip(), PARSER) - return self.walk_element(dom) - - @staticmethod -@@ -87,7 +97,8 @@ class XmlDeserializer(object): - # current spec does not have attributes on an element with text - values = values or text or {} - -- for child in [self.walk_element(x) for x in element]: -+ for child in [self.walk_element(x) for x in element -+ if not isinstance(x, ENTITY_TYPE)]: - values = dict(values.items() + child.items()) - - return {XmlDeserializer._tag_name(element.tag): values} 
diff --git a/sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch b/sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch deleted file mode 100644 index 49660f291869..000000000000 --- a/sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 255b1d43500f5d98ec73a0056525b492b14fec05 Mon Sep 17 00:00:00 2001 -From: Adam Young <ayoung@redhat.com> -Date: Wed, 20 Mar 2013 09:49:32 -0500 -Subject: [PATCH] validate from backend (bug 1129713) - -In certain cases we were depending on CMS to validate PKI tokens -but that is not necessary, and by passes the revocation check - -Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4 ---- - keystone/service.py | 19 ++++++------------- - tests/test_service.py | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 57 insertions(+), 13 deletions(-) - -diff --git a/keystone/service.py b/keystone/service.py -index c088986..9799e3a 100644 ---- a/keystone/service.py -+++ b/keystone/service.py -@@ -490,20 +490,13 @@ class TokenController(wsgi.Application): - """ - # TODO(termie): this stuff should probably be moved to middleware - self.assert_admin(context) -+ data = self.token_api.get_token(context=context, token_id=token_id) -+ if belongs_to: -+ if (not data.get('tenant') or data['tenant'].get('id') != -+ belongs_to): -+ raise exception.Unauthorized() - -- if cms.is_ans1_token(token_id): -- data = json.loads(cms.cms_verify(cms.token_to_cms(token_id), -- config.CONF.signing.certfile, -- config.CONF.signing.ca_certs)) -- data['access']['token']['user'] = data['access']['user'] -- data['access']['token']['metadata'] = data['access']['metadata'] -- if belongs_to: -- assert data['access']['token']['tenant']['id'] == belongs_to -- token_ref = data['access']['token'] -- else: -- token_ref = self.token_api.get_token(context=context, -- token_id=token_id) -- return token_ref -+ return data - - # admin only - def validate_token_head(self, context, token_id): -diff --git a/tests/test_service.py b/tests/test_service.py -index f48bd9a..487e5ac 100644 ---- a/tests/test_service.py -+++ b/tests/test_service.py -@@ -150,3 +150,54 @@ class AuthTest(test.TestCase): - body_dict = _build_user_auth(username='FOO', password='0' * 8193) - 
self.assertRaises(exception.ValidationSizeError, self.api.authenticate, - {}, body_dict) -+ -+ -+class AuthWithToken(AuthTest): -+ def setUp(self): -+ super(AuthWithToken, self).setUp() -+ -+ def test_belongs_to_no_tenant(self): -+ r = self.api.authenticate( -+ {}, -+ auth={ -+ 'passwordCredentials': { -+ 'username': self.user_foo['name'], -+ 'password': self.user_foo['password'] -+ } -+ }) -+ unscoped_token_id = r['access']['token']['id'] -+ self.assertRaises( -+ exception.Unauthorized, -+ self.api.validate_token, -+ dict(is_admin=True, query_string={'belongsTo': 'BAR'}), -+ token_id=unscoped_token_id) -+ -+ def test_belongs_to_wrong_tenant(self): -+ body_dict = _build_user_auth( -+ username='FOO', -+ password='foo2', -+ tenant_name="BAR") -+ -+ scoped_token = self.api.authenticate({}, body_dict) -+ scoped_token_id = scoped_token['access']['token']['id'] -+ -+ self.assertRaises( -+ exception.Unauthorized, -+ self.api.validate_token, -+ dict(is_admin=True, query_string={'belongsTo': 'me'}), -+ token_id=scoped_token_id) -+ -+ def test_belongs_to(self): -+ body_dict = _build_user_auth( -+ username='FOO', -+ password='foo2', -+ tenant_name="BAR") -+ -+ scoped_token = self.api.authenticate({}, body_dict) -+ scoped_token_id = scoped_token['access']['token']['id'] -+ -+ self.assertRaises( -+ exception.Unauthorized, -+ self.api.validate_token, -+ dict(is_admin=True, query_string={'belongsTo': 'BAR'}), -+ token_id=scoped_token_id) --- -1.8.1.5 - diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch new file mode 100644 index 000000000000..616143be18c9 --- /dev/null +++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch 
@@ -0,0 +1,50 @@ +From 24c25b38ed6fc95ed919ab34463cdb10bdcc57fd Mon Sep 17 00:00:00 2001 +From: Dolph Mathews <dolph.mathews@gmail.com> +Date: Wed, 8 May 2013 10:49:20 -0500 +Subject: [PATCH] Securely create signing_dir (bug 1174608) + +Also verifies the security of an existing signing_dir. + +Change-Id: I0685b4274a94ad3974a2b2a7ab3f45830d3934bb +(cherry picked from python-keystoneclient 1736e2ffb12f70eeebed019448bc14def48aa036) +--- + keystone/middleware/auth_token.py | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py +index ddadf9f..01e6c58 100644 +--- a/keystone/middleware/auth_token.py ++++ b/keystone/middleware/auth_token.py +@@ -219,15 +219,20 @@ class AuthProtocol(object): + self.signing_dirname = '%s/keystone-signing' % os.environ['HOME'] + LOG.info('Using %s as cache directory for signing certificate' % + self.signing_dirname) +- if (os.path.exists(self.signing_dirname) and +- not os.access(self.signing_dirname, os.W_OK)): +- raise ConfigurationError("unable to access signing dir %s" % +- self.signing_dirname) +- +- if not os.path.exists(self.signing_dirname): +- os.makedirs(self.signing_dirname) +- #will throw IOError if it cannot change permissions +- os.chmod(self.signing_dirname, stat.S_IRWXU) ++ if os.path.exists(self.signing_dirname): ++ if not os.access(self.signing_dirname, os.W_OK): ++ raise ConfigurationError( ++ 'unable to access signing_dir %s' % self.signing_dirname) ++ if os.stat(self.signing_dirname).st_uid != os.getuid(): ++ LOG.warning( ++ 'signing_dir is not owned by %s' % os.getlogin()) ++ current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode) ++ if current_mode != stat.S_IRWXU: ++ LOG.warning( ++ 'signing_dir mode is %s instead of %s' % ++ (oct(current_mode), oct(stat.S_IRWXU))) ++ else: ++ os.makedirs(self.signing_dirname, stat.S_IRWXU) + + val = '%s/signing_cert.pem' % self.signing_dirname + 
self.signing_cert_file_name = val +-- +1.8.1.5 + diff --git a/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch b/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch deleted file mode 100644 index d9b0b3472ceb..000000000000 --- a/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd Mon Sep 17 00:00:00 2001 -From: Xuhan Peng <xuhanp@cn.ibm.com> -Date: Fri, 12 Apr 2013 16:19:37 +0800 -Subject: [PATCH] Mark LDAP password and admin_token secret - -Add secret=True to LDAP password and admin_token -of keystone configuration. - -Fix bug #1172195 - -Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75 -(cherry picked from commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8) ---- - keystone/common/config.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/keystone/common/config.py b/keystone/common/config.py -index edecee0..82c31e6 100644 ---- a/keystone/common/config.py -+++ b/keystone/common/config.py -@@ -188,7 +188,7 @@ def configure(): - register_cli_str('pydev-debug-host', default=None) - register_cli_int('pydev-debug-port', default=None) - -- register_str('admin_token', default='ADMIN') -+ register_str('admin_token', secret=True, default='ADMIN') - register_str('bind_host', default='0.0.0.0') - register_int('compute_port', default=8774) - register_int('admin_port', default=35357) -@@ -271,7 +271,7 @@ def configure(): - # ldap - register_str('url', group='ldap', default='ldap://localhost') - register_str('user', group='ldap', default=None) -- register_str('password', group='ldap', default=None) -+ register_str('password', group='ldap', secret=True, default=None) - register_str('suffix', group='ldap', default='cn=example,cn=com') - register_bool('use_dumb_member', group='ldap', default=False) - register_str('dumb_member', group='ldap', default='cn=dumb,dc=nonexistent') --- -1.8.1.5 - 
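Review bot: The added ownership warning formats its message with `os.getlogin()`, which raises OSError when the process has no controlling terminal — the normal situation for the auth_token middleware running under a WSGI server or an init script — so a condition meant to only warn can abort startup instead. The comparison on the line above already uses `os.getuid()`, and that is also the value worth reporting: `'signing_dir is not owned by uid %s' % os.getuid()`. Note also that the owner and mode mismatches only log and the directory is still used for cached signing material, whereas the unwritable case raises ConfigurationError; if that asymmetry is intended it deserves a comment such as `# NOTE: ownership/mode mismatch is reported but not enforced`. The two `os.stat(self.signing_dirname)` calls could be collapsed into one `st = os.stat(self.signing_dirname)`. The enclosing method continues outside the hunk.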
diff --git a/sys-auth/keystone/keystone-2012.2.4.ebuild b/sys-auth/keystone/keystone-2012.2.4-r1.ebuild
index ccde2c02c823..b138eb805c28 100644
--- a/sys-auth/keystone/keystone-2012.2.4.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4.ebuild,v 1.1 2013/05/10 02:47:10 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r1.ebuild,v 1.1 2013/05/10 04:00:42 prometheanfire Exp $
 
 EAPI=5
 #test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
 #}
 
 PATCHES=(
+ "${FILESDIR}/keystone-folsom-4-CVE-2013-2030.patch"
 )
 
 python_install() {
diff --git a/sys-auth/keystone/keystone-2013.1-r1.ebuild b/sys-auth/keystone/keystone-2013.1-r1.ebuild
deleted file mode 100644
index cf05507f7dbc..000000000000
--- a/sys-auth/keystone/keystone-2013.1-r1.ebuild
+++ /dev/null
@@ -1,89 +0,0 @@ -# Copyright 1999-2013 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1-r1.ebuild,v 1.1 2013/05/06 15:57:35 prometheanfire Exp $ - -EAPI=5 -#test restricted becaues of bad requirements given (old webob for instance) -RESTRICT="test" -PYTHON_COMPAT=( python2_7 ) - -inherit distutils-r1 - -DESCRIPTION="Keystone is the Openstack authentication, authorization, and -service catalog written in Python." -HOMEPAGE="https://launchpad.net/keystone" -SRC_URI="http://launchpad.net/${PN}/grizzly/${PV}/+download/${P}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="folsom" -KEYWORDS="~amd64 ~x86" -IUSE="+sqlite mysql postgres ldap" -#IUSE="+sqlite mysql postgres ldap test" -REQUIRED_USE="|| ( ldap mysql postgres sqlite )" - -#todo, seperate out rdepend via use flags -DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]" -RDEPEND="${DEPEND} - dev-python/eventlet[${PYTHON_USEDEP}] - dev-python/greenlet[${PYTHON_USEDEP}] - >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}] - >=dev-python/python-keystoneclient-0.2.1[${PYTHON_USEDEP}] - <=dev-python/python-keystoneclient-0.3[${PYTHON_USEDEP}] - dev-python/lxml[${PYTHON_USEDEP}] - >=dev-python/oslo-config-1.1.0[${PYTHON_USEDEP}] - dev-python/passlib[${PYTHON_USEDEP}] - dev-python/paste[${PYTHON_USEDEP}] - dev-python/pastedeploy[${PYTHON_USEDEP}] - dev-python/python-daemon - >=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}] - dev-python/routes[${PYTHON_USEDEP}] - >=dev-python/sqlalchemy-migrate-0.7.2 - =dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] - virtual/python-argparse[${PYTHON_USEDEP}] - sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite] - <=dev-python/sqlalchemy-0.7.9[sqlite] ) - mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql] - <=dev-python/sqlalchemy-0.7.9[mysql] ) - postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres] - <=dev-python/sqlalchemy-0.7.9[postgres] ) - ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )" -# test? 
( dev-python/Babel -# dev-python/decorator -# dev-python/eventlet -# dev-python/greenlet -# dev-python/httplib2 -# dev-python/iso8601 -# dev-python/lxml -# dev-python/netifaces -# dev-python/nose -# dev-python/nosexcover -# dev-python/passlib -# dev-python/paste -# dev-python/pastedeploy -# dev-python/python-pam -# dev-python/repoze-lru -# dev-python/routes -# dev-python/sphinx -# >=dev-python/sqlalchemy-migrate-0.7 -# dev-python/tempita -# >=dev-python/webob-1.0.8 -# dev-python/webtest -# ) -PATCHES=( "${FILESDIR}"/keystone-grizzly-1-CVE-2013-2006.patch ) -# -#python_test() { -# "${PYTHON}" setup.py nosetests || die -#} - -python_install() { - distutils-r1_python_install - newconfd "${FILESDIR}/keystone.confd" keystone - newinitd "${FILESDIR}/keystone.initd" keystone - - diropts -m 0750 - dodir /var/run/keystone /var/log/keystone /etc/keystone - keepdir /etc/keystone - insinto /etc/keystone - doins etc/keystone.conf.sample etc/logging.conf.sample - doins etc/default_catalog.templates etc/policy.json -} |