summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatt Thode <prometheanfire@gentoo.org>2014-06-15 17:01:12 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-06-15 17:01:12 +0000
commit4f7bbbaf486ed3518739aea185790cfcc51dc8b8 (patch)
treecbb7c4aa8e9f95485247e786e7852df50585dd85 /sys-auth/keystone
parentVersion bump KDE SC 4.13.2 (diff)
downloadhistorical-4f7bbbaf486ed3518739aea185790cfcc51dc8b8.tar.gz
historical-4f7bbbaf486ed3518739aea185790cfcc51dc8b8.tar.bz2
historical-4f7bbbaf486ed3518739aea185790cfcc51dc8b8.zip
fixes for bug 513086 CVE-2014-3476
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 RepoMan-Options: --force Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog10
-rw-r--r--sys-auth/keystone/Manifest37
-rw-r--r--sys-auth/keystone/files/2014.1-CVE-2014-0204.patch522
-rw-r--r--sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch308
-rw-r--r--sys-auth/keystone/keystone-2013.2.3-r1.ebuild128
-rw-r--r--sys-auth/keystone/keystone-2013.2.9999.ebuild130
-rw-r--r--sys-auth/keystone/keystone-2014.1.1.ebuild (renamed from sys-auth/keystone/keystone-2014.1-r2.ebuild)6
7 files changed, 337 insertions, 804 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 73bf016f9d3c..f8d150c07a7e 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.71 2014/06/01 03:51:29 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.72 2014/06/15 17:01:02 prometheanfire Exp $
+
+*keystone-2014.1.1 (15 Jun 2014)
+
+ 15 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2014.1.1-CVE-2014-3476.patch, +keystone-2014.1.1.ebuild,
+ -files/2014.1-CVE-2014-0204.patch, -keystone-2013.2.3-r1.ebuild,
+ -keystone-2013.2.9999.ebuild, -keystone-2014.1-r2.ebuild:
+ fixes for bug 513086 CVE-2014-3476
01 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
keystone-2014.1.9999.ebuild:
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index 3574df804226..76ae4827017f 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -1,34 +1,31 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
-AUX 2014.1-CVE-2014-0204.patch 21197 SHA256 1125298db7d1c7f016cd133bb71a36429475a311cfccd9b2ec9ebc7819299f24 SHA512 b42a6ab40dc99e6e273d60f0e9ed85e7e745a855e11a5b492cc06af433a78b8b5b61cc0b3958f46f5375a033d612d94b8a6c4f86b0dc94c57b9edea02a2a00ae WHIRLPOOL 528734f09658e51e46fb36c95f80b2e564fee4f8f0054f6a982796d1390929eb480222e52bb40e031eef97722b8ff7a97dc08fdc51ca6e2c6a01709199c964fb
+AUX 2014.1.1-CVE-2014-3476.patch 11956 SHA256 c7680ffdb145253f5dfa3bf5ca499ea675199bf1b7cb26d3fdb99d9123c909b7 SHA512 bf364409a14415aa2ce5ff2dea4af1fab4f433d704d88d7fc3b831a020136b1ad70a32ce95010747ffe75167a94006fa337a3973ef3f2868fb77b3a2dcc6522f WHIRLPOOL dfc3831f47ab35258e1c68bd1c9ffbc5e24fc9a816e3d4d976ccd76eeec76910daf14dc4639a7be0d1ad60ebd8e9a3db797ea28449ab88a1f00d8aac48beeced
AUX CVE-2014-2828-2013.2.3.patch 2518 SHA256 25ab1d0d633e087d6b8e9ac0aca3be53011abf59d67cd42dc4781df6f3a16247 SHA512 29d08b69226b2e0130b621991ef37f74ef41b0acdcf09e7ab7b991ebf423d999d906ea4e7be4672fb9786f129f6f015246a57c1de36d7321c90b8a87a96ca4e5 WHIRLPOOL 67d27a94110545c02685b769b2b2f2bd291dd7c6c893bfa010e1e36143f485783a9bea27a56347c256f9ad0b6a693f63c9fb7bade60a6a35efe79dc5bf878f6d
AUX keystone.confd 124 SHA256 50daa09c5922190a6663e36a32e9b6e5c512672e5be776fcc9b0805da40b6e8d SHA512 1cf50ddcd55421481f8b34f91f35787299b2f9044bcc0a63c70ffff372d740cb84c399d31e52d708fdacad3455d77867d02b438ec2fb39b35ac2e106a2c9e0ad WHIRLPOOL e6c2b76131846cd0ce86e8d766d3f5bbd0d8cd0643de9100d7946afa44c3f13500719feca3ee4ea49644f6881fa34bdc17c08d65a001841ae8f40fc820d334fc
AUX keystone.initd 674 SHA256 fc556365de7198de035ebf083b10f59043aa3266270d3ab708d613311f1a719a SHA512 10066c2197973aeee2444ae1bff0ffc3d2a7360a632b55b9c2f66bf064285491e698721ec1525a22b18c0b74a8a6c5c4b84d2cf73812a0f93b2dbfffba799718 WHIRLPOOL 7969003cec68ca8017de003e6a5cfb4bd239a149b06dd9304c9ba8200b4fedfe8ae7e8d3c443e741d1c19cedc5d67150f1d236eef565685a64aa4a998c1ec509
AUX no_admin_token_auth-paste.ini 2646 SHA256 f98d9151f222d2143820bdc98727ce0cf3f4450a4dbdc54f1fb6e36bb63bf2df SHA512 c855dd2bb05e765c6594359f55b76f7f6e0649c8e8f4517b274c7432f136e51c408168ec24e0074f4ebc49eb641d658acfda205aef97fe68fe8fc016be4cb08d WHIRLPOOL faad0f98d0684cf206e2f2afb5fba6c6aab73f97bcf63e38038be49a2ae1303e8cb5434d8fab34492888c666462dcd751c678c04cd0039d9024fd42ddde30646
-DIST keystone-2013.2.3.tar.gz 1093050 SHA256 0d27a32c6c211706f8b13aafe2fd51c7ddbea97897be90663fd8c2527ef56032 SHA512 ca86845d076f35732085604cfef36cbb7e6c565dbf125180aa4b7bf2c07e7f5996e891dde7d1094058cc8b4f55b3eb9e1879013a6e4510bb2da9864712a09c91 WHIRLPOOL b940acb76f7693fe81f3aa5a7d8bc46977423eb191b6befa56f91585029d40f2e01a0553c21327c4da77ae93769e8747d8610b4bbca3e95c028f8336bd353a2c
-DIST keystone-2014.1.tar.gz 1419245 SHA256 51254ea84afd3d98e2744c0cf4877b765e16053e262c5c668aa291bdfdb93900 SHA512 a33e3a511623cace4baa876366c21a5b866221244aa128fec79ab884e8ad6cbfa36ed72f90304b6ebdb81fa7d810cd3714bf67605511a2fd35085ff7adef9e03 WHIRLPOOL 1048ab3410eac9487241805e1428911c6c78a3a7a7b517526ec378732c451d6e33efafb5d5e37f32ed29a7fc08fae5257d6051455588704a4058fdebd1110590
-EBUILD keystone-2013.2.3-r1.ebuild 4764 SHA256 5c128452ba5682b689497505cf3b45875e73d8ad2aa907b902c18f44585edb38 SHA512 dfff973ffb1e28b7565186293c9c0443e7591f204bf87ba4adf921e361bab908195c190d6dd46ec22070f895ab52cf83eb6c273255bec6f9d1653022f5a05219 WHIRLPOOL 84d92d56c22059f993110f50ba130dabae50e461cd8c14c5da51a8677b318603b099f93766feb4af2a589e8fe343599c21ed6de122706cdbe4f06f60aaacb3f0
-EBUILD keystone-2013.2.9999.ebuild 4377 SHA256 385e06b8c937d146a17664fbd0ed22b58e9cadaf3d3e412ec83454fdaafb8dbf SHA512 17468c45b38e61d254f45389bc7c88929494a8a943b0a4e800bbd1ef788a50d506fa812eb649797e4f6fa8a8340974efae53bb3b07fea504065962b087e3f04e WHIRLPOOL ceab5a177fc6a8dfd6f074434244ecae19b66bfb754df54310b84b3556d513b136152d169fef53945d4a01d1e037022bc14c3cd7c2524374917283d89541e351
-EBUILD keystone-2014.1-r2.ebuild 4924 SHA256 1648c0629787be53a6f591e9b8ef6a1805954581ab69aba50307bb67579f4eba SHA512 d9dc36343e65a2509ce50469fcd64c7aadbe6135fcb2cd3b50f6f82d9143ec1c31c4fad437ff4a0964ec53f14b710911fd96754cc6fcf18a54009a6580d36e3c WHIRLPOOL 4bddf48be788fd635a48f917be5cc133c7725121289b8262b8a77d3e7d4ff52ae855f1b5157e7a6170cdb795599cf0c91de4d51cd6787e6c01f6bfef8ea00310
+DIST keystone-2014.1.1.tar.gz 1429884 SHA256 3da9908541776470dd7f22ec27f6e77ce7e20fb8761cbbc11e99e782f39e5b73 SHA512 86bdb09f906a6b6d7d084a5efe38ad55b9b57731680635c89fc90387ce1bd3eded7fb0534d8301fef42191422e2a42f2761953906800f742eebb16f8512e466b WHIRLPOOL 3c0f271c00e4adfb26cb4a57afa255783201fef8b5c3f29809a90323deb20cff0f263ffa2aeef82b312dd0267f82adb9baededc9b9a4b75435168131ac8491f5
+EBUILD keystone-2014.1.1.ebuild 4925 SHA256 bbc0a3d6ac7d5d5fd10aada1d8bda46aebeea93e36bb1f21d42a1ed09e69f506 SHA512 0780bf2670de4408d09fc752798d68f1e280599025fd20ffa2f22fea4b810d1e4f4898d9220a3012d0bad729ff6fab32f9f22873123b53494400dbc9ad126ba4 WHIRLPOOL 799f0a19b220f62fe5d340a654b853c6cbbd6c45a516e7cb9a6c4705e5341d175bae885c60e42d4c30f7a265ee3f99293987036148b69fff8773ee00ffce8c6d
EBUILD keystone-2014.1.9999.ebuild 4989 SHA256 3c24b141a8c95bfee91ad661761fc8d6b920c8051a4ab6cb382e22213f51f721 SHA512 7a115ea1db8d7f9dee0a072083c7f27a80924a1e0c3a410ddef9a9fb49f3ac9340365879015080141c3a6f0bc035cedebf8312fd0af385b19c0379847994a647 WHIRLPOOL 38d82c18fe26f5d80da5432fb1cad399b78704f196ddb2e983164025d0da43285edac6e512b8cb7cbda80c9286264fbc4e47de2a652f58561d20d4e0482d138b
EBUILD keystone-9999.ebuild 4363 SHA256 fe7aaf23f6dd4bced7a44d2092fc3ac2148a79088c792808e099439f92385f0f SHA512 818d48bfe82fe801a11ef6b2f65398b99497a4a943ab1882657d3d69224060204300b11288aa48befb3572079c52963cba2e5f5d1d9165bcb3664b444a201369 WHIRLPOOL 08c4f0f9089c7d166f7155d9fb5d5fbb1e05ab9adb784a9c6274f51d3efe1c73bc25818cc237507803e71c7818728e69c52a6c11dafac2d2c0f0fd585f1b1228
-MISC ChangeLog 15333 SHA256 8a75cc32d9612f42ec258677d1c1f50f06562f162cfc346c52c674f2fa064476 SHA512 1f2d2a600e68916b75398b8cb2cf3e578366a195f88af9a99b6d7a296c22ab090b67b9c16e0b9dbc42106384ce1d70c8f94a9308bfe7adddc70ac9d3922d4917 WHIRLPOOL f857b264d3d0a13cdf5bff7b95a7f8b27c1b973fb124b4485b11fc51d7fe0b309b6e7a40dee23d33cd348161f986de02142ad9019323982187b2362a0948cb6c
+MISC ChangeLog 15655 SHA256 a207c0204c2f0e48154bad0577866f711b97bae4ff72395b45a7db88aac0a3ce SHA512 b020726fdd2730273f34baab1832efe4920a20fa036ab07792683866d86486e1e150c503884b088d2ed678e5c736c05fb06c6203c44f4cea94fa39917b8e4b14 WHIRLPOOL cc9c1f5e039d36161da8f396d3bf1323993a22e3d83f1f28b4c6b7835d4a7a8713feb4fd2795e0ad95c9071cc9d9268377ce945a6d7885402c43ccbbf33de32e
MISC metadata.xml 424 SHA256 c89c0232e90df5d811d17941c1594e4c4c45db48c2b6240a3c62b232caad4e84 SHA512 9d7fcca89a6f35a93f1a57790103249cdc25424cbdb374bf26b691e81b27182dc3380a8ff67b77e7aabf4ce944e4a813d619838d4bc97086b4208e5312d76f11 WHIRLPOOL 4ec9d4c5ff5c484c341b06fe77fcac8e6fdd0e0b651dbd58b6f2d5aecd05db5bf70218b94733eb749ced7436f9df5ba5c93496bae06c0ff9a62b91ecb53ab77a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iQIcBAEBCAAGBQJTiqNJAAoJECRx6z5ArFrD88UP/i3OYIC7dXwBndqp+doRyrtB
-6fMxMguEEprUqjiln+5Z0L0udeQiYQ/rG7LNrm2eFPe7wYU/kIHrwPuWpOLMMQBs
-+hCp1b/BnM24FcmzElUQeJDaMP5KkZZlFKTbk/JyfWrs9zdueMvdJj7DZMgGtBDm
-h+9cLCYZG30vw0co7KdH0gZZ8akSH1vqPM4kyTbn/5G2YUdZh/e/PDug1IOf1Rd8
-ZXGafXLSbbGRVy1ASUNRbI9wkmI3hL9VNUWIaKlfWMZVPWJAHk1VUp2oWDSZDcO5
-ZbKy5ADKqsw38KkaVbZ9OoWY9bWT5PA6WwbEMJR7Ejlgk9fo0CBXv7aaBF1r0l70
-1T/lZpUxQqYYA93dlVRmGHZ6vWmIfw6bG2UKaQh1G4kSWmN2yUCSEC8E0kRrZ0ya
-rsArnhcBeGi5d166+C2W+f66DvXyfUdmUrKPo/Cthgy5H1LJcb48uMPakDAPhvNu
-GgEbd58jnZaco1Cetel220NisvT0V9U0HQ4r95hlzmsX94JZjuPUuinktOpyFNQd
-IpjzXvrM91cMKMRera6iY8mhSg/ghNO7o4UtYty2GYZX36TWgK21vfC5WSbEsBBr
-ipxbJo7+ayiwnp7YY9kUXwpIJf5Z7dMkICULLnbQqA8gSQzqIpMv1C/xpjy4GSTD
-b326oDF6LZGB/5yagMea
-=kYyO
+iQIcBAEBCAAGBQJTndFjAAoJECRx6z5ArFrDykkP/igvkGR345PGsAyYdGSiS2ZB
+43C+0wtlv6MW1pbBd4asJYjUkZHDWTPB6aVV8TbCOMRQyWUnFT3RvNZ7QFZHKjDb
+2eZkZrCEZhn8PIMYtL0t9BG5YYHu1ZgXr8u5kRpTRUx+yCu9Gh1lyKcZtuhy0mmN
+DjVe6a46cibpfFqHBWmufDoXnwwYB415ZltXa4oG5NQ2uzUZh58Mozpd0IHu6Ste
+9Z8OHHTH+sODNmw1LOMpeDQNfReViImVgF9VgP76tRkJAAv2M4okTP372rYX8JtH
+9oBeW3zSnaZ8u52uKfNe/U6u6fWVQFDRehLOWaSHFgCZGwCwIO3OZAePHwnB/lWH
+SIMzyBtYbN5+VJul4YiKsf9sA9UzCauDlq9zw/NTN8TD58Nb8Iyfu4OQKqAI26Kr
+CusqjSTFR0RZUGETI6QrivEJxLswL+zmZrWzsdqSLnO4iOyMB85bOqQIUJvQSTwQ
+uH5slSzu/R0pkKI79D7qj7HroWKmry4DSAGyZdVzI+u5+hSOEYgUti30bACz4nlo
+MfwXW2kCVnpGONHKWRkujJ8KtzZg4tNhP7c5i1kQbzw4PRta3C8yi0H5Fs6A2uck
+H1chUwDg2sL0hdz13sfC3x93yMD45GPpaBeyhcVrET16wflPs5ZGvk6EELZ05ev2
+fSSwodnRzo7u2J6joien
+=C4dg
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/2014.1-CVE-2014-0204.patch b/sys-auth/keystone/files/2014.1-CVE-2014-0204.patch
deleted file mode 100644
index b5fc3ba64cc1..000000000000
--- a/sys-auth/keystone/files/2014.1-CVE-2014-0204.patch
+++ /dev/null
@@ -1,522 +0,0 @@
-From 786af9829c5329a982e3451f77afebbfb21850bd Mon Sep 17 00:00:00 2001
-From: Brant Knudson <bknudson@us.ibm.com>
-Date: Fri, 18 Apr 2014 11:18:42 -0500
-Subject: [PATCH] SQL and LDAP fixes for get_roles_for_user_and_project
- user=group ID
-
-When there was a role assigned to a group with the same ID as a user,
-the SQL and LDAP assignment backends would incorrectly return the
-assignment to the group when requesting roles for the user via the
-get_roles_for_user_and_project method.
-
-With this change, assignments to a group with the same ID are not
-returned for the user when calling get_roles_for_user_and_project.
-
-Functions were added to compare DNs more accurately based on the
-LDAP RFCs.
-
-The fakeldap code was changed to normalize the values when
-comparing values for checking if the values match the filter.
-
-Co-Authored By: Nathan Kinder <nkinder@redhat.com>
-Co-Authored By: Adam Young <ayoung@redhat.com>
-
-Change-Id: Id3d6f66c995e65e37d909359420d71ecdde86b69
-Closes-Bug: #1309228
----
- keystone/assignment/backends/ldap.py | 11 +--
- keystone/assignment/backends/sql.py | 15 +++
- keystone/common/ldap/core.py | 110 +++++++++++++++++++++
- keystone/tests/fakeldap.py | 17 +++-
- keystone/tests/test_backend.py | 37 +++++++
- keystone/tests/test_backend_ldap.py | 28 ++++++
- keystone/tests/unit/common/test_ldap.py | 169 ++++++++++++++++++++++++++++++++
- 7 files changed, 378 insertions(+), 9 deletions(-)
- create mode 100644 keystone/tests/unit/common/test_ldap.py
-
-diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
-index 2afd339..09b0f01 100644
---- a/keystone/assignment/backends/ldap.py
-+++ b/keystone/assignment/backends/ldap.py
-@@ -88,24 +88,19 @@ def _get_metadata(self, user_id=None, tenant_id=None,
-
- def _get_roles_for_just_user_and_project(user_id, tenant_id):
- self.get_project(tenant_id)
-+ user_dn = self.user._id_to_dn(user_id)
- return [self.role._dn_to_id(a.role_dn)
- for a in self.role.get_role_assignments
- (self.project._id_to_dn(tenant_id))
-- if self.user._dn_to_id(a.user_dn) == user_id]
-+ if common_ldap.is_dn_equal(a.user_dn, user_dn)]
-
- def _get_roles_for_group_and_project(group_id, project_id):
- self.get_project(project_id)
- group_dn = self.group._id_to_dn(group_id)
-- # NOTE(marcos-fermin-lobo): In Active Directory, for functions
-- # such as "self.role.get_role_assignments", it returns
-- # the key "CN" or "OU" in uppercase.
-- # The group_dn var has "CN" and "OU" in lowercase.
-- # For this reason, it is necessary to use the "upper()"
-- # function so both are consistent.
- return [self.role._dn_to_id(a.role_dn)
- for a in self.role.get_role_assignments
- (self.project._id_to_dn(project_id))
-- if a.user_dn.upper() == group_dn.upper()]
-+ if common_ldap.is_dn_equal(a.user_dn, group_dn)]
-
- if domain_id is not None:
- msg = _('Domain metadata not supported by LDAP')
-diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py
-index 1d8c78f..b546a42 100644
---- a/keystone/assignment/backends/sql.py
-+++ b/keystone/assignment/backends/sql.py
-@@ -86,6 +86,21 @@ def _get_metadata(self, user_id=None, tenant_id=None,
- session = sql.get_session()
-
- q = session.query(RoleAssignment)
-+
-+ def _calc_assignment_type():
-+ # Figure out the assignment type we're checking for from the args.
-+ if user_id:
-+ if tenant_id:
-+ return AssignmentType.USER_PROJECT
-+ else:
-+ return AssignmentType.USER_DOMAIN
-+ else:
-+ if tenant_id:
-+ return AssignmentType.GROUP_PROJECT
-+ else:
-+ return AssignmentType.GROUP_DOMAIN
-+
-+ q = q.filter_by(type=_calc_assignment_type())
- q = q.filter_by(actor_id=user_id or group_id)
- q = q.filter_by(target_id=tenant_id or domain_id)
- refs = q.all()
-diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
-index e8d1dc0..9561650 100644
---- a/keystone/common/ldap/core.py
-+++ b/keystone/common/ldap/core.py
-@@ -13,6 +13,7 @@
- # under the License.
-
- import os.path
-+import re
-
- import ldap
- import ldap.filter
-@@ -101,6 +102,115 @@ def ldap_scope(scope):
- 'options': ', '.join(LDAP_SCOPES.keys())})
-
-
-+def prep_case_insensitive(value):
-+ """Prepare a string for case-insensitive comparison.
-+
-+ This is defined in RFC4518. For simplicity, all this function does is
-+ lowercase all the characters, strip leading and trailing whitespace,
-+ and compress sequences of spaces to a single space.
-+ """
-+ value = re.sub(r'\s+', ' ', value.strip().lower())
-+ return value
-+
-+
-+def is_ava_value_equal(attribute_type, val1, val2):
-+ """Returns True if and only if the AVAs are equal.
-+
-+ When comparing AVAs, the equality matching rule for the attribute type
-+ should be taken into consideration. For simplicity, this implementation
-+ does a case-insensitive comparison.
-+
-+ Note that this function uses prep_case_insenstive so the limitations of
-+ that function apply here.
-+
-+ """
-+
-+ return prep_case_insensitive(val1) == prep_case_insensitive(val2)
-+
-+
-+def is_rdn_equal(rdn1, rdn2):
-+ """Returns True if and only if the RDNs are equal.
-+
-+ * RDNs must have the same number of AVAs.
-+ * Each AVA of the RDNs must be the equal for the same attribute type. The
-+ order isn't significant. Note that an attribute type will only be in one
-+ AVA in an RDN, otherwise the DN wouldn't be valid.
-+ * Attribute types aren't case sensitive. Note that attribute type
-+ comparison is more complicated than implemented. This function only
-+ compares case-insentive. The code should handle multiple names for an
-+ attribute type (e.g., cn, commonName, and 2.5.4.3 are the same).
-+
-+ Note that this function uses is_ava_value_equal to compare AVAs so the
-+ limitations of that function apply here.
-+
-+ """
-+
-+ if len(rdn1) != len(rdn2):
-+ return False
-+
-+ for attr_type_1, val1, dummy in rdn1:
-+ found = False
-+ for attr_type_2, val2, dummy in rdn2:
-+ if attr_type_1.lower() != attr_type_2.lower():
-+ continue
-+
-+ found = True
-+ if not is_ava_value_equal(attr_type_1, val1, val2):
-+ return False
-+ break
-+ if not found:
-+ return False
-+
-+ return True
-+
-+
-+def is_dn_equal(dn1, dn2):
-+ """Returns True if and only if the DNs are equal.
-+
-+ Two DNs are equal if they've got the same number of RDNs and if the RDNs
-+ are the same at each position. See RFC4517.
-+
-+ Note that this function uses is_rdn_equal to compare RDNs so the
-+ limitations of that function apply here.
-+
-+ :param dn1: Either a string DN or a DN parsed by ldap.dn.str2dn.
-+ :param dn2: Either a string DN or a DN parsed by ldap.dn.str2dn.
-+
-+ """
-+
-+ if not isinstance(dn1, list):
-+ dn1 = ldap.dn.str2dn(dn1)
-+ if not isinstance(dn2, list):
-+ dn2 = ldap.dn.str2dn(dn2)
-+
-+ if len(dn1) != len(dn2):
-+ return False
-+
-+ for rdn1, rdn2 in zip(dn1, dn2):
-+ if not is_rdn_equal(rdn1, rdn2):
-+ return False
-+ return True
-+
-+
-+def dn_startswith(descendant_dn, dn):
-+ """Returns True if and only if the descendant_dn is under the dn.
-+
-+ :param descendant_dn: Either a string DN or a DN parsed by ldap.dn.str2dn.
-+ :param dn: Either a string DN or a DN parsed by ldap.dn.str2dn.
-+
-+ """
-+
-+ if not isinstance(descendant_dn, list):
-+ descendant_dn = ldap.dn.str2dn(descendant_dn)
-+ if not isinstance(dn, list):
-+ dn = ldap.dn.str2dn(dn)
-+
-+ if len(descendant_dn) <= len(dn):
-+ return False
-+
-+ return is_dn_equal(descendant_dn[len(dn):], dn)
-+
-+
- _HANDLERS = {}
-
-
-diff --git a/keystone/tests/fakeldap.py b/keystone/tests/fakeldap.py
-index 8347d68..21e1bd3 100644
---- a/keystone/tests/fakeldap.py
-+++ b/keystone/tests/fakeldap.py
-@@ -51,6 +51,19 @@ def _process_attr(attr_name, value_or_values):
-
- def normalize_dn(dn):
- # Capitalize the attribute names as an LDAP server might.
-+
-+ # NOTE(blk-u): Special case for this tested value, used with
-+ # test_user_id_comma. The call to str2dn here isn't always correct
-+ # here, because `dn` is escaped for an LDAP filter. str2dn() normally
-+ # works only because there's no special characters in `dn`.
-+ if dn == 'cn=Doe\\5c, John,ou=Users,cn=example,cn=com':
-+ return 'CN=Doe\\, John,OU=Users,CN=example,CN=com'
-+
-+ # NOTE(blk-u): Another special case for this tested value. When a
-+ # roleOccupant has an escaped comma, it gets converted to \2C.
-+ if dn == 'cn=Doe\\, John,ou=Users,cn=example,cn=com':
-+ return 'CN=Doe\\2C John,OU=Users,CN=example,CN=com'
-+
- dn = ldap.dn.str2dn(dn)
- norm = []
- for part in dn:
-@@ -118,7 +131,9 @@ def _match(key, value, attrs):
- str_sids = [str(x) for x in attrs[key]]
- return str(value) in str_sids
- if key != 'objectclass':
-- return _process_attr(key, value)[0] in attrs[key]
-+ check_value = _process_attr(key, value)[0]
-+ norm_values = list(_process_attr(key, x)[0] for x in attrs[key])
-+ return check_value in norm_values
- # it is an objectclass check, so check subclasses
- values = _subs(value)
- for v in values:
-diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
-index c8d7341..b42b209 100644
---- a/keystone/tests/test_backend.py
-+++ b/keystone/tests/test_backend.py
-@@ -1377,6 +1377,43 @@ def test_multi_group_grants_on_project_domain(self):
- self.assertIn(role_list[1]['id'], combined_role_list)
- self.assertIn(role_list[2]['id'], combined_role_list)
-
-+ def test_get_roles_for_user_and_project_user_group_same_id(self):
-+ """When a user has the same ID as a group,
-+ get_roles_for_user_and_project returns only the roles for the user and
-+ not the group.
-+
-+ """
-+
-+ # Setup: create user, group with same ID, role, and project;
-+ # assign the group the role on the project.
-+
-+ user_group_id = uuid.uuid4().hex
-+
-+ user1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
-+ 'domain_id': DEFAULT_DOMAIN_ID, }
-+ self.identity_api.create_user(user_group_id, user1)
-+
-+ group1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
-+ 'domain_id': DEFAULT_DOMAIN_ID, }
-+ self.identity_api.create_group(user_group_id, group1)
-+
-+ role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
-+ self.assignment_api.create_role(role1['id'], role1)
-+
-+ project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
-+ 'domain_id': DEFAULT_DOMAIN_ID, }
-+ self.assignment_api.create_project(project1['id'], project1)
-+
-+ self.assignment_api.create_grant(role1['id'],
-+ group_id=user_group_id,
-+ project_id=project1['id'])
-+
-+ # Check the roles, shouldn't be any since the user wasn't granted any.
-+ roles = self.assignment_api.get_roles_for_user_and_project(
-+ user_group_id, project1['id'])
-+
-+ self.assertEqual([], roles, 'role for group is %s' % role1['id'])
-+
- def test_delete_role_with_user_and_group_grants(self):
- role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
- self.assignment_api.create_role(role1['id'], role1)
-diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
-index 310fbbc..9964527 100644
---- a/keystone/tests/test_backend_ldap.py
-+++ b/keystone/tests/test_backend_ldap.py
-@@ -546,6 +546,34 @@ def test_new_arbitrary_attributes_are_returned_from_update_user(self):
- def test_updated_arbitrary_attributes_are_returned_from_update_user(self):
- self.skipTest("Using arbitrary attributes doesn't work under LDAP")
-
-+ def test_user_id_comma_grants(self):
-+ """Even if the user has a , in their ID, can get user and group grants.
-+ """
-+
-+ # Create a user with a , in their ID
-+ # NOTE(blk-u): the DN for this user is hard-coded in fakeldap!
-+ user_id = u'Doe, John'
-+ user = {
-+ 'id': user_id,
-+ 'name': self.getUniqueString(),
-+ 'password': self.getUniqueString(),
-+ 'domain_id': CONF.identity.default_domain_id,
-+ }
-+ self.identity_api.create_user(user_id, user)
-+
-+ # Grant the user a role on a project.
-+
-+ role_id = 'member'
-+ project_id = self.tenant_baz['id']
-+
-+ self.assignment_api.create_grant(role_id, user_id=user_id,
-+ project_id=project_id)
-+
-+ role_ref = self.assignment_api.get_grant(role_id, user_id=user_id,
-+ project_id=project_id)
-+
-+ self.assertEqual(role_id, role_ref['id'])
-+
-
- class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
- def setUp(self):
-diff --git a/keystone/tests/unit/common/test_ldap.py b/keystone/tests/unit/common/test_ldap.py
-new file mode 100644
-index 0000000..220bf1a
---- /dev/null
-+++ b/keystone/tests/unit/common/test_ldap.py
-@@ -0,0 +1,169 @@
-+# Licensed under the Apache License, Version 2.0 (the "License"); you may
-+# not use this file except in compliance with the License. You may obtain
-+# a copy of the License at
-+#
-+# http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-+# License for the specific language governing permissions and limitations
-+# under the License.
-+
-+import ldap.dn
-+
-+from keystone.common import ldap as ks_ldap
-+from keystone import tests
-+
-+
-+class DnCompareTest(tests.BaseTestCase):
-+ """Tests for the DN comparison functions in keystone.common.ldap.core."""
-+
-+ def test_prep(self):
-+ # prep_case_insensitive returns the string with spaces at the front and
-+ # end if it's already lowercase and no insignificant characters.
-+ value = 'lowercase value'
-+ self.assertEqual(value, ks_ldap.prep_case_insensitive(value))
-+
-+ def test_prep_lowercase(self):
-+ # prep_case_insensitive returns the string with spaces at the front and
-+ # end and lowercases the value.
-+ value = 'UPPERCASE VALUE'
-+ exp_value = value.lower()
-+ self.assertEqual(exp_value, ks_ldap.prep_case_insensitive(value))
-+
-+ def test_prep_insignificant(self):
-+ # prep_case_insensitive remove insignificant spaces.
-+ value = 'before after'
-+ exp_value = 'before after'
-+ self.assertEqual(exp_value, ks_ldap.prep_case_insensitive(value))
-+
-+ def test_prep_insignificant_pre_post(self):
-+ # prep_case_insensitive remove insignificant spaces.
-+ value = ' value '
-+ exp_value = 'value'
-+ self.assertEqual(exp_value, ks_ldap.prep_case_insensitive(value))
-+
-+ def test_ava_equal_same(self):
-+ # is_ava_value_equal returns True if the two values are the same.
-+ value = 'val1'
-+ self.assertTrue(ks_ldap.is_ava_value_equal('cn', value, value))
-+
-+ def test_ava_equal_complex(self):
-+ # is_ava_value_equal returns True if the two values are the same using
-+ # a value that's got different capitalization and insignificant chars.
-+ val1 = 'before after'
-+ val2 = ' BEFORE afTer '
-+ self.assertTrue(ks_ldap.is_ava_value_equal('cn', val1, val2))
-+
-+ def test_ava_different(self):
-+ # is_ava_value_equal returns False if the values aren't the same.
-+ self.assertFalse(ks_ldap.is_ava_value_equal('cn', 'val1', 'val2'))
-+
-+ def test_rdn_same(self):
-+ # is_rdn_equal returns True if the two values are the same.
-+ rdn = ldap.dn.str2dn('cn=val1')[0]
-+ self.assertTrue(ks_ldap.is_rdn_equal(rdn, rdn))
-+
-+ def test_rdn_diff_length(self):
-+ # is_rdn_equal returns False if the RDNs have a different number of
-+ # AVAs.
-+ rdn1 = ldap.dn.str2dn('cn=cn1')[0]
-+ rdn2 = ldap.dn.str2dn('cn=cn1+ou=ou1')[0]
-+ self.assertFalse(ks_ldap.is_rdn_equal(rdn1, rdn2))
-+
-+ def test_rdn_multi_ava_same_order(self):
-+ # is_rdn_equal returns True if the RDNs have the same number of AVAs
-+ # and the values are the same.
-+ rdn1 = ldap.dn.str2dn('cn=cn1+ou=ou1')[0]
-+ rdn2 = ldap.dn.str2dn('cn=CN1+ou=OU1')[0]
-+ self.assertTrue(ks_ldap.is_rdn_equal(rdn1, rdn2))
-+
-+ def test_rdn_multi_ava_diff_order(self):
-+ # is_rdn_equal returns True if the RDNs have the same number of AVAs
-+ # and the values are the same, even if in a different order
-+ rdn1 = ldap.dn.str2dn('cn=cn1+ou=ou1')[0]
-+ rdn2 = ldap.dn.str2dn('ou=OU1+cn=CN1')[0]
-+ self.assertTrue(ks_ldap.is_rdn_equal(rdn1, rdn2))
-+
-+ def test_rdn_multi_ava_diff_type(self):
-+ # is_rdn_equal returns False if the RDNs have the same number of AVAs
-+ # and the attribute types are different.
-+ rdn1 = ldap.dn.str2dn('cn=cn1+ou=ou1')[0]
-+ rdn2 = ldap.dn.str2dn('cn=cn1+sn=sn1')[0]
-+ self.assertFalse(ks_ldap.is_rdn_equal(rdn1, rdn2))
-+
-+ def test_rdn_attr_type_case_diff(self):
-+ # is_rdn_equal returns True for same RDNs even when attr type case is
-+ # different.
-+ rdn1 = ldap.dn.str2dn('cn=cn1')[0]
-+ rdn2 = ldap.dn.str2dn('CN=cn1')[0]
-+ self.assertTrue(ks_ldap.is_rdn_equal(rdn1, rdn2))
-+
-+ def test_rdn_attr_type_alias(self):
-+ # is_rdn_equal returns False for same RDNs even when attr type alias is
-+ # used. Note that this is a limitation since an LDAP server should
-+ # consider them equal.
-+ rdn1 = ldap.dn.str2dn('cn=cn1')[0]
-+ rdn2 = ldap.dn.str2dn('2.5.4.3=cn1')[0]
-+ self.assertFalse(ks_ldap.is_rdn_equal(rdn1, rdn2))
-+
-+ def test_dn_same(self):
-+ # is_dn_equal returns True if the DNs are the same.
-+ dn = 'cn=Babs Jansen,ou=OpenStack'
-+ self.assertTrue(ks_ldap.is_dn_equal(dn, dn))
-+
-+ def test_dn_diff_length(self):
-+ # is_dn_equal returns False if the DNs don't have the same number of
-+ # RDNs
-+ dn1 = 'cn=Babs Jansen,ou=OpenStack'
-+ dn2 = 'cn=Babs Jansen,ou=OpenStack,dc=example.com'
-+ self.assertFalse(ks_ldap.is_dn_equal(dn1, dn2))
-+
-+ def test_dn_equal_rdns(self):
-+ # is_dn_equal returns True if the DNs have the same number of RDNs
-+ # and each RDN is the same.
-+ dn1 = 'cn=Babs Jansen,ou=OpenStack+cn=OpenSource'
-+ dn2 = 'CN=Babs Jansen,cn=OpenSource+ou=OpenStack'
-+ self.assertTrue(ks_ldap.is_dn_equal(dn1, dn2))
-+
-+ def test_dn_parsed_dns(self):
-+ # is_dn_equal can also accept parsed DNs.
-+ dn_str1 = ldap.dn.str2dn('cn=Babs Jansen,ou=OpenStack+cn=OpenSource')
-+ dn_str2 = ldap.dn.str2dn('CN=Babs Jansen,cn=OpenSource+ou=OpenStack')
-+ self.assertTrue(ks_ldap.is_dn_equal(dn_str1, dn_str2))
-+
-+ def test_startswith_under_child(self):
-+ # dn_startswith returns True if descendant_dn is a child of dn.
-+ child = 'cn=Babs Jansen,ou=OpenStack'
-+ parent = 'ou=OpenStack'
-+ self.assertTrue(ks_ldap.dn_startswith(child, parent))
-+
-+ def test_startswith_parent(self):
-+ # dn_startswith returns False if descendant_dn is a parent of dn.
-+ child = 'cn=Babs Jansen,ou=OpenStack'
-+ parent = 'ou=OpenStack'
-+ self.assertFalse(ks_ldap.dn_startswith(parent, child))
-+
-+ def test_startswith_same(self):
-+ # dn_startswith returns False if DNs are the same.
-+ dn = 'cn=Babs Jansen,ou=OpenStack'
-+ self.assertFalse(ks_ldap.dn_startswith(dn, dn))
-+
-+ def test_startswith_not_parent(self):
-+ # dn_startswith returns False if descendant_dn is not under the dn
-+ child = 'cn=Babs Jansen,ou=OpenStack'
-+ parent = 'dc=example.com'
-+ self.assertFalse(ks_ldap.dn_startswith(child, parent))
-+
-+ def test_startswith_descendant(self):
-+ # dn_startswith returns True if descendant_dn is a descendant of dn.
-+ descendant = 'cn=Babs Jansen,ou=Keystone,ou=OpenStack,dc=example.com'
-+ dn = 'ou=OpenStack,dc=example.com'
-+ self.assertTrue(ks_ldap.dn_startswith(descendant, dn))
-+
-+ def test_startswith_parsed_dns(self):
-+ # dn_startswith also accepts parsed DNs.
-+ descendant = ldap.dn.str2dn('cn=Babs Jansen,ou=OpenStack')
-+ dn = ldap.dn.str2dn('ou=OpenStack')
-+ self.assertTrue(ks_ldap.dn_startswith(descendant, dn))
---
-1.9.3
-
diff --git a/sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch b/sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch
new file mode 100644
index 000000000000..ae231593756d
--- /dev/null
+++ b/sys-auth/keystone/files/2014.1.1-CVE-2014-3476.patch
@@ -0,0 +1,308 @@
+From 73785122eefe523bb57c819e085c7f6ec97d779c Mon Sep 17 00:00:00 2001
+From: Adam Young <ayoung@redhat.com>
+Date: Thu, 29 May 2014 13:56:17 -0400
+Subject: [PATCH] Block delegation escalation of privilege
+
+Forbids doing the following with either a trust
+ or oauth based token:
+ creating a trust
+ approving a request_token
+ listing request tokens
+
+Change-Id: I1528f9dd003f5e03cbc50b78e1b32dbbf85ffcc2
+Closes-Bug: 1324592
+---
+ keystone/common/authorization.py | 36 ++++++++++++-
+ keystone/contrib/oauth1/controllers.py | 12 +++++
+ keystone/tests/test_v3_auth.py | 36 +++++++++++++
+ keystone/tests/test_v3_oauth1.py | 97 ++++++++++++++++++++++++++++++++++
+ keystone/trust/controllers.py | 9 ++++
+ 5 files changed, 188 insertions(+), 2 deletions(-)
+
+diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py
+index 6dc7435..11d0d79 100644
+--- a/keystone/common/authorization.py
++++ b/keystone/common/authorization.py
+@@ -67,7 +67,7 @@ def is_v3_token(token):
+
+
+ def v3_token_to_auth_context(token):
+- creds = {}
++ creds = {'is_delegated_auth': False}
+ token_data = token['token']
+ try:
+ creds['user_id'] = token_data['user']['id']
+@@ -87,11 +87,31 @@ def v3_token_to_auth_context(token):
+ creds['group_ids'] = [
+ g['id'] for g in token_data['user'].get(federation.FEDERATION, {}).get(
+ 'groups', [])]
++
++ trust = token_data.get('OS-TRUST:trust')
++ if trust is None:
++ creds['trust_id'] = None
++ creds['trustor_id'] = None
++ creds['trustee_id'] = None
++ else:
++ creds['trust_id'] = trust['id']
++ creds['trustor_id'] = trust['trustor_user']['id']
++ creds['trustee_id'] = trust['trustee_user']['id']
++ creds['is_delegated_auth'] = True
++
++ oauth1 = token_data.get('OS-OAUTH1')
++ if oauth1 is None:
++ creds['consumer_id'] = None
++ creds['access_token_id'] = None
++ else:
++ creds['consumer_id'] = oauth1['consumer_id']
++ creds['access_token_id'] = oauth1['access_token_id']
++ creds['is_delegated_auth'] = True
+ return creds
+
+
+ def v2_token_to_auth_context(token):
+- creds = {}
++ creds = {'is_delegated_auth': False}
+ token_data = token['access']
+ try:
+ creds['user_id'] = token_data['user']['id']
+@@ -105,6 +125,18 @@ def v2_token_to_auth_context(token):
+ if 'roles' in token_data['user']:
+ creds['roles'] = [role['name'] for
+ role in token_data['user']['roles']]
++
++ trust = token_data.get('trust')
++ if trust is None:
++ creds['trust_id'] = None
++ creds['trustor_id'] = None
++ creds['trustee_id'] = None
++ else:
++ creds['trust_id'] = trust.get('id')
++ creds['trustor_id'] = trust.get('trustor_id')
++ creds['trustee_id'] = trust.get('trustee_id')
++ creds['is_delegated_auth'] = True
++
+ return creds
+
+
+diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py
+index 2c938ba..a185e4f 100644
+--- a/keystone/contrib/oauth1/controllers.py
++++ b/keystone/contrib/oauth1/controllers.py
+@@ -95,6 +95,12 @@ def get_access_token(self, context, user_id, access_token_id):
+
+ @controller.protected()
+ def list_access_tokens(self, context, user_id):
++ auth_context = context.get('environment',
++ {}).get('KEYSTONE_AUTH_CONTEXT', {})
++ if auth_context.get('is_delegated_auth'):
++ raise exception.Forbidden(
++ _('Cannot list request tokens'
++ ' with a token issued via delegation.'))
+ refs = self.oauth_api.list_access_tokens(user_id)
+ formatted_refs = ([self._format_token_entity(context, x)
+ for x in refs])
+@@ -310,6 +316,12 @@ def authorize_request_token(self, context, request_token_id, roles):
+ there is not another easy way to make sure the user knows which roles
+ are being requested before authorizing.
+ """
++ auth_context = context.get('environment',
++ {}).get('KEYSTONE_AUTH_CONTEXT', {})
++ if auth_context.get('is_delegated_auth'):
++ raise exception.Forbidden(
++ _('Cannot authorize a request token'
++ ' with a token issued via delegation.'))
+
+ req_token = self.oauth_api.get_request_token(request_token_id)
+
+diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
+index 5de7e02..8a27a38 100644
+--- a/keystone/tests/test_v3_auth.py
++++ b/keystone/tests/test_v3_auth.py
+@@ -2777,6 +2777,42 @@ def test_exercise_trust_scoped_token_with_impersonation(self):
+ self.assertEqual(r.result['token']['project']['name'],
+ self.project['name'])
+
++ def test_impersonation_token_cannot_create_new_trust(self):
++ ref = self.new_trust_ref(
++ trustor_user_id=self.user_id,
++ trustee_user_id=self.trustee_user_id,
++ project_id=self.project_id,
++ impersonation=True,
++ expires=dict(minutes=1),
++ role_ids=[self.role_id])
++ del ref['id']
++
++ r = self.post('/OS-TRUST/trusts', body={'trust': ref})
++ trust = self.assertValidTrustResponse(r)
++
++ auth_data = self.build_authentication_request(
++ user_id=self.trustee_user['id'],
++ password=self.trustee_user['password'],
++ trust_id=trust['id'])
++ r = self.post('/auth/tokens', body=auth_data)
++
++ trust_token = r.headers['X-Subject-Token']
++
++ # Build second trust
++ ref = self.new_trust_ref(
++ trustor_user_id=self.user_id,
++ trustee_user_id=self.trustee_user_id,
++ project_id=self.project_id,
++ impersonation=True,
++ expires=dict(minutes=1),
++ role_ids=[self.role_id])
++ del ref['id']
++
++ self.post('/OS-TRUST/trusts',
++ body={'trust': ref},
++ token=trust_token,
++ expected_status=403)
++
+ def assertTrustTokensRevoked(self, trust_id):
+ revocation_response = self.get('/OS-REVOKE/events',
+ expected_status=200)
+diff --git a/keystone/tests/test_v3_oauth1.py b/keystone/tests/test_v3_oauth1.py
+index b653855..d993889 100644
+--- a/keystone/tests/test_v3_oauth1.py
++++ b/keystone/tests/test_v3_oauth1.py
+@@ -13,6 +13,8 @@
+ # under the License.
+
+ import copy
++import os
++import tempfile
+ import uuid
+
+ from six.moves import urllib
+@@ -26,6 +28,7 @@
+ from keystone import exception
+ from keystone.openstack.common.db.sqlalchemy import migration
+ from keystone.openstack.common import importutils
++from keystone.openstack.common import jsonutils
+ from keystone.tests import test_v3
+
+
+@@ -486,6 +489,100 @@ def test_delete_keystone_tokens_by_consumer_id(self):
+ self.assertRaises(exception.TokenNotFound, self.token_api.get_token,
+ self.keystone_token_id)
+
++ def _create_trust_get_token(self):
++ ref = self.new_trust_ref(
++ trustor_user_id=self.user_id,
++ trustee_user_id=self.user_id,
++ project_id=self.project_id,
++ impersonation=True,
++ expires=dict(minutes=1),
++ role_ids=[self.role_id])
++ del ref['id']
++
++ r = self.post('/OS-TRUST/trusts', body={'trust': ref})
++ trust = self.assertValidTrustResponse(r)
++
++ auth_data = self.build_authentication_request(
++ user_id=self.user['id'],
++ password=self.user['password'],
++ trust_id=trust['id'])
++ r = self.post('/auth/tokens', body=auth_data)
++
++ trust_token = r.headers['X-Subject-Token']
++ return trust_token
++
++ def _approve_request_token_url(self):
++ consumer = self._create_single_consumer()
++ consumer_id = consumer['id']
++ consumer_secret = consumer['secret']
++ self.consumer = {'key': consumer_id, 'secret': consumer_secret}
++ self.assertIsNotNone(self.consumer['secret'])
++
++ url, headers = self._create_request_token(self.consumer,
++ self.project_id)
++ content = self.post(url, headers=headers)
++ credentials = urllib.parse.parse_qs(content.result)
++ request_key = credentials['oauth_token'][0]
++ request_secret = credentials['oauth_token_secret'][0]
++ self.request_token = oauth1.Token(request_key, request_secret)
++ self.assertIsNotNone(self.request_token.key)
++
++ url = self._authorize_request_token(request_key)
++
++ return url
++
++ def test_oauth_token_cannot_create_new_trust(self):
++ self.test_oauth_flow()
++ ref = self.new_trust_ref(
++ trustor_user_id=self.user_id,
++ trustee_user_id=self.user_id,
++ project_id=self.project_id,
++ impersonation=True,
++ expires=dict(minutes=1),
++ role_ids=[self.role_id])
++ del ref['id']
++
++ self.post('/OS-TRUST/trusts',
++ body={'trust': ref},
++ token=self.keystone_token_id,
++ expected_status=403)
++
++ def test_oauth_token_cannot_authorize_request_token(self):
++ self.test_oauth_flow()
++ url = self._approve_request_token_url()
++ body = {'roles': [{'id': self.role_id}]}
++ self.put(url, body=body, token=self.keystone_token_id,
++ expected_status=403)
++
++ def test_oauth_token_cannot_list_request_tokens(self):
++ self._set_policy({"identity:list_access_tokens": [],
++ "identity:create_consumer": [],
++ "identity:authorize_request_token": []})
++ self.test_oauth_flow()
++ url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id
++ self.get(url, token=self.keystone_token_id,
++ expected_status=403)
++
++ def _set_policy(self, new_policy):
++ _unused, self.tmpfilename = tempfile.mkstemp()
++ self.config_fixture.config(policy_file=self.tmpfilename)
++ with open(self.tmpfilename, "w") as policyfile:
++ policyfile.write(jsonutils.dumps(new_policy))
++ self.addCleanup(os.remove, self.tmpfilename)
++
++ def test_trust_token_cannot_authorize_request_token(self):
++ trust_token = self._create_trust_get_token()
++ url = self._approve_request_token_url()
++ body = {'roles': [{'id': self.role_id}]}
++ self.put(url, body=body, token=trust_token, expected_status=403)
++
++ def test_trust_token_cannot_list_request_tokens(self):
++ self._set_policy({"identity:list_access_tokens": [],
++ "identity:create_trust": []})
++ trust_token = self._create_trust_get_token()
++ url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id
++ self.get(url, token=trust_token, expected_status=403)
++
+
+ class MaliciousOAuth1Tests(OAuth1Tests):
+
+diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
+index cc3cc1f..552db44 100644
+--- a/keystone/trust/controllers.py
++++ b/keystone/trust/controllers.py
+@@ -132,6 +132,15 @@ def create_trust(self, context, trust=None):
+
+ # TODO(ayoung): instead of raising ValidationError on the first
+ # problem, return a collection of all the problems.
++
++ # Explicitly prevent a trust token from creating a new trust.
++ auth_context = context.get('environment',
++ {}).get('KEYSTONE_AUTH_CONTEXT', {})
++ if auth_context.get('is_delegated_auth'):
++ raise exception.Forbidden(
++ _('Cannot create a trust'
++ ' with a token issued via delegation.'))
++
+ if not trust:
+ raise exception.ValidationError(attribute='trust',
+ target='request')
+--
+1.9.3
+
diff --git a/sys-auth/keystone/keystone-2013.2.3-r1.ebuild b/sys-auth/keystone/keystone-2013.2.3-r1.ebuild
deleted file mode 100644
index 209c91e14445..000000000000
--- a/sys-auth/keystone/keystone-2013.2.3-r1.ebuild
+++ /dev/null
@@ -1,128 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:28:59 prometheanfire Exp $
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 user
-
-DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python."
-HOMEPAGE="https://launchpad.net/keystone"
-SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="+sqlite mysql postgres ldap test"
-REQUIRED_USE="|| ( mysql postgres sqlite )"
-
-#todo, seperate out rdepend via use flags
-RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
- >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
- <dev-python/webob-1.3[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- dev-python/netaddr[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
- sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
- dev-python/passlib[${PYTHON_USEDEP}]
- >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.8[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
- dev-python/oauth2[${PYTHON_USEDEP}]
- >=dev-python/dogpile-cache-0.5.2[${PYTHON_USEDEP}]
- dev-python/python-daemon[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- test? ( ${RDEPEND}
- >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
- >=dev-python/hacking-0.5.6[${PYTHON_USEDEP}]
- <dev-python/hacking-0.8[${PYTHON_USEDEP}]
- dev-python/httplib2[${PYTHON_USEDEP}]
- >=dev-python/keyring-1.6.1[${PYTHON_USEDEP}]
- <dev-python/keyring-2.0[${PYTHON_USEDEP}]
- >=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
- dev-python/nose[${PYTHON_USEDEP}]
- dev-python/nosexcover[${PYTHON_USEDEP}]
- >=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}]
- >=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}]
- dev-python/oslo-sphinx[${PYTHON_USEDEP}]
- >=dev-python/requests-1.1[${PYTHON_USEDEP}]
- >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
- <dev-python/sphinx-1.2[${PYTHON_USEDEP}]
- >=dev-python/testtools-0.9.32[${PYTHON_USEDEP}]
- >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
- >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}]
- ldap? ( ~dev-python/python-ldap-2.3.13 ) )
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
-
-PATCHES=(
- "${FILESDIR}/CVE-2014-2828-2013.2.3.patch"
-)
-
-pkg_setup() {
- enewgroup keystone
- enewuser keystone -1 -1 /var/lib/keystone keystone
-}
-
-python_prepare_all() {
- mkdir ${PN}/tests/tmp || die
- cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
- distutils-r1_python_prepare_all
-}
-
-python_test() {
- # https://bugs.launchpad.net/keystone/+bug/1262564
- nosetests || die "testsuite failed under python2.7"
-}
-
-python_install() {
- distutils-r1_python_install
- newconfd "${FILESDIR}/keystone.confd" keystone
- newinitd "${FILESDIR}/keystone.initd" keystone
-
- diropts -m 0750
- keepdir /etc/keystone /var/log/keystone
- insinto /etc/keystone
- doins etc/keystone.conf.sample etc/logging.conf.sample
- doins etc/default_catalog.templates etc/policy.json
- doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
-
- fowners keystone:keystone /etc/keystone /var/log/keystone
-}
-
-pkg_postinst() {
- elog "You might want to run:"
- elog "emerge --config =${CATEGORY}/${PF}"
- elog "if this is a new install."
- elog "If you have not already configured your openssl installation"
- elog "please do it by modifying /etc/ssl/openssl.cnf"
- elog "BEFORE issuing the configuration command."
- elog "Otherwise default values will be used."
-}
-
-pkg_config() {
- if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
- einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
- read
- "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
- else
- einfo "keystone PKI certificates directory already present, skipping configuration"
- fi
-}
diff --git a/sys-auth/keystone/keystone-2013.2.9999.ebuild b/sys-auth/keystone/keystone-2013.2.9999.ebuild
deleted file mode 100644
index 871a4ad8088c..000000000000
--- a/sys-auth/keystone/keystone-2013.2.9999.ebuild
+++ /dev/null
@@ -1,130 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.9999.ebuild,v 1.11 2014/04/21 01:30:04 floppym Exp $
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-
-inherit git-2 distutils-r1 user
-
-DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python."
-HOMEPAGE="https://launchpad.net/keystone"
-EGIT_REPO_URI="https://github.com/openstack/keystone.git"
-EGIT_BRANCH="stable/havana"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS=""
-IUSE="+sqlite mysql postgres ldap test"
-REQUIRED_USE="|| ( mysql postgres sqlite )"
-
-#todo, seperate out rdepend via use flags
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- test? ( dev-python/Babel
- dev-python/decorator
- dev-python/eventlet
- dev-python/greenlet
- dev-python/httplib2
- dev-python/iso8601
- dev-python/lxml
- dev-python/netifaces
- dev-python/nose
- dev-python/nosexcover
- dev-python/passlib
- dev-python/paste
- dev-python/pastedeploy
- dev-python/python-pam
- dev-python/repoze-lru
- dev-python/routes
- dev-python/sphinx
- >=dev-python/sqlalchemy-migrate-0.7
- dev-python/tempita
- >=dev-python/webob-1.0.8
- dev-python/webtest
- dev-python/python-memcached )
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
-RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
- >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
- <dev-python/webob-1.3[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- dev-python/netaddr[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
- sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
- dev-python/passlib[${PYTHON_USEDEP}]
- >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- >=dev-python/Babel-0.9.6[${PYTHON_USEDEP}]
- dev-python/oauth2[${PYTHON_USEDEP}]
- >=dev-python/dogpile-cache-0.5.0[${PYTHON_USEDEP}]
- dev-python/python-daemon[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
-
-PATCHES=(
-)
-
-pkg_setup() {
- enewgroup keystone
- enewuser keystone -1 -1 /var/lib/keystone keystone
-}
-
-python_prepare_all() {
- cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
- distutils-r1_python_prepare_all
-}
-
-python_test() {
- # Ignore (naughty) test_.py files & 1 test that connect to the network
- nosetests -I 'test_keystoneclient*' \
- -e test_import || die "testsuite failed under python2.7"
-}
-
-python_install() {
- distutils-r1_python_install
- newconfd "${FILESDIR}/keystone.confd" keystone
- newinitd "${FILESDIR}/keystone.initd" keystone
-
- diropts -m 0750
- keepdir /etc/keystone /var/log/keystone
- insinto /etc/keystone
- doins etc/keystone.conf.sample etc/logging.conf.sample
- doins etc/default_catalog.templates etc/policy.json
- doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
-
- fowners keystone:keystone /etc/keystone /var/log/keystone
-}
-
-pkg_postinst() {
- elog "You might want to run:"
- elog "emerge --config =${CATEGORY}/${PF}"
- elog "if this is a new install."
- elog "If you have not already configured your openssl installation"
- elog "please do it by modifying /etc/ssl/openssl.cnf"
- elog "BEFORE issuing the configuration command."
- elog "Otherwise default values will be used."
-}
-
-pkg_config() {
- if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
- einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
- read
- "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
- else
- einfo "keystone PKI certificates directory already present, skipping configuration"
- fi
-}
diff --git a/sys-auth/keystone/keystone-2014.1-r2.ebuild b/sys-auth/keystone/keystone-2014.1.1.ebuild
index 7d9a842a0d51..993421b9ca90 100644
--- a/sys-auth/keystone/keystone-2014.1-r2.ebuild
+++ b/sys-auth/keystone/keystone-2014.1.1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1-r2.ebuild,v 1.1 2014/06/01 02:19:16 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1.1.ebuild,v 1.1 2014/06/15 17:01:02 prometheanfire Exp $
EAPI=5
@@ -55,7 +55,7 @@ RDEPEND=">=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
dev-python/paste[${PYTHON_USEDEP}]
>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
- >=dev-python/six-1.5.2[${PYTHON_USEDEP}]
+ >=dev-python/six-1.6.0[${PYTHON_USEDEP}]
>=dev-python/sqlalchemy-0.7.8[${PYTHON_USEDEP}]
<dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
mysql? ( dev-python/mysql-python[${PYTHON_USEDEP}] )
@@ -77,7 +77,7 @@ RDEPEND=">=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )"
PATCHES=(
- "${FILESDIR}/2014.1-CVE-2014-0204.patch"
+ "${FILESDIR}/2014.1.1-CVE-2014-3476.patch"
)
pkg_setup() {