| 1 |
commit: 405148ae5fe2b8b3fddcbbc499df304ba308e5bb |
| 2 |
Author: Michael Mair-Keimberger (asterix) <m.mairkeimberger <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Tue Aug 8 16:25:09 2017 +0000 |
| 4 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Aug 8 22:36:43 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=405148ae |
| 7 |
|
| 8 |
sys-auth/keystone: remove unused patches |
| 9 |
|
| 10 |
.../files/cve-2017-2673-stable-newton.patch | 82 --------------- |
| 11 |
.../files/cve-2017-2673-stable-ocata.patch | 115 --------------------- |
| 12 |
2 files changed, 197 deletions(-) |
| 13 |
|
| 14 |
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch |
| 15 |
deleted file mode 100644 |
| 16 |
index 0f64ed5f6a6..00000000000 |
| 17 |
--- a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch |
| 18 |
+++ /dev/null |
| 19 |
@@ -1,82 +0,0 @@ |
| 20 |
-From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001 |
| 21 |
-From: Boris Bobrov <breton@××××××××××××.ru> |
| 22 |
-Date: Mon, 17 Apr 2017 00:28:07 +0300 |
| 23 |
-Subject: [PATCH] Do not fetch group assignments without groups |
| 24 |
- |
| 25 |
-Without the change, the method fetched all assignments for a project |
| 26 |
-or domain, regardless of who has the assignment, user or group. This |
| 27 |
-led to situation when federated user without groups could scope a token |
| 28 |
-with other user's rules. |
| 29 |
- |
| 30 |
-Return empty list of assignments if no groups were passed. |
| 31 |
- |
| 32 |
-Closes-Bug: 1677723 |
| 33 |
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d |
| 34 |
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3) |
| 35 |
- |
| 36 |
-Conflicts: |
| 37 |
- keystone/tests/unit/test_v3_federation.py -- removed irrelevant |
| 38 |
- tests |
| 39 |
---- |
| 40 |
- keystone/assignment/core.py | 5 +++++ |
| 41 |
- keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++ |
| 42 |
- 2 files changed, 33 insertions(+) |
| 43 |
- |
| 44 |
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py |
| 45 |
-index e549abb..6a6717a 100644 |
| 46 |
---- a/keystone/assignment/core.py |
| 47 |
-+++ b/keystone/assignment/core.py |
| 48 |
-@@ -165,6 +165,11 @@ class Manager(manager.Manager): |
| 49 |
- |
| 50 |
- def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None): |
| 51 |
- """Get a list of roles for this group on domain and/or project.""" |
| 52 |
-+ # if no group ids were passed, there are no roles. Without this check, |
| 53 |
-+ # all assignments for the project or domain will be fetched, |
| 54 |
-+ # which is not what we want. |
| 55 |
-+ if not group_ids: |
| 56 |
-+ return [] |
| 57 |
- if project_id is not None: |
| 58 |
- self.resource_api.get_project(project_id) |
| 59 |
- assignment_list = self.list_role_assignments( |
| 60 |
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py |
| 61 |
-index f3e9baa..1a7ce40 100644 |
| 62 |
---- a/keystone/tests/unit/test_v3_federation.py |
| 63 |
-+++ b/keystone/tests/unit/test_v3_federation.py |
| 64 |
-@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): |
| 65 |
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups'] |
| 66 |
- self.assertEqual(0, len(token_groups)) |
| 67 |
- |
| 68 |
-+ def test_issue_scoped_token_no_groups(self): |
| 69 |
-+ """Verify that token without groups cannot get scoped to project. |
| 70 |
-+ |
| 71 |
-+ This test is required because of bug 1677723. |
| 72 |
-+ """ |
| 73 |
-+ # issue unscoped token with no groups |
| 74 |
-+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION') |
| 75 |
-+ self.assertIsNotNone(r.headers.get('X-Subject-Token')) |
| 76 |
-+ token_resp = r.json_body |
| 77 |
-+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups'] |
| 78 |
-+ self.assertEqual(0, len(token_groups)) |
| 79 |
-+ unscoped_token = r.headers.get('X-Subject-Token') |
| 80 |
-+ |
| 81 |
-+ # let admin get roles in a project |
| 82 |
-+ self.proj_employees |
| 83 |
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id) |
| 84 |
-+ self.identity_api.create_user(admin) |
| 85 |
-+ self.assignment_api.create_grant(self.role_admin['id'], |
| 86 |
-+ user_id=admin['id'], |
| 87 |
-+ project_id=self.proj_employees['id']) |
| 88 |
-+ |
| 89 |
-+ # try to scope the token. It should fail |
| 90 |
-+ scope = self._scope_request( |
| 91 |
-+ unscoped_token, 'project', self.proj_employees['id'] |
| 92 |
-+ ) |
| 93 |
-+ self.v3_create_token( |
| 94 |
-+ scope, expected_status=http_client.UNAUTHORIZED) |
| 95 |
-+ |
| 96 |
- def test_issue_unscoped_token_malformed_environment(self): |
| 97 |
- """Test whether non string objects are filtered out. |
| 98 |
- |
| 99 |
--- |
| 100 |
-2.1.4 |
| 101 |
- |
| 102 |
|
| 103 |
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch |
| 104 |
deleted file mode 100644 |
| 105 |
index abf17489cd9..00000000000 |
| 106 |
--- a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch |
| 107 |
+++ /dev/null |
| 108 |
@@ -1,115 +0,0 @@ |
| 109 |
-From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001 |
| 110 |
-From: Boris Bobrov <breton@××××××××××××.ru> |
| 111 |
-Date: Mon, 17 Apr 2017 00:28:07 +0300 |
| 112 |
-Subject: [PATCH] Do not fetch group assignments without groups |
| 113 |
- |
| 114 |
-Without the change, the method fetched all assignments for a project |
| 115 |
-or domain, regardless of who has the assignment, user or group. This |
| 116 |
-led to situation when federated user without groups could scope a token |
| 117 |
-with other user's rules. |
| 118 |
- |
| 119 |
-Return empty list of assignments if no groups were passed. |
| 120 |
- |
| 121 |
-Closes-Bug: 1677723 |
| 122 |
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d |
| 123 |
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3) |
| 124 |
---- |
| 125 |
- keystone/assignment/core.py | 5 +++ |
| 126 |
- keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++ |
| 127 |
- 2 files changed, 63 insertions(+) |
| 128 |
- |
| 129 |
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py |
| 130 |
-index eccc22d..8fba77e 100644 |
| 131 |
---- a/keystone/assignment/core.py |
| 132 |
-+++ b/keystone/assignment/core.py |
| 133 |
-@@ -126,6 +126,11 @@ class Manager(manager.Manager): |
| 134 |
- |
| 135 |
- def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None): |
| 136 |
- """Get a list of roles for this group on domain and/or project.""" |
| 137 |
-+ # if no group ids were passed, there are no roles. Without this check, |
| 138 |
-+ # all assignments for the project or domain will be fetched, |
| 139 |
-+ # which is not what we want. |
| 140 |
-+ if not group_ids: |
| 141 |
-+ return [] |
| 142 |
- if project_id is not None: |
| 143 |
- self.resource_api.get_project(project_id) |
| 144 |
- assignment_list = self.list_role_assignments( |
| 145 |
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py |
| 146 |
-index 0f5148f..03509b8 100644 |
| 147 |
---- a/keystone/tests/unit/test_v3_federation.py |
| 148 |
-+++ b/keystone/tests/unit/test_v3_federation.py |
| 149 |
-@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): |
| 150 |
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups'] |
| 151 |
- self.assertEqual(0, len(token_groups)) |
| 152 |
- |
| 153 |
-+ def test_issue_scoped_token_no_groups(self): |
| 154 |
-+ """Verify that token without groups cannot get scoped to project. |
| 155 |
-+ |
| 156 |
-+ This test is required because of bug 1677723. |
| 157 |
-+ """ |
| 158 |
-+ # issue unscoped token with no groups |
| 159 |
-+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION') |
| 160 |
-+ self.assertIsNotNone(r.headers.get('X-Subject-Token')) |
| 161 |
-+ token_resp = r.json_body |
| 162 |
-+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups'] |
| 163 |
-+ self.assertEqual(0, len(token_groups)) |
| 164 |
-+ unscoped_token = r.headers.get('X-Subject-Token') |
| 165 |
-+ |
| 166 |
-+ # let admin get roles in a project |
| 167 |
-+ self.proj_employees |
| 168 |
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id) |
| 169 |
-+ self.identity_api.create_user(admin) |
| 170 |
-+ self.assignment_api.create_grant(self.role_admin['id'], |
| 171 |
-+ user_id=admin['id'], |
| 172 |
-+ project_id=self.proj_employees['id']) |
| 173 |
-+ |
| 174 |
-+ # try to scope the token. It should fail |
| 175 |
-+ scope = self._scope_request( |
| 176 |
-+ unscoped_token, 'project', self.proj_employees['id'] |
| 177 |
-+ ) |
| 178 |
-+ self.v3_create_token( |
| 179 |
-+ scope, expected_status=http_client.UNAUTHORIZED) |
| 180 |
-+ |
| 181 |
- def test_issue_unscoped_token_malformed_environment(self): |
| 182 |
- """Test whether non string objects are filtered out. |
| 183 |
- |
| 184 |
-@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin): |
| 185 |
- self.expected_results[project_name], roles[0]['name'] |
| 186 |
- ) |
| 187 |
- |
| 188 |
-+ def test_user_gets_only_assigned_roles(self): |
| 189 |
-+ # in bug 1677723 user could get roles outside of what was assigned |
| 190 |
-+ # to them. This test verifies that this is no longer true. |
| 191 |
-+ # Authenticate once to create the projects |
| 192 |
-+ response = self._issue_unscoped_token() |
| 193 |
-+ self.assertValidMappedUser(response.json_body['token']) |
| 194 |
-+ unscoped_token = response.headers.get('X-Subject-Token') |
| 195 |
-+ |
| 196 |
-+ # Assign admin role to newly-created project to another user |
| 197 |
-+ staging_project = self.resource_api.get_project_by_name( |
| 198 |
-+ 'Staging', self.idp['domain_id'] |
| 199 |
-+ ) |
| 200 |
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id) |
| 201 |
-+ self.identity_api.create_user(admin) |
| 202 |
-+ self.assignment_api.create_grant(self.role_admin['id'], |
| 203 |
-+ user_id=admin['id'], |
| 204 |
-+ project_id=staging_project['id']) |
| 205 |
-+ |
| 206 |
-+ # Authenticate again with the federated user and verify roles |
| 207 |
-+ response = self._issue_unscoped_token() |
| 208 |
-+ self.assertValidMappedUser(response.json_body['token']) |
| 209 |
-+ unscoped_token = response.headers.get('X-Subject-Token') |
| 210 |
-+ scope = self._scope_request( |
| 211 |
-+ unscoped_token, 'project', staging_project['id'] |
| 212 |
-+ ) |
| 213 |
-+ response = self.v3_create_token(scope) |
| 214 |
-+ roles = response.json_body['token']['roles'] |
| 215 |
-+ role_ids = [r['id'] for r in roles] |
| 216 |
-+ self.assertNotIn(self.role_admin['id'], role_ids) |
| 217 |
-+ |
| 218 |
- |
| 219 |
- class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): |
| 220 |
- JSON_HOME_DATA = { |
| 221 |
--- |
| 222 |
-2.1.4 |
| 223 |
- |
Archives