commit: 405148ae5fe2b8b3fddcbbc499df304ba308e5bb |
Author: Michael Mair-Keimberger (asterix) <m.mairkeimberger <AT> gmail <DOT> com> |
AuthorDate: Tue Aug 8 16:25:09 2017 +0000 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Tue Aug 8 22:36:43 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=405148ae |
|
sys-auth/keystone: remove unused patches |
|
.../files/cve-2017-2673-stable-newton.patch | 82 --------------- |
.../files/cve-2017-2673-stable-ocata.patch | 115 --------------------- |
2 files changed, 197 deletions(-) |
|
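diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
deleted file mode 100644
index 0f64ed5f6a6..00000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@××××××××××××.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
-
-Conflicts:
- keystone/tests/unit/test_v3_federation.py -- removed irrelevant
- tests
----
- keystone/assignment/core.py | 5 +++++
- keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index e549abb..6a6717a 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -165,6 +165,11 @@ class Manager(manager.Manager):
-
- def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
- """Get a list of roles for this group on domain and/or project."""
-+ # if no group ids were passed, there are no roles. Without this check,
-+ # all assignments for the project or domain will be fetched,
-+ # which is not what we want.
-+ if not group_ids:
-+ return []
- if project_id is not None:
- self.resource_api.get_project(project_id)
- assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index f3e9baa..1a7ce40 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
- self.assertEqual(0, len(token_groups))
-
-+ def test_issue_scoped_token_no_groups(self):
-+ """Verify that token without groups cannot get scoped to project.
-+
-+ This test is required because of bug 1677723.
-+ """
-+ # issue unscoped token with no groups
-+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+ token_resp = r.json_body
-+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+ self.assertEqual(0, len(token_groups))
-+ unscoped_token = r.headers.get('X-Subject-Token')
-+
-+ # let admin get roles in a project
-+ self.proj_employees
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+ self.identity_api.create_user(admin)
-+ self.assignment_api.create_grant(self.role_admin['id'],
-+ user_id=admin['id'],
-+ project_id=self.proj_employees['id'])
-+
-+ # try to scope the token. It should fail
-+ scope = self._scope_request(
-+ unscoped_token, 'project', self.proj_employees['id']
-+ )
-+ self.v3_create_token(
-+ scope, expected_status=http_client.UNAUTHORIZED)
-+
- def test_issue_unscoped_token_malformed_environment(self):
- """Test whether non string objects are filtered out.
-
---
-2.1.4
-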
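diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
deleted file mode 100644
index abf17489cd9..00000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@××××××××××××.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
----
- keystone/assignment/core.py | 5 +++
- keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index eccc22d..8fba77e 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -126,6 +126,11 @@ class Manager(manager.Manager):
-
- def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
- """Get a list of roles for this group on domain and/or project."""
-+ # if no group ids were passed, there are no roles. Without this check,
-+ # all assignments for the project or domain will be fetched,
-+ # which is not what we want.
-+ if not group_ids:
-+ return []
- if project_id is not None:
- self.resource_api.get_project(project_id)
- assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index 0f5148f..03509b8 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
- self.assertEqual(0, len(token_groups))
-
-+ def test_issue_scoped_token_no_groups(self):
-+ """Verify that token without groups cannot get scoped to project.
-+
-+ This test is required because of bug 1677723.
-+ """
-+ # issue unscoped token with no groups
-+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+ token_resp = r.json_body
-+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+ self.assertEqual(0, len(token_groups))
-+ unscoped_token = r.headers.get('X-Subject-Token')
-+
-+ # let admin get roles in a project
-+ self.proj_employees
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+ self.identity_api.create_user(admin)
-+ self.assignment_api.create_grant(self.role_admin['id'],
-+ user_id=admin['id'],
-+ project_id=self.proj_employees['id'])
-+
-+ # try to scope the token. It should fail
-+ scope = self._scope_request(
-+ unscoped_token, 'project', self.proj_employees['id']
-+ )
-+ self.v3_create_token(
-+ scope, expected_status=http_client.UNAUTHORIZED)
-+
- def test_issue_unscoped_token_malformed_environment(self):
- """Test whether non string objects are filtered out.
-
-@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
- self.expected_results[project_name], roles[0]['name']
- )
-
-+ def test_user_gets_only_assigned_roles(self):
-+ # in bug 1677723 user could get roles outside of what was assigned
-+ # to them. This test verifies that this is no longer true.
-+ # Authenticate once to create the projects
-+ response = self._issue_unscoped_token()
-+ self.assertValidMappedUser(response.json_body['token'])
-+ unscoped_token = response.headers.get('X-Subject-Token')
-+
-+ # Assign admin role to newly-created project to another user
-+ staging_project = self.resource_api.get_project_by_name(
-+ 'Staging', self.idp['domain_id']
-+ )
-+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+ self.identity_api.create_user(admin)
-+ self.assignment_api.create_grant(self.role_admin['id'],
-+ user_id=admin['id'],
-+ project_id=staging_project['id'])
-+
-+ # Authenticate again with the federated user and verify roles
-+ response = self._issue_unscoped_token()
-+ self.assertValidMappedUser(response.json_body['token'])
-+ unscoped_token = response.headers.get('X-Subject-Token')
-+ scope = self._scope_request(
-+ unscoped_token, 'project', staging_project['id']
-+ )
-+ response = self.v3_create_token(scope)
-+ roles = response.json_body['token']['roles']
-+ role_ids = [r['id'] for r in roles]
-+ self.assertNotIn(self.role_admin['id'], role_ids)
-+
-
- class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
- JSON_HOME_DATA = {
---
-2.1.4
-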