* [gentoo-commits] repo/gentoo:master commit in: sys-auth/keystone/files/
@ 2017-02-09 22:37 David Seifert
From: David Seifert @ 2017-02-09 22:37 UTC (permalink / raw
  To: gentoo-commits

commit:     dbbea4ae54fc9b929140741fca9c1e878548495b
Author:     Michael Mair-Keimberger (asterix) <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Tue Feb  7 16:40:24 2017 +0000
Commit:     David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Thu Feb  9 22:37:01 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbbea4ae

sys-auth/keystone: remove unused initd/confd files

Closes: https://github.com/gentoo/gentoo/pull/3870

 sys-auth/keystone/files/keystone.confd |  3 ---
 sys-auth/keystone/files/keystone.initd | 17 -----------------
 2 files changed, 20 deletions(-)

diff --git a/sys-auth/keystone/files/keystone.confd b/sys-auth/keystone/files/keystone.confd
deleted file mode 100644
index 669fa0a7ad..0000000000
--- a/sys-auth/keystone/files/keystone.confd
+++ /dev/null
@@ -1,3 +0,0 @@
-#KEYSTONE_CONF=/etc/keystone/keystone.conf
-#KEYSTONE_USER=keystone
-KEYSTONE_ARGS="--logfile /var/log/keystone/keystone.log"

diff --git a/sys-auth/keystone/files/keystone.initd b/sys-auth/keystone/files/keystone.initd
deleted file mode 100644
index cc98974d3a..0000000000
--- a/sys-auth/keystone/files/keystone.initd
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-description="Starts both the service and administrative APIs in a single process to provide catalog, authorization, and authentication services for OpenStack"
-
-command=/usr/bin/keystone-all
-pidfile=/var/run/keystone.pid
-required_files="${KEYSTONE_CONF:-/etc/keystone/keystone.conf}"
-
-start_stop_daemon_args="--background --make-pidfile --user ${KEYSTONE_USER:-keystone}"
-command_args="${KEYSTONE_ARGS}"
-
-depend() {
-	need net
-}



* [gentoo-commits] repo/gentoo:master commit in: sys-auth/keystone/files/
@ 2017-08-08 22:37 Matt Thode
From: Matt Thode @ 2017-08-08 22:37 UTC (permalink / raw
  To: gentoo-commits

commit:     405148ae5fe2b8b3fddcbbc499df304ba308e5bb
Author:     Michael Mair-Keimberger (asterix) <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Tue Aug  8 16:25:09 2017 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Tue Aug  8 22:36:43 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=405148ae

sys-auth/keystone: remove unused patches

 .../files/cve-2017-2673-stable-newton.patch        |  82 ---------------
 .../files/cve-2017-2673-stable-ocata.patch         | 115 ---------------------
 2 files changed, 197 deletions(-)

diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
deleted file mode 100644
index 0f64ed5f6a6..00000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@cynicmansion.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
-
-Conflicts:
-	keystone/tests/unit/test_v3_federation.py -- removed irrelevant
-						     tests
----
- keystone/assignment/core.py               |  5 +++++
- keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index e549abb..6a6717a 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -165,6 +165,11 @@ class Manager(manager.Manager):
- 
-     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
-         """Get a list of roles for this group on domain and/or project."""
-+        # if no group ids were passed, there are no roles. Without this check,
-+        # all assignments for the project or domain will be fetched,
-+        # which is not what we want.
-+        if not group_ids:
-+            return []
-         if project_id is not None:
-             self.resource_api.get_project(project_id)
-             assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index f3e9baa..1a7ce40 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
-         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-         self.assertEqual(0, len(token_groups))
- 
-+    def test_issue_scoped_token_no_groups(self):
-+        """Verify that token without groups cannot get scoped to project.
-+
-+        This test is required because of bug 1677723.
-+        """
-+        # issue unscoped token with no groups
-+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+        token_resp = r.json_body
-+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+        self.assertEqual(0, len(token_groups))
-+        unscoped_token = r.headers.get('X-Subject-Token')
-+
-+        # let admin get roles in a project
-+        self.proj_employees
-+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+        self.identity_api.create_user(admin)
-+        self.assignment_api.create_grant(self.role_admin['id'],
-+                                         user_id=admin['id'],
-+                                         project_id=self.proj_employees['id'])
-+
-+        # try to scope the token. It should fail
-+        scope = self._scope_request(
-+            unscoped_token, 'project', self.proj_employees['id']
-+        )
-+        self.v3_create_token(
-+            scope, expected_status=http_client.UNAUTHORIZED)
-+
-     def test_issue_unscoped_token_malformed_environment(self):
-         """Test whether non string objects are filtered out.
- 
--- 
-2.1.4
-

diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
deleted file mode 100644
index abf17489cd9..00000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@cynicmansion.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
----
- keystone/assignment/core.py               |  5 +++
- keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index eccc22d..8fba77e 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -126,6 +126,11 @@ class Manager(manager.Manager):
- 
-     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
-         """Get a list of roles for this group on domain and/or project."""
-+        # if no group ids were passed, there are no roles. Without this check,
-+        # all assignments for the project or domain will be fetched,
-+        # which is not what we want.
-+        if not group_ids:
-+            return []
-         if project_id is not None:
-             self.resource_api.get_project(project_id)
-             assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index 0f5148f..03509b8 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
-         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-         self.assertEqual(0, len(token_groups))
- 
-+    def test_issue_scoped_token_no_groups(self):
-+        """Verify that token without groups cannot get scoped to project.
-+
-+        This test is required because of bug 1677723.
-+        """
-+        # issue unscoped token with no groups
-+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+        token_resp = r.json_body
-+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+        self.assertEqual(0, len(token_groups))
-+        unscoped_token = r.headers.get('X-Subject-Token')
-+
-+        # let admin get roles in a project
-+        self.proj_employees
-+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+        self.identity_api.create_user(admin)
-+        self.assignment_api.create_grant(self.role_admin['id'],
-+                                         user_id=admin['id'],
-+                                         project_id=self.proj_employees['id'])
-+
-+        # try to scope the token. It should fail
-+        scope = self._scope_request(
-+            unscoped_token, 'project', self.proj_employees['id']
-+        )
-+        self.v3_create_token(
-+            scope, expected_status=http_client.UNAUTHORIZED)
-+
-     def test_issue_unscoped_token_malformed_environment(self):
-         """Test whether non string objects are filtered out.
- 
-@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
-                 self.expected_results[project_name], roles[0]['name']
-             )
- 
-+    def test_user_gets_only_assigned_roles(self):
-+        # in bug 1677723 user could get roles outside of what was assigned
-+        # to them. This test verifies that this is no longer true.
-+        # Authenticate once to create the projects
-+        response = self._issue_unscoped_token()
-+        self.assertValidMappedUser(response.json_body['token'])
-+        unscoped_token = response.headers.get('X-Subject-Token')
-+
-+        # Assign admin role to newly-created project to another user
-+        staging_project = self.resource_api.get_project_by_name(
-+            'Staging', self.idp['domain_id']
-+        )
-+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+        self.identity_api.create_user(admin)
-+        self.assignment_api.create_grant(self.role_admin['id'],
-+                                         user_id=admin['id'],
-+                                         project_id=staging_project['id'])
-+
-+        # Authenticate again with the federated user and verify roles
-+        response = self._issue_unscoped_token()
-+        self.assertValidMappedUser(response.json_body['token'])
-+        unscoped_token = response.headers.get('X-Subject-Token')
-+        scope = self._scope_request(
-+            unscoped_token, 'project', staging_project['id']
-+        )
-+        response = self.v3_create_token(scope)
-+        roles = response.json_body['token']['roles']
-+        role_ids = [r['id'] for r in roles]
-+        self.assertNotIn(self.role_admin['id'], role_ids)
-+
- 
- class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
-     JSON_HOME_DATA = {
--- 
-2.1.4
-

