* [gentoo-commits] gentoo-x86 commit in sys-auth/keystone/files: keystone-grizzly-2-CVE-2013-2157.patch keystone-folsom-4-CVE-2013-2157.patch
@ 2013-06-14 21:57 Matt Thode (prometheanfire)
From: Matt Thode (prometheanfire) @ 2013-06-14 21:57 UTC (permalink / raw
  To: gentoo-commits

prometheanfire    13/06/14 21:57:36

  Added:                keystone-grizzly-2-CVE-2013-2157.patch
                        keystone-folsom-4-CVE-2013-2157.patch
  Log:
  keystone fixed for CVE-2013-2157 bug 473304
  
  (Portage version: 2.1.11.62/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)

Revision  Changes    Path
1.1                  sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch?rev=1.1&content-type=text/plain

Index: keystone-grizzly-2-CVE-2013-2157.patch
===================================================================
From 1eaaf4ddb94626f3ff44931e764858161468e159 Mon Sep 17 00:00:00 2001
From: Jose Castro Leon <jose.castro.leon@cern.ch>
Date: Tue, 4 Jun 2013 11:59:35 -0400
Subject: [PATCH] Force simple Bind for authentication

The authentication code was using a common code path with
other LDAP code that got an LDAP connection.  If the system
was configured to do Anonymous binding, users could bypass
the authentication check.

This patch forces the authentication code to do a simple_bind.

Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
---
 keystone/identity/backends/ldap/core.py | 14 ++------------
 tests/test_backend_ldap.py              | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 1fad1120667f4d86f6d05c0109827be7e2160248..9ada436c8b2308a300966bacf8d2a7d78b118331 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -52,18 +52,6 @@ class Identity(identity.Driver):
         self.role = RoleApi(CONF)
         self.group = GroupApi(CONF)
 
-    def get_connection(self, user=None, password=None):
-        if self.LDAP_URL.startswith('fake://'):
-            conn = fakeldap.FakeLdap(self.LDAP_URL)
-        else:
-            conn = common_ldap.LdapWrapper(self.LDAP_URL)
-        if user is None:
-            user = self.LDAP_USER
-        if password is None:
-            password = self.LDAP_PASSWORD
-        conn.simple_bind_s(user, password)
-        return conn
-
     def _validate_domain(self, ref):
         """Validate that either the default domain or nothing is specified.
 
@@ -109,6 +97,8 @@ class Identity(identity.Driver):
         except exception.UserNotFound:
             raise AssertionError('Invalid user / password')
 
+        if not user_id or not password:
+            raise AssertionError('Invalid user / password')
         try:
             conn = self.user.get_connection(self.user._id_to_dn(user_id),
                                             password)
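Review bot: The new `if not user_id or not password:` guard is placed after the `UserNotFound` handler, so a missing or empty password appears to reach the user lookup before it is rejected; moving the guard above that `try` (or to the top of authenticate) fails fast and keeps the rejection independent of how the lookup behaves. The guard is the part of the fix worth documenting: with a simple bind, an empty password is an unauthenticated bind under RFC 4513 that many directory servers accept, so rejecting it here closes the path regardless of how `self.user.get_connection` (outside the hunk) is implemented. A comment on the new lines would make that intent survive future refactors, e.g. `# Reject empty credentials up front: an empty password would turn the simple bind below into an unauthenticated (anonymous) bind.` The same two lines appear in the folsom patch's core.py hunk at `@@ -85,6 +73,8 @@`. authenticate starts and ends outside the hunk.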
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index c0bceea52a6b550736146c88cacdc2fccb72053f..b2e33ee2c379e5662d07de8fbb0458a5acee647a 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@@ -595,6 +595,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
               'name': 'Default',
               'enabled': True}])
 
+    def test_authenticate_requires_simple_bind(self):
+        user = {
+            'id': 'no_meta',
+            'name': 'NO_META',
+            'domain_id': test_backend.DEFAULT_DOMAIN_ID,
+            'password': 'no_meta2',
+            'enabled': True,
+        }
+        self.identity_man.create_user({}, user['id'], user)
+        self.identity_api.add_user_to_project(self.tenant_baz['id'],
+                                              user['id'])
+        self.identity_api.user.LDAP_USER = None
+        self.identity_api.user.LDAP_PASSWORD = None
+
+        self.assertRaises(AssertionError,
+                          self.identity_api.authenticate,
+                          user_id=user['id'],
+                          tenant_id=self.tenant_baz['id'],
+                          password=None)
+
 
 class LDAPIdentityEnabledEmulation(LDAPIdentity):
     def setUp(self):
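Review bot: test_authenticate_requires_simple_bind only exercises `password=None`; the guard it covers also rejects the empty string, which is the case that matters for LDAP (an empty password makes a simple bind unauthenticated), and nothing pins that. A second assertion would cover it: `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], tenant_id=self.tenant_baz['id'], password='')`. The test also sets `self.identity_api.user.LDAP_USER` and `LDAP_PASSWORD` to None without restoring them; if that driver instance is shared with later tests in the class, saving the previous values and restoring them via `self.addCleanup(...)` would avoid leaking state between tests. The folsom patch's test hunk at `@@ -65,3 +65,19 @@` has the same coverage gap.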
-- 
1.8.1.4



1.1                  sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch?rev=1.1&content-type=text/plain

Index: keystone-folsom-4-CVE-2013-2157.patch
===================================================================
From 953fd4a2ac43ffcdf7edb4a35e0ca6a1c573092d Mon Sep 17 00:00:00 2001
From: Jose Castro Leon <jose.castro.leon@cern.ch>
Date: Thu, 6 Jun 2013 10:57:09 -0500
Subject: [PATCH] Force simple Bind for authentication

The authentication code was using a common code path with
other LDAP code that got an LDAP connection.  If the system
was configured to do Anonymous binding, users could bypass
the authentication check.

This patch forces the authentication code to do a simple_bind.

Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
---
 keystone/identity/backends/ldap/core.py | 14 ++------------
 tests/test_backend_ldap.py              | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 03d3ab6..e5bfcf6 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -58,18 +58,6 @@ class Identity(identity.Driver):
         self.tenant = TenantApi(CONF)
         self.role = RoleApi(CONF)
 
-    def get_connection(self, user=None, password=None):
-        if self.LDAP_URL.startswith('fake://'):
-            conn = fakeldap.FakeLdap(self.LDAP_URL)
-        else:
-            conn = common_ldap.LdapWrapper(self.LDAP_URL)
-        if user is None:
-            user = self.LDAP_USER
-        if password is None:
-            password = self.LDAP_PASSWORD
-        conn.simple_bind_s(user, password)
-        return conn
-
     # Identity interface
     def authenticate(self, user_id=None, tenant_id=None, password=None):
         """Authenticate based on a user, tenant and password.
@@ -85,6 +73,8 @@ class Identity(identity.Driver):
         except exception.UserNotFound:
             raise AssertionError('Invalid user / password')
 
+        if not user_id or not password:
+            raise AssertionError('Invalid user / password')
         try:
             conn = self.user.get_connection(self.user._id_to_dn(user_id),
                                             password)
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index 5f0137c..88e48c5 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@@ -65,3 +65,19 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
         user_api = identity_ldap.UserApi(CONF)
         self.assertTrue(user_api)
         self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix)
+
+    def test_authenticate_requires_simple_bind(self):
+        user = {
+            'id': uuid.uuid4().hex,
+            'name': uuid.uuid4().hex,
+            'password': uuid.uuid4().hex,
+            'enabled': True,
+        }
+        self.identity_api.create_user(user['id'], user)
+        self.identity_api.user.LDAP_USER = None
+        self.identity_api.user.LDAP_PASSWORD = None
+
+        self.assertRaises(AssertionError,
+                          self.identity_api.authenticate,
+                          user_id=user['id'],
+                          password=None)
-- 
1.8.2.3






