* [gentoo-commits] gentoo-x86 commit in sys-auth/keystone/files: keystone.initd 2013.2-CVE-2013-4477.patch 2013.1.4-CVE-2013-4477.patch keystone.confd keystone_test-requires.patch keystone-grizzly-1-CVE-2013-1977.patch 2013.1.3-CVE-2013-4222.patch
@ 2013-11-18 3:24 Matt Thode (prometheanfire)
From: Matt Thode (prometheanfire) @ 2013-11-18 3:24 UTC (permalink / raw
To: gentoo-commits
prometheanfire 13/11/18 03:24:30
Modified: keystone.initd keystone.confd
Added: 2013.2-CVE-2013-4477.patch
2013.1.4-CVE-2013-4477.patch
Removed: keystone_test-requires.patch
keystone-grizzly-1-CVE-2013-1977.patch
2013.1.3-CVE-2013-4222.patch
Log:
fixing cve and 490764 and 490766
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Revision Changes Path
1.3 sys-auth/keystone/files/keystone.initd
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone.initd?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone.initd?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone.initd?r1=1.2&r2=1.3
Index: keystone.initd
===================================================================
RCS file: /var/cvsroot/gentoo-x86/sys-auth/keystone/files/keystone.initd,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- keystone.initd 13 Aug 2013 16:36:17 -0000 1.2
+++ keystone.initd 18 Nov 2013 03:24:30 -0000 1.3
@@ -1,7 +1,7 @@
#!/sbin/runscript
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/files/keystone.initd,v 1.2 2013/08/13 16:36:17 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/files/keystone.initd,v 1.3 2013/11/18 03:24:30 prometheanfire Exp $
depend() {
need net
@@ -35,8 +35,7 @@
ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --quiet --make-pidfile --pidfile "${PID_PATH}/${SVCNAME}.pid" \
- --exec /usr/bin/${SVCNAME}-all --background -- --config-file=${CONFIG_FILE}
+ start-stop-daemon --start --quiet --make-pidfile --pidfile "${PID_PATH}/${SVCNAME}.pid" --exec /usr/bin/${SVCNAME}-all --background -- --config-file=${CONFIG_FILE} --log-file=${LOG_FILE}
eend $? "Failed to start ${SVCNAME}"
}
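Review bot: The new `--log-file=${LOG_FILE}` on the start-stop-daemon line is unquoted and has no fallback, so an existing /etc/conf.d/keystone that predates the LOG_FILE addition expands it to an empty `--log-file=` argument; `${CONFIG_FILE}` has the same quoting gap even though the pidfile argument right before it is quoted. I would write `--config-file="${CONFIG_FILE}" ${LOG_FILE:+--log-file="${LOG_FILE}"}` so the option is only emitted when the variable is set. Collapsing the command onto one line also drops the `\` continuation the previous revision used, which hurts readability for no gain. Whether /var/log/keystone exists and is writable by the account the daemon runs as is not visible in this hunk — presumably handled earlier in start(), but worth confirming. start() begins outside the hunk.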
1.2 sys-auth/keystone/files/keystone.confd
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone.confd?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone.confd?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/keystone.confd?r1=1.1&r2=1.2
Index: keystone.confd
===================================================================
RCS file: /var/cvsroot/gentoo-x86/sys-auth/keystone/files/keystone.confd,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- keystone.confd 9 Dec 2012 21:57:11 -0000 1.1
+++ keystone.confd 18 Nov 2013 03:24:30 -0000 1.2
@@ -1,2 +1,3 @@
CONFIG_FILE=/etc/keystone/keystone.conf
+LOG_FILE=/var/log/keystone/keystone.log
PID_PATH=/var/run/keystone
1.1 sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch?rev=1.1&content-type=text/plain
Index: 2013.2-CVE-2013-4477.patch
===================================================================
From 4221b6020e6b0b42325d8904d7b8a22577a6acc0 Mon Sep 17 00:00:00 2001
From: Brant Knudson <bknudson@us.ibm.com>
Date: Mon, 21 Oct 2013 15:21:12 -0500
Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment
When using the LDAP assignment backend, attempting to remove a
role assignment when the role hadn't been used before would
actually add the role assignment and would not return a
404 Not Found like the SQL backend.
This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.
Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
---
keystone/assignment/backends/ldap.py | 18 ++++--------------
keystone/tests/test_backend.py | 9 +++++++++
2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
index 851f9ec..ecf4adb 100644
--- a/keystone/assignment/backends/ldap.py
+++ b/keystone/assignment/backends/ldap.py
@@ -426,20 +426,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn,
try:
conn.modify_s(role_dn, [(ldap.MOD_DELETE,
self.member_attribute, user_dn)])
- except ldap.NO_SUCH_OBJECT:
- if tenant_dn is None:
- raise exception.RoleNotFound(role_id=role_id)
- attrs = [('objectClass', [self.object_class]),
- (self.member_attribute, [user_dn])]
-
- if self.use_dumb_member:
- attrs[1][1].append(self.dumb_member)
- try:
- conn.add_s(role_dn, attrs)
- except Exception as inst:
- raise inst
- except ldap.NO_SUCH_ATTRIBUTE:
- raise exception.UserNotFound(user_id=user_id)
+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+ raise exception.RoleNotFound(message=_(
+ 'Cannot remove role that has not been granted, %s') %
+ role_id)
finally:
conn.unbind_s()
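Review bot: The new except clause folds `ldap.NO_SUCH_OBJECT` and `ldap.NO_SUCH_ATTRIBUTE` into a single RoleNotFound without saying why, and the reason is exactly what a later maintainer must not undo: the removed branch answered a delete request by creating the role entry with `conn.add_s`, which is the CVE-2013-4477 behaviour this patch removes. I would add a comment above the except: `# Either the role entry or the member value is absent, so the grant does not exist: report 404 like the SQL backend. Never create the entry here (that was CVE-2013-4477).` The same comment belongs on the 2013.1.4 variant of this hunk in keystone/identity/backends/ldap/core.py. delete_user's signature and the code above the try lie outside the hunk.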
diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
index 7dd3477..e0e81ca 100644
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self):
self.tenant_bar['id'])
self.assertNotIn(self.user_two['id'], user_ids)
+ def test_remove_user_role_not_assigned(self):
+ # Expect failure if attempt to remove a role that was never assigned to
+ # the user.
+ self.assertRaises(exception.RoleNotFound,
+ self.identity_api.remove_role_from_user_and_project,
+ tenant_id=self.tenant_bar['id'],
+ user_id=self.user_two['id'],
+ role_id=self.role_other['id'])
+
def test_authenticate_bad_user(self):
self.assertRaises(AssertionError,
self.identity_api.authenticate,
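Review bot: test_remove_user_role_not_assigned only checks that RoleNotFound is raised; the regression it guards against was that the failed removal silently created the assignment, and nothing here verifies that did not happen. After the assertRaises I would re-read the project's users and assert `self.user_two['id']` is still absent, the same assertNotIn check on `user_ids` that the preceding test performs. The 2013.1.4 copy of this test in tests/test_backend.py has the same gap, and there `self.identity_api.get_project_users(self.tenant_bar['id'])` is visibly available for that check. The enclosing test class continues outside the hunk.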
--
1.8.4
1.1 sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2013.1.4-CVE-2013-4477.patch?rev=1.1&content-type=text/plain
Index: 2013.1.4-CVE-2013-4477.patch
===================================================================
From 82dcde08f60c45002955875664a3cf82d1d211bc Mon Sep 17 00:00:00 2001
From: Brant Knudson <bknudson@us.ibm.com>
Date: Mon, 21 Oct 2013 15:21:12 -0500
Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment
When using the LDAP assignment backend, attempting to remove a
role assignment when the role hadn't been used before would
actually add the role assignment and would not return a
404 Not Found like the SQL backend.
This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.
Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
(cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)
---
keystone/identity/backends/ldap/core.py | 19 ++++---------------
tests/test_backend.py | 9 +++++++++
2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 8ac7395..3d016c0 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -704,21 +704,10 @@ def delete_user(self, role_id, user_id, tenant_id):
try:
conn.modify_s(role_dn, [(ldap.MOD_DELETE,
self.member_attribute, user_dn)])
- except ldap.NO_SUCH_OBJECT:
- if tenant_id is None or self.get(role_id) is None:
- raise exception.RoleNotFound(role_id=role_id)
- attrs = [('objectClass', [self.object_class]),
- (self.member_attribute, [user_dn])]
-
- if self.use_dumb_member:
- attrs[1][1].append(self.dumb_member)
- try:
- conn.add_s(role_dn, attrs)
- except Exception as inst:
- raise inst
-
- except ldap.NO_SUCH_ATTRIBUTE:
- raise exception.UserNotFound(user_id=user_id)
+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+ raise exception.RoleNotFound(message=_(
+ 'Cannot remove role that has not been granted, %s') %
+ role_id)
def get_role_assignments(self, tenant_id):
conn = self.get_connection()
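Review bot: In this variant no connection release is visible on the new exception path: the hunk ends at the raise, and a `finally: conn.unbind_s()` appears only in the 2013.2 version of the same change. If the LDAP connection used by delete_user is opened above the hunk without a try/finally, the RoleNotFound raised here leaks it; I would wrap the `conn.modify_s(...)` in `try: ... finally: conn.unbind_s()` as the 2013.2 patch does. The start of delete_user lies outside the hunk, so this needs confirming against the full function.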
diff --git a/tests/test_backend.py b/tests/test_backend.py
index d4c2e6c..1af3c16 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -57,6 +57,15 @@ def test_project_add_and_remove_user_role(self):
user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
+ def test_remove_user_role_not_assigned(self):
+ # Expect failure if attempt to remove a role that was never assigned to
+ # the user.
+ self.assertRaises(exception.RoleNotFound,
+ self.identity_api.remove_role_from_user_and_project,
+ tenant_id=self.tenant_bar['id'],
+ user_id=self.user_two['id'],
+ role_id=self.role_other['id'])
+
def test_authenticate_bad_user(self):
self.assertRaises(AssertionError,
self.identity_api.authenticate,
--
1.8.4