public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] gentoo-x86 commit in sys-cluster/nova/files: CVE-2014-0167-2013.2.3.patch
@ 2014-04-11 15:12 Matt Thode (prometheanfire)
  0 siblings, 0 replies; 2+ messages in thread
From: Matt Thode (prometheanfire) @ 2014-04-11 15:12 UTC (permalink / raw
  To: gentoo-commits

prometheanfire    14/04/11 15:12:49

  Added:                CVE-2014-0167-2013.2.3.patch
  Log:
  fix for CVE-2014-0167
  
  (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)

Revision  Changes    Path
1.1                  sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch?rev=1.1&content-type=text/plain

Index: CVE-2014-0167-2013.2.3.patch
===================================================================
From 5a1adb94e77f7be4885e4d86087140b94421c963 Mon Sep 17 00:00:00 2001
From: Andrew Laski <andrew.laski@rackspace.com>
Date: Thu, 3 Apr 2014 16:37:36 -0400
Subject: [PATCH] Add RBAC policy for ec2 API security groups calls

The revoke_security_group_ingress, revoke_security_group_ingress, and
delete_security_group calls in the ec2 API were not restricted by policy
checks.  This prevented a deployer from restricting their usage via
roles or other checks.  Checks have been added for these calls.

Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
---
 nova/api/ec2/cloud.py            |   10 +++++++++
 nova/tests/api/ec2/test_cloud.py |   44 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 94ff160..36c2f12 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -30,6 +30,7 @@ from oslo.config import cfg
 from nova.api.ec2 import ec2utils
 from nova.api.ec2 import inst_state
 from nova.api.metadata import password
+from nova.api.openstack import extensions
 from nova.api import validator
 from nova import availability_zones
 from nova import block_device
@@ -85,6 +86,9 @@ LOG = logging.getLogger(__name__)
 
 QUOTAS = quota.QUOTAS
 
+security_group_authorizer = extensions.extension_authorizer('compute',
+                                                            'security_groups')
+
 
 def validate_ec2_id(val):
     if not validator.validate_str()(val):
@@ -631,6 +635,8 @@ class CloudController(object):
         security_group = self.security_group_api.get(context, group_name,
                                                      group_id)
 
+        security_group_authorizer(context, security_group)
+
         prevalues = kwargs.get('ip_permissions', [kwargs])
 
         rule_ids = []
@@ -665,6 +671,8 @@ class CloudController(object):
         security_group = self.security_group_api.get(context, group_name,
                                                      group_id)
 
+        security_group_authorizer(context, security_group)
+
         prevalues = kwargs.get('ip_permissions', [kwargs])
         postvalues = []
         for values in prevalues:
@@ -737,6 +745,8 @@ class CloudController(object):
         security_group = self.security_group_api.get(context, group_name,
                                                      group_id)
 
+        security_group_authorizer(context, security_group)
+
         self.security_group_api.destroy(context, security_group)
 
         return True
diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
index 269a738..b28d194 100644
--- a/nova/tests/api/ec2/test_cloud.py
+++ b/nova/tests/api/ec2/test_cloud.py
@@ -23,6 +23,7 @@ import copy
 import datetime
 import functools
 import iso8601
+import mock
 import os
 import string
 import tempfile
@@ -47,6 +48,7 @@ from nova.image import s3
 from nova.network import api as network_api
 from nova.network import neutronv2
 from nova.openstack.common import log as logging
+from nova.openstack.common import policy as common_policy
 from nova.openstack.common import timeutils
 from nova import test
 from nova.tests.api.openstack.compute.contrib import (
@@ -471,6 +473,34 @@ class CloudTestCase(test.TestCase):
         delete = self.cloud.delete_security_group
         self.assertRaises(exception.MissingParameter, delete, self.context)
 
+    def test_delete_security_group_policy_not_allowed(self):
+        rules = common_policy.Rules(
+                {'compute_extension:security_groups':
+                    common_policy.parse_rule('project_id:%(project_id)s')})
+        common_policy.set_rules(rules)
+
+        with mock.patch.object(self.cloud.security_group_api,
+                'get') as get:
+            get.return_value = {'project_id': 'invalid'}
+
+            self.assertRaises(exception.PolicyNotAuthorized,
+                    self.cloud.delete_security_group, self.context,
+                    'fake-name', 'fake-id')
+
+    def test_authorize_security_group_ingress_policy_not_allowed(self):
+        rules = common_policy.Rules(
+                {'compute_extension:security_groups':
+                    common_policy.parse_rule('project_id:%(project_id)s')})
+        common_policy.set_rules(rules)
+
+        with mock.patch.object(self.cloud.security_group_api,
+                'get') as get:
+            get.return_value = {'project_id': 'invalid'}
+
+            self.assertRaises(exception.PolicyNotAuthorized,
+                    self.cloud.authorize_security_group_ingress, self.context,
+                    'fake-name', 'fake-id')
+
     def test_authorize_security_group_ingress(self):
         kwargs = {'project_id': self.context.project_id, 'name': 'test'}
         sec = db.security_group_create(self.context, kwargs)
@@ -575,6 +605,20 @@ class CloudTestCase(test.TestCase):
         db.security_group_destroy(self.context, sec2['id'])
         db.security_group_destroy(self.context, sec1['id'])
 
+    def test_revoke_security_group_ingress_policy_not_allowed(self):
+        rules = common_policy.Rules(
+                {'compute_extension:security_groups':
+                    common_policy.parse_rule('project_id:%(project_id)s')})
+        common_policy.set_rules(rules)
+
+        with mock.patch.object(self.cloud.security_group_api,
+                'get') as get:
+            get.return_value = {'project_id': 'invalid'}
+
+            self.assertRaises(exception.PolicyNotAuthorized,
+                    self.cloud.revoke_security_group_ingress, self.context,
+                    'fake-name', 'fake-id')
+
     def test_revoke_security_group_ingress(self):
         kwargs = {'project_id': self.context.project_id, 'name': 'test'}
         sec = db.security_group_create(self.context, kwargs)
-- 
1.7.9.5







^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [gentoo-commits] gentoo-x86 commit in sys-cluster/nova/files: CVE-2014-0167-2013.2.3.patch
@ 2014-06-15  4:31 Matt Thode (prometheanfire)
  0 siblings, 0 replies; 2+ messages in thread
From: Matt Thode (prometheanfire) @ 2014-06-15  4:31 UTC (permalink / raw
  To: gentoo-commits

prometheanfire    14/06/15 04:31:29

  Removed:              CVE-2014-0167-2013.2.3.patch
  Log:
  removing the old badness fixes bug 512296 CVE-2014-2573
  
  (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-06-15  4:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-11 15:12 [gentoo-commits] gentoo-x86 commit in sys-cluster/nova/files: CVE-2014-0167-2013.2.3.patch Matt Thode (prometheanfire)
  -- strict thread matches above, loose matches on Subject: below --
2014-06-15  4:31 Matt Thode (prometheanfire)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox