~ubuntu-branches/debian/jessie/keystone/jessie

Viewing changes to debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch

Committer: Package Import Robot
Author(s): Thomas Goirand
Date: 2012-10-01 05:52:23 UTC
Revision ID: package-import@ubuntu.com-20121001055223-7fldz5pv6lc80w9f

Tags: 2012.1.1-9

http://bugs.debian.org/689210

* Fixes sometimes failing keystone.postrm (db_get in some conditions can
return false), and fixed non-consistant indenting.
* Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
/keystone.conf.sample for temporary storing the conf file (this was a policy
violation, as the doc folder should never be required).
* Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).

files added:
.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/keystone

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/keystone/catalog

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/keystone/catalog/core.py

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/keystone/identity

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/keystone/identity/core.py

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/tests

.pc/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch/tests/test_content_types.py

.pc/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch

.pc/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch/keystone

.pc/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch/keystone/service.py

.pc/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch/tests

.pc/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch/tests/test_keystoneclient.py

debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch

debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch

files modified:
.pc/applied-patches

debian/changelog

debian/keystone.postinst

debian/keystone.postrm

debian/patches/series

debian/rules

keystone/catalog/core.py

keystone/identity/core.py

keystone/service.py

tests/test_content_types.py

tests/test_keystoneclient.py

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch

Description: Require authz for user role list

Jason Xu (yinyangxu@gmail.com) discovered several vulnerabilities in OpenStack

Keystone token verification:

The first occurs in the API /v2.0/OS-KSADM/services and

/v2.0/OS-KSADM/services/{service_id}, the second occurs in

/v2.0/tenants/{tenant_id}/users/{user_id}/roles

In both cases the OpenStack Keystone code fails to check if the tokens are

valid. These issues have been addressed by adding checks in the form of

test_service_crud_requires_auth() and test_user_role_list_requires_auth().

Bug-Debian: http://bugs.debian.org/689210

Bug-Ubuntu: https://bugs.launchpad.net/+bug/1006815

Author: Dolph Mathews <dolph.mathews@gmail.com>

Origin: Upstream

Index: keystone/keystone/identity/core.py

===================================================================

--- keystone.orig/keystone/identity/core.py 2012-10-01 06:25:52.000000000 +0000

+++ keystone/keystone/identity/core.py 2012-10-01 06:25:52.000000000 +0000

@@ -458,6 +458,7 @@

not implementing them in hopes that the idea will die off.

"""

+ self.assert_admin(context)

if tenant_id is None:

raise exception.NotImplemented(message='User roles not supported: '

'tenant ID required')

Index: keystone/tests/test_content_types.py

===================================================================

--- keystone.orig/tests/test_content_types.py 2012-10-01 06:25:48.000000000 +0000

+++ keystone/tests/test_content_types.py 2012-10-01 06:25:52.000000000 +0000

@@ -16,6 +16,7 @@

import httplib

import json

+import uuid

from lxml import etree

import nose.exc

@@ -554,6 +555,49 @@

def assertValidVersionResponse(self, r):

self.assertValidVersion(r.body.get('version'))

+ def test_user_role_list_requires_auth(self):

+ """User role list should 401 without an X-Auth-Token (bug 1006815)."""

+ # values here don't matter because we should 401 before they're checked

+ path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % {

+ 'tenant_id': uuid.uuid4().hex,

+ 'user_id': uuid.uuid4().hex,

+ }

+ r = self.admin_request(path=path, expected_status=401)

+ self.assertValidErrorResponse(r)

+ def test_service_crud_requires_auth(self):

+ """Service CRUD should 401 without an X-Auth-Token (bug 1006822)."""

+ # values here don't matter because we should 401 before they're checked

+ service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex

+ service_body = {

+ 'OS-KSADM:service': {

+ 'name': uuid.uuid4().hex,

+ 'type': uuid.uuid4().hex,

+ },

+ }

+ r = self.admin_request(method='GET',

+ path='/v2.0/OS-KSADM/services',

+ expected_status=401)

+ self.assertValidErrorResponse(r)

+ r = self.admin_request(method='POST',

+ path='/v2.0/OS-KSADM/services',

+ body=service_body,

+ expected_status=401)

+ self.assertValidErrorResponse(r)

+ r = self.admin_request(method='GET',

+ path=service_path,

+ expected_status=401)

+ self.assertValidErrorResponse(r)

+ r = self.admin_request(method='DELETE',

+ path=service_path,

+ expected_status=401)

+ self.assertValidErrorResponse(r)

class XmlTestCase(RestfulTestCase, CoreApiTests):

xmlns = 'http://docs.openstack.org/identity/api/v2.0'

Index: keystone/keystone/catalog/core.py

===================================================================

--- keystone.orig/keystone/catalog/core.py 2012-10-01 06:25:48.000000000 +0000

+++ keystone/keystone/catalog/core.py 2012-10-01 06:25:52.000000000 +0000

@@ -116,29 +116,36 @@

class ServiceController(wsgi.Application):

def __init__(self):

self.catalog_api = Manager()

+ self.identity_api = identity.Manager()

100

+ self.policy_api = policy.Manager()

101

+ self.token_api = token.Manager()

102

super(ServiceController, self).__init__()

103

104

# CRUD extensions

105

# NOTE(termie): this OS-KSADM stuff is not very consistent

106

def get_services(self, context):

107

+ self.assert_admin(context)

108

service_list = self.catalog_api.list_services(context)

109

service_refs = [self.catalog_api.get_service(context, x)

110

for x in service_list]

111

return {'OS-KSADM:services': service_refs}

112

113

def get_service(self, context, service_id):

114

+ self.assert_admin(context)

115

service_ref = self.catalog_api.get_service(context, service_id)

116

if not service_ref:

117

raise exception.ServiceNotFound(service_id=service_id)

118

return {'OS-KSADM:service': service_ref}

119

120

def delete_service(self, context, service_id):

121

+ self.assert_admin(context)

122

service_ref = self.catalog_api.get_service(context, service_id)

123

if not service_ref:

124

raise exception.ServiceNotFound(service_id=service_id)

125

self.catalog_api.delete_service(context, service_id)

126

127

def create_service(self, context, OS_KSADM_service):

128

+ self.assert_admin(context)

129

service_id = uuid.uuid4().hex

130

service_ref = OS_KSADM_service.copy()

131

service_ref['id'] = service_id

Older »