

Viewing changes to debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch

  • Committer: Package Import Robot
  • Author(s): Thomas Goirand
  • Date: 2012-10-01 05:52:23 UTC
  • Revision ID: package-import@ubuntu.com-20121001055223-7fldz5pv6lc80w9f
Tags: 2012.1.1-9
* Fixes sometimes failing keystone.postrm (db_get in some conditions can
return false), and fixes inconsistent indenting.
* Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
/keystone.conf.sample for temporary storing the conf file (this was a policy
violation, as the doc folder should never be required).
* Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).




 
1
Description: Raise unauthorized if tenant disabled
 
2
 If the client attempts to explicitly authenticate against a disabled
 
3
 tenant, keystone should return HTTP 401 Unauthorized.
 
4
Bug-Debian: http://bugs.debian.org/689210
 
5
Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/988920
 
6
Author: Dolph Mathews <dolph.mathews@gmail.com>
 
7
Origin: upstream
 
8
 
 
9
Index: keystone/keystone/service.py
 
10
===================================================================
 
11
--- keystone.orig/keystone/service.py   2012-10-01 06:25:28.000000000 +0000
 
12
+++ keystone/keystone/service.py        2012-10-01 06:25:41.000000000 +0000
 
13
@@ -280,6 +280,11 @@
 
14
                 if not user_ref.get('enabled', True):
 
15
                     LOG.warning('User %s is disabled' % user_id)
 
16
                     raise exception.Unauthorized()
 
17
+
 
18
+                # If the tenant is disabled don't allow them to authenticate
 
19
+                if tenant_ref and not tenant_ref.get('enabled', True):
 
20
+                    LOG.warning('Tenant %s is disabled' % tenant_id)
 
21
+                    raise exception.Unauthorized()
 
22
             except AssertionError as e:
 
23
                 raise exception.Unauthorized(e.message)
 
24
 
 
25
@@ -333,6 +338,12 @@
 
26
 
 
27
             tenant_ref = self.identity_api.get_tenant(context=context,
 
28
                                                       tenant_id=tenant_id)
 
29
+
 
30
+            # If the tenant is disabled don't allow them to authenticate
 
31
+            if tenant_ref and not tenant_ref.get('enabled', True):
 
32
+                LOG.warning('Tenant %s is disabled' % tenant_id)
 
33
+                raise exception.Unauthorized()
 
34
+
 
35
             if tenant_ref:
 
36
                 metadata_ref = self.identity_api.get_metadata(
 
37
                         context=context,
 
38
Index: keystone/tests/test_keystoneclient.py
 
39
===================================================================
 
40
--- keystone.orig/tests/test_keystoneclient.py  2012-10-01 06:25:41.000000000 +0000
 
41
+++ keystone/tests/test_keystoneclient.py       2012-10-01 06:25:41.000000000 +0000
 
42
@@ -176,6 +176,53 @@
 
43
                           self.get_client,
 
44
                           user_ref)
 
45
 
 
46
+    def test_authenticate_disabled_tenant(self):
 
47
+        from keystoneclient import exceptions as client_exceptions
 
48
+
 
49
+        admin_client = self.get_client(admin=True)
 
50
+
 
51
+        tenant = {
 
52
+            'name': uuid.uuid4().hex,
 
53
+            'description': uuid.uuid4().hex,
 
54
+            'enabled': False,
 
55
+        }
 
56
+        tenant_ref = admin_client.tenants.create(
 
57
+            tenant_name=tenant['name'],
 
58
+            description=tenant['description'],
 
59
+            enabled=tenant['enabled'])
 
60
+        tenant['id'] = tenant_ref.id
 
61
+
 
62
+        user = {
 
63
+            'name': uuid.uuid4().hex,
 
64
+            'password': uuid.uuid4().hex,
 
65
+            'email': uuid.uuid4().hex,
 
66
+            'tenant_id': tenant['id'],
 
67
+        }
 
68
+        user_ref = admin_client.users.create(
 
69
+            name=user['name'],
 
70
+            password=user['password'],
 
71
+            email=user['email'],
 
72
+            tenant_id=user['tenant_id'])
 
73
+        user['id'] = user_ref.id
 
74
+
 
75
+        # password authentication
 
76
+        self.assertRaises(
 
77
+            client_exceptions.Unauthorized,
 
78
+            self._client,
 
79
+            username=user['name'],
 
80
+            password=user['password'],
 
81
+            tenant_id=tenant['id'])
 
82
+
 
83
+        # token authentication
 
84
+        client = self._client(
 
85
+            username=user['name'],
 
86
+            password=user['password'])
 
87
+        self.assertRaises(
 
88
+            client_exceptions.Unauthorized,
 
89
+            self._client,
 
90
+            token=client.auth_token,
 
91
+            tenant_id=tenant['id'])
 
92
+
 
93
     # FIXME(ja): this test should require the "keystone:admin" roled
 
94
     #            (probably the role set via --keystone_admin_role flag)
 
95
     # FIXME(ja): add a test that admin endpoint is only sent to admin user
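Review bot: The new tenant check in the service.py hunk at `@@ -280`, `if tenant_ref and not tenant_ref.get('enabled', True):`, fails open for a tenant record that carries no 'enabled' key, treating it as enabled; the same default appears in the second service.py hunk at `@@ -333`. It mirrors the existing user check `if not user_ref.get('enabled', True):` just above it, so it is consistent, but the fail-open default deserves a comment such as `# NOTE: a tenant_ref without an 'enabled' key is treated as enabled (fail-open), matching the user check above`, or a deliberate switch to a False default if every identity backend is known to populate the key. The enclosing methods in service.py start and end outside both hunks, so whether tenant_ref can be None at these points is not visible here. Nothing in this patch touches token validation, so a token issued before its tenant was disabled appears to remain usable until it expires; the changelog names a separate CVE-2012-4456 change for token validation, which may be where that is handled, and is worth confirming.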