~ubuntu-branches/ubuntu/quantal/nova/quantal-proposed

Viewing changes to nova/consoleauth/manager.py

Committer: Package Import Robot
Author(s): James Page
Date: 2013-03-22 12:40:07 UTC
Revision ID: package-import@ubuntu.com-20130322124007-yulmow8qdfbxsigv

Tags: 2012.2.3-0ubuntu2

* Re-sync with latest security updates.
* SECURITY UPDATE: fix denial of service via fixed IPs when using extensions
  - debian/patches/CVE-2013-1838.patch: add explicit quota for fixed IP
  - CVE-2013-1838
* SECURITY UPDATE: fix VNC token validation
  - debian/patches/CVE-2013-0335.patch: force console auth service to flush
    all tokens associated with an instance when it is deleted
  - CVE-2013-0335
* SECURITY UPDATE: fix denial of service
  - CVE-2013-1664.patch: Add a new utils.safe_minidom_parse_string function
    and update external API facing Nova modules to use it
  - CVE-2013-1664

files added:
.pc/CVE-2013-0335.patch

.pc/CVE-2013-0335.patch/nova

.pc/CVE-2013-0335.patch/nova/common

.pc/CVE-2013-0335.patch/nova/common/memorycache.py

.pc/CVE-2013-0335.patch/nova/compute

.pc/CVE-2013-0335.patch/nova/compute/api.py

.pc/CVE-2013-0335.patch/nova/compute/manager.py

.pc/CVE-2013-0335.patch/nova/compute/rpcapi.py

.pc/CVE-2013-0335.patch/nova/consoleauth

.pc/CVE-2013-0335.patch/nova/consoleauth/manager.py

.pc/CVE-2013-0335.patch/nova/consoleauth/rpcapi.py

.pc/CVE-2013-0335.patch/nova/tests

.pc/CVE-2013-0335.patch/nova/tests/compute

.pc/CVE-2013-0335.patch/nova/tests/compute/test_compute.py

.pc/CVE-2013-0335.patch/nova/tests/compute/test_rpcapi.py

.pc/CVE-2013-0335.patch/nova/tests/consoleauth

.pc/CVE-2013-0335.patch/nova/tests/consoleauth/test_consoleauth.py

.pc/CVE-2013-0335.patch/nova/tests/consoleauth/test_rpcapi.py

.pc/CVE-2013-1664.patch

.pc/CVE-2013-1664.patch/nova

.pc/CVE-2013-1664.patch/nova/api

.pc/CVE-2013-1664.patch/nova/api/openstack

.pc/CVE-2013-1664.patch/nova/api/openstack/common.py

.pc/CVE-2013-1664.patch/nova/api/openstack/compute

.pc/CVE-2013-1664.patch/nova/api/openstack/compute/contrib

.pc/CVE-2013-1664.patch/nova/api/openstack/compute/contrib/hosts.py

.pc/CVE-2013-1664.patch/nova/api/openstack/compute/contrib/security_groups.py

.pc/CVE-2013-1664.patch/nova/api/openstack/compute/contrib/volumes.py

.pc/CVE-2013-1664.patch/nova/api/openstack/compute/servers.py

.pc/CVE-2013-1664.patch/nova/api/openstack/volume

.pc/CVE-2013-1664.patch/nova/api/openstack/volume/contrib

.pc/CVE-2013-1664.patch/nova/api/openstack/volume/contrib/volume_actions.py

.pc/CVE-2013-1664.patch/nova/api/openstack/volume/volumes.py

.pc/CVE-2013-1664.patch/nova/api/openstack/wsgi.py

.pc/CVE-2013-1664.patch/nova/tests

.pc/CVE-2013-1664.patch/nova/tests/test_utils.py

.pc/CVE-2013-1664.patch/nova/utils.py

.pc/CVE-2013-1838.patch

.pc/CVE-2013-1838.patch/nova

.pc/CVE-2013-1838.patch/nova/db

.pc/CVE-2013-1838.patch/nova/db/api.py

.pc/CVE-2013-1838.patch/nova/db/sqlalchemy

.pc/CVE-2013-1838.patch/nova/db/sqlalchemy/api.py

.pc/CVE-2013-1838.patch/nova/exception.py

.pc/CVE-2013-1838.patch/nova/network

.pc/CVE-2013-1838.patch/nova/network/manager.py

.pc/CVE-2013-1838.patch/nova/quota.py

.pc/CVE-2013-1838.patch/nova/tests

.pc/CVE-2013-1838.patch/nova/tests/api

.pc/CVE-2013-1838.patch/nova/tests/api/openstack

.pc/CVE-2013-1838.patch/nova/tests/api/openstack/compute

.pc/CVE-2013-1838.patch/nova/tests/api/openstack/compute/contrib

.pc/CVE-2013-1838.patch/nova/tests/api/openstack/compute/contrib/test_quota_classes.py

.pc/CVE-2013-1838.patch/nova/tests/api/openstack/compute/contrib/test_quotas.py

.pc/CVE-2013-1838.patch/nova/tests/network

.pc/CVE-2013-1838.patch/nova/tests/network/test_manager.py

.pc/CVE-2013-1838.patch/nova/tests/test_quota.py

debian/patches/CVE-2013-0335.patch

debian/patches/CVE-2013-1664.patch

debian/patches/CVE-2013-1838.patch

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

nova/api/openstack/common.py

nova/api/openstack/compute/contrib/hosts.py

nova/api/openstack/compute/contrib/security_groups.py

nova/api/openstack/compute/contrib/volumes.py

nova/api/openstack/compute/servers.py

nova/api/openstack/volume/contrib/volume_actions.py

nova/api/openstack/volume/volumes.py

nova/api/openstack/wsgi.py

nova/common/memorycache.py

nova/compute/api.py

nova/compute/manager.py

nova/compute/rpcapi.py

nova/consoleauth/manager.py

nova/consoleauth/rpcapi.py

nova/db/api.py

nova/db/sqlalchemy/api.py

nova/exception.py

nova/network/manager.py

nova/quota.py

nova/tests/api/openstack/compute/contrib/test_quota_classes.py

nova/tests/api/openstack/compute/contrib/test_quotas.py

nova/tests/compute/test_compute.py

nova/tests/compute/test_rpcapi.py

nova/tests/consoleauth/test_consoleauth.py

nova/tests/consoleauth/test_rpcapi.py

nova/tests/network/test_manager.py

nova/tests/test_quota.py

nova/tests/test_utils.py

nova/utils.py

Show diffs side-by-side

added added

removed removed

nova/consoleauth/manager.py

import time

from nova.compute import rpcapi as compute_rpcapi

from nova.db import api as db

from nova import flags

from nova import manager

from nova.openstack.common import cfg

from nova.common import memorycache as memcache

self.mc = memcache.Client(FLAGS.memcached_servers,

debug=0)

self.compute_rpcapi = compute_rpcapi.ComputeAPI()

def _get_tokens_for_instance(self, instance_uuid):

tokens_str = self.mc.get(instance_uuid.encode('UTF-8'))

if not tokens_str:

tokens = []

else:

tokens = jsonutils.loads(tokens_str)

return tokens

def authorize_console(self, context, token, console_type, host, port,

internal_access_path):

internal_access_path, instance_uuid=None):

token_dict = {'token': token,

'instance_uuid': instance_uuid,

'console_type': console_type,

'host': host,

'port': port,

'last_activity_at': time.time()}

data = jsonutils.dumps(token_dict)

self.mc.set(token.encode('UTF-8'), data, FLAGS.console_token_ttl)

if instance_uuid is not None:

tokens = self._get_tokens_for_instance(instance_uuid)

tokens.append(token)

self.mc.set(instance_uuid.encode('UTF-8'),

jsonutils.dumps(tokens))

LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals())

def _validate_token(self, context, token):

instance_uuid = token['instance_uuid']

if instance_uuid is None:

return False

instance = db.instance_get_by_uuid(context, instance_uuid)

return self.compute_rpcapi.validate_console_port(context,

instance,

token['port'],

token['console_type'])

100

101

def check_token(self, context, token):

102

token_str = self.mc.get(token.encode('UTF-8'))

103

token_valid = (token_str is not None)

104

LOG.audit(_("Checking Token: %(token)s, %(token_valid)s)"), locals())

105

if token_valid:

return jsonutils.loads(token_str)

106

token = jsonutils.loads(token_str)

107

if self._validate_token(context, token):

108

return token

109

110

def delete_tokens_for_instance(self, context, instance_uuid):

111

tokens = self._get_tokens_for_instance(instance_uuid)

112

for token in tokens:

113

self.mc.delete(token)

114

self.mc.delete(instance_uuid.encode('UTF-8'))

Older »