updating keystone for cve-2013-4294

(Portage version: 2.1.12.2/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
author: Matthew Thode <prometheanfire@gentoo.org> 2013-09-11 16:01:38 +0000
committer: Matthew Thode <prometheanfire@gentoo.org> 2013-09-11 16:01:38 +0000
commit: 1fde3974f874ec558247be8706a29cc4a5e1f1cd (patch)
tree: 861d4dfe4dd355186e29a96f4c05e1758285f969 /sys-auth
parent: Fix failing patch wrt bug #484092. Tidy ebuild. (diff)
download: gentoo-2-1fde3974f874ec558247be8706a29cc4a5e1f1cd.tar.gz
gentoo-2-1fde3974f874ec558247be8706a29cc4a5e1f1cd.tar.bz2
gentoo-2-1fde3974f874ec558247be8706a29cc4a5e1f1cd.zip
5 files changed, 297 insertions, 3 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 7999ba7cdc76..ba893f0d6602 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.29 2013/08/19 03:26:04 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.30 2013/09/11 16:01:38 prometheanfire Exp $
+
+*keystone-2012.2.4-r7 (11 Sep 2013)
+*keystone-2013.1.3-r1 (11 Sep 2013)
+
+  11 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
+  +files/keystone-cve-2013-4294-folsom.patch,
+  +files/keystone-cve-2013-4294-grizzly.patch, +keystone-2012.2.4-r7.ebuild,
+  +keystone-2013.1.3-r1.ebuild, -keystone-2012.2.4-r6.ebuild,
+  -keystone-2013.1.3.ebuild:
+  updating keystone for cve-2013-4294
 
   19 Aug 2013; Matthew Thode <prometheanfire@gentoo.org>
   keystone-2013.1.9999.ebuild:
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
new file mode 100644
index 000000000000..2d9e9b5a1ea4
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
@@ -0,0 +1,143 @@
+From 8ef8be4af315d50edd661d8a5e846d260a5a3ce2 Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:10:28 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I07257b3704895a2af2654aa863f0b910122666da
+---
+ keystone/token/backends/kvs.py      |  2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py               | 48 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 51 insertions(+), 11 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 123e12f..e5e0ee2 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -81,7 +81,7 @@ class Token(kvs.Base, token.Driver):
+             if not token.startswith('revoked-token-'):
+                 continue
+             record = {}
+-            record['id'] = token_ref['id']
++            record['id'] = token[len('revoked-token-'):]
+             record['expires'] = token_ref['expires']
+             tokens.append(record)
+         return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index e4fa69a..815c392 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -82,8 +82,9 @@ class Token(token.Driver):
+                         raise exception.UnexpectedError(msg)
+         return copy.deepcopy(data_copy)
+ 
+-    def _add_to_revocation_list(self, data):
+-        data_json = jsonutils.dumps(data)
++    def _add_to_revocation_list(self, token_id, token_data):
++        data_json = jsonutils.dumps({'id': token_id,
++                                     'expires': token_data['expires']})
+         if not self.client.append(self.revocation_key, ',%s' % data_json):
+             if not self.client.add(self.revocation_key, data_json):
+                 if not self.client.append(self.revocation_key,
+@@ -93,10 +94,11 @@ class Token(token.Driver):
+ 
+     def delete_token(self, token_id):
+         # Test for existence
+-        data = self.get_token(self.token_to_key(token_id))
+-        ptk = self._prefix_token_id(self.token_to_key(token_id))
++        token_id = self.token_to_key(token_id)
++        data = self.get_token(token_id)
++        ptk = self._prefix_token_id(token_id)
+         result = self.client.delete(ptk)
+-        self._add_to_revocation_list(data)
++        self._add_to_revocation_list(token_id, data)
+         return result
+ 
+     def list_tokens(self, user_id, tenant_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 0a56cdb..3798e37 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,9 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+ 
++import copy
+ import datetime
+-import uuid
+ import default_fixtures
++import hashlib
++import uuid
+ 
+ from keystone.catalog import core
+ from keystone import exception
+@@ -628,19 +630,29 @@ class IdentityTests(object):
+ 
+ 
+ class TokenTests(object):
++    def _create_token_id(self):
++        # Token must start with MII here otherwise it fails the asn1 test
++        # and is not hashed in a SQL backend.
++        token_id = "MII"
++        for i in range(1, 20):
++            token_id += uuid.uuid4().hex
++        return token_id
++
+     def test_token_crud(self):
+         token_id = uuid.uuid4().hex
+         data = {'id': token_id, 'a': 'b',
+                 'user': {'id': 'testuserid'}}
+         data_ref = self.token_api.create_token(token_id, data)
+-        expires = data_ref.pop('expires')
++        data_ref_copy = copy.deepcopy(data_ref)
++        expires = data_ref_copy.pop('expires')
+         self.assertTrue(isinstance(expires, datetime.datetime))
+-        self.assertDictEqual(data_ref, data)
++        self.assertDictEqual(data_ref_copy, data)
+ 
+         new_data_ref = self.token_api.get_token(token_id)
+-        expires = new_data_ref.pop('expires')
++        new_data_ref_copy = copy.deepcopy(new_data_ref)
++        expires = new_data_ref_copy.pop('expires')
+         self.assertTrue(isinstance(expires, datetime.datetime))
+-        self.assertEquals(new_data_ref, data)
++        self.assertEquals(new_data_ref_copy, data)
+ 
+         self.token_api.delete_token(token_id)
+         self.assertRaises(exception.TokenNotFound,
+@@ -758,6 +770,32 @@ class TokenTests(object):
+         self.check_list_revoked_tokens([self.delete_token()
+                                         for x in xrange(2)])
+ 
++    def test_predictable_revoked_pki_token_id(self):
++        token_id = self._create_token_id()
++        token_id_hash = hashlib.md5(token_id).hexdigest()
++        token = {'user': {'id': uuid.uuid4().hex}}
++
++        self.token_api.create_token(token_id, token)
++        self.token_api.delete_token(token_id)
++
++        revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++        self.assertIn(token_id_hash, revoked_ids)
++        self.assertNotIn(token_id, revoked_ids)
++        for t in self.token_api.list_revoked_tokens():
++            self.assertIn('expires', t)
++
++    def test_predictable_revoked_uuid_token_id(self):
++        token_id = uuid.uuid4().hex
++        token = {'user': {'id': uuid.uuid4().hex}}
++
++        self.token_api.create_token(token_id, token)
++        self.token_api.delete_token(token_id)
++
++        revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++        self.assertIn(token_id, revoked_ids)
++        for t in self.token_api.list_revoked_tokens():
++            self.assertIn('expires', t)
++
+ 
+ class CommonHelperTests(test.TestCase):
+     def test_format_helper_raises_malformed_on_missing_key(self):
+-- 
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
new file mode 100644
index 000000000000..d789ea38443c
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
@@ -0,0 +1,139 @@
+From a20dcd159f9bf98e5605a3d13d4ba8de9aa1533e Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:53:26 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5
+---
+ keystone/token/backends/kvs.py      |  2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py               | 47 +++++++++++++++++++++++++++++++------
+ 3 files changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 49f15ad..1935b41 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver):
+             if not token.startswith('revoked-token-'):
+                 continue
+             record = {}
+-            record['id'] = token_ref['id']
++            record['id'] = token[len('revoked-token-'):]
+             record['expires'] = token_ref['expires']
+             tokens.append(record)
+         return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index a62f342..c2c9b51 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -84,8 +84,9 @@ class Token(token.Driver):
+                         raise exception.UnexpectedError(msg)
+         return copy.deepcopy(data_copy)
+ 
+-    def _add_to_revocation_list(self, data):
+-        data_json = jsonutils.dumps(data)
++    def _add_to_revocation_list(self, token_id, token_data):
++        data_json = jsonutils.dumps({'id': token_id,
++                                     'expires': token_data['expires']})
+         if not self.client.append(self.revocation_key, ',%s' % data_json):
+             if not self.client.add(self.revocation_key, data_json):
+                 if not self.client.append(self.revocation_key,
+@@ -95,10 +96,11 @@ class Token(token.Driver):
+ 
+     def delete_token(self, token_id):
+         # Test for existence
+-        data = self.get_token(token.unique_id(token_id))
+-        ptk = self._prefix_token_id(token.unique_id(token_id))
++        token_id = token.unique_id(token_id)
++        data = self.get_token(token_id)
++        ptk = self._prefix_token_id(token_id)
+         result = self.client.delete(ptk)
+-        self._add_to_revocation_list(data)
++        self._add_to_revocation_list(token_id, data)
+         return result
+ 
+     def list_tokens(self, user_id, tenant_id=None, trust_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 85ac7cf..d4c2e6c 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,10 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+ 
++import copy
+ import datetime
+ import default_fixtures
++import hashlib
+ import uuid
+-import nose.exc
+ 
+ from keystone.catalog import core
+ from keystone import config
+@@ -2065,17 +2066,19 @@ class TokenTests(object):
+                 'trust_id': None,
+                 'user': {'id': 'testuserid'}}
+         data_ref = self.token_api.create_token(token_id, data)
+-        expires = data_ref.pop('expires')
+-        data_ref.pop('user_id')
++        data_ref_copy = copy.deepcopy(data_ref)
++        expires = data_ref_copy.pop('expires')
++        data_ref_copy.pop('user_id')
+         self.assertTrue(isinstance(expires, datetime.datetime))
+-        self.assertDictEqual(data_ref, data)
++        self.assertDictEqual(data_ref_copy, data)
+ 
+         new_data_ref = self.token_api.get_token(token_id)
+-        expires = new_data_ref.pop('expires')
+-        new_data_ref.pop('user_id')
++        new_data_ref_copy = copy.deepcopy(new_data_ref)
++        expires = new_data_ref_copy.pop('expires')
++        new_data_ref_copy.pop('user_id')
+ 
+         self.assertTrue(isinstance(expires, datetime.datetime))
+-        self.assertEquals(new_data_ref, data)
++        self.assertEquals(new_data_ref_copy, data)
+ 
+         self.token_api.delete_token(token_id)
+         self.assertRaises(exception.TokenNotFound,
+@@ -2248,6 +2251,36 @@ class TokenTests(object):
+         self.check_list_revoked_tokens([self.delete_token()
+                                         for x in xrange(2)])
+ 
++    def test_predictable_revoked_pki_token_id(self):
++        # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the
++        #               returned token str in master, but not in grizzly.
++        #               revising _create_token_id() in grizzly to include the
++        #               previx breaks several other tests here
++        token_id = 'MII' + self._create_token_id()
++        token_id_hash = hashlib.md5(token_id).hexdigest()
++        token = {'user': {'id': uuid.uuid4().hex}}
++
++        self.token_api.create_token(token_id, token)
++        self.token_api.delete_token(token_id)
++
++        revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++        self.assertIn(token_id_hash, revoked_ids)
++        self.assertNotIn(token_id, revoked_ids)
++        for t in self.token_api.list_revoked_tokens():
++            self.assertIn('expires', t)
++
++    def test_predictable_revoked_uuid_token_id(self):
++        token_id = uuid.uuid4().hex
++        token = {'user': {'id': uuid.uuid4().hex}}
++
++        self.token_api.create_token(token_id, token)
++        self.token_api.delete_token(token_id)
++
++        revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++        self.assertIn(token_id, revoked_ids)
++        for t in self.token_api.list_revoked_tokens():
++            self.assertIn('expires', t)
++
+ 
+ class TrustTests(object):
+     def create_sample_trust(self, new_id):
+-- 
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
index e8eba2575642..33d6a7cff4ea 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r6.ebuild,v 1.1 2013/07/17 16:30:36 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r7.ebuild,v 1.1 2013/09/11 16:01:38 prometheanfire Exp $
 
 EAPI=5
 #test restricted becaues of bad requirements given (old webob for instance)
@@ -74,6 +74,7 @@ PATCHES=(
 	"${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch"
 	"${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
 	"${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
+	"${FILESDIR}/keystone-cve-2013-4294-folsom.patch"
 	"${FILESDIR}/2012.2.4-upstream-1181157.patch"
 )
 
diff --git a/sys-auth/keystone/keystone-2013.1.3.ebuild b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
index 498607be2433..6a6023ca7840 100644
--- a/sys-auth/keystone/keystone-2013.1.3.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3.ebuild,v 1.1 2013/08/11 00:56:17 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r1.ebuild,v 1.1 2013/09/11 16:01:37 prometheanfire Exp $
 
 EAPI=5
 #test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
 #			dev-python/webtest
 #			)
 PATCHES=(
+	"${FILESDIR}/keystone-cve-2013-4294-grizzly.patch"
 )
 #	"${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
 #
author	Matthew Thode <prometheanfire@gentoo.org>	2013-09-11 16:01:38 +0000
committer	Matthew Thode <prometheanfire@gentoo.org>	2013-09-11 16:01:38 +0000
commit	1fde3974f874ec558247be8706a29cc4a5e1f1cd (patch)
tree	861d4dfe4dd355186e29a96f4c05e1758285f969 /sys-auth
parent	Fix failing patch wrt bug #484092. Tidy ebuild. (diff)
download	gentoo-2-1fde3974f874ec558247be8706a29cc4a5e1f1cd.tar.gz gentoo-2-1fde3974f874ec558247be8706a29cc4a5e1f1cd.tar.bz2 gentoo-2-1fde3974f874ec558247be8706a29cc4a5e1f1cd.zip