From f4d9fe6d319b3b53175aeaf39ea596b4eef68a7f Mon Sep 17 00:00:00 2001
From: Matthew Thode
Date: Wed, 18 May 2016 10:09:12 -0500
Subject: sys-auth/keystone: fix CVE-2016-4911 bug 583392

Package-Manager: portage-2.2.28
---
 sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch | 103 ++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
(limited to 'sys-auth/keystone/files')
diff --git a/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
new file mode 100644
index 000000000000..0ea6cd8bab20
--- /dev/null
+++ b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
@@ -0,0 +1,103 @@
+From ee1dc941042d1f71699971c5c30566af1b348572 Mon Sep 17 00:00:00 2001
+From: Lance Bragstad
+Date: Mon, 2 May 2016 19:16:11 +0000
+Subject: Fix fernet audit ids for v2.0
+
+The fernet token provider was doing some weird things with audit ids that
+caused token rescoping to not work because audit ids were never pulled from the
+original token. This commit also enables some tests for v2.0 authentication
+with the Fernet as the token provider.
+
+Closes-Bug: 1577558
+Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
+(cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240)
+---
+ keystone/tests/unit/test_auth.py | 22 ++++++++++++++++++++++
+ keystone/token/controllers.py | 3 ++-
+ keystone/token/providers/fernet/core.py | 9 ++-------
+ 3 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py
+index b09d9ac..6f44b31 100644
+--- a/keystone/tests/unit/test_auth.py
++++ b/keystone/tests/unit/test_auth.py
+@@ -33,6 +33,7 @@ from keystone import exception
+ from keystone.models import token_model
+ from keystone.tests import unit
+ from keystone.tests.unit import default_fixtures
++from keystone.tests.unit import ksfixtures
+ from keystone.tests.unit.ksfixtures import database
+ from keystone import token
+ from keystone.token import provider
+@@ -671,6 +672,27 @@ class AuthWithToken(AuthTest):
+ token_id=token_2_id)
+
+
++class FernetAuthWithToken(AuthWithToken):
++ def config_overrides(self):
++ super(FernetAuthWithToken, self).config_overrides()
++ self.config_fixture.config(group='token', provider='fernet')
++ self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
++
++ def test_token_auth_with_binding(self):
++ self.config_fixture.config(group='token', bind=['kerberos'])
++ body_dict = _build_user_auth()
++ self.assertRaises(exception.NotImplemented,
++ self.controller.authenticate,
++ self.context_with_remote_user,
++ body_dict)
++
++ def test_revoke_with_no_audit_info(self):
++ self.skipTest('Fernet with v2.0 and revocation is broken')
++
++ def test_deleting_role_revokes_token(self):
++ self.skipTest('Fernet with v2.0 and revocation is broken')
++
++
+ class AuthWithPasswordCredentials(AuthTest):
+ def test_auth_invalid_user(self):
+ """Verify exception is raised if invalid user."""
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index f610fc4..6eeb23e 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -180,7 +180,8 @@ class Auth(controller.V2Controller):
+ try:
+ token_model_ref = token_model.KeystoneToken(
+ token_id=old_token,
+- token_data=self.token_provider_api.validate_token(old_token))
++ token_data=self.token_provider_api.validate_v2_token(old_token)
++ )
+ except exception.NotFound as e:
+ raise exception.Unauthorized(e)
+
+diff --git a/keystone/token/providers/fernet/core.py b/keystone/token/providers/fernet/core.py
+index 8042aab..ff6fe9c 100644
+--- a/keystone/token/providers/fernet/core.py
++++ b/keystone/token/providers/fernet/core.py
+@@ -15,7 +15,6 @@ from oslo_config import cfg
+ from keystone.common import dependency
+ from keystone.common import utils as ks_utils
+ from keystone.federation import constants as federation_constants
+-from keystone.token import provider
+ from keystone.token.providers import common
+ from keystone.token.providers.fernet import token_formatters as tf
+
+@@ -145,12 +144,8 @@ class Provider(common.BaseProvider):
+ expires_at = token_data['access']['token']['expires']
+ audit_ids = token_data['access']['token'].get('audit_ids')
+ methods = ['password']
+- if audit_ids:
+- parent_audit_id = token_data['access']['token'].get(
+- 'parent_audit_id')
+- audit_ids = provider.audit_info(parent_audit_id)
+- if parent_audit_id:
+- methods.append('token')
++ if len(audit_ids) > 1:
++ methods.append('token')
+ project_id = token_data['access']['token'].get('tenant', {}).get('id')
+ domain_id = None
+ trust_id = None
+--
+cgit v0.11.2
+
--
cgit v1.2.3-65-gdbad
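Review bot: In the fernet/core.py hunk, `if len(audit_ids) > 1:` drops the `if audit_ids:` guard that the removed lines had, while `audit_ids` is still read with `.get('audit_ids')` two lines above; if a v2 payload ever lacks that key this now raises TypeError inside the token provider instead of a clean authentication failure, so `if audit_ids and len(audit_ids) > 1:` keeps the old null-safety with the new semantics (whether the fernet v2 formatter can omit the key is not visible in this patch). The more security-relevant gap is in the test_auth.py hunk: the two revocation tests in the new FernetAuthWithToken class are `self.skipTest('Fernet with v2.0 and revocation is broken')`, so this CVE backport lands without a test that revoking the original token also invalidates a token rescoped from it under Fernet, which, going by the inner commit message, is exactly the audit-id chain the core.py change restores; a follow-up test or a tracking-bug reference next to the skip reason would make the fix verifiable. The switch to `validate_v2_token(old_token)` in controllers.py sits in a method whose body starts and ends outside the hunk, so any other `validate_token` uses on the v2 rescope path cannot be checked from this patch alone.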