Hello community,

here is the log from the commit of package openstack-keystone for 
openSUSE:Factory checked in at 2013-04-17 23:12:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openstack-keystone (Old)
 and      /work/SRC/openSUSE:Factory/.openstack-keystone.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openstack-keystone", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openstack-keystone/openstack-keystone.changes    
2013-03-15 10:43:04.000000000 +0100
+++ 
/work/SRC/openSUSE:Factory/.openstack-keystone.new/openstack-keystone.changes   
    2013-04-17 23:13:05.000000000 +0200
@@ -0,0 +1,6 @@
+--------------------------------------------------------------------
+Wed Mar 20 16:27:29 UTC 2013 - [email protected]
+
+- Update to version 2012.2.4+git.1363796849.255b1d4:
+  + validate from backend (lp#1129713, bnc#809590, CVE-2013-1865)
+

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openstack-keystone-doc.spec ++++++
--- /var/tmp/diff_new_pack.PyXYVK/_old  2013-04-17 23:13:08.000000000 +0200
+++ /var/tmp/diff_new_pack.PyXYVK/_new  2013-04-17 23:13:08.000000000 +0200
@@ -19,7 +19,7 @@
 %define component keystone
 
 Name:           openstack-%{component}-doc
-Version:        2012.2.4+git.1362502288.8690166
+Version:        2012.2.4+git.1363796849.255b1d4
 Release:        0
 License:        Apache-2.0
 Summary:        OpenStack Identity Service (Keystone) - Documentation

++++++ openstack-keystone.spec ++++++
--- /var/tmp/diff_new_pack.PyXYVK/_old  2013-04-17 23:13:08.000000000 +0200
+++ /var/tmp/diff_new_pack.PyXYVK/_new  2013-04-17 23:13:08.000000000 +0200
@@ -23,7 +23,7 @@
 %define hybrid keystone-hybrid-backend-folsom
 
 Name:           openstack-%{component}
-Version:        2012.2.4+git.1362502288.8690166
+Version:        2012.2.4+git.1363796849.255b1d4
 Release:        0
 License:        Apache-2.0
 Summary:        OpenStack Identity Service (Keystone)

++++++ keystone-hybrid-backend-folsom.tar.gz ++++++

++++++ keystone-stable-folsom.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/ChangeLog 
new/keystone-2012.2.4/ChangeLog
--- old/keystone-2012.2.4/ChangeLog     2013-03-05 15:24:55.000000000 +0100
+++ new/keystone-2012.2.4/ChangeLog     2013-03-20 16:37:10.000000000 +0100
@@ -1,3 +1,18 @@
+commit 255b1d43500f5d98ec73a0056525b492b14fec05
+Author: Adam Young <[email protected]>
+Date:   Wed Mar 20 09:49:32 2013 -0500
+
+    validate from backend (bug 1129713)
+    
+    In certain cases we were depending on CMS to validate PKI tokens
+    but that is not necessary, and by passes the revocation check
+    
+    Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
+
+ keystone/service.py   |   19 ++++++------------
+ tests/test_service.py |   51 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+), 13 deletions(-)
+
 commit 86901664189c62fce6f8f81619da0896cce469a1
 Author: Joe Heck <[email protected]>
 Date:   Thu Nov 1 15:36:31 2012 -0700
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/keystone/service.py 
new/keystone-2012.2.4/keystone/service.py
--- old/keystone-2012.2.4/keystone/service.py   2013-03-05 15:22:06.000000000 
+0100
+++ new/keystone-2012.2.4/keystone/service.py   2013-03-20 16:34:21.000000000 
+0100
@@ -490,20 +490,13 @@
         """
         # TODO(termie): this stuff should probably be moved to middleware
         self.assert_admin(context)
+        data = self.token_api.get_token(context=context, token_id=token_id)
+        if belongs_to:
+            if (not data.get('tenant') or data['tenant'].get('id') !=
+                    belongs_to):
+                raise exception.Unauthorized()
 
-        if cms.is_ans1_token(token_id):
-            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
-                                             config.CONF.signing.certfile,
-                                             config.CONF.signing.ca_certs))
-            data['access']['token']['user'] = data['access']['user']
-            data['access']['token']['metadata'] = data['access']['metadata']
-            if belongs_to:
-                assert data['access']['token']['tenant']['id'] == belongs_to
-            token_ref = data['access']['token']
-        else:
-            token_ref = self.token_api.get_token(context=context,
-                                                 token_id=token_id)
-        return token_ref
+        return data
 
     # admin only
     def validate_token_head(self, context, token_id):
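Review bot: The docstring that closes at the top of this hunk (the function header is above it) should state the new contract, since the visible change is a security fix: every token, PKI or not, is now fetched via `self.token_api.get_token`, so a revoked token is rejected instead of being accepted on its CMS signature alone, and `belongs_to` is compared with the token's tenant id, not its name. A suitable line is `Return the stored token; raise Unauthorized when belongs_to is given and the token is unscoped or scoped to a different tenant id.` Replacing the old `assert` with an explicit `exception.Unauthorized()` is right, because an `assert` is stripped under `-O` and would have silently dropped the tenant check. If `cms`, `json` and `config` are no longer referenced elsewhere in service.py their imports should go too, but that cannot be confirmed from this hunk.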
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/tests/test_service.py 
new/keystone-2012.2.4/tests/test_service.py
--- old/keystone-2012.2.4/tests/test_service.py 2013-03-05 15:22:06.000000000 
+0100
+++ new/keystone-2012.2.4/tests/test_service.py 2013-03-20 16:34:21.000000000 
+0100
@@ -150,3 +150,54 @@
         body_dict = _build_user_auth(username='FOO', password='0' * 8193)
         self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
                           {}, body_dict)
+
+
+class AuthWithToken(AuthTest):
+    def setUp(self):
+        super(AuthWithToken, self).setUp()
+
+    def test_belongs_to_no_tenant(self):
+        r = self.api.authenticate(
+            {},
+            auth={
+                'passwordCredentials': {
+                    'username': self.user_foo['name'],
+                    'password': self.user_foo['password']
+                }
+            })
+        unscoped_token_id = r['access']['token']['id']
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+            token_id=unscoped_token_id)
+
+    def test_belongs_to_wrong_tenant(self):
+        body_dict = _build_user_auth(
+            username='FOO',
+            password='foo2',
+            tenant_name="BAR")
+
+        scoped_token = self.api.authenticate({}, body_dict)
+        scoped_token_id = scoped_token['access']['token']['id']
+
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'me'}),
+            token_id=scoped_token_id)
+
+    def test_belongs_to(self):
+        body_dict = _build_user_auth(
+            username='FOO',
+            password='foo2',
+            tenant_name="BAR")
+
+        scoped_token = self.api.authenticate({}, body_dict)
+        scoped_token_id = scoped_token['access']['token']['id']
+
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+            token_id=scoped_token_id)
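Review bot: `test_belongs_to` asserts `exception.Unauthorized` for a token scoped to tenant_name "BAR" while `belongsTo` is also 'BAR', so despite its name it is a third negative case; it presumably passes only because `validate_token` compares `belongs_to` with the tenant *id* and the fixture's id for BAR differs from its name. A name such as `test_belongs_to_by_name_rejected` would make that intent explicit, and the class still has no positive case that passes the fixture's tenant id and asserts `validate_token` returns the token, which is the path the fix is meant to keep working. The `setUp` override that only calls `super(AuthWithToken, self).setUp()` adds nothing and can be dropped.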
