Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
I have applied upstream patches for CVE-2012-445{6,7} (yes, yet another
CVE in keystone...), and fixed the bad handling of /etc/keystone/keystone.conf.
The latter modifications have already been investigated by Julien, and I
believe they are in shape now.
If the release team prefers that I first undo the keystone.conf changes so
that only the CVE fixes migrate, and the keystone.conf handling then
gets the standard 10 days of testing, that can be done too. I have no problem
doing this in 2 steps, to give more testing time for the keystone.conf
handling. But I believe it should be ok now.
The debdiff is attached. It's unfortunately not so small.
Thanks for your time working on the Wheezy release,
Please unblock keystone/2012.1.1-9,
Cheers,
Thomas Goirand (zigo)
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/changelog 2012-10-01 06:51:43.000000000 +0000
@@ -1,3 +1,28 @@
+keystone (2012.1.1-9) unstable; urgency=high
+
+ * Fixes sometimes failing keystone.postrm (db_get in some conditions can
+ return false), and fixed non-consistant indenting.
+ * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
+ /keystone.conf.sample for temporary storing the conf file (this was a policy
+ violation, as the doc folder should never be required).
+ * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
+ CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 01 Oct 2012 05:52:23 +0000
+
+keystone (2012.1.1-8) unstable; urgency=low
+
+ * Fixes parsing of the SQL connection in keystone.config.
+
+ -- Thomas Goirand <zigo@debian.org> Sun, 30 Sep 2012 01:48:50 +0000
+
+keystone (2012.1.1-7) unstable; urgency=low
+
+ * Fixes band handling (eg: policy violation) of keystone.conf which was
+ conffiles, but changed in the posinst (Closes: #687311).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 12 Sep 2012 17:09:47 +0000
+
keystone (2012.1.1-6) unstable; urgency=high
* CVE-2012-4413: Revoking a role does not affect existing tokens
diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config
--- keystone-2012.1.1/debian/keystone.config 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.config 2012-10-01 06:51:43.000000000 +0000
@@ -1,19 +1,79 @@
#!/bin/sh
+
set -e
. /usr/share/debconf/confmodule
+### Reading of values in the keystone config file ###
+### and setting default for dbconfig-common accordingly ###
+KEY_CONF=/etc/keystone/keystone.conf
+
+if [ -e "${KEY_CONF}" ] ; then
+ KEY_CONF_AUTH_TOKEN=`grep -E "^([ \t])*admin_token([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ if [ -n "${KEY_CONF_AUTH_TOKEN}" ] ; then
+ db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}
+ fi
+fi
db_input low keystone/auth-token || true
db_input low keystone/configure_db || true
db_go
+
db_get keystone/configure_db
-if [ "$RET" = "true" ]; then
- if [ -f /usr/share/dbconfig-common/dpkg/config ];
- then
- dbc_dbtypes="sqlite3, mysql, pgsql"
- db_authmethod_user="password"
- dbc_basepath="/var/lib/keystone"
+if [ "$RET" = "true" ] && [ -e "${KEY_CONF}" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
. /usr/share/dbconfig-common/dpkg/config
+ KEY_CONF_DB_CON_INFO=`grep -E "^([ \t])*connection([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d":" -f1`
+ # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite)
+ if [ "${KEY_CONF_DB_TYPE}" != "sqlite" ] && [ "${KEY_CONF_DB_TYPE}" != "mysql" ] && [ "${KEY_CONF_DB_TYPE}" != "pgsql" ] ; then
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+ KEY_CONF_DB_TYPE="sqlite"
+ fi
+ if [ "${KEY_CONF_DB_TYPE}" = "sqlite" ] ; then
+ # This is the invalid default in the etc/keystone.conf in the source package
+ if [ "${KEY_CONF_DB_CON_INFO}" = "sqlite:///keystone.db" ] ; then
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+ fi
+
+ KEY_CONF_DB_PATH=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,11)}'`
+ if [ -z "${KEY_CONF_DB_PATH}" ] ; then
+ KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite
+ fi
+ dbc_basepath=`dirname "${KEY_CONF_DB_PATH}"`
+ dbc_dbname=`basename "${KEY_CONF_DB_PATH}"`
+ dbc_dbtypes="sqlite3, mysql, pgsql"
+ else
+ # Later, the postinst does: mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
+ # so we are supposed to parse that if it exists
+ KEY_CONF_ADDR=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,9)}'`
+ KEY_CONF_BEFORE_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f1`
+ KEY_CONF_AFTER_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f2`
+
+ KEY_CONF_USER=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f2`
+ KEY_CONF_USER=`echo "${KEY_CONF_USER}" | cut -d"/" -f3`
+ KEY_CONF_PASS=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f3`
+ KEY_CONF_SERVER_PORT=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f1`
+ KEY_CONF_DB_NAME=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f2`
+
+ KEY_CONF_SERVER=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f1`
+ if echo "${KEY_CONF_SERVER_PORT}" | grep -Eq ":" ; then
+ KEY_CONF_PORT=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f2`
+ else
+ KEY_CONF_PORT=""
+ fi
+
+ if [ -n "${KEY_CONF_USER}" ] && [ -n "${KEY_CONF_PASS}" ] && [ -n "${KEY_CONF_SERVER}" ] && [ -n "${KEY_CONF_DB_NAME}" ] ; then
+ dbc_dbuser=${KEY_CONF_USER}
+ dbc_dbpass=${KEY_CONF_PASS}
+ dbc_dbserver=${KEY_CONF_SERVER}
+ dbc_dbport=${KEY_CONF_PORT}
+ dbc_dbname=${KEY_CONF_DB_NAME}
+ fi
+ if [ "${KEY_CONF_DB_TYPE}" = "mysql" ] ; then
+ dbc_dbtypes="mysql, pgsql, sqlite3"
+ else
+ dbc_dbtypes="pgsql, mysql, sqlite3"
+ fi
+ db_authmethod_user="password"
+ fi
dbc_go keystone $@
- fi
fi
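Review bot: The `KEY_CONF_USER`/`KEY_CONF_PASS` extraction in the non-sqlite branch cannot succeed as written: `substr($0,9)` already strips `mysql://`/`pgsql://`, so `KEY_CONF_BEFORE_AT` is `user:pass`, `cut -d":" -f2` returns the password and `-f3` returns nothing, and the `-n "${KEY_CONF_PASS}"` guard then silently skips pre-seeding the dbc_* values from the existing connection string (unless I have misread the offsets, the branch is dead for its stated purpose). The `cut` splits also mis-parse any password that itself contains `@` or `:`; splitting on the last `@` and the first `:` with POSIX parameter expansion fixes both, as below. Separately, `db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}` should quote its argument so a token containing whitespace or glob characters is not split before it reaches debconf.
```shell
KEY_CONF_ADDR=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,9)}'`
KEY_CONF_BEFORE_AT=${KEY_CONF_ADDR%@*}      # everything before the last '@'
KEY_CONF_AFTER_AT=${KEY_CONF_ADDR##*@}      # everything after it
KEY_CONF_USER=${KEY_CONF_BEFORE_AT%%:*}     # up to the first ':'
KEY_CONF_PASS=${KEY_CONF_BEFORE_AT#*:}      # the rest; ':' allowed inside
[ "${KEY_CONF_PASS}" != "${KEY_CONF_BEFORE_AT}" ] || KEY_CONF_PASS=""   # no ':' -> no password
# ... unchanged: server/port/dbname split and dbc_* assignment ...
```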
diff -Nru keystone-2012.1.1/debian/keystone.install keystone-2012.1.1/debian/keystone.install
--- keystone-2012.1.1/debian/keystone.install 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.install 2012-10-01 06:51:43.000000000 +0000
@@ -1,2 +1,4 @@
usr/bin/*
-etc/* etc/keystone
\ No newline at end of file
+etc/default_catalog.templates /etc/keystone
+etc/logging.conf.sample /usr/share/doc/keystone
+etc/policy.json /etc/keystone
diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst
--- keystone-2012.1.1/debian/keystone.postinst 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.postinst 2012-10-01 06:51:43.000000000 +0000
@@ -1,77 +1,64 @@
#!/bin/sh
+
set -e
-if [ "$1" = "configure" ]
-then
- . /usr/share/debconf/confmodule
- . /usr/share/dbconfig-common/dpkg/postinst
-
- adduser --system \
- --home /var/lib/keystone \
- --no-create-home \
- --quiet \
- --disabled-password \
- --group keystone
-
-
- db_get keystone/configure_db
- if [ "$RET" = "true" ]; then
- db_get keystone/database-type
- if [ $RET = "sqlite3" ]
- then
- dbc_name="keystone.sqlite"
- db_set keystone/db/dbname $dbc_name
+if [ "$1" = "configure" ] ; then
+ . /usr/share/debconf/confmodule
+ . /usr/share/dbconfig-common/dpkg/postinst
+
+ # Create config files if they don't exist
+ KEY_CONF=/etc/keystone/keystone.conf
+ if ! [ -e /etc/keystone ] ; then
+ mkdir /etc/keystone
+ fi
+ if ! [ -e "${KEY_CONF}" ] && [ -r /usr/share/keystone/keystone.conf ] ; then
+ cp -auxf /usr/share/keystone/keystone.conf ${KEY_CONF}
fi
- dbc_dbfile_owner="keystone:keystone"
-
- dbc_go keystone $@
-
- if [ "$dbc_install" = "true" ]
- then
- case "$dbc_dbtype" in
- sqlite3)
- SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
- ;;
- mysql)
- [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
- SQL_CONNECTION="mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
- ;;
- pgsql)
- [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
- SQL_CONNECTION="pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
- ;;
- *)
- SQL_CONNECTION="sqlite:////var/lib/keystone/$dbc_dbname"
- ;;
- esac
-
- sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i /etc/keystone/keystone.conf
- if [ "$dbc_upgrade" = "true" ]
- then
- keystone-manage db_sync
- fi
+ adduser --system \
+ --home /var/lib/keystone \
+ --no-create-home \
+ --quiet \
+ --disabled-password \
+ --group keystone
+
+ db_get keystone/configure_db
+ if [ "$RET" = "true" ] ; then
+ db_get keystone/database-type
+ dbc_dbfile_owner="keystone:keystone"
+
+ dbc_go keystone $@
+ if [ "$dbc_install" = "true" ] ; then
+ if [ "$dbc_dbtype" = "mysql" ] || [ "$dbc_dbtype" = "pgsql" ] ; then
+ if [ -n "$dbc_dbport" ] ; then
+ dbport=:$dbc_dbport
+ fi
+ SQL_CONNECTION="$dbc_dbtype://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
+ else
+ SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
+ fi
+ fi
+
+ sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i ${KEY_CONF}
+
+ if [ "$dbc_upgrade" = "true" ] ; then
+ keystone-manage db_sync
+ fi
fi
- fi
- if [ -z "$2" ]
- then
db_get keystone/auth-token
AUTH_TOKEN=${RET:-ADMIN}
- sed -s "s,^admin_token = ADMIN,admin_token = $AUTH_TOKEN," -i /etc/keystone/keystone.conf
- fi
+ sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}
- chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
- chmod 0750 /etc/keystone
- chmod 0750 /var/log/keystone
+ chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
+ chmod 0750 /etc/keystone
+ chmod 0750 /var/log/keystone
+ # On first install, create basics configuration and add roles
+ if [ -z "$2" ] ; then
+ keystone-manage db_sync
+ fi
fi
#DEBHELPER#
-# On first install, create basics configuration and add roles
-if [ -z "$2" ]
-then
- keystone-manage db_sync
-fi
-
exit 0
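Review bot: `sed -ie '...' ${KEY_CONF}` does not mean `-i -e`: GNU sed reads `-ie` as in-place with backup suffix `e`, so every configure run leaves a stale `/etc/keystone/keystone.confe` next to the live file, holding the previous admin_token and the `connection =` credentials. Write it as `sed -i -e 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '"${AUTH_TOKEN}"'|' "${KEY_CONF}"`, which also quotes the token (unquoted it is word-split, and a value containing `|` or `&` still breaks the sed expression, so validating the debconf answer against a safe character set would be prudent). Separately, the `connection =` sed has moved out of the `if [ "$dbc_install" = "true" ]` block that used to enclose it, so whenever dbc_go does not set `dbc_install` the line is rewritten as `connection = ` with an empty value; move it back inside that block, or guard it with `[ -n "$SQL_CONNECTION" ]`.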
diff -Nru keystone-2012.1.1/debian/keystone.postrm keystone-2012.1.1/debian/keystone.postrm
--- keystone-2012.1.1/debian/keystone.postrm 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.postrm 2012-10-01 06:51:43.000000000 +0000
@@ -2,24 +2,24 @@
set -e
-if [ -f /usr/share/debconf/confmodule ]
-then
- . /usr/share/debconf/confmodule
+if [ -f /usr/share/debconf/confmodule ] ;then
+ . /usr/share/debconf/confmodule
+ db_get keystone/configure_db || true
+ DEBCONF_CONFIGURE_DB=$RET
fi
-db_get keystone/configure_db
-if [ "$RET" = "true" ]; then
- if [ -f /usr/share/dbconfig-common/dpkg/postrm ]
- then
- . /usr/share/dbconfig-common/dpkg/postrm
- dbc_go keystone $@
- fi
+if [ "${DEBCONF_CONFIGURE_DB}" = "true" ] ; then
+ if [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then
+ . /usr/share/dbconfig-common/dpkg/postrm
+ dbc_go keystone $@
+ fi
fi
case "$1" in
- purge)
- rm -rf /var/log/keystone
+purge)
+ rm -rf /var/log/keystone
rm -rf /var/lib/keystone
+ rm -rf /etc/keystone
esac
#DEBHELPER#
diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch
--- keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch 1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch 2012-10-01 06:51:43.000000000 +0000
@@ -0,0 +1,131 @@
+Description: Require authz for user role list
+ Jason Xu (yinyangxu@gmail.com) discovered several vulnerabilities in OpenStack
+ Keystone token verification:
+ .
+ The first occurs in the API /v2.0/OS-KSADM/services and
+ /v2.0/OS-KSADM/services/{service_id}, the second occurs in
+ /v2.0/tenants/{tenant_id}/users/{user_id}/roles
+ .
+ In both cases the OpenStack Keystone code fails to check if the tokens are
+ valid. These issues have been addressed by adding checks in the form of
+ test_service_crud_requires_auth() and test_user_role_list_requires_auth().
+Bug-Debian: http://bugs.debian.org/689210
+Bug-Ubuntu: https://bugs.launchpad.net/+bug/1006815
+Author: Dolph Mathews <dolph.mathews@gmail.com>
+Origin: Upstream
+
+Index: keystone/keystone/identity/core.py
+===================================================================
+--- keystone.orig/keystone/identity/core.py 2012-10-01 06:25:52.000000000 +0000
++++ keystone/keystone/identity/core.py 2012-10-01 06:25:52.000000000 +0000
+@@ -458,6 +458,7 @@
+ not implementing them in hopes that the idea will die off.
+
+ """
++ self.assert_admin(context)
+ if tenant_id is None:
+ raise exception.NotImplemented(message='User roles not supported: '
+ 'tenant ID required')
+Index: keystone/tests/test_content_types.py
+===================================================================
+--- keystone.orig/tests/test_content_types.py 2012-10-01 06:25:48.000000000 +0000
++++ keystone/tests/test_content_types.py 2012-10-01 06:25:52.000000000 +0000
+@@ -16,6 +16,7 @@
+
+ import httplib
+ import json
++import uuid
+
+ from lxml import etree
+ import nose.exc
+@@ -554,6 +555,49 @@
+ def assertValidVersionResponse(self, r):
+ self.assertValidVersion(r.body.get('version'))
+
++ def test_user_role_list_requires_auth(self):
++ """User role list should 401 without an X-Auth-Token (bug 1006815)."""
++ # values here don't matter because we should 401 before they're checked
++ path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % {
++ 'tenant_id': uuid.uuid4().hex,
++ 'user_id': uuid.uuid4().hex,
++ }
++
++ r = self.admin_request(path=path, expected_status=401)
++ self.assertValidErrorResponse(r)
++
++ def test_service_crud_requires_auth(self):
++ """Service CRUD should 401 without an X-Auth-Token (bug 1006822)."""
++ # values here don't matter because we should 401 before they're checked
++ service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex
++ service_body = {
++ 'OS-KSADM:service': {
++ 'name': uuid.uuid4().hex,
++ 'type': uuid.uuid4().hex,
++ },
++ }
++
++ r = self.admin_request(method='GET',
++ path='/v2.0/OS-KSADM/services',
++ expected_status=401)
++ self.assertValidErrorResponse(r)
++
++ r = self.admin_request(method='POST',
++ path='/v2.0/OS-KSADM/services',
++ body=service_body,
++ expected_status=401)
++ self.assertValidErrorResponse(r)
++
++ r = self.admin_request(method='GET',
++ path=service_path,
++ expected_status=401)
++ self.assertValidErrorResponse(r)
++
++ r = self.admin_request(method='DELETE',
++ path=service_path,
++ expected_status=401)
++ self.assertValidErrorResponse(r)
++
+
+ class XmlTestCase(RestfulTestCase, CoreApiTests):
+ xmlns = 'http://docs.openstack.org/identity/api/v2.0'
+Index: keystone/keystone/catalog/core.py
+===================================================================
+--- keystone.orig/keystone/catalog/core.py 2012-10-01 06:25:48.000000000 +0000
++++ keystone/keystone/catalog/core.py 2012-10-01 06:25:52.000000000 +0000
+@@ -116,29 +116,36 @@
+ class ServiceController(wsgi.Application):
+ def __init__(self):
+ self.catalog_api = Manager()
++ self.identity_api = identity.Manager()
++ self.policy_api = policy.Manager()
++ self.token_api = token.Manager()
+ super(ServiceController, self).__init__()
+
+ # CRUD extensions
+ # NOTE(termie): this OS-KSADM stuff is not very consistent
+ def get_services(self, context):
++ self.assert_admin(context)
+ service_list = self.catalog_api.list_services(context)
+ service_refs = [self.catalog_api.get_service(context, x)
+ for x in service_list]
+ return {'OS-KSADM:services': service_refs}
+
+ def get_service(self, context, service_id):
++ self.assert_admin(context)
+ service_ref = self.catalog_api.get_service(context, service_id)
+ if not service_ref:
+ raise exception.ServiceNotFound(service_id=service_id)
+ return {'OS-KSADM:service': service_ref}
+
+ def delete_service(self, context, service_id):
++ self.assert_admin(context)
+ service_ref = self.catalog_api.get_service(context, service_id)
+ if not service_ref:
+ raise exception.ServiceNotFound(service_id=service_id)
+ self.catalog_api.delete_service(context, service_id)
+
+ def create_service(self, context, OS_KSADM_service):
++ self.assert_admin(context)
+ service_id = uuid.uuid4().hex
+ service_ref = OS_KSADM_service.copy()
+ service_ref['id'] = service_id
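Review bot: The catalog/core.py hunk makes `ServiceController.__init__` instantiate `identity.Manager()`, `policy.Manager()` and `token.Manager()`, but the patch carries no import hunk for that file, so it only works if `identity`, `policy` and `token` are already imported there (the EndpointController in the same module presumably does the same); worth confirming in the patched tree before upload, since a missing import would surface as a NameError on the first request rather than at quilt push. The new tests only exercise the no-token 401 path; `assert_admin` presumably also rejects a valid non-admin token, and that case is not covered here, though that matches the upstream change. `create_service` continues past the end of the hunk.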
diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch
--- keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch 1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch 2012-10-01 06:51:43.000000000 +0000
@@ -0,0 +1,95 @@
+Description: Raise unauthorized if tenant disabled
+ If the client attempts to explicitly authenticate against a disabled
+ tenant, keystone should return HTTP 401 Unauthorized.
+Bug-Debian: http://bugs.debian.org/689210
+Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/988920
+Author: Dolph Mathews <dolph.mathews@gmail.com>
+Origin: upstream
+
+Index: keystone/keystone/service.py
+===================================================================
+--- keystone.orig/keystone/service.py 2012-10-01 06:25:28.000000000 +0000
++++ keystone/keystone/service.py 2012-10-01 06:25:41.000000000 +0000
+@@ -280,6 +280,11 @@
+ if not user_ref.get('enabled', True):
+ LOG.warning('User %s is disabled' % user_id)
+ raise exception.Unauthorized()
++
++ # If the tenant is disabled don't allow them to authenticate
++ if tenant_ref and not tenant_ref.get('enabled', True):
++ LOG.warning('Tenant %s is disabled' % tenant_id)
++ raise exception.Unauthorized()
+ except AssertionError as e:
+ raise exception.Unauthorized(e.message)
+
+@@ -333,6 +338,12 @@
+
+ tenant_ref = self.identity_api.get_tenant(context=context,
+ tenant_id=tenant_id)
++
++ # If the tenant is disabled don't allow them to authenticate
++ if tenant_ref and not tenant_ref.get('enabled', True):
++ LOG.warning('Tenant %s is disabled' % tenant_id)
++ raise exception.Unauthorized()
++
+ if tenant_ref:
+ metadata_ref = self.identity_api.get_metadata(
+ context=context,
+Index: keystone/tests/test_keystoneclient.py
+===================================================================
+--- keystone.orig/tests/test_keystoneclient.py 2012-10-01 06:25:41.000000000 +0000
++++ keystone/tests/test_keystoneclient.py 2012-10-01 06:25:41.000000000 +0000
+@@ -176,6 +176,53 @@
+ self.get_client,
+ user_ref)
+
++ def test_authenticate_disabled_tenant(self):
++ from keystoneclient import exceptions as client_exceptions
++
++ admin_client = self.get_client(admin=True)
++
++ tenant = {
++ 'name': uuid.uuid4().hex,
++ 'description': uuid.uuid4().hex,
++ 'enabled': False,
++ }
++ tenant_ref = admin_client.tenants.create(
++ tenant_name=tenant['name'],
++ description=tenant['description'],
++ enabled=tenant['enabled'])
++ tenant['id'] = tenant_ref.id
++
++ user = {
++ 'name': uuid.uuid4().hex,
++ 'password': uuid.uuid4().hex,
++ 'email': uuid.uuid4().hex,
++ 'tenant_id': tenant['id'],
++ }
++ user_ref = admin_client.users.create(
++ name=user['name'],
++ password=user['password'],
++ email=user['email'],
++ tenant_id=user['tenant_id'])
++ user['id'] = user_ref.id
++
++ # password authentication
++ self.assertRaises(
++ client_exceptions.Unauthorized,
++ self._client,
++ username=user['name'],
++ password=user['password'],
++ tenant_id=tenant['id'])
++
++ # token authentication
++ client = self._client(
++ username=user['name'],
++ password=user['password'])
++ self.assertRaises(
++ client_exceptions.Unauthorized,
++ self._client,
++ token=client.auth_token,
++ tenant_id=tenant['id'])
++
+ # FIXME(ja): this test should require the "keystone:admin" roled
+ # (probably the role set via --keystone_admin_role flag)
+ # FIXME(ja): add a test that admin endpoint is only sent to admin user
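Review bot: Both new checks treat a tenant record without an `enabled` key as enabled (`tenant_ref.get('enabled', True)`), i.e. they fail open; this mirrors the existing user check just above and so matches upstream, but if the identity backend can ever return a tenant without that key the disabled state would be missed, which is worth a comment such as `# NOTE: a tenant without an 'enabled' key is treated as enabled, as for users above`. The same four lines appear verbatim in both authentication paths; should the backport ever be modified locally, a single `_assert_tenant_enabled(tenant_ref, tenant_id)` helper would keep them in step. The enclosing method begins and ends outside both hunks.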
diff -Nru keystone-2012.1.1/debian/patches/series keystone-2012.1.1/debian/patches/series
--- keystone-2012.1.1/debian/patches/series 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/patches/series 2012-10-01 06:51:43.000000000 +0000
@@ -4,3 +4,5 @@
sql_conn.patch
CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch
+CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch
+CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch
diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
--- keystone-2012.1.1/debian/rules 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/rules 2012-10-01 06:51:43.000000000 +0000
@@ -42,6 +42,11 @@
rm -rf debian/python-keystone/usr/lib/python*/*/doc
rm -rf debian/python-keystone/usr/lib/python*/*/tools
rm -rf debian/python-keystone/usr/lib/python*/*/examples
+ install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf
+
+override_dh_fixperms:
+ dh_fixperms
+ chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
override_dh_clean:
rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
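Review bot: The `chmod 0640` in the new `override_dh_fixperms` carries no explanation, and the `-m 0640` on the `install -D` line above it is presumably normalised back to 0644 by dh_fixperms (which would be why the override exists), so a later cleanup could easily drop the wrong one. Suggest a comment above the chmod such as `# dh_fixperms resets files under usr/share to 0644; re-tighten the template that postinst copies into /etc/keystone`. The target containing the `install -D` line starts before the hunk.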