Your message dated Sun, 25 Nov 2012 22:05:38 +0100 with message-id <20121125210538.GJ8091@radis.cristau.org> and subject line Re: Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes) has caused the Debian Bug report #689289, regarding unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes) to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
689289: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689289
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
- From: Thomas Goirand <zigo@debian.org>
- Date: Mon, 01 Oct 2012 15:00:25 +0800
- Message-id: <20121001070025.6908.50083.reportbug@buzig.gplhost.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

I have applied upstream patches for CVE-2012-445{6,7} (yes, yet another CVE in keystone...), and fixed bad handling of /etc/keystone/keystone.conf. The latter modifications have already been investigated by Julien, and I believe they are in shape now.

If the release team prefers that I first undo the keystone.conf changes so that only the CVE fixes migrate first, and the keystone.conf handling then gets the standard 10 days of testing, that can be done too. I have no problem doing this in 2 steps, to give more testing time for the keystone.conf handling. But I believe it should be ok now.

The debdiff is attached. It's unfortunately not so small.

Thanks for your time working on the Wheezy release,
Please unblock keystone/2012.1.1-9,

Cheers,

Thomas Goirand (zigo)

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog 2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/changelog 2012-10-01 06:51:43.000000000 +0000
@@ -1,3 +1,28 @@ +keystone (2012.1.1-9) unstable; urgency=high + + * Fixes sometimes failing keystone.postrm (db_get in some conditions can + return false), and fixed non-consistant indenting. + * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone + /keystone.conf.sample for temporary storing the conf file (this was a policy + violation, as the doc folder should never be required). + * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled, + CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210). + + -- Thomas Goirand <zigo@debian.org> Mon, 01 Oct 2012 05:52:23 +0000 + +keystone (2012.1.1-8) unstable; urgency=low + + * Fixes parsing of the SQL connection in keystone.config. + + -- Thomas Goirand <zigo@debian.org> Sun, 30 Sep 2012 01:48:50 +0000 + +keystone (2012.1.1-7) unstable; urgency=low + + * Fixes band handling (eg: policy violation) of keystone.conf which was + conffiles, but changed in the posinst (Closes: #687311). + + -- Thomas Goirand <zigo@debian.org> Wed, 12 Sep 2012 17:09:47 +0000 + keystone (2012.1.1-6) unstable; urgency=high * CVE-2012-4413: Revoking a role does not affect existing tokens diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config --- keystone-2012.1.1/debian/keystone.config 2012-09-12 16:33:13.000000000 +0000 +++ keystone-2012.1.1/debian/keystone.config 2012-10-01 06:51:43.000000000 +0000 
@@ -1,19 +1,79 @@ #!/bin/sh + set -e . /usr/share/debconf/confmodule +### Reading of values in the keystone config file ### +### and setting default for dbconfig-common accordingly ### +KEY_CONF=/etc/keystone/keystone.conf + +if [ -e "${KEY_CONF}" ] ; then + KEY_CONF_AUTH_TOKEN=`grep -E "^([ \t])*admin_token([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'` + if [ -n "${KEY_CONF_AUTH_TOKEN}" ] ; then + db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN} + fi +fi db_input low keystone/auth-token || true db_input low keystone/configure_db || true db_go + db_get keystone/configure_db -if [ "$RET" = "true" ]; then - if [ -f /usr/share/dbconfig-common/dpkg/config ]; - then - dbc_dbtypes="sqlite3, mysql, pgsql" - db_authmethod_user="password" - dbc_basepath="/var/lib/keystone" +if [ "$RET" = "true" ] && [ -e "${KEY_CONF}" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then . /usr/share/dbconfig-common/dpkg/config + KEY_CONF_DB_CON_INFO=`grep -E "^([ \t])*connection([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'` + KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d":" -f1` + # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite) + if [ "${KEY_CONF_DB_TYPE}" != "sqlite" ] && [ "${KEY_CONF_DB_TYPE}" != "mysql" ] && [ "${KEY_CONF_DB_TYPE}" != "pgsql" ] ; then + KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite" + KEY_CONF_DB_TYPE="sqlite" + fi + if [ "${KEY_CONF_DB_TYPE}" = "sqlite" ] ; then + # This is the invalid default in the etc/keystone.conf in the source package + if [ "${KEY_CONF_DB_CON_INFO}" = "sqlite:///keystone.db" ] ; then + KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite" + fi + + KEY_CONF_DB_PATH=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,11)}'` + if [ -z "${KEY_CONF_DB_PATH}" ] ; then + KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite + fi + dbc_basepath=`dirname "${KEY_CONF_DB_PATH}"` + dbc_dbname=`basename "${KEY_CONF_DB_PATH}"` + dbc_dbtypes="sqlite3, mysql, pgsql" + else 
+ # Later, the postinst does: mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname + # so we are supposed to parse that if it exists + KEY_CONF_ADDR=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,9)}'` + KEY_CONF_BEFORE_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f1` + KEY_CONF_AFTER_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f2` + + KEY_CONF_USER=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f2` + KEY_CONF_USER=`echo "${KEY_CONF_USER}" | cut -d"/" -f3` + KEY_CONF_PASS=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f3` + KEY_CONF_SERVER_PORT=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f1` + KEY_CONF_DB_NAME=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f2` + + KEY_CONF_SERVER=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f1` + if echo "${KEY_CONF_SERVER_PORT}" | grep -Eq ":" ; then + KEY_CONF_PORT=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f2` + else + KEY_CONF_PORT="" + fi + + if [ -n "${KEY_CONF_USER}" ] && [ -n "${KEY_CONF_PASS}" ] && [ -n "${KEY_CONF_SERVER}" ] && [ -n "${KEY_CONF_DB_NAME}" ] ; then + dbc_dbuser=${KEY_CONF_USER} + dbc_dbpass=${KEY_CONF_PASS} + dbc_dbserver=${KEY_CONF_SERVER} + dbc_dbport=${KEY_CONF_PORT} + dbc_dbname=${KEY_CONF_DB_NAME} + fi + if [ "${KEY_CONF_DB_TYPE}" = "mysql" ] ; then + dbc_dbtypes="mysql, pgsql, sqlite3" + else + dbc_dbtypes="pgsql, mysql, sqlite3" + fi + db_authmethod_user="password" + fi dbc_go keystone $@ - fi fi diff -Nru keystone-2012.1.1/debian/keystone.install keystone-2012.1.1/debian/keystone.install --- keystone-2012.1.1/debian/keystone.install 2012-09-12 16:33:13.000000000 +0000 +++ keystone-2012.1.1/debian/keystone.install 2012-10-01 06:51:43.000000000 +0000 
@@ -1,2 +1,4 @@ usr/bin/* -etc/* etc/keystone \ No newline at end of file +etc/default_catalog.templates /etc/keystone +etc/logging.conf.sample /usr/share/doc/keystone +etc/policy.json /etc/keystone diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst --- keystone-2012.1.1/debian/keystone.postinst 2012-09-12 16:33:13.000000000 +0000 +++ keystone-2012.1.1/debian/keystone.postinst 2012-10-01 06:51:43.000000000 +0000 
@@ -1,77 +1,64 @@ #!/bin/sh + set -e -if [ "$1" = "configure" ] -then - . /usr/share/debconf/confmodule - . /usr/share/dbconfig-common/dpkg/postinst - - adduser --system \ - --home /var/lib/keystone \ - --no-create-home \ - --quiet \ - --disabled-password \ - --group keystone - - - db_get keystone/configure_db - if [ "$RET" = "true" ]; then - db_get keystone/database-type - if [ $RET = "sqlite3" ] - then - dbc_name="keystone.sqlite" - db_set keystone/db/dbname $dbc_name +if [ "$1" = "configure" ] ; then + . /usr/share/debconf/confmodule + . /usr/share/dbconfig-common/dpkg/postinst + + # Create config files if they don't exist + KEY_CONF=/etc/keystone/keystone.conf + if ! [ -e /etc/keystone ] ; then + mkdir /etc/keystone + fi + if ! [ -e "${KEY_CONF}" ] && [ -r /usr/share/keystone/keystone.conf ] ; then + cp -auxf /usr/share/keystone/keystone.conf ${KEY_CONF} fi - dbc_dbfile_owner="keystone:keystone" - - dbc_go keystone $@ - - if [ "$dbc_install" = "true" ] - then - case "$dbc_dbtype" in - sqlite3) - SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname" - ;; - mysql) - [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport - SQL_CONNECTION="mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" - ;; - pgsql) - [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport - SQL_CONNECTION="pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" - ;; - *) - SQL_CONNECTION="sqlite:////var/lib/keystone/$dbc_dbname" - ;; - esac - - sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i /etc/keystone/keystone.conf - if [ "$dbc_upgrade" = "true" ] - then - keystone-manage db_sync - fi + adduser --system \ + --home /var/lib/keystone \ + --no-create-home \ + --quiet \ + --disabled-password \ + --group keystone + + db_get keystone/configure_db + if [ "$RET" = "true" ] ; then + db_get keystone/database-type + dbc_dbfile_owner="keystone:keystone" + + dbc_go keystone $@ + if [ "$dbc_install" = "true" ] ; then + if [ "$dbc_dbtype" = "mysql" ] || [ 
"$dbc_dbtype" = "pgsql" ] ; then + if [ -n "$dbc_dbport" ] ; then + dbport=:$dbc_dbport + fi + SQL_CONNECTION="$dbc_dbtype://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" + else + SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname" + fi + fi + + sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i ${KEY_CONF} + + if [ "$dbc_upgrade" = "true" ] ; then + keystone-manage db_sync + fi fi - fi - if [ -z "$2" ] - then db_get keystone/auth-token AUTH_TOKEN=${RET:-ADMIN} - sed -s "s,^admin_token = ADMIN,admin_token = $AUTH_TOKEN," -i /etc/keystone/keystone.conf - fi + sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF} - chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone - chmod 0750 /etc/keystone - chmod 0750 /var/log/keystone + chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone + chmod 0750 /etc/keystone + chmod 0750 /var/log/keystone + # On first install, create basics configuration and add roles + if [ -z "$2" ] ; then + keystone-manage db_sync + fi fi #DEBHELPER# -# On first install, create basics configuration and add roles -if [ -z "$2" ] -then - keystone-manage db_sync -fi - exit 0 diff -Nru keystone-2012.1.1/debian/keystone.postrm keystone-2012.1.1/debian/keystone.postrm --- keystone-2012.1.1/debian/keystone.postrm 2012-09-12 16:33:13.000000000 +0000 +++ keystone-2012.1.1/debian/keystone.postrm 2012-10-01 06:51:43.000000000 +0000 
@@ -2,24 +2,24 @@ set -e -if [ -f /usr/share/debconf/confmodule ] -then - . /usr/share/debconf/confmodule +if [ -f /usr/share/debconf/confmodule ] ;then + . /usr/share/debconf/confmodule + db_get keystone/configure_db || true + DEBCONF_CONFIGURE_DB=$RET fi -db_get keystone/configure_db -if [ "$RET" = "true" ]; then - if [ -f /usr/share/dbconfig-common/dpkg/postrm ] - then - . /usr/share/dbconfig-common/dpkg/postrm - dbc_go keystone $@ - fi +if [ "${DEBCONF_CONFIGURE_DB}" = "true" ] ; then + if [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then + . /usr/share/dbconfig-common/dpkg/postrm + dbc_go keystone $@ + fi fi case "$1" in - purge) - rm -rf /var/log/keystone +purge) + rm -rf /var/log/keystone rm -rf /var/lib/keystone + rm -rf /etc/keystone esac #DEBHELPER# diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch --- keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch 1970-01-01 00:00:00.000000000 +0000 +++ keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch 2012-10-01 06:51:43.000000000 +0000 
@@ -0,0 +1,131 @@ +Description: Require authz for user role list + Jason Xu (yinyangxu@gmail.com) discovered several vulnerabilities in OpenStack + Keystone token verification: + . + The first occurs in the API /v2.0/OS-KSADM/services and + /v2.0/OS-KSADM/services/{service_id}, the second occurs in + /v2.0/tenants/{tenant_id}/users/{user_id}/roles + . + In both cases the OpenStack Keystone code fails to check if the tokens are + valid. These issues have been addressed by adding checks in the form of + test_service_crud_requires_auth() and test_user_role_list_requires_auth(). +Bug-Debian: http://bugs.debian.org/689210 +Bug-Ubuntu: https://bugs.launchpad.net/+bug/1006815 +Author: Dolph Mathews <dolph.mathews@gmail.com> +Origin: Upstream + +Index: keystone/keystone/identity/core.py +=================================================================== +--- keystone.orig/keystone/identity/core.py 2012-10-01 06:25:52.000000000 +0000 ++++ keystone/keystone/identity/core.py 2012-10-01 06:25:52.000000000 +0000 +@@ -458,6 +458,7 @@ + not implementing them in hopes that the idea will die off. 
+ + """ ++ self.assert_admin(context) + if tenant_id is None: + raise exception.NotImplemented(message='User roles not supported: ' + 'tenant ID required') +Index: keystone/tests/test_content_types.py +=================================================================== +--- keystone.orig/tests/test_content_types.py 2012-10-01 06:25:48.000000000 +0000 ++++ keystone/tests/test_content_types.py 2012-10-01 06:25:52.000000000 +0000 +@@ -16,6 +16,7 @@ + + import httplib + import json ++import uuid + + from lxml import etree + import nose.exc +@@ -554,6 +555,49 @@ + def assertValidVersionResponse(self, r): + self.assertValidVersion(r.body.get('version')) + ++ def test_user_role_list_requires_auth(self): ++ """User role list should 401 without an X-Auth-Token (bug 1006815).""" ++ # values here don't matter because we should 401 before they're checked ++ path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % { ++ 'tenant_id': uuid.uuid4().hex, ++ 'user_id': uuid.uuid4().hex, ++ } ++ ++ r = self.admin_request(path=path, expected_status=401) ++ self.assertValidErrorResponse(r) ++ ++ def test_service_crud_requires_auth(self): ++ """Service CRUD should 401 without an X-Auth-Token (bug 1006822).""" ++ # values here don't matter because we should 401 before they're checked ++ service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex ++ service_body = { ++ 'OS-KSADM:service': { ++ 'name': uuid.uuid4().hex, ++ 'type': uuid.uuid4().hex, ++ }, ++ } ++ ++ r = self.admin_request(method='GET', ++ path='/v2.0/OS-KSADM/services', ++ expected_status=401) ++ self.assertValidErrorResponse(r) ++ ++ r = self.admin_request(method='POST', ++ path='/v2.0/OS-KSADM/services', ++ body=service_body, ++ expected_status=401) ++ self.assertValidErrorResponse(r) ++ ++ r = self.admin_request(method='GET', ++ path=service_path, ++ expected_status=401) ++ self.assertValidErrorResponse(r) ++ ++ r = self.admin_request(method='DELETE', ++ path=service_path, ++ expected_status=401) ++ 
self.assertValidErrorResponse(r) ++ + + class XmlTestCase(RestfulTestCase, CoreApiTests): + xmlns = 'http://docs.openstack.org/identity/api/v2.0' +Index: keystone/keystone/catalog/core.py +=================================================================== +--- keystone.orig/keystone/catalog/core.py 2012-10-01 06:25:48.000000000 +0000 ++++ keystone/keystone/catalog/core.py 2012-10-01 06:25:52.000000000 +0000 +@@ -116,29 +116,36 @@ + class ServiceController(wsgi.Application): + def __init__(self): + self.catalog_api = Manager() ++ self.identity_api = identity.Manager() ++ self.policy_api = policy.Manager() ++ self.token_api = token.Manager() + super(ServiceController, self).__init__() + + # CRUD extensions + # NOTE(termie): this OS-KSADM stuff is not very consistent + def get_services(self, context): ++ self.assert_admin(context) + service_list = self.catalog_api.list_services(context) + service_refs = [self.catalog_api.get_service(context, x) + for x in service_list] + return {'OS-KSADM:services': service_refs} + + def get_service(self, context, service_id): ++ self.assert_admin(context) + service_ref = self.catalog_api.get_service(context, service_id) + if not service_ref: + raise exception.ServiceNotFound(service_id=service_id) + return {'OS-KSADM:service': service_ref} + + def delete_service(self, context, service_id): ++ self.assert_admin(context) + service_ref = self.catalog_api.get_service(context, service_id) + if not service_ref: + raise exception.ServiceNotFound(service_id=service_id) + self.catalog_api.delete_service(context, service_id) + + def create_service(self, context, OS_KSADM_service): ++ self.assert_admin(context) + service_id = uuid.uuid4().hex + service_ref = OS_KSADM_service.copy() + service_ref['id'] = service_id diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch --- 
keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch 1970-01-01 00:00:00.000000000 +0000 +++ keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch 2012-10-01 06:51:43.000000000 +0000 
@@ -0,0 +1,95 @@ +Description: Raise unauthorized if tenant disabled + If the client attempts to explicitly authenticate against a disabled + tenant, keystone should return HTTP 401 Unauthorized. +Bug-Debian: http://bugs.debian.org/689210 +Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/988920 +Author: Dolph Mathews <dolph.mathews@gmail.com> +Origin: upstream + +Index: keystone/keystone/service.py +=================================================================== +--- keystone.orig/keystone/service.py 2012-10-01 06:25:28.000000000 +0000 ++++ keystone/keystone/service.py 2012-10-01 06:25:41.000000000 +0000 +@@ -280,6 +280,11 @@ + if not user_ref.get('enabled', True): + LOG.warning('User %s is disabled' % user_id) + raise exception.Unauthorized() ++ ++ # If the tenant is disabled don't allow them to authenticate ++ if tenant_ref and not tenant_ref.get('enabled', True): ++ LOG.warning('Tenant %s is disabled' % tenant_id) ++ raise exception.Unauthorized() + except AssertionError as e: + raise exception.Unauthorized(e.message) + +@@ -333,6 +338,12 @@ + + tenant_ref = self.identity_api.get_tenant(context=context, + tenant_id=tenant_id) ++ ++ # If the tenant is disabled don't allow them to authenticate ++ if tenant_ref and not tenant_ref.get('enabled', True): ++ LOG.warning('Tenant %s is disabled' % tenant_id) ++ raise exception.Unauthorized() ++ + if tenant_ref: + metadata_ref = self.identity_api.get_metadata( + context=context, +Index: keystone/tests/test_keystoneclient.py +=================================================================== +--- keystone.orig/tests/test_keystoneclient.py 2012-10-01 06:25:41.000000000 +0000 ++++ keystone/tests/test_keystoneclient.py 2012-10-01 06:25:41.000000000 +0000 +@@ -176,6 +176,53 @@ + self.get_client, + user_ref) + ++ def test_authenticate_disabled_tenant(self): ++ from keystoneclient import exceptions as client_exceptions ++ ++ admin_client = self.get_client(admin=True) ++ ++ tenant = { ++ 'name': uuid.uuid4().hex, ++ 
'description': uuid.uuid4().hex, ++ 'enabled': False, ++ } ++ tenant_ref = admin_client.tenants.create( ++ tenant_name=tenant['name'], ++ description=tenant['description'], ++ enabled=tenant['enabled']) ++ tenant['id'] = tenant_ref.id ++ ++ user = { ++ 'name': uuid.uuid4().hex, ++ 'password': uuid.uuid4().hex, ++ 'email': uuid.uuid4().hex, ++ 'tenant_id': tenant['id'], ++ } ++ user_ref = admin_client.users.create( ++ name=user['name'], ++ password=user['password'], ++ email=user['email'], ++ tenant_id=user['tenant_id']) ++ user['id'] = user_ref.id ++ ++ # password authentication ++ self.assertRaises( ++ client_exceptions.Unauthorized, ++ self._client, ++ username=user['name'], ++ password=user['password'], ++ tenant_id=tenant['id']) ++ ++ # token authentication ++ client = self._client( ++ username=user['name'], ++ password=user['password']) ++ self.assertRaises( ++ client_exceptions.Unauthorized, ++ self._client, ++ token=client.auth_token, ++ tenant_id=tenant['id']) ++ + # FIXME(ja): this test should require the "keystone:admin" roled + # (probably the role set via --keystone_admin_role flag) + # FIXME(ja): add a test that admin endpoint is only sent to admin user diff -Nru keystone-2012.1.1/debian/patches/series keystone-2012.1.1/debian/patches/series --- keystone-2012.1.1/debian/patches/series 2012-09-12 16:33:13.000000000 +0000 +++ keystone-2012.1.1/debian/patches/series 2012-10-01 06:51:43.000000000 +0000 @@ -4,3 +4,5 @@ sql_conn.patch CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch +CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch +CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules --- keystone-2012.1.1/debian/rules 2012-09-12 16:33:13.000000000 +0000 +++ keystone-2012.1.1/debian/rules 2012-10-01 06:51:43.000000000 +0000 
@@ -42,6 +42,11 @@ rm -rf debian/python-keystone/usr/lib/python*/*/doc rm -rf debian/python-keystone/usr/lib/python*/*/tools rm -rf debian/python-keystone/usr/lib/python*/*/examples + install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf + +override_dh_fixperms: + dh_fixperms + chmod 0640 debian/keystone/usr/share/keystone/keystone.conf override_dh_clean: rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
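Review bot: the 2012.1.1-9 changelog entry for CVE-2012-4457 is cut short: "fails to raise Unauthorized user error for disabled" never says what is disabled. The patch header later in this debdiff describes it as authenticating against a disabled tenant, so something like "fails to return Unauthorized when authenticating against a disabled tenant" would be accurate. While editing, fix the typos in the same hunk: "non-consistant" (non-consistent) in the -9 entry, and "band handling" (bad handling) and "posinst" (postinst) in the -7 entry; these entries are the permanent record of the security fixes that go into wheezy.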
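Review bot: the mysql/pgsql branch of the keystone.config hunk can never re-import existing credentials into dbconfig-common. KEY_CONF_ADDR has already had the `mysql://` or `pgsql://` prefix removed by `awk '{print substr($0,9)}'`, so for a connection value of the form user:pass@host/db the pipeline
  KEY_CONF_USER=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f2`
  KEY_CONF_USER=`echo "${KEY_CONF_USER}" | cut -d"/" -f3`
yields an empty user (the first cut returns the password, the second has no "/" field 3) and `cut -d":" -f3` yields an empty password; the `[ -n ... ]` guard then fails and the dbconfig defaults are used instead, re-prompting on every reconfigure. Use `cut -d":" -f1` and `-f2` on the user:pass part and drop the `cut -d"/"` step, and note in a comment that a password containing ":", "@" or "/" still defeats this delimiter-based parsing. Two smaller points in the same hunk: `db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}` copies the live admin bearer token from keystone.conf into the debconf database, so the keystone/auth-token template must be of type password (stored in the 0600 passwords.dat rather than the world-readable config.dat) and the expansion should be quoted; and `awk '{print $3}'` only recognises the `admin_token = value` spelling, so a hand-edited `admin_token=value` matches the grep but is silently not imported.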
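Review bot: dropping `etc/*` from keystone.install means /etc/keystone/keystone.conf is no longer shipped as a conffile, but neither the hunk nor the changelog says how the existing conffile on systems upgrading from -6 is meant to be handled: dpkg keeps it registered as an obsolete conffile and leaves the file in place, which is exactly what the postinst's "copy the template only if the file is absent" logic relies on. If that is the intent, state it in the changelog; if the intent is for dpkg to forget the file, that is a `dpkg-maintscript-helper rm_conffile` entry, but be aware it moves a locally modified conffile aside to .dpkg-bak before postinst runs, so the admin token and connection string would then have to come from debconf rather than from the old file. The other lines are fine: policy.json and default_catalog.templates under /etc/keystone remain conffiles, and moving logging.conf.sample to /usr/share/doc is consistent with the policy point in the changelog.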
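Review bot: in the postinst hunk the line
  sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i ${KEY_CONF}
has moved out of the `if [ "$dbc_install" = "true" ]` block (the removed code ran it inside that block), so whenever dbconfig-common does not set dbc_install, SQL_CONNECTION is unset and the connection line in keystone.conf is rewritten as an empty `connection = `, after which the first-install `keystone-manage db_sync` runs without a usable database URL. Move the sed back inside the dbc_install branch or guard it with `[ -n "$SQL_CONNECTION" ]`. Second, `sed -ie '...' ${KEY_CONF}` is not `-i -e`: GNU sed reads `-ie` as `-i` with backup suffix "e", so every configure run leaves /etc/keystone/keystone.confe behind holding the previous admin_token; write `sed -i -e`. Third, the admin_token rewrite now runs on every configure with `AUTH_TOKEN=${RET:-ADMIN}`, so if debconf holds no value (for example because the config script's `awk '{print $3}'` did not recognise a hand-edited `admin_token=value`), a locally set token is silently reset to the well-known default ADMIN on upgrade, whereas the removed code only touched the literal `admin_token = ADMIN` on first install. Either keep the first-install guard or skip the rewrite when RET is empty. The token is also spliced unquoted into the sed script (`'${AUTH_TOKEN}'`), so a value containing `|`, `&` or whitespace breaks or alters the command.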
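Review bot: the keystone/catalog/core.py hunk of the CVE-2012-4456 patch instantiates `identity.Manager()`, `policy.Manager()` and `token.Manager()` in ServiceController.__init__ without any import change in the patch; assert_admin depends on those managers, so confirm that `identity`, `policy` and `token` are already imported at the top of that module (EndpointController in the same file would need them too), otherwise every OS-KSADM/services request fails with a NameError instead of the intended 401. On coverage, both new tests only exercise the missing-token case (expected_status=401); nothing in the patch checks that a valid token without the admin role is refused, which is the other half of what assert_admin is meant to enforce, so a 403 test with a plain user token would be a cheap addition. The Bug-Ubuntu header also references only 1006815, while the services half is tracked as 1006822 per the test docstring.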
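Review bot: both hunks in keystone/service.py add the disabled-tenant check only on the authenticate paths (password, and token-for-token rescoping), which matches the patch description, but nothing in this patch touches tokens already scoped to a tenant that is disabled afterwards; they stay valid until expiry, the same class of gap as CVE-2012-4413 earlier in the series file. Say so in the changelog, and check whether the token validation path needs the same `tenant_ref.get('enabled', True)` check. Minor: the two added blocks are verbatim copies of each other, LOG.warning text included; a small helper in the controller would keep them in sync. The new test exercises both password and token authentication against the disabled tenant, which maps one-to-one onto the two hunks.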
--- End Message ---
--- Begin Message ---
- To: Thomas Goirand <zigo@debian.org>, 689289-done@bugs.debian.org
- Subject: Re: Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
- From: Julien Cristau <jcristau@debian.org>
- Date: Sun, 25 Nov 2012 22:05:38 +0100
- Message-id: <20121125210538.GJ8091@radis.cristau.org>
- In-reply-to: <20121001070025.6908.50083.reportbug@buzig.gplhost.com>
- References: <20121001070025.6908.50083.reportbug@buzig.gplhost.com>
On Mon, Oct 1, 2012 at 15:00:25 +0800, Thomas Goirand wrote:
> Please unblock keystone/2012.1.1-9,

-10 unblocked.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature
--- End Message ---