Merge lp:~niedbalski/python-keystoneclient/icehouse-fix-lp-1368545-r into lp:~ubuntu-server-dev/python-keystoneclient/icehouse

Proposed by Jorge Niedbalski
Status: Merged
Merged at revision: 91
Proposed branch: lp:~niedbalski/python-keystoneclient/icehouse-fix-lp-1368545-r
Merge into: lp:~ubuntu-server-dev/python-keystoneclient/icehouse
Diff against target: 209 lines (+159/-1)
7 files modified
debian/changelog (+24/-0)
debian/control (+1/-0)
debian/patches/CVE-2014-7144.patch (+24/-0)
debian/patches/CVE-2015-1852.patch (+81/-0)
debian/patches/fix-1368545.patch (+25/-0)
debian/patches/series (+3/-0)
debian/rules (+1/-1)
To merge this branch: bzr merge lp:~niedbalski/python-keystoneclient/icehouse-fix-lp-1368545-r
Reviewer Review Type Date Requested Status
Corey Bryant Approve
Review via email: mp+267390@code.launchpad.net

Description of the change

Fix LP: #1368545

Revision history for this message
Corey Bryant (corey.bryant) :
review: Approve

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2014-03-27 16:10:59 +0000
3+++ debian/changelog 2015-08-07 17:27:09 +0000
4@@ -1,3 +1,27 @@
5+python-keystoneclient (1:0.7.1-ubuntu1.3) trusty; urgency=medium
6+
7+ * debian/patches/fix-1368545.patch: hanging the value type of
8+ http_connect_timeout to IntOpt. (LP: #1368545)
9+
10+ -- Jorge Niedbalski <jorge.niedbalski@canonical.com> Fri, 07 Aug 2015 10:50:46 -0300
11+
12+python-keystoneclient (1:0.7.1-ubuntu1.2) trusty-security; urgency=medium
13+
14+ * SECURITY UPDATE: incorrect cert verification with ssl_insecure option
15+ - debian/patches/CVE-2014-7144.patch: properly parse option in
16+ keystoneclient/middleware/auth_token.py.
17+ - CVE-2014-7144
18+ * SECURITY UPDATE: incorrect cert verification with ssl_insecure option
19+ - debian/patches/CVE-2015-1852.patch: properly parse option in
20+ keystoneclient/middleware/s3_token.py, added test to
21+ keystoneclient/tests/test_s3_token_middleware.py.
22+ - CVE-2015-1852
23+ * Properly run test suite during build:
24+ - debian/control: added python-testresources to Build-Depends
25+ - debian/rules: call testr directly
26+
27+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 16 Jul 2015 15:05:21 -0400
28+
29 python-keystoneclient (1:0.7.1-ubuntu1) trusty; urgency=medium
30
31 * New upstream release. (LP: #1298453)
32
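Review bot: typo in the new 1:0.7.1-ubuntu1.3 entry, "hanging the value type of http_connect_timeout to IntOpt" should read "Changing the value type of http_connect_timeout to IntOpt"; this text ends up in the published changelog, so worth correcting before merge. Also, the two SECURITY UPDATE stanzas carry the identical summary "incorrect cert verification with ssl_insecure option" for two different middlewares; consider naming the component (auth_token vs. s3_token) in each summary line so readers can tell the CVE-2014-7144 and CVE-2015-1852 fixes apart without reading the sub-bullets.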
33=== modified file 'debian/control'
34--- debian/control 2014-01-21 15:43:37 +0000
35+++ debian/control 2015-08-07 17:27:09 +0000
36@@ -21,6 +21,7 @@
37 python-setuptools,
38 python-simplejson,
39 python-six,
40+ python-testresources,
41 python-testtools,
42 python-webob,
43 testrepository
44
45=== added file 'debian/patches/CVE-2014-7144.patch'
46--- debian/patches/CVE-2014-7144.patch 1970-01-01 00:00:00 +0000
47+++ debian/patches/CVE-2014-7144.patch 2015-08-07 17:27:09 +0000
48@@ -0,0 +1,24 @@
49+Description: fix incorrect cert verification with ssl_insecure option
50+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
51+
52+Index: python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py
53+===================================================================
54+--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/auth_token.py 2015-07-16 17:07:22.000000000 -0400
55++++ python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py 2015-07-16 17:14:26.575852486 -0400
56+@@ -163,6 +163,7 @@
57+ from keystoneclient.openstack.common import jsonutils
58+ from keystoneclient.openstack.common import memorycache
59+ from keystoneclient.openstack.common import timeutils
60++from keystoneclient.openstack.common import strutils
61+ from keystoneclient import utils
62+
63+
64+@@ -426,7 +427,7 @@
65+ self.cert_file = self._conf_get('certfile')
66+ self.key_file = self._conf_get('keyfile')
67+ self.ssl_ca_file = self._conf_get('cafile')
68+- self.ssl_insecure = self._conf_get('insecure')
69++ self.ssl_insecure = strutils.bool_from_string(self._conf_get('insecure'))
70+
71+ # signing
72+ self.signing_dirname = self._conf_get('signing_dir')
73
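Review bot: the patch header for CVE-2014-7144.patch has only Description and Author; unlike fix-1368545.patch it carries no Origin, Bug or Bug-Ubuntu field pointing at the upstream change or the CVE tracker, so add the DEP-3 fields for consistency with the other patches in the series. On the change itself, wrapping `self._conf_get('insecure')` in `strutils.bool_from_string` is the right fix: with the raw string, a config value such as `insecure = False` is a non-empty string and was therefore truthy, which disabled certificate verification; note that, in contrast to the CVE-2015-1852 patch, no regression test is added here for the string-valued option in auth_token.py, so consider a test mirroring `test_insecure_option` for this middleware.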
74=== added file 'debian/patches/CVE-2015-1852.patch'
75--- debian/patches/CVE-2015-1852.patch 1970-01-01 00:00:00 +0000
76+++ debian/patches/CVE-2015-1852.patch 2015-08-07 17:27:09 +0000
77@@ -0,0 +1,81 @@
78+Backport of:
79+
80+From 0e3a23d28438f3a298a384b1e1f1390cfa92b151 Mon Sep 17 00:00:00 2001
81+From: Brant Knudson <bknudson@us.ibm.com>
82+Date: Tue, 7 Apr 2015 19:38:29 +0000
83+Subject: [PATCH] Fix s3_token middleware parsing insecure option
84+
85+The "insecure" option was being treated as a bool when it was
86+actually provided as a string. The fix is to parse the string to
87+a bool.
88+
89+Closes-Bug: 1411063
90+Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
91+---
92+ keystoneclient/middleware/s3_token.py | 3 ++-
93+ keystoneclient/tests/test_s3_token_middleware.py | 24 +++++++++++++++++++++++-
94+ 2 files changed, 25 insertions(+), 2 deletions(-)
95+
96+Index: python-keystoneclient-0.7.1/keystoneclient/middleware/s3_token.py
97+===================================================================
98+--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/s3_token.py 2015-07-16 17:24:42.779762830 -0400
99++++ python-keystoneclient-0.7.1/keystoneclient/middleware/s3_token.py 2015-07-16 17:25:16.408194217 -0400
100+@@ -39,6 +39,7 @@
101+ from six.moves import urllib
102+
103+ from keystoneclient.openstack.common import jsonutils
104++from keystoneclient.openstack.common import strutils
105+
106+
107+ PROTOCOL_NAME = 'S3 Token Authentication'
108+@@ -113,7 +114,7 @@
109+ self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)
110+
111+ # SSL
112+- insecure = conf.get('insecure', False)
113++ insecure = strutils.bool_from_string(conf.get('insecure', False))
114+ cert_file = conf.get('certfile')
115+ key_file = conf.get('keyfile')
116+
117+Index: python-keystoneclient-0.7.1/keystoneclient/tests/test_s3_token_middleware.py
118+===================================================================
119+--- python-keystoneclient-0.7.1.orig/keystoneclient/tests/test_s3_token_middleware.py 2015-07-16 17:24:42.779762830 -0400
120++++ python-keystoneclient-0.7.1/keystoneclient/tests/test_s3_token_middleware.py 2015-07-16 17:24:42.779762830 -0400
121+@@ -123,7 +123,7 @@
122+ @mock.patch.object(requests, 'post')
123+ def test_insecure(self, MOCK_REQUEST):
124+ self.middleware = (
125+- s3_token.filter_factory({'insecure': True})(FakeApp()))
126++ s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
127+
128+ text_return_value = jsonutils.dumps(GOOD_RESPONSE)
129+ if six.PY3:
130+@@ -141,6 +141,28 @@
131+ mock_args, mock_kwargs = MOCK_REQUEST.call_args
132+ self.assertIs(mock_kwargs['verify'], False)
133+
134++ def test_insecure_option(self):
135++ # insecure is passed as a string.
136++
137++ # Some non-secure values.
138++ true_values = ['true', 'True', '1', 'yes']
139++ for val in true_values:
140++ config = {'insecure': val, 'certfile': 'false_ind'}
141++ middleware = s3_token.filter_factory(config)(FakeApp())
142++ self.assertIs(False, middleware.verify)
143++
144++ # Some "secure" values, including unexpected value.
145++ false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
146++ for val in false_values:
147++ config = {'insecure': val, 'certfile': 'false_ind'}
148++ middleware = s3_token.filter_factory(config)(FakeApp())
149++ self.assertEqual('false_ind', middleware.verify)
150++
151++ # Default is secure.
152++ config = {'certfile': 'false_ind'}
153++ middleware = s3_token.filter_factory(config)(FakeApp())
154++ self.assertIs('false_ind', middleware.verify)
155++
156+
157+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
158+ def setUp(self):
159
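Review bot: in the "Default is secure." block of `test_insecure_option`, `self.assertIs('false_ind', middleware.verify)` compares two string objects by identity; this only passes because of CPython string interning, and the loop just above already uses `self.assertEqual('false_ind', middleware.verify)` for the same check, so use `assertEqual` here as well. The rest of the test is a good fit for the fix: with `strutils.bool_from_string` an unrecognised value such as `'someweirdvalue'` falls back to False, so `verify` stays at the CA file path and unexpected input fails closed rather than disabling TLS verification.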
160=== added file 'debian/patches/fix-1368545.patch'
161--- debian/patches/fix-1368545.patch 1970-01-01 00:00:00 +0000
162+++ debian/patches/fix-1368545.patch 2015-08-07 17:27:09 +0000
163@@ -0,0 +1,25 @@
164+Description: Changing the value type of http_connect_timeout
165+
166+The value type of http_connect_timeout definition
167+is changed from Bool to Int value. Python treats
168+a value more than 1 as True but oslo config defines
169+Boolean values as 'true, '1', 'yes' and 'on'.
170+So http_connect_timeout is only configured 1 or None.
171+
172+Change-Id: I53075cc04d0ccea543f8e657279534208ed03058
173+Closes-bug: #1368545.
174+
175+Origin: upstream, https://review.openstack.org/#/c/126543
176+Bug-Ubuntu: https://bugs.launchpad.net/keystonemiddleware/+bug/1368545
177+
178+--- python-keystoneclient-0.7.1.orig/keystoneclient/middleware/auth_token.py
179++++ python-keystoneclient-0.7.1/keystoneclient/middleware/auth_token.py
180+@@ -212,7 +212,7 @@ opts = [
181+ help='Do not handle authorization requests within the'
182+ ' middleware, but delegate the authorization decision to'
183+ ' downstream WSGI components'),
184+- cfg.BoolOpt('http_connect_timeout',
185++ cfg.IntOpt('http_connect_timeout',
186+ default=None,
187+ help='Request timeout value for communicating with Identity'
188+ ' API server.'),
189
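Review bot: switching `http_connect_timeout` from `cfg.BoolOpt` to `cfg.IntOpt` is a config schema change, and the description should say what happens to existing deployments that set a boolean value (e.g. `http_connect_timeout = true`) in their paste or keystone_authtoken config, since that value will no longer parse as an integer; consider mentioning this in the changelog entry or patch description for the SRU. Minor: the description text has an unbalanced quote in "'true, '1', 'yes' and 'on'" ("'true', '1', 'yes' and 'on'"), and "Closes-bug: #1368545." has a trailing period after the bug number.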
190=== added file 'debian/patches/series'
191--- debian/patches/series 1970-01-01 00:00:00 +0000
192+++ debian/patches/series 2015-08-07 17:27:09 +0000
193@@ -0,0 +1,3 @@
194+CVE-2014-7144.patch
195+CVE-2015-1852.patch
196+fix-1368545.patch
197
198=== modified file 'debian/rules'
199--- debian/rules 2013-11-14 15:51:35 +0000
200+++ debian/rules 2015-08-07 17:27:09 +0000
201@@ -8,7 +8,7 @@
202
203 override_dh_auto_test:
204 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
205- bash run_tests.sh -N -P || true
206+ testr init && testr run
207 endif
208
209 get-orig-source:
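Review bot: replacing `bash run_tests.sh -N -P || true` with `testr init && testr run` drops the `|| true`, so test failures now fail the build; that is the intent stated in the changelog ("Properly run test suite during build"), but the hunk should be paired with the python-testresources Build-Depends added in debian/control, which it is. One robustness point: `testr init` is not idempotent, so a rebuild in a source tree that already contains a `.testrepository` directory will fail at the init step; consider guarding it, for example `[ -d .testrepository ] || testr init`, and ensure `.testrepository` is cleaned in `override_dh_auto_clean` so it does not leak into the source package.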
