authorMatt Thode <prometheanfire@gentoo.org>2013-09-11 16:01:46 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-09-11 16:01:46 +0000
commit8ed21562b0d4bf9e11d0e6cc791ed53792674c83 (patch)
tree2917cd4651c4bcb41f514c36d65489228beb92f3 /sys-auth
parentFix failing patch wrt bug #484092. Tidy ebuild. (diff)
updating keystone for cve-2013-4294
Package-Manager: portage-2.1.12.2/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/keystone/ChangeLog12
-rw-r--r--sys-auth/keystone/Manifest34
-rw-r--r--sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch143
-rw-r--r--sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch139
-rw-r--r--sys-auth/keystone/keystone-2012.2.4-r7.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r6.ebuild)3
-rw-r--r--sys-auth/keystone/keystone-2013.1.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.1.3.ebuild)3
6 files changed, 315 insertions, 19 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 7999ba7cdc76..ba893f0d6602 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.29 2013/08/19 03:26:04 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.30 2013/09/11 16:01:38 prometheanfire Exp $
+
+*keystone-2012.2.4-r7 (11 Sep 2013)
+*keystone-2013.1.3-r1 (11 Sep 2013)
+
+ 11 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-cve-2013-4294-folsom.patch,
+ +files/keystone-cve-2013-4294-grizzly.patch, +keystone-2012.2.4-r7.ebuild,
+ +keystone-2013.1.3-r1.ebuild, -keystone-2012.2.4-r6.ebuild,
+ -keystone-2013.1.3.ebuild:
+ updating keystone for cve-2013-4294
19 Aug 2013; Matthew Thode <prometheanfire@gentoo.org>
keystone-2013.1.9999.ebuild:
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index b5c1496ed3c0..844466d2a978 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -2,6 +2,8 @@
Hash: SHA256
AUX 2012.2.4-upstream-1181157.patch 1336 SHA256 355c3e49e2c0ea0924bfb7eaf2d6a82120d2eb0f31fc4863ef6bf1b9791c94d4 SHA512 b90d41bcd9b60886af2f37de3cbc33c3583eef65b9ed4a92e2b55e8701f883f3662b8f5e00a4c65d869914b8c9718364b8024604197a5f6cc5403508e3fb8827 WHIRLPOOL 0454536a2c9ed28c6b164c9f64af6c472f8d22b38a509d27d4d0d22a238737f4d51ed17f416c04c7fe3b43790741e0914b09e0435c6dbc8e34c7c1debf75eb19
+AUX keystone-cve-2013-4294-folsom.patch 5662 SHA256 69b07e87cf021b21168fe40fedd2dabd492991e0b4192f86fad378e24ef0429c SHA512 502cca91cfd71bd43f1a0dd0ada718cc9020071e41b13abd7310de175a794453bdb529e1ffb641e60e199fef9a2226aa44395f32eb3b0af8dc0b56dbf739b307 WHIRLPOOL 58f95de485b6351f78a680a65531bee8bcc2d725329aefa21116443a8a5ad6759a32d0ff39aa97a5226fa32fdcf0ac689bab1e7730207677334d1559f8c8d790
+AUX keystone-cve-2013-4294-grizzly.patch 5704 SHA256 86a7f54c72675d5041b648dff4f607e7e20659dbdd56084aec4424e3e552e419 SHA512 b58bb75fa4bbfcc09b3a02ee407c05b031dce54976b949e140894f43b5691048ee62921496e132f0ac1d0c47e9a7a75b5ac238fa84f870289563abcda2e72d28 WHIRLPOOL 775365acc88a7486dd8ede7b999fb4811cca493a1487a9177b9af0ca8d0093aa2cc45e9ba6583b4b069671f3c44402269ae63875ca057d76e707e970d0a175e0
AUX keystone-folsom-4-CVE-2013-1977.patch 1114 SHA256 af81df239364cab3f94b14636359a19e6c8474f8282d2c174e3e75208fa508c6 SHA512 e9139487cdf6185d0405fd034a48c451c15ab568ebb6d4e58c2c50160ef8dc6b926a31fd0b31c646ecfccf68f2b667d9577bbe6e169ef28f8abfc06ae9031210 WHIRLPOOL c2ed7858f514f3d4a45303b0a307eb259c3c53373160ad35afcb7012ca63f9360d152f4869745579b678d990ed6f929ef050b1c68683bac656123a0aea394ec0
AUX keystone-folsom-4-CVE-2013-2030.patch 2318 SHA256 fd824a4000da663568f26dbcfa6de031911ebdca1dea2c0958b3d5398d4d9ba6 SHA512 6b00a6d9062dd418299f9f02891fbfaa86f8f69db394ccfff31367555d1d7dbad1cf0d5a8647b61addeaabd2107b9f75cdc1986df8186de5c428f33533abffab WHIRLPOOL 842c4adb14c4a4501ea84c0082c0f28295027e27fee9957eafea6db9397a26c4955eb355b955d625bf5df818c1178af2267270aedec93bc47da8f17b59eaeca2
AUX keystone-folsom-4-CVE-2013-2059.patch 2340 SHA256 9c3a1d953abd719c55c77fd13295c0aa5caf730a4656f3a111a1bfc1d92a282c SHA512 c6f50ed21c95c7be256f0a15ef804eaf16f32fec038be53742ce85b9a303f4c613728c95af606aafd779009f298a68517668594a590fa40258dbbb6646c3fbed WHIRLPOOL 723b4d0e5573a2e7473e4613fcfc717d1e0d90ff18a7559baa7fe0a21c6c5fcb84648afcb227ea9231ed87738e0c17cf79153287d2d6b14a65974a67e78dbd2f
@@ -14,26 +16,26 @@ AUX keystone.initd 1245 SHA256 16f50903b74dd21ef0641333e013f2c6b661590ee519b6f6c
AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5
DIST keystone-2012.2.4.tar.gz 555448 SHA256 ab3a9a6c1f8ef9b95a73920883294f888f298db6330b8d4ed43e28354e8ca7af SHA512 481bde4372525c92144059c94d95ddac95dc720e486428f2e7ad1d5e0c6c2b6eb9a17be40f83c5866b522a512a2a3d331a08498c6704b794fea343fc2c0c1d93 WHIRLPOOL 243d9fe82988fd6057ffdae7971b570cb129a168fba3f6a38ea105fadc51e7e9fbfd29d88bb389572fc00cfbe0cc17e9e4c4f4ebf9d61ff589148b1b0c171558
DIST keystone-2013.1.3.tar.gz 799651 SHA256 e097170ebb1cf22de50f2d5ab2216a5116ffe0934720dbad8b02d61c370b8261 SHA512 0d0a5f6902f78c5962ee19d29645081380d247a22d4de942a28e7fa28a4f6dca396114d94c6e8188d618b4de12d3b90187a4832575b37394a2b84c5eb9592876 WHIRLPOOL d74459c5e4f64287c3734384c075523ed2b88d4e4d044e5d45345009f2ce9b98d708367dcb3cc968df90b97972d0fd52d49ffb289a1982533370e5f9b075833b
-EBUILD keystone-2012.2.4-r6.ebuild 2740 SHA256 12aa067203a588a93f2f1da80d6fbf1bde8518addb32938028735e28235e05ea SHA512 26a7fae98ae28cd749f89f66b76ebe16c1124fcaf78c87354a98b4bce583fa1005a9bb9875d8574239fa1d6ed64ca48035818d50715a344580c6bc576f51c26c WHIRLPOOL 551b2a7f9004d552998881d73e116aa62643bb82a0232da7fe34663874fc75dfe88ac0925ea95a72f639d61b769e7d6a754334431f4785caf9899e595d2fe61a
-EBUILD keystone-2013.1.3.ebuild 2976 SHA256 2a20baff08b1a09ac51c1de0f214e8ab758d264d2da74223e26491ee03486ef9 SHA512 391c0b833f1de04030abd996dd14c8361e27ee2adaf7db6b5a8a0632f1b1d55b240a662e593f0f25abef0ef2cd766d321b210b503379ee1f904448e3a9c047bb WHIRLPOOL 4253883fe0c682301d0aab615e0edcad9620795bf7cf24782d42366707cbd34a057d5424c10b24ad57d81861e59553c74a322d61a896ba3982b35d4280cb0075
+EBUILD keystone-2012.2.4-r7.ebuild 2791 SHA256 27ce95c013742fcba83a1dc8a0afe55255bb961815de447063f85356abf69cae SHA512 ad23ebf40fe647e5159cbfce92fe53f3bb3c0bbc6cea5d4bfd6f02a5a64f8bdcfa1fdc0576827b42a3b0491c437ea760a346a4c47635515ee440998465620893 WHIRLPOOL d27995dbfca7f164408d2cc6f5287bbd0de6d09218fa88d8e16a60aad40768fcc3302a1a6a4a04479086c091ba3626f6f97cf46a2c960f3b60515d6ff3eb5b01
+EBUILD keystone-2013.1.3-r1.ebuild 3031 SHA256 9e8d5c65055eb7362704cf83b90ab7111e598f0b8a9582e77c1447854a857e52 SHA512 b84ce60a9d51bded4ac7c6519b0aa53e95d3b3717e2f1bf80372bc339351f00eede55c56d56d919e1a532432d1cd6a80aca4a6e30e63f29fac271b7ad2531da3 WHIRLPOOL 3ec1d5449e6bf39ec2960f573ad8b49ccac9eb08de3106dc3e06f40f281c19b17e9a7a237ec5f58ba6499cd7e8585a123758d5b86226c1e65efd4167aba0b221
EBUILD keystone-2013.1.9999.ebuild 2859 SHA256 d3ea8321720c2ace785900affc03531f4774405cfb57eb1bc58460cfec9f6d89 SHA512 6bc083d4dab8dea112ebcd32c1016a6e78b4fc96f4c3fb5dbb6ea5ece142bf781328b0cf9a568d15413ee44d73b99a5ab895037fcf248530441fd66d54ff3dd2 WHIRLPOOL 20cf4775024c9bc1bdcdc9668538c037ae671efa759447a709939ba0ed86f5093c1f5665233769b12bfdd642123d44ccccdda06f0469fb735579056cff5cc64a
EBUILD keystone-9999.ebuild 2942 SHA256 048862e16792a3de401129f16b01fdfedbbcebc0f126dd1a39fb63c0118cd030 SHA512 767dccb4ce53d3162156f965c97bb4d33ff6d1d7dfd5efaa3a223d66915694f2d946e6e7774b73ac1c4f5a42af6228dafd3f30d3fb57da59bc293bae141a18a7 WHIRLPOOL 944e87af5b6a7f4276d49751d0b578052257c833350a568e7dd031f138b20a1714e38874f4992486fd8ca51d83e01516c055a244c634ec35e931149d120fdbc2
-MISC ChangeLog 6196 SHA256 cceff3b78d07888b5004853a8bab4bddccc54d4622baa6b3a095cc92a6377714 SHA512 4168f656a0f7e4966a319188269eb2d2c3b6571324ae0890c3ff0625f4d0e73d123275e21e58da0f4273523d8dbc44dcad540356237707ab82799a495997e3d3 WHIRLPOOL 5916276ba81afe9a552aaca6e2898eb023729a54287dedc4780791bc8b9c56dea3f4d3a41178bdd07f59c98e36629818dc8bcfcfd21dc37bf4ccb370c7f12f14
+MISC ChangeLog 6579 SHA256 50de7e8a86a6f1ef8d04d7e047cb9908c7a9b65060a59660c2699371302702aa SHA512 b4635410af93a013485c9e1b095c5b7c4c288efaea3efba1585abc06ccf44d3acd9c3cc5a113fb5c921e27292f26f87fbecd73c35c5e23ca2b2d59af390b3b08 WHIRLPOOL cc38c58a1128e76aa3614dd08756d5038120018760e333bb292fdc6899748c4e222fc4f134cd97027f6c09d8e77d6b6338edcb2160f00bb3a36aa0140e495238
MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
-iQIcBAEBCAAGBQJSEZCPAAoJECRx6z5ArFrDFTsQAJCcvrWOpSAKRbGWyq9ePL+4
-BuDOVn+oBa+0RBavR5qb8pVvXEHVLggq/A89/7pB4cqi6G1jtKDRuRBloCWNN7TO
-KjKAe6sv/cQ7ZuIBfwXi6qV+WWeFbuZ+dzIP42OKkxeXhSUJ3CbcN+uZ4YXIJvJZ
-n9XVHF45+h690cLNH+p7St6Jd+t1ILqyK042CEiBTSrHVlNf5SKpaiRDUgj2iYFh
-TpIrcr8dg3XJKb9yrc5iEajQUsf+2PM5PFtMbfIMJUa7HySO6UUujHKydj7su/5n
-yqSsBSNw5sz59BeJWeYHqPdNTlWjXk8ip2nkaA3hy+N9nH5Woe5g9T5B37nVK0wj
-7SJ6jvU9ss0jxo440JQM1PSRikaOeIZMgpydmradZoh2cZ0ApGtSlUi7wUNBWiGU
-fqQqK0bqQw/hX4OiDmFAKmnkSbcZdcGxkceq0zWACsIlwIRTmXtr0BJpFlAsIQio
-qQ6HTnPipoJ7GvYJcKHg8+M/0UB810GV/NSJe0ehza/KPaVZaKEuvAKYKaQA1oBp
-s9tem6WVm0Ob6grEFjYYLOWM2SeoEGURtX+cRI4/R/SG23HHj+GQWrdyNofXiwYj
-2JYJdYQ7tZMXmi6O/5tfZNfX0gzAMLaCdA2qhLC4XZiQcB4fslyzX3YZ38HVIX9N
-mDFgogI0EhniBjesqSSj
-=5Ixl
+iQIcBAEBCAAGBQJSMJQ5AAoJECRx6z5ArFrDDHEQAN/szHyi9lFgicUTgKHz17VU
+ctVCPpgw2BGDkBseUOkkiVuhK+KIaRHneEynJC8WjicfbpVBszbalkRos089SXpC
+Ujn1mSYWaaMTfQpiWYBZlkr0sIHqiI6NEOWwpeL8HOFDyRZYYmRK3tX7uLkEz3u6
+dTqQt/CO3BFqTXWt2mae8Zl6j3nDg9GjsTVp07Ue7IOFU3+HZ9Sc8KiFzn676ZSi
+v0AbxB2rL6NOx5X0w4rBV2+7zOcsYCX1TLBbnWq/UT67cq6gToBRnqE2AjKzgqmi
+lapYe9it6z6fuCl3cn3xNGQoVtdtsk43voFydYsZVrFANzn4+ATUoxKZEOd1wDrw
+sMAWFGs9JXAAnkPxjtyNvtX1R1VHArG91hs7mQqrBft7oSCLd1iU0c1VeCngSpS0
+7Z+ycPyXYN1hv2nRyHgGAxwUBP4pDgAkGeBtgqEVCYntdiShvfJxwHM9/4fq7BO5
+uiVXTk3G+sRlfir+8ajunnNMdjTJFy7WB4/B7Ct6i0TR7SmqrmyTEf3NbaXsd8Z4
+tKZcnGNKPa/a6AEGD3Y4Tw8vR7Lj6+kcLqQn8iE9r6BLMFQFQLAvrf4cS81PHHBU
+6zkYm/fRYUc7HhHk/ERXpj1U1sywmRZAKESO/XjeOI3+vNPRFaa9ZRjp8htJw6J/
+uuz2TJzub2PxHqg8ICH9
+=AvOU
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
new file mode 100644
index 000000000000..2d9e9b5a1ea4
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
@@ -0,0 +1,143 @@
+From 8ef8be4af315d50edd661d8a5e846d260a5a3ce2 Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:10:28 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I07257b3704895a2af2654aa863f0b910122666da
+---
+ keystone/token/backends/kvs.py | 2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py | 48 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 51 insertions(+), 11 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 123e12f..e5e0ee2 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -81,7 +81,7 @@ class Token(kvs.Base, token.Driver):
+ if not token.startswith('revoked-token-'):
+ continue
+ record = {}
+- record['id'] = token_ref['id']
++ record['id'] = token[len('revoked-token-'):]
+ record['expires'] = token_ref['expires']
+ tokens.append(record)
+ return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index e4fa69a..815c392 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -82,8 +82,9 @@ class Token(token.Driver):
+ raise exception.UnexpectedError(msg)
+ return copy.deepcopy(data_copy)
+
+- def _add_to_revocation_list(self, data):
+- data_json = jsonutils.dumps(data)
++ def _add_to_revocation_list(self, token_id, token_data):
++ data_json = jsonutils.dumps({'id': token_id,
++ 'expires': token_data['expires']})
+ if not self.client.append(self.revocation_key, ',%s' % data_json):
+ if not self.client.add(self.revocation_key, data_json):
+ if not self.client.append(self.revocation_key,
+@@ -93,10 +94,11 @@ class Token(token.Driver):
+
+ def delete_token(self, token_id):
+ # Test for existence
+- data = self.get_token(self.token_to_key(token_id))
+- ptk = self._prefix_token_id(self.token_to_key(token_id))
++ token_id = self.token_to_key(token_id)
++ data = self.get_token(token_id)
++ ptk = self._prefix_token_id(token_id)
+ result = self.client.delete(ptk)
+- self._add_to_revocation_list(data)
++ self._add_to_revocation_list(token_id, data)
+ return result
+
+ def list_tokens(self, user_id, tenant_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 0a56cdb..3798e37 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,9 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import copy
+ import datetime
+-import uuid
+ import default_fixtures
++import hashlib
++import uuid
+
+ from keystone.catalog import core
+ from keystone import exception
+@@ -628,19 +630,29 @@ class IdentityTests(object):
+
+
+ class TokenTests(object):
++ def _create_token_id(self):
++ # Token must start with MII here otherwise it fails the asn1 test
++ # and is not hashed in a SQL backend.
++ token_id = "MII"
++ for i in range(1, 20):
++ token_id += uuid.uuid4().hex
++ return token_id
++
+ def test_token_crud(self):
+ token_id = uuid.uuid4().hex
+ data = {'id': token_id, 'a': 'b',
+ 'user': {'id': 'testuserid'}}
+ data_ref = self.token_api.create_token(token_id, data)
+- expires = data_ref.pop('expires')
++ data_ref_copy = copy.deepcopy(data_ref)
++ expires = data_ref_copy.pop('expires')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertDictEqual(data_ref, data)
++ self.assertDictEqual(data_ref_copy, data)
+
+ new_data_ref = self.token_api.get_token(token_id)
+- expires = new_data_ref.pop('expires')
++ new_data_ref_copy = copy.deepcopy(new_data_ref)
++ expires = new_data_ref_copy.pop('expires')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertEquals(new_data_ref, data)
++ self.assertEquals(new_data_ref_copy, data)
+
+ self.token_api.delete_token(token_id)
+ self.assertRaises(exception.TokenNotFound,
+@@ -758,6 +770,32 @@ class TokenTests(object):
+ self.check_list_revoked_tokens([self.delete_token()
+ for x in xrange(2)])
+
++ def test_predictable_revoked_pki_token_id(self):
++ token_id = self._create_token_id()
++ token_id_hash = hashlib.md5(token_id).hexdigest()
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id_hash, revoked_ids)
++ self.assertNotIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
++ def test_predictable_revoked_uuid_token_id(self):
++ token_id = uuid.uuid4().hex
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
+
+ class CommonHelperTests(test.TestCase):
+ def test_format_helper_raises_malformed_on_missing_key(self):
+--
+1.8.2.1 (Apple Git-45)
+
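Review bot: The new `_add_to_revocation_list(self, token_id, token_data)` in keystone/token/backends/memcache.py has no docstring saying that `token_id` must already be the backend key, which is the contract this fix depends on. `delete_token` now converts the id with `self.token_to_key(token_id)` before the call, and `test_predictable_revoked_pki_token_id` asserts that the hashed id is in the revocation list and the raw id is not, so a later caller passing the raw PKI token would presumably bring the mismatch back unnoticed. I would add `"""Record a revoked token; token_id must be the token_to_key() result, never the raw PKI token."""` under the signature. The same applies to the grizzly patch in this commit, where the conversion is `token.unique_id(token_id)`. The function body continues past the end of the embedded hunk, so the rest of it is not covered here.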
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
new file mode 100644
index 000000000000..d789ea38443c
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
@@ -0,0 +1,139 @@
+From a20dcd159f9bf98e5605a3d13d4ba8de9aa1533e Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:53:26 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5
+---
+ keystone/token/backends/kvs.py | 2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py | 47 +++++++++++++++++++++++++++++++------
+ 3 files changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 49f15ad..1935b41 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver):
+ if not token.startswith('revoked-token-'):
+ continue
+ record = {}
+- record['id'] = token_ref['id']
++ record['id'] = token[len('revoked-token-'):]
+ record['expires'] = token_ref['expires']
+ tokens.append(record)
+ return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index a62f342..c2c9b51 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -84,8 +84,9 @@ class Token(token.Driver):
+ raise exception.UnexpectedError(msg)
+ return copy.deepcopy(data_copy)
+
+- def _add_to_revocation_list(self, data):
+- data_json = jsonutils.dumps(data)
++ def _add_to_revocation_list(self, token_id, token_data):
++ data_json = jsonutils.dumps({'id': token_id,
++ 'expires': token_data['expires']})
+ if not self.client.append(self.revocation_key, ',%s' % data_json):
+ if not self.client.add(self.revocation_key, data_json):
+ if not self.client.append(self.revocation_key,
+@@ -95,10 +96,11 @@ class Token(token.Driver):
+
+ def delete_token(self, token_id):
+ # Test for existence
+- data = self.get_token(token.unique_id(token_id))
+- ptk = self._prefix_token_id(token.unique_id(token_id))
++ token_id = token.unique_id(token_id)
++ data = self.get_token(token_id)
++ ptk = self._prefix_token_id(token_id)
+ result = self.client.delete(ptk)
+- self._add_to_revocation_list(data)
++ self._add_to_revocation_list(token_id, data)
+ return result
+
+ def list_tokens(self, user_id, tenant_id=None, trust_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 85ac7cf..d4c2e6c 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,10 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import copy
+ import datetime
+ import default_fixtures
++import hashlib
+ import uuid
+-import nose.exc
+
+ from keystone.catalog import core
+ from keystone import config
+@@ -2065,17 +2066,19 @@ class TokenTests(object):
+ 'trust_id': None,
+ 'user': {'id': 'testuserid'}}
+ data_ref = self.token_api.create_token(token_id, data)
+- expires = data_ref.pop('expires')
+- data_ref.pop('user_id')
++ data_ref_copy = copy.deepcopy(data_ref)
++ expires = data_ref_copy.pop('expires')
++ data_ref_copy.pop('user_id')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertDictEqual(data_ref, data)
++ self.assertDictEqual(data_ref_copy, data)
+
+ new_data_ref = self.token_api.get_token(token_id)
+- expires = new_data_ref.pop('expires')
+- new_data_ref.pop('user_id')
++ new_data_ref_copy = copy.deepcopy(new_data_ref)
++ expires = new_data_ref_copy.pop('expires')
++ new_data_ref_copy.pop('user_id')
+
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertEquals(new_data_ref, data)
++ self.assertEquals(new_data_ref_copy, data)
+
+ self.token_api.delete_token(token_id)
+ self.assertRaises(exception.TokenNotFound,
+@@ -2248,6 +2251,36 @@ class TokenTests(object):
+ self.check_list_revoked_tokens([self.delete_token()
+ for x in xrange(2)])
+
++ def test_predictable_revoked_pki_token_id(self):
++ # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the
++ # returned token str in master, but not in grizzly.
++ # revising _create_token_id() in grizzly to include the
++ # previx breaks several other tests here
++ token_id = 'MII' + self._create_token_id()
++ token_id_hash = hashlib.md5(token_id).hexdigest()
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id_hash, revoked_ids)
++ self.assertNotIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
++ def test_predictable_revoked_uuid_token_id(self):
++ token_id = uuid.uuid4().hex
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
+
+ class TrustTests(object):
+ def create_sample_trust(self, new_id):
+--
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
index e8eba2575642..33d6a7cff4ea 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r6.ebuild,v 1.1 2013/07/17 16:30:36 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r7.ebuild,v 1.1 2013/09/11 16:01:38 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -74,6 +74,7 @@ PATCHES=(
"${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
+ "${FILESDIR}/keystone-cve-2013-4294-folsom.patch"
"${FILESDIR}/2012.2.4-upstream-1181157.patch"
)
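Review bot: The added `"${FILESDIR}/keystone-cve-2013-4294-folsom.patch"` entry brings regression tests in tests/test_backend.py, but the comment near the top of this ebuild says tests are restricted, so the build apparently never runs them against the patched tree. The RESTRICT line itself is outside the visible hunks, so this is inferred from that comment. A comment above the entry would record it, for example `# CVE-2013-4294: revocation list must hold hashed token ids; the patch's tests are not run here (tests restricted)`. The same holds for the grizzly entry added in keystone-2013.1.3-r1.ebuild. The PATCHES array opens above this hunk.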
diff --git a/sys-auth/keystone/keystone-2013.1.3.ebuild b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
index 498607be2433..6a6023ca7840 100644
--- a/sys-auth/keystone/keystone-2013.1.3.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3.ebuild,v 1.1 2013/08/11 00:56:17 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r1.ebuild,v 1.1 2013/09/11 16:01:37 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
# dev-python/webtest
# )
PATCHES=(
+ "${FILESDIR}/keystone-cve-2013-4294-grizzly.patch"
)
# "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
#