Red Hat Bugzilla – Attachment 697335 Details for
Bug 910928
CVE-2013-0282 OpenStack Keystone: EC2-style authentication accepts disabled user/tenants
[patch]
keystone-validate-auth-info.grizzly.201302121030-CVE-2013-0282.txt
keystone-validate-auth-info.grizzly.201302121030-CVE-2013-0282.txt (text/plain), 5.80 KB, created by
Kurt Seifried
on 2013-02-14 18:37:35 UTC
Description:
keystone-validate-auth-info.grizzly.201302121030-CVE-2013-0282.txt
Filename:
MIME Type:
Creator:
Kurt Seifried
Created:
2013-02-14 18:37:35 UTC
Size:
5.80 KB
patch
obsolete
>diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
>index e96575d..95199f5 100644
>--- a/keystone/contrib/ec2/core.py
>+++ b/keystone/contrib/ec2/core.py
>@@ -161,6 +161,10 @@ class Ec2Controller(controller.V2Controller):
> user_id=user_ref['id'],
> tenant_id=tenant_ref['id'])
>
>+ # Validate that the auth info is valid and nothing is disabled
>+ auth_info = (user_ref, tenant_ref, metadata_ref)
>+ token.validate_auth_info(self, context, auth_info)
>+
> # TODO(termie): optimize this call at some point and put it into the
> # the return for metadata
> # fill out the roles in the metadata
>diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
>index 6213402..ef31180 100644
>--- a/keystone/token/controllers.py
>+++ b/keystone/token/controllers.py
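Review bot: The new call `token.validate_auth_info(self, context, auth_info)` hands the Ec2Controller instance to a module-level function that, in the token/core.py hunk, dereferences `self.identity_api` for the domain checks; this only works if Ec2Controller has `identity_api` available, which is not visible in this hunk and deserves a comment such as `# validate_auth_info uses self.identity_api to resolve the user's and tenant's domain`. The check also runs after `tenant_ref['id']` has already been dereferenced in the context lines above, so an absent tenant fails before the helper's `if tenant_ref:` guard is reached rather than with the Unauthorized it raises; acceptable if the EC2 path always resolves a tenant, but the error path differs from the token controller. The enclosing method starts and ends outside the hunk.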
>@@ -76,45 +76,10 @@ class Auth(controller.V2Controller):
> auth_token_data, auth_info = self._authenticate_local(
> context, auth)
>
>+ core.validate_auth_info(self, context, auth_info)
> user_ref, tenant_ref, metadata_ref = auth_info
>
>- # If the user is disabled don't allow them to authenticate
>- if not user_ref.get('enabled', True):
>- msg = 'User is disabled: %s' % user_ref['id']
>- LOG.warning(msg)
>- raise exception.Unauthorized(msg)
>-
>- # If the user's domain is disabled don't allow them to authenticate
>- # TODO(dolph): remove this check after default-domain migration
>- if user_ref.get('domain_id') is not None:
>- user_domain_ref = self.identity_api.get_domain(
>- context,
>- user_ref['domain_id'])
>- if user_domain_ref and not user_domain_ref.get('enabled', True):
>- msg = 'Domain is disabled: %s' % user_domain_ref['id']
>- LOG.warning(msg)
>- raise exception.Unauthorized(msg)
>-
> if tenant_ref:
>- # If the project is disabled don't allow them to authenticate
>- if not tenant_ref.get('enabled', True):
>- msg = 'Tenant is disabled: %s' % tenant_ref['id']
>- LOG.warning(msg)
>- raise exception.Unauthorized(msg)
>-
>- # If the project's domain is disabled don't allow them to
>- # authenticate
>- # TODO(dolph): remove this check after default-domain migration
>- if tenant_ref.get('domain_id') is not None:
>- project_domain_ref = self.identity_api.get_domain(
>- context,
>- tenant_ref['domain_id'])
>- if (project_domain_ref and
>- not project_domain_ref.get('enabled', True)):
>- msg = 'Domain is disabled: %s' % project_domain_ref['id']
>- LOG.warning(msg)
>- raise exception.Unauthorized(msg)
>-
> catalog_ref = self.catalog_api.get_catalog(
> context=context,
> user_id=user_ref['id'],
>diff --git a/keystone/token/core.py b/keystone/token/core.py
>index 68bd94c..5f8d67f 100644
>--- a/keystone/token/core.py
>+++ b/keystone/token/core.py
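Review bot: `core.validate_auth_info(self, context, auth_info)` uses a name `core` that this hunk does not import; unless keystone/token/controllers.py already has `from keystone.token import core` in scope (not visible here), `Auth.authenticate` would raise NameError on every request precisely at the point where the disabled checks used to run, so confirm the import before merging. With the inline checks removed, `LOG` in this module may now be unused as well, which is worth checking since the rest of the file is not shown. The `if tenant_ref:` branch now holds only the catalog lookup, and a reader will wonder where the tenant checks went; a one-liner such as `# Disabled user/tenant/domain are rejected by core.validate_auth_info above` would explain it. The enclosing method continues outside the hunk.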
>@@ -20,12 +20,14 @@ import datetime
>
> from keystone.common import cms
> from keystone.common import dependency
>+from keystone.common import logging
> from keystone.common import manager
> from keystone import config
> from keystone import exception
> from keystone.openstack.common import timeutils
>
>
>+LOG = logging.getLogger(__name__)
> CONF = config.CONF
> config.register_int('expiration', group='token', default=86400)
>
>@@ -55,6 +57,55 @@ def default_expire_time():
> return timeutils.utcnow() + expire_delta
>
>
>+def validate_auth_info(self, context, auth_info):
>+ """Validate user, tenant, metadata auth_info.
>+
>+ Validate the user, tenant and metadata auth_into in order to ensure
>+ that user, tenant, or metadata information is valid and not disabled.
>+ Consolidate the checks here to ensure consistency between token auth
>+ and ec2 auth.
>+
>+ """
>+ user_ref, tenant_ref, metadata_ref = auth_info
>+ # If the user is disabled don't allow them to authenticate
>+ if not user_ref.get('enabled', True):
>+ msg = 'User is disabled: %s' % user_ref['id']
>+ LOG.warning(msg)
>+ raise exception.Unauthorized(msg)
>+
>+ # If the user's domain is disabled don't allow them to authenticate
>+ # TODO(dolph): remove this check after default-domain migration
>+ if user_ref.get('domain_id') is not None:
>+ user_domain_ref = self.identity_api.get_domain(
>+ context,
>+ user_ref['domain_id'])
>+ if user_domain_ref and not user_domain_ref.get('enabled', True):
>+ msg = 'Domain is disabled: %s' % user_domain_ref['id']
>+ LOG.warning(msg)
>+ raise exception.Unauthorized(msg)
>+
>+ if tenant_ref:
>+ # If the project is disabled don't allow them to authenticate
>+ if not tenant_ref.get('enabled', True):
>+ msg = 'Tenant is disabled: %s' % tenant_ref['id']
>+ LOG.warning(msg)
>+ raise exception.Unauthorized(msg)
>+
>+ # If the project's domain is disabled don't allow them to
>+ # authenticate
>+ # TODO(dolph): remove this check after default-domain migration
>+ if tenant_ref.get('domain_id') is not None:
>+ project_domain_ref = self.identity_api.get_domain(
>+ context,
>+ tenant_ref['domain_id'])
>+ if (project_domain_ref and
>+ not project_domain_ref.get('enabled', True)):
>+ msg = 'Domain is disabled: %s' % project_domain_ref['id']
>+ LOG.warning(msg)
>+ raise exception.Unauthorized(msg)
>+ return
>+
>+
> @dependency.provider('token_api')
> class Manager(manager.Manager):
> """Default pivot point
for the Token backend.
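Review bot: The docstring of `validate_auth_info` says the metadata is validated, but `metadata_ref` is unpacked on the first body line and never inspected, and the docstring also misspells `auth_into`; reword it to state that the function rejects disabled users, tenants and their domains and does not examine metadata, and unpack as `user_ref, tenant_ref, _metadata_ref = auth_info` to make that explicit. Naming the first parameter `self` on a module-level function hides that any object exposing `identity_api` would do; `controller` is clearer, but renaming is only safe if both call sites in this patch are updated together since they pass it positionally. The trailing bare `return` is redundant and can be dropped. Every check falls back to enabled when the `enabled` key is absent (`get('enabled', True)`), carried over unchanged from the controller; that is fail-open for any backend that omits the attribute, so a short comment recording the assumption would help future readers.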