Red Hat Bugzilla – Attachment 833742 Details for
Bug 1039164
CVE-2013-6391 OpenStack Keystone: trust circumvention through EC2-style tokens
[patch]
cve-2013-6391-master-icehouse.patch
cve-2013-6391-master-icehouse.patch (text/plain), 6.78 KB, created by
Kurt Seifried
on 2013-12-06 19:48:54 UTC
(
hide
)
Description:
cve-2013-6391-master-icehouse.patch
Filename:
MIME Type:
Creator:
Kurt Seifried
Created:
2013-12-06 19:48:54 UTC
Size:
6.78 KB
patch
obsolete
>From 1ef499203e0f462b7d9ee6eeb3e36ec20ef66037 Mon Sep 17 00:00:00 2001
>From: Steven Hardy <shardy@redhat.com>
>Date: Mon, 21 Oct 2013 19:49:01 +0100
>Subject: [PATCH] Fix issues handling trust tokens via ec2tokens API
>
>Trust scoped tokens are handled incorectly when making requests
>via the ec2tokens API, meaning that the restrictions enforced
>by trust-scoped tokens are not respected when obtaining a token
>via ec2token signature validation.
>
>Storing the trust_id in the blob associated with the ec2 keypair,
>and passing that id in the metadata when requesting a v2 token
>solves the issue.
>
>Change-Id: I52566384d7813ef0e2f20fb94a5076386457ff02
>Closes-Bug: #1242597
>---
> keystone/contrib/ec2/controllers.py | 19 ++++++++++--
> keystone/tests/test_keystoneclient_sql.py | 50 ++++++++++++++++++++++++++++---
> 2 files changed, 63 insertions(+), 6 deletions(-)
>
>diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
>index e6f98f3..f6c2163 100644
>--- a/keystone/contrib/ec2/controllers.py
>+++ b/keystone/contrib/ec2/controllers.py
>@@ -107,6 +107,11 @@ class Ec2Controller(controller.V2Controller):
> self.assignment_api.get_roles_for_user_and_project(
> user_ref['id'], tenant_ref['id']))
>
>+ trust_id = creds_ref.get('trust_id')
>+ if trust_id:
>+ metadata_ref['trust_id'] = trust_id
>+ metadata_ref['trustee_user_id'] = user_ref['id']
>+
> # Validate that the auth info is valid and nothing is disabled
> token.validate_auth_info(self, user_ref, tenant_ref)
>
>@@ -147,8 +152,10 @@ class Ec2Controller(controller.V2Controller):
>
> self._assert_valid_user_id(user_id)
> self._assert_valid_project_id(tenant_id)
>+ trust_id = self._context_trust_id(context)
> blob = {'access': uuid.uuid4().hex,
>- 'secret': uuid.uuid4().hex}
>+ 'secret': uuid.uuid4().hex,
>+ 'trust_id': trust_id}
> credential_id = utils.hash_access_key(blob['access'])
> cred_ref = {'user_id': user_id,
> 'project_id': tenant_id,
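Review bot: The role list forwarded for the token, visible in the context lines at the top of this hunk, is still `get_roles_for_user_and_project(user_ref['id'], tenant_ref['id'])`, which by its name yields the user's whole role set on the project, while the new lines only annotate `metadata_ref` with `trust_id` and `trustee_user_id`; whether the roles delegated by the trust are actually enforced on this path therefore depends on the token-issuance code consumed downstream, which is outside this hunk (the TODO in the new test admits roles are not checked). The value recorded as `trustee_user_id` is `user_ref['id']`, and `user_ref` is resolved before the hunk starts; since the new test creates the keypair with `user_id` set to the trustor, that may be the trustor's id rather than the trustee's, so please confirm and document which user it is. A one-line comment above the block would help the next reader, e.g. `# The keypair was created under a trust-scoped token; propagate the trust so the issued token is trust-scoped as well.` The enclosing method begins before this hunk.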
>@@ -214,7 +221,8 @@ class Ec2Controller(controller.V2Controller):
> return {'user_id': credential.get('user_id'),
> 'tenant_id': credential.get('project_id'),
> 'access': blob.get('access'),
>- 'secret': blob.get('secret')}
>+ 'secret': blob.get('secret'),
>+ 'trust_id': blob.get('trust_id')}
>
> def _get_credentials(self, credential_id):
> """Return credentials from an ID.
>@@ -245,6 +253,13 @@ class Ec2Controller(controller.V2Controller):
> if token_ref['user'].get('id') != user_id:
> raise exception.Forbidden(_('Token belongs to another user'))
>
>+ def _context_trust_id(self, context):
>+ try:
>+ token_ref = self.token_api.get_token(context['token_id'])
>+ except exception.TokenNotFound as e:
>+ raise exception.Unauthorized(e)
>+ return token_ref.get('trust_id')
>+
> def _is_admin(self, context):
> """Wrap admin assertion error return statement.
>
>diff --git a/keystone/tests/test_keystoneclient_sql.py b/keystone/tests/test_keystoneclient_sql.py
>index 5ddc33e..20ed8de 100644
>--- a/keystone/tests/test_keystoneclient_sql.py
>+++ b/keystone/tests/test_keystoneclient_sql.py
>@@ -88,9 +88,11 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
> self.assertRaises(client_exceptions.NotFound, client.endpoints.delete,
> id=endpoint.id)
>
>- def _send_ec2_auth_request(self, credentials):
>+ def _send_ec2_auth_request(self, credentials, client=None):
>+ if not client:
>+ client = self.default_client
> url = '%s/ec2tokens' % self.default_client.auth_url
>- (resp, token) = self.default_client.request(
>+ (resp, token) = client.request(
> url=url, method='POST',
> body={'credentials': credentials})
> return resp, token
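Review bot: `_context_trust_id` in the second hunk on this line has no docstring, although the neighbouring private helpers shown in the same hunk (`_get_credentials`, `_is_admin`) each carry one; something like `"""Return the trust_id of the token in ``context``, or None if it is not trust-scoped; raises Unauthorized if the token is unknown."""` would match the file's style. Note also that `context['token_id']` is evaluated inside the `try`, but a context lacking the `token_id` key raises KeyError, which the `except exception.TokenNotFound` clause does not catch; if callers can reach this helper with a context that has no token, that case deserves explicit handling or a comment saying it cannot happen.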
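Review bot: In `_send_ec2_auth_request` the URL is still formatted from `self.default_client.auth_url` although the request is now sent through the caller-supplied `client`, so a client pointing at a different auth endpoint would still post to the default one; the line should read `url = '%s/ec2tokens' % client.auth_url`. The new fallback `if not client:` would also read better as `if client is None:`, unless a falsy client object is deliberately meant to trigger the default.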
>@@ -99,9 +101,12 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
> cred = self. default_client.ec2.create(
> user_id=self.user_foo['id'],
> tenant_id=self.tenant_bar['id'])
>- signer = ec2_utils.Ec2Signer(cred.secret)
>+ return self._generate_user_ec2_credentials(cred.access, cred.secret)
>+
>+ def _generate_user_ec2_credentials(self, access, secret):
>+ signer = ec2_utils.Ec2Signer(secret)
> credentials = {'params': {'SignatureVersion': '2'},
>- 'access': cred.access,
>+ 'access': access,
> 'verb': 'GET',
> 'host': 'localhost',
> 'path': '/service/cloud'}
>@@ -115,6 +120,43 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
> self.assertEqual(resp.status_code, 200)
> self.assertIn('access', token)
>
>+ def test_ec2_auth_success_trust(self):
>+ # Add "other" role user_foo and create trust delegating it to user_two
>+ self.assignment_api.add_role_to_user_and_project(
>+ self.user_foo['id'],
>+ self.tenant_bar['id'],
>+ self.role_other['id'])
>+ trust_id = 'atrust123'
>+ trust = {'trustor_user_id': self.user_foo['id'],
>+ 'trustee_user_id': self.user_two['id'],
>+ 'project_id': self.tenant_bar['id'],
>+ 'impersonation': True}
>+ roles = [self.role_other]
>+ self.trust_api.create_trust(trust_id, trust, roles)
>+
>+ # Create a client for user_two, scoped to the trust
>+ client = self.get_client(self.user_two)
>+ ret = client.authenticate(trust_id=trust_id,
>+ tenant_id=self.tenant_bar['id'])
>+ self.assertTrue(ret)
>+ self.assertTrue(client.auth_ref.trust_scoped)
>+ self.assertEqual(trust_id, client.auth_ref.trust_id)
>+
>+ # Create an ec2 keypair using the trust client impersonating user_foo
>+ cred = client.ec2.create(user_id=self.user_foo['id'],
>+ tenant_id=self.tenant_bar['id'])
>+ credentials, signature = self._generate_user_ec2_credentials(
>+ cred.access, cred.secret)
>+ credentials['signature'] = signature
>+ resp, token = self._send_ec2_auth_request(credentials)
>+ self.assertEqual(resp.status_code, 200)
>+ self.assertEqual(trust_id, token['access']['trust']['id'])
>+ #TODO(shardy) we really want to check the roles and trustee
>+ # but because of where the stubbing happens we don't seem to
>+ # hit the necessary code in controllers.py _authenticate_token
>+ # so although all is OK via a real request, it incorrect in
>+ # this test..
>+
> def test_ec2_auth_failure(self):
> from keystoneclient import exceptions as client_exceptions
>
>--
>1.8.3.1
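Review bot: `test_ec2_auth_success_trust` calls `self._send_ec2_auth_request(credentials)` without the `client` argument that the earlier hunk in this file added, so nothing in this patch appears to exercise the new parameter; either send the request through the trust-scoped `client` here or drop the parameter (the rest of the file is not visible, so another caller may exist). The closing comment also needs tidying: `#TODO(shardy)` should be `# TODO(shardy)` per PEP 8, and `it incorrect in this test` should read `it is incorrect in this test`. Since the test only asserts `token['access']['trust']['id']`, it would help to state in the TODO which assertions on the roles and on `trustee_user_id` are expected once the stubbing allows them, so the coverage gap stays visible.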