Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/neutron/ChangeLog9
-rw-r--r--sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch218
-rw-r--r--sys-cluster/neutron/neutron-2013.1.5.ebuild (renamed from sys-cluster/neutron/neutron-2013.1.4-r1.ebuild)5
3 files changed, 11 insertions, 221 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog
index 8f61b7f37890..70c7d4536636 100644
--- a/sys-cluster/neutron/ChangeLog
+++ b/sys-cluster/neutron/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/neutron
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.24 2014/02/24 07:12:23 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.25 2014/03/23 20:27:12 prometheanfire Exp $
+
+*neutron-2013.1.5 (23 Mar 2014)
+
+ 23 Mar 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +neutron-2013.1.5.ebuild, -files/CVE-2013-6419_2013.1.4.patch,
+ -neutron-2013.1.4-r1.ebuild:
+ updating neutron/quantum
24 Feb 2014; Ian Delaney <idella4@gentoo.org> -neutron-2013.2.1.ebuild:
rm old 2013.2.1 by request of maintainer
diff --git a/sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch b/sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch
deleted file mode 100644
index abb8e5f83794..000000000000
--- a/sys-cluster/neutron/files/CVE-2013-6419_2013.1.4.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-commit 933a88e49428f0fbdeb78695279b0a4ce3715b12
-Author: Aaron Rosen <arosen@nicira.com>
-Date: Mon Oct 7 15:34:38 2013 -0700
-
- Add X-Tenant-ID to metadata request
-
- Previously, one could update a port's device_id to be that of another tenant's
- instance_id and then be able to retrieve that instance's metadata. In order
- to prevent this X-Tenant-ID is now passed in the metadata request to nova and
- nova then checks that X-Tenant-ID also matches the tenant_id for the instance
- against it's database to ensure it's not being spoofed.
-
- DocImpact - When upgrading OpenStack nova and neturon, neutron should be
- updated first (and neutron-metadata-agent restarted before nova is
- upgraded) in order to minimize downtime. This is because there is
- also a patch to nova which has checks X-Tenant-ID against it's
- database therefore neutron-metadata-agent needs to pass that
- before nova is upgraded for metadata to work.
-
- Fixes bug: 1235450
-
- Conflicts:
-
- quantum/agent/metadata/agent.py
-
-diff --git a/quantum/agent/metadata/agent.py b/quantum/agent/metadata/agent.py
-index 7bdfae8..e1abe93 100644
---- a/quantum/agent/metadata/agent.py
-+++ b/quantum/agent/metadata/agent.py
-@@ -83,9 +83,9 @@ class MetadataProxyHandler(object):
- try:
- LOG.debug(_("Request: %s"), req)
-
-- instance_id = self._get_instance_id(req)
-+ instance_id, tenant_id = self._get_instance_and_tenant_id(req)
- if instance_id:
-- return self._proxy_request(instance_id, req)
-+ return self._proxy_request(instance_id, tenant_id, req)
- else:
- return webob.exc.HTTPNotFound()
-
-@@ -95,7 +95,7 @@ class MetadataProxyHandler(object):
- 'Please try your request again.')
- return webob.exc.HTTPInternalServerError(explanation=unicode(msg))
-
-- def _get_instance_id(self, req):
-+ def _get_instance_and_tenant_id(self, req):
- qclient = self._get_quantum_client()
-
- remote_address = req.headers.get('X-Forwarded-For')
-@@ -116,12 +116,14 @@ class MetadataProxyHandler(object):
- fixed_ips=['ip_address=%s' % remote_address])['ports']
-
- if len(ports) == 1:
-- return ports[0]['device_id']
-+ return ports[0]['device_id'], ports[0]['tenant_id']
-+ return None, None
-
-- def _proxy_request(self, instance_id, req):
-+ def _proxy_request(self, instance_id, tenant_id, req):
- headers = {
- 'X-Forwarded-For': req.headers.get('X-Forwarded-For'),
- 'X-Instance-ID': instance_id,
-+ 'X-Tenant-ID': tenant_id,
- 'X-Instance-ID-Signature': self._sign_instance_id(instance_id)
- }
-
-diff --git a/quantum/tests/unit/test_metadata_agent.py b/quantum/tests/unit/test_metadata_agent.py
-index c81a237..0e74bcb 100644
---- a/quantum/tests/unit/test_metadata_agent.py
-+++ b/quantum/tests/unit/test_metadata_agent.py
-@@ -54,8 +54,9 @@ class TestMetadataProxyHandler(base.BaseTestCase):
-
- def test_call(self):
- req = mock.Mock()
-- with mock.patch.object(self.handler, '_get_instance_id') as get_id:
-- get_id.return_value = 'id'
-+ with mock.patch.object(self.handler,
-+ '_get_instance_and_tenant_id') as get_ids:
-+ get_ids.return_value = ('instance_id', 'tenant_id')
- with mock.patch.object(self.handler, '_proxy_request') as proxy:
- proxy.return_value = 'value'
-
-@@ -64,21 +65,23 @@ class TestMetadataProxyHandler(base.BaseTestCase):
-
- def test_call_no_instance_match(self):
- req = mock.Mock()
-- with mock.patch.object(self.handler, '_get_instance_id') as get_id:
-- get_id.return_value = None
-+ with mock.patch.object(self.handler,
-+ '_get_instance_and_tenant_id') as get_ids:
-+ get_ids.return_value = None, None
- retval = self.handler(req)
- self.assertIsInstance(retval, webob.exc.HTTPNotFound)
-
- def test_call_internal_server_error(self):
- req = mock.Mock()
-- with mock.patch.object(self.handler, '_get_instance_id') as get_id:
-- get_id.side_effect = Exception
-+ with mock.patch.object(self.handler,
-+ '_get_instance_and_tenant_id') as get_ids:
-+ get_ids.side_effect = Exception
- retval = self.handler(req)
- self.assertIsInstance(retval, webob.exc.HTTPInternalServerError)
- self.assertEqual(len(self.log.mock_calls), 2)
-
-- def _get_instance_id_helper(self, headers, list_ports_retval,
-- networks=None, router_id=None):
-+ def _get_instance_and_tenant_id_helper(self, headers, list_ports_retval,
-+ networks=None, router_id=None):
- headers['X-Forwarded-For'] = '192.168.1.1'
- req = mock.Mock(headers=headers)
-
-@@ -86,8 +89,7 @@ class TestMetadataProxyHandler(base.BaseTestCase):
- return {'ports': list_ports_retval.pop(0)}
-
- self.qclient.return_value.list_ports.side_effect = mock_list_ports
-- retval = self.handler._get_instance_id(req)
--
-+ instance_id, tenant_id = self.handler._get_instance_and_tenant_id(req)
- expected = [
- mock.call(
- username=FakeConf.admin_user,
-@@ -114,7 +116,7 @@ class TestMetadataProxyHandler(base.BaseTestCase):
-
- self.qclient.assert_has_calls(expected)
-
-- return retval
-+ return (instance_id, tenant_id)
-
- def test_get_instance_id_router_id(self):
- router_id = 'the_id'
-@@ -125,13 +127,14 @@ class TestMetadataProxyHandler(base.BaseTestCase):
- networks = ['net1', 'net2']
- ports = [
- [{'network_id': 'net1'}, {'network_id': 'net2'}],
-- [{'device_id': 'device_id'}]
-+ [{'device_id': 'device_id', 'tenant_id': 'tenant_id'}]
- ]
-
- self.assertEqual(
-- self._get_instance_id_helper(headers, ports, networks=networks,
-- router_id=router_id),
-- 'device_id'
-+ self._get_instance_and_tenant_id_helper(headers, ports,
-+ networks=networks,
-+ router_id=router_id),
-+ ('device_id', 'tenant_id')
- )
-
- def test_get_instance_id_router_id_no_match(self):
-@@ -145,10 +148,11 @@ class TestMetadataProxyHandler(base.BaseTestCase):
- [{'network_id': 'net1'}, {'network_id': 'net2'}],
- []
- ]
--
-- self.assertIsNone(
-- self._get_instance_id_helper(headers, ports, networks=networks,
-- router_id=router_id),
-+ self.assertEqual(
-+ self._get_instance_and_tenant_id_helper(headers, ports,
-+ networks=networks,
-+ router_id=router_id),
-+ (None, None)
- )
-
- def test_get_instance_id_network_id(self):
-@@ -158,12 +162,14 @@ class TestMetadataProxyHandler(base.BaseTestCase):
- }
-
- ports = [
-- [{'device_id': 'device_id'}]
-+ [{'device_id': 'device_id',
-+ 'tenant_id': 'tenant_id'}]
- ]
-
- self.assertEqual(
-- self._get_instance_id_helper(headers, ports, networks=['the_id']),
-- 'device_id'
-+ self._get_instance_and_tenant_id_helper(headers, ports,
-+ networks=['the_id']),
-+ ('device_id', 'tenant_id')
- )
-
- def test_get_instance_id_network_id_no_match(self):
-@@ -174,8 +180,10 @@ class TestMetadataProxyHandler(base.BaseTestCase):
-
- ports = [[]]
-
-- self.assertIsNone(
-- self._get_instance_id_helper(headers, ports, networks=['the_id'])
-+ self.assertEqual(
-+ self._get_instance_and_tenant_id_helper(headers, ports,
-+ networks=['the_id']),
-+ (None, None)
- )
-
- def _proxy_request_test_helper(self, response_code=200, method='GET'):
-@@ -190,7 +198,8 @@ class TestMetadataProxyHandler(base.BaseTestCase):
- with mock.patch('httplib2.Http') as mock_http:
- mock_http.return_value.request.return_value = (resp, 'content')
-
-- retval = self.handler._proxy_request('the_id', req)
-+ retval = self.handler._proxy_request('the_id', 'tenant_id',
-+ req)
- mock_http.assert_has_calls([
- mock.call().request(
- 'http://9.9.9.9:8775/the_path',
-@@ -198,7 +207,8 @@ class TestMetadataProxyHandler(base.BaseTestCase):
- headers={
- 'X-Forwarded-For': '8.8.8.8',
- 'X-Instance-ID-Signature': 'signed',
-- 'X-Instance-ID': 'the_id'
-+ 'X-Instance-ID': 'the_id',
-+ 'X-Tenant-ID': 'tenant_id'
- },
- body=body
- )]
diff --git a/sys-cluster/neutron/neutron-2013.1.4-r1.ebuild b/sys-cluster/neutron/neutron-2013.1.5.ebuild
index 97e4ebe156bd..a98adc2117aa 100644
--- a/sys-cluster/neutron/neutron-2013.1.4-r1.ebuild
+++ b/sys-cluster/neutron/neutron-2013.1.5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.1.4-r1.ebuild,v 1.3 2014/01/08 05:57:29 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2013.1.5.ebuild,v 1.1 2014/03/23 20:27:12 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -67,7 +67,8 @@ RDEPEND=">=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
openvswitch? ( net-misc/openvswitch )
dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
-PATCHES=( "${FILESDIR}/CVE-2013-6419_2013.1.4.patch" )
+PATCHES=(
+)
pkg_setup() {
enewgroup neutron
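Review bot: The `PATCHES` change drops the CVE-2013-6419 backport (the X-Tenant-ID check on metadata requests), but neither the ebuild nor the ChangeLog entry "updating neutron/quantum" records that the 2013.1.5 tarball already contains that fix. Presumably it does, since the patch file is deleted in the same commit, but this should be confirmed against the release's `quantum/agent/metadata/agent.py` and stated, for example in the ChangeLog as `drop CVE-2013-6419 patch, fix included upstream in 2013.1.5`. The empty `PATCHES=(` / `)` pair left behind is dead residue and could be removed outright. The deleted patch's DocImpact note (upgrade neutron and restart neutron-metadata-agent before upgrading nova) still matters to anyone taking this bump, so it is worth surfacing in a `pkg_postinst` message. `pkg_setup` continues past the end of the hunk.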