author | 2013-05-28 16:35:01 +0000 | |
---|---|---|
committer | 2013-05-28 16:35:01 +0000 | |
commit | 1e651b2cf7cd34e2045959f18d664cefbc7fafa5 (patch) | |
tree | 93356a46095355f46e0d98e022952e0f86703f65 /sys-auth | |
parent | amd64, x86 stable. bug #471408 (diff) | |
fix for keystone 2012.2.4 CVE-2013-2104
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 9 | ||||
-rw-r--r-- | sys-auth/keystone/Manifest | 31 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2104.patch | 202 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.4-r4.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r3.ebuild) | 4 |
4 files changed, 228 insertions, 18 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog index d427f47e952b..d9d54804d28c 100644 --- a/sys-auth/keystone/ChangeLog +++ b/sys-auth/keystone/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-auth/keystone # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.18 2013/05/17 15:35:49 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.19 2013/05/28 16:34:39 prometheanfire Exp $ + +*keystone-2012.2.4-r4 (28 May 2013) + + 28 May 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/keystone-folsom-4-CVE-2013-2104.patch, +keystone-2012.2.4-r4.ebuild, + -keystone-2012.2.4-r3.ebuild: + fix for keystone 2012.2.4 CVE-2013-2104 *keystone-2012.2.4-r3 (17 May 2013) diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest index e71d47dd021c..3f1d0e08bbc7 100644 --- a/sys-auth/keystone/Manifest +++ b/sys-auth/keystone/Manifest 
@@ -4,31 +4,32 @@ Hash: SHA256 AUX keystone-folsom-4-CVE-2013-1977.patch 1114 SHA256 af81df239364cab3f94b14636359a19e6c8474f8282d2c174e3e75208fa508c6 SHA512 e9139487cdf6185d0405fd034a48c451c15ab568ebb6d4e58c2c50160ef8dc6b926a31fd0b31c646ecfccf68f2b667d9577bbe6e169ef28f8abfc06ae9031210 WHIRLPOOL c2ed7858f514f3d4a45303b0a307eb259c3c53373160ad35afcb7012ca63f9360d152f4869745579b678d990ed6f929ef050b1c68683bac656123a0aea394ec0 AUX keystone-folsom-4-CVE-2013-2030.patch 2318 SHA256 fd824a4000da663568f26dbcfa6de031911ebdca1dea2c0958b3d5398d4d9ba6 SHA512 6b00a6d9062dd418299f9f02891fbfaa86f8f69db394ccfff31367555d1d7dbad1cf0d5a8647b61addeaabd2107b9f75cdc1986df8186de5c428f33533abffab WHIRLPOOL 842c4adb14c4a4501ea84c0082c0f28295027e27fee9957eafea6db9397a26c4955eb355b955d625bf5df818c1178af2267270aedec93bc47da8f17b59eaeca2 AUX keystone-folsom-4-CVE-2013-2059.patch 2340 SHA256 9c3a1d953abd719c55c77fd13295c0aa5caf730a4656f3a111a1bfc1d92a282c SHA512 c6f50ed21c95c7be256f0a15ef804eaf16f32fec038be53742ce85b9a303f4c613728c95af606aafd779009f298a68517668594a590fa40258dbbb6646c3fbed WHIRLPOOL 723b4d0e5573a2e7473e4613fcfc717d1e0d90ff18a7559baa7fe0a21c6c5fcb84648afcb227ea9231ed87738e0c17cf79153287d2d6b14a65974a67e78dbd2f +AUX keystone-folsom-4-CVE-2013-2104.patch 11353 SHA256 5c2f86b572453cbf7d08f0a423a649ba1ddedf1eb0d825527430dc67804ec235 SHA512 8beb3ce69c889dcdcb258d062934927252e833a06010cbafc7b16047253e77e47c71830846e9e566c721b6e8b33d64ce2ebf59deb2d34df7a9e5c14d0034c290 WHIRLPOOL de1dc8b758d3974a4b4dbab03d6c5138a978658c92024c10706bf99213cecb823c4c76d64ddcb632eba366ce0fd34fa2c45071150460b688d79f6e457b509918 AUX keystone-grizzly-1-CVE-2013-1977.patch 1545 SHA256 a052c366ed38f4a40e10809080da9106400de59224323b21ef5e609f71674c52 SHA512 59b4cd7a83bc662d9e0459fefe6a5d8a3976fd653220d9248c97a8007af45d23cc0bb38bbba378bdaf5951c70901bbebde709b1717980fb3741da11a21d30573 WHIRLPOOL 
e2e1f5f9c02edd07a3e738ca8d6997a64df65a147c75d19d0d269712a3b92b77506c0941d131a9183ccea6f0ffed13a1e5e746d39555675c5cb132ff5ade1020 AUX keystone.confd 67 SHA256 8faa32d3354df30b1d1c98cf481be162c27583b84e387f8da57611b689bc2448 SHA512 75b040eda6ef8701e8dac8f34b3dd3c96aedde3b005fac01f20592b3d8afb8bbce57fadc466cda69d7192f96460a5c704d941a16b96d02f3e80f1a3e264c2efe WHIRLPOOL 8e8cb4e8991ca8d8cf1e874bd2286900ca63379c73793bca906ecfc1318ee63a8af6d1f6090e9ef296bfbe5abf018368a5ad6430de1efdea0db626d8c697f3c4 AUX keystone.initd 1177 SHA256 fcf7e532f2f3fad8413455f67d8e9c4c0522ff99e69bd95d4fff49d2dfa243ac SHA512 a0281f5fdd96963d9479a3463e6b5f1947a2c3c8694e464d4d293ef237392bed796ec7b8431e1add7b73334ed5e11158347f35ab562edda5f7aa7bdb9b05e51e WHIRLPOOL d819103e6f2bdd7ca4d5ab2f645f8ca168cc46567ff7c2d00cb2d536c08319aaa472b06b8f98cf2b6de940089f444e7aa752e4c9deeb849a834108394dfe1862 AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5 DIST keystone-2012.2.4.tar.gz 555448 SHA256 ab3a9a6c1f8ef9b95a73920883294f888f298db6330b8d4ed43e28354e8ca7af SHA512 481bde4372525c92144059c94d95ddac95dc720e486428f2e7ad1d5e0c6c2b6eb9a17be40f83c5866b522a512a2a3d331a08498c6704b794fea343fc2c0c1d93 WHIRLPOOL 243d9fe82988fd6057ffdae7971b570cb129a168fba3f6a38ea105fadc51e7e9fbfd29d88bb389572fc00cfbe0cc17e9e4c4f4ebf9d61ff589148b1b0c171558 DIST keystone-2013.1.1.tar.gz 791324 SHA256 a00664dd20adf36e1e78a6b29f49f7947e2f2426c0ae375f8acde01e75bdb579 SHA512 7d4fd0cd649f783214dc3aad48853682db529fa336631e601d55c6b45355dbc670bcabf76f642db6808c5d46aae70062eb8fe5c5e3a20247954beb5a6c4fda7b WHIRLPOOL 
96df00049325cc96c1b54ebecbb95cf8d47f0e580703ce8b8942e1e4f75604a98fc33f2972a1b1dffbba2225c502a692d7f84241ffc1f66da27f6a325789e08c -EBUILD keystone-2012.2.4-r3.ebuild 2643 SHA256 e5f8eb30741c50ab131dbc5ebe4edf5605e29eff1fa779155b97fd6c8ca1edb4 SHA512 a0230b889a21a8c4863aa7a550d74597573d39adc0310f9a682f39b1529a62593dd1e55132723672ab6465fff533da586fa5534fa1c898a07a2ecf1c85972cef WHIRLPOOL 986c7ccadfbae63c2f2d43ca25870e5b7d8167f105ac64465252931c7eea36899d8249fb23f0427178c9d6ddfd3703d0b0e387d4139937648aa5d808d3d6d9f5 +EBUILD keystone-2012.2.4-r4.ebuild 2640 SHA256 b41240e50c6f943523f619c3c8f2001f3ab03f6de4070d8c1a61274a8cb5abde SHA512 7eb59189fab88d910d201d2a1099af1317327e9544dbba65803055f4a13958c9c676c7b807b68ab197c9c72a0a94991ccfdf8a88a917ff92b4315ac3507a62b1 WHIRLPOOL 6dd2f64318c2d15ad96b3d91f7c0054c011f1d5f0483c4f36957b59052e13c8a02d8fe9eed8300e3c85033c2f1863f04301a3263227a9c6d8e7eb79d928621fd EBUILD keystone-2013.1.1.ebuild 2920 SHA256 e6290cedad04b9c6801ce9c73a1b4e2b25cce8a53b3057c51b8880cabd36d2d3 SHA512 283de4603b1788135cbbe0ff31c26fa9290067cd945941093cbcd844ae37388577775c6e320db6353e8e3b1c664700a06a00c73584396c1a135fc1bf27ab6aed WHIRLPOOL 06fde096d6a034a1d2e2e5dd3ead39c4c6a63faa5bc741b18ef31b7a38809b6696aabc9b7f3cf342f03efe28ca149c8fea8c318e48e42dca0e5e150c7ade113b EBUILD keystone-9999.ebuild 2942 SHA256 048862e16792a3de401129f16b01fdfedbbcebc0f126dd1a39fb63c0118cd030 SHA512 767dccb4ce53d3162156f965c97bb4d33ff6d1d7dfd5efaa3a223d66915694f2d946e6e7774b73ac1c4f5a42af6228dafd3f30d3fb57da59bc293bae141a18a7 WHIRLPOOL 944e87af5b6a7f4276d49751d0b578052257c833350a568e7dd031f138b20a1714e38874f4992486fd8ca51d83e01516c055a244c634ec35e931149d120fdbc2 -MISC ChangeLog 4092 SHA256 6a9eb15117588a682275c888d37ae6cf03ef237550f540a607664ff376fae7df SHA512 2665b408ee044d55f4b37b3d084dd47e4e95e055d19ca712a5c8920cc2f51f5404807a00668eab275cd64c592f017a763cebed6ef2cc0db7aad7608933d8db36 WHIRLPOOL 
438b5a505624c637f8a12f2b31724f5e11cc77ff8ce39333c6886f97e2e51d24326d66a40059aeeda07df71b61013ac22c98d0c98f45adda81c7659e2d54f3fd +MISC ChangeLog 4339 SHA256 dd2a2082a4b9eabcc66c84ff8542eebb8e4dcccee3fbcebe2355eb16f075eed3 SHA512 184d9577c63754d27bab6dfcd3c7221d96f73c000e71efbee8b2a0f1fbc5fa66de9b1fd7d934e168c95ad9958324ceba68802e063a83f5085231ff556cc65622 WHIRLPOOL b23b2d4a0332b7074a3a65616d13d5e91fc700f26c2840cefa3bd4a46426523e5cb4cadb7f6d32ec0b25fed090fc12fc211b56981d2efbff11e920095b6f317a MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iQIcBAEBCAAGBQJRlk6WAAoJECRx6z5ArFrDFz8P/31wI20UY09HM9vxWkq6v9dK -Y/Klby/gfugzjjqsnbkHNNPqDxCEr9RNSw3vMfgjR8oi4GSKzp2nBgGNJ3FiV+Ts -TSo7WYet2bdo+TcDRLOUfOmpEisf9MMO8W6p8IGrclIdiZyeEOnplYI2ZMitF+Mb -Gi0aO0Hpljvj6QU/XpCy54IC/De6ZiUvUtenhv0aW82vfEIGdSbjvwZbfMwoqG9F -+ae03wTGMTj7QesCu8iNkB8qJdD+n2oWzfip6P4xVYWurAea+oCkTrYoFKOxEjt/ -zEleqPbMNGEeuAVlCLaN8rEmk/Y4mfkF6T/QsNX4rN45NIYssOQ14sSTwnAOdI1y -moleidpJzYYu8I20xLofUXT8HfBa8w6BAQ0FpcLljDhhGz7AIgEM6JRGL5K/XQyr -jcZVufyptuS29c5BFszlpkF+2bXp0Ed6wk0KiAS+nQch+WVC56CmXDmXhJHi88CA -eLfgxvcRhqxJuufAVbIEaarIHQmr0FU+ItDVdsym0AlBYPsxCw/PfY9730tryP/z -b4Ng/WeZmdfNumk9X1D0v9yI5FnIHclx1fY922LnOJ8h68W3wKo9LndD3R4xxV3E -PurS937WPynpuqsmZSyINHa9GeOvIXvc0Ot3ews3uj7/AeXvuxb3XAj0xZoBibsN -F1W2ReIntHlAfuLPrbDQ -=VJ4j +iQIcBAEBCAAGBQJRpNz3AAoJECRx6z5ArFrDMZkQAIl4+n8LbKFf1fMhyKSmH1ok +xNmghaCqVwGfdyPzGsjMMTHrTbqSXXfL19MBxvoAXAOg/qWAckBqg9mlkduGBawS +jGuU69ThfmTcL6s+rmmYmjT0nS8wFkW5n52YBv5+4r1bIf5mA+HPxTqqwdzJLjev +lRFIgHAzwduALUE5NErv1wYXJfE4ddoY46e4GOwQVRlL5jSXdntXmtDFggTEpLlA 
+kiZv8EyQg5pP2hN/QDiHcQM/LJREXHYBtUVTwJbZxpiVAdsBJxynZfyofHyERh+z +wk4eWoIWplQN+Ya2hC2P15+M5OnD3YbMcW/jr38UzvZIoqPaKSdcjxJylE9o9uhm +8rwgRtzvaNa58CVhuOeLBk9l7nQof6a6TuIpY14cGFup49hMCf1xMr77TvgykkE4 +N2tjN4lt+eLRVNgWQDqZEWKPVlj/Bv7v6kYe4Z1I5z+l7rj1NpEkEhXXXiId21ER +xQsKt9oO9VxD9JglAUo0iiZp1CqsM3Tm8isJdF9OAnt00V5Cn07ywZsEMp5xNcUt +ioktc37PRE3XEP3kcO0ERsEYOv4MSly+sSenBmVuFlAt6gcjkGzlPmLp2aGGR2mP +AAk7eQEhExR0LFcgHhY2+X2nnhQjpiu9IOlDOjt2XNe55TSBcnMahSFFGs9XrXhP +xO4PrOXeTUp8aR72ABAL +=mQuV -----END PGP SIGNATURE----- diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2104.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2104.patch new file mode 100644 index 000000000000..c3fb33fd712f --- /dev/null +++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2104.patch 
@@ -0,0 +1,202 @@ +From 1d15ee512d0bebba23bdb997ae839bd6ab5d9317 Mon Sep 17 00:00:00 2001 +From: Adam Young <ayoung@redhat.com> +Date: Mon, 13 May 2013 16:07:51 -0400 +Subject: [PATCH] Check token Expiration + +Backport for Folsom. + +Bug 1179615 + +Change-Id: I8516d87ffc72cf35d3bff6fc21cb5324da4ad2bb +--- + keystone/middleware/auth_token.py | 26 +++++++++++------- + tests/signing/Makefile | 2 +- + tests/signing/auth_token_revoked.pem | 10 +++---- + tests/signing/auth_token_scoped_expired.json | 1 + + tests/signing/auth_token_scoped_expired.pem | 40 ++++++++++++++++++++++++++++ + tests/test_auth_token_middleware.py | 10 +++++++ + 6 files changed, 74 insertions(+), 15 deletions(-) + create mode 100644 tests/signing/auth_token_scoped_expired.json + create mode 100644 tests/signing/auth_token_scoped_expired.pem + +diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py +index 01e6c58..f5e631a 100644 +--- a/keystone/middleware/auth_token.py ++++ b/keystone/middleware/auth_token.py +@@ -512,7 +512,8 @@ class AuthProtocol(object): + data = json.loads(verified) + else: + data = self.verify_uuid_token(user_token, retry) +- self._cache_put(token_id, data) ++ expires = self._confirm_token_not_expired(data) ++ self._cache_put(token_id, data, expires) + return data + except Exception as e: + LOG.debug('Token validation failure.', exc_info=True) +@@ -642,7 +643,19 @@ class AuthProtocol(object): + else: + LOG.debug('Cached Token %s seems expired', token) + +- def _cache_put(self, token, data): ++ def _confirm_token_not_expired(self, data): ++ if 'token' in data.get('access', {}): ++ timestamp = data['access']['token']['expires'] ++ expires = self._iso8601.parse_date(timestamp).strftime('%s') ++ else: ++ LOG.error('invalid token format') ++ raise InvalidUserToken('Token authorization failed') ++ if time.time() >= float(expires): ++ self.LOG.debug('Token expired a %s', timestamp) ++ raise InvalidUserToken('Token authorization failed') ++ return expires 
++ ++ def _cache_put(self, token, data, expires): + """Put token data into the cache. + + Stores the parsed expire date in cache allowing +@@ -650,12 +663,6 @@ class AuthProtocol(object): + """ + if self._cache and data: + key = 'tokens/%s' % token +- if 'token' in data.get('access', {}): +- timestamp = data['access']['token']['expires'] +- expires = self._iso8601.parse_date(timestamp).strftime('%s') +- else: +- LOG.error('invalid token format') +- return + LOG.debug('Storing %s token in memcache', token) + self._cache.set(key, + (data, expires), +@@ -693,7 +700,8 @@ class AuthProtocol(object): + additional_headers=headers) + + if response.status == 200: +- self._cache_put(user_token, data) ++ expires = self._confirm_token_not_expired(data) ++ self._cache_put(user_token, data, expires) + return data + if response.status == 404: + # FIXME(ja): I'm assuming the 404 status means that user_token is +diff --git a/tests/signing/Makefile b/tests/signing/Makefile +index b56c000..27f5ff8 100644 +--- a/tests/signing/Makefile ++++ b/tests/signing/Makefile +@@ -19,7 +19,7 @@ + + .SUFFIXES: .json .pem + +-SOURCES=auth_token_unscoped.json auth_token_scoped.json revocation_list.json ++SOURCES=auth_token_unscoped.json auth_token_scoped.json auth_token_scoped.json auth_token_scoped_expired.json revocation_list.json + SIGNED=$(SOURCES:.json=.pem) + TARGETS=$(SIGNED) + +diff --git a/tests/signing/auth_token_revoked.pem b/tests/signing/auth_token_revoked.pem +index 186c080..27cef18 100644 +--- a/tests/signing/auth_token_revoked.pem ++++ b/tests/signing/auth_token_revoked.pem +@@ -24,7 +24,7 @@ MC4wLjE6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVy + bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIuMCIsICJwdWJsaWNV + UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNf + bGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9u +-ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAxMi0wNi0wMlQxNDo0NzozNFoi 
++ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjExMi0wNi0wMlQxNDo0NzozNFoi + LCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJlbmFibGVkIjogdHJ1 + ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg + ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJyZXZv +@@ -33,8 +33,8 @@ LCAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAi + cm9sZTEifSwgeyJuYW1lIjogInJvbGUyIn1dLCAibmFtZSI6ICJyZXZva2VkX3Vz + ZXJuYW1lMSJ9fX0NCjGB9zCB9AIBATBUME8xFTATBgNVBAoTDFJlZCBIYXQsIElu + YzERMA8GA1UEBxMIV2VzdGZvcmQxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxCzAJ +-BgNVBAYTAlVTAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAXstA+yZ5N/cS +-+i7Mmlhi585cckvwSVAGj9huPTpqBItpbO44+U3yUojEwcghomtpygI/wzUa8Z40 +-UW/L3nGlATlOG833zhGvLKrp76GIitYMgk1e0OEmzGXeAWLnQZFev8ooMPs9rwYW +-MgEdAfDMWWqX+Tb7exdboLpRUiCQx1c= ++BgNVBAYTAlVTAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAdnQ5zU60aOc+ ++TGK+5ESmYbOllqe7QGkcB2fWzuiIY4/9l53X0m3ThYNzxeloJ0NgETLWoHO24xIi ++YoCUtAGP8BQI0D21Amg4Nb3jBxiwObzdONytEpAYOXxMq8pDMgboi8eU0esch1jJ ++r+9/uR3R/xksWkPtPsl+qnt/KpUsL+A= + -----END CMS----- +diff --git a/tests/signing/auth_token_scoped_expired.json b/tests/signing/auth_token_scoped_expired.json +new file mode 100644 +index 0000000..d36d8cf +--- /dev/null ++++ b/tests/signing/auth_token_scoped_expired.json +@@ -0,0 +1 @@ ++{"access": {"serviceCatalog": [{"endpoints": [{"adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne", "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a", "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"}], "endpoints_links": [], "type": "volume", "name": "volume"}, {"endpoints": [{"adminURL": "http://127.0.0.1:9292/v1", "region": "regionOne", "internalURL": "http://127.0.0.1:9292/v1", "publicURL": "http://127.0.0.1:9292/v1"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "region": "regionOne", "internalURL": 
"http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a", "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://127.0.0.1:35357/v2.0", "region": "RegionOne", "internalURL": "http://127.0.0.1:35357/v2.0", "publicURL": "http://127.0.0.1:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}],"token": {"expires": "2010-06-02T14:47:34Z", "id": "placeholder", "tenant": {"enabled": true, "description": null, "name": "tenant_name1", "id": "tenant_id1"}}, "user": {"username": "user_name1", "roles_links": ["role1","role2"], "id": "user_id1", "roles": [{"name": "role1"}, {"name": "role2"}], "name": "user_name1"}}} +diff --git a/tests/signing/auth_token_scoped_expired.pem b/tests/signing/auth_token_scoped_expired.pem +new file mode 100644 +index 0000000..8116b11 +--- /dev/null ++++ b/tests/signing/auth_token_scoped_expired.pem +@@ -0,0 +1,40 @@ ++-----BEGIN CMS----- ++MIIG9QYJKoZIhvcNAQcCoIIG5jCCBuICAQExCTAHBgUrDgMCGjCCBc4GCSqGSIb3 ++DQEHAaCCBb8EggW7eyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k ++cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx ++LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy ++ZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2 ++L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInB1YmxpY1VS ++TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh ++NjBmY2Y4OWJiNjYxN2EifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUi ++OiAidm9sdW1lIiwgIm5hbWUiOiAidm9sdW1lIn0sIHsiZW5kcG9pbnRzIjogW3si ++YWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwgInJlZ2lvbiI6 ++ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5 ++MjkyL3YxIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi ++fV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaW1hZ2UiLCAibmFt ++ZSI6ICJnbGFuY2UifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRw 
++Oi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5 ++YmI2NjE3YSIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjog ++Imh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYw ++ZmNmODliYjY2MTdhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3 ++NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSJ9XSwgImVu ++ZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJjb21wdXRlIiwgIm5hbWUiOiAi ++bm92YSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMjcu ++MC4wLjE6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVy ++bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIuMCIsICJwdWJsaWNV ++UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNf ++bGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9u ++ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAxMC0wNi0wMlQxNDo0NzozNFoi ++LCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJlbmFibGVkIjogdHJ1 ++ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg ++ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJ1c2Vy ++X25hbWUxIiwgInJvbGVzX2xpbmtzIjogWyJyb2xlMSIsInJvbGUyIl0sICJpZCI6 ++ICJ1c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAicm9sZTEifSwgeyJuYW1l ++IjogInJvbGUyIn1dLCAibmFtZSI6ICJ1c2VyX25hbWUxIn19fQ0KMYH/MIH8AgEB ++MFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNl ++dDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAH ++BgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgJP+wKRwFaPY8xXAolDd6gmlID41yuAw ++nd+IKeD54Ack0NI9h/M0Iv2LzTo0l84VbMOijmq++kbtdnDJ2pn4VAoNk7dQcTTy ++lz2c78Xnu0NXvq7gsPRF4zDtIpjHbUXJ3ZRPHs342suG7Tb4nvQAbxYMJQHSN10k ++W6w+gEeN7t7V ++-----END CMS----- +diff --git a/tests/test_auth_token_middleware.py b/tests/test_auth_token_middleware.py +index e6893ee..dfe424f 100644 +--- a/tests/test_auth_token_middleware.py ++++ b/tests/test_auth_token_middleware.py +@@ -154,6 +154,9 @@ def setUpModule(self): + signing_path = os.path.join(os.path.dirname(__file__), 'signing') + with open(os.path.join(signing_path, 'auth_token_scoped.pem')) as f: + self.SIGNED_TOKEN_SCOPED = 
cms.cms_to_token(f.read()) ++ with open(os.path.join(signing_path, ++ 'auth_token_scoped_expired.pem')) as f: ++ self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read()) + with open(os.path.join(signing_path, 'auth_token_unscoped.pem')) as f: + self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) + with open(os.path.join(signing_path, 'auth_token_revoked.pem')) as f: +@@ -612,6 +615,13 @@ class AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest): + self.middleware(req.environ, self.start_fake_response) + self.assertEqual(self.middleware._cache.set_value, None) + ++ def test_expired(self): ++ req = webob.Request.blank('/') ++ token = SIGNED_TOKEN_SCOPED_EXPIRED ++ req.headers['X-Auth-Token'] = token ++ self.middleware(req.environ, self.start_fake_response) ++ self.assertEqual(self.response_status, 401) ++ + def test_memcache_set_invalid(self): + req = webob.Request.blank('/') + req.headers['X-Auth-Token'] = 'invalid-token' +-- +1.8.1.5 + diff --git a/sys-auth/keystone/keystone-2012.2.4-r3.ebuild b/sys-auth/keystone/keystone-2012.2.4-r4.ebuild index b4e12026585f..884f158b46f6 100644 --- a/sys-auth/keystone/keystone-2012.2.4-r3.ebuild +++ b/sys-auth/keystone/keystone-2012.2.4-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r3.ebuild,v 1.1 2013/05/17 15:35:49 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r4.ebuild,v 1.1 2013/05/28 16:34:39 prometheanfire Exp $ EAPI=5 #test restricted becaues of bad requirements given (old webob for instance) @@ -63,7 +63,6 @@ RDEPEND="${DEPEND} # >=dev-python/webob-1.0.8 # dev-python/webtest # ) -#PATCHES=( "${FILESDIR}"/keystone_test-requires.patch ) # #python_test() { # "${PYTHON}" setup.py nosetests || die 
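Review bot: In the embedded keystone/middleware/auth_token.py change, `_confirm_token_not_expired` computes the expiry with `self._iso8601.parse_date(timestamp).strftime('%s')`, and `%s` is a platform-specific strftime extension that, where supported, treats the broken-down time as local time and ignores the parsed tzinfo. On a host whose timezone is not UTC, the `time.time() >= float(expires)` check is therefore skewed by the UTC offset, so a token can be accepted past its expiry or rejected early depending on the sign of the offset. A timezone-safe form is `expires = calendar.timegm(self._iso8601.parse_date(timestamp).utctimetuple())`; it needs `calendar` imported in a part of the module the patch does not show, and the cached value becomes an int rather than a string. The expired branch also logs through `self.LOG.debug('Token expired a %s', timestamp)` while the rest of the function uses the module-level `LOG`; unless `AuthProtocol` defines a `LOG` attribute (not visible here), that line raises AttributeError instead of InvalidUserToken, so it should read `LOG.debug('Token expired at %s', timestamp)`. Both call sites sit in methods that start and end outside the embedded hunks, and the second one (under `if response.status == 200:`) shows no surrounding `except Exception`, so it is worth confirming that path still ends in a 401.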
@@ -73,6 +72,7 @@ PATCHES=( "${FILESDIR}/keystone-folsom-4-CVE-2013-2030.patch" "${FILESDIR}/keystone-folsom-4-CVE-2013-2059.patch" "${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch" + "${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch" ) python_install() { |