Package: python-keystoneclient / 1:0.10.1-2

CVE-2014-7144_Fix_the_condition_expression_for_ssl_insecure.patch Patch series | download
Description: CVE-2014-7144, Fix the condition expression for ssl_insecure
 In the existing code, self.ssl_insecure is a string. If the insecure
 option is set in nova api-paste.ini, then whether it is 'true' or
 'false', kwargs['verify'] will become False. This commit corrects
 the condition expression. This patch is backported from
 https://review.openstack.org/#/c/113191/
Author: Qin Zhao <chaochin@gmail.com>
Origin: upstream, https://review.openstack.org/#/c/112232/
Date: Wed, 6 Aug 2014 07:47:58 +0000 (+0800)
X-Git-Tag: 0.11.0^2
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fpython-keystoneclient.git;a=commitdiff_plain;h=5c9c97f1a5dffe5964e945bf68d009fd68e616fc
Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
Bug-Ubuntu: https://bugs.launchpad.net/python-keystoneclient/+bug/1353315
Bug-Debian: https://bugs.debian.org/762749
Last-Update: 2014-09-25

Index: python-keystoneclient/keystoneclient/middleware/auth_token.py
===================================================================
--- python-keystoneclient.orig/keystoneclient/middleware/auth_token.py	2014-09-17 23:48:35.000000000 +0800
+++ python-keystoneclient/keystoneclient/middleware/auth_token.py	2014-09-25 20:30:43.000000000 +0800
@@ -423,6 +423,27 @@
     return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
 
 
+def _conf_values_type_convert(conf):
+    """Convert conf values into correct type."""
+    if not conf:
+        return {}
+    _opts = {}
+    opt_types = dict((o.dest, o.type) for o in opts)
+    for k, v in six.iteritems(conf):
+        try:
+            if v is None:
+                _opts[k] = v
+            else:
+                _opts[k] = opt_types[k](v)
+        except KeyError:
+            _opts[k] = v
+        except ValueError as e:
+            raise ConfigurationError(
+                'Unable to convert the value of %s option into correct '
+                'type: %s' % (k, e))
+    return _opts
+
+
 class InvalidUserToken(Exception):
     pass
 
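Review bot: The `except KeyError` in `_conf_values_type_convert` covers both the `opt_types[k]` lookup and the converter call, so a KeyError raised inside a converter would be swallowed and the raw string kept, which is the truthy-string condition this patch exists to remove. Only ValueError is mapped to ConfigurationError, so any other conversion failure (a TypeError, for example) would propagate unwrapped. Looking the converter up first and keeping the `try` around the conversion alone limits the pass-through to options that are not registered in `opts`. Whether any registered type can actually raise KeyError is not visible in this hunk, so treat this as hardening rather than a confirmed bug.

```python
    for k, v in six.iteritems(conf):
        convert = opt_types.get(k)
        if v is None or convert is None:
            # Unregistered option or unset value: keep it as given.
            _opts[k] = v
            continue
        try:
            _opts[k] = convert(v)
        except ValueError as e:
            # … unchanged: raise ConfigurationError naming the option and the error …
```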
@@ -462,7 +483,10 @@
             'This middleware module is deprecated as of v0.10.0 in favor of '
             'keystonemiddleware.auth_token - please update your WSGI pipeline '
             'to reference the new middleware package.')
-        self.conf = conf
+        # NOTE(wanghong): If options are set in paste file, all the option
+        # values passed into conf are string type. So, we should convert the
+        # conf value into correct type.
+        self.conf = _conf_values_type_convert(conf)
         self.app = app
 
         # delay_auth_decision means we still allow unauthenticated requests
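Review bot: The NOTE above `self.conf = _conf_values_type_convert(conf)` explains the string-typing problem but not why it matters for security, so a later refactor could drop the conversion without noticing the consequence. I would extend it with something like `# A non-empty string such as 'false' is truthy, so an unconverted 'insecure' value disabled TLS certificate verification (CVE-2014-7144).` The fix also only takes effect for options registered in `opts` with a non-string type, and that registration is not visible in this hunk, so it should be confirmed for `insecure`. The enclosing `__init__` starts and ends outside the hunk.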
Index: python-keystoneclient/keystoneclient/tests/test_auth_token_middleware.py
===================================================================
--- python-keystoneclient.orig/keystoneclient/tests/test_auth_token_middleware.py	2014-09-17 23:48:35.000000000 +0800
+++ python-keystoneclient/keystoneclient/tests/test_auth_token_middleware.py	2014-09-25 20:30:43.000000000 +0800
@@ -532,6 +532,29 @@
         self.assertEqual(middleware.token_revocation_list_cache_timeout,
                          datetime.timedelta(seconds=24))
 
+    def test_conf_values_type_convert(self):
+        conf = {
+            'revocation_cache_time': '24',
+            'identity_uri': 'https://keystone.example.com:1234',
+            'include_service_catalog': '0',
+            'nonexsit_option': '0',
+        }
+
+        middleware = auth_token.AuthProtocol(self.fake_app, conf)
+        self.assertEqual(datetime.timedelta(seconds=24),
+                         middleware.token_revocation_list_cache_timeout)
+        self.assertEqual(False, middleware.include_service_catalog)
+        self.assertEqual('https://keystone.example.com:1234',
+                         middleware.identity_uri)
+        self.assertEqual('0', middleware.conf['nonexsit_option'])
+
+    def test_conf_values_type_convert_with_wrong_value(self):
+        conf = {
+            'include_service_catalog': '123',
+        }
+        self.assertRaises(auth_token.ConfigurationError,
+                          auth_token.AuthProtocol, self.fake_app, conf)
+
 
 class CommonAuthTokenMiddlewareTest(object):
     """These tests are run once using v2 tokens and again using v3 tokens."""
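Review bot: Neither new test exercises the option the CVE is about. `test_conf_values_type_convert` covers an integer, a boolean passed as `'0'`, a URI and an unregistered key, but never sets `insecure`. A regression test should pin that a paste-style string `'false'` leaves certificate verification on, for example `middleware = auth_token.AuthProtocol(self.fake_app, {'insecure': 'false'})` followed by `self.assertFalse(middleware.ssl_insecure)`. The attribute name is taken from the patch description and should be checked against the class. The enclosing test class starts outside the hunk.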