Starting in bandit 1.5.0, sha-1 will trip
[B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
However, there are surely clusters out there that have users with
sha-1-hashed passwords, so we can't simply rip it out. A deprecation
period is probably in order, but in the meantime this unblocks the
gate.
Change-Id: I65ff882b1a1cb52ec522e41baa29e4420cd889bd
The unicode() built-in does not exist under Python 3 so use
six.text_type, which is set correctly to str or unicode, instead.
Change-Id: Ieb29486c99400b4a10ce642cb3adc83f5e4420f6
Previously, Swift3 used client-facing HTTP headers to pass the S3 access
key, signature, and normalized request through the WSGI pipeline.
However, swauth did not validate that Swift3 actually set the headers;
as a result, an attacker who has captured a single valid request through
the S3 API may impersonate the user that issued the request indefinitely
through the Swift API.
Now, the S3 authentication information will be taken from a separate,
client-inaccessible namespace in the WSGI environment as defined in the
related change.
UpgradeImpact
This addresses a breaking API change in Swift3. No currently deployed
version of Swift3 will work with this. When upgrading swauth, operators
will need to upgrade Swift3 as well.
Change-Id: Ie5481a316397f46734e9dd0e77a8a87197ceec16
Related-Change: Ia3fbb4938f0daa8845cba4137a01cc43bc1a713c
Swauth uses token value as object name. Object names are logged in proxy
and object servers. Anybody with access to proxy/object server logs can
see token values. Attacker can use this token to access user's data in
Swift store. Instead of token, hashed token (with HASH_PATH_PREFIX and
HASH_PATH_SUFFIX) is used as object name now.
WARNING: In deployments without memcached this patch logs out all users
because tokens became invalid.
CVE-2017-16613
SecurityImpact
Closes-Bug: #1655781
Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c
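The token-concealment change described in the commit message above, as an added example that is not swauth's own code. The SHA-512 construction, the path layout, the secrets and the names `concealed_token_name`, `token_object_path` and `TokenStore` are assumptions made for illustration.

```python
import hashlib

# Constructed cluster secrets; in a real cluster these come from swift.conf.
HASH_PATH_PREFIX = b"constructed-prefix"
HASH_PATH_SUFFIX = b"constructed-suffix"


def concealed_token_name(token):
    """Derive the object name from a token so the token never appears in a path."""
    # Assumption: SHA-512 over prefix:token:suffix. The commit message only
    # states that HASH_PATH_PREFIX and HASH_PATH_SUFFIX take part in the hash.
    material = b":".join([HASH_PATH_PREFIX, token.encode("utf-8"), HASH_PATH_SUFFIX])
    return hashlib.sha512(material).hexdigest()


def token_object_path(token, conceal=True):
    """Path of the token object; conceal=False reproduces the pre-fix naming."""
    name = concealed_token_name(token) if conceal else token
    return "/v1/AUTH_.auth/.token/%s" % name  # constructed path layout


class TokenStore:
    """In-memory stand-in for the token container plus the server access log."""

    def __init__(self, conceal=True):
        self.conceal = conceal
        self.objects = {}
        self.log = []

    def _touch(self, method, token):
        # Every request path is logged, as proxy and object servers do.
        path = token_object_path(token, self.conceal)
        self.log.append('127.0.0.1 "%s %s" 200' % (method, path))
        return path

    def put(self, token, user):
        self.objects[self._touch("PUT", token)] = user

    def lookup(self, token):
        return self.objects.get(self._touch("GET", token))


if __name__ == "__main__":
    token = "AUTH_tk_constructed_0123456789"  # constructed sample token
    for conceal in (False, True):
        store = TokenStore(conceal)
        store.put(token, "alice")
        store.lookup(token)
        leaked = any(token in line for line in store.log)
        print("conceal=%s token visible in logs: %s" % (conceal, leaked))
```

A value read from the logs of the concealing store is the hash, not the token, so presenting it as a token hashes it again and finds nothing. Token objects written under the old raw name are likewise no longer found, which is the logout effect the WARNING describes.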
swauth already uses PBR:
    setuptools.setup(
        setup_requires=['pbr>=1.8'],
        pbr=True)
This patch removes `MANIFEST.in` file as pbr generates a
sensible manifest from git files and some standard files
and it removes the need for an explicit `MANIFEST.in` file.
Change-Id: Idb30c13b6c75129e07e46cbdd75a4aa92dcb5858
Closes-Bug: #1608980
Amazon S3 compatibility:
Due to security concerns raised, this change makes S3 support tunable
using a config option and is turned off by default.
Change-Id: I077f78946983f5d6b3b725dd6aa3ed178dc5604e
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Currently, the input to HMAC function is the entire stored credential
in the format '<salt>$<hash>' but it should rather be only the hashed
key/password.
With this change, validate_creds() method is invoked and only the hash
of the password is used in HMAC computation.
Change-Id: I1a9bbcac6f49c23f3256572f148e55249a59f7ed
Signed-off-by: Prashanth Pai <ppai@redhat.com>