CVE-2017-2673 / OSSA-2017-004 fix
* CVE-2017-2673 (OSSA-2017-004): Incorrect role assignment with federated Keystone. Applied upstream patch: Do not fetch group assignments without groups (Closes: #861189). Change-Id: Id70da1f4651c056e49e5a4d94271402487002452
This commit is contained in:
parent
b68ebfe9d2
commit
e60ca5852b
@ -1,3 +1,11 @@
keystone (2:10.0.0-9) unstable; urgency=high
* CVE-2017-2673 (OSSA-2017-004): Incorrect role assignment with federated
Keystone. Applied upstream patch: Do not fetch group assignments without
groups (Closes: #861189).
-- Thomas Goirand <zigo@debian.org> Tue, 25 Apr 2017 22:29:13 +0200
keystone (2:10.0.0-8) unstable; urgency=medium
* Do not use /sbin/route at all, and use ip only if it is available. The
71
debian/patches/CVE-2017-2673_do_not_fetch_group_assignments_without_groups.patch
@ -0,0 +1,71 @@
Description: CVE-2017-2673: Do not fetch group assignments without groups
Without the change, the method fetched all assignments for a project
or domain, regardless of who has the assignment, user or group. This
led to situation when federated user without groups could scope a token
with other user's rules.
.
Return empty list of assignments if no groups were passed.
Author: Boris Bobrov <breton@cynicmansion.ru>
Date: Tue, 25 Apr 2017 14:20:36 +0000 (+0000)
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=05a129e54573b6cbda1ec095f4526f2b9ba90a90
Bug-Ubuntu: https://launchpad.net/bugs/1677723
Bug-Debian: https://bugs.debian.org/861189
Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
Origin: upstream, https://review.openstack.org/#/c/459713/
Last-Update: 2017-04-25
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index e549abb..6a6717a 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -165,6 +165,11 @@ class Manager(manager.Manager):
def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
"""Get a list of roles for this group on domain and/or project."""
+ # if no group ids were passed, there are no roles. Without this check,
+ # all assignments for the project or domain will be fetched,
+ # which is not what we want.
+ if not group_ids:
+ return []
if project_id is not None:
self.resource_api.get_project(project_id)
assignment_list = self.list_role_assignments(
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index f3e9baa..1a7ce40 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
self.assertEqual(0, len(token_groups))
+ def test_issue_scoped_token_no_groups(self):
+ """Verify that token without groups cannot get scoped to project.
+
+ This test is required because of bug 1677723.
+ """
+ # issue unscoped token with no groups
+ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
+ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ token_resp = r.json_body
+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ self.assertEqual(0, len(token_groups))
+ unscoped_token = r.headers.get('X-Subject-Token')
+
+ # let admin get roles in a project
+ self.proj_employees
+ admin = unit.new_user_ref(CONF.identity.default_domain_id)
+ self.identity_api.create_user(admin)
+ self.assignment_api.create_grant(self.role_admin['id'],
+ user_id=admin['id'],
+ project_id=self.proj_employees['id'])
+
+ # try to scope the token. It should fail
+ scope = self._scope_request(
+ unscoped_token, 'project', self.proj_employees['id']
+ )
+ self.v3_create_token(
+ scope, expected_status=http_client.UNAUTHORIZED)
+
def test_issue_unscoped_token_malformed_environment(self):
"""Test whether non string objects are filtered out.
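Review bot: In test_issue_scoped_token_no_groups the statement `self.proj_employees` (directly under `# let admin get roles in a project`) evaluates an attribute and discards the result, so it reads as a leftover; if it is there to trigger lazy creation of the project that deserves a comment, otherwise binding it once, `project = self.proj_employees`, and using `project['id']` in the create_grant and _scope_request calls below makes the intent clear. The new guard in get_roles_for_groups is the right fix, but the docstring on the line above it still describes only the normal case; I would extend it to `"""Get a list of roles for this group on domain and/or project. Return an empty list when no group ids are given, so no project- or domain-wide assignments are fetched."""` so the contract the fix depends on is documented where the next maintainer will read it. get_roles_for_groups continues past the end of its hunk, so the list_role_assignments call the guard protects is only partly visible here.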
@ -4,3 +4,4 @@ fix-requirements.txt.patch
Remove_trailing_d_from_-days_param_of_OpenSSL_command.patch
allow_newer_sqlalchemy.patch
uses-hash-instead-of-encrypt-for-passlib.patch
CVE-2017-2673_do_not_fetch_group_assignments_without_groups.patch