* CVE-2017-2673 (OSSA-2017-004): Incorrect role assignment with federated
Keystone. Applied upstream patch: Do not fetch group assignments without
groups (Closes: #861189).
Change-Id: Id70da1f4651c056e49e5a4d94271402487002452
* Do not use /sbin/route at all, and use ip only if it is available. The
previous "fix" was in fact wrong, as net-tools and iproute2 aren't
essential packages and adding it as depends won't fix it.
Change-Id: I88aa9794f39725c249ca167092217b524446052c
During an upgrade, a node running this code may need to handle a
persisted token (UUID, PKI, or PKIZ) created without this attribute.
Closes-Bug: 1630259
Change-Id: I0c5959b6491bb13a02eb1b9b7e7e37d2f2d73f85
(cherry picked from commit 4fd55f230b)
This patch adds password history validation to the change_password
(self-service) backend method.
backport: newton
Closes-Bug: #1628692
Change-Id: I6a21eb355a60b96da0615e64f57fa64289c0221e
(cherry picked from commit 4be9164e53)
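To illustrate what a password history check on a self-service password change involves, here is an added example in Python. It is not keystone's code and not the backport above; the hash parameters, the history depth and the `User` class are constructed for the example. It remembers a fixed number of salted password hashes and rejects a new password that matches any of them, and it checks the current password before anything else.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Optional, Tuple

# Constructed parameters for the example; real deployments take these from
# configuration (keystone's own settings are not reproduced here).
PBKDF2_ITERATIONS = 20_000
HISTORY_DEPTH = 4  # number of passwords remembered, current one included


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordHistoryError(ValueError):
    """Raised when the new password repeats one still in the history."""


class User:
    """Constructed user record holding the current hash and recent history."""

    def __init__(self, name: str, password: str):
        self.name = name
        # Oldest entry is evicted automatically once the deque is full.
        self.history = deque(maxlen=HISTORY_DEPTH)
        self.salt, self.digest = hash_password(password)
        self.history.append((self.salt, self.digest))

    def change_password(self, old_password: str, new_password: str) -> None:
        # Self-service change: the caller must prove the current password first.
        if not password_matches(old_password, self.salt, self.digest):
            raise PermissionError("current password is incorrect")
        # History validation: every remembered hash is checked, each with its own salt.
        for salt, digest in self.history:
            if password_matches(new_password, salt, digest):
                raise PasswordHistoryError("password was used recently")
        self.salt, self.digest = hash_password(new_password)
        self.history.append((self.salt, self.digest))


def demo() -> dict:
    """Walk a user through several changes and report what the check decided."""
    user = User("alice", "correct-horse-1")
    user.change_password("correct-horse-1", "battery-staple-2")
    user.change_password("battery-staple-2", "tr0ub4dor-3")
    user.change_password("tr0ub4dor-3", "fourth-one-4")
    results = {}
    try:  # history is now full: the first password is still remembered
        user.change_password("fourth-one-4", "correct-horse-1")
        results["reuse_rejected"] = False
    except PasswordHistoryError:
        results["reuse_rejected"] = True
    user.change_password("fourth-one-4", "fifth-one-5")  # evicts the oldest entry
    try:  # the first password has aged out of the history, so it is accepted again
        user.change_password("fifth-one-5", "correct-horse-1")
        results["expired_reuse_allowed"] = True
    except PasswordHistoryError:
        results["expired_reuse_allowed"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The history stores hashes rather than plaintext, so a stolen history table is no worse than a stolen password table, and each entry keeps its own salt so the candidate password is hashed once per entry.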
Migration 002 sets the password created_at column to a TIMESTAMP type
with a server_default=sql.func.now(). There are a couple of problems
that have been uncovered with this change:
* We cannot guarantee that func.now() will generate a UTC timestamp.
* For some older versions of MySQL, the default TIMESTAMP column will
automatically be updated when other columns are updated:
https://dev.mysql.com/doc/refman/5.5/en/timestamp-initialization.html
This patch fixes the problem by recreating the password created_at
column back to a DateTime type without a server_default:
1) Drop and recreate the created_at column
2) Update the created_at value
3) Set the created_at column as not nullable
Closes-Bug: #1621200
Change-Id: Id5c607a777afb6565d66a336028eba796e3846b2
(cherry picked from commit 32328de6e3)
I wasn't able to find any existing unit tests for the function we use
to generate time strings. This commit adds unit tests to make sure
we don't unexpectedly change behavior.
This commit also addresses a couple of comments from
Iaee0ec8c7acd512b9d93096ce8306a2952061c7a.
Change-Id: I383ac9ca97300cc37a994eccf43438c51b5030ba
The read_cached_file() method in keystone.common.utils isn't being
used anywhere in keystone and it isn't tested. Let's remove it.
Change-Id: Iafba37114957c5270351aafd25538c6085c07805
On keystonemiddleware 4.0.0 the base class is called
_BaseAuthProtocol, which was later changed to BaseAuthProtocol.
Due to this change keystone would not work with the 4.0.0
version, while it was still accepted in the requirements.
This fixes it by providing a fallback to the old naming.
Change-Id: I859a2d15e63c8c857b0bcbb15c757b716c8c43ba
Closes-Bug: 1623091
When the API reference was moved and the old pages cleaned up, a lot of
dead links were created. This patch fixes them for the documentation on
"Configuring Keystone for Federation".
Moreover, a lot of the link text was nondescriptive, which makes the
documentation inaccessible for screen readers (see the W3C
guideline[1]). This patch cleans that up as well if the link URL
needed to be updated anyway.
[1] https://www.w3.org/TR/WCAG20-TECHS/H30.html
Change-Id: I58803276d9b06bad0252da2494c81a46c951916f
This commit introduces two tests that ensure if a trustee of a
trust-scoped token is disabled, keystone will emit a Forbidden
exception. Regardless of the token provider, keystone should have
a consistent behavior. In order to test this, the test had to be
implemented differently for each token provider, specifically for
persistent and non-persistent tokens.
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: Iaf04a26c9f60eb68bbd56b941ff76c893c144cb8
This patch reorders the sections about services and endpoints which were
previously interleaved randomly. After the reordering, all services APIs
appear before all endpoint APIs so browsing through the APIs would be
much easier. This patch also changes the representations of status codes
using the new stanza in os-api-ref.
Change-Id: I89aabd3d9a336f5f6f65aaca51353f2d23b4cb2a
The rest of the token provider API uses issued_at for the creation
time of a token. The fernet token provider referenced this value as
created_at. This change makes the fernet provider use the same
convention as the rest of the token provider API.
Change-Id: I347e40252824a01e887a17ab591bd092e007aa2d
The SafeConfigParser class has been renamed to ConfigParser in Python
3.2 [1]. This alias will be removed in future versions. So we can use
ConfigParser directly instead.
[1] http://bugs.python.org/issue10627
Closes-Bug: #1618666
Change-Id: If01186cefad2149d65ffcc1fc6550d72d26f5b11
This is one of the ways we can prevent race conditions with backends that round
datetime objects or strings before persisting them.
Change-Id: Iaee0ec8c7acd512b9d93096ce8306a2952061c7a
Closes-Bug: 1622010
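The race described in the last message above (a backend that rounds datetimes before persisting them) and the time-string function the earlier unit-test commit refers to are illustrated together in this added example. It is not keystone's code: the `isotime` formats, the truncation step and the `RoundingBackend` stand-in are constructed for the example, and truncating to whole seconds before persisting is one possible approach, assumed here rather than taken from the patch.

```python
import datetime

ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
ISO_FORMAT_SUBSECOND = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample instant (naive UTC) with sub-second precision.
SAMPLE_NOW = datetime.datetime(2016, 9, 1, 12, 0, 0, 750000)


def isotime(dt, subsecond=False):
    """Format a naive UTC datetime as an ISO 8601 string (constructed helper)."""
    return dt.strftime(ISO_FORMAT_SUBSECOND if subsecond else ISO_FORMAT)


def parse_isotime(value):
    """Inverse of isotime(); accepts both formats."""
    fmt = ISO_FORMAT_SUBSECOND if "." in value else ISO_FORMAT
    return datetime.datetime.strptime(value, fmt)


def truncate_to_seconds(dt):
    """Drop sub-second precision before a timestamp is persisted or compared."""
    return dt.replace(microsecond=0)


class RoundingBackend:
    """Constructed stand-in for a store whose column type rounds datetimes
    to the nearest second; it is not any real keystone backend."""

    def __init__(self):
        self._rows = {}

    def save(self, key, dt):
        rounded = dt.replace(microsecond=0)
        if dt.microsecond >= 500_000:  # round half up, as some SQL types do
            rounded += datetime.timedelta(seconds=1)
        self._rows[key] = rounded

    def load(self, key):
        return self._rows[key]


def issue_and_check(backend, now, truncate):
    """Issue a token at `now`, persist its issued_at, read it back and report
    whether the in-memory value still equals the persisted one."""
    issued_at = truncate_to_seconds(now) if truncate else now
    backend.save("token-1", issued_at)
    return backend.load("token-1") == issued_at


def demo():
    return {
        "raw_matches_after_persist": issue_and_check(RoundingBackend(), SAMPLE_NOW, False),
        "truncated_matches_after_persist": issue_and_check(RoundingBackend(), SAMPLE_NOW, True),
        "isotime": isotime(SAMPLE_NOW),
        "isotime_subsecond": isotime(SAMPLE_NOW, subsecond=True),
    }


if __name__ == "__main__":
    print(demo())
```

With the raw value, the token carries 12:00:00.75 while the store holds 12:00:01, so a later comparison of the two (for example when validating the token) fails. Truncating before persisting makes the backend's rounding a no-op, so both sides agree regardless of whether the backend rounds or truncates.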