CVE-2015-7546.patch revision 6033
From 9c9c1331e0c004897d5f4c5847f7143b56373f10 Mon Sep 17 00:00:00 2001
From: Brant Knudson <bknudson@us.ibm.com>
Date: Tue, 1 Dec 2015 11:09:14 -0600
Subject: [PATCH] Add audit IDs to revocation events
The revoked tokens' audit ID is now included in the data returned in
the revocation list.
Closes-Bug: 1490804
Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0)
Conflicts:
---
keystone/tests/unit/test_backend.py | 39 ++++++++++++++++++++----------
keystone/token/persistence/backends/kvs.py | 9 +++++++
keystone/token/persistence/backends/sql.py | 12 ++++++++-
4 files changed, 48 insertions(+), 15 deletions(-)
index 6cf0649..9c82502 100644
@@ -3778,7 +3778,9 @@ class TokenTests(object):
token_id = self._create_token_id()
data = {'id': token_id, 'a': 'b',
'trust_id': None,
- 'user': {'id': 'testuserid'}}
+ 'user': {'id': 'testuserid'},
+ 'token_data': {'access': {'token': {
+ 'audit_ids': [uuid.uuid4().hex]}}}}
data_ref = self.token_provider_api._persistence.create_token(token_id,
data)
expires = data_ref.pop('expires')
@@ -3813,7 +3815,8 @@ class TokenTests(object):
# FIXME(morganfainberg): These tokens look nothing like "Real" tokens.
# This should be fixed when token issuance is cleaned up.
data = {'id': token_id, 'a': 'b',
- 'user': {'id': user_id}}
+ 'user': {'id': user_id},
+ 'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
if tenant_id is not None:
data['tenant'] = {'id': tenant_id, 'name': tenant_id}
if tenant_id is NULL_OBJECT:
@@ -3822,7 +3825,7 @@ class TokenTests(object):
data['expires'] = expires
if trust_id is not None:
data['trust_id'] = trust_id
- data.setdefault('access', {}).setdefault('trust', {})
+ data['access'].setdefault('trust', {})
# Testuserid2 is used here since a trustee will be different in
# the cases of impersonation and therefore should not match the
# token's user_id.
@@ -3988,17 +3991,21 @@ class TokenTests(object):
self.assertEqual(data_ref, new_data_ref)
- def check_list_revoked_tokens(self, token_ids):
- revoked_ids = [x['id']
- for x in self.token_provider_api.list_revoked_tokens()]
+ def check_list_revoked_tokens(self, token_infos):
+ revocation_list = self.token_provider_api.list_revoked_tokens()
+ revoked_ids = [x['id'] for x in revocation_list]
+ revoked_audit_ids = [x['audit_id'] for x in revocation_list]
self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
- for token_id in token_ids:
+ for token_id, audit_id in token_infos:
self.assertIn(token_id, revoked_ids)
+ self.assertIn(audit_id, revoked_audit_ids)
def delete_token(self):
token_id = uuid.uuid4().hex
+ audit_id = uuid.uuid4().hex
data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
- 'user': {'id': 'testuserid'}}
+ 'user': {'id': 'testuserid'},
+ 'token_data': {'token': {'audit_ids': [audit_id]}}}
data_ref = self.token_provider_api._persistence.create_token(token_id,
data)
@@ -4010,7 +4017,7 @@ class TokenTests(object):
data_ref['id'])
- return token_id
+ return (token_id, audit_id)
def test_list_revoked_tokens_returns_empty_list(self):
revoked_ids = [x['id']
@@ -4061,12 +4068,16 @@ class TokenTests(object):
token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
'expires': expire_time,
'trust_id': None,
- 'user': {'id': 'testuserid'}}
+ 'user': {'id': 'testuserid'},
+ 'token_data': {'token': {
+ 'audit_ids': [uuid.uuid4().hex]}}}
token2_id = uuid.uuid4().hex
token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b',
'expires': expire_time,
'trust_id': None,
- 'user': {'id': 'testuserid'}}
+ 'user': {'id': 'testuserid'},
+ 'token_data': {'token': {
+ 'audit_ids': [uuid.uuid4().hex]}}}
# Create 2 Tokens.
token_data)
@@ -4101,7 +4112,8 @@ class TokenTests(object):
def _test_predictable_revoked_pki_token_id(self, hash_fn):
token_id = self._create_token_id()
token_id_hash = hash_fn(token_id).hexdigest()
- token = {'user': {'id': uuid.uuid4().hex}}
+ token = {'user': {'id': uuid.uuid4().hex},
+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
self.token_provider_api._persistence.create_token(token_id, token)
@@ -4123,7 +4135,8 @@ class TokenTests(object):
def test_predictable_revoked_uuid_token_id(self):
token_id = uuid.uuid4().hex
- token = {'user': {'id': uuid.uuid4().hex}}
+ token = {'user': {'id': uuid.uuid4().hex},
+ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
self.token_provider_api._persistence.create_token(token_id, token)
index a7c63bf..7adc936 100644
@@ -441,7 +441,8 @@ class SqlToken(SqlTests, test_backend.TokenTests):
# necessary.
expected_query_args = (token_sql.TokenModel.id,
with mock.patch.object(token_sql, 'sql') as mock_sql:
tok = token_sql.Token()
diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py
index b4807bf..9a7ccea 100644
@@ -211,6 +211,15 @@ class Token(token.persistence.Driver):
subsecond=True)
revoked_token_data['id'] = data['id']
+ token_data = data['token_data']
+ if 'access' in token_data:
+ # It's a v2 token.
+ audit_ids = token_data['access']['token']['audit_ids']
+ else:
+ # It's a v3 token.
+ audit_ids = token_data['token']['audit_ids']
+ revoked_token_data['audit_id'] = audit_ids[0]
+
token_list = self._get_key_or_default(self.revocation_key, default=[])
if not isinstance(token_list, list):
# NOTE(morganfainberg): In the case that the revocation list is not
diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py
index 08c3a21..7c5c11d 100644
@@ -228,13 +228,23 @@ class Token(token.persistence.Driver):
session = sql.get_session()
tokens = []
now = timeutils.utcnow()
query = query.filter(TokenModel.expires > now)
token_references = query.filter_by(valid=False)
for token_ref in token_references:
+ token_data = token_ref[2]['token_data']
+ if 'access' in token_data:
+ # It's a v2 token.
+ audit_ids = token_data['access']['token']['audit_ids']
+ else:
+ # It's a v3 token.
+ audit_ids = token_data['token']['audit_ids']
+
record = {
'id': token_ref[0],
'expires': token_ref[1],
+ 'audit_id': audit_ids[0],
}
tokens.append(record)
return tokens
--
1.9.1