diff --git a/Hide_AccountLocked.patch b/Hide_AccountLocked.patch
deleted file mode 100644
index ebd20e3..0000000
--- a/Hide_AccountLocked.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From f510c806de3e20cdedd55291cd58dafa59398bec Mon Sep 17 00:00:00 2001
-From: Gage Hugo
-Date: Tue, 27 Oct 2020 15:22:04 -0500
-Subject: [PATCH] Hide AccountLocked exception from end users
-
-This change hides the AccountLocked exception from being returned
-to the end user to hide sensitive information that a potential
-malicious person could gain insight from.
-
-The notification handler catches the AccountLocked exception as
-before, but after sending the audit notification, it instead
-bubbles up Unauthorized rather than AccountLocked.
-
-Co-Authored-By: Samuel de Medeiros Queiroz
-
-Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
-Related-Bug: #1688137
-(cherry picked from commit ac2631ae33445877094cdae796fbcdce8833a626)
----
-
-diff --git a/keystone/notifications.py b/keystone/notifications.py
-index e536ebd..a59b1d0 100644
---- a/keystone/notifications.py
-+++ b/keystone/notifications.py
-@@ -580,6 +580,8 @@
- taxonomy.OUTCOME_FAILURE,
- target, self.event_type,
- reason=audit_reason)
-+ if isinstance(ex, exception.AccountLocked):
-+ raise exception.Unauthorized
- raise
- except Exception:
- # For authentication failure send a CADF event as well
-diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
-index b0fb720..308cc01 100644
---- a/keystone/tests/unit/common/test_notifications.py
-+++ b/keystone/tests/unit/common/test_notifications.py
-@@ -802,7 +802,7 @@
- password = uuid.uuid4().hex
- new_password = uuid.uuid4().hex
- expected_responses = [AssertionError, AssertionError, AssertionError,
-- exception.AccountLocked]
-+ exception.Unauthorized]
- user_ref = unit.new_user_ref(domain_id=self.domain_id,
- password=password)
- user_ref = PROVIDERS.identity_api.create_user(user_ref)
-diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
-index 8c7fb31..0a99002 100644
---- a/keystone/tests/unit/identity/test_backend_sql.py
-+++ b/keystone/tests/unit/identity/test_backend_sql.py
-@@ -613,7 +613,7 @@
- )
- # test locking out user after max failed attempts
- self._fail_auth_repeatedly(self.user['id'])
-- self.assertRaises(exception.AccountLocked,
-+ self.assertRaises(exception.Unauthorized,
- PROVIDERS.identity_api.authenticate,
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
-@@ -642,7 +642,7 @@
- with self.make_request():
- # lockout user
- self._fail_auth_repeatedly(self.user['id'])
-- self.assertRaises(exception.AccountLocked,
-+ self.assertRaises(exception.Unauthorized,
- PROVIDERS.identity_api.authenticate,
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
-@@ -661,7 +661,7 @@
- with self.make_request():
- # lockout user
- self._fail_auth_repeatedly(self.user['id'])
-- self.assertRaises(exception.AccountLocked,
-+ self.assertRaises(exception.Unauthorized,
- PROVIDERS.identity_api.authenticate,
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
-@@ -687,7 +687,7 @@
- with self.make_request():
- # lockout user
- self._fail_auth_repeatedly(self.user['id'])
-- self.assertRaises(exception.AccountLocked,
-+ self.assertRaises(exception.Unauthorized,
- PROVIDERS.identity_api.authenticate,
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
-@@ -697,7 +697,7 @@
- # repeat failed auth the max times
- self._fail_auth_repeatedly(self.user['id'])
- # test user account is locked
-- self.assertRaises(exception.AccountLocked,
-+ self.assertRaises(exception.Unauthorized,
- PROVIDERS.identity_api.authenticate,
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
-diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
-new file mode 100644
-index 0000000..bd7a060
---- /dev/null
-+++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
-@@ -0,0 +1,8 @@
-+---
-+fixes:
-+ - |
-+ [`bug 1688137 `_]
-+ Fixed the AccountLocked exception being shown to the end user since
-+ it provides some information that could be exploited by a
-+ malicious user. The end user will now see Unauthorized instead of
-+ AccountLocked, preventing user info oracle exploitation.
diff --git a/keystone-16.0.2.tar.gz b/keystone-16.0.2.tar.gz
new file mode 100644
index 0000000..9dcc4b1
Binary files /dev/null and b/keystone-16.0.2.tar.gz differ
diff --git a/keystone-19.0.0.tar.gz b/keystone-19.0.0.tar.gz
deleted file mode 100644
index eab72bd..0000000
Binary files a/keystone-19.0.0.tar.gz and /dev/null differ
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 6ed82f6..97a0c8f 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -1,4 +1,4 @@
-%global with_doc 1
+%global with_doc 0
 %global service keystone
 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
@@ -8,8 +8,8 @@ Keystone is a Python implementation of the OpenStack \
 (http://www.openstack.org) identity service API.
 Name: openstack-keystone
-Version: 19.0.0
-Release: 2
+Version: 16.0.2
+Release: 1
 Summary: OpenStack Identity Service
 License: ASL 2.0
 URL: http://keystone.openstack.org/
@@ -18,31 +18,31 @@ Source1: openstack-keystone.logrotate
 Source3: openstack-keystone.sysctl
 Source5: openstack-keystone-sample-data
 Source20: keystone-dist.conf
-Patch0: Hide_AccountLocked.patch
 BuildArch: noarch
 BuildRequires: openstack-macros
 BuildRequires: python3-devel
-BuildRequires: python3-osprofiler >= 1.1.0
-BuildRequires: python3-pbr >= 2.0.0
+BuildRequires: python3-osprofiler
+BuildRequires: python3-pbr
 BuildRequires: git-core
-BuildRequires: python3-oslo-cache >= 1.26.0
-BuildRequires: python3-oslo-config >= 6.8.0
-BuildRequires: python3-passlib >= 1.6
-BuildRequires: python3-pycadf >= 2.1.0
+BuildRequires: python3-oslo-cache
+BuildRequires: python3-oslo-messaging
+BuildRequires: python3-oslo-config
+BuildRequires: python3-passlib
+BuildRequires: python3-pycadf
 BuildRequires: python3-babel
 BuildRequires: python3-oslo-policy
-BuildRequires: python3-jsonschema >= 2.6.0
-BuildRequires: python3-oslo-db >= 4.27.0
+BuildRequires: python3-jsonschema
+BuildRequires: python3-oslo-db
 BuildRequires: python3-oauthlib
 BuildRequires: python3-pysaml2
-BuildRequires: python3-keystonemiddleware >= 7.0.0
+BuildRequires: python3-keystonemiddleware
 BuildRequires: python3-testresources
 BuildRequires: python3-testscenarios
 BuildRequires: python3-oslotest
 BuildRequires: python3-redis
-BuildRequires: python3-ldappool >= 2.0.0
+BuildRequires: python3-ldappool
 BuildRequires: python3-webtest
 BuildRequires: python3-freezegun
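Review bot: Dropping `Patch0: Hide_AccountLocked.patch` (the only patch in this spec) is safe only if the 16.0.2 tarball already contains the upstream fix for Related-Bug #1688137, which the removed 19.0.0-2 changelog entry appears to track as CVE-2021-38155; nothing in the spec or in the new changelog entry records that. Before merging, confirm that `keystone/notifications.py` inside keystone-16.0.2.tar.gz re-raises `exception.Unauthorized` for `AccountLocked` after the audit notification, and record the outcome in the changelog, e.g. `- Drop Hide_AccountLocked.patch: CVE-2021-38155 fix is included upstream in 16.0.2`. This hunk, together with the `@@ -63,43` and `@@ -124,22` hunks below, also strips every `>=` floor from BuildRequires/Requires, so rpm can no longer refuse to build or install against libraries older than keystone 16.0.2's own minimums; keeping the floors from the 16.0.2 requirements.txt (at least for security-relevant ones such as python3-cryptography) would preserve that check. The version also goes backwards from 19.0.0-2 to 16.0.2-1 with no Epoch in view, so an already-installed 19.0.0-2 will not be replaced by this build on upgrade, which is presumably intended for a Train-only branch but is worth confirming.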
@@ -63,43 +63,43 @@ This package contains the Keystone daemon.
 Summary: Keystone Python libraries
 %{?python_provide:%python_provide python3-keystone}
-Requires: python3-pbr >= 2.0.0
-Requires: python3-bcrypt >= 3.1.3
-Requires: python3-sqlalchemy >= 1.3.0
-Requires: python3-passlib >= 1.7.0
+Requires: python3-pbr
+Requires: python3-bcrypt
+Requires: python3-sqlalchemy
+Requires: python3-passlib
 Requires: openssl
-Requires: python3-oauthlib >= 0.6.2
-Requires: python3-jsonschema >= 3.2.0
-Requires: python3-pycadf >= 1.1.0
-Requires: python3-keystonemiddleware >= 7.0.0
-Requires: python3-oslo-cache >= 1.26.0
-Requires: python3-oslo-config >= 6.8.0
-Requires: python3-oslo-context >= 2.22.0
-Requires: python3-oslo-db >= 6.0.0
-Requires: python3-oslo-i18n >= 3.15.3
-Requires: python3-oslo-log >= 3.44.0
-Requires: python3-oslo-messaging >= 5.29.0
-Requires: python3-oslo-middleware >= 3.31.0
-Requires: python3-oslo-policy >= 3.6.0
-Requires: python3-oslo-serialization >= 2.18.0
-Requires: python3-oslo-upgradecheck >= 1.3.0
-Requires: python3-oslo-utils >= 3.33.0
-Requires: python3-osprofiler >= 1.4.0
-Requires: python3-pysaml2 >= 5.0.0
-Requires: python3-stevedore >= 1.20.0
-Requires: python3-scrypt >= 0.8.0
-Requires: python3-flask >= 1.0.2
-Requires: python3-flask-restful >= 0.3.5
-Requires: python3-jwt >= 1.6.1
-Requires: python3-pytz >= 2013.6
-Requires: python3-cryptography >= 2.7
-Requires: python3-ldap >= 3.1.0
-Requires: python3-ldappool >= 2.0.0
-Requires: python3-memcached >= 1.56
+Requires: python3-oauthlib
+Requires: python3-jsonschema
+Requires: python3-pycadf
+Requires: python3-keystonemiddleware
+Requires: python3-oslo-cache
+Requires: python3-oslo-config
+Requires: python3-oslo-context
+Requires: python3-oslo-db
+Requires: python3-oslo-i18n
+Requires: python3-oslo-log
+Requires: python3-oslo-messaging
+Requires: python3-oslo-middleware
+Requires: python3-oslo-policy
+Requires: python3-oslo-serialization
+Requires: python3-oslo-upgradecheck
+Requires: python3-oslo-utils
+Requires: python3-osprofiler
+Requires: python3-pysaml2
+Requires: python3-stevedore
+Requires: python3-scrypt
+Requires: python3-flask
+Requires: python3-flask-restful
+Requires: python3-jwt
+Requires: python3-pytz
+Requires: python3-cryptography
+Requires: python3-ldap
+Requires: python3-ldappool
+Requires: python3-memcached
 Requires: python3-sqlalchemy-migrate
-Requires: python3-webob >= 1.7.1
-Requires: python3-dogpile-cache >= 1.0.2
-Requires: python3-msgpack >= 0.5.0
+Requires: python3-webob
+Requires: python3-dogpile-cache
+Requires: python3-msgpack
 %description -n python3-keystone
@@ -124,22 +124,22 @@ This package contains the Keystone test files.
 Summary: Documentation for OpenStack Identity Service
 # for API autodoc
-BuildRequires: python3-sphinx >= 1.1.2
+BuildRequires: python3-sphinx
 BuildRequires: python3-sphinx-feature-classification
 BuildRequires: python3-openstackdocstheme
 BuildRequires: python3-sphinxcontrib-apidoc
 BuildRequires: python3-sphinxcontrib-seqdiag
 BuildRequires: python3-sphinxcontrib-blockdiag
-BuildRequires: python3-flask >= 1.0.2
-BuildRequires: python3-flask-restful >= 0.3.5
-BuildRequires: python3-cryptography >= 2.1
-BuildRequires: python3-oslo-log >= 3.44.0
-BuildRequires: python3-oslo-messaging >= 5.29.0
-BuildRequires: python3-oslo-middleware >= 3.31.0
-BuildRequires: python3-oslo-policy >= 2.3.0
+BuildRequires: python3-flask
+BuildRequires: python3-flask-restful
+BuildRequires: python3-cryptography
+BuildRequires: python3-oslo-log
+BuildRequires: python3-oslo-messaging
+BuildRequires: python3-oslo-middleware
+BuildRequires: python3-oslo-policy
 BuildRequires: python3-mock
-BuildRequires: python3-dogpile-cache >= 0.5.7
-BuildRequires: python3-memcached >= 1.56
+BuildRequires: python3-dogpile-cache
+BuildRequires: python3-memcached
 BuildRequires: python3-lxml
@@ -278,20 +278,7 @@ chmod 660 %{_localstatedir}/log/keystone/keystone.log
 %endif
 %changelog
-* Sat Aug 28 2021 wangxiyuan - 19.0.0-2
-- Fix CVE-2021-38155
-
-* Thu Jul 15 2021 openstack-sig
-- Update to 19.0.0
-
-* Fri Feb 26 2021 zhaorenhai - 18.0.0-3
-- Change reserved port to 5000
-
-* Sat Feb 20 2021 wangxiyuan
-- Correct python3-sqlalchemy-migrate requirement and drop useless
- openstack-keystone.defaultconf file
-
-* Wed Feb 3 2021 wangxiyuan
-- Support OpenStack Victoria release
+* Fri Nov 05 2021 wangxiyuan - 16.0.2-1
+- Support OpenStack Train release