Support Train release

(cherry picked from commit 6c2c052453dceff0d7e9d95bb63fe3c4d83282f2)
2021-11-05 02:03:02 +00:00 · 2021-11-05 02:03:02 +00:00 · bfca250ca0
commit bfca250ca0
parent b072b57908
4 changed files with 61 additions and 183 deletions
--- a/Hide_AccountLocked.patch
+++ b/Hide_AccountLocked.patch
@ -1,109 +0,0 @@
 From f510c806de3e20cdedd55291cd58dafa59398bec Mon Sep 17 00:00:00 2001
 From: Gage Hugo <gagehugo@gmail.com>
 Date: Tue, 27 Oct 2020 15:22:04 -0500
 Subject: [PATCH] Hide AccountLocked exception from end users
 This change hides the AccountLocked exception from being returned
 to the end user to hide sensitive information that a potential
 malicious person could gain insight from.
 The notification handler catches the AccountLocked exception as
 before, but after sending the audit notification, it instead
 bubbles up Unauthorized rather than AccountLocked.
 Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
 Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
 Related-Bug: #1688137
 (cherry picked from commit ac2631ae33445877094cdae796fbcdce8833a626)
 ---
 diff --git a/keystone/notifications.py b/keystone/notifications.py
 index e536ebd..a59b1d0 100644
 --- a/keystone/notifications.py
 +++ b/keystone/notifications.py
@@ -580,6 +580,8 @@
                                          taxonomy.OUTCOME_FAILURE,
                                          target, self.event_type,
                                          reason=audit_reason)
 +                if isinstance(ex, exception.AccountLocked):
 +                    raise exception.Unauthorized
                 raise
             except Exception:
                 # For authentication failure send a CADF event as well
 diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
 index b0fb720..308cc01 100644
 --- a/keystone/tests/unit/common/test_notifications.py
 +++ b/keystone/tests/unit/common/test_notifications.py
@@ -802,7 +802,7 @@
         password = uuid.uuid4().hex
         new_password = uuid.uuid4().hex
         expected_responses = [AssertionError, AssertionError, AssertionError,
 -                              exception.AccountLocked]
 +                              exception.Unauthorized]
         user_ref = unit.new_user_ref(domain_id=self.domain_id,
                                      password=password)
         user_ref = PROVIDERS.identity_api.create_user(user_ref)
 diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
 index 8c7fb31..0a99002 100644
 --- a/keystone/tests/unit/identity/test_backend_sql.py
 +++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -613,7 +613,7 @@
             )
             # test locking out user after max failed attempts
             self._fail_auth_repeatedly(self.user['id'])
 -            self.assertRaises(exception.AccountLocked,
 +            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               user_id=self.user['id'],
                               password=uuid.uuid4().hex)
@@ -642,7 +642,7 @@
         with self.make_request():
             # lockout user
             self._fail_auth_repeatedly(self.user['id'])
 -            self.assertRaises(exception.AccountLocked,
 +            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               user_id=self.user['id'],
                               password=uuid.uuid4().hex)
@@ -661,7 +661,7 @@
             with self.make_request():
                 # lockout user
                 self._fail_auth_repeatedly(self.user['id'])
 -                self.assertRaises(exception.AccountLocked,
 +                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
@@ -687,7 +687,7 @@
             with self.make_request():
                 # lockout user
                 self._fail_auth_repeatedly(self.user['id'])
 -                self.assertRaises(exception.AccountLocked,
 +                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
@@ -697,7 +697,7 @@
                 # repeat failed auth the max times
                 self._fail_auth_repeatedly(self.user['id'])
                 # test user account is locked
 -                self.assertRaises(exception.AccountLocked,
 +                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
 diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
 new file mode 100644
 index 0000000..bd7a060
 --- /dev/null
 +++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
@@ -0,0 +1,8 @@
 +---
 +fixes:
 +  - |
 +    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
 +    Fixed the AccountLocked exception being shown to the end user since
 +    it provides some information that could be exploited by a
 +    malicious user. The end user will now see Unauthorized instead of
 +    AccountLocked, preventing user info oracle exploitation.
--- a/keystone-16.0.2.tar.gz
+++ b/keystone-16.0.2.tar.gz
--- a/keystone-19.0.0.tar.gz
+++ b/keystone-19.0.0.tar.gz
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@ -1,4 +1,4 @@
-%global with_doc 1
+%global with_doc 0
 %global service keystone
 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
@ -8,8 +8,8 @@ Keystone is a Python implementation of the OpenStack \
 (http://www.openstack.org) identity service API.
 Name:           openstack-keystone
-Version:        19.0.0
+Version:        16.0.2
-Release:        2
+Release:        1
 Summary:        OpenStack Identity Service
 License:        ASL 2.0
 URL:            http://keystone.openstack.org/
@ -18,31 +18,31 @@ Source1:        openstack-keystone.logrotate
 Source3:        openstack-keystone.sysctl
 Source5:        openstack-keystone-sample-data
 Source20:       keystone-dist.conf
 Patch0:         Hide_AccountLocked.patch
 BuildArch:      noarch
 BuildRequires:  openstack-macros
 BuildRequires:  python3-devel
-BuildRequires:  python3-osprofiler >= 1.1.0
+BuildRequires:  python3-osprofiler
-BuildRequires:  python3-pbr >= 2.0.0
+BuildRequires:  python3-pbr
 BuildRequires:  git-core
-BuildRequires:  python3-oslo-cache >= 1.26.0
+BuildRequires:  python3-oslo-cache
-BuildRequires:  python3-oslo-config >= 6.8.0
+BuildRequires:  python3-oslo-messaging
-BuildRequires:  python3-passlib >= 1.6
+BuildRequires:  python3-oslo-config
-BuildRequires:  python3-pycadf >= 2.1.0
+BuildRequires:  python3-passlib
 BuildRequires:  python3-pycadf
 BuildRequires:  python3-babel
 BuildRequires:  python3-oslo-policy
-BuildRequires:  python3-jsonschema >= 2.6.0
+BuildRequires:  python3-jsonschema
-BuildRequires:  python3-oslo-db >= 4.27.0
+BuildRequires:  python3-oslo-db
 BuildRequires:  python3-oauthlib
 BuildRequires:  python3-pysaml2
-BuildRequires:  python3-keystonemiddleware >= 7.0.0
+BuildRequires:  python3-keystonemiddleware
 BuildRequires:  python3-testresources
 BuildRequires:  python3-testscenarios
 BuildRequires:  python3-oslotest
 BuildRequires:  python3-redis
-BuildRequires:  python3-ldappool >= 2.0.0
+BuildRequires:  python3-ldappool
 BuildRequires:  python3-webtest
 BuildRequires:  python3-freezegun
@ -63,43 +63,43 @@ This package contains the Keystone daemon.
 Summary:          Keystone Python libraries
 %{?python_provide:%python_provide python3-keystone}
-Requires:       python3-pbr >= 2.0.0
+Requires:       python3-pbr
-Requires:       python3-bcrypt >= 3.1.3
+Requires:       python3-bcrypt
-Requires:       python3-sqlalchemy >= 1.3.0
+Requires:       python3-sqlalchemy
-Requires:       python3-passlib >= 1.7.0
+Requires:       python3-passlib
 Requires:       openssl
-Requires:       python3-oauthlib >= 0.6.2
+Requires:       python3-oauthlib
-Requires:       python3-jsonschema >= 3.2.0
+Requires:       python3-jsonschema
-Requires:       python3-pycadf >= 1.1.0
+Requires:       python3-pycadf
-Requires:       python3-keystonemiddleware >= 7.0.0
+Requires:       python3-keystonemiddleware
-Requires:       python3-oslo-cache >= 1.26.0
+Requires:       python3-oslo-cache
-Requires:       python3-oslo-config >= 6.8.0
+Requires:       python3-oslo-config
-Requires:       python3-oslo-context >= 2.22.0
+Requires:       python3-oslo-context
-Requires:       python3-oslo-db >= 6.0.0
+Requires:       python3-oslo-db
-Requires:       python3-oslo-i18n >= 3.15.3
+Requires:       python3-oslo-i18n
-Requires:       python3-oslo-log >= 3.44.0
+Requires:       python3-oslo-log
-Requires:       python3-oslo-messaging >= 5.29.0
+Requires:       python3-oslo-messaging
-Requires:       python3-oslo-middleware >= 3.31.0
+Requires:       python3-oslo-middleware
-Requires:       python3-oslo-policy >= 3.6.0
+Requires:       python3-oslo-policy
-Requires:       python3-oslo-serialization >= 2.18.0
+Requires:       python3-oslo-serialization
-Requires:       python3-oslo-upgradecheck >= 1.3.0
+Requires:       python3-oslo-upgradecheck
-Requires:       python3-oslo-utils >= 3.33.0
+Requires:       python3-oslo-utils
-Requires:       python3-osprofiler >= 1.4.0
+Requires:       python3-osprofiler
-Requires:       python3-pysaml2 >= 5.0.0
+Requires:       python3-pysaml2
-Requires:       python3-stevedore >= 1.20.0
+Requires:       python3-stevedore
-Requires:       python3-scrypt >= 0.8.0
+Requires:       python3-scrypt
-Requires:       python3-flask >= 1.0.2
+Requires:       python3-flask
-Requires:       python3-flask-restful >= 0.3.5
+Requires:       python3-flask-restful
-Requires:       python3-jwt >= 1.6.1
+Requires:       python3-jwt
-Requires:       python3-pytz >= 2013.6
+Requires:       python3-pytz
-Requires:       python3-cryptography >= 2.7
+Requires:       python3-cryptography
-Requires:       python3-ldap >= 3.1.0
+Requires:       python3-ldap
-Requires:       python3-ldappool >= 2.0.0
+Requires:       python3-ldappool
-Requires:       python3-memcached >= 1.56
+Requires:       python3-memcached
 Requires:       python3-sqlalchemy-migrate
-Requires:       python3-webob >= 1.7.1
+Requires:       python3-webob
-Requires:       python3-dogpile-cache >= 1.0.2
+Requires:       python3-dogpile-cache
-Requires:       python3-msgpack >= 0.5.0
+Requires:       python3-msgpack
 %description -n   python3-keystone
@ -124,22 +124,22 @@ This package contains the Keystone test files.
 Summary:        Documentation for OpenStack Identity Service
 # for API autodoc
-BuildRequires:  python3-sphinx >= 1.1.2
+BuildRequires:  python3-sphinx
 BuildRequires:  python3-sphinx-feature-classification
 BuildRequires:  python3-openstackdocstheme
 BuildRequires:  python3-sphinxcontrib-apidoc
 BuildRequires:  python3-sphinxcontrib-seqdiag
 BuildRequires:  python3-sphinxcontrib-blockdiag
-BuildRequires:  python3-flask >= 1.0.2
+BuildRequires:  python3-flask
-BuildRequires:  python3-flask-restful >= 0.3.5
+BuildRequires:  python3-flask-restful
-BuildRequires:  python3-cryptography >= 2.1
+BuildRequires:  python3-cryptography
-BuildRequires:  python3-oslo-log >= 3.44.0
+BuildRequires:  python3-oslo-log
-BuildRequires:  python3-oslo-messaging >= 5.29.0
+BuildRequires:  python3-oslo-messaging
-BuildRequires:  python3-oslo-middleware >= 3.31.0
+BuildRequires:  python3-oslo-middleware
-BuildRequires:  python3-oslo-policy >= 2.3.0
+BuildRequires:  python3-oslo-policy
 BuildRequires:  python3-mock
-BuildRequires:  python3-dogpile-cache >= 0.5.7
+BuildRequires:  python3-dogpile-cache
-BuildRequires:  python3-memcached >= 1.56
+BuildRequires:  python3-memcached
 BuildRequires:  python3-lxml
@ -278,20 +278,7 @@ chmod 660 %{_localstatedir}/log/keystone/keystone.log
 %endif
 %changelog
-* Sat Aug 28 2021 wangxiyuan <wangxiyuan1007@gmail.com> - 19.0.0-2
+* Fri Nov 05 2021 wangxiyuan <wangxiyuan1007@gmail.com> - 16.0.2-1
- Fix CVE-2021-38155
+- Support OpenStack Train release
 * Thu Jul 15 2021 openstack-sig <openstack@openeuler.org>
 - Update to 19.0.0
 * Fri Feb 26 2021 zhaorenhai <zhaorenhai@hotmail.com> - 18.0.0-3
 - Change reserved port to 5000
 * Sat Feb 20 2021 wangxiyuan <wangxiyuan1007@gmail.org>
 - Correct python3-sqlalchemy-migrate requirement and drop useless
  openstack-keystone.defaultconf file
 * Wed Feb 3 2021 wangxiyuan <wangxiyuan1007@gmail.org>
 - Support OpenStack Victoria release