Support Train release

(cherry picked from commit 6c2c052453dceff0d7e9d95bb63fe3c4d83282f2)
2021-11-05 02:03:02 +00:00 · 2021-11-05 02:03:02 +00:00 · bfca250ca0
commit bfca250ca0
parent b072b57908
4 changed files with 61 additions and 183 deletions
--- a/Hide_AccountLocked.patch
+++ b/Hide_AccountLocked.patch
@ -1,109 +0,0 @@
-From f510c806de3e20cdedd55291cd58dafa59398bec Mon Sep 17 00:00:00 2001
-From: Gage Hugo <gagehugo@gmail.com>
-Date: Tue, 27 Oct 2020 15:22:04 -0500
-Subject: [PATCH] Hide AccountLocked exception from end users
-
-This change hides the AccountLocked exception from being returned
-to the end user to hide sensitive information that a potential
-malicious person could gain insight from.
-
-The notification handler catches the AccountLocked exception as
-before, but after sending the audit notification, it instead
-bubbles up Unauthorized rather than AccountLocked.
-
-Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
-
-Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
-Related-Bug: #1688137
-(cherry picked from commit ac2631ae33445877094cdae796fbcdce8833a626)
---
-
-diff --git a/keystone/notifications.py b/keystone/notifications.py
-index e536ebd..a59b1d0 100644
--- a/keystone/notifications.py
-+++ b/keystone/notifications.py
-@@ -580,6 +580,8 @@
-                                          taxonomy.OUTCOME_FAILURE,
-                                          target, self.event_type,
-                                          reason=audit_reason)
-+                if isinstance(ex, exception.AccountLocked):
-+                    raise exception.Unauthorized
-                 raise
-             except Exception:
-                 # For authentication failure send a CADF event as well
-diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
-index b0fb720..308cc01 100644
--- a/keystone/tests/unit/common/test_notifications.py
-+++ b/keystone/tests/unit/common/test_notifications.py
-@@ -802,7 +802,7 @@
-         password = uuid.uuid4().hex
-         new_password = uuid.uuid4().hex
-         expected_responses = [AssertionError, AssertionError, AssertionError,
-                              exception.AccountLocked]
-+                              exception.Unauthorized]
-         user_ref = unit.new_user_ref(domain_id=self.domain_id,
-                                      password=password)
-         user_ref = PROVIDERS.identity_api.create_user(user_ref)
-diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
-index 8c7fb31..0a99002 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
-+++ b/keystone/tests/unit/identity/test_backend_sql.py
-@@ -613,7 +613,7 @@
-             )
-             # test locking out user after max failed attempts
-             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
-+            self.assertRaises(exception.Unauthorized,
-                               PROVIDERS.identity_api.authenticate,
-                               user_id=self.user['id'],
-                               password=uuid.uuid4().hex)
-@@ -642,7 +642,7 @@
-         with self.make_request():
-             # lockout user
-             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
-+            self.assertRaises(exception.Unauthorized,
-                               PROVIDERS.identity_api.authenticate,
-                               user_id=self.user['id'],
-                               password=uuid.uuid4().hex)
-@@ -661,7 +661,7 @@
-             with self.make_request():
-                 # lockout user
-                 self._fail_auth_repeatedly(self.user['id'])
-                self.assertRaises(exception.AccountLocked,
-+                self.assertRaises(exception.Unauthorized,
-                                   PROVIDERS.identity_api.authenticate,
-                                   user_id=self.user['id'],
-                                   password=uuid.uuid4().hex)
-@@ -687,7 +687,7 @@
-             with self.make_request():
-                 # lockout user
-                 self._fail_auth_repeatedly(self.user['id'])
-                self.assertRaises(exception.AccountLocked,
-+                self.assertRaises(exception.Unauthorized,
-                                   PROVIDERS.identity_api.authenticate,
-                                   user_id=self.user['id'],
-                                   password=uuid.uuid4().hex)
-@@ -697,7 +697,7 @@
-                 # repeat failed auth the max times
-                 self._fail_auth_repeatedly(self.user['id'])
-                 # test user account is locked
-                self.assertRaises(exception.AccountLocked,
-+                self.assertRaises(exception.Unauthorized,
-                                   PROVIDERS.identity_api.authenticate,
-                                   user_id=self.user['id'],
-                                   password=uuid.uuid4().hex)
-diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
-new file mode 100644
-index 0000000..bd7a060
--- /dev/null
-+++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
-@@ -0,0 +1,8 @@
-+---
-+fixes:
-+  - |
-+    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
-+    Fixed the AccountLocked exception being shown to the end user since
-+    it provides some information that could be exploited by a
-+    malicious user. The end user will now see Unauthorized instead of
-+    AccountLocked, preventing user info oracle exploitation.
--- a/keystone-16.0.2.tar.gz
+++ b/keystone-16.0.2.tar.gz
--- a/keystone-19.0.0.tar.gz
+++ b/keystone-19.0.0.tar.gz
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@ -1,4 +1,4 @@
-%global with_doc 1
+%global with_doc 0
 %global service keystone

 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
@ -8,8 +8,8 @@ Keystone is a Python implementation of the OpenStack \
 (http://www.openstack.org) identity service API.

 Name:           openstack-keystone
-Version:        19.0.0
-Release:        2
+Version:        16.0.2
+Release:        1
 Summary:        OpenStack Identity Service
 License:        ASL 2.0
 URL:            http://keystone.openstack.org/
@ -18,31 +18,31 @@ Source1:        openstack-keystone.logrotate
 Source3:        openstack-keystone.sysctl
 Source5:        openstack-keystone-sample-data
 Source20:       keystone-dist.conf
-Patch0:         Hide_AccountLocked.patch

 BuildArch:      noarch

 BuildRequires:  openstack-macros
 BuildRequires:  python3-devel
-BuildRequires:  python3-osprofiler >= 1.1.0
-BuildRequires:  python3-pbr >= 2.0.0
+BuildRequires:  python3-osprofiler
+BuildRequires:  python3-pbr
 BuildRequires:  git-core
-BuildRequires:  python3-oslo-cache >= 1.26.0
-BuildRequires:  python3-oslo-config >= 6.8.0
-BuildRequires:  python3-passlib >= 1.6
-BuildRequires:  python3-pycadf >= 2.1.0
+BuildRequires:  python3-oslo-cache
+BuildRequires:  python3-oslo-messaging
+BuildRequires:  python3-oslo-config
+BuildRequires:  python3-passlib
+BuildRequires:  python3-pycadf
 BuildRequires:  python3-babel
 BuildRequires:  python3-oslo-policy
-BuildRequires:  python3-jsonschema >= 2.6.0
-BuildRequires:  python3-oslo-db >= 4.27.0
+BuildRequires:  python3-jsonschema
+BuildRequires:  python3-oslo-db
 BuildRequires:  python3-oauthlib
 BuildRequires:  python3-pysaml2
-BuildRequires:  python3-keystonemiddleware >= 7.0.0
+BuildRequires:  python3-keystonemiddleware
 BuildRequires:  python3-testresources
 BuildRequires:  python3-testscenarios
 BuildRequires:  python3-oslotest
 BuildRequires:  python3-redis
-BuildRequires:  python3-ldappool >= 2.0.0
+BuildRequires:  python3-ldappool
 BuildRequires:  python3-webtest
 BuildRequires:  python3-freezegun

@ -63,43 +63,43 @@ This package contains the Keystone daemon.
 Summary:          Keystone Python libraries
 %{?python_provide:%python_provide python3-keystone}

-Requires:       python3-pbr >= 2.0.0
-Requires:       python3-bcrypt >= 3.1.3
-Requires:       python3-sqlalchemy >= 1.3.0
-Requires:       python3-passlib >= 1.7.0
+Requires:       python3-pbr
+Requires:       python3-bcrypt
+Requires:       python3-sqlalchemy
+Requires:       python3-passlib
 Requires:       openssl
-Requires:       python3-oauthlib >= 0.6.2
-Requires:       python3-jsonschema >= 3.2.0
-Requires:       python3-pycadf >= 1.1.0
-Requires:       python3-keystonemiddleware >= 7.0.0
-Requires:       python3-oslo-cache >= 1.26.0
-Requires:       python3-oslo-config >= 6.8.0
-Requires:       python3-oslo-context >= 2.22.0
-Requires:       python3-oslo-db >= 6.0.0
-Requires:       python3-oslo-i18n >= 3.15.3
-Requires:       python3-oslo-log >= 3.44.0
-Requires:       python3-oslo-messaging >= 5.29.0
-Requires:       python3-oslo-middleware >= 3.31.0
-Requires:       python3-oslo-policy >= 3.6.0
-Requires:       python3-oslo-serialization >= 2.18.0
-Requires:       python3-oslo-upgradecheck >= 1.3.0
-Requires:       python3-oslo-utils >= 3.33.0
-Requires:       python3-osprofiler >= 1.4.0
-Requires:       python3-pysaml2 >= 5.0.0
-Requires:       python3-stevedore >= 1.20.0
-Requires:       python3-scrypt >= 0.8.0
-Requires:       python3-flask >= 1.0.2
-Requires:       python3-flask-restful >= 0.3.5
-Requires:       python3-jwt >= 1.6.1
-Requires:       python3-pytz >= 2013.6
-Requires:       python3-cryptography >= 2.7
-Requires:       python3-ldap >= 3.1.0
-Requires:       python3-ldappool >= 2.0.0
-Requires:       python3-memcached >= 1.56
+Requires:       python3-oauthlib
+Requires:       python3-jsonschema
+Requires:       python3-pycadf
+Requires:       python3-keystonemiddleware
+Requires:       python3-oslo-cache
+Requires:       python3-oslo-config
+Requires:       python3-oslo-context
+Requires:       python3-oslo-db
+Requires:       python3-oslo-i18n
+Requires:       python3-oslo-log
+Requires:       python3-oslo-messaging
+Requires:       python3-oslo-middleware
+Requires:       python3-oslo-policy
+Requires:       python3-oslo-serialization
+Requires:       python3-oslo-upgradecheck
+Requires:       python3-oslo-utils
+Requires:       python3-osprofiler
+Requires:       python3-pysaml2
+Requires:       python3-stevedore
+Requires:       python3-scrypt
+Requires:       python3-flask
+Requires:       python3-flask-restful
+Requires:       python3-jwt
+Requires:       python3-pytz
+Requires:       python3-cryptography
+Requires:       python3-ldap
+Requires:       python3-ldappool
+Requires:       python3-memcached
 Requires:       python3-sqlalchemy-migrate
-Requires:       python3-webob >= 1.7.1
-Requires:       python3-dogpile-cache >= 1.0.2
-Requires:       python3-msgpack >= 0.5.0
+Requires:       python3-webob
+Requires:       python3-dogpile-cache
+Requires:       python3-msgpack


 %description -n   python3-keystone
@ -124,22 +124,22 @@ This package contains the Keystone test files.
 Summary:        Documentation for OpenStack Identity Service

 # for API autodoc
-BuildRequires:  python3-sphinx >= 1.1.2
+BuildRequires:  python3-sphinx
 BuildRequires:  python3-sphinx-feature-classification
 BuildRequires:  python3-openstackdocstheme
 BuildRequires:  python3-sphinxcontrib-apidoc
 BuildRequires:  python3-sphinxcontrib-seqdiag
 BuildRequires:  python3-sphinxcontrib-blockdiag
-BuildRequires:  python3-flask >= 1.0.2
-BuildRequires:  python3-flask-restful >= 0.3.5
-BuildRequires:  python3-cryptography >= 2.1
-BuildRequires:  python3-oslo-log >= 3.44.0
-BuildRequires:  python3-oslo-messaging >= 5.29.0
-BuildRequires:  python3-oslo-middleware >= 3.31.0
-BuildRequires:  python3-oslo-policy >= 2.3.0
+BuildRequires:  python3-flask
+BuildRequires:  python3-flask-restful
+BuildRequires:  python3-cryptography
+BuildRequires:  python3-oslo-log
+BuildRequires:  python3-oslo-messaging
+BuildRequires:  python3-oslo-middleware
+BuildRequires:  python3-oslo-policy
 BuildRequires:  python3-mock
-BuildRequires:  python3-dogpile-cache >= 0.5.7
-BuildRequires:  python3-memcached >= 1.56
+BuildRequires:  python3-dogpile-cache
+BuildRequires:  python3-memcached
 BuildRequires:  python3-lxml


@ -278,20 +278,7 @@ chmod 660 %{_localstatedir}/log/keystone/keystone.log
 %endif

 %changelog
-* Sat Aug 28 2021 wangxiyuan <wangxiyuan1007@gmail.com> - 19.0.0-2
- Fix CVE-2021-38155
-
-* Thu Jul 15 2021 openstack-sig <openstack@openeuler.org>
- Update to 19.0.0
-
-* Fri Feb 26 2021 zhaorenhai <zhaorenhai@hotmail.com> - 18.0.0-3
- Change reserved port to 5000
-
-* Sat Feb 20 2021 wangxiyuan <wangxiyuan1007@gmail.org>
- Correct python3-sqlalchemy-migrate requirement and drop useless
-  openstack-keystone.defaultconf file
-
-* Wed Feb 3 2021 wangxiyuan <wangxiyuan1007@gmail.org>
- Support OpenStack Victoria release
+* Fri Nov 05 2021 wangxiyuan <wangxiyuan1007@gmail.com> - 16.0.2-1
+- Support OpenStack Train release