author | Matt Thode <prometheanfire@gentoo.org> | 2014-06-15 04:27:37 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2014-06-15 04:27:37 +0000 |
commit | 2ef196f6894bf884b92d0f1d281998f3574da569 (patch) | |
tree | 6d0894548ef0d4ab99a0ab71e7ad75e8027d2d85 /sys-cluster/neutron/files | |
parent | removing the old badness (diff) | |
removing the old badness
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster/neutron/files')
-rw-r--r-- | sys-cluster/neutron/files/2013.2.2-CVE-2014-0056.patch | 245 | ||||
-rw-r--r-- | sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch | 257 |
2 files changed, 0 insertions, 502 deletions
diff --git a/sys-cluster/neutron/files/2013.2.2-CVE-2014-0056.patch b/sys-cluster/neutron/files/2013.2.2-CVE-2014-0056.patch
deleted file mode 100644
index fc3a37dbcc38..000000000000
--- a/sys-cluster/neutron/files/2013.2.2-CVE-2014-0056.patch
+++ /dev/null
@@ -1,245 +0,0 @@ -From 1faec8354a0fab953524eaeb6042ad38461a58bc Mon Sep 17 00:00:00 2001 -From: Aaron Rosen <aaronorosen@gmail.com> -Date: Wed, 26 Mar 2014 16:36:56 -0700 -Subject: [PATCH] Prevent cross plugging router ports from other tenants - -Previously, a tenant could plug an interface into another tenant's -router if he knew their router_id by creating a port with the correct -device_id and device_owner. This patch prevents this from occuring -by preventing non-admin users from creating ports with device_owner -network:router_interface with a device_id that matches another tenants router. -In addition, it prevents one from updating a ports device_owner and device_id -so that the device_id won't match another tenants router with device_owner -being network:router_interface. - -NOTE: with this change it does open up the possiblity for a tenant to discover -router_id's of another tenant's by guessing them and updating a port till -a conflict occurs. That said, randomly guessing the router id would be hard -and in theory should not matter if exposed. We also need to allow a tenant -to update the device_id on network:router_interface ports as this would be -used for by anyone using a vm as a service router. This issue will be fixed in -another patch upstream as a db migration is required but since this needs -to be backported to all stable branches this is not possible. - -NOTE: The only plugins affect by this are the ones that use the l3-agent. 
- -NOTE: **One should perform and audit of the ports that are already - attached to routers after applying this patch and remove ports - that a tenant may have cross plugged.** - -Closes-bug: #1243327 - -Conflicts: - neutron/common/exceptions.py - neutron/db/db_base_plugin_v2.py - -Change-Id: I8bc6241f537d937e5729072dcc76871bf407cdb3 ---- - neutron/common/exceptions.py | 5 +++ - neutron/db/db_base_plugin_v2.py | 62 +++++++++++++++++++++++++++++++++++ - neutron/tests/unit/test_l3_plugin.py | 63 +++++++++++++++++++++++++++++++++++- - 3 files changed, 129 insertions(+), 1 deletion(-) - -diff --git a/neutron/common/exceptions.py b/neutron/common/exceptions.py -index 7b02647..88fa6e4 100644 ---- a/neutron/common/exceptions.py -+++ b/neutron/common/exceptions.py -@@ -301,3 +301,8 @@ def __init__(self, **kwargs): - - class NetworkVxlanPortRangeError(object): - message = _("Invalid network VXLAN port range: '%(vxlan_range)s'") -+ -+ -+class DeviceIDNotOwnedByTenant(Conflict): -+ message = _("The following device_id %(device_id)s is not owned by your " -+ "tenant or matches another tenants router.") -diff --git a/neutron/db/db_base_plugin_v2.py b/neutron/db/db_base_plugin_v2.py -index 2afbac5..872463f 100644 ---- a/neutron/db/db_base_plugin_v2.py -+++ b/neutron/db/db_base_plugin_v2.py -@@ -27,14 +27,18 @@ - from neutron.api.v2 import attributes - from neutron.common import constants - from neutron.common import exceptions as q_exc -+from neutron import context as ctx - from neutron.db import api as db - from neutron.db import models_v2 - from neutron.db import sqlalchemyutils -+from neutron.extensions import l3 -+from neutron import manager - from neutron import neutron_plugin_base_v2 - from neutron.openstack.common import excutils - from neutron.openstack.common import log as logging - from neutron.openstack.common import timeutils - from neutron.openstack.common import uuidutils -+from neutron.plugins.common import constants as service_constants - - - LOG = 
logging.getLogger(__name__) -@@ -1311,6 +1315,9 @@ def create_port(self, context, port): - # NOTE(jkoelker) Get the tenant_id outside of the session to avoid - # unneeded db action if the operation raises - tenant_id = self._get_tenant_id_for_create(context, p) -+ if p.get('device_owner') == constants.DEVICE_OWNER_ROUTER_INTF: -+ self._enforce_device_owner_not_router_intf_or_device_id(context, p, -+ tenant_id) - - with context.session.begin(subtransactions=True): - network = self._get_network(context, network_id) -@@ -1374,6 +1381,23 @@ def update_port(self, context, id, port): - changed_ips = False - with context.session.begin(subtransactions=True): - port = self._get_port(context, id) -+ if 'device_owner' in p: -+ current_device_owner = p['device_owner'] -+ changed_device_owner = True -+ else: -+ current_device_owner = port['device_owner'] -+ changed_device_owner = False -+ if p.get('device_id') != port['device_id']: -+ changed_device_id = True -+ -+ # if the current device_owner is ROUTER_INF and the device_id or -+ # device_owner changed check device_id is not another tenants -+ # router -+ if ((current_device_owner == constants.DEVICE_OWNER_ROUTER_INTF) -+ and (changed_device_id or changed_device_owner)): -+ self._enforce_device_owner_not_router_intf_or_device_id( -+ context, p, port['tenant_id'], port) -+ - # Check if the IPs need to be updated - if 'fixed_ips' in p: - changed_ips = True -@@ -1483,3 +1507,41 @@ def get_ports(self, context, filters=None, fields=None, - - def get_ports_count(self, context, filters=None): - return self._get_ports_query(context, filters).count() -+ -+ def _enforce_device_owner_not_router_intf_or_device_id(self, context, -+ port_request, -+ tenant_id, -+ db_port=None): -+ if not context.is_admin: -+ # find the device_id. If the call was update_port and the -+ # device_id was not passed in we use the device_id from the -+ # db. 
-+ device_id = port_request.get('device_id') -+ if not device_id and db_port: -+ device_id = db_port.get('device_id') -+ # check to make sure device_id does not match another tenants -+ # router. -+ if device_id: -+ if hasattr(self, 'get_router'): -+ try: -+ ctx_admin = ctx.get_admin_context() -+ router = self.get_router(ctx_admin, device_id) -+ except l3.RouterNotFound: -+ return -+ else: -+ l3plugin = ( -+ manager.NeutronManager.get_service_plugins().get( -+ service_constants.L3_ROUTER_NAT)) -+ if l3plugin: -+ try: -+ ctx_admin = ctx.get_admin_context() -+ router = l3plugin.get_router(ctx_admin, -+ device_id) -+ except l3.RouterNotFound: -+ return -+ else: -+ # raise as extension doesn't support L3 anyways. -+ raise q_exc.DeviceIDNotOwnedByTenant( -+ device_id=device_id) -+ if tenant_id != router['tenant_id']: -+ raise q_exc.DeviceIDNotOwnedByTenant(device_id=device_id) -diff --git a/neutron/tests/unit/test_l3_plugin.py b/neutron/tests/unit/test_l3_plugin.py -index 4f75b57..9cc5cf9 100644 ---- a/neutron/tests/unit/test_l3_plugin.py -+++ b/neutron/tests/unit/test_l3_plugin.py -@@ -379,7 +379,8 @@ def _remove_external_gateway_from_router(self, router_id, network_id, - - def _router_interface_action(self, action, router_id, subnet_id, port_id, - expected_code=exc.HTTPOk.code, -- expected_body=None): -+ expected_body=None, -+ tenant_id=None): - interface_data = {} - if subnet_id: - interface_data.update({'subnet_id': subnet_id}) -@@ -388,6 +389,10 @@ def _router_interface_action(self, action, router_id, subnet_id, port_id, - - req = self.new_action_request('routers', interface_data, router_id, - "%s_router_interface" % action) -+ # if tenant_id was specified, create a tenant context for this request -+ if tenant_id: -+ req.environ['neutron.context'] = context.Context( -+ '', tenant_id) - res = req.get_response(self.ext_api) - self.assertEqual(res.status_int, expected_code) - response = self.deserialize(self.fmt, res) -@@ -968,6 +973,62 @@ def 
test_router_add_gateway_tenant_ctx(self): - gw_info = body['router']['external_gateway_info'] - self.assertEqual(gw_info, None) - -+ def test_create_router_port_with_device_id_of_other_teants_router(self): -+ with self.router() as admin_router: -+ with self.network(tenant_id='tenant_a', -+ set_context=True) as n: -+ with self.subnet(network=n): -+ self._create_port( -+ self.fmt, n['network']['id'], -+ tenant_id='tenant_a', -+ device_id=admin_router['router']['id'], -+ device_owner='network:router_interface', -+ set_context=True, -+ expected_res_status=exc.HTTPConflict.code) -+ -+ def test_create_non_router_port_device_id_of_other_teants_router_update( -+ self): -+ # This tests that HTTPConflict is raised if we create a non-router -+ # port that matches the device_id of another tenants router and then -+ # we change the device_owner to be network:router_interface. -+ with self.router() as admin_router: -+ with self.network(tenant_id='tenant_a', -+ set_context=True) as n: -+ with self.subnet(network=n): -+ port_res = self._create_port( -+ self.fmt, n['network']['id'], -+ tenant_id='tenant_a', -+ device_id=admin_router['router']['id'], -+ set_context=True) -+ port = self.deserialize(self.fmt, port_res) -+ neutron_context = context.Context('', 'tenant_a') -+ data = {'port': {'device_owner': -+ 'network:router_interface'}} -+ self._update('ports', port['port']['id'], data, -+ neutron_context=neutron_context, -+ expected_code=exc.HTTPConflict.code) -+ self._delete('ports', port['port']['id']) -+ -+ def test_update_port_device_id_to_different_tenants_router(self): -+ with self.router() as admin_router: -+ with self.router(tenant_id='tenant_a', -+ set_context=True) as tenant_router: -+ with self.network(tenant_id='tenant_a', -+ set_context=True) as n: -+ with self.subnet(network=n) as s: -+ port = self._router_interface_action( -+ 'add', tenant_router['router']['id'], -+ s['subnet']['id'], None, tenant_id='tenant_a') -+ neutron_context = context.Context('', 'tenant_a') -+ 
-+ data = {'port': -+ {'device_id': admin_router['router']['id']}} -+ self._update('ports', port['port_id'], data, -+ neutron_context=neutron_context, -+ expected_code=exc.HTTPConflict.code) -+ self._router_interface_action( -+ 'remove', tenant_router['router']['id'], -+ s['subnet']['id'], None, tenant_id='tenant_a') -+ - def test_router_add_gateway_invalid_network_returns_404(self): - with self.router() as r: - self._add_external_gateway_to_router( --- -1.8.5.5 -
diff --git a/sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch b/sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch
deleted file mode 100644
index 182b709e1e1b..000000000000
--- a/sys-cluster/neutron/files/2013.2.3-CVE-2014-0187.patch
+++ /dev/null
@@ -1,257 +0,0 @@ -From 03eed8cd34cd4fb043c11fc99f6bb0b4fbd5728d Mon Sep 17 00:00:00 2001 -From: marios <marios@redhat.com> -Date: Fri, 29 Nov 2013 18:23:54 +0200 -Subject: [PATCH] Validate CIDR given as ip-prefix in - security-group-rule-create - -There was no validation for the provided ip prefix. This just adds -a simple parse using netaddr and explodes with appropriate message. -Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32). - -Validation occurs at the attribute level (API model) as well as at -the db level, where the ethertype is validated against the ip_prefix -address type. - -Unit test cases added - bad prefix, unmasked prefix and incorrect -ethertype. Also adds attribute test cases for the added -convert_ip_prefix_to_cidr method - -Closes-Bug: 1255338 - -Conflicts: - neutron/tests/unit/test_security_groups_rpc.py - neutron/tests/unit/test_extension_security_group.py - -Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954 -(cherry picked from commit 65aa92b0348b7ab8413f359b00825610cdf66607) ---- - neutron/common/exceptions.py | 4 + - neutron/db/securitygroups_db.py | 20 +++++ - neutron/extensions/securitygroup.py | 18 ++++- - .../tests/unit/test_extension_security_group.py | 86 ++++++++++++++++++++++ - 4 files changed, 127 insertions(+), 1 deletion(-) - -diff --git a/neutron/common/exceptions.py b/neutron/common/exceptions.py -index 88fa6e4..80a75d1 100644 ---- a/neutron/common/exceptions.py -+++ b/neutron/common/exceptions.py -@@ -306,3 +306,7 @@ class NetworkVxlanPortRangeError(object): - class DeviceIDNotOwnedByTenant(Conflict): - message = _("The following device_id %(device_id)s is not owned by your " - "tenant or matches another tenants router.") -+ -+ -+class InvalidCIDR(BadRequest): -+ message = _("Invalid CIDR %(input)s given as IP prefix") -diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py -index 2a7d2ef..8868546 100644 ---- a/neutron/db/securitygroups_db.py -+++ b/neutron/db/securitygroups_db.py 
-@@ -16,6 +16,7 @@ - # - # @author: Aaron Rosen, Nicira, Inc - -+import netaddr - import sqlalchemy as sa - from sqlalchemy import orm - from sqlalchemy.orm import exc -@@ -331,6 +332,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase): - new_rules.add(rule['security_group_id']) - - self._validate_port_range(rule) -+ self._validate_ip_prefix(rule) - - if rule['remote_ip_prefix'] and rule['remote_group_id']: - raise ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix() -@@ -411,6 +413,24 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase): - if (i['security_group_rule'] == db_rule): - raise ext_sg.SecurityGroupRuleExists(id=id) - -+ def _validate_ip_prefix(self, rule): -+ """Check that a valid cidr was specified as remote_ip_prefix -+ -+ No need to check that it is in fact an IP address as this is already -+ validated by attribute validators. -+ Check that rule ethertype is consistent with remote_ip_prefix ip type. -+ Add mask to ip_prefix if absent (192.168.1.10 -> 192.168.1.10/32). 
-+ """ -+ input_prefix = rule['remote_ip_prefix'] -+ if input_prefix: -+ addr = netaddr.IPNetwork(input_prefix) -+ # set input_prefix to always include the netmask: -+ rule['remote_ip_prefix'] = str(addr) -+ # check consistency of ethertype with addr version -+ if rule['ethertype'] != "IPv%d" % (addr.version): -+ raise ext_sg.SecurityGroupRuleParameterConflict( -+ ethertype=rule['ethertype'], cidr=input_prefix) -+ - def get_security_group_rules(self, context, filters=None, fields=None, - sorts=None, limit=None, marker=None, - page_reverse=False): -diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py -index 85d499a..3d10b5a 100644 ---- a/neutron/extensions/securitygroup.py -+++ b/neutron/extensions/securitygroup.py -@@ -17,6 +17,7 @@ - - from abc import ABCMeta - from abc import abstractmethod -+import netaddr - - from oslo.config import cfg - -@@ -102,6 +103,10 @@ class SecurityGroupRuleExists(qexception.InUse): - message = _("Security group rule already exists. 
Group id is %(id)s.") - - -+class SecurityGroupRuleParameterConflict(qexception.InvalidInput): -+ message = _("Conflicting value ethertype %(ethertype)s for CIDR %(cidr)s") -+ -+ - def convert_protocol(value): - if value is None: - return -@@ -152,6 +157,16 @@ def convert_to_uuid_list_or_none(value_list): - return value_list - - -+def convert_ip_prefix_to_cidr(ip_prefix): -+ if not ip_prefix: -+ return -+ try: -+ cidr = netaddr.IPNetwork(ip_prefix) -+ return str(cidr) -+ except (TypeError, netaddr.AddrFormatError): -+ raise qexception.InvalidCIDR(input=ip_prefix) -+ -+ - def _validate_name_not_default(data, valid_values=None): - if data == "default": - raise SecurityGroupDefaultAlreadyExists() -@@ -207,7 +222,8 @@ RESOURCE_ATTRIBUTE_MAP = { - 'convert_to': convert_ethertype_to_case_insensitive, - 'validate': {'type:values': sg_supported_ethertypes}}, - 'remote_ip_prefix': {'allow_post': True, 'allow_put': False, -- 'default': None, 'is_visible': True}, -+ 'default': None, 'is_visible': True, -+ 'convert_to': convert_ip_prefix_to_cidr}, - 'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'is_visible': True}, -diff --git a/neutron/tests/unit/test_extension_security_group.py b/neutron/tests/unit/test_extension_security_group.py -index d53e140..f0b1636 100644 ---- a/neutron/tests/unit/test_extension_security_group.py -+++ b/neutron/tests/unit/test_extension_security_group.py -@@ -21,11 +21,13 @@ import webob.exc - - from neutron.api.v2 import attributes as attr - from neutron.common import constants as const -+from neutron.common import exceptions as n_exc - from neutron.common.test_lib import test_config - from neutron import context - from neutron.db import db_base_plugin_v2 - from neutron.db import securitygroups_db - from neutron.extensions import securitygroup as ext_sg -+from neutron.tests import base - from neutron.tests.unit import test_db_plugin - - DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_security_group.' 
-@@ -413,6 +415,70 @@ class TestSecurityGroups(SecurityGroupDBTestCase): - self.deserialize(self.fmt, res) - self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) - -+ def test_create_security_group_rule_invalid_ip_prefix(self): -+ name = 'webservers' -+ description = 'my webservers' -+ for bad_prefix in ['bad_ip', 256, "2001:db8:a::123/129", '172.30./24']: -+ with self.security_group(name, description) as sg: -+ sg_id = sg['security_group']['id'] -+ remote_ip_prefix = bad_prefix -+ rule = self._build_security_group_rule( -+ sg_id, -+ 'ingress', -+ const.PROTO_NAME_TCP, -+ '22', '22', -+ remote_ip_prefix) -+ res = self._create_security_group_rule(self.fmt, rule) -+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) -+ -+ def test_create_security_group_rule_invalid_ethertype_for_prefix(self): -+ name = 'webservers' -+ description = 'my webservers' -+ test_addr = {'192.168.1.1/24': 'ipv4', '192.168.1.1/24': 'IPv6', -+ '2001:db8:1234::/48': 'ipv6', -+ '2001:db8:1234::/48': 'IPv4'} -+ for prefix, ether in test_addr.iteritems(): -+ with self.security_group(name, description) as sg: -+ sg_id = sg['security_group']['id'] -+ ethertype = ether -+ remote_ip_prefix = prefix -+ rule = self._build_security_group_rule( -+ sg_id, -+ 'ingress', -+ const.PROTO_NAME_TCP, -+ '22', '22', -+ remote_ip_prefix, -+ None, -+ None, -+ ethertype) -+ res = self._create_security_group_rule(self.fmt, rule) -+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) -+ -+ def test_create_security_group_rule_with_unmasked_prefix(self): -+ name = 'webservers' -+ description = 'my webservers' -+ addr = {'10.1.2.3': {'mask': '32', 'ethertype': 'IPv4'}, -+ 'fe80::2677:3ff:fe7d:4c': {'mask': '128', 'ethertype': 'IPv6'}} -+ for ip in addr: -+ with self.security_group(name, description) as sg: -+ sg_id = sg['security_group']['id'] -+ ethertype = addr[ip]['ethertype'] -+ remote_ip_prefix = ip -+ rule = self._build_security_group_rule( -+ sg_id, -+ 'ingress', -+ 
const.PROTO_NAME_TCP, -+ '22', '22', -+ remote_ip_prefix, -+ None, -+ None, -+ ethertype) -+ res = self._create_security_group_rule(self.fmt, rule) -+ self.assertEqual(res.status_int, 201) -+ res_sg = self.deserialize(self.fmt, res) -+ prefix = res_sg['security_group_rule']['remote_ip_prefix'] -+ self.assertEqual(prefix, '%s/%s' % (ip, addr[ip]['mask'])) -+ - def test_create_security_group_rule_tcp_protocol_as_number(self): - name = 'webservers' - description = 'my webservers' -@@ -1348,5 +1414,25 @@ class TestSecurityGroups(SecurityGroupDBTestCase): - self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code) - - -+class TestConvertIPPrefixToCIDR(base.BaseTestCase): -+ -+ def test_convert_bad_ip_prefix_to_cidr(self): -+ for val in ['bad_ip', 256, "2001:db8:a::123/129"]: -+ self.assertRaises(n_exc.InvalidCIDR, -+ ext_sg.convert_ip_prefix_to_cidr, val) -+ self.assertIsNone(ext_sg.convert_ip_prefix_to_cidr(None)) -+ -+ def test_convert_ip_prefix_no_netmask_to_cidr(self): -+ addr = {'10.1.2.3': '32', 'fe80::2677:3ff:fe7d:4c': '128'} -+ for k, v in addr.iteritems(): -+ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(k), -+ '%s/%s' % (k, v)) -+ -+ def test_convert_ip_prefix_with_netmask_to_cidr(self): -+ addresses = ['10.1.0.0/16', '10.1.2.3/32', '2001:db8:1234::/48'] -+ for addr in addresses: -+ self.assertEqual(ext_sg.convert_ip_prefix_to_cidr(addr), addr) -+ -+ - class TestSecurityGroupsXML(TestSecurityGroups): - fmt = 'xml' --- -1.8.5.5
\ No newline at end of file |