sys-auth/keystone: remove unused patches

2 files changed, 0 insertions, 197 deletions

diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
deleted file mode 100644
index 0f64ed5f6a6e..000000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@cynicmansion.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
-
-Conflicts:
-	keystone/tests/unit/test_v3_federation.py -- removed irrelevant
-						     tests
----
- keystone/assignment/core.py               |  5 +++++
- keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index e549abb..6a6717a 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -165,6 +165,11 @@ class Manager(manager.Manager):
- 
-     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
-         """Get a list of roles for this group on domain and/or project."""
-+        # if no group ids were passed, there are no roles. Without this check,
-+        # all assignments for the project or domain will be fetched,
-+        # which is not what we want.
-+        if not group_ids:
-+            return []
-         if project_id is not None:
-             self.resource_api.get_project(project_id)
-             assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index f3e9baa..1a7ce40 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
-         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-         self.assertEqual(0, len(token_groups))
- 
-+    def test_issue_scoped_token_no_groups(self):
-+        """Verify that token without groups cannot get scoped to project.
-+
-+        This test is required because of bug 1677723.
-+        """
-+        # issue unscoped token with no groups
-+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+        token_resp = r.json_body
-+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+        self.assertEqual(0, len(token_groups))
-+        unscoped_token = r.headers.get('X-Subject-Token')
-+
-+        # let admin get roles in a project
-+        self.proj_employees
-+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+        self.identity_api.create_user(admin)
-+        self.assignment_api.create_grant(self.role_admin['id'],
-+                                         user_id=admin['id'],
-+                                         project_id=self.proj_employees['id'])
-+
-+        # try to scope the token. It should fail
-+        scope = self._scope_request(
-+            unscoped_token, 'project', self.proj_employees['id']
-+        )
-+        self.v3_create_token(
-+            scope, expected_status=http_client.UNAUTHORIZED)
-+
-     def test_issue_unscoped_token_malformed_environment(self):
-         """Test whether non string objects are filtered out.
- 
--- 
-2.1.4
-
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
deleted file mode 100644
index abf17489cd98..000000000000
--- a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001
-From: Boris Bobrov <breton@cynicmansion.ru>
-Date: Mon, 17 Apr 2017 00:28:07 +0300
-Subject: [PATCH] Do not fetch group assignments without groups
-
-Without the change, the method fetched all assignments for a project
-or domain, regardless of who has the assignment, user or group. This
-led to situation when federated user without groups could scope a token
-with other user's rules.
-
-Return empty list of assignments if no groups were passed.
-
-Closes-Bug: 1677723
-Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
-(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
----
- keystone/assignment/core.py               |  5 +++
- keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+)
-
-diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
-index eccc22d..8fba77e 100644
---- a/keystone/assignment/core.py
-+++ b/keystone/assignment/core.py
-@@ -126,6 +126,11 @@ class Manager(manager.Manager):
- 
-     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
-         """Get a list of roles for this group on domain and/or project."""
-+        # if no group ids were passed, there are no roles. Without this check,
-+        # all assignments for the project or domain will be fetched,
-+        # which is not what we want.
-+        if not group_ids:
-+            return []
-         if project_id is not None:
-             self.resource_api.get_project(project_id)
-             assignment_list = self.list_role_assignments(
-diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
-index 0f5148f..03509b8 100644
---- a/keystone/tests/unit/test_v3_federation.py
-+++ b/keystone/tests/unit/test_v3_federation.py
-@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
-         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-         self.assertEqual(0, len(token_groups))
- 
-+    def test_issue_scoped_token_no_groups(self):
-+        """Verify that token without groups cannot get scoped to project.
-+
-+        This test is required because of bug 1677723.
-+        """
-+        # issue unscoped token with no groups
-+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
-+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
-+        token_resp = r.json_body
-+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
-+        self.assertEqual(0, len(token_groups))
-+        unscoped_token = r.headers.get('X-Subject-Token')
-+
-+        # let admin get roles in a project
-+        self.proj_employees
-+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+        self.identity_api.create_user(admin)
-+        self.assignment_api.create_grant(self.role_admin['id'],
-+                                         user_id=admin['id'],
-+                                         project_id=self.proj_employees['id'])
-+
-+        # try to scope the token. It should fail
-+        scope = self._scope_request(
-+            unscoped_token, 'project', self.proj_employees['id']
-+        )
-+        self.v3_create_token(
-+            scope, expected_status=http_client.UNAUTHORIZED)
-+
-     def test_issue_unscoped_token_malformed_environment(self):
-         """Test whether non string objects are filtered out.
- 
-@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
-                 self.expected_results[project_name], roles[0]['name']
-             )
- 
-+    def test_user_gets_only_assigned_roles(self):
-+        # in bug 1677723 user could get roles outside of what was assigned
-+        # to them. This test verifies that this is no longer true.
-+        # Authenticate once to create the projects
-+        response = self._issue_unscoped_token()
-+        self.assertValidMappedUser(response.json_body['token'])
-+        unscoped_token = response.headers.get('X-Subject-Token')
-+
-+        # Assign admin role to newly-created project to another user
-+        staging_project = self.resource_api.get_project_by_name(
-+            'Staging', self.idp['domain_id']
-+        )
-+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
-+        self.identity_api.create_user(admin)
-+        self.assignment_api.create_grant(self.role_admin['id'],
-+                                         user_id=admin['id'],
-+                                         project_id=staging_project['id'])
-+
-+        # Authenticate again with the federated user and verify roles
-+        response = self._issue_unscoped_token()
-+        self.assertValidMappedUser(response.json_body['token'])
-+        unscoped_token = response.headers.get('X-Subject-Token')
-+        scope = self._scope_request(
-+            unscoped_token, 'project', staging_project['id']
-+        )
-+        response = self.v3_create_token(scope)
-+        roles = response.json_body['token']['roles']
-+        role_ids = [r['id'] for r in roles]
-+        self.assertNotIn(self.role_admin['id'], role_ids)
-+
- 
- class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
-     JSON_HOME_DATA = {
--- 
-2.1.4
-