commit: ab7179f257e6dd899085f66fc81bb6a79418eb05 |
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
AuthorDate: Tue Feb 2 16:01:35 2016 +0000 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Tue Feb 2 16:09:17 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab7179f2 |
|
sys-auth/keystone: fixing bug 573658 CVE-2015-7546 |
|
Package-Manager: portage-2.2.26 |
|
sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch | 216 +++++++++++++++++++++ |
sys-auth/keystone/keystone-8.0.1-r1.ebuild | 226 ++++++++++++++++++++++ |
2 files changed, 442 insertions(+) |
|
16 |
diff --git a/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch b/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch |
17 |
new file mode 100644 |
18 |
index 0000000..82bff1e |
19 |
--- /dev/null |
20 |
+++ b/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch |
21 |
@@ -0,0 +1,216 @@ |
22 |
+From bff03b5726fe5cac93d44a66715eea49b89c8cb0 Mon Sep 17 00:00:00 2001 |
23 |
+From: Brant Knudson <bknudson@××××××.com> |
24 |
+Date: Tue, 1 Dec 2015 11:09:14 -0600 |
25 |
+Subject: [PATCH] Add audit IDs to revocation events |
26 |
+ |
27 |
+The revoked tokens' audit ID is now included in the data returned in |
28 |
+the revocation list. |
29 |
+ |
30 |
+Closes-Bug: 1490804 |
31 |
+Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f |
32 |
+(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0) |
33 |
+Conflicts: |
34 |
+ keystone/tests/unit/test_backend.py |
35 |
+--- |
36 |
+ keystone/tests/unit/test_backend.py | 39 ++++++++++++++-------- |
37 |
+ keystone/tests/unit/test_backend_sql.py | 3 +- |
38 |
+ keystone/token/persistence/backends/kvs.py | 9 +++++ |
39 |
+ keystone/token/persistence/backends/sql.py | 12 ++++++- |
40 |
+ .../notes/bug-1490804-de58a9606edb31eb.yaml | 13 ++++++++ |
41 |
+ 5 files changed, 61 insertions(+), 15 deletions(-) |
42 |
+ create mode 100644 releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml |
43 |
+ |
44 |
+diff --git a/keystone/tests/unit/test_backend.py b/keystone/tests/unit/test_backend.py |
45 |
+index 2340645..1273736 100644 |
46 |
+--- a/keystone/tests/unit/test_backend.py |
47 |
++++ b/keystone/tests/unit/test_backend.py |
48 |
+@@ -4426,7 +4426,9 @@ class TokenTests(object): |
49 |
+ token_id = self._create_token_id() |
50 |
+ data = {'id': token_id, 'a': 'b', |
51 |
+ 'trust_id': None, |
52 |
+- 'user': {'id': 'testuserid'}} |
53 |
++ 'user': {'id': 'testuserid'}, |
54 |
++ 'token_data': {'access': {'token': { |
55 |
++ 'audit_ids': [uuid.uuid4().hex]}}}} |
56 |
+ data_ref = self.token_provider_api._persistence.create_token(token_id, |
57 |
+ data) |
58 |
+ expires = data_ref.pop('expires') |
59 |
+@@ -4461,7 +4463,8 @@ class TokenTests(object): |
60 |
+ # FIXME(morganfainberg): These tokens look nothing like "Real" tokens. |
61 |
+ # This should be fixed when token issuance is cleaned up. |
62 |
+ data = {'id': token_id, 'a': 'b', |
63 |
+- 'user': {'id': user_id}} |
64 |
++ 'user': {'id': user_id}, |
65 |
++ 'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}} |
66 |
+ if tenant_id is not None: |
67 |
+ data['tenant'] = {'id': tenant_id, 'name': tenant_id} |
68 |
+ if tenant_id is NULL_OBJECT: |
69 |
+@@ -4470,7 +4473,7 @@ class TokenTests(object): |
70 |
+ data['expires'] = expires |
71 |
+ if trust_id is not None: |
72 |
+ data['trust_id'] = trust_id |
73 |
+- data.setdefault('access', {}).setdefault('trust', {}) |
74 |
++ data['access'].setdefault('trust', {}) |
75 |
+ # Testuserid2 is used here since a trustee will be different in |
76 |
+ # the cases of impersonation and therefore should not match the |
77 |
+ # token's user_id. |
78 |
+@@ -4633,17 +4636,21 @@ class TokenTests(object): |
79 |
+ |
80 |
+ self.assertEqual(data_ref, new_data_ref) |
81 |
+ |
82 |
+- def check_list_revoked_tokens(self, token_ids): |
83 |
+- revoked_ids = [x['id'] |
84 |
+- for x in self.token_provider_api.list_revoked_tokens()] |
85 |
++ def check_list_revoked_tokens(self, token_infos): |
86 |
++ revocation_list = self.token_provider_api.list_revoked_tokens() |
87 |
++ revoked_ids = [x['id'] for x in revocation_list] |
88 |
++ revoked_audit_ids = [x['audit_id'] for x in revocation_list] |
89 |
+ self._assert_revoked_token_list_matches_token_persistence(revoked_ids) |
90 |
+- for token_id in token_ids: |
91 |
++ for token_id, audit_id in token_infos: |
92 |
+ self.assertIn(token_id, revoked_ids) |
93 |
++ self.assertIn(audit_id, revoked_audit_ids) |
94 |
+ |
95 |
+ def delete_token(self): |
96 |
+ token_id = uuid.uuid4().hex |
97 |
++ audit_id = uuid.uuid4().hex |
98 |
+ data = {'id_hash': token_id, 'id': token_id, 'a': 'b', |
99 |
+- 'user': {'id': 'testuserid'}} |
100 |
++ 'user': {'id': 'testuserid'}, |
101 |
++ 'token_data': {'token': {'audit_ids': [audit_id]}}} |
102 |
+ data_ref = self.token_provider_api._persistence.create_token(token_id, |
103 |
+ data) |
104 |
+ self.token_provider_api._persistence.delete_token(token_id) |
105 |
+@@ -4655,7 +4662,7 @@ class TokenTests(object): |
106 |
+ exception.TokenNotFound, |
107 |
+ self.token_provider_api._persistence.delete_token, |
108 |
+ data_ref['id']) |
109 |
+- return token_id |
110 |
++ return (token_id, audit_id) |
111 |
+ |
112 |
+ def test_list_revoked_tokens_returns_empty_list(self): |
113 |
+ revoked_ids = [x['id'] |
114 |
+@@ -4706,12 +4713,16 @@ class TokenTests(object): |
115 |
+ token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b', |
116 |
+ 'expires': expire_time, |
117 |
+ 'trust_id': None, |
118 |
+- 'user': {'id': 'testuserid'}} |
119 |
++ 'user': {'id': 'testuserid'}, |
120 |
++ 'token_data': {'token': { |
121 |
++ 'audit_ids': [uuid.uuid4().hex]}}} |
122 |
+ token2_id = uuid.uuid4().hex |
123 |
+ token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b', |
124 |
+ 'expires': expire_time, |
125 |
+ 'trust_id': None, |
126 |
+- 'user': {'id': 'testuserid'}} |
127 |
++ 'user': {'id': 'testuserid'}, |
128 |
++ 'token_data': {'token': { |
129 |
++ 'audit_ids': [uuid.uuid4().hex]}}} |
130 |
+ # Create 2 Tokens. |
131 |
+ self.token_provider_api._persistence.create_token(token_id, |
132 |
+ token_data) |
133 |
+@@ -4746,7 +4757,8 @@ class TokenTests(object): |
134 |
+ def _test_predictable_revoked_pki_token_id(self, hash_fn): |
135 |
+ token_id = self._create_token_id() |
136 |
+ token_id_hash = hash_fn(token_id).hexdigest() |
137 |
+- token = {'user': {'id': uuid.uuid4().hex}} |
138 |
++ token = {'user': {'id': uuid.uuid4().hex}, |
139 |
++ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} |
140 |
+ |
141 |
+ self.token_provider_api._persistence.create_token(token_id, token) |
142 |
+ self.token_provider_api._persistence.delete_token(token_id) |
143 |
+@@ -4768,7 +4780,8 @@ class TokenTests(object): |
144 |
+ |
145 |
+ def test_predictable_revoked_uuid_token_id(self): |
146 |
+ token_id = uuid.uuid4().hex |
147 |
+- token = {'user': {'id': uuid.uuid4().hex}} |
148 |
++ token = {'user': {'id': uuid.uuid4().hex}, |
149 |
++ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} |
150 |
+ |
151 |
+ self.token_provider_api._persistence.create_token(token_id, token) |
152 |
+ self.token_provider_api._persistence.delete_token(token_id) |
153 |
+diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py |
154 |
+index 69fac63..51221a3 100644 |
155 |
+--- a/keystone/tests/unit/test_backend_sql.py |
156 |
++++ b/keystone/tests/unit/test_backend_sql.py |
157 |
+@@ -492,7 +492,8 @@ class SqlToken(SqlTests, test_backend.TokenTests): |
158 |
+ # necessary. |
159 |
+ |
160 |
+ expected_query_args = (token_sql.TokenModel.id, |
161 |
+- token_sql.TokenModel.expires) |
162 |
++ token_sql.TokenModel.expires, |
163 |
++ token_sql.TokenModel.extra,) |
164 |
+ |
165 |
+ with mock.patch.object(token_sql, 'sql') as mock_sql: |
166 |
+ tok = token_sql.Token() |
167 |
+diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py |
168 |
+index 5193158..60f7931 100644 |
169 |
+--- a/keystone/token/persistence/backends/kvs.py |
170 |
++++ b/keystone/token/persistence/backends/kvs.py |
171 |
+@@ -210,6 +210,15 @@ class Token(token.persistence.TokenDriverV8): |
172 |
+ subsecond=True) |
173 |
+ revoked_token_data['id'] = data['id'] |
174 |
+ |
175 |
++ token_data = data['token_data'] |
176 |
++ if 'access' in token_data: |
177 |
++ # It's a v2 token. |
178 |
++ audit_ids = token_data['access']['token']['audit_ids'] |
179 |
++ else: |
180 |
++ # It's a v3 token. |
181 |
++ audit_ids = token_data['token']['audit_ids'] |
182 |
++ revoked_token_data['audit_id'] = audit_ids[0] |
183 |
++ |
184 |
+ token_list = self._get_key_or_default(self.revocation_key, default=[]) |
185 |
+ if not isinstance(token_list, list): |
186 |
+ # NOTE(morganfainberg): In the case that the revocation list is not |
187 |
+diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py |
188 |
+index 6fc1d22..d677620 100644 |
189 |
+--- a/keystone/token/persistence/backends/sql.py |
190 |
++++ b/keystone/token/persistence/backends/sql.py |
191 |
+@@ -228,13 +228,23 @@ class Token(token.persistence.TokenDriverV8): |
192 |
+ session = sql.get_session() |
193 |
+ tokens = [] |
194 |
+ now = timeutils.utcnow() |
195 |
+- query = session.query(TokenModel.id, TokenModel.expires) |
196 |
++ query = session.query(TokenModel.id, TokenModel.expires, |
197 |
++ TokenModel.extra) |
198 |
+ query = query.filter(TokenModel.expires > now) |
199 |
+ token_references = query.filter_by(valid=False) |
200 |
+ for token_ref in token_references: |
201 |
++ token_data = token_ref[2]['token_data'] |
202 |
++ if 'access' in token_data: |
203 |
++ # It's a v2 token. |
204 |
++ audit_ids = token_data['access']['token']['audit_ids'] |
205 |
++ else: |
206 |
++ # It's a v3 token. |
207 |
++ audit_ids = token_data['token']['audit_ids'] |
208 |
++ |
209 |
+ record = { |
210 |
+ 'id': token_ref[0], |
211 |
+ 'expires': token_ref[1], |
212 |
++ 'audit_id': audit_ids[0], |
213 |
+ } |
214 |
+ tokens.append(record) |
215 |
+ return tokens |
216 |
+diff --git a/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml b/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml |
217 |
+new file mode 100644 |
218 |
+index 0000000..0d5c203 |
219 |
+--- /dev/null |
220 |
++++ b/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml |
221 |
+@@ -0,0 +1,13 @@ |
222 |
++--- |
223 |
++features: |
224 |
++ - > |
225 |
++ [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] |
226 |
++ Audit IDs are included in the token revocation list. |
227 |
++security: |
228 |
++ - > |
229 |
++ [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] |
230 |
++ [`CVE-2015-7546 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546>`_] |
231 |
++ A bug is fixed where an attacker could avoid token revocation when the PKI |
232 |
++ or PKIZ token provider is used. The complete remediation for this |
233 |
++ vulnerability requires the corresponding fix in the keystonemiddleware |
234 |
++ project. |
235 |
+-- |
236 |
+1.9.1 |
237 |
+ |
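Review bot: The new audit-ID lookup in both backends indexes straight into the stored token (`data['token_data']` in kvs.py, `token_ref[2]['token_data']` in sql.py, then `audit_ids[0]`), so a single revoked row that lacks `token_data` or carries an empty `audit_ids` list raises KeyError or IndexError. In sql.py this happens inside the loop that builds the whole list, so one such row would make the revocation list unavailable to every consumer; whether rows persisted before this patch always carry these keys is not visible here. The v2/v3 branch is also duplicated verbatim in the two drivers. A shared helper that tolerates missing keys, sketched below, would cover both; emitting `None` as the audit ID is an assumption to confirm against what consumers of the list accept. Both enclosing methods start outside the hunks shown.

```python
def _revoked_audit_id(token_data):
    """Return the first audit ID of a v2 or v3 token body, or None."""
    # v2 bodies nest the token under 'access'; v3 bodies do not.
    body = token_data.get('access', token_data)
    audit_ids = body.get('token', {}).get('audit_ids') or [None]
    return audit_ids[0]

# kvs.py
# … unchanged: expires/id bookkeeping on revoked_token_data …
revoked_token_data['audit_id'] = _revoked_audit_id(
    data.get('token_data', {}))

# sql.py, inside the loop over token_references
# … unchanged: query construction and filters …
record = {
    'id': token_ref[0],
    'expires': token_ref[1],
    'audit_id': _revoked_audit_id(token_ref[2].get('token_data', {})),
}
```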
238 |
|
239 |
diff --git a/sys-auth/keystone/keystone-8.0.1-r1.ebuild b/sys-auth/keystone/keystone-8.0.1-r1.ebuild |
240 |
new file mode 100644 |
241 |
index 0000000..24a477c |
242 |
--- /dev/null |
243 |
+++ b/sys-auth/keystone/keystone-8.0.1-r1.ebuild |
244 |
@@ -0,0 +1,226 @@ |
245 |
+# Copyright 1999-2015 Gentoo Foundation |
246 |
+# Distributed under the terms of the GNU General Public License v2 |
247 |
+# $Id$ |
248 |
+ |
249 |
+EAPI=5 |
250 |
+ |
251 |
+PYTHON_COMPAT=( python2_7 ) |
252 |
+ |
253 |
+inherit distutils-r1 user |
254 |
+ |
255 |
+DESCRIPTION="The Openstack authentication, authorization, and service catalog" |
256 |
+HOMEPAGE="https://launchpad.net/keystone" |
257 |
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz" |
258 |
+ |
259 |
+LICENSE="Apache-2.0" |
260 |
+SLOT="0" |
261 |
+KEYWORDS="~amd64 ~x86" |
262 |
+IUSE="+sqlite memcached mongo mysql postgres ldap test" |
263 |
+REQUIRED_USE="|| ( mysql postgres sqlite )" |
264 |
+ |
265 |
+CDEPEND=">=dev-python/pbr-1.6[${PYTHON_USEDEP}]" |
266 |
+DEPEND=" |
267 |
+ dev-python/setuptools[${PYTHON_USEDEP}] |
268 |
+ ${CDEPEND} |
269 |
+ test? ( |
270 |
+ ${RDEPEND} |
271 |
+ >=dev-python/bashate-0.2[${PYTHON_USEDEP}] |
272 |
+ <=dev-python/bashate-0.3.2[${PYTHON_USEDEP}] |
273 |
+ memcached? ( |
274 |
+ >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}] |
275 |
+ <=dev-python/python-memcached-1.57[${PYTHON_USEDEP}] |
276 |
+ ) |
277 |
+ mongo? ( |
278 |
+ >=dev-python/pymongo-2.6.3[${PYTHON_USEDEP}] |
279 |
+ <dev-python/pymongo-3.2[${PYTHON_USEDEP}] |
280 |
+ ) |
281 |
+ ldap? ( |
282 |
+ >=dev-python/python-ldap-2.4[$(python_gen_usedep 'python2_7')] |
283 |
+ <=dev-python/python-ldap-2.4.20[$(python_gen_usedep 'python2_7')] |
284 |
+ ~dev-python/ldappool-1.0[$(python_gen_usedep 'python2_7')] |
285 |
+ ) |
286 |
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}] |
287 |
+ <=dev-python/coverage-4.0.3[${PYTHON_USEDEP}] |
288 |
+ >=dev-python/fixtures-1.3.1[${PYTHON_USEDEP}] |
289 |
+ <=dev-python/fixtures-1.4.0-r9999[${PYTHON_USEDEP}] |
290 |
+ >=dev-python/lxml-2.3[${PYTHON_USEDEP}] |
291 |
+ <=dev-python/lxml-3.5.0-r9999[${PYTHON_USEDEP}] |
292 |
+ >=dev-python/mock-1.2[${PYTHON_USEDEP}] |
293 |
+ <=dev-python/mock-1.3.0[${PYTHON_USEDEP}] |
294 |
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}] |
295 |
+ <=dev-python/oslotest-2.0.0[${PYTHON_USEDEP}] |
296 |
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}] |
297 |
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}] |
298 |
+ <dev-python/sphinx-1.3[${PYTHON_USEDEP}] |
299 |
+ >=dev-python/webtest-2.0[${PYTHON_USEDEP}] |
300 |
+ <=dev-python/webtest-2.0.20[${PYTHON_USEDEP}] |
301 |
+ >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}] |
302 |
+ <=dev-python/subunit-1.2.0[${PYTHON_USEDEP}] |
303 |
+ >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}] |
304 |
+ <=dev-python/testrepository-0.0.20[${PYTHON_USEDEP}] |
305 |
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}] |
306 |
+ <=dev-python/testtools-1.8.1[${PYTHON_USEDEP}] |
307 |
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}] |
308 |
+ <=dev-python/oslo-sphinx-4.1.0[${PYTHON_USEDEP}] |
309 |
+ >=dev-python/tempest-lib-0.8.0[${PYTHON_USEDEP}] |
310 |
+ <=dev-python/tempest-lib-0.11.0[${PYTHON_USEDEP}] |
311 |
+ >=dev-python/requests-2.5.2[${PYTHON_USEDEP}] |
312 |
+ !~dev-python/requests-2.8.0[${PYTHON_USEDEP}] |
313 |
+ <=dev-python/requests-2.8.1[${PYTHON_USEDEP}] |
314 |
+ >=dev-python/reno-0.1.1[${PYTHON_USEDEP}] |
315 |
+ )" |
316 |
+RDEPEND=" |
317 |
+ ${CDEPEND} |
318 |
+ >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] |
319 |
+ <=dev-python/webob-1.5.1[${PYTHON_USEDEP}] |
320 |
+ ~dev-python/eventlet-0.17.4[${PYTHON_USEDEP}] |
321 |
+ >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}] |
322 |
+ <=dev-python/greenlet-0.4.9[${PYTHON_USEDEP}] |
323 |
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}] |
324 |
+ <=dev-python/pastedeploy-1.5.2[${PYTHON_USEDEP}] |
325 |
+ <=dev-python/paste-2.0.2[${PYTHON_USEDEP}] |
326 |
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}] |
327 |
+ !~dev-python/routes-2.0[${PYTHON_USEDEP}] |
328 |
+ !~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')] |
329 |
+ <=dev-python/routes-2.2[${PYTHON_USEDEP}] |
330 |
+ >=dev-python/cryptography-1.0[${PYTHON_USEDEP}] |
331 |
+ <=dev-python/cryptography-1.1.2-r9999[${PYTHON_USEDEP}] |
332 |
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}] |
333 |
+ <=dev-python/six-1.10.0-r9999[${PYTHON_USEDEP}] |
334 |
+ sqlite? ( |
335 |
+ >=dev-python/sqlalchemy-0.9.9[sqlite,${PYTHON_USEDEP}] |
336 |
+ <dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}] |
337 |
+ ) |
338 |
+ mysql? ( |
339 |
+ dev-python/mysql-python |
340 |
+ >=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}] |
341 |
+ <dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}] |
342 |
+ ) |
343 |
+ postgres? ( |
344 |
+ dev-python/psycopg:2 |
345 |
+ >=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}] |
346 |
+ <dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}] |
347 |
+ ) |
348 |
+ >=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}] |
349 |
+ <=dev-python/sqlalchemy-migrate-0.10.0[${PYTHON_USEDEP}] |
350 |
+ >=dev-python/stevedore-1.5.0[${PYTHON_USEDEP}] |
351 |
+ <=dev-python/stevedore-1.10.0[${PYTHON_USEDEP}] |
352 |
+ >=dev-python/passlib-1.6[${PYTHON_USEDEP}] |
353 |
+ <=dev-python/passlib-1.6.5[${PYTHON_USEDEP}] |
354 |
+ >=dev-python/python-keystoneclient-1.6.0[${PYTHON_USEDEP}] |
355 |
+ !~dev-python/python-keystoneclient-1.8.0[${PYTHON_USEDEP}] |
356 |
+ <=dev-python/python-keystoneclient-2.0.0-r9999[${PYTHON_USEDEP}] |
357 |
+ >=dev-python/keystonemiddleware-2.0.0[${PYTHON_USEDEP}] |
358 |
+ !~dev-python/keystonemiddleware-2.4.0[${PYTHON_USEDEP}] |
359 |
+ <=dev-python/keystonemiddleware-4.0.0-r9999[${PYTHON_USEDEP}] |
360 |
+ >=dev-python/oslo-concurrency-2.3.0[${PYTHON_USEDEP}] |
361 |
+ <=dev-python/oslo-concurrency-3.1.0[${PYTHON_USEDEP}] |
362 |
+ >=dev-python/oslo-config-2.3.0[${PYTHON_USEDEP}] |
363 |
+ <=dev-python/oslo-config-3.1.0[${PYTHON_USEDEP}] |
364 |
+ >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}] |
365 |
+ <=dev-python/oslo-context-1.0.0[${PYTHON_USEDEP}] |
366 |
+ >=dev-python/oslo-messaging-1.16.0[${PYTHON_USEDEP}] |
367 |
+ !~dev-python/oslo-messaging-1.17.0[${PYTHON_USEDEP}] |
368 |
+ !~dev-python/oslo-messaging-1.17.1[${PYTHON_USEDEP}] |
369 |
+ !~dev-python/oslo-messaging-2.6.0[${PYTHON_USEDEP}] |
370 |
+ !~dev-python/oslo-messaging-2.6.1[${PYTHON_USEDEP}] |
371 |
+ !~dev-python/oslo-messaging-2.7.0[${PYTHON_USEDEP}] |
372 |
+ !~dev-python/oslo-messaging-2.8.0[${PYTHON_USEDEP}] |
373 |
+ !~dev-python/oslo-messaging-2.8.1[${PYTHON_USEDEP}] |
374 |
+ !~dev-python/oslo-messaging-2.9.0[${PYTHON_USEDEP}] |
375 |
+ !~dev-python/oslo-messaging-3.1.0[${PYTHON_USEDEP}] |
376 |
+ <=dev-python/oslo-messaging-3.0.0[${PYTHON_USEDEP}] |
377 |
+ >=dev-python/oslo-db-2.4.1[${PYTHON_USEDEP}] |
378 |
+ <=dev-python/oslo-db-4.1.0[${PYTHON_USEDEP}] |
379 |
+ >=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}] |
380 |
+ <=dev-python/oslo-i18n-3.1.0[${PYTHON_USEDEP}] |
381 |
+ >=dev-python/oslo-log-1.8.0[${PYTHON_USEDEP}] |
382 |
+ <=dev-python/oslo-log-2.1.0[${PYTHON_USEDEP}] |
383 |
+ >=dev-python/oslo-middleware-2.8.0[${PYTHON_USEDEP}] |
384 |
+ <=dev-python/oslo-middleware-3.3.0[${PYTHON_USEDEP}] |
385 |
+ >=dev-python/oslo-policy-0.5.0[${PYTHON_USEDEP}] |
386 |
+ <=dev-python/oslo-policy-1.1.0[${PYTHON_USEDEP}] |
387 |
+ >=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}] |
388 |
+ <=dev-python/oslo-serialization-2.1.0[${PYTHON_USEDEP}] |
389 |
+ >=dev-python/oslo-service-0.7.0[${PYTHON_USEDEP}] |
390 |
+ <=dev-python/oslo-service-1.1.0[${PYTHON_USEDEP}] |
391 |
+ >=dev-python/oslo-utils-2.0.0[${PYTHON_USEDEP}] |
392 |
+ !~dev-python/oslo-utils-2.6.0[${PYTHON_USEDEP}] |
393 |
+ <=dev-python/oslo-utils-3.2.0[${PYTHON_USEDEP}] |
394 |
+ >=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}] |
395 |
+ <=dev-python/oauthlib-1.0.3[${PYTHON_USEDEP}] |
396 |
+ >=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}] |
397 |
+ <=dev-python/pysaml2-4.0.0[${PYTHON_USEDEP}] |
398 |
+ >=dev-python/dogpile-cache-0.5.4[${PYTHON_USEDEP}] |
399 |
+ <=dev-python/dogpile-cache-0.5.7[${PYTHON_USEDEP}] |
400 |
+ >=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}] |
401 |
+ !~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}] |
402 |
+ <dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}] |
403 |
+ ~dev-python/pycadf-1.1.0[${PYTHON_USEDEP}] |
404 |
+ <=dev-python/pycadf-2.0.1[${PYTHON_USEDEP}] |
405 |
+ ~dev-python/msgpack-0.4.6[${PYTHON_USEDEP}]" |
406 |
+ |
407 |
+PATCHES=( |
408 |
+ "${FILESDIR}/CVE-2015-7546_8.0.1.patch" |
409 |
+) |
410 |
+ |
411 |
+pkg_setup() { |
412 |
+ enewgroup keystone |
413 |
+ enewuser keystone -1 -1 /var/lib/keystone keystone |
414 |
+} |
415 |
+ |
416 |
+python_prepare_all() { |
417 |
+ # it's in git, but not in the tarball..... |
418 |
+ sed -i '/^hacking/d' test-requirements.txt || die |
419 |
+ mkdir -p ${PN}/tests/tmp/ || die |
420 |
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die |
421 |
+ distutils-r1_python_prepare_all |
422 |
+} |
423 |
+ |
424 |
+# Ignore (naughty) test_.py files & 1 test that connect to the network |
425 |
+#-I 'test_keystoneclient*' \ |
426 |
+python_test() { |
427 |
+ nosetests -I 'test_keystoneclient*' \ |
428 |
+ -e test_static_translated_string_is_Message \ |
429 |
+ -e test_get_token_id_error_handling \ |
430 |
+ -e test_provider_token_expiration_validation \ |
431 |
+ -e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7" |
432 |
+} |
433 |
+ |
434 |
+python_install() { |
435 |
+ distutils-r1_python_install |
436 |
+ newconfd "${FILESDIR}/keystone.confd" keystone |
437 |
+ newinitd "${FILESDIR}/keystone.initd" keystone |
438 |
+ |
439 |
+ diropts -m 0750 |
440 |
+ keepdir /etc/keystone /var/log/keystone |
441 |
+ insinto /etc/keystone |
442 |
+ insopts -m0640 -okeystone -gkeystone |
443 |
+ doins etc/keystone.conf.sample etc/logging.conf.sample |
444 |
+ doins etc/default_catalog.templates etc/policy.json |
445 |
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini |
446 |
+ insinto /etc/keystone/httpd |
447 |
+ doins httpd/keystone.py httpd/wsgi-keystone.conf |
448 |
+ |
449 |
+ fowners keystone:keystone /etc/keystone /var/log/keystone |
450 |
+} |
451 |
+ |
452 |
+pkg_postinst() { |
453 |
+ elog "You might want to run:" |
454 |
+ elog "emerge --config =${CATEGORY}/${PF}" |
455 |
+ elog "if this is a new install." |
456 |
+ elog "If you have not already configured your openssl installation" |
457 |
+ elog "please do it by modifying /etc/ssl/openssl.cnf" |
458 |
+ elog "BEFORE issuing the configuration command." |
459 |
+ elog "Otherwise default values will be used." |
460 |
+} |
461 |
+ |
462 |
+pkg_config() { |
463 |
+ if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then |
464 |
+ einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..." |
465 |
+ read |
466 |
+ "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone |
467 |
+ else |
468 |
+ einfo "keystone PKI certificates directory already present, skipping configuration" |
469 |
+ fi |
470 |
+} |
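Review bot: The RDEPEND bounds for keystonemiddleware (`>=dev-python/keystonemiddleware-2.0.0` up to `<=dev-python/keystonemiddleware-4.0.0-r9999`) are not tightened in this revision, although the release note shipped inside the applied patch states that complete remediation of CVE-2015-7546 requires the corresponding keystonemiddleware fix. As written, keystone-8.0.1-r1 can be installed next to a middleware version without that fix, so deployments using the PKI or PKIZ provider may stay partially exposed while the package looks patched. Consider raising the lower bound to the first fixed release, e.g. `>=dev-python/keystonemiddleware-<FIXED_VERSION>[${PYTHON_USEDEP}]` (placeholder; the fixed version is not shown on this page). If the bound cannot be raised yet, an `elog` line in `pkg_postinst` pointing operators at the middleware requirement would at least make the gap visible.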