| 1 |
commit: ab7179f257e6dd899085f66fc81bb6a79418eb05 |
| 2 |
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Feb 2 16:01:35 2016 +0000 |
| 4 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Feb 2 16:09:17 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab7179f2 |
| 7 |
|
| 8 |
sys-auth/keystone: fixing bug 573658 CVE-2015-7546 |
| 9 |
|
| 10 |
Package-Manager: portage-2.2.26 |
| 11 |
|
| 12 |
sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch | 216 +++++++++++++++++++++ |
| 13 |
sys-auth/keystone/keystone-8.0.1-r1.ebuild | 226 ++++++++++++++++++++++ |
| 14 |
2 files changed, 442 insertions(+) |
| 15 |
|
| 16 |
diff --git a/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch b/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch |
| 17 |
new file mode 100644 |
| 18 |
index 0000000..82bff1e |
| 19 |
--- /dev/null |
| 20 |
+++ b/sys-auth/keystone/files/CVE-2015-7546_8.0.1.patch |
| 21 |
@@ -0,0 +1,216 @@ |
| 22 |
+From bff03b5726fe5cac93d44a66715eea49b89c8cb0 Mon Sep 17 00:00:00 2001 |
| 23 |
+From: Brant Knudson <bknudson@××××××.com> |
| 24 |
+Date: Tue, 1 Dec 2015 11:09:14 -0600 |
| 25 |
+Subject: [PATCH] Add audit IDs to revocation events |
| 26 |
+ |
| 27 |
+The revoked tokens' audit ID is now included in the data returned in |
| 28 |
+the revocation list. |
| 29 |
+ |
| 30 |
+Closes-Bug: 1490804 |
| 31 |
+Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f |
| 32 |
+(cherry picked from commit d5378f173da14a34ca010271477337879002d6d0) |
| 33 |
+Conflicts: |
| 34 |
+ keystone/tests/unit/test_backend.py |
| 35 |
+--- |
| 36 |
+ keystone/tests/unit/test_backend.py | 39 ++++++++++++++-------- |
| 37 |
+ keystone/tests/unit/test_backend_sql.py | 3 +- |
| 38 |
+ keystone/token/persistence/backends/kvs.py | 9 +++++ |
| 39 |
+ keystone/token/persistence/backends/sql.py | 12 ++++++- |
| 40 |
+ .../notes/bug-1490804-de58a9606edb31eb.yaml | 13 ++++++++ |
| 41 |
+ 5 files changed, 61 insertions(+), 15 deletions(-) |
| 42 |
+ create mode 100644 releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml |
| 43 |
+ |
| 44 |
+diff --git a/keystone/tests/unit/test_backend.py b/keystone/tests/unit/test_backend.py |
| 45 |
+index 2340645..1273736 100644 |
| 46 |
+--- a/keystone/tests/unit/test_backend.py |
| 47 |
++++ b/keystone/tests/unit/test_backend.py |
| 48 |
+@@ -4426,7 +4426,9 @@ class TokenTests(object): |
| 49 |
+ token_id = self._create_token_id() |
| 50 |
+ data = {'id': token_id, 'a': 'b', |
| 51 |
+ 'trust_id': None, |
| 52 |
+- 'user': {'id': 'testuserid'}} |
| 53 |
++ 'user': {'id': 'testuserid'}, |
| 54 |
++ 'token_data': {'access': {'token': { |
| 55 |
++ 'audit_ids': [uuid.uuid4().hex]}}}} |
| 56 |
+ data_ref = self.token_provider_api._persistence.create_token(token_id, |
| 57 |
+ data) |
| 58 |
+ expires = data_ref.pop('expires') |
| 59 |
+@@ -4461,7 +4463,8 @@ class TokenTests(object): |
| 60 |
+ # FIXME(morganfainberg): These tokens look nothing like "Real" tokens. |
| 61 |
+ # This should be fixed when token issuance is cleaned up. |
| 62 |
+ data = {'id': token_id, 'a': 'b', |
| 63 |
+- 'user': {'id': user_id}} |
| 64 |
++ 'user': {'id': user_id}, |
| 65 |
++ 'access': {'token': {'audit_ids': [uuid.uuid4().hex]}}} |
| 66 |
+ if tenant_id is not None: |
| 67 |
+ data['tenant'] = {'id': tenant_id, 'name': tenant_id} |
| 68 |
+ if tenant_id is NULL_OBJECT: |
| 69 |
+@@ -4470,7 +4473,7 @@ class TokenTests(object): |
| 70 |
+ data['expires'] = expires |
| 71 |
+ if trust_id is not None: |
| 72 |
+ data['trust_id'] = trust_id |
| 73 |
+- data.setdefault('access', {}).setdefault('trust', {}) |
| 74 |
++ data['access'].setdefault('trust', {}) |
| 75 |
+ # Testuserid2 is used here since a trustee will be different in |
| 76 |
+ # the cases of impersonation and therefore should not match the |
| 77 |
+ # token's user_id. |
| 78 |
+@@ -4633,17 +4636,21 @@ class TokenTests(object): |
| 79 |
+ |
| 80 |
+ self.assertEqual(data_ref, new_data_ref) |
| 81 |
+ |
| 82 |
+- def check_list_revoked_tokens(self, token_ids): |
| 83 |
+- revoked_ids = [x['id'] |
| 84 |
+- for x in self.token_provider_api.list_revoked_tokens()] |
| 85 |
++ def check_list_revoked_tokens(self, token_infos): |
| 86 |
++ revocation_list = self.token_provider_api.list_revoked_tokens() |
| 87 |
++ revoked_ids = [x['id'] for x in revocation_list] |
| 88 |
++ revoked_audit_ids = [x['audit_id'] for x in revocation_list] |
| 89 |
+ self._assert_revoked_token_list_matches_token_persistence(revoked_ids) |
| 90 |
+- for token_id in token_ids: |
| 91 |
++ for token_id, audit_id in token_infos: |
| 92 |
+ self.assertIn(token_id, revoked_ids) |
| 93 |
++ self.assertIn(audit_id, revoked_audit_ids) |
| 94 |
+ |
| 95 |
+ def delete_token(self): |
| 96 |
+ token_id = uuid.uuid4().hex |
| 97 |
++ audit_id = uuid.uuid4().hex |
| 98 |
+ data = {'id_hash': token_id, 'id': token_id, 'a': 'b', |
| 99 |
+- 'user': {'id': 'testuserid'}} |
| 100 |
++ 'user': {'id': 'testuserid'}, |
| 101 |
++ 'token_data': {'token': {'audit_ids': [audit_id]}}} |
| 102 |
+ data_ref = self.token_provider_api._persistence.create_token(token_id, |
| 103 |
+ data) |
| 104 |
+ self.token_provider_api._persistence.delete_token(token_id) |
| 105 |
+@@ -4655,7 +4662,7 @@ class TokenTests(object): |
| 106 |
+ exception.TokenNotFound, |
| 107 |
+ self.token_provider_api._persistence.delete_token, |
| 108 |
+ data_ref['id']) |
| 109 |
+- return token_id |
| 110 |
++ return (token_id, audit_id) |
| 111 |
+ |
| 112 |
+ def test_list_revoked_tokens_returns_empty_list(self): |
| 113 |
+ revoked_ids = [x['id'] |
| 114 |
+@@ -4706,12 +4713,16 @@ class TokenTests(object): |
| 115 |
+ token_data = {'id_hash': token_id, 'id': token_id, 'a': 'b', |
| 116 |
+ 'expires': expire_time, |
| 117 |
+ 'trust_id': None, |
| 118 |
+- 'user': {'id': 'testuserid'}} |
| 119 |
++ 'user': {'id': 'testuserid'}, |
| 120 |
++ 'token_data': {'token': { |
| 121 |
++ 'audit_ids': [uuid.uuid4().hex]}}} |
| 122 |
+ token2_id = uuid.uuid4().hex |
| 123 |
+ token2_data = {'id_hash': token2_id, 'id': token2_id, 'a': 'b', |
| 124 |
+ 'expires': expire_time, |
| 125 |
+ 'trust_id': None, |
| 126 |
+- 'user': {'id': 'testuserid'}} |
| 127 |
++ 'user': {'id': 'testuserid'}, |
| 128 |
++ 'token_data': {'token': { |
| 129 |
++ 'audit_ids': [uuid.uuid4().hex]}}} |
| 130 |
+ # Create 2 Tokens. |
| 131 |
+ self.token_provider_api._persistence.create_token(token_id, |
| 132 |
+ token_data) |
| 133 |
+@@ -4746,7 +4757,8 @@ class TokenTests(object): |
| 134 |
+ def _test_predictable_revoked_pki_token_id(self, hash_fn): |
| 135 |
+ token_id = self._create_token_id() |
| 136 |
+ token_id_hash = hash_fn(token_id).hexdigest() |
| 137 |
+- token = {'user': {'id': uuid.uuid4().hex}} |
| 138 |
++ token = {'user': {'id': uuid.uuid4().hex}, |
| 139 |
++ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} |
| 140 |
+ |
| 141 |
+ self.token_provider_api._persistence.create_token(token_id, token) |
| 142 |
+ self.token_provider_api._persistence.delete_token(token_id) |
| 143 |
+@@ -4768,7 +4780,8 @@ class TokenTests(object): |
| 144 |
+ |
| 145 |
+ def test_predictable_revoked_uuid_token_id(self): |
| 146 |
+ token_id = uuid.uuid4().hex |
| 147 |
+- token = {'user': {'id': uuid.uuid4().hex}} |
| 148 |
++ token = {'user': {'id': uuid.uuid4().hex}, |
| 149 |
++ 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} |
| 150 |
+ |
| 151 |
+ self.token_provider_api._persistence.create_token(token_id, token) |
| 152 |
+ self.token_provider_api._persistence.delete_token(token_id) |
| 153 |
+diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py |
| 154 |
+index 69fac63..51221a3 100644 |
| 155 |
+--- a/keystone/tests/unit/test_backend_sql.py |
| 156 |
++++ b/keystone/tests/unit/test_backend_sql.py |
| 157 |
+@@ -492,7 +492,8 @@ class SqlToken(SqlTests, test_backend.TokenTests): |
| 158 |
+ # necessary. |
| 159 |
+ |
| 160 |
+ expected_query_args = (token_sql.TokenModel.id, |
| 161 |
+- token_sql.TokenModel.expires) |
| 162 |
++ token_sql.TokenModel.expires, |
| 163 |
++ token_sql.TokenModel.extra,) |
| 164 |
+ |
| 165 |
+ with mock.patch.object(token_sql, 'sql') as mock_sql: |
| 166 |
+ tok = token_sql.Token() |
| 167 |
+diff --git a/keystone/token/persistence/backends/kvs.py b/keystone/token/persistence/backends/kvs.py |
| 168 |
+index 5193158..60f7931 100644 |
| 169 |
+--- a/keystone/token/persistence/backends/kvs.py |
| 170 |
++++ b/keystone/token/persistence/backends/kvs.py |
| 171 |
+@@ -210,6 +210,15 @@ class Token(token.persistence.TokenDriverV8): |
| 172 |
+ subsecond=True) |
| 173 |
+ revoked_token_data['id'] = data['id'] |
| 174 |
+ |
| 175 |
++ token_data = data['token_data'] |
| 176 |
++ if 'access' in token_data: |
| 177 |
++ # It's a v2 token. |
| 178 |
++ audit_ids = token_data['access']['token']['audit_ids'] |
| 179 |
++ else: |
| 180 |
++ # It's a v3 token. |
| 181 |
++ audit_ids = token_data['token']['audit_ids'] |
| 182 |
++ revoked_token_data['audit_id'] = audit_ids[0] |
| 183 |
++ |
| 184 |
+ token_list = self._get_key_or_default(self.revocation_key, default=[]) |
| 185 |
+ if not isinstance(token_list, list): |
| 186 |
+ # NOTE(morganfainberg): In the case that the revocation list is not |
| 187 |
+diff --git a/keystone/token/persistence/backends/sql.py b/keystone/token/persistence/backends/sql.py |
| 188 |
+index 6fc1d22..d677620 100644 |
| 189 |
+--- a/keystone/token/persistence/backends/sql.py |
| 190 |
++++ b/keystone/token/persistence/backends/sql.py |
| 191 |
+@@ -228,13 +228,23 @@ class Token(token.persistence.TokenDriverV8): |
| 192 |
+ session = sql.get_session() |
| 193 |
+ tokens = [] |
| 194 |
+ now = timeutils.utcnow() |
| 195 |
+- query = session.query(TokenModel.id, TokenModel.expires) |
| 196 |
++ query = session.query(TokenModel.id, TokenModel.expires, |
| 197 |
++ TokenModel.extra) |
| 198 |
+ query = query.filter(TokenModel.expires > now) |
| 199 |
+ token_references = query.filter_by(valid=False) |
| 200 |
+ for token_ref in token_references: |
| 201 |
++ token_data = token_ref[2]['token_data'] |
| 202 |
++ if 'access' in token_data: |
| 203 |
++ # It's a v2 token. |
| 204 |
++ audit_ids = token_data['access']['token']['audit_ids'] |
| 205 |
++ else: |
| 206 |
++ # It's a v3 token. |
| 207 |
++ audit_ids = token_data['token']['audit_ids'] |
| 208 |
++ |
| 209 |
+ record = { |
| 210 |
+ 'id': token_ref[0], |
| 211 |
+ 'expires': token_ref[1], |
| 212 |
++ 'audit_id': audit_ids[0], |
| 213 |
+ } |
| 214 |
+ tokens.append(record) |
| 215 |
+ return tokens |
| 216 |
+diff --git a/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml b/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml |
| 217 |
+new file mode 100644 |
| 218 |
+index 0000000..0d5c203 |
| 219 |
+--- /dev/null |
| 220 |
++++ b/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml |
| 221 |
+@@ -0,0 +1,13 @@ |
| 222 |
++--- |
| 223 |
++features: |
| 224 |
++ - > |
| 225 |
++ [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] |
| 226 |
++ Audit IDs are included in the token revocation list. |
| 227 |
++security: |
| 228 |
++ - > |
| 229 |
++ [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] |
| 230 |
++ [`CVE-2015-7546 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546>`_] |
| 231 |
++ A bug is fixed where an attacker could avoid token revocation when the PKI |
| 232 |
++ or PKIZ token provider is used. The complete remediation for this |
| 233 |
++ vulnerability requires the corresponding fix in the keystonemiddleware |
| 234 |
++ project. |
| 235 |
+-- |
| 236 |
+1.9.1 |
| 237 |
+ |
| 238 |
|
| 239 |
diff --git a/sys-auth/keystone/keystone-8.0.1-r1.ebuild b/sys-auth/keystone/keystone-8.0.1-r1.ebuild |
| 240 |
new file mode 100644 |
| 241 |
index 0000000..24a477c |
| 242 |
--- /dev/null |
| 243 |
+++ b/sys-auth/keystone/keystone-8.0.1-r1.ebuild |
| 244 |
@@ -0,0 +1,226 @@ |
| 245 |
+# Copyright 1999-2015 Gentoo Foundation |
| 246 |
+# Distributed under the terms of the GNU General Public License v2 |
| 247 |
+# $Id$ |
| 248 |
+ |
| 249 |
+EAPI=5 |
| 250 |
+ |
| 251 |
+PYTHON_COMPAT=( python2_7 ) |
| 252 |
+ |
| 253 |
+inherit distutils-r1 user |
| 254 |
+ |
| 255 |
+DESCRIPTION="The Openstack authentication, authorization, and service catalog" |
| 256 |
+HOMEPAGE="https://launchpad.net/keystone" |
| 257 |
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz" |
| 258 |
+ |
| 259 |
+LICENSE="Apache-2.0" |
| 260 |
+SLOT="0" |
| 261 |
+KEYWORDS="~amd64 ~x86" |
| 262 |
+IUSE="+sqlite memcached mongo mysql postgres ldap test" |
| 263 |
+REQUIRED_USE="|| ( mysql postgres sqlite )" |
| 264 |
+ |
| 265 |
+CDEPEND=">=dev-python/pbr-1.6[${PYTHON_USEDEP}]" |
| 266 |
+DEPEND=" |
| 267 |
+ dev-python/setuptools[${PYTHON_USEDEP}] |
| 268 |
+ ${CDEPEND} |
| 269 |
+ test? ( |
| 270 |
+ ${RDEPEND} |
| 271 |
+ >=dev-python/bashate-0.2[${PYTHON_USEDEP}] |
| 272 |
+ <=dev-python/bashate-0.3.2[${PYTHON_USEDEP}] |
| 273 |
+ memcached? ( |
| 274 |
+ >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}] |
| 275 |
+ <=dev-python/python-memcached-1.57[${PYTHON_USEDEP}] |
| 276 |
+ ) |
| 277 |
+ mongo? ( |
| 278 |
+ >=dev-python/pymongo-2.6.3[${PYTHON_USEDEP}] |
| 279 |
+ <dev-python/pymongo-3.2[${PYTHON_USEDEP}] |
| 280 |
+ ) |
| 281 |
+ ldap? ( |
| 282 |
+ >=dev-python/python-ldap-2.4[$(python_gen_usedep 'python2_7')] |
| 283 |
+ <=dev-python/python-ldap-2.4.20[$(python_gen_usedep 'python2_7')] |
| 284 |
+ ~dev-python/ldappool-1.0[$(python_gen_usedep 'python2_7')] |
| 285 |
+ ) |
| 286 |
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}] |
| 287 |
+ <=dev-python/coverage-4.0.3[${PYTHON_USEDEP}] |
| 288 |
+ >=dev-python/fixtures-1.3.1[${PYTHON_USEDEP}] |
| 289 |
+ <=dev-python/fixtures-1.4.0-r9999[${PYTHON_USEDEP}] |
| 290 |
+ >=dev-python/lxml-2.3[${PYTHON_USEDEP}] |
| 291 |
+ <=dev-python/lxml-3.5.0-r9999[${PYTHON_USEDEP}] |
| 292 |
+ >=dev-python/mock-1.2[${PYTHON_USEDEP}] |
| 293 |
+ <=dev-python/mock-1.3.0[${PYTHON_USEDEP}] |
| 294 |
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}] |
| 295 |
+ <=dev-python/oslotest-2.0.0[${PYTHON_USEDEP}] |
| 296 |
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}] |
| 297 |
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}] |
| 298 |
+ <dev-python/sphinx-1.3[${PYTHON_USEDEP}] |
| 299 |
+ >=dev-python/webtest-2.0[${PYTHON_USEDEP}] |
| 300 |
+ <=dev-python/webtest-2.0.20[${PYTHON_USEDEP}] |
| 301 |
+ >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}] |
| 302 |
+ <=dev-python/subunit-1.2.0[${PYTHON_USEDEP}] |
| 303 |
+ >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}] |
| 304 |
+ <=dev-python/testrepository-0.0.20[${PYTHON_USEDEP}] |
| 305 |
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}] |
| 306 |
+ <=dev-python/testtools-1.8.1[${PYTHON_USEDEP}] |
| 307 |
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}] |
| 308 |
+ <=dev-python/oslo-sphinx-4.1.0[${PYTHON_USEDEP}] |
| 309 |
+ >=dev-python/tempest-lib-0.8.0[${PYTHON_USEDEP}] |
| 310 |
+ <=dev-python/tempest-lib-0.11.0[${PYTHON_USEDEP}] |
| 311 |
+ >=dev-python/requests-2.5.2[${PYTHON_USEDEP}] |
| 312 |
+ !~dev-python/requests-2.8.0[${PYTHON_USEDEP}] |
| 313 |
+ <=dev-python/requests-2.8.1[${PYTHON_USEDEP}] |
| 314 |
+ >=dev-python/reno-0.1.1[${PYTHON_USEDEP}] |
| 315 |
+ )" |
| 316 |
+RDEPEND=" |
| 317 |
+ ${CDEPEND} |
| 318 |
+ >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] |
| 319 |
+ <=dev-python/webob-1.5.1[${PYTHON_USEDEP}] |
| 320 |
+ ~dev-python/eventlet-0.17.4[${PYTHON_USEDEP}] |
| 321 |
+ >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}] |
| 322 |
+ <=dev-python/greenlet-0.4.9[${PYTHON_USEDEP}] |
| 323 |
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}] |
| 324 |
+ <=dev-python/pastedeploy-1.5.2[${PYTHON_USEDEP}] |
| 325 |
+ <=dev-python/paste-2.0.2[${PYTHON_USEDEP}] |
| 326 |
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}] |
| 327 |
+ !~dev-python/routes-2.0[${PYTHON_USEDEP}] |
| 328 |
+ !~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')] |
| 329 |
+ <=dev-python/routes-2.2[${PYTHON_USEDEP}] |
| 330 |
+ >=dev-python/cryptography-1.0[${PYTHON_USEDEP}] |
| 331 |
+ <=dev-python/cryptography-1.1.2-r9999[${PYTHON_USEDEP}] |
| 332 |
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}] |
| 333 |
+ <=dev-python/six-1.10.0-r9999[${PYTHON_USEDEP}] |
| 334 |
+ sqlite? ( |
| 335 |
+ >=dev-python/sqlalchemy-0.9.9[sqlite,${PYTHON_USEDEP}] |
| 336 |
+ <dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}] |
| 337 |
+ ) |
| 338 |
+ mysql? ( |
| 339 |
+ dev-python/mysql-python |
| 340 |
+ >=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}] |
| 341 |
+ <dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}] |
| 342 |
+ ) |
| 343 |
+ postgres? ( |
| 344 |
+ dev-python/psycopg:2 |
| 345 |
+ >=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}] |
| 346 |
+ <dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}] |
| 347 |
+ ) |
| 348 |
+ >=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}] |
| 349 |
+ <=dev-python/sqlalchemy-migrate-0.10.0[${PYTHON_USEDEP}] |
| 350 |
+ >=dev-python/stevedore-1.5.0[${PYTHON_USEDEP}] |
| 351 |
+ <=dev-python/stevedore-1.10.0[${PYTHON_USEDEP}] |
| 352 |
+ >=dev-python/passlib-1.6[${PYTHON_USEDEP}] |
| 353 |
+ <=dev-python/passlib-1.6.5[${PYTHON_USEDEP}] |
| 354 |
+ >=dev-python/python-keystoneclient-1.6.0[${PYTHON_USEDEP}] |
| 355 |
+ !~dev-python/python-keystoneclient-1.8.0[${PYTHON_USEDEP}] |
| 356 |
+ <=dev-python/python-keystoneclient-2.0.0-r9999[${PYTHON_USEDEP}] |
| 357 |
+ >=dev-python/keystonemiddleware-2.0.0[${PYTHON_USEDEP}] |
| 358 |
+ !~dev-python/keystonemiddleware-2.4.0[${PYTHON_USEDEP}] |
| 359 |
+ <=dev-python/keystonemiddleware-4.0.0-r9999[${PYTHON_USEDEP}] |
| 360 |
+ >=dev-python/oslo-concurrency-2.3.0[${PYTHON_USEDEP}] |
| 361 |
+ <=dev-python/oslo-concurrency-3.1.0[${PYTHON_USEDEP}] |
| 362 |
+ >=dev-python/oslo-config-2.3.0[${PYTHON_USEDEP}] |
| 363 |
+ <=dev-python/oslo-config-3.1.0[${PYTHON_USEDEP}] |
| 364 |
+ >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}] |
| 365 |
+ <=dev-python/oslo-context-1.0.0[${PYTHON_USEDEP}] |
| 366 |
+ >=dev-python/oslo-messaging-1.16.0[${PYTHON_USEDEP}] |
| 367 |
+ !~dev-python/oslo-messaging-1.17.0[${PYTHON_USEDEP}] |
| 368 |
+ !~dev-python/oslo-messaging-1.17.1[${PYTHON_USEDEP}] |
| 369 |
+ !~dev-python/oslo-messaging-2.6.0[${PYTHON_USEDEP}] |
| 370 |
+ !~dev-python/oslo-messaging-2.6.1[${PYTHON_USEDEP}] |
| 371 |
+ !~dev-python/oslo-messaging-2.7.0[${PYTHON_USEDEP}] |
| 372 |
+ !~dev-python/oslo-messaging-2.8.0[${PYTHON_USEDEP}] |
| 373 |
+ !~dev-python/oslo-messaging-2.8.1[${PYTHON_USEDEP}] |
| 374 |
+ !~dev-python/oslo-messaging-2.9.0[${PYTHON_USEDEP}] |
| 375 |
+ !~dev-python/oslo-messaging-3.1.0[${PYTHON_USEDEP}] |
| 376 |
+ <=dev-python/oslo-messaging-3.0.0[${PYTHON_USEDEP}] |
| 377 |
+ >=dev-python/oslo-db-2.4.1[${PYTHON_USEDEP}] |
| 378 |
+ <=dev-python/oslo-db-4.1.0[${PYTHON_USEDEP}] |
| 379 |
+ >=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}] |
| 380 |
+ <=dev-python/oslo-i18n-3.1.0[${PYTHON_USEDEP}] |
| 381 |
+ >=dev-python/oslo-log-1.8.0[${PYTHON_USEDEP}] |
| 382 |
+ <=dev-python/oslo-log-2.1.0[${PYTHON_USEDEP}] |
| 383 |
+ >=dev-python/oslo-middleware-2.8.0[${PYTHON_USEDEP}] |
| 384 |
+ <=dev-python/oslo-middleware-3.3.0[${PYTHON_USEDEP}] |
| 385 |
+ >=dev-python/oslo-policy-0.5.0[${PYTHON_USEDEP}] |
| 386 |
+ <=dev-python/oslo-policy-1.1.0[${PYTHON_USEDEP}] |
| 387 |
+ >=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}] |
| 388 |
+ <=dev-python/oslo-serialization-2.1.0[${PYTHON_USEDEP}] |
| 389 |
+ >=dev-python/oslo-service-0.7.0[${PYTHON_USEDEP}] |
| 390 |
+ <=dev-python/oslo-service-1.1.0[${PYTHON_USEDEP}] |
| 391 |
+ >=dev-python/oslo-utils-2.0.0[${PYTHON_USEDEP}] |
| 392 |
+ !~dev-python/oslo-utils-2.6.0[${PYTHON_USEDEP}] |
| 393 |
+ <=dev-python/oslo-utils-3.2.0[${PYTHON_USEDEP}] |
| 394 |
+ >=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}] |
| 395 |
+ <=dev-python/oauthlib-1.0.3[${PYTHON_USEDEP}] |
| 396 |
+ >=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}] |
| 397 |
+ <=dev-python/pysaml2-4.0.0[${PYTHON_USEDEP}] |
| 398 |
+ >=dev-python/dogpile-cache-0.5.4[${PYTHON_USEDEP}] |
| 399 |
+ <=dev-python/dogpile-cache-0.5.7[${PYTHON_USEDEP}] |
| 400 |
+ >=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}] |
| 401 |
+ !~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}] |
| 402 |
+ <dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}] |
| 403 |
+ ~dev-python/pycadf-1.1.0[${PYTHON_USEDEP}] |
| 404 |
+ <=dev-python/pycadf-2.0.1[${PYTHON_USEDEP}] |
| 405 |
+ ~dev-python/msgpack-0.4.6[${PYTHON_USEDEP}]" |
| 406 |
+ |
| 407 |
+PATCHES=( |
| 408 |
+ "${FILESDIR}/CVE-2015-7546_8.0.1.patch" |
| 409 |
+) |
| 410 |
+ |
| 411 |
+pkg_setup() { |
| 412 |
+ enewgroup keystone |
| 413 |
+ enewuser keystone -1 -1 /var/lib/keystone keystone |
| 414 |
+} |
| 415 |
+ |
| 416 |
+python_prepare_all() { |
| 417 |
+ # it's in git, but not in the tarball..... |
| 418 |
+ sed -i '/^hacking/d' test-requirements.txt || die |
| 419 |
+ mkdir -p ${PN}/tests/tmp/ || die |
| 420 |
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die |
| 421 |
+ distutils-r1_python_prepare_all |
| 422 |
+} |
| 423 |
+ |
| 424 |
+# Ignore (naughty) test_.py files & 1 test that connect to the network |
| 425 |
+#-I 'test_keystoneclient*' \ |
| 426 |
+python_test() { |
| 427 |
+ nosetests -I 'test_keystoneclient*' \ |
| 428 |
+ -e test_static_translated_string_is_Message \ |
| 429 |
+ -e test_get_token_id_error_handling \ |
| 430 |
+ -e test_provider_token_expiration_validation \ |
| 431 |
+ -e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7" |
| 432 |
+} |
| 433 |
+ |
| 434 |
+python_install() { |
| 435 |
+ distutils-r1_python_install |
| 436 |
+ newconfd "${FILESDIR}/keystone.confd" keystone |
| 437 |
+ newinitd "${FILESDIR}/keystone.initd" keystone |
| 438 |
+ |
| 439 |
+ diropts -m 0750 |
| 440 |
+ keepdir /etc/keystone /var/log/keystone |
| 441 |
+ insinto /etc/keystone |
| 442 |
+ insopts -m0640 -okeystone -gkeystone |
| 443 |
+ doins etc/keystone.conf.sample etc/logging.conf.sample |
| 444 |
+ doins etc/default_catalog.templates etc/policy.json |
| 445 |
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini |
| 446 |
+ insinto /etc/keystone/httpd |
| 447 |
+ doins httpd/keystone.py httpd/wsgi-keystone.conf |
| 448 |
+ |
| 449 |
+ fowners keystone:keystone /etc/keystone /var/log/keystone |
| 450 |
+} |
| 451 |
+ |
| 452 |
+pkg_postinst() { |
| 453 |
+ elog "You might want to run:" |
| 454 |
+ elog "emerge --config =${CATEGORY}/${PF}" |
| 455 |
+ elog "if this is a new install." |
| 456 |
+ elog "If you have not already configured your openssl installation" |
| 457 |
+ elog "please do it by modifying /etc/ssl/openssl.cnf" |
| 458 |
+ elog "BEFORE issuing the configuration command." |
| 459 |
+ elog "Otherwise default values will be used." |
| 460 |
+} |
| 461 |
+ |
| 462 |
+pkg_config() { |
| 463 |
+ if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then |
| 464 |
+ einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..." |
| 465 |
+ read |
| 466 |
+ "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone |
| 467 |
+ else |
| 468 |
+ einfo "keystone PKI certificates directory already present, skipping configuration" |
| 469 |
+ fi |
| 470 |
+} |
Archives