author | Matthew Thode <prometheanfire@gentoo.org> | 2017-04-25 11:37:09 -0500 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2017-04-25 11:39:06 -0500 |
commit | 2435fb3c0f9121abace295b7909b303ba94f52c1 (patch) | |
tree | b17c1ce1df8aed9c8d387f10259c687b44333542 | |
parent | net-analyzer/prometheus: Remove old (diff) | |
sys-auth/keystone: fix CVE-2017-2673
Package-Manager: Portage-2.3.3, Repoman-2.3.1
-rw-r--r-- | sys-auth/keystone/files/cve-2017-2673-stable-newton.patch | 82 | ||||
-rw-r--r-- | sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch | 115 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-10.0.1-r1.ebuild | 165 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-11.0.0-r1.ebuild | 159 |
4 files changed, 521 insertions, 0 deletions
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
new file mode 100644
index 000000000000..0f64ed5f6a6e
--- /dev/null
+++ b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
@@ -0,0 +1,82 @@
+From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
+From: Boris Bobrov <breton@cynicmansion.ru>
+Date: Mon, 17 Apr 2017 00:28:07 +0300
+Subject: [PATCH] Do not fetch group assignments without groups
+
+Without the change, the method fetched all assignments for a project
+or domain, regardless of who has the assignment, user or group. This
+led to situation when federated user without groups could scope a token
+with other user's rules.
+
+Return empty list of assignments if no groups were passed.
+
+Closes-Bug: 1677723
+Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
+(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
+
+Conflicts:
+ keystone/tests/unit/test_v3_federation.py -- removed irrelevant
+ tests
+---
+ keystone/assignment/core.py | 5 +++++
+ keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
+index e549abb..6a6717a 100644
+--- a/keystone/assignment/core.py
++++ b/keystone/assignment/core.py
+@@ -165,6 +165,11 @@ class Manager(manager.Manager):
+
+ def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
+ """Get a list of roles for this group on domain and/or project."""
++ # if no group ids were passed, there are no roles. Without this check,
++ # all assignments for the project or domain will be fetched,
++ # which is not what we want.
++ if not group_ids:
++ return []
+ if project_id is not None:
+ self.resource_api.get_project(project_id)
+ assignment_list = self.list_role_assignments(
+diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
+index f3e9baa..1a7ce40 100644
+--- a/keystone/tests/unit/test_v3_federation.py
++++ b/keystone/tests/unit/test_v3_federation.py
+@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ self.assertEqual(0, len(token_groups))
+
++ def test_issue_scoped_token_no_groups(self):
++ """Verify that token without groups cannot get scoped to project.
++
++ This test is required because of bug 1677723.
++ """
++ # issue unscoped token with no groups
++ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
++ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
++ token_resp = r.json_body
++ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
++ self.assertEqual(0, len(token_groups))
++ unscoped_token = r.headers.get('X-Subject-Token')
++
++ # let admin get roles in a project
++ self.proj_employees
++ admin = unit.new_user_ref(CONF.identity.default_domain_id)
++ self.identity_api.create_user(admin)
++ self.assignment_api.create_grant(self.role_admin['id'],
++ user_id=admin['id'],
++ project_id=self.proj_employees['id'])
++
++ # try to scope the token. It should fail
++ scope = self._scope_request(
++ unscoped_token, 'project', self.proj_employees['id']
++ )
++ self.v3_create_token(
++ scope, expected_status=http_client.UNAUTHORIZED)
++
+ def test_issue_unscoped_token_malformed_environment(self):
+ """Test whether non string objects are filtered out.
+
+--
+2.1.4
+
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
new file mode 100644
index 000000000000..abf17489cd98
--- /dev/null
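Review bot: The new `if not group_ids: return []` is placed ahead of `self.resource_api.get_project(project_id)`, so when the caller passes no groups the project id (and presumably the domain id handled further down, outside the hunk) is no longer existence-checked and an unknown project now yields an empty role list instead of whatever `get_project` would have raised. For the authorization outcome that is fine — no groups means no group-derived roles either way — but it is a silent contract change for any caller that distinguished "not found" from "no roles", and it deserves a line in the patch description or a local note, e.g. `# NOTE(review): with empty group_ids the project/domain is not validated; callers that relied on get_project raising here should be checked`. Since this file is a verbatim upstream cherry-pick (Change-Id I65f5be91…), keep it byte-identical and record the caveat in the ebuild's commit message rather than editing the patch. The `Manager` class and the remainder of `get_roles_for_groups` lie outside the hunk.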
+++ b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch 
@@ -0,0 +1,115 @@
+From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001
+From: Boris Bobrov <breton@cynicmansion.ru>
+Date: Mon, 17 Apr 2017 00:28:07 +0300
+Subject: [PATCH] Do not fetch group assignments without groups
+
+Without the change, the method fetched all assignments for a project
+or domain, regardless of who has the assignment, user or group. This
+led to situation when federated user without groups could scope a token
+with other user's rules.
+
+Return empty list of assignments if no groups were passed.
+
+Closes-Bug: 1677723
+Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
+(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
+---
+ keystone/assignment/core.py | 5 +++
+ keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+)
+
+diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
+index eccc22d..8fba77e 100644
+--- a/keystone/assignment/core.py
++++ b/keystone/assignment/core.py
+@@ -126,6 +126,11 @@ class Manager(manager.Manager):
+
+ def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
+ """Get a list of roles for this group on domain and/or project."""
++ # if no group ids were passed, there are no roles. Without this check,
++ # all assignments for the project or domain will be fetched,
++ # which is not what we want.
++ if not group_ids:
++ return []
+ if project_id is not None:
+ self.resource_api.get_project(project_id)
+ assignment_list = self.list_role_assignments(
+diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
+index 0f5148f..03509b8 100644
+--- a/keystone/tests/unit/test_v3_federation.py
++++ b/keystone/tests/unit/test_v3_federation.py
+@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ self.assertEqual(0, len(token_groups))
+
++ def test_issue_scoped_token_no_groups(self):
++ """Verify that token without groups cannot get scoped to project.
++
++ This test is required because of bug 1677723.
++ """
++ # issue unscoped token with no groups
++ r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
++ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
++ token_resp = r.json_body
++ token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
++ self.assertEqual(0, len(token_groups))
++ unscoped_token = r.headers.get('X-Subject-Token')
++
++ # let admin get roles in a project
++ self.proj_employees
++ admin = unit.new_user_ref(CONF.identity.default_domain_id)
++ self.identity_api.create_user(admin)
++ self.assignment_api.create_grant(self.role_admin['id'],
++ user_id=admin['id'],
++ project_id=self.proj_employees['id'])
++
++ # try to scope the token. It should fail
++ scope = self._scope_request(
++ unscoped_token, 'project', self.proj_employees['id']
++ )
++ self.v3_create_token(
++ scope, expected_status=http_client.UNAUTHORIZED)
++
+ def test_issue_unscoped_token_malformed_environment(self):
+ """Test whether non string objects are filtered out.
+
+@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+ self.expected_results[project_name], roles[0]['name']
+ )
+
++ def test_user_gets_only_assigned_roles(self):
++ # in bug 1677723 user could get roles outside of what was assigned
++ # to them. This test verifies that this is no longer true.
++ # Authenticate once to create the projects
++ response = self._issue_unscoped_token()
++ self.assertValidMappedUser(response.json_body['token'])
++ unscoped_token = response.headers.get('X-Subject-Token')
++
++ # Assign admin role to newly-created project to another user
++ staging_project = self.resource_api.get_project_by_name(
++ 'Staging', self.idp['domain_id']
++ )
++ admin = unit.new_user_ref(CONF.identity.default_domain_id)
++ self.identity_api.create_user(admin)
++ self.assignment_api.create_grant(self.role_admin['id'],
++ user_id=admin['id'],
++ project_id=staging_project['id'])
++
++ # Authenticate again with the federated user and verify roles
++ response = self._issue_unscoped_token()
++ self.assertValidMappedUser(response.json_body['token'])
++ unscoped_token = response.headers.get('X-Subject-Token')
++ scope = self._scope_request(
++ unscoped_token, 'project', staging_project['id']
++ )
++ response = self.v3_create_token(scope)
++ roles = response.json_body['token']['roles']
++ role_ids = [r['id'] for r in roles]
++ self.assertNotIn(self.role_admin['id'], role_ids)
++
+
+ class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
+ JSON_HOME_DATA = {
+--
+2.1.4
+
diff --git a/sys-auth/keystone/keystone-10.0.1-r1.ebuild b/sys-auth/keystone/keystone-10.0.1-r1.ebuild
new file mode 100644
index 000000000000..d224cc06e4f7
--- /dev/null
+++ b/sys-auth/keystone/keystone-10.0.1-r1.ebuild
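Review bot: In `test_user_gets_only_assigned_roles` the first `unscoped_token = response.headers.get('X-Subject-Token')` is dead — it is overwritten after the second `_issue_unscoped_token()` before `_scope_request` ever reads it — and `test_issue_scoped_token_no_groups` carries the bare expression statement `self.proj_employees`, which evaluates an attribute and discards the result. Neither affects what the tests prove, but both read as leftovers that a later maintainer will puzzle over; the first assignment should go (keeping the `assertValidMappedUser` check that precedes it) and `self.proj_employees` should simply be deleted. Because this patch is a verbatim upstream cherry-pick, the right place to fix it is upstream; if the file in FILESDIR is ever edited locally, say so in the commit message so the divergence from Change-Id I65f5be91… is deliberate. The `FederatedTokenTests` and `ShadowMappingTests` classes both start outside the hunks.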
@@ -0,0 +1,165 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-1.6[${PYTHON_USEDEP}]"
+DEPEND="
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ ${CDEPEND}"
+RDEPEND="
+ ${CDEPEND}
+ >=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+ !~dev-python/routes-2.0[${PYTHON_USEDEP}]
+ !~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
+ !~dev-python/routes-2.3.0[${PYTHON_USEDEP}]
+ >=dev-python/cryptography-1.0[${PYTHON_USEDEP}]
+ !~dev-python/cryptography-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ sqlite? (
+ >=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
+ )
+ mysql? (
+ >=dev-python/pymysql-0.6.2[${PYTHON_USEDEP}]
+ !~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+ >=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+ )
+ postgres? (
+ >=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+ >=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+ )
+ >=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}]
+ >=dev-python/passlib-1.6[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-2.0.0[${PYTHON_USEDEP}]
+ !~dev-python/python-keystoneclient-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/keystonemiddleware-4.0.0[${PYTHON_USEDEP}]
+ !~dev-python/keystonemiddleware-4.1.0[${PYTHON_USEDEP}]
+ !~dev-python/keystonemiddleware-4.5.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-messaging-5.2.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-db-4.10.0[${PYTHON_USEDEP}]
+ !~dev-python/oslo-db-4.13.1[${PYTHON_USEDEP}]
+ !~dev-python/oslo-db-4.13.2[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-log-1.14.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-middleware-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-policy-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}]
+ >=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+ >=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}]
+ <dev-python/pysaml2-4.0.3[${PYTHON_USEDEP}]
+ >=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+ >=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+ !~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}]
+ <dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+ !~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+ >=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+ >=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+ memcached? (
+ >=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+ )
+ mongo? (
+ >=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+ !~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+ )
+ ldap? (
+ >=dev-python/pyldap-2.4[${PYTHON_USEDEP}]
+ >=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+ )
+ || (
+ www-servers/uwsgi[python,${PYTHON_USEDEP}]
+ www-apache/mod_wsgi[${PYTHON_USEDEP}]
+ www-servers/gunicorn[${PYTHON_USEDEP}]
+ )"
+
+PATCHES=(
+ "${FILESDIR}/cve-2017-2673-stable-newton.patch"
+)
+
+pkg_setup() {
+ enewgroup keystone
+ enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+ # it's in git, but not in the tarball.....
+ sed -i '/^hacking/d' test-requirements.txt || die
+ mkdir -p ${PN}/tests/tmp/ || die
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+ sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+ sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+ distutils-r1_python_prepare_all
+}
+
+# Ignore (naughty) test_.py files & 1 test that connect to the network
+#-I 'test_keystoneclient*' \
+python_test() {
+ nosetests -I 'test_keystoneclient*' \
+ -e test_static_translated_string_is_Message \
+ -e test_get_token_id_error_handling \
+ -e test_provider_token_expiration_validation \
+ -e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install() {
+ distutils-r1_python_install
+
+ diropts -m 0750
+ keepdir /etc/keystone /var/log/keystone
+ insinto /etc/keystone
+ insopts -m0640 -okeystone -gkeystone
+ doins etc/keystone.conf.sample etc/logging.conf.sample
+ doins etc/default_catalog.templates etc/policy.json
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+ insinto /etc/keystone/httpd
+ doins httpd/*
+
+ fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+ elog "You might want to run:"
+ elog "emerge --config =${CATEGORY}/${PF}"
+ elog "if this is a new install."
+ elog "If you have not already configured your openssl installation"
+ elog "please do it by modifying /etc/ssl/openssl.cnf"
+ elog "BEFORE issuing the configuration command."
+ elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+ if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+ einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+ read
+ "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+ else
+ einfo "keystone PKI certificates directory already present, skipping configuration"
+ fi
+}
diff --git a/sys-auth/keystone/keystone-11.0.0-r1.ebuild b/sys-auth/keystone/keystone-11.0.0-r1.ebuild
new file mode 100644
index 000000000000..1176d3d63788
--- /dev/null
+++ b/sys-auth/keystone/keystone-11.0.0-r1.ebuild
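Review bot: `python_install()` is the per-implementation phase of distutils-r1, so with `PYTHON_COMPAT=( python2_7 python3_4 )` the `keepdir`/`insopts`/`doins`/`fowners` block runs once per enabled interpreter and re-installs the same config files each time; the sibling `keystone-11.0.0-r1.ebuild` added in this same commit already does this correctly with `python_install_all() {` / `distutils-r1_python_install_all`, and this ebuild should match it so the two revisions do not drift. Two smaller points in the same file: the commented-out `#-I 'test_keystoneclient*' \` above `python_test` duplicates the live `nosetests -I` flag and should be dropped, and `die "testsuite failed under python2.7"` is wrong when the python3_4 run is the one that fails — `die "testsuite failed under ${EPYTHON}"` names the implementation that actually failed. The `sed -i 's|python|python27|g' httpd/keystone-uwsgi-*` likewise pins the shipped uwsgi configs to 2.7 regardless of which implementations are built; if that is intentional, a one-line comment saying the uwsgi samples are python2.7-only would save the next person a search.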
@@ -0,0 +1,159 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-1.8[${PYTHON_USEDEP}]"
+DEPEND="
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ ${CDEPEND}"
+RDEPEND="
+ ${CDEPEND}
+ >=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.6.0[${PYTHON_USEDEP}]
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+ !~dev-python/routes-2.0[${PYTHON_USEDEP}]
+ !~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
+ !~dev-python/routes-2.3.0[${PYTHON_USEDEP}]
+ >=dev-python/cryptography-1.0[${PYTHON_USEDEP}]
+ !~dev-python/cryptography-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ sqlite? (
+ >=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
+ )
+ mysql? (
+ >=dev-python/pymysql-0.7.6[${PYTHON_USEDEP}]
+ !~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+ >=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+ )
+ postgres? (
+ >=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+ >=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+ )
+ >=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.17.1[${PYTHON_USEDEP}]
+ >=dev-python/passlib-1.7.0[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-3.8.0[${PYTHON_USEDEP}]
+ >=dev-python/keystonemiddleware-4.12.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+ !~dev-python/oslo-config-3.18.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-messaging-5.14.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-db-4.15.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-log-3.11.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-middleware-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-policy-1.17.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-3.18.0[${PYTHON_USEDEP}]
+ >=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+ >=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}]
+ <dev-python/pysaml2-4.0.3[${PYTHON_USEDEP}]
+ >=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+ >=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+ !~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}]
+ <dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+ !~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+ >=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+ >=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+ memcached? (
+ >=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+ )
+ mongo? (
+ >=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+ !~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+ )
+ ldap? (
+ >=dev-python/pyldap-2.4.20[${PYTHON_USEDEP}]
+ >=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+ )
+ || (
+ www-servers/uwsgi[python,${PYTHON_USEDEP}]
+ www-apache/mod_wsgi[${PYTHON_USEDEP}]
+ www-servers/gunicorn[${PYTHON_USEDEP}]
+ )"
+
+PATCHES=(
+ "${FILESDIR}/cve-2017-2673-stable-ocata.patch"
+)
+
+pkg_setup() {
+ enewgroup keystone
+ enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+ # it's in git, but not in the tarball.....
+ sed -i '/^hacking/d' test-requirements.txt || die
+ mkdir -p ${PN}/tests/tmp/ || die
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+ sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+ sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ nosetests -I 'test_keystoneclient*' \
+ -e test_static_translated_string_is_Message \
+ -e test_get_token_id_error_handling \
+ -e test_provider_token_expiration_validation \
+ -e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install_all() {
+ distutils-r1_python_install_all
+
+ diropts -m 0750
+ keepdir /etc/keystone /var/log/keystone
+ insinto /etc/keystone
+ insopts -m0640 -okeystone -gkeystone
+ doins etc/keystone.conf.sample etc/logging.conf.sample
+ doins etc/default_catalog.templates etc/policy.json
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+ insinto /etc/keystone/httpd
+ doins httpd/*
+
+ fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+ elog "You might want to run:"
+ elog "emerge --config =${CATEGORY}/${PF}"
+ elog "if this is a new install."
+ elog "If you have not already configured your openssl installation"
+ elog "please do it by modifying /etc/ssl/openssl.cnf"
+ elog "BEFORE issuing the configuration command."
+ elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+ if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+ einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+ read
+ "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+ else
+ einfo "keystone PKI certificates directory already present, skipping configuration"
+ fi
+} |
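Review bot: `pkg_config` still runs `keystone-manage pki_setup` and `pkg_postinst` still points admins at `/etc/ssl/openssl.cnf`, but keystone 11 (Ocata) is, as far as I recall, the release that removed the PKI/PKIZ token providers together with the `pki_setup` command (deprecated since Mitaka), so `emerge --config =sys-auth/keystone-11.0.0-r1` would fail on a fresh install — please confirm against `keystone-manage --help` in the 11.0.0 tarball. If it is gone, either drop `pkg_config` or move it to the fernet provider, guarding on the key directory instead of the PKI one: `if [ ! -d "${ROOT}"/etc/keystone/fernet-keys ] ; then` / `"${ROOT}"/usr/bin/keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone` (plus `credential_setup` with the same user/group flags if this release has it), and reword the `elog` lines so they no longer describe an OpenSSL CA step. Even if `pki_setup` survives in this release, steering new installs toward PKI tokens is the deprecated path and the elog should say so. Note that `read` with no variable name and the unchecked exit status of `keystone-manage` are carried over unchanged from the 10.0.1 ebuild; a `|| die` on the keystone-manage line would make a failed key setup visible rather than leaving an empty directory that the `-d` guard then treats as configured.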