authorMatt Thode <prometheanfire@gentoo.org>2013-12-13 16:53:10 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-12-13 16:53:10 +0000
commitfcd38d7ad72dfede2a07e3b8d923f6723a68fb09 (patch)
treeddb796b3a60987d3ed4730b9e4bbde50cd0552be /sys-auth
parentCleanup old versions (diff)
fix for CVE-2013-6391
Package-Manager: portage-2.2.7/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/keystone/ChangeLog8
-rw-r--r--sys-auth/keystone/Manifest22
-rw-r--r--sys-auth/keystone/files/cve-2013-6391_2013.2.patch153
-rw-r--r--sys-auth/keystone/keystone-2013.2-r2.ebuild107
4 files changed, 284 insertions, 6 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 7f52f59f6439..440df584e3f7 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.48 2013/11/28 04:51:37 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.49 2013/12/13 16:53:02 prometheanfire Exp $
+
+*keystone-2013.2-r2 (13 Dec 2013)
+
+ 13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/cve-2013-6391_2013.2.patch, +keystone-2013.2-r2.ebuild:
+ fix for CVE-2013-6391
28 Nov 2013; Ian Delaney <idella4@gentoo.org> keystone-2013.2-r1.ebuild,
keystone-2013.2.9999.ebuild, keystone-9999.ebuild:
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index 45fdfdedfab9..e63aeca456f3 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -5,6 +5,7 @@ AUX 2012.2.4-CVE-2013-4222.patch 4815 SHA256 3a5018cf7788fb0498ac50cb022d4ecf780
AUX 2012.2.4-upstream-1181157.patch 1336 SHA256 355c3e49e2c0ea0924bfb7eaf2d6a82120d2eb0f31fc4863ef6bf1b9791c94d4 SHA512 b90d41bcd9b60886af2f37de3cbc33c3583eef65b9ed4a92e2b55e8701f883f3662b8f5e00a4c65d869914b8c9718364b8024604197a5f6cc5403508e3fb8827 WHIRLPOOL 0454536a2c9ed28c6b164c9f64af6c472f8d22b38a509d27d4d0d22a238737f4d51ed17f416c04c7fe3b43790741e0914b09e0435c6dbc8e34c7c1debf75eb19
AUX 2013.1.4-CVE-2013-4477.patch 3344 SHA256 6b4ff925ec1451eefb869ed85911f23fd90220f9394c482ee133feddd10eae32 SHA512 8a8a610603f05a27b2986637f9822389ef61e92c02d1837f13f30e56ce90de3733a2f8c5517179bbd3d1e4b0c69e8307262bbfba3fbd088b526c3c909d9d0a11 WHIRLPOOL 3e11c0ccd401ffedfc9549255e2843f3a9e0807bd37bb292adbe6e6a0beb736465ca126aff2022ea5d19fab59836aa51106d26d5e998b870a61cc42cd2378537
AUX 2013.2-CVE-2013-4477.patch 3157 SHA256 c18b629cb0fabf89a51ad751cf5ddc64863938cd84ce31438de9b3623a56f7d6 SHA512 a681a02847d5da041303fcdb96414930f78e47cb677fb40f271dbf048f5e9e77126a5517f53e190a264b8865bc664e1f06383d604058e507b9fb674a3703a885 WHIRLPOOL 67f50bb07e549413528ce98a77cd7aea83466e41fd07d21437f88bba3117d03df8b46700951388548f296031b53ccd0d928167b9f079c090c0f9390e00e04975
+AUX cve-2013-6391_2013.2.patch 6944 SHA256 6f6c759ace5b4051ce0736f3852e083fd762e472ab7bea422ab32cb840024bec SHA512 4efb882a12c646626838539e5d0951aa9da7addfbeb68372a31607b296dd5cc12455cb42348967aca4f99f2ad9911644c433b9e7b282a93e8d1505e3bc0894e3 WHIRLPOOL f0f699bbb4c5e4977ed27435c620d5a9c3f8551bc8ab402e94f59d74012486fe979aa12677c7ef5338ef0c11c3d4f76102e3802b5071b8d1aaac23f926dd65ca
AUX keystone-cve-2013-4294-folsom.patch 5662 SHA256 69b07e87cf021b21168fe40fedd2dabd492991e0b4192f86fad378e24ef0429c SHA512 502cca91cfd71bd43f1a0dd0ada718cc9020071e41b13abd7310de175a794453bdb529e1ffb641e60e199fef9a2226aa44395f32eb3b0af8dc0b56dbf739b307 WHIRLPOOL 58f95de485b6351f78a680a65531bee8bcc2d725329aefa21116443a8a5ad6759a32d0ff39aa97a5226fa32fdcf0ac689bab1e7730207677334d1559f8c8d790
AUX keystone-cve-2013-4294-grizzly.patch 5704 SHA256 86a7f54c72675d5041b648dff4f607e7e20659dbdd56084aec4424e3e552e419 SHA512 b58bb75fa4bbfcc09b3a02ee407c05b031dce54976b949e140894f43b5691048ee62921496e132f0ac1d0c47e9a7a75b5ac238fa84f870289563abcda2e72d28 WHIRLPOOL 775365acc88a7486dd8ede7b999fb4811cca493a1487a9177b9af0ca8d0093aa2cc45e9ba6583b4b069671f3c44402269ae63875ca057d76e707e970d0a175e0
AUX keystone-folsom-4-CVE-2013-1977.patch 1114 SHA256 af81df239364cab3f94b14636359a19e6c8474f8282d2c174e3e75208fa508c6 SHA512 e9139487cdf6185d0405fd034a48c451c15ab568ebb6d4e58c2c50160ef8dc6b926a31fd0b31c646ecfccf68f2b667d9577bbe6e169ef28f8abfc06ae9031210 WHIRLPOOL c2ed7858f514f3d4a45303b0a307eb259c3c53373160ad35afcb7012ca63f9360d152f4869745579b678d990ed6f929ef050b1c68683bac656123a0aea394ec0
@@ -21,14 +22,25 @@ DIST keystone-2013.2.tar.gz 1404658 SHA256 f0e037cc6e40cb8a703755eee52bcabb1c61d
EBUILD keystone-2013.1.4-r1.ebuild 3153 SHA256 0a1ef5d65647f17dc70700d058d20cffc1379ca39f2a43d816ba9e260f9e686d SHA512 7b8288d4f205d2cd201ef6135aa1da527220d2b72896d24e0a99804091978adf88ca4a6a4d22f00acd3b199ffde73aa9ea259c253a582ccdfe0869c64a9151a9 WHIRLPOOL 94da411739945062ec72bb58cb78e718b673b7363e7999bd4be88f476aeedc9d0e66ab87fa6d8a116382c4e3bc8471defb5f7db4d389036bea56a78df2207839
EBUILD keystone-2013.1.9999.ebuild 3101 SHA256 58a93657711e2bd7fdd7a54f4e641ee87ad29f39211fea04a4bdbcd18fda8807 SHA512 d2ab9ab6aad68f468eb2606a7a439d77f39ea85d9f2e69eb6308439a6824e76845b52ba6eb4df19205635b730a0233998ed3c9a75f28d1c20eb11018f56b22df WHIRLPOOL 5bdadbaca00e25e8b8f595fa23a10bdce18c764d9f960f7ba5bc45d791bfc4567eeee7d65c51e25a6119cb4505316b18f1de8b65d5f4f22bcae3d1b181bd6715
EBUILD keystone-2013.2-r1.ebuild 3644 SHA256 902eab8466b9b61db4364db6f9bc6849adce29983d585124fcb72dfa342228a5 SHA512 56426ec02672aaf2dc219c17b8d0986485df0b794c1f96c67fc5e383090bec2b8e3ff5cf615054292107df8d970d055300ef0ca0ba560656e89d003628e030fe WHIRLPOOL 9f1d43c76f02cc5bb2253c4c51fc088cfbdcaeec73ddc9d02430fb77295664cc81e1549e2feb02590f20946658c623f842305edc88ca64fe92c3fa81ac081ecd
+EBUILD keystone-2013.2-r2.ebuild 3693 SHA256 4b3d696ecbe3016940d10780faf02cef30609d4caa14051b8ce687279715981e SHA512 34bb256230169d7d7c659d22a4ba0a68732820322c86e1918dd1f72681d7cf37dc35f1c4f96e6d462cee39e61a1c627fba71af5e6fb367f6c934fe14bb7c55e0 WHIRLPOOL 51e655e36316e874c35762fb682bbbd0c56c30c92a55afad2a2162576766b292e1a37223202813726700076747d0f882641bda64d6169bd31ca76d7d97419251
EBUILD keystone-2013.2.9999.ebuild 3369 SHA256 66f1d8652cfc233c6ce6fcfa00737a35587178df8934e657666c76d4d7e7d625 SHA512 656541a968a7b1dbbb5240784dd9a60a5b53c57a387d72727232ffc087be4d3a2e268e5ee91ac27958dd9bfadfaff04a31a4949125b5425bdd12c474f4dfc459 WHIRLPOOL b8cbb7aca3464f8344376ba2d7529e4a2ef26c60b0545d26394b2f9d08c56e1462ac59a9f591fd51fba24add4327e945fa1b41459979d666be5ea057ea0318c4
EBUILD keystone-9999.ebuild 3057 SHA256 935d2e365eed7feb2e33d644c6e3c9cd2987286bdba757a62e0295213b521245 SHA512 dcbb6315d118186b2e41ca83957aa11d72c2f264f96d6d7e82df6097a3c54388440ed4b4e38ca340b10c5f56a7f4a5385995a52e7cafe665512408144963a3bc WHIRLPOOL d5809a8a54d41d01b0ca93ba24407a65375ac34a93242d2278b4d056eb4f916442b6f7d54f193c5a907d0b957a7c17c237e83abb7d24210f11d57f3e6c73616b
-MISC ChangeLog 10388 SHA256 82c97f0cf8bc6f0756d57918712f51580fd83052f4347d24d515b5d0eb015dde SHA512 1cd03278403c85004c7ebf693b3532ac6db90df953f6b40a79184053be06054ba2beb8ceac1451237e164dfe3dd1a0508e32ffa889f70173b8bf5aba6239da46 WHIRLPOOL 73266969de504d1f45f3cf9b4a494157f4b43c59d9130cc467302706f9c71e7494016726a97052fa3122671a2a4be66aebd8ad0824f98de8a06827f66ef4c090
+MISC ChangeLog 10577 SHA256 ed50fb41324443d729bec1d6d7bab24fd0f4c937ee8c5aaf74db17135fd8f637 SHA512 ae6a79dbaa574b04419ad93503b1103d9a2343ee6a0ef1de7d785a135a1e3b2ea888cdd0d1368904bf6242764cf907d6ec8e557802391268548df513580a1e74 WHIRLPOOL db62869f1f1a6c016d83e9222043ac25a05b125a10ccd2c51d718b0210ec3e8142073b8ebdd0b81c0ebe91c8e2a8718c8dc64e72596c2310da74e204bf5edc5b
MISC metadata.xml 424 SHA256 c89c0232e90df5d811d17941c1594e4c4c45db48c2b6240a3c62b232caad4e84 SHA512 9d7fcca89a6f35a93f1a57790103249cdc25424cbdb374bf26b691e81b27182dc3380a8ff67b77e7aabf4ce944e4a813d619838d4bc97086b4208e5312d76f11 WHIRLPOOL 4ec9d4c5ff5c484c341b06fe77fcac8e6fdd0e0b651dbd58b6f2d5aecd05db5bf70218b94733eb749ced7436f9df5ba5c93496bae06c0ff9a62b91ecb53ab77a
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.19 (GNU/Linux)
+Version: GnuPG v2.0.22 (GNU/Linux)
-iEYEAREIAAYFAlKWy+kACgkQso7CE7gHKw1qQwCgxLlSgrU4Mc/eNs4EL/KmSd6J
-aWAAoIfy+C6gIggxZKFv13OyLycfYXwM
-=GiID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+=8SNa
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
new file mode 100644
index 000000000000..52d13c4b0e51
--- /dev/null
+++ b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
@@ -0,0 +1,153 @@
+From 2756f2ff0c49b25e17b4f833610bd5c4f16309bd Mon Sep 17 00:00:00 2001
+From: Steven Hardy <shardy@redhat.com>
+Date: Mon, 21 Oct 2013 19:49:01 +0100
+Subject: [PATCH] Fix issues handling trust tokens via ec2tokens API
+
+Trust scoped tokens are handled incorectly when making requests
+via the ec2tokens API, meaning that the restrictions enforced
+by trust-scoped tokens are not respected when obtaining a token
+via ec2token signature validation.
+
+Storing the trust_id in the blob associated with the ec2 keypair,
+and passing that id in the metadata when requesting a v2 token
+solves the issue.
+
+Change-Id: I52566384d7813ef0e2f20fb94a5076386457ff02
+Closes-Bug: #1242597
+---
+ keystone/contrib/ec2/controllers.py | 19 ++++++++++--
+ keystone/tests/test_keystoneclient_sql.py | 50 ++++++++++++++++++++++++++++---
+ 2 files changed, 63 insertions(+), 6 deletions(-)
+
+diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
+index 94b7430..262cbe5 100644
+--- a/keystone/contrib/ec2/controllers.py
++++ b/keystone/contrib/ec2/controllers.py
+@@ -106,6 +106,11 @@ class Ec2Controller(controller.V2Controller):
+ self.identity_api.get_roles_for_user_and_project(
+ user_ref['id'], tenant_ref['id']))
+
++ trust_id = creds_ref.get('trust_id')
++ if trust_id:
++ metadata_ref['trust_id'] = trust_id
++ metadata_ref['trustee_user_id'] = user_ref['id']
++
+ # Validate that the auth info is valid and nothing is disabled
+ token.validate_auth_info(self, user_ref, tenant_ref)
+
+@@ -146,8 +151,10 @@ class Ec2Controller(controller.V2Controller):
+
+ self._assert_valid_user_id(user_id)
+ self._assert_valid_project_id(tenant_id)
++ trust_id = self._context_trust_id(context)
+ blob = {'access': uuid.uuid4().hex,
+- 'secret': uuid.uuid4().hex}
++ 'secret': uuid.uuid4().hex,
++ 'trust_id': trust_id}
+ credential_id = utils.hash_access_key(blob['access'])
+ cred_ref = {'user_id': user_id,
+ 'project_id': tenant_id,
+@@ -213,7 +220,8 @@ class Ec2Controller(controller.V2Controller):
+ return {'user_id': credential.get('user_id'),
+ 'tenant_id': credential.get('project_id'),
+ 'access': blob.get('access'),
+- 'secret': blob.get('secret')}
++ 'secret': blob.get('secret'),
++ 'trust_id': blob.get('trust_id')}
+
+ def _get_credentials(self, credential_id):
+ """Return credentials from an ID.
+@@ -244,6 +252,13 @@ class Ec2Controller(controller.V2Controller):
+ if token_ref['user'].get('id') != user_id:
+ raise exception.Forbidden(_('Token belongs to another user'))
+
++ def _context_trust_id(self, context):
++ try:
++ token_ref = self.token_api.get_token(context['token_id'])
++ except exception.TokenNotFound as e:
++ raise exception.Unauthorized(e)
++ return token_ref.get('trust_id')
++
+ def _is_admin(self, context):
+ """Wrap admin assertion error return statement.
+
+diff --git a/keystone/tests/test_keystoneclient_sql.py b/keystone/tests/test_keystoneclient_sql.py
+index 5ddc33e..bd83803 100644
+--- a/keystone/tests/test_keystoneclient_sql.py
++++ b/keystone/tests/test_keystoneclient_sql.py
+@@ -88,9 +88,11 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
+ self.assertRaises(client_exceptions.NotFound, client.endpoints.delete,
+ id=endpoint.id)
+
+- def _send_ec2_auth_request(self, credentials):
++ def _send_ec2_auth_request(self, credentials, client=None):
++ if not client:
++ client = self.default_client
+ url = '%s/ec2tokens' % self.default_client.auth_url
+- (resp, token) = self.default_client.request(
++ (resp, token) = client.request(
+ url=url, method='POST',
+ body={'credentials': credentials})
+ return resp, token
+@@ -99,9 +101,12 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
+ cred = self. default_client.ec2.create(
+ user_id=self.user_foo['id'],
+ tenant_id=self.tenant_bar['id'])
+- signer = ec2_utils.Ec2Signer(cred.secret)
++ return self._generate_user_ec2_credentials(cred.access, cred.secret)
++
++ def _generate_user_ec2_credentials(self, access, secret):
++ signer = ec2_utils.Ec2Signer(secret)
+ credentials = {'params': {'SignatureVersion': '2'},
+- 'access': cred.access,
++ 'access': access,
+ 'verb': 'GET',
+ 'host': 'localhost',
+ 'path': '/service/cloud'}
+@@ -115,6 +120,43 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
+ self.assertEqual(resp.status_code, 200)
+ self.assertIn('access', token)
+
++ def test_ec2_auth_success_trust(self):
++ # Add "other" role user_foo and create trust delegating it to user_two
++ self.identity_api.add_role_to_user_and_project(
++ self.user_foo['id'],
++ self.tenant_bar['id'],
++ self.role_other['id'])
++ trust_id = 'atrust123'
++ trust = {'trustor_user_id': self.user_foo['id'],
++ 'trustee_user_id': self.user_two['id'],
++ 'project_id': self.tenant_bar['id'],
++ 'impersonation': True}
++ roles = [self.role_other]
++ self.trust_api.create_trust(trust_id, trust, roles)
++
++ # Create a client for user_two, scoped to the trust
++ client = self.get_client(self.user_two)
++ ret = client.authenticate(trust_id=trust_id,
++ tenant_id=self.tenant_bar['id'])
++ self.assertTrue(ret)
++ self.assertTrue(client.auth_ref.trust_scoped)
++ self.assertEqual(trust_id, client.auth_ref.trust_id)
++
++ # Create an ec2 keypair using the trust client impersonating user_foo
++ cred = client.ec2.create(user_id=self.user_foo['id'],
++ tenant_id=self.tenant_bar['id'])
++ credentials, signature = self._generate_user_ec2_credentials(
++ cred.access, cred.secret)
++ credentials['signature'] = signature
++ resp, token = self._send_ec2_auth_request(credentials)
++ self.assertEqual(resp.status_code, 200)
++ self.assertEqual(trust_id, token['access']['trust']['id'])
++ #TODO(shardy) we really want to check the roles and trustee
++ # but because of where the stubbing happens we don't seem to
++ # hit the necessary code in controllers.py _authenticate_token
++ # so although all is OK via a real request, it incorrect in
++ # this test..
++
+ def test_ec2_auth_failure(self):
+ from keystoneclient import exceptions as client_exceptions
+
+--
+1.8.3.1
+
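Review bot: In the `controllers.py` part of this patch, `trust_id = creds_ref.get('trust_id')` restricts only credentials whose blob already carries a `trust_id`, and that field is written only by the patched create path (`'trust_id': trust_id`). EC2 credentials created from a trust-scoped token before the upgrade therefore appear to keep yielding tokens without the trust restriction. I would document this next to the lookup, e.g. `# credentials stored before this fix have no trust_id and are not trust-restricted; re-issue them`, and have operators audit and re-create such credentials after upgrading. The added `test_ec2_auth_success_trust` asserts only the trust id, and its own TODO says roles and trustee are not checked, so the role restriction itself is not verified here. The enclosing authenticate and create methods start outside the embedded hunks, so this reading rests on the visible lines only.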
diff --git a/sys-auth/keystone/keystone-2013.2-r2.ebuild b/sys-auth/keystone/keystone-2013.2-r2.ebuild
new file mode 100644
index 000000000000..e3de7b4a2775
--- /dev/null
+++ b/sys-auth/keystone/keystone-2013.2-r2.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2-r2.ebuild,v 1.1 2013/12/13 16:53:02 prometheanfire Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1
+
+DESCRIPTION="Keystone is the Openstack authentication, authorization, and
+service catalog written in Python."
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="grizzly"
+KEYWORDS="~amd64 ~x86"
+IUSE="+sqlite mysql postgres ldap test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+#todo, seperate out rdepend via use flags
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( dev-python/Babel
+ dev-python/decorator
+ dev-python/eventlet
+ dev-python/greenlet
+ dev-python/httplib2
+ dev-python/iso8601
+ dev-python/lxml
+ dev-python/netifaces
+ dev-python/nose
+ dev-python/nosexcover
+ dev-python/passlib
+ dev-python/paste
+ dev-python/pastedeploy
+ dev-python/python-pam
+ dev-python/repoze-lru
+ dev-python/routes
+ dev-python/sphinx
+ >=dev-python/sqlalchemy-migrate-0.7
+ dev-python/tempita
+ >=dev-python/webob-1.0.8
+ dev-python/webtest
+ dev-python/python-memcached )
+ >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
+RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+ <dev-python/webob-1.3[${PYTHON_USEDEP}]
+ >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
+ >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
+ dev-python/netaddr[${PYTHON_USEDEP}]
+ >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+ sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
+ mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
+ postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
+ <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
+ >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
+ dev-python/passlib[${PYTHON_USEDEP}]
+ >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
+ >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
+ >=dev-python/Babel-0.9.6[${PYTHON_USEDEP}]
+ dev-python/oauth2[${PYTHON_USEDEP}]
+ >=dev-python/dogpile-cache-0.5.0[${PYTHON_USEDEP}]
+ dev-python/python-daemon[${PYTHON_USEDEP}]
+ virtual/python-argparse[${PYTHON_USEDEP}]
+ ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )
+ >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
+
+PATCHES=(
+ "${FILESDIR}/2013.2-CVE-2013-4477.patch"
+ "${FILESDIR}/cve-2013-6391_2013.2.patch"
+)
+
+python_prepare_all() {
+ mkdir ${PN}/tests/tmp || die
+ cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ # Ignore (naughty) test_.py files & 1 test that connect to the network
+ nosetests -I 'test_keystoneclient*' \
+ -e test_import || die "testsuite failed under python2.7"
+}
+
+python_install() {
+ distutils-r1_python_install
+ newconfd "${FILESDIR}/keystone.confd" keystone
+ newinitd "${FILESDIR}/keystone.initd" keystone
+
+ diropts -m 0750
+ dodir /var/run/keystone /var/log/keystone /etc/keystone
+ keepdir /etc/keystone
+ insinto /etc/keystone
+ doins etc/keystone.conf.sample etc/logging.conf.sample
+ doins etc/default_catalog.templates etc/policy.json
+ doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+}
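Review bot: `python_test` passes `-I 'test_keystoneclient*'` to nosetests, which ignores `keystone/tests/test_keystoneclient_sql.py`, the file where cve-2013-6391_2013.2.patch adds `test_ec2_auth_success_trust`. The test phase therefore never runs the regression test that accompanies this security fix. If the network-dependent tests cannot be excluded more narrowly, at least record the gap in the existing comment, e.g. `# NOTE: this also skips the CVE-2013-6391 regression test in test_keystoneclient_sql.py`. Separately, `SLOT="grizzly"` sits beside a `havana` SRC_URI and looks carried over from an earlier ebuild, which is worth confirming.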