author | Matthew Thode <prometheanfire@gentoo.org> | 2014-03-16 19:54:35 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2014-03-16 19:54:35 +0000 |
commit | 7fe80d411fe47ce97dcfd5f07c37400504156411 (patch) | |
tree | bdeedc04b25f0679bf2f244efc777e7beaebe0da /sys-auth | |
parent | Remove deprecated 10.0 profiles (diff) | |
download | gentoo-2-7fe80d411fe47ce97dcfd5f07c37400504156411.tar.gz gentoo-2-7fe80d411fe47ce97dcfd5f07c37400504156411.tar.bz2 gentoo-2-7fe80d411fe47ce97dcfd5f07c37400504156411.zip |
fix for bug 503446 CVE-2014-2237
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 10 | ||||
-rw-r--r-- | sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch | 166 | ||||
-rw-r--r-- | sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch | 183 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.1.4-r3.ebuild | 90 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.2.2-r1.ebuild | 128 |
5 files changed, 576 insertions, 1 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog index e498a750e8fb..aee5bc08fe82 100644 --- a/sys-auth/keystone/ChangeLog +++ b/sys-auth/keystone/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for sys-auth/keystone # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.60 2014/02/24 03:03:27 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.61 2014/03/16 19:54:35 prometheanfire Exp $ + +*keystone-2013.2.2-r1 (16 Mar 2014) +*keystone-2013.1.4-r3 (16 Mar 2014) + + 16 Mar 2014; Matthew Thode <prometheanfire@gentoo.org> + +files/2013.1.4-CVE-2014-2237.patch, +files/2013.2.2-CVE-2014-2237.patch, + +keystone-2013.1.4-r3.ebuild, +keystone-2013.2.2-r1.ebuild: + fix for bug 503446 CVE-2014-2237 24 Feb 2014; Ian Delaney <idella4@gentoo.org> -keystone-2013.2.1-r1.ebuild: rm old 2013.2.1 by request of maintainer diff --git a/sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch b/sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch new file mode 100644 index 000000000000..36bbe2b43323 --- /dev/null +++ b/sys-auth/keystone/files/2013.1.4-CVE-2014-2237.patch 
@@ -0,0 +1,166 @@ +From a411c944af78c36f2fdb87d305ba452dc52d7ed3 Mon Sep 17 00:00:00 2001 +From: Morgan Fainberg <m@metacloud.com> +Date: Fri, 21 Feb 2014 22:09:04 +0000 +Subject: Ensure tokens are added to both Trustor and Trustee indexes + +Tokens are now added to both the Trustor and Trustee user-token-index +so that bulk token revocations (e.g. password change) of the trustee +will work as expected. This is a backport of the basic code that was +used in the Icehouse-vintage Dogpile Token KVS backend that resolves +this issue by merging the handling of memcache and KVS backends into +the same logic. + +Change-Id: I3e19e4a8fc1e11cef6db51d364e80061e97befa7 +Closes-Bug: #1260080 +--- +diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py +index c2c9b51..dc5c34e 100644 +--- a/keystone/token/backends/memcache.py ++++ b/keystone/token/backends/memcache.py +@@ -62,6 +62,15 @@ class Token(token.Driver): + return token_ref + + def create_token(self, token_id, data): ++ ++ def update_index(user_id, token_data): ++ user_key = self._prefix_user_id(user_id) ++ if not self.client.append(user_key, ',%s' % token_data): ++ if not self.client.add(user_key, token_data): ++ if not self.client.append(user_key, ',%s' % token_data): ++ msg = _('Unable to add token user list.') ++ raise exception.UnexpectedError(msg) ++ + data_copy = copy.deepcopy(data) + ptk = self._prefix_token_id(token.unique_id(token_id)) + if not data_copy.get('expires'): +@@ -73,15 +82,19 @@ class Token(token.Driver): + expires_ts = utils.unixtime(data_copy['expires']) + kwargs['time'] = expires_ts + self.client.set(ptk, data_copy, **kwargs) ++ token_data = jsonutils.dumps(token_id) + if 'id' in data['user']: +- token_data = jsonutils.dumps(token_id) + user_id = data['user']['id'] +- user_key = self._prefix_user_id(user_id) +- if not self.client.append(user_key, ',%s' % token_data): +- if not self.client.add(user_key, token_data): +- if not self.client.append(user_key, ',%s' % 
token_data): +- msg = _('Unable to add token user list.') +- raise exception.UnexpectedError(msg) ++ update_index(user_id, token_data) ++ ++ if CONF.trust.enabled and data.get('trust_id'): ++ if 'access' in data_copy: ++ trustee_user_id = data_copy['access']['trust'][ ++ 'trustee_user_id'] ++ else: ++ trustee_user_id = data_copy['OS-TRUST:trust'][ ++ 'trustee_user_id'] ++ update_index(trustee_user_id, token_data) + return copy.deepcopy(data_copy) + + def _add_to_revocation_list(self, token_id, token_data): +diff --git a/tests/test_backend.py b/tests/test_backend.py +index 1af3c16..19caa0c 100644 +--- a/tests/test_backend.py ++++ b/tests/test_backend.py +@@ -2096,7 +2096,8 @@ class TokenTests(object): + self.token_api.delete_token, token_id) + + def create_token_sample_data(self, tenant_id=None, trust_id=None, +- user_id="testuserid"): ++ user_id='testuserid', ++ trustee_user_id='testuserid2'): + token_id = self._create_token_id() + data = {'id': token_id, 'a': 'b', + 'user': {'id': user_id}} +@@ -2104,6 +2105,11 @@ class TokenTests(object): + data['tenant'] = {'id': tenant_id, 'name': tenant_id} + if trust_id is not None: + data['trust_id'] = trust_id ++ data.setdefault('access', {}).setdefault('trust', {}) ++ # Testuserid2 is used here since a trustee will be different in ++ # the cases of impersonation and therefore should not match the ++ # token's user_id. ++ data['access']['trust']['trustee_user_id'] = trustee_user_id + self.token_api.create_token(token_id, data) + return token_id + +@@ -2290,6 +2296,39 @@ class TokenTests(object): + for t in self.token_api.list_revoked_tokens(): + self.assertIn('expires', t) + ++ def test_token_in_trustee_and_trustor_token_list(self): ++ self.opt_in_group('trust', ++ enabled=True) ++ trustor = self.user_foo ++ trustee = self.user_two ++ trust_id = uuid.uuid4().hex ++ trust_info = {'trustor_user_id': trustor['id'], ++ 'trustee_user_id': trustee['id'], ++ 'project_id': self.tenant_bar['id'], ++ 'expires_at': timeutils. 
++ parse_isotime('2031-02-18T18:10:00Z'), ++ 'impersonation': True} ++ self.trust_api.create_trust(trust_id, trust_info, ++ roles=[{'id': 'member'}, ++ {'id': 'other'}, ++ {'id': 'browser'}]) ++ ++ token_id = self.create_token_sample_data( ++ tenant_id=self.tenant_bar['id'], ++ trust_id=trust_id, ++ user_id=trustor['id'], ++ trustee_user_id=trustee['id']) ++ ++ # Ensure the token id exists in both the trustor and trustee token ++ # lists ++ ++ self.assertIn(token_id, ++ self.token_api.list_tokens(self.user_two['id'], ++ trust_id=trust_id)) ++ self.assertIn(token_id, ++ self.token_api.list_tokens(self.user_foo['id'], ++ trust_id=trust_id)) ++ + + class TrustTests(object): + def create_sample_trust(self, new_id): +diff --git a/tests/test_backend_kvs.py b/tests/test_backend_kvs.py +index f3a8ece..15a87b5 100644 +--- a/tests/test_backend_kvs.py ++++ b/tests/test_backend_kvs.py +@@ -73,6 +73,8 @@ class KvsToken(test.TestCase, test_backend.TokenTests): + def setUp(self): + super(KvsToken, self).setUp() + self.token_api = token_kvs.Token(db={}) ++ self.load_backends() ++ self.load_fixtures(default_fixtures) + + + class KvsTrust(test.TestCase, test_backend.TrustTests): +diff --git a/tests/test_backend_memcache.py b/tests/test_backend_memcache.py +index 9fbaeb9..6339e6f 100644 +--- a/tests/test_backend_memcache.py ++++ b/tests/test_backend_memcache.py +@@ -18,6 +18,7 @@ import uuid + + import memcache + ++import default_fixtures + from keystone.common import utils + from keystone.openstack.common import timeutils + from keystone import test +@@ -75,8 +76,10 @@ class MemcacheClient(object): + class MemcacheToken(test.TestCase, test_backend.TokenTests): + def setUp(self): + super(MemcacheToken, self).setUp() ++ self.load_backends() + fake_client = MemcacheClient() + self.token_api = token_memcache.Token(client=fake_client) ++ self.load_fixtures(default_fixtures) + + def test_create_unicode_token_id(self): + token_id = unicode(self._create_token_id()) +-- +cgit v0.9.2 
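Review bot: The trustee index is written only after the context line `self.client.set(ptk, data_copy, **kwargs)` has already made the token live, so if `update_index(trustee_user_id, token_data)` raises `UnexpectedError`, or the `else` branch raises a bare KeyError because `data_copy` carries neither `access` nor `OS-TRUST:trust`, the caller sees an error while the token stays valid and absent from the trustee's list — the exact condition CVE-2014-2237 is meant to close. Moving the `self.client.set(ptk, data_copy, **kwargs)` line to after both `update_index` calls fails closed instead, on the assumption that a user-list entry whose token was never stored is tolerated by list_tokens (please confirm against the Grizzly backend); alternatively wrap the trustee update in try/except and `self.client.delete(ptk)` before re-raising. The `else` path also deserves an explicit `raise exception.UnexpectedError(_('Trust-scoped token carries no trust section.'))` so an unexpected token shape is logged as such rather than as a KeyError; which shape the Grizzly controllers actually store is not visible in this hunk.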
diff --git a/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch b/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch new file mode 100644 index 000000000000..a19d9440258f --- /dev/null +++ b/sys-auth/keystone/files/2013.2.2-CVE-2014-2237.patch 
@@ -0,0 +1,183 @@ +From b6f0e26da0e2ab0892a5658da281a065e668637b Mon Sep 17 00:00:00 2001 +From: Morgan Fainberg <m@metacloud.com> +Date: Fri, 21 Feb 2014 21:33:25 +0000 +Subject: Ensure tokens are added to both Trustor and Trustee indexes + +Tokens are now added to both the Trustor and Trustee user-token-index +so that bulk token revocations (e.g. password change) of the trustee +will work as expected. This is a backport of the basic code that was +used in the Icehouse-vintage Dogpile Token KVS backend that resolves +this issue by merging the handling of memcache and KVS backends into +the same logic. + +Change-Id: I3e19e4a8fc1e11cef6db51d364e80061e97befa7 +Closes-Bug: #1260080 +--- +diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py +index e0e81ca..1e926c8 100644 +--- a/keystone/tests/test_backend.py ++++ b/keystone/tests/test_backend.py +@@ -25,6 +25,7 @@ from keystone import exception + from keystone.openstack.common import timeutils + from keystone import tests + from keystone.tests import default_fixtures ++from keystone.token import provider + + + CONF = config.CONF +@@ -2645,7 +2646,8 @@ class TokenTests(object): + self.token_api.delete_token, token_id) + + def create_token_sample_data(self, tenant_id=None, trust_id=None, +- user_id="testuserid"): ++ user_id='testuserid', ++ trustee_user_id='testuserid2'): + token_id = self._create_token_id() + data = {'id': token_id, 'a': 'b', + 'user': {'id': user_id}} +@@ -2655,6 +2657,15 @@ class TokenTests(object): + data['tenant'] = None + if trust_id is not None: + data['trust_id'] = trust_id ++ data.setdefault('access', {}).setdefault('trust', {}) ++ # Testuserid2 is used here since a trustee will be different in ++ # the cases of impersonation and therefore should not match the ++ # token's user_id. ++ data['access']['trust']['trustee_user_id'] = trustee_user_id ++ data['token_version'] = provider.V2 ++ # Issue token stores a copy of all token data at token['token_data']. 
++ # This emulates that assumption as part of the test. ++ data['token_data'] = copy.deepcopy(data) + new_token = self.token_api.create_token(token_id, data) + return new_token['id'] + +@@ -2907,6 +2918,39 @@ class TokenTests(object): + for t in self.token_api.list_revoked_tokens(): + self.assertIn('expires', t) + ++ def test_token_in_trustee_and_trustor_token_list(self): ++ self.opt_in_group('trust', ++ enabled=True) ++ trustor = self.user_foo ++ trustee = self.user_two ++ trust_id = uuid.uuid4().hex ++ trust_info = {'trustor_user_id': trustor['id'], ++ 'trustee_user_id': trustee['id'], ++ 'project_id': self.tenant_bar['id'], ++ 'expires_at': timeutils. ++ parse_isotime('2031-02-18T18:10:00Z'), ++ 'impersonation': True} ++ self.trust_api.create_trust(trust_id, trust_info, ++ roles=[{'id': 'member'}, ++ {'id': 'other'}, ++ {'id': 'browser'}]) ++ ++ token_id = self.create_token_sample_data( ++ tenant_id=self.tenant_bar['id'], ++ trust_id=trust_id, ++ user_id=trustor['id'], ++ trustee_user_id=trustee['id']) ++ ++ # Ensure the token id exists in both the trustor and trustee token ++ # lists ++ ++ self.assertIn(token_id, ++ self.token_api.list_tokens(self.user_two['id'], ++ trust_id=trust_id)) ++ self.assertIn(token_id, ++ self.token_api.list_tokens(self.user_foo['id'], ++ trust_id=trust_id)) ++ + + class TokenCacheInvalidation(object): + def _create_test_data(self): +diff --git a/keystone/tests/test_backend_kvs.py b/keystone/tests/test_backend_kvs.py +index ac9df71..a23882c 100644 +--- a/keystone/tests/test_backend_kvs.py ++++ b/keystone/tests/test_backend_kvs.py +@@ -70,6 +70,7 @@ class KvsToken(tests.TestCase, test_backend.TokenTests): + identity.CONF.identity.driver = ( + 'keystone.identity.backends.kvs.Identity') + self.load_backends() ++ self.load_fixtures(default_fixtures) + + + class KvsTrust(tests.TestCase, test_backend.TrustTests): +diff --git a/keystone/tests/test_backend_memcache.py b/keystone/tests/test_backend_memcache.py +index 964d5b4..c99a6a3 100644 
+--- a/keystone/tests/test_backend_memcache.py ++++ b/keystone/tests/test_backend_memcache.py +@@ -26,6 +26,7 @@ from keystone import exception + from keystone.openstack.common import jsonutils + from keystone.openstack.common import timeutils + from keystone import tests ++from keystone.tests import default_fixtures + from keystone.tests import test_backend + from keystone.tests import test_utils + from keystone import token +@@ -115,6 +116,7 @@ class MemcacheToken(tests.TestCase, test_backend.TokenTests): + def setUp(self): + super(MemcacheToken, self).setUp() + self.load_backends() ++ self.load_fixtures(default_fixtures) + fake_client = MemcacheClient() + self.token_man = token.Manager() + self.token_man.driver = token_memcache.Token(client=fake_client) +diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py +index b3f991a..c0d6e36 100644 +--- a/keystone/token/backends/kvs.py ++++ b/keystone/token/backends/kvs.py +@@ -150,5 +150,7 @@ class Token(kvs.Base, token.Driver): + def flush_expired_tokens(self): + now = timeutils.utcnow() + for token, token_ref in self.db.items(): ++ if not token.startswith('revoked-token-'): ++ continue + if self.is_expired(now, token_ref): + self.db.delete(token) +diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py +index a6fe826..08c1c40 100644 +--- a/keystone/token/backends/memcache.py ++++ b/keystone/token/backends/memcache.py +@@ -83,12 +83,33 @@ class Token(token.Driver): + expires_ts = utils.unixtime(data_copy['expires']) + kwargs['time'] = expires_ts + self.client.set(ptk, data_copy, **kwargs) +- if 'id' in data['user']: +- user_id = data['user']['id'] +- user_key = self._prefix_user_id(user_id) +- # Append the new token_id to the token-index-list stored in the +- # user-key within memcache. 
+- self._update_user_list_with_cas(user_key, token_id, data_copy) ++ user_id = data['user']['id'] ++ user_key = self._prefix_user_id(user_id) ++ # Append the new token_id to the token-index-list stored in the ++ # user-key within memcache. ++ self._update_user_list_with_cas(user_key, token_id, data_copy) ++ if CONF.trust.enabled and data.get('trust_id'): ++ # NOTE(morganfainberg): If trusts are enabled and this is a trust ++ # scoped token, we add the token to the trustee list as well. This ++ # allows password changes of the trustee to also expire the token. ++ # There is no harm in placing the token in multiple lists, as ++ # _list_tokens is smart enough to handle almost any case of ++ # valid/invalid/expired for a given token. ++ token_data = data_copy['token_data'] ++ if data_copy['token_version'] == token.provider.V2: ++ trustee_user_id = token_data['access']['trust'][ ++ 'trustee_user_id'] ++ elif data_copy['token_version'] == token.provider.V3: ++ trustee_user_id = token_data['OS-TRUST:trust'][ ++ 'trustee_user_id'] ++ else: ++ raise token.provider.UnsupportedTokenVersionException( ++ _('Unknown token version %s') % ++ data_copy.get('token_version')) ++ ++ trustee_key = self._prefix_user_id(trustee_user_id) ++ self._update_user_list_with_cas(trustee_key, token_id, data_copy) ++ + return copy.deepcopy(data_copy) + + def _convert_user_index_from_json(self, token_list, user_key): +-- +cgit v0.9.2 diff --git a/sys-auth/keystone/keystone-2013.1.4-r3.ebuild b/sys-auth/keystone/keystone-2013.1.4-r3.ebuild new file mode 100644 index 000000000000..65e7499edaaf --- /dev/null +++ b/sys-auth/keystone/keystone-2013.1.4-r3.ebuild 
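Review bot: `UnsupportedTokenVersionException` is raised after the context line `self.client.set(ptk, data_copy, **kwargs)` has already stored the token, so a trust-scoped token with an unrecognised `token_version` is rejected to the caller yet remains live in memcache under the trustor's index only; the same holds if the trustee `_update_user_list_with_cas` call fails. Since the NOTE in this hunk states `_list_tokens` tolerates ids that are invalid or missing, the safer order is to run the version check and both index updates before `self.client.set(ptk, data_copy, **kwargs)`, or to `self.client.delete(ptk)` before re-raising. The new `user_id = data['user']['id']` also drops the former `if 'id' in data['user']:` guard, so such tokens now fail with a bare KeyError instead of being created unindexed — acceptable as fail-closed, but worth a one-line comment saying so. In kvs.py the added `if not token.startswith('revoked-token-'): continue` makes `flush_expired_tokens` skip every non-revocation entry without explanation; a comment such as `# user-index lists carry no 'expires'; only revocation records are flushed here` would document the intent, and whether expired token records under other prefixes now linger should be confirmed.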
@@ -0,0 +1,90 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.4-r3.ebuild,v 1.1 2014/03/16 19:54:35 prometheanfire Exp $ + +EAPI=5 +PYTHON_COMPAT=( python2_7 ) + +inherit distutils-r1 + +DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python." +HOMEPAGE="https://launchpad.net/keystone" +SRC_URI="http://launchpad.net/${PN}/grizzly/${PV}/+download/${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="+sqlite mysql postgres ldap test" +REQUIRED_USE="|| ( mysql postgres sqlite )" + +#todo, seperate out rdepend via use flags +DEPEND="dev-python/setuptools[${PYTHON_USEDEP}] + test? ( dev-python/Babel + dev-python/decorator + dev-python/eventlet + dev-python/greenlet + dev-python/httplib2 + dev-python/iso8601 + dev-python/lxml + dev-python/netifaces + dev-python/nose + dev-python/nosexcover + dev-python/passlib + dev-python/paste + dev-python/pastedeploy + dev-python/python-pam + dev-python/repoze-lru + dev-python/routes + dev-python/sphinx + >=dev-python/sqlalchemy-migrate-0.7 + dev-python/tempita + >=dev-python/webob-1.0.8 + dev-python/webtest + dev-python/python-memcached + )" +RDEPEND="dev-python/eventlet[${PYTHON_USEDEP}] + dev-python/greenlet[${PYTHON_USEDEP}] + >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}] + >=dev-python/python-keystoneclient-0.2.1[${PYTHON_USEDEP}] + <=dev-python/python-keystoneclient-0.3[${PYTHON_USEDEP}] + dev-python/lxml[${PYTHON_USEDEP}] + >=dev-python/oslo-config-1.1.0[${PYTHON_USEDEP}] + <dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}] + dev-python/passlib[${PYTHON_USEDEP}] + dev-python/paste[${PYTHON_USEDEP}] + dev-python/pastedeploy[${PYTHON_USEDEP}] + dev-python/python-daemon[${PYTHON_USEDEP}] + >=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}] + dev-python/routes[${PYTHON_USEDEP}] + >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}] + 
=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] + virtual/python-argparse[${PYTHON_USEDEP}] + sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.10[sqlite,${PYTHON_USEDEP}] ) + mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.10[mysql,${PYTHON_USEDEP}] ) + postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.10[postgres,${PYTHON_USEDEP}] ) + ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )" +PATCHES=( + "${FILESDIR}/2013.1.4-CVE-2013-4477.patch" + "${FILESDIR}/2013.1.4-CVE-2014-2237.patch" +) +# "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch" +# +python_test() { + # https://bugs.launchpad.net/keystone/+bug/1241956 + nosetests -e 'test_keystoneclient*' || die "testsuite failed under ${EPYTHON}" +} + +python_install() { + distutils-r1_python_install + newconfd "${FILESDIR}/keystone.confd" keystone + newinitd "${FILESDIR}/keystone.initd" keystone + + diropts -m 0750 + keepdir /etc/keystone /var/log/keystone + insinto /etc/keystone + doins etc/keystone.conf.sample etc/logging.conf.sample + doins etc/default_catalog.templates etc/policy.json +} diff --git a/sys-auth/keystone/keystone-2013.2.2-r1.ebuild b/sys-auth/keystone/keystone-2013.2.2-r1.ebuild new file mode 100644 index 000000000000..ab74a474bf9d --- /dev/null +++ b/sys-auth/keystone/keystone-2013.2.2-r1.ebuild 
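Review bot: `# "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"` is left commented out under PATCHES with no reason given, so a reader cannot tell whether CVE-2013-2157 is unpatched in this revision or already fixed in the 2013.1.4 release; replace it with `# CVE-2013-2157 is fixed upstream in 2013.1.4, no patch needed` if that is the case, otherwise re-enable the patch. The `test?` block in DEPEND lists packages without `[${PYTHON_USEDEP}]` while every RDEPEND atom carries it; the inconsistency is probably inherited from the previous revision, but this new file is the place to fix it. Note also that `diropts -m 0750` is applied to /etc/keystone and /var/log/keystone but, unlike the 2013.2.2-r1 ebuild in the same commit, no `fowners` follows, so both stay root-owned; that only matters if the init script runs the daemon as an unprivileged user, which this hunk does not show.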
@@ -0,0 +1,128 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.2-r1.ebuild,v 1.1 2014/03/16 19:54:35 prometheanfire Exp $ + +EAPI=5 + +PYTHON_COMPAT=( python2_7 ) + +inherit distutils-r1 user + +DESCRIPTION="The Openstack authentication, authorization, and service catalog written in Python." +HOMEPAGE="https://launchpad.net/keystone" +SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="+sqlite mysql postgres ldap test" +REQUIRED_USE="|| ( mysql postgres sqlite )" + +#todo, seperate out rdepend via use flags +RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}] + >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] + <dev-python/webob-1.3[${PYTHON_USEDEP}] + >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}] + >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}] + dev-python/netaddr[${PYTHON_USEDEP}] + >=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}] + dev-python/paste[${PYTHON_USEDEP}] + >=dev-python/routes-1.12.3[${PYTHON_USEDEP}] + sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] ) + mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] ) + postgres? 
( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}] + <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] ) + >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}] + dev-python/passlib[${PYTHON_USEDEP}] + >=dev-python/lxml-2.3[${PYTHON_USEDEP}] + >=dev-python/iso8601-0.1.8[${PYTHON_USEDEP}] + >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}] + >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}] + >=dev-python/Babel-1.3[${PYTHON_USEDEP}] + dev-python/oauth2[${PYTHON_USEDEP}] + >=dev-python/dogpile-cache-0.5.2[${PYTHON_USEDEP}] + dev-python/python-daemon[${PYTHON_USEDEP}] + virtual/python-argparse[${PYTHON_USEDEP}] + ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] ) + >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}] + <dev-python/pbr-1.0[${PYTHON_USEDEP}]" +DEPEND="dev-python/setuptools[${PYTHON_USEDEP}] + test? ( ${RDEPEND} + >=dev-python/coverage-3.6[${PYTHON_USEDEP}] + >=dev-python/hacking-0.5.6[${PYTHON_USEDEP}] + <dev-python/hacking-0.8[${PYTHON_USEDEP}] + dev-python/httplib2[${PYTHON_USEDEP}] + >=dev-python/keyring-1.6.1[${PYTHON_USEDEP}] + <dev-python/keyring-2.0[${PYTHON_USEDEP}] + >=dev-python/mox-0.5.3[${PYTHON_USEDEP}] + dev-python/nose[${PYTHON_USEDEP}] + dev-python/nosexcover[${PYTHON_USEDEP}] + >=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}] + >=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}] + dev-python/oslo-sphinx[${PYTHON_USEDEP}] + >=dev-python/requests-1.1[${PYTHON_USEDEP}] + >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}] + <dev-python/sphinx-1.2[${PYTHON_USEDEP}] + >=dev-python/testtools-0.9.32[${PYTHON_USEDEP}] + >=dev-python/webtest-2.0[${PYTHON_USEDEP}] + >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}] + ldap? 
( ~dev-python/python-ldap-2.3.13 ) ) + >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}] + <dev-python/pbr-1.0[${PYTHON_USEDEP}]" + +PATCHES=( + "${FILESDIR}/2013.2.2-CVE-2014-2237.patch" +) + +pkg_setup() { + enewgroup keystone + enewuser keystone -1 -1 /var/lib/keystone keystone +} + +python_prepare_all() { + mkdir ${PN}/tests/tmp || die + cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die + distutils-r1_python_prepare_all +} + +python_test() { + # https://bugs.launchpad.net/keystone/+bug/1262564 + nosetests || die "testsuite failed under python2.7" +} + +python_install() { + distutils-r1_python_install + newconfd "${FILESDIR}/keystone.confd" keystone + newinitd "${FILESDIR}/keystone.initd" keystone + + diropts -m 0750 + keepdir /etc/keystone /var/log/keystone + insinto /etc/keystone + doins etc/keystone.conf.sample etc/logging.conf.sample + doins etc/default_catalog.templates etc/policy.json + doins etc/policy.v3cloudsample.json etc/keystone-paste.ini + + fowners keystone:keystone /etc/keystone /var/log/keystone +} + +pkg_postinst() { + elog "You might want to run:" + elog "emerge --config =${CATEGORY}/${PF}" + elog "if this is a new install." + elog "If you have not already configured your openssl installation" + elog "please do it by modifying /etc/ssl/openssl.cnf" + elog "BEFORE issuing the configuration command." + elog "Otherwise default values will be used." +} + +pkg_config() { + if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then + einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..." + read + "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone + else + einfo "keystone PKI certificates directory already present, skipping configuration" + fi +} |
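Review bot: `nosetests || die "testsuite failed under python2.7"` hard-codes the interpreter name while the sibling 2013.1.4-r3 ebuild uses `${EPYTHON}`; `die "testsuite failed under ${EPYTHON}"` keeps the two consistent and stays correct if PYTHON_COMPAT grows. `mkdir ${PN}/tests/tmp || die` and the `cp` after it leave `${PN}` unquoted — harmless for this package name, but quote it like the rest of the file. `pkg_setup` gives the keystone user /var/lib/keystone as its home, yet no `keepdir /var/lib/keystone` appears, so the directory will be missing on a fresh install if the daemon or `keystone-manage` expects to write state there (not visible from this hunk, please confirm). The test-only `ldap? ( ~dev-python/python-ldap-2.3.13 )` also lacks `[${PYTHON_USEDEP}]`, unlike the RDEPEND entry for the same package.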