author | Matt Thode <prometheanfire@gentoo.org> | 2013-05-10 04:00:52 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2013-05-10 04:00:52 +0000 |
commit | e440999c3ce2ba0e4136ad38b0b2bdc7dad0ebca (patch) | |
tree | 70138a8087b7900835e3e16a4be4c7b6a53259d6 | |
parent | Restricting pypy1.9 as webob doesn't support it (diff) | |
download | historical-e440999c3ce2ba0e4136ad38b0b2bdc7dad0ebca.tar.gz historical-e440999c3ce2ba0e4136ad38b0b2bdc7dad0ebca.tar.bz2 historical-e440999c3ce2ba0e4136ad38b0b2bdc7dad0ebca.zip |
CVE-2013-2030 fix for keystone folsom
Package-Manager: portage-2.1.11.55/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
-rw-r--r-- | sys-auth/keystone/ChangeLog | 13 | ||||
-rw-r--r-- | sys-auth/keystone/Manifest | 38 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-0270.patch | 230 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-0282.patch | 91 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch | 52 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch | 107 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch | 50 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch | 41 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.4-r1.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4.ebuild) | 3 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.1-r1.ebuild | 89 |
10 files changed, 80 insertions, 634 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog index 9057ae3ff554..f94a340e1440 100644 --- a/sys-auth/keystone/ChangeLog +++ b/sys-auth/keystone/ChangeLog @@ -1,6 +1,17 @@ # ChangeLog for sys-auth/keystone # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.15 2013/05/10 02:47:10 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.16 2013/05/10 04:00:42 prometheanfire Exp $ + +*keystone-2012.2.4-r1 (10 May 2013) + + 10 May 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/keystone-folsom-4-CVE-2013-2030.patch, +keystone-2012.2.4-r1.ebuild, + -files/keystone-CVE-2013-0270.patch, -files/keystone-CVE-2013-0282.patch, + -files/keystone-CVE-2013-1664_1665.patch, + -files/keystone-folsom-3-CVE-2013-1865.patch, + -files/keystone-grizzly-1-CVE-2013-2006.patch, -keystone-2012.2.4.ebuild, + -keystone-2013.1-r1.ebuild: + CVE-2013-2030 fix for keystone folsom *keystone-2012.2.4 (10 May 2013) *keystone-2013.1.1 (10 May 2013) diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest index 89e54c4384f9..9ac5df9110c0 100644 --- a/sys-auth/keystone/Manifest +++ b/sys-auth/keystone/Manifest 
@@ -1,37 +1,31 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 -AUX keystone-CVE-2013-0270.patch 9329 SHA256 f6ca6b82a50569f897f8eb68a7d6e2663beade3e45cce04ae3cdd8013491bd13 SHA512 93525ac26022fd21ef94bee8ed7326bc3822f61f349cf9b1b27ef9b446b8feb1ff3e57360c7262c03577dca4a38be7bcb221d7192307700541ae667060114eb4 WHIRLPOOL 89669011b426196fd81157c2f7f1447b4b1028b65e742bf94560a0825ec71b925e88b93fbc224b1eba08cfceafbaf96b380d93092eedf0c3f52d51c86c3d3947 -AUX keystone-CVE-2013-0282.patch 3774 SHA256 3e916e5212d61c1384967dbab24c8a56fe0c4d37b3c6baf36e822ed5fb3b0b56 SHA512 c44dd5b6222986ba8a0c5af745de819f2c40fbfee51958b3553a491495b4f72a42c9a7d6a152f11ebfd579cf2cac40752ea4e0c919e2435c7df118cb487ae3f5 WHIRLPOOL dcb0bdba74aa37e191227589bdafbb724e2e7b50c8218a3d0be1c023361aa14f2dc327672463d1d5589685c89cbab796e880b590a97747f4210d717f05fd7ec2 -AUX keystone-CVE-2013-1664_1665.patch 1959 SHA256 b52bb0cbb5e6fb575ab609f59b043f149278fa3df83dfdbd43d0294270393a7c SHA512 12332bce7265923ae1881ceabb57d054b6083e83abd8f92c45be6688aa88ae8d9be8596a1df49e49d9d9244c6cef3bef14f8a1f8468086fe70eaea8f98dc067f WHIRLPOOL 2e10804a80c2b8d10293bc9d784cbb77c64da58ef75957706421529722df943d0213062f99ade56d45c8ad61f1c655c2fafa6cddc0ec07186681ae729113e614 -AUX keystone-folsom-3-CVE-2013-1865.patch 4100 SHA256 9b463052b78ec724c5ed7aa398552edc0ba2592d976b88ef2ba1b26269da82d8 SHA512 e5f92f6b8a4d29b28f248d77830e5828f2544d48c38b6eb45a0c130b77a88b49a31323e58bf79b2419ab0a23cb0e95a65e7ca50c5b39f482c52b3da8df91eac5 WHIRLPOOL f127a79d1cf48a9b44e0c5c68e7bb2e40578523d7026ad5ce42d80a49d2349e0b0168adc32d4950aec60828d3d2fa15335e817c75619b06d2b451f8034ea8da7 -AUX keystone-grizzly-1-CVE-2013-2006.patch 1614 SHA256 b403d024eed366f1cff844d93aa734d40bb6ab3ea5ad74c025c28820e695aa3b SHA512 b17ef5dbd065f75f3f3757746e3696d09e94be9fdda4f3d2a87daed4bde99a1224722248a4bd1a1b9b140504406ff4e3fa0417130fb70e982f4728966c757308 WHIRLPOOL 
67028752b48759ff752b8798000d0d9d3f4a5fe8688b0d817a27bb48a2d16f0cff62a25abff9ff75f52854d44eed1202e9ec5ca2d7e8cc98513de77f0f6e0c9a +AUX keystone-folsom-4-CVE-2013-2030.patch 2318 SHA256 fd824a4000da663568f26dbcfa6de031911ebdca1dea2c0958b3d5398d4d9ba6 SHA512 6b00a6d9062dd418299f9f02891fbfaa86f8f69db394ccfff31367555d1d7dbad1cf0d5a8647b61addeaabd2107b9f75cdc1986df8186de5c428f33533abffab WHIRLPOOL 842c4adb14c4a4501ea84c0082c0f28295027e27fee9957eafea6db9397a26c4955eb355b955d625bf5df818c1178af2267270aedec93bc47da8f17b59eaeca2 AUX keystone.confd 67 SHA256 8faa32d3354df30b1d1c98cf481be162c27583b84e387f8da57611b689bc2448 SHA512 75b040eda6ef8701e8dac8f34b3dd3c96aedde3b005fac01f20592b3d8afb8bbce57fadc466cda69d7192f96460a5c704d941a16b96d02f3e80f1a3e264c2efe WHIRLPOOL 8e8cb4e8991ca8d8cf1e874bd2286900ca63379c73793bca906ecfc1318ee63a8af6d1f6090e9ef296bfbe5abf018368a5ad6430de1efdea0db626d8c697f3c4 AUX keystone.initd 1177 SHA256 fcf7e532f2f3fad8413455f67d8e9c4c0522ff99e69bd95d4fff49d2dfa243ac SHA512 a0281f5fdd96963d9479a3463e6b5f1947a2c3c8694e464d4d293ef237392bed796ec7b8431e1add7b73334ed5e11158347f35ab562edda5f7aa7bdb9b05e51e WHIRLPOOL d819103e6f2bdd7ca4d5ab2f645f8ca168cc46567ff7c2d00cb2d536c08319aaa472b06b8f98cf2b6de940089f444e7aa752e4c9deeb849a834108394dfe1862 AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5 DIST keystone-2012.2.4.tar.gz 555448 SHA256 ab3a9a6c1f8ef9b95a73920883294f888f298db6330b8d4ed43e28354e8ca7af SHA512 481bde4372525c92144059c94d95ddac95dc720e486428f2e7ad1d5e0c6c2b6eb9a17be40f83c5866b522a512a2a3d331a08498c6704b794fea343fc2c0c1d93 WHIRLPOOL 
243d9fe82988fd6057ffdae7971b570cb129a168fba3f6a38ea105fadc51e7e9fbfd29d88bb389572fc00cfbe0cc17e9e4c4f4ebf9d61ff589148b1b0c171558 DIST keystone-2013.1.1.tar.gz 791324 SHA256 a00664dd20adf36e1e78a6b29f49f7947e2f2426c0ae375f8acde01e75bdb579 SHA512 7d4fd0cd649f783214dc3aad48853682db529fa336631e601d55c6b45355dbc670bcabf76f642db6808c5d46aae70062eb8fe5c5e3a20247954beb5a6c4fda7b WHIRLPOOL 96df00049325cc96c1b54ebecbb95cf8d47f0e580703ce8b8942e1e4f75604a98fc33f2972a1b1dffbba2225c502a692d7f84241ffc1f66da27f6a325789e08c -DIST keystone-2013.1.tar.gz 789365 SHA256 34347a3242a40d93b98c3722e6f3fbc112bc1c9ef20c045c3d40637e459b4574 SHA512 2f9d9ecb3cb0b2f282be31d280e0c202a5e818cdcd057919445bf8899827af59856b6e3e75000f83b1a97aefdf3d9454fa0dc16a2d4819a68e8f899c865c2a20 WHIRLPOOL b306ffafe3345225496e6e1505fa691f312b0ef6cea42cc7d78224da7569c2498997e74efe6c5b82d8bb20d2d2653aaeb8ec8c79703db10f97c72b04046153c7 -EBUILD keystone-2012.2.4.ebuild 2481 SHA256 b458e900d3410c79fe3c4286bebc9bb9315ff1a854e7daf9a5fb062c5ed5b34f SHA512 15f3b57f8b92e0a8d8593e8b0c40813796fa152e9e76d9e61b7e7ac7025b7a1165247353247471bfb057b019bc54c308430e0f6243ea1b7fe4ec13c86c20a88a WHIRLPOOL 670313f15a762a16bcbfba122530cc91f7830ff3f61c81a2322ab323042f3c313865f5a3a3f8e45cbd52890168a010da4eb73da1bb071a2491c7229ba4554544 -EBUILD keystone-2013.1-r1.ebuild 2974 SHA256 2abcfe8de51dcd00267177149abd02bea966c65f4acbf505476d968623e2a4d5 SHA512 549f3c839c037688d1a779fc1e28a234af6e18cdc3c68ac1bf7da254cbb27b4bf79b97aa794c62f42b908995f8e22864791c11550bb63f36097a97d4425c88f8 WHIRLPOOL 2df5d7e440d719b09c805c14e3064947de9f8929d27747a22980eecbc12edef0f0cff89bd284afc9d05f1ce2f4ed3ddd9274c9838998cbc4472466ce2d55316b +EBUILD keystone-2012.2.4-r1.ebuild 2537 SHA256 0bc4c0569924fe102b2ac51eabccf34fc4ec2604bbbf7489ab49ee3bf8e8f385 SHA512 8afbb76a747eb23457c7c9ba8ca01bbbd581020e50e3d6c95a85910179adc785260e5606cacd90bde180facd286ed255c22cacb1373cc885083ff1e44bc5ebac WHIRLPOOL 
4ba13422e3192ec45570951903ae84a4ad0b4e37c05884cf37a12b93965f46370eb6811b1e99dd718fa565b3f8278661fef6044800babac3a82528f53c265a68 EBUILD keystone-2013.1.1.ebuild 2920 SHA256 e6290cedad04b9c6801ce9c73a1b4e2b25cce8a53b3057c51b8880cabd36d2d3 SHA512 283de4603b1788135cbbe0ff31c26fa9290067cd945941093cbcd844ae37388577775c6e320db6353e8e3b1c664700a06a00c73584396c1a135fc1bf27ab6aed WHIRLPOOL 06fde096d6a034a1d2e2e5dd3ead39c4c6a63faa5bc741b18ef31b7a38809b6696aabc9b7f3cf342f03efe28ca149c8fea8c318e48e42dca0e5e150c7ade113b EBUILD keystone-9999.ebuild 2942 SHA256 048862e16792a3de401129f16b01fdfedbbcebc0f126dd1a39fb63c0118cd030 SHA512 767dccb4ce53d3162156f965c97bb4d33ff6d1d7dfd5efaa3a223d66915694f2d946e6e7774b73ac1c4f5a42af6228dafd3f30d3fb57da59bc293bae141a18a7 WHIRLPOOL 944e87af5b6a7f4276d49751d0b578052257c833350a568e7dd031f138b20a1714e38874f4992486fd8ca51d83e01516c055a244c634ec35e931149d120fdbc2 -MISC ChangeLog 3064 SHA256 0eaa8ab87c7f96259f079b29a078577fb074a888805d9bd4d6d59f9cbf4e23d7 SHA512 bad6510e1d53ba9ee035a3ba013c775da79c280dfc79e614330443d4c140a8c4854307bda987a665d881ff45d7db4b9e2323431d42364a823de54deb9c447235 WHIRLPOOL 929c4e5151c7975f9d376e2e0afa50c330f3fcffb882b6fbdc03e37a201002319f6c718ec86ca73ee659c7e55b56ea736df7ea5e7d736f74e2ef306cfde174be +MISC ChangeLog 3551 SHA256 c4c81a5230b085402a66a8e2480c992704e15c4d5837fbcd54c03d8ebcfe7918 SHA512 74a501fefec57991fe566a792328db7bb97189217924542d4aecdaab63ce76bd2806e7b3937c372772e254038ffedab1c74c8015e62d469a6386078becd387e9 WHIRLPOOL dfcf875e011d62bee441f5fd03909fb4bdeb21e5c889851a996499bbca5a864538ff0f0e25ad7698e8d0c44f4171642165d2d982b318a2005e04da7ae920fb47 MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iQIcBAEBCAAGBQJRjF/pAAoJECRx6z5ArFrDBGsQAL7Rjn1Lz/g1xD5CRO/iQJJi -TWUfthEz3+yA7ubGuIyZc6CBVSqkMRkd9mYGFHL5lPs/6dxkb4kx6tuoG+KW/hD1 -m0M2e6rI9x77IK90LGFnZnbVdUpjXZ5dhubVjN0C0ZIblabC4keD/+dWWieHkPMf -i+j+USlxXwqfk+b2uNKGsuNnfDyGEU4b1UedG8Et4PuiO2xtwBcdBIJQmhB67dyt -4Pa/5hqnzl/4M4T1VZwRWl6fL32D7qgnR36kNTosfA5OtRT8nvdthMvp4Te8zpvf -3xGM8UGDx9S+Cugor9LYFQmnJnKe8OSpfCI/CSMjxwMWDZuIsj3hCxrHwqQHh2i6 -lrwgx6fbnuOr2Voqqx+l+Aq82l4DSuNnC7PrpaD6ToiusiE6+Qbr8a5NxdWCnYRi -D2C6Yh0G3ntSh/oQp2Y17wxIuDCfWAKW1FG6XCHWp26UfNKDj+SSBG3FFEmg2/bz -gfWAO5EjTYLukN9PYQm8HxK/UCjUcI8fh8Nef4sHWkOBjH99s9qv+Ie3+pD6oJQi -JfSWMNUAfTfiTz6SY7+0Y7mcw0XtusXp+WgPwUDLrjCWgR5VexMnnG9j8IRc8wsX -atH6CnhJvs/mpAAgFuWaUUXw/jxAKKG87TUqkklRj2gHlABnFKzlz8TbryEsnALE -ZbshAd0DphN7mbTUuJcF -=/650 +iQIcBAEBCAAGBQJRjHEnAAoJECRx6z5ArFrDy7UQAIihf8NHVDk2Aaw81RohFCZZ +SK4ir+gekJ7cfMZ+fChTzv/feGcAL3H+GgrLfVMjziDLtvEkUk45YoR4uBL9OePk +H8lIBtEm9wZSK1k8Stiuknx8oLJVDY7NLW/br+bF2PO4mc4cOvpCJfAR2HBbKh2p +h0Lk8vaY7sOUT0+w1+Ok+QkHy5h/B9IfEydUK475NVCpxpufVu/zIjfaAo5UBT1j +ZrAaAXreyHsstaUGcMVo00i+vG8Kg6a3EvLxcVHBGID5foo91hG2UvaeMkvhZyjo +S3fTaNFNI3MEnDgDhP4f5yx1y39979/jsExBRMyN+pL11fpIC19y4NMYvFsK4rsF +qd5qgMAMbNS9VB75kX14qEg5/SU9boQqRLOeEiPpBDXfl1MhsNHnNd4U9uGm0XZ/ +jSHmL2HgdCQnTJODCmBRwkJcHZBQLPsSmnbQLS5Wlbl+t5REftk9bOMpd9iop0wb +3zbdcQZ7i7A5sBsDCsG0qzX6AoMKDBPEm9S+1PUp4xd3oR1Ygb84dxxi91rm8UE0 +Fd8LL8nAzdz9HC9uk0EfVLdDOSTgIRvMpgDfrPbYOtc66jrikjaiKcGFlJgPDLJn +JoFQ0xP8ODu6NULb0gqeNjPwWGkWH+QlUXl9TYTfTMRn+51YsHvm5ZvJ18YIkFcF +LTXNKfkGrPEqklJcGp7g +=duff -----END PGP SIGNATURE----- diff --git a/sys-auth/keystone/files/keystone-CVE-2013-0270.patch b/sys-auth/keystone/files/keystone-CVE-2013-0270.patch deleted file mode 100644 index 41b77c571d64..000000000000 --- a/sys-auth/keystone/files/keystone-CVE-2013-0270.patch +++ /dev/null 
@@ -1,230 +0,0 @@
-From bb2226f944aaa38beb7fc08ce0a78796e51e2680 Mon Sep 17 00:00:00 2001
-From: Dan Prince <dprince@redhat.com>
-Date: Thu, 10 Jan 2013 15:31:28 -0500
-Subject: [PATCH] Add size validations for /tokens.
-
-Updates /tokens controller so that it explicitly checks the max
-size of userId, username, tenantId, tenantname, token, and password
-before continuing with a request.
-
-Previously, when used with the SQL keystone backend an unauthenticated
-user could send in *really* large requests which would ultimately
-log large SQL exceptions and could thus fill up keystone logs on the
-disk.
-
-Change-Id: I0904d307bf79a3bf851ac052c11101f8380a12a7
----
- keystone/config.py | 3 ++
- keystone/exception.py | 13 +++++++++
- keystone/service.py | 27 ++++++++++++++++++
- tests/test_service.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 118 insertions(+)
-
-diff --git a/keystone/config.py b/keystone/config.py
-index 5fed916..c7d2f79 100644
---- a/keystone/config.py
-+++ b/keystone/config.py
-@@ -117,6 +117,9 @@ register_str('admin_port', default=35357)
- register_str('public_port', default=5000)
- register_str('onready')
- register_str('auth_admin_prefix', default='')
-+register_int('max_param_size', default=64)
-+# we allow tokens to be a bit larger to accomidate PKI
-+register_int('max_token_size', default=8192)
-
- #ssl options
- register_bool('enable', group='ssl', default=False)
-diff --git a/keystone/exception.py b/keystone/exception.py
-index c3b3ec8..bb4da37 100644
---- a/keystone/exception.py
-+++ b/keystone/exception.py
-@@ -51,6 +51,19 @@ class ValidationError(Error):
- title = 'Bad Request'
-
-
-+class ValidationSizeError(Error):
-+ """Request attribute %(attribute)s must be less than or equal to %(size)i.
-+
-+ The server could not comply with the request because the attribute
-+ size is invalid (too large).
-+
-+ The client is assumed to be in error.
-+
-+ """
-+ code = 400
-+ title = 'Bad Request'
-+
-+
- class Unauthorized(Error):
- """The request you have made requires authentication."""
- code = 401
-diff --git a/keystone/service.py b/keystone/service.py
-index d54c073..c088986 100644
---- a/keystone/service.py
-+++ b/keystone/service.py
-@@ -22,6 +22,7 @@ from keystone import config
- from keystone import catalog
- from keystone.common import cms
- from keystone.common import logging
-+from keystone.common import utils
- from keystone.common import wsgi
- from keystone import exception
- from keystone import identity
-@@ -31,6 +32,8 @@ from keystone import token
-
-
- LOG = logging.getLogger(__name__)
-+MAX_PARAM_SIZE = config.CONF.max_param_size
-+MAX_TOKEN_SIZE = config.CONF.max_token_size
-
-
- class AdminRouter(wsgi.ComposingRouter):
-@@ -288,9 +291,23 @@ class TokenController(wsgi.Application):
-
- if 'passwordCredentials' in auth:
- user_id = auth['passwordCredentials'].get('userId', None)
-+ if user_id and len(user_id) > MAX_PARAM_SIZE:
-+ raise exception.ValidationSizeError(attribute='userId',
-+ size=MAX_PARAM_SIZE)
- username = auth['passwordCredentials'].get('username', '')
-+ if len(username) > MAX_PARAM_SIZE:
-+ raise exception.ValidationSizeError(attribute='username',
-+ size=MAX_PARAM_SIZE)
- password = auth['passwordCredentials'].get('password', '')
-+ max_pw_size = utils.MAX_PASSWORD_LENGTH
-+ if len(password) > max_pw_size:
-+ raise exception.ValidationSizeError(attribute='password',
-+ size=max_pw_size)
-+
- tenant_name = auth.get('tenantName', None)
-+ if tenant_name and len(tenant_name) > MAX_PARAM_SIZE:
-+ raise exception.ValidationSizeError(attribute='tenantName',
-+ size=MAX_PARAM_SIZE)
-
- if username:
- try:
-@@ -302,6 +319,9 @@ class TokenController(wsgi.Application):
-
- # more compat
- tenant_id = auth.get('tenantId', None)
-+ if tenant_id and len(tenant_id) > MAX_PARAM_SIZE:
-+ raise exception.ValidationSizeError(attribute='tenantId',
-+ size=MAX_PARAM_SIZE)
- if tenant_name:
- try:
- tenant_ref = self.identity_api.get_tenant_by_name(
-@@ -342,7 +362,14 @@ class TokenController(wsgi.Application):
- catalog_ref = {}
- elif 'token' in auth:
- old_token = auth['token'].get('id', None)
-+
-+ if len(old_token) > MAX_TOKEN_SIZE:
-+ raise exception.ValidationSizeError(attribute='token',
-+ size=MAX_TOKEN_SIZE)
- tenant_name = auth.get('tenantName')
-+ if tenant_name and len(tenant_name) > MAX_PARAM_SIZE:
-+ raise exception.ValidationSizeError(attribute='tenantName',
-+ size=MAX_PARAM_SIZE)
-
- try:
- old_token_ref = self.token_api.get_token(context=context,
-diff --git a/tests/test_service.py b/tests/test_service.py
-index 6fb98c6..f48bd9a 100644
---- a/tests/test_service.py
-+++ b/tests/test_service.py
-@@ -17,6 +17,7 @@ import time
- import default_fixtures
-
- from keystone import config
-+from keystone import exception
- from keystone import service
- from keystone import test
- from keystone.identity.backends import kvs as kvs_identity
-@@ -25,6 +26,31 @@ from keystone.identity.backends import kvs as kvs_identity
- CONF = config.CONF
-
-
-+def _build_user_auth(token=None, user_id=None, username=None,
-+ password=None, tenant_id=None, tenant_name=None):
-+ """Build auth dictionary.
-+
-+ It will create an auth dictionary based on all the arguments
-+ that it receives.
-+ """
-+ auth_json = {}
-+ if token is not None:
-+ auth_json['token'] = token
-+ if username or password:
-+ auth_json['passwordCredentials'] = {}
-+ if username is not None:
-+ auth_json['passwordCredentials']['username'] = username
-+ if user_id is not None:
-+ auth_json['passwordCredentials']['userId'] = user_id
-+ if password is not None:
-+ auth_json['passwordCredentials']['password'] = password
-+ if tenant_name is not None:
-+ auth_json['tenantName'] = tenant_name
-+ if tenant_id is not None:
-+ auth_json['tenantId'] = tenant_id
-+ return auth_json
-+
-+
- class TokenExpirationTest(test.TestCase):
- def setUp(self):
- super(TokenExpirationTest, self).setUp()
-@@ -75,3 +101,52 @@ class TokenExpirationTest(test.TestCase):
- def test_maintain_uuid_token_expiration(self):
- self.opt_in_group('signing', token_format='UUID')
- self._maintain_token_expiration()
-+
-+
-+class AuthTest(test.TestCase):
-+ def setUp(self):
-+ super(AuthTest, self).setUp()
-+
-+ CONF.identity.driver = 'keystone.identity.backends.kvs.Identity'
-+ self.load_backends()
-+ self.load_fixtures(default_fixtures)
-+ self.api = service.TokenController()
-+
-+ def test_authenticate_user_id_too_large(self):
-+ """Verify sending large 'userId' raises the right exception."""
-+ body_dict = _build_user_auth(user_id='0' * 65, username='FOO',
-+ password='foo2')
-+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
-+ {}, body_dict)
-+
-+ def test_authenticate_username_too_large(self):
-+ """Verify sending large 'username' raises the right exception."""
-+ body_dict = _build_user_auth(username='0' * 65, password='foo2')
-+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
-+ {}, body_dict)
-+
-+ def test_authenticate_tenant_id_too_large(self):
-+ """Verify sending large 'tenantId' raises the right exception."""
-+ body_dict = _build_user_auth(username='FOO', password='foo2',
-+ tenant_id='0' * 65)
-+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
-+ {}, body_dict)
-+
-+ def test_authenticate_tenant_name_too_large(self):
-+ """Verify sending large 'tenantName' raises the right exception."""
-+ body_dict = _build_user_auth(username='FOO', password='foo2',
-+ tenant_name='0' * 65)
-+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
-+ {}, body_dict)
-+
-+ def test_authenticate_token_too_large(self):
-+ """Verify sending large 'token' raises the right exception."""
-+ body_dict = _build_user_auth(token={'id': '0' * 8193})
-+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
-+ {}, body_dict)
-+
-+ def test_authenticate_password_too_large(self):
-+ """Verify sending large 'password' raises the right exception."""
-+ body_dict = _build_user_auth(username='FOO', password='0' * 8193)
-+ self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
-+ {}, body_dict)
---
-1.7.9.5
-
diff --git a/sys-auth/keystone/files/keystone-CVE-2013-0282.patch b/sys-auth/keystone/files/keystone-CVE-2013-0282.patch
deleted file mode 100644
index d411847c3fe0..000000000000
--- a/sys-auth/keystone/files/keystone-CVE-2013-0282.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Nathanael Burton <nathanael.i.burton.work@gmail.com>
-Date: Tue, 19 Feb 2013 15:27:04 +0000 (-0600)
-Subject: Ensure user and tenant enabled in EC2
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=f0b4d300db5cc61d4f079f8bce9da8e8bea1081a
-
-Ensure user and tenant enabled in EC2
-
-Fixes bug 1121494.
-
-Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc
----
-
-diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
-index 064474c..ffc0eee 100644
---- a/keystone/contrib/ec2/core.py
-+++ b/keystone/contrib/ec2/core.py
-@@ -37,6 +37,7 @@ glance to list images needed to perform the requested task.
- import uuid
-
- from keystone import catalog
-+from keystone.common import logging
- from keystone.common import manager
- from keystone.common import utils
- from keystone.common import wsgi
-@@ -49,6 +50,7 @@ from keystone import token
-
-
- CONF = config.CONF
-+LOG = logging.getLogger(__name__)
-
-
- class Manager(manager.Manager):
-@@ -117,9 +119,9 @@ class Ec2Controller(wsgi.Application):
- credentials['host'] = hostname
- signature = signer.generate(credentials)
- if not utils.auth_str_equal(credentials.signature, signature):
-- raise exception.Unauthorized(message='Invalid EC2 signature.')
-+ raise exception.Unauthorized()
- else:
-- raise exception.Unauthorized(message='EC2 signature not supplied.')
-+ raise exception.Unauthorized()
-
- def authenticate(self, context, credentials=None, ec2Credentials=None):
- """Validate a signed EC2 request and provide a token.
-@@ -149,7 +151,7 @@ class Ec2Controller(wsgi.Application):
- credentials = ec2Credentials
-
- if not 'access' in credentials:
-- raise exception.Unauthorized(message='EC2 signature not supplied.')
-+ raise exception.Unauthorized()
-
- creds_ref = self._get_credentials(context,
- credentials['access'])
-@@ -161,9 +163,19 @@ class Ec2Controller(wsgi.Application):
- tenant_ref = self.identity_api.get_tenant(
- context=context,
- tenant_id=creds_ref['tenant_id'])
-+ # If the tenant is disabled don't allow them to authenticate
-+ if tenant_ref and not tenant_ref.get('enabled', True):
-+ msg = 'Tenant %s is disabled' % tenant_ref['id']
-+ LOG.warning(msg)
-+ raise exception.Unauthorized()
- user_ref = self.identity_api.get_user(
- context=context,
- user_id=creds_ref['user_id'])
-+ # If the user is disabled don't allow them to authenticate
-+ if not user_ref.get('enabled', True):
-+ msg = 'User %s is disabled' % user_ref['id']
-+ LOG.warning(msg)
-+ raise exception.Unauthorized()
- metadata_ref = self.identity_api.get_metadata(
- context=context,
- user_id=user_ref['id'],
-@@ -174,7 +186,7 @@ class Ec2Controller(wsgi.Application):
- # fill out the roles in the metadata
- roles = metadata_ref.get('roles', [])
- if not roles:
-- raise exception.Unauthorized(message='User not valid for tenant.')
-+ raise exception.Unauthorized()
- roles_ref = [self.identity_api.get_role(context, role_id)
- for role_id in roles]
-
-@@ -279,7 +291,7 @@ class Ec2Controller(wsgi.Application):
- creds = self.ec2_api.get_credential(context,
- credential_id)
- if not creds:
-- raise exception.Unauthorized(message='EC2 access key not found.')
-+ raise exception.Unauthorized()
- return creds
-
- def _assert_identity(self, context, user_id):
diff --git a/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch b/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch
deleted file mode 100644
index e87ca0be3cff..000000000000
--- a/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Dolph Mathews <dolph.mathews@gmail.com>
-Date: Tue, 19 Feb 2013 15:04:11 +0000 (-0600)
-Subject: Disable XML entity parsing
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=8a2274595ac628b2373eab0cb14690f866b7a024
-
-Disable XML entity parsing
-
-Fixes bug 1100282 and bug 1100279.
-
-Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123
----
-
-diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py
-index 734f7d1..72fe7f1 100644
---- a/keystone/common/serializer.py
-+++ b/keystone/common/serializer.py
-@@ -29,6 +29,16 @@ import re
- DOCTYPE = '<?xml version="1.0" encoding="UTF-8"?>'
- XMLNS = 'http://docs.openstack.org/identity/api/v2.0'
-
-+PARSER = etree.XMLParser(
-+ resolve_entities=False,
-+ remove_comments=True,
-+ remove_pis=True)
-+
-+# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
-+# lxml.etree._Entity instance, which doesn't appear to be part of the
-+# public API, so we discover the type dynamically to be safe
-+ENTITY_TYPE = type(etree.Entity('x'))
-+
-
- def from_xml(xml):
- """Deserialize XML to a dictionary."""
-@@ -51,7 +61,7 @@ def to_xml(d, xmlns=None):
- class XmlDeserializer(object):
- def __call__(self, xml_str):
- """Returns a dictionary populated by decoding the given xml string."""
-- dom = etree.fromstring(xml_str.strip())
-+ dom = etree.fromstring(xml_str.strip(), PARSER)
- return self.walk_element(dom)
-
- @staticmethod
-@@ -87,7 +97,8 @@ class XmlDeserializer(object):
- # current spec does not have attributes on an element with text
- values = values or text or {}
-
-- for child in [self.walk_element(x) for x in element]:
-+ for child in [self.walk_element(x) for x in element
-+ if not isinstance(x, ENTITY_TYPE)]:
- values = dict(values.items() + child.items())
-
- return {XmlDeserializer._tag_name(element.tag): values}
diff --git a/sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch b/sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch
deleted file mode 100644
index 49660f291869..000000000000
--- a/sys-auth/keystone/files/keystone-folsom-3-CVE-2013-1865.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 255b1d43500f5d98ec73a0056525b492b14fec05 Mon Sep 17 00:00:00 2001
-From: Adam Young <ayoung@redhat.com>
-Date: Wed, 20 Mar 2013 09:49:32 -0500
-Subject: [PATCH] validate from backend (bug 1129713)
-
-In certain cases we were depending on CMS to validate PKI tokens
-but that is not necessary, and by passes the revocation check
-
-Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
----
- keystone/service.py | 19 ++++++-------------
- tests/test_service.py | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 57 insertions(+), 13 deletions(-)
-
-diff --git a/keystone/service.py b/keystone/service.py
-index c088986..9799e3a 100644
---- a/keystone/service.py
-+++ b/keystone/service.py
-@@ -490,20 +490,13 @@ class TokenController(wsgi.Application):
- """
- # TODO(termie): this stuff should probably be moved to middleware
- self.assert_admin(context)
-+ data = self.token_api.get_token(context=context, token_id=token_id)
-+ if belongs_to:
-+ if (not data.get('tenant') or data['tenant'].get('id') !=
-+ belongs_to):
-+ raise exception.Unauthorized()
-
-- if cms.is_ans1_token(token_id):
-- data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
-- config.CONF.signing.certfile,
-- config.CONF.signing.ca_certs))
-- data['access']['token']['user'] = data['access']['user']
-- data['access']['token']['metadata'] = data['access']['metadata']
-- if belongs_to:
-- assert data['access']['token']['tenant']['id'] == belongs_to
-- token_ref = data['access']['token']
-- else:
-- token_ref = self.token_api.get_token(context=context,
-- token_id=token_id)
-- return token_ref
-+ return data
-
- # admin only
- def validate_token_head(self, context, token_id):
-diff --git a/tests/test_service.py b/tests/test_service.py
-index f48bd9a..487e5ac 100644
---- a/tests/test_service.py
-+++ b/tests/test_service.py
-@@ -150,3 +150,54 @@ class AuthTest(test.TestCase):
- body_dict = _build_user_auth(username='FOO', password='0' * 8193)
- self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
- {}, body_dict)
-+
-+
-+class AuthWithToken(AuthTest):
-+ def setUp(self):
-+ super(AuthWithToken, self).setUp()
-+
-+ def test_belongs_to_no_tenant(self):
-+ r = self.api.authenticate(
-+ {},
-+ auth={
-+ 'passwordCredentials': {
-+ 'username': self.user_foo['name'],
-+ 'password': self.user_foo['password']
-+ }
-+ })
-+ unscoped_token_id = r['access']['token']['id']
-+ self.assertRaises(
-+ exception.Unauthorized,
-+ self.api.validate_token,
-+ dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
-+ token_id=unscoped_token_id)
-+
-+ def test_belongs_to_wrong_tenant(self):
-+ body_dict = _build_user_auth(
-+ username='FOO',
-+ password='foo2',
-+ tenant_name="BAR")
-+
-+ scoped_token = self.api.authenticate({}, body_dict)
-+ scoped_token_id = scoped_token['access']['token']['id']
-+
-+ self.assertRaises(
-+ exception.Unauthorized,
-+ self.api.validate_token,
-+ dict(is_admin=True, query_string={'belongsTo': 'me'}),
-+ token_id=scoped_token_id)
-+
-+ def test_belongs_to(self):
-+ body_dict = _build_user_auth(
-+ username='FOO',
-+ password='foo2',
-+ tenant_name="BAR")
-+
-+ scoped_token = self.api.authenticate({}, body_dict)
-+ scoped_token_id = scoped_token['access']['token']['id']
-+
-+ self.assertRaises(
-+ exception.Unauthorized,
-+ self.api.validate_token,
-+ dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
-+ token_id=scoped_token_id)
---
-1.8.1.5
-
diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch
new file mode 100644
index 000000000000..616143be18c9
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2030.patch
@@ -0,0 +1,50 @@
+From 24c25b38ed6fc95ed919ab34463cdb10bdcc57fd Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews@gmail.com>
+Date: Wed, 8 May 2013 10:49:20 -0500
+Subject: [PATCH] Securely create signing_dir (bug 1174608)
+
+Also verifies the security of an existing signing_dir.
+
+Change-Id: I0685b4274a94ad3974a2b2a7ab3f45830d3934bb
+(cherry picked from python-keystoneclient 1736e2ffb12f70eeebed019448bc14def48aa036)
+---
+ keystone/middleware/auth_token.py | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py
+index ddadf9f..01e6c58 100644
+--- a/keystone/middleware/auth_token.py
++++ b/keystone/middleware/auth_token.py
+@@ -219,15 +219,20 @@ class AuthProtocol(object):
+ self.signing_dirname = '%s/keystone-signing' % os.environ['HOME']
+ LOG.info('Using %s as cache directory for signing certificate' %
+ self.signing_dirname)
+- if (os.path.exists(self.signing_dirname) and
+- not os.access(self.signing_dirname, os.W_OK)):
+- raise ConfigurationError("unable to access signing dir %s" %
+- self.signing_dirname)
+-
+- if not os.path.exists(self.signing_dirname):
+- os.makedirs(self.signing_dirname)
+- #will throw IOError if it cannot change permissions
+- os.chmod(self.signing_dirname, stat.S_IRWXU)
++ if os.path.exists(self.signing_dirname):
++ if not os.access(self.signing_dirname, os.W_OK):
++ raise ConfigurationError(
++ 'unable to access signing_dir %s' % self.signing_dirname)
++ if os.stat(self.signing_dirname).st_uid != os.getuid():
++ LOG.warning(
++ 'signing_dir is not owned by %s' % os.getlogin())
++ current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode)
++ if current_mode != stat.S_IRWXU:
++ LOG.warning(
++ 'signing_dir mode is %s instead of %s' %
++ (oct(current_mode), oct(stat.S_IRWXU)))
++ else:
++ os.makedirs(self.signing_dirname, stat.S_IRWXU)
+
+ val = '%s/signing_cert.pem' % self.signing_dirname
+ self.signing_cert_file_name = val
+--
+1.8.1.5
+
diff --git a/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch b/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch
deleted file mode 100644
index d9b0b3472ceb..000000000000
--- a/sys-auth/keystone/files/keystone-grizzly-1-CVE-2013-2006.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd Mon Sep 17 00:00:00 2001
-From: Xuhan Peng <xuhanp@cn.ibm.com>
-Date: Fri, 12 Apr 2013 16:19:37 +0800
-Subject: [PATCH] Mark LDAP password and admin_token secret
-
-Add secret=True to LDAP password and admin_token
-of keystone configuration.
-
-Fix bug #1172195
-
-Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75
-(cherry picked from commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8)
----
- keystone/common/config.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/keystone/common/config.py b/keystone/common/config.py
-index edecee0..82c31e6 100644
---- a/keystone/common/config.py
-+++ b/keystone/common/config.py
-@@ -188,7 +188,7 @@ def configure():
- register_cli_str('pydev-debug-host', default=None)
- register_cli_int('pydev-debug-port', default=None)
-
-- register_str('admin_token', default='ADMIN')
-+ register_str('admin_token', secret=True, default='ADMIN')
- register_str('bind_host', default='0.0.0.0')
- register_int('compute_port', default=8774)
- register_int('admin_port', default=35357)
-@@ -271,7 +271,7 @@ def configure():
- # ldap
- register_str('url', group='ldap', default='ldap://localhost')
- register_str('user', group='ldap', default=None)
-- register_str('password', group='ldap', default=None)
-+ register_str('password', group='ldap', secret=True, default=None)
- register_str('suffix', group='ldap', default='cn=example,cn=com')
- register_bool('use_dumb_member', group='ldap', default=False)
- register_str('dumb_member', group='ldap', default='cn=dumb,dc=nonexistent')
---
-1.8.1.5
-
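Review bot: In the added signing_dir check for keystone/middleware/auth_token.py (carried in keystone-folsom-4-CVE-2013-2030.patch), the ownership warning is formatted with `os.getlogin()`, which raises OSError when the process has no controlling terminal, as is usual for a service started from an init script, so that branch can abort middleware start-up instead of logging. Formatting the message from the uid avoids this: `'signing_dir is not owned by uid %s' % os.getuid())`. Separately, an existing directory with a different owner or a mode other than 0700 is only logged and then used, so a directory that another local user prepared in advance is still accepted; raising `ConfigurationError` in those two branches would make the check fail closed. The enclosing AuthProtocol method starts and ends outside the hunk.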
diff --git a/sys-auth/keystone/keystone-2012.2.4.ebuild b/sys-auth/keystone/keystone-2012.2.4-r1.ebuild index ccde2c02c823..b138eb805c28 100644 --- a/sys-auth/keystone/keystone-2012.2.4.ebuild +++ b/sys-auth/keystone/keystone-2012.2.4-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4.ebuild,v 1.1 2013/05/10 02:47:10 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r1.ebuild,v 1.1 2013/05/10 04:00:42 prometheanfire Exp $ EAPI=5 #test restricted becaues of bad requirements given (old webob for instance) @@ -70,6 +70,7 @@ RDEPEND="${DEPEND} #} PATCHES=( + "${FILESDIR}/keystone-folsom-4-CVE-2013-2030.patch" ) python_install() { diff --git a/sys-auth/keystone/keystone-2013.1-r1.ebuild b/sys-auth/keystone/keystone-2013.1-r1.ebuild deleted file mode 100644 index cf05507f7dbc..000000000000 --- a/sys-auth/keystone/keystone-2013.1-r1.ebuild +++ /dev/null 
@@ -1,89 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1-r1.ebuild,v 1.1 2013/05/06 15:57:35 prometheanfire Exp $
-
-EAPI=5
-#test restricted becaues of bad requirements given (old webob for instance)
-RESTRICT="test"
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1
-
-DESCRIPTION="Keystone is the Openstack authentication, authorization, and
-service catalog written in Python."
-HOMEPAGE="https://launchpad.net/keystone"
-SRC_URI="http://launchpad.net/${PN}/grizzly/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="folsom"
-KEYWORDS="~amd64 ~x86"
-IUSE="+sqlite mysql postgres ldap"
-#IUSE="+sqlite mysql postgres ldap test"
-REQUIRED_USE="|| ( ldap mysql postgres sqlite )"
-
-#todo, seperate out rdepend via use flags
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]"
-RDEPEND="${DEPEND}
- dev-python/eventlet[${PYTHON_USEDEP}]
- dev-python/greenlet[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.2.1[${PYTHON_USEDEP}]
- <=dev-python/python-keystoneclient-0.3[${PYTHON_USEDEP}]
- dev-python/lxml[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.1.0[${PYTHON_USEDEP}]
- dev-python/passlib[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- dev-python/pastedeploy[${PYTHON_USEDEP}]
- dev-python/python-daemon
- >=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
- dev-python/routes[${PYTHON_USEDEP}]
- >=dev-python/sqlalchemy-migrate-0.7.2
- =dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite]
- <=dev-python/sqlalchemy-0.7.9[sqlite] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql]
- <=dev-python/sqlalchemy-0.7.9[mysql] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres]
- <=dev-python/sqlalchemy-0.7.9[postgres] )
- ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )"
-# test? ( dev-python/Babel
-# dev-python/decorator
-# dev-python/eventlet
-# dev-python/greenlet
-# dev-python/httplib2
-# dev-python/iso8601
-# dev-python/lxml
-# dev-python/netifaces
-# dev-python/nose
-# dev-python/nosexcover
-# dev-python/passlib
-# dev-python/paste
-# dev-python/pastedeploy
-# dev-python/python-pam
-# dev-python/repoze-lru
-# dev-python/routes
-# dev-python/sphinx
-# >=dev-python/sqlalchemy-migrate-0.7
-# dev-python/tempita
-# >=dev-python/webob-1.0.8
-# dev-python/webtest
-# )
-PATCHES=( "${FILESDIR}"/keystone-grizzly-1-CVE-2013-2006.patch )
-#
-#python_test() {
-# "${PYTHON}" setup.py nosetests || die
-#}
-
-python_install() {
- distutils-r1_python_install
- newconfd "${FILESDIR}/keystone.confd" keystone
- newinitd "${FILESDIR}/keystone.initd" keystone
-
- diropts -m 0750
- dodir /var/run/keystone /var/log/keystone /etc/keystone
- keepdir /etc/keystone
- insinto /etc/keystone
- doins etc/keystone.conf.sample etc/logging.conf.sample
- doins etc/default_catalog.templates etc/policy.json
-} |