[openstack-heat/el6-icehouse] Updated patches from el6-icehouse-patches
Jeff Peeler
jpeeler at fedoraproject.org
Mon Jan 27 19:31:54 UTC 2014
commit f6c7538edc6314514bf6d4e0ba5cd2f03c45a50a
Author: Jeff Peeler <jpeeler at redhat.com>
Date: Mon Jan 27 14:23:17 2014 -0500
Updated patches from el6-icehouse-patches
0001-Switch-to-using-M2Crypto.patch | 47 ++++++++-----
0002-remove-pbr-runtime-dependency.patch | 6 +-
...ust-to-handle-parallel-installed-packages.patch | 6 +-
...ix-adding-heat_stack_user-role-via-v3-API.patch | 75 ++++++++++++++++++++
openstack-heat.spec | 2 +
5 files changed, 113 insertions(+), 23 deletions(-)
---
diff --git a/0001-Switch-to-using-M2Crypto.patch b/0001-Switch-to-using-M2Crypto.patch
index 0bdca9f..ade1af8 100644
--- a/0001-Switch-to-using-M2Crypto.patch
+++ b/0001-Switch-to-using-M2Crypto.patch
@@ -1,4 +1,4 @@
-From dea5121ac0e9f497551bc39f51b9d3064fcf5410 Mon Sep 17 00:00:00 2001
+From d3d66e9649afaeac0dd3475c8c58ee1f71d67599 Mon Sep 17 00:00:00 2001
From: Jeff Peeler <jpeeler at redhat.com>
Date: Wed, 8 May 2013 12:27:35 -0400
Subject: [PATCH] Switch to using M2Crypto
@@ -6,39 +6,52 @@ Subject: [PATCH] Switch to using M2Crypto
This patch uses M2Crypto instead of PyCrypto to perform encryption
and decryption of user authentication information.
---
- heat/common/crypt.py | 18 +++++++++++-------
- requirements.txt | 2 +-
- 2 files changed, 12 insertions(+), 8 deletions(-)
+ heat/common/crypt.py | 31 ++++++++++++++-----------------
+ requirements.txt | 2 +-
+ 2 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/heat/common/crypt.py b/heat/common/crypt.py
-index 81b4c92..2619b31 100644
+index 8d27617..e8e34a8 100644
--- a/heat/common/crypt.py
+++ b/heat/common/crypt.py
-@@ -14,7 +14,7 @@
+@@ -14,7 +14,9 @@
# under the License.
import base64
-from Crypto.Cipher import AES
+import M2Crypto
- from os import urandom
-
++from os import urandom
++
from oslo.config import cfg
-@@ -36,9 +36,11 @@ logger = logging.getLogger(__name__)
+
+ from heat.openstack.common.crypto import utils
+@@ -35,19 +37,12 @@ logger = logging.getLogger(__name__)
def encrypt(auth_info):
if auth_info is None:
- return None
-- iv = urandom(AES.block_size)
-- cipher = AES.new(cfg.CONF.auth_encryption_key[:32], AES.MODE_CFB, iv)
-- res = base64.b64encode(iv + cipher.encrypt(auth_info))
+ return None, None
+- sym = utils.SymmetricCrypto()
+- res = sym.encrypt(cfg.CONF.auth_encryption_key[:32],
+- auth_info, b64encode=True)
+- return 'oslo_decrypt_v1', res
+-
+-
+-def oslo_decrypt_v1(auth_info):
+- if auth_info is None:
+- return None
+- sym = utils.SymmetricCrypto()
+- return sym.decrypt(cfg.CONF.auth_encryption_key[:32],
+- auth_info, b64decode=True)
+-
+ iv = urandom(16)
+ cipher = M2Crypto.EVP.Cipher(alg='aes_128_cbc',
+ key=cfg.CONF.auth_encryption_key[:32], iv=iv,
+ op=1) # 1 is encode
+ res = base64.b64encode(iv + cipher.update(auth_info) + cipher.final())
- return res
-
++ return 'heat_decrypt', res
-@@ -46,7 +48,9 @@ def decrypt(auth_info):
+ def heat_decrypt(auth_info):
+ """Decrypt function for data that has been encrypted using an older
+@@ -61,7 +56,9 @@ def heat_decrypt(auth_info):
if auth_info is None:
return None
auth = base64.b64decode(auth_info)
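Review bot: In the new `encrypt`, `alg='aes_128_cbc'` is paired with `key=cfg.CONF.auth_encryption_key[:32]`; AES-128 takes a 16-byte key, so the cipher most likely uses only the first 16 bytes of that slice and the rest of the configured key adds nothing. Make the code say what it does with `key=cfg.CONF.auth_encryption_key[:16]`, or move `encrypt` and `heat_decrypt` to `aes_256_cbc` together, with a migration for values already stored. The output is also plain CBC with no integrity check, so a modified stored blob is not detected before decryption; that deserves at least a comment next to the `base64.b64encode(iv + ...)` line, for example `# NOTE: ciphertext is not authenticated; tampering is not detected`. The bare `op=1` would read better as a named constant than with the `# 1 is encode` comment. The body of `heat_decrypt` continues past the end of this hunk.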
@@ -52,7 +65,7 @@ index 81b4c92..2619b31 100644
+ res = cipher.update(auth[16:]) + cipher.final()
return res
diff --git a/requirements.txt b/requirements.txt
-index 372eba1..019e9c2 100644
+index 11fb75d..969bbb4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
diff --git a/0002-remove-pbr-runtime-dependency.patch b/0002-remove-pbr-runtime-dependency.patch
index 21634dd..b5d280f 100644
--- a/0002-remove-pbr-runtime-dependency.patch
+++ b/0002-remove-pbr-runtime-dependency.patch
@@ -1,11 +1,11 @@
-From b2e70401d8928ecf00d70067fd6d4e51c4ba1a20 Mon Sep 17 00:00:00 2001
+From b47914a0e800cce0dcdb81e3d7ee8cd0e134a9ad Mon Sep 17 00:00:00 2001
From: Jeff Peeler <jpeeler at redhat.com>
Date: Mon, 14 Oct 2013 14:30:34 -0400
Subject: [PATCH] remove pbr runtime dependency
---
- heat/version.py | 12 ++++++++++--
- 1 files changed, 10 insertions(+), 2 deletions(-)
+ heat/version.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/heat/version.py b/heat/version.py
index a717606..8ea213a 100644
diff --git a/0003-Adjust-to-handle-parallel-installed-packages.patch b/0003-Adjust-to-handle-parallel-installed-packages.patch
index 67b9d5d..148f191 100644
--- a/0003-Adjust-to-handle-parallel-installed-packages.patch
+++ b/0003-Adjust-to-handle-parallel-installed-packages.patch
@@ -1,11 +1,11 @@
-From 4b001b065d15d19dfbb10d6daefac0fb77a9f829 Mon Sep 17 00:00:00 2001
+From ebc95c27e3dc00e3667b81a0aaa8a864ac2d9758 Mon Sep 17 00:00:00 2001
From: Jeff Peeler <jpeeler at redhat.com>
Date: Tue, 2 Apr 2013 18:08:48 -0400
Subject: [PATCH] Adjust to handle parallel installed packages
---
- heat/__init__.py | 33 +++++++++++++++++++++++++++++++++
- 1 files changed, 33 insertions(+), 0 deletions(-)
+ heat/__init__.py | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
diff --git a/heat/__init__.py b/heat/__init__.py
index 57e2d0f..d9df4ce 100644
diff --git a/0004-Fix-adding-heat_stack_user-role-via-v3-API.patch b/0004-Fix-adding-heat_stack_user-role-via-v3-API.patch
new file mode 100644
index 0000000..5ac18f3
--- /dev/null
+++ b/0004-Fix-adding-heat_stack_user-role-via-v3-API.patch
@@ -0,0 +1,75 @@
+From 38f40560d8d27f80d4b3164ca00e1701a36442ca Mon Sep 17 00:00:00 2001
+From: Steven Hardy <shardy at redhat.com>
+Date: Tue, 21 Jan 2014 14:51:16 +0000
+Subject: [PATCH] Fix adding heat_stack_user role via v3 API
+
+A regression was introduced via 301a894 because it expects
+keystoneclient functionality which is not yet merged/released,
+so instead of passing the name to roles.list() we must filter
+the results locally to lookup the role ID.
+
+The lack of filtering support is a general issue with the v3
+keystoneclient interfaces, so when it's fixed we can remove
+this workaround.
+
+Closes-Bug: #1271190
+Change-Id: I1b29cc131496e4b19493a8cd8e6d4ed913db0938
+---
+ heat/common/heat_keystoneclient.py | 10 +++++++---
+ heat/tests/test_heatclient.py | 13 ++++++++++++-
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
+index 93f7c0c..2b7a29b 100644
+--- a/heat/common/heat_keystoneclient.py
++++ b/heat/common/heat_keystoneclient.py
+@@ -253,10 +253,14 @@ class KeystoneClient(object):
+ # This role is designed to allow easier differentiation of the
+ # heat-generated "stack users" which will generally have credentials
+ # deployed on an instance (hence are implicitly untrusted)
+- stack_user_role = self.client_v3.roles.list(
+- name=cfg.CONF.heat_stack_user_role)
++ # FIXME(shardy): The v3 keystoneclient doesn't currently support
++ # filtering the results, so we have to do it locally, update when
++ # that is fixed in keystoneclient
++ roles_list = self.client_v3.roles.list()
++ stack_user_role = [r for r in roles_list
++ if r.name == cfg.CONF.heat_stack_user_role]
+ if len(stack_user_role) == 1:
+- role_id = stack_user_role[0]
++ role_id = stack_user_role[0].id
+ logger.debug(_("Adding user %(user)s to role %(role)s") % {
+ 'user': user.id, 'role': role_id})
+ self.client_v3.roles.grant(role=role_id, user=user.id,
+diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py
+index 1d0f79e..85a503b 100644
+--- a/heat/tests/test_heatclient.py
++++ b/heat/tests/test_heatclient.py
+@@ -139,6 +139,7 @@ class KeystoneClientTest(HeatTestCase):
+ # mock keystone client user functions
+ self.mock_ks_v3_client.users = self.m.CreateMockAnything()
+ mock_user = self.m.CreateMockAnything()
++ mock_user.id = 'auser123'
+ # when keystone is called, the name should have been truncated
+ # to the last 64 characters of the long name
+ self.mock_ks_v3_client.users.create(name=good_user_name,
+@@ -147,8 +148,18 @@ class KeystoneClientTest(HeatTestCase):
+ ).AndReturn(mock_user)
+ # mock out the call to roles; will send an error log message but does
+ # not raise an exception
++ mock_roles_list = []
++ for r_id, r_name in (('1234', 'blah'), ('4546', 'heat_stack_user')):
++ mock_role = self.m.CreateMockAnything()
++ mock_role.id = r_id
++ mock_role.name = r_name
++ mock_roles_list.append(mock_role)
++
+ self.mock_ks_v3_client.roles = self.m.CreateMockAnything()
+- self.mock_ks_v3_client.roles.list(name='heat_stack_user').AndReturn([])
++ self.mock_ks_v3_client.roles.list().AndReturn(mock_roles_list)
++ self.mock_ks_v3_client.roles.grant(project=ctx.tenant_id,
++ role='4546',
++ user='auser123').AndReturn(None)
+ self.m.ReplayAll()
+ # call create_stack_user with a long user name.
+ # the cleanup VerifyAll should verify that though we passed
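Review bot: The test change in `heat/tests/test_heatclient.py` replaces the only visible case where no matching role is found (`roles.list(name='heat_stack_user').AndReturn([])`) with a success case, so the branch taken when `len(stack_user_role) != 1` is no longer exercised in this hunk. The code comment describes this role as the marker for implicitly untrusted stack users, so the path where the user is created but the role is not granted deserves its own test: one that returns a role list without `heat_stack_user` and expects no `roles.grant` call. The retained comment `will send an error log message but does not raise an exception` now describes the old expectation and should be reworded, e.g. `# roles.list() returns all roles; the matching one is granted to the user`. Both the test method and `create_stack_user` start and end outside the hunk, so other tests may already cover the failure path.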
diff --git a/openstack-heat.spec b/openstack-heat.spec
index 8d36ad6..3ba8fdd 100644
--- a/openstack-heat.spec
+++ b/openstack-heat.spec
@@ -29,6 +29,7 @@ Source20: heat-dist.conf
Patch0001: 0001-Switch-to-using-M2Crypto.patch
Patch0002: 0002-remove-pbr-runtime-dependency.patch
Patch0003: 0003-Adjust-to-handle-parallel-installed-packages.patch
+Patch0004: 0004-Fix-adding-heat_stack_user-role-via-v3-API.patch
BuildArch: noarch
BuildRequires: git
@@ -81,6 +82,7 @@ Requires: %{name}-api-cloudwatch = %{version}-%{release}
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
+%patch0004 -p1
sed -i s/REDHATHEATVERSION/%{version}/ heat/version.py
sed -i s/REDHATHEATRELEASE/%{release}/ heat/version.py