[openstack-heat] readd PBR and migration patches

Ryan Brown ryansb at fedoraproject.org
Tue Sep 9 18:08:47 UTC 2014


commit 243ffcea994cb541f94dcf8774067a8832bbefd7
Author: Ryan S. Brown <rybrown at redhat.com>
Date:   Tue Sep 9 14:08:42 2014 -0400

    readd PBR and migration patches

 0001-remove-pbr-runtime-dependency.patch           |   30 ++++++++
 ...bility-patch-to-allow-smooth-migration-aw.patch |   70 ++++++++++++++++++++
 openstack-heat.spec                                |    3 +
 3 files changed, 103 insertions(+), 0 deletions(-)
---
diff --git a/0001-remove-pbr-runtime-dependency.patch b/0001-remove-pbr-runtime-dependency.patch
new file mode 100644
index 0000000..46ff786
--- /dev/null
+++ b/0001-remove-pbr-runtime-dependency.patch
@@ -0,0 +1,30 @@
+From 185006cecf9e6f18d1182725894f8966ac116d5b Mon Sep 17 00:00:00 2001
+From: Jeff Peeler <jpeeler at redhat.com>
+Date: Mon, 14 Oct 2013 14:30:34 -0400
+Subject: [PATCH] remove pbr runtime dependency
+
+---
+ heat/version.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/heat/version.py b/heat/version.py
+index a8cd2d7..5383da8 100644
+--- a/heat/version.py
++++ b/heat/version.py
+@@ -12,6 +12,14 @@
+ #    under the License.
+ 
+ 
+-import pbr.version
++class VersionInfo(object):
++    release = 'REDHATHEATRELEASE'
++    version = 'REDHATHEATVERSION'
+ 
+-version_info = pbr.version.VersionInfo('heat')
++    def version_string(self):
++        return self.version
++
++    def release_string(self):
++        return self.release
++
++version_info = VersionInfo()
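Review bot: `release = 'REDHATHEATRELEASE'` and `version = 'REDHATHEATVERSION'` in the new `VersionInfo` class are literal placeholders, and nothing in this commit's visible spec hunk substitutes them. If the spec rewrites them at build time outside the lines shown here, say so next to the attributes, for example `# Placeholder; replaced with the package version by the spec at build time`. If it does not, `version_string()` and `release_string()` return the placeholder text, and anything that matches the running Heat version against advisories or logs gets a meaningless value. The class also has no docstring saying it stands in for `pbr.version.VersionInfo('heat')` and offers only these two methods.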
diff --git a/0002-Add-compatability-patch-to-allow-smooth-migration-aw.patch b/0002-Add-compatability-patch-to-allow-smooth-migration-aw.patch
new file mode 100644
index 0000000..d21a3f2
--- /dev/null
+++ b/0002-Add-compatability-patch-to-allow-smooth-migration-aw.patch
@@ -0,0 +1,70 @@
+From 3afae514cc22a30acc5a3dae76ec2a6ca3c83f9f Mon Sep 17 00:00:00 2001
+From: Jeff Peeler <jpeeler at redhat.com>
+Date: Sat, 21 Jun 2014 00:28:04 -0400
+Subject: [PATCH] Add compatability patch to allow smooth migration away from
+ M2Crypto
+
+For many releases, Fedora has shipped with the encryption routines
+reimplemented using M2Crypto. We are now aligning with upstream which
+uses PyCrypto. However, we must still allow decryption of existing
+entries in the database, so this patch will remain until at least
+the next release.
+---
+ heat/common/crypt.py | 43 ++++++++++++++++++++++++++++++-------------
+ 1 file changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/heat/common/crypt.py b/heat/common/crypt.py
+index 0defb10..0c1e14e 100644
+--- a/heat/common/crypt.py
++++ b/heat/common/crypt.py
+@@ -44,20 +44,37 @@ def oslo_decrypt_v1(auth_info):
+     return sym.decrypt(cfg.CONF.auth_encryption_key[:32],
+                        auth_info, b64decode=True)
+ 
++#This is here for testing verification purposes related to the comment below
++#def heat_encrypt(auth_info):
++#    import M2Crypto
++#    from os import urandom
++#    iv = urandom(16)
++#    cipher = M2Crypto.EVP.Cipher(alg='aes_128_cbc', key_as_bytes=False, padding=True,
++#                                 key=cfg.CONF.auth_encryption_key[:32], iv=iv,
++#                                 op=1) # 1 is encode
++#    update = cipher.update(auth_info)
++#    final = cipher.final()
++#    res = base64.b64encode(iv + update + final)
++#    return 'heat_decrypt', res
+ 
+ def heat_decrypt(auth_info):
+-    """Decrypt function for data that has been encrypted using an older
+-    version of Heat.
+-    Note: the encrypt function returns the function that is needed to
+-    decrypt the data. The database then stores this. When the data is
+-    then retrieved (potentially by a later version of Heat) the decrypt
+-    function must still exist. So whilst it may seem that this function
+-    is not referenced, it will be referenced from the database.
+-    """
++    # This is an AES specific version of oslo decrypt, reimplementing the
++    # commented out code below. The main differences are a different key size
++    # and different padding to be compatible with our old m2crypto based
++    # heat_encrypt. This patch will be dropped in a few releases since once
++    # people upgrade, the new encrypt method will be used making this
++    # decryption method no longer necessary.
++    #sym = utils.SymmetricCrypto()
++    #return sym.decrypt(cfg.CONF.auth_encryption_key[:16],
++    #                   auth_info, b64decode=True)
++
+     if auth_info is None:
+         return None
+-    auth = base64.b64decode(auth_info)
+-    iv = auth[:AES.block_size]
+-    cipher = AES.new(cfg.CONF.auth_encryption_key[:32], AES.MODE_CFB, iv)
+-    res = cipher.decrypt(auth[AES.block_size:])
+-    return res
++    auth_info = base64.b64decode(auth_info)
++    iv = auth_info[:AES.block_size]
++    # Note: MUST send in 16 bytes long key for AES-128
++    cipher = AES.new(cfg.CONF.auth_encryption_key[:16], AES.MODE_CBC, iv)
++    padded = cipher.decrypt(auth_info[AES.block_size:])
++    l = ord(padded[-1])
++    plain = padded[:-l]
++    return plain
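Review bot: The unpadding at the end of `heat_decrypt` trusts the last decrypted byte without checking it. `l = ord(padded[-1])` raises IndexError when the stored value holds only an IV, a final byte of 0 makes `padded[:-l]` return an empty string, and any other value silently cuts that many bytes. A wrong `auth_encryption_key` or a corrupted row therefore produces truncated garbage rather than an error. The padding length should be checked against `AES.block_size` and the pad bytes compared before stripping, as sketched below; whether callers expect `ValueError` here is not visible from the hunk. CBC carries no MAC in this scheme, so the check catches corruption and key mismatch but is not an integrity guarantee. Separately, the removed docstring explained that the function name is stored in the database and looked up from there; the replacement comment drops that, and it is worth keeping so the function is not deleted as unreferenced.

```python
    # … unchanged: None check, b64decode, IV split, AES.new(..., AES.MODE_CBC, iv) …
    padded = cipher.decrypt(auth_info[AES.block_size:])
    if not padded:
        raise ValueError('encrypted value contains no ciphertext blocks')
    pad_len = ord(padded[-1])
    if not 1 <= pad_len <= AES.block_size or \
            padded[-pad_len:] != padded[-1] * pad_len:
        raise ValueError('encrypted value has invalid padding')
    return padded[:-pad_len]
```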
diff --git a/openstack-heat.spec b/openstack-heat.spec
index 27f537a..c393795 100644
--- a/openstack-heat.spec
+++ b/openstack-heat.spec
@@ -33,6 +33,9 @@ Source20:	heat-dist.conf
 #
 # patches_base=2014.2.b3+0
 #
+Patch0001: 0001-remove-pbr-runtime-dependency.patch
+Patch0002: 0002-Add-compatability-patch-to-allow-smooth-migration-aw.patch
+
 
 BuildArch: noarch
 BuildRequires: git

