authorMatthew Thode <prometheanfire@gentoo.org>2013-12-19 04:16:52 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-12-19 04:16:52 +0000
commitc2fbd195c9901ab7335d484e8e63c389fa6cd2a8 (patch)
treeb4a189d89bb13a555868bce26c82a694bdb44477 /sys-auth/keystone
parentAutomated update. (diff)
downloadgentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.gz
gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.tar.bz2
gentoo-2-c2fbd195c9901ab7335d484e8e63c389fa6cd2a8.zip
2013.2.1 and cleaner deps
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog9
-rw-r--r--sys-auth/keystone/files/2013.2-CVE-2013-4477.patch74
-rw-r--r--sys-auth/keystone/files/cve-2013-6391_2013.2.patch153
-rw-r--r--sys-auth/keystone/keystone-2013.2.1.ebuild (renamed from sys-auth/keystone/keystone-2013.2-r2.ebuild)57
4 files changed, 35 insertions, 258 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index e3bf365b2837..2e6184d8ffcb 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.50 2013/12/13 17:31:29 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.51 2013/12/19 04:16:52 prometheanfire Exp $
+
+*keystone-2013.2.1 (19 Dec 2013)
+
+ 19 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +keystone-2013.2.1.ebuild, -files/2013.2-CVE-2013-4477.patch,
+ -files/cve-2013-6391_2013.2.patch, -keystone-2013.2-r2.ebuild:
+ 2013.2.1 and cleaner deps
13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+files/keystone.initd.havana, -files/2012.2.4-upstream-1181157.patch,
diff --git a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch b/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
deleted file mode 100644
index 3f9a640a08d9..000000000000
--- a/sys-auth/keystone/files/2013.2-CVE-2013-4477.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 4221b6020e6b0b42325d8904d7b8a22577a6acc0 Mon Sep 17 00:00:00 2001
-From: Brant Knudson <bknudson@us.ibm.com>
-Date: Mon, 21 Oct 2013 15:21:12 -0500
-Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment
-
-When using the LDAP assignment backend, attempting to remove a
-role assignment when the role hadn't been used before would
-actually add the role assignment and would not return a
-404 Not Found like the SQL backend.
-
-This change makes it so that when attempt to remove a role that
-wasn't assigned then 404 Not Found is returned.
-
-Closes-Bug: #1242855
-Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
-(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
-(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
----
- keystone/assignment/backends/ldap.py | 18 ++++--------------
- keystone/tests/test_backend.py | 9 +++++++++
- 2 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
-index 851f9ec..ecf4adb 100644
---- a/keystone/assignment/backends/ldap.py
-+++ b/keystone/assignment/backends/ldap.py
-@@ -426,20 +426,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn,
- try:
- conn.modify_s(role_dn, [(ldap.MOD_DELETE,
- self.member_attribute, user_dn)])
-- except ldap.NO_SUCH_OBJECT:
-- if tenant_dn is None:
-- raise exception.RoleNotFound(role_id=role_id)
-- attrs = [('objectClass', [self.object_class]),
-- (self.member_attribute, [user_dn])]
--
-- if self.use_dumb_member:
-- attrs[1][1].append(self.dumb_member)
-- try:
-- conn.add_s(role_dn, attrs)
-- except Exception as inst:
-- raise inst
-- except ldap.NO_SUCH_ATTRIBUTE:
-- raise exception.UserNotFound(user_id=user_id)
-+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
-+ raise exception.RoleNotFound(message=_(
-+ 'Cannot remove role that has not been granted, %s') %
-+ role_id)
- finally:
- conn.unbind_s()
-
-diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
-index 7dd3477..e0e81ca 100644
---- a/keystone/tests/test_backend.py
-+++ b/keystone/tests/test_backend.py
-@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self):
- self.tenant_bar['id'])
- self.assertNotIn(self.user_two['id'], user_ids)
-
-+ def test_remove_user_role_not_assigned(self):
-+ # Expect failure if attempt to remove a role that was never assigned to
-+ # the user.
-+ self.assertRaises(exception.RoleNotFound,
-+ self.identity_api.remove_role_from_user_and_project,
-+ tenant_id=self.tenant_bar['id'],
-+ user_id=self.user_two['id'],
-+ role_id=self.role_other['id'])
-+
- def test_authenticate_bad_user(self):
- self.assertRaises(AssertionError,
- self.identity_api.authenticate,
---
-1.8.4
-
diff --git a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch b/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
deleted file mode 100644
index 52d13c4b0e51..000000000000
--- a/sys-auth/keystone/files/cve-2013-6391_2013.2.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 2756f2ff0c49b25e17b4f833610bd5c4f16309bd Mon Sep 17 00:00:00 2001
-From: Steven Hardy <shardy@redhat.com>
-Date: Mon, 21 Oct 2013 19:49:01 +0100
-Subject: [PATCH] Fix issues handling trust tokens via ec2tokens API
-
-Trust scoped tokens are handled incorectly when making requests
-via the ec2tokens API, meaning that the restrictions enforced
-by trust-scoped tokens are not respected when obtaining a token
-via ec2token signature validation.
-
-Storing the trust_id in the blob associated with the ec2 keypair,
-and passing that id in the metadata when requesting a v2 token
-solves the issue.
-
-Change-Id: I52566384d7813ef0e2f20fb94a5076386457ff02
-Closes-Bug: #1242597
----
- keystone/contrib/ec2/controllers.py | 19 ++++++++++--
- keystone/tests/test_keystoneclient_sql.py | 50 ++++++++++++++++++++++++++++---
- 2 files changed, 63 insertions(+), 6 deletions(-)
-
-diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
-index 94b7430..262cbe5 100644
---- a/keystone/contrib/ec2/controllers.py
-+++ b/keystone/contrib/ec2/controllers.py
-@@ -106,6 +106,11 @@ class Ec2Controller(controller.V2Controller):
- self.identity_api.get_roles_for_user_and_project(
- user_ref['id'], tenant_ref['id']))
-
-+ trust_id = creds_ref.get('trust_id')
-+ if trust_id:
-+ metadata_ref['trust_id'] = trust_id
-+ metadata_ref['trustee_user_id'] = user_ref['id']
-+
- # Validate that the auth info is valid and nothing is disabled
- token.validate_auth_info(self, user_ref, tenant_ref)
-
-@@ -146,8 +151,10 @@ class Ec2Controller(controller.V2Controller):
-
- self._assert_valid_user_id(user_id)
- self._assert_valid_project_id(tenant_id)
-+ trust_id = self._context_trust_id(context)
- blob = {'access': uuid.uuid4().hex,
-- 'secret': uuid.uuid4().hex}
-+ 'secret': uuid.uuid4().hex,
-+ 'trust_id': trust_id}
- credential_id = utils.hash_access_key(blob['access'])
- cred_ref = {'user_id': user_id,
- 'project_id': tenant_id,
-@@ -213,7 +220,8 @@ class Ec2Controller(controller.V2Controller):
- return {'user_id': credential.get('user_id'),
- 'tenant_id': credential.get('project_id'),
- 'access': blob.get('access'),
-- 'secret': blob.get('secret')}
-+ 'secret': blob.get('secret'),
-+ 'trust_id': blob.get('trust_id')}
-
- def _get_credentials(self, credential_id):
- """Return credentials from an ID.
-@@ -244,6 +252,13 @@ class Ec2Controller(controller.V2Controller):
- if token_ref['user'].get('id') != user_id:
- raise exception.Forbidden(_('Token belongs to another user'))
-
-+ def _context_trust_id(self, context):
-+ try:
-+ token_ref = self.token_api.get_token(context['token_id'])
-+ except exception.TokenNotFound as e:
-+ raise exception.Unauthorized(e)
-+ return token_ref.get('trust_id')
-+
- def _is_admin(self, context):
- """Wrap admin assertion error return statement.
-
-diff --git a/keystone/tests/test_keystoneclient_sql.py b/keystone/tests/test_keystoneclient_sql.py
-index 5ddc33e..bd83803 100644
---- a/keystone/tests/test_keystoneclient_sql.py
-+++ b/keystone/tests/test_keystoneclient_sql.py
-@@ -88,9 +88,11 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
- self.assertRaises(client_exceptions.NotFound, client.endpoints.delete,
- id=endpoint.id)
-
-- def _send_ec2_auth_request(self, credentials):
-+ def _send_ec2_auth_request(self, credentials, client=None):
-+ if not client:
-+ client = self.default_client
- url = '%s/ec2tokens' % self.default_client.auth_url
-- (resp, token) = self.default_client.request(
-+ (resp, token) = client.request(
- url=url, method='POST',
- body={'credentials': credentials})
- return resp, token
-@@ -99,9 +101,12 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
- cred = self. default_client.ec2.create(
- user_id=self.user_foo['id'],
- tenant_id=self.tenant_bar['id'])
-- signer = ec2_utils.Ec2Signer(cred.secret)
-+ return self._generate_user_ec2_credentials(cred.access, cred.secret)
-+
-+ def _generate_user_ec2_credentials(self, access, secret):
-+ signer = ec2_utils.Ec2Signer(secret)
- credentials = {'params': {'SignatureVersion': '2'},
-- 'access': cred.access,
-+ 'access': access,
- 'verb': 'GET',
- 'host': 'localhost',
- 'path': '/service/cloud'}
-@@ -115,6 +120,43 @@ class KcMasterSqlTestCase(test_keystoneclient.KcMasterTestCase, sql.Base):
- self.assertEqual(resp.status_code, 200)
- self.assertIn('access', token)
-
-+ def test_ec2_auth_success_trust(self):
-+ # Add "other" role user_foo and create trust delegating it to user_two
-+ self.identity_api.add_role_to_user_and_project(
-+ self.user_foo['id'],
-+ self.tenant_bar['id'],
-+ self.role_other['id'])
-+ trust_id = 'atrust123'
-+ trust = {'trustor_user_id': self.user_foo['id'],
-+ 'trustee_user_id': self.user_two['id'],
-+ 'project_id': self.tenant_bar['id'],
-+ 'impersonation': True}
-+ roles = [self.role_other]
-+ self.trust_api.create_trust(trust_id, trust, roles)
-+
-+ # Create a client for user_two, scoped to the trust
-+ client = self.get_client(self.user_two)
-+ ret = client.authenticate(trust_id=trust_id,
-+ tenant_id=self.tenant_bar['id'])
-+ self.assertTrue(ret)
-+ self.assertTrue(client.auth_ref.trust_scoped)
-+ self.assertEqual(trust_id, client.auth_ref.trust_id)
-+
-+ # Create an ec2 keypair using the trust client impersonating user_foo
-+ cred = client.ec2.create(user_id=self.user_foo['id'],
-+ tenant_id=self.tenant_bar['id'])
-+ credentials, signature = self._generate_user_ec2_credentials(
-+ cred.access, cred.secret)
-+ credentials['signature'] = signature
-+ resp, token = self._send_ec2_auth_request(credentials)
-+ self.assertEqual(resp.status_code, 200)
-+ self.assertEqual(trust_id, token['access']['trust']['id'])
-+ #TODO(shardy) we really want to check the roles and trustee
-+ # but because of where the stubbing happens we don't seem to
-+ # hit the necessary code in controllers.py _authenticate_token
-+ # so although all is OK via a real request, it incorrect in
-+ # this test..
-+
- def test_ec2_auth_failure(self):
- from keystoneclient import exceptions as client_exceptions
-
---
-1.8.3.1
-
diff --git a/sys-auth/keystone/keystone-2013.2-r2.ebuild b/sys-auth/keystone/keystone-2013.2.1.ebuild
index 71d256b4eefe..75e236c3e3dd 100644
--- a/sys-auth/keystone/keystone-2013.2-r2.ebuild
+++ b/sys-auth/keystone/keystone-2013.2.1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2-r2.ebuild,v 1.2 2013/12/13 17:31:29 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.1.ebuild,v 1.1 2013/12/19 04:16:52 prometheanfire Exp $
EAPI=5
@@ -20,31 +20,6 @@ IUSE="+sqlite mysql postgres ldap test"
REQUIRED_USE="|| ( mysql postgres sqlite )"
#todo, seperate out rdepend via use flags
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- test? ( dev-python/Babel
- dev-python/decorator
- dev-python/eventlet
- dev-python/greenlet
- dev-python/httplib2
- dev-python/iso8601
- dev-python/lxml
- dev-python/netifaces
- dev-python/nose
- dev-python/nosexcover
- dev-python/passlib
- dev-python/paste
- dev-python/pastedeploy
- dev-python/python-pam
- dev-python/repoze-lru
- dev-python/routes
- dev-python/sphinx
- >=dev-python/sqlalchemy-migrate-0.7
- dev-python/tempita
- >=dev-python/webob-1.0.8
- dev-python/webtest
- dev-python/python-memcached )
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
<dev-python/webob-1.3[${PYTHON_USEDEP}]
@@ -63,10 +38,10 @@ RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
>=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
dev-python/passlib[${PYTHON_USEDEP}]
>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
+ >=dev-python/iso8601-0.1.8[${PYTHON_USEDEP}]
>=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
>=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- >=dev-python/Babel-0.9.6[${PYTHON_USEDEP}]
+ >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
dev-python/oauth2[${PYTHON_USEDEP}]
>=dev-python/dogpile-cache-0.5.0[${PYTHON_USEDEP}]
dev-python/python-daemon[${PYTHON_USEDEP}]
@@ -74,10 +49,32 @@ RDEPEND=">=dev-python/python-pam-0.1.4[${PYTHON_USEDEP}]
ldap? ( dev-python/python-ldap[${PYTHON_USEDEP}] )
>=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
<dev-python/pbr-1.0[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( ${RDEPEND}
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ >=dev-python/hacking-0.5.6[${PYTHON_USEDEP}]
+ <dev-python/hacking-0.8[${PYTHON_USEDEP}]
+ dev-python/httplib2[${PYTHON_USEDEP}]
+ >=dev-python/keyring-1.6.1[${PYTHON_USEDEP}]
+ <dev-python/keyring-2.0[${PYTHON_USEDEP}]
+ >=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
+ >=dev-python/netifaces-0.5[${PYTHON_USEDEP}]
+ dev-python/nose[${PYTHON_USEDEP}]
+ dev-python/nosexcover[${PYTHON_USEDEP}]
+ >=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}]
+ >=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}]
+ dev-python/oslo-sphinx[${PYTHON_USEDEP}]
+ >=dev-python/requests-1.1[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.2[${PYTHON_USEDEP}]
+ >=dev-python/testtools-0.9.32[${PYTHON_USEDEP}]
+ >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
+ >=dev-python/python-memcached-1.48[${PYTHON_USEDEP}]
+ ldap? ( ~dev-python/python-ldap-2.3.13 ) )
+ >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
PATCHES=(
- "${FILESDIR}/2013.2-CVE-2013-4477.patch"
- "${FILESDIR}/cve-2013-6391_2013.2.patch"
)
pkg_setup() {
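Review bot: The new test-dependency entry `ldap? ( ~dev-python/python-ldap-2.3.13 ) )` is the only atom in DEPEND without `[${PYTHON_USEDEP}]`, so the python-target constraint that every other entry (and the python-ldap atom already pulled in through `${RDEPEND}`) enforces is not applied to it; write `ldap? ( ~dev-python/python-ldap-2.3.13[${PYTHON_USEDEP}] ) )`. The same hunk empties `PATCHES=( )` after dropping the CVE-2013-4477 and CVE-2013-6391 patches, but neither the ebuild nor the commit message records why dropping them is safe; presumably the 2013.2.1 release carries both fixes upstream, and a one-line comment above the array, e.g. `# No local patches: the CVE-2013-4477 and CVE-2013-6391 fixes are carried by upstream 2013.2.1`, would let the next bump confirm that instead of rediscovering it. An empty `PATCHES=( )` is harmless, but removing the array altogether reads cleaner than an empty literal. pkg_setup's body continues outside the hunk.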