From a9c041be274fb6ba986b1a7cb56f4f59d8342633 Mon Sep 17 00:00:00 2001 From: Thomas Goirand Date: Sat, 29 Jun 2013 21:37:50 +0800 Subject: [PATCH] Removes all patches: - removes-lxml-version-limitation-from-pip-requires.patch - fix-package-version-detection-when-building-doc.patch - Subclass_keystone_middleware_to_set_headers.patch Rewritten-From: 36652a21aaff08d1c27226e3a01f9c037f7fb86f --- ...s_keystone_middleware_to_set_headers.patch | 582 ------------------ ...-version-detection-when-building-doc.patch | 27 - ...version-limitation-from-pip-requires.patch | 18 - xenial/debian/patches/series | 3 - 4 files changed, 630 deletions(-) delete mode 100644 xenial/debian/patches/Subclass_keystone_middleware_to_set_headers.patch delete mode 100644 xenial/debian/patches/fix-package-version-detection-when-building-doc.patch delete mode 100644 xenial/debian/patches/removes-lxml-version-limitation-from-pip-requires.patch delete mode 100644 xenial/debian/patches/series diff --git a/xenial/debian/patches/Subclass_keystone_middleware_to_set_headers.patch b/xenial/debian/patches/Subclass_keystone_middleware_to_set_headers.patch deleted file mode 100644 index 23ae70c2..00000000 --- a/xenial/debian/patches/Subclass_keystone_middleware_to_set_headers.patch +++ /dev/null @@ -1,582 +0,0 @@ -Description: Subclass keystone middleware to set headers - Replace old forked auth_token with a subclass of keystoneclient middleware. - The advantages of moving to keystoneclient middleware: - - can use v3 (or v2) keystone api - - PKI tokens - - token revocation - . - The subclass sets the following headers to be consumed by our request context - filter: - - X-Admin-User - - X-Admin-Pass - - X-Admin-Tenant-Name - - X-Auth-Url -Author: Steve Baker -Origin: upstream, https://github.com/openstack/heat/commit/cfda18b43e2e5782e5595e54f4a48f30b860e5dd -Last-Update: 2013-05-23 - ---- heat-2013.1.orig/heat/common/auth_token.py -+++ heat-2013.1/heat/common/auth_token.py -@@ -15,509 +15,24 @@ - # See the License for the specific language governing permissions and - # limitations under the License. - --""" --TOKEN-BASED AUTH MIDDLEWARE -- --This WSGI component: -- --* Verifies that incoming client requests have valid tokens by validating -- tokens with the auth service. --* Rejects unauthenticated requests UNLESS it is in 'delay_auth_decision' -- mode, which means the final decision is delegated to the downstream WSGI -- component (usually the OpenStack service) --* Collects and forwards identity information based on a valid token -- such as user name, tenant, etc -- --Refer to: http://keystone.openstack.org/middlewarearchitecture.html -- --HEADERS --------- -- --* Headers starting with HTTP\_ is a standard http header --* Headers starting with HTTP_X is an extended http header -- --Coming in from initial call from client or customer --^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -- --HTTP_X_AUTH_TOKEN -- The client token being passed in. -- --HTTP_X_STORAGE_TOKEN -- The client token being passed in (legacy Rackspace use) to support -- swift/cloud files -- --Used for communication between components --^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -- --WWW-Authenticate -- HTTP header returned to a user indicating which endpoint to use -- to retrieve a new token -- --What we add to the request for use by the OpenStack service --^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -- --HTTP_X_IDENTITY_STATUS -- 'Confirmed' or 'Invalid' -- The underlying service will only see a value of 'Invalid' if the Middleware -- is configured to run in 'delay_auth_decision' mode -- --HTTP_X_TENANT_ID -- Identity service managed unique identifier, string -- --HTTP_X_TENANT_NAME -- Unique tenant identifier, string -- --HTTP_X_USER_ID -- Identity-service managed unique identifier, string -- --HTTP_X_USER_NAME -- Unique user identifier, string -- --HTTP_X_ROLES -- Comma delimited list of case-sensitive Roles -- --HTTP_X_TENANT -- *Deprecated* in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME -- Keystone-assigned unique identifier, deprecated -- --HTTP_X_USER -- *Deprecated* in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME -- Unique user name, string -- --HTTP_X_ROLE -- *Deprecated* in favor of HTTP_X_ROLES -- This is being renamed, and the new header contains the same data. -- --""" -- --import httplib --import json - import logging --import time -- --import webob --import webob.exc -- -+from keystoneclient.middleware import auth_token - - LOG = logging.getLogger(__name__) - - --class InvalidUserToken(Exception): -- pass -- -- --class ServiceError(Exception): -- pass -- -- --class AuthProtocol(object): -- """Auth Middleware that handles authenticating client calls.""" -- -- def __init__(self, app, conf): -- LOG.info('Starting keystone auth_token middleware') -- self.conf = conf -- self.app = app -- -- # delay_auth_decision means we still allow unauthenticated requests -- # through and we let the downstream service make the final decision -- self.delay_auth_decision = int(conf.get('delay_auth_decision', 0)) -- -- # where to find the auth service (we use this to validate tokens) -- self.auth_host = conf.get('auth_host') -- self.auth_port = int(conf.get('auth_port', 35357)) -- auth_protocol = conf.get('auth_protocol', 'https') -- if auth_protocol == 'http': -- self.http_client_class = httplib.HTTPConnection -- else: -- self.http_client_class = httplib.HTTPSConnection -- -- default_auth_uri = '%s://%s:%s' % (auth_protocol, -- self.auth_host, -- self.auth_port) -- self.auth_uri = conf.get('auth_uri', default_auth_uri) -- -- # Credentials used to verify this component with the Auth service since -- # validating tokens is a privileged call -- self.admin_token = conf.get('admin_token') -- self.admin_user = conf.get('admin_user') -- self.admin_password = conf.get('admin_password') -- self.admin_tenant_name = conf.get('admin_tenant_name', 'admin') -- -- # Token caching via memcache -- self._cache = None -- self._iso8601 = None -- memcache_servers = conf.get('memcache_servers') -- # By default the token will be cached for 5 minutes -- self.token_cache_time = conf.get('token_cache_time', 300) -- if memcache_servers: -- try: -- import memcache -- import iso8601 -- LOG.info('Using memcache for caching token') -- self._cache = memcache.Client(memcache_servers.split(',')) -- self._iso8601 = iso8601 -- except NameError as e: -- LOG.warn('disabled caching due to missing libraries %s', e) -- -- def __call__(self, env, start_response): -- """Handle incoming request. -- -- Authenticate send downstream on success. Reject request if -- we can't authenticate. -- -- """ -- LOG.debug('Authenticating user token') -- try: -- self._remove_auth_headers(env) -- user_token = self._get_user_token_from_header(env) -- token_info = self._validate_user_token(user_token) -- user_headers = self._build_user_headers(token_info) -- self._add_headers(env, user_headers) -- return self.app(env, start_response) -- -- except InvalidUserToken: -- if self.delay_auth_decision: -- LOG.info('Invalid user token - deferring reject downstream') -- self._add_headers(env, {'X-Identity-Status': 'Invalid'}) -- return self.app(env, start_response) -- else: -- LOG.info('Invalid user token - rejecting request') -- return self._reject_request(env, start_response) -- -- except ServiceError, e: -- LOG.critical('Unable to obtain admin token: %s' % e) -- resp = webob.exc.HTTPServiceUnavailable() -- return resp(env, start_response) -- -- def _remove_auth_headers(self, env): -- """Remove headers so a user can't fake authentication. -- -- :param env: wsgi request environment -- -- """ -- auth_headers = ( -- 'X-Identity-Status', -- 'X-Tenant-Id', -- 'X-Tenant-Name', -- 'X-User-Id', -- 'X-User-Name', -- 'X-Roles', -- # Deprecated -- 'X-User', -- 'X-Tenant', -- 'X-Role', -- ) -- LOG.debug('Removing headers from request environment: %s' % -- ','.join(auth_headers)) -- self._remove_headers(env, auth_headers) -- -- def _get_user_token_from_header(self, env): -- """Get token id from request. -- -- :param env: wsgi request environment -- :return token id -- :raises InvalidUserToken if no token is provided in request -- -- """ -- token = self._get_header(env, 'X-Auth-Token', -- self._get_header(env, 'X-Storage-Token')) -- if token: -- return token -- else: -- LOG.warn("Unable to find authentication token in headers: %s", env) -- raise InvalidUserToken('Unable to find token in headers') -- -- def _reject_request(self, env, start_response): -- """Redirect client to auth server. -- -- :param env: wsgi request environment -- :param start_response: wsgi response callback -- :returns HTTPUnauthorized http response -- -- """ -- headers = [('WWW-Authenticate', 'Keystone uri=\'%s\'' % self.auth_uri)] -- resp = webob.exc.HTTPUnauthorized('Authentication required', headers) -- return resp(env, start_response) -- -- def get_admin_token(self): -- """Return admin token, possibly fetching a new one. -- -- :return admin token id -- :raise ServiceError when unable to retrieve token from keystone -- -- """ -- if not self.admin_token: -- self.admin_token = self._request_admin_token() -- -- return self.admin_token -- -- def _get_http_connection(self): -- return self.http_client_class(self.auth_host, self.auth_port) -- -- def _json_request(self, method, path, body=None, additional_headers=None): -- """HTTP request helper used to make json requests. -- -- :param method: http method -- :param path: relative request url -- :param body: dict to encode to json as request body. Optional. -- :param additional_headers: dict of additional headers to send with -- http request. Optional. -- :return (http response object, response body parsed as json) -- :raise ServerError when unable to communicate with keystone -- -- """ -- conn = self._get_http_connection() -- -- kwargs = { -- 'headers': { -- 'Content-type': 'application/json', -- 'Accept': 'application/json', -- }, -- } -- -- if additional_headers: -- kwargs['headers'].update(additional_headers) -- -- if body: -- kwargs['body'] = json.dumps(body) -- -- try: -- conn.request(method, path, **kwargs) -- response = conn.getresponse() -- body = response.read() -- except Exception, e: -- LOG.error('HTTP connection exception: %s' % e) -- raise ServiceError('Unable to communicate with keystone') -- finally: -- conn.close() -- -- try: -- data = json.loads(body) -- except ValueError: -- LOG.debug('Keystone did not return json-encoded body') -- data = {} -- -- return response, data -- -- def _request_admin_token(self): -- """Retrieve new token as admin user from keystone. -- -- :return token id upon success -- :raises ServerError when unable to communicate with keystone -- -- """ -- params = { -- 'auth': { -- 'passwordCredentials': { -- 'username': self.admin_user, -- 'password': self.admin_password, -- }, -- 'tenantName': self.admin_tenant_name, -- } -- } -- -- response, data = self._json_request('POST', -- '/v2.0/tokens', -- body=params) -- -- try: -- token = data['access']['token']['id'] -- assert token -- return token -- except (AssertionError, KeyError): -- LOG.warn("Unexpected response from keystone service: %s", data) -- raise ServiceError('invalid json response') -- -- def _validate_user_token(self, user_token, retry=True): -- """Authenticate user token with keystone. -- -- :param user_token: user's token id -- :param retry: flag that forces the middleware to retry -- user authentication when an indeterminate -- response is received. Optional. -- :return token object received from keystone on success -- :raise InvalidUserToken if token is rejected -- :raise ServiceError if unable to authenticate token -- -- """ -- cached = self._cache_get(user_token) -- if cached: -- return cached -- -- headers = {'X-Auth-Token': self.get_admin_token()} -- response, data = self._json_request('GET', -- '/v2.0/tokens/%s' % user_token, -- additional_headers=headers) -- -- if response.status == 200: -- self._cache_put(user_token, data) -- return data -- if response.status == 404: -- # FIXME(ja): I'm assuming the 404 status means that user_token is -- # invalid - not that the admin_token is invalid -- self._cache_store_invalid(user_token) -- LOG.warn("Authorization failed for token %s", user_token) -- raise InvalidUserToken('Token authorization failed') -- if response.status == 401: -- LOG.info('Keystone rejected admin token %s, resetting', headers) -- self.admin_token = None -- else: -- LOG.error('Bad response code while validating token: %s' % -- response.status) -- if retry: -- LOG.info('Retrying validation') -- return self._validate_user_token(user_token, False) -- else: -- LOG.warn("Invalid user token: %s. Keystone response: %s.", -- user_token, data) -- -- raise InvalidUserToken() -- -+class AuthProtocol(auth_token.AuthProtocol): -+ """ -+ Subclass of keystoneclient auth_token middleware which also -+ sets the 'X-Auth-Url' header to the value specified in the config. -+ """ - def _build_user_headers(self, token_info): -- """Convert token object into headers. -- -- Build headers that represent authenticated user: -- * X_IDENTITY_STATUS: Confirmed or Invalid -- * X_TENANT_ID: id of tenant if tenant is present -- * X_TENANT_NAME: name of tenant if tenant is present -- * X_USER_ID: id of user -- * X_USER_NAME: name of user -- * X_ROLES: list of roles -- -- Additional (deprecated) headers include: -- * X_USER: name of user -- * X_TENANT: For legacy compatibility before we had ID and Name -- * X_ROLE: list of roles -- -- :param token_info: token object returned by keystone on authentication -- :raise InvalidUserToken when unable to parse token object -- -- """ -- user = token_info['access']['user'] -- token = token_info['access']['token'] -- roles = ','.join([role['name'] for role in user.get('roles', [])]) -- -- def get_tenant_info(): -- """Returns a (tenant_id, tenant_name) tuple from context.""" -- def essex(): -- """Essex puts the tenant ID and name on the token.""" -- return (token['tenant']['id'], token['tenant']['name']) -- -- def pre_diablo(): -- """Pre-diablo, Keystone only provided tenantId.""" -- return (token['tenantId'], token['tenantId']) -- -- def default_tenant(): -- """Assume the user's default tenant.""" -- return (user['tenantId'], user['tenantName']) -- -- for method in [essex, pre_diablo, default_tenant]: -- try: -- return method() -- except KeyError: -- pass -- -- raise InvalidUserToken('Unable to determine tenancy.') -- -- tenant_id, tenant_name = get_tenant_info() -- -- user_id = user['id'] -- user_name = user['name'] -- -- return { -- 'X-Identity-Status': 'Confirmed', -- 'X-Tenant-Id': tenant_id, -- 'X-Tenant-Name': tenant_name, -- 'X-User-Id': user_id, -- 'X-User-Name': user_name, -- 'X-Roles': roles, -- # Deprecated -- 'X-User': user_name, -- 'X-Tenant': tenant_name, -- 'X-Role': roles, -- 'X-Admin-User': self.admin_user, -- 'X-Admin-Pass': self.admin_password, -- 'X-Admin-Tenant-Name': self.admin_tenant_name, -- 'X-Auth-Url': self.conf['auth_uri'], -- } -- -- def _header_to_env_var(self, key): -- """Convert header to wsgi env variable. -- -- :param key: http header name (ex. 'X-Auth-Token') -- :return wsgi env variable name (ex. 'HTTP_X_AUTH_TOKEN') -- -- """ -- return 'HTTP_%s' % (key.replace('-', '_').upper()) -- -- def _add_headers(self, env, headers): -- """Add http headers to environment.""" -- for (k, v) in headers.iteritems(): -- env_key = self._header_to_env_var(k) -- env[env_key] = v -- -- def _remove_headers(self, env, keys): -- """Remove http headers from environment.""" -- for k in keys: -- env_key = self._header_to_env_var(k) -- try: -- del env[env_key] -- except KeyError: -- pass -- -- def _get_header(self, env, key, default=None): -- """Get http header from environment.""" -- env_key = self._header_to_env_var(key) -- return env.get(env_key, default) -- -- def _cache_get(self, token): -- """Return token information from cache. -- -- If token is invalid raise InvalidUserToken -- return token only if fresh (not expired). -- """ -- if self._cache and token: -- key = 'tokens/%s' % token -- cached = self._cache.get(key) -- if cached == 'invalid': -- LOG.debug('Cached Token %s is marked unauthorized', token) -- raise InvalidUserToken('Token authorization failed') -- if cached: -- data, expires = cached -- if time.time() < float(expires): -- LOG.debug('Returning cached token %s', token) -- return data -- else: -- LOG.debug('Cached Token %s seems expired', token) -- -- def _cache_put(self, token, data): -- """Put token data into the cache. -- -- Stores the parsed expire date in cache allowing -- quick check of token freshness on retrieval. -- """ -- if self._cache and data: -- key = 'tokens/%s' % token -- if 'token' in data.get('access', {}): -- timestamp = data['access']['token']['expires'] -- expires = self._iso8601.parse_date(timestamp).strftime('%s') -- else: -- LOG.error('invalid token format') -- return -- LOG.debug('Storing %s token in memcache', token) -- self._cache.set(key, -- (data, expires), -- time=self.token_cache_time) -- -- def _cache_store_invalid(self, token): -- """Store invalid token in cache.""" -- if self._cache: -- key = 'tokens/%s' % token -- LOG.debug('Marking token %s as unauthorized in memcache', token) -- self._cache.set(key, -- 'invalid', -- time=self.token_cache_time) -- -+ rval = super(AuthProtocol, self)._build_user_headers(token_info) -+ rval['X-Auth-Url'] = self.auth_uri -+ rval['X-Admin-User'] = self.admin_user -+ rval['X-Admin-Pass'] = self.admin_password -+ rval['X-Admin-Tenant-Name'] = self.admin_tenant_name -+ return rval - - def filter_factory(global_conf, **local_conf): - """Returns a WSGI filter app for use with paste.deploy.""" ---- heat-2013.1.orig/etc/heat/heat-api-cfn-paste.ini -+++ heat-2013.1/etc/heat/heat-api-cfn-paste.ini -@@ -69,9 +69,6 @@ keystone_ec2_uri = http://localhost:5000 - - [filter:authtoken] - paste.filter_factory = heat.common.auth_token:filter_factory --service_protocol = http --service_host = 127.0.0.1 --service_port = 5000 - auth_host = 127.0.0.1 - auth_port = 35357 - auth_protocol = http ---- heat-2013.1.orig/etc/heat/heat-api-cloudwatch-paste.ini -+++ heat-2013.1/etc/heat/heat-api-cloudwatch-paste.ini -@@ -69,9 +69,6 @@ keystone_ec2_uri = http://localhost:5000 - - [filter:authtoken] - paste.filter_factory = heat.common.auth_token:filter_factory --service_protocol = http --service_host = 127.0.0.1 --service_port = 5000 - auth_host = 127.0.0.1 - auth_port = 35357 - auth_protocol = http ---- heat-2013.1.orig/etc/heat/heat-api-paste.ini -+++ heat-2013.1/etc/heat/heat-api-paste.ini -@@ -72,13 +72,10 @@ paste.filter_factory = heat.common.conte - - [filter:authtoken] - paste.filter_factory = heat.common.auth_token:filter_factory --service_protocol = http --service_host = 127.0.0.1 --service_port = 5000 - auth_host = 127.0.0.1 - auth_port = 35357 - auth_protocol = http --auth_uri = http://127.0.0.1:35357/v2.0 -+auth_uri = http://127.0.0.1:5000/v2.0 - - # These must be set to your local values in order for the token - # authentication to work. diff --git a/xenial/debian/patches/fix-package-version-detection-when-building-doc.patch b/xenial/debian/patches/fix-package-version-detection-when-building-doc.patch deleted file mode 100644 index 7d9cc221..00000000 --- a/xenial/debian/patches/fix-package-version-detection-when-building-doc.patch +++ /dev/null @@ -1,27 +0,0 @@ -Description: Fixes version detection when building docs -Author: Thomas Goirand -Forwarded: no -Last-Update: 2013-05-16 - -Index: heat/heat/openstack/common/version.py -=================================================================== ---- heat.orig/heat/openstack/common/version.py 2013-05-16 14:07:08.000000000 +0000 -+++ heat/heat/openstack/common/version.py 2013-05-16 14:07:08.000000000 +0000 -@@ -19,6 +19,7 @@ - """ - - import pkg_resources -+import os - - - class VersionInfo(object): -@@ -54,6 +55,9 @@ - if self.release is None: - self.release = self._get_version_from_pkg_resources() - -+ if self.release is None: -+ self.release = os.environ.get("OSLO_PACKAGE_VERSION", None) -+ - return self.release - - def version_string(self): diff --git a/xenial/debian/patches/removes-lxml-version-limitation-from-pip-requires.patch b/xenial/debian/patches/removes-lxml-version-limitation-from-pip-requires.patch deleted file mode 100644 index 0db74f62..00000000 --- a/xenial/debian/patches/removes-lxml-version-limitation-from-pip-requires.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: Removes <= 2.3.5 from lxml pip-requires - Warn upstream on IRC about this, they said it's no problem to remove the - version thing, and they will remove it upstream. -Author: Thomas Goirand -Forwarded: no -Last-Update: 2013-05-16 - ---- heat-2013.1.orig/tools/pip-requires -+++ heat-2013.1/tools/pip-requires -@@ -17,7 +17,7 @@ httplib2 - iso8601>=0.1.4 - kombu>=1.0.4 - argparse --lxml>=2.3,<=2.3.5 -+lxml>=2.3 - sqlalchemy-migrate>=0.7.2 - python-novaclient - PasteDeploy==1.5.0 diff --git a/xenial/debian/patches/series b/xenial/debian/patches/series deleted file mode 100644 index 67077088..00000000 --- a/xenial/debian/patches/series +++ /dev/null @@ -1,3 +0,0 @@ -removes-lxml-version-limitation-from-pip-requires.patch -fix-package-version-detection-when-building-doc.patch -Subclass_keystone_middleware_to_set_headers.patch -- 2.45.2