Patch for fixing keystone rc bug #687311 : permission to upload in SID?
Hi,
I've tried to fix #687311. To the best of my knowledge, a review of at
least one person, and some practical tests, the package configuration
works as expected, respecting the policy, after applying the patch.
Since the patch isn't small (6 files changed, 95 insertions(+), 36
deletions), I'm sending it as attachment before upload into SID, so the
release team can object it if it's wrong.
Please let me know,
Thomas (zigo)
diff --git a/debian/changelog b/debian/changelog
index cbc8543..37519fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+keystone (2012.1.1-7) unstable; urgency=low
+
+ * Fixes band handling (eg: policy violation) of keystone.conf which was
+ conffiles, but changed in the posinst (Closes: #687311).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 12 Sep 2012 17:09:47 +0000
+
keystone (2012.1.1-6) unstable; urgency=high
* CVE-2012-4413: Revoking a role does not affect existing tokens
diff --git a/debian/keystone.config b/debian/keystone.config
index 84aad01..e1236d5 100644
--- a/debian/keystone.config
+++ b/debian/keystone.config
@@ -1,19 +1,84 @@
#!/bin/sh
+
set -e
. /usr/share/debconf/confmodule
+### Reading of values in the keystone config file ###
+### and setting default for dbconfig-common accordingly ###
+KEY_CONF=/etc/keystone/keystone.conf
+
+# Create config files if they don't exist
+if ! [ -e /etc/keystone ] ; then
+ mkdir /etc/keystone
+fi
+if ! [ -e /etc/keystone/keystone.conf ] ; then
+ cp /usr/share/doc/keystone/keystone.conf.sample ${KEY_CONF}
+fi
+
+if [ -e "${KEY_CONF}" ] ; then
+ KEY_CONF_AUTH_TOKEN=`grep -E "^([ \t])*admin_token([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ if [ -n "${KEY_CONF_AUTH_TOKEN}" ] ; then
+ db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}
+ fi
+fi
db_input low keystone/auth-token || true
db_input low keystone/configure_db || true
db_go
+
db_get keystone/configure_db
-if [ "$RET" = "true" ]; then
- if [ -f /usr/share/dbconfig-common/dpkg/config ];
- then
- dbc_dbtypes="sqlite3, mysql, pgsql"
- db_authmethod_user="password"
- dbc_basepath="/var/lib/keystone"
+if [ "$RET" = "true" ] && [ -e "${KEY_CONF}" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
. /usr/share/dbconfig-common/dpkg/config
+ KEY_CONF_DB_CON_INFO=`grep -E "^([ \t])*connection([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d":" -f1`
+ # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite)
+ if [ "${KEY_CONF_DB_TYPE}" != "sqlite" ] && [ "${KEY_CONF_DB_TYPE}" != "mysql" ] && [ "${KEY_CONF_DB_TYPE}" != "pgsql" ] ; then
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+ KEY_CONF_DB_TYPE="sqlite"
+ fi
+ if [ "${KEY_CONF_DB_TYPE}" = "sqlite" ] ; then
+ # This is the invalid default in the etc/keystone.conf in the source package
+ if [ "${KEY_CONF_DB_CON_INFO}" = "sqlite:///keystone.db" ] ; then
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+ fi
+
+ KEY_CONF_DB_PATH=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,11)}'`
+ if [ -z "${KEY_CONF_DB_PATH}" ] ; then
+ KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite
+ fi
+ dbc_basepath=`dirname "${KEY_CONF_DB_PATH}"`
+ dbc_dbname=`basename "${KEY_CONF_DB_PATH}"`
+ dbc_dbtypes="sqlite3, mysql, pgsql"
+ else
+ # Later, the postinst does: mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
+ # so we are supposed to parse that if it exists
+ KEY_CONF_ADDR=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,9)}'`
+ KEY_CONF_BEFORE_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f1`
+ KEY_CONF_AFTER_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f1`
+
+ KEY_CONF_USER=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f1`
+ KEY_CONF_PASS=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f2`
+ KEY_CONF_SERVER_PORT=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f1`
+ KEY_CONF_DB_NAME=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f2`
+
+ KEY_CONF_SERVER=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f1`
+ KEY_CONF_PORT=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f2`
+ if [ -n "${KEY_CONF_PORT}" ] ; then
+ dbc_dbport=${KEY_CONF_PORT}
+ fi
+
+ if [ -n "${KEY_CONF_USER}" ] && [ -n "${KEY_CONF_PASS}" ] && [ -n "${KEY_CONF_SERVER_PORT}" ] && [ -n "${KEY_CONF_DB_NAME}" ] ; then
+ dbc_dbuser=${KEY_CONF_USER}
+ dbc_dbpass=${KEY_CONF_PASS}
+ dbc_dbserver=${KEY_CONF_SERVER}
+ dbc_dbname=${KEY_CONF_DB_NAME}
+ fi
+ if [ "${KEY_CONF_DB_TYPE}" = "mysql" ] ; then
+ dbc_dbtypes="mysql, pgsql, sqlite3"
+ else
+ dbc_dbtypes="pgsql, mysql, sqlite3"
+ fi
+ db_authmethod_user="password"
+ fi
dbc_go keystone $@
- fi
fi
diff --git a/debian/keystone.install b/debian/keystone.install
index 9dfb505..26d1053 100644
--- a/debian/keystone.install
+++ b/debian/keystone.install
@@ -1,2 +1,4 @@
usr/bin/*
-etc/* etc/keystone
\ No newline at end of file
+etc/default_catalog.templates /etc/keystone
+etc/logging.conf.sample /usr/share/doc/keystone
+etc/policy.json /etc/keystone
diff --git a/debian/keystone.postinst b/debian/keystone.postinst
index 9692a90..883b0a7 100755
--- a/debian/keystone.postinst
+++ b/debian/keystone.postinst
@@ -1,5 +1,7 @@
#!/bin/sh
+
set -e
+set -x
if [ "$1" = "configure" ]
then
@@ -13,37 +15,21 @@ then
--disabled-password \
--group keystone
-
db_get keystone/configure_db
if [ "$RET" = "true" ]; then
db_get keystone/database-type
- if [ $RET = "sqlite3" ]
- then
- dbc_name="keystone.sqlite"
- db_set keystone/db/dbname $dbc_name
- fi
dbc_dbfile_owner="keystone:keystone"
dbc_go keystone $@
if [ "$dbc_install" = "true" ]
then
- case "$dbc_dbtype" in
- sqlite3)
- SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
- ;;
- mysql)
- [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
- SQL_CONNECTION="mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
- ;;
- pgsql)
- [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
- SQL_CONNECTION="pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
- ;;
- *)
- SQL_CONNECTION="sqlite:////var/lib/keystone/$dbc_dbname"
- ;;
- esac
+ if [ "$dbc_dbtype" = "mysql" ] || [ "$dbc_dbtype" = "pgsql" ] ; then
+ [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
+ SQL_CONNECTION="$dbc_dbtype://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
+ else
+ SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
+ fi
sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i /etc/keystone/keystone.conf
@@ -54,12 +40,9 @@ then
fi
fi
- if [ -z "$2" ]
- then
- db_get keystone/auth-token
- AUTH_TOKEN=${RET:-ADMIN}
- sed -s "s,^admin_token = ADMIN,admin_token = $AUTH_TOKEN," -i /etc/keystone/keystone.conf
- fi
+ db_get keystone/auth-token
+ AUTH_TOKEN=${RET:-ADMIN}
+ sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' /etc/keystone/keystone.conf
chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
chmod 0750 /etc/keystone
diff --git a/debian/keystone.postrm b/debian/keystone.postrm
index ca5d17f..402b5e3 100644
--- a/debian/keystone.postrm
+++ b/debian/keystone.postrm
@@ -20,6 +20,7 @@ case "$1" in
purge)
rm -rf /var/log/keystone
rm -rf /var/lib/keystone
+ rm -rf /etc/keystone
esac
#DEBHELPER#
diff --git a/debian/rules b/debian/rules
index 2f33685..fffc403 100755
--- a/debian/rules
+++ b/debian/rules
@@ -42,6 +42,7 @@ override_dh_install:
rm -rf debian/python-keystone/usr/lib/python*/*/doc
rm -rf debian/python-keystone/usr/lib/python*/*/tools
rm -rf debian/python-keystone/usr/lib/python*/*/examples
+ cp -f etc/keystone.conf debian/keystone/usr/share/doc/keystone/keystone.conf.sample
override_dh_clean:
rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
Reply to: