summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@chromium.org>2021-01-19 23:24:50 -0500
committerMike Frysinger <vapier@gentoo.org>2021-01-19 23:29:25 -0500
commite70c3835fa0ce573996b6b0d20cdb7b2dc245dbf (patch)
tree5c38da813ea732aa8b5bc0d687a2fae0421bc945 /dev-python/boto
parentdev-python/pyyaml: security bump to 5.4 (diff)
downloadgentoo-e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf.tar.gz
gentoo-e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf.tar.bz2
gentoo-e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf.zip
dev-python/boto: pull in more python 3 fixes
These mostly come from gsutil's boto fork. The SNI fix from Debian was slightly broken in that it passed the host:port down to the SSL layers to validate, but Python matches against just host, so it would always fail. Also unbundle the six module and use the system copy. URL: https://crbug.com/1128519 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'dev-python/boto')
-rw-r--r--dev-python/boto/boto-2.49.0-r4.ebuild60
-rw-r--r--dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch35
-rw-r--r--dev-python/boto/files/boto-2.49.0-py3-server-port.patch42
-rw-r--r--dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch59
-rw-r--r--dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch104
-rw-r--r--dev-python/boto/files/boto-2.49.0-unbundle-six.patch28
6 files changed, 328 insertions, 0 deletions
diff --git a/dev-python/boto/boto-2.49.0-r4.ebuild b/dev-python/boto/boto-2.49.0-r4.ebuild
new file mode 100644
index 000000000000..1841ab488bbd
--- /dev/null
+++ b/dev-python/boto/boto-2.49.0-r4.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+PYTHON_COMPAT=( python3_{6..9} )
+DISTUTILS_USE_SETUPTOOLS=bdepend
+
+inherit distutils-r1
+
+DESCRIPTION="Amazon Web Services API"
+HOMEPAGE="https://github.com/boto/boto https://pypi.org/project/boto/"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+
+PATCHES=(
+ # taken from https://bugs.debian.org/909545
+ "${FILESDIR}"/${P}-try-to-add-SNI-support-v3.patch
+ "${FILESDIR}"/${P}-py38.patch
+ "${FILESDIR}"/${P}-py3-socket-binary.patch
+ "${FILESDIR}"/${P}-py3-httplib-strict.patch
+ "${FILESDIR}"/${P}-py3-server-port.patch
+ "${FILESDIR}"/${P}-unbundle-six.patch
+)
+
+RDEPEND=">=dev-python/six-1.12.0[${PYTHON_USEDEP}]"
+
+BDEPEND="
+ test? (
+ dev-python/httpretty[${PYTHON_USEDEP}]
+ dev-python/keyring[${PYTHON_USEDEP}]
+ dev-python/lxml[${PYTHON_USEDEP}]
+ dev-python/mock[${PYTHON_USEDEP}]
+ dev-python/paramiko[${PYTHON_USEDEP}]
+ dev-python/requests[${PYTHON_USEDEP}]
+ dev-python/rsa[${PYTHON_USEDEP}]
+ dev-python/selenium[${PYTHON_USEDEP}]
+ )"
+
+distutils_enable_tests nose
+
+src_prepare() {
+ # remove bundled libs.
+ rm -f "${S}"/boto/vendored/six.py || die
+ # broken, not worth fixing
+ rm tests/unit/cloudfront/test_signed_urls.py || die
+ # fix tests
+ mkdir -p "${HOME}"/.ssh || die
+ : > "${HOME}"/.ssh/known_hosts || die
+
+ distutils-r1_src_prepare
+}
+
+python_test() {
+ nosetests -v tests/unit ||
+ die "Tests fail with ${EPYTHON}"
+}
diff --git a/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch b/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch
new file mode 100644
index 000000000000..209b01aa74a0
--- /dev/null
+++ b/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch
@@ -0,0 +1,35 @@
+https://github.com/boto/boto/commit/4f4dcb31fe852c05ce19b44eb9d5b5d747e36f7c
+https://github.com/boto/boto/pull/2718
+
+From 4f4dcb31fe852c05ce19b44eb9d5b5d747e36f7c Mon Sep 17 00:00:00 2001
+From: Lee Ball <43632885+catleeball@users.noreply.github.com>
+Date: Mon, 10 Jun 2019 16:02:53 -0700
+Subject: [PATCH] Remove `strict=True` from http_client (#6)
+
+In Python 3.4, the `strict` kwarg was removed[1]. We are removing it
+here too.
+
+Alternatively, we can leave in `strict=True` for 2.x, but I chose to
+remove it entirely to maintain consistent behavior across versions.
+
+[1]: https://docs.python.org/3/library/http.client.html
+---
+ boto/connection.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/boto/connection.py b/boto/connection.py
+index c731173bb4eb..54e26fb2de16 100644
+--- a/boto/connection.py
++++ b/boto/connection.py
+@@ -807,7 +807,7 @@ class AWSAuthConnection(object):
+ sock.sendall(six.ensure_binary("\r\n"))
+ else:
+ sock.sendall(six.ensure_binary("\r\n"))
+- resp = http_client.HTTPResponse(sock, strict=True, debuglevel=self.debug)
++ resp = http_client.HTTPResponse(sock, debuglevel=self.debug)
+ resp.begin()
+
+ if resp.status != 200:
+--
+2.28.0
+
diff --git a/dev-python/boto/files/boto-2.49.0-py3-server-port.patch b/dev-python/boto/files/boto-2.49.0-py3-server-port.patch
new file mode 100644
index 000000000000..62e331921980
--- /dev/null
+++ b/dev-python/boto/files/boto-2.49.0-py3-server-port.patch
@@ -0,0 +1,42 @@
+https://github.com/boto/boto/commit/b9f6cb0ab717ea76e2780c7fddd1cd36b3bf7d63
+
+From b9f6cb0ab717ea76e2780c7fddd1cd36b3bf7d63 Mon Sep 17 00:00:00 2001
+From: Matt Houglum <houglum@google.com>
+Date: Fri, 21 Jun 2019 15:09:11 -0700
+Subject: [PATCH] Make server_name() behave correctly for PY3
+
+...because Python-2.6-or-newer doesn't just include Python 2.6 and 2.7.
+---
+ boto/connection.py | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/boto/connection.py b/boto/connection.py
+index 54e26fb2de16..bbb25d8fb842 100644
+--- a/boto/connection.py
++++ b/boto/connection.py
+@@ -650,17 +650,13 @@ class AWSAuthConnection(object):
+ if port == 80:
+ signature_host = self.host
+ else:
+- # This unfortunate little hack can be attributed to
+- # a difference in the 2.6 version of http_client. In old
+- # versions, it would append ":443" to the hostname sent
+- # in the Host header and so we needed to make sure we
+- # did the same when calculating the V2 signature. In 2.6
+- # (and higher!)
+- # it no longer does that. Hence, this kludge.
+- if ((ON_APP_ENGINE and sys.version[:3] == '2.5') or
+- sys.version[:3] in ('2.6', '2.7')) and port == 443:
++ ver_int = sys.version_info[0] * 10 + sys.version_info[1]
++ if port == 443 and ver_int >= 26: # Py >= 2.6
+ signature_host = self.host
+ else:
++ # In versions < 2.6, Python's http_client would append ":443"
++ # to the hostname sent in the Host header and so we needed to
++ # make sure we did the same when calculating the V2 signature.
+ signature_host = '%s:%d' % (self.host, port)
+ return signature_host
+
+--
+2.28.0
+
diff --git a/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch b/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch
new file mode 100644
index 000000000000..1d109a3f4995
--- /dev/null
+++ b/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch
@@ -0,0 +1,59 @@
+https://github.com/boto/boto/commit/d2cb697b32c297858ecc36701a5a4176818ab36d
+https://github.com/boto/boto/pull/2718
+https://github.com/boto/boto/pull/2893
+https://github.com/boto/boto/pull/3699
+
+From d2cb697b32c297858ecc36701a5a4176818ab36d Mon Sep 17 00:00:00 2001
+From: Cat Lee Ball <cball@google.com>
+Date: Mon, 10 Jun 2019 13:31:11 -0700
+Subject: [PATCH] Ensure binary strings sent to socket
+
+When running pre-release tests with proxied connections, it appeared a
+few spots in connection.py would fail under Python 3 since the
+socket.sendall method expects binary strings rather than unicode.
+---
+ boto/connection.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/boto/connection.py b/boto/connection.py
+index a0d89a51f49c..d084d1f881fb 100644
+--- a/boto/connection.py
++++ b/boto/connection.py
+@@ -796,17 +796,17 @@ class AWSAuthConnection(object):
+ else:
+ sock = socket.create_connection((self.proxy, int(self.proxy_port)))
+ boto.log.debug("Proxy connection: CONNECT %s HTTP/1.0\r\n", host)
+- sock.sendall("CONNECT %s HTTP/1.0\r\n" % host)
+- sock.sendall("User-Agent: %s\r\n" % UserAgent)
++ sock.sendall(six.ensure_binary("CONNECT %s HTTP/1.0\r\n" % host))
++ sock.sendall(six.ensure_binary("User-Agent: %s\r\n" % UserAgent))
+ if self.proxy_user and self.proxy_pass:
+ for k, v in self.get_proxy_auth_header().items():
+- sock.sendall("%s: %s\r\n" % (k, v))
++ sock.sendall(six.ensure_binary("%s: %s\r\n" % (k, v)))
+ # See discussion about this config option at
+ # https://groups.google.com/forum/?fromgroups#!topic/boto-dev/teenFvOq2Cc
+ if config.getbool('Boto', 'send_crlf_after_proxy_auth_headers', False):
+- sock.sendall("\r\n")
++ sock.sendall(six.ensure_binary("\r\n"))
+ else:
+- sock.sendall("\r\n")
++ sock.sendall(six.ensure_binary("\r\n"))
+ resp = http_client.HTTPResponse(sock, strict=True, debuglevel=self.debug)
+ resp.begin()
+
+@@ -814,9 +814,10 @@ class AWSAuthConnection(object):
+ # Fake a socket error, use a code that make it obvious it hasn't
+ # been generated by the socket library
+ raise socket.error(-71,
++ six.ensure_binary(
+ "Error talking to HTTP proxy %s:%s: %s (%s)" %
+ (self.proxy, self.proxy_port,
+- resp.status, resp.reason))
++ resp.status, resp.reason)))
+
+ # We can safely close the response, it duped the original socket
+ resp.close()
+--
+2.28.0
+
diff --git a/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch b/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch
new file mode 100644
index 000000000000..11d346a2199e
--- /dev/null
+++ b/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch
@@ -0,0 +1,104 @@
+From f5e7f6c98b46ff622f60a4661ffc9ce07216d109 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Sat, 29 Sep 2018 21:47:11 +0200
+Subject: [PATCH] boto: try to add SNI support
+
+Add SNI support. Newer OpenSSL (with TLS1.3) fail to connect if the
+hostname is missing.
+
+Link: https://bugs.debian.org/bug=909545
+Tested-by: Witold Baryluk <witold.baryluk@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ boto/connection.py | 19 ++++++++++---------
+ boto/https_connection.py | 22 +++++++++++-----------
+ 2 files changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/boto/connection.py b/boto/connection.py
+index 34b428f101df7..b4867a7657465 100644
+--- a/boto/connection.py
++++ b/boto/connection.py
+@@ -778,8 +778,10 @@
+
+ def proxy_ssl(self, host=None, port=None):
+ if host and port:
++ cert_host = host
+ host = '%s:%d' % (host, port)
+ else:
++ cert_host = self.host
+ host = '%s:%d' % (self.host, self.port)
+ # Seems properly to use timeout for connect too
+ timeout = self.http_connection_kwargs.get("timeout")
+@@ -824,23 +824,24 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert
+ h = http_client.HTTPConnection(host)
+
+ if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
++ context = ssl.create_default_context()
++ context.verify_mode = ssl.CERT_REQUIRED
++ context.check_hostname = True
++
+ msg = "wrapping ssl socket for proxied connection; "
+ if self.ca_certificates_file:
+ msg += "CA certificate file=%s" % self.ca_certificates_file
++ context.load_verify_locations(cafile=self.ca_certificates_file)
+ else:
+ msg += "using system provided SSL certs"
++ context.load_default_certs()
+ boto.log.debug(msg)
+ key_file = self.http_connection_kwargs.get('key_file', None)
+ cert_file = self.http_connection_kwargs.get('cert_file', None)
+- sslSock = ssl.wrap_socket(sock, keyfile=key_file,
+- certfile=cert_file,
+- cert_reqs=ssl.CERT_REQUIRED,
+- ca_certs=self.ca_certificates_file)
+- cert = sslSock.getpeercert()
+- hostname = self.host.split(':', 0)[0]
+- if not https_connection.ValidateCertificateHostname(cert, hostname):
+- raise https_connection.InvalidCertificateException(
+- hostname, cert, 'hostname mismatch')
++ if key_file:
++ context.load_cert_chain(certfile=cert_file, keyfile=key_file)
++
++ sslSock = context.wrap_socket(sock, server_hostname=cert_host)
+ else:
+ # Fallback for old Python without ssl.wrap_socket
+ if hasattr(http_client, 'ssl'):
+diff --git a/boto/https_connection.py b/boto/https_connection.py
+index ddc31a152292e..a5076f6f9b261 100644
+--- a/boto/https_connection.py
++++ b/boto/https_connection.py
+@@ -119,20 +119,20 @@ from boto.compat import six, http_client
+ sock = socket.create_connection((self.host, self.port), self.timeout)
+ else:
+ sock = socket.create_connection((self.host, self.port))
++
++ context = ssl.create_default_context()
++ context.verify_mode = ssl.CERT_REQUIRED
++ context.check_hostname = True
++ if self.key_file:
++ context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
++
+ msg = "wrapping ssl socket; "
+ if self.ca_certs:
+ msg += "CA certificate file=%s" % self.ca_certs
++ context.load_verify_locations(cafile=self.ca_certs)
+ else:
+ msg += "using system provided SSL certs"
++ context.load_default_certs()
+ boto.log.debug(msg)
+- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
+- certfile=self.cert_file,
+- cert_reqs=ssl.CERT_REQUIRED,
+- ca_certs=self.ca_certs)
+- cert = self.sock.getpeercert()
+- hostname = self.host.split(':', 0)[0]
+- if not ValidateCertificateHostname(cert, hostname):
+- raise InvalidCertificateException(hostname,
+- cert,
+- 'remote hostname "%s" does not match '
+- 'certificate' % hostname)
++
++ self.sock = context.wrap_socket(sock, server_hostname=self.host)
+--
+2.19.0
+
diff --git a/dev-python/boto/files/boto-2.49.0-unbundle-six.patch b/dev-python/boto/files/boto-2.49.0-unbundle-six.patch
new file mode 100644
index 000000000000..188dae7eb6fd
--- /dev/null
+++ b/dev-python/boto/files/boto-2.49.0-unbundle-six.patch
@@ -0,0 +1,28 @@
+use the system copy of six
+
+--- a/boto/compat.py
++++ b/boto/compat.py
+@@ -46,16 +46,16 @@ except (AttributeError, ImportError):
+ # This is probably running on App Engine.
+ expanduser = (lambda x: x)
+
+-from boto.vendored import six
++import six
+
+-from boto.vendored.six import BytesIO, StringIO
+-from boto.vendored.six.moves import filter, http_client, map, _thread, \
++from six import BytesIO, StringIO
++from six.moves import filter, http_client, map, _thread, \
+ urllib, zip
+-from boto.vendored.six.moves.queue import Queue
+-from boto.vendored.six.moves.urllib.parse import parse_qs, quote, unquote, \
++from six.moves.queue import Queue
++from six.moves.urllib.parse import parse_qs, quote, unquote, \
+ urlparse, urlsplit
+-from boto.vendored.six.moves.urllib.parse import unquote_plus
+-from boto.vendored.six.moves.urllib.request import urlopen
++from six.moves.urllib.parse import unquote_plus
++from six.moves.urllib.request import urlopen
+
+ if six.PY3:
+ # StandardError was removed, so use the base exception type instead