From 71beb2a9050f7ef521d53d9cbb544a8f89192d44 Mon Sep 17 00:00:00 2001
From: Matthew Thode <prometheanfire@gentoo.org>
Date: Tue, 9 Feb 2016 19:09:52 -0600
Subject: sys-cluster/neutron: cleanup

Package-Manager: portage-2.2.26
---
 .../neutron/files/CVE-2015-5240_2015.1.1.patch     | 155 -------------
 sys-cluster/neutron/neutron-2015.1.9999.ebuild     | 252 ---------------------
 2 files changed, 407 deletions(-)
 delete mode 100644 sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch
 delete mode 100644 sys-cluster/neutron/neutron-2015.1.9999.ebuild

(limited to 'sys-cluster')

diff --git a/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch b/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch
deleted file mode 100644
index ccb2a66bce9b..000000000000
--- a/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 8138e2fe38ad2cde5963685df47b1e4286776352 Mon Sep 17 00:00:00 2001
-From: Kevin Benton <blak111@gmail.com>
-Date: Tue, 25 Aug 2015 22:03:27 -0700
-Subject: [PATCH] Stop device_owner from being set to 'network:*'
-
-This patch adjusts the FieldCheck class in the policy engine to
-allow a regex rule. It then leverages that to prevent users from
-setting the device_owner field to anything that starts with
-'network:' on networks which they do not own.
-
-This policy adjustment is necessary because any ports with a
-device_owner that starts with 'network:' will not have any security
-group rules applied because it is assumed they are trusted network
-devices (e.g. router ports, DHCP ports, etc). These security rules
-include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
-and IP headers.
-
-Without this policy adjustment, tenants can abuse this trust when
-connected to a shared network with other tenants by setting their
-VM port's device_owner field to 'network:<anything>' and hijack other
-tenants' traffic via DHCP spoofing or MAC/IP spoofing.
-
-Closes-Bug: #1489111
-Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
-(cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f)
----
- etc/policy.json                   |  3 +++
- neutron/api/v2/attributes.py      |  2 +-
- neutron/policy.py                 |  3 +++
- neutron/tests/etc/policy.json     |  3 +++
- neutron/tests/unit/test_policy.py | 16 ++++++++++++++++
- 5 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/etc/policy.json b/etc/policy.json
-index 8a5de9b..0f04eb2 100644
---- a/etc/policy.json
-+++ b/etc/policy.json
-@@ -46,7 +46,9 @@
-     "update_network:router:external": "rule:admin_only",
-     "delete_network": "rule:admin_or_owner",
- 
-+    "network_device": "field:port:device_owner=~^network:",
-     "create_port": "",
-+    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
-     "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
-     "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-     "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-@@ -61,6 +63,7 @@
-     "get_port:binding:host_id": "rule:admin_only",
-     "get_port:binding:profile": "rule:admin_only",
-     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-+    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
-     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-     "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-     "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py
-index b9c179a..9ceee78 100644
---- a/neutron/api/v2/attributes.py
-+++ b/neutron/api/v2/attributes.py
-@@ -766,7 +766,7 @@ RESOURCE_ATTRIBUTE_MAP = {
-                       'is_visible': True},
-         'device_owner': {'allow_post': True, 'allow_put': True,
-                          'validate': {'type:string': DEVICE_OWNER_MAX_LEN},
--                         'default': '',
-+                         'default': '', 'enforce_policy': True,
-                          'is_visible': True},
-         'tenant_id': {'allow_post': True, 'allow_put': False,
-                       'validate': {'type:string': TENANT_ID_MAX_LEN},
-diff --git a/neutron/policy.py b/neutron/policy.py
-index 9e586dd..961ae21 100644
---- a/neutron/policy.py
-+++ b/neutron/policy.py
-@@ -335,6 +335,7 @@ class FieldCheck(policy.Check):
- 
-         self.field = field
-         self.value = conv_func(value)
-+        self.regex = re.compile(value[1:]) if value.startswith('~') else None
- 
-     def __call__(self, target_dict, cred_dict, enforcer):
-         target_value = target_dict.get(self.field)
-@@ -344,6 +345,8 @@ class FieldCheck(policy.Check):
-                       "%(target_dict)s",
-                       {'field': self.field, 'target_dict': target_dict})
-             return False
-+        if self.regex:
-+            return bool(self.regex.match(target_value))
-         return target_value == self.value
- 
- 
-diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
-index 8a5de9b..0f04eb2 100644
---- a/neutron/tests/etc/policy.json
-+++ b/neutron/tests/etc/policy.json
-@@ -46,7 +46,9 @@
-     "update_network:router:external": "rule:admin_only",
-     "delete_network": "rule:admin_or_owner",
- 
-+    "network_device": "field:port:device_owner=~^network:",
-     "create_port": "",
-+    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
-     "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
-     "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-     "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-@@ -61,6 +63,7 @@
-     "get_port:binding:host_id": "rule:admin_only",
-     "get_port:binding:profile": "rule:admin_only",
-     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-+    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
-     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-     "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-     "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-diff --git a/neutron/tests/unit/test_policy.py b/neutron/tests/unit/test_policy.py
-index 3888ce3..4be404f 100644
---- a/neutron/tests/unit/test_policy.py
-+++ b/neutron/tests/unit/test_policy.py
-@@ -232,6 +232,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
-             "regular_user": "role:user",
-             "shared": "field:networks:shared=True",
-             "external": "field:networks:router:external=True",
-+            "network_device": "field:port:device_owner=~^network:",
-             "default": '@',
- 
-             "create_network": "rule:admin_or_owner",
-@@ -243,6 +244,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
-             "create_subnet": "rule:admin_or_network_owner",
-             "create_port:mac": "rule:admin_or_network_owner or "
-                                "rule:context_is_advsvc",
-+            "create_port:device_owner": "not rule:network_device",
-             "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-             "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
-             "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
-@@ -312,6 +314,20 @@ class NeutronPolicyTestCase(base.BaseTestCase):
-         self._test_nonadmin_action_on_attr('create', 'shared', True,
-                                            common_policy.PolicyNotAuthorized)
- 
-+    def test_create_port_device_owner_regex(self):
-+        blocked_values = ('network:', 'network:abdef', 'network:dhcp',
-+                          'network:router_interface')
-+        for val in blocked_values:
-+            self._test_advsvc_action_on_attr(
-+                'create', 'port', 'device_owner', val,
-+                common_policy.PolicyNotAuthorized
-+            )
-+        ok_values = ('network', 'networks', 'my_network:test', 'my_network:')
-+        for val in ok_values:
-+            self._test_advsvc_action_on_attr(
-+                'create', 'port', 'device_owner', val
-+            )
-+
-     def test_advsvc_get_network_works(self):
-         self._test_advsvc_action_on_attr('get', 'network', 'shared', False)
- 
--- 
-1.9.1
-
diff --git a/sys-cluster/neutron/neutron-2015.1.9999.ebuild b/sys-cluster/neutron/neutron-2015.1.9999.ebuild
deleted file mode 100644
index 84d68fc84f24..000000000000
--- a/sys-cluster/neutron/neutron-2015.1.9999.ebuild
+++ /dev/null
@@ -1,252 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 git-2 linux-info user
-
-DESCRIPTION="A virtual network service for Openstack"
-HOMEPAGE="https://launchpad.net/neutron"
-EGIT_REPO_URI="https://github.com/openstack/neutron.git"
-EGIT_BRANCH="stable/kilo"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS=""
-IUSE="compute-only dhcp doc ipv6 l3 metadata openvswitch linuxbridge server test sqlite mysql postgres"
-REQUIRED_USE="!compute-only? ( || ( mysql postgres sqlite ) )
-						compute-only? ( !mysql !postgres !sqlite !dhcp !l3 !metadata !server
-						|| ( openvswitch linuxbridge ) )"
-
-DEPEND="
-	dev-python/setuptools[${PYTHON_USEDEP}]
-	>=dev-python/pbr-0.8[${PYTHON_USEDEP}]
-	<dev-python/pbr-1.0[${PYTHON_USEDEP}]
-	app-admin/sudo
-	test? (
-		${RDEPEND}
-		>=dev-python/cliff-1.10.0[${PYTHON_USEDEP}]
-		<dev-python/cliff-1.11.0[${PYTHON_USEDEP}]
-		>=dev-python/coverage-3.6[${PYTHON_USEDEP}]
-		>=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
-		<dev-python/fixtures-1.3.0[${PYTHON_USEDEP}]
-		>=dev-python/mock-1.0[${PYTHON_USEDEP}]
-		<dev-python/mock-1.1.0[${PYTHON_USEDEP}]
-		>=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
-		>=dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}]
-		>=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
-		!~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
-		<dev-python/sphinx-1.3[${PYTHON_USEDEP}]
-		>=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
-		<dev-python/oslo-sphinx-2.6.0[${PYTHON_USEDEP}]
-		>=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
-		>=dev-python/testtools-0.9.36[${PYTHON_USEDEP}]
-		!~dev-python/testtools-1.2.0[${PYTHON_USEDEP}]
-		>=dev-python/testscenarios-0.4[${PYTHON_USEDEP}]
-		>=dev-python/webtest-2.0[${PYTHON_USEDEP}]
-		>=dev-python/oslotest-1.5.1[${PYTHON_USEDEP}]
-		<dev-python/oslotest-1.6.0[${PYTHON_USEDEP}]
-		>=dev-python/tempest-lib-0.4.0[${PYTHON_USEDEP}]
-		<dev-python/tempest-lib-0.5.0[${PYTHON_USEDEP}]
-	)"
-
-RDEPEND="
-	dev-python/paste[${PYTHON_USEDEP}]
-	>=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
-	>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
-	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
-	>=dev-python/eventlet-0.16.1[${PYTHON_USEDEP}]
-	!~dev-python/eventlet-0.17.0[${PYTHON_USEDEP}]
-	>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
-	>=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
-	>=dev-python/requests-2.2.0[${PYTHON_USEDEP}]
-	!~dev-python/requests-2.4.0[${PYTHON_USEDEP}]
-	dev-python/jsonrpclib[${PYTHON_USEDEP}]
-	>=dev-python/jinja-2.6[${PYTHON_USEDEP}]
-	>=dev-python/keystonemiddleware-1.5.0[${PYTHON_USEDEP}]
-	<dev-python/keystonemiddleware-1.6.0[${PYTHON_USEDEP}]
-	>=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}]
-	>=dev-python/python-neutronclient-2.4.0[${PYTHON_USEDEP}]
-	<dev-python/python-neutronclient-2.5.0[${PYTHON_USEDEP}]
-	>=dev-python/retrying-1.2.3[${PYTHON_USEDEP}]
-	!~dev-python/retrying-1.3.0[${PYTHON_USEDEP}]
-	compute-only? (
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	sqlite? (
-		>=dev-python/sqlalchemy-0.9.7[sqlite,${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}]
-	)
-	mysql? (
-		dev-python/mysql-python
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	postgres? (
-		dev-python/psycopg:2
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	>=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
-	>=dev-python/python-keystoneclient-1.2.0[${PYTHON_USEDEP}]
-	<dev-python/python-keystoneclient-1.4.0[${PYTHON_USEDEP}]
-	>=dev-python/alembic-0.7.2[${PYTHON_USEDEP}]
-	<dev-python/alembic-0.8.1[${PYTHON_USEDEP}]
-	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/stevedore-1.3.0[${PYTHON_USEDEP}]
-	<dev-python/stevedore-1.4.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-concurrency-1.8.2[${PYTHON_USEDEP}]
-	<dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}]
-	<dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-context-0.3.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-db-1.7.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-db-1.8.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-i18n-1.6.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-log-1.0.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-log-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-messaging-1.8.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-messaging-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-middleware-1.0.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-middleware-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-rootwrap-1.6.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-rootwrap-1.7.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-serialization-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-utils-1.4.0[${PYTHON_USEDEP}]
-	!~dev-python/oslo-utils-1.4.1[${PYTHON_USEDEP}]
-	<dev-python/oslo-utils-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/python-novaclient-2.22.0[${PYTHON_USEDEP}]
-	<dev-python/python-novaclient-2.24.0[${PYTHON_USEDEP}]
-	dev-python/pyudev[${PYTHON_USEDEP}]
-	sys-apps/iproute2
-	net-misc/bridge-utils
-	net-firewall/ipset
-	net-firewall/iptables
-	net-firewall/ebtables
-	openvswitch? ( net-misc/openvswitch )
-	ipv6? ( net-misc/radvd )
-	dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
-
-PATCHES=(
-)
-
-pkg_setup() {
-	linux-info_pkg_setup
-	CONFIG_CHECK_MODULES="VLAN_8021Q IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \
-	IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 \
-	NF_NAT_IPV4 NF_NAT NF_CONNTRACK IP_NF_FILTER IP_NF_IPTABLES NETFILTER_XTABLES"
-	if linux_config_exists; then
-		for module in ${CONFIG_CHECK_MODULES}; do
-			linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel"
-		done
-	fi
-	enewgroup neutron
-	enewuser neutron -1 -1 /var/lib/neutron neutron
-}
-
-pkg_config() {
-	fperms 0700 /var/log/neutron
-	fowners neutron:neutron /var/log neutron
-}
-
-src_prepare() {
-	sed -i '/^hacking/d' test-requirements.txt || die
-	# it's /bin/ip not /sbin/ip
-	sed -i 's/sbin\/ip\,/bin\/ip\,/g' etc/neutron/rootwrap.d/* || die
-	distutils-r1_python_prepare_all
-}
-
-python_compile_all() {
-	use doc && make -C doc html
-}
-
-python_test() {
-	# https://bugs.launchpad.net/neutron/+bug/1234857
-	# https://bugs.launchpad.net/swift/+bug/1249727
-	# https://bugs.launchpad.net/neutron/+bug/1251657
-	# Move tests out that attempt net connection, have failures
-	mv $(find . -name test_ovs_tunnel.py) . || die
-	sed -e 's:test_app_using_ipv6_and_ssl:_&:' \
-		-e 's:test_start_random_port_with_ipv6:_&:' \
-		-i neutron/tests/unit/test_wsgi.py || die
-	testr init
-	testr run --parallel || die "failed testsuite under python2.7"
-}
-
-python_install() {
-	distutils-r1_python_install
-	if use server; then
-		newinitd "${FILESDIR}/neutron.initd" "neutron-server"
-		newconfd "${FILESDIR}/neutron-server.confd" "neutron-server"
-		dosym /etc/neutron/plugin.ini /etc/neutron/plugins/ml2/ml2_conf.ini
-	fi
-	if use dhcp; then
-		newinitd "${FILESDIR}/neutron.initd" "neutron-dhcp-agent"
-		newconfd "${FILESDIR}/neutron-dhcp-agent.confd" "neutron-dhcp-agent"
-	fi
-	if use l3; then
-		newinitd "${FILESDIR}/neutron.initd" "neutron-l3-agent"
-		newconfd "${FILESDIR}/neutron-l3-agent.confd" "neutron-l3-agent"
-	fi
-	if use metadata; then
-		newinitd "${FILESDIR}/neutron.initd" "neutron-metadata-agent"
-		newconfd "${FILESDIR}/neutron-metadata-agent.confd" "neutron-metadata-agent"
-	fi
-	if use openvswitch; then
-		newinitd "${FILESDIR}/neutron.initd" "neutron-openvswitch-agent"
-		newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-openvswitch-agent"
-		newinitd "${FILESDIR}/neutron.initd" "neutron-ovs-cleanup"
-		newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-ovs-cleanup"
-	fi
-	if use linuxbridge; then
-		newinitd "${FILESDIR}/neutron.initd" "neutron-linuxbridge-agent"
-		newconfd "${FILESDIR}/neutron-linuxbridge-agent.confd" "neutron-linuxbridge-agent"
-	fi
-	diropts -m 755 -o neutron -g neutron
-	dodir /var/log/neutron /var/lib/neutron
-	keepdir /etc/neutron
-	insinto /etc/neutron
-	insopts -m 0640 -o neutron -g neutron
-
-	doins etc/*
-	# stupid renames
-	rm "${D}etc/neutron/quantum"
-	insinto /etc/neutron
-	doins -r "etc/neutron/plugins"
-	insopts -m 0640 -o root -g root
-	doins "etc/rootwrap.conf"
-	doins -r "etc/neutron/rootwrap.d"
-
-	insopts -m 0644
-	insinto "/usr/lib64/python2.7/site-packages/neutron/db/migration/alembic_migrations/"
-	doins -r "neutron/db/migration/alembic_migrations/versions"
-
-	#add sudoers definitions for user neutron
-	insinto /etc/sudoers.d/
-	insopts -m 0440 -o root -g root
-	newins "${FILESDIR}/neutron.sudoersd" neutron
-
-	#remove superfluous stuff
-	rm -R "${D}/usr/etc/"
-}
-
-python_install_all() {
-	use doc && local HTML_DOCS=( doc/build/html/. )
-	distutils-r1_python_install_all
-}
-
-pkg_postinst() {
-	elog
-	elog "neutron-server's conf.d file may need updating to include additional ini files"
-	elog "We currently assume the ml2 plugin will be used but do not make assumptions"
-	elog "on if you will use openvswitch or linuxbridge (or something else)"
-	elog
-	elog "Other conf.d files may need updating too, but should be good for the default use case"
-	elog
-}
-- 
cgit v1.2.3-65-gdbad