diff options
author | Mike Frysinger <vapier@chromium.org> | 2021-01-19 23:24:50 -0500 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2021-01-19 23:29:25 -0500 |
commit | e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf (patch) | |
tree | 5c38da813ea732aa8b5bc0d687a2fae0421bc945 | |
parent | dev-python/pyyaml: security bump to 5.4 (diff) | |
download | gentoo-e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf.tar.gz gentoo-e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf.tar.bz2 gentoo-e70c3835fa0ce573996b6b0d20cdb7b2dc245dbf.zip |
dev-python/boto: pull in more python 3 fixes
These mostly come from gsutil's boto fork.
The SNI fix from Debian was slightly broken in that it passed the
host:port down to the SSL layers to validate, but Python matches
against just host, so it would always fail.
Also unbundle the six module and use the system copy.
URL: https://crbug.com/1128519
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
6 files changed, 328 insertions, 0 deletions
diff --git a/dev-python/boto/boto-2.49.0-r4.ebuild b/dev-python/boto/boto-2.49.0-r4.ebuild new file mode 100644 index 000000000000..1841ab488bbd --- /dev/null +++ b/dev-python/boto/boto-2.49.0-r4.ebuild @@ -0,0 +1,60 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +PYTHON_COMPAT=( python3_{6..9} ) +DISTUTILS_USE_SETUPTOOLS=bdepend + +inherit distutils-r1 + +DESCRIPTION="Amazon Web Services API" +HOMEPAGE="https://github.com/boto/boto https://pypi.org/project/boto/" +SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" + +LICENSE="MIT" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos" + +PATCHES=( + # taken from https://bugs.debian.org/909545 + "${FILESDIR}"/${P}-try-to-add-SNI-support-v3.patch + "${FILESDIR}"/${P}-py38.patch + "${FILESDIR}"/${P}-py3-socket-binary.patch + "${FILESDIR}"/${P}-py3-httplib-strict.patch + "${FILESDIR}"/${P}-py3-server-port.patch + "${FILESDIR}"/${P}-unbundle-six.patch +) + +RDEPEND=">=dev-python/six-1.12.0[${PYTHON_USEDEP}]" + +BDEPEND=" + test? ( + dev-python/httpretty[${PYTHON_USEDEP}] + dev-python/keyring[${PYTHON_USEDEP}] + dev-python/lxml[${PYTHON_USEDEP}] + dev-python/mock[${PYTHON_USEDEP}] + dev-python/paramiko[${PYTHON_USEDEP}] + dev-python/requests[${PYTHON_USEDEP}] + dev-python/rsa[${PYTHON_USEDEP}] + dev-python/selenium[${PYTHON_USEDEP}] + )" + +distutils_enable_tests nose + +src_prepare() { + # remove bundled libs. + rm -f "${S}"/boto/vendored/six.py || die + # broken, not worth fixing + rm tests/unit/cloudfront/test_signed_urls.py || die + # fix tests + mkdir -p "${HOME}"/.ssh || die + : > "${HOME}"/.ssh/known_hosts || die + + distutils-r1_src_prepare +} + +python_test() { + nosetests -v tests/unit || + die "Tests fail with ${EPYTHON}" +} diff --git a/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch b/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch new file mode 100644 index 000000000000..209b01aa74a0 --- /dev/null +++ b/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch @@ -0,0 +1,35 @@ +https://github.com/boto/boto/commit/4f4dcb31fe852c05ce19b44eb9d5b5d747e36f7c +https://github.com/boto/boto/pull/2718 + +From 4f4dcb31fe852c05ce19b44eb9d5b5d747e36f7c Mon Sep 17 00:00:00 2001 +From: Lee Ball <43632885+catleeball@users.noreply.github.com> +Date: Mon, 10 Jun 2019 16:02:53 -0700 +Subject: [PATCH] Remove `strict=True` from http_client (#6) + +In Python 3.4, the `strict` kwarg was removed[1]. We are removing it +here too. + +Alternatively, we can leave in `strict=True` for 2.x, but I chose to +remove it entirely to maintain consistent behavior across versions. + +[1]: https://docs.python.org/3/library/http.client.html +--- + boto/connection.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/boto/connection.py b/boto/connection.py +index c731173bb4eb..54e26fb2de16 100644 +--- a/boto/connection.py ++++ b/boto/connection.py +@@ -807,7 +807,7 @@ class AWSAuthConnection(object): + sock.sendall(six.ensure_binary("\r\n")) + else: + sock.sendall(six.ensure_binary("\r\n")) +- resp = http_client.HTTPResponse(sock, strict=True, debuglevel=self.debug) ++ resp = http_client.HTTPResponse(sock, debuglevel=self.debug) + resp.begin() + + if resp.status != 200: +-- +2.28.0 + diff --git a/dev-python/boto/files/boto-2.49.0-py3-server-port.patch b/dev-python/boto/files/boto-2.49.0-py3-server-port.patch new file mode 100644 index 000000000000..62e331921980 --- /dev/null +++ b/dev-python/boto/files/boto-2.49.0-py3-server-port.patch @@ -0,0 +1,42 @@ +https://github.com/boto/boto/commit/b9f6cb0ab717ea76e2780c7fddd1cd36b3bf7d63 + +From b9f6cb0ab717ea76e2780c7fddd1cd36b3bf7d63 Mon Sep 17 00:00:00 2001 +From: Matt Houglum <houglum@google.com> +Date: Fri, 21 Jun 2019 15:09:11 -0700 +Subject: [PATCH] Make server_name() behave correctly for PY3 + +...because Python-2.6-or-newer doesn't just include Python 2.6 and 2.7. +--- + boto/connection.py | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/boto/connection.py b/boto/connection.py +index 54e26fb2de16..bbb25d8fb842 100644 +--- a/boto/connection.py ++++ b/boto/connection.py +@@ -650,17 +650,13 @@ class AWSAuthConnection(object): + if port == 80: + signature_host = self.host + else: +- # This unfortunate little hack can be attributed to +- # a difference in the 2.6 version of http_client. In old +- # versions, it would append ":443" to the hostname sent +- # in the Host header and so we needed to make sure we +- # did the same when calculating the V2 signature. In 2.6 +- # (and higher!) +- # it no longer does that. Hence, this kludge. +- if ((ON_APP_ENGINE and sys.version[:3] == '2.5') or +- sys.version[:3] in ('2.6', '2.7')) and port == 443: ++ ver_int = sys.version_info[0] * 10 + sys.version_info[1] ++ if port == 443 and ver_int >= 26: # Py >= 2.6 + signature_host = self.host + else: ++ # In versions < 2.6, Python's http_client would append ":443" ++ # to the hostname sent in the Host header and so we needed to ++ # make sure we did the same when calculating the V2 signature. + signature_host = '%s:%d' % (self.host, port) + return signature_host + +-- +2.28.0 + diff --git a/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch b/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch new file mode 100644 index 000000000000..1d109a3f4995 --- /dev/null +++ b/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch @@ -0,0 +1,59 @@ +https://github.com/boto/boto/commit/d2cb697b32c297858ecc36701a5a4176818ab36d +https://github.com/boto/boto/pull/2718 +https://github.com/boto/boto/pull/2893 +https://github.com/boto/boto/pull/3699 + +From d2cb697b32c297858ecc36701a5a4176818ab36d Mon Sep 17 00:00:00 2001 +From: Cat Lee Ball <cball@google.com> +Date: Mon, 10 Jun 2019 13:31:11 -0700 +Subject: [PATCH] Ensure binary strings sent to socket + +When running pre-release tests with proxied connections, it appeared a +few spots in connection.py would fail under Python 3 since the +socket.sendall method expects binary strings rather than unicode. +--- + boto/connection.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/boto/connection.py b/boto/connection.py +index a0d89a51f49c..d084d1f881fb 100644 +--- a/boto/connection.py ++++ b/boto/connection.py +@@ -796,17 +796,17 @@ class AWSAuthConnection(object): + else: + sock = socket.create_connection((self.proxy, int(self.proxy_port))) + boto.log.debug("Proxy connection: CONNECT %s HTTP/1.0\r\n", host) +- sock.sendall("CONNECT %s HTTP/1.0\r\n" % host) +- sock.sendall("User-Agent: %s\r\n" % UserAgent) ++ sock.sendall(six.ensure_binary("CONNECT %s HTTP/1.0\r\n" % host)) ++ sock.sendall(six.ensure_binary("User-Agent: %s\r\n" % UserAgent)) + if self.proxy_user and self.proxy_pass: + for k, v in self.get_proxy_auth_header().items(): +- sock.sendall("%s: %s\r\n" % (k, v)) ++ sock.sendall(six.ensure_binary("%s: %s\r\n" % (k, v))) + # See discussion about this config option at + # https://groups.google.com/forum/?fromgroups#!topic/boto-dev/teenFvOq2Cc + if config.getbool('Boto', 'send_crlf_after_proxy_auth_headers', False): +- sock.sendall("\r\n") ++ sock.sendall(six.ensure_binary("\r\n")) + else: +- sock.sendall("\r\n") ++ sock.sendall(six.ensure_binary("\r\n")) + resp = http_client.HTTPResponse(sock, strict=True, debuglevel=self.debug) + resp.begin() + +@@ -814,9 +814,10 @@ class AWSAuthConnection(object): + # Fake a socket error, use a code that make it obvious it hasn't + # been generated by the socket library + raise socket.error(-71, ++ six.ensure_binary( + "Error talking to HTTP proxy %s:%s: %s (%s)" % + (self.proxy, self.proxy_port, +- resp.status, resp.reason)) ++ resp.status, resp.reason))) + + # We can safely close the response, it duped the original socket + resp.close() +-- +2.28.0 + diff --git a/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch b/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch new file mode 100644 index 000000000000..11d346a2199e --- /dev/null +++ b/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch @@ -0,0 +1,104 @@ +From f5e7f6c98b46ff622f60a4661ffc9ce07216d109 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat, 29 Sep 2018 21:47:11 +0200 +Subject: [PATCH] boto: try to add SNI support + +Add SNI support. Newer OpenSSL (with TLS1.3) fail to connect if the +hostname is missing. + +Link: https://bugs.debian.org/bug=909545 +Tested-by: Witold Baryluk <witold.baryluk@gmail.com> +Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +--- + boto/connection.py | 19 ++++++++++--------- + boto/https_connection.py | 22 +++++++++++----------- + 2 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/boto/connection.py b/boto/connection.py +index 34b428f101df7..b4867a7657465 100644 +--- a/boto/connection.py ++++ b/boto/connection.py +@@ -778,8 +778,10 @@ + + def proxy_ssl(self, host=None, port=None): + if host and port: ++ cert_host = host + host = '%s:%d' % (host, port) + else: ++ cert_host = self.host + host = '%s:%d' % (self.host, self.port) + # Seems properly to use timeout for connect too + timeout = self.http_connection_kwargs.get("timeout") +@@ -824,23 +824,24 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert + h = http_client.HTTPConnection(host) + + if self.https_validate_certificates and HAVE_HTTPS_CONNECTION: ++ context = ssl.create_default_context() ++ context.verify_mode = ssl.CERT_REQUIRED ++ context.check_hostname = True ++ + msg = "wrapping ssl socket for proxied connection; " + if self.ca_certificates_file: + msg += "CA certificate file=%s" % self.ca_certificates_file ++ context.load_verify_locations(cafile=self.ca_certificates_file) + else: + msg += "using system provided SSL certs" ++ context.load_default_certs() + boto.log.debug(msg) + key_file = self.http_connection_kwargs.get('key_file', None) + cert_file = self.http_connection_kwargs.get('cert_file', None) +- sslSock = ssl.wrap_socket(sock, keyfile=key_file, +- certfile=cert_file, +- cert_reqs=ssl.CERT_REQUIRED, +- ca_certs=self.ca_certificates_file) +- cert = sslSock.getpeercert() +- hostname = self.host.split(':', 0)[0] +- if not https_connection.ValidateCertificateHostname(cert, hostname): +- raise https_connection.InvalidCertificateException( +- hostname, cert, 'hostname mismatch') ++ if key_file: ++ context.load_cert_chain(certfile=cert_file, keyfile=key_file) ++ ++ sslSock = context.wrap_socket(sock, server_hostname=cert_host) + else: + # Fallback for old Python without ssl.wrap_socket + if hasattr(http_client, 'ssl'): +diff --git a/boto/https_connection.py b/boto/https_connection.py +index ddc31a152292e..a5076f6f9b261 100644 +--- a/boto/https_connection.py ++++ b/boto/https_connection.py +@@ -119,20 +119,20 @@ from boto.compat import six, http_client + sock = socket.create_connection((self.host, self.port), self.timeout) + else: + sock = socket.create_connection((self.host, self.port)) ++ ++ context = ssl.create_default_context() ++ context.verify_mode = ssl.CERT_REQUIRED ++ context.check_hostname = True ++ if self.key_file: ++ context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file) ++ + msg = "wrapping ssl socket; " + if self.ca_certs: + msg += "CA certificate file=%s" % self.ca_certs ++ context.load_verify_locations(cafile=self.ca_certs) + else: + msg += "using system provided SSL certs" ++ context.load_default_certs() + boto.log.debug(msg) +- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, +- certfile=self.cert_file, +- cert_reqs=ssl.CERT_REQUIRED, +- ca_certs=self.ca_certs) +- cert = self.sock.getpeercert() +- hostname = self.host.split(':', 0)[0] +- if not ValidateCertificateHostname(cert, hostname): +- raise InvalidCertificateException(hostname, +- cert, +- 'remote hostname "%s" does not match ' +- 'certificate' % hostname) ++ ++ self.sock = context.wrap_socket(sock, server_hostname=self.host) +-- +2.19.0 + diff --git a/dev-python/boto/files/boto-2.49.0-unbundle-six.patch b/dev-python/boto/files/boto-2.49.0-unbundle-six.patch new file mode 100644 index 000000000000..188dae7eb6fd --- /dev/null +++ b/dev-python/boto/files/boto-2.49.0-unbundle-six.patch @@ -0,0 +1,28 @@ +use the system copy of six + +--- a/boto/compat.py ++++ b/boto/compat.py +@@ -46,16 +46,16 @@ except (AttributeError, ImportError): + # This is probably running on App Engine. + expanduser = (lambda x: x) + +-from boto.vendored import six ++import six + +-from boto.vendored.six import BytesIO, StringIO +-from boto.vendored.six.moves import filter, http_client, map, _thread, \ ++from six import BytesIO, StringIO ++from six.moves import filter, http_client, map, _thread, \ + urllib, zip +-from boto.vendored.six.moves.queue import Queue +-from boto.vendored.six.moves.urllib.parse import parse_qs, quote, unquote, \ ++from six.moves.queue import Queue ++from six.moves.urllib.parse import parse_qs, quote, unquote, \ + urlparse, urlsplit +-from boto.vendored.six.moves.urllib.parse import unquote_plus +-from boto.vendored.six.moves.urllib.request import urlopen ++from six.moves.urllib.parse import unquote_plus ++from six.moves.urllib.request import urlopen + + if six.PY3: + # StandardError was removed, so use the base exception type instead |