From fa977464cfee5c0deccc585d10bdce223a01a4e0 Mon Sep 17 00:00:00 2001
From: Duncan Bellamy
Date: Wed, 15 Nov 2023 06:46:19 +0000
Subject: [PATCH] community/ceph18: upgrade to 18.2.1
---
community/ceph18/10-isal.patch | 35 ++++
community/ceph18/47-bcrypt.patch | 26 +++
community/ceph18/47-remove-py-jwt.patch | 225 ++++++++++++++++++++++++
community/ceph18/APKBUILD | 20 ++-
4 files changed, 298 insertions(+), 8 deletions(-)
create mode 100644 community/ceph18/47-bcrypt.patch
create mode 100644 community/ceph18/47-remove-py-jwt.patch
diff --git a/community/ceph18/10-isal.patch b/community/ceph18/10-isal.patch
index 42a5b7cd019..356ba2cea48 100644
--- a/community/ceph18/10-isal.patch
+++ b/community/ceph18/10-isal.patch
@@ -231,3 +231,38 @@ diff -Nurp a/src/erasure-code/isa/CMakeLists.txt b/src/erasure-code/isa/CMakeLis set_target_properties(ec_isa PROPERTIES INSTALL_RPATH "") install(TARGETS ec_isa DESTINATION ${erasure_plugin_dir}) +diff -Nurp a/src/erasure-code/isa/ErasureCodeIsa.cc b/src/erasure-code/isa/ErasureCodeIsa.cc +--- a/src/erasure-code/isa/ErasureCodeIsa.cc 2023-10-10 11:01:53.784963054 +0000 ++++ b/src/erasure-code/isa/ErasureCodeIsa.cc 2023-10-10 11:02:22.213371017 +0000 +@@ -25,7 +25,7 @@ using namespace ceph; + + // ----------------------------------------------------------------------------- + extern "C" { +-#include "isa-l/include/erasure_code.h" ++#include "isa-l/erasure_code.h" + } + // ----------------------------------------------------------------------------- + #define dout_context g_ceph_context +--- a/src/compressor/zlib/ZlibCompressor.cc ++++ b/src/compressor/zlib/ZlibCompressor.cc +@@ -16,7 +16,7 @@ + #include "common/debug.h" + #include "ZlibCompressor.h" + #include "osd/osd_types.h" +-#include "isa-l/include/igzip_lib.h" ++#include "isa-l/igzip_lib.h" + // ----------------------------------------------------------------------------- + + #include +--- a/src/compressor/zstd/ZstdCompressor.h ++++ b/src/compressor/zstd/ZstdCompressor.h +@@ -16,7 +16,7 @@ + #define CEPH_ZSTDCOMPRESSOR_H + + #define ZSTD_STATIC_LINKING_ONLY +-#include "zstd/lib/zstd.h" ++#include "zstd.h" + + #include "include/buffer.h" + #include "include/encoding.h" + diff --git a/community/ceph18/47-bcrypt.patch b/community/ceph18/47-bcrypt.patch new file mode 100644 index 00000000000..326ce100c8f --- /dev/null +++ b/community/ceph18/47-bcrypt.patch 
@@ -0,0 +1,26 @@ +https://gitlab.alpinelinux.org/alpine/aports/-/issues/15620 + +diff -Nurp a/src/pybind/mgr/dashboard/services/access_control.py b/src/pybind/mgr/dashboard/services/access_control.py +--- a/src/pybind/mgr/dashboard/services/access_control.py 2024-01-03 00:12:46.140405728 +0000 ++++ b/src/pybind/mgr/dashboard/services/access_control.py 2024-01-03 00:14:22.825611708 +0000 +@@ -12,7 +12,7 @@ from datetime import datetime, timedelta + from string import ascii_lowercase, ascii_uppercase, digits, punctuation + from typing import List, Optional, Sequence + +-import bcrypt ++import bcrypt_ceph as bcrypt + from mgr_module import CLICheckNonemptyFileInput, CLIReadCommand, CLIWriteCommand + from mgr_util import password_hash + +diff -Nurp a/src/pybind/mgr/mgr_util.py b/src/pybind/mgr/mgr_util.py +--- a/src/pybind/mgr/mgr_util.py 2024-01-03 00:11:59.903829031 +0000 ++++ b/src/pybind/mgr/mgr_util.py 2024-01-03 00:13:56.113278518 +0000 +@@ -3,7 +3,7 @@ import os + if 'UNITTEST' in os.environ: + import tests + +-import bcrypt ++import bcrypt_ceph as bcrypt + import cephfs + import contextlib + import datetime diff --git a/community/ceph18/47-remove-py-jwt.patch b/community/ceph18/47-remove-py-jwt.patch new file mode 100644 index 00000000000..3ec63ce9efc --- /dev/null +++ b/community/ceph18/47-remove-py-jwt.patch 
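Review bot: The rename to `import bcrypt_ceph as bcrypt` is applied only in `access_control.py` and `mgr_util.py`, while the APKBUILD part of this commit replaces `py3-bcrypt` with `py3-bcrypt-ceph` in both dependency lists; any other module in the ceph tree that still does `import bcrypt` would presumably fail at import time inside the mgr, so a grep of the unpacked source for remaining `import bcrypt` lines is worth doing before merge. The patch header carries only the issue URL, and since these two files are the password-hashing path (`password_hash` is imported from `mgr_util` in the visible context), a description line above the link would help, for example `Use the bcrypt_ceph module from py3-bcrypt-ceph in place of bcrypt: <reason, from issue 15620>`. That also tells a later maintainer under what condition the patch can be dropped.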
@@ -0,0 +1,225 @@ +https://gitlab.alpinelinux.org/alpine/aports/-/issues/15620 + +diff --git a/ceph.spec.in b/ceph.spec.in +index 3807f48280e95..9aa2432dcd480 100644 +--- a/ceph.spec.in ++++ b/ceph.spec.in +@@ -414,7 +414,6 @@ BuildRequires: xmlsec1-nss + BuildRequires: xmlsec1-openssl + BuildRequires: xmlsec1-openssl-devel + BuildRequires: python%{python3_pkgversion}-cherrypy +-BuildRequires: python%{python3_pkgversion}-jwt + BuildRequires: python%{python3_pkgversion}-routes + BuildRequires: python%{python3_pkgversion}-scipy + BuildRequires: python%{python3_pkgversion}-werkzeug +@@ -427,7 +426,6 @@ BuildRequires: libxmlsec1-1 + BuildRequires: libxmlsec1-nss1 + BuildRequires: libxmlsec1-openssl1 + BuildRequires: python%{python3_pkgversion}-CherryPy +-BuildRequires: python%{python3_pkgversion}-PyJWT + BuildRequires: python%{python3_pkgversion}-Routes + BuildRequires: python%{python3_pkgversion}-Werkzeug + BuildRequires: python%{python3_pkgversion}-numpy-devel +@@ -629,7 +627,6 @@ Requires: ceph-prometheus-alerts = %{_epoch_prefix}%{version}-%{release} + Requires: python%{python3_pkgversion}-setuptools + %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler} + Requires: python%{python3_pkgversion}-cherrypy +-Requires: python%{python3_pkgversion}-jwt + Requires: python%{python3_pkgversion}-routes + Requires: python%{python3_pkgversion}-werkzeug + %if 0%{?weak_deps} +@@ -638,7 +635,6 @@ Recommends: python%{python3_pkgversion}-saml + %endif + %if 0%{?suse_version} + Requires: python%{python3_pkgversion}-CherryPy +-Requires: python%{python3_pkgversion}-PyJWT + Requires: python%{python3_pkgversion}-Routes + Requires: python%{python3_pkgversion}-Werkzeug + Recommends: python%{python3_pkgversion}-python3-saml +diff --git a/debian/control b/debian/control +index 5ae413ce774ab..f1bdec95a2efd 100644 +--- a/debian/control ++++ b/debian/control +@@ -91,7 +91,6 @@ Build-Depends: automake, + python3-all-dev, + python3-cherrypy3, + python3-natsort, +- python3-jwt , + python3-pecan , + 
python3-bcrypt , + tox , +diff --git a/src/pybind/mgr/dashboard/constraints.txt b/src/pybind/mgr/dashboard/constraints.txt +index 55f81c92dec06..fd6141048800a 100644 +--- a/src/pybind/mgr/dashboard/constraints.txt ++++ b/src/pybind/mgr/dashboard/constraints.txt +@@ -1,6 +1,5 @@ + CherryPy~=13.1 + more-itertools~=8.14 +-PyJWT~=2.0 + bcrypt~=3.1 + python3-saml~=1.4 + requests~=2.26 +diff --git a/src/pybind/mgr/dashboard/exceptions.py b/src/pybind/mgr/dashboard/exceptions.py +index 96cbc52335613..d396a38d2c3a2 100644 +--- a/src/pybind/mgr/dashboard/exceptions.py ++++ b/src/pybind/mgr/dashboard/exceptions.py +@@ -121,3 +121,15 @@ class GrafanaError(Exception): + + class PasswordPolicyException(Exception): + pass ++ ++ ++class ExpiredSignatureError(Exception): ++ pass ++ ++ ++class InvalidTokenError(Exception): ++ pass ++ ++ ++class InvalidAlgorithmError(Exception): ++ pass +diff --git a/src/pybind/mgr/dashboard/requirements.txt b/src/pybind/mgr/dashboard/requirements.txt +index 8003d62a5523f..292971819c9c6 100644 +--- a/src/pybind/mgr/dashboard/requirements.txt ++++ b/src/pybind/mgr/dashboard/requirements.txt +@@ -1,7 +1,6 @@ + bcrypt + CherryPy + more-itertools +-PyJWT + pyopenssl + requests + Routes +diff --git a/src/pybind/mgr/dashboard/services/auth.py b/src/pybind/mgr/dashboard/services/auth.py +index f13963abffdd4..3c6002312524d 100644 +--- a/src/pybind/mgr/dashboard/services/auth.py ++++ b/src/pybind/mgr/dashboard/services/auth.py +@@ -1,17 +1,19 @@ + # -*- coding: utf-8 -*- + ++import base64 ++import hashlib ++import hmac + import json + import logging + import os + import threading + import time + import uuid +-from base64 import b64encode + + import cherrypy +-import jwt + + from .. 
import mgr ++from ..exceptions import ExpiredSignatureError, InvalidAlgorithmError, InvalidTokenError + from .access_control import LocalAuthenticator, UserDoesNotExist + + cherrypy.config.update({ +@@ -33,7 +35,7 @@ class JwtManager(object): + @staticmethod + def _gen_secret(): + secret = os.urandom(16) +- return b64encode(secret).decode('utf-8') ++ return base64.b64encode(secret).decode('utf-8') + + @classmethod + def init(cls): +@@ -45,6 +47,54 @@ def init(cls): + mgr.set_store('jwt_secret', secret) + cls._secret = secret + ++ @classmethod ++ def array_to_base64_string(cls, message): ++ jsonstr = json.dumps(message, sort_keys=True).replace(" ", "") ++ string_bytes = base64.urlsafe_b64encode(bytes(jsonstr, 'UTF-8')) ++ return string_bytes.decode('UTF-8').replace("=", "") ++ ++ @classmethod ++ def encode(cls, message, secret): ++ header = {"alg": cls.JWT_ALGORITHM, "typ": "JWT"} ++ base64_header = cls.array_to_base64_string(header) ++ base64_message = cls.array_to_base64_string(message) ++ base64_secret = base64.urlsafe_b64encode(hmac.new( ++ bytes(secret, 'UTF-8'), ++ msg=bytes(base64_header + "." + base64_message, 'UTF-8'), ++ digestmod=hashlib.sha256 ++ ).digest()).decode('UTF-8').replace("=", "") ++ return base64_header + "." + base64_message + "." + base64_secret ++ ++ @classmethod ++ def decode(cls, message, secret): ++ split_message = message.split(".") ++ base64_header = split_message[0] ++ base64_message = split_message[1] ++ base64_secret = split_message[2] ++ ++ decoded_header = json.loads(base64.urlsafe_b64decode(base64_header)) ++ ++ if decoded_header['alg'] != cls.JWT_ALGORITHM: ++ raise InvalidAlgorithmError() ++ ++ incoming_secret = base64.urlsafe_b64encode(hmac.new( ++ bytes(secret, 'UTF-8'), ++ msg=bytes(base64_header + "." 
+ base64_message, 'UTF-8'), ++ digestmod=hashlib.sha256 ++ ).digest()).decode('UTF-8').replace("=", "") ++ ++ if base64_secret != incoming_secret: ++ raise InvalidTokenError() ++ ++ # We add ==== as padding to ignore the requirement to have correct padding in ++ # the urlsafe_b64decode method. ++ decoded_message = json.loads(base64.urlsafe_b64decode(base64_message + "====")) ++ now = int(time.time()) ++ if decoded_message['exp'] < now: ++ raise ExpiredSignatureError() ++ ++ return decoded_message ++ + @classmethod + def gen_token(cls, username): + if not cls._secret: +@@ -59,13 +109,13 @@ def gen_token(cls, username): + 'iat': now, + 'username': username + } +- return jwt.encode(payload, cls._secret, algorithm=cls.JWT_ALGORITHM) # type: ignore ++ return cls.encode(payload, cls._secret) # type: ignore + + @classmethod + def decode_token(cls, token): + if not cls._secret: + cls.init() +- return jwt.decode(token, cls._secret, algorithms=cls.JWT_ALGORITHM) # type: ignore ++ return cls.decode(token, cls._secret) # type: ignore + + @classmethod + def get_token_from_header(cls): +@@ -99,8 +149,8 @@ def get_username(cls): + @classmethod + def get_user(cls, token): + try: +- dtoken = JwtManager.decode_token(token) +- if not JwtManager.is_blocklisted(dtoken['jti']): ++ dtoken = cls.decode_token(token) ++ if not cls.is_blocklisted(dtoken['jti']): + user = AuthManager.get_user(dtoken['username']) + if user.last_update <= dtoken['iat']: + return user +@@ -110,10 +160,12 @@ def get_user(cls, token): + ) + else: + cls.logger.debug('Token is block-listed') # type: ignore +- except jwt.ExpiredSignatureError: ++ except ExpiredSignatureError: + cls.logger.debug("Token has expired") # type: ignore +- except jwt.InvalidTokenError: ++ except InvalidTokenError: + cls.logger.debug("Failed to decode token") # type: ignore ++ except InvalidAlgorithmError: ++ cls.logger.debug("Only the HS256 algorithm is supported.") # type: ignore + except UserDoesNotExist: + cls.logger.debug( # type: 
ignore + "Invalid token: user %s does not exist", dtoken['username'] diff --git a/community/ceph18/APKBUILD b/community/ceph18/APKBUILD index e8f3c96ff0e..2d1d866a5a9 100644 --- a/community/ceph18/APKBUILD +++ b/community/ceph18/APKBUILD @@ -3,8 +3,8 @@ # Contributor: Duncan Bellamy # Maintainer: Duncan Bellamy _pkgname=ceph -pkgver=18.2.0 -pkgrel=9 +pkgver=18.2.1 +pkgrel=0 _majorver=${pkgver%%.*} pkgname=$_pkgname$_majorver pkgdesc="Ceph is a distributed object store and file system, version $_majorver" @@ -12,7 +12,6 @@ pkgusers="ceph" pkggroups="ceph" url="https://ceph.io/en/" # 32-bit: needs more patching specific to 32bit builds -# riscv64: dashboard build runs out of memory arch="all !armhf !armv7 !x86" # https://github.com/ceph/ceph/blob/master/COPYING license="LGPL-2.1-only AND LGPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND CC-BY-SA-1.0 AND BSL-1.0 AND GPL-2.0-or-later WITH Autoconf-exception-2.0 AND BSD-3-Clause AND MIT AND custom" @@ -41,9 +40,8 @@ _ceph_test_deps=" xmlstarlet " _dashboard_deps=" - py3-bcrypt + py3-bcrypt-ceph py3-cherrypy - py3-jwt py3-more-itertools py3-openssl py3-prettytable @@ -52,7 +50,7 @@ _dashboard_deps=" py3-yaml " _mgr_modules_deps=" - py3-bcrypt + py3-bcrypt-ceph py3-cherrypy py3-dateutil py3-natsort @@ -153,9 +151,12 @@ source="https://download.ceph.com/tarballs/ceph-$pkgver.tar.gz 21-yarn.patch 35-fix_ErasureCodeShec.patch 46-statx.patch + 47-bcrypt.patch + 47-remove-py-jwt.patch boost-1.81.patch gcc13.patch ceph-18.2.0-fmt10-fixes.patch + $pkgname-rook-$pkgver.patch::https://github.com/ceph/ceph/pull/54521/commits/1f4a4bd88dbaf7bb621ae3ca6989d36656ae1d4e.patch " # to prevent things from installing wrong ceph libs, since they have the same SOMAJOR sonameprefix="ceph$_majorver:so:" 
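Review bot: In the added `JwtManager.decode` the signature check `if base64_secret != incoming_secret:` is an ordinary string comparison rather than a constant-time one; `hmac` is already imported, so the two values should go through `hmac.compare_digest`, encoded to bytes because its str form rejects non-ASCII input taken from the token. The header is also parsed before the signature is verified and without the `====` padding the payload gets, so a token with fewer than three segments, invalid base64 or JSON, or a header without `alg` raises `IndexError`, `binascii.Error`, `ValueError` or `KeyError`, none of which the `except` clauses visible in `get_user` catch. Mapping those to `InvalidTokenError` keeps a malformed token on the same rejection path as a forged one. Separately, `array_to_base64_string` strips every space with `.replace(" ", "")`, which also alters spaces inside values such as `username`; `json.dumps(message, sort_keys=True, separators=(',', ':'))` gives the compact form without touching values. The rest of `get_user` lies outside the inner hunk, so whether a broader handler follows cannot be seen from this patch.

```python
    @classmethod
    def decode(cls, message, secret):
        try:
            # Exactly three segments; anything else is not a compact JWS.
            base64_header, base64_message, base64_secret = message.split(".")
            decoded_header = json.loads(
                base64.urlsafe_b64decode(base64_header + "===="))
            algorithm = decoded_header['alg']
        except (ValueError, KeyError, TypeError) as exc:
            # binascii.Error and json.JSONDecodeError are ValueError subclasses.
            raise InvalidTokenError() from exc

        if algorithm != cls.JWT_ALGORITHM:
            raise InvalidAlgorithmError()

        # … unchanged: incoming_secret HMAC-SHA256 computation …

        if not hmac.compare_digest(base64_secret.encode('UTF-8'),
                                   incoming_secret.encode('UTF-8')):
            raise InvalidTokenError()

        # … unchanged: payload decode and exp check …
```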
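Review bot: The new `source` entry `$pkgname-rook-$pkgver.patch::https://github.com/ceph/ceph/pull/54521/commits/1f4a4bd88dbaf7bb621ae3ca6989d36656ae1d4e.patch` is the only patch in this aport fetched at build time from a pull-request URL rather than shipped in the aport directory. Its content is pinned by the `ceph18-rook-18.2.1.patch` entry added to `sha512sums`, so integrity is covered, but a forge-rendered `.patch` is not guaranteed to stay byte-identical or available, and a mismatch would then stop the build. Committing the file next to `47-bcrypt.patch` and `47-remove-py-jwt.patch` would make it reviewable in-tree and remove the dependency on the remote rendering. If the remote form is kept, a comment above the entry such as `# rook mgr module fix from ceph PR 54521, drop when included in a release` would record why it is there.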
@@ -722,11 +723,11 @@ _default_replace_majorversion() { } sha512sums=" -fe6a3ca4227cc05b5effc33a02670c466583ec9e4c7c025241248223992254e6e6551d7db486d5ead36bf0ba922d54e0aabc2aaf456d4593679376ec88bd971a ceph-18.2.0.tar.gz +88e1c18bc6c824b6203cf026cca4c9409000e7cf5b2b986e22ab74d2790d8b93d91556bd3af15a320dbdd0cf2302308f0b2c75fd1243bc5a65f76fc6b3d70736 ceph-18.2.1.tar.gz 110bdbcb40216c7ed155a8d23020784741b4992d895f4f04a146d275506e4e68053854d3b063b41e9c9b3e3e4f95b6b90602f92c185c853c0d8f47ad0c6b7121 ceph.confd ce5f162501f6b67fe254546dddf880d1a5b1d1a0fa69e0b1918de17e8da45c5c6124512b8cbd98b76f29d931403de0d11c5ffd330ed8ee1f4dc75bb04baecae3 ceph.initd 7e22028109cccffe026899ea20b02f8077261d5f6fcd69fe627179712c85820ff7b66992d191f634233d0138513ec064deb759a2422b15b94a69ab2892c2da1b 10-isal_crypto.patch -b50e99c4d92f0e7d9035b716963e9190d0842e71c8990d79dba880f8e86a39610cab9787fded305eec25d1c974540d9d7418a2014bdc1d2736d180d0a5f16ff1 10-isal.patch +c2efcf108708bc1212c4433f41a22b66a92cb44c1500afe233583dfd936ed977b223dfdcfd501b66b16663db507637e4ac6c6d8ef00a3fe57c243a3b3ad9f47c 10-isal.patch 94687578411bf0de1b17555ed81c188c88ea63ac4a25993bd8fde9cf68afbbfbdec7b2d7c54fdcfbd4aed4eb78754e8061c308955596cbe037ff15b575874cc6 10-musl-fixes.patch 211e6f5f8fc962878196ec917984781eb4a8a9495bcc8d1729b34ac66abd2d4a0b7388ae2caee9d5deb664d54860d120a37215924625e82eac9bfca16179667a 11-dump_time_header_impl.patch 253a7bf9fa6a68547f2c9269570be86aa659ef75ab0ed4c9d1a53be70de1ca6079508f19fe5ddb02ed9edda349e121037f8ed4d6b5b0e640edaab863ce6b280d 11-parse_rfc1123_alt.patch 
@@ -736,7 +737,10 @@ b50e99c4d92f0e7d9035b716963e9190d0842e71c8990d79dba880f8e86a39610cab9787fded305e b947a8f13e08b1cfaad82906ac04fa875c651cff660e64c43c7ba52eedb2a79fb2dc276f8e3ac9ee7d1264414bcee78640ec0cfc31600394313ddb0c6baf76c8 21-yarn.patch abb3cab9c01cc3d6d42a9858678059a8c9c43bda2649bf97b489fdc205eb10ae27f9fb7302062e0fb41f5cffddbfc2ae529130569034f373732a0a5d33aba86e 35-fix_ErasureCodeShec.patch f589c85baca2654e54ebd986ddda70a9b38116332c7c10aa5b75cd8a9c37e8d157baf0ad9ac91e36750046e7554d6831d93cb16d3967b5986155b8f38cff66c5 46-statx.patch +71ffe6f3263b3546bb3d3593981a288ee8136d44f8c1e734ecfae65b71ea3f7c91e6040c337f237fa41269328378c955e93ed13b9d35e0ad8efd785b75d0f595 47-bcrypt.patch +62032b400787ceb63418b20cb305ca97c71ccdbf6169a726b814c063fa816ac6945fd29d13eb8eec74152663b949b832f0dbd7cf7f869893b2e270661e8affa1 47-remove-py-jwt.patch ad71fda050df8658d653f9131855c28ff889395dfcc70a3124575c8b063c8e84eca7eb390232b6ee5a05238c4f953c5b55af7e961b1a99360696097a702686cd boost-1.81.patch afef1cc7e43f500d95d2ffd1687cfcb756e9d8dec729186a25d513d4401b38f00edac922562a161575b1da1a65ded3e99d01cf34f9bc329f6d08cf2b896acd0c gcc13.patch 869b61692b3c7854dc205dab8ee0d361b8b26eef6fe7d703f58575e31ba4839736d55c95bd55327ac98c5d6da46709c1e0991f5586483bd835251e017a322055 ceph-18.2.0-fmt10-fixes.patch +fcd138a08e669dc9e79ad6a1eb0f79679744a76e0a5fc26114b0093f3438355c23b088d432e6aa13131aee2db807278450fe198603d94d7af8e252da82fcc3b4 ceph18-rook-18.2.1.patch "