feat: upgrade to bobcat (#887)
diff --git a/images/keystone/Earthfile b/images/keystone/Earthfile
index 9478a03..7aae428 100644
--- a/images/keystone/Earthfile
+++ b/images/keystone/Earthfile
@@ -1,19 +1,22 @@
VERSION 0.7
+ARG --global RELEASE=2023.2
+ARG --global PROJECT=keystone
+ARG --global PROJECT_REF=653d82b1b4e09b2ff37b56868e57d08c8e3af7dd
+
+build:
+ FROM ../openstack-service+builder --RELEASE=${RELEASE}
+ DO ../openstack-service+BUILD_VENV \
+ --PROJECT=${PROJECT} \
+ --PROJECT_REF=${PROJECT_REF} \
+ --EXTRAS "[ldap]" \
+ --PIP_PACKAGES "keystone-keycloak-backend==0.1.6"
+
image:
- ARG PROJECT=keystone
- ARG RELEASE=zed
- ARG REF=72a4fc0f3ccf7a5ca9fc40e5364e14f881ec27b2
- FROM ../openstack-service+image \
- --PROJECT ${PROJECT} \
- --RELEASE ${RELEASE} \
- --PROJECT_REF ${REF} \
- --PIP_PACKAGES "keystone-keycloak-backend==0.1.6" \
- --EXTRAS "[ldap]"
- DO \
- ../+APT_INSTALL \
+ FROM ../openstack-service+image --RELEASE ${RELEASE} --PROJECT ${PROJECT}
+ COPY +build/venv /var/lib/openstack
+ DO ../+APT_INSTALL \
--PACKAGES "apache2 libapache2-mod-wsgi-py3"
- DO ../+APPLY_PATCHES
ARG MOD_AUTH_OPENIDC_VERSION=2.4.12.1
ARG TARGETARCH
RUN \
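Review bot: `DO ../+APPLY_PATCHES` is removed from the `image` target while this same commit adds `images/keystone/patches/keystone/0000-Ensure-application-credentials-take-account-of-impli.patch`, so nothing visible in this Earthfile applies that patch any more. `BUILD_VENV` lives in `../openstack-service` and is not shown here; if it applies the per-project patches before building the venv, all is well, but that should be confirmed. Otherwise the image ships keystone at `PROJECT_REF` without the application-credential role change. If it does apply them, a comment above the `DO ../openstack-service+BUILD_VENV` line, such as `# BUILD_VENV applies patches/${PROJECT}/*.patch to the checkout before installing`, would make the dependency explicit. The `image` target continues past the end of this hunk.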
@@ -27,4 +30,4 @@
rm -rfv /var/lib/apt/lists/* libapache2-mod-auth-openidc_${MOD_AUTH_OPENIDC_VERSION}-1.$(lsb_release -sc)_${TARGETARCH}.deb
SAVE IMAGE --push \
ghcr.io/vexxhost/atmosphere/${PROJECT}:${RELEASE} \
- ghcr.io/vexxhost/atmosphere/${PROJECT}:${REF}
+ ghcr.io/vexxhost/atmosphere/${PROJECT}:${PROJECT_REF}
diff --git a/images/keystone/patches/keystone/0000-Ensure-application-credentials-take-account-of-impli.patch b/images/keystone/patches/keystone/0000-Ensure-application-credentials-take-account-of-impli.patch
new file mode 100644
index 0000000..83689fa
--- /dev/null
+++ b/images/keystone/patches/keystone/0000-Ensure-application-credentials-take-account-of-impli.patch
@@ -0,0 +1,47 @@
+From 6ee7ea0d63fed272beb3806d722c2dd3585e8212 Mon Sep 17 00:00:00 2001
+From: Andrew Bonney <andrew.bonney@bbc.co.uk>
+Date: Tue, 5 Sep 2023 14:56:51 +0100
+Subject: [PATCH] Ensure application credentials take account of implied roles
+
+Related-Bug: #2030061
+Change-Id: I2aea0b89987b24cf5ddaadeecbd06c32ad81a9bc
+---
+ keystone/models/token_model.py | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py
+index 78146295d..b152d97c2 100644
+--- a/keystone/models/token_model.py
++++ b/keystone/models/token_model.py
+@@ -429,7 +429,13 @@ class TokenModel(object):
+
+ def _get_application_credential_roles(self):
+ roles = []
++ roles_added = list()
+ app_cred_roles = self.application_credential['roles']
++ app_cred_roles = [{'role_id': r['id']} for r in app_cred_roles]
++ effective_app_cred_roles = (
++ PROVIDERS.assignment_api.add_implied_roles(app_cred_roles)
++ )
++
+ assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+ user_id=self.user_id,
+ project_id=self.project_id,
+@@ -437,9 +443,12 @@ class TokenModel(object):
+ effective=True)
+ user_roles = list(set([x['role_id'] for x in assignment_list]))
+
+- for role in app_cred_roles:
+- if role['id'] in user_roles:
++ for role in effective_app_cred_roles:
++ if role['role_id'] in user_roles and \
++ role['role_id'] not in roles_added:
++ role = PROVIDERS.role_api.get_role(role['role_id'])
+ roles.append({'id': role['id'], 'name': role['name']})
++ roles_added.append(role['id'])
+
+ return roles
+
+--
+2.34.1
+
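Review bot: Tokens for existing application credentials can carry more roles after this patch, and nothing in it documents that. In `_get_application_credential_roles` the credential's roles are passed through `add_implied_roles` before being intersected with `user_roles`, so a credential created with a single prior role will presumably also receive each role it implies that the user holds on the project. The diffstat shows only `keystone/models/token_model.py` changed, with no test. A docstring on the method would help, e.g. `"""Return the credential's roles, plus roles they imply, that the user still holds on the project."""`, along with an upgrade note for operators who scoped credentials narrowly. As a smaller style point, `roles_added` is only used for membership checks, so `roles_added = set()` with `roles_added.add(role['id'])` would read more directly. One line of the method between the two inner hunks is not shown.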