From eb557c0450684931b48b6975c80f8ce05f45a3d4 Mon Sep 17 00:00:00 2001 From: Carmen Rata Date: Fri, 20 Oct 2023 02:56:41 +0000 Subject: [PATCH] Set keyring dir group ownership on password change This commit changes the group ownership for "/opt/platform/.keyring" directory, and its subdirectories and files, from "root" to 'sys_protected', when keystone password changes for the admin user. The 'sys_protected' group ownership is needed to support access privileges for OpenLDAP/WAD users and is implemented by the ansible bootstrap configuration. The group ownership update in this commit is required because after a keystone and corresponding keyring password change for the admin user, the group ownership of the "/opt/platform/.keyring" directory has been reset to "root". As a consequence, an ldap user loses permission to access files in that directory. The group ownership reset is done in the keystone package. That is why the fix for this bug is delivered as a patch for the keystone package. Test Plan: PASS: Verify the keystone patch installs correctly. PASS: Verify the group ownership was applied correctly for files in "/opt/platform/.keyring" so they are part of the "sys_protected" group before changing keystone password for the admin user. PASS: Verify the group ownership for files in "/opt/platform/.keyring" remains "sys_protected" after changing keystone password for the admin user. PASS: Verify that an openldap user that is part of the "sys_protected" group can execute command: "source /etc/platform/openrc" after the keystone password has been changed for the admin user. Closes-Bug: 2039870 Change-Id: I0360d1f13725cca9900b967c32451fc6f7afe761 Signed-off-by: Carmen Rata --- ...002-change-group-perm-to-keyring-dir.patch | 47 +++++++++++++++++++ openstack/keystone/debian/patches/series | 1 + 2 files changed, 48 insertions(+) create mode 100644 openstack/keystone/debian/patches/0002-change-group-perm-to-keyring-dir.patch 
diff --git a/openstack/keystone/debian/patches/0002-change-group-perm-to-keyring-dir.patch b/openstack/keystone/debian/patches/0002-change-group-perm-to-keyring-dir.patch
new file mode 100644
index 00000000..159099e4
--- /dev/null
+++ b/openstack/keystone/debian/patches/0002-change-group-perm-to-keyring-dir.patch
@@ -0,0 +1,47 @@
+From b2a70f1e73a4d6bd67603c3c289ce7d44ee31f77 Mon Sep 17 00:00:00 2001
+From: Carmen Rata
+Date: Wed, 18 Oct 2023 03:01:22 +0000
+Subject: [PATCH] Change keyring directory group ownership to 'sys_protected'
+
+This patch changes the group ownership for "/opt/platform/.keyring"
+directory, and its subdirectories and files, from "root" to
+'sys_protected' when keystone password changes for the admin user.
+
+Signed-off-by: Carmen Rata
+---
+ keystone/identity/core.py | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/keystone/identity/core.py b/keystone/identity/core.py
+index 31d6cd6..249fe99 100644
+--- a/keystone/identity/core.py
++++ b/keystone/identity/core.py
+@@ -56,6 +56,7 @@ MEMOIZE_ID_MAPPING = cache.get_memoization_decorator(group='identity',
+ DOMAIN_CONF_FHEAD = 'keystone.'
+ DOMAIN_CONF_FTAIL = '.conf'
+ KEYRING_CGCS_SERVICE = "CGCS"
++KEYRING_DIR_PATH = "/opt/platform/.keyring"
+ 
+ # The number of times we will attempt to register a domain to use the SQL
+ # driver, if we find that another process is in the middle of registering or
+@@ -1147,6 +1148,17 @@ class Manager(manager.Manager):
+ if (user['name'] == 'admin'):
+ raise exception.WRSForbiddenAction(msg % user['name'])
+ 
++ # change group ownership to sys_protected for keyring directory
++ if os.path.isdir(KEYRING_DIR_PATH):
++ try:
++ os.system("chgrp -R sys_protected %s" % KEYRING_DIR_PATH)
++ except OSError as e:
++ LOG.exception("chgrp for %s OSError=%s failed" %
++ (KEYRING_DIR_PATH, e))
++ else:
++ LOG.exception("Directory %s does not exist" %
++ (KEYRING_DIR_PATH))
++
+ def _update_user_with_federated_objects(self, user, driver, entity_id):
+ # If the user did not pass a federated object along inside the user
+ # object then we simply update the user as normal and add the
+--
+2.34.1
+
diff --git a/openstack/keystone/debian/patches/series b/openstack/keystone/debian/patches/series
index 8661b867..d4e86962 100644
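Review bot: The failure path of the added chgrp block is effectively silent, because `os.system` reports a non-zero exit of `chgrp -R sys_protected …` only through its discarded return value, so the `except OSError` branch fires only if the shell itself cannot be spawned, and a failed group change (group missing, permission error) leaves the keyring unreadable to ldap users with no log line at all. Running the command through `subprocess.run` with an argument list and `check=True` keeps the constant path out of a shell and turns a non-zero exit into an exception the existing handler can log; this needs `import subprocess` near the top of core.py, outside this hunk. The `else` branch also calls `LOG.exception` with no active exception, which logs a spurious `NoneType: None` traceback; `LOG.warning("Directory %s does not exist", KEYRING_DIR_PATH)` is the intended call. The enclosing method starts before this hunk, so whether this runs on every user update or only on the admin password change is not visible here; if it runs on every update, a recursive chgrp of the whole keyring tree per call deserves a comment or a guard.
```python
# … unchanged: admin-user guard …
# change group ownership to sys_protected for keyring directory
if os.path.isdir(KEYRING_DIR_PATH):
    try:
        # argument list, no shell; check=True surfaces a non-zero exit
        subprocess.run(["chgrp", "-R", "sys_protected", KEYRING_DIR_PATH],
                       check=True)
    except (OSError, subprocess.CalledProcessError) as e:
        LOG.exception("chgrp for %s failed: %s", KEYRING_DIR_PATH, e)
else:
    LOG.warning("Directory %s does not exist", KEYRING_DIR_PATH)
```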
--- a/openstack/keystone/debian/patches/series
+++ b/openstack/keystone/debian/patches/series
@@ -1 +1,2 @@
 0001-Support-storing-users-in-keyring.patch
+0002-change-group-perm-to-keyring-dir.patch