diff --git a/pkgs/tools/filesystems/ceph/default.nix b/pkgs/tools/filesystems/ceph/default.nix
index 3a9c513e566d5..a923f098f090e 100644
--- a/pkgs/tools/filesystems/ceph/default.nix
+++ b/pkgs/tools/filesystems/ceph/default.nix
@@ -142,7 +142,7 @@ let
 homepage = "https://ceph.io/en/";
 inherit description;
 license = with lib.licenses; [ lgpl21 gpl2Only bsd3 mit publicDomain ];
- maintainers = with lib.maintainers; [ adev ak johanot krav ];
+ maintainers = with lib.maintainers; [ adev ak johanot krav nh2 ];
 platforms = [ "x86_64-linux" "aarch64-linux" ];
 };
@@ -172,12 +172,18 @@ let
 python = python311.override {
 self = python;
 packageOverrides = self: super: let
- cryptographyOverrideVersion = "40.0.1";
 bcryptOverrideVersion = "4.0.1";
 in {
- # Ceph does not support `bcrypt` > 4.0 yet:
+ # Ceph does not support the following yet:
+ # * `bcrypt` > 4.0
+ # * `cryptography` > 40
+ # See:
+ # * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
 # * Upstream issue: https://tracker.ceph.com/issues/63529
 # > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
+ # * Moved to issue: https://tracker.ceph.com/issues/64213
+ # > MGR modules incompatible with later PyO3 versions - PyO3 modules may only be initialized once per interpreter process
+
 bcrypt = super.bcrypt.overridePythonAttrs (old: rec {
 pname = "bcrypt";
 version = bcryptOverrideVersion;
@@ -193,44 +199,12 @@ let
 hash = "sha256-lDWX69YENZFMu7pyBmavUZaalGvFqbHSHfkwkzmDQaY=";
 };
 });
- # Ceph does not support `cryptography` > 40 yet:
- # * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
- # * Upstream issue: https://tracker.ceph.com/issues/63529
- # > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
-
+ # We pin the older `cryptography` 40 here;
 # this also forces us to pin an older `pyopenssl` because the current one
 # is not compatible with older `cryptography`, see:
 # https://github.com/pyca/pyopenssl/blob/d9752e44127ba36041b045417af8a0bf16ec4f1e/CHANGELOG.rst#2320-2023-05-30
- cryptography = super.cryptography.overridePythonAttrs (old: rec {
- version = cryptographyOverrideVersion;
-
- src = fetchPypi {
- inherit (old) pname;
- version = cryptographyOverrideVersion;
- hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
- };
-
- cargoDeps = rustPlatform.fetchCargoTarball {
- inherit src;
- sourceRoot = let cargoRoot = "src/rust"; in "${old.pname}-${cryptographyOverrideVersion}/${cargoRoot}";
- name = "${old.pname}-${cryptographyOverrideVersion}";
- hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
- };
-
- # Not using the normal `(old.patches or []) ++` pattern here to use
- # the overridden package's patches, because current nixpkgs's `cryptography`
- # has patches that do not apply on this old version.
- patches = [
- # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
- # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
- ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
- ];
-
- # Tests would require overriding `cryptography-vectors`, which is not currently
- # possible/desired, see: https://github.com/NixOS/nixpkgs/pull/281858#pullrequestreview-1841421866
- doCheck = false;
- });
+ cryptography = self.callPackage ./old-python-packages/cryptography.nix {};
 # This is the most recent version of `pyopenssl` that's still compatible with `cryptography` 40.
 # See https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
@@ -249,6 +223,14 @@ let
 ];
 });
+
+ fastapi = super.fastapi.overridePythonAttrs (old: rec {
+ # Flaky test:
+ # ResourceWarning: Unclosed
+ # Unclear whether it's flaky in general or only in this overridden package set.
+ doCheck = false;
+ });
+
 # Ceph does not support `kubernetes` >= 19, see:
 # https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1900324090
 kubernetes = super.kubernetes.overridePythonAttrs (old: rec {
@@ -500,6 +482,7 @@ in rec {
 passthru = {
 inherit version;
+ inherit python; # to be able to test our overridden packages above individually with `nix-build -A`
 tests = {
 inherit (nixosTests) ceph-multi-node
diff --git a/pkgs/tools/filesystems/ceph/old-python-packages/cryptography-vectors.nix b/pkgs/tools/filesystems/ceph/old-python-packages/cryptography-vectors.nix
new file mode 100644
index 0000000000000..74fd8dd956768
--- /dev/null
+++ b/pkgs/tools/filesystems/ceph/old-python-packages/cryptography-vectors.nix
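Review bot: The new `cryptography = self.callPackage ./old-python-packages/cryptography.nix {};` line replaces `cryptography` for every consumer in this package set, not only for ceph-mgr, yet the security-relevant fact — that this is an outdated 40.x release carrying locally backported CVE fixes — is now stated only inside the new file. A one-line pointer at the call site would keep that in front of whoever next edits this override block, e.g. `# Outdated release with locally backported CVE fixes; read old-python-packages/cryptography.nix before changing anything that depends on it.` The enclosing `packageOverrides` function starts and ends outside this hunk.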
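Review bot: `doCheck = false;` in the new `fastapi` override switches off the whole test suite for one warning, and the comment's `# ResourceWarning: Unclosed` line appears to be cut off, so it does not record which test emits it. If fastapi's tests run under pytestCheckHook, naming that test in `disabledTests = [ "<TEST_NAME>" ];` (placeholder) would keep the rest of the suite running in this overridden set, which is the only place these pinned packages are exercised together. The `rec` and the unused `old` argument are also unnecessary for an attribute set that only sets `doCheck`.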
@@ -0,0 +1,36 @@
+# This older version only exists because `ceph` needs it, see `cryptography.nix`.
+{
+ buildPythonPackage,
+ fetchPypi,
+ lib,
+ cryptography,
+}:
+
+buildPythonPackage rec {
+ pname = "cryptography-vectors";
+ # The test vectors must have the same version as the cryptography package
+ inherit (cryptography) version;
+ format = "setuptools";
+
+ src = fetchPypi {
+ pname = "cryptography_vectors";
+ inherit version;
+ hash = "sha256-hGBwa1tdDOSoVXHKM4nPiPcAu2oMYTPcn+D1ovW9oEE=";
+ };
+
+ # No tests included
+ doCheck = false;
+
+ pythonImportsCheck = [ "cryptography_vectors" ];
+
+ meta = with lib; {
+ description = "Test vectors for the cryptography package";
+ homepage = "https://cryptography.io/en/latest/development/test-vectors/";
+ # Source: https://github.com/pyca/cryptography/tree/master/vectors;
+ license = with licenses; [
+ asl20
+ bsd3
+ ];
+ maintainers = with maintainers; [ nh2 ];
+ };
+}
diff --git a/pkgs/tools/filesystems/ceph/old-python-packages/cryptography.nix b/pkgs/tools/filesystems/ceph/old-python-packages/cryptography.nix
new file mode 100644
index 0000000000000..8583cce73daef
--- /dev/null
+++ b/pkgs/tools/filesystems/ceph/old-python-packages/cryptography.nix
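Review bot: `inherit (cryptography) version;` combined with a fixed `hash` means this file is only correct when the `cryptography` argument resolves to the pinned 40.x package from `cryptography.nix`; it appears to, because that file is bound as the set's `cryptography` in ceph's `packageOverrides`, but called from any other scope the version and the hash would disagree and the fetch would fail. The header comment should say so, e.g. `# The test vectors must have the same version as the cryptography package; the hash below belongs to the 40.x release pinned in cryptography.nix, so this file is only valid in that scope.` The `# Source:` comment also ends with a stray semicolon.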
@@ -0,0 +1,135 @@
+# This older version only exists because `ceph` needs it, see its package.
+{
+ lib,
+ stdenv,
+ callPackage,
+ buildPythonPackage,
+ fetchPypi,
+ fetchpatch,
+ rustPlatform,
+ cargo,
+ rustc,
+ setuptoolsRustBuildHook,
+ openssl,
+ Security ? null,
+ isPyPy,
+ cffi,
+ pkg-config,
+ pytestCheckHook,
+ pytest-subtests,
+ pythonOlder,
+ pretend,
+ libiconv,
+ libxcrypt,
+ iso8601,
+ py,
+ pytz,
+ hypothesis,
+}:
+
+let
+ cryptography-vectors = callPackage ./cryptography-vectors.nix { };
+in
+buildPythonPackage rec {
+ pname = "cryptography";
+ version = "40.0.1"; # Also update the hash in vectors.nix
+ format = "setuptools";
+ disabled = pythonOlder "3.6";
+
+ src = fetchPypi {
+ inherit pname version;
+ hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
+ };
+
+ cargoDeps = rustPlatform.fetchCargoTarball {
+ inherit src;
+ sourceRoot = "${pname}-${version}/${cargoRoot}";
+ name = "${pname}-${version}";
+ hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
+ };
+
+ # Since Cryptography v40 is quite outdated, we need to backport
+ # security fixes that are only available in newer versions.
+ patches = [
+ # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
+ # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
+ ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
+
+ # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
+ # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
+ (fetchpatch {
+ name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
+ url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
+ hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
+ })
+ ];
+
+ postPatch = ''
+ substituteInPlace pyproject.toml \
+ --replace "--benchmark-disable" ""
+ '';
+
+ cargoRoot = "src/rust";
+
+ nativeBuildInputs = [
+ rustPlatform.cargoSetupHook
+ setuptoolsRustBuildHook
+ cargo
+ rustc
+ pkg-config
+ ] ++ lib.optionals (!isPyPy) [ cffi ];
+
+ buildInputs =
+ [ openssl ]
+ ++ lib.optionals stdenv.isDarwin [
+ Security
+ libiconv
+ ]
+ ++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];
+
+ propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];
+
+ nativeCheckInputs = [
+ cryptography-vectors
+ hypothesis
+ iso8601
+ pretend
+ py
+ pytestCheckHook
+ pytest-subtests
+ pytz
+ ];
+
+ pytestFlagsArray = [ "--disable-pytest-warnings" ];
+
+ disabledTestPaths =
+ [
+ # save compute time by not running benchmarks
+ "tests/bench"
+ ]
+ ++ lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [
+ # aarch64-darwin forbids W+X memory, but this tests depends on it:
+ # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
+ "tests/hazmat/backends/test_openssl_memleak.py"
+ ];
+
+ meta = with lib; {
+ description = "A package which provides cryptographic recipes and primitives";
+ longDescription = ''
+ Cryptography includes both high level recipes and low level interfaces to
+ common cryptographic algorithms such as symmetric ciphers, message
+ digests, and key derivation functions.
+ Our goal is for it to be your "cryptographic standard library". It
+ supports Python 2.7, Python 3.5+, and PyPy 5.4+.
+ '';
+ homepage = "https://github.com/pyca/cryptography";
+ changelog =
+ "https://cryptography.io/en/latest/changelog/#v" + replaceStrings [ "." ] [ "-" ] version;
+ license = with licenses; [
+ asl20
+ bsd3
+ psfl
+ ];
+ maintainers = with maintainers; [ nh2 ];
+ };
+}
diff --git a/pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch b/pkgs/tools/filesystems/ceph/old-python-packages/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
similarity index 100%
rename from pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
rename to pkgs/tools/filesystems/ceph/old-python-packages/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
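Review bot: The `patches` header says security fixes from newer releases are backported, but it records neither which upstream advisories were surveyed nor when, so a later maintainer cannot tell whether an advisory against 40.x that is not listed here was judged inapplicable or simply not seen; since `version = "40.0.1"` guarantees that version-based scanners will keep flagging this derivation, that record is the only thing that answers them. A comment such as `# Advisories reviewed up to <DATE>; any later fix that affects 40.x needs a patch added here.` (placeholder date) would close that gap. The comment `# Also update the hash in vectors.nix` names a file that does not exist; the sibling is `cryptography-vectors.nix`. `longDescription` still claims support for Python 2.7, 3.5+ and PyPy 5.4+ while `disabled = pythonOlder "3.6"` says otherwise.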