diff --git a/.custodia.metadata b/.custodia.metadata
new file mode 100644
index 0000000..db52fee
--- /dev/null
+++ b/.custodia.metadata
@@ -0,0 +1 @@
+7bfa722c3afe0151157e0d73d90a38ee97d8d5c8 SOURCES/custodia-0.3.1.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f89fec4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/custodia-0.3.1.tar.gz
diff --git a/SOURCES/0001-Vendor-configparser-3.5.0.patch b/SOURCES/0001-Vendor-configparser-3.5.0.patch
new file mode 100644
index 0000000..ce43770
--- /dev/null
+++ b/SOURCES/0001-Vendor-configparser-3.5.0.patch
@@ -0,0 +1,1668 @@
+From 85001e92986b3e3f6b7dcbbe5d71cde99962fd58 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 28 Mar 2017 17:49:39 +0200
+Subject: [PATCH 1/4] Vendor configparser-3.5.0
+
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ custodia/vendor/backports/__init__.py              |   11 +
+ custodia/vendor/backports/configparser/__init__.py | 1390 ++++++++++++++++++++
+ custodia/vendor/backports/configparser/helpers.py  |  171 +++
+ custodia/vendor/configparser.py                    |   52 +
+ 4 files changed, 1624 insertions(+)
+ create mode 100644 custodia/vendor/backports/__init__.py
+ create mode 100644 custodia/vendor/backports/configparser/__init__.py
+ create mode 100644 custodia/vendor/backports/configparser/helpers.py
+ create mode 100644 custodia/vendor/configparser.py
+
+diff --git a/custodia/vendor/backports/__init__.py b/custodia/vendor/backports/__init__.py
+new file mode 100644
+index 0000000..f84d25c
+--- /dev/null
++++ b/custodia/vendor/backports/__init__.py
+@@ -0,0 +1,11 @@
++# A Python "namespace package" http://www.python.org/dev/peps/pep-0382/
++# This always goes inside of a namespace package's __init__.py
++
++from pkgutil import extend_path
++__path__ = extend_path(__path__, __name__)
++
++try:
++    import pkg_resources
++    pkg_resources.declare_namespace(__name__)
++except ImportError:
++    pass
+diff --git a/custodia/vendor/backports/configparser/__init__.py b/custodia/vendor/backports/configparser/__init__.py
+new file mode 100644
+index 0000000..06d7a08
+--- /dev/null
++++ b/custodia/vendor/backports/configparser/__init__.py
+@@ -0,0 +1,1390 @@
++#!/usr/bin/env python
++# -*- coding: utf-8 -*-
++
++"""Configuration file parser.
++
++A configuration file consists of sections, lead by a "[section]" header,
++and followed by "name: value" entries, with continuations and such in
++the style of RFC 822.
++
++Intrinsic defaults can be specified by passing them into the
++ConfigParser constructor as a dictionary.
++
++class:
++
++ConfigParser -- responsible for parsing a list of
++                    configuration files, and managing the parsed database.
++
++    methods:
++
++    __init__(defaults=None, dict_type=_default_dict, allow_no_value=False,
++             delimiters=('=', ':'), comment_prefixes=('#', ';'),
++             inline_comment_prefixes=None, strict=True,
++             empty_lines_in_values=True, default_section='DEFAULT',
++             interpolation=<unset>, converters=<unset>):
++        Create the parser. When `defaults' is given, it is initialized into the
++        dictionary or intrinsic defaults. The keys must be strings, the values
++        must be appropriate for %()s string interpolation.
++
++        When `dict_type' is given, it will be used to create the dictionary
++        objects for the list of sections, for the options within a section, and
++        for the default values.
++
++        When `delimiters' is given, it will be used as the set of substrings
++        that divide keys from values.
++
++        When `comment_prefixes' is given, it will be used as the set of
++        substrings that prefix comments in empty lines. Comments can be
++        indented.
++
++        When `inline_comment_prefixes' is given, it will be used as the set of
++        substrings that prefix comments in non-empty lines.
++
++        When `strict` is True, the parser won't allow for any section or option
++        duplicates while reading from a single source (file, string or
++        dictionary). Default is True.
++
++        When `empty_lines_in_values' is False (default: True), each empty line
++        marks the end of an option. Otherwise, internal empty lines of
++        a multiline option are kept as part of the value.
++
++        When `allow_no_value' is True (default: False), options without
++        values are accepted; the value presented for these is None.
++
++    sections()
++        Return all the configuration section names, sans DEFAULT.
++
++    has_section(section)
++        Return whether the given section exists.
++
++    has_option(section, option)
++        Return whether the given option exists in the given section.
++
++    options(section)
++        Return list of configuration options for the named section.
++
++    read(filenames, encoding=None)
++        Read and parse the list of named configuration files, given by
++        name.  A single filename is also allowed.  Non-existing files
++        are ignored.  Return list of successfully read files.
++
++    read_file(f, filename=None)
++        Read and parse one configuration file, given as a file object.
++        The filename defaults to f.name; it is only used in error
++        messages (if f has no `name' attribute, the string `<???>' is used).
++
++    read_string(string)
++        Read configuration from a given string.
++
++    read_dict(dictionary)
++        Read configuration from a dictionary. Keys are section names,
++        values are dictionaries with keys and values that should be present
++        in the section. If the used dictionary type preserves order, sections
++        and their keys will be added in order. Values are automatically
++        converted to strings.
++
++    get(section, option, raw=False, vars=None, fallback=_UNSET)
++        Return a string value for the named option.  All % interpolations are
++        expanded in the return values, based on the defaults passed into the
++        constructor and the DEFAULT section.  Additional substitutions may be
++        provided using the `vars' argument, which must be a dictionary whose
++        contents override any pre-existing defaults. If `option' is a key in
++        `vars', the value from `vars' is used.
++
++    getint(section, options, raw=False, vars=None, fallback=_UNSET)
++        Like get(), but convert value to an integer.
++
++    getfloat(section, options, raw=False, vars=None, fallback=_UNSET)
++        Like get(), but convert value to a float.
++
++    getboolean(section, options, raw=False, vars=None, fallback=_UNSET)
++        Like get(), but convert value to a boolean (currently case
++        insensitively defined as 0, false, no, off for False, and 1, true,
++        yes, on for True).  Returns False or True.
++
++    items(section=_UNSET, raw=False, vars=None)
++        If section is given, return a list of tuples with (name, value) for
++        each option in the section. Otherwise, return a list of tuples with
++        (section_name, section_proxy) for each section, including DEFAULTSECT.
++
++    remove_section(section)
++        Remove the given file section and all its options.
++
++    remove_option(section, option)
++        Remove the given option from the given section.
++
++    set(section, option, value)
++        Set the given option.
++
++    write(fp, space_around_delimiters=True)
++        Write the configuration state in .ini format. If
++        `space_around_delimiters' is True (the default), delimiters
++        between keys and values are surrounded by spaces.
++"""
++
++from __future__ import absolute_import
++from __future__ import division
++from __future__ import print_function
++from __future__ import unicode_literals
++
++from collections import MutableMapping
++import functools
++import io
++import itertools
++import re
++import sys
++import warnings
++
++from backports.configparser.helpers import OrderedDict as _default_dict
++from backports.configparser.helpers import ChainMap as _ChainMap
++from backports.configparser.helpers import from_none, open, str, PY2
++
++__all__ = ["NoSectionError", "DuplicateOptionError", "DuplicateSectionError",
++           "NoOptionError", "InterpolationError", "InterpolationDepthError",
++           "InterpolationMissingOptionError", "InterpolationSyntaxError",
++           "ParsingError", "MissingSectionHeaderError",
++           "ConfigParser", "SafeConfigParser", "RawConfigParser",
++           "Interpolation", "BasicInterpolation",  "ExtendedInterpolation",
++           "LegacyInterpolation", "SectionProxy", "ConverterMapping",
++           "DEFAULTSECT", "MAX_INTERPOLATION_DEPTH"]
++
++DEFAULTSECT = "DEFAULT"
++
++MAX_INTERPOLATION_DEPTH = 10
++
++
++# exception classes
++class Error(Exception):
++    """Base class for ConfigParser exceptions."""
++
++    def __init__(self, msg=''):
++        self.message = msg
++        Exception.__init__(self, msg)
++
++    def __repr__(self):
++        return self.message
++
++    __str__ = __repr__
++
++
++class NoSectionError(Error):
++    """Raised when no section matches a requested option."""
++
++    def __init__(self, section):
++        Error.__init__(self, 'No section: %r' % (section,))
++        self.section = section
++        self.args = (section, )
++
++
++class DuplicateSectionError(Error):
++    """Raised when a section is repeated in an input source.
++
++    Possible repetitions that raise this exception are: multiple creation
++    using the API or in strict parsers when a section is found more than once
++    in a single input file, string or dictionary.
++    """
++
++    def __init__(self, section, source=None, lineno=None):
++        msg = [repr(section), " already exists"]
++        if source is not None:
++            message = ["While reading from ", repr(source)]
++            if lineno is not None:
++                message.append(" [line {0:2d}]".format(lineno))
++            message.append(": section ")
++            message.extend(msg)
++            msg = message
++        else:
++            msg.insert(0, "Section ")
++        Error.__init__(self, "".join(msg))
++        self.section = section
++        self.source = source
++        self.lineno = lineno
++        self.args = (section, source, lineno)
++
++
++class DuplicateOptionError(Error):
++    """Raised by strict parsers when an option is repeated in an input source.
++
++    Current implementation raises this exception only when an option is found
++    more than once in a single file, string or dictionary.
++    """
++
++    def __init__(self, section, option, source=None, lineno=None):
++        msg = [repr(option), " in section ", repr(section),
++               " already exists"]
++        if source is not None:
++            message = ["While reading from ", repr(source)]
++            if lineno is not None:
++                message.append(" [line {0:2d}]".format(lineno))
++            message.append(": option ")
++            message.extend(msg)
++            msg = message
++        else:
++            msg.insert(0, "Option ")
++        Error.__init__(self, "".join(msg))
++        self.section = section
++        self.option = option
++        self.source = source
++        self.lineno = lineno
++        self.args = (section, option, source, lineno)
++
++
++class NoOptionError(Error):
++    """A requested option was not found."""
++
++    def __init__(self, option, section):
++        Error.__init__(self, "No option %r in section: %r" %
++                       (option, section))
++        self.option = option
++        self.section = section
++        self.args = (option, section)
++
++
++class InterpolationError(Error):
++    """Base class for interpolation-related exceptions."""
++
++    def __init__(self, option, section, msg):
++        Error.__init__(self, msg)
++        self.option = option
++        self.section = section
++        self.args = (option, section, msg)
++
++
++class InterpolationMissingOptionError(InterpolationError):
++    """A string substitution required a setting which was not available."""
++
++    def __init__(self, option, section, rawval, reference):
++        msg = ("Bad value substitution: option {0!r} in section {1!r} contains "
++               "an interpolation key {2!r} which is not a valid option name. "
++               "Raw value: {3!r}".format(option, section, reference, rawval))
++        InterpolationError.__init__(self, option, section, msg)
++        self.reference = reference
++        self.args = (option, section, rawval, reference)
++
++
++class InterpolationSyntaxError(InterpolationError):
++    """Raised when the source text contains invalid syntax.
++
++    Current implementation raises this exception when the source text into
++    which substitutions are made does not conform to the required syntax.
++    """
++
++
++class InterpolationDepthError(InterpolationError):
++    """Raised when substitutions are nested too deeply."""
++
++    def __init__(self, option, section, rawval):
++        msg = ("Recursion limit exceeded in value substitution: option {0!r} "
++               "in section {1!r} contains an interpolation key which "
++               "cannot be substituted in {2} steps. Raw value: {3!r}"
++               "".format(option, section, MAX_INTERPOLATION_DEPTH,
++                         rawval))
++        InterpolationError.__init__(self, option, section, msg)
++        self.args = (option, section, rawval)
++
++
++class ParsingError(Error):
++    """Raised when a configuration file does not follow legal syntax."""
++
++    def __init__(self, source=None, filename=None):
++        # Exactly one of `source'/`filename' arguments has to be given.
++        # `filename' kept for compatibility.
++        if filename and source:
++            raise ValueError("Cannot specify both `filename' and `source'. "
++                             "Use `source'.")
++        elif not filename and not source:
++            raise ValueError("Required argument `source' not given.")
++        elif filename:
++            source = filename
++        Error.__init__(self, 'Source contains parsing errors: %r' % source)
++        self.source = source
++        self.errors = []
++        self.args = (source, )
++
++    @property
++    def filename(self):
++        """Deprecated, use `source'."""
++        warnings.warn(
++            "The 'filename' attribute will be removed in future versions.  "
++            "Use 'source' instead.",
++            DeprecationWarning, stacklevel=2
++        )
++        return self.source
++
++    @filename.setter
++    def filename(self, value):
++        """Deprecated, user `source'."""
++        warnings.warn(
++            "The 'filename' attribute will be removed in future versions.  "
++            "Use 'source' instead.",
++            DeprecationWarning, stacklevel=2
++        )
++        self.source = value
++
++    def append(self, lineno, line):
++        self.errors.append((lineno, line))
++        self.message += '\n\t[line %2d]: %s' % (lineno, line)
++
++
++class MissingSectionHeaderError(ParsingError):
++    """Raised when a key-value pair is found before any section header."""
++
++    def __init__(self, filename, lineno, line):
++        Error.__init__(
++            self,
++            'File contains no section headers.\nfile: %r, line: %d\n%r' %
++            (filename, lineno, line))
++        self.source = filename
++        self.lineno = lineno
++        self.line = line
++        self.args = (filename, lineno, line)
++
++
++# Used in parser getters to indicate the default behaviour when a specific
++# option is not found it to raise an exception. Created to enable `None' as
++# a valid fallback value.
++_UNSET = object()
++
++
++class Interpolation(object):
++    """Dummy interpolation that passes the value through with no changes."""
++
++    def before_get(self, parser, section, option, value, defaults):
++        return value
++
++    def before_set(self, parser, section, option, value):
++        return value
++
++    def before_read(self, parser, section, option, value):
++        return value
++
++    def before_write(self, parser, section, option, value):
++        return value
++
++
++class BasicInterpolation(Interpolation):
++    """Interpolation as implemented in the classic ConfigParser.
++
++    The option values can contain format strings which refer to other values in
++    the same section, or values in the special default section.
++
++    For example:
++
++        something: %(dir)s/whatever
++
++    would resolve the "%(dir)s" to the value of dir.  All reference
++    expansions are done late, on demand. If a user needs to use a bare % in
++    a configuration file, she can escape it by writing %%. Other % usage
++    is considered a user error and raises `InterpolationSyntaxError'."""
++
++    _KEYCRE = re.compile(r"%\(([^)]+)\)s")
++
++    def before_get(self, parser, section, option, value, defaults):
++        L = []
++        self._interpolate_some(parser, option, L, value, section, defaults, 1)
++        return ''.join(L)
++
++    def before_set(self, parser, section, option, value):
++        tmp_value = value.replace('%%', '') # escaped percent signs
++        tmp_value = self._KEYCRE.sub('', tmp_value) # valid syntax
++        if '%' in tmp_value:
++            raise ValueError("invalid interpolation syntax in %r at "
++                             "position %d" % (value, tmp_value.find('%')))
++        return value
++
++    def _interpolate_some(self, parser, option, accum, rest, section, map,
++                          depth):
++        rawval = parser.get(section, option, raw=True, fallback=rest)
++        if depth > MAX_INTERPOLATION_DEPTH:
++            raise InterpolationDepthError(option, section, rawval)
++        while rest:
++            p = rest.find("%")
++            if p < 0:
++                accum.append(rest)
++                return
++            if p > 0:
++                accum.append(rest[:p])
++                rest = rest[p:]
++            # p is no longer used
++            c = rest[1:2]
++            if c == "%":
++                accum.append("%")
++                rest = rest[2:]
++            elif c == "(":
++                m = self._KEYCRE.match(rest)
++                if m is None:
++                    raise InterpolationSyntaxError(option, section,
++                        "bad interpolation variable reference %r" % rest)
++                var = parser.optionxform(m.group(1))
++                rest = rest[m.end():]
++                try:
++                    v = map[var]
++                except KeyError:
++                    raise from_none(InterpolationMissingOptionError(
++                        option, section, rawval, var))
++                if "%" in v:
++                    self._interpolate_some(parser, option, accum, v,
++                                           section, map, depth + 1)
++                else:
++                    accum.append(v)
++            else:
++                raise InterpolationSyntaxError(
++                    option, section,
++                    "'%%' must be followed by '%%' or '(', "
++                    "found: %r" % (rest,))
++
++
++class ExtendedInterpolation(Interpolation):
++    """Advanced variant of interpolation, supports the syntax used by
++    `zc.buildout'. Enables interpolation between sections."""
++
++    _KEYCRE = re.compile(r"\$\{([^}]+)\}")
++
++    def before_get(self, parser, section, option, value, defaults):
++        L = []
++        self._interpolate_some(parser, option, L, value, section, defaults, 1)
++        return ''.join(L)
++
++    def before_set(self, parser, section, option, value):
++        tmp_value = value.replace('$$', '') # escaped dollar signs
++        tmp_value = self._KEYCRE.sub('', tmp_value) # valid syntax
++        if '$' in tmp_value:
++            raise ValueError("invalid interpolation syntax in %r at "
++                             "position %d" % (value, tmp_value.find('$')))
++        return value
++
++    def _interpolate_some(self, parser, option, accum, rest, section, map,
++                          depth):
++        rawval = parser.get(section, option, raw=True, fallback=rest)
++        if depth > MAX_INTERPOLATION_DEPTH:
++            raise InterpolationDepthError(option, section, rawval)
++        while rest:
++            p = rest.find("$")
++            if p < 0:
++                accum.append(rest)
++                return
++            if p > 0:
++                accum.append(rest[:p])
++                rest = rest[p:]
++            # p is no longer used
++            c = rest[1:2]
++            if c == "$":
++                accum.append("$")
++                rest = rest[2:]
++            elif c == "{":
++                m = self._KEYCRE.match(rest)
++                if m is None:
++                    raise InterpolationSyntaxError(option, section,
++                        "bad interpolation variable reference %r" % rest)
++                path = m.group(1).split(':')
++                rest = rest[m.end():]
++                sect = section
++                opt = option
++                try:
++                    if len(path) == 1:
++                        opt = parser.optionxform(path[0])
++                        v = map[opt]
++                    elif len(path) == 2:
++                        sect = path[0]
++                        opt = parser.optionxform(path[1])
++                        v = parser.get(sect, opt, raw=True)
++                    else:
++                        raise InterpolationSyntaxError(
++                            option, section,
++                            "More than one ':' found: %r" % (rest,))
++                except (KeyError, NoSectionError, NoOptionError):
++                    raise from_none(InterpolationMissingOptionError(
++                        option, section, rawval, ":".join(path)))
++                if "$" in v:
++                    self._interpolate_some(parser, opt, accum, v, sect,
++                                           dict(parser.items(sect, raw=True)),
++                                           depth + 1)
++                else:
++                    accum.append(v)
++            else:
++                raise InterpolationSyntaxError(
++                    option, section,
++                    "'$' must be followed by '$' or '{', "
++                    "found: %r" % (rest,))
++
++
++class LegacyInterpolation(Interpolation):
++    """Deprecated interpolation used in old versions of ConfigParser.
++    Use BasicInterpolation or ExtendedInterpolation instead."""
++
++    _KEYCRE = re.compile(r"%\(([^)]*)\)s|.")
++
++    def before_get(self, parser, section, option, value, vars):
++        rawval = value
++        depth = MAX_INTERPOLATION_DEPTH
++        while depth:                    # Loop through this until it's done
++            depth -= 1
++            if value and "%(" in value:
++                replace = functools.partial(self._interpolation_replace,
++                                            parser=parser)
++                value = self._KEYCRE.sub(replace, value)
++                try:
++                    value = value % vars
++                except KeyError as e:
++                    raise from_none(InterpolationMissingOptionError(
++                        option, section, rawval, e.args[0]))
++            else:
++                break
++        if value and "%(" in value:
++            raise InterpolationDepthError(option, section, rawval)
++        return value
++
++    def before_set(self, parser, section, option, value):
++        return value
++
++    @staticmethod
++    def _interpolation_replace(match, parser):
++        s = match.group(1)
++        if s is None:
++            return match.group()
++        else:
++            return "%%(%s)s" % parser.optionxform(s)
++
++
++class RawConfigParser(MutableMapping):
++    """ConfigParser that does not do interpolation."""
++
++    # Regular expressions for parsing section headers and options
++    _SECT_TMPL = r"""
++        \[                                 # [
++        (?P<header>[^]]+)                  # very permissive!
++        \]                                 # ]
++        """
++    _OPT_TMPL = r"""
++        (?P<option>.*?)                    # very permissive!
++        \s*(?P<vi>{delim})\s*              # any number of space/tab,
++                                           # followed by any of the
++                                           # allowed delimiters,
++                                           # followed by any space/tab
++        (?P<value>.*)$                     # everything up to eol
++        """
++    _OPT_NV_TMPL = r"""
++        (?P<option>.*?)                    # very permissive!
++        \s*(?:                             # any number of space/tab,
++        (?P<vi>{delim})\s*                 # optionally followed by
++                                           # any of the allowed
++                                           # delimiters, followed by any
++                                           # space/tab
++        (?P<value>.*))?$                   # everything up to eol
++        """
++    # Interpolation algorithm to be used if the user does not specify another
++    _DEFAULT_INTERPOLATION = Interpolation()
++    # Compiled regular expression for matching sections
++    SECTCRE = re.compile(_SECT_TMPL, re.VERBOSE)
++    # Compiled regular expression for matching options with typical separators
++    OPTCRE = re.compile(_OPT_TMPL.format(delim="=|:"), re.VERBOSE)
++    # Compiled regular expression for matching options with optional values
++    # delimited using typical separators
++    OPTCRE_NV = re.compile(_OPT_NV_TMPL.format(delim="=|:"), re.VERBOSE)
++    # Compiled regular expression for matching leading whitespace in a line
++    NONSPACECRE = re.compile(r"\S")
++    # Possible boolean values in the configuration.
++    BOOLEAN_STATES = {'1': True, 'yes': True, 'true': True, 'on': True,
++                      '0': False, 'no': False, 'false': False, 'off': False}
++
++    def __init__(self, defaults=None, dict_type=_default_dict,
++                 allow_no_value=False, **kwargs):
++
++        # keyword-only arguments
++        delimiters = kwargs.get('delimiters', ('=', ':'))
++        comment_prefixes = kwargs.get('comment_prefixes', ('#', ';'))
++        inline_comment_prefixes = kwargs.get('inline_comment_prefixes', None)
++        strict = kwargs.get('strict', True)
++        empty_lines_in_values = kwargs.get('empty_lines_in_values', True)
++        default_section = kwargs.get('default_section', DEFAULTSECT)
++        interpolation = kwargs.get('interpolation', _UNSET)
++        converters = kwargs.get('converters', _UNSET)
++
++        self._dict = dict_type
++        self._sections = self._dict()
++        self._defaults = self._dict()
++        self._converters = ConverterMapping(self)
++        self._proxies = self._dict()
++        self._proxies[default_section] = SectionProxy(self, default_section)
++        if defaults:
++            for key, value in defaults.items():
++                self._defaults[self.optionxform(key)] = value
++        self._delimiters = tuple(delimiters)
++        if delimiters == ('=', ':'):
++            self._optcre = self.OPTCRE_NV if allow_no_value else self.OPTCRE
++        else:
++            d = "|".join(re.escape(d) for d in delimiters)
++            if allow_no_value:
++                self._optcre = re.compile(self._OPT_NV_TMPL.format(delim=d),
++                                          re.VERBOSE)
++            else:
++                self._optcre = re.compile(self._OPT_TMPL.format(delim=d),
++                                          re.VERBOSE)
++        self._comment_prefixes = tuple(comment_prefixes or ())
++        self._inline_comment_prefixes = tuple(inline_comment_prefixes or ())
++        self._strict = strict
++        self._allow_no_value = allow_no_value
++        self._empty_lines_in_values = empty_lines_in_values
++        self.default_section=default_section
++        self._interpolation = interpolation
++        if self._interpolation is _UNSET:
++            self._interpolation = self._DEFAULT_INTERPOLATION
++        if self._interpolation is None:
++            self._interpolation = Interpolation()
++        if converters is not _UNSET:
++            self._converters.update(converters)
++
++    def defaults(self):
++        return self._defaults
++
++    def sections(self):
++        """Return a list of section names, excluding [DEFAULT]"""
++        # self._sections will never have [DEFAULT] in it
++        return list(self._sections.keys())
++
++    def add_section(self, section):
++        """Create a new section in the configuration.
++
++        Raise DuplicateSectionError if a section by the specified name
++        already exists. Raise ValueError if name is DEFAULT.
++        """
++        if section == self.default_section:
++            raise ValueError('Invalid section name: %r' % section)
++
++        if section in self._sections:
++            raise DuplicateSectionError(section)
++        self._sections[section] = self._dict()
++        self._proxies[section] = SectionProxy(self, section)
++
++    def has_section(self, section):
++        """Indicate whether the named section is present in the configuration.
++
++        The DEFAULT section is not acknowledged.
++        """
++        return section in self._sections
++
++    def options(self, section):
++        """Return a list of option names for the given section name."""
++        try:
++            opts = self._sections[section].copy()
++        except KeyError:
++            raise from_none(NoSectionError(section))
++        opts.update(self._defaults)
++        return list(opts.keys())
++
++    def read(self, filenames, encoding=None):
++        """Read and parse a filename or a list of filenames.
++
++        Files that cannot be opened are silently ignored; this is
++        designed so that you can specify a list of potential
++        configuration file locations (e.g. current directory, user's
++        home directory, systemwide directory), and all existing
++        configuration files in the list will be read.  A single
++        filename may also be given.
++
++        Return list of successfully read files.
++        """
++        if PY2 and isinstance(filenames, bytes):
++            # we allow for a little unholy magic for Python 2 so that
++            # people not using unicode_literals can still use the library
++            # conveniently
++            warnings.warn(
++                "You passed a bytestring as `filenames`. This will not work"
++                " on Python 3. Use `cp.read_file()` or switch to using Unicode"
++                " strings across the board.",
++                DeprecationWarning,
++                stacklevel=2,
++            )
++            filenames = [filenames]
++        elif isinstance(filenames, str):
++            filenames = [filenames]
++        read_ok = []
++        for filename in filenames:
++            try:
++                with open(filename, encoding=encoding) as fp:
++                    self._read(fp, filename)
++            except IOError:
++                continue
++            read_ok.append(filename)
++        return read_ok
++
++    def read_file(self, f, source=None):
++        """Like read() but the argument must be a file-like object.
++
++        The `f' argument must be iterable, returning one line at a time.
++        Optional second argument is the `source' specifying the name of the
++        file being read. If not given, it is taken from f.name. If `f' has no
++        `name' attribute, `<???>' is used.
++        """
++        if source is None:
++            try:
++                source = f.name
++            except AttributeError:
++                source = '<???>'
++        self._read(f, source)
++
++    def read_string(self, string, source='<string>'):
++        """Read configuration from a given string."""
++        sfile = io.StringIO(string)
++        self.read_file(sfile, source)
++
++    def read_dict(self, dictionary, source='<dict>'):
++        """Read configuration from a dictionary.
++
++        Keys are section names, values are dictionaries with keys and values
++        that should be present in the section. If the used dictionary type
++        preserves order, sections and their keys will be added in order.
++
++        All types held in the dictionary are converted to strings during
++        reading, including section names, option names and keys.
++
++        Optional second argument is the `source' specifying the name of the
++        dictionary being read.
++        """
++        elements_added = set()
++        for section, keys in dictionary.items():
++            section = str(section)
++            try:
++                self.add_section(section)
++            except (DuplicateSectionError, ValueError):
++                if self._strict and section in elements_added:
++                    raise
++            elements_added.add(section)
++            for key, value in keys.items():
++                key = self.optionxform(str(key))
++                if value is not None:
++                    value = str(value)
++                if self._strict and (section, key) in elements_added:
++                    raise DuplicateOptionError(section, key, source)
++                elements_added.add((section, key))
++                self.set(section, key, value)
++
++    def readfp(self, fp, filename=None):
++        """Deprecated, use read_file instead."""
++        warnings.warn(
++            "This method will be removed in future versions.  "
++            "Use 'parser.read_file()' instead.",
++            DeprecationWarning, stacklevel=2
++        )
++        self.read_file(fp, source=filename)
++
++    def get(self, section, option, **kwargs):
++        """Get an option value for a given section.
++
++        If `vars' is provided, it must be a dictionary. The option is looked up
++        in `vars' (if provided), `section', and in `DEFAULTSECT' in that order.
++        If the key is not found and `fallback' is provided, it is used as
++        a fallback value. `None' can be provided as a `fallback' value.
++
++        If interpolation is enabled and the optional argument `raw' is False,
++        all interpolations are expanded in the return values.
++
++        Arguments `raw', `vars', and `fallback' are keyword only.
++
++        The section DEFAULT is special.
++        """
++        # keyword-only arguments
++        raw = kwargs.get('raw', False)
++        vars = kwargs.get('vars', None)
++        fallback = kwargs.get('fallback', _UNSET)
++
++        try:
++            d = self._unify_values(section, vars)
++        except NoSectionError:
++            if fallback is _UNSET:
++                raise
++            else:
++                return fallback
++        option = self.optionxform(option)
++        try:
++            value = d[option]
++        except KeyError:
++            if fallback is _UNSET:
++                raise NoOptionError(option, section)
++            else:
++                return fallback
++
++        if raw or value is None:
++            return value
++        else:
++            return self._interpolation.before_get(self, section, option, value,
++                                                  d)
++
++    def _get(self, section, conv, option, **kwargs):
++        return conv(self.get(section, option, **kwargs))
++
++    def _get_conv(self, section, option, conv, **kwargs):
++        # keyword-only arguments
++        kwargs.setdefault('raw', False)
++        kwargs.setdefault('vars', None)
++        fallback = kwargs.pop('fallback', _UNSET)
++        try:
++            return self._get(section, conv, option, **kwargs)
++        except (NoSectionError, NoOptionError):
++            if fallback is _UNSET:
++                raise
++            return fallback
++
++    # getint, getfloat and getboolean provided directly for backwards compat
++    def getint(self, section, option, **kwargs):
++        # keyword-only arguments
++        kwargs.setdefault('raw', False)
++        kwargs.setdefault('vars', None)
++        kwargs.setdefault('fallback', _UNSET)
++        return self._get_conv(section, option, int, **kwargs)
++
++    def getfloat(self, section, option, **kwargs):
++        # keyword-only arguments
++        kwargs.setdefault('raw', False)
++        kwargs.setdefault('vars', None)
++        kwargs.setdefault('fallback', _UNSET)
++        return self._get_conv(section, option, float, **kwargs)
++
++    def getboolean(self, section, option, **kwargs):
++        # keyword-only arguments
++        kwargs.setdefault('raw', False)
++        kwargs.setdefault('vars', None)
++        kwargs.setdefault('fallback', _UNSET)
++        return self._get_conv(section, option, self._convert_to_boolean,
++                              **kwargs)
++
++    def items(self, section=_UNSET, raw=False, vars=None):
++        """Return a list of (name, value) tuples for each option in a section.
++
++        All % interpolations are expanded in the return values, based on the
++        defaults passed into the constructor, unless the optional argument
++        `raw' is true.  Additional substitutions may be provided using the
++        `vars' argument, which must be a dictionary whose contents overrides
++        any pre-existing defaults.
++
++        The section DEFAULT is special.
++        """
++        if section is _UNSET:
++            return super(RawConfigParser, self).items()
++        d = self._defaults.copy()
++        try:
++            d.update(self._sections[section])
++        except KeyError:
++            if section != self.default_section:
++                raise NoSectionError(section)
++        # Update with the entry specific variables
++        if vars:
++            for key, value in vars.items():
++                d[self.optionxform(key)] = value
++        value_getter = lambda option: self._interpolation.before_get(self,
++            section, option, d[option], d)
++        if raw:
++            value_getter = lambda option: d[option]
++        return [(option, value_getter(option)) for option in d.keys()]
++
++    def popitem(self):
++        """Remove a section from the parser and return it as
++        a (section_name, section_proxy) tuple. If no section is present, raise
++        KeyError.
++
++        The section DEFAULT is never returned because it cannot be removed.
++        """
++        for key in self.sections():
++            value = self[key]
++            del self[key]
++            return key, value
++        raise KeyError
++
++    def optionxform(self, optionstr):
++        return optionstr.lower()
++
++    def has_option(self, section, option):
++        """Check for the existence of a given option in a given section.
++        If the specified `section' is None or an empty string, DEFAULT is
++        assumed. If the specified `section' does not exist, returns False."""
++        if not section or section == self.default_section:
++            option = self.optionxform(option)
++            return option in self._defaults
++        elif section not in self._sections:
++            return False
++        else:
++            option = self.optionxform(option)
++            return (option in self._sections[section]
++                    or option in self._defaults)
++
++    def set(self, section, option, value=None):
++        """Set an option."""
++        if value:
++            value = self._interpolation.before_set(self, section, option,
++                                                   value)
++        if not section or section == self.default_section:
++            sectdict = self._defaults
++        else:
++            try:
++                sectdict = self._sections[section]
++            except KeyError:
++                raise from_none(NoSectionError(section))
++        sectdict[self.optionxform(option)] = value
++
++    def write(self, fp, space_around_delimiters=True):
++        """Write an .ini-format representation of the configuration state.
++
++        If `space_around_delimiters' is True (the default), delimiters
++        between keys and values are surrounded by spaces.
++        """
++        if space_around_delimiters:
++            d = " {0} ".format(self._delimiters[0])
++        else:
++            d = self._delimiters[0]
++        if self._defaults:
++            self._write_section(fp, self.default_section,
++                                    self._defaults.items(), d)
++        for section in self._sections:
++            self._write_section(fp, section,
++                                self._sections[section].items(), d)
++
++    def _write_section(self, fp, section_name, section_items, delimiter):
++        """Write a single section to the specified `fp'."""
++        fp.write("[{0}]\n".format(section_name))
++        for key, value in section_items:
++            value = self._interpolation.before_write(self, section_name, key,
++                                                     value)
++            if value is not None or not self._allow_no_value:
++                value = delimiter + str(value).replace('\n', '\n\t')
++            else:
++                value = ""
++            fp.write("{0}{1}\n".format(key, value))
++        fp.write("\n")
++
++    def remove_option(self, section, option):
++        """Remove an option."""
++        if not section or section == self.default_section:
++            sectdict = self._defaults
++        else:
++            try:
++                sectdict = self._sections[section]
++            except KeyError:
++                raise from_none(NoSectionError(section))
++        option = self.optionxform(option)
++        existed = option in sectdict
++        if existed:
++            del sectdict[option]
++        return existed
++
++    def remove_section(self, section):
++        """Remove a file section."""
++        existed = section in self._sections
++        if existed:
++            del self._sections[section]
++            del self._proxies[section]
++        return existed
++
++    def __getitem__(self, key):
++        if key != self.default_section and not self.has_section(key):
++            raise KeyError(key)
++        return self._proxies[key]
++
++    def __setitem__(self, key, value):
++        # To conform with the mapping protocol, overwrites existing values in
++        # the section.
++
++        # XXX this is not atomic if read_dict fails at any point. Then again,
++        # no update method in configparser is atomic in this implementation.
++        if key == self.default_section:
++            self._defaults.clear()
++        elif key in self._sections:
++            self._sections[key].clear()
++        self.read_dict({key: value})
++
++    def __delitem__(self, key):
++        if key == self.default_section:
++            raise ValueError("Cannot remove the default section.")
++        if not self.has_section(key):
++            raise KeyError(key)
++        self.remove_section(key)
++
++    def __contains__(self, key):
++        return key == self.default_section or self.has_section(key)
++
++    def __len__(self):
++        return len(self._sections) + 1 # the default section
++
++    def __iter__(self):
++        # XXX does it break when underlying container state changed?
++        return itertools.chain((self.default_section,), self._sections.keys())
++
++    def _read(self, fp, fpname):
++        """Parse a sectioned configuration file.
++
++        Each section in a configuration file contains a header, indicated by
++        a name in square brackets (`[]'), plus key/value options, indicated by
++        `name' and `value' delimited with a specific substring (`=' or `:' by
++        default).
++
++        Values can span multiple lines, as long as they are indented deeper
++        than the first line of the value. Depending on the parser's mode, blank
++        lines may be treated as parts of multiline values or ignored.
++
++        Configuration files may include comments, prefixed by specific
++        characters (`#' and `;' by default). Comments may appear on their own
++        in an otherwise empty line or may be entered in lines holding values or
++        section names.
++        """
++        elements_added = set()
++        cursect = None                        # None, or a dictionary
++        sectname = None
++        optname = None
++        lineno = 0
++        indent_level = 0
++        e = None                              # None, or an exception
++        for lineno, line in enumerate(fp, start=1):
++            comment_start = sys.maxsize
++            # strip inline comments
++            inline_prefixes = dict(
++                (p, -1) for p in self._inline_comment_prefixes)
++            while comment_start == sys.maxsize and inline_prefixes:
++                next_prefixes = {}
++                for prefix, index in inline_prefixes.items():
++                    index = line.find(prefix, index+1)
++                    if index == -1:
++                        continue
++                    next_prefixes[prefix] = index
++                    if index == 0 or (index > 0 and line[index-1].isspace()):
++                        comment_start = min(comment_start, index)
++                inline_prefixes = next_prefixes
++            # strip full line comments
++            for prefix in self._comment_prefixes:
++                if line.strip().startswith(prefix):
++                    comment_start = 0
++                    break
++            if comment_start == sys.maxsize:
++                comment_start = None
++            value = line[:comment_start].strip()
++            if not value:
++                if self._empty_lines_in_values:
++                    # add empty line to the value, but only if there was no
++                    # comment on the line
++                    if (comment_start is None and
++                        cursect is not None and
++                        optname and
++                        cursect[optname] is not None):
++                        cursect[optname].append('') # newlines added at join
++                else:
++                    # empty line marks end of value
++                    indent_level = sys.maxsize
++                continue
++            # continuation line?
++            first_nonspace = self.NONSPACECRE.search(line)
++            cur_indent_level = first_nonspace.start() if first_nonspace else 0
++            if (cursect is not None and optname and
++                cur_indent_level > indent_level):
++                cursect[optname].append(value)
++            # a section header or option header?
++            else:
++                indent_level = cur_indent_level
++                # is it a section header?
++                mo = self.SECTCRE.match(value)
++                if mo:
++                    sectname = mo.group('header')
++                    if sectname in self._sections:
++                        if self._strict and sectname in elements_added:
++                            raise DuplicateSectionError(sectname, fpname,
++                                                        lineno)
++                        cursect = self._sections[sectname]
++                        elements_added.add(sectname)
++                    elif sectname == self.default_section:
++                        cursect = self._defaults
++                    else:
++                        cursect = self._dict()
++                        self._sections[sectname] = cursect
++                        self._proxies[sectname] = SectionProxy(self, sectname)
++                        elements_added.add(sectname)
++                    # So sections can't start with a continuation line
++                    optname = None
++                # no section header in the file?
++                elif cursect is None:
++                    raise MissingSectionHeaderError(fpname, lineno, line)
++                # an option line?
++                else:
++                    mo = self._optcre.match(value)
++                    if mo:
++                        optname, vi, optval = mo.group('option', 'vi', 'value')
++                        if not optname:
++                            e = self._handle_error(e, fpname, lineno, line)
++                        optname = self.optionxform(optname.rstrip())
++                        if (self._strict and
++                            (sectname, optname) in elements_added):
++                            raise DuplicateOptionError(sectname, optname,
++                                                       fpname, lineno)
++                        elements_added.add((sectname, optname))
++                        # This check is fine because the OPTCRE cannot
++                        # match if it would set optval to None
++                        if optval is not None:
++                            optval = optval.strip()
++                            cursect[optname] = [optval]
++                        else:
++                            # valueless option handling
++                            cursect[optname] = None
++                    else:
++                        # a non-fatal parsing error occurred. set up the
++                        # exception but keep going. the exception will be
++                        # raised at the end of the file and will contain a
++                        # list of all bogus lines
++                        e = self._handle_error(e, fpname, lineno, line)
++        # if any parsing errors occurred, raise an exception
++        if e:
++            raise e
++        self._join_multiline_values()
++
++    def _join_multiline_values(self):
++        defaults = self.default_section, self._defaults
++        all_sections = itertools.chain((defaults,),
++                                       self._sections.items())
++        for section, options in all_sections:
++            for name, val in options.items():
++                if isinstance(val, list):
++                    val = '\n'.join(val).rstrip()
++                options[name] = self._interpolation.before_read(self,
++                                                                section,
++                                                                name, val)
++
++    def _handle_error(self, exc, fpname, lineno, line):
++        if not exc:
++            exc = ParsingError(fpname)
++        exc.append(lineno, repr(line))
++        return exc
++
++    def _unify_values(self, section, vars):
++        """Create a sequence of lookups with 'vars' taking priority over
++        the 'section' which takes priority over the DEFAULTSECT.
++
++        """
++        sectiondict = {}
++        try:
++            sectiondict = self._sections[section]
++        except KeyError:
++            if section != self.default_section:
++                raise NoSectionError(section)
++        # Update with the entry specific variables
++        vardict = {}
++        if vars:
++            for key, value in vars.items():
++                if value is not None:
++                    value = str(value)
++                vardict[self.optionxform(key)] = value
++        return _ChainMap(vardict, sectiondict, self._defaults)
++
++    def _convert_to_boolean(self, value):
++        """Return a boolean value translating from other types if necessary.
++        """
++        if value.lower() not in self.BOOLEAN_STATES:
++            raise ValueError('Not a boolean: %s' % value)
++        return self.BOOLEAN_STATES[value.lower()]
++
++    def _validate_value_types(self, **kwargs):
++        """Raises a TypeError for non-string values.
++
++        The only legal non-string value if we allow valueless
++        options is None, so we need to check if the value is a
++        string if:
++        - we do not allow valueless options, or
++        - we allow valueless options but the value is not None
++
++        For compatibility reasons this method is not used in classic set()
++        for RawConfigParsers. It is invoked in every case for mapping protocol
++        access and in ConfigParser.set().
++        """
++        # keyword-only arguments
++        section = kwargs.get('section', "")
++        option = kwargs.get('option', "")
++        value = kwargs.get('value', "")
++
++        if PY2 and bytes in (type(section), type(option), type(value)):
++            # we allow for a little unholy magic for Python 2 so that
++            # people not using unicode_literals can still use the library
++            # conveniently
++            warnings.warn(
++                "You passed a bytestring. Implicitly decoding as UTF-8 string."
++                " This will not work on Python 3. Please switch to using"
++                " Unicode strings across the board.",
++                DeprecationWarning,
++                stacklevel=2,
++            )
++            if isinstance(section, bytes):
++                section = section.decode('utf8')
++            if isinstance(option, bytes):
++                option = option.decode('utf8')
++            if isinstance(value, bytes):
++                value = value.decode('utf8')
++
++        if not isinstance(section, str):
++            raise TypeError("section names must be strings")
++        if not isinstance(option, str):
++            raise TypeError("option keys must be strings")
++        if not self._allow_no_value or value:
++            if not isinstance(value, str):
++                raise TypeError("option values must be strings")
++
++        return section, option, value
++
++    @property
++    def converters(self):
++        return self._converters
++
++
++class ConfigParser(RawConfigParser):
++    """ConfigParser implementing interpolation."""
++
++    _DEFAULT_INTERPOLATION = BasicInterpolation()
++
++    def set(self, section, option, value=None):
++        """Set an option.  Extends RawConfigParser.set by validating type and
++        interpolation syntax on the value."""
++        _, option, value = self._validate_value_types(option=option, value=value)
++        super(ConfigParser, self).set(section, option, value)
++
++    def add_section(self, section):
++        """Create a new section in the configuration.  Extends
++        RawConfigParser.add_section by validating if the section name is
++        a string."""
++        section, _, _ = self._validate_value_types(section=section)
++        super(ConfigParser, self).add_section(section)
++
++
++class SafeConfigParser(ConfigParser):
++    """ConfigParser alias for backwards compatibility purposes."""
++
++    def __init__(self, *args, **kwargs):
++        super(SafeConfigParser, self).__init__(*args, **kwargs)
++        warnings.warn(
++            "The SafeConfigParser class has been renamed to ConfigParser "
++            "in Python 3.2. This alias will be removed in future versions."
++            " Use ConfigParser directly instead.",
++            DeprecationWarning, stacklevel=2
++        )
++
++
++class SectionProxy(MutableMapping):
++    """A proxy for a single section from a parser."""
++
++    def __init__(self, parser, name):
++        """Creates a view on a section of the specified `name` in `parser`."""
++        self._parser = parser
++        self._name = name
++        for conv in parser.converters:
++            key = 'get' + conv
++            getter = functools.partial(self.get, _impl=getattr(parser, key))
++            setattr(self, key, getter)
++
++    def __repr__(self):
++        return '<Section: {0}>'.format(self._name)
++
++    def __getitem__(self, key):
++        if not self._parser.has_option(self._name, key):
++            raise KeyError(key)
++        return self._parser.get(self._name, key)
++
++    def __setitem__(self, key, value):
++        _, key, value = self._parser._validate_value_types(option=key, value=value)
++        return self._parser.set(self._name, key, value)
++
++    def __delitem__(self, key):
++        if not (self._parser.has_option(self._name, key) and
++                self._parser.remove_option(self._name, key)):
++            raise KeyError(key)
++
++    def __contains__(self, key):
++        return self._parser.has_option(self._name, key)
++
++    def __len__(self):
++        return len(self._options())
++
++    def __iter__(self):
++        return self._options().__iter__()
++
++    def _options(self):
++        if self._name != self._parser.default_section:
++            return self._parser.options(self._name)
++        else:
++            return self._parser.defaults()
++
++    @property
++    def parser(self):
++        # The parser object of the proxy is read-only.
++        return self._parser
++
++    @property
++    def name(self):
++        # The name of the section on a proxy is read-only.
++        return self._name
++
++    def get(self, option, fallback=None, **kwargs):
++        """Get an option value.
++
++        Unless `fallback` is provided, `None` will be returned if the option
++        is not found.
++
++        """
++        # keyword-only arguments
++        kwargs.setdefault('raw', False)
++        kwargs.setdefault('vars', None)
++        _impl = kwargs.pop('_impl', None)
++        # If `_impl` is provided, it should be a getter method on the parser
++        # object that provides the desired type conversion.
++        if not _impl:
++            _impl = self._parser.get
++        return _impl(self._name, option, fallback=fallback, **kwargs)
++
++
++class ConverterMapping(MutableMapping):
++    """Enables reuse of get*() methods between the parser and section proxies.
++
++    If a parser class implements a getter directly, the value for the given
++    key will be ``None``. The presence of the converter name here enables
++    section proxies to find and use the implementation on the parser class.
++    """
++
++    GETTERCRE = re.compile(r"^get(?P<name>.+)$")
++
++    def __init__(self, parser):
++        self._parser = parser
++        self._data = {}
++        for getter in dir(self._parser):
++            m = self.GETTERCRE.match(getter)
++            if not m or not callable(getattr(self._parser, getter)):
++                continue
++            self._data[m.group('name')] = None   # See class docstring.
++
++    def __getitem__(self, key):
++        return self._data[key]
++
++    def __setitem__(self, key, value):
++        try:
++            k = 'get' + key
++        except TypeError:
++            raise ValueError('Incompatible key: {} (type: {})'
++                             ''.format(key, type(key)))
++        if k == 'get':
++            raise ValueError('Incompatible key: cannot use "" as a name')
++        self._data[key] = value
++        func = functools.partial(self._parser._get_conv, conv=value)
++        func.converter = value
++        setattr(self._parser, k, func)
++        for proxy in self._parser.values():
++            getter = functools.partial(proxy.get, _impl=func)
++            setattr(proxy, k, getter)
++
++    def __delitem__(self, key):
++        try:
++            k = 'get' + (key or None)
++        except TypeError:
++            raise KeyError(key)
++        del self._data[key]
++        for inst in itertools.chain((self._parser,), self._parser.values()):
++            try:
++                delattr(inst, k)
++            except AttributeError:
++                # don't raise since the entry was present in _data, silently
++                # clean up
++                continue
++
++    def __iter__(self):
++        return iter(self._data)
++
++    def __len__(self):
++        return len(self._data)
+diff --git a/custodia/vendor/backports/configparser/helpers.py b/custodia/vendor/backports/configparser/helpers.py
+new file mode 100644
+index 0000000..c47662f
+--- /dev/null
++++ b/custodia/vendor/backports/configparser/helpers.py
+@@ -0,0 +1,171 @@
++#!/usr/bin/env python
++# -*- coding: utf-8 -*-
++
++from __future__ import absolute_import
++from __future__ import division
++from __future__ import print_function
++from __future__ import unicode_literals
++
++from collections import MutableMapping
++try:
++    from collections import UserDict
++except ImportError:
++    from UserDict import UserDict
++
++try:
++    from collections import OrderedDict
++except ImportError:
++    from ordereddict import OrderedDict
++
++from io import open
++import sys
++try:
++    from thread import get_ident
++except ImportError:
++    try:
++        from _thread import get_ident
++    except ImportError:
++        from _dummy_thread import get_ident
++
++
++PY2 = sys.version_info[0] == 2
++PY3 = sys.version_info[0] == 3
++
++str = type('str')
++
++
++def from_none(exc):
++    """raise from_none(ValueError('a')) == raise ValueError('a') from None"""
++    exc.__cause__ = None
++    exc.__suppress_context__ = True
++    return exc
++
++
++# from reprlib 3.2.1
++def recursive_repr(fillvalue='...'):
++    'Decorator to make a repr function return fillvalue for a recursive call'
++
++    def decorating_function(user_function):
++        repr_running = set()
++
++        def wrapper(self):
++            key = id(self), get_ident()
++            if key in repr_running:
++                return fillvalue
++            repr_running.add(key)
++            try:
++                result = user_function(self)
++            finally:
++                repr_running.discard(key)
++            return result
++
++        # Can't use functools.wraps() here because of bootstrap issues
++        wrapper.__module__ = getattr(user_function, '__module__')
++        wrapper.__doc__ = getattr(user_function, '__doc__')
++        wrapper.__name__ = getattr(user_function, '__name__')
++        wrapper.__annotations__ = getattr(user_function, '__annotations__', {})
++        return wrapper
++
++    return decorating_function
++
++# from collections 3.2.1
++class _ChainMap(MutableMapping):
++    ''' A ChainMap groups multiple dicts (or other mappings) together
++    to create a single, updateable view.
++
++    The underlying mappings are stored in a list.  That list is public and can
++    accessed or updated using the *maps* attribute.  There is no other state.
++
++    Lookups search the underlying mappings successively until a key is found.
++    In contrast, writes, updates, and deletions only operate on the first
++    mapping.
++
++    '''
++
++    def __init__(self, *maps):
++        '''Initialize a ChainMap by setting *maps* to the given mappings.
++        If no mappings are provided, a single empty dictionary is used.
++
++        '''
++        self.maps = list(maps) or [{}]          # always at least one map
++
++    def __missing__(self, key):
++        raise KeyError(key)
++
++    def __getitem__(self, key):
++        for mapping in self.maps:
++            try:
++                return mapping[key]             # can't use 'key in mapping' with defaultdict
++            except KeyError:
++                pass
++        return self.__missing__(key)            # support subclasses that define __missing__
++
++    def get(self, key, default=None):
++        return self[key] if key in self else default
++
++    def __len__(self):
++        return len(set().union(*self.maps))     # reuses stored hash values if possible
++
++    def __iter__(self):
++        return iter(set().union(*self.maps))
++
++    def __contains__(self, key):
++        return any(key in m for m in self.maps)
++
++    @recursive_repr()
++    def __repr__(self):
++        return '{0.__class__.__name__}({1})'.format(
++            self, ', '.join(map(repr, self.maps)))
++
++    @classmethod
++    def fromkeys(cls, iterable, *args):
++        'Create a ChainMap with a single dict created from the iterable.'
++        return cls(dict.fromkeys(iterable, *args))
++
++    def copy(self):
++        'New ChainMap or subclass with a new copy of maps[0] and refs to maps[1:]'
++        return self.__class__(self.maps[0].copy(), *self.maps[1:])
++
++    __copy__ = copy
++
++    def new_child(self):                        # like Django's Context.push()
++        'New ChainMap with a new dict followed by all previous maps.'
++        return self.__class__({}, *self.maps)
++
++    @property
++    def parents(self):                          # like Django's Context.pop()
++        'New ChainMap from maps[1:].'
++        return self.__class__(*self.maps[1:])
++
++    def __setitem__(self, key, value):
++        self.maps[0][key] = value
++
++    def __delitem__(self, key):
++        try:
++            del self.maps[0][key]
++        except KeyError:
++            raise KeyError('Key not found in the first mapping: {!r}'.format(key))
++
++    def popitem(self):
++        'Remove and return an item pair from maps[0]. Raise KeyError is maps[0] is empty.'
++        try:
++            return self.maps[0].popitem()
++        except KeyError:
++            raise KeyError('No keys found in the first mapping.')
++
++    def pop(self, key, *args):
++        'Remove *key* from maps[0] and return its value. Raise KeyError if *key* not in maps[0].'
++        try:
++            return self.maps[0].pop(key, *args)
++        except KeyError:
++            raise KeyError('Key not found in the first mapping: {!r}'.format(key))
++
++    def clear(self):
++        'Clear maps[0], leaving maps[1:] intact.'
++        self.maps[0].clear()
++
++
++try:
++    from collections import ChainMap
++except ImportError:
++    ChainMap = _ChainMap
+diff --git a/custodia/vendor/configparser.py b/custodia/vendor/configparser.py
+new file mode 100644
+index 0000000..b899f9e
+--- /dev/null
++++ b/custodia/vendor/configparser.py
+@@ -0,0 +1,52 @@
++#!/usr/bin/env python
++# -*- coding: utf-8 -*-
++
++"""Convenience module importing everything from backports.configparser."""
++
++from __future__ import absolute_import
++from __future__ import division
++from __future__ import print_function
++from __future__ import unicode_literals
++
++
++from backports.configparser import (
++    RawConfigParser,
++    ConfigParser,
++    SafeConfigParser,
++    SectionProxy,
++
++    Interpolation,
++    BasicInterpolation,
++    ExtendedInterpolation,
++    LegacyInterpolation,
++
++    Error,
++    NoSectionError,
++    DuplicateSectionError,
++    DuplicateOptionError,
++    NoOptionError,
++    InterpolationError,
++    InterpolationMissingOptionError,
++    InterpolationSyntaxError,
++    InterpolationDepthError,
++    ParsingError,
++    MissingSectionHeaderError,
++    ConverterMapping,
++
++    _UNSET,
++    DEFAULTSECT,
++    MAX_INTERPOLATION_DEPTH,
++    _default_dict,
++    _ChainMap,
++)
++
++__all__ = ["NoSectionError", "DuplicateOptionError", "DuplicateSectionError",
++           "NoOptionError", "InterpolationError", "InterpolationDepthError",
++           "InterpolationMissingOptionError", "InterpolationSyntaxError",
++           "ParsingError", "MissingSectionHeaderError",
++           "ConfigParser", "SafeConfigParser", "RawConfigParser",
++           "Interpolation", "BasicInterpolation",  "ExtendedInterpolation",
++           "LegacyInterpolation", "SectionProxy", "ConverterMapping",
++           "DEFAULTSECT", "MAX_INTERPOLATION_DEPTH"]
++
++# NOTE: names missing from __all__ imported anyway for backwards compatibility.
+-- 
+2.9.3
+
diff --git a/SOURCES/0002-Patch-and-integrate-vendored-configparser.patch b/SOURCES/0002-Patch-and-integrate-vendored-configparser.patch
new file mode 100644
index 0000000..f3f4236
--- /dev/null
+++ b/SOURCES/0002-Patch-and-integrate-vendored-configparser.patch
@@ -0,0 +1,146 @@
+From fbb766bb81f37fb89fe4eb63aa7e356306994a5c Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 28 Mar 2017 17:51:23 +0200
+Subject: [PATCH 2/4] Patch and integrate vendored configparser
+
+---
+ custodia/compat.py                                 |  2 +-
+ custodia/vendor/__init__.py                        |  2 ++
+ custodia/vendor/backports/configparser/__init__.py |  7 ++++---
+ custodia/vendor/backports/configparser/helpers.py  |  1 +
+ custodia/vendor/configparser.py                    |  3 ++-
+ setup.py                                           | 13 +++++++------
+ tox.ini                                            |  2 +-
+ 7 files changed, 18 insertions(+), 12 deletions(-)
+ create mode 100644 custodia/vendor/__init__.py
+
+diff --git a/custodia/compat.py b/custodia/compat.py
+index 87626e1..5434b93 100644
+--- a/custodia/compat.py
++++ b/custodia/compat.py
+@@ -7,7 +7,7 @@ import six
+ 
+ if six.PY2:
+     # use https://pypi.python.org/pypi/configparser/ on Python 2
+-    from backports import configparser
++    from custodia.vendor.backports import configparser
+     from urllib import quote as url_escape
+     from urllib import quote_plus, unquote
+     from urlparse import parse_qs, urlparse
+diff --git a/custodia/vendor/__init__.py b/custodia/vendor/__init__.py
+new file mode 100644
+index 0000000..3ad9513
+--- /dev/null
++++ b/custodia/vendor/__init__.py
+@@ -0,0 +1,2 @@
++from pkgutil import extend_path
++__path__ = extend_path(__path__, __name__)
+diff --git a/custodia/vendor/backports/configparser/__init__.py b/custodia/vendor/backports/configparser/__init__.py
+index 06d7a08..16c0c80 100644
+--- a/custodia/vendor/backports/configparser/__init__.py
++++ b/custodia/vendor/backports/configparser/__init__.py
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ # -*- coding: utf-8 -*-
++# pylint: disable-all
+ 
+ """Configuration file parser.
+ 
+@@ -135,9 +136,9 @@ import re
+ import sys
+ import warnings
+ 
+-from backports.configparser.helpers import OrderedDict as _default_dict
+-from backports.configparser.helpers import ChainMap as _ChainMap
+-from backports.configparser.helpers import from_none, open, str, PY2
++from .helpers import OrderedDict as _default_dict
++from .helpers import ChainMap as _ChainMap
++from .helpers import from_none, open, str, PY2
+ 
+ __all__ = ["NoSectionError", "DuplicateOptionError", "DuplicateSectionError",
+            "NoOptionError", "InterpolationError", "InterpolationDepthError",
+diff --git a/custodia/vendor/backports/configparser/helpers.py b/custodia/vendor/backports/configparser/helpers.py
+index c47662f..64f8c33 100644
+--- a/custodia/vendor/backports/configparser/helpers.py
++++ b/custodia/vendor/backports/configparser/helpers.py
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ # -*- coding: utf-8 -*-
++# pylint: disable-all
+ 
+ from __future__ import absolute_import
+ from __future__ import division
+diff --git a/custodia/vendor/configparser.py b/custodia/vendor/configparser.py
+index b899f9e..6379d87 100644
+--- a/custodia/vendor/configparser.py
++++ b/custodia/vendor/configparser.py
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ # -*- coding: utf-8 -*-
++# pylint: disable-all
+ 
+ """Convenience module importing everything from backports.configparser."""
+ 
+@@ -9,7 +10,7 @@ from __future__ import print_function
+ from __future__ import unicode_literals
+ 
+ 
+-from backports.configparser import (
++from .backports.configparser import (
+     RawConfigParser,
+     ConfigParser,
+     SafeConfigParser,
+diff --git a/setup.py b/setup.py
+index 96c14c7..a7c398a 100755
+--- a/setup.py
++++ b/setup.py
+@@ -2,8 +2,6 @@
+ #
+ # Copyright (C) 2015  Custodia project Contributors, for licensee see COPYING
+ 
+-import sys
+-
+ import setuptools
+ from setuptools import setup
+ 
+@@ -33,10 +31,10 @@ extras_require = {
+ 
+ # backwards compatibility with old setuptools
+ # extended interpolation is provided by stdlib in Python 3.4+
+-if SETUPTOOLS_VERSION < (18, 0, 0) and sys.version_info < (3, 4):
+-    requirements.append('configparser')
+-else:
+-    extras_require[':python_version<"3.4"'] = ['configparser']
++# if SETUPTOOLS_VERSION < (18, 0, 0) and sys.version_info < (3, 4):
++#     requirements.append('configparser')
++# else:
++#     extras_require[':python_version<"3.4"'] = ['configparser']
+ 
+ 
+ with open('README') as f:
+@@ -94,6 +92,9 @@ setup(
+         'custodia.message',
+         'custodia.server',
+         'custodia.store',
++        'custodia.vendor',
++        'custodia.vendor.backports',
++        'custodia.vendor.backports.configparser',
+     ],
+     entry_points={
+         'console_scripts': [
+diff --git a/tox.ini b/tox.ini
+index 8db1c8b..d90359d 100644
+--- a/tox.ini
++++ b/tox.ini
+@@ -76,7 +76,7 @@ markers =
+     servertest: Integration tests start a local Custodia server
+ 
+ [flake8]
+-exclude = .tox,*.egg,dist,build,docs/source
++exclude = .tox,*.egg,dist,build,docs/source,custodia/vendor
+ show-source = true
+ max-line-length = 79
+ ignore = N802
+-- 
+2.9.3
+
diff --git a/SOURCES/0003-Remove-etcd-store.patch b/SOURCES/0003-Remove-etcd-store.patch
new file mode 100644
index 0000000..d74d1ab
--- /dev/null
+++ b/SOURCES/0003-Remove-etcd-store.patch
@@ -0,0 +1,199 @@
+From c2a8008af30d045227058e3158e84c9415647760 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 31 Mar 2017 12:14:43 +0200
+Subject: [PATCH 3/4] Remove etcd store
+
+---
+ custodia/store/etcdstore.py    | 123 -----------------------------------------
+ docs/source/plugins/stores.rst |   6 --
+ setup.py                       |   9 +--
+ 3 files changed, 2 insertions(+), 136 deletions(-)
+ delete mode 100644 custodia/store/etcdstore.py
+
+diff --git a/custodia/store/etcdstore.py b/custodia/store/etcdstore.py
+deleted file mode 100644
+index 759348b..0000000
+--- a/custodia/store/etcdstore.py
++++ /dev/null
+@@ -1,123 +0,0 @@
+-# Copyright (C) 2015  Custodia Project Contributors - see LICENSE file
+-
+-from __future__ import print_function
+-
+-try:
+-    from etcd import (Client, EtcdException, EtcdNotFile, EtcdAlreadyExist,
+-                      EtcdKeyNotFound)
+-except ImportError:
+-    def Client(*args, **kwargs):
+-        raise RuntimeError("Etcd client is unavailable")
+-
+-    class EtcdException(Exception):
+-        pass
+-
+-    class EtcdNotFile(Exception):
+-        pass
+-
+-    class EtcdKeyNotFound(Exception):
+-        pass
+-
+-    class EtcdAlreadyExist(Exception):
+-        pass
+-
+-from custodia.plugin import CSStore, CSStoreError, CSStoreExists
+-from custodia.plugin import PluginOption
+-
+-
+-class EtcdStore(CSStore):
+-    etcd_server = PluginOption(str, '127.0.0.1', None)
+-    etcd_port = PluginOption(int, '4001', None)
+-    namespace = PluginOption(str, '/custodia', None)
+-
+-    def __init__(self, config, section):
+-        super(EtcdStore, self).__init__(config, section)
+-        # Initialize the DB by trying to create the default table
+-        try:
+-            self.etcd = Client(self.etcd_server, self.etcd_port)
+-            self.etcd.write(self.namespace, None, dir=True)
+-        except EtcdNotFile:
+-            # Already exists
+-            pass
+-        except EtcdException:
+-            self.logger.exception("Error creating namespace %s",
+-                                  self.namespace)
+-            raise CSStoreError('Error occurred while trying to init db')
+-
+-    def _absolute_key(self, key):
+-        """Get absolute path to key and validate key"""
+-        if '//' in key:
+-            raise ValueError("Invalid empty components in key '%s'" % key)
+-        parts = key.split('/')
+-        if set(parts).intersection({'.', '..'}):
+-            raise ValueError("Invalid relative components in key '%s'" % key)
+-        return '/'.join([self.namespace] + parts).replace('//', '/')
+-
+-    def get(self, key):
+-        self.logger.debug("Fetching key %s", key)
+-        try:
+-            result = self.etcd.get(self._absolute_key(key))
+-        except EtcdException:
+-            self.logger.exception("Error fetching key %s", key)
+-            raise CSStoreError('Error occurred while trying to get key')
+-        self.logger.debug("Fetched key %s got result: %r", key, result)
+-        return result.value  # pylint: disable=no-member
+-
+-    def set(self, key, value, replace=False):
+-        self.logger.debug("Setting key %s to value %s (replace=%s)",
+-                          key, value, replace)
+-        path = self._absolute_key(key)
+-        try:
+-            self.etcd.write(path, value, prevExist=replace)
+-        except EtcdAlreadyExist as err:
+-            raise CSStoreExists(str(err))
+-        except EtcdException:
+-            self.logger.exception("Error storing key %s", key)
+-            raise CSStoreError('Error occurred while trying to store key')
+-
+-    def span(self, key):
+-        path = self._absolute_key(key)
+-        self.logger.debug("Creating directory %s", path)
+-        try:
+-            self.etcd.write(path, None, dir=True, prevExist=False)
+-        except EtcdAlreadyExist as err:
+-            raise CSStoreExists(str(err))
+-        except EtcdException:
+-            self.logger.exception("Error storing key %s", key)
+-            raise CSStoreError('Error occurred while trying to store key')
+-
+-    def list(self, keyfilter='/'):
+-        path = self._absolute_key(keyfilter)
+-        if path != '/':
+-            path = path.rstrip('/')
+-        self.logger.debug("Listing keys matching %s", path)
+-        try:
+-            result = self.etcd.read(path, recursive=True)
+-        except EtcdKeyNotFound:
+-            return None
+-        except EtcdException:
+-            self.logger.exception("Error listing %s", keyfilter)
+-            raise CSStoreError('Error occurred while trying to list keys')
+-        self.logger.debug("Searched for %s got result: %r", path, result)
+-        value = set()
+-        for entry in result.get_subtree():
+-            if entry.key == path:
+-                continue
+-            name = entry.key[len(path):]
+-            if entry.dir and not name.endswith('/'):
+-                name += '/'
+-            value.add(name.lstrip('/'))
+-        return sorted(value)
+-
+-    def cut(self, key):
+-        self.logger.debug("Removing key %s", key)
+-        try:
+-            self.etcd.delete(self._absolute_key(key))
+-        except EtcdKeyNotFound:
+-            self.logger.debug("Key %s not found", key)
+-            return False
+-        except EtcdException:
+-            self.logger.exception("Error removing key %s", key)
+-            raise CSStoreError('Error occurred while trying to cut key')
+-        self.logger.debug("Key %s removed", key)
+-        return True
+diff --git a/docs/source/plugins/stores.rst b/docs/source/plugins/stores.rst
+index ed921ba..d715f31 100644
+--- a/docs/source/plugins/stores.rst
++++ b/docs/source/plugins/stores.rst
+@@ -5,7 +5,6 @@ Stores
+    :nosignatures:
+ 
+    custodia.store.sqlite.SqliteStore
+-   custodia.store.etcdstore.EtcdStore
+    custodia.store.encgen.EncryptedOverlay
+ 
+ .. autoclass:: custodia.store.sqlite.SqliteStore
+@@ -13,11 +12,6 @@ Stores
+     :undoc-members:
+     :show-inheritance:
+ 
+-.. autoclass:: custodia.store.etcdstore.EtcdStore
+-    :members:
+-    :undoc-members:
+-    :show-inheritance:
+-
+ .. autoclass:: custodia.store.encgen.EncryptedOverlay
+     :members:
+     :undoc-members:
+diff --git a/setup.py b/setup.py
+index a7c398a..c8f270d 100755
+--- a/setup.py
++++ b/setup.py
+@@ -15,16 +15,12 @@ requirements = [
+     'requests'
+ ]
+ 
+-# extra requirements
+-etcd_requires = ['python-etcd']
+-
+ # test requirements
+-test_requires = ['coverage', 'pytest'] + etcd_requires
++test_requires = ['coverage', 'pytest']
+ 
+ extras_require = {
+-    'etcd_store': etcd_requires,
+     'test': test_requires,
+-    'test_docs': ['docutils', 'markdown'] + etcd_requires,
++    'test_docs': ['docutils', 'markdown'],
+     'test_pep8': ['flake8', 'flake8-import-order', 'pep8-naming'],
+     'test_pylint': ['pylint'] + test_requires,
+ }
+@@ -70,7 +66,6 @@ custodia_consumers = [
+ custodia_stores = [
+     'EncryptedOverlay = custodia.store.encgen:EncryptedOverlay',
+     'EncryptedStore = custodia.store.enclite:EncryptedStore',
+-    'EtcdStore = custodia.store.etcdstore:EtcdStore',
+     'SqliteStore = custodia.store.sqlite:SqliteStore',
+ ]
+ 
+-- 
+2.9.3
+
diff --git a/SOURCES/0004-Vendor-custodia.ipa.patch b/SOURCES/0004-Vendor-custodia.ipa.patch
new file mode 100644
index 0000000..58ed91b
--- /dev/null
+++ b/SOURCES/0004-Vendor-custodia.ipa.patch
@@ -0,0 +1,704 @@
+From a38601968ccd8c8dfdce60c8d66b220eefb344b0 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 28 Mar 2017 18:41:08 +0200
+Subject: [PATCH 4/4] Vendor custodia.ipa
+
+---
+ README.custodia.ipa      | 137 ++++++++++++++++++++++
+ custodia/ipa/__init__.py |   1 +
+ custodia/ipa/vault.py    | 291 +++++++++++++++++++++++++++++++++++++++++++++++
+ setup.py                 |   8 +-
+ tests/test_ipa.py        | 195 +++++++++++++++++++++++++++++++
+ 6 files changed, 638 insertions(+), 2 deletions(-)
+ create mode 100644 README.custodia.ipa
+ create mode 100644 custodia/ipa/__init__.py
+ create mode 100644 custodia/ipa/vault.py
+ create mode 100644 tests/test_ipa.py
+
+diff --git a/README.custodia.ipa b/README.custodia.ipa
+new file mode 100644
+index 0000000..a952ef8
+--- /dev/null
++++ b/README.custodia.ipa
+@@ -0,0 +1,137 @@
++.. WARNING: AUTO-GENERATED FILE. DO NOT EDIT.
++
++custodia.ipa — IPA vault plugin for Custodia
++============================================
++
++**WARNING** *custodia.ipa is a tech preview with a provisional API.*
++
++custodia.ipa is a storage plugin for
++`Custodia <https://custodia.readthedocs.io/>`__. It provides integration
++with `FreeIPA <http://www.freeipa.org>`__'s
++`vault <https://www.freeipa.org/page/V4/Password_Vault>`__ facility.
++Secrets are encrypted and stored in
++`Dogtag <http://www.dogtagpki.org>`__'s Key Recovery Agent.
++
++Requirements
++------------
++
++Installation
++~~~~~~~~~~~~
++
++-  pip
++-  setuptools >= 18.0
++
++Runtime
++~~~~~~~
++
++-  custodia >= 0.3.1
++-  ipalib >= 4.5.0
++-  ipaclient >= 4.5.0
++-  Python 2.7 (Python 3 support in IPA vault is unstable.)
++
++custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for
++authentication. It is recommended to provide credentials with a keytab
++file or GSS-Proxy.
++
++Testing and development
++~~~~~~~~~~~~~~~~~~~~~~~
++
++-  wheel
++-  tox
++
++virtualenv requirements
++~~~~~~~~~~~~~~~~~~~~~~~
++
++custodia.ipa depends on several binary extensions and shared libraries
++for e.g. python-cryptography, python-gssapi, python-ldap, and
++python-nss. For installation in a virtual environment, a C compiler and
++several development packages are required.
++
++::
++
++    $ virtualenv venv
++    $ venv/bin/pip install --upgrade custodia.ipa
++
++Fedora
++^^^^^^
++
++::
++
++    $ sudo dnf install python2 python-pip python-virtualenv python-devel \
++        gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
++        nss-devel openldap-devel cyrus-sasl-devel openssl-devel
++
++Debian / Ubuntu
++^^^^^^^^^^^^^^^
++
++::
++
++    $ sudo apt-get update
++    $ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
++        gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
++        libsasl2-dev libssl-dev
++
++--------------
++
++Example configuration
++---------------------
++
++Create directories
++
++::
++
++    $ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
++    $ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
++    $ sudo chmod 750 /var/lib/custodia /var/log/custodia
++
++Create service account and keytab
++
++::
++
++    $ kinit admin
++    $ ipa service-add custodia/client1.ipa.example
++    $ ipa service-allow-create-keytab custodia/client1.ipa.example --users=admin
++    $ mkdir -p /etc/custodia
++    $ ipa-getkeytab -p custodia/client1.ipa.example -k /etc/custodia/custodia.keytab
++
++Create ``/etc/custodia/custodia.conf``
++
++::
++
++    [DEFAULT]
++    confdir = /etc/custodia
++    libdir = /var/lib/custodia
++    logdir = /var/log/custodia
++    rundir = /var/run/custodia
++
++    [global]
++    debug = true
++    server_socket = ${rundir}/custodia.sock
++    auditlog = ${logdir}/audit.log
++
++    [store:vault]
++    handler = IPAVault
++    keytab = {confdir}/custodia.keytab
++    ccache = FILE:{rundir}/ccache
++
++    [auth:creds]
++    handler = SimpleCredsAuth
++    uid = root
++    gid = root
++
++    [authz:paths]
++    handler = SimplePathAuthz
++    paths = /. /secrets
++
++    [/]
++    handler = Root
++
++    [/secrets]
++    handler = Secrets
++    store = vault
++
++Run Custodia server
++
++::
++
++    $ custodia /etc/custodia/custodia.conf
+diff --git a/custodia/ipa/__init__.py b/custodia/ipa/__init__.py
+new file mode 100644
+index 0000000..ef1bb9d
+--- /dev/null
++++ b/custodia/ipa/__init__.py
+@@ -0,0 +1 @@
++# Copyright (C) 2016  Custodia Project Contributors - see LICENSE file
+diff --git a/custodia/ipa/vault.py b/custodia/ipa/vault.py
+new file mode 100644
+index 0000000..f681c54
+--- /dev/null
++++ b/custodia/ipa/vault.py
+@@ -0,0 +1,291 @@
++# Copyright (C) 2016  Custodia Project Contributors - see LICENSE file
++"""FreeIPA vault store (PoC)
++"""
++import os
++
++import ipalib
++from ipalib.errors import DuplicateEntry, NotFound
++from ipalib.krb_utils import get_principal
++
++import six
++
++from custodia.plugin import CSStore, CSStoreError, CSStoreExists, PluginOption
++
++
++def krb5_unparse_principal_name(name):
++    """Split a Kerberos principal name into parts
++
++    Returns:
++       * ('host', hostname, realm) for a host principal
++       * (servicename, hostname, realm) for a service principal
++       * (None, username, realm) for a user principal
++
++    :param text name: Kerberos principal name
++    :return: (service, host, realm) or (None, username, realm)
++    """
++    prefix, realm = name.split(u'@')
++    if u'/' in prefix:
++        service, host = prefix.rsplit(u'/', 1)
++        return service, host, realm
++    else:
++        return None, prefix, realm
++
++
++class FreeIPA(object):
++    """FreeIPA wrapper
++
++    Custodia uses a forking server model. We can bootstrap FreeIPA API in
++    the main process. Connections must be created in the client process.
++    """
++    def __init__(self, api=None, ipa_context='cli', ipa_confdir=None,
++                 ipa_debug=False):
++        if api is None:
++            self._api = ipalib.api
++        else:
++            self._api = api
++        self._ipa_config = dict(
++            context=ipa_context,
++            debug=ipa_debug,
++            log=None,  # disable logging to file
++        )
++        if ipa_confdir is not None:
++            self._ipa_config['confdir'] = ipa_confdir
++        self._bootstrap()
++
++    @property
++    def Command(self):
++        return self._api.Command  # pylint: disable=no-member
++
++    @property
++    def env(self):
++        return self._api.env  # pylint: disable=no-member
++
++    def _bootstrap(self):
++        if not self._api.isdone('bootstrap'):
++            # TODO: bandaid for "A PKCS #11 module returned CKR_DEVICE_ERROR"
++            # https://github.com/avocado-framework/avocado/issues/1112#issuecomment-206999400
++            os.environ['NSS_STRICT_NOFORK'] = 'DISABLED'
++            self._api.bootstrap(**self._ipa_config)
++            self._api.finalize()
++
++    def __enter__(self):
++        # pylint: disable=no-member
++        if not self._api.Backend.rpcclient.isconnected():
++            self._api.Backend.rpcclient.connect()
++        # pylint: enable=no-member
++        return self
++
++    def __exit__(self, exc_type, exc_val, exc_tb):
++        # pylint: disable=no-member
++        if self._api.Backend.rpcclient.isconnected():
++            self._api.Backend.rpcclient.disconnect()
++        # pylint: enable=no-member
++
++
++class IPAVault(CSStore):
++    # vault arguments
++    principal = PluginOption(
++        str, None,
++        "Service principal for service vault (auto-discovered from GSSAPI)"
++    )
++    user = PluginOption(
++        str, None,
++        "User name for user vault (auto-discovered from GSSAPI)"
++    )
++    vault_type = PluginOption(
++        str, None,
++        "vault type, one of 'user', 'service', 'shared', or "
++        "auto-discovered from GSSAPI"
++    )
++
++    # Kerberos flags
++    krb5config = PluginOption(str, None, "Kerberos krb5.conf override")
++    keytab = PluginOption(str, None, "Kerberos keytab for auth")
++    ccache = PluginOption(
++        str, None, "Kerberos ccache, e,g. FILE:/path/to/ccache")
++
++    # ipalib.api arguments
++    ipa_confdir = PluginOption(str, None, "IPA confdir override")
++    ipa_context = PluginOption(str, "cli", "IPA bootstrap context")
++    ipa_debug = PluginOption(bool, False, "debug mode for ipalib")
++
++    def __init__(self, config, section=None):
++        super(IPAVault, self).__init__(config, section)
++        # configure Kerberos / GSSAPI and acquire principal
++        gssapi_principal = self._gssapi()
++        self.logger.info(u"Vault uses Kerberos principal '%s'",
++                         gssapi_principal)
++
++        # bootstrap FreeIPA API
++        self.ipa = FreeIPA(
++            ipa_confdir=self.ipa_confdir,
++            ipa_debug=self.ipa_debug,
++            ipa_context=self.ipa_context,
++        )
++        # connect
++        with self.ipa:
++            self.logger.info("IPA server '%s': %s",
++                             self.ipa.env.server,
++                             self.ipa.Command.ping()[u'summary'])
++            # retrieve and cache KRA transport cert
++            response = self.ipa.Command.vaultconfig_show()
++            servers = response[u'result'][u'kra_server_server']
++            self.logger.info("KRA server(s) %s", ', '.join(servers))
++
++        service, user_host, realm = krb5_unparse_principal_name(
++            gssapi_principal)
++        self._init_vault_args(service, user_host, realm)
++
++    def _gssapi(self):
++        # set client keytab env var for authentication
++        if self.keytab is not None:
++            os.environ['KRB5_CLIENT_KTNAME'] = self.keytab
++        if self.ccache is not None:
++            os.environ['KRB5CCNAME'] = self.ccache
++        if self.krb5config is not None:
++            os.environ['KRB5_CONFIG'] = self.krb5config
++        try:
++            return get_principal()
++        except Exception:
++            self.logger.error(
++                "Unable to get principal from GSSAPI. Are you missing a "
++                "TGT or valid Kerberos keytab?"
++            )
++            raise
++
++    def _init_vault_args(self, service, user_host, realm):
++        if self.vault_type is None:
++            self.vault_type = 'user' if service is None else 'service'
++            self.logger.info("Setting vault type to '%s' from Kerberos",
++                             self.vault_type)
++
++        if self.vault_type == 'shared':
++            self._vault_args = {'shared': True}
++        elif self.vault_type == 'user':
++            if self.user is None:
++                if service is not None:
++                    msg = "{!r}: User vault requires 'user' parameter"
++                    raise ValueError(msg.format(self))
++                else:
++                    self.user = user_host
++                    self.logger.info(u"Setting username '%s' from Kerberos",
++                                     self.user)
++            if six.PY2 and isinstance(self.user, str):
++                self.user = self.user.decode('utf-8')
++            self._vault_args = {'username': self.user}
++        elif self.vault_type == 'service':
++            if self.principal is None:
++                if service is None:
++                    msg = "{!r}: Service vault requires 'principal' parameter"
++                    raise ValueError(msg.format(self))
++                else:
++                    self.principal = u'/'.join((service, user_host))
++                    self.logger.info(u"Setting principal '%s' from Kerberos",
++                                     self.principal)
++            if six.PY2 and isinstance(self.principal, str):
++                self.principal = self.principal.decode('utf-8')
++            self._vault_args = {'service': self.principal}
++        else:
++            msg = '{!r}: Invalid vault type {}'
++            raise ValueError(msg.format(self, self.vault_type))
++
++    def _mangle_key(self, key):
++        if '__' in key:
++            raise ValueError
++        key = key.replace('/', '__')
++        if isinstance(key, bytes):
++            key = key.decode('utf-8')
++        return key
++
++    def get(self, key):
++        key = self._mangle_key(key)
++        with self.ipa as ipa:
++            try:
++                result = ipa.Command.vault_retrieve(
++                    key, **self._vault_args)
++            except NotFound as e:
++                self.logger.info(str(e))
++                return None
++            except Exception:
++                msg = "Failed to retrieve entry {}".format(key)
++                self.logger.exception(msg)
++                raise CSStoreError(msg)
++            else:
++                return result[u'result'][u'data']
++
++    def set(self, key, value, replace=False):
++        key = self._mangle_key(key)
++        if not isinstance(value, bytes):
++            value = value.encode('utf-8')
++        with self.ipa as ipa:
++            try:
++                ipa.Command.vault_add(
++                    key, ipavaulttype=u"standard", **self._vault_args)
++            except DuplicateEntry:
++                if not replace:
++                    raise CSStoreExists(key)
++            except Exception:
++                msg = "Failed to add entry {}".format(key)
++                self.logger.exception(msg)
++                raise CSStoreError(msg)
++            try:
++                ipa.Command.vault_archive(
++                    key, data=value, **self._vault_args)
++            except Exception:
++                msg = "Failed to archive entry {}".format(key)
++                self.logger.exception(msg)
++                raise CSStoreError(msg)
++
++    def span(self, key):
++        raise CSStoreError("span is not implemented")
++
++    def list(self, keyfilter=None):
++        with self.ipa as ipa:
++            try:
++                result = ipa.Command.vault_find(
++                    ipavaulttype=u"standard", **self._vault_args)
++            except Exception:
++                msg = "Failed to list entries"
++                self.logger.exception(msg)
++                raise CSStoreError(msg)
++
++        names = []
++        for entry in result[u'result']:
++            cn = entry[u'cn'][0]
++            key = cn.replace('__', '/')
++            if keyfilter is not None and not key.startswith(keyfilter):
++                continue
++            names.append(key.rsplit('/', 1)[-1])
++        return names
++
++    def cut(self, key):
++        key = self._mangle_key(key)
++        with self.ipa as ipa:
++            try:
++                ipa.Command.vault_del(key, **self._vault_args)
++            except NotFound:
++                return False
++            except Exception:
++                msg = "Failed to delete entry {}".format(key)
++                self.logger.exception(msg)
++                raise CSStoreError(msg)
++            else:
++                return True
++
++
++if __name__ == '__main__':
++    from custodia.compat import configparser
++
++    parser = configparser.ConfigParser(
++        interpolation=configparser.ExtendedInterpolation()
++    )
++    parser.read_string(u"""
++    [store:ipa_vault]
++    """)
++
++    v = IPAVault(parser, "store:ipa_vault")
++    v.set('foo', 'bar', replace=True)
++    print(v.get('foo'))
++    print(v.list())
++    v.cut('foo')
++    print(v.list())
+diff --git a/setup.py b/setup.py
+index c8f270d..4bf096c 100755
+--- a/setup.py
++++ b/setup.py
+@@ -15,10 +15,14 @@ requirements = [
+     'requests'
+ ]
+ 
++# extra requirements
++ipa_requires = ['ipalib >= 4.5.0', 'ipaclient >= 4.5.0']
++
+ # test requirements
+-test_requires = ['coverage', 'pytest']
++test_requires = ['coverage', 'pytest', 'mock'] + ipa_requires
+ 
+ extras_require = {
++    'ipa': ipa_requires,
+     'test': test_requires,
+     'test_docs': ['docutils', 'markdown'],
+     'test_pep8': ['flake8', 'flake8-import-order', 'pep8-naming'],
+@@ -66,6 +70,7 @@ custodia_consumers = [
+ custodia_stores = [
+     'EncryptedOverlay = custodia.store.encgen:EncryptedOverlay',
+     'EncryptedStore = custodia.store.enclite:EncryptedStore',
++    'IPAVault = custodia.ipa.vault:IPAVault',
+     'SqliteStore = custodia.store.sqlite:SqliteStore',
+ ]
+ 
+@@ -84,6 +89,7 @@ setup(
+         'custodia',
+         'custodia.cli',
+         'custodia.httpd',
++        'custodia.ipa',
+         'custodia.message',
+         'custodia.server',
+         'custodia.store',
+diff --git a/tests/test_ipa.py b/tests/test_ipa.py
+new file mode 100644
+index 0000000..eb4d7fa
+--- /dev/null
++++ b/tests/test_ipa.py
+@@ -0,0 +1,195 @@
++# Copyright (C) 2017  Custodia project Contributors, for licensee see COPYING
++
++import os
++
++import ipalib
++
++import mock
++
++import pytest
++
++from custodia.compat import configparser
++from custodia.ipa.vault import FreeIPA, IPAVault, krb5_unparse_principal_name
++
++
++CONFIG = u"""
++[store:ipa_service]
++vault_type = service
++principal = custodia/ipa.example
++
++[store:ipa_user]
++vault_type = user
++user = john
++
++[store:ipa_shared]
++vault_type = shared
++
++[store:ipa_invalid]
++vault_type = invalid
++
++[store:ipa_autodiscover]
++
++[store:ipa_environ]
++krb5config = /path/to/krb5.conf
++keytab = /path/to/custodia.keytab
++ccache = FILE:/path/to/ccache
++"""
++
++vault_parametrize = pytest.mark.parametrize(
++    'plugin,vault_type,vault_args',
++    [
++        ('store:ipa_service', 'service', {'service': 'custodia/ipa.example'}),
++        ('store:ipa_user', 'user', {'username': 'john'}),
++        ('store:ipa_shared', 'shared', {'shared': True}),
++    ]
++)
++
++
++class TestCustodiaIPA:
++    def setup_method(self, method):
++        self.parser = configparser.ConfigParser(
++            interpolation=configparser.ExtendedInterpolation(),
++        )
++        self.parser.read_string(CONFIG)
++        # mocked ipalib.api
++        self.p_api = mock.patch('ipalib.api', autospec=ipalib.api)
++        self.m_api = self.p_api.start()
++        self.m_api.isdone.return_value = False
++        self.m_api.env = mock.Mock()
++        self.m_api.env.server = 'server.ipa.example'
++        self.m_api.Backend = mock.Mock()
++        self.m_api.Command = mock.Mock()
++        self.m_api.Command.ping.return_value = {
++            u'summary': u'IPA server version 4.4.3. API version 2.215',
++        }
++        self.m_api.Command.vaultconfig_show.return_value = {
++            u'result': {
++                u'kra_server_server': [u'ipa.example'],
++            }
++        }
++        # mocked get_principal
++        self.p_get_principal = mock.patch('custodia.ipa.vault.get_principal')
++        self.m_get_principal = self.p_get_principal.start()
++        self.m_get_principal.return_value = 'custodia/ipa.example@IPA.EXAMPLE'
++        # mocked environ (empty dict)
++        self.p_env = mock.patch.dict('os.environ', clear=True)
++        self.p_env.start()
++
++    def teardown_method(self, method):
++        self.p_api.stop()
++        self.p_get_principal.stop()
++        self.p_env.stop()
++
++    def test_api_init(self):
++        m_api = self.m_api
++        freeipa = FreeIPA(api=m_api)
++        m_api.isdone.assert_called_once_with('bootstrap')
++        m_api.bootstrap.assert_called_once_with(
++            context='cli',
++            debug=False,
++            log=None,
++        )
++
++        m_api.Backend.rpcclient.isconnected.return_value = False
++        with freeipa:
++            m_api.Backend.rpcclient.connect.assert_called_once()
++            m_api.Backend.rpcclient.isconnected.return_value = True
++        m_api.Backend.rpcclient.disconnect.assert_called_once()
++
++        assert os.environ == dict(NSS_STRICT_NOFORK='DISABLED')
++
++    def test_api_environ(self):
++        assert os.environ == {}
++        IPAVault(self.parser, 'store:ipa_environ')
++        assert os.environ == dict(
++            NSS_STRICT_NOFORK='DISABLED',
++            KRB5_CONFIG='/path/to/krb5.conf',
++            KRB5_CLIENT_KTNAME='/path/to/custodia.keytab',
++            KRB5CCNAME='FILE:/path/to/ccache',
++        )
++
++    def test_invalid_vault_type(self):
++        pytest.raises(ValueError, IPAVault, self.parser, 'store:ipa_invalid')
++
++    def test_vault_autodiscover_service(self):
++        self.m_get_principal.return_value = 'custodia/ipa.example@IPA.EXAMPLE'
++        ipa = IPAVault(self.parser, 'store:ipa_autodiscover')
++        assert ipa.vault_type == 'service'
++        assert ipa.principal == 'custodia/ipa.example'
++        assert ipa.user is None
++
++    def test_vault_autodiscover_user(self):
++        self.m_get_principal.return_value = 'john@IPA.EXAMPLE'
++        ipa = IPAVault(self.parser, 'store:ipa_autodiscover')
++        assert ipa.vault_type == 'user'
++        assert ipa.principal is None
++        assert ipa.user == 'john'
++
++    @vault_parametrize
++    def test_vault_set(self, plugin, vault_type, vault_args):
++        ipa = IPAVault(self.parser, plugin)
++        assert ipa.vault_type == vault_type
++        self.m_api.Command.ping.assert_called_once()
++        ipa.set('directory/testkey', 'testvalue')
++        self.m_api.Command.vault_add.assert_called_once_with(
++            'directory__testkey',
++            ipavaulttype=u'standard',
++            **vault_args
++        )
++        self.m_api.Command.vault_archive.assert_called_once_with(
++            'directory__testkey',
++            data=b'testvalue',
++            **vault_args
++        )
++
++    @vault_parametrize
++    def test_vault_get(self, plugin, vault_type, vault_args):
++        ipa = IPAVault(self.parser, plugin)
++        assert ipa.vault_type == vault_type
++        self.m_api.Command.vault_retrieve.return_value = {
++            u'result': {
++                u'data': b'testvalue',
++            }
++        }
++        assert ipa.get('directory/testkey') == b'testvalue'
++        self.m_api.Command.vault_retrieve.assert_called_once_with(
++            'directory__testkey',
++            **vault_args
++        )
++
++    @vault_parametrize
++    def test_vault_list(self, plugin, vault_type, vault_args):
++        ipa = IPAVault(self.parser, plugin)
++        assert ipa.vault_type == vault_type
++        self.m_api.Command.vault_find.return_value = {
++            u'result': [{'cn': [u'directory__testkey']}]
++        }
++        assert ipa.list('directory') == ['testkey']
++        self.m_api.Command.vault_find.assert_called_once_with(
++            ipavaulttype=u'standard',
++            **vault_args
++        )
++
++    @vault_parametrize
++    def test_vault_cut(self, plugin, vault_type, vault_args):
++        ipa = IPAVault(self.parser, plugin)
++        assert ipa.vault_type == vault_type
++        ipa.cut('directory/testkey')
++        self.m_api.Command.vault_del.assert_called_once_with(
++            'directory__testkey',
++            **vault_args
++        )
++
++
++@pytest.mark.parametrize('principal,result', [
++    ('john@IPA.EXAMPLE',
++     (None, 'john', 'IPA.EXAMPLE')),
++    ('host/host.invalid@IPA.EXAMPLE',
++     ('host', 'host.invalid', 'IPA.EXAMPLE')),
++    ('custodia/host.invalid@IPA.EXAMPLE',
++     ('custodia', 'host.invalid', 'IPA.EXAMPLE')),
++    ('whatever/custodia/host.invalid@IPA.EXAMPLE',
++     ('whatever/custodia', 'host.invalid', 'IPA.EXAMPLE')),
++])
++def test_unparse(principal, result):
++    assert krb5_unparse_principal_name(principal) == result
+-- 
+2.9.3
+
diff --git a/SOURCES/0005-Add-workaround-for-missing-kra_server_server.patch b/SOURCES/0005-Add-workaround-for-missing-kra_server_server.patch
new file mode 100644
index 0000000..e6caaec
--- /dev/null
+++ b/SOURCES/0005-Add-workaround-for-missing-kra_server_server.patch
@@ -0,0 +1,29 @@
+From d265e3fd23a18b051e363048ffbeae7d11fb05a3 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 20 Jun 2017 15:42:53 +0200
+Subject: [PATCH 5/5] Add workaround for missing kra_server_server
+
+Fixes rhbz #1462403
+---
+ custodia/ipa/vault.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/custodia/ipa/vault.py b/custodia/ipa/vault.py
+index f681c54..cba2d5b 100644
+--- a/custodia/ipa/vault.py
++++ b/custodia/ipa/vault.py
+@@ -129,8 +129,9 @@ class IPAVault(CSStore):
+                              self.ipa.Command.ping()[u'summary'])
+             # retrieve and cache KRA transport cert
+             response = self.ipa.Command.vaultconfig_show()
+-            servers = response[u'result'][u'kra_server_server']
+-            self.logger.info("KRA server(s) %s", ', '.join(servers))
++            servers = response[u'result'].get(u'kra_server_server', ())
++            if servers:
++                self.logger.info("KRA server(s) %s", ', '.join(servers))
+ 
+         service, user_host, realm = krb5_unparse_principal_name(
+             gssapi_principal)
+-- 
+2.9.4
+
diff --git a/SOURCES/custodia-0.3.1.tar.gz.sha512sum.txt b/SOURCES/custodia-0.3.1.tar.gz.sha512sum.txt
new file mode 100644
index 0000000..295a132
--- /dev/null
+++ b/SOURCES/custodia-0.3.1.tar.gz.sha512sum.txt
@@ -0,0 +1 @@
+2b18dde8ca14d8447fa8a7f844652a981afbbb2fe0a4da0ef4df33aa083f26c7bed0edfe1a3f483a512973588949438810d311138c08b34dde70d99ed54a8bdb  custodia-0.3.1.tar.gz
diff --git a/SOURCES/custodia.conf b/SOURCES/custodia.conf
new file mode 100644
index 0000000..2e46309
--- /dev/null
+++ b/SOURCES/custodia.conf
@@ -0,0 +1,39 @@
+# /etc/custodia/custodia.conf
+
+[DEFAULT]
+libdir = /var/lib/custodia
+logdir = /var/log/custodia
+rundir = /var/run/custodia
+
+[global]
+debug = true
+server_socket = ${rundir}/custodia.sock
+auditlog = ${logdir}/audit.log
+
+[store:sqlite]
+handler = SqliteStore
+dburi = ${libdir}/secrets.db
+table = secrets
+
+[store:encrypted_sqlite]
+handler = EncryptedOverlay
+backing_store = sqlite
+master_key = ${libdir}/secrets.key
+master_enctype = A128CBC-HS256
+autogen_master_key = true
+
+[auth:creds]
+handler = SimpleCredsAuth
+uid = root
+gid = root
+
+[authz:paths]
+handler = SimplePathAuthz
+paths = /. /secrets
+
+[/]
+handler = Root
+
+[/secrets]
+handler = Secrets
+store = encrypted_sqlite
diff --git a/SOURCES/custodia.tmpfiles.conf b/SOURCES/custodia.tmpfiles.conf
new file mode 100644
index 0000000..9ab7d5f
--- /dev/null
+++ b/SOURCES/custodia.tmpfiles.conf
@@ -0,0 +1 @@
+d /run/custodia 0755
diff --git a/SPECS/custodia.spec b/SPECS/custodia.spec
new file mode 100644
index 0000000..a8b48eb
--- /dev/null
+++ b/SPECS/custodia.spec
@@ -0,0 +1,205 @@
+%global custodiaipa_version 0.1.0
+
+Name:           custodia
+Version:        0.3.1
+Release:        4%{?dist}
+Summary:        A service to manage, retrieve and store secrets for other processes
+
+License:        GPLv3+
+URL:            https://github.com/latchset/%{name}
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source1:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sha512sum.txt
+Source2:        custodia.conf
+Source5:        custodia.tmpfiles.conf
+Patch1:         0001-Vendor-configparser-3.5.0.patch
+Patch2:         0002-Patch-and-integrate-vendored-configparser.patch
+Patch3:         0003-Remove-etcd-store.patch
+Patch4:         0004-Vendor-custodia.ipa.patch
+Patch5:         0005-Add-workaround-for-missing-kra_server_server.patch
+
+
+BuildArch:      noarch
+
+BuildRequires:      python-devel
+BuildRequires:      python-jwcrypto
+BuildRequires:      python-requests
+BuildRequires:      python-setuptools
+BuildRequires:      python-coverage
+BuildRequires:      pytest
+BuildRequires:      python-docutils
+BuildRequires:      systemd-python
+BuildRequires:      python-ipalib
+Requires:           python-custodia = %{version}-%{release}
+
+Requires(preun):    systemd-units
+Requires(postun):   systemd-units
+Requires(post):     systemd-units
+
+%global overview                                                           \
+Custodia is a Secrets Service Provider, it stores or proxies access to     \
+keys, password, and secret material in general. Custodia is built to       \
+use the HTTP protocol and a RESTful API as an IPC mechanism over a local   \
+Unix Socket. It can also be exposed to a network via a Reverse Proxy       \
+service assuming proper authentication and header validation is            \
+implemented in the Proxy.                                                  \
+                                                                           \
+Custodia is modular, the configuration file controls how authentication,   \
+authorization, storage and API plugins are combined and exposed.
+
+
+%description
+A service to manage, retrieve and store secrets for other processes
+
+%{overview}
+
+%package -n python-custodia
+Summary:    Sub-package with python2 custodia modules
+Provides:   python2-custodia = %{version}-%{release}
+Requires:   python-jwcrypto
+Requires:   python-requests
+Requires:   python-setuptools
+Requires:   systemd-python
+
+%description -n python-custodia
+Sub-package with python2 custodia modules
+
+%{overview}
+
+%package -n python-custodia-ipa
+Summary:    Sub-package with python2 custodia.ipa vault module
+Requires:   python-custodia = %{version}-%{release}
+Requires:   python-ipalib
+Requires:   ipa-client
+
+%description -n python-custodia-ipa
+Sub-package with python2 custodia.ipa vault module
+
+%{overview}
+
+%prep
+grep `sha512sum %{SOURCE0}` %{SOURCE1} || (echo "Checksum invalid!" && exit 1)
+%setup
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
+
+%build
+%{__python2} setup.py egg_info build
+
+
+%check
+export PYTHONPATH="%{buildroot}/%{python2_sitelib}"
+py.test --skip-servertest --ignore=tests/test_ipa.py --ignore=tests/test_cli.py
+
+
+%install
+mkdir -p %{buildroot}/%{_sbindir}
+mkdir -p %{buildroot}/%{_mandir}/man7
+mkdir -p %{buildroot}/%{_defaultdocdir}/custodia
+mkdir -p %{buildroot}/%{_defaultdocdir}/custodia/examples
+mkdir -p %{buildroot}/%{_sysconfdir}/custodia
+mkdir -p %{buildroot}/%{_unitdir}
+mkdir -p %{buildroot}/%{_tmpfilesdir}
+mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia
+mkdir -p %{buildroot}/%{_localstatedir}/log/custodia
+
+%{__python2} setup.py install --skip-build --root %{buildroot}
+mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
+install -m 644 -t "%{buildroot}/%{_mandir}/man7" man/custodia.7
+install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia" README README.custodia.ipa API.md
+install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia/examples" custodia.conf
+install -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/custodia
+install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/custodia.conf
+# Recently setuptools stopped installing namespace __init__.py
+install -m 644 -t "%{buildroot}/%{python2_sitelib}/custodia" custodia/__init__.py
+
+
+%post
+%systemd_post custodia.socket
+%systemd_post custodia.service
+
+%preun
+%systemd_preun custodia.socket
+%systemd_preun custodia.service
+
+%postun
+%systemd_postun custodia.socket
+%systemd_postun custodia.service
+
+
+%files
+%doc %{_defaultdocdir}/custodia/README
+%doc %{_defaultdocdir}/custodia/API.md
+%doc %{_defaultdocdir}/custodia/examples/custodia.conf
+%license LICENSE
+%{_mandir}/man7/custodia*
+%{_sbindir}/custodia
+%{_bindir}/custodia-cli
+%dir %attr(0700,root,root) %{_sysconfdir}/custodia
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/custodia/custodia.conf
+%dir %attr(0700,root,root) %{_localstatedir}/lib/custodia
+%dir %attr(0700,root,root) %{_localstatedir}/log/custodia
+%{_tmpfilesdir}/custodia.conf
+
+%files -n python-custodia
+%license LICENSE
+%exclude %{python2_sitelib}/custodia/ipa
+%{python2_sitelib}/*
+
+%files -n python-custodia-ipa
+%doc %{_defaultdocdir}/custodia/README.custodia.ipa
+%{python2_sitelib}/custodia/ipa/*
+
+
+%changelog
+* Tue Jun 20 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-4
+- Add workaround for missing kra_server_server key, resolves #1462403
+
+* Mon Jun 12 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-3
+- Remove custodia user from tmpfiles.d, resolves #1460735
+- Add missing systemd hooks for service and socket files
+- Drop dependency on python-mock and skip mock tests in check block,
+  resolves #1447426
+
+* Fri Mar 31 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-2
+- Exclude empty directory custodia/ipa from python-custodia
+
+* Fri Mar 31 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-1
+- Rebase to Custodia 0.3.1
+- Vendor custodia.ipa 0.1.0
+- Vendor backports.configparser 3.5.0 final
+- related: #1403214
+
+* Tue Mar 28 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-4
+- Fix whitespace handling in URLs
+- Use upstream patches to replace patches for setuptools and configparser
+- resolves: #1436763
+
+* Fri Mar 17 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-3
+- custodia depends on python-custodia
+
+* Fri Mar 17 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-2
+- Fix package dependencies and package names to use python prefix
+
+* Wed Mar 15 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-1
+- Update to custodia 0.3.0
+- Vendor backports.configparser 3.5.0b2
+- Fix compatibility issues with old setuptools
+- Add tmpfiles.d config for /run/custodia
+
+* Wed Sep 07 2016 Christian Heimes <cheimes@redhat.com> - 0.1.0-4
+- Disable tests (broken on build machines)
+- related: #1371902
+
+* Wed Sep 07 2016 Simo Sorce <simo@redhat.com> - 0.1.0-3
+- Change default to use RSA OAEP padding
+- resolves: #1371902
+
+* Mon Apr 04 2016 Christian Heimes <cheimes@redhat.com> - 0.2.1-2
+- Correct download link
+
+* Thu Mar 31 2016 Christian Heimes <cheimes@redhat.com> - 0.1.0-1
+- Initial packaging