diff --git a/.custodia.metadata b/.custodia.metadata
new file mode 100644
index 0000000..db52fee
--- /dev/null
+++ b/.custodia.metadata
@@ -0,0 +1 @@
+7bfa722c3afe0151157e0d73d90a38ee97d8d5c8 SOURCES/custodia-0.3.1.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f89fec4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/custodia-0.3.1.tar.gz
diff --git a/SOURCES/0001-Vendor-configparser-3.5.0.patch b/SOURCES/0001-Vendor-configparser-3.5.0.patch
new file mode 100644
index 0000000..ce43770
--- /dev/null
+++ b/SOURCES/0001-Vendor-configparser-3.5.0.patch
@@ -0,0 +1,1668 @@
+From 85001e92986b3e3f6b7dcbbe5d71cde99962fd58 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 28 Mar 2017 17:49:39 +0200
+Subject: [PATCH 1/4] Vendor configparser-3.5.0
+
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ custodia/vendor/backports/__init__.py | 11 +
+ custodia/vendor/backports/configparser/__init__.py | 1390 ++++++++++++++++++++
+ custodia/vendor/backports/configparser/helpers.py | 171 +++
+ custodia/vendor/configparser.py | 52 +
+ 4 files changed, 1624 insertions(+)
+ create mode 100644 custodia/vendor/backports/__init__.py
+ create mode 100644 custodia/vendor/backports/configparser/__init__.py
+ create mode 100644 custodia/vendor/backports/configparser/helpers.py
+ create mode 100644 custodia/vendor/configparser.py
+
+diff --git a/custodia/vendor/backports/__init__.py b/custodia/vendor/backports/__init__.py
+new file mode 100644
+index 0000000..f84d25c
+--- /dev/null
++++ b/custodia/vendor/backports/__init__.py
+@@ -0,0 +1,11 @@
++# A Python "namespace package" http://www.python.org/dev/peps/pep-0382/
++# This always goes inside of a namespace package's __init__.py
++
++from pkgutil import extend_path
++__path__ = extend_path(__path__, __name__)
++
++try:
++ import pkg_resources
++ pkg_resources.declare_namespace(__name__)
++except ImportError:
++ pass
+diff --git a/custodia/vendor/backports/configparser/__init__.py b/custodia/vendor/backports/configparser/__init__.py
+new file mode 100644
+index 0000000..06d7a08
+--- /dev/null
++++ b/custodia/vendor/backports/configparser/__init__.py
+@@ -0,0 +1,1390 @@
++#!/usr/bin/env python
++# -*- coding: utf-8 -*-
++
++"""Configuration file parser.
++
++A configuration file consists of sections, lead by a "[section]" header,
++and followed by "name: value" entries, with continuations and such in
++the style of RFC 822.
++
++Intrinsic defaults can be specified by passing them into the
++ConfigParser constructor as a dictionary.
++
++class:
++
++ConfigParser -- responsible for parsing a list of
++ configuration files, and managing the parsed database.
++
++ methods:
++
++ __init__(defaults=None, dict_type=_default_dict, allow_no_value=False,
++ delimiters=('=', ':'), comment_prefixes=('#', ';'),
++ inline_comment_prefixes=None, strict=True,
++ empty_lines_in_values=True, default_section='DEFAULT',
++ interpolation=<unset>, converters=<unset>):
++ Create the parser. When `defaults' is given, it is initialized into the
++ dictionary or intrinsic defaults. The keys must be strings, the values
++ must be appropriate for %()s string interpolation.
++
++ When `dict_type' is given, it will be used to create the dictionary
++ objects for the list of sections, for the options within a section, and
++ for the default values.
++
++ When `delimiters' is given, it will be used as the set of substrings
++ that divide keys from values.
++
++ When `comment_prefixes' is given, it will be used as the set of
++ substrings that prefix comments in empty lines. Comments can be
++ indented.
++
++ When `inline_comment_prefixes' is given, it will be used as the set of
++ substrings that prefix comments in non-empty lines.
++
++ When `strict` is True, the parser won't allow for any section or option
++ duplicates while reading from a single source (file, string or
++ dictionary). Default is True.
++
++ When `empty_lines_in_values' is False (default: True), each empty line
++ marks the end of an option. Otherwise, internal empty lines of
++ a multiline option are kept as part of the value.
++
++ When `allow_no_value' is True (default: False), options without
++ values are accepted; the value presented for these is None.
++
++ sections()
++ Return all the configuration section names, sans DEFAULT.
++
++ has_section(section)
++ Return whether the given section exists.
++
++ has_option(section, option)
++ Return whether the given option exists in the given section.
++
++ options(section)
++ Return list of configuration options for the named section.
++
++ read(filenames, encoding=None)
++ Read and parse the list of named configuration files, given by
++ name. A single filename is also allowed. Non-existing files
++ are ignored. Return list of successfully read files.
++
++ read_file(f, filename=None)
++ Read and parse one configuration file, given as a file object.
++ The filename defaults to f.name; it is only used in error
++ messages (if f has no `name' attribute, the string `<???>' is used).
++
++ read_string(string)
++ Read configuration from a given string.
++
++ read_dict(dictionary)
++ Read configuration from a dictionary. Keys are section names,
++ values are dictionaries with keys and values that should be present
++ in the section. If the used dictionary type preserves order, sections
++ and their keys will be added in order. Values are automatically
++ converted to strings.
++
++ get(section, option, raw=False, vars=None, fallback=_UNSET)
++ Return a string value for the named option. All % interpolations are
++ expanded in the return values, based on the defaults passed into the
++ constructor and the DEFAULT section. Additional substitutions may be
++ provided using the `vars' argument, which must be a dictionary whose
++ contents override any pre-existing defaults. If `option' is a key in
++ `vars', the value from `vars' is used.
++
++ getint(section, options, raw=False, vars=None, fallback=_UNSET)
++ Like get(), but convert value to an integer.
++
++ getfloat(section, options, raw=False, vars=None, fallback=_UNSET)
++ Like get(), but convert value to a float.
++
++ getboolean(section, options, raw=False, vars=None, fallback=_UNSET)
++ Like get(), but convert value to a boolean (currently case
++ insensitively defined as 0, false, no, off for False, and 1, true,
++ yes, on for True). Returns False or True.
++
++ items(section=_UNSET, raw=False, vars=None)
++ If section is given, return a list of tuples with (name, value) for
++ each option in the section. Otherwise, return a list of tuples with
++ (section_name, section_proxy) for each section, including DEFAULTSECT.
++
++ remove_section(section)
++ Remove the given file section and all its options.
++
++ remove_option(section, option)
++ Remove the given option from the given section.
++
++ set(section, option, value)
++ Set the given option.
++
++ write(fp, space_around_delimiters=True)
++ Write the configuration state in .ini format. If
++ `space_around_delimiters' is True (the default), delimiters
++ between keys and values are surrounded by spaces.
++"""
++
++from __future__ import absolute_import
++from __future__ import division
++from __future__ import print_function
++from __future__ import unicode_literals
++
++from collections import MutableMapping
++import functools
++import io
++import itertools
++import re
++import sys
++import warnings
++
++from backports.configparser.helpers import OrderedDict as _default_dict
++from backports.configparser.helpers import ChainMap as _ChainMap
++from backports.configparser.helpers import from_none, open, str, PY2
++
++__all__ = ["NoSectionError", "DuplicateOptionError", "DuplicateSectionError",
++ "NoOptionError", "InterpolationError", "InterpolationDepthError",
++ "InterpolationMissingOptionError", "InterpolationSyntaxError",
++ "ParsingError", "MissingSectionHeaderError",
++ "ConfigParser", "SafeConfigParser", "RawConfigParser",
++ "Interpolation", "BasicInterpolation", "ExtendedInterpolation",
++ "LegacyInterpolation", "SectionProxy", "ConverterMapping",
++ "DEFAULTSECT", "MAX_INTERPOLATION_DEPTH"]
++
++DEFAULTSECT = "DEFAULT"
++
++MAX_INTERPOLATION_DEPTH = 10
++
++
++# exception classes
++class Error(Exception):
++ """Base class for ConfigParser exceptions."""
++
++ def __init__(self, msg=''):
++ self.message = msg
++ Exception.__init__(self, msg)
++
++ def __repr__(self):
++ return self.message
++
++ __str__ = __repr__
++
++
++class NoSectionError(Error):
++ """Raised when no section matches a requested option."""
++
++ def __init__(self, section):
++ Error.__init__(self, 'No section: %r' % (section,))
++ self.section = section
++ self.args = (section, )
++
++
++class DuplicateSectionError(Error):
++ """Raised when a section is repeated in an input source.
++
++ Possible repetitions that raise this exception are: multiple creation
++ using the API or in strict parsers when a section is found more than once
++ in a single input file, string or dictionary.
++ """
++
++ def __init__(self, section, source=None, lineno=None):
++ msg = [repr(section), " already exists"]
++ if source is not None:
++ message = ["While reading from ", repr(source)]
++ if lineno is not None:
++ message.append(" [line {0:2d}]".format(lineno))
++ message.append(": section ")
++ message.extend(msg)
++ msg = message
++ else:
++ msg.insert(0, "Section ")
++ Error.__init__(self, "".join(msg))
++ self.section = section
++ self.source = source
++ self.lineno = lineno
++ self.args = (section, source, lineno)
++
++
++class DuplicateOptionError(Error):
++ """Raised by strict parsers when an option is repeated in an input source.
++
++ Current implementation raises this exception only when an option is found
++ more than once in a single file, string or dictionary.
++ """
++
++ def __init__(self, section, option, source=None, lineno=None):
++ msg = [repr(option), " in section ", repr(section),
++ " already exists"]
++ if source is not None:
++ message = ["While reading from ", repr(source)]
++ if lineno is not None:
++ message.append(" [line {0:2d}]".format(lineno))
++ message.append(": option ")
++ message.extend(msg)
++ msg = message
++ else:
++ msg.insert(0, "Option ")
++ Error.__init__(self, "".join(msg))
++ self.section = section
++ self.option = option
++ self.source = source
++ self.lineno = lineno
++ self.args = (section, option, source, lineno)
++
++
++class NoOptionError(Error):
++ """A requested option was not found."""
++
++ def __init__(self, option, section):
++ Error.__init__(self, "No option %r in section: %r" %
++ (option, section))
++ self.option = option
++ self.section = section
++ self.args = (option, section)
++
++
++class InterpolationError(Error):
++ """Base class for interpolation-related exceptions."""
++
++ def __init__(self, option, section, msg):
++ Error.__init__(self, msg)
++ self.option = option
++ self.section = section
++ self.args = (option, section, msg)
++
++
++class InterpolationMissingOptionError(InterpolationError):
++ """A string substitution required a setting which was not available."""
++
++ def __init__(self, option, section, rawval, reference):
++ msg = ("Bad value substitution: option {0!r} in section {1!r} contains "
++ "an interpolation key {2!r} which is not a valid option name. "
++ "Raw value: {3!r}".format(option, section, reference, rawval))
++ InterpolationError.__init__(self, option, section, msg)
++ self.reference = reference
++ self.args = (option, section, rawval, reference)
++
++
++class InterpolationSyntaxError(InterpolationError):
++ """Raised when the source text contains invalid syntax.
++
++ Current implementation raises this exception when the source text into
++ which substitutions are made does not conform to the required syntax.
++ """
++
++
++class InterpolationDepthError(InterpolationError):
++ """Raised when substitutions are nested too deeply."""
++
++ def __init__(self, option, section, rawval):
++ msg = ("Recursion limit exceeded in value substitution: option {0!r} "
++ "in section {1!r} contains an interpolation key which "
++ "cannot be substituted in {2} steps. Raw value: {3!r}"
++ "".format(option, section, MAX_INTERPOLATION_DEPTH,
++ rawval))
++ InterpolationError.__init__(self, option, section, msg)
++ self.args = (option, section, rawval)
++
++
++class ParsingError(Error):
++ """Raised when a configuration file does not follow legal syntax."""
++
++ def __init__(self, source=None, filename=None):
++ # Exactly one of `source'/`filename' arguments has to be given.
++ # `filename' kept for compatibility.
++ if filename and source:
++ raise ValueError("Cannot specify both `filename' and `source'. "
++ "Use `source'.")
++ elif not filename and not source:
++ raise ValueError("Required argument `source' not given.")
++ elif filename:
++ source = filename
++ Error.__init__(self, 'Source contains parsing errors: %r' % source)
++ self.source = source
++ self.errors = []
++ self.args = (source, )
++
++ @property
++ def filename(self):
++ """Deprecated, use `source'."""
++ warnings.warn(
++ "The 'filename' attribute will be removed in future versions. "
++ "Use 'source' instead.",
++ DeprecationWarning, stacklevel=2
++ )
++ return self.source
++
++ @filename.setter
++ def filename(self, value):
++ """Deprecated, user `source'."""
++ warnings.warn(
++ "The 'filename' attribute will be removed in future versions. "
++ "Use 'source' instead.",
++ DeprecationWarning, stacklevel=2
++ )
++ self.source = value
++
++ def append(self, lineno, line):
++ self.errors.append((lineno, line))
++ self.message += '\n\t[line %2d]: %s' % (lineno, line)
++
++
++class MissingSectionHeaderError(ParsingError):
++ """Raised when a key-value pair is found before any section header."""
++
++ def __init__(self, filename, lineno, line):
++ Error.__init__(
++ self,
++ 'File contains no section headers.\nfile: %r, line: %d\n%r' %
++ (filename, lineno, line))
++ self.source = filename
++ self.lineno = lineno
++ self.line = line
++ self.args = (filename, lineno, line)
++
++
++# Used in parser getters to indicate the default behaviour when a specific
++# option is not found it to raise an exception. Created to enable `None' as
++# a valid fallback value.
++_UNSET = object()
++
++
++class Interpolation(object):
++ """Dummy interpolation that passes the value through with no changes."""
++
++ def before_get(self, parser, section, option, value, defaults):
++ return value
++
++ def before_set(self, parser, section, option, value):
++ return value
++
++ def before_read(self, parser, section, option, value):
++ return value
++
++ def before_write(self, parser, section, option, value):
++ return value
++
++
++class BasicInterpolation(Interpolation):
++ """Interpolation as implemented in the classic ConfigParser.
++
++ The option values can contain format strings which refer to other values in
++ the same section, or values in the special default section.
++
++ For example:
++
++ something: %(dir)s/whatever
++
++ would resolve the "%(dir)s" to the value of dir. All reference
++ expansions are done late, on demand. If a user needs to use a bare % in
++ a configuration file, she can escape it by writing %%. Other % usage
++ is considered a user error and raises `InterpolationSyntaxError'."""
++
++ _KEYCRE = re.compile(r"%\(([^)]+)\)s")
++
++ def before_get(self, parser, section, option, value, defaults):
++ L = []
++ self._interpolate_some(parser, option, L, value, section, defaults, 1)
++ return ''.join(L)
++
++ def before_set(self, parser, section, option, value):
++ tmp_value = value.replace('%%', '') # escaped percent signs
++ tmp_value = self._KEYCRE.sub('', tmp_value) # valid syntax
++ if '%' in tmp_value:
++ raise ValueError("invalid interpolation syntax in %r at "
++ "position %d" % (value, tmp_value.find('%')))
++ return value
++
++ def _interpolate_some(self, parser, option, accum, rest, section, map,
++ depth):
++ rawval = parser.get(section, option, raw=True, fallback=rest)
++ if depth > MAX_INTERPOLATION_DEPTH:
++ raise InterpolationDepthError(option, section, rawval)
++ while rest:
++ p = rest.find("%")
++ if p < 0:
++ accum.append(rest)
++ return
++ if p > 0:
++ accum.append(rest[:p])
++ rest = rest[p:]
++ # p is no longer used
++ c = rest[1:2]
++ if c == "%":
++ accum.append("%")
++ rest = rest[2:]
++ elif c == "(":
++ m = self._KEYCRE.match(rest)
++ if m is None:
++ raise InterpolationSyntaxError(option, section,
++ "bad interpolation variable reference %r" % rest)
++ var = parser.optionxform(m.group(1))
++ rest = rest[m.end():]
++ try:
++ v = map[var]
++ except KeyError:
++ raise from_none(InterpolationMissingOptionError(
++ option, section, rawval, var))
++ if "%" in v:
++ self._interpolate_some(parser, option, accum, v,
++ section, map, depth + 1)
++ else:
++ accum.append(v)
++ else:
++ raise InterpolationSyntaxError(
++ option, section,
++ "'%%' must be followed by '%%' or '(', "
++ "found: %r" % (rest,))
++
++
++class ExtendedInterpolation(Interpolation):
++ """Advanced variant of interpolation, supports the syntax used by
++ `zc.buildout'. Enables interpolation between sections."""
++
++ _KEYCRE = re.compile(r"\$\{([^}]+)\}")
++
++ def before_get(self, parser, section, option, value, defaults):
++ L = []
++ self._interpolate_some(parser, option, L, value, section, defaults, 1)
++ return ''.join(L)
++
++ def before_set(self, parser, section, option, value):
++ tmp_value = value.replace('$$', '') # escaped dollar signs
++ tmp_value = self._KEYCRE.sub('', tmp_value) # valid syntax
++ if '$' in tmp_value:
++ raise ValueError("invalid interpolation syntax in %r at "
++ "position %d" % (value, tmp_value.find('$')))
++ return value
++
++ def _interpolate_some(self, parser, option, accum, rest, section, map,
++ depth):
++ rawval = parser.get(section, option, raw=True, fallback=rest)
++ if depth > MAX_INTERPOLATION_DEPTH:
++ raise InterpolationDepthError(option, section, rawval)
++ while rest:
++ p = rest.find("$")
++ if p < 0:
++ accum.append(rest)
++ return
++ if p > 0:
++ accum.append(rest[:p])
++ rest = rest[p:]
++ # p is no longer used
++ c = rest[1:2]
++ if c == "$":
++ accum.append("$")
++ rest = rest[2:]
++ elif c == "{":
++ m = self._KEYCRE.match(rest)
++ if m is None:
++ raise InterpolationSyntaxError(option, section,
++ "bad interpolation variable reference %r" % rest)
++ path = m.group(1).split(':')
++ rest = rest[m.end():]
++ sect = section
++ opt = option
++ try:
++ if len(path) == 1:
++ opt = parser.optionxform(path[0])
++ v = map[opt]
++ elif len(path) == 2:
++ sect = path[0]
++ opt = parser.optionxform(path[1])
++ v = parser.get(sect, opt, raw=True)
++ else:
++ raise InterpolationSyntaxError(
++ option, section,
++ "More than one ':' found: %r" % (rest,))
++ except (KeyError, NoSectionError, NoOptionError):
++ raise from_none(InterpolationMissingOptionError(
++ option, section, rawval, ":".join(path)))
++ if "$" in v:
++ self._interpolate_some(parser, opt, accum, v, sect,
++ dict(parser.items(sect, raw=True)),
++ depth + 1)
++ else:
++ accum.append(v)
++ else:
++ raise InterpolationSyntaxError(
++ option, section,
++ "'$' must be followed by '$' or '{', "
++ "found: %r" % (rest,))
++
++
++class LegacyInterpolation(Interpolation):
++ """Deprecated interpolation used in old versions of ConfigParser.
++ Use BasicInterpolation or ExtendedInterpolation instead."""
++
++ _KEYCRE = re.compile(r"%\(([^)]*)\)s|.")
++
++ def before_get(self, parser, section, option, value, vars):
++ rawval = value
++ depth = MAX_INTERPOLATION_DEPTH
++ while depth: # Loop through this until it's done
++ depth -= 1
++ if value and "%(" in value:
++ replace = functools.partial(self._interpolation_replace,
++ parser=parser)
++ value = self._KEYCRE.sub(replace, value)
++ try:
++ value = value % vars
++ except KeyError as e:
++ raise from_none(InterpolationMissingOptionError(
++ option, section, rawval, e.args[0]))
++ else:
++ break
++ if value and "%(" in value:
++ raise InterpolationDepthError(option, section, rawval)
++ return value
++
++ def before_set(self, parser, section, option, value):
++ return value
++
++ @staticmethod
++ def _interpolation_replace(match, parser):
++ s = match.group(1)
++ if s is None:
++ return match.group()
++ else:
++ return "%%(%s)s" % parser.optionxform(s)
++
++
++class RawConfigParser(MutableMapping):
++ """ConfigParser that does not do interpolation."""
++
++ # Regular expressions for parsing section headers and options
++ _SECT_TMPL = r"""
++ \[ # [
++ (?P<header>[^]]+) # very permissive!
++ \] # ]
++ """
++ _OPT_TMPL = r"""
++ (?P<option>.*?) # very permissive!
++ \s*(?P<vi>{delim})\s* # any number of space/tab,
++ # followed by any of the
++ # allowed delimiters,
++ # followed by any space/tab
++ (?P<value>.*)$ # everything up to eol
++ """
++ _OPT_NV_TMPL = r"""
++ (?P<option>.*?) # very permissive!
++ \s*(?: # any number of space/tab,
++ (?P<vi>{delim})\s* # optionally followed by
++ # any of the allowed
++ # delimiters, followed by any
++ # space/tab
++ (?P<value>.*))?$ # everything up to eol
++ """
++ # Interpolation algorithm to be used if the user does not specify another
++ _DEFAULT_INTERPOLATION = Interpolation()
++ # Compiled regular expression for matching sections
++ SECTCRE = re.compile(_SECT_TMPL, re.VERBOSE)
++ # Compiled regular expression for matching options with typical separators
++ OPTCRE = re.compile(_OPT_TMPL.format(delim="=|:"), re.VERBOSE)
++ # Compiled regular expression for matching options with optional values
++ # delimited using typical separators
++ OPTCRE_NV = re.compile(_OPT_NV_TMPL.format(delim="=|:"), re.VERBOSE)
++ # Compiled regular expression for matching leading whitespace in a line
++ NONSPACECRE = re.compile(r"\S")
++ # Possible boolean values in the configuration.
++ BOOLEAN_STATES = {'1': True, 'yes': True, 'true': True, 'on': True,
++ '0': False, 'no': False, 'false': False, 'off': False}
++
++ def __init__(self, defaults=None, dict_type=_default_dict,
++ allow_no_value=False, **kwargs):
++
++ # keyword-only arguments
++ delimiters = kwargs.get('delimiters', ('=', ':'))
++ comment_prefixes = kwargs.get('comment_prefixes', ('#', ';'))
++ inline_comment_prefixes = kwargs.get('inline_comment_prefixes', None)
++ strict = kwargs.get('strict', True)
++ empty_lines_in_values = kwargs.get('empty_lines_in_values', True)
++ default_section = kwargs.get('default_section', DEFAULTSECT)
++ interpolation = kwargs.get('interpolation', _UNSET)
++ converters = kwargs.get('converters', _UNSET)
++
++ self._dict = dict_type
++ self._sections = self._dict()
++ self._defaults = self._dict()
++ self._converters = ConverterMapping(self)
++ self._proxies = self._dict()
++ self._proxies[default_section] = SectionProxy(self, default_section)
++ if defaults:
++ for key, value in defaults.items():
++ self._defaults[self.optionxform(key)] = value
++ self._delimiters = tuple(delimiters)
++ if delimiters == ('=', ':'):
++ self._optcre = self.OPTCRE_NV if allow_no_value else self.OPTCRE
++ else:
++ d = "|".join(re.escape(d) for d in delimiters)
++ if allow_no_value:
++ self._optcre = re.compile(self._OPT_NV_TMPL.format(delim=d),
++ re.VERBOSE)
++ else:
++ self._optcre = re.compile(self._OPT_TMPL.format(delim=d),
++ re.VERBOSE)
++ self._comment_prefixes = tuple(comment_prefixes or ())
++ self._inline_comment_prefixes = tuple(inline_comment_prefixes or ())
++ self._strict = strict
++ self._allow_no_value = allow_no_value
++ self._empty_lines_in_values = empty_lines_in_values
++ self.default_section=default_section
++ self._interpolation = interpolation
++ if self._interpolation is _UNSET:
++ self._interpolation = self._DEFAULT_INTERPOLATION
++ if self._interpolation is None:
++ self._interpolation = Interpolation()
++ if converters is not _UNSET:
++ self._converters.update(converters)
++
++ def defaults(self):
++ return self._defaults
++
++ def sections(self):
++ """Return a list of section names, excluding [DEFAULT]"""
++ # self._sections will never have [DEFAULT] in it
++ return list(self._sections.keys())
++
++ def add_section(self, section):
++ """Create a new section in the configuration.
++
++ Raise DuplicateSectionError if a section by the specified name
++ already exists. Raise ValueError if name is DEFAULT.
++ """
++ if section == self.default_section:
++ raise ValueError('Invalid section name: %r' % section)
++
++ if section in self._sections:
++ raise DuplicateSectionError(section)
++ self._sections[section] = self._dict()
++ self._proxies[section] = SectionProxy(self, section)
++
++ def has_section(self, section):
++ """Indicate whether the named section is present in the configuration.
++
++ The DEFAULT section is not acknowledged.
++ """
++ return section in self._sections
++
++ def options(self, section):
++ """Return a list of option names for the given section name."""
++ try:
++ opts = self._sections[section].copy()
++ except KeyError:
++ raise from_none(NoSectionError(section))
++ opts.update(self._defaults)
++ return list(opts.keys())
++
++ def read(self, filenames, encoding=None):
++ """Read and parse a filename or a list of filenames.
++
++ Files that cannot be opened are silently ignored; this is
++ designed so that you can specify a list of potential
++ configuration file locations (e.g. current directory, user's
++ home directory, systemwide directory), and all existing
++ configuration files in the list will be read. A single
++ filename may also be given.
++
++ Return list of successfully read files.
++ """
++ if PY2 and isinstance(filenames, bytes):
++ # we allow for a little unholy magic for Python 2 so that
++ # people not using unicode_literals can still use the library
++ # conveniently
++ warnings.warn(
++ "You passed a bytestring as `filenames`. This will not work"
++ " on Python 3. Use `cp.read_file()` or switch to using Unicode"
++ " strings across the board.",
++ DeprecationWarning,
++ stacklevel=2,
++ )
++ filenames = [filenames]
++ elif isinstance(filenames, str):
++ filenames = [filenames]
++ read_ok = []
++ for filename in filenames:
++ try:
++ with open(filename, encoding=encoding) as fp:
++ self._read(fp, filename)
++ except IOError:
++ continue
++ read_ok.append(filename)
++ return read_ok
++
++ def read_file(self, f, source=None):
++ """Like read() but the argument must be a file-like object.
++
++ The `f' argument must be iterable, returning one line at a time.
++ Optional second argument is the `source' specifying the name of the
++ file being read. If not given, it is taken from f.name. If `f' has no
++ `name' attribute, `<???>' is used.
++ """
++ if source is None:
++ try:
++ source = f.name
++ except AttributeError:
++ source = '<???>'
++ self._read(f, source)
++
++ def read_string(self, string, source='<string>'):
++ """Read configuration from a given string."""
++ sfile = io.StringIO(string)
++ self.read_file(sfile, source)
++
++ def read_dict(self, dictionary, source='<dict>'):
++ """Read configuration from a dictionary.
++
++ Keys are section names, values are dictionaries with keys and values
++ that should be present in the section. If the used dictionary type
++ preserves order, sections and their keys will be added in order.
++
++ All types held in the dictionary are converted to strings during
++ reading, including section names, option names and keys.
++
++ Optional second argument is the `source' specifying the name of the
++ dictionary being read.
++ """
++ elements_added = set()
++ for section, keys in dictionary.items():
++ section = str(section)
++ try:
++ self.add_section(section)
++ except (DuplicateSectionError, ValueError):
++ if self._strict and section in elements_added:
++ raise
++ elements_added.add(section)
++ for key, value in keys.items():
++ key = self.optionxform(str(key))
++ if value is not None:
++ value = str(value)
++ if self._strict and (section, key) in elements_added:
++ raise DuplicateOptionError(section, key, source)
++ elements_added.add((section, key))
++ self.set(section, key, value)
++
++ def readfp(self, fp, filename=None):
++ """Deprecated, use read_file instead."""
++ warnings.warn(
++ "This method will be removed in future versions. "
++ "Use 'parser.read_file()' instead.",
++ DeprecationWarning, stacklevel=2
++ )
++ self.read_file(fp, source=filename)
++
++ def get(self, section, option, **kwargs):
++ """Get an option value for a given section.
++
++ If `vars' is provided, it must be a dictionary. The option is looked up
++ in `vars' (if provided), `section', and in `DEFAULTSECT' in that order.
++ If the key is not found and `fallback' is provided, it is used as
++ a fallback value. `None' can be provided as a `fallback' value.
++
++ If interpolation is enabled and the optional argument `raw' is False,
++ all interpolations are expanded in the return values.
++
++ Arguments `raw', `vars', and `fallback' are keyword only.
++
++ The section DEFAULT is special.
++ """
++ # keyword-only arguments
++ raw = kwargs.get('raw', False)
++ vars = kwargs.get('vars', None)
++ fallback = kwargs.get('fallback', _UNSET)
++
++ try:
++ d = self._unify_values(section, vars)
++ except NoSectionError:
++ if fallback is _UNSET:
++ raise
++ else:
++ return fallback
++ option = self.optionxform(option)
++ try:
++ value = d[option]
++ except KeyError:
++ if fallback is _UNSET:
++ raise NoOptionError(option, section)
++ else:
++ return fallback
++
++ if raw or value is None:
++ return value
++ else:
++ return self._interpolation.before_get(self, section, option, value,
++ d)
++
++ def _get(self, section, conv, option, **kwargs):
++ return conv(self.get(section, option, **kwargs))
++
++ def _get_conv(self, section, option, conv, **kwargs):
++ # keyword-only arguments
++ kwargs.setdefault('raw', False)
++ kwargs.setdefault('vars', None)
++ fallback = kwargs.pop('fallback', _UNSET)
++ try:
++ return self._get(section, conv, option, **kwargs)
++ except (NoSectionError, NoOptionError):
++ if fallback is _UNSET:
++ raise
++ return fallback
++
++ # getint, getfloat and getboolean provided directly for backwards compat
++ def getint(self, section, option, **kwargs):
++ # keyword-only arguments
++ kwargs.setdefault('raw', False)
++ kwargs.setdefault('vars', None)
++ kwargs.setdefault('fallback', _UNSET)
++ return self._get_conv(section, option, int, **kwargs)
++
++ def getfloat(self, section, option, **kwargs):
++ # keyword-only arguments
++ kwargs.setdefault('raw', False)
++ kwargs.setdefault('vars', None)
++ kwargs.setdefault('fallback', _UNSET)
++ return self._get_conv(section, option, float, **kwargs)
++
++ def getboolean(self, section, option, **kwargs):
++ # keyword-only arguments
++ kwargs.setdefault('raw', False)
++ kwargs.setdefault('vars', None)
++ kwargs.setdefault('fallback', _UNSET)
++ return self._get_conv(section, option, self._convert_to_boolean,
++ **kwargs)
++
++ def items(self, section=_UNSET, raw=False, vars=None):
++ """Return a list of (name, value) tuples for each option in a section.
++
++ All % interpolations are expanded in the return values, based on the
++ defaults passed into the constructor, unless the optional argument
++ `raw' is true. Additional substitutions may be provided using the
++ `vars' argument, which must be a dictionary whose contents overrides
++ any pre-existing defaults.
++
++ The section DEFAULT is special.
++ """
++ if section is _UNSET:
++ return super(RawConfigParser, self).items()
++ d = self._defaults.copy()
++ try:
++ d.update(self._sections[section])
++ except KeyError:
++ if section != self.default_section:
++ raise NoSectionError(section)
++ # Update with the entry specific variables
++ if vars:
++ for key, value in vars.items():
++ d[self.optionxform(key)] = value
++ value_getter = lambda option: self._interpolation.before_get(self,
++ section, option, d[option], d)
++ if raw:
++ value_getter = lambda option: d[option]
++ return [(option, value_getter(option)) for option in d.keys()]
++
++ def popitem(self):
++ """Remove a section from the parser and return it as
++ a (section_name, section_proxy) tuple. If no section is present, raise
++ KeyError.
++
++ The section DEFAULT is never returned because it cannot be removed.
++ """
++ for key in self.sections():
++ value = self[key]
++ del self[key]
++ return key, value
++ raise KeyError
++
++ def optionxform(self, optionstr):
++ return optionstr.lower()
++
++ def has_option(self, section, option):
++ """Check for the existence of a given option in a given section.
++ If the specified `section' is None or an empty string, DEFAULT is
++ assumed. If the specified `section' does not exist, returns False."""
++ if not section or section == self.default_section:
++ option = self.optionxform(option)
++ return option in self._defaults
++ elif section not in self._sections:
++ return False
++ else:
++ option = self.optionxform(option)
++ return (option in self._sections[section]
++ or option in self._defaults)
++
++ def set(self, section, option, value=None):
++ """Set an option."""
++ if value:
++ value = self._interpolation.before_set(self, section, option,
++ value)
++ if not section or section == self.default_section:
++ sectdict = self._defaults
++ else:
++ try:
++ sectdict = self._sections[section]
++ except KeyError:
++ raise from_none(NoSectionError(section))
++ sectdict[self.optionxform(option)] = value
++
++ def write(self, fp, space_around_delimiters=True):
++ """Write an .ini-format representation of the configuration state.
++
++ If `space_around_delimiters' is True (the default), delimiters
++ between keys and values are surrounded by spaces.
++ """
++ if space_around_delimiters:
++ d = " {0} ".format(self._delimiters[0])
++ else:
++ d = self._delimiters[0]
++ if self._defaults:
++ self._write_section(fp, self.default_section,
++ self._defaults.items(), d)
++ for section in self._sections:
++ self._write_section(fp, section,
++ self._sections[section].items(), d)
++
++ def _write_section(self, fp, section_name, section_items, delimiter):
++ """Write a single section to the specified `fp'."""
++ fp.write("[{0}]\n".format(section_name))
++ for key, value in section_items:
++ value = self._interpolation.before_write(self, section_name, key,
++ value)
++ if value is not None or not self._allow_no_value:
++ value = delimiter + str(value).replace('\n', '\n\t')
++ else:
++ value = ""
++ fp.write("{0}{1}\n".format(key, value))
++ fp.write("\n")
++
++ def remove_option(self, section, option):
++ """Remove an option."""
++ if not section or section == self.default_section:
++ sectdict = self._defaults
++ else:
++ try:
++ sectdict = self._sections[section]
++ except KeyError:
++ raise from_none(NoSectionError(section))
++ option = self.optionxform(option)
++ existed = option in sectdict
++ if existed:
++ del sectdict[option]
++ return existed
++
++ def remove_section(self, section):
++ """Remove a file section."""
++ existed = section in self._sections
++ if existed:
++ del self._sections[section]
++ del self._proxies[section]
++ return existed
++
++ def __getitem__(self, key):
++ if key != self.default_section and not self.has_section(key):
++ raise KeyError(key)
++ return self._proxies[key]
++
++ def __setitem__(self, key, value):
++ # To conform with the mapping protocol, overwrites existing values in
++ # the section.
++
++ # XXX this is not atomic if read_dict fails at any point. Then again,
++ # no update method in configparser is atomic in this implementation.
++ if key == self.default_section:
++ self._defaults.clear()
++ elif key in self._sections:
++ self._sections[key].clear()
++ self.read_dict({key: value})
++
++ def __delitem__(self, key):
++ if key == self.default_section:
++ raise ValueError("Cannot remove the default section.")
++ if not self.has_section(key):
++ raise KeyError(key)
++ self.remove_section(key)
++
++ def __contains__(self, key):
++ return key == self.default_section or self.has_section(key)
++
++ def __len__(self):
++ return len(self._sections) + 1 # the default section
++
++ def __iter__(self):
++ # XXX does it break when underlying container state changed?
++ return itertools.chain((self.default_section,), self._sections.keys())
++
++ def _read(self, fp, fpname):
++ """Parse a sectioned configuration file.
++
++ Each section in a configuration file contains a header, indicated by
++ a name in square brackets (`[]'), plus key/value options, indicated by
++ `name' and `value' delimited with a specific substring (`=' or `:' by
++ default).
++
++ Values can span multiple lines, as long as they are indented deeper
++ than the first line of the value. Depending on the parser's mode, blank
++ lines may be treated as parts of multiline values or ignored.
++
++ Configuration files may include comments, prefixed by specific
++ characters (`#' and `;' by default). Comments may appear on their own
++ in an otherwise empty line or may be entered in lines holding values or
++ section names.
++ """
++ elements_added = set()
++ cursect = None # None, or a dictionary
++ sectname = None
++ optname = None
++ lineno = 0
++ indent_level = 0
++ e = None # None, or an exception
++ for lineno, line in enumerate(fp, start=1):
++ comment_start = sys.maxsize
++ # strip inline comments
++ inline_prefixes = dict(
++ (p, -1) for p in self._inline_comment_prefixes)
++ while comment_start == sys.maxsize and inline_prefixes:
++ next_prefixes = {}
++ for prefix, index in inline_prefixes.items():
++ index = line.find(prefix, index+1)
++ if index == -1:
++ continue
++ next_prefixes[prefix] = index
++ if index == 0 or (index > 0 and line[index-1].isspace()):
++ comment_start = min(comment_start, index)
++ inline_prefixes = next_prefixes
++ # strip full line comments
++ for prefix in self._comment_prefixes:
++ if line.strip().startswith(prefix):
++ comment_start = 0
++ break
++ if comment_start == sys.maxsize:
++ comment_start = None
++ value = line[:comment_start].strip()
++ if not value:
++ if self._empty_lines_in_values:
++ # add empty line to the value, but only if there was no
++ # comment on the line
++ if (comment_start is None and
++ cursect is not None and
++ optname and
++ cursect[optname] is not None):
++ cursect[optname].append('') # newlines added at join
++ else:
++ # empty line marks end of value
++ indent_level = sys.maxsize
++ continue
++ # continuation line?
++ first_nonspace = self.NONSPACECRE.search(line)
++ cur_indent_level = first_nonspace.start() if first_nonspace else 0
++ if (cursect is not None and optname and
++ cur_indent_level > indent_level):
++ cursect[optname].append(value)
++ # a section header or option header?
++ else:
++ indent_level = cur_indent_level
++ # is it a section header?
++ mo = self.SECTCRE.match(value)
++ if mo:
++ sectname = mo.group('header')
++ if sectname in self._sections:
++ if self._strict and sectname in elements_added:
++ raise DuplicateSectionError(sectname, fpname,
++ lineno)
++ cursect = self._sections[sectname]
++ elements_added.add(sectname)
++ elif sectname == self.default_section:
++ cursect = self._defaults
++ else:
++ cursect = self._dict()
++ self._sections[sectname] = cursect
++ self._proxies[sectname] = SectionProxy(self, sectname)
++ elements_added.add(sectname)
++ # So sections can't start with a continuation line
++ optname = None
++ # no section header in the file?
++ elif cursect is None:
++ raise MissingSectionHeaderError(fpname, lineno, line)
++ # an option line?
++ else:
++ mo = self._optcre.match(value)
++ if mo:
++ optname, vi, optval = mo.group('option', 'vi', 'value')
++ if not optname:
++ e = self._handle_error(e, fpname, lineno, line)
++ optname = self.optionxform(optname.rstrip())
++ if (self._strict and
++ (sectname, optname) in elements_added):
++ raise DuplicateOptionError(sectname, optname,
++ fpname, lineno)
++ elements_added.add((sectname, optname))
++ # This check is fine because the OPTCRE cannot
++ # match if it would set optval to None
++ if optval is not None:
++ optval = optval.strip()
++ cursect[optname] = [optval]
++ else:
++ # valueless option handling
++ cursect[optname] = None
++ else:
++ # a non-fatal parsing error occurred. set up the
++ # exception but keep going. the exception will be
++ # raised at the end of the file and will contain a
++ # list of all bogus lines
++ e = self._handle_error(e, fpname, lineno, line)
++ # if any parsing errors occurred, raise an exception
++ if e:
++ raise e
++ self._join_multiline_values()
++
++ def _join_multiline_values(self):
++ defaults = self.default_section, self._defaults
++ all_sections = itertools.chain((defaults,),
++ self._sections.items())
++ for section, options in all_sections:
++ for name, val in options.items():
++ if isinstance(val, list):
++ val = '\n'.join(val).rstrip()
++ options[name] = self._interpolation.before_read(self,
++ section,
++ name, val)
++
++ def _handle_error(self, exc, fpname, lineno, line):
++ if not exc:
++ exc = ParsingError(fpname)
++ exc.append(lineno, repr(line))
++ return exc
++
++ def _unify_values(self, section, vars):
++ """Create a sequence of lookups with 'vars' taking priority over
++ the 'section' which takes priority over the DEFAULTSECT.
++
++ """
++ sectiondict = {}
++ try:
++ sectiondict = self._sections[section]
++ except KeyError:
++ if section != self.default_section:
++ raise NoSectionError(section)
++ # Update with the entry specific variables
++ vardict = {}
++ if vars:
++ for key, value in vars.items():
++ if value is not None:
++ value = str(value)
++ vardict[self.optionxform(key)] = value
++ return _ChainMap(vardict, sectiondict, self._defaults)
++
++ def _convert_to_boolean(self, value):
++ """Return a boolean value translating from other types if necessary.
++ """
++ if value.lower() not in self.BOOLEAN_STATES:
++ raise ValueError('Not a boolean: %s' % value)
++ return self.BOOLEAN_STATES[value.lower()]
++
++ def _validate_value_types(self, **kwargs):
++ """Raises a TypeError for non-string values.
++
++ The only legal non-string value if we allow valueless
++ options is None, so we need to check if the value is a
++ string if:
++ - we do not allow valueless options, or
++ - we allow valueless options but the value is not None
++
++ For compatibility reasons this method is not used in classic set()
++ for RawConfigParsers. It is invoked in every case for mapping protocol
++ access and in ConfigParser.set().
++ """
++ # keyword-only arguments
++ section = kwargs.get('section', "")
++ option = kwargs.get('option', "")
++ value = kwargs.get('value', "")
++
++ if PY2 and bytes in (type(section), type(option), type(value)):
++ # we allow for a little unholy magic for Python 2 so that
++ # people not using unicode_literals can still use the library
++ # conveniently
++ warnings.warn(
++ "You passed a bytestring. Implicitly decoding as UTF-8 string."
++ " This will not work on Python 3. Please switch to using"
++ " Unicode strings across the board.",
++ DeprecationWarning,
++ stacklevel=2,
++ )
++ if isinstance(section, bytes):
++ section = section.decode('utf8')
++ if isinstance(option, bytes):
++ option = option.decode('utf8')
++ if isinstance(value, bytes):
++ value = value.decode('utf8')
++
++ if not isinstance(section, str):
++ raise TypeError("section names must be strings")
++ if not isinstance(option, str):
++ raise TypeError("option keys must be strings")
++ if not self._allow_no_value or value:
++ if not isinstance(value, str):
++ raise TypeError("option values must be strings")
++
++ return section, option, value
++
++ @property
++ def converters(self):
++ return self._converters
++
++
++class ConfigParser(RawConfigParser):
++ """ConfigParser implementing interpolation."""
++
++ _DEFAULT_INTERPOLATION = BasicInterpolation()
++
++ def set(self, section, option, value=None):
++ """Set an option. Extends RawConfigParser.set by validating type and
++ interpolation syntax on the value."""
++ _, option, value = self._validate_value_types(option=option, value=value)
++ super(ConfigParser, self).set(section, option, value)
++
++ def add_section(self, section):
++ """Create a new section in the configuration. Extends
++ RawConfigParser.add_section by validating if the section name is
++ a string."""
++ section, _, _ = self._validate_value_types(section=section)
++ super(ConfigParser, self).add_section(section)
++
++
++class SafeConfigParser(ConfigParser):
++ """ConfigParser alias for backwards compatibility purposes."""
++
++ def __init__(self, *args, **kwargs):
++ super(SafeConfigParser, self).__init__(*args, **kwargs)
++ warnings.warn(
++ "The SafeConfigParser class has been renamed to ConfigParser "
++ "in Python 3.2. This alias will be removed in future versions."
++ " Use ConfigParser directly instead.",
++ DeprecationWarning, stacklevel=2
++ )
++
++
++class SectionProxy(MutableMapping):
++ """A proxy for a single section from a parser."""
++
++ def __init__(self, parser, name):
++ """Creates a view on a section of the specified `name` in `parser`."""
++ self._parser = parser
++ self._name = name
++ for conv in parser.converters:
++ key = 'get' + conv
++ getter = functools.partial(self.get, _impl=getattr(parser, key))
++ setattr(self, key, getter)
++
++ def __repr__(self):
++ return '<Section: {0}>'.format(self._name)
++
++ def __getitem__(self, key):
++ if not self._parser.has_option(self._name, key):
++ raise KeyError(key)
++ return self._parser.get(self._name, key)
++
++ def __setitem__(self, key, value):
++ _, key, value = self._parser._validate_value_types(option=key, value=value)
++ return self._parser.set(self._name, key, value)
++
++ def __delitem__(self, key):
++ if not (self._parser.has_option(self._name, key) and
++ self._parser.remove_option(self._name, key)):
++ raise KeyError(key)
++
++ def __contains__(self, key):
++ return self._parser.has_option(self._name, key)
++
++ def __len__(self):
++ return len(self._options())
++
++ def __iter__(self):
++ return self._options().__iter__()
++
++ def _options(self):
++ if self._name != self._parser.default_section:
++ return self._parser.options(self._name)
++ else:
++ return self._parser.defaults()
++
++ @property
++ def parser(self):
++ # The parser object of the proxy is read-only.
++ return self._parser
++
++ @property
++ def name(self):
++ # The name of the section on a proxy is read-only.
++ return self._name
++
++ def get(self, option, fallback=None, **kwargs):
++ """Get an option value.
++
++ Unless `fallback` is provided, `None` will be returned if the option
++ is not found.
++
++ """
++ # keyword-only arguments
++ kwargs.setdefault('raw', False)
++ kwargs.setdefault('vars', None)
++ _impl = kwargs.pop('_impl', None)
++ # If `_impl` is provided, it should be a getter method on the parser
++ # object that provides the desired type conversion.
++ if not _impl:
++ _impl = self._parser.get
++ return _impl(self._name, option, fallback=fallback, **kwargs)
++
++
++class ConverterMapping(MutableMapping):
++ """Enables reuse of get*() methods between the parser and section proxies.
++
++ If a parser class implements a getter directly, the value for the given
++ key will be ``None``. The presence of the converter name here enables
++ section proxies to find and use the implementation on the parser class.
++ """
++
++ GETTERCRE = re.compile(r"^get(?P<name>.+)$")
++
++ def __init__(self, parser):
++ self._parser = parser
++ self._data = {}
++ for getter in dir(self._parser):
++ m = self.GETTERCRE.match(getter)
++ if not m or not callable(getattr(self._parser, getter)):
++ continue
++ self._data[m.group('name')] = None # See class docstring.
++
++ def __getitem__(self, key):
++ return self._data[key]
++
++ def __setitem__(self, key, value):
++ try:
++ k = 'get' + key
++ except TypeError:
++ raise ValueError('Incompatible key: {} (type: {})'
++ ''.format(key, type(key)))
++ if k == 'get':
++ raise ValueError('Incompatible key: cannot use "" as a name')
++ self._data[key] = value
++ func = functools.partial(self._parser._get_conv, conv=value)
++ func.converter = value
++ setattr(self._parser, k, func)
++ for proxy in self._parser.values():
++ getter = functools.partial(proxy.get, _impl=func)
++ setattr(proxy, k, getter)
++
++ def __delitem__(self, key):
++ try:
++ k = 'get' + (key or None)
++ except TypeError:
++ raise KeyError(key)
++ del self._data[key]
++ for inst in itertools.chain((self._parser,), self._parser.values()):
++ try:
++ delattr(inst, k)
++ except AttributeError:
++ # don't raise since the entry was present in _data, silently
++ # clean up
++ continue
++
++ def __iter__(self):
++ return iter(self._data)
++
++ def __len__(self):
++ return len(self._data)
+diff --git a/custodia/vendor/backports/configparser/helpers.py b/custodia/vendor/backports/configparser/helpers.py
+new file mode 100644
+index 0000000..c47662f
+--- /dev/null
++++ b/custodia/vendor/backports/configparser/helpers.py
+@@ -0,0 +1,171 @@
++#!/usr/bin/env python
++# -*- coding: utf-8 -*-
++
++from __future__ import absolute_import
++from __future__ import division
++from __future__ import print_function
++from __future__ import unicode_literals
++
++from collections import MutableMapping
++try:
++ from collections import UserDict
++except ImportError:
++ from UserDict import UserDict
++
++try:
++ from collections import OrderedDict
++except ImportError:
++ from ordereddict import OrderedDict
++
++from io import open
++import sys
++try:
++ from thread import get_ident
++except ImportError:
++ try:
++ from _thread import get_ident
++ except ImportError:
++ from _dummy_thread import get_ident
++
++
++PY2 = sys.version_info[0] == 2
++PY3 = sys.version_info[0] == 3
++
++str = type('str')
++
++
++def from_none(exc):
++ """raise from_none(ValueError('a')) == raise ValueError('a') from None"""
++ exc.__cause__ = None
++ exc.__suppress_context__ = True
++ return exc
++
++
++# from reprlib 3.2.1
++def recursive_repr(fillvalue='...'):
++ 'Decorator to make a repr function return fillvalue for a recursive call'
++
++ def decorating_function(user_function):
++ repr_running = set()
++
++ def wrapper(self):
++ key = id(self), get_ident()
++ if key in repr_running:
++ return fillvalue
++ repr_running.add(key)
++ try:
++ result = user_function(self)
++ finally:
++ repr_running.discard(key)
++ return result
++
++ # Can't use functools.wraps() here because of bootstrap issues
++ wrapper.__module__ = getattr(user_function, '__module__')
++ wrapper.__doc__ = getattr(user_function, '__doc__')
++ wrapper.__name__ = getattr(user_function, '__name__')
++ wrapper.__annotations__ = getattr(user_function, '__annotations__', {})
++ return wrapper
++
++ return decorating_function
++
++# from collections 3.2.1
++class _ChainMap(MutableMapping):
++ ''' A ChainMap groups multiple dicts (or other mappings) together
++ to create a single, updateable view.
++
++ The underlying mappings are stored in a list. That list is public and can
++ accessed or updated using the *maps* attribute. There is no other state.
++
++ Lookups search the underlying mappings successively until a key is found.
++ In contrast, writes, updates, and deletions only operate on the first
++ mapping.
++
++ '''
++
++ def __init__(self, *maps):
++ '''Initialize a ChainMap by setting *maps* to the given mappings.
++ If no mappings are provided, a single empty dictionary is used.
++
++ '''
++ self.maps = list(maps) or [{}] # always at least one map
++
++ def __missing__(self, key):
++ raise KeyError(key)
++
++ def __getitem__(self, key):
++ for mapping in self.maps:
++ try:
++ return mapping[key] # can't use 'key in mapping' with defaultdict
++ except KeyError:
++ pass
++ return self.__missing__(key) # support subclasses that define __missing__
++
++ def get(self, key, default=None):
++ return self[key] if key in self else default
++
++ def __len__(self):
++ return len(set().union(*self.maps)) # reuses stored hash values if possible
++
++ def __iter__(self):
++ return iter(set().union(*self.maps))
++
++ def __contains__(self, key):
++ return any(key in m for m in self.maps)
++
++ @recursive_repr()
++ def __repr__(self):
++ return '{0.__class__.__name__}({1})'.format(
++ self, ', '.join(map(repr, self.maps)))
++
++ @classmethod
++ def fromkeys(cls, iterable, *args):
++ 'Create a ChainMap with a single dict created from the iterable.'
++ return cls(dict.fromkeys(iterable, *args))
++
++ def copy(self):
++ 'New ChainMap or subclass with a new copy of maps[0] and refs to maps[1:]'
++ return self.__class__(self.maps[0].copy(), *self.maps[1:])
++
++ __copy__ = copy
++
++ def new_child(self): # like Django's Context.push()
++ 'New ChainMap with a new dict followed by all previous maps.'
++ return self.__class__({}, *self.maps)
++
++ @property
++ def parents(self): # like Django's Context.pop()
++ 'New ChainMap from maps[1:].'
++ return self.__class__(*self.maps[1:])
++
++ def __setitem__(self, key, value):
++ self.maps[0][key] = value
++
++ def __delitem__(self, key):
++ try:
++ del self.maps[0][key]
++ except KeyError:
++ raise KeyError('Key not found in the first mapping: {!r}'.format(key))
++
++ def popitem(self):
++ 'Remove and return an item pair from maps[0]. Raise KeyError is maps[0] is empty.'
++ try:
++ return self.maps[0].popitem()
++ except KeyError:
++ raise KeyError('No keys found in the first mapping.')
++
++ def pop(self, key, *args):
++ 'Remove *key* from maps[0] and return its value. Raise KeyError if *key* not in maps[0].'
++ try:
++ return self.maps[0].pop(key, *args)
++ except KeyError:
++ raise KeyError('Key not found in the first mapping: {!r}'.format(key))
++
++ def clear(self):
++ 'Clear maps[0], leaving maps[1:] intact.'
++ self.maps[0].clear()
++
++
++try:
++ from collections import ChainMap
++except ImportError:
++ ChainMap = _ChainMap
+diff --git a/custodia/vendor/configparser.py b/custodia/vendor/configparser.py
+new file mode 100644
+index 0000000..b899f9e
+--- /dev/null
++++ b/custodia/vendor/configparser.py
+@@ -0,0 +1,52 @@
++#!/usr/bin/env python
++# -*- coding: utf-8 -*-
++
++"""Convenience module importing everything from backports.configparser."""
++
++from __future__ import absolute_import
++from __future__ import division
++from __future__ import print_function
++from __future__ import unicode_literals
++
++
++from backports.configparser import (
++ RawConfigParser,
++ ConfigParser,
++ SafeConfigParser,
++ SectionProxy,
++
++ Interpolation,
++ BasicInterpolation,
++ ExtendedInterpolation,
++ LegacyInterpolation,
++
++ Error,
++ NoSectionError,
++ DuplicateSectionError,
++ DuplicateOptionError,
++ NoOptionError,
++ InterpolationError,
++ InterpolationMissingOptionError,
++ InterpolationSyntaxError,
++ InterpolationDepthError,
++ ParsingError,
++ MissingSectionHeaderError,
++ ConverterMapping,
++
++ _UNSET,
++ DEFAULTSECT,
++ MAX_INTERPOLATION_DEPTH,
++ _default_dict,
++ _ChainMap,
++)
++
++__all__ = ["NoSectionError", "DuplicateOptionError", "DuplicateSectionError",
++ "NoOptionError", "InterpolationError", "InterpolationDepthError",
++ "InterpolationMissingOptionError", "InterpolationSyntaxError",
++ "ParsingError", "MissingSectionHeaderError",
++ "ConfigParser", "SafeConfigParser", "RawConfigParser",
++ "Interpolation", "BasicInterpolation", "ExtendedInterpolation",
++ "LegacyInterpolation", "SectionProxy", "ConverterMapping",
++ "DEFAULTSECT", "MAX_INTERPOLATION_DEPTH"]
++
++# NOTE: names missing from __all__ imported anyway for backwards compatibility.
+--
+2.9.3
+
diff --git a/SOURCES/0002-Patch-and-integrate-vendored-configparser.patch b/SOURCES/0002-Patch-and-integrate-vendored-configparser.patch
new file mode 100644
index 0000000..f3f4236
--- /dev/null
+++ b/SOURCES/0002-Patch-and-integrate-vendored-configparser.patch
@@ -0,0 +1,146 @@
+From fbb766bb81f37fb89fe4eb63aa7e356306994a5c Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 28 Mar 2017 17:51:23 +0200
+Subject: [PATCH 2/4] Patch and integrate vendored configparser
+
+---
+ custodia/compat.py | 2 +-
+ custodia/vendor/__init__.py | 2 ++
+ custodia/vendor/backports/configparser/__init__.py | 7 ++++---
+ custodia/vendor/backports/configparser/helpers.py | 1 +
+ custodia/vendor/configparser.py | 3 ++-
+ setup.py | 13 +++++++------
+ tox.ini | 2 +-
+ 7 files changed, 18 insertions(+), 12 deletions(-)
+ create mode 100644 custodia/vendor/__init__.py
+
+diff --git a/custodia/compat.py b/custodia/compat.py
+index 87626e1..5434b93 100644
+--- a/custodia/compat.py
++++ b/custodia/compat.py
+@@ -7,7 +7,7 @@ import six
+
+ if six.PY2:
+ # use https://pypi.python.org/pypi/configparser/ on Python 2
+- from backports import configparser
++ from custodia.vendor.backports import configparser
+ from urllib import quote as url_escape
+ from urllib import quote_plus, unquote
+ from urlparse import parse_qs, urlparse
+diff --git a/custodia/vendor/__init__.py b/custodia/vendor/__init__.py
+new file mode 100644
+index 0000000..3ad9513
+--- /dev/null
++++ b/custodia/vendor/__init__.py
+@@ -0,0 +1,2 @@
++from pkgutil import extend_path
++__path__ = extend_path(__path__, __name__)
+diff --git a/custodia/vendor/backports/configparser/__init__.py b/custodia/vendor/backports/configparser/__init__.py
+index 06d7a08..16c0c80 100644
+--- a/custodia/vendor/backports/configparser/__init__.py
++++ b/custodia/vendor/backports/configparser/__init__.py
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ # -*- coding: utf-8 -*-
++# pylint: disable-all
+
+ """Configuration file parser.
+
+@@ -135,9 +136,9 @@ import re
+ import sys
+ import warnings
+
+-from backports.configparser.helpers import OrderedDict as _default_dict
+-from backports.configparser.helpers import ChainMap as _ChainMap
+-from backports.configparser.helpers import from_none, open, str, PY2
++from .helpers import OrderedDict as _default_dict
++from .helpers import ChainMap as _ChainMap
++from .helpers import from_none, open, str, PY2
+
+ __all__ = ["NoSectionError", "DuplicateOptionError", "DuplicateSectionError",
+ "NoOptionError", "InterpolationError", "InterpolationDepthError",
+diff --git a/custodia/vendor/backports/configparser/helpers.py b/custodia/vendor/backports/configparser/helpers.py
+index c47662f..64f8c33 100644
+--- a/custodia/vendor/backports/configparser/helpers.py
++++ b/custodia/vendor/backports/configparser/helpers.py
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ # -*- coding: utf-8 -*-
++# pylint: disable-all
+
+ from __future__ import absolute_import
+ from __future__ import division
+diff --git a/custodia/vendor/configparser.py b/custodia/vendor/configparser.py
+index b899f9e..6379d87 100644
+--- a/custodia/vendor/configparser.py
++++ b/custodia/vendor/configparser.py
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ # -*- coding: utf-8 -*-
++# pylint: disable-all
+
+ """Convenience module importing everything from backports.configparser."""
+
+@@ -9,7 +10,7 @@ from __future__ import print_function
+ from __future__ import unicode_literals
+
+
+-from backports.configparser import (
++from .backports.configparser import (
+ RawConfigParser,
+ ConfigParser,
+ SafeConfigParser,
+diff --git a/setup.py b/setup.py
+index 96c14c7..a7c398a 100755
+--- a/setup.py
++++ b/setup.py
+@@ -2,8 +2,6 @@
+ #
+ # Copyright (C) 2015 Custodia project Contributors, for licensee see COPYING
+
+-import sys
+-
+ import setuptools
+ from setuptools import setup
+
+@@ -33,10 +31,10 @@ extras_require = {
+
+ # backwards compatibility with old setuptools
+ # extended interpolation is provided by stdlib in Python 3.4+
+-if SETUPTOOLS_VERSION < (18, 0, 0) and sys.version_info < (3, 4):
+- requirements.append('configparser')
+-else:
+- extras_require[':python_version<"3.4"'] = ['configparser']
++# if SETUPTOOLS_VERSION < (18, 0, 0) and sys.version_info < (3, 4):
++# requirements.append('configparser')
++# else:
++# extras_require[':python_version<"3.4"'] = ['configparser']
+
+
+ with open('README') as f:
+@@ -94,6 +92,9 @@ setup(
+ 'custodia.message',
+ 'custodia.server',
+ 'custodia.store',
++ 'custodia.vendor',
++ 'custodia.vendor.backports',
++ 'custodia.vendor.backports.configparser',
+ ],
+ entry_points={
+ 'console_scripts': [
+diff --git a/tox.ini b/tox.ini
+index 8db1c8b..d90359d 100644
+--- a/tox.ini
++++ b/tox.ini
+@@ -76,7 +76,7 @@ markers =
+ servertest: Integration tests start a local Custodia server
+
+ [flake8]
+-exclude = .tox,*.egg,dist,build,docs/source
++exclude = .tox,*.egg,dist,build,docs/source,custodia/vendor
+ show-source = true
+ max-line-length = 79
+ ignore = N802
+--
+2.9.3
+
diff --git a/SOURCES/0003-Remove-etcd-store.patch b/SOURCES/0003-Remove-etcd-store.patch
new file mode 100644
index 0000000..d74d1ab
--- /dev/null
+++ b/SOURCES/0003-Remove-etcd-store.patch
@@ -0,0 +1,199 @@
+From c2a8008af30d045227058e3158e84c9415647760 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 31 Mar 2017 12:14:43 +0200
+Subject: [PATCH 3/4] Remove etcd store
+
+---
+ custodia/store/etcdstore.py | 123 -----------------------------------------
+ docs/source/plugins/stores.rst | 6 --
+ setup.py | 9 +--
+ 3 files changed, 2 insertions(+), 136 deletions(-)
+ delete mode 100644 custodia/store/etcdstore.py
+
+diff --git a/custodia/store/etcdstore.py b/custodia/store/etcdstore.py
+deleted file mode 100644
+index 759348b..0000000
+--- a/custodia/store/etcdstore.py
++++ /dev/null
+@@ -1,123 +0,0 @@
+-# Copyright (C) 2015 Custodia Project Contributors - see LICENSE file
+-
+-from __future__ import print_function
+-
+-try:
+- from etcd import (Client, EtcdException, EtcdNotFile, EtcdAlreadyExist,
+- EtcdKeyNotFound)
+-except ImportError:
+- def Client(*args, **kwargs):
+- raise RuntimeError("Etcd client is unavailable")
+-
+- class EtcdException(Exception):
+- pass
+-
+- class EtcdNotFile(Exception):
+- pass
+-
+- class EtcdKeyNotFound(Exception):
+- pass
+-
+- class EtcdAlreadyExist(Exception):
+- pass
+-
+-from custodia.plugin import CSStore, CSStoreError, CSStoreExists
+-from custodia.plugin import PluginOption
+-
+-
+-class EtcdStore(CSStore):
+- etcd_server = PluginOption(str, '127.0.0.1', None)
+- etcd_port = PluginOption(int, '4001', None)
+- namespace = PluginOption(str, '/custodia', None)
+-
+- def __init__(self, config, section):
+- super(EtcdStore, self).__init__(config, section)
+- # Initialize the DB by trying to create the default table
+- try:
+- self.etcd = Client(self.etcd_server, self.etcd_port)
+- self.etcd.write(self.namespace, None, dir=True)
+- except EtcdNotFile:
+- # Already exists
+- pass
+- except EtcdException:
+- self.logger.exception("Error creating namespace %s",
+- self.namespace)
+- raise CSStoreError('Error occurred while trying to init db')
+-
+- def _absolute_key(self, key):
+- """Get absolute path to key and validate key"""
+- if '//' in key:
+- raise ValueError("Invalid empty components in key '%s'" % key)
+- parts = key.split('/')
+- if set(parts).intersection({'.', '..'}):
+- raise ValueError("Invalid relative components in key '%s'" % key)
+- return '/'.join([self.namespace] + parts).replace('//', '/')
+-
+- def get(self, key):
+- self.logger.debug("Fetching key %s", key)
+- try:
+- result = self.etcd.get(self._absolute_key(key))
+- except EtcdException:
+- self.logger.exception("Error fetching key %s", key)
+- raise CSStoreError('Error occurred while trying to get key')
+- self.logger.debug("Fetched key %s got result: %r", key, result)
+- return result.value # pylint: disable=no-member
+-
+- def set(self, key, value, replace=False):
+- self.logger.debug("Setting key %s to value %s (replace=%s)",
+- key, value, replace)
+- path = self._absolute_key(key)
+- try:
+- self.etcd.write(path, value, prevExist=replace)
+- except EtcdAlreadyExist as err:
+- raise CSStoreExists(str(err))
+- except EtcdException:
+- self.logger.exception("Error storing key %s", key)
+- raise CSStoreError('Error occurred while trying to store key')
+-
+- def span(self, key):
+- path = self._absolute_key(key)
+- self.logger.debug("Creating directory %s", path)
+- try:
+- self.etcd.write(path, None, dir=True, prevExist=False)
+- except EtcdAlreadyExist as err:
+- raise CSStoreExists(str(err))
+- except EtcdException:
+- self.logger.exception("Error storing key %s", key)
+- raise CSStoreError('Error occurred while trying to store key')
+-
+- def list(self, keyfilter='/'):
+- path = self._absolute_key(keyfilter)
+- if path != '/':
+- path = path.rstrip('/')
+- self.logger.debug("Listing keys matching %s", path)
+- try:
+- result = self.etcd.read(path, recursive=True)
+- except EtcdKeyNotFound:
+- return None
+- except EtcdException:
+- self.logger.exception("Error listing %s", keyfilter)
+- raise CSStoreError('Error occurred while trying to list keys')
+- self.logger.debug("Searched for %s got result: %r", path, result)
+- value = set()
+- for entry in result.get_subtree():
+- if entry.key == path:
+- continue
+- name = entry.key[len(path):]
+- if entry.dir and not name.endswith('/'):
+- name += '/'
+- value.add(name.lstrip('/'))
+- return sorted(value)
+-
+- def cut(self, key):
+- self.logger.debug("Removing key %s", key)
+- try:
+- self.etcd.delete(self._absolute_key(key))
+- except EtcdKeyNotFound:
+- self.logger.debug("Key %s not found", key)
+- return False
+- except EtcdException:
+- self.logger.exception("Error removing key %s", key)
+- raise CSStoreError('Error occurred while trying to cut key')
+- self.logger.debug("Key %s removed", key)
+- return True
+diff --git a/docs/source/plugins/stores.rst b/docs/source/plugins/stores.rst
+index ed921ba..d715f31 100644
+--- a/docs/source/plugins/stores.rst
++++ b/docs/source/plugins/stores.rst
+@@ -5,7 +5,6 @@ Stores
+ :nosignatures:
+
+ custodia.store.sqlite.SqliteStore
+- custodia.store.etcdstore.EtcdStore
+ custodia.store.encgen.EncryptedOverlay
+
+ .. autoclass:: custodia.store.sqlite.SqliteStore
+@@ -13,11 +12,6 @@ Stores
+ :undoc-members:
+ :show-inheritance:
+
+-.. autoclass:: custodia.store.etcdstore.EtcdStore
+- :members:
+- :undoc-members:
+- :show-inheritance:
+-
+ .. autoclass:: custodia.store.encgen.EncryptedOverlay
+ :members:
+ :undoc-members:
+diff --git a/setup.py b/setup.py
+index a7c398a..c8f270d 100755
+--- a/setup.py
++++ b/setup.py
+@@ -15,16 +15,12 @@ requirements = [
+ 'requests'
+ ]
+
+-# extra requirements
+-etcd_requires = ['python-etcd']
+-
+ # test requirements
+-test_requires = ['coverage', 'pytest'] + etcd_requires
++test_requires = ['coverage', 'pytest']
+
+ extras_require = {
+- 'etcd_store': etcd_requires,
+ 'test': test_requires,
+- 'test_docs': ['docutils', 'markdown'] + etcd_requires,
++ 'test_docs': ['docutils', 'markdown'],
+ 'test_pep8': ['flake8', 'flake8-import-order', 'pep8-naming'],
+ 'test_pylint': ['pylint'] + test_requires,
+ }
+@@ -70,7 +66,6 @@ custodia_consumers = [
+ custodia_stores = [
+ 'EncryptedOverlay = custodia.store.encgen:EncryptedOverlay',
+ 'EncryptedStore = custodia.store.enclite:EncryptedStore',
+- 'EtcdStore = custodia.store.etcdstore:EtcdStore',
+ 'SqliteStore = custodia.store.sqlite:SqliteStore',
+ ]
+
+--
+2.9.3
+
diff --git a/SOURCES/0004-Vendor-custodia.ipa.patch b/SOURCES/0004-Vendor-custodia.ipa.patch
new file mode 100644
index 0000000..58ed91b
--- /dev/null
+++ b/SOURCES/0004-Vendor-custodia.ipa.patch
@@ -0,0 +1,704 @@
+From a38601968ccd8c8dfdce60c8d66b220eefb344b0 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 28 Mar 2017 18:41:08 +0200
+Subject: [PATCH 4/4] Vendor custodia.ipa
+
+---
+ README.custodia.ipa | 137 ++++++++++++++++++++++
+ custodia/ipa/__init__.py | 1 +
+ custodia/ipa/vault.py | 291 +++++++++++++++++++++++++++++++++++++++++++++++
+ setup.py | 8 +-
+ tests/test_ipa.py | 195 +++++++++++++++++++++++++++++++
+ 6 files changed, 638 insertions(+), 2 deletions(-)
+ create mode 100644 README.custodia.ipa
+ create mode 100644 custodia/ipa/__init__.py
+ create mode 100644 custodia/ipa/vault.py
+ create mode 100644 tests/test_ipa.py
+
+diff --git a/README.custodia.ipa b/README.custodia.ipa
+new file mode 100644
+index 0000000..a952ef8
+--- /dev/null
++++ b/README.custodia.ipa
+@@ -0,0 +1,137 @@
++.. WARNING: AUTO-GENERATED FILE. DO NOT EDIT.
++
++custodia.ipa — IPA vault plugin for Custodia
++============================================
++
++**WARNING** *custodia.ipa is a tech preview with a provisional API.*
++
++custodia.ipa is a storage plugin for
++`Custodia <https://custodia.readthedocs.io/>`__. It provides integration
++with `FreeIPA <http://www.freeipa.org>`__'s
++`vault <https://www.freeipa.org/page/V4/Password_Vault>`__ facility.
++Secrets are encrypted and stored in
++`Dogtag <http://www.dogtagpki.org>`__'s Key Recovery Agent.
++
++Requirements
++------------
++
++Installation
++~~~~~~~~~~~~
++
++- pip
++- setuptools >= 18.0
++
++Runtime
++~~~~~~~
++
++- custodia >= 0.3.1
++- ipalib >= 4.5.0
++- ipaclient >= 4.5.0
++- Python 2.7 (Python 3 support in IPA vault is unstable.)
++
++custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for
++authentication. It is recommended to provide credentials with a keytab
++file or GSS-Proxy.
++
++Testing and development
++~~~~~~~~~~~~~~~~~~~~~~~
++
++- wheel
++- tox
++
++virtualenv requirements
++~~~~~~~~~~~~~~~~~~~~~~~
++
++custodia.ipa depends on several binary extensions and shared libraries
++for e.g. python-cryptography, python-gssapi, python-ldap, and
++python-nss. For installation in a virtual environment, a C compiler and
++several development packages are required.
++
++::
++
++ $ virtualenv venv
++ $ venv/bin/pip install --upgrade custodia.ipa
++
++Fedora
++^^^^^^
++
++::
++
++ $ sudo dnf install python2 python-pip python-virtualenv python-devel \
++ gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
++ nss-devel openldap-devel cyrus-sasl-devel openssl-devel
++
++Debian / Ubuntu
++^^^^^^^^^^^^^^^
++
++::
++
++ $ sudo apt-get update
++ $ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
++ gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
++ libsasl2-dev libssl-dev
++
++--------------
++
++Example configuration
++---------------------
++
++Create directories
++
++::
++
++ $ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
++ $ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
++ $ sudo chmod 750 /var/lib/custodia /var/log/custodia
++
++Create service account and keytab
++
++::
++
++ $ kinit admin
++ $ ipa service-add custodia/client1.ipa.example
++ $ ipa service-allow-create-keytab custodia/client1.ipa.example --users=admin
++ $ mkdir -p /etc/custodia
++ $ ipa-getkeytab -p custodia/client1.ipa.example -k /etc/custodia/custodia.keytab
++
++Create ``/etc/custodia/custodia.conf``
++
++::
++
++ [DEFAULT]
++ confdir = /etc/custodia
++ libdir = /var/lib/custodia
++ logdir = /var/log/custodia
++ rundir = /var/run/custodia
++
++ [global]
++ debug = true
++ server_socket = ${rundir}/custodia.sock
++ auditlog = ${logdir}/audit.log
++
++ [store:vault]
++ handler = IPAVault
++ keytab = {confdir}/custodia.keytab
++ ccache = FILE:{rundir}/ccache
++
++ [auth:creds]
++ handler = SimpleCredsAuth
++ uid = root
++ gid = root
++
++ [authz:paths]
++ handler = SimplePathAuthz
++ paths = /. /secrets
++
++ [/]
++ handler = Root
++
++ [/secrets]
++ handler = Secrets
++ store = vault
++
++Run Custodia server
++
++::
++
++ $ custodia /etc/custodia/custodia.conf
+diff --git a/custodia/ipa/__init__.py b/custodia/ipa/__init__.py
+new file mode 100644
+index 0000000..ef1bb9d
+--- /dev/null
++++ b/custodia/ipa/__init__.py
+@@ -0,0 +1 @@
++# Copyright (C) 2016 Custodia Project Contributors - see LICENSE file
+diff --git a/custodia/ipa/vault.py b/custodia/ipa/vault.py
+new file mode 100644
+index 0000000..f681c54
+--- /dev/null
++++ b/custodia/ipa/vault.py
+@@ -0,0 +1,291 @@
++# Copyright (C) 2016 Custodia Project Contributors - see LICENSE file
++"""FreeIPA vault store (PoC)
++"""
++import os
++
++import ipalib
++from ipalib.errors import DuplicateEntry, NotFound
++from ipalib.krb_utils import get_principal
++
++import six
++
++from custodia.plugin import CSStore, CSStoreError, CSStoreExists, PluginOption
++
++
++def krb5_unparse_principal_name(name):
++ """Split a Kerberos principal name into parts
++
++ Returns:
++ * ('host', hostname, realm) for a host principal
++ * (servicename, hostname, realm) for a service principal
++ * (None, username, realm) for a user principal
++
++ :param text name: Kerberos principal name
++ :return: (service, host, realm) or (None, username, realm)
++ """
++ prefix, realm = name.split(u'@')
++ if u'/' in prefix:
++ service, host = prefix.rsplit(u'/', 1)
++ return service, host, realm
++ else:
++ return None, prefix, realm
++
++
++class FreeIPA(object):
++ """FreeIPA wrapper
++
++ Custodia uses a forking server model. We can bootstrap FreeIPA API in
++ the main process. Connections must be created in the client process.
++ """
++ def __init__(self, api=None, ipa_context='cli', ipa_confdir=None,
++ ipa_debug=False):
++ if api is None:
++ self._api = ipalib.api
++ else:
++ self._api = api
++ self._ipa_config = dict(
++ context=ipa_context,
++ debug=ipa_debug,
++ log=None, # disable logging to file
++ )
++ if ipa_confdir is not None:
++ self._ipa_config['confdir'] = ipa_confdir
++ self._bootstrap()
++
++ @property
++ def Command(self):
++ return self._api.Command # pylint: disable=no-member
++
++ @property
++ def env(self):
++ return self._api.env # pylint: disable=no-member
++
++ def _bootstrap(self):
++ if not self._api.isdone('bootstrap'):
++ # TODO: bandaid for "A PKCS #11 module returned CKR_DEVICE_ERROR"
++ # https://github.com/avocado-framework/avocado/issues/1112#issuecomment-206999400
++ os.environ['NSS_STRICT_NOFORK'] = 'DISABLED'
++ self._api.bootstrap(**self._ipa_config)
++ self._api.finalize()
++
++ def __enter__(self):
++ # pylint: disable=no-member
++ if not self._api.Backend.rpcclient.isconnected():
++ self._api.Backend.rpcclient.connect()
++ # pylint: enable=no-member
++ return self
++
++ def __exit__(self, exc_type, exc_val, exc_tb):
++ # pylint: disable=no-member
++ if self._api.Backend.rpcclient.isconnected():
++ self._api.Backend.rpcclient.disconnect()
++ # pylint: enable=no-member
++
++
++class IPAVault(CSStore):
++ # vault arguments
++ principal = PluginOption(
++ str, None,
++ "Service principal for service vault (auto-discovered from GSSAPI)"
++ )
++ user = PluginOption(
++ str, None,
++ "User name for user vault (auto-discovered from GSSAPI)"
++ )
++ vault_type = PluginOption(
++ str, None,
++ "vault type, one of 'user', 'service', 'shared', or "
++ "auto-discovered from GSSAPI"
++ )
++
++ # Kerberos flags
++ krb5config = PluginOption(str, None, "Kerberos krb5.conf override")
++ keytab = PluginOption(str, None, "Kerberos keytab for auth")
++ ccache = PluginOption(
++ str, None, "Kerberos ccache, e,g. FILE:/path/to/ccache")
++
++ # ipalib.api arguments
++ ipa_confdir = PluginOption(str, None, "IPA confdir override")
++ ipa_context = PluginOption(str, "cli", "IPA bootstrap context")
++ ipa_debug = PluginOption(bool, False, "debug mode for ipalib")
++
++ def __init__(self, config, section=None):
++ super(IPAVault, self).__init__(config, section)
++ # configure Kerberos / GSSAPI and acquire principal
++ gssapi_principal = self._gssapi()
++ self.logger.info(u"Vault uses Kerberos principal '%s'",
++ gssapi_principal)
++
++ # bootstrap FreeIPA API
++ self.ipa = FreeIPA(
++ ipa_confdir=self.ipa_confdir,
++ ipa_debug=self.ipa_debug,
++ ipa_context=self.ipa_context,
++ )
++ # connect
++ with self.ipa:
++ self.logger.info("IPA server '%s': %s",
++ self.ipa.env.server,
++ self.ipa.Command.ping()[u'summary'])
++ # retrieve and cache KRA transport cert
++ response = self.ipa.Command.vaultconfig_show()
++ servers = response[u'result'][u'kra_server_server']
++ self.logger.info("KRA server(s) %s", ', '.join(servers))
++
++ service, user_host, realm = krb5_unparse_principal_name(
++ gssapi_principal)
++ self._init_vault_args(service, user_host, realm)
++
++ def _gssapi(self):
++ # set client keytab env var for authentication
++ if self.keytab is not None:
++ os.environ['KRB5_CLIENT_KTNAME'] = self.keytab
++ if self.ccache is not None:
++ os.environ['KRB5CCNAME'] = self.ccache
++ if self.krb5config is not None:
++ os.environ['KRB5_CONFIG'] = self.krb5config
++ try:
++ return get_principal()
++ except Exception:
++ self.logger.error(
++ "Unable to get principal from GSSAPI. Are you missing a "
++ "TGT or valid Kerberos keytab?"
++ )
++ raise
++
++ def _init_vault_args(self, service, user_host, realm):
++ if self.vault_type is None:
++ self.vault_type = 'user' if service is None else 'service'
++ self.logger.info("Setting vault type to '%s' from Kerberos",
++ self.vault_type)
++
++ if self.vault_type == 'shared':
++ self._vault_args = {'shared': True}
++ elif self.vault_type == 'user':
++ if self.user is None:
++ if service is not None:
++ msg = "{!r}: User vault requires 'user' parameter"
++ raise ValueError(msg.format(self))
++ else:
++ self.user = user_host
++ self.logger.info(u"Setting username '%s' from Kerberos",
++ self.user)
++ if six.PY2 and isinstance(self.user, str):
++ self.user = self.user.decode('utf-8')
++ self._vault_args = {'username': self.user}
++ elif self.vault_type == 'service':
++ if self.principal is None:
++ if service is None:
++ msg = "{!r}: Service vault requires 'principal' parameter"
++ raise ValueError(msg.format(self))
++ else:
++ self.principal = u'/'.join((service, user_host))
++ self.logger.info(u"Setting principal '%s' from Kerberos",
++ self.principal)
++ if six.PY2 and isinstance(self.principal, str):
++ self.principal = self.principal.decode('utf-8')
++ self._vault_args = {'service': self.principal}
++ else:
++ msg = '{!r}: Invalid vault type {}'
++ raise ValueError(msg.format(self, self.vault_type))
++
++ def _mangle_key(self, key):
++ if '__' in key:
++ raise ValueError
++ key = key.replace('/', '__')
++ if isinstance(key, bytes):
++ key = key.decode('utf-8')
++ return key
++
++ def get(self, key):
++ key = self._mangle_key(key)
++ with self.ipa as ipa:
++ try:
++ result = ipa.Command.vault_retrieve(
++ key, **self._vault_args)
++ except NotFound as e:
++ self.logger.info(str(e))
++ return None
++ except Exception:
++ msg = "Failed to retrieve entry {}".format(key)
++ self.logger.exception(msg)
++ raise CSStoreError(msg)
++ else:
++ return result[u'result'][u'data']
++
++ def set(self, key, value, replace=False):
++ key = self._mangle_key(key)
++ if not isinstance(value, bytes):
++ value = value.encode('utf-8')
++ with self.ipa as ipa:
++ try:
++ ipa.Command.vault_add(
++ key, ipavaulttype=u"standard", **self._vault_args)
++ except DuplicateEntry:
++ if not replace:
++ raise CSStoreExists(key)
++ except Exception:
++ msg = "Failed to add entry {}".format(key)
++ self.logger.exception(msg)
++ raise CSStoreError(msg)
++ try:
++ ipa.Command.vault_archive(
++ key, data=value, **self._vault_args)
++ except Exception:
++ msg = "Failed to archive entry {}".format(key)
++ self.logger.exception(msg)
++ raise CSStoreError(msg)
++
++ def span(self, key):
++ raise CSStoreError("span is not implemented")
++
++ def list(self, keyfilter=None):
++ with self.ipa as ipa:
++ try:
++ result = ipa.Command.vault_find(
++ ipavaulttype=u"standard", **self._vault_args)
++ except Exception:
++ msg = "Failed to list entries"
++ self.logger.exception(msg)
++ raise CSStoreError(msg)
++
++ names = []
++ for entry in result[u'result']:
++ cn = entry[u'cn'][0]
++ key = cn.replace('__', '/')
++ if keyfilter is not None and not key.startswith(keyfilter):
++ continue
++ names.append(key.rsplit('/', 1)[-1])
++ return names
++
++ def cut(self, key):
++ key = self._mangle_key(key)
++ with self.ipa as ipa:
++ try:
++ ipa.Command.vault_del(key, **self._vault_args)
++ except NotFound:
++ return False
++ except Exception:
++ msg = "Failed to delete entry {}".format(key)
++ self.logger.exception(msg)
++ raise CSStoreError(msg)
++ else:
++ return True
++
++
++if __name__ == '__main__':
++ from custodia.compat import configparser
++
++ parser = configparser.ConfigParser(
++ interpolation=configparser.ExtendedInterpolation()
++ )
++ parser.read_string(u"""
++ [store:ipa_vault]
++ """)
++
++ v = IPAVault(parser, "store:ipa_vault")
++ v.set('foo', 'bar', replace=True)
++ print(v.get('foo'))
++ print(v.list())
++ v.cut('foo')
++ print(v.list())
+diff --git a/setup.py b/setup.py
+index c8f270d..4bf096c 100755
+--- a/setup.py
++++ b/setup.py
+@@ -15,10 +15,14 @@ requirements = [
+ 'requests'
+ ]
+
++# extra requirements
++ipa_requires = ['ipalib >= 4.5.0', 'ipaclient >= 4.5.0']
++
+ # test requirements
+-test_requires = ['coverage', 'pytest']
++test_requires = ['coverage', 'pytest', 'mock'] + ipa_requires
+
+ extras_require = {
++ 'ipa': ipa_requires,
+ 'test': test_requires,
+ 'test_docs': ['docutils', 'markdown'],
+ 'test_pep8': ['flake8', 'flake8-import-order', 'pep8-naming'],
+@@ -66,6 +70,7 @@ custodia_consumers = [
+ custodia_stores = [
+ 'EncryptedOverlay = custodia.store.encgen:EncryptedOverlay',
+ 'EncryptedStore = custodia.store.enclite:EncryptedStore',
++ 'IPAVault = custodia.ipa.vault:IPAVault',
+ 'SqliteStore = custodia.store.sqlite:SqliteStore',
+ ]
+
+@@ -84,6 +89,7 @@ setup(
+ 'custodia',
+ 'custodia.cli',
+ 'custodia.httpd',
++ 'custodia.ipa',
+ 'custodia.message',
+ 'custodia.server',
+ 'custodia.store',
+diff --git a/tests/test_ipa.py b/tests/test_ipa.py
+new file mode 100644
+index 0000000..eb4d7fa
+--- /dev/null
++++ b/tests/test_ipa.py
+@@ -0,0 +1,195 @@
++# Copyright (C) 2017 Custodia project Contributors, for licensee see COPYING
++
++import os
++
++import ipalib
++
++import mock
++
++import pytest
++
++from custodia.compat import configparser
++from custodia.ipa.vault import FreeIPA, IPAVault, krb5_unparse_principal_name
++
++
++CONFIG = u"""
++[store:ipa_service]
++vault_type = service
++principal = custodia/ipa.example
++
++[store:ipa_user]
++vault_type = user
++user = john
++
++[store:ipa_shared]
++vault_type = shared
++
++[store:ipa_invalid]
++vault_type = invalid
++
++[store:ipa_autodiscover]
++
++[store:ipa_environ]
++krb5config = /path/to/krb5.conf
++keytab = /path/to/custodia.keytab
++ccache = FILE:/path/to/ccache
++"""
++
++vault_parametrize = pytest.mark.parametrize(
++ 'plugin,vault_type,vault_args',
++ [
++ ('store:ipa_service', 'service', {'service': 'custodia/ipa.example'}),
++ ('store:ipa_user', 'user', {'username': 'john'}),
++ ('store:ipa_shared', 'shared', {'shared': True}),
++ ]
++)
++
++
++class TestCustodiaIPA:
++ def setup_method(self, method):
++ self.parser = configparser.ConfigParser(
++ interpolation=configparser.ExtendedInterpolation(),
++ )
++ self.parser.read_string(CONFIG)
++ # mocked ipalib.api
++ self.p_api = mock.patch('ipalib.api', autospec=ipalib.api)
++ self.m_api = self.p_api.start()
++ self.m_api.isdone.return_value = False
++ self.m_api.env = mock.Mock()
++ self.m_api.env.server = 'server.ipa.example'
++ self.m_api.Backend = mock.Mock()
++ self.m_api.Command = mock.Mock()
++ self.m_api.Command.ping.return_value = {
++ u'summary': u'IPA server version 4.4.3. API version 2.215',
++ }
++ self.m_api.Command.vaultconfig_show.return_value = {
++ u'result': {
++ u'kra_server_server': [u'ipa.example'],
++ }
++ }
++ # mocked get_principal
++ self.p_get_principal = mock.patch('custodia.ipa.vault.get_principal')
++ self.m_get_principal = self.p_get_principal.start()
++ self.m_get_principal.return_value = 'custodia/ipa.example@IPA.EXAMPLE'
++ # mocked environ (empty dict)
++ self.p_env = mock.patch.dict('os.environ', clear=True)
++ self.p_env.start()
++
++ def teardown_method(self, method):
++ self.p_api.stop()
++ self.p_get_principal.stop()
++ self.p_env.stop()
++
++ def test_api_init(self):
++ m_api = self.m_api
++ freeipa = FreeIPA(api=m_api)
++ m_api.isdone.assert_called_once_with('bootstrap')
++ m_api.bootstrap.assert_called_once_with(
++ context='cli',
++ debug=False,
++ log=None,
++ )
++
++ m_api.Backend.rpcclient.isconnected.return_value = False
++ with freeipa:
++ m_api.Backend.rpcclient.connect.assert_called_once()
++ m_api.Backend.rpcclient.isconnected.return_value = True
++ m_api.Backend.rpcclient.disconnect.assert_called_once()
++
++ assert os.environ == dict(NSS_STRICT_NOFORK='DISABLED')
++
++ def test_api_environ(self):
++ assert os.environ == {}
++ IPAVault(self.parser, 'store:ipa_environ')
++ assert os.environ == dict(
++ NSS_STRICT_NOFORK='DISABLED',
++ KRB5_CONFIG='/path/to/krb5.conf',
++ KRB5_CLIENT_KTNAME='/path/to/custodia.keytab',
++ KRB5CCNAME='FILE:/path/to/ccache',
++ )
++
++ def test_invalid_vault_type(self):
++ pytest.raises(ValueError, IPAVault, self.parser, 'store:ipa_invalid')
++
++ def test_vault_autodiscover_service(self):
++ self.m_get_principal.return_value = 'custodia/ipa.example@IPA.EXAMPLE'
++ ipa = IPAVault(self.parser, 'store:ipa_autodiscover')
++ assert ipa.vault_type == 'service'
++ assert ipa.principal == 'custodia/ipa.example'
++ assert ipa.user is None
++
++ def test_vault_autodiscover_user(self):
++ self.m_get_principal.return_value = 'john@IPA.EXAMPLE'
++ ipa = IPAVault(self.parser, 'store:ipa_autodiscover')
++ assert ipa.vault_type == 'user'
++ assert ipa.principal is None
++ assert ipa.user == 'john'
++
++ @vault_parametrize
++ def test_vault_set(self, plugin, vault_type, vault_args):
++ ipa = IPAVault(self.parser, plugin)
++ assert ipa.vault_type == vault_type
++ self.m_api.Command.ping.assert_called_once()
++ ipa.set('directory/testkey', 'testvalue')
++ self.m_api.Command.vault_add.assert_called_once_with(
++ 'directory__testkey',
++ ipavaulttype=u'standard',
++ **vault_args
++ )
++ self.m_api.Command.vault_archive.assert_called_once_with(
++ 'directory__testkey',
++ data=b'testvalue',
++ **vault_args
++ )
++
++ @vault_parametrize
++ def test_vault_get(self, plugin, vault_type, vault_args):
++ ipa = IPAVault(self.parser, plugin)
++ assert ipa.vault_type == vault_type
++ self.m_api.Command.vault_retrieve.return_value = {
++ u'result': {
++ u'data': b'testvalue',
++ }
++ }
++ assert ipa.get('directory/testkey') == b'testvalue'
++ self.m_api.Command.vault_retrieve.assert_called_once_with(
++ 'directory__testkey',
++ **vault_args
++ )
++
++ @vault_parametrize
++ def test_vault_list(self, plugin, vault_type, vault_args):
++ ipa = IPAVault(self.parser, plugin)
++ assert ipa.vault_type == vault_type
++ self.m_api.Command.vault_find.return_value = {
++ u'result': [{'cn': [u'directory__testkey']}]
++ }
++ assert ipa.list('directory') == ['testkey']
++ self.m_api.Command.vault_find.assert_called_once_with(
++ ipavaulttype=u'standard',
++ **vault_args
++ )
++
++ @vault_parametrize
++ def test_vault_cut(self, plugin, vault_type, vault_args):
++ ipa = IPAVault(self.parser, plugin)
++ assert ipa.vault_type == vault_type
++ ipa.cut('directory/testkey')
++ self.m_api.Command.vault_del.assert_called_once_with(
++ 'directory__testkey',
++ **vault_args
++ )
++
++
++@pytest.mark.parametrize('principal,result', [
++ ('john@IPA.EXAMPLE',
++ (None, 'john', 'IPA.EXAMPLE')),
++ ('host/host.invalid@IPA.EXAMPLE',
++ ('host', 'host.invalid', 'IPA.EXAMPLE')),
++ ('custodia/host.invalid@IPA.EXAMPLE',
++ ('custodia', 'host.invalid', 'IPA.EXAMPLE')),
++ ('whatever/custodia/host.invalid@IPA.EXAMPLE',
++ ('whatever/custodia', 'host.invalid', 'IPA.EXAMPLE')),
++])
++def test_unparse(principal, result):
++ assert krb5_unparse_principal_name(principal) == result
+--
+2.9.3
+
diff --git a/SOURCES/0005-Add-workaround-for-missing-kra_server_server.patch b/SOURCES/0005-Add-workaround-for-missing-kra_server_server.patch
new file mode 100644
index 0000000..e6caaec
--- /dev/null
+++ b/SOURCES/0005-Add-workaround-for-missing-kra_server_server.patch
@@ -0,0 +1,29 @@
+From d265e3fd23a18b051e363048ffbeae7d11fb05a3 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 20 Jun 2017 15:42:53 +0200
+Subject: [PATCH 5/5] Add workaround for missing kra_server_server
+
+Fixes rhbz #1462403
+---
+ custodia/ipa/vault.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/custodia/ipa/vault.py b/custodia/ipa/vault.py
+index f681c54..cba2d5b 100644
+--- a/custodia/ipa/vault.py
++++ b/custodia/ipa/vault.py
+@@ -129,8 +129,9 @@ class IPAVault(CSStore):
+ self.ipa.Command.ping()[u'summary'])
+ # retrieve and cache KRA transport cert
+ response = self.ipa.Command.vaultconfig_show()
+- servers = response[u'result'][u'kra_server_server']
+- self.logger.info("KRA server(s) %s", ', '.join(servers))
++ servers = response[u'result'].get(u'kra_server_server', ())
++ if servers:
++ self.logger.info("KRA server(s) %s", ', '.join(servers))
+
+ service, user_host, realm = krb5_unparse_principal_name(
+ gssapi_principal)
+--
+2.9.4
+
diff --git a/SOURCES/custodia-0.3.1.tar.gz.sha512sum.txt b/SOURCES/custodia-0.3.1.tar.gz.sha512sum.txt
new file mode 100644
index 0000000..295a132
--- /dev/null
+++ b/SOURCES/custodia-0.3.1.tar.gz.sha512sum.txt
@@ -0,0 +1 @@
+2b18dde8ca14d8447fa8a7f844652a981afbbb2fe0a4da0ef4df33aa083f26c7bed0edfe1a3f483a512973588949438810d311138c08b34dde70d99ed54a8bdb custodia-0.3.1.tar.gz
diff --git a/SOURCES/custodia.conf b/SOURCES/custodia.conf
new file mode 100644
index 0000000..2e46309
--- /dev/null
+++ b/SOURCES/custodia.conf
@@ -0,0 +1,39 @@
+# /etc/custodia/custodia.conf
+
+[DEFAULT]
+libdir = /var/lib/custodia
+logdir = /var/log/custodia
+rundir = /var/run/custodia
+
+[global]
+debug = true
+server_socket = ${rundir}/custodia.sock
+auditlog = ${logdir}/audit.log
+
+[store:sqlite]
+handler = SqliteStore
+dburi = ${libdir}/secrets.db
+table = secrets
+
+[store:encrypted_sqlite]
+handler = EncryptedOverlay
+backing_store = sqlite
+master_key = ${libdir}/secrets.key
+master_enctype = A128CBC-HS256
+autogen_master_key = true
+
+[auth:creds]
+handler = SimpleCredsAuth
+uid = root
+gid = root
+
+[authz:paths]
+handler = SimplePathAuthz
+paths = /. /secrets
+
+[/]
+handler = Root
+
+[/secrets]
+handler = Secrets
+store = encrypted_sqlite
diff --git a/SOURCES/custodia.tmpfiles.conf b/SOURCES/custodia.tmpfiles.conf
new file mode 100644
index 0000000..9ab7d5f
--- /dev/null
+++ b/SOURCES/custodia.tmpfiles.conf
@@ -0,0 +1 @@
+d /run/custodia 0755
diff --git a/SPECS/custodia.spec b/SPECS/custodia.spec
new file mode 100644
index 0000000..a8b48eb
--- /dev/null
+++ b/SPECS/custodia.spec
@@ -0,0 +1,205 @@
+%global custodiaipa_version 0.1.0
+
+Name: custodia
+Version: 0.3.1
+Release: 4%{?dist}
+Summary: A service to manage, retrieve and store secrets for other processes
+
+License: GPLv3+
+URL: https://github.com/latchset/%{name}
+Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source1: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sha512sum.txt
+Source2: custodia.conf
+Source5: custodia.tmpfiles.conf
+Patch1: 0001-Vendor-configparser-3.5.0.patch
+Patch2: 0002-Patch-and-integrate-vendored-configparser.patch
+Patch3: 0003-Remove-etcd-store.patch
+Patch4: 0004-Vendor-custodia.ipa.patch
+Patch5: 0005-Add-workaround-for-missing-kra_server_server.patch
+
+
+BuildArch: noarch
+
+BuildRequires: python-devel
+BuildRequires: python-jwcrypto
+BuildRequires: python-requests
+BuildRequires: python-setuptools
+BuildRequires: python-coverage
+BuildRequires: pytest
+BuildRequires: python-docutils
+BuildRequires: systemd-python
+BuildRequires: python-ipalib
+Requires: python-custodia = %{version}-%{release}
+
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+Requires(post): systemd-units
+
+%global overview \
+Custodia is a Secrets Service Provider, it stores or proxies access to \
+keys, password, and secret material in general. Custodia is built to \
+use the HTTP protocol and a RESTful API as an IPC mechanism over a local \
+Unix Socket. It can also be exposed to a network via a Reverse Proxy \
+service assuming proper authentication and header validation is \
+implemented in the Proxy. \
+ \
+Custodia is modular, the configuration file controls how authentication, \
+authorization, storage and API plugins are combined and exposed.
+
+
+%description
+A service to manage, retrieve and store secrets for other processes
+
+%{overview}
+
+%package -n python-custodia
+Summary: Sub-package with python2 custodia modules
+Provides: python2-custodia = %{version}-%{release}
+Requires: python-jwcrypto
+Requires: python-requests
+Requires: python-setuptools
+Requires: systemd-python
+
+%description -n python-custodia
+Sub-package with python2 custodia modules
+
+%{overview}
+
+%package -n python-custodia-ipa
+Summary: Sub-package with python2 custodia.ipa vault module
+Requires: python-custodia = %{version}-%{release}
+Requires: python-ipalib
+Requires: ipa-client
+
+%description -n python-custodia-ipa
+Sub-package with python2 custodia.ipa vault module
+
+%{overview}
+
+%prep
+grep `sha512sum %{SOURCE0}` %{SOURCE1} || (echo "Checksum invalid!" && exit 1)
+%setup
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
+
+%build
+%{__python2} setup.py egg_info build
+
+
+%check
+export PYTHONPATH="%{buildroot}/%{python2_sitelib}"
+py.test --skip-servertest --ignore=tests/test_ipa.py --ignore=tests/test_cli.py
+
+
+%install
+mkdir -p %{buildroot}/%{_sbindir}
+mkdir -p %{buildroot}/%{_mandir}/man7
+mkdir -p %{buildroot}/%{_defaultdocdir}/custodia
+mkdir -p %{buildroot}/%{_defaultdocdir}/custodia/examples
+mkdir -p %{buildroot}/%{_sysconfdir}/custodia
+mkdir -p %{buildroot}/%{_unitdir}
+mkdir -p %{buildroot}/%{_tmpfilesdir}
+mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia
+mkdir -p %{buildroot}/%{_localstatedir}/log/custodia
+
+%{__python2} setup.py install --skip-build --root %{buildroot}
+mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
+install -m 644 -t "%{buildroot}/%{_mandir}/man7" man/custodia.7
+install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia" README README.custodia.ipa API.md
+install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia/examples" custodia.conf
+install -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/custodia
+install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/custodia.conf
+# Recently setuptools stopped installing namespace __init__.py
+install -m 644 -t "%{buildroot}/%{python2_sitelib}/custodia" custodia/__init__.py
+
+
+%post
+%systemd_post custodia.socket
+%systemd_post custodia.service
+
+%preun
+%systemd_preun custodia.socket
+%systemd_preun custodia.service
+
+%postun
+%systemd_postun custodia.socket
+%systemd_postun custodia.service
+
+
+%files
+%doc %{_defaultdocdir}/custodia/README
+%doc %{_defaultdocdir}/custodia/API.md
+%doc %{_defaultdocdir}/custodia/examples/custodia.conf
+%license LICENSE
+%{_mandir}/man7/custodia*
+%{_sbindir}/custodia
+%{_bindir}/custodia-cli
+%dir %attr(0700,root,root) %{_sysconfdir}/custodia
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/custodia/custodia.conf
+%dir %attr(0700,root,root) %{_localstatedir}/lib/custodia
+%dir %attr(0700,root,root) %{_localstatedir}/log/custodia
+%{_tmpfilesdir}/custodia.conf
+
+%files -n python-custodia
+%license LICENSE
+%exclude %{python2_sitelib}/custodia/ipa
+%{python2_sitelib}/*
+
+%files -n python-custodia-ipa
+%doc %{_defaultdocdir}/custodia/README.custodia.ipa
+%{python2_sitelib}/custodia/ipa/*
+
+
+%changelog
+* Tue Jun 20 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-4
+- Add workaround for missing kra_server_server key, resolves #1462403
+
+* Mon Jun 12 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-3
+- Remove custodia user from tmpfiles.d, resolves #1460735
+- Add missing systemd hooks for service and socket files
+- Drop dependency on python-mock and skip mock tests in check block,
+ resolves #1447426
+
+* Fri Mar 31 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-2
+- Exclude empty directory custodia/ipa from python-custodia
+
+* Fri Mar 31 2017 Christian Heimes <cheimes@redhat.com> - 0.3.1-1
+- Rebase to Custodia 0.3.1
+- Vendor custodia.ipa 0.1.0
+- Vendor backports.configparser 3.5.0 final
+- related: #1403214
+
+* Tue Mar 28 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-4
+- Fix whitespace handling in URLs
+- Use upstream patches to replace patches for setuptools and configparser
+- resolves: #1436763
+
+* Fri Mar 17 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-3
+- custodia depends on python-custodia
+
+* Fri Mar 17 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-2
+- Fix package dependencies and package names to use python prefix
+
+* Wed Mar 15 2017 Christian Heimes <cheimes@redhat.com> - 0.3.0-1
+- Update to custodia 0.3.0
+- Vendor backports.configparser 3.5.0b2
+- Fix compatibility issues with old setuptools
+- Add tmpfiles.d config for /run/custodia
+
+* Wed Sep 07 2016 Christian Heimes <cheimes@redhat.com> - 0.1.0-4
+- Disable tests (broken on build machines)
+- related: #1371902
+
+* Wed Sep 07 2016 Simo Sorce <simo@redhat.com> - 0.1.0-3
+- Change default to use RSA OAEP padding
+- resolves: #1371902
+
+* Mon Apr 04 2016 Christian Heimes <cheimes@redhat.com> - 0.2.1-2
+- Correct download link
+
+* Thu Mar 31 2016 Christian Heimes <cheimes@redhat.com> - 0.1.0-1
+- Initial packaging