Unverified Commit b42b780c authored by Niklas Hambüchen's avatar Niklas Hambüchen Committed by GitHub

Merge pull request #334286 from nh2/ceph-18.2.4-staging-next-fix

ceph: Fix build by fully vendoring old cryptography version nix files.
parents 0500d25f 36459caf
+20 −37
@@ -142,7 +142,7 @@ let
     homepage = "https://ceph.io/en/";
     inherit description;
     license = with lib.licenses; [ lgpl21 gpl2Only bsd3 mit publicDomain ];
     maintainers = with lib.maintainers; [ adev ak johanot krav ];
     maintainers = with lib.maintainers; [ adev ak johanot krav nh2 ];
     platforms = [ "x86_64-linux" "aarch64-linux" ];
   };

@@ -172,12 +172,18 @@ let
  python = python311.override {
    self = python;
    packageOverrides = self: super: let
      cryptographyOverrideVersion = "40.0.1";
      bcryptOverrideVersion = "4.0.1";
    in {
      # Ceph does not support `bcrypt` > 4.0 yet:
      # Ceph does not support the following yet:
      # * `bcrypt` > 4.0
      # * `cryptography` > 40
      # See:
      # * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
      # * Upstream issue: https://tracker.ceph.com/issues/63529
      #   > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
      # * Moved to issue: https://tracker.ceph.com/issues/64213
      #   > MGR modules incompatible with later PyO3 versions - PyO3 modules may only be initialized once per interpreter process

      bcrypt = super.bcrypt.overridePythonAttrs (old: rec {
        pname = "bcrypt";
        version = bcryptOverrideVersion;
@@ -193,44 +199,12 @@ let
          hash = "sha256-lDWX69YENZFMu7pyBmavUZaalGvFqbHSHfkwkzmDQaY=";
        };
      });
      # Ceph does not support `cryptography` > 40 yet:
      # * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
      # * Upstream issue: https://tracker.ceph.com/issues/63529
      #   > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
      #

      # We pin the older `cryptography` 40 here;
      # this also forces us to pin an older `pyopenssl` because the current one
      # is not compatible with older `cryptography`, see:
      #     https://github.com/pyca/pyopenssl/blob/d9752e44127ba36041b045417af8a0bf16ec4f1e/CHANGELOG.rst#2320-2023-05-30
      cryptography = super.cryptography.overridePythonAttrs (old: rec {
        version = cryptographyOverrideVersion;

        src = fetchPypi {
          inherit (old) pname;
          version = cryptographyOverrideVersion;
          hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
        };

        cargoDeps = rustPlatform.fetchCargoTarball {
          inherit src;
          sourceRoot = let cargoRoot = "src/rust"; in "${old.pname}-${cryptographyOverrideVersion}/${cargoRoot}";
          name = "${old.pname}-${cryptographyOverrideVersion}";
          hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
        };

        # Not using the normal `(old.patches or []) ++` pattern here to use
        # the overridden package's patches, because current nixpkgs's `cryptography`
        # has patches that do not apply on this old version.
        patches = [
          # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
          # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
          ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
        ];

        # Tests would require overriding `cryptography-vectors`, which is not currently
        # possible/desired, see: https://github.com/NixOS/nixpkgs/pull/281858#pullrequestreview-1841421866
        doCheck = false;
      });
      cryptography = self.callPackage ./old-python-packages/cryptography.nix {};

      # This is the most recent version of `pyopenssl` that's still compatible with `cryptography` 40.
      # See https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
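Review bot: `cryptographyOverrideVersion = "40.0.1"` (context in the hunk at line 172) stays in the override `let`, but every use of it visible on this page sat in the `overridePythonAttrs` block this hunk deletes, and the pin now lives in `./old-python-packages/cryptography.nix` as `version = "40.0.1"`. If nothing else in the file reads the binding it is dead and, worse, still reads as the one place to bump the version even though it no longer controls what gets built; either drop it or replace it with a pointer such as `# The pinned cryptography 40 is built from ./old-python-packages/cryptography.nix; bump version, source hash and cargo hash there.` The same applies to the `# * cryptography > 40` bullet added in the earlier hunk, which could name that file so a reader lands on the actual derivation. The enclosing `packageOverrides` function starts before and ends after this hunk.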
@@ -249,6 +223,14 @@ let
        ];
      });


      fastapi = super.fastapi.overridePythonAttrs (old: rec {
        # Flaky test:
        #     ResourceWarning: Unclosed <MemoryObjectSendStream>
        # Unclear whether it's flaky in general or only in this overridden package set.
        doCheck = false;
      });

      # Ceph does not support `kubernetes` >= 19, see:
      #     https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1900324090
      kubernetes = super.kubernetes.overridePythonAttrs (old: rec {
@@ -500,6 +482,7 @@ in rec {

    passthru = {
      inherit version;
      inherit python; # to be able to test our overridden packages above individually with `nix-build -A`
      tests = {
        inherit (nixosTests)
          ceph-multi-node
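--- a/old-python-packages/cryptography-vectors.nix
+++ b/old-python-packages/cryptography-vectors.nix
@@ -0,0 +1,36 @@
+# This older version only exists because `ceph` needs it, see `cryptography.nix`.
+{
+  buildPythonPackage,
+  fetchPypi,
+  lib,
+  cryptography,
+}:
+
+buildPythonPackage rec {
+  pname = "cryptography-vectors";
+  # The test vectors must have the same version as the cryptography package
+  inherit (cryptography) version;
+  format = "setuptools";
+
+  src = fetchPypi {
+    pname = "cryptography_vectors";
+    inherit version;
+    hash = "sha256-hGBwa1tdDOSoVXHKM4nPiPcAu2oMYTPcn+D1ovW9oEE=";
+  };
+
+  # No tests included
+  doCheck = false;
+
+  pythonImportsCheck = [ "cryptography_vectors" ];
+
+  meta = with lib; {
+    description = "Test vectors for the cryptography package";
+    homepage = "https://cryptography.io/en/latest/development/test-vectors/";
+    # Source: https://github.com/pyca/cryptography/tree/master/vectors;
+    license = with licenses; [
+      asl20
+      bsd3
+    ];
+    maintainers = with maintainers; [ nh2 ];
+  };
+}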
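--- a/old-python-packages/cryptography.nix
+++ b/old-python-packages/cryptography.nix
@@ -0,0 +1,135 @@
+# This older version only exists because `ceph` needs it, see its package.
+{
+  lib,
+  stdenv,
+  callPackage,
+  buildPythonPackage,
+  fetchPypi,
+  fetchpatch,
+  rustPlatform,
+  cargo,
+  rustc,
+  setuptoolsRustBuildHook,
+  openssl,
+  Security ? null,
+  isPyPy,
+  cffi,
+  pkg-config,
+  pytestCheckHook,
+  pytest-subtests,
+  pythonOlder,
+  pretend,
+  libiconv,
+  libxcrypt,
+  iso8601,
+  py,
+  pytz,
+  hypothesis,
+}:
+
+let
+  cryptography-vectors = callPackage ./cryptography-vectors.nix { };
+in
+buildPythonPackage rec {
+  pname = "cryptography";
+  version = "40.0.1"; # Also update the hash in vectors.nix
+  format = "setuptools";
+  disabled = pythonOlder "3.6";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
+  };
+
+  cargoDeps = rustPlatform.fetchCargoTarball {
+    inherit src;
+    sourceRoot = "${pname}-${version}/${cargoRoot}";
+    name = "${pname}-${version}";
+    hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
+  };
+
+  # Since Cryptography v40 is quite outdated, we need to backport
+  # security fixes that are only available in newer versions.
+  patches = [
+    # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
+    # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
+    ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
+
+    # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
+    # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
+    (fetchpatch {
+      name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
+      url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
+      hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace "--benchmark-disable" ""
+  '';
+
+  cargoRoot = "src/rust";
+
+  nativeBuildInputs = [
+    rustPlatform.cargoSetupHook
+    setuptoolsRustBuildHook
+    cargo
+    rustc
+    pkg-config
+  ] ++ lib.optionals (!isPyPy) [ cffi ];
+
+  buildInputs =
+    [ openssl ]
+    ++ lib.optionals stdenv.isDarwin [
+      Security
+      libiconv
+    ]
+    ++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];
+
+  propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];
+
+  nativeCheckInputs = [
+    cryptography-vectors
+    hypothesis
+    iso8601
+    pretend
+    py
+    pytestCheckHook
+    pytest-subtests
+    pytz
+  ];
+
+  pytestFlagsArray = [ "--disable-pytest-warnings" ];
+
+  disabledTestPaths =
+    [
+      # save compute time by not running benchmarks
+      "tests/bench"
+    ]
+    ++ lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [
+      # aarch64-darwin forbids W+X memory, but this tests depends on it:
+      # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
+      "tests/hazmat/backends/test_openssl_memleak.py"
+    ];
+
+  meta = with lib; {
+    description = "A package which provides cryptographic recipes and primitives";
+    longDescription = ''
+      Cryptography includes both high level recipes and low level interfaces to
+      common cryptographic algorithms such as symmetric ciphers, message
+      digests, and key derivation functions.
+      Our goal is for it to be your "cryptographic standard library". It
+      supports Python 2.7, Python 3.5+, and PyPy 5.4+.
+    '';
+    homepage = "https://github.com/pyca/cryptography";
+    changelog =
+      "https://cryptography.io/en/latest/changelog/#v" + replaceStrings [ "." ] [ "-" ] version;
+    license = with licenses; [
+      asl20
+      bsd3
+      psfl
+    ];
+    maintainers = with maintainers; [ nh2 ];
+  };
+}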
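Review bot: The comment on `version` points the next bumper at `vectors.nix`, but the companion derivation this file actually loads (in the `let` above `buildPythonPackage`) is `./cryptography-vectors.nix`, so the reminder names a file that does not exist; `version = "40.0.1"; # Also update the hash in cryptography-vectors.nix`. Because this is a deliberately stale release kept alive only by backports, the comment above `patches` should also record what was reviewed: the list covers CVE-2023-49083 and CVE-2024-26130, and nothing on the page says whether later advisories against the 40.x line were checked, so stating that explicitly (and listing any that remain unpatched in `meta.knownVulnerabilities`) stops scanners and future maintainers from assuming the backport set is complete. Separately, `substituteInPlace pyproject.toml --replace "--benchmark-disable" ""` succeeds silently when the pattern is missing; `--replace-fail` would surface a drift in the upstream `pyproject.toml` at build time instead of at test time. The `longDescription` still advertises Python 2.7 and 3.5 support while `disabled = pythonOlder "3.6"` says otherwise; dropping that last sentence keeps `meta` from contradicting the derivation.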
+0 −0

File moved.