* Update keystone from branch 'master'
to 7a6e1a0bdc79927e5d7fd6ad7e6dda2e04c8342c
- Enable protection jobs
This patch re-enables the protection gate jobs now that policy changes
and tempest test changes have merged.
Depends-On: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914934
Change-Id: I928fcb8943319e5463a246105391a2bafe833a7e
* Update keystone from branch 'master'
to 8ca73f758bb613a57815fbe4ae78e3d2afa4af49
- Merge "sql: Fixup for invalid unique constraint on external_id in access_rule table"
- sql: Fixup for invalid unique constraint on external_id in access_rule table
There was a big drop of invalid constraints with [1]. One of them was on
`external_id` in the access_rule table.
While the change made it into an Alembic revision with [2], it still exists in
the schema, causing a new Alembic autogeneration to actually add it again as
a revision.
[1] https://review.opendev.org/c/openstack/keystone/+/851845
[2] 7d169870fe (diff-26484e3f6683ce7557e17b67220003784ff84fbe)
Closes-Bug: #1988297
Change-Id: I66626ba8771ef2aa8b3580fd3f5d15fd4b58ab48
* Update keystone from branch 'master'
to b31007e1b2ecbea5e1268d3e28d6230d0f5d09b2
- Allow admin to access tokens and credentials
This patch modifies a few policies to allow users with the "admin" role
to access /v3/auth/tokens and /v3/credentials. These policies were
missed when we implemented Phase 1 of Secure RBAC.
Change-Id: Id789c09121f1405f7ba5e4926498dab4ad98e057
* Update keystone from branch 'master'
to a050129384ac4803d1c56001a3140fc547fe134b
- Run Secure RBAC tests as project-admin
This patch updates the devstack plugin so that tempest.conf is not
configured to use system-admin. Currently tempest uses an all-in
approach to configuring admin clients, and forcing system scope in
tempest when SRBAC is turned on results in test failures for services
that don't understand system scope.
With this patch, keystone tests will be run with a project-scoped admin,
which should be fine since policies have been previously updated to
accept project-admin tokens as legacy admin for Phase 1. [1]
[1] f2f1a5c388
Change-Id: I39d50b8e6e55b0835670d753c3783f32b19b6c47
* Update keystone from branch 'master'
to fc10ccbc8c9798e554add498997535171e0e099f
- Merge "Replace CRLF by LF"
- Replace CRLF by LF
... because LF is now commonly used as newline code.
Change-Id: I1fddfcbdb06179c096b6a271350d52365ff958ca
* Update keystone from branch 'master'
to 31e7b1f261c199ed81ba970b3e1ce90556223e77
- Merge "reno: Update master for unmaintained/xena"
- reno: Update master for unmaintained/xena
Update the xena release notes configuration to build from
unmaintained/xena.
Change-Id: I85125d02ce8a17f848f23e024f32a5c183f7b67e
* Update keystone from branch 'master'
to 4f15ee89db1099aaf0d648aeae8b34de0e003e67
- Merge "reno: Update master for unmaintained/wallaby"
- reno: Update master for unmaintained/wallaby
Update the wallaby release notes configuration to build from
unmaintained/wallaby.
Change-Id: Iba95e22e05c8872ddde42dc88912dcfbf14c96b7
* Update keystone from branch 'master'
to 7af1d49c285b3166cd35859a2720a32bc1ff0f5e
- reno: Update master for unmaintained/victoria
Update the victoria release notes configuration to build from
unmaintained/victoria.
Change-Id: Ibc662537e6eda4a318141d7d5ef4a522efa8d29e
* Update keystone from branch 'master'
to 4121cf6cb7c3d5e585df827d72e08296664f7326
- Merge "Add ability to create users and projects from keystone-manage"
- Add ability to create users and projects from keystone-manage
This adds the ability to create users and projects directly from
keystone-manage. We also add the ability to specify specific UUIDs
for both users and projects via the creation functions.
Change-Id: Icd193eff25556d21ec26bb29908b8ad6548fdc91
* Update keystone from branch 'master'
to 0e78d42aefc986e8da39e05debea350f3f6f1ef5
- Merge "Update regex to detect closed branch"
- Update regex to detect closed branch
... based on the change made in reno recently[1].
[1] https://review.opendev.org/c/openstack/reno/+/910547
Change-Id: Ie38448c4df404514fc9c65b5a5b48be929b13cc5
* Update keystone from branch 'master'
to 307296af5e170ca6b0d44fd5ec85a39bd6b5e572
- Deprecate templated catalog driver
Keystone provided two in-tree catalog drivers, sql and templated.
However the templated driver hasn't been properly maintained.
The default template had not been updated for 8 years until it was
recently updated by [1].
This deprecates the driver assuming it's not widely used and sql driver
meets usual requirements.
This also restores the image service endpoints which were wrongly
removed by [1].
[1] c32bedb654d04176fdab9b3cb522dd3146cfea9c
Related-Bug: #2013473
Change-Id: Iadb7bd5d7c4cf82aea2a7dbc1d8c4dbe53b9f763
* Update keystone from branch 'master'
to b08e5b5f63f50775a4cf1f2928bacf6995e56322
- Merge "Drop remaining references to eventlet options"
- Drop remaining references to eventlet options
Because these were removed by [1]. Also update the previous release
note to document the upgrade impact on catalog information (like
endpoint urls) including string interpolations requiring these removed
options.
[1] 2a3c73c49b117fe43d2174dbdb55842a4407377d
Change-Id: If78d0b93665410b86754ea35653ca9d4c15c81c5
* Update keystone from branch 'master'
to ac65d1416d76b16a3c84e3abcbcc34e14065a688
- Merge "api-ref: Fix indentation"
- api-ref: Fix indentation
Additional paragraphs of a bullet list should be indented by two spaces
to align with the first paragraph, e.g.
- A bullet list item
  Additional detail
Rather than:
- A bullet list item
Additional detail
The latter results in the additional paragraphs being rendered as block
quotes.
Change-Id: I18cd39e65fd8d43691c940a6e849765755c46c2e
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
* Update keystone from branch 'master'
to 0ba7fdbd15152bc0c088c399de9d581e50c4a1e0
- Merge "Fix operation order in role deletion"
- Fix operation order in role deletion
Deletion of a role leads to deletion of role assignments and entries in
the application credentials. However, deletion of the entries in
application credentials depends on the existence of the assignment, so
the order of deletion is important.
Delete the entries from application credentials first and then clean up
role assignment.
Closes-Bug: 2053137
Change-Id: Ibba9063c729961cd4155f8b55dbabd4789d7a438
* Update keystone from branch 'master'
to f3a3f8948aa893b20d2fb7e455b6ffc9706630ae
- Merge "Fix federation mapping role jsonschema"
- Fix federation mapping role jsonschema
additionalProperties attribute must be located on the level of "type"
and not inside "properties"
(https://json-schema.org/understanding-json-schema/reference/object#additional-properties).
Sadly this is not violating schema validation, but is wrong and hurts
any reasonable processing of the schema.
Change-Id: Ib537f1dd33dd3f3dc8909873dffc37980d04b4db
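The effect of the misplacement described in this commit message, as an added example that is not keystone's schema or validation code: a minimal validator covering only `type`, `properties` and `additionalProperties`, run over two constructed role schemas. The value `False` for the keyword and the sample role object are assumptions.

```python
# Minimal validator for the JSON Schema object keywords involved here.
# Illustration only: not keystone code, and the schemas below are constructed.

def validate(instance, schema):
    """Return a list of error strings; an empty list means the instance is valid."""
    if schema is True or schema == {}:
        return []                      # "true" / empty schema accepts anything
    if schema is False:
        return ["value not allowed here"]  # "false" schema rejects anything
    expected = schema.get("type")
    if expected == "object" and not isinstance(instance, dict):
        return ["expected object"]
    if expected == "string" and not isinstance(instance, str):
        return ["expected string"]
    errors = []
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                sub = props[key]
            elif "additionalProperties" in schema:
                sub = schema["additionalProperties"]
            else:
                continue               # keyword absent: extra keys are accepted
            errors += [f"{key}: {e}" for e in validate(value, sub)]
    return errors


# Keyword nested inside "properties": it is read as the schema of a property
# that happens to be *named* "additionalProperties", so it restricts nothing else.
MISPLACED = {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "additionalProperties": False,
    },
}

# Keyword at the same level as "type": unknown keys are rejected.
CORRECT = {
    "type": "object",
    "properties": {"name": {"type": "string"}},
    "additionalProperties": False,
}

# Constructed input: a role object carrying a key the schema never declared.
ROLE_WITH_EXTRA = {"name": "member", "unexpected": "x"}

if __name__ == "__main__":
    print("misplaced:", validate(ROLE_WITH_EXTRA, MISPLACED))
    print("correct:  ", validate(ROLE_WITH_EXTRA, CORRECT))
```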
* Update keystone from branch 'master'
to c5133e5ab89bbc77f15fc587d55b7eb1a4684b48
- Merge "Pass initiator to delete user"
- Pass initiator to delete user
otherwise the initiator field is missing from the CADF payload,
which misses the point of audit and technically makes these notifications
not valid as CADF events (initiator field is required by the
CADF spec).
Change-Id: Iae525ee13dec72af6a7d70db2bb59a77c682a177
* Update keystone from branch 'master'
to 9c73837d82ff5284325650a9fc6719d52eb5232a
- Merge "Remove unused old job templates and experimental jobs"
- Remove unused old job templates and experimental jobs
Ubuntu Xenial, CentOS7 and OpenSUSE 15 are all too old.
Change-Id: I0a87cc5a35e6033d670bab56d5cdc8b8312819d8
* Update keystone from branch 'master'
to d0ba0d33604cbf1ae49ffb0a26991408c5ecd683
- Merge "Drop unused pymongodb from requirements"
- Drop unused pymongodb from requirements
Keystone no longer depends on mongodb after cache implementation was
split to oslo.cache[1]. Also, bandit is not a runtime dependency but
a test dependency, so should live in test requirements.
[1] 4969f66fca37ce9bd654cf74890fa28dd011bc6e
Change-Id: I85f376d0897dd6b4dba758f86882fae70511fb6a
* Update keystone from branch 'master'
to 98ac508cf809ba272136579af7de55bc1de08396
- Merge "Drop keystone-dsvm-functional-federation-opensuse15 jobs"
- Drop keystone-dsvm-functional-federation-opensuse15 jobs
The OpenDev team is planning to remove OpenSUSE LEAP 15 images as our
node builds and mirrors are for 15.2 which is ancient and no one is
currently working to modernize these test environments. On top of that
LEAP is apparently going away in the future and will be replaced with
another distro.
Change-Id: Ia94b4e7151410515a3ecf99185042dae82bf1b7d
* Update keystone from branch 'master'
to 8c2d5769a16c1cb041701c73efa661b3cbeef482
- Merge "Dont enforce when HTTP GET on s3tokens and ec2tokens"
- Dont enforce when HTTP GET on s3tokens and ec2tokens
When calling the s3tokens or ec2tokens API with an
HTTP GET we should get a 405 Method Not Allowed but
we get a 500 Internal Server Error because we enforce
that method.
Closes-Bug: #2052916
Change-Id: I5f60d10dc25551175cc73ca8f3f28b0b95ec9f99
Signed-off-by: Tobias Urdin <tobias.urdin@binero.se>
* Update keystone from branch 'master'
to 57833a2e964ff03e7da8777a215d76b14adc7b8f
- Merge "Allow assignment of domain specific role to federated users"
- Allow assignment of domain specific role to federated users
After the patch "Keystone to honor the "domain" attribute mapping rules."
it's not possible to assign domain specific roles to federated users
when the user domain is specified on the claim.
This patch aims to fix this, allowing to map non domain specific roles
and domain specific, if the domain is the one specified on the claim.
Depends-on: https://review.opendev.org/#/c/739966/
related-Bug: #1887515
Change-Id: Ie3d7585cb9143686a93e4a19843698274475eaf6
Signed-off-by: Juan Pedro Torres Muñoz <juanp.95.torres@gmail.com>
* Update keystone from branch 'master'
to 2ac039b717669bf9744f72161e82bdac46dbfacf
- Merge "Add domain scoping to list_domains"
- Add domain scoping to list_domains
Introduces domain-scoped filtering of the response list of the
list_domains endpoint when the user is authenticated in domain scope
instead of returning all domains. This aligns the implementation with
other endpoints like list_projects or list_groups and allows for a
domain-scoped reader role.
Changes the default policy rule for identity:list_domains to
incorporate this new behavior for the reader role.
Closes-Bug: 2041611
Change-Id: I8ee50efc3b4850060cce840fc904bae17f1503a9
* Update keystone from branch 'master'
to 7dc175a41f92e3f01cf26912431d0f2c98a03b32
- Normalize policy checks for domain-scoped tokens
This patch fixes an inconsistency in the policies for role_assignment
where the target object used for policy enforcement was being created
with different properties depending on the request query string.
This required policies to be written in two different ways to validate
domain IDs for domain-scoped requests. e.g. checking for domain reader
was using both:
role:reader and domain_id:%(target.domain_id)s
and
role:reader and domain_id:%(target.project.domain_id)s
With the former only being populated for GET /v3/role_assignments and
the latter only being populated for GET
/v3/role_assignments?scope.project.id=SOME_ID
This patch fixes the target object so that only target.domain_id needs
to be checked for domain-scoped tokens.
Change-Id: Iffbe11c57c61bbd1b045a6567a9249c12dff403c
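The inconsistency described in this commit message, as an added example that is not keystone or oslo.policy code: a simplified evaluator for the two check strings quoted above, run against constructed target objects for both request shapes. The evaluator supports only `and`, treats a missing target attribute as a failed check, and the domain IDs are assumptions.

```python
# Simplified stand-in for policy enforcement; supports "a:b and c:d" only.
# Target shapes and IDs below are constructed for illustration.

def flatten(d, prefix=""):
    """Flatten nested dicts into dotted keys: {'target': {'domain_id': 'd1'}}
    becomes {'target.domain_id': 'd1'}."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(flatten(v, key + "."))
        else:
            out[key] = v
    return out


def enforce(rule, target, creds):
    """Return True only if every clause of the rule matches."""
    flat = flatten(target)
    for clause in rule.split(" and "):
        kind, match = clause.strip().split(":", 1)
        if kind == "role":
            if match not in creds["roles"]:
                return False
            continue
        try:
            expected = match % flat   # fill %(target...)s from the target
        except KeyError:
            return False              # attribute not populated: check fails
        if str(creds.get(kind)) != expected:
            return False
    return True


RULE_DOMAIN = "role:reader and domain_id:%(target.domain_id)s"
RULE_PROJECT = "role:reader and domain_id:%(target.project.domain_id)s"

# Before the patch: the populated attribute depends on the query string.
OLD_PLAIN = {"target": {"domain_id": "d1"}}                # GET /v3/role_assignments
OLD_SCOPED = {"target": {"project": {"domain_id": "d1"}}}  # ...?scope.project.id=SOME_ID
# After the patch: target.domain_id is populated for the scoped request too.
NEW_SCOPED = {"target": {"domain_id": "d1"}}

READER_D1 = {"roles": ["reader"], "domain_id": "d1"}
READER_D2 = {"roles": ["reader"], "domain_id": "d2"}


def decisions():
    """Decision for each (rule, target) pair for a domain reader in d1."""
    return {
        ("domain", "old_plain"): enforce(RULE_DOMAIN, OLD_PLAIN, READER_D1),
        ("domain", "old_scoped"): enforce(RULE_DOMAIN, OLD_SCOPED, READER_D1),
        ("project", "old_plain"): enforce(RULE_PROJECT, OLD_PLAIN, READER_D1),
        ("project", "old_scoped"): enforce(RULE_PROJECT, OLD_SCOPED, READER_D1),
        ("domain", "new_scoped"): enforce(RULE_DOMAIN, NEW_SCOPED, READER_D1),
    }


if __name__ == "__main__":
    for pair, allowed in decisions().items():
        print(pair, "allow" if allowed else "deny")
```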
* Update keystone from branch 'master'
to db0ff104763b6da4d661bf0c5cc9814ea3f18fc8
- reno: Update master for unmaintained/yoga
Update the yoga release notes configuration to build from
unmaintained/yoga.
Change-Id: If555750682c88a657834ac8f934f23b76a6ff9eb
* Update keystone from branch 'master'
to 03401210426ed62bbf24c24793125b598321f182
- Allow users with "admin" role to get projects
This patch modifies the policy for identity:get_project to allow a user
with the "admin" role to retrieve any project by project_id for Secure
RBAC (Phase 1)
Change-Id: I6442557701284572759da1354e6547f57186935f
* Update keystone from branch 'master'
to 5a97b7d847d5471d91b7e41ab0acf65974419c44
- Merge "Fix policies for groups"
- Fix policies for groups
This patch fixes a couple of broken policies in the groups resource.
Change-Id: Ia47ecc71c04bcb50c2e0d677a99b3754ffbc1c04
* Update keystone from branch 'master'
to 0608537f034b4b71205a90c7fbf02aa8b6720c8c
- Merge "Check user existence before setting last_active_at"
- Check user existence before setting last_active_at
A situation might arise, when the user does not exist any more and we
are attempting to set last_active_at on them. This results in keystone
raising AttributeError.
Check for user existence before addressing the attribute.
Closes-Bug: 2044624
Change-Id: I3eb5890fb6d52a222b7caa4a52effc06774c0542
* Update keystone from branch 'master'
to 2d48ff27bb43947c12237333e265dd511a5a1096
- Merge "Propagate redirect exceptions to the client"
- Propagate redirect exceptions to the client
When a developer is implementing an Authentication plugin, in some cases
(like an OpenID Connect plugin) it is needed to perform a redirect to
the provider to complete the flow. This was possible in the past (before
moving to Flask) by raising an exception with the proper HTTP code set,
but the framework change made this possibility not available anymore.
Closes-Bug: #1854041
Co-authored-by: Alvaro Lopez Garcia <aloga@ifca.unican.es>
Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc
* Update keystone from branch 'master'
to 406233f16975a83ca41b0d057d1497b6d43ee0fa
- Merge "Clean up deprecated options for eventlet server"
- Clean up deprecated options for eventlet server
The eventlet server implementation was removed during Newton, and have
not been used by any other implementations for a while.
Change-Id: I01f9adfc3e610d820c1834209d36c10568cccf41
* Update keystone from branch 'master'
to 6c16f975d27b590332c9be484bb5ff11e021e40c
- Merge "Improve application credential validation speed"
- Improve application credential validation speed
Validating an application credential token is very slow, taking at least
400ms+ in a simple devstack environment, 5-10x longer than validating a
user/password project token.
The primary bottleneck during a token validation request
(/v3/auth/tokens) is that token.roles is evaluated at least 5 times.
validate_token is called twice, first during RBAC to populate the
subject token context and again to actually validate the token. Each
call to validate_token then called token.roles twice because it first
checks if it is None, before calling it again to use the result. Lastly
token.roles is evaluated a fifth time during
render_token_response_from_model.
Each evaluation of token.roles calls through
_get_application_credential_roles into list_role_assignments which then
makes multiple round-trip SQL queries to the database.
Unlike the related get_roles_for_user_and_project function, none of
these calls are currently cached/memoized. We memoize
list_role_assignments to get the same speedup.
Reduce the number of token.roles calls to only 3 by storing and re-using
the token.roles result in validate_token, then memoize
list_role_assignments so the 2nd and 3rd call fetch from the cache
instead of repeating many SQL queries.
This provides a substantial performance improvement bringing validation
time in-line with user/password tokens.
Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48
* Update keystone from branch 'master'
to 993e589fa148a0e8da5b1d7bf00287df5632e96d
- Merge "Keystone to honor the "domain" attribute mapping rules."
- Keystone to honor the "domain" attribute mapping rules.
We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.
Currently, that configuration is only used to define a default domain
for groups (and then each group there, could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied for users and projects.
Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.
Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
* Update keystone from branch 'master'
to 4b3efbc0264f82898af51efa2f9d83ea0535c57a
- Merge "Remove babel.cfg"
- Remove babel.cfg
Remove babel.cfg and the translation bits from setup.cfg, those are not
needed anymore.
Change-Id: I6c44c8e0b8bf16af2e91ba26b2dbe37c06ea1048
* Update keystone from branch 'master'
to 44a547414819723eeaf2b7f121a2fb3f8fdedeef
- Merge "Add a cache to check_revocation"
- Add a cache to check_revocation
The check_revocation method is called at least 3 times when validating
a token.
Each time, it's doing a heavy SQL statement depending on the size of the
revocation table.
We can save time by adding cache to this method.
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I70b4664905bb4360d792ba8bd701674f60538223
* Update keystone from branch 'master'
to 31ea45d24195d9e8befdd11e55084d192e1e8a76
- Merge "Revoke list_events: Add trust sql filter"
- Revoke list_events: Add trust sql filter
Currently all token validations evaluate all events
related to trust deletion even if current token is neither
trust scoped or if trust_ids do not match token trust.
This involves token validation time variation in environments
where trust deletion is high.
This change reduces token validation time and makes it stable
during token life cycle by filtering also on trust_id when
querying revocation_event table.
Change-Id: If592599a12035769491eaed3df1541b5afe43e3f
* Update keystone from branch 'master'
to b15595746d4e23a2d181e224de4c15b2ccdd8014
- Merge "Remove deprecated [memcache] options"
- Remove deprecated [memcache] options
These options have had no effect and were formally deprecated during
Yoga cycle[1].
[1] 9a8686aee042ba55155de224c4072ca511f92eca
Related-Bug: #1941020
Change-Id: I9ac00109bd278bc4813a45358aeda848ab7318de
* Update keystone from branch 'master'
to c89655a6d1a142500363e43f1bd2d828973181fd
- Merge "Consistent and Secure RBAC (Phase 1)"
- Consistent and Secure RBAC (Phase 1)
This patch updates system-scoped policies to also accept project-admin
tokens so that operators can continue to use the "admin" role to access
system level APIs.
The protection test job is marked non-voting since tempest does not yet
expect these policy changes. A follow-up patch will make it voting
again after the test changes have merged into tempest.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582
* Update keystone from branch 'master'
to bb4b7abc8ddeb6a3c8d5417e9b66c79e29f376f6
- Merge "python 3.12: use raw string"
- python 3.12: use raw string
This fixes "SyntaxWarning: invalid escape sequence '\d'"
when installing python3-keystone.
Change-Id: Iee22be887130dd171ae8038f5ed3bb365e2b3ade
* Update keystone from branch 'master'
to 21cc759c22eb4ce96ad474e4d604a35a19083f3a
- Merge "fix(federation): follow-up"
- fix(federation): follow-up
This mainly was intended to clean up confusing comments, and
to add @staticmethod since we're at it.
Related-Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
Change-Id: I7cd62cdd188da77367820317f4875b48a247ff00
* Update keystone from branch 'master'
to adfa92b40d11f94a03af5202da1fc3858bbccbb5
- Merge "Update python classifier in setup.cfg"
- Update python classifier in setup.cfg
As per the current release tested runtime, we test
python version from 3.8 to 3.11 so updating the
same in python classifier in setup.cfg
Change-Id: I94d11b7fb1f7111549a16d70581658d8fa17ab62
* Update keystone from branch 'master'
to effd3f405e90be748358b82168e3d7ddf5def902
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: Ic69bc8b9b3c30abcd9e3aa40e4230bf2743e7c87
* Update keystone from branch 'master'
to 9e4a3157dd326801b9ae0ef2b7934c982259b3dd
- Merge "Fix typo in cmd/status.py"
- Fix typo in cmd/status.py
Comma is missing from the 'rules' list at check_trust_policies_are_not_empty().
Closes-Bug: #2037052
Change-Id: I47f3a7649b7e6022bea477caff8b081f352b0af3
* Update keystone from branch 'master'
to 262d763f79a9b97996ec51dca3399994b97bf4e0
- Merge "Remove unnecessary shebang"
- Remove unnecessary shebang
The current shebang requires python 2 instead of python 3. Because
the shebang is not really required this removes it instead of fixing
it.
Change-Id: I4c82281a67de53c6c8d788000b695a22360c3dd6
* Update keystone from branch 'master'
to c57c6c2aa28a87245e43ffa40c6663e57a4cf5b7
- Merge "Drop compatibility code for Python 2.y"
- Drop compatibility code for Python 2.y
The inspect.getfullargspec method is available since Python 3.0.
Change-Id: I163f0327ede2a720c3b800dc4757d4791ed47d00
* Update keystone from branch 'master'
to bd681f379b2ba4e582bbc775b69a77c9079aa2bb
- Merge "Fix bindep.txt for python 3.11 job(Debian Bookworm)"
- Fix bindep.txt for python 3.11 job(Debian Bookworm)
Python 3.11 job now runs on Debian Bookworm which does not provide
some of the packages in bindep. This fixes the bindep file so that
it pulls packages actually available.
This also updates a few assertions of log records in unit tests to make
these robust for any warning logs.
Change-Id: Iae3f4da24418530b61b9a0b64390160d194da05b
* Update keystone from branch 'master'
to fe1a75cf3a0ed7be19d8e5a2fa99e5b2947cfa10
- Merge "doc: Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9"
- doc: Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9
The openstack Ussuri and Victoria versions no longer support
RHEL7/CentOS7. Update the installation guide for RHEL8/CentOS8 and RHEL9/CentOS9.
Change-Id: I6c9924c96c1f879b913b39f66878a8f9235ea18f
* Update keystone from branch 'master'
to 9cae81d37455eb003c93f641f31811687f0bb910
- Merge "Update master for stable/2023.2"
- Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I4be00df3ab7a0f692fc33e1d664c4545e89de545
* Update keystone from branch 'master'
to 7ee35794e94ea3d5519ccbb0ba72260c67c66ca8
- Merge "Fix presentation of OAuth2.0 user guides"
- Fix presentation of OAuth2.0 user guides
Applied remaining comments to the first OAuth2.0 documentation patch [1].
[1] https://review.opendev.org/c/openstack/keystone/+/838108
Change-Id: I95aac0b4ac4e887b79ef5b15ac5cb3d356c26735
* Update keystone from branch 'master'
to 8b8c025fc3057781f44eb035c4799f6a53f98618
- Merge "Stop pinning pep8 related packages"
- Stop pinning pep8 related packages
These practices cause conflicts periodically. Not right now:
the gate is okay with the current values, which this patch
deletes. However, like the sun rising in the east, it is sure
to happen again. This patch lets workarounds work that the
infra team puts in place. The downside is, we need to fix
the code once in a while as new checks get added.
Change-Id: Ia7a96fb4b6de4251862a8a96c995cefa94dbc271
* Update keystone from branch 'master'
to be05fb3f11152ba5ee88aca454467e5d87d43af9
- Merge "Add support for bcrypt_sha256 hasher"
- Add support for bcrypt_sha256 hasher
This patch adds a new hashing algorithm, bcrypt_sha256, which is based on
bcrypt but does not have limitations on the length of the passwords,
since passwords are passed through HMAC-SHA2-256 first.
It accepts exactly the same parameters as bcrypt does.
However, it prefixes the hash using the `prefix` attribute rather than
`indent_values`, which are the same as for bcrypt.
Change-Id: I5430ebf5a20142c1a9caab960ced9b3ee2e782c1