authorJim Rollenhagen <jim@jimrollenhagen.com>2019-05-14 20:47:18 +0000
committerColleen Murphy <colleen.murphy@suse.de>2019-06-24 06:52:52 -0700
commit90f9da82add76ca6a8d509528a2ddb616b0d76ce (patch)
tree59fc02a34ae70c92c473ff69e71664e77736713a
parent1828d0612cf2c51427773077dc25bd8b659eb549 (diff)
downloadkeystone-90f9da82add76ca6a8d509528a2ddb616b0d76ce.tar.gz
Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee. Using the glob that I had not yet had enough coffee to do correctly is a better solution, and allows us to fix new failures in 1.6.0 which would break us again when 1.6.1 was released. Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54 (cherry picked from commit dc3175afb16fedaf5216b5d4a7a521d16636b4d1)
-rw-r--r--keystone/assignment/core.py2
-rw-r--r--keystone/common/authorization.py4
-rw-r--r--keystone/common/policies/base.py5
-rw-r--r--keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py2
-rw-r--r--keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py2
-rw-r--r--keystone/identity/backends/sql_model.py2
-rw-r--r--keystone/notifications.py2
-rw-r--r--keystone/oauth1/core.py4
-rw-r--r--setup.cfg2
-rw-r--r--tox.ini4
10 files changed, 15 insertions, 14 deletions
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 4e21efdbf..8db1a7bc4 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -58,7 +58,7 @@ class Manager(manager.Manager):
driver_namespace = 'keystone.assignment'
_provides_api = 'assignment_api'
- _SYSTEM_SCOPE_TOKEN = 'system'
+ _SYSTEM_SCOPE_TOKEN = 'system' # nosec
_USER_SYSTEM = 'UserSystem'
_GROUP_SYSTEM = 'GroupSystem'
_PROJECT = 'project'
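Review bot: The bare `# nosec` added on the `_SYSTEM_SCOPE_TOKEN = 'system'` line suppresses every bandit finding on that line, not only the hardcoded-password one it is meant to silence, and it records nothing about why the string is safe. A short justification on the preceding line keeps the suppression reviewable, e.g. `# Scope label, not a credential; bandit hardcoded-password check (presumably B105) is a false positive here` followed by the unchanged `_SYSTEM_SCOPE_TOKEN = 'system'  # nosec`; newer bandit releases also accept a test ID after `nosec` so that only that check is skipped, but whether the version pinned here honours that should be confirmed before relying on it. The same applies to the other `# nosec` additions in keystone/common/authorization.py, keystone/common/policies/base.py, the 097 and 104 migrate_repo versions, keystone/identity/backends/sql_model.py, keystone/notifications.py and keystone/oauth1/core.py. The `Manager` class continues outside the hunk.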
diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py
index 5c4581b96..a15c9eaac 100644
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@@ -19,7 +19,7 @@
# A couple common constants for Auth data
# Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
+AUTH_TOKEN_HEADER = 'X-Auth-Token' # nosec
# Header used to transmit the auth receipt
@@ -27,7 +27,7 @@ AUTH_RECEIPT_HEADER = 'Openstack-Auth-Receipt'
# Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token' # nosec
# Environment variable used to convey the Keystone auth context,
# the user credential used for policy enforcement.
diff --git a/keystone/common/policies/base.py b/keystone/common/policies/base.py
index 00b24e2c6..38d948f91 100644
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
RULE_ADMIN_OR_TARGET_PROJECT = (
'rule:admin_required or '
'project_id:%(target.project.id)s')
-RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject' # nosec
RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
-RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
+ 'rule:service_admin_or_token_subject') # nosec
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
diff --git a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
index bb1aea882..d99d6aa6a 100644
--- a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
_USER_TABLE_NAME = 'user'
_USER_NAME_COLUMN_NAME = 'name'
_USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
def upgrade(migrate_engine):
diff --git a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
index b54af234a..a8740c594 100644
--- a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
_USER_TABLE_NAME = 'user'
_USER_NAME_COLUMN_NAME = 'name'
_USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
def upgrade(migrate_engine):
diff --git a/keystone/identity/backends/sql_model.py b/keystone/identity/backends/sql_model.py
index 20423a0d2..a7b6df65c 100644
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@@ -243,7 +243,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
new_dict = user_dict.copy()
resource_options = {}
options = new_dict.pop('options', {})
- password_expires_at_key = 'password_expires_at'
+ password_expires_at_key = 'password_expires_at' # nosec
if password_expires_at_key in user_dict:
del new_dict[password_expires_at_key]
for opt in cls.resource_options_registry.options:
diff --git a/keystone/notifications.py b/keystone/notifications.py
index fb2a5f543..3f59d151e 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -80,7 +80,7 @@ CONF = keystone.conf.CONF
# NOTE(morganfainberg): Special case notifications that are only used
# internally for handling token persistence token deletions
-INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
+INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' # nosec
PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
DOMAIN_DELETED = 'domain_deleted'
diff --git a/keystone/oauth1/core.py b/keystone/oauth1/core.py
index a693e25f5..68e208e2a 100644
--- a/keystone/oauth1/core.py
+++ b/keystone/oauth1/core.py
@@ -118,8 +118,8 @@ class Manager(manager.Manager):
driver_namespace = 'keystone.oauth1'
_provides_api = 'oauth_api'
- _ACCESS_TOKEN = "OS-OAUTH1:access_token"
- _REQUEST_TOKEN = "OS-OAUTH1:request_token"
+ _ACCESS_TOKEN = "OS-OAUTH1:access_token" # nosec
+ _REQUEST_TOKEN = "OS-OAUTH1:request_token" # nosec
_CONSUMER = "OS-OAUTH1:consumer"
def __init__(self):
diff --git a/setup.cfg b/setup.cfg
index 9efe858ca..20f674d9a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -35,7 +35,7 @@ memcache =
mongodb =
pymongo!=3.1,>=3.0.2 # Apache-2.0
bandit =
- bandit!=1.6.0,>=1.1.0 # Apache-2.0
+ bandit>=1.1.0 # Apache-2.0
[global]
setup-hooks =
diff --git a/tox.ini b/tox.ini
index c096062ff..08d0348ff 100644
--- a/tox.ini
+++ b/tox.ini
@@ -37,7 +37,7 @@ commands =
# the check and gate queues
bashate devstack/plugin.sh
# Run security linter
- bandit -r keystone -x tests
+ bandit -r keystone -x 'keystone/tests/*'
[testenv:bandit]
basepython = python3
@@ -46,7 +46,7 @@ basepython = python3
deps = -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/stein}
-r{toxinidir}/requirements.txt
.[bandit]
-commands = bandit -r keystone -x tests
+commands = bandit -r keystone -x 'keystone/tests/*'
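Review bot: The exclusion pattern `'keystone/tests/*'` on the `commands = bandit -r keystone ...` line is presumably matched against the relative paths bandit discovers, so it only skips the test tree when bandit is invoked from the repository root with `keystone` as a relative target; run from another directory or with an absolute path the tests would be scanned again, and if the pattern were too broad it could silently drop real source from the scan. It is worth a one-line comment stating that the glob is relative to `{toxinidir}` and checking the installed bandit's exclusion semantics once, since the commit message notes the previous pattern already broke on a bandit release. The same invocation is now duplicated between the environment in the first hunk and `[testenv:bandit]`, so the two have to be kept in sync by hand.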
[testenv:cover]
basepython = python3