author | Jim Rollenhagen <jim@jimrollenhagen.com> | 2019-05-14 20:47:18 +0000 |
---|---|---|
committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-06-24 06:52:52 -0700 |
commit | 90f9da82add76ca6a8d509528a2ddb616b0d76ce (patch) | |
tree | 59fc02a34ae70c92c473ff69e71664e77736713a | |
parent | 1828d0612cf2c51427773077dc25bd8b659eb549 (diff) | |
download | keystone-90f9da82add76ca6a8d509528a2ddb616b0d76ce.tar.gz |
Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee.
Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.
Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
(cherry picked from commit dc3175afb16fedaf5216b5d4a7a521d16636b4d1)
-rw-r--r-- | keystone/assignment/core.py | 2 | ||||
-rw-r--r-- | keystone/common/authorization.py | 4 | ||||
-rw-r--r-- | keystone/common/policies/base.py | 5 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py | 2 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py | 2 | ||||
-rw-r--r-- | keystone/identity/backends/sql_model.py | 2 | ||||
-rw-r--r-- | keystone/notifications.py | 2 | ||||
-rw-r--r-- | keystone/oauth1/core.py | 4 | ||||
-rw-r--r-- | setup.cfg | 2 | ||||
-rw-r--r-- | tox.ini | 4 |
10 files changed, 15 insertions, 14 deletions
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 4e21efdbf..8db1a7bc4 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -58,7 +58,7 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.assignment'
 _provides_api = 'assignment_api'
- _SYSTEM_SCOPE_TOKEN = 'system'
+ _SYSTEM_SCOPE_TOKEN = 'system' # nosec
 _USER_SYSTEM = 'UserSystem'
 _GROUP_SYSTEM = 'GroupSystem'
 _PROJECT = 'project'
diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py
index 5c4581b96..a15c9eaac 100644
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@@ -19,7 +19,7 @@
 # A couple common constants for Auth data
 # Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
+AUTH_TOKEN_HEADER = 'X-Auth-Token' # nosec
 # Header used to transmit the auth receipt
@@ -27,7 +27,7 @@ AUTH_RECEIPT_HEADER = 'Openstack-Auth-Receipt'
 # Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token' # nosec
 # Environment variable used to convey the Keystone auth context,
 # the user credential used for policy enforcement.
diff --git a/keystone/common/policies/base.py b/keystone/common/policies/base.py
index 00b24e2c6..38d948f91 100644
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
 RULE_ADMIN_OR_TARGET_PROJECT = (
 'rule:admin_required or '
 'project_id:%(target.project.id)s')
-RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject' # nosec
 RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
-RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
+ 'rule:service_admin_or_token_subject') # nosec
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
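Review bot: The bare `# nosec` on `_SYSTEM_SCOPE_TOKEN` gives no reason and names no check, so it switches off every bandit test for that line, not only the one that presumably objected to the word "token" in the name. The same applies to the markers added in authorization.py (both hunks), policies/base.py, the 097 and 104 migrations, sql_model.py, notifications.py and oauth1/core.py. I would put a one-line reason above each constant, for example `# Not a credential: bandit flags the name because it contains "token".`, and, once the minimum bandit version accepts a test ID after the marker, narrow it to `# nosec B105`. The class body continues outside this hunk.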
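Review bot: In policies/base.py the `# nosec` for `RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT` sits on the continuation line rather than on the line that opens the assignment, so whether the finding is suppressed depends on which line bandit attributes the string literal to. That presumably works with the release this was tested against, but it can silently stop working when someone re-wraps the statement or the reported line changes. A short comment above the assignment, such as `# nosec must stay on the line that holds the string literal`, would record why the wrap looks the way it does.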
diff --git a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
index bb1aea882..d99d6aa6a 100644
--- a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
 def upgrade(migrate_engine):
diff --git a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
index b54af234a..a8740c594 100644
--- a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
 def upgrade(migrate_engine):
diff --git a/keystone/identity/backends/sql_model.py b/keystone/identity/backends/sql_model.py
index 20423a0d2..a7b6df65c 100644
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@@ -243,7 +243,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
 new_dict = user_dict.copy()
 resource_options = {}
 options = new_dict.pop('options', {})
- password_expires_at_key = 'password_expires_at'
+ password_expires_at_key = 'password_expires_at' # nosec
 if password_expires_at_key in user_dict:
 del new_dict[password_expires_at_key]
 for opt in cls.resource_options_registry.options:
diff --git a/keystone/notifications.py b/keystone/notifications.py index fb2a5f543..3f59d151e 100644 --- a/keystone/notifications.py +++ b/keystone/notifications.py @@ -80,7 +80,7 @@ CONF = keystone.conf.CONF # NOTE(morganfainberg): Special case notifications that are only used # internally for handling token persistence token deletions -INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' +INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' # nosec PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user' REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user' DOMAIN_DELETED = 'domain_deleted' diff --git a/keystone/oauth1/core.py b/keystone/oauth1/core.py index a693e25f5..68e208e2a 100644 --- a/keystone/oauth1/core.py +++ b/keystone/oauth1/core.py @@ -118,8 +118,8 @@ class Manager(manager.Manager): driver_namespace = 'keystone.oauth1' _provides_api = 'oauth_api' - _ACCESS_TOKEN = "OS-OAUTH1:access_token" - _REQUEST_TOKEN = "OS-OAUTH1:request_token" + _ACCESS_TOKEN = "OS-OAUTH1:access_token" # nosec + _REQUEST_TOKEN = "OS-OAUTH1:request_token" # nosec _CONSUMER = "OS-OAUTH1:consumer" def __init__(self): @@ -35,7 +35,7 @@ memcache = mongodb = pymongo!=3.1,>=3.0.2 # Apache-2.0 bandit = - bandit!=1.6.0,>=1.1.0 # Apache-2.0 + bandit>=1.1.0 # Apache-2.0 [global] setup-hooks = @@ -37,7 +37,7 @@ commands = # the check and gate queues bashate devstack/plugin.sh # Run security linter - bandit -r keystone -x tests + bandit -r keystone -x 'keystone/tests/*' [testenv:bandit] basepython = python3 @@ -46,7 +46,7 @@ basepython = python3 deps = -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/stein} -r{toxinidir}/requirements.txt .[bandit] -commands = bandit -r keystone -x tests +commands = bandit -r keystone -x 'keystone/tests/*' [testenv:cover] basepython = python3 |
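Review bot: The new exclude value `'keystone/tests/*'` in the two tox.ini hunks (`@@ -37,7` and `@@ -46,7`) only excludes the test tree if the installed bandit treats `-x` arguments as glob patterns, yet the `bandit` extra in the setup.cfg hunk now accepts any release from 1.1.0 upward. If an older release that matches `-x` values differently is installed (I have not checked which releases those are), the test tree may be scanned or the gate may fail for reasons unrelated to the code. Consider raising the floor to the first release with glob matching, for example `bandit>=1.6.0 # Apache-2.0` if that is the one. The same command line is also repeated in both tox sections, so the pattern has to be kept in step in two places.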