| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
An empty exception clause is unnecessary when you're using
a "finally" clause.
Previous-Change-Id: I59ebf0fa77391d49b2349e918fc55f96318c42a6
Change-Id: I903db2fd2ac810ec96dbd25fc6529752c08f9a79
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Print a human readable error if tls certs are not provided when using
ldaps:// or use_tls and not providing CA certificates.
Change-Id: I5d3613617278443673a265259351a2e1d5dc7f44
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: Ic6effa352660f0405d5f4bcd15f3be44b0cc423c
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
authenticate.failed in the list is not working as the correct
notification is authenticate.failure (see [0]), this way we keep the
default behaviour, and the users still have the ability to add their
events to this list at deployment time.
[0]https://github.com/openstack/pycadf/blob/stable/victoria/pycadf/cadftaxonomy.py#L76
Change-Id: If3d818dac220a105f4aba382537c09ab4ee1abd5
Closes-Bug: 1954665
|
| |\ \ \ \ \
| |_|_|_|/
|/| | | | |
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When using a numerical group name, the current codebase which
relies on ast.literal_eval does not account for the value
being a number. Therefore, it can be parsed as a number and
fail in further steps since it will not be a list.
This patch adds a test to handle that use case and refactor the
code that leverages ast.literal_eval to be the same everywhere
so that it adds that fix everywhere.
Closes-Bug: #1992186
Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The mTLS OAuth2.0 in Keystone uses a parameter that is only availble on
cryptography 36.0.0 or later. Users may have to upgrade cryptography
which is already installed, which can be unreasonably hassle. This
patch introduces an alternative for that parameter.
[1] https://cryptography.io/en/latest/changelog/#v36-0-0
Closes-bug: 2009600
Change-Id: Idffe269b62797bb2935429f4069e878a177db04f
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
|
| |\ \ \ \ |
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add devstack testing setup for OIDC using an instance of keycloak
which is instantiated from a keycloak image. This is largely taken
from Kristi's work in https://github.com/knikolla/devstack-plugin-oidc
This configuration is triggered by enabling the devstack service
keystone-oidc-federation. The expectation is that either SAML2 or
OIDC is enabled, but not both.
Depends-On: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/864571
Co-Authored-By: David Wilde <dwilde@redhat.com>
Change-Id: I1ff4d48c05cef1022dc510df03104f36cdd7a953
|
| |\ \ \ \ |
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0]. This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.
[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
|
| |\ \ \ \
| |/ / /
|/| | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
result3 does not invoke message.clean() when an exception is thrown
by `message.connection.result3()` call, causing pool connection
associated with the message to be marked active forever. This causes
a denial-of-service on ldappool.
The fix ensures message.clean() is invoked by wrapping the offending
call in try-except-finally and putting the message.clean() in finally
block.
Closes-Bug: #1998789
Change-Id: I59ebf0fa77391d49b2349e918fc55f96318c42a6
Signed-off-by: Mustafa Kemal Gilor <mustafa.gilor@canonical.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This updated the Python jobs and fixes the following error with tox 4:
tox.tox_env.errors.Fail: pass_env values cannot contain whitespace, use
comma to have multiple values in a single line, invalid values found
'http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
PBR_VERSION'PROXY PBR_VERSION'
Change-Id: I003723766b1dba7f54c9800364207191597c6741
|
| |\ \ \ |
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The pep257 dependency does not support Python 3.10 and has been
deprecated in favour of flake8-docstrings. While we're here, we bump the
other linter dependencies and remove a note regarding the order of
dependencies, which is no longer true with the new dependency resolver
introduced in pip 20.3. We also remove an import exception for six.moves
since we no longer use six.
Change-Id: I4aae75f513568126230becf27b2e07d6682d35a1
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greaten than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.
Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I1f5579cf3b8e5055b3a26867c8cb1d39d2ea86fc
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
UPPER_CONSTRAINTS_FILE is old name and deprecated
This allows to use upper-constraints file as more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.
Change-Id: Id78b5ab392ac52a52731c87a4c06cbad1516ea85
|
| |\ \ \ \
| |_|/ /
|/| | | |
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I0de3c786fa2617a44094c37827ebd93a8dfcf3b6
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I2d496fd5a76ca31a2ebbf275fdc348e8fc44394f
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When we check the EC2 signature without the port part of the host value
received, we should properly split host:port. Keep in mind the splitting
should work for values like [fc00::]:123 too.
Change-Id: I1d90dfcea3568e2a9b22069daa428ea6a2a38bd6
Closes-Bug: #1988168
|
| |\ \ \ \
| |/ / /
|/| | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The OAuth2.0 Access Token API is added, support to get an OAuth2.0
access token from the keystone identity server with application
credentials.
Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: Iabc8cd0746871ea6ab81af9d3f0149644a489f3d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
| |\ \ \ \ \
| |/ / / / |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Switch to alembic for real by integrating it into the 'db sync' command
flow. From a user-facing perspective, things should remain pretty much
the same as before, with the key difference being that version
information (i.e. what's shown by 'keystone-manage db_sync --check' or
'keystone-manage db_version') will now take the form of a hash rather
than an integer. There are a few differences for contributors however.
The changes are described in the included release note and
documentation.
Note that there are a couple of important design decisions here that are
worth examining:
- We drop the idea of the 'data_migration' branch entirely and the
'keystone-manage db_sync --migrate' command is now a no-op. Neutron
doesn't do data migrations like we do and yet they manage just fine.
Dropping this gets us closer to neutron's behavior, which is a good
thing for users.
- We haven't re-added the ability to specify a version when doing
'db_sync'. Neutron has this, but the logic needed to get this working
is complex and of questionable value. We've managed without the
ability to sync to a version since Newton and can continue to do so
until someone asks for it (and does the work).
- sqlalchemy-migrate is not removed entirely. Instead, upon doing a
'db_sync' we will apply all sqlalchemy-migrate migrations up to the
final '079_expand_update_local_id_limit' migration and dummy apply the
initial alembic migration, after which we will switch over to alembic.
In a future release we can remove the sqlalchemy-migrate migrations
and rely entirely on alembic. Until then, keeping this allows fast
forward upgrades to continue as a thing.
- Related to the above, we always apply *all* sqlalchemy-migrate
migrations when calling 'db_sync', even if this command is called with
e.g. '--expand' (meaning only apply the expand branch). This is
because there is at most one "real" migration to apply, the Xena-era
'079_expand_update_local_id_limit' migration, which is an expand-only
migration. There is no risk to applying the empty "data_migration" and
"contract" parts of this migration, and applying everything in one go
results in *much* simpler logic.
Future changes will update documentation and add developer tooling for
(auto-)generating new migrations, a la 'neutron-db-manage revision'.
Change-Id: Ia376cb87f5159a4e79e2cfbab8442b6bcead708f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
| |\ \ \ \ \ |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Previously, the fernet token provider would log warnings when a fernet
token exceeded 255 characters, which is common for LDAP-backed
deployments. The warning is always issued, even when operators configure
keystone's max_token_size to a higher value, causing confusion because
it appears the configuration value is silently ignored.
This commit fixes that issue by using the max_token_size configuration
parameter consistently in the fernet token provider.
Closes-Bug: 1926483
Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
|
| |\ \ \ \ \ \ |
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Closed bug: #1916662
Change-Id: I3ae502580588af42ac5d5f9fc6718a639b443e98
|
| | |_|_|_|/ /
|/| | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I69d52a1d921e2c9376baef9ab54ba41aa9602b07
|
| |\ \ \ \ \ \
| |_|_|/ / /
|/| | | | | |
|
| | |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Move FIPS job to centos 9 and add new required nslookup_target variable.
Change-Id: Ifef262cfca4ecb8ad1222da3c43e5749f40c1f24
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We were inadvertently monkeypatching a variety of functions in
'keystone.common.sql.upgrades'. We should be configuring mocks for these
that we teardown at the end of the test. This has been an issue since we
first added these tests way back in change
I9f138fe0bcbf5ffbb98e6fcebd7d897329a301b7. Fix it now.
Change-Id: I185420e6d16276e7d184146f6a38b098abc00b25
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Suggested-by: Mike Bayer <mike_mp@zzzcomputing.com>
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We can use the existing connection. No need to create a new one.
Change-Id: I2165710ee83dad12ddd795b665ecac6c8bd42a93
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Keystone's API policy rules are defaulting to system scope. Scope checks
are disabled by default in oslo.policy, but if you hit the API with a
token that doesn't match the scope, it generates a UserWarning, for
every policy check on that request. This is pretty annoying, so just
filter those warnings during our test runs.
Change-Id: I150b8fa19d4ec1582234caa4c25db905e6403590
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
|
| |/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Keeps directories clean.
Change-Id: I8fcd9370a6adbfe8bbb2ce441a6f2efad45d089a
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: I92a8cfaef350bb61330d9ef02c0fd9e6f6c5854a
|
