Deckhand updates

This PS delivers the following updates: - fixed sample config and policy files generation in tox - rolled back chart version incremention back to 0.2.0 Change-Id: I509030319a724b18bb21f45f7ede7c07ab18e894
2023-04-28 19:20:58 +00:00 · 2023-04-28 19:20:58 +00:00 · 03f6932e16
parent 13c5199f18
commit 03f6932e16
5 changed files with 125 additions and 99 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 CHANGES
 =======

+* Removing egg-info folder
+* Sync requirements with shipyard
 * [focal] Deckhand project updates
 * update to focal and python 3.8
 * Allow source substring extraction
--- a/charts/deckhand/Chart.yaml
+++ b/charts/deckhand/Chart.yaml
@ -15,7 +15,7 @@
 apiVersion: v1
 description: A Helm chart for Deckhand
 name: deckhand
-version: 0.2.2
+version: 0.2.0
 appVersion: 1.1.0
 keywords:
 - deckhand
--- a/etc/deckhand/deckhand.conf.sample
+++ b/etc/deckhand/deckhand.conf.sample
@ -11,6 +11,10 @@
 # in production. (boolean value)
 #development_mode = false

+# How many times Deckhand should attempt to create a secret in Barbican before
+# raising an exception. (integer value)
+#secret_create_attempts = 2
+
 #
 # From oslo.log
 #
@ -25,7 +29,7 @@
 # files, see the Python logging module documentation. Note that when logging
 # configuration files are used then all logging configuration is set in the
 # configuration file and other logging configuration options are ignored (for
-# example, logging_context_format_string). (string value)
+# example, log-date-format). (string value)
 # Note: This option can be changed without restarting.
 # Deprecated group/name - [DEFAULT]/log_config
 #log_config_append = <None>
@ -76,27 +80,62 @@
 # set. (boolean value)
 #use_stderr = false

-# Format string to use for log messages with context. (string value)
+# Log output to Windows Event Log. (boolean value)
+#use_eventlog = false
+
+# The amount of time before the log files are rotated. This option is ignored
+# unless log_rotation_type is set to "interval". (integer value)
+#log_rotate_interval = 1
+
+# Rotation interval type. The time of the last file change (or the time when the
+# service was started) is used when scheduling the next rotation. (string value)
+# Possible values:
+# Seconds - <No description provided>
+# Minutes - <No description provided>
+# Hours - <No description provided>
+# Days - <No description provided>
+# Weekday - <No description provided>
+# Midnight - <No description provided>
+#log_rotate_interval_type = days
+
+# Maximum number of rotated log files. (integer value)
+#max_logfile_count = 30
+
+# Log file maximum size in MB. This option is ignored if "log_rotation_type" is
+# not set to "size". (integer value)
+#max_logfile_size_mb = 200
+
+# Log rotation type. (string value)
+# Possible values:
+# interval - Rotate logs at predefined time intervals.
+# size - Rotate logs once they reach a predefined size.
+# none - Do not rotate log files.
+#log_rotation_type = none
+
+# Format string to use for log messages with context. Used by
+# oslo_log.formatters.ContextFormatter (string value)
 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

-# Format string to use for log messages when context is undefined. (string
-# value)
+# Format string to use for log messages when context is undefined. Used by
+# oslo_log.formatters.ContextFormatter (string value)
 #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

 # Additional data to append to log message when logging level for the message is
-# DEBUG. (string value)
+# DEBUG. Used by oslo_log.formatters.ContextFormatter (string value)
 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

-# Prefix each line of exception output with this format. (string value)
+# Prefix each line of exception output with this format. Used by
+# oslo_log.formatters.ContextFormatter (string value)
 #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s

 # Defines the format string for %(user_identity)s that is used in
-# logging_context_format_string. (string value)
+# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter
+# (string value)
 #logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s

 # List of package logging levels in logger=LEVEL pairs. This option is ignored
 # if log_config_append is set. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO

 # Enables or disables publication of error events. (boolean value)
 #publish_errors = false
@ -132,6 +171,10 @@
 #

 # URL override for the Barbican API endpoint. (string value)
+#
+# This option has a sample default set, which means that
+# its actual default value may vary from the one documented
+# below.
 #api_endpoint = http://barbican.example.org:9311/

 # Maximum number of threads used to call secret storage service concurrently.
@ -199,7 +242,7 @@
 # Domain name containing project (string value)
 #project_domain_name = <None>

-# Trust ID (string value)
+# ID of the trust to use as a trustee use (string value)
 #trust_id = <None>

 # User ID (string value)
@ -285,27 +328,10 @@
 # Connections which have been present in the connection pool longer than this
 # number of seconds will be replaced with a new one the next time they are
 # checked out from the pool. (integer value)
-# Deprecated group/name - [DATABASE]/idle_timeout
-# Deprecated group/name - [database]/idle_timeout
-# Deprecated group/name - [DEFAULT]/sql_idle_timeout
-# Deprecated group/name - [DATABASE]/sql_idle_timeout
-# Deprecated group/name - [sql]/idle_timeout
 #connection_recycle_time = 3600

-# DEPRECATED: Minimum number of SQL connections to keep open in a pool. (integer
-# value)
-# Deprecated group/name - [DEFAULT]/sql_min_pool_size
-# Deprecated group/name - [DATABASE]/sql_min_pool_size
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: The option to set the minimum pool size is not supported by
-# sqlalchemy.
-#min_pool_size = 1
-
 # Maximum number of SQL connections to keep open in a pool. Setting a value of 0
 # indicates no limit. (integer value)
-# Deprecated group/name - [DEFAULT]/sql_max_pool_size
-# Deprecated group/name - [DATABASE]/sql_max_pool_size
 #max_pool_size = 5

 # Maximum number of database connection retries during startup. Set to -1 to
@ -363,6 +389,23 @@
 #connection_parameters =


+[engine]
+# Engine options for allowing behavior specific to Deckhand's engine to be
+# configured.
+
+#
+# From deckhand.conf
+#
+
+# Whether to enable the document rendering caching. Useful for testing to avoid
+# cross-test caching conflicts. (boolean value)
+#enable_cache = true
+
+# How long (in seconds) document rendering results should remain cached in
+# memory. (integer value)
+#cache_timeout = 3600
+
+
 [healthcheck]

 #
@ -374,7 +417,10 @@
 # Its value may be silently ignored in the future.
 #path = /healthcheck

-# Show more detailed information as part of the response (boolean value)
+# Show more detailed information as part of the response. Security note:
+# Enabling this option may expose sensitive details about the service being
+# monitored. Be sure to verify that it will not violate your security policies.
+# (boolean value)
 #detailed = false

 # Additional backends that can perform health checks and report that information
@ -462,7 +508,7 @@
 # Domain name containing project (string value)
 #project_domain_name = <None>

-# Trust ID (string value)
+# ID of the trust to use as a trustee use (string value)
 #trust_id = <None>

 # Optional domain ID to use with v3 and v2 parameters. It will be used for both
@ -520,9 +566,13 @@
 # will be removed in the S  release.
 #auth_uri = <None>

-# API version of the admin Identity API endpoint. (string value)
+# API version of the Identity API endpoint. (string value)
 #auth_version = <None>

+# Interface to use for the Identity API endpoint. Valid values are "public",
+# "internal" (default) or "admin". (string value)
+#interface = internal
+
 # Do not handle authorization requests within the middleware, but delegate the
 # authorization decision to downstream WSGI components. (boolean value)
 #delay_auth_decision = false
@ -557,14 +607,6 @@
 # The region in which the identity server can be found. (string value)
 #region_name = <None>

-# DEPRECATED: Directory used to cache files related to PKI tokens. This option
-# has been deprecated in the Ocata release and will be removed in the P release.
-# (string value)
-# This option is deprecated for removal since Ocata.
-# Its value may be silently ignored in the future.
-# Reason: PKI token format is no longer supported.
-#signing_dir = <None>
-
 # Optionally specify a list of memcached server(s) to use for caching. If left
 # undefined, tokens will instead be cached in-process. (list value)
 # Deprecated group/name - [keystone_authtoken]/memcache_servers
@ -575,16 +617,6 @@
 # -1 to disable caching completely. (integer value)
 #token_cache_time = 300

-# DEPRECATED: Determines the frequency at which the list of revoked tokens is
-# retrieved from the Identity service (in seconds). A high number of revocation
-# events combined with a low cache duration may significantly reduce
-# performance. Only valid for PKI tokens. This option has been deprecated in the
-# Ocata release and will be removed in the P release. (integer value)
-# This option is deprecated for removal since Ocata.
-# Its value may be silently ignored in the future.
-# Reason: PKI token format is no longer supported.
-#revocation_cache_time = 10
-
 # (Optional) If defined, indicate whether token data should be authenticated or
 # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
 # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
@ -620,9 +652,9 @@
 # client connection from the pool. (integer value)
 #memcache_pool_conn_get_timeout = 10

-# (Optional) Use the advanced (eventlet safe) memcached client pool. The
-# advanced pool will only work under python 2.x. (boolean value)
-#memcache_use_advanced_pool = false
+# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
+# value)
+#memcache_use_advanced_pool = true

 # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
 # middleware will not ask for service catalog on token validation and will not
@ -638,27 +670,6 @@
 # value)
 #enforce_token_bind = permissive

-# DEPRECATED: If true, the revocation list will be checked for cached tokens.
-# This requires that PKI tokens are configured on the identity server. (boolean
-# value)
-# This option is deprecated for removal since Ocata.
-# Its value may be silently ignored in the future.
-# Reason: PKI token format is no longer supported.
-#check_revocations_for_cached = false
-
-# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may be a
-# single algorithm or multiple. The algorithms are those supported by Python
-# standard hashlib.new(). The hashes will be tried in the order given, so put
-# the preferred one first for performance. The result of the first hash will be
-# stored in the cache. This will typically be set to multiple values only while
-# migrating from a less secure algorithm to a more secure one. Once all the old
-# tokens are expired this option should be set to a single value for better
-# performance. (list value)
-# This option is deprecated for removal since Ocata.
-# Its value may be silently ignored in the future.
-# Reason: PKI token format is no longer supported.
-#hash_algorithms = md5
-
 # A choice of roles that must be present in a service token. Service tokens are
 # allowed to request that an expired token can be used and so this check should
 # tightly control that only actual services should be sending this token. Roles
@ -673,6 +684,10 @@
 # (boolean value)
 #service_token_roles_required = false

+# The name or type of the service as it appears in the service catalog. This is
+# used to validate tokens that have restricted access rules. (string value)
+#service_type = <None>
+
 # Authentication type to load (string value)
 # Deprecated group/name - [keystone_authtoken]/auth_plugin
 #auth_type = <None>
@ -718,7 +733,20 @@
 # scope. (boolean value)
 #enforce_scope = false

-# The file that defines policies. (string value)
+# This option controls whether or not to use old deprecated defaults when
+# evaluating policies. If ``True``, the old deprecated defaults are not going to
+# be evaluated. This means if any existing token is allowed for old defaults but
+# is disallowed for new defaults, it will be disallowed. It is encouraged to
+# enable this flag along with the ``enforce_scope`` flag so that you can get the
+# benefits of new defaults and ``scope_type`` together. If ``False``, the
+# deprecated policy check string is logically OR'd with the new policy check
+# string, allowing for a graceful upgrade experience between releases with new
+# policies, which is the default behavior. (boolean value)
+#enforce_new_defaults = false
+
+# The relative or absolute path of a file that maps roles to permissions for a
+# given service. Relative paths must be specified in relation to the
+# configuration file setting this option. (string value)
 #policy_file = policy.json

 # Default rule. Enforced when a requested rule is not found. (string value)
--- a/etc/deckhand/policy.yaml.sample
+++ b/etc/deckhand/policy.yaml.sample
@ -1,53 +1,45 @@
 # Default rule for most Admin APIs.
 #"admin_api": "role:admin"

-# Create a batch of documents specified in the request body, whereby
-# a new revision is created. Also, roll back a revision to a previous
-# one in the
-# revision history, whereby the target revision's documents are re-
-# created for
-# the new revision.
+# Create a batch of documents specified in the request body, whereby a
+# new revision is created. Also, roll back a revision to a previous
+# one in the revision history, whereby the target revision's documents
+# are re-created for the new revision.
 # PUT  /api/v1.0/buckets/{bucket_name}/documents
 # POST  /api/v1.0/rollback/{target_revision_id}
 #"deckhand:create_cleartext_documents": "rule:admin_api"

-# Create a batch of documents specified in the request body, whereby
-# a new revision is created. Also, roll back a revision to a previous
-# one in the
-# history, whereby the target revision's documents are re-created for
-# the new
-# revision.
+# Create a batch of documents specified in the request body, whereby a
+# new revision is created. Also, roll back a revision to a previous
+# one in the history, whereby the target revision's documents are re-
+# created for the new revision.
 #
 # Only enforced after ``create_cleartext_documents`` passes.
 #
 # Conditionally enforced for the endpoints below if the any of the
-# documents in
-# the request body have a ``metadata.storagePolicy`` of "encrypted".
+# documents in the request body have a ``metadata.storagePolicy`` of
+# "encrypted".
 # PUT  /api/v1.0/buckets/{bucket_name}/documents
 # POST  /api/v1.0/rollback/{target_revision_id}
 #"deckhand:create_encrypted_documents": "rule:admin_api"

 # List cleartext documents for a revision (with no layering or
 # substitution applied) as well as fully layered and substituted
-# concrete
-# documents.
+# concrete documents.
 # GET  api/v1.0/revisions/{revision_id}/documents
 # GET  api/v1.0/revisions/{revision_id}/rendered-documents
 #"deckhand:list_cleartext_documents": "rule:admin_api"

 # List encrypted documents for a revision (with no layering or
 # substitution applied) as well as fully layered and substituted
-# concrete
-# documents.
+# concrete documents.
 #
 # Only enforced after ``list_cleartext_documents`` passes.
 #
 # Conditionally enforced for the endpoints below if any of the
-# documents in the
-# request body have a ``metadata.storagePolicy`` of "encrypted". If
-# policy
-# enforcement fails, encrypted documents are excluded from the
-# response.
+# documents in the request body have a ``metadata.storagePolicy`` of
+# "encrypted". If policy enforcement fails, encrypted documents are
+# excluded from the response.
 # GET  api/v1.0/revisions/{revision_id}/documents
 # GET  api/v1.0/revisions/{revision_id}/rendered-documents
 #"deckhand:list_encrypted_documents": "rule:admin_api"
@ -65,7 +57,7 @@
 # DELETE  /api/v1.0/revisions
 #"deckhand:delete_revisions": "rule:admin_api"

-# Show revision deepdiff between two revisions.
+# Show revision deep diff between two revisions.
 # GET  /api/v1.0/revisions/{revision_id}/deepdiff/{comparison_revision_id}
 #"deckhand:show_revision_deepdiff": "rule:admin_api"

--- a/tox.ini
+++ b/tox.ini
@ -131,10 +131,14 @@ allowlist_externals =
 commands = bandit -r deckhand  --skip B311,B301,B106 -x deckhand/tests -n 5

 [testenv:genconfig]
-commands = oslo-config-generator --config-file=etc/deckhand/config-generator.conf
+commands =
+    pip install . --use-pep517
+    oslo-config-generator --config-file=etc/deckhand/config-generator.conf

 [testenv:genpolicy]
-commands = oslopolicy-sample-generator --config-file=etc/deckhand/policy-generator.conf
+commands =
+    pip install . --use-pep517
+    oslopolicy-sample-generator --config-file=etc/deckhand/policy-generator.conf

 [testenv:pep8]
 allowlist_externals =