diff --git a/bandit.yaml b/bandit.yaml
index 776e8b9954..7221e92b8f 100644
--- a/bandit.yaml
+++ b/bandit.yaml
@@ -81,9 +81,7 @@ profiles:
 - ssl_with_bad_defaults
 - ssl_with_bad_version
 - ssl_with_no_version
-
- # TODO:
- # - try_except_pass
+ - try_except_pass
 # Keystone has no use for mako.
 # - use_of_mako_templates
diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py
index e249ba3498..81de6a4e9b 100644
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@@ -125,8 +125,8 @@ class Assignment(keystone_assignment.AssignmentDriverV8):
 target_id=project_id or domain_id,
 role_id=role_id,
 inherited=inherited_to_projects))
- except sql.DBDuplicateEntry:
- # The v3 grant APIs are silent if the assignment already exists
+ except sql.DBDuplicateEntry: # nosec : The v3 grant APIs are silent if
+ # the assignment already exists
 pass
 def list_grant_role_ids(self, user_id=None, group_id=None,
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index a510c3c194..a82c80a9a7 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -111,7 +111,8 @@ class Manager(manager.Manager):
 tenant_id=project_ref['id'])
 role_list = self._roles_from_role_dicts(
 metadata_ref.get('roles', {}), False)
- except exception.MetadataNotFound:
+ except exception.MetadataNotFound: # nosec: No metadata so no
+ # roles.
 pass
 if CONF.os_inherit.enabled:
@@ -121,7 +122,10 @@ class Manager(manager.Manager):
 user_id=user_id, domain_id=project_ref['domain_id'])
 role_list += self._roles_from_role_dicts(
 metadata_ref.get('roles', {}), True)
- except (exception.MetadataNotFound, exception.NotImplemented):
+ except (exception.MetadataNotFound, # nosec : No metadata or
+ # the backend doesn't support the role ops, so no
+ # roles.
+ exception.NotImplemented):
 pass
 # As well inherited roles from parent projects
 for p in self.resource_api.list_project_parents(
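Review bot: A bare `# nosec` on the `except sql.DBDuplicateEntry:` line suppresses every bandit plugin for that line, not only the `try_except_pass` check this commit turns on, and the same blanket marker is added to every handler in the commit (assignment/core.py, role_backends/ldap.py, auth/controllers.py and the rest). If the bandit version pinned for the gate accepts test-id suffixes, `# nosec B110` keeps the other checks alive on those lines; otherwise the profile in bandit.yaml is the only record of what the marker is meant to cover. Separately, the justification here is split between the trailing comment and a continuation line (`# nosec : The v3 grant APIs are silent if` / `# the assignment already exists`), which reads as two fragments; keep the marker alone on the except line and put the sentence whole in the handler body above `pass`.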
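Review bot: In the second keystone/assignment/core.py hunk (`@@ -121,7 +122,10 @@`) the explanation is interleaved inside the parenthesised exception tuple, between `exception.MetadataNotFound,` and `exception.NotImplemented):`, so the tuple is read across four lines with prose in the middle. The `@@ -157` and `@@ -169` hunks of the same file show the cleaner form: `except (exception.MetadataNotFound,  # nosec` / `exception.NotImplemented):` with the reason as an ordinary comment in the handler body, e.g. `# No metadata, or the backend doesn't support role ops: no roles.` above `pass`. The first hunk (`@@ -111,7 +111,8 @@`) has the milder version of the same problem, with `No metadata so no` / `roles.` wrapped across the trailing comment and a second line.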
@@ -157,7 +161,8 @@ class Manager(manager.Manager):
 domain_id=domain_id)
 role_list += self._roles_from_role_dicts(
 metadata_ref.get('roles', {}), False)
- except (exception.MetadataNotFound, exception.NotImplemented):
+ except (exception.MetadataNotFound, # nosec
+ exception.NotImplemented):
 # MetadataNotFound implies no group grant, so skip.
 # Ignore NotImplemented since not all backends support
 # domains.
@@ -169,7 +174,8 @@ class Manager(manager.Manager):
 try:
 metadata_ref = self._get_metadata(user_id=user_id,
 domain_id=domain_id)
- except (exception.MetadataNotFound, exception.NotImplemented):
+ except (exception.MetadataNotFound, # nosec
+ exception.NotImplemented):
 # MetadataNotFound implies no user grants.
 # Ignore NotImplemented since not all backends support
 # domains
@@ -1208,7 +1214,7 @@ class RoleManager(manager.Manager):
 def delete_role(self, role_id, initiator=None):
 try:
 self.assignment_api.delete_tokens_for_role_assignments(role_id)
- except exception.NotImplemented:
+ except exception.NotImplemented: # nosec
 # FIXME(morganfainberg): Not all backends (ldap) implement
 # `list_role_assignments_for_role` which would have previously
 # caused a NotImplmented error to be raised when called through
diff --git a/keystone/assignment/role_backends/ldap.py b/keystone/assignment/role_backends/ldap.py
index 6e5e038e3f..2e30c29934 100644
--- a/keystone/assignment/role_backends/ldap.py
+++ b/keystone/assignment/role_backends/ldap.py
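Review bot: Marking `except exception.NotImplemented:` in `delete_role` (`@@ -1208,7 +1214,7 @@`) as accepted hides a security-relevant outcome: on a backend that does not implement the listing the FIXME mentions, `delete_tokens_for_role_assignments` does nothing, so tokens that still carry the deleted role presumably stay valid until they expire unless revocation events cover this elsewhere, and nothing records that the revocation was skipped. Rather than a silent `pass`, the handler should leave a trace an operator can act on, e.g. `LOG.warning('Could not revoke tokens for role %s: backend does not support listing role assignments', role_id)`, assuming the module has a logger (not visible in the hunk). The handler body and the rest of `delete_role` continue past the end of the hunk.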
@@ -55,7 +55,14 @@ class Role(assignment.RoleDriverV8):
 self.role.check_allow_create()
 try:
 self.get_role(role_id)
- except exception.NotFound:
+ except exception.NotFound: # nosec
+ # The call to self.get_role() raises this exception when a role
+ # with the given ID doesn't exist. This was done to ensure that
+ # a role with the new role's ID doesn't already exist. As such this
+ # exception is expected to happen in the normal case. The abnormal
+ # case would be if the role does already exist. So this exception
+ # is expected to be ignored and there's no security issue with
+ # ignoring it.
 pass
 else:
 msg = _('Duplicate ID, %s.') % role_id
@@ -63,7 +70,14 @@ class Role(assignment.RoleDriverV8):
 try:
 self.role.get_by_name(role['name'])
- except exception.NotFound:
+ except exception.NotFound: # nosec
+ # The call to self.role.get_by_name() raises this exception when a
+ # role with the given name doesn't exist. This was done to ensure
+ # that a role with the new role's name doesn't already exist. As
+ # such this exception is expected to happen in the normal case. The
+ # abnormal case would be if a role with the same name does already
+ # exist. So this exception is expected to be ignored and there's no
+ # security issue with ignoring it.
 pass
 else:
 msg = _('Duplicate name, %s.') % role['name']
@@ -117,7 +131,8 @@ class RoleApi(RoleLdapStructureMixin, common_ldap.BaseLdap):
 if old_role['id'] != role_id:
 raise exception.Conflict(
 _('Cannot duplicate name %s') % old_role)
- except exception.NotFound:
+ except exception.NotFound: # nosec
+ # Another role with the same name doesn't exist, good.
 pass
 return super(RoleApi, self).update(role_id, role)
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 133230d693..077b43d627 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
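Review bot: The seven-line justification added under `except exception.NotFound:  # nosec` in the role create path restates what the `try`/`else` shape already shows (the `else:` branch raises on a duplicate), and its closing claim that there is "no security issue" should not be read as covering the window between this lookup and the create that presumably follows outside the hunk, where a concurrent create with the same id is still possible. A one-line comment is enough and makes a smaller claim: `# Expected: no role with this id exists yet, so creation may proceed.` The second hunk (`@@ -63,7 +70,14 @@`) repeats the same paragraph for the name check and can be shortened the same way.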
@@ -580,7 +580,7 @@ class Auth(controller.V3Controller):
 if user_id:
 try:
 user_refs = self.assignment_api.list_projects_for_user(user_id)
- except exception.UserNotFound:
+ except exception.UserNotFound: # nosec
 # federated users have an id but they don't link to anything
 pass
@@ -601,7 +601,7 @@ class Auth(controller.V3Controller):
 if user_id:
 try:
 user_refs = self.assignment_api.list_domains_for_user(user_id)
- except exception.UserNotFound:
+ except exception.UserNotFound: # nosec
 # federated users have an id but they don't link to anything
 pass
diff --git a/keystone/catalog/core.py b/keystone/catalog/core.py
index 8bb7261917..b414309f0b 100644
--- a/keystone/catalog/core.py
+++ b/keystone/catalog/core.py
@@ -129,7 +129,8 @@ class Manager(manager.Manager):
 # Check duplicate ID
 try:
 self.get_region(region_ref['id'])
- except exception.RegionNotFound:
+ except exception.RegionNotFound: # nosec
+ # A region with the same id doesn't exist already, good.
 pass
 else:
 msg = _('Duplicate ID, %s.') % region_ref['id']
diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
index d993d71c54..538c4be26c 100644
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@@ -428,7 +428,7 @@ class DomainConfigUploadFiles(object):
 """
 try:
 self.upload_config_to_database(file_name, domain_name)
- except ValueError:
+ except ValueError: # nosec
 # We've already given all the info we can in a message, so carry
 # on to the next one
 pass
diff --git a/keystone/common/environment/eventlet_server.py b/keystone/common/environment/eventlet_server.py
index 6be234ad89..cf39a6267f 100644
--- a/keystone/common/environment/eventlet_server.py
+++ b/keystone/common/environment/eventlet_server.py
@@ -169,9 +169,11 @@ class Server(service.ServiceBase):
 """Wait until all servers have completed running."""
 try:
 self.pool.waitall()
- except KeyboardInterrupt:
+ except KeyboardInterrupt: # nosec
+ # If CTRL-C, just break out of the loop.
 pass
- except greenlet.GreenletExit:
+ except greenlet.GreenletExit: # nosec
+ # If exiting, break out of the loop.
 pass
 def reset(self):
@@ -199,7 +201,7 @@ class Server(service.ServiceBase):
 socket, application, log=EventletFilteringLogger(logger), debug=False, keepalive=CONF.eventlet_server.wsgi_keep_alive, socket_timeout=socket_timeout)
- except greenlet.GreenletExit:
+ except greenlet.GreenletExit: # nosec
 # Wait until all servers have completed running
 pass
 except Exception:
diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 0bb3830c82..78c18cdaee 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -113,11 +113,13 @@ def enabled2py(val):
 try:
 return LDAP_VALUES[val]
- except KeyError:
+ except KeyError: # nosec
+ # It wasn't a boolean value, will try as an int instead.
 pass
 try:
 return int(val)
- except ValueError:
+ except ValueError: # nosec
+ # It wasn't an int either, will try as utf8 instead.
 pass
 return utf8_decode(val)
@@ -1354,7 +1356,8 @@ class BaseLdap(object):
 continue
 v = lower_res[map_attr.lower()]
- except KeyError:
+ except KeyError: # nosec
+ # Didn't find the attr, so don't add it.
 pass
 else:
 try:
@@ -1383,7 +1386,8 @@ class BaseLdap(object):
 if values.get('name') is not None:
 try:
 self.get_by_name(values['name'])
- except exception.NotFound:
+ except exception.NotFound: # nosec
+ # Didn't find it so it's unique, good.
 pass
 else:
 raise exception.Conflict(type=self.options_name,
@@ -1393,7 +1397,8 @@ class BaseLdap(object):
 if values.get('id') is not None:
 try:
 self.get(values['id'])
- except exception.NotFound:
+ except exception.NotFound: # nosec
+ # Didn't find it, so it's unique, good.
 pass
 else:
 raise exception.Conflict(type=self.options_name,
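Review bot: The comments added under the two new `# nosec` handlers in the method whose docstring is "Wait until all servers have completed running." (its `def` line is outside the hunk), `# If CTRL-C, just break out of the loop.` and `# If exiting, break out of the loop.`, describe a loop that is not there: the `try` wraps a single `self.pool.waitall()` call, so each handler simply lets the method return. Saying what actually happens keeps the next reader from looking for the loop: `# Interrupted (CTRL-C): stop waiting and return.` and `# Greenlet is exiting: stop waiting and return.`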
@@ -1840,7 +1845,8 @@ class EnabledEmuMixIn(BaseLdap):
 with self.get_connection() as conn:
 try:
 conn.modify_s(self.enabled_emulation_dn, modlist)
- except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE): # nosec
+ # It's already gone, good.
 pass
 def create(self, values):
diff --git a/keystone/common/sql/migration_helpers.py b/keystone/common/sql/migration_helpers.py
index aaa59f7042..fc3ea00af1 100644
--- a/keystone/common/sql/migration_helpers.py
+++ b/keystone/common/sql/migration_helpers.py
@@ -154,7 +154,7 @@ def _assert_not_schema_downgrade(extension=None, version=None):
 current_ver = int(six.text_type(get_db_version(extension)))
 if int(version) < current_ver:
 raise migration.exception.DbMigrationError()
- except exceptions.DatabaseNotControlledError:
+ except exceptions.DatabaseNotControlledError: # nosec
 # NOTE(morganfainberg): The database is not controlled, this action
 # cannot be a downgrade.
 pass
@@ -177,7 +177,7 @@ def _sync_extension_repo(extension, version):
 # Register the repo with the version control API
 # If it already knows about the repo, it will throw
 # an exception that we can safely ignore
- except exceptions.DatabaseAlreadyControlledError:
+ except exceptions.DatabaseAlreadyControlledError: # nosec
 pass
 except exception.MigrationNotProvided as e:
 print(e)
diff --git a/keystone/contrib/federation/idp.py b/keystone/contrib/federation/idp.py
index fe942bdca1..13f9903c92 100644
--- a/keystone/contrib/federation/idp.py
+++ b/keystone/contrib/federation/idp.py
@@ -448,7 +448,8 @@ def _sign_assertion(assertion):
 try:
 if file_path:
 os.remove(file_path)
- except OSError:
+ except OSError: # nosec
+ # The file is already gone, good.
 pass
 return saml2.create_class_from_xml_string(saml.Assertion, stdout)
diff --git a/keystone/contrib/federation/utils.py b/keystone/contrib/federation/utils.py
index bde19cfd3a..a4981a5d4b 100644
--- a/keystone/contrib/federation/utils.py
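Review bot: `# The file is already gone, good.` under `except OSError:` in `_sign_assertion` (`@@ -448,7 +448,8 @@`) is only true for ENOENT; `os.remove` raises the same `OSError` for EACCES/EPERM or a busy file, and in those cases the temporary file this function cleans up (what it holds is not visible in the hunk) stays on disk with no trace in the logs. Narrow the accepted case and surface the rest: `except OSError as e:` / `if e.errno != errno.ENOENT:` / `LOG.warning('Could not remove %s: %s', file_path, e)`, assuming `errno` and a module logger are available, since neither appears in the hunk. `_sign_assertion` begins before the hunk.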
+++ b/keystone/contrib/federation/utils.py
@@ -203,7 +203,8 @@ def get_remote_id_parameter(protocol):
 group=protocol)
 try:
 remote_id_parameter = CONF[protocol]['remote_id_attribute']
- except AttributeError:
+ except AttributeError: # nosec
+ # No remote ID attr, will be logged and use the default instead.
 pass
 if not remote_id_parameter:
 LOG.debug('Cannot find "remote_id_attribute" in configuration '
diff --git a/keystone/endpoint_policy/core.py b/keystone/endpoint_policy/core.py
index e176ac1cfd..89b37d801b 100644
--- a/keystone/endpoint_policy/core.py
+++ b/keystone/endpoint_policy/core.py
@@ -217,7 +217,8 @@ class Manager(manager.Manager):
 service_id=endpoint['service_id'],
 region_id=region_id)
 return ref['policy_id']
- except exception.PolicyAssociationNotFound:
+ except exception.PolicyAssociationNotFound: # nosec
+ # There wasn't one for that region & service, handle below.
 pass
 # There wasn't one for that region & service, let's
@@ -239,7 +240,9 @@ class Manager(manager.Manager):
 try:
 ref = self.driver.get_policy_association(endpoint_id=endpoint_id)
 return _get_policy(ref['policy_id'], endpoint_id)
- except exception.PolicyAssociationNotFound:
+ except exception.PolicyAssociationNotFound: # nosec
+ # There wasn't a policy explicitly defined for this endpoint,
+ # handled below.
 pass
 # There wasn't a policy explicitly defined for this endpoint, so
@@ -255,7 +258,8 @@ class Manager(manager.Manager):
 ref = self.driver.get_policy_association(
 service_id=endpoint['service_id'])
 return _get_policy(ref['policy_id'], endpoint_id)
- except exception.PolicyAssociationNotFound:
+ except exception.PolicyAssociationNotFound: # nosec
+ # No policy is associated with endpoint, handled below.
 pass
 msg = _('No policy is associated with endpoint '
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 0ec38190e5..32e6a2e62c 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
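Review bot: The handler comment added in the first keystone/endpoint_policy/core.py hunk (`@@ -217,7 +217,8 @@`), `# There wasn't one for that region & service, handle below.`, repeats the existing context comment two lines further down (`# There wasn't one for that region & service, let's`), so the fallthrough is now explained twice in adjacent lines. Keep the `# nosec` marker on the except line and drop the new handler comment, or move the existing one up into the handler; the second hunk (`@@ -239,7 +240,9 @@`) has the same duplication against `# There wasn't a policy explicitly defined for this endpoint, so`.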
@@ -149,7 +149,7 @@ class User(controller.V2Controller):
 try:
 self.assignment_api.add_user_to_project(
 user_ref['tenantId'], user_id)
- except exception.Conflict:
+ except exception.Conflict: # nosec
 # We are already a member of that tenant
 pass
 except exception.NotFound:
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index e3b70eb485..b825486cbe 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -70,7 +70,8 @@ def filter_user(user_ref):
 try:
 user_ref['extra'].pop('password', None)
 user_ref['extra'].pop('tenants', None)
- except KeyError:
+ except KeyError: # nosec
+ # ok to not have extra in the user_ref.
 pass
 return user_ref
@@ -404,7 +405,7 @@ class DomainConfigs(dict):
 # specific driver for this domain.
 try:
 del self[domain_id]
- except KeyError:
+ except KeyError: # nosec
 # Allow this error in case we are unlucky and in a
 # multi-threaded situation, two threads happen to be running
 # in lock step.
diff --git a/keystone/identity/mapping_backends/sql.py b/keystone/identity/mapping_backends/sql.py
index 7ab4ef52a2..032d7064a8 100644
--- a/keystone/identity/mapping_backends/sql.py
+++ b/keystone/identity/mapping_backends/sql.py
@@ -78,7 +78,7 @@ class Mapping(identity.MappingDriverV8):
 try:
 session.query(IDMapping).filter(
 IDMapping.public_id == public_id).delete()
- except sql.NotFound:
+ except sql.NotFound: # nosec
 # NOTE(morganfainberg): There is nothing to delete and nothing
 # to do.
 pass
diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py
index 2032fd19c0..309097029b 100644
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@@ -116,7 +116,7 @@ class KeystoneToken(dict):
 return self['user']['domain']['name']
 elif 'user' in self:
 return "Default"
- except KeyError:
+ except KeyError: # nosec
 # Do not raise KeyError, raise UnexpectedError
 pass
 raise exception.UnexpectedError()
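Review bot: In the `KeystoneToken` accessor (`@@ -116,7 +116,7 @@`) the handler is `except KeyError:  # nosec` plus a comment and `pass`, followed by `raise exception.UnexpectedError()` after the `try`; the comment "Do not raise KeyError, raise UnexpectedError" describes exactly what an explicit handler would do. Writing `except KeyError:` / `raise exception.UnexpectedError()` in the handler, and keeping the trailing raise for the case where neither branch in the `try` matched, makes the conversion explicit and removes the need for a nosec marker here at all. The same shape appears in the `@@ -128,7 +128,7 @@`, `@@ -184,7 +184,7 @@` and `@@ -197,7 +197,7 @@` hunks of this file; for the last two the raise after the `try` lies outside the hunk, so presumably it is present there too.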
@@ -128,7 +128,7 @@ class KeystoneToken(dict):
 return self['user']['domain']['id']
 elif 'user' in self:
 return CONF.identity.default_domain_id
- except KeyError:
+ except KeyError: # nosec
 # Do not raise KeyError, raise UnexpectedError
 pass
 raise exception.UnexpectedError()
@@ -184,7 +184,7 @@ class KeystoneToken(dict):
 return self['project']['domain']['id']
 elif 'tenant' in self['token']:
 return CONF.identity.default_domain_id
- except KeyError:
+ except KeyError: # nosec
 # Do not raise KeyError, raise UnexpectedError
 pass
@@ -197,7 +197,7 @@ class KeystoneToken(dict):
 return self['project']['domain']['name']
 if 'tenant' in self['token']:
 return 'Default'
- except KeyError:
+ except KeyError: # nosec
 # Do not raise KeyError, raise UnexpectedError
 pass
diff --git a/keystone/resource/config_backends/sql.py b/keystone/resource/config_backends/sql.py
index 7c296074aa..b94691e49d 100644
--- a/keystone/resource/config_backends/sql.py
+++ b/keystone/resource/config_backends/sql.py
@@ -130,7 +130,8 @@ class DomainConfig(resource.DomainConfigDriverV8):
 ref = ConfigRegister(type=type, domain_id=domain_id)
 session.add(ref)
 return True
- except sql.DBDuplicateEntry:
+ except sql.DBDuplicateEntry: # nosec
+ # Continue on and return False to indicate failure.
 pass
 return False
diff --git a/keystone/token/persistence/core.py b/keystone/token/persistence/core.py
index e68970ace5..96f69720ed 100644
--- a/keystone/token/persistence/core.py
+++ b/keystone/token/persistence/core.py
@@ -317,7 +317,8 @@ class TokenDriverV8(object):
 for token in token_list:
 try:
 self.delete_token(token)
- except exception.NotFound:
+ except exception.NotFound: # nosec
+ # The token is already gone, good.
 pass
 return token_list
diff --git a/keystone/token/providers/fernet/utils.py b/keystone/token/providers/fernet/utils.py
index 4235eda86e..2fdd33513d 100644
--- a/keystone/token/providers/fernet/utils.py
+++ b/keystone/token/providers/fernet/utils.py
@@ -176,7 +176,7 @@ def rotate_keys(keystone_user_id=None, keystone_group_id=None):
 if os.path.isfile(path):
 try:
 key_id = int(filename)
- except ValueError:
+ except ValueError: # nosec : name isn't a number, ignore the file.
 pass
 else:
 key_files[key_id] = path
@@ -243,7 +243,8 @@ def load_keys():
 with open(path, 'r') as key_file:
 try:
 key_id = int(filename)
- except ValueError:
+ except ValueError: # nosec : filename isn't a number, ignore
+ # this file since it's not a key.
 pass
 else:
 keys[key_id] = key_file.read()
diff --git a/keystone/trust/core.py b/keystone/trust/core.py
index 7838cb033d..53eaebd0c7 100644
--- a/keystone/trust/core.py
+++ b/keystone/trust/core.py
@@ -192,7 +192,7 @@ class Manager(manager.Manager):
 # recursive call to make sure all notifications are sent
 try:
 self.delete_trust(t['id'])
- except exception.TrustNotFound:
+ except exception.TrustNotFound: # nosec
 # if trust was deleted by concurrent process
 # consistency must not suffer
 pass
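Review bot: In `load_keys` (`@@ -243,7 +243,8 @@`) the context line `with open(path, 'r') as key_file:` opens the file before `int(filename)` decides whether it is a key at all, so the new comment `ignore this file since it's not a key` applies to a file that has already been opened, and every non-key entry in the key repository is opened on each load. Moving the `int(filename)` check ahead of the `open`, with the `# nosec` handler skipping to the next name, means only numerically named files are ever read; `rotate_keys` in the first hunk already checks `os.path.isfile(path)` before parsing, so the two loops could share one "is this a key file" step. The loop header is outside the hunk, so whether the skip is a `continue` or an `else:` block depends on it.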