Merge "Revert "Blacklist bandit 1.6.0""

2019-05-16 21:38:30 +00:00 · 2019-05-16 21:38:30 +00:00 · a34386f2d0
parent 5c5d71cce9 dc3175afb1
commit a34386f2d0
10 changed files with 15 additions and 14 deletions
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -58,7 +58,7 @@ class Manager(manager.Manager):
    driver_namespace = 'keystone.assignment'
    _provides_api = 'assignment_api'

-    _SYSTEM_SCOPE_TOKEN = 'system'
+    _SYSTEM_SCOPE_TOKEN = 'system'  # nosec
    _USER_SYSTEM = 'UserSystem'
    _GROUP_SYSTEM = 'GroupSystem'
    _PROJECT = 'project'
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@ -19,7 +19,7 @@
 # A couple common constants for Auth data

 # Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
+AUTH_TOKEN_HEADER = 'X-Auth-Token'  # nosec


 # Header used to transmit the auth receipt
@ -27,7 +27,7 @@ AUTH_RECEIPT_HEADER = 'Openstack-Auth-Receipt'


 # Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token'  # nosec

 # Environment variable used to convey the Keystone auth context,
 # the user credential used for policy enforcement.
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
 RULE_ADMIN_OR_TARGET_PROJECT = (
    'rule:admin_required or '
    'project_id:%(target.project.id)s')
-RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'  # nosec
 RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
-RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
+    'rule:service_admin_or_token_subject')  # nosec
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'

--- a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password'  # nosec


 def upgrade(migrate_engine):
--- a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password'  # nosec


 def upgrade(migrate_engine):
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@ -243,7 +243,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
        new_dict = user_dict.copy()
        resource_options = {}
        options = new_dict.pop('options', {})
-        password_expires_at_key = 'password_expires_at'
+        password_expires_at_key = 'password_expires_at'  # nosec
        if password_expires_at_key in user_dict:
            del new_dict[password_expires_at_key]
        for opt in cls.resource_options_registry.options:
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@ -80,7 +80,7 @@ CONF = keystone.conf.CONF

 # NOTE(morganfainberg): Special case notifications that are only used
 # internally for handling token persistence token deletions
-INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
+INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'  # nosec
 PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
 REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
 DOMAIN_DELETED = 'domain_deleted'
--- a/keystone/oauth1/core.py
+++ b/keystone/oauth1/core.py
@ -118,8 +118,8 @@ class Manager(manager.Manager):
    driver_namespace = 'keystone.oauth1'
    _provides_api = 'oauth_api'

-    _ACCESS_TOKEN = "OS-OAUTH1:access_token"
-    _REQUEST_TOKEN = "OS-OAUTH1:request_token"
+    _ACCESS_TOKEN = "OS-OAUTH1:access_token"  # nosec
+    _REQUEST_TOKEN = "OS-OAUTH1:request_token"  # nosec
    _CONSUMER = "OS-OAUTH1:consumer"

    def __init__(self):
--- a/setup.cfg
+++ b/setup.cfg
@ -35,7 +35,7 @@ memcache =
 mongodb =
  pymongo!=3.1,>=3.0.2 # Apache-2.0
 bandit =
-  bandit!=1.6.0,>=1.1.0 # Apache-2.0
+  bandit>=1.1.0 # Apache-2.0

 [global]
 setup-hooks =
--- a/tox.ini
+++ b/tox.ini
@ -37,7 +37,7 @@ commands =
  # the check and gate queues
  bashate devstack/plugin.sh
  # Run security linter
-  bandit -r keystone -x tests
+  bandit -r keystone -x 'keystone/tests/*'

 [testenv:bandit]
 basepython = python3
@ -46,7 +46,7 @@ basepython = python3
 deps = -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt}
       -r{toxinidir}/requirements.txt
       .[bandit]
-commands = bandit -r keystone -x tests
+commands = bandit -r keystone -x 'keystone/tests/*'

 [testenv:cover]
 basepython = python3