Revert "Blacklist bandit 1.6.0"

This reverts commit ebac8330d8. Using the glob that I had not yet had enough coffee to do correctly is a better solution, and allows us to fix new failures in 1.6.0 which would break us again when 1.6.1 was released. Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54 (cherry picked from commit dc3175afb1)
2019-05-14 20:47:18 +00:00 · 2019-05-14 20:47:18 +00:00 · c220cc450c
parent 00242bd197
commit c220cc450c
10 changed files with 15 additions and 14 deletions
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -58,7 +58,7 @@ class Manager(manager.Manager):
    driver_namespace = 'keystone.assignment'
    _provides_api = 'assignment_api'

-    _SYSTEM_SCOPE_TOKEN = 'system'
+    _SYSTEM_SCOPE_TOKEN = 'system'  # nosec
    _USER_SYSTEM = 'UserSystem'
    _GROUP_SYSTEM = 'GroupSystem'
    _PROJECT = 'project'
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@ -25,11 +25,11 @@ from keystone import exception


 # Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
+AUTH_TOKEN_HEADER = 'X-Auth-Token'  # nosec


 # Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token'  # nosec


 CONF = conf.CONF
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
 RULE_ADMIN_OR_TARGET_PROJECT = (
    'rule:admin_required or '
    'project_id:%(target.project.id)s')
-RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'  # nosec
 RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
-RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
+    'rule:service_admin_or_token_subject')  # nosec
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'

--- a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password'  # nosec


 def upgrade(migrate_engine):
--- a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password'  # nosec


 def upgrade(migrate_engine):
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@ -247,7 +247,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
        new_dict = user_dict.copy()
        resource_options = {}
        options = new_dict.pop('options', {})
-        password_expires_at_key = 'password_expires_at'
+        password_expires_at_key = 'password_expires_at'  # nosec
        if password_expires_at_key in user_dict:
            del new_dict[password_expires_at_key]
        for opt in cls.resource_options_registry.options:
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@ -76,7 +76,7 @@ CONF = keystone.conf.CONF

 # NOTE(morganfainberg): Special case notifications that are only used
 # internally for handling token persistence token deletions
-INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
+INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'  # nosec
 PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
 REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
 DOMAIN_DELETED = 'domain_deleted'
--- a/keystone/oauth1/core.py
+++ b/keystone/oauth1/core.py
@ -113,8 +113,8 @@ class Manager(manager.Manager):
    driver_namespace = 'keystone.oauth1'
    _provides_api = 'oauth_api'

-    _ACCESS_TOKEN = "OS-OAUTH1:access_token"
-    _REQUEST_TOKEN = "OS-OAUTH1:request_token"
+    _ACCESS_TOKEN = "OS-OAUTH1:access_token"  # nosec
+    _REQUEST_TOKEN = "OS-OAUTH1:request_token"  # nosec
    _CONSUMER = "OS-OAUTH1:consumer"

    def __init__(self):
--- a/setup.cfg
+++ b/setup.cfg
@ -35,7 +35,7 @@ memcache =
 mongodb =
  pymongo!=3.1,>=3.0.2 # Apache-2.0
 bandit =
-  bandit!=1.6.0,>=1.1.0 # Apache-2.0
+  bandit>=1.1.0 # Apache-2.0

 [global]
 setup-hooks =
--- a/tox.ini
+++ b/tox.ini
@ -35,14 +35,14 @@ commands =
  # the check and gate queues
  bashate devstack/plugin.sh
  # Run security linter
-  bandit -r keystone -x tests
+  bandit -r keystone -x 'keystone/tests/*'

 [testenv:bandit]
 basepython = python3
 # NOTE(browne): This is required for the integration test job of the bandit
 # project. Please do not remove.
 deps = .[bandit]
-commands = bandit -r keystone -x tests
+commands = bandit -r keystone -x 'keystone/tests/*'

 [testenv:cover]
 basepython = python3