
Revert "Blacklist bandit 1.6.0"

This reverts commit ebac8330d8.

Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
(cherry picked from commit dc3175afb1)
changes/75/667675/1
Jim Rollenhagen 4 months ago
parent
commit
c220cc450c

+ 1
- 1
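--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -58,7 +58,7 @@ class Manager(manager.Manager):
     driver_namespace = 'keystone.assignment'
     _provides_api = 'assignment_api'
 
-    _SYSTEM_SCOPE_TOKEN = 'system'
+    _SYSTEM_SCOPE_TOKEN = 'system'  # nosec
     _USER_SYSTEM = 'UserSystem'
     _GROUP_SYSTEM = 'GroupSystem'
     _PROJECT = 'project'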
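Review bot: The `# nosec` added on `_SYSTEM_SCOPE_TOKEN` is a bare marker with no rationale, so it silences every bandit check on that line and a later reader cannot tell which finding was judged a false positive. The same applies to the markers added in keystone/common/authorization.py, keystone/common/policies/base.py (where the marker sits on the continuation line of a wrapped assignment), both migrate_repo files, keystone/identity/backends/sql_model.py, keystone/notifications.py and keystone/oauth1/core.py. I would put a short comment above each, e.g. `# Scope name, not a credential; presumably flagged by bandit's hardcoded-password check (B105) because of the variable name.` Newer bandit releases also accept a test-scoped form such as `# nosec B105`; whether the `bandit>=1.1.0` floor in setup.cfg honours that scoping should be confirmed before relying on it. The Manager class body continues outside the hunk.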

+ 2
- 2
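--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@@ -25,11 +25,11 @@ from keystone import exception
 
 
 # Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
+AUTH_TOKEN_HEADER = 'X-Auth-Token'  # nosec
 
 
 # Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token'  # nosec
 
 
 CONF = conf.CONF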

+ 3
- 2
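--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
 RULE_ADMIN_OR_TARGET_PROJECT = (
     'rule:admin_required or '
     'project_id:%(target.project.id)s')
-RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'  # nosec
 RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
-RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
+    'rule:service_admin_or_token_subject')  # nosec
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
 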

+ 1
- 1
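--- a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password'  # nosec
 
 
 def upgrade(migrate_engine):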

+ 1
- 1
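--- a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password'  # nosec
 
 
 def upgrade(migrate_engine):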

+ 1
- 1
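--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@@ -247,7 +247,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
         new_dict = user_dict.copy()
         resource_options = {}
         options = new_dict.pop('options', {})
-        password_expires_at_key = 'password_expires_at'
+        password_expires_at_key = 'password_expires_at'  # nosec
         if password_expires_at_key in user_dict:
             del new_dict[password_expires_at_key]
         for opt in cls.resource_options_registry.options: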

+ 1
- 1
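--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -76,7 +76,7 @@ CONF = keystone.conf.CONF
 
 # NOTE(morganfainberg): Special case notifications that are only used
 # internally for handling token persistence token deletions
-INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
+INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'  # nosec
 PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
 REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
 DOMAIN_DELETED = 'domain_deleted'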

+ 2
- 2
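--- a/keystone/oauth1/core.py
+++ b/keystone/oauth1/core.py
@@ -113,8 +113,8 @@ class Manager(manager.Manager):
     driver_namespace = 'keystone.oauth1'
     _provides_api = 'oauth_api'
 
-    _ACCESS_TOKEN = "OS-OAUTH1:access_token"
-    _REQUEST_TOKEN = "OS-OAUTH1:request_token"
+    _ACCESS_TOKEN = "OS-OAUTH1:access_token"  # nosec
+    _REQUEST_TOKEN = "OS-OAUTH1:request_token"  # nosec
     _CONSUMER = "OS-OAUTH1:consumer"
 
     def __init__(self):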

+ 1
- 1
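--- a/setup.cfg
+++ b/setup.cfg
@@ -35,7 +35,7 @@ memcache =
 mongodb =
   pymongo!=3.1,>=3.0.2 # Apache-2.0
 bandit =
-  bandit!=1.6.0,>=1.1.0 # Apache-2.0
+  bandit>=1.1.0 # Apache-2.0
 
 [global]
 setup-hooks =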

+ 2
- 2
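--- a/tox.ini
+++ b/tox.ini
@@ -35,14 +35,14 @@ commands =
   # the check and gate queues
   bashate devstack/plugin.sh
   # Run security linter
-  bandit -r keystone -x tests
+  bandit -r keystone -x 'keystone/tests/*'
 
 [testenv:bandit]
 basepython = python3
 # NOTE(browne): This is required for the integration test job of the bandit
 # project. Please do not remove.
 deps = .[bandit]
-commands = bandit -r keystone -x tests
+commands = bandit -r keystone -x 'keystone/tests/*'
 
 [testenv:cover]
 basepython = python3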
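Review bot: The new `-x 'keystone/tests/*'` on both bandit command lines only excludes the test tree if the installed bandit treats `-x` values as globs, yet setup.cfg in this same commit still allows `bandit>=1.1.0`. If I read bandit's history right, releases before 1.6.0 matched `-x` values as plain substrings, so on such a version the pattern would match nothing and the test tree would be scanned too, failing or flooding the gate. Raising the floor to match, `bandit>=1.6.0 # Apache-2.0`, would make the requirement explicit. The first `commands =` list starts outside the hunk.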
