Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8.

Using the glob that I had not yet had enough coffee to do correctly is a better solution, and allows us to fix new failures in 1.6.0 which would break us again when 1.6.1 was released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
(cherry picked from commit dc3175afb1)
parent
00242bd197
commit
c220cc450c
|
@ -58,7 +58,7 @@ class Manager(manager.Manager):
|
||||||
driver_namespace = 'keystone.assignment'
|
driver_namespace = 'keystone.assignment'
|
||||||
_provides_api = 'assignment_api'
|
_provides_api = 'assignment_api'
|
||||||
|
|
||||||
_SYSTEM_SCOPE_TOKEN = 'system'
|
_SYSTEM_SCOPE_TOKEN = 'system' # nosec
|
||||||
_USER_SYSTEM = 'UserSystem'
|
_USER_SYSTEM = 'UserSystem'
|
||||||
_GROUP_SYSTEM = 'GroupSystem'
|
_GROUP_SYSTEM = 'GroupSystem'
|
||||||
_PROJECT = 'project'
|
_PROJECT = 'project'
|
||||||
|
|
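Review bot: The bare `# nosec` added to `_SYSTEM_SCOPE_TOKEN` carries no reason, and a bare marker silences every bandit check on that line rather than only the one that fired, so a later real finding on the same line would go unreported. The same applies to the other markers in this commit: `AUTH_TOKEN_HEADER`, `SUBJECT_TOKEN_HEADER`, the two `RULE_*_TOKEN_SUBJECT` policy strings, both `_USER_PASSWORD_COLUMN_NAME` migration constants, `password_expires_at_key`, `INVALIDATE_TOKEN_CACHE`, and the OAuth1 `_ACCESS_TOKEN`/`_REQUEST_TOKEN`. These look like false positives from the hardcoded-password heuristic matching "token" or "password" in the name, though the page does not show the bandit output. I would add a one-line comment above each, e.g. `# bandit false positive: fixed identifier, not a credential`, so the suppression can be audited later. The class body continues outside the hunk.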
|
@ -25,11 +25,11 @@ from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
# Header used to transmit the auth token
|
# Header used to transmit the auth token
|
||||||
AUTH_TOKEN_HEADER = 'X-Auth-Token'
|
AUTH_TOKEN_HEADER = 'X-Auth-Token' # nosec
|
||||||
|
|
||||||
|
|
||||||
# Header used to transmit the subject token
|
# Header used to transmit the subject token
|
||||||
SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
|
SUBJECT_TOKEN_HEADER = 'X-Subject-Token' # nosec
|
||||||
|
|
||||||
|
|
||||||
CONF = conf.CONF
|
CONF = conf.CONF
|
||||||
|
|
|
@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
|
||||||
RULE_ADMIN_OR_TARGET_PROJECT = (
|
RULE_ADMIN_OR_TARGET_PROJECT = (
|
||||||
'rule:admin_required or '
|
'rule:admin_required or '
|
||||||
'project_id:%(target.project.id)s')
|
'project_id:%(target.project.id)s')
|
||||||
RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
|
RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject' # nosec
|
||||||
RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
|
RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
|
||||||
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
|
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
|
||||||
|
'rule:service_admin_or_token_subject') # nosec
|
||||||
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
|
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
|
||||||
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
|
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@ import sqlalchemy as sql
|
||||||
_USER_TABLE_NAME = 'user'
|
_USER_TABLE_NAME = 'user'
|
||||||
_USER_NAME_COLUMN_NAME = 'name'
|
_USER_NAME_COLUMN_NAME = 'name'
|
||||||
_USER_DOMAINID_COLUMN_NAME = 'domain_id'
|
_USER_DOMAINID_COLUMN_NAME = 'domain_id'
|
||||||
_USER_PASSWORD_COLUMN_NAME = 'password'
|
_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
|
||||||
|
|
||||||
|
|
||||||
def upgrade(migrate_engine):
|
def upgrade(migrate_engine):
|
||||||
|
|
|
@ -16,7 +16,7 @@ import sqlalchemy as sql
|
||||||
_USER_TABLE_NAME = 'user'
|
_USER_TABLE_NAME = 'user'
|
||||||
_USER_NAME_COLUMN_NAME = 'name'
|
_USER_NAME_COLUMN_NAME = 'name'
|
||||||
_USER_DOMAINID_COLUMN_NAME = 'domain_id'
|
_USER_DOMAINID_COLUMN_NAME = 'domain_id'
|
||||||
_USER_PASSWORD_COLUMN_NAME = 'password'
|
_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
|
||||||
|
|
||||||
|
|
||||||
def upgrade(migrate_engine):
|
def upgrade(migrate_engine):
|
||||||
|
|
|
@ -247,7 +247,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
|
||||||
new_dict = user_dict.copy()
|
new_dict = user_dict.copy()
|
||||||
resource_options = {}
|
resource_options = {}
|
||||||
options = new_dict.pop('options', {})
|
options = new_dict.pop('options', {})
|
||||||
password_expires_at_key = 'password_expires_at'
|
password_expires_at_key = 'password_expires_at' # nosec
|
||||||
if password_expires_at_key in user_dict:
|
if password_expires_at_key in user_dict:
|
||||||
del new_dict[password_expires_at_key]
|
del new_dict[password_expires_at_key]
|
||||||
for opt in cls.resource_options_registry.options:
|
for opt in cls.resource_options_registry.options:
|
||||||
|
|
|
@ -76,7 +76,7 @@ CONF = keystone.conf.CONF
|
||||||
|
|
||||||
# NOTE(morganfainberg): Special case notifications that are only used
|
# NOTE(morganfainberg): Special case notifications that are only used
|
||||||
# internally for handling token persistence token deletions
|
# internally for handling token persistence token deletions
|
||||||
INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
|
INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' # nosec
|
||||||
PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
|
PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
|
||||||
REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
|
REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
|
||||||
DOMAIN_DELETED = 'domain_deleted'
|
DOMAIN_DELETED = 'domain_deleted'
|
||||||
|
|
|
@ -113,8 +113,8 @@ class Manager(manager.Manager):
|
||||||
driver_namespace = 'keystone.oauth1'
|
driver_namespace = 'keystone.oauth1'
|
||||||
_provides_api = 'oauth_api'
|
_provides_api = 'oauth_api'
|
||||||
|
|
||||||
_ACCESS_TOKEN = "OS-OAUTH1:access_token"
|
_ACCESS_TOKEN = "OS-OAUTH1:access_token" # nosec
|
||||||
_REQUEST_TOKEN = "OS-OAUTH1:request_token"
|
_REQUEST_TOKEN = "OS-OAUTH1:request_token" # nosec
|
||||||
_CONSUMER = "OS-OAUTH1:consumer"
|
_CONSUMER = "OS-OAUTH1:consumer"
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
|
|
|
@ -35,7 +35,7 @@ memcache =
|
||||||
mongodb =
|
mongodb =
|
||||||
pymongo!=3.1,>=3.0.2 # Apache-2.0
|
pymongo!=3.1,>=3.0.2 # Apache-2.0
|
||||||
bandit =
|
bandit =
|
||||||
bandit!=1.6.0,>=1.1.0 # Apache-2.0
|
bandit>=1.1.0 # Apache-2.0
|
||||||
|
|
||||||
[global]
|
[global]
|
||||||
setup-hooks =
|
setup-hooks =
|
||||||
|
|
4
tox.ini
4
tox.ini
|
@ -35,14 +35,14 @@ commands =
|
||||||
# the check and gate queues
|
# the check and gate queues
|
||||||
bashate devstack/plugin.sh
|
bashate devstack/plugin.sh
|
||||||
# Run security linter
|
# Run security linter
|
||||||
bandit -r keystone -x tests
|
bandit -r keystone -x 'keystone/tests/*'
|
||||||
|
|
||||||
[testenv:bandit]
|
[testenv:bandit]
|
||||||
basepython = python3
|
basepython = python3
|
||||||
# NOTE(browne): This is required for the integration test job of the bandit
|
# NOTE(browne): This is required for the integration test job of the bandit
|
||||||
# project. Please do not remove.
|
# project. Please do not remove.
|
||||||
deps = .[bandit]
|
deps = .[bandit]
|
||||||
commands = bandit -r keystone -x tests
|
commands = bandit -r keystone -x 'keystone/tests/*'
|
||||||
|
|
||||||
[testenv:cover]
|
[testenv:cover]
|
||||||
basepython = python3
|
basepython = python3
|
||||||
|
|
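Review bot: The new `-x 'keystone/tests/*'` argument relies on bandit treating the exclude value as a glob, but this commit also relaxes the extras requirement back to `bandit>=1.1.0`, which still admits releases older than 1.6.0. If those older releases match `-x` as a plain path fragment (not confirmed from this page), the pattern would match nothing and the test tree would be scanned, so the gate result would depend on which bandit version gets installed. Raising the lower bound to the first release with glob excludes, or stating the minimum version in a comment next to `# Run security linter`, would make that explicit. The same command appears in both the lint `commands =` block and `[testenv:bandit]`, so the two need to stay in sync.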