Revert "Blacklist bandit 1.6.0"

This reverts commit ebac8330d8.

Using the glob (which I had not yet had enough coffee to write correctly) is
the better solution: it lets us fix the new failures in 1.6.0 now, instead of
having them break us again when 1.6.1 is released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
(cherry picked from commit dc3175afb1)
Jim Rollenhagen 2019-05-14 20:47:18 +00:00
parent 00242bd197
commit c220cc450c
10 changed files with 15 additions and 14 deletions


@ -58,7 +58,7 @@ class Manager(manager.Manager):
driver_namespace = 'keystone.assignment' driver_namespace = 'keystone.assignment'
_provides_api = 'assignment_api' _provides_api = 'assignment_api'
_SYSTEM_SCOPE_TOKEN = 'system' _SYSTEM_SCOPE_TOKEN = 'system' # nosec
_USER_SYSTEM = 'UserSystem' _USER_SYSTEM = 'UserSystem'
_GROUP_SYSTEM = 'GroupSystem' _GROUP_SYSTEM = 'GroupSystem'
_PROJECT = 'project' _PROJECT = 'project'
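Review bot: The bare `# nosec` added to `_SYSTEM_SCOPE_TOKEN = 'system'` suppresses every bandit check on that line, not only the hardcoded-password string test (B105) that these identifier-like constants trip; the same bare form is used on AUTH_TOKEN_HEADER and SUBJECT_TOKEN_HEADER, RULE_ADMIN_OR_TOKEN_SUBJECT and RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT, _USER_PASSWORD_COLUMN_NAME in both migrations, password_expires_at_key, INVALIDATE_TOKEN_CACHE, and the oauth1 _ACCESS_TOKEN/_REQUEST_TOKEN hunks. Newer bandit releases accept a test-id qualified suppression, `_SYSTEM_SCOPE_TOKEN = 'system'  # nosec B105`, which keeps any later edit to these lines covered by the remaining checks; since setup.cfg now allows `bandit>=1.1.0`, whether every permitted release understands that form is not visible here, so treat it as a follow-up. A one-line comment above the first suppression in each file stating that these values are scope names, header names and column names rather than credentials would tell the next reader why the finding was silenced rather than fixed. The `password_expires_at_key` hunk sits inside a method whose definition starts outside the hunk.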


@ -25,11 +25,11 @@ from keystone import exception
# Header used to transmit the auth token # Header used to transmit the auth token
AUTH_TOKEN_HEADER = 'X-Auth-Token' AUTH_TOKEN_HEADER = 'X-Auth-Token' # nosec
# Header used to transmit the subject token # Header used to transmit the subject token
SUBJECT_TOKEN_HEADER = 'X-Subject-Token' SUBJECT_TOKEN_HEADER = 'X-Subject-Token' # nosec
CONF = conf.CONF CONF = conf.CONF


@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
RULE_ADMIN_OR_TARGET_PROJECT = ( RULE_ADMIN_OR_TARGET_PROJECT = (
'rule:admin_required or ' 'rule:admin_required or '
'project_id:%(target.project.id)s') 'project_id:%(target.project.id)s')
RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject' RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject' # nosec
RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin' RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject' RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
'rule:service_admin_or_token_subject') # nosec
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin' RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s' RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'


@ -16,7 +16,7 @@ import sqlalchemy as sql
_USER_TABLE_NAME = 'user' _USER_TABLE_NAME = 'user'
_USER_NAME_COLUMN_NAME = 'name' _USER_NAME_COLUMN_NAME = 'name'
_USER_DOMAINID_COLUMN_NAME = 'domain_id' _USER_DOMAINID_COLUMN_NAME = 'domain_id'
_USER_PASSWORD_COLUMN_NAME = 'password' _USER_PASSWORD_COLUMN_NAME = 'password' # nosec
def upgrade(migrate_engine): def upgrade(migrate_engine):


@ -16,7 +16,7 @@ import sqlalchemy as sql
_USER_TABLE_NAME = 'user' _USER_TABLE_NAME = 'user'
_USER_NAME_COLUMN_NAME = 'name' _USER_NAME_COLUMN_NAME = 'name'
_USER_DOMAINID_COLUMN_NAME = 'domain_id' _USER_DOMAINID_COLUMN_NAME = 'domain_id'
_USER_PASSWORD_COLUMN_NAME = 'password' _USER_PASSWORD_COLUMN_NAME = 'password' # nosec
def upgrade(migrate_engine): def upgrade(migrate_engine):


@ -247,7 +247,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
new_dict = user_dict.copy() new_dict = user_dict.copy()
resource_options = {} resource_options = {}
options = new_dict.pop('options', {}) options = new_dict.pop('options', {})
password_expires_at_key = 'password_expires_at' password_expires_at_key = 'password_expires_at' # nosec
if password_expires_at_key in user_dict: if password_expires_at_key in user_dict:
del new_dict[password_expires_at_key] del new_dict[password_expires_at_key]
for opt in cls.resource_options_registry.options: for opt in cls.resource_options_registry.options:


@ -76,7 +76,7 @@ CONF = keystone.conf.CONF
# NOTE(morganfainberg): Special case notifications that are only used # NOTE(morganfainberg): Special case notifications that are only used
# internally for handling token persistence token deletions # internally for handling token persistence token deletions
INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' # nosec
PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user' PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user' REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
DOMAIN_DELETED = 'domain_deleted' DOMAIN_DELETED = 'domain_deleted'


@ -113,8 +113,8 @@ class Manager(manager.Manager):
driver_namespace = 'keystone.oauth1' driver_namespace = 'keystone.oauth1'
_provides_api = 'oauth_api' _provides_api = 'oauth_api'
_ACCESS_TOKEN = "OS-OAUTH1:access_token" _ACCESS_TOKEN = "OS-OAUTH1:access_token" # nosec
_REQUEST_TOKEN = "OS-OAUTH1:request_token" _REQUEST_TOKEN = "OS-OAUTH1:request_token" # nosec
_CONSUMER = "OS-OAUTH1:consumer" _CONSUMER = "OS-OAUTH1:consumer"
def __init__(self): def __init__(self):


@ -35,7 +35,7 @@ memcache =
mongodb = mongodb =
pymongo!=3.1,>=3.0.2 # Apache-2.0 pymongo!=3.1,>=3.0.2 # Apache-2.0
bandit = bandit =
bandit!=1.6.0,>=1.1.0 # Apache-2.0 bandit>=1.1.0 # Apache-2.0
[global] [global]
setup-hooks = setup-hooks =


@ -35,14 +35,14 @@ commands =
# the check and gate queues # the check and gate queues
bashate devstack/plugin.sh bashate devstack/plugin.sh
# Run security linter # Run security linter
bandit -r keystone -x tests bandit -r keystone -x 'keystone/tests/*'
[testenv:bandit] [testenv:bandit]
basepython = python3 basepython = python3
# NOTE(browne): This is required for the integration test job of the bandit # NOTE(browne): This is required for the integration test job of the bandit
# project. Please do not remove. # project. Please do not remove.
deps = .[bandit] deps = .[bandit]
commands = bandit -r keystone -x tests commands = bandit -r keystone -x 'keystone/tests/*'
[testenv:cover] [testenv:cover]
basepython = python3 basepython = python3
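Review bot: The exclusion `-x 'keystone/tests/*'` is now written twice, once in the linter `commands` list and again in `[testenv:bandit]`, and the reason it is a glob instead of the former bare `tests` lives only in the commit message. A comment above the first occurrence, `# bandit -x is matched as a path glob; a bare 'tests' does not exclude keystone/tests`, would keep the next reader from simplifying it back and breaking the gate. The commit message implies this glob form is what bandit 1.6.0 expects; whether the older releases that setup.cfg still permits (`bandit>=1.1.0`) honour it the same way is not visible from this page and is worth confirming before the dependency range is relied on.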