Commit Graph

14802 Commits (master)

Author SHA1 Message Date
Zuul a7ba534f3d Merge "Imported Translations from Zanata" 2 days ago
Zuul 9fdbbcddc8 Merge "Bump SQLAlchemy minimum version" 2 days ago
OpenStack Proposal Bot f64b741ddb Imported Translations from Zanata
For more information about this automatic import see:

Change-Id: I85f65708996160a6b87bc29435dab8e71a2a01d6
3 weeks ago
Zuul 74ea58e0b9 Merge "[PooledLDAPHandler] Clean up the fix for result3()" 3 weeks ago
Zuul 1d58835d3e Merge "Print a human readable error if tls certs are not provided" 1 month ago
Zuul 2bde395ac4 Merge "Update master for stable/2023.1" 1 month ago
Zuul 5397c04499 Merge "Remove authenticate.failed from the notification_opt_out list" 1 month ago
Zuul 95288d2ce3 Merge "fix(federation): allow using numerical group names" 1 month ago
David Hill f66a7d11b5 Print a human readable error if tls certs are not provided
Print a human readable error if tls certs are not provided when using
ldaps:// or use_tls and not providing CA certificates.

Change-Id: I5d3613617278443673a265259351a2e1d5dc7f44
3 months ago
Pete Zaitcev 42e2f985b2 [PooledLDAPHandler] Clean up the fix for result3()
An empty exception clause is unnecessary when you're using
a "finally" clause.

Previous-Change-Id: I59ebf0fa77391d49b2349e918fc55f96318c42a6
Change-Id: I903db2fd2ac810ec96dbd25fc6529752c08f9a79
3 months ago
Hiromu Asahina f5db9801c2 Remove Dependency on Cryptography >=36.0.0
The mTLS OAuth2.0 in Keystone uses a parameter that is only available on
cryptography 36.0.0 or later. Users may have to upgrade cryptography
which is already installed, which can be an unreasonable hassle. This
patch introduces an alternative for that parameter.

Closes-bug: 2009600
Change-Id: Idffe269b62797bb2935429f4069e878a177db04f
3 months ago
OpenStack Release Bot ba953a247e Update master for stable/2023.1
Add file to the reno documentation build to show release notes for

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on

Sem-Ver: feature
Change-Id: Ic6effa352660f0405d5f4bcd15f3be44b0cc423c
3 months ago
Zuul c08d97672d Merge "OAuth 2.0 Mutual-TLS Support" 3 months ago
sunyonggen f6a0cce440 OAuth 2.0 Mutual-TLS Support
The OAuth2.0 Access Token API is modified to support getting an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.

Co-Authored-By: Hiromu Asahina <>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
3 months ago
Zuul 363b941f2c Merge "Add oidc federation test setup" 3 months ago
Stephen Finucane f24c77c774 Bump SQLAlchemy minimum version
Change-Id: I13eb367a46a5c47c8a79f621bb6fa4d7c3915c15
Signed-off-by: Stephen Finucane <>
3 months ago
Zuul 909fe93fb1 Merge "Force algo specific maximum length" 3 months ago
Zuul 099b0f588f Merge "[PooledLDAPHandler] Ensure result3() invokes message.clean()" 3 months ago
Dave Wilde (d34dh0r53) 3288af579d Force algo specific maximum length
The bcrypt algorithm that we use for password hashing silently
limits the length of the password that is hashed, giving the
user a false sense of security [0].  This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly. This will override
the configured value and log a warning if the password is truncated.

Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
3 months ago
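The check described in the commit above, as an added example that is not Keystone's code: a hasher-aware ceiling on password length, with a warning when truncation happens, plus a helper that shows why the silent limit matters (two passwords that differ only past the cut-off reach the hasher as identical bytes). The 72-byte limit is bcrypt's documented input limit; the hasher names, the configured ceiling and the function names are illustrative assumptions, not Keystone's option values or API.

```python
# Added example, not Keystone code. bcrypt's 72-byte input limit is the
# algorithm's documented behaviour; the other hasher names and the configured
# ceiling are assumptions for illustration.
import logging
from typing import Optional, Tuple

log = logging.getLogger(__name__)

# Byte ceilings the algorithm itself imposes. bcrypt silently ignores input
# past 72 bytes; the other entries (assumed) pre-hash or have no ceiling.
ALGO_MAX_BYTES = {
    "bcrypt": 72,
    "bcrypt_sha256": None,
    "scrypt": None,
    "pbkdf2_sha512": None,
}


def effective_max_length(hasher: str, configured_max: int) -> int:
    """Return the ceiling that actually applies: the smaller of the operator's
    configured maximum and the algorithm's hard limit."""
    algo_max: Optional[int] = ALGO_MAX_BYTES.get(hasher)
    if algo_max is None:
        return configured_max
    if algo_max < configured_max:
        log.warning("hasher %s caps passwords at %d bytes; configured %d "
                    "lowered to match", hasher, algo_max, configured_max)
    return min(configured_max, algo_max)


def verify_length_and_trunc_password(password: str, hasher: str,
                                     configured_max: int) -> Tuple[bytes, bool]:
    """Encode the password as UTF-8 and truncate it to the effective ceiling.

    Returns (bytes_that_will_be_hashed, was_truncated). Counting bytes rather
    than characters matters: bcrypt sees bytes, so 40 two-byte characters are
    80 bytes and only the first 36 characters survive.
    """
    raw = password.encode("utf-8")
    limit = effective_max_length(hasher, configured_max)
    if len(raw) <= limit:
        return raw, False
    log.warning("password truncated from %d to %d bytes for hasher %s",
                len(raw), limit, hasher)
    return raw[:limit], True


def would_collide(p1: str, p2: str, hasher: str, configured_max: int) -> bool:
    """True when two different passwords reach the hasher as identical bytes,
    i.e. when the second would verify against the first one's hash."""
    b1, _ = verify_length_and_trunc_password(p1, hasher, configured_max)
    b2, _ = verify_length_and_trunc_password(p2, hasher, configured_max)
    return p1 != p2 and b1 == b2
```

The practical consequence for an operator: a configured maximum above 72 with the bcrypt hasher buys nothing, and a password policy that counts characters rather than UTF-8 bytes overstates what bcrypt actually verifies.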
Ade Lee d293315eec Add oidc federation test setup
Add devstack testing setup for OIDC using an instance of keycloak
which is instantiated from a keycloak image.  This is largely taken
from Kristi's work in

This configuration is triggered by enabling the devstack service
keystone-oidc-federation.  The expectation is that either SAML2 or
OIDC is enabled, but not both.

Co-Authored-By: David Wilde <>
Change-Id: I1ff4d48c05cef1022dc510df03104f36cdd7a953
4 months ago
Kristi Nikolla 420f4ff46d Fix passenv syntax in tox and update python jobs
This updates the Python jobs and fixes the following error with tox 4:

tox.tox_env.errors.Fail: pass_env values cannot contain whitespace, use
comma to have multiple values in a single line, invalid values found
'http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY

Change-Id: I003723766b1dba7f54c9800364207191597c6741
5 months ago
Mustafa Kemal Gilor ff632a81fb [PooledLDAPHandler] Ensure result3() invokes message.clean()
result3 does not invoke message.clean() when an exception is thrown
by `message.connection.result3()` call, causing pool connection
associated with the message to be marked active forever. This causes
a denial-of-service on ldappool.

The fix ensures message.clean() is invoked by wrapping the offending
call in try-except-finally and putting the message.clean() in finally.

Closes-Bug: #1998789

Change-Id: I59ebf0fa77391d49b2349e918fc55f96318c42a6
Signed-off-by: Mustafa Kemal Gilor <>
6 months ago
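The leak described in this commit, and the "finally is enough" clean-up in the follow-up commit above, as an added example that is not Keystone's or ldappool's code. A minimal pool of numbered slots stands in for the LDAP connection pool, a message object holds one slot until clean() returns it, and two versions of a result3-style wrapper are driven through repeated failing calls: the leaky one marks a slot active on every exception until the pool is exhausted, the fixed one releases it in a finally block. All names are illustrative assumptions.

```python
# Added example, not Keystone/ldappool code: a toy pool demonstrating the
# connection leak fixed above and the try/finally shape of the fix.
import threading
from typing import Any, Callable


class ConnectionPool:
    """Fixed number of slots, each either idle or checked out (active)."""

    def __init__(self, size: int) -> None:
        self._idle = list(range(size))
        self._active: set = set()
        self._lock = threading.Lock()

    def acquire(self) -> int:
        with self._lock:
            if not self._idle:
                raise RuntimeError("pool exhausted")
            conn = self._idle.pop()
            self._active.add(conn)
            return conn

    def release(self, conn: int) -> None:
        with self._lock:
            self._active.discard(conn)
            self._idle.append(conn)

    @property
    def active(self) -> int:
        return len(self._active)


class AsyncMessage:
    """Stand-in for the pooled handler's message: holds one pooled
    connection until clean() hands it back."""

    def __init__(self, pool: ConnectionPool) -> None:
        self.pool = pool
        self.conn = pool.acquire()

    def clean(self) -> None:
        if self.conn is not None:
            self.pool.release(self.conn)
            self.conn = None


def result3_leaky(message: AsyncMessage, call: Callable[[int], Any]) -> Any:
    """Pre-fix shape: if the server call raises, clean() is never reached."""
    result = call(message.conn)
    message.clean()
    return result


def result3_fixed(message: AsyncMessage, call: Callable[[int], Any]) -> Any:
    """Post-fix shape: finally alone guarantees the connection is returned;
    no empty except clause is needed to re-raise."""
    try:
        return call(message.conn)
    finally:
        message.clean()


def exhaust_after_failures(pool_size: int, attempts: int,
                           impl: Callable[[AsyncMessage, Callable], Any]) -> int:
    """Drive `attempts` failing calls through `impl`; return how many
    connections are still marked active afterwards."""
    pool = ConnectionPool(pool_size)

    def failing(conn: int) -> Any:
        raise ValueError("simulated LDAP server error")  # constructed failure

    for _ in range(attempts):
        try:
            impl(AsyncMessage(pool), failing)
        except ValueError:
            pass            # the per-request error a caller would see
        except RuntimeError:
            break           # pool exhausted: every further request fails
    return pool.active
```

With a pool of three, ten failing requests leave three slots permanently active under the leaky wrapper and none under the fixed one; that is the denial of service the bug report describes, reproduced without an LDAP server.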
Zuul 7d4047cb69 Merge "requirements: Bump linter requirements" 7 months ago
Stephen Finucane 6dfde5b48b requirements: Bump linter requirements
The pep257 dependency does not support Python 3.10 and has been
deprecated in favour of flake8-docstrings. While we're here, we bump the
other linter dependencies and remove a note regarding the order of
dependencies, which is no longer true with the new dependency resolver
introduced in pip 20.3. We also remove an import exception for six.moves
since we no longer use six.

Change-Id: I4aae75f513568126230becf27b2e07d6682d35a1
Signed-off-by: Stephen Finucane <>
7 months ago
Dave Wilde (d34dh0r53) 8f999d1c1f Limit token expiration to application credential expiration
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greater than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.

Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
8 months ago
Boris Bobrov 0b46eab168 Remove authenticate.failed from the notification_opt_out list
authenticate.failed in the list is not working as the correct
notification is authenticate.failure (see [0]), this way we keep the
default behaviour, and the users still have the ability to add their
events to this list at deployment time.

Change-Id: If3d818dac220a105f4aba382537c09ab4ee1abd5
Closes-Bug: 1954665
8 months ago
Mohammed Naser c70d0c33a5 fix(federation): allow using numerical group names
When using a numerical group name, the current codebase which
relies on ast.literal_eval does not account for the value
being a number.  Therefore, it can be parsed as a number and
fail in further steps since it will not be a list.

This patch adds a test to handle that use case and refactors the
code that leverages ast.literal_eval to be the same everywhere
so that it adds that fix everywhere.

Closes-Bug: #1992186
Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
8 months ago
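The parsing problem described above, as an added example that is not Keystone's mapping code: a pre-fix shape that trusts ast.literal_eval to return a list, next to a normalizer that accepts a list literal, a bare name, a quoted name or a purely numerical name and always returns a list of strings. Function names are illustrative assumptions.

```python
# Added example, not Keystone code: normalizing a federation mapping value
# that names one or more groups, including purely numerical group names.
import ast
from typing import List


def group_names_buggy(raw: str) -> List[str]:
    """Pre-fix shape: assumes literal_eval always yields a list.
    "12345" evaluates to an int (not iterable); '"dev"' to a str, which
    list() splits into characters."""
    return list(ast.literal_eval(raw))


def normalize_group_names(raw: str) -> List[str]:
    """Return the group names encoded in a mapping-rule value as strings."""
    try:
        parsed = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        # Not a Python literal: a plain name such as "developers", or a
        # numerical name with a leading zero such as "007". Use it verbatim.
        return [raw]
    if isinstance(parsed, (list, tuple)):
        return [str(g) for g in parsed]
    # A single scalar: an int for "12345", a str for '"dev"'.
    return [str(parsed)]


def buggy_breaks_on(raw: str) -> bool:
    """True when the pre-fix shape raises for this value."""
    try:
        group_names_buggy(raw)
    except TypeError:
        return True
    return False
```

One caveat worth checking in any such normalizer: literal_eval is a Python-expression parser, so a name like "1e3" becomes the float 1000.0 and stringifies as "1000.0"; if group names can legitimately look like numeric literals, matching them against the identity backend by the original string is safer than round-tripping through str().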
Zuul 02db926396 Merge "Update master for stable/zed" 8 months ago
Zuul 0155ae8741 Merge "Use TOX_CONSTRAINTS_FILE" 9 months ago
Zuul 8d591489a9 Merge "remove unicode prefix from code" 9 months ago
OpenStack Release Bot 1ac8821651 Update master for stable/zed
Add file to the reno documentation build to show release notes for

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on

Sem-Ver: feature
Change-Id: I1f5579cf3b8e5055b3a26867c8cb1d39d2ea86fc
9 months ago
OpenStack Proposal Bot 1ea9f7557d Imported Translations from Zanata
For more information about this automatic import see:

Change-Id: I2d496fd5a76ca31a2ebbf275fdc348e8fc44394f
9 months ago
Bence Romsics 6c35b366e3 Fix host:port handling
When we check the EC2 signature without the port part of the host value
received, we should properly split host:port. Keep in mind the splitting
should work for values like [fc00::]:123 too.

Change-Id: I1d90dfcea3568e2a9b22069daa428ea6a2a38bd6
Closes-Bug: #1988168
9 months ago
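The host:port split this commit asks for, as an added example that is not Keystone's EC2 signature code: a parser that handles plain hostnames, IPv4, bracketed IPv6 literals with and without a port, and unbracketed IPv6 literals, and rejects malformed ports instead of guessing. Function names are illustrative assumptions.

```python
# Added example, not Keystone code: splitting an HTTP Host value into host
# and port so the host alone can be used when checking a signature that was
# computed without the port.
from typing import Optional, Tuple


def split_host_port(netloc: str) -> Tuple[str, Optional[int]]:
    """Split a Host value into (host, port).

    The host is returned as written (brackets kept for IPv6 literals) so it
    can be substituted back into a URL; port is None when absent.
    Raises ValueError for malformed input.
    """
    if netloc.startswith("["):
        # Bracketed IPv6 literal: a port, if any, follows the closing bracket.
        end = netloc.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % netloc)
        host, rest = netloc[: end + 1], netloc[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal: %r" % netloc)
        return host, _parse_port(rest[1:])

    host, sep, port = netloc.rpartition(":")
    if not sep:
        return netloc, None        # no colon: plain hostname or IPv4 address
    if ":" in host:
        return netloc, None        # unbracketed IPv6 literal: cannot carry a port
    return host, _parse_port(port)


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError("invalid port: %r" % text)
    port = int(text)
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def host_without_port(netloc: str) -> str:
    """The host component alone, as used when verifying a signature over a
    host value that was received without its port."""
    return split_host_port(netloc)[0]


def is_well_formed(netloc: str) -> bool:
    try:
        split_host_port(netloc)
    except ValueError:
        return False
    return True
```

Relying on a naive `split(":")` here is what breaks IPv6: "[fc00::]:123" has several colons and a bare "fc00::1" has a trailing digit that looks like a port, so both the bracket case and the unbracketed case need explicit handling before the signature base string is rebuilt.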
Zuul 051aca8e8a Merge "OAuth2.0 Client Credentials Grant Flow Support" 9 months ago
niuke eae6adf00b remove unicode prefix from code
Change-Id: I0de3c786fa2617a44094c37827ebd93a8dfcf3b6
10 months ago
Zuul 1dd6993d7b Merge "docs: Update docs to reflect migration to Alembic" 10 months ago
Zuul f0f96d465d Merge "sql: Integrate alembic" 10 months ago
jiaqi07 4edad6b58f Use TOX_CONSTRAINTS_FILE
UPPER_CONSTRAINTS_FILE is the old name and is deprecated.
This allows using the upper-constraints file in a more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.

Change-Id: Id78b5ab392ac52a52731c87a4c06cbad1516ea85
10 months ago
Zuul 9bb51da863 Merge "Only log warnings about token length when length exceeds max_token_size" 10 months ago
Zuul aee576a7c6 Merge "Change error response status code in master branch" 10 months ago
OpenStack Proposal Bot c01e17f459 Imported Translations from Zanata
For more information about this automatic import see:

Change-Id: I69d52a1d921e2c9376baef9ab54ba41aa9602b07
11 months ago
Zuul d7b1d57cae Merge "Move fips job to centos-9" 11 months ago
Ade Lee 950dd5e503 Move fips job to centos-9
Move FIPS job to centos 9 and add new required nslookup_target variable.

Change-Id: Ifef262cfca4ecb8ad1222da3c43e5749f40c1f24
12 months ago
Stephen Finucane d88439c6a9 docs: Update docs to reflect migration to Alembic
Change-Id: Iabc8cd0746871ea6ab81af9d3f0149644a489f3d
Signed-off-by: Stephen Finucane <>
12 months ago
Stephen Finucane f174b4fa7c sql: Integrate alembic
Switch to alembic for real by integrating it into the 'db sync' command
flow. From a user-facing perspective, things should remain pretty much
the same as before, with the key difference being that version
information (i.e. what's shown by 'keystone-manage db_sync --check' or
'keystone-manage db_version') will now take the form of a hash rather
than an integer. There are a few differences for contributors however.
The changes are described in the included release note and

Note that there are a couple of important design decisions here that are
worth examining:

- We drop the idea of the 'data_migration' branch entirely and the
  'keystone-manage db_sync --migrate' command is now a no-op. Neutron
  doesn't do data migrations like we do and yet they manage just fine.
  Dropping this gets us closer to neutron's behavior, which is a good
  thing for users.

- We haven't re-added the ability to specify a version when doing
  'db_sync'. Neutron has this, but the logic needed to get this working
  is complex and of questionable value. We've managed without the
  ability to sync to a version since Newton and can continue to do so
  until someone asks for it (and does the work).

- sqlalchemy-migrate is not removed entirely. Instead, upon doing a
  'db_sync' we will apply all sqlalchemy-migrate migrations up to the
  final '079_expand_update_local_id_limit' migration and dummy apply the
  initial alembic migration, after which we will switch over to alembic.
  In a future release we can remove the sqlalchemy-migrate migrations
  and rely entirely on alembic. Until then, keeping this allows fast
  forward upgrades to continue as a thing.

- Related to the above, we always apply *all* sqlalchemy-migrate
  migrations when calling 'db_sync', even if this command is called with
  e.g. '--expand' (meaning only apply the expand branch). This is
  because there is at most one "real" migration to apply, the Xena-era
  '079_expand_update_local_id_limit' migration, which is an expand-only
  migration. There is no risk to applying the empty "data_migration" and
  "contract" parts of this migration, and applying everything in one go
  results in *much* simpler logic.

Future changes will update documentation and add developer tooling for
(auto-)generating new migrations, a la 'neutron-db-manage revision'.

Change-Id: Ia376cb87f5159a4e79e2cfbab8442b6bcead708f
Signed-off-by: Stephen Finucane <>
12 months ago
Stephen Finucane 0916df35f9 tests: Don't monkeypatch functions
We were inadvertently monkeypatching a variety of functions in
'keystone.common.sql.upgrades'. We should be configuring mocks for these
that we teardown at the end of the test. This has been an issue since we
first added these tests way back in change
I9f138fe0bcbf5ffbb98e6fcebd7d897329a301b7. Fix it now.

Change-Id: I185420e6d16276e7d184146f6a38b098abc00b25
Signed-off-by: Stephen Finucane <>
Suggested-by: Mike Bayer <>
12 months ago
Stephen Finucane c4f2e2e1db sql: Don't create a new connection in migrations
We can use the existing connection. No need to create a new one.

Change-Id: I2165710ee83dad12ddd795b665ecac6c8bd42a93
Signed-off-by: Stephen Finucane <>
12 months ago
Stephen Finucane 30fa47f98a Ignore UserWarning for scope checks during test runs
Keystone's API policy rules are defaulting to system scope. Scope checks
are disabled by default in oslo.policy, but if you hit the API with a
token that doesn't match the scope, it generates a UserWarning, for
every policy check on that request. This is pretty annoying, so just
filter those warnings during our test runs.

Change-Id: I150b8fa19d4ec1582234caa4c25db905e6403590
Signed-off-by: Stephen Finucane <>
12 months ago
Stephen Finucane 7c2d0f589c tox: Don't generate byte code
Keeps directories clean.

Change-Id: I8fcd9370a6adbfe8bbb2ce441a6f2efad45d089a
Signed-off-by: Stephen Finucane <>
12 months ago
Yi Feng b554576f62 OAuth2.0 Client Credentials Grant Flow Support
The OAuth2.0 Access Token API is added to support getting an OAuth2.0
access token from the keystone identity server with application

Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
12 months ago