The bcrypt algorithm that we use for password hashing silently
limits the length of the password that is hashed, giving the
user a false sense of security [0]. This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly; this will override
the configured value and log a warning if the password is truncated.
[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
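An added illustration of the length check described in the commit message above. It is not keystone's code: the function names, the `ALGO_MAX_BYTES` table and the sample passwords and limits are assumptions made for this sketch, and no real hashing is performed.

```python
import logging

LOG = logging.getLogger("password_length_demo")

# Assumption for this sketch: per-algorithm input limits, in bytes.
# bcrypt only hashes the first 72 bytes of its input; None means no limit.
ALGO_MAX_BYTES = {"bcrypt": 72, "scrypt": None, "pbkdf2_sha512": None}


def effective_max_length(algorithm, configured_max):
    """Return the limit that really applies to the hash in use.

    The algorithm's hard limit overrides a larger configured value.
    """
    algo_max = ALGO_MAX_BYTES.get(algorithm)
    if algo_max is not None and algo_max < configured_max:
        return algo_max
    return configured_max


def truncate_password(password, algorithm, configured_max=4096):
    """Truncate by UTF-8 bytes (not characters); warn when it happens.

    Returns (bytes_that_would_be_hashed, was_truncated).
    """
    raw = password.encode("utf-8")
    limit = effective_max_length(algorithm, configured_max)
    if len(raw) <= limit:
        return raw, False
    LOG.warning("Truncating password to %d bytes for algorithm %s",
                limit, algorithm)
    return raw[:limit], True


def same_hash_input(first, second, algorithm, configured_max=4096):
    """True if two different passwords reach the hash as identical bytes."""
    a, _ = truncate_password(first, algorithm, configured_max)
    b, _ = truncate_password(second, algorithm, configured_max)
    return first != second and a == b


# Constructed sample passwords: identical for 72 bytes, then different.
SAMPLE_A = "A" * 72 + "first-suffix"
SAMPLE_B = "A" * 72 + "other-suffix"
```

Because the limit is counted in bytes, a password of 40 two-byte characters is already truncated under bcrypt even though it is well under 72 characters.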
This updates the Python jobs and fixes the following error with tox 4:
tox.tox_env.errors.Fail: pass_env values cannot contain whitespace, use
comma to have multiple values in a single line, invalid values found
'http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
PBR_VERSION'PROXY PBR_VERSION'
Change-Id: I003723766b1dba7f54c9800364207191597c6741
The pep257 dependency does not support Python 3.10 and has been
deprecated in favour of flake8-docstrings. While we're here, we bump the
other linter dependencies and remove a note regarding the order of
dependencies, which is no longer true with the new dependency resolver
introduced in pip 20.3. We also remove an import exception for six.moves
since we no longer use six.
Change-Id: I4aae75f513568126230becf27b2e07d6682d35a1
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
UPPER_CONSTRAINTS_FILE is the old name and is deprecated.
This allows using the upper-constraints file in a more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.
Change-Id: Id78b5ab392ac52a52731c87a4c06cbad1516ea85
- Set 'ignore_basepython_conflict' so that e.g. the 'py37' environment
  actually uses Python 3.7
- De-duplicate some environments
- Use upper-constraints for functional tests
Change-Id: Ia3a43e96af0e5d42a4ad3cc9594e1cebc7e71d08
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Change-Id: Ic440219814ee0c2b98217e9a821f38f5baf482ec
Without this patch, new library releases (even if not specifically
related to sphinx or docs) can break the docs build. For example, the
latest Werkzeug release is breaking the docs for the stable/stein branch
due to an import error that was fixed in later branches. We shouldn't be
letting new library releases affect the docs environment for the same
reason we want to control the other tox environments. This change adds
-c to the docs tox environment to ensure that all libraries installed in
this environment are known good versions.
Change-Id: I7cec5478bd276594485ed3ce434ba8dda1975ce4
In 09088690 we mistakenly added E501 to the flake8 ignore list. Since
then, many new violations have been introduced. This patch re-enables
the check and corrects all violations, except in some cases like unit
test names where the subunit output would suffer if we attempted to
shorten the function name.
This may appear to be a pointless no-op that messes with
git-blameability, and it is, but the reason to do this is that if PEP8
violations are introduced in master and then backported to a stable
branch, most stable branches will fail the pep8 job since the flake8
ignore list is correct for those branches. Rather than loosening the
check in older branches or requiring those backports to fix the linter
errors independently of what's been merged in master, we should fix it
now so that we don't introduce more errors in the future and patches can
more easily be backported.
Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6
There are so many protection tests now, and for the moment they are so
inefficient, that running them all as part of our main unit test suite
for py27, py36, py37, and cover jobs yields a high rate of timeouts
which reduces our own development velocity and negatively impacts every
project that co-gates with keystone. This change splits the protection
tests into their own level of tests outside of the configured stestr
test_path and adds a separate tox environment and zuul job to run just
the protection tests on their own. Parallelizing these tests should help
alleviate the timeout issue while we work on making these tests more
efficient.
Change-Id: Ibb12053bd6864a153f7e3998dbd008b6eec4295b
This patch adds a new tox job/command for building the pdf
version of documentation.
    tox -epdf-docs
In addition to adjusting the infra requirement for PDF build
support, the following changes are made to build a PDF doc:
- Download links for config_options, sample config and policy
  files are disabled for the PDF doc as relative links do not
  make sense.
- Pre-create the doc/build/pdf/_static directory as a
  workaround because the sphinx_feature_classification.support_matrix
  extension operates under the assumption that the _static directory
  already exists and tries to copy support-matrix.css into it. We need
  to remove this workaround once the problem in the support_matrix
  extension is fixed.
- Use the toctree_only=True workaround to avoid TOC duplicate links.
Change-Id: Ief8df5f6a5a22b8d0530458ac45f344a72cc3e49
Our tools noticed that keystone links to
https://docs.openstack.org/keystone/latest/admin/identity-domain-specific-config.html
which does not exist anymore.
The page was removed but the link to it was not changed. Replace this
and similar links with internal links that will work even if files are
moved - and can be verified, thus sphinx will error in case of broken
targets.
These changes include a few other fixes for broken keystone links, e.g.
to renamed anchors.
For the include files in admin/configuration.rst and
admin/federation/configure_federation.rst: Rename them to *inc.
The files were published twice (as separate files and on this page)
and thus referencing failed. Renaming avoids this.
Also, put doctree outside of html tree so that it does not get
published.
Change-Id: I3d07637b0046cc88a66bcb51a0a4fe7c146c1549
Without this patch, oslo.db is listed both in requirements.txt and
test-requirements.txt. Since it is listed without extras in
requirements.txt, those extras (like the mysql driver) aren't installed,
which means opportunistic database tests are not run. This change fixes
the issue by ensuring the oslo.db listed in test-requirements.txt takes
precedence.
Change-Id: I0ad6a847ad89a7b5ae7d12b6dd90433e4a617778
This patch fixes E731 for flake8/pep8 which recommends preferring
functions over lambda expressions.
Change-Id: Ied905e1d55ae73b8d390240d3320a8ba0dcca17c
Currently tox -epep8 will run flake8 on the whole code.
To make this fast, flake8 support is added for only
updated (delta) code. The same can be run by "tox -efast8".
It also determines how many commits to check based on the
$FAST8_NUM_COMMITS env variable. If set to "smart",
it uses git to try to run against all unsubmitted commits.
This allows fast8 to be more useful when actively
developing a series of patches.
Closes-Bug: #1829455
Change-Id: Ic02d7a91c6f6b227abf14bc6f7cb85815591c0d3
This reverts commit ebac8330d8.
Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.
Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
With python3.7 jobs added to the Zuul jobs, it makes sense to add this
to the tox config too so that developers can run python3.7 tests as
well.
Change-Id: I87ba933d57de746651427386d76d5b70b7cf45b8
The lower version of pycodestyle lib (aliased to pep8) doesn't work
for py36 env. This commit unblocks the py36 gate by adding a
dependency on pycodestyle and using that for style checks.
Bump the "hacking" lib version to v1.1.0 which depends
on a higher version of pycodestyle.
Change-Id: I3fc591e09c1e25a3bd2a3922880772ea9617f1e3
We already have a debug env that uses python3 as the base python, it's
not that useful to have another one specific to 3.5. Also relax the
functional test environment to allow any python3 so that we have
flexibility in the future if we want to update it.
Change-Id: Ib43b41e0a1ce427d161b51227d0ffe0d4dec0a98
We already run python3.6 unit tests in CI. Add the py36 environment to
the tox file so that developers with python3.6 available locally can opt
into running that version too.
Change-Id: I207db150716139bd55d31e4a4c6eb7e7f48916b0
Quotes around {posargs} cause the entire string to be combined into one
arg that gets passed to stestr. This prevents passing multiple args
(e.g. '--concurrency=16 some-regex')
Change-Id: Ia3353073bbdf9d18bbd5bd97425b3519f3d5aad0
If you have a -c in the install_cmd it gets used with all the deps
supplied; this means that the lower-constraints job actually installs from
upper-constraints :(
You can see what I mean in [1]
Note both lower-constraints.txt and upper-constraints.txt are used ; and
---
Collecting oslo.log===3.39.0 (from -c /home/zuul/src/git.openstack.org/openstack/requirements/upper-constraints.txt (line 247))
---
With this fixed we find a few minimums that need to be bumped:
* oslo.policy >= 1.33.0
  keystone uses the scope_types[2] kwarg to RuleDefault which was
  introduced in 52c82ff9ab04dd78ff7045cb30d2f5de535dd7da which is
  contained in 1.32.0 ; also we need the 'policy-in-code' feature
  which is in 1.33.0
* oslo.log >= 0.38.0
  keystone used the ROCKY[3] constant for deprecations which was
  introduced in d68a895ee8e61b5c9d4ef368e7f04252e84649e9 which is
  contained in 3.38.0
* msgpack >= 0.5.0
  the 0.4.x versions have been removed from pypi so we have to bump the
  minimum :(
* SQLAlchemy >= 1.0.13
  identity_provider_id in token payload is byte in python3 which
  triggers a sqlalchemy bug[4]. The bug has been fixed in 1.0.13
* keystonemiddleware >= 5.1.0
  unified limit feature uses system scope feature which is supported
  in keystonemiddleware after 5.1.0
We also correct some errors in bindep.txt related to use on Fedora
[1] http://logs.openstack.org/47/599447/2/check/openstack-tox-lower-constraints/bbc912b/tox/lower-constraints-1.log
[2] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/access_token.py#n24
[3] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/default.py#n50
[4] http://docs.sqlalchemy.org/en/latest/changelog/changelog_10.html#change-a14dd2e73d889d065acc07a77b1ee7cb
Change-Id: Ic0de6799fddd86a70abae2c87c92d565072ebdb9
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I4660a35ff63f3f0212978dda668ba2cb08774e3a
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Create a tox environment for running the unit tests against the lower
bounds of the dependencies.
Create a lower-constraints.txt to be used to enforce the lower bounds
in those tests.
Add openstack-tox-lower-constraints job to the zuul configuration.
See http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html
for more details.
Change-Id: Ide4d192e390ac78f860634014f2437dd6ea7b919
Depends-On: https://review.openstack.org/555034
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
The functional tests in tox.ini were still set to use testr,
this change makes it use the new stestr.
Change-Id: I2ca4e2ae5d8395ae27f8d14cce8038c737aa65f2
This is in line with the direction from:
http://lists.openstack.org/pipermail/openstack-dev/2017-September/122135.html
This also makes it easier to invoke tests based on a regular
expression. Previously, it was possible to do:
$ tox -e py27,py34 -- keystone.tests.unit.test_module.TestCase
But that isn't supported in the way we use ostestr in tox with the
new stestr changes. Instead of refactoring our ostestr usage we can
just replace it with stestr directly which allows us to invoke tests
using a single regex and is in line with the direction of moving away
from ostestr.
Change-Id: I83eb6ce905c45c9c388a8d5a3c9369f5c5f6710e
With the latest changes to os-testr[0] it now expects
a .stestr.conf file instead of a .testr.conf file. This
change migrates the testing suite from using testr to
use stestr instead.
[0] http://lists.openstack.org/pipermail/openstack-dev/2017-September/122135.html
Change-Id: Ie0de862f2192491fa7752af03c8c03b3ee36337a
This commit only adds the sample policy file to the project's
.gitignore file in the interest of keeping environments cleaner.
This also adds the genpolicy tox environment to the tox environment
list to be consistent with how we maintain other tox environments.
Change-Id: Idf538c97f5f7383d8d6e5c18c985d9715033926b
etc/ is for config files that should be installed on disk to support a
running keystone. config-generator/ is for files that
oslo-config-generator uses to generate sample config files and are not
needed by keystone in a live deployment.
Change-Id: I0614709ded739d77ec620150bcb6c2f456024b6f
This adds the entry point and config file necessary for using the
oslo.policy sample generation script. It also adds a tox target to
simplify the usage of it.
Change-Id: I7feb522b2ea5f56e48982169c7ebbb2ec2ef2cb3
Partially-Implements: bp policy-in-code