The xmldsig module was moved to the pysaml2 namespace in 3.0.0, but
now 5.0.0 is the minimum required version.
See c90dd3a0f8280e28bbbff691c0ae27aff736658a for details.
Change-Id: I96b01da509c96387bd7f3c2a814f579a070815ae

Introduces domain-scoped policies for the 'manager' role to permit
domain-wide management capabilities in regards to users, groups,
projects and role assignments.
Defines a new base policy rule to restrict the roles assignable by
domain managers.
Closes-Bug: #2045974
Change-Id: I62742ed7d906c92d1132251080758bb54d0fc8e1

Hacking is an OpenStack style guide enforcement library. Many projects
use it.
The Python import sorting check in hacking makes a lot of sense, since it
verifies that the code is readable and matches the pep8 style as well.
Convert the code base with `isort --profile open_stack --sl --py 311
--honor-noqa keystone` and 2 manual fixes so that the hacking check passes
(it is a bit of a weird case, but black forces a new line before a comment
in an import while flake8-import-order thinks it is bad:
keystone/api/auth.py. So add a noqa here since there are currently no
configuration options to skip that.)
Change-Id: I31bd6d5f37910097ef0fae72f678c758411b5b03

This patch adds the `reset_last_active` subcommand to the
`keystone-manage` command line tool.
This subcommand will update every user in the database that has a null
value in the `last_active_at` property to the current server time. This
is necessary to prevent user lockout in deployments that have been
running for a long time without `disable_user_account_days_inactive` and
later decide to turn it on.
This patch also includes a change to the logic that sets
`last_active_at` to fix the root issue of the lockout.
Closes-Bug: 2074018
Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31

Tokens with expiration time limited by application credentials had an
incorrect format.
Fix the format, control it with the test.
Closes-Bug: 2075723
Change-Id: I09fe34541615090766a5c4a010a3f39756debedc

The current configuration for the OIDCRedirectURI results in
mod_auth_openidc masking the Keystone federation authentication
endpoint, which results in incorrect responses to requests for
Keystone tokens. This change updates the documentation to
recommend using a vanity URL that does not match a Keystone
API endpoint.
Closes-Bug: 2075349
Change-Id: I1dfba5c71da68522fdb6059f0dc03cddc74cb07d

Enable mypy and fix/ignore found issues.
With mypy it is possible to declare/define optional or mandatory
attributes in the base classes. Those are checked statically with mypy
making existing validations and tests in the code unnecessary.
Change-Id: I7246d4e68386e9f72559e8948c475e5916359922

We are going to start building OpenAPI using codegenerator directly in
Keystone and move all the schemas into the code base. It is going to
be very helpful to immediately see whether generation is possible and
the OpenAPI spec is valid. Thus adding it as non-voting for now (and it
makes no sense to have a non-voting job in the gate).
Change-Id: Iaf418d69cbb55fbe9dde3f2ec4213e64345057c2

After reformatting there are some cases where strings previously split
across lines were simply placed on a single line ("foo " "bar baz").
Join such cases properly.
Change-Id: Ie56d5ca35d3e0983a73554916f5399837a3b35b4

Ensure committing locally will raise bandit check errors before we push
the change by putting it into the pre-commit. Since pre-commit is
already invoked in the pep8 env we can drop bandit from there.
Change-Id: I4d9d5aa283fb6cb91d610e23c6a44e98d8df46aa

pyupgrade is a tool (and pre-commit hook) to automatically upgrade
syntax for newer versions of the language. It helps get rid of
syntax required for older Python versions that are no longer supported and
prepares us for easier support of newer Python versions. The tool is
already used in some other OpenStack projects, so it is time to start
using it for Keystone as well.
The change is generated by uncommenting the pre-commit hook and
executing `pre-commit run -a` to convert the code. The same could also
be achieved by simply trying to commit and adding the converted files in
a few iterations.
Change-Id: Ia1f64709e57ebb4e44db128bfea4c5957b2071df

With this, black performs a linter check even before the commit is created,
allowing devs to spot issues before sending a change to the CI.
With this we also switch from flake8 to pre-commit to ensure we run the
same tests locally and in the CI, thus preventing accidental drift.
Change-Id: I121f55a2f00817dc4b6061933752b81e01d62cb4

In order to keep git blame from being overloaded with recent reformat
changes, add the reformat commit to the ignore list.
Change-Id: I0b474143d07436d9b92cbe98e9caafe8318c2719

NotFound exceptions happen regularly during normal operations,
e.g. when doing "openstack role show member", so don't make a fuss
about them.
Change-Id: I59ad6fe4ff167a431eae943dd261d4a69c21e980

Improve code maintainability by enabling us to use an automatic code
formatter. We use black as a relatively fast code formatter (ruff is an
alternative, but it would immediately also require changing all quotes,
which is chaos). In the next change black is going to be added into the
pre-commit, allowing contributors to spot formatting issues before
sending code to the CI and spending precious run hours. The same steps have
been performed in openstacksdk/cli and partially in nova.
Steps performed:
- `black -l 79 -S keystone`
- add exceptions to the tox.ini for the lines which black decided not to
split
The following files were polished manually because noqa headers and
similar were reformatted into wrong strings:
keystone/auth/plugins/totp.py
keystone/common/password_hashing.py
keystone/tests/unit/ksfixtures/__init__.py
Change-Id: I832ec4c152fa58fb0088d9f880add86a20ec95fc

When a user requests new application credentials without specifying roles
explicitly, all current roles from the token are used for that
(including implied roles).
When new application credentials are requested specifying a role that
implies another role (i.e. member), only that role is added into the
list. This is not what is expected, so change it by looping through
every requested role and adding every implied role into the list if it is
not already there.
Related-Bug: https://bugs.launchpad.net/keystone/+bug/2030061
Change-Id: I452313ac7e1e6960748bcd1e667fb7c0076eb7a2

python-all-dev is not available on the newer Ubuntu images
(ubuntu-noble). Replace it with `python3-dev` as used by the majority of
other OpenStack repositories. This change does not fix the tests, it
just ensures tests are being executed.
Change-Id: I860ca5e6259459716e606a4c76002164d6a18668

As a starting point for the code renovation it makes sense to add
pre-commit with the same configuration we use across the other
services. For now, comment out hooks that fail and address them one by
one.
At the end of the series we would have pre-commit executing all the
necessary checks (linting, flake, black, mypy, etc.) and it will be
invoked directly in `tox -e pep8` to unify all the processing. We
are going to re-format the source code with `black`, adding the revisions
to the git blame ignore list to reduce the amount of noise. This will help
us have reasonably formatted code with the possibility to just auto-format
it.
Change-Id: Ia00f4209cde8f64828dc2d827d49bfc4bd6c1efa

This has been deprecated for removal [1]. Use the stdlib variant
instead.
[1] https://github.com/testing-cabal/testtools/commit/59b890db3c
Change-Id: I7701872d2de44bb7c8296501015c24d0741adc93
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>