This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is support for the
revocation list must be maintained.
This patch removes support for the token format, it's surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).
Future patches will:
- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
behavior as today)
- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.
Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
This review creates the structure for the Devstack plugin and
prints to the console to ensure its execution in the gate.
Follow-up reviews will do more useful stuff like setting up
the environment for our functional testing (ldap, federation).
Change-Id: I820ae355ae8f3183fee2b8207e3c17e8bd10dc17
Another follow up from 810e15689b200f92980e04e233523d72d885d4bd.
Change-Id: I5b16b30a3891a27359b3c238f10a4a13f5281866
Depends-On: Ic4b067b472dad3b8231cb2397abbb92a52939c31
Running `tox -e api-ref` prints warning:
WARNING:test command found but not installed in testenv
cmd: /bin/rm
env: /opt/stack/keystone/.tox/api-ref
Maybe you forgot to specify a dependency? See also the whitelist_externals envconfig setting.
Change-Id: I4c1718dac22c374f048d9e04f42051e10021bb31
The directory openstack/common was used to keep codes from
oslo-incubator, we have retired oslo-incubator, so don't use
this directory any more.
Change-Id: I0637c17f5c7aecf5bda87c8e7a6ef834be299baa
OpenStack CI supports now constraints in the coverage job - as a first
job to check that the recent changes for zuul-cloner work correctly.
Use constraints for cover environment.
Change-Id: I3812776ab228bf28df9934273df7fe8ee0880660
Depends-On: I2c0fb1e9b5a51be409687d9cb85ee3ae70c1ce94
Currently, flake8 runs against doc related directories such as
releasenotes and api-ref. Might as well remove doc from the
flake8 exclude list. Each of these directories has only one
python file (conf.py).
Change-Id: I0445ad083d8d9167e0309950c200c9abb766bc1a
The default regex, '(?:^|[\b_\./-])[Tt]est', will match methods that are
not test methods. For example, I created a new method
'skip_test_overrides' and it was mistakenly run as test. By convention
all of our tests start with 'test_' so this is a safe change.
Change-Id: I4f5917de53681c950c72479f16f88e76f49f6bfc
PEP257's D203 check ensures that you have a blank line before class
docstrings. This rule directly conflicts with D211 (no blank lines
before class docstrings), which is intended to supersede D203.
The original language in PEP257 which D203 was based on was actually
removed from PEP257 by Guido here:
https://hg.python.org/peps/rev/9b715d8246db
Change-Id: Icc048b947acea8f655d00540c221123b906e7545
Docs at [1] have already been converted from WADL (SGML / XML) to RST
using fairy-slipper [2].
This commit polish the results from the conversion and migrate the docs
to our repository under 'api-ref/source' directory. In addition, it
added missing descriptions for access_token_id and consumer_id to
'parameters.yaml'.
Polishing the generated RST files include:
- Removing unnecessary blank lines;
- Removing empty references.
Polishing the generated RST files do not include:
- Modifying their content;
- Modifying file names;
- Wrapping lines at the maximum of 79 chars.
Updating the documentation will be done after this migration step.
This change also adds a tox environment to build the docs using sphinx
under 'api-ref/build', which in turn is added to '.gitignore'.
Lastly, 'os-api-ref' is added as a test requirement. It provides the
sphinx stanzas rest_method and rest_parameter, used to define OpenStack
APIs in RST docs.
[1] https://github.com/openstack/api-site/tree/master/api-ref/source/identity/v3
[2] https://github.com/russell/fairy-slipper
Change-Id: If1b9a3e1b2e4ea7211c337071254c26b881893a3
Remove the helper script for py34, it prevents the use of arguments
being passed down e.g. tox -epy34 -- --failing due to the lack of
passing {posargs} to the script. Since py34 has no special exceptions
now, the specific env for py34 with a special pretty_tox script is
not needed.
Change-Id: I4d960d82e2844c0c82a14be5e92230f1698e11b3
Two years ago the translation files have been split into several
files, separating the log messages of different log levels from each
other, like X.pot, X-log-warning.pot, X-log-info.pot, and so on.
However, the setup.py command `compile_catalogs`, that comes from the
babel package and compiles the corresponding .po files into .mo
files, only supported one file per python package. This means that
during packaging `compile_catalogs` never compiled the X-log-*.po
files, so the corresponding translations were always missing.
Since babel 2.3 the domain can be set to a space separated list of
domains. This change adds the the additional log level files to the
domain list.
The obsolete check that .po and .pot files are valid is removed from
tox.ini.
Change-Id: I1f0bfb181e2b84ac6dd0ce61881cd2cc4400bdcb
Closes-Bug: #1536226
Currently tox ignores D105, D203, and D205.
D105: Missing docstring in magic method.
D203: 1 blank required before class docstring.
D205: Blank line required between one-line summary and description.
This change removes it and make keystone docstring compliant with it.
Change-Id: Id916612dd246e02159907d286e448545120f3655
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and make keystone docstring compliantwith it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Other projects are already starting to make this change and it should
help with some of the strange issues we commonly get asked in IRC. When
those issues come up the first step is always update to the latest tox
and pip, so we might as well make that recommendation more formal.
Change-Id: Ic320881797b99747357ac14c6f84636e5070523d
Related-Bug: #1572202
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
Some targets don't respect upper-constraints like
cover and releasenotes, so make sure don't use
the same install_command for those jobs.
Temporarily add Babel to avoid problem with the
keystone-coverage-db coverage job.
Change-Id: I8636e7c86c6c5c608429fab88e181108ae615db9
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and make keystoneauth docstring compliantwith it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
`patch_cover` checks to make sure your patch has
adequate test coverage.
How it works is it stashes your changes, runs `tox -e cover`,
saves the results then stash pops your change and runs cover
again. It then reports to show if your code in your patch
has 100% test coverage or not.
The intent of this job is to be a non-voting / warning like
job that can inform reviewers if the review clearly needs
more testing.
Since cover.sh is copied from [0] the copyright should
reflect the owners of the code.
[0]: https://github.com/openstack/rally/blob/master/tests/ci/cover.sh
Change-Id: I66572072aa4d9563b6e1f73a8f8b3437116ef3c4
Now that the bandit linter runs without a bandit.yaml specified,
it should exclude the tests directory similar to how it did before
in the bandit.yaml.
The reason this has not caused a problem yet is because bandit is
still finding a config bandit.yaml in .tox/pep8/etc/bandit/bandit.yaml.
But in a newer version of bandit this will not be the case.
Change-Id: Ie81d052cd57318a987f0ebfe718e1c01bdbffcd3
When running tox it would print out a warning:
WARNING:test command found but not installed in testenv
cmd: /usr/bin/find
env: /opt/stack/keystone/.tox/py27
Maybe you forgot to specify a dependency? See also the whitelist_externals envconfig setting.
This is because we forgot to specify a dependency.
Change-Id: I4270c52213159cefa04a63979ee0bb2e1a2fa35f
pyc files for old code files and test files won't get removed from the
local tree when those files are removed. They will still be discovered
and used when running tox tests.
This removes pyc files before running tests to ensure that test
results are repeatble by end users even if they are updating older git
trees.
Closes-Bug: #1551312
Change-Id: I9987cc57dc9ac2bd0331af6cb59e2c5e137d9849
The 0.17.3 release of bandit supports running with no config,
enabling all the tests with a default configuration for them, switch
to that since it's easier to maintain.
Change-Id: I507b7a11e8d1d69a6d9ec88493cbefe48be5ddcf
Keystone's tox.ini contains an "ignore" entry for H405 violations:
multi line docstring summary not separated with an empty line.
All violations of H405 should be fixed so that H405 can be removed
from the ignore list.
Change-Id: I1b2aae0cabc20909cf3b0a405d5e31c5d91148b2
Closes-Bug: #1482773
The bandit project uses an integration test to ensure it doesn't
break other projects by introducing new changes. To run this
integration, it necessary to have a common tox target of 'bandit'.
Change-Id: I07c66fa2535211536d0218abd86bea0ae8644065
There are several reasons for this change:
- removes the need for the custome py3 test dependencies
- makes the broken tests more visible because they are listed
instead of the working ones
- using a blacklist means that new test files are tested by default in
py3
bp python3
Change-Id: I7472eec05d80cdd99c0ee376159578e0d7306f51
According to the PTI (=Python Test Interface,
http://governance.openstack.org/reference/cti/python_cti.html), pep8
is the interface for codestyle checks. Move all tests from linters to
pep8.
This basically reverts Ic9efdcb13978d2f29312a4a1f0fdd859d55c8398.
Depends-On: I9346e4bf8c3a50de088c6a157f0d871c0a9333a1
Change-Id: I99df6de57d345c40e39801d66575d35d0d8a36a9
test_credential.py was failing on python34 with two different errors.
1. Should encode unicode into byte before hashing on python3
...
hash_.update(access)
TypeError: Unicode-objects must be encoded before hashing
2. Request body should be always bytes on python3, use `dump_as_bytes`
to covert the body to bytes.
...
File "/opt/stack/keystone/.tox/py34/lib/python3.4/site-packages/
webob/request.py",
line 710, in _body__set % type(value))
TypeError: You can only set Request.body to bytes (not <class 'str'>)
bp python3
Change-Id: I82e731ea5e517e030db55cf01cc86db9684f4622
Both of them are for V2 ec2 credential, no need two separated files
to test the same things, two files also make it hard to find where
the new cases should be added.
`test_credential.py` will be added to py34 testenv in the follow on
review since it's will not pass py34 test without change.
Change-Id: Ib43fa352a9852f95023fad93f578a352bacd963e
This code has been largely untouched since 2012 and is not wired
up anywhere. This simply removes the file since it is not run
and has not been run for a while.
Change-Id: I67a682bc41d9214a32a24b76b1423828809d1b11