[stable-only] Cap bandit and fix constraints

The 1.6.3 [1] release has dropped support for py2 [2] but the release
is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2
when using py2.

With the introduction of the new dependency resolver in 20.3 pip the
lower-constraints job starts to fail as now the constraints are working
as they should. Multiple fixes needed:
* lower-constraints job uses the [testenv]install_command, so it gives
  both the upper-constraints and lower-constraints, which causes the
  job to fail. As an easy fix install_command is added to this target
  without the upper constraints.
* duplicate stestr constraint removed
* cryptography lower constraint is bumped as with version 2.1 the
  new resolver of pip takes hours to install the packages
* contradicting hacking version replaced (in lower-constraints.txt to
  match with test-requirements.txt), which pulls in newer flake8, too
* lower-constraints test job failed with error message:
  "[..] unexpected keyword argument 'barbican_endpoint_type'"
  which is due to old version of castellan.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] https://github.com/PyCQA/bandit/pull/615
[3] https://github.com/PyCQA/bandit/issues/663
[4] https://github.com/PyCQA/bandit/issues/665

Change-Id: I4b33c2544c911bd68ed8af4c754c9f5dc0c93be8

lower-constraints.txt

@@ -7,7 +7,7 @@ astroid==1.3.8
 Babel==2.3.4
 bandit==1.1.0
 cachetools==2.0.1
-castellan==0.16.0
+castellan==0.18.0
 certifi==2018.1.18
 cffi==1.11.5
 chardet==3.0.4
@@ -15,7 +15,7 @@ cliff==2.11.0
 cmd2==0.8.1
 contextlib2==0.5.5
 coverage==4.0
-cryptography==2.1
+cryptography==2.1.4
 debtcollector==1.2.0
 decorator==4.2.1
 deprecation==2.0
@@ -27,13 +27,13 @@ eventlet==0.18.2
 extras==1.0.0
 fasteners==0.14.1
 fixtures==3.0.0
-flake8==2.5.5
+flake8==2.6.0
 future==0.16.0
 futurist==1.6.0
 gitdb2==2.0.3
 GitPython==2.1.8
 greenlet==0.4.13
-hacking==0.12.0
+hacking==1.1.0
 idna==2.6
 imagesize==1.0.0
 iso8601==0.1.12
@@ -100,7 +100,7 @@ pyinotify==0.9.6
 pylint==1.4.5
 PyMySQL==0.7.6
 pyOpenSSL==17.5.0
-pyparsing==2.2.0
+pyparsing==2.4.2
 pyperclip==1.6.0
 python-barbicanclient==4.6.0
 python-congressclient==1.9.0
@@ -135,7 +135,6 @@ sqlalchemy-migrate==0.11.0
 SQLAlchemy==1.0.10
 sqlparse==0.2.4
 statsd==3.2.2
-stestr==2.0.0
 stevedore==1.20.0
 Tempita==0.5.2
 tenacity==4.4.0

requirements.txt

@@ -22,7 +22,7 @@ keystonemiddleware>=4.17.0 # Apache-2.0
 testtools>=2.2.0 # MIT
 yaql>=1.1.3 # Apache 2.0 License
 debtcollector>=1.2.0 # Apache-2.0
-cryptography>=2.1 # BSD/Apache-2.0
+cryptography>=2.1.4 # BSD/Apache-2.0
 
 # For paste.util.template used in keystone.common.template
 Paste>=2.0.2 # MIT
@@ -48,4 +48,4 @@ oslo.i18n>=3.15.3 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.upgradecheck>=0.1.0 # Apache-2.0
 semantic-version>=2.8.2 # BSD
-castellan>=0.16.0 # Apache-2.0
+castellan>=0.18.0 # Apache-2.0

test-requirements.txt

@@ -18,7 +18,7 @@ pycodestyle>=2.0.0 # MIT License
 requests>=2.14.2 # Apache-2.0
 stestr>=1.0.0 # Apache-2.0
 murano-pkg-check>=0.3.0 # Apache-2.0
-bandit>=1.1.0,!=1.6.0 # Apache-2.0
+bandit>=1.1.0,!=1.6.0,<=1.6.2 # Apache-2.0
 
 # Some of the tests use real MySQL and Postgres databases
 PyMySQL>=0.7.6 # MIT License

tox.ini

@@ -133,6 +133,7 @@ commands = bindep test
 usedevelop = False
 
 [testenv:lower-constraints]
+install_command = pip install {opts} {packages}
 basepython = python3
 deps =
   -c{toxinidir}/lower-constraints.txt