From 6bad01e32dd9d0dd142910ffa710997d8917735d Mon Sep 17 00:00:00 2001
From: Shyam Singh
Date: Wed, 17 Jun 2020 17:13:58 +0530
Subject: [PATCH] Upgrade for stable/stein branch

* Added bandit to find common security issues in 'tox.ini'.
* Updated test-requirements.txt with relevant 'stable/stein' branch libraries.
* Added zuul jobs w.r.t. 'stable/stein' release.
* Added F601,W503,W504,W605 errors in flake8 ignore.

Change-Id: I0a1ef1f9b99dce8fa95c74e21df119069b6dcbe4
---
 .zuul.yaml | 12 ++++++------
 gbpclient/gbp/v2_0/groupbasedpolicy.py | 4 ++--
 test-requirements.txt | 5 +++--
 tox.ini | 19 ++++++++++++++++---
 4 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index 155b211..8a77720 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -14,26 +14,26 @@
 - openstack-tox-pep8:
 required-projects:
 - name: openstack/requirements
- override-checkout: stable/rocky
+ override-checkout: stable/stein
 - openstack-tox-py27:
 required-projects:
 - name: openstack/requirements
- override-checkout: stable/rocky
+ override-checkout: stable/stein
 - openstack-tox-py35:
 required-projects:
 - name: openstack/requirements
- override-checkout: stable/rocky
+ override-checkout: stable/stein
 gate:
 jobs:
 - openstack-tox-pep8:
 required-projects:
 - name: openstack/requirements
- override-checkout: stable/rocky
+ override-checkout: stable/stein
 - openstack-tox-py27:
 required-projects:
 - name: openstack/requirements
- override-checkout: stable/rocky
+ override-checkout: stable/stein
 - openstack-tox-py35:
 required-projects:
 - name: openstack/requirements
- override-checkout: stable/rocky
+ override-checkout: stable/stein
diff --git a/gbpclient/gbp/v2_0/groupbasedpolicy.py b/gbpclient/gbp/v2_0/groupbasedpolicy.py
index 1d0c836..88af9c3 100644
--- a/gbpclient/gbp/v2_0/groupbasedpolicy.py
+++ b/gbpclient/gbp/v2_0/groupbasedpolicy.py
@@ -596,7 +596,7 @@ class CreateL3Policy(neutronV20.CreateCommand):
 self.get_client(), 'external_segment',
 list(external_segment.keys())[0])
 ipaddrs = next(iter(external_segment.values()))
- if ipaddrs is "":
+ if ipaddrs == "":
 ipaddrs = []
 else:
 ipaddrs = next(iter(external_segment.values())).split(':')
@@ -679,7 +679,7 @@ class UpdateL3Policy(neutronV20.UpdateCommand):
 self.get_client(), 'external_segment',
 list(external_segment.keys())[0])
 ipaddrs = next(iter(external_segment.values()))
- if ipaddrs is "":
+ if ipaddrs == "":
 ipaddrs = []
 else:
 ipaddrs = next(iter(external_segment.values())).split(':')
diff --git a/test-requirements.txt b/test-requirements.txt
index 77aceb7..22ef06c 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,8 +1,9 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
-hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+hacking>=1.1.0 # Apache-2.0
+bandit>=1.1.0,<1.6.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 flake8-import-order==0.12 # LGPLv3
 httpretty>=0.8.0,!=0.8.1,!=0.8.2,!=0.8.3
@@ -10,7 +11,7 @@ oslotest>=3.2.0 # Apache-2.0
 python-openstackclient>=3.12.0 # Apache-2.0
 sphinx!=1.6.6,>=1.6.2 # BSD
 oslosphinx>=4.7.0 # Apache-2.0
-stestr>=1.0.0 # Apache-2.0
+stestr>=2.0.0 # Apache-2.0
 testrepository>=0.0.18 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT
 testscenarios>=0.4 # Apache-2.0/BSD
diff --git a/tox.ini b/tox.ini
index 72f74dc..6ed557f 100644
--- a/tox.ini
+++ b/tox.ini
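Review bot: The `else` branch in the `CreateL3Policy` hunk calls `next(iter(external_segment.values()))` a second time instead of reusing the `ipaddrs` value bound three lines earlier, and the `UpdateL3Policy` hunk at -679 repeats the same five lines. With the comparison now done by value, both sites reduce to `ipaddrs = [] if ipaddrs == "" else ipaddrs.split(':')`, which keeps the behaviour and removes the duplicate lookup. A one-line comment would also help the next reader: `# "" must map to [] because "".split(':') returns ['']`. The enclosing methods start and end outside both hunks, so whether a non-string value can reach `.split` here cannot be judged from the patch.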
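Review bot: `hacking>=1.1.0` in the first test-requirements.txt hunk has no upper bound, whereas the line it replaces was capped (`<0.14`) and the new `bandit` line beside it is capped too. If linters are excluded from the upper-constraints file, as is usual for OpenStack projects, this range is the only bound, so a later hacking release could add checks and fail the pep8 job on a stable branch with no change in this repository. A cap such as `hacking>=1.1.0,<1.2.0 # Apache-2.0` keeps the lint set fixed for the branch.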
@@ -11,14 +11,16 @@ setenv = VIRTUAL_ENV={envdir}
 usedevelop = True
 install_command = pip install {opts} {packages}
 deps =
- -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/rocky}
+ -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/stein}
 -r{toxinidir}/requirements.txt
 -r{toxinidir}/test-requirements.txt
 commands = stestr run {posargs}
 [testenv:pep8]
 basepython = python2.7
-commands = flake8
+commands =
+ flake8
+ {[testenv:bandit]commands}
 distribute = false
 [testenv:venv]
@@ -37,12 +39,23 @@ basepython = python3
 commands=
 sphinx-build -W -b html doc/source doc/build/html
+[testenv:bandit]
+basepython = python2.7
+# B303: blacklist calls: md5, sha1
+# B112: Test for a continue in the except block
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r {toxinidir}/gbpclient -x {toxinidir}/gbpclient/tests -n5 -s B303,B112
+
 [flake8]
 # E125 continuation line does not distinguish itself from next logical line
+# F601 dictionary key name repeated with different values - REVISIT
 # H302 import only modules
+# W503 line break before binary operator - REVISIT
+# W504 line break after binary operator - REVISIT
+# W605 invalid escape sequence - REVISIT
 #
 # REVISIT: Fix code and remove E129,E251,H305,H307,H405,H904 added for
 # hacking 0.9.2
-ignore = E125,H302,E129,E251,F601,H305,H307,H405,H904,W503,W504,W605
+ignore = E125,H302,E129,E251,F601,H305,H307,H405,H904,W503,W504,W605
 show-source = true
 exclude=.venv,.git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,tools
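Review bot: The new `[testenv:bandit]` command turns B303 and B112 off for the whole of `gbpclient` (`-s B303,B112`), and the two comments above it name the checks without saying why they are skipped. If the skips cover a few known call sites, marking those lines with `# nosec` and dropping `-s` keeps both checks active for new code; otherwise the comment should record the reason and carry the same `- REVISIT` marker used in the `[flake8]` section. The env's `deps` line also omits the `-c{env:UPPER_CONSTRAINTS_FILE:...}` entry that `[testenv]` uses, so a direct `tox -e bandit` run installs test-requirements unconstrained, unlike the bandit run chained into `pep8`. In the `[flake8]` part of the same hunk, F601 is added to `ignore`; a repeated dict key silently overwrites the earlier value, so the flagged sites are worth fixing rather than leaving the check off.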