Since we removed certificate order, we no longer have to maintain
this logic.
This also removes the release note for deprecation of Symantec
certificate plugin, which was added during this cycle, because
the plugin is also being removed by this change.
Change-Id: I8e901024677e889d05ad8653389fb46487bc7745
It was announced that this resource will be removed in Pike release.
Multiple cycles have passed since then, so we may be really ready to
remove it.
Note that this is the first step and removes only API layer logic.
Further logic removal will be done in the subsequent change.
Change-Id: Ib0eb3b11815b40237d42735097076b7c89cf9516
Add the warnings fixture so we can catch deprecation warnings earlier.
Change-Id: I37a349237470beb60240d0b6c208aa75f2a075ac
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This functional test was being skipped, but seems to pass. Others
currently being skipped still do not pass.
Change-Id: If20fc134ff55494915b58872122888823edf31b3
Python 2 is no longer supported, thus usage of six can be removed.
Also, this removes B314 test from documentation because its actual
implementation was already removed[1].
[1] 9dbeefb55e
Change-Id: Ib01714e6462470dd5c3f6f06b52a3afeff573696
This patch modifies the Consumer controller to enable the use of
ownership information in policy checks. e.g. policies that use a target
container:
project_id:%(target.container.project_id)
Story: 2009664
Task: 43872
Depends-On: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999
Change-Id: I1724152839f0f5850f8d32d40b36d1670c0ad996
Users with the "creator" role on a project can now delete secrets owned
by the project even if the user is different than the user that
originally created the secret. Previous to this fix a user with the
"creator" role was only allowed to delete a secret owned by the project
if they were also the same user that originally created it, which was
inconsistent with the way that deletes are handled by other OpenStack
projects that integrate with Barbican.
This change does not affect the policy for deleting private secrets
(i.e. secrets with the "project-access" flag set to "false").
Story: 2009791
Task: 44324
Change-Id: Ie3e3adc1ee02d770de050f5cfa8110774bb1f661
This patch fixes the Castellan secret store use of SecretDTO objects,
which require that the "secret" member be base64 encoded. [1]
Prior to this fix all secrets that were generated were stored in
plaintext, but secrets coming in through the API were base64 encoded
before being stored in the backend.
On secret retrieval the Castellan plugin wrongly assumed everything in
the backend was encoded, so attempts to retrieve generated keys failed.
This patch fixes this inconsistency by always storing data un-encoded in
the backend.
A helper method was added to sort out the inconsistent data stored prior
to this fix.
A "version" property was added to the Castellan plugin metadata that is
stored in barbican to help differentiate secrets stored prior to this
fix vs secrets stored after this fix.
Story: 2008335
Task: 41236
[1]
https://opendev.org/openstack/barbican/src/tag/12.0.0/barbican/plugin/interface/secret_store.py#L356
Change-Id: I46fe77a471bf7927a24ca4d64dfccb385cd6402e
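
The read path described in the commit message above, sketched as an added example (not code from the Barbican change). The function names, the version value and the base64 heuristic used for legacy records are assumptions; the sample secrets are constructed.

```python
import base64
import binascii

# Assumed marker value; the commit message only says a "version" property exists.
PLUGIN_VERSION = "1"


def store(raw):
    """Post-fix write path: the backend holds raw bytes, metadata is versioned."""
    return raw, {"version": PLUGIN_VERSION}


def _looks_base64(blob):
    """True if blob is canonical base64 (strict alphabet and padding)."""
    try:
        return base64.b64encode(base64.b64decode(blob, validate=True)) == blob
    except (binascii.Error, ValueError):
        return False


def dto_secret(stored, metadata):
    """Return the base64 value that SecretDTO's "secret" member requires."""
    if metadata.get("version") is not None:
        # Stored after the fix: always raw, so always encode.
        return base64.b64encode(stored)
    # Stored before the fix: API secrets were already base64, generated
    # secrets were raw. Without a version marker the only signal is the
    # data itself, which is why new records carry one.
    if _looks_base64(stored):
        return stored
    return base64.b64encode(stored)


if __name__ == "__main__":
    legacy_generated = bytes(range(250, 256)) + b"\x00\x01"   # raw key bytes
    legacy_api = base64.b64encode(b"constructed-api-secret")  # encoded on write
    new_blob, new_meta = store(b"QUJD")  # raw secret that is itself valid base64
    for blob, meta in ((legacy_generated, {}), (legacy_api, {}),
                       (new_blob, new_meta)):
        print(base64.b64decode(dto_secret(blob, meta)))
```

The third sample shows why the marker matters: a raw secret that happens to be valid base64 is only handled correctly because its metadata says it was written after the fix.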
The default maximum allowed size is too small for some certificates.
This patch doubles the allowed size from 10Kb to 20Kb, and raises the
maximum request size by the same amount.
Change-Id: I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1
Add new system scope specific RBAC rules for the secretstore API.
The new rules allow all roles to list and get secret stores.
Change-Id: Ibb19e9854e8bafd2a454c0792503c6f4360e7cf7
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found by updated hacking version.
Update local hacking checks for new flake8, remove
test B314 since that tests difference between Python 2 and 3,
there's no need to advise using six anymore.
Use oslotest.base directly, this fixes the hacking tests.
Remove ddt usage in testsuite, it does not work with current hacking
version anymore.
Change-Id: Iee4584c6fde08728c017468d9de1db73f2c79d8d
This patch updates the gate jobs to stop using legacy
jobs and use the new Zuul v3 jobs instead.
The tempest tests will be re-enabled in a future patch.
Depends-On: I5d2bda5e653ee5d7c17cb7697247802916bdc5f7
Change-Id: Id91f44e8053cf4f40224959021d43736d5525107
`sphinx-build` command is not found in test-env.
To fix pep8, also blacklist the new bandit warning B105, this will
be fixed in a followup.
Change-Id: Ic1b8c3a4bfd67fff082297b881df66ffb9ca2c50
1. The oslo project provides jsonutils, and barbican uses it in many places [1];
this PS updates the remaining json module usages to oslo jsonutils for
consistency.
2. Update the primary jsonutils to use the alias json.
[1]: https://github.com/openstack/barbican/search?utf8=%E2%9C%93&q=jsonutils&type=
Change-Id: I958a711db17bb1aa86fc4cd23c00cec185b84ab2
This patch fixes the secret tests for multiple backends. The tests
were assuming that there would be at least two configured backends
when multiple backends is enabled. All these tests fail when
testing a deployment that has multiple backends = True but only
one configured backend.
Change-Id: I177096155592e14bfe617dd4b79b1e052de3e8c5
This patch fixes some broken tests that were incorrectly
looking for a "secret-stores" key in API responses. The
correct key is "secret_stores".
Change-Id: Ia42d14a1163f53d220e243ae0ecd5138e278db14
This patch fixes two tests that fail if the barbican service
under test is not listening on localhost.
Change-Id: I541ee6a44bd86fbd963930dd2423fb9af833eec1
Notably, these should include X-Openstack-Request-Id which will help
correlate server logs with test failures.
Change-Id: I7471afb30afceb9e44b30e6749a022ef3d005a36
Work with 389-ds-base-1.4.0.20. Following
https://pagure.io/389-ds-base/c/4fd73c5 `dscreate fromfile`
got renamed to `dscreate from-file`.
Save dogtag server files for future debug.
Removed pip install of dogtag-pki which installed old Dogtag client code.
Temporarily skipping paging tests and making grenade non-voting.
Change-Id: I4bbc3d39c8d4a3591374e5c4a733a987f001a896
Allow for setting the PKCS#11 encryption and hmac algorithms
in the config file.
This patch also implements CKM_AES_CBC encryption and
decryption.
Change-Id: I847b4b17df51bc4846c37a1e19e6adec76f46b38
Co-Authored-By: Ade Lee <alee@redhat.com>
Vault secretstore plugin doesn't support asymmetric key generation for
now, so disable the related functional tests.
With this patch, the following functional tests should be skipped:
api.v1.functional.test_orders.OrdersTestCase.test_encryption_using_generated_key
api.v1.functional.test_rsa.RSATestCase.test_rsa_order_certificate_from_ordered_container
api.v1.functional.test_rsa.RSATestCase.test_rsa_order_certificate_from_ordered_container_with_pass
api.v1.functional.test_rsa.RSATestCase.test_rsa_order_container
api.v1.functional.test_rsa.RSATestCase.test_rsa_order_container_with_passphrase
Change-Id: If416f38cb87bdb279a05263b99b5f2af916c1229
According to an OpenStack summit session [1],
stestr is a maintained project to which all OpenStack projects should migrate.
Let's switch to stestr as other projects have already moved to it.
[1] https://etherpad.openstack.org/p/YVR-python-pti
Change-Id: Iee69eae0043a401eb355a1fcb957879904882e85
PyKMIP changes:
The CredentialType is no longer imported into the credentials
module. Fixed the reference. Skipping the accept header tests
till the webob fix is available.
WebOb 1.8.1 changes:
This patch updates the Accept header logic that was broken
by the update in the WebOb dependency.
In the interest of time I had to comment out four functional tests
that will require further work in the content negotiation logic so
we can get the gate working again.
Also shame on the WebOb folks for not bumping the major version
on this breaking change.
Change-Id: Ie4d0df0cca2c79686830931e96b11bbc97a41c5b
Story: 2002122
Currently, some gates are failing with logs like this:
"""
b'Response: {"description": "Provided object does not match schema
\'Secret\': \'expiration\' is before current time.
Invalid property: \'expiration\'", "title": "Bad Request", "code": 400}'
"""
So it is necessary to update the time to create secrets successfully.
Change-Id: I59707cdf21f6843dbd7db30978e21cff72756e67
Removes Certificate Orders and CAs from the Barbican
API Controller. This patch also removes any tests associated
with those controllers.
Co-Authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
Change-Id: Iead0336a19ce58b8b2bb1f9af5e6dd3688fe91fc
Dogtag doesn't actually need the mode parameter to be
stored in metadata. We remove it from the generation case
because passing back a None value for the metadata breaks
metadata validation.
Added a functional test for no value passed in for the mode
in the order request.
Change-Id: I216f887875b1306604dd370301ac463cccbb2fa9
In Python3, assertRegexpMatches & assertNotRegexpMatches
are deprecated in favor of assertRegex and assertNotRegex
Change-Id: I5966bf52b86e3b7ce7fb0f75c662af15a50c122e
The functional test that checks secret expiration fails
intermittently because sometimes, when the gate is slow,
the secret expires too quickly for the test.
This patch adds an extra 10 seconds so the test will pass
more consistently, while still maintaining the integrity
of the test.
Change-Id: I2f0df9b42dd2bf9dd600948164532fd31bb2a0d3
Closes-Bug: #1499673
Probably the most common format for documenting arguments is reST field
lists [1]. This change updates some docstrings to comply with the field
lists syntax.
Change-Id: I7ab0f078796c2f0078d437e5b8c9450a30c16f62
Castellan unintentionally can't handle a barbican URL that has a path in
addition to the hostname, such as http://ip-address/key-manager, unless
it is followed by a forward slash (http://ip-address/key-manager/ ). We
should either revert this change before rc1 or merge
https://review.openstack.org/#/c/491942/, make a new release of
Castellan, and beg for a change in upper-constraints for castellan to
handle the new release.
This reverts commit 508a34e23c.
Change-Id: Iceb3a5fa890d64468cd6e7f5dec297d11a274d20
This commit switches barbican to use the devstack common functions for
deploying a wsgi app under uwsgi and apache. This will make the barbican
deployment consistent with the other services.
Change-Id: I8429e9a8f0db98c5f5a345190be71cae862af845
The 'message' attribute has been deprecated and removed
from Python3.
For more details, please check:
https://www.python.org/dev/peps/pep-0352/
Change-Id: I84053cacdd5101a4293c3491ade5296cea51439a