Vault Namespaces [0] is a feature available in Vault Enterprise that
can be considered as a more advanced isolation feature on top of the current
KV Mountpoint option in the Castellan Vault plugin.
Passing a namespace in all request headers (including Auth) allows organizing
a Vault-in-Vault style of isolation, with clients using the same simple URI path
but accessing separate sets of entities in Vault.
[0] https://www.vaultproject.io/docs/enterprise/namespaces
Change-Id: I627c20002bb2a0a1b346b57e824f87f856eca4c9
Introduced changes:
- pre-commit config and rules
- Add pre-commit to pep8 gate, Flake8 is covered in the pre-commit hooks.
- Applying fixes for pre-commit compliance in all code.
Also, commit hashes will be used instead of version tags in pre-commit to
prevent arbitrary code from running on developers' machines.
pre-commit will be used to:
- trailing whitespace;
- Replaces or checks mixed line ending (mixed-line-ending);
- Forbid files which have a UTF-8 byte-order marker (check-byte-order-marker);
- Checks that non-binary executables have a proper
shebang (check-executables-have-shebangs);
- Check for files that contain merge conflict strings (check-merge-conflict);
- Check for debugger imports and py37+ breakpoint()
calls in python source (debug-statements);
- Attempts to load all yaml files to verify syntax (check-yaml);
- Run flake8 checks (flake8) (local)
For further details about tests please refer to:
https://github.com/pre-commit/pre-commit-hooks
Change-Id: I35e092c472e5d564ebc9bb6c2a4f6d40b54ff120
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
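As an added illustration of the pinning rule in the commit message above (not part of the commit or of Castellan's code), this check flags any remote hook repository in a `.pre-commit-config.yaml` whose `rev` is not a full 40-character commit hash. It assumes the conventional layout with `repo:` before `rev:`; the function name, the `example.invalid` repositories and every hash are constructed.

```python
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
KEY = re.compile(r"^-?\s*(repo|rev):\s*(\S+)")

# Constructed sample config; hashes and example.invalid repos are placeholders.
SAMPLE = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 0123456789abcdef0123456789abcdef01234567  # constructed hash
    hooks:
      - id: trailing-whitespace
      - id: check-merge-conflict
  - repo: https://example.invalid/hooks-a
    rev: v1.2.3
    hooks:
      - id: some-hook
  - repo: https://example.invalid/hooks-b
    rev: a1b2c3d
    hooks:
      - id: other-hook
  - repo: local
    hooks:
      - id: flake8
        name: flake8
        entry: flake8
        language: system
"""

def unpinned_hooks(config_text):
    """Return (repo, rev) pairs whose rev is a tag, branch or short hash."""
    findings, repo = [], None
    for raw in config_text.splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop trailing comments
        m = KEY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if key == "repo":
            # 'local' and 'meta' repos fetch nothing, so they carry no rev.
            repo = None if value in ("local", "meta") else value
        elif repo and not FULL_SHA.match(value.lower()):
            # Tags and branches can be moved upstream; short hashes are ambiguous.
            findings.append((repo, value))
    return findings

if __name__ == "__main__":
    for repo, rev in unpinned_hooks(SAMPLE):
        print(f"unpinned: {repo} rev={rev}")
```
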
This patch bumps bandit allowed version to >=1.6.0,<1.7.0 in order to
avoid the errors detailed here https://github.com/PyCQA/bandit/pull/393
Change-Id: Id913a9c9bedb7eb1366ac534ec1371945b0918a6
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found by updated hacking version.
Change-Id: I4f24c0fa5178f15912db899fcf26ca11480eab21
This patch adds a `pdf-docs` tox target that will build
PDF versions of our docs. As per the Train community goal:
https://governance.openstack.org/tc/goals/selected/train/pdf-doc-generation.html
Add sphinxcontrib-svg2pdfconverter to doc/requirements.txt
to convert our SVGs.
This PR also introduces the docs testenv and a doc
requirements.txt file.
Change-Id: If782737efe7114422be9cc3fc586500a2065f07e
Story: 2006072
Bandit 1.6.0 accidentally changed how the exclusion list option is
handled and breaks our use of it. Cap to the previous version until
Bandit has fixed the problem.
Sphinx 2.0 no longer works on python 2.7, so we need to start capping
it there as well.
Change-Id: I659571d084247a6a180d5b665921791d3647038f
Reference: https://github.com/PyCQA/bandit/pull/489
This driver is an oslo.config backend driver implemented with
Castellan. It extends oslo.config's capabilities by enabling it
to retrieve configuration values from a secret manager behind
Castellan.
Change-Id: Id7cf99bea5788e0a6309461a75eaa8d08d29641b
Signed-off-by: Moises Guimaraes de Medeiros <moguimar@redhat.com>
According to OpenStack summit session [1],
stestr is a maintained project to which all OpenStack projects should migrate.
Let's switch to stestr as other projects have already moved to it.
[1] https://etherpad.openstack.org/p/YVR-python-pti
Change-Id: I644c28acb04451113849691cd64c209258cef7d7
Since we added a vault driver, we should add a functional job
so updates to castellan won't break the vault integration.
Change-Id: I4c15359618f907a9927ff6a4a730c10f429c0ec8
As part of the docs migration work[0] for Pike we need to switch to use
the openstackdocstheme.
[0] https://review.openstack.org/#/c/472275/
Change-Id: I56c71ed3efd01b254567fbae5b35f8270261473b
This change is being proposed as part of the OpenStack Security Project
working session at the Austin 2016 summit. It adds support for running
the bandit[1] security linting tool against the Castellan codebase.
This change adds a targeted environment for bandit and also adds
bandit as part of the pep8 job.
The bandit configuration has been tailored to exclude tests that are
currently producing warnings against the codebase. These issues will be
followed up with bug reports and patches.
At the time of submission, Castellan passes all Bandit tests configured
in tox.
[1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit
Change-Id: I19368d3440ad5dc862e7d91f7890f9b1901fced3
Adds the first usable key manager plugin to Castellan. While there is an
implementation of a mock key manager in the test directories, it is used
only for testing.
This code is based on the barbican key manager code in Nova written by
Brianna Poulos. See: https://review.openstack.org/#/c/104001/
The Barbican API version info will be read from a config option until
the Barbican Version API is fixed. See fix-version-api blueprint.
Implements: blueprint add-barbican-key-manager
Co-authored-by: Brianna Poulos <brianna.poulos@jhuapl.edu>
Change-Id: Ia27cd831f42c6b027778240b3396b1c4149dc689