* Update barbican from branch 'master'
to 91e44b667fe379a22a1af37e4de24d0b0f6220c7
- Merge "Fix wrong plugin name"
- Fix wrong plugin name
The kmip_crypto secret plugin does not exist.
Change-Id: I2cd280e054cce30fd2cb76a2158d3d5bfb3e0c04
* Update barbican from branch 'master'
to ca57ef5436e20e90cf6cd6853efe3c89a9afd986
- Use explicit default instead of implicit fallback
[p11_crypto_plugin] mkek_length has no default but the logic uses
implicit default value (32) internally.
Change-Id: I8743457aab9f0ce4982fcb9255dc86050b791308
* Update barbican from branch 'master'
to b6edfda3443f80b20915e020143573b84114a252
- Merge "Drop all remaining logics for certificate resources"
- Drop all remaining logics for certificate resources
Since we removed certificate order, we no longer have to maintain
these logics.
This also removes the release note for deprecation of symantec
certificate plugin, which was added during this cycle, because
the plugin is also being removed by this change.
Change-Id: I8e901024677e889d05ad8653389fb46487bc7745
* Update barbican from branch 'master'
to 33d188e0afdbbc7a781c9b7de36226790c98e089
- Merge "Prohibit certificate order resource"
- Prohibit certificate order resource
It was announced that this resource will be removed in Pike release.
Multiple cycles have passed since then, so we may be really ready to
remove it.
Note that this is the first step and removes only API layer logic.
Further logic removal will be done in the subsequent change.
Change-Id: Ib0eb3b11815b40237d42735097076b7c89cf9516
* Update barbican from branch 'master'
to 8f92d6f5085428d200bd5b6b6adf00c25075fb2b
- Update devstack plugin for Secure RBAC
This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.
The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.
Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
* Update barbican from branch 'master'
to 5a458ecc98c0b799cfa84ca8ea08d43ec1dc6ad8
- Merge "Update python classifier in setup.cfg"
- Update python classifier in setup.cfg
As per the current release tested runtime, we test
till python 3.11 so updating the same in python
classifier in setup.cfg
Change-Id: I3d018102a9390ff4ba2a00c09025fcee28b37423
* Update barbican from branch 'master'
to da1ebfc7f5a4f11a7361846814e3f9b8e6e56cf8
- Merge "Fix releasenotes build of yoga moved to unmaintained"
- Fix releasenotes build of yoga moved to unmaintained
The stable/yoga branch has been deleted and replaced with the
unmaintained/yoga branch, update the reno config accordingly.
Co-Authored-By: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I442eb5dcdb04d2dbeb5925f200257524abb53868
* Update barbican from branch 'master'
to 1250e8dc25a1c4ce230de9b13a9af62f6be206d6
- Merge "Simplify .coveragerc"
- Simplify .coveragerc
We check only files in the barbican directory so can use the source
option.
Change-Id: I3b5ddb6ed73d558db42031618e2e1bee3318ffa2
* Update barbican from branch 'master'
to 2316790cda734522aae5333031cbaf0daf704d51
- Merge "Enable SRBAC test"
- Enable SRBAC test
The previous patch in this chain disables rbac to work around a chicken
and egg problem with updating the tempest tests.
This patch re-enables the SRBAC test.
Depends-On: I735cefe2b1cb4eb09c9770f0bdc738ffeee34f0e
Change-Id: I239c3e9980a1fff1cdc0e72f75e861ded8248857
* Update barbican from branch 'master'
to 73de2e8c3557706eb8bde74d69e5ee32ff6fc4e0
- Get rid of unused periodic_task
Currently Barbican is not using the periodic_task framework implemented
in oslo_service but implements its own mechanism based on the lower-
level thread group.
Change-Id: Idc69d61e07826923f3227aad6249252c3f739362
* Update barbican from branch 'master'
to 6acb4f8d241e94c97341589d349502fc6ea42924
- Remove unused wsgi/ssl options from oslo.service
Barbican does not provide wsgi server based on oslo.service library,
thus these options are not used.
Change-Id: I74c67b61796bcc7e5418144b10134e6171b1777f
* Update barbican from branch 'master'
to 85fbe403fe74f8dd3637ecb1758b10d9867290d0
- Merge "Remove unnecessary comment lines from setup.cfg"
- Remove unnecessary comment lines from setup.cfg
These lines have been kept so long without being commented in, so are
not needed.
Change-Id: I742d793169828cae97ea617c1b025d98672487e3
* Update barbican from branch 'master'
to 47f4df915fc08bd9b5a76f1a11d279ecac4e7a04
- Merge "Fix zuul config warning"
- Fix zuul config warning
This change resolves the following warning detected by zuul.
All regular expressions must conform to RE2 syntax, but an
expression using the deprecated Perl-style syntax has been detected.
Adjust the configuration to conform to RE2 syntax.
The RE2 syntax error is: invalid perl operator: (?!
Change-Id: I0c1be68030470b88dd4268d509e4c445667dc645
* Update barbican from branch 'master'
to 04f91f01d3e23293ee549c4dd3a15b5715656e01
- Merge "pkcs11: Remove deprecated token_label option"
- pkcs11: Remove deprecated token_label option
It was deprecated in favor of the token_labels option some cycles
ago[1].
[1] 1ca03610d7257c782b11d6bcf54074d66a79c545
Change-Id: I20b15e23f06af8df86d888e86081058b8c96a77a
* Update barbican from branch 'master'
to 15bb4e180b08288938592d32f8c3449d97b1521d
- Merge "Fix python shebang"
- Fix python shebang
The current shebang requires /usr/bin/python which is not available in
Ubuntu Jammy by default.
Change-Id: Id64d6bba35e3dcecac7772964b81aea51661b6cb
* Update barbican from branch 'master'
to 7decf74ae5c066bfde1d1dc658c9746590db1ef4
- Merge "Enable Secure RBAC by default"
- Enable Secure RBAC by default
This patch sets both `enforce_new_defaults` and `enforce_scope` to the
default value of `True` as the next step in the implementation of Secure
RBAC [1].
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Change-Id: I935cb34877c8edf62f33f1ba1fe31c942780b3a0
* Update barbican from branch 'master'
to a3c0df0435cb2911b60e709081a00d41a4b5315a
- Merge "Use consistent [database] options"
- Use consistent [database] options
Currently Barbican is not using oslo.db to set up database connection
but its own implementation directly using sqlalchemy. Because of this
the database parameters were not updated and these are based on
the names in quite old oslo.db library.
This change updates the database options so that the names of these
parameters become consistent with oslo.db.
This would help us replace current own implementation by oslo.db in
the future.
Change-Id: I36926e62842780068f7e66564233c121c37565d0
* Update barbican from branch 'master'
to 4fb8df1e8e4e852627426008adad157b075316a4
- Replace deprecated pyOpenSSL API
This was removed [1] recently and is preventing us bumping the upper
constraint.
[1] 0035c11382
Change-Id: I77debbfa35a8eeeb30ce83a32954da21d9c9ba62
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to 6dc5a6c8d3af1d01058da6067fa062624752143e
- Merge "Deprecate Symantec certificate plugin"
- Deprecate Symantec certificate plugin
This plugin has never been updated for 7 years. This plugin requires
the symantecssl library but the library can't be found on the Internet
and is not generally available. We have never tested it in upstream
CI because of lack of that dependent library.
Change-Id: I26493c2b0130f3cb86d866bd08fa5bbacbcc4725
* Update barbican from branch 'master'
to 02a3e5e3d624b917a94d176a90b3b05cbea73e6c
- Merge "Revert "Temporarily make sqlalchemy master job no-voting""
- Revert "Temporarily make sqlalchemy master job no-voting"
This reverts commit 2e89feed005437bf1bdbefb3311f7140f4010f28.
Reason for revert:
The new oslo.utils version is now available in upper constraints.
Change-Id: I088584c65eae2a9930e37eff3377ad10b2a795f3
* Update barbican from branch 'master'
to ebc296e3c23fb06031ed405922bf5757b3720588
- Merge "Update master for stable/2023.2"
- Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I78055f46d39df17cb373de1e56fe9ef4598ecfe9
* Update barbican from branch 'master'
to 2e89feed005437bf1bdbefb3311f7140f4010f28
- Temporarily make sqlalchemy master job no-voting
The job is currently broken because of [1].
[1] https://bugs.launchpad.net/oslo.utils/+bug/2042886
Change-Id: I131bd8e54e34bf953ad043842232927c00ee68c7
* Update barbican from branch 'master'
to fa8e52ccb7c81d6dbd61e36d60230917f4654943
- Merge "Update secret:delete policy to allow admin to delete secret"
- Update secret:delete policy to allow admin to delete secret
Currently a secret can be orphaned if the project that owns it
is deleted by a user that doesn't have permission on the
project.[1]
The orphan secret cannot be deleted because the current rule
enforces a scoped token on that project to delete it (that
doesn't exist anymore).
To solve this issue, it's necessary to override the secret:delete
policy rule to allow the cloud admin to delete it.
The secret:get policy rule also needed to be changed because the
Python Barbican client gets the secret to check if it has
consumers before actually deleting it. This patch is making these
updates by default.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1932705
Co-author: Mauricio Harley <mharley@redhat.com>
Change-Id: Id755a9efd896b900d31eca93c0136398ed1925b8
* Update barbican from branch 'master'
to 8830b38b46c3880b696608022250ab9b55adb222
- Merge "Vault: enable RSA from ordered container functional test"
- Vault: enable RSA from ordered container functional test
This functional test was being skipped, but seems to pass. Others
currently being skipped still do not pass.
Change-Id: If20fc134ff55494915b58872122888823edf31b3
* Update barbican from branch 'master'
to 43d8643bb9222bac874d9163a5d3cea3d2462ef5
- Merge "Bump Hashicorp Vault version to 1.13.2"
- Bump Hashicorp Vault version to 1.13.2
We are currently testing with a very old version
and we should try with a newer one.
Change-Id: I8f6a1d80734c782f2da08a0b196342fe05fdbd3d
* Update barbican from branch 'master'
to 59553828943f237db3862c338e1be7dca2947605
- Merge "Logrotate all log files"
- Logrotate all log files
Depending on the paste configuration there
might be other log files in log directory
that need to be rotated.
Also removes the comment about the
debian directory that does not exist.
Change-Id: I90c50355f84e0e5c3b9fc1940ee6084c01bed97a
* Update barbican from branch 'master'
to a5dc2f60a2cfbb14ac2dd6d1bf6453ad1ad41436
- Merge "Fix missing oslo.versionedobjects library option"
- Fix missing oslo.versionedobjects library option
This ensures the options for oslo.versionedobjects library are
included in the file generated by oslo-config-generator.
Change-Id: I330b0bff32538bf22094257ecff5494af6d8e3d2
* Update barbican from branch 'master'
to de0f9a929bd44c2b1b5d83052159ccba5ec9e234
- Merge "Migrate back to Launchpad"
- Migrate back to Launchpad
Change bug tracker link and other references to StoryBoard
back to Launchpad.
Change-Id: Ifedbf85d8cfbe3a5b439a579dcee1fc6f947f392
* Update barbican from branch 'master'
to c8e3dc14e6225f1d400131434e8afec0aa410ae7
- Merge "db: Replace use of backref"
- db: Replace use of backref
Per the SQLAlchemy docs [1]:
The relationship.backref keyword should be considered legacy, and use
of relationship.back_populates with explicit relationship() constructs
should be preferred.
A blog post is available to explain what's going on here [2] and might
be worth a read. The learnings from that blog post do have the benefit
of allowing us to simplify some existing relationships that had
unnecessary arguments defined.
[1] https://docs.sqlalchemy.org/en/14/orm/backref.html
[2] https://that.guru/blog/sqlalchemy-relationships-without-foreign-keys/
Change-Id: I882e9a918ab1a44b205fc86bbcbb6fef5209ab76
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to 92afa382c47f17019b41ac32d3b5b32e686194bd
- Merge "Add job to test with SQLAlchemy master (2.x)"
- Add job to test with SQLAlchemy master (2.x)
Change-Id: I1283c057d804aa12ea09dad2ca467d2287bf7384
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to 9f5b1e6bf61d478c6cb8ee59644bda23083cef52
- Merge "db: Update 'select()' calls"
- db: Update 'select()' calls
Resolve the following RemovedIn20Warning warning:
The legacy calling style of select() is deprecated and will be removed
in SQLAlchemy 2.0. Please use the new calling style described at
select().
For more information, refer to http://sqlalche.me/e/b8d9.
Change-Id: I59e694358dfb3e6e6d0412a5519a412404260937
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to e8f9d4b5ff5719fbe8c6d8b46f7e9243984e217b
- Merge "db: Replace use of reverse cascades"
- db: Replace use of reverse cascades
Resolve the following RemovedIn20Warning warning:
"SecretStoreMetadatum" object is being merged into a Session along the
backref cascade path for relationship "Secret.secret_store_metadata";
in SQLAlchemy 2.0, this reverse cascade will not take place. Set
cascade_backrefs to False in either the relationship() or backref()
function for the 2.0 behavior; or to set globally for the whole
Session, set the future=True flag
In effect, this means if you have a model that refers to another model,
creating/saving the former will no longer create/save the latter. We
have only one instance of this error - the error message above - and in
our case we are explicitly saving the 'Secret' instance before saving
the 'SecretStoreMetadatum' instance. As such, we can opt-in to the 2.0
behavior with no further changes. We do this for all relationships to be
safe.
More information on this issue can be found at [1].
[1] https://groups.google.com/g/sqlalchemy/c/VoY-qEiJA3U?pli=1
Change-Id: I4b4fa4c224113863643e16153478183447796146
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to c40cb3519529aa12d87894994ba2f24693a3026f
- Merge "tests: Enable SQLAlchemy 2.0 deprecation warnings"
- tests: Enable SQLAlchemy 2.0 deprecation warnings
Well, sort of. We enable them but immediately filter out the ones we're
actually seeing, the rationale being that we can address these in a
piecemeal fashion without the risk of introducing new issues.
There's a bit more to be done here. However, the work done in oslo.db
and other projects [1] should provide a guide for how to resolve the
outstanding issues.
[1] https://review.opendev.org/q/topic:sqlalchemy-20
Change-Id: I36a79377016a6913f2c63cac4c820ad8342ffbf6
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to 962466f71c11c31e2f74a470ef06f84f6ed0b5dd
- Merge "Resolve misc deprecation warnings"
- Resolve misc deprecation warnings
These were highlighted by the new 'WarningsFixture'.
Change-Id: I07beae9c9e518eeaae66d8d6accfdd16753de152
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to 4019cd2c741121e7a7921a4ddb50a225dea7be84
- Merge "Imported Translations from Zanata"
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: Id60394f3259cb1e0c3f5bc3295bbd2b58fafb81c
* Update barbican from branch 'master'
to a70fb634dc8abc5bc1eb6d4b54f27aebaa167a69
- Merge "tests: Enable warnings"
- tests: Enable warnings
Add the warnings fixture so we can catch deprecation warnings earlier.
Change-Id: I37a349237470beb60240d0b6c208aa75f2a075ac
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to 2726129022b429ce2de3242dcb5da212e57a55e9
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I167ffeb71a1c1148ce000ddd41011056ce09701d
* Update barbican from branch 'master'
to fb9e98577ff3955534d36d530c962ecdff6386fb
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: Ibe0cfb66cc7199c9024abd780ae56282282a25a8
* Update barbican from branch 'master'
to 34979553e79fb6a6e887abe811c13762dd0916c0
- tox: Remove basepython
Python 3 is EOL. No environment should be defaulting to it. Our CI
environments certainly aren't.
Change-Id: I317072eab37ffe284c820a4c41cb6df82f1a05c5
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Update barbican from branch 'master'
to d929cd84e40e2093a2647fd5d9515c4269fd47ee
- Merge "Add support for Vault Namespaces"
- Add support for Vault Namespaces
Change https://review.opendev.org/c/openstack/castellan/+/810124
added support for Vault namespaces to castellan.
In order to be able to use that functionality in Barbican, we need
to register and pass a corresponding config option in Barbican as well.
Change-Id: I4abb46dba51a00628c58eeb516074e1a149b8f35
* Update barbican from branch 'master'
to 5a1b80f38a894044235ba1209256352daed7bbfe
- Merge "Remove System scope from policy"
- Remove System scope from policy
As specified in Phase 1 of the Consistent and Secure Default RBAC
goal [1] policies have been updated to remove "system" scope and
only use "project" scope in all policies.
APIs with policies that previously required "system" scope have been
updated to accept "project" scoped tokens with the "admin" role instead.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
* Update barbican from branch 'master'
to 3c1c30918dfa7daccf6e8729bedfde774c65235d
- Make FIPS job non-voting
Temporarily prevent the FIPS job from voting to unblock the gate.
We'll need to revert back to voting once devstack is working under FIPS
again. [1]
[1] https://review.opendev.org/c/openstack/devstack/+/884277
Change-Id: I2f946125d447d960e96dfac4699c557288750c3c
* Update barbican from branch 'master'
to 7b57e5b47b0bbfa150e90f3c17f3001523629047
- Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I372ea04414fdf050e167bb0fb2b712ec58d18a74
* Update barbican from branch 'master'
to 64eac2407155b86b68978479504dba653b7d51c0
- Fix functional tests
This adds find to the allow list in tox.
Change-Id: Icba7968657ac476861a4fe4cbffd05a728ca54b0
* Update barbican from branch 'master'
to 9ba66a67b99782c8cea986b51744c0d3d5d25f63
- Merge "Remove TripleO job"
- Remove TripleO job
This job has actually attracted no interest and has been kept
experimental. Now TripleO project is being deprecated so we should
drop this unused job.
Change-Id: Ifab4ef02d8bf6d0713e70e225f32b1d51bd2a7ce