Commit Graph

241 Commits

Author SHA1 Message Date
Ondřej Nový 022f688a7c Retire swauth
Change-Id: Ib8e22a1e2e35d22a754943e34501305a0cfdd9b9
Depends-On: https://review.opendev.org/678368
See: http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008416.html
2019-08-24 20:04:50 +02:00
Zuul f91a945590 Merge "Change openstack-dev to openstack-discuss" 2019-07-16 18:15:50 +00:00
Zuul b6d0618b63 Merge "Fix .gitreview after renaming to OpenDev" 2019-07-15 18:12:52 +00:00
Zuul 0b3f632f37 Merge "Use stdlib urlparse" 2019-07-15 17:55:52 +00:00
Ondřej Nový 965459f660 Fix .gitreview after renaming to OpenDev
Change-Id: I25089bf0adfed5b64fdd60c9806c70f1c6bb1bbc
2019-07-15 14:48:02 -03:00
Zuul ef649372c9 Merge "Add exclusion for bandit check B303" 2019-05-15 12:26:18 +00:00
Tim Burke 50b8688e7e Use stdlib urlparse
The wrapper swift wrote for IPv6 support hasn't been necessary since
dropping support for Python 2.6 back in 2015. See

- https://github.com/openstack/swift/commit/67de0c8
- https://github.com/python/cpython/commit/8c6d9d7
- https://bugs.python.org/issue2987

Drive-by: use range() since xrange() doesn't exist on py3 and we're only
going to 16; clean up an invalid escape sequence.

Change-Id: Ib124cb27edd4c3defdb4a9e2404dcdcb71e6dd99
2019-05-10 11:04:29 -07:00
Tim Burke e9e8c51a92 Add exclusion for bandit check B303
Starting in bandit 1.5.0, sha-1 will trip

    [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.

However, there are surely clusters out there that have users with
sha-1-hashed passwords, so we can't simply rip it out. A deprecation
period is probably in order, but in the meantime this unblocks the
gate.

Change-Id: I65ff882b1a1cb52ec522e41baa29e4420cd889bd
2019-05-10 11:03:08 -07:00
OpenDev Sysadmins 70eea35b78 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:50:11 +00:00
huang.zhiping bf99dd5caf Change openstack-dev to openstack-discuss
Mailing lists have been updated. Openstack-discuss replaces openstack-dev.

Change-Id: I78ef858b71868b61545cd322e90781a479191c2f
2018-12-04 11:34:25 +00:00
Vu Cong Tuan 0c8eaf50a9 Replace unicode with six.text_type
The unicode() built-in does not exist under Python 3 so use
six.text_type, which is set correctly to str or unicode, instead.

Change-Id: Ieb29486c99400b4a10ce642cb3adc83f5e4420f6
2018-07-05 11:14:12 +07:00
Doug Hellmann 6b5b2aa356 uncap eventlet
We will manage the eventlet version using constraints now. See the
thread starting at
http://lists.openstack.org/pipermail/openstack-dev/2018-April/129096.html
for more details.

Change-Id: I6857291b46a1289ec6267109ae09536c59e14517
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2018-04-11 11:52:30 -04:00
melissaml 1f6515cec4 Update the invalid url for swift page
Change-Id: I2e2c158d0a785f9198fa2050aee0ecd25bdd92f4
2018-03-07 22:26:49 +08:00
Ondřej Nový c6584fa923 Release 1.3.0
Change-Id: Ie5ada4be21b0e229e97ce854fe59e7ac4072984b
2017-12-09 17:15:53 +01:00
OpenStack Proposal Bot c844fb742a Updated from global requirements
Change-Id: I3d9f55f662ef4c72e56fd0ef588b017c5d3995a2
2017-12-09 15:58:26 +00:00
Tim Burke 2a84fe7c69 Stop using client headers for cross-middleware communication
Previously, Swift3 used client-facing HTTP headers to pass the S3 access
key, signature, and normalized request through the WSGI pipeline.
However, swauth did not validate that Swift3 actually set the headers;
as a result, an attacker who has captured a single valid request through
the S3 API may impersonate the user that issued the request indefinitely
through the Swift API.

Now, the S3 authentication information will be taken from a separate,
client-inaccessible namespace in the WSGI environment as defined in the
related change.

UpgradeImpact

This addresses a breaking API change in Swift3. No currently deployed
version of Swift3 will work with this. When upgrading swauth, operators
will need to upgrade Swift3 as well.

Change-Id: Ie5481a316397f46734e9dd0e77a8a87197ceec16
Related-Change: Ia3fbb4938f0daa8845cba4137a01cc43bc1a713c
2017-12-09 15:54:01 +00:00
Ondřej Nový 404b467be5 List system dependencies for running tests
Change-Id: I46b4b55028a6331489beafc2bc7fbe314bfc357f
2017-12-09 16:48:02 +01:00
Pavel Kvasnicka 70af798626 Hash token before storing it in Swift
Swauth uses the token value as the object name. Object names are logged in
proxy and object servers. Anybody with access to proxy/object server logs can
see token values. An attacker can use this token to access the user's data in
the Swift store. Instead of the token, the hashed token (with HASH_PATH_PREFIX
and HASH_PATH_SUFFIX) is now used as the object name.

WARNING: In deployments without memcached this patch logs out all users
because tokens become invalid.

CVE-2017-16613

SecurityImpact
Closes-Bug: #1655781
Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c
2017-11-21 12:01:22 +01:00
OpenStack Proposal Bot 54ac16ad67 Updated from global requirements
Change-Id: Ic6c7e75af1d2d5c590cb799f3d630451640f7fe6
2017-11-14 19:33:03 +00:00
Ondřej Nový 91a9abbc00 Swift dependency bump to Pike
Change-Id: I0f56ff6835af1556b4325b18a16142d6ea9675b2
2017-11-06 14:39:49 +01:00
Andreas Jaeger 07d757cd90 Replace obsolete vanity openstack.org URLs
Project-specific URLs are obsolete; use docs.openstack.org, and use
https for that site.

Change-Id: Iab3d2d2c05fa1bd9d8aa5d01e9511d3234616212
2017-03-28 16:34:52 +02:00
Jenkins b935e49add Merge "Drop MANIFEST.in - it's not needed by pbr" 2017-02-16 13:11:37 +00:00
nizam 6573269e37 Drop MANIFEST.in - it's not needed by pbr
swauth already uses PBR:
setuptools.setup(
    setup_requires=['pbr>=1.8'],
    pbr=True)

This patch removes `MANIFEST.in` file as pbr generates a
sensible manifest from git files and some standard files
and it removes the need for an explicit `MANIFEST.in` file.

Change-Id: Idb30c13b6c75129e07e46cbdd75a4aa92dcb5858
Closes-Bug: #1608980
2016-12-12 16:11:07 +00:00
Ondřej Nový 2d22f804a7 Fixed typo in docstring
Change-Id: Ib635eac542b26573560e714449960176380fa4fa
2016-11-21 16:40:40 +01:00
OpenStack Proposal Bot d4567f2232 Updated from global requirements
Change-Id: I13ad84968015230502aaf12a1f3129a843641e68
2016-11-08 12:57:44 +00:00
Jenkins 15745ad0c6 Merge "Don't ignore logger exception" 2016-11-08 11:34:34 +00:00
Ondřej Nový bb377d790d Don't ignore logger exception
Change-Id: I4a5001bf47b5910c1a543cbe5462758381274eb0
2016-10-29 15:14:29 +02:00
Ondřej Nový 0268a1605a Swift dependency bump to Newton.
Change-Id: I72013fa7a14a402bbe0a581cf4a4a35b3ae81b8f
2016-10-29 15:04:47 +02:00
Ondřej Nový 6f6380ffc8 Added Bandit
Change-Id: I9e3c548c23e2dc891cb7b1409b1df235706bbb17
2016-10-17 21:00:30 +02:00
pawnesh.kumar 9ed7577909 Constraints are ready to be used for tox.ini
Per email[1] from Andreas, we don't need to hack at install_command
any longer.

[1] http://openstack.markmail.org/thread/a4l7tokbotwqvuoh

Change-Id: If6e351a0ca3c60cce807ef4213da16ae7840ccfe
2016-10-10 20:58:49 +05:30
OpenStack Proposal Bot d7ae244d70 Updated from global requirements
Change-Id: Ib1f60f6ff6776a6c0cc0a622b471bf2bf443872c
2016-09-28 17:01:49 +00:00
Ondřej Nový 1752c2773b Release 1.2.0
Change-Id: Ifa251698f41c92a866bd98ac831b4b9359aa3f12
2016-09-22 13:36:42 +02:00
Jenkins d4d52ad8fe Merge "s3: Make s3 support configurable" 2016-08-04 19:37:15 +00:00
Jenkins 9e74e87472 Merge "Don't include salt in HMAC computation" 2016-08-04 19:36:52 +00:00
Prashanth Pai 26cf5aa107 s3: Make s3 support configurable
Amazon S3 compatibility:
Due to security concerns raised, this change makes S3 support tunable
using a config option and is turned off by default.

Change-Id: I077f78946983f5d6b3b725dd6aa3ed178dc5604e
Signed-off-by: Prashanth Pai <ppai@redhat.com>
2016-07-28 23:07:35 +05:30
OpenStack Proposal Bot 01d8e4e51b Updated from global requirements
Change-Id: I4a0c4edc34950a024970abc0ef4e057bf05efd49
2016-06-21 18:06:35 +00:00
Prashanth Pai 5d15daaab6 Don't include salt in HMAC computation
Currently, the input to the HMAC function is the entire stored credential
in the format '<salt>$<hash>', but it should rather be only the hashed
key/password.

With this change, validate_creds() method is invoked and only the hash
of the password is used in HMAC computation.

Change-Id: I1a9bbcac6f49c23f3256572f148e55249a59f7ed
Signed-off-by: Prashanth Pai <ppai@redhat.com>
2016-06-07 15:12:27 +05:30
Jenkins 92c55ece9c Merge "Swift dependency bump to Mitaka." 2016-06-01 08:11:15 +00:00
Jenkins a5eef7d4cb Merge "More authtypes validation checks" 2016-06-01 08:00:11 +00:00
Ondřej Nový 2b1e3a7148 Swift dependency bump to Mitaka.
Change-Id: I70a4c3984ebf306c01b9600562a872266e025c1f
2016-05-31 21:39:51 +02:00
Jenkins c6d7ac91c5 Merge "creds validation function" 2016-05-31 18:50:45 +00:00
Ondřej Nový 5c76099efd More authtypes validation checks
Change-Id: I47e139dc100333e2befc362196ede1b238ee0588
2016-05-31 20:42:16 +02:00
Peter Lisák 07d1c0a3d0 creds validation function
Change-Id: Iae92c06b2f24a6ca80d98513cc54f3ca6910afa8
2016-05-31 17:00:48 +02:00
OpenStack Proposal Bot 66358d2ef6 Updated from global requirements
Change-Id: I1a8437255aa82227ba65b768edee0bded51eebaf
2016-05-26 17:06:34 +00:00
Ondřej Nový b548d3dcf7 Add support for setting already hashed password
You can use this for restoring a dumped users list from the swauth-list
command.

Change-Id: Ia77d7a0b91b2f79999286858e383477a80d7db15
2016-05-24 12:08:38 +02:00
Ondřej Nový 9b27778987 Changed Read the Docs TLD domain to .io
This change was requested by Read the Docs for security reasons.

Change-Id: Ide2e42c64bd60b713eedd641f8b91b2dab50a880
2016-04-28 10:14:57 +02:00
OpenStack Proposal Bot 2af101fa42 Updated from global requirements
Change-Id: I0b9803d37df6a65427809eaf3e2cc4b346b73ac9
2016-04-08 13:29:58 +00:00
Jenkins 19f9beeb9d Merge "Fix changing of auth_type in existing deployments" 2016-03-08 10:26:55 +00:00
Jenkins 64eab78a92 Merge "Allow configuring salt manually" 2016-03-08 09:27:13 +00:00
Jenkins ac85c1c96e Merge "Document swift3 compatibility" 2016-03-08 08:45:05 +00:00