From dc3175afb16fedaf5216b5d4a7a521d16636b4d1 Mon Sep 17 00:00:00 2001
From: Jim Rollenhagen
Date: Tue, 14 May 2019 20:47:18 +0000
Subject: [PATCH] Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee.
Using the glob that I had not yet had enough coffee to do correctly is a better solution, and allows us to fix new failures in 1.6.0 which would break us again when 1.6.1 was released.
Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
---
 keystone/assignment/core.py | 2 +-
 keystone/common/authorization.py | 4 ++--
 keystone/common/policies/base.py | 5 +++--
 .../versions/097_drop_user_name_domainid_constraint.py | 2 +-
 .../versions/104_drop_user_name_domainid_constraint.py | 2 +-
 keystone/identity/backends/sql_model.py | 2 +-
 keystone/notifications.py | 2 +-
 keystone/oauth1/core.py | 4 ++--
 setup.cfg | 2 +-
 tox.ini | 4 ++--
 10 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 4e21efdbf5..8db1a7bc4c 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -58,7 +58,7 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.assignment'
 _provides_api = 'assignment_api'
- _SYSTEM_SCOPE_TOKEN = 'system'
+ _SYSTEM_SCOPE_TOKEN = 'system' # nosec
 _USER_SYSTEM = 'UserSystem'
 _GROUP_SYSTEM = 'GroupSystem'
 _PROJECT = 'project'
diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py
index 5c4581b963..a15c9eaac3 100644
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@@ -19,7 +19,7 @@
 # A couple common constants for Auth data
 # Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
+AUTH_TOKEN_HEADER = 'X-Auth-Token' # nosec
 # Header used to transmit the auth receipt
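Review bot: The `# nosec` added to `_SYSTEM_SCOPE_TOKEN` — and the identical bare marker in keystone/common/authorization.py, keystone/common/policies/base.py, the 097 and 104 migrations, keystone/identity/backends/sql_model.py, keystone/notifications.py and keystone/oauth1/core.py — records neither which bandit finding it silences nor why the value is harmless. A bare `# nosec` disables every bandit check on that line, so the suppression cannot be audited later and would also hide a real finding if the constant were ever changed to hold something sensitive. All of these appear to be B105 (hardcoded_password_string) false positives triggered by the identifier names — scope labels, header names, policy rule names, column names, dict keys and event names, not credentials — so state that inline, e.g. `_SYSTEM_SCOPE_TOKEN = 'system'  # nosec - B105 false positive: scope label, not a secret`, and newer bandit releases accept `# nosec B105` to narrow the suppression to that single check. The enclosing `class Manager` starts outside this hunk, as does the method holding `password_expires_at_key` in sql_model.py.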
@@ -27,7 +27,7 @@ AUTH_RECEIPT_HEADER = 'Openstack-Auth-Receipt'
 # Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token' # nosec
 # Environment variable used to convey the Keystone auth context,
 # the user credential used for policy enforcement.
diff --git a/keystone/common/policies/base.py b/keystone/common/policies/base.py
index 00b24e2c63..38d948f91b 100644
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@@ -24,9 +24,10 @@ RULE_ADMIN_OR_TARGET_DOMAIN = (
 RULE_ADMIN_OR_TARGET_PROJECT = (
 'rule:admin_required or '
 'project_id:%(target.project.id)s')
-RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject' # nosec
 RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
-RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
+RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = (
+ 'rule:service_admin_or_token_subject') # nosec
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
diff --git a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
index bb1aea8823..d99d6aa6a1 100644
--- a/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/097_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
 def upgrade(migrate_engine):
diff --git a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
index b54af234a9..a8740c5948 100644
--- a/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
+++ b/keystone/common/sql/migrate_repo/versions/104_drop_user_name_domainid_constraint.py
@@ -16,7 +16,7 @@ import sqlalchemy as sql
 _USER_TABLE_NAME = 'user'
 _USER_NAME_COLUMN_NAME = 'name'
 _USER_DOMAINID_COLUMN_NAME = 'domain_id'
-_USER_PASSWORD_COLUMN_NAME = 'password'
+_USER_PASSWORD_COLUMN_NAME = 'password' # nosec
 def upgrade(migrate_engine):
diff --git a/keystone/identity/backends/sql_model.py b/keystone/identity/backends/sql_model.py
index a8f7b214c5..8798d326cb 100644
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@@ -243,7 +243,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
 new_dict = user_dict.copy()
 resource_options = {}
 options = new_dict.pop('options', {})
- password_expires_at_key = 'password_expires_at'
+ password_expires_at_key = 'password_expires_at' # nosec
 if password_expires_at_key in user_dict:
 del new_dict[password_expires_at_key]
 for opt in cls.resource_options_registry.options:
diff --git a/keystone/notifications.py b/keystone/notifications.py
index fb2a5f543d..3f59d151e8 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -80,7 +80,7 @@ CONF = keystone.conf.CONF
 # NOTE(morganfainberg): Special case notifications that are only used
 # internally for handling token persistence token deletions
-INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache'
+INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' # nosec
 PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
 REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
 DOMAIN_DELETED = 'domain_deleted'
diff --git a/keystone/oauth1/core.py b/keystone/oauth1/core.py
index a693e25f5d..68e208e2ad 100644
--- a/keystone/oauth1/core.py
+++ b/keystone/oauth1/core.py
@@ -118,8 +118,8 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.oauth1'
 _provides_api = 'oauth_api'
- _ACCESS_TOKEN = "OS-OAUTH1:access_token"
- _REQUEST_TOKEN = "OS-OAUTH1:request_token"
+ _ACCESS_TOKEN = "OS-OAUTH1:access_token" # nosec
+ _REQUEST_TOKEN = "OS-OAUTH1:request_token" # nosec
 _CONSUMER = "OS-OAUTH1:consumer"
 def __init__(self):
diff --git a/setup.cfg b/setup.cfg
index 9efe858caa..20f674d9ac 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -35,7 +35,7 @@ memcache =
 mongodb =
 pymongo!=3.1,>=3.0.2 # Apache-2.0
 bandit =
- bandit!=1.6.0,>=1.1.0 # Apache-2.0
+ bandit>=1.1.0 # Apache-2.0
 [global]
 setup-hooks =
diff --git a/tox.ini b/tox.ini
index 186981cea7..800610accd 100644
--- a/tox.ini
+++ b/tox.ini
@@ -37,7 +37,7 @@ commands =
 # the check and gate queues
 bashate devstack/plugin.sh
 # Run security linter
- bandit -r keystone -x tests
+ bandit -r keystone -x 'keystone/tests/*'
 [testenv:bandit]
 basepython = python3
@@ -46,7 +46,7 @@ basepython = python3
 deps =
 -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt}
 -r{toxinidir}/requirements.txt
 .[bandit]
-commands = bandit -r keystone -x tests
+commands = bandit -r keystone -x 'keystone/tests/*'
 [testenv:cover]
 basepython = python3
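Review bot: The bandit command line is now defined twice in tox.ini — in the commands block of the first hunk and again under `[testenv:bandit]` in the second — and this change had to touch both, which is how the two will drift apart the next time the exclude pattern moves. tox supports section substitution, so the first environment can run `{[testenv:bandit]commands}` and leave the invocation defined once. Nothing records why the pattern changed from `tests` to a quoted glob either: tox passes the argument without a shell, so bandit receives the literal `keystone/tests/*`, which is presumably matched relative to `{toxinidir}`; a short comment next to it such as `# bandit 1.6.0 stopped treating a bare 'tests' as an exclude; pass the explicit glob (tox strips the quotes, no shell involved)` would keep the next reader from rediscovering this.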