error info of "tox -e docs" is below
doc/source/signing_backends.rst:74: D003 Tabulation used for indentation
doc/source/signing_backends.rst:75: D003 Tabulation used for indentation
doc/source/signing_backends.rst:76: D003 Tabulation used for indentation
doc/source/signing_backends.rst:77: D003 Tabulation used for indentation
doc/source/signing_backends.rst:52: D001 Line too long
This patch correct it
Closes-Bug: #1664796
Change-Id: I55798c2823f8a98ae7bfee0612c3a2639b4ca8d5
Original validator checked for domain labels as defined by RFC1034, however real
internet deals with other domains as well - starting with digits or symbols.
This change allows modifying the pattern to allow custom / relaxed rules.
Validation has been removed from adding a domain to a new extension, since it's
only used in fixups and the domain should be already validated. (or not, if not
configured)
Closes-bug: 1592489
Change-Id: Ib453054ba5f554bab28cff392c539e713fa28918
Prepare for new signing backend implementations which reuse the existing
functionality. This abstracts most of the current signing function, so that the
signature generation itself can be replaced.
Change-Id: I99a28f4bcb08f010f397faf49e23276672977bc1
Previous name validators have multiple issues. They do not prevent
unknown entires from passing through. They require repeating rules for
various name locations (cn, san). They also disregard wildcards when
matching only the suffix. The inflexible configuration also makes
specific validators like server_group required.
The new validator whitelist_names solves all those issues and allows to
deprecate old validators.
Implements: blueprint validator-improvement
Change-Id: Id31889f735eb34323f21a91d68a50602351f6611
Add a validator for the public key sizes. This allows to reject a
request with a 512b long RSA key for example.
Change-Id: Ib4988e595c4c5cdc643af56e9529e8c0de31d993
Remove a validator which has been marked for an update for some time.
CA certificate signing should not be handled by Anchor at all.
Change-Id: Ib13a0ca3445956e35c23c559f59f37e6721c1a33
Closes-bug: 1508776
Unknown and not verified extensions could possibly give the requester
more capabilities than they are allowed to have. Each backend needs to
have its own policy what to do with unknown extensions. Anchor either
ignors them, or refuses signing, depending on the critical flag.
Change-Id: I711aa4aabae76ddd489501c100f51873c0fcc7d6
Closes-bug: 1494111
Add a validator which collects various standard format/behaviour tests.
These are not user-configurable and any valid request failing them is a
bug in Anchor.
All checks reference the document where they're defined.
Closes-bug: 1476877
Partial-bug: 1476875
Change-Id: I208685d8d7cde40ed5294e7235d64ca17617c094
Fixups allow changing the submitted CSR before signing. This may be
useful for enforcing rules, like removing deprecated options.
All fixups are available in the "anchor.fixups" namespace and each one
returns either a new or a modified CSR when it's finished.
Partial-bug: #1401580
Change-Id: Id42802194bbdf36799660899eb34f728782bc893
This should allow our documentation to post to
http://docs.openstack.org/developer/anchor
Running locally both pass:
python setup.py build_sphinx
tox -e venv python setup.py build_sphinx
"tox -e docs" still works and you can run
that if you desire.
"tox -e venv python setup.py build_sphinx"
is what's required to work by infra so that
documentation can be built upstream and
published to the developer documentation pages.
It also allows the documentation jobs to run in
the gate so that documentation is built at
review time.
Change-Id: If67961a1b68223ed4ca002037cb7e8c6a51fbe3e
lhinds