Move the job definitions in-tree, updating them when needed.
This led to several changes:
- update tox.ini and setup.cfg to align them to the newest standards
(including newer python classifiers);
- no more python 2.x jobs;
- bump hacking requirements to make the pep8 job work with the newest
python releases;
- ignore a few spurious flake8 warnings;
- switch to stestr as test runner;
- update cryptography dependency.
The old barbican simple-crypto job name is still available as an alias
for a while, but it is time to switch away from it, so directly
use the new job.
Depends-On: https://review.opendev.org/771443
Change-Id: Iba7b4106c49e4b492c97097648c7b8f599a2ca4b

The use of signer and verifier in cryptography has been
deprecated, and causes the following warning:
cursive/cursive/signature_utils.py:139: DeprecationWarning: signer
and verifier have been deprecated. Please use sign and verify
instead.
This patch adds a wrapper around the use of verifier, so
that sign and verify are used with cryptography, but the
client use of the library doesn't have to change.
Change-Id: Ib4aaa4fc9eb893b74f08bc8ff732a4dae152f685
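
The wrapper approach described in the commit message above, as an added example (not cursive's own code): a class that keeps the old update()/verify() calling style while calling public_key.verify() with a prehashed digest underneath. The names StreamingVerifier, check_chunks and demo are hypothetical, RSA-PSS with SHA-256 is an assumed algorithm choice, and the key and data are constructed for the demonstration.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# Assumed padding for this example; a stateless object, safe to reuse.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


class StreamingVerifier:
    """Hypothetical wrapper exposing the deprecated verifier's interface."""

    def __init__(self, public_key, signature, pad, hash_alg):
        self._public_key = public_key
        self._signature = signature
        self._padding = pad
        self._hash_alg = hash_alg
        # Hash incrementally so large inputs are never buffered whole.
        self._digest = hashes.Hash(hash_alg)

    def update(self, chunk):
        self._digest.update(chunk)

    def verify(self):
        # Raises InvalidSignature on mismatch, as the old verifier did.
        self._public_key.verify(self._signature, self._digest.finalize(),
                                self._padding,
                                utils.Prehashed(self._hash_alg))


def check_chunks(public_key, signature, chunks):
    """Caller-side code: unchanged from the update()/verify() style."""
    verifier = StreamingVerifier(public_key, signature, PSS, hashes.SHA256())
    for chunk in chunks:
        verifier.update(chunk)
    try:
        verifier.verify()
        return True
    except InvalidSignature:
        return False


def demo():
    # Constructed key and data, generated locally for the example.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    data = b"constructed sample bytes " * 1000
    signature = key.sign(data, PSS, hashes.SHA256())
    chunks = [data[i:i + 4096] for i in range(0, len(data), 4096)]
    good = check_chunks(key.public_key(), signature, chunks)
    tampered = check_chunks(key.public_key(), signature, chunks[:-1] + [b"x"])
    return good, tampered
```

A signature produced over the full message verifies against the prehashed digest because both paths hash the same bytes with the same algorithm.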

ManagedObjectNotFoundError which is raised from several places in the
castellan library
(for example castellan/key_manager/barbican_key_manager.py) is not
caught in signature_utils.py.
Caught ManagedObjectNotFoundError and raised SignatureVerificationError
to avoid 500 error response.
Change-Id: Ia8310f8cc9604d11cc4a25617b55a1b61436cd71
Closes-Bug: #1736679

This change adds support for certificate validation, including
certificate inspection utilities. Validating a certificate
requires the certificate UUID of the certificate to validate,
a set of UUIDs corresponding to the set of trusted certificates
needed to validate the certificate, and a user context for
authentication to the key manager. A new certificate verification
context is included that is used to store the set of trusted
certificates once they are loaded from the key manager. This
context is used to validate the signing certificate, verifying
that the certificate belongs to a valid certificate chain rooted
in the set of trusted certificates.
All new certificate utility code is added in a new module named
certificate_utils.
For more information on this work, see the spec:
https://review.openstack.org/#/c/488541/
SecurityImpact
DocImpact
Change-Id: I8d7f43fb4c0573ac3681147eac213b369bbbcb3b
Implements: blueprint nova-validate-certificates

This change makes the _REGISTERED_TYPES member
of the signature_utils object public so that it
can be referenced by Nova.
Change-Id: Ia1615dcd4ca20702693b6c5ebddc472fe29f224c

This change adds a should_create_verifier method
to the signature_utils module, since the existing
signature verification code in Glance requires
this method.
Change-Id: Ic4be5dd900425ba0eceafca97b549a499dc6606e