Commit Graph

107 Commits

Author SHA1 Message Date
Stephen Finucane 2bf70a10a2 sql: Fix incorrect columns
In these instances, we take the migrations to be the "official" version
- since they're stricter in almost all cases - updating the models to
suit.

This change highlights a slight issue in our use of a config option in
our database schema, which we shouldn't really do. A TODO is left to
address this later. We can also remove a now-unnecessary TODO from our
initial migration related to the same issue: we have our own tooling for
migrations that *does* load and register config options so there is no
longer an issue here.

Change-Id: I906cb8f7b76833c880a40c1aa0584fe7ab93cb7a
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-07-03 12:32:58 +01:00
Stephen Finucane 5d2ab6c63b db: Replace use of Query.get()
Resolve the following LegacyAPIWarning warning:

  The Query.get() method is considered legacy as of the 1.x series of
  SQLAlchemy and becomes a legacy construct in 2.0. The method is now
  available as Session.get()

Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-02-28 17:26:39 +00:00
Zuul a3fc9e7c38 Merge "Properly instantiate FernetUtils" 2022-02-17 18:15:40 +00:00
Lance Bragstad d023b103e5 Properly instantiate FernetUtils
The FernetUtils object had kwargs for the key_repository,
max_active_keys, and the config_group. The credential API uses an
instance of the FernetUtils object to encrypt and decrypt credentials,
but the object wasn't instantiated with the config_group set. This
resulted in an error message like:

  Either [None] key_repository does...

When the credential key repository wasn't configured. We should be
setting the config_group so that we provide a more useful error
message instead of a random `None`.

All of the arguments are now made mandatory, since this is how
they are called in all but this one place.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: Ia32cc12121ee243a003e5eb2fc832cc6a33ef499
2022-02-04 16:38:09 +01:00
Vishakha Agarwal a49ee620fa New config option 'user_limit' in credentials
This patch adds a new config option 'user_limit'
to credentials to set maximum number of credentials a
user is permitted to create.
Closes-Bug: #1872732

Change-Id: Ic9dc9a4a9ec1ecbf01842c865e19a7a100e5041d
2020-06-12 13:52:45 +05:30
Vishakha Agarwal 4530041931 Remove six usage
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
2020-01-30 06:06:51 +00:00
Ralf Haferkamp a4be0cb9e8 Fix PostgreSQL specific issue with credentials encoding
Decode the encrypted credential value to a string value before handing
it over the database, when running under Python 3.x. Otherwise the
underlying database driver (e.g. psycopg2) might treat it as binary
data.

Change-Id: I87425b54f471e66a9ab3974ab46c4b7f3838b962
Closes-Bug: #1833739
2019-09-18 11:43:52 +02:00
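As an added illustration of the bytes-versus-str point in this commit (not keystone's own code), the stdlib sqlite3 driver shows the same behaviour described here for psycopg2: a bytes value is stored as a BLOB, while the decoded str is stored as TEXT and comes back as TEXT. The token below is a constructed urlsafe-base64 string, not a real Fernet token, and the table is a one-column stand-in for the credential table.

```python
import base64
import sqlite3

# Constructed sample: a Fernet token is urlsafe-base64 text, so its bytes
# are pure ASCII. This stand-in is built here and is not a real token.
ENCRYPTED_BLOB = base64.urlsafe_b64encode(b"\x80" + b"\x00" * 40)


def _store_and_fetch(value):
    """Insert value into an untyped SQLite column and return
    (storage class, value read back). sqlite3 maps Python bytes to BLOB
    and str to TEXT, much as psycopg2 treats bytes as binary data."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(
            "CREATE TABLE credential (id INTEGER PRIMARY KEY, encrypted_blob)"
        )
        conn.execute(
            "INSERT INTO credential (encrypted_blob) VALUES (?)", (value,)
        )
        return conn.execute(
            "SELECT typeof(encrypted_blob), encrypted_blob FROM credential"
        ).fetchone()
    finally:
        conn.close()


def stored_type(value):
    """Storage class the driver chose: 'blob' for bytes, 'text' for str."""
    return _store_and_fetch(value)[0]


def round_trip(value):
    """Value as the driver hands it back; a BLOB returns as bytes even when
    the caller expected the token as text."""
    return _store_and_fetch(value)[1]


def encode_for_db(token: bytes) -> str:
    """Decode the token bytes to str before handing them to the driver, as
    the fix does. A strict ASCII decode also catches raw (non-base64)
    ciphertext passed by mistake: it raises UnicodeDecodeError instead of
    being silently stored as a BLOB."""
    return token.decode("ascii")


def is_text_safe(token: bytes) -> bool:
    """True if the bytes are an ASCII (base64) token storable as TEXT."""
    try:
        token.decode("ascii")
    except UnicodeDecodeError:
        return False
    return True


if __name__ == "__main__":
    print(stored_type(ENCRYPTED_BLOB), stored_type(encode_for_db(ENCRYPTED_BLOB)))
```

The decode is only safe because Fernet output is base64 text; raw AES ciphertext would not survive it, which is why `is_text_safe` is worth a check before storing anything as TEXT.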
Rabi Mishra e989bd0637 Add retry for DBDeadlock in credential delete
Adds oslo.db retry wrapper to delete_credential_for_user method.

Change-Id: Ib9e161411f0985785eec46c51d721ef7421ee090
Closes-Bug: #1840291
2019-08-19 21:06:40 +05:30
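The retry wrapper this commit adds comes from oslo.db; the block below is an added example (not keystone's or oslo.db's code) of the same pattern written with the stdlib, so the mechanics are visible: re-run the call on a deadlock, back off with jitter, and give up after a bounded number of attempts. The `DBDeadlock` class and the `FakeCredentialStore` that deadlocks a fixed number of times are constructed stand-ins for the real exception and the database.

```python
import functools
import random
import time


class DBDeadlock(Exception):
    """Stand-in for the deadlock exception the driver raises (assumption:
    the real one is oslo_db.exception.DBDeadlock)."""


def retry_on_deadlock(max_retries=5, base_delay=0.01,
                      sleep=time.sleep, jitter=random.random):
    """Re-run the wrapped call when it raises DBDeadlock, with exponential
    backoff plus jitter. Modelled on the behaviour of oslo.db's retry
    wrapper (an assumption, not its code). The wrapped function must cover
    the whole transaction, so a retry starts a fresh transaction rather
    than replaying half of one."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            attempt = 0
            while True:
                try:
                    return fn(*args, **kwargs)
                except DBDeadlock:
                    attempt += 1
                    if attempt > max_retries:
                        raise  # give up; the caller sees the original error
                    # Backoff with jitter so the two transactions that
                    # deadlocked do not simply collide again in lockstep.
                    sleep(base_delay * (2 ** (attempt - 1)) * (1 + jitter()))
        return wrapper
    return decorator


SLEEPS = []  # delays requested during the demo, recorded instead of slept


class FakeCredentialStore:
    """Constructed store that raises DBDeadlock a fixed number of times
    before the delete succeeds, standing in for a database under contention."""

    def __init__(self, deadlocks_before_success):
        self.remaining = deadlocks_before_success
        self.calls = 0
        self.deleted = []

    @retry_on_deadlock(max_retries=3, sleep=SLEEPS.append, jitter=lambda: 0.0)
    def delete_credential_for_user(self, user_id):
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            raise DBDeadlock("deadlock detected")
        self.deleted.append(user_id)
        return self.calls  # number of attempts it took


if __name__ == "__main__":
    store = FakeCredentialStore(deadlocks_before_success=2)
    print(store.delete_credential_for_user("user-1"), SLEEPS)
```

With two deadlocks the delete succeeds on the third attempt after sleeping 0.01 s and 0.02 s; with more deadlocks than `max_retries` allows, the original `DBDeadlock` propagates so the failure is not hidden.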
Lance Bragstad 8817a26ee2 Update misleading comment about fernet credential encryption
If credential keys are over-rotated, the credentials will be
unrecoverable. Also clarify the usage of fernet for tokens and the
usage of fernet for credential encryption.

Change-Id: I539769bc4af0bfa04112cbfd0fccd6b78b4e7c87
2019-06-20 15:13:06 +00:00
Nathan Oyler 579cc19857 Add cadf auditing to credentials
added audit logging to credentials.

Closes-bug: #1831918
Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
2019-06-12 13:34:05 -07:00
Jose Castro Leon 479a2a0afa Adds caching of credentials
Allows caching the credentials, as they are currently fetched
directly from the database

Change-Id: I9a706ac506b0f65402f2433e6fd56097e0830657
Closes-Bug: #1815771
2019-05-17 15:04:31 +02:00
Vishakha Agarwal 67435147ec Incorrect use of translation _()
Keystone uses translated strings both in
logging and exceptions. This is incorrect.
All strings that are passed to logging
should remain un-translated. This patch
addresses above issue.

Change-Id: Idf4f0bc1bd63eb8dc6dc61d8a49a9e2a93320474
Closes-Bug: #1777671
2018-09-03 21:52:56 +05:30
Morgan Fainberg cb130ffae8 Move Credentials API to Flask Native
Move the Credentials API to Flask Native dispatching.

This change fixes some circular importing in the
conversion.

Change-Id: I5e2485ba471d09c3454e78ca2c9dfa19aaf0e4e2
Partial-Bug: #1776504
2018-07-16 21:58:21 -07:00
Zuul 5f6cac06da Merge "Convert Keystone to use Flask" 2018-06-06 23:41:28 +00:00
Adrian Turjak 45d724f535 Revert "Rename fernet_utils to token_utils"
This reverts commit 03ba867327.

Because of the introduction of auth receipts we will be
using fernet for more than just tokens. Lets make this a
generic util for fernet key handling.

Change-Id: I3a870a63239491f84db3350178bd2313eeccdbf3
2018-06-06 16:49:27 +12:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Zuul 54b0f9d126 Merge "Rename fernet_utils to token_utils" 2018-01-16 13:48:28 +00:00
Lance Bragstad 224dfff570 Use keystone.common.provider_api for credential APIs
This change converts the usage of self.<provider_api> to
keystone.common.providers_api.ProviderAPIs.<provider_api> in manager
and controller logic. This is the correct way to reference
providers from other managers and controllers now that dependency
injection has been eliminated.

Change-Id: I84ec240922c85d616aa0b15b1fa7dcad5455e6eb
2017-12-27 16:50:46 +00:00
Morgan Fainberg 81f9fe6fed Remove Dependency Injection
Refactors all of keystone's dependency injection to maintain a
single centralized repository of instantiated objects. This
means that we are no longer having to resolve order. All
objects that need to reference the various manager APIs simply
do so via the __getattr__ built into the Manager common object
or the ProviderAPIMixin object.

This is also the first step towards correcting our tests to
where they cannot run "load_backends" multiple times.

This forces any/all managers to properly run super()
as the way to register the api is via __init__.

This eliminates all use of the @dependency.requires and
@dependency.provides decorators, simplifying the objects
all around.

Any instantiations of a Manager after keystone is running
will now generate an error, ensuring everything for keystone
is running before handling requests. An exception is for
CLI and CLI tests, as the CLI may directly instantiate
managers and will not lock the registry.

Change-Id: I4ba17855efd797c0db9f4824936b49e4bff54b6a
2017-12-13 10:59:39 -08:00
Gage Hugo 03ba867327 Rename fernet_utils to token_utils
This change renames the fernet_utils from keystone.common to
token_utils in order to provide more generic tools for the
implementation of alternative token providers.

Change-Id: I85091709ed4ed7bdd2c2d053e342e4b1b615ef08
2017-12-12 16:38:42 -06:00
lhinds 76bd54d491 Adds Bandit #nosec flag to instances of SHA1
Currently, bandit marks usages of SHA1 as insecure, which
results in false positives for instances of SHA1 in keystone.
However, keystone uses HMAC-SHA1 which is currently considered
secure as opposed to just SHA1 hashing.

This change marks a # nosec comment against the lines which
are triggering the false positives in Bandit in order to
tell bandit to avoid these instances of SHA1.

See [1] for HMAC-SHA1 discussion in keystone

[1] https://review.openstack.org/#/c/453365/

Change-Id: Ibb44db1f8727d014d186b412106d0cd4e2f4a6dd
2017-09-07 14:01:35 -05:00
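The distinction this commit relies on, bare SHA-1 versus HMAC-SHA1, is shown below in an added example that is not keystone's code: an unkeyed digest authenticates nothing because anyone can recompute it, while the keyed MAC is only forgeable with the secret key, and the published SHA-1 collision attacks do not give an attacker that. The key and string-to-sign are constructed sample values; the `# nosec` markers show where the commit's bandit suppression would go.

```python
import hashlib
import hmac

# Constructed sample inputs, not values taken from keystone.
SECRET_KEY = b"constructed-shared-secret"
STRING_TO_SIGN = b"GET\nec2.example.test\n/\nAction=DescribeInstances&Version=2"


def plain_sha1(message: bytes) -> str:
    """Unkeyed SHA-1: anyone who sees the message can compute this, so it
    proves nothing about who sent it. This is the pattern bandit should
    flag, and marking it nosec would be wrong."""
    return hashlib.sha1(message).hexdigest()  # nosec - weak pattern, shown for contrast


def hmac_sha1(key: bytes, message: bytes) -> str:
    """HMAC-SHA1: a keyed MAC whose security rests on the secret key and the
    HMAC construction, not on SHA-1 collision resistance. bandit flags the
    hashlib.sha1 reference, so this is the line that gets the marker."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()  # nosec - HMAC, not bare SHA1


def verify_signature(key: bytes, message: bytes, presented: str) -> bool:
    """Recompute the tag and compare in constant time, so response timing
    does not leak how many leading hex digits of a forged tag were right."""
    expected = hmac_sha1(key, message)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    tag = hmac_sha1(SECRET_KEY, STRING_TO_SIGN)
    print(tag, verify_signature(SECRET_KEY, STRING_TO_SIGN, tag))
```

Tampering with either the message or the key changes the tag, which is what the plain digest cannot offer. The `# nosec` marker belongs only on the HMAC line; suppressing the warning on the unkeyed call would hide exactly the case bandit exists to catch.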
Jenkins 39c6b0ff53 Merge "Make use of Dict-base including extras explicit" 2017-03-31 20:11:14 +00:00
wingwj ca35d003dc Remove log translations in keystone
Log messages are no longer being translated. This removes all use of
the _LC, _LE, _LI, and _LW translation markers to simplify logging
and to avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Co-Authored-By: David Stanek <dstanek@dstanek.com>

Change-Id: I45862f944107c1b4b73aa4d2fd95940f0b67eb1b
2017-03-25 18:17:15 +00:00
Morgan Fainberg dce7c52de9 Make use of Dict-base including extras explicit
This change replaces the use of DictBase with the ModelDictMixin
for any SQL models that do not contain an extra column and renames
the DictBase to a more descriptive name of ModelDictMixinWithExtras.

A Docstring has been added indicating the continued usage of
ModelDictMixinWithExtras should not be done for any "new"
models.

Change-Id: I9a4767cacf7620e878df70084060f3e43e1318df
2017-02-06 19:15:15 -08:00
Morgan Fainberg 8354fb34af Fix bad error message from FernetUtils
FernetUtils is giving incorrect error messages to administrators
indicating that [fernet_tokens] option is always where the
fernet repository information is stored even if it is referenced
from the [credential] option group.

Change-Id: I7b8344bb306eeb0a9e1cf5093dfd42d3e6c2dd1b
2017-01-30 19:11:49 -08:00
jolie 2870deb933 log.error use _ of i18n
log.error msg should be translated with _ of i18n

Change-Id: I2fb8249c0f5c0460f3f3f61a2dde516e775667da
Closes-Bug: #1635162
2016-10-25 10:35:43 +08:00
Steve Martinelli 810e15689b Remove stable driver interfaces
bp removed-as-of-ocata

Change-Id: I4672cf7d9d72ef725212085972dbcd90db0e47cf
2016-09-28 17:18:37 +00:00
Lance Bragstad 59f117f6a8 Log warning if null key is used for encryption
The null key doesn't provide any real encryption protection. It only
provides security through obscurity since the null key is a known
thing. This commit makes it so we log a warning every time it is
used for encryption.

Change-Id: I10e8b6697c3b35c3ae6e8a1cec5e53f0913b42e6
Related-Bug: 1619758
2016-09-07 18:38:49 +00:00
Lance Bragstad e9b64378e6 Introduce null key for credential encryption
To ease upgrades from Mitaka to Newton, we are introducing the
concept of a null key to keystone's implementation of credential
encryption. The null key can be assumed by keystone if no other
keys exists in the configured `CONF [credential] key_repository`
and it is a known value, so it doesn't need to be orchestrated
across nodes in multi-node deployments.

This allows an operator to upgrade from Mitaka to Newton without
having to setup a credential key repository beforehand. It is
strongly recommended that deployers configure their key_repository
and migrate off of the null key as soon as possible. Since the null
key is a known value, it is no more secure than storing secrets in
plain text. It is only here to ease the upgrade process for
deployers.

Change-Id: I6cca7e40ce36a8a24dc73f92b22487998da6a1ae
Related-Bug: 1619758
2016-09-07 18:38:34 +00:00
Lance Bragstad 0edf1fe46c Implement encryption of credentials at rest
This commit implements credential encryption through the following changes:

 - additive schema change to store key hashes for credentials
 - database migration to encrypt all pre-existing credentials
 - contractive schema change to remove unencrypted credential column
 - added code to the credential Manager to handle credential encryption

All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.

Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to setup and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.

Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>

bp credential-encryption

Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
2016-09-02 04:25:49 +00:00
Rodrigo Duarte Sousa 8144e28336 Fix credential update to ec2 type
It was possible to create a credential without providing a project_id
and later updating it to the ec2 type.

This patch fixes the issue by adding a manual checking in the
manager layer since it needs to check the old credential contents
prior to failing the request.

Change-Id: I1eb28a46c89e17d9c990cc798867d1a59714fe5f
Closes-Bug: #1613466
2016-08-23 06:58:03 +00:00
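This commit's check on update, and the per-user limit added by the later 'user_limit' commit higher up this page, are both shown in one added example below. It is a constructed in-memory manager, not keystone's credential Manager: `ValidationError`, the `user_limit` value of -1 meaning unlimited, and the dict-shaped credential are assumptions. The point of the update path is the one this commit describes: the incoming changes must be merged with the stored credential before validation, because `{"type": "ec2"}` on its own looks valid and only the stored record reveals the missing project_id.

```python
class ValidationError(Exception):
    """Raised for a credential the manager refuses to store (assumed name)."""


class CredentialManager:
    """Constructed in-memory manager showing a per-user limit on create and
    an ec2-type check that runs against the merged old+new record on update."""

    def __init__(self, user_limit=-1):
        self.user_limit = user_limit  # -1 means unlimited (assumption)
        self._store = {}

    @staticmethod
    def _check_ec2(cred):
        # ec2 credentials are project scoped; without a project_id the
        # credential cannot be used for an ec2-style signed request.
        if cred.get("type") == "ec2" and not cred.get("project_id"):
            raise ValidationError("ec2 credentials require a project_id")

    def count_for_user(self, user_id):
        return sum(1 for c in self._store.values() if c["user_id"] == user_id)

    def create_credential(self, cred_id, cred):
        self._check_ec2(cred)
        if self.user_limit >= 0 and \
                self.count_for_user(cred["user_id"]) >= self.user_limit:
            raise ValidationError(
                f"user {cred['user_id']} already has "
                f"{self.user_limit} credentials")
        self._store[cred_id] = dict(cred)
        return self._store[cred_id]

    def update_credential(self, cred_id, changes):
        old = self._store[cred_id]
        # Validating `changes` alone lets {"type": "ec2"} through, since the
        # missing project_id is only visible in the stored record. Validate
        # the merged result, which is what will actually be persisted.
        merged = {**old, **changes}
        self._check_ec2(merged)
        self._store[cred_id] = merged
        return merged


if __name__ == "__main__":
    mgr = CredentialManager(user_limit=2)
    mgr.create_credential("c1", {"user_id": "u1", "type": "cert", "blob": "x"})
    try:
        mgr.update_credential("c1", {"type": "ec2"})
    except ValidationError as exc:
        print("rejected:", exc)
```

Counting existing credentials and then inserting is a check-then-act sequence; under concurrent creates a user can still exceed the limit by a small margin unless the count and insert share a transaction, which this in-memory version does not model.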
Werner Mendizabal a6d4512ef5 Add create and update methods to credential Manager
Previously, the credential controller would just call
``self.credential_api.<crud_method>`` which would just automatically call
the driver since the credential manager didn't implement any sort of business
logic around credentials.

With the implementation of encrypted credentials at rest, it makes sense to
have the encryption logic in the credential manager, instead of the driver or
controller layer. This commit creates those methods in the manager which will
be more useful for credential encryption in a subsequent commit.

bp credential-encryption

Change-Id: I22ec70aeaf12b5df9ed7d27985fc284c5c31533e
2016-08-18 16:13:30 +00:00
Werner Mendizabal e10811cffd Create a fernet credential provider
This commit introduces a fernet provider for the credential API. This new
provider isn't actually wired up to the existing credential implementation, so
its functionality isn't exposed. We'll do that in a subsequent patch.

bp credential-encryption
Change-Id: I217004c5fb94191d397059b1333bebd385792fb7
2016-08-18 16:07:13 +00:00
Jamie Lennox d23bfc04a6 Remove get_trust_id_for_request function
This function tries to determine the current trust_id by looking up the
auth_context's token model. If this information was available it would
have been put on the request.context object so we can use that instead.

Change-Id: I7ce33b30f220be619c638c77eeb76503f1af79a7
2016-07-14 19:01:42 +10:00
Jenkins 7fd720be1f Merge "Move request validation inline" 2016-07-09 09:47:39 +00:00
Jenkins 7faa001f10 Merge "Move the credential abstract base class out of core" 2016-07-09 03:03:30 +00:00
Lance Bragstad 8ff6b0ea51 Move request validation inline
This commit moves all the decorated calls to validate requests inline with the
method. This is one way we can lazily validate requests - which allows us to
pick validation configuration options specified in config.

Change-Id: Iee71fb3c34d296427cd485180dacb6bf02581845
2016-07-08 20:22:33 +00:00
Ronald De Rose 093f2c207b Move the credential abstract base class out of core
This patch moves the credential abstract base class out of core and
into backends/base.py

This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.

Partial-Bug: #1563101

Change-Id: I4007a5fe05e61f08999a4b3f6801727c08aaaa14
2016-07-07 16:52:32 +00:00
Jamie Lennox 3dd17505d0 Pass request to build_driver_hints
Pass the request object through to the build_driver_hints function so
that it can use request.params instead of context.query_string.

This shows the problem with the domain_id filter in list roles. For
whatever reason the driver doesn't filter on domain_id=None by default
so we need to add this filter manually. Because we can no longer
influence the query string we add it to the hints object directly if the
param is not set.

Change-Id: I732c603a24f6b884820ee6837d4c0f752d77987d
2016-07-07 13:48:55 +10:00
Dolph Mathews d9c6b50a3a Replace keystone.common.config with keystone.conf package
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.

This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.

There are a couple special modules in keystone.conf introduced here as
well:

- keystone.conf.__init__: This causes all of Keystone options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).

- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.

- keystone.conf.opts: The entry point for oslo.config itself.

- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.

Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
2016-06-24 17:02:15 +00:00
Jamie Lennox da6ea7e224 Pass a request to controllers instead of a context
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.

Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
2016-06-08 14:56:52 +10:00
Morgan Fainberg e518535bd3 Enable py3 for credential tests
Enable python3 testing for credential tests.

Change-Id: I8827b51f17ff547a8ab734a9f8fcf7b30d1cbddf
2016-05-18 23:13:36 +00:00
Navid Pustchi aabc213040 Fix D401 PEP8 violation.
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.

Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
2016-04-14 20:08:52 +00:00
Grzegorz Grasza 0e156737d0 Use the new enginefacade from oslo.db
EngineFacade is deprecated. This partially switches keystone to
use oslo.db.sqlalchemy.enginefacade. 'get_session' and 'get_engine'
methods are still used in sql migrations and related tests.

Change-Id: I221232d50821fe2adb9881f237f06714003ce79d
Partial-Bug: #1490571
2016-02-24 08:20:12 -08:00
Tony Wang 9fc1cc67d9 Add `type' filter for list_credentials_for_user
When getting, or operating on a credential, EC2 controller needs to
specify it's an ec2 credential, avoiding conflicts with other types of
credentials.

Closes-Bug: #1506473
Change-Id: Id92fc87bf1be5448aa929224bbce4d3f7f4359b6
2015-12-11 01:02:38 -05:00
Boris Bobrov 19a25bab9c Make @truncated common for all backends
Although not used in all backends now, @truncated decorator can be
useful in all of them and there is no sense in making it sql-only.

Change-Id: I063cb1d621f4e2bf4d350450a56044d0b6cee7c1
Partial-Bug: 1501698
2015-12-10 02:26:55 -05:00
Samuel de Medeiros Queiroz e64a1b5891 Remove exposure of routers at package level
Keystone API routers are exposed at their package
level (in __init__.py files). This causes them to
be unnecessarily executed each time something
within that package is used.

For example, simply importing
keystone.federation.constants would make the
federation routers code be executed.

This patch removes routers exposure from package
level and import them directly in services.py,
which is the single place that needs them.

Change-Id: If68184c871ac77659ad2e64aa5f0aafac7a4bf70
2015-12-03 15:06:56 -03:00
Dave Chen 5070039812 Using the right format to render the docstring correctly
There are several issues in the docstring, the format is not
correct, not using the full path of class etc.

This patch corrects all of them, so the docstring will be rendered
correctly.

Change-Id: I04d5818f38b5e75b6f6197ef5e13dcd64ed91bf4
2015-11-24 04:37:14 +00:00
Jenkins a1b1ac1ee5 Merge "List credentials by type" 2015-09-04 00:30:18 +00:00
mari-linhares 4c9a5353ef List credentials by type
Currently the only attribute that you can filter a credential list by is
user_id. I want to be able to list by user_id and credential type (a
required field) so that I only get back my EC2 credentials (for example)
when I do a list.

Change-Id: I91f8fb15a2e9a8326059d7a60d2bf1b4c4aa6daa
Closes-bug: #1460492
bp list-credentials-by-type
2015-09-02 21:51:57 -05:00