Address the couple of small issues it highlights.
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Change-Id: I0b0b8ff96d024cc3432ce902e781fff7e594924e
Address incompatibility with Python 3.8, which happens due to the older
bandits use of the private '_ast' module instead of 'ast' [1] and the
deprecated 'Num' having been removed from the former. The bump requires
an additional nosec for a line that is misidentified as a hardcoded
password.
A note about requirements ordering is removed as it hasn't been relevant
since pip 20.3 introduced the new dependency resolver.
[1] 09b0207e2b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Change-Id: Icaaa3a2e24429bba5cf70c04062cfa5820c8a1bf
Per the note in requirements.txt, we do not want to depend on any oslo
library. Fix the accidental inclusion of this library.
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Change-Id: I0287fc2493831e9b52790f7d6db13b8a4ed7158e
When redirected, the server *generally* returns a fully
formed URI, but does not really have to, so we may end up
in a "depending on how the redirect was triggered" would
result in the response handling.
Ultimately, any behavior which is not an fully formed URI
would be invalid.
But our code was taking the URI we got back, and would then
re-issue the request with a list of parameters with the new
URL. Duplicating the parameters on the URI.
Example of what was occuring, when only provision_state=active
was a parameter before the redirect:
/v1/nodes?provision_state=active&provision_state=active
Co-Authored-By: Kristi Nikolla <knikolla@bu.edu>
Co-Authored-By: Jay Faulkner <jay@jvf.cc>
Story: 2010029
Task: 45316
Change-Id: I4969a42ee651ac2c559e378d879b673a1d788c57
Currently when redirects are used, the request id can get lost on redirect.
Proposed patch reuses req-id from redirect response and passes it to
actual request
Closes-Bug: #2000742
Change-Id: I98d5d4490b3d5667677cdd19f3c7b39abe6044ef
In case the OAuth 2.0 client for keystone is configured in Keycloak to
require PKCE (for horizon Web-SSO), this also applies to other flows
like v3oidcdeviceauthz.
https://www.rfc-editor.org/rfc/rfc7636
Signed-off-by: Arvid Requate <requate@univention.de>
Change-Id: I8475a583844d9b97ed65a9909c31cebc31cfbebb
Updates the v3oidcpassword function to also send the client_id as part of the request body,
this seems to be a requirement for services like onelogin.
Change-Id: I2392ef51302804c0c66c0fb52227db5f35bca3fd
Added a new OAuth2mTlsClientCredential plugin, accessible via the
'v3oauth2mtlsclientcredential' entry point, making possible to
authenticate using an OAuth 2.0 Mutual-TLS client credentials.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I0e02ef18da5d60cdd1bcde07b07c2071b74b73d6
Implements: blueprint support-oauth2-mtls
Add keyword option to get_version_data() to allow passing
of the version header so that we can get the microversions.
Specifically, this is so that we can re-use this function
in barbican, which recently implemented microversions, but
doesn't return them by default, for backward compatibility
with old clients.
Change-Id: I909750381a559f9dc61650c9f98c88d4481012b7
This is no longer necessary since we only support Python 3.x.
A note is removed from requirements.txt since it's no longer relevant:
pip 20.3+ has a real dependency resolver.
Change-Id: Ie3006813a79fef1f128d388b906e4f1752347fa4
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
while e.g. V3Password works perfectly fine with unversioned auth_url
like 'http://keystone', everything based on FederationBaseAuth
does not and only requires versioned v3 auth_url.
Since OS_FEDERATION is implemented only in v3, this patch
makes sure that federated_token_url has v3 in it, thus allowing
for unversoned auth_url as well.
Closes-Bug: #1998366
Change-Id: I1f0b00b6f721c53bb5308e03223d0c1564ca81b3
we already fail when mutliple scope identifiers are provided, however
not when system scope is involved. As a result of the undocumented
priority of checks, when system scope is specified together with any
other scope, that other scope will silently be used.
Change-Id: I120ed63f6c1262d067eeb6168feab35278cacf6a
Bump linter requirements - follow the changes
made in keystone in commits
6dfde5b48b388e32e34a385c3a9ef48da7c7c49b and
5c71ebd7a92d25df83e2e7cc5fad9990e9eebbf5 in
order to fix compatibility with Python 3.10.
Remove python-dev from bindep - it's no longer
supported by jammy and lead us to the following
errors with the announce-release job:
```
No package matching 'python-dev' is available
```
Co-Authored-By: Herve Beraud <hberaud@redhat.com>
Change-Id: If687a2678733ce018bd31c602140f073ab1a1a65
Added a new OAuth2ClientCredential plugin, accessible via the
'v3oauth2clientcredential' entry point, making possible to authenticate
using an application credentials as an OAuth2.0 client credentials.
Change-Id: I77d6faef4cbc75abb8e7d86f386fb6d16e40cabf
Noticed this while doing some local testing, if a WSGI app replies with
a text/plain content type to communicate a server error, we aren't able
to see the error response message when passing --debug to the
openstackclient, example:
RESP: [500] Date: Thu, 01 Oct 2020 23:54:15 GMT Server: Apache/2.4.18
(Ubuntu) Content-Type: text/plain; charset=UTF-8 Connection: close
Transfer-Encoding: chunked
RESP BODY: Omitted, Content-Type is set to text/plain; charset=UTF-8.
Only application/json responses have their bodies logged.
Change-Id: Ibfd46c7725bd0aa26f1f80b0e8fc6eda2ac2e090
Add the super method to the ServiceTokenAuthWrapper class
to get the _discovery_cache attribute of the parent class.
the error info is below while neutron is authenticated by
keystoneauth plug in task inspector enroll baremetal node:
ERROR oslo_messaging.rpc.server:
Exception during message handling: AttributeError:
'ServiceTokenAuthWrapper' object has no attribute '_discovery_cache'
Change-Id: Icc7c4e25a123b5565c94f43f932ee32f9f304a76
Check if the last url segment matches the project id.
Previously the check only confirmed whether the last url segment
endswith the project id which could cause problems with spurious
matches of some legacy integer project ids.
Closes-Bug: 1968793
Change-Id: I7c6c22e41bde2a73508635b7e964c58a02c12146
The passage about discovery document and allow_version_hack makes little
sense for people unfamiliar with keystoneauth internals. What it
actually means in most cases is that the remote service is not
available. Rephrase the error message and add some debug logging.
Change-Id: I156dbb45bd8c07ace1900894f6779ed9f38cf3c6
Manila API honors a "X-OpenStack-Manila-API-Version"
header to specify microversions.
It may support the OpenStack-API-Version header
in a future release, however, we'll need to maintain
backwards compatibility with the existing API.
Change-Id: Ia2e62d3a11a08adeb6d488b7c9b365f7ff2be3c8
When a non-keystone plugin is used together with an unversioned endpoint,
we give up on discovery before figuring out both major version and
the correct endpoint. This is because get_endpoint_data is called with
discover_versions=False, so discovery assumes we have all information
already. It may be an issue in discovery itself, but I'm afraid to
touch that code. Instead, if get_endpoint_data returns no API version
with discover_versions=False, try with discover_versions=True, which
matches what the identity plugins do.
Also increase the unit test coverage.
Change-Id: Ie623931b150748d7759cf276e0023a2f06a8d4db
We expect endpoint_override, but these plugins won't necessary
have it, they have endpoint instead.
Co-Authored-By: Dmitry Tantsur <dtantsur@protonmail.com>
Change-Id: Iead4b95c1f5b8d84cec705da32f41049e2eea641
A new basic auth plugin is added which enables HTTP Basic
authentication for standalone services. Like the noauth plugin, the
endpoint needs to be specified explicitly, along with the
username and password.
An example of a standalone server implementing HTTP Basic can be seen
in Ironic change https://review.opendev.org/#/c/727467/
Change-Id: Ib3f0a9c518d031a67f9605cf64a8a9cc81131ed3
Story: 2007656
Task: 39741
Zuul