diff --git a/.gitreview b/.gitreview
index fbbb9cff8..27c8be8c5 100644
--- a/.gitreview
+++ b/.gitreview
@@ -2,3 +2,4 @@ host=review.opendev.org port=29418 project=openstack/barbican.git
+defaultbranch=unmaintained/zed
diff --git a/.zuul.yaml b/.zuul.yaml
index 85817a587..eff77cc25 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -53,16 +53,36 @@ kmip: true - job: - name: barbican-simple-crypto-devstack-tempest + name: barbican-tempest-plugin-simple-crypto-zed parent: barbican-tempest-plugin-simple-crypto - description: | - Compatibility alias for barbican-tempest-plugin-simple-crypto + nodeset: openstack-single-node-focal + override-checkout: unmaintained/zed + required-projects: + - name: openstack/barbican-tempest-plugin + override-checkout: zed-last + vars: + devstack_local_conf: + test-config: + $TEMPEST_CONFIG: + key_manager: + min_microversion: '1.0' + max_microversion: '1.1' - job: - name: barbican-simple-crypto-devstack-tempest-ipv6-only + name: barbican-tempest-plugin-simple-crypto-ipv6-only-zed parent: barbican-tempest-plugin-simple-crypto-ipv6-only - description: | - Compatibility alias for barbican-tempest-plugin-simple-crypto-ipv6-only + nodeset: openstack-single-node-focal + override-checkout: unmaintained/zed + required-projects: + - name: openstack/barbican-tempest-plugin + override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b + vars: + devstack_local_conf: + test-config: + $TEMPEST_CONFIG: + key_manager: + min_microversion: '1.0' + max_microversion: '1.0' - job: name: barbican-simple-crypto-devstack-tempest-castellan-from-git
@@ -82,7 +102,8 @@ required-projects: - opendev.org/openstack/grenade - opendev.org/openstack/barbican - - opendev.org/openstack/barbican-tempest-plugin + - name: opendev.org/openstack/barbican-tempest-plugin + override-checkout: zed-last - opendev.org/openstack/python-barbicanclient vars: devstack_plugins:
@@ -96,6 +117,7 @@ tox_envlist: all - project: + queue: barbican templates: - check-requirements - openstack-cover-jobs
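Review bot: The two new zed jobs pin barbican-tempest-plugin inconsistently: `barbican-tempest-plugin-simple-crypto-zed` uses the tag `zed-last` while the ipv6-only job uses the full commit `a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b`. A tag can be moved after the fact whereas a commit id cannot, so for a reproducible, tamper-evident CI pin either use the SHA in both places (and in the grenade `required-projects` hunk below, which also uses `zed-last`) or add a comment on the ipv6-only job stating why it needs that particular commit, e.g. `# NOTE: pinned to a commit rather than zed-last because <reason>`. The jobs also differ in `max_microversion` ('1.1' vs '1.0'); if that is deliberate a one-line comment next to the ipv6-only value would save the next reader from assuming a copy-paste error.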
@@ -107,21 +129,16 @@ - barbican-tox-functional - barbican-vault-tox-functional: voting: false - - barbican-grenade - - barbican-tempest-plugin-simple-crypto - - barbican-tempest-plugin-simple-crypto-secure-rbac - - barbican-tempest-plugin-simple-crypto-ipv6-only + - barbican-grenade: + voting: false + - barbican-tempest-plugin-simple-crypto-zed + - barbican-tempest-plugin-simple-crypto-secure-rbac: + voting: false + - barbican-tempest-plugin-simple-crypto-ipv6-only-zed: + voting: false - barbican-tox-functional-fips - octavia-v2-dsvm-tls-barbican - # TripleO jobs that deploy Barbican. - # Note we don't use a project-template here, so it's easier - # to disable voting on one specific job if things go wrong. - # If you need any support to debug these jobs in case of - # failures, please reach us on #tripleo IRC channel. - - tripleo-ci-centos-9-scenario002-standalone: - voting: false gate: - queue: barbican jobs: - barbican-tox-functional experimental:
diff --git a/barbican/api/controllers/__init__.py b/barbican/api/controllers/__init__.py
index e5db8cbf4..e944d3bd6 100644
--- a/barbican/api/controllers/__init__.py
+++ b/barbican/api/controllers/__init__.py
@@ -64,7 +64,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs): if target_name and target_data: policy_dict['target'] = {target_name: target_data} - policy_dict.update(kwargs) # Enforce access controls. if ctx.policy_enforcer: target = flatten(policy_dict)
diff --git a/barbican/api/controllers/consumers.py b/barbican/api/controllers/consumers.py
index 037d67d6d..84983d437 100644
--- a/barbican/api/controllers/consumers.py
+++ b/barbican/api/controllers/consumers.py
@@ -353,6 +353,8 @@ def on_delete(self, external_project_id, **kwargs): consumer = self.consumer_repo.get_by_values( self.secret_id, + data["service"], + data["resource_type"], data["resource_id"], suppress_exception=True )
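Review bot: `barbican-tempest-plugin-simple-crypto-secure-rbac` is switched to `voting: false` in the same change that tightens policy enforcement in `_do_enforce_rbac`, so a regression in the secure-RBAC policies on this branch would no longer block a merge. If the job is merely flaky on unmaintained/zed rather than broken, record the reason and an owner next to it so it does not stay non-voting by default, e.g. `# non-voting: <bug or reason>; re-enable once stable on unmaintained/zed`, and do the same for the grenade and ipv6-only entries. Dropping `queue: barbican` from `gate` is presumably compensated by the project-level `queue:` added in the earlier hunk; confirm both check and gate still land in the same queue.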
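Review bot: After this deletion, `policy_dict['target'] = {target_name: target_data}` is the only path by which target attributes reach the enforcer, but nothing in the hunk records why `policy_dict.update(kwargs)` had to go, which makes it easy to reintroduce; a comment above the enforcement block would lock the intent in, e.g. `# Do not merge kwargs into policy_dict: the policy target must be built only from server-side data, never from values the caller can supply.` Whether `kwargs` here is request-derived is not visible in this hunk, so confirm that against the decorator that builds them before wording the comment. With the merge gone, `**kwargs` in the `_do_enforce_rbac` signature may now be unused inside this function; its body continues outside the hunk.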
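Review bot: `data["service"]` and `data["resource_type"]` are indexed directly, so if the DELETE payload validator (outside this hunk) does not mark both fields as required, a request that omits one raises KeyError and surfaces as a 500 rather than a 400. Confirm the validator requires them; if it cannot, reject the request with the existing validation error path instead of switching to `data.get(...)`, because a `None` filter value would silently turn a malformed request into a not-found. The narrower lookup itself is an improvement: matching on `secret_id` and `resource_id` alone could delete a different service's consumer that happened to share a resource id. `on_delete` starts outside the hunk.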
@@ -374,7 +376,7 @@ def on_delete(self, external_project_id, **kwargs): _consumer_not_found() ret_data = self._return_secret_data(self.secret_id) - LOG.info('Deleted a consumer for project: %s', + LOG.info('Deleted a secret consumer for project: %s', external_project_id) return ret_data
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index cbd3c4a33..0ade1071f 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -24,7 +24,7 @@ check_str='role:reader and system_scope:all'), policy.RuleDefault( name='system_admin', - check_str='role:amdin and system_scope:all'), + check_str='role:admin and system_scope:all'), policy.RuleDefault( name='secret_project_match',
diff --git a/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py b/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
new file mode 100644
index 000000000..aaf1ca156
--- /dev/null
+++ b/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
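Review bot: Changing `role:amdin` to `role:admin` in the `system_admin` rule is an authorization change, not just a typo fix: the misspelled role name could never match a Keystone role, so every rule built on `system_admin` was effectively unsatisfiable, and after this change system-scoped admin tokens gain whatever those rules grant. That deserves an explicit release note and a short comment on the rule so the history is not lost, e.g. `# NOTE: this rule previously referenced a non-existent role and could never be satisfied.` Deployments that carry a policy override for `system_admin` should re-check it after upgrading.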
@@ -0,0 +1,49 @@
+# Copyright 2022 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+"""Update secret consumers unique constraint to mach the updated spec
+
+Revision ID: 8c74e2d7f1ff
+Revises: 0f8c192a061f
+Create Date: 2022-09-12 13:03:26.428642
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '8c74e2d7f1ff'
+down_revision = '0f8c192a061f'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+ with op.batch_alter_table('secret_consumer_metadata') as batch_op:
+ batch_op.alter_column('project_id',
+ existing_type=sa.VARCHAR(length=36),
+ nullable=True)
+ batch_op.drop_constraint(
+ '_secret_consumer_resource_uc', type_='unique')
+ batch_op.create_unique_constraint(
+ constraint_name='_secret_consumer_resource_uc',
+ columns=['secret_id', 'service', 'resource_type', 'resource_id'])
+ batch_op.create_index(
+ index_name=op.f('ix_secret_consumer_metadata_project_id'),
+ columns=['project_id'],
+ unique=False)
+ batch_op.create_foreign_key(constraint_name=op.f('fk_project_id'),
+ referent_table='projects',
+ local_cols=['project_id'],
+ remote_cols=['id'])
diff --git a/barbican/model/models.py b/barbican/model/models.py
index 7a7b761c4..d0f5a6983 100644
--- a/barbican/model/models.py
+++ b/barbican/model/models.py
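Review bot: The foreign key is created with the generic name `op.f('fk_project_id')`; on MySQL foreign-key names must be unique per database, so if any other Barbican table already carries a constraint called `fk_project_id` this migration will fail there, and a table-qualified name such as `op.f('fk_secret_consumer_metadata_project_id')` avoids the collision. Creating the FK also assumes every existing non-null `project_id` in `secret_consumer_metadata` references a row in `projects`; if that cannot be guaranteed, orphaned rows will abort the upgrade, so either clean them up in this revision or document the precondition in the docstring. The docstring typo `mach` should read `match`. No `downgrade()` is defined; if the other revisions in this tree provide one, this revision should too.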
@@ -1528,7 +1528,8 @@ class SecretConsumerMetadatum(BASE, SoftDeleteMixIn, ModelBase): __table_args__ = ( sa.UniqueConstraint( - "secret_id", "resource_id", name="_secret_consumer_resource_uc" + "secret_id", "service", "resource_type", "resource_id", + name="_secret_consumer_resource_uc" ), )
diff --git a/barbican/model/repositories.py b/barbican/model/repositories.py
index deb5cc23e..1c95cb7a4 100644
--- a/barbican/model/repositories.py
+++ b/barbican/model/repositories.py
@@ -2507,7 +2507,8 @@ def get_by_resource_id(self, resource_id, return entities, offset, limit, total - def get_by_values(self, secret_id, resource_id, suppress_exception=False, + def get_by_values(self, secret_id, service, resource_type, resource_id, + suppress_exception=False, show_deleted=False, session=None): session = self.get_session(session)
@@ -2515,6 +2516,8 @@ def get_by_values(self, secret_id, resource_id, suppress_exception=False, query = session.query(models.SecretConsumerMetadatum) query = query.filter_by( secret_id=secret_id, + service=service, + resource_type=resource_type, resource_id=resource_id, )
@@ -2547,6 +2550,8 @@ def create_or_update_from(self, new_consumer, secret, session=None): # Get the existing entry and reuse it by clearing the deleted flags existing_consumer = self.get_by_values( new_consumer.secret_id, + new_consumer.service, + new_consumer.resource_type, new_consumer.resource_id, show_deleted=True )
diff --git a/barbican/tests/certificate_utils.py b/barbican/tests/certificate_utils.py
index cfb4bf950..b993f3571 100644
--- a/barbican/tests/certificate_utils.py
+++ b/barbican/tests/certificate_utils.py
@@ -16,6 +16,7 @@ """ The following functions were created for testing purposes. """ + from OpenSSL import crypto
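Review bot: `get_by_values` gains two positional parameters ahead of `resource_id`, so any caller still passing `(secret_id, resource_id, ...)` positionally will either raise TypeError or, with enough positional arguments, silently bind the old `resource_id` as `service`; this diff updates only `create_or_update_from` and the consumers controller's `on_delete`, so remaining callers in tests or plugins should be grepped before merging. Passing the new arguments by keyword at every call site, `self.get_by_values(secret_id=..., service=..., resource_type=..., resource_id=..., show_deleted=True)`, removes the ambiguity. The method body continues outside the hunk.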
@@ -44,14 +45,21 @@ def create_good_csr(): def create_csr_that_has_not_been_signed(): - """Generate a CSR that has not been signed.""" - key_pair = create_key_pair(crypto.TYPE_RSA, 2048) - csr = crypto.X509Req() - subject = csr.get_subject() - setattr(subject, "CN", "host.example.net") - csr.set_pubkey(key_pair) - pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) - return pem + """Return a CSR that has not been signed.""" + # NOTE(xek): This method was relying on unsupported behaviour + # in OpenSSL to create an unsigned CSR in the past, so just + # return a pre-generated certificate request. + return b"""-----BEGIN CERTIFICATE REQUEST----- +MIIBUTCCAUgCAQAwGzEZMBcGA1UEAwwQaG9zdC5leGFtcGxlLm5ldDCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAPPO24Fzfoh4pAqfzGrJGEwINi42MY4S +NMI8+l53vwD0Ld5FN9O044NAuDrGv5KbCoKI6APRYsESZ3adaiHKXfIiEX9QPn8D +wJVU388O7gi43tUFl02a65ffczDDYQqHc05rFACvYhYzsjXescqeQjQydI8GcSe0 +UGsi4IEyU3iI9hKgYwGRRbPezlkpK5t/wW08Qv1muPNkJi1kJklSrNbVYfN+lj7U +e3hntigVIo9AP7d++YcMVelrQqFRkhC9+LPo75cKZ5qONQKp5qbDXuHyXh8/H3gv +G903n2Dy9QqqV3zNbDyhBLcjv6802ITtSZSv/GuGM2UUj1o+Eo4B2ycCAwEAAaAA +MAADAQA= +-----END CERTIFICATE REQUEST----- +""" def create_csr_signed_with_wrong_key():
diff --git a/tox.ini b/tox.ini
index 399cae1eb..f6d54f117 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,7 +10,7 @@ setenv = PYTHON=coverage run --source barbican --parallel-mode usedevelop = True deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed} -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt
@@ -77,7 +77,7 @@ commands = # the main docs to https://docs.openstack.org/barbican description = Build main documentation deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed} -r{toxinidir}/doc/requirements.txt commands= rm -rf doc/build doc/build/doctrees
@@ -114,7 +114,8 @@ allowlist_externals = rm # Note: This requires local running instances of Barbican and Keystone # TODO(dmend): remove --serial and uncomment coverage commands deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed} + -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt setenv = OS_TEST_PATH={toxinidir}/functionaltests
@@ -124,6 +125,8 @@ commands = # coverage combine # coverage html -d cover # coverage xml -o cover/coverage.xml +allowlist_externals = + /usr/bin/find passenv = KMIP_PLUGIN_ENABLED VAULT_PLUGIN_ENABLED PKCS11_PLUGIN_ENABLED
@@ -132,7 +135,7 @@ passenv = KMIP_PLUGIN_ENABLED # This tox env is purely to make local test development easier # Note: This requires local running instances of Barbican and Keystone deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed} -r{toxinidir}/test-requirements.txt setenv = OS_TEST_PATH={toxinidir}/barbican/cmd/functionaltests
@@ -142,6 +145,8 @@ commands = coverage combine coverage html -d cover coverage xml -o cover/coverage.xml +allowlist_externals = + /usr/bin/find [doc8] ignore = D001