Keystone defines a 'description' field on its schema which can be
returned if the user has set it on resource creation/update, but the
docs don't mention this field, which can be confusing.
Change-Id: Id64792411d2704fee581cf86806eb430f0319256
Signed-off-by: Winicius Silva <winiciusab12@gmail.com>
For some reason a bug went unnoticed where in the schema validation we
log the message from the decorators, but logging itself is not imported.
Change-Id: I6ddb69d21d22eafbfcde5c8952a63e39750e6328
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
In change I61429b39086d15aed7d2315d7c3971727a9fa419 we
removed documentation for the name attribute since it is not
recommended. However, the api still accepts and (optionally)
returns this field, which can be confusing.
Rather than pretend it does not exist from a docs perspective,
instead indicate that it does exist but should not be used.
Change-Id: I381de2daf422f3328c75b79ed8c8b543290abe23
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
When validating a token, under load, a full table scan could happen
because of missing indexes.
This new index drastically helps the database get through the
revocation events.
Closes-Bug: #2081082
Change-Id: Ic44c945f3cb65b48ff72052fd2b4f6d45e118b2e
Signed-off-by: Quentin GROLLEAU <quentin.grolleau@corp.ovh.com>
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
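The effect described in this change, as an added illustration that is not Keystone's code or its migration: a constructed revocation-event-like table in SQLite, queried with and without an index on the column the lookup filters on. The column set and the index name are assumptions; EXPLAIN QUERY PLAN shows the planner switching from a full table SCAN to an index SEARCH.

```python
import sqlite3

# Constructed stand-in for a revocation-event table. The column set and the
# index name are assumptions for illustration only, not Keystone's schema or
# the migration from the change above.
SCHEMA = """
CREATE TABLE revocation_event (
    id INTEGER PRIMARY KEY,
    user_id TEXT,
    project_id TEXT,
    audit_id TEXT,
    issued_before TEXT NOT NULL,
    revoked_at TEXT NOT NULL
);
"""

# The lookup a token validation issues: "any revocation events for this user?"
LOOKUP = "SELECT id, issued_before FROM revocation_event WHERE user_id = ?"


def build_db(with_index: bool, rows: int = 5000) -> sqlite3.Connection:
    """Create an in-memory table with synthetic events, optionally indexed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO revocation_event "
        "(user_id, project_id, audit_id, issued_before, revoked_at) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            (f"user-{i % 1000}", f"proj-{i % 50}", f"audit-{i}",
             "2025-01-01T00:00:00", "2025-01-01T00:00:00")
            for i in range(rows)
        ],
    )
    if with_index:
        conn.execute(
            "CREATE INDEX ix_revocation_event_user_id "
            "ON revocation_event (user_id)"
        )
    conn.commit()
    return conn


def query_plan(conn: sqlite3.Connection, user_id: str = "user-7") -> str:
    """Return SQLite's EXPLAIN QUERY PLAN detail text for the lookup."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + LOOKUP, (user_id,)).fetchall()
    # The human-readable detail is the last column in every SQLite version.
    return " | ".join(str(r[-1]) for r in rows)


def uses_full_scan(conn: sqlite3.Connection) -> bool:
    """True when the planner reads the whole table (SCAN) instead of probing
    an index (SEARCH)."""
    return query_plan(conn).startswith("SCAN")


if __name__ == "__main__":
    print("without index:", query_plan(build_db(with_index=False)))
    print("with index:   ", query_plan(build_db(with_index=True)))
```

Under load, each token validation that has to scan the whole revocation table competes with every other one for the same pages; the same EXPLAIN check against the real database (MySQL/PostgreSQL have their own EXPLAIN syntax) is the quickest way to confirm a migration like this one actually changed the plan.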
When federated users' group membership changes in the IdP and they
reauthenticate, their role assignments should reflect the change
immediately, respecting the IdP's TTL configuration rather than
waiting for the role assignment cache to expire.
This change ensures that federated authentication triggers
appropriate cache invalidation for role assignments when group
membership has changed.
Closes-Bug: #2119031
Change-Id: I79505f3d9e7d9ba46ed6ff40ee0071bdf92b95a0
Signed-off-by: Moutaz Chaara <moutaz.chaara@sap.com>
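The invalidation behaviour the change describes, as an added example that is not Keystone's code: a role-assignment cache keyed by user, and a federated authentication step that compares the groups the IdP asserts now with the ones it asserted last time and drops the cached assignments when they differ. The group-to-role table is constructed; TTL expiry is deliberately not modelled, since the point is that a membership change must not wait for it.

```python
# Constructed mapping of IdP groups to roles (an assumption for the example).
GROUP_ROLES = {"admins": {"admin"}, "devs": {"member"}, "auditors": {"reader"}}


class RoleAssignmentCache:
    """Minimal cache: computed once per user until explicitly invalidated."""

    def __init__(self):
        self._entries = {}
        self.computations = 0  # how often the backend had to be consulted

    def get_or_compute(self, user_id, compute):
        if user_id not in self._entries:
            self.computations += 1
            self._entries[user_id] = compute()
        return self._entries[user_id]

    def invalidate(self, user_id):
        self._entries.pop(user_id, None)


class FederatedAuth:
    def __init__(self):
        self.cache = RoleAssignmentCache()
        self._last_groups = {}  # user_id -> groups asserted at the last authentication

    def authenticate(self, user_id, idp_groups):
        """Return the effective roles for a federated user on (re)authentication."""
        groups = frozenset(idp_groups)
        if self._last_groups.get(user_id) != groups:
            # Membership changed in the IdP: drop the cached assignments now
            # instead of waiting for the cache entry to expire.
            self.cache.invalidate(user_id)
            self._last_groups[user_id] = groups
        return self.cache.get_or_compute(
            user_id,
            lambda: set().union(*(GROUP_ROLES.get(g, set()) for g in groups)),
        )


def scenario():
    """Constructed walkthrough: unchanged groups hit the cache, a change does not."""
    auth = FederatedAuth()
    first = auth.authenticate("alice", ["devs"])
    second = auth.authenticate("alice", ["devs"])           # cache hit
    third = auth.authenticate("alice", ["devs", "admins"])  # IdP added a group
    return first, second, third, auth.cache.computations
```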
When passlib was dropped, scrypt support was implemented using the
cryptography library. Keep the requirements declaration matching reality.
Change-Id: Ic36ab00c43ac9f74777d0ebda55f109cc24a74ff
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
We should use the correct naming convention for alembic migration
folder.
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I33933e51c05d0c6ae884d7ae429d542621804e79
We were applying the migration up to 2024.01.
Since we added a new expand in 2025.02, let's apply it.
We forgot to do that in a previous change
I51e6c32f17df9473f9a055013eed1fe0a90c8afa
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I90460353510d77f6d9094902c7925a47a58a3156
We support custom identity plugins. They (and also the LDAP backend) may be
considered read-only (not supporting user data modification through the
Keystone API). When a user of such a backend is disabled in the remote
system, Keystone will never learn about that and as such tokens for those
users will remain active. They cannot be renewed, but they still stay
valid.
In order to address this situation we need to do additional steps in the
token validation and identify the current state of the user in the
backend. Due to the use of token caching it is not possible to reuse the
normal token validation functionality (it will never get invalidated as
such). In order to keep the performance impact as low as possible, modify the
token validation as follows:
- regular checks
- revocation check
- if the token is still active and the revocation check passed, fetch current
user data. When the user is disabled, log a warning (explaining the situation)
and raise a `UserDisabled` exception.
Since Keystone also does not receive a message when a user is reactivated
(i.e. it was accidentally disabled), we cannot use the same approach as
for regular user disabling and generate a token revocation event. This
would cause the user to be locked out until the revocation event
expires.
Closes-bug: #2122615
Change-Id: If5b83feabc670ced54ef12fe7826267af7e3419d
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
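The validation order listed in this change, as an added example that is not Keystone's code: the regular checks are served from a cache, the revocation check runs against a set of events, and the user's current state is then read from the backend on every call. The token store, revocation set and identity backend are constructed dictionaries standing in for the real drivers; the scenario disables a user behind Keystone's back and then re-enables them, showing that no revocation event is produced.

```python
import logging

log = logging.getLogger(__name__)


class TokenNotFound(Exception):
    pass


class TokenRevoked(Exception):
    pass


class UserDisabled(Exception):
    pass


class TokenValidator:
    """Regular checks (cached), revocation check, then an uncached lookup of
    the user's state in a read-only backend."""

    def __init__(self, tokens, revocation_events, identity_backend):
        self._tokens = tokens                        # token_id -> {"user_id", "expires_at"}
        self._revocation_events = revocation_events  # set of revoked token ids
        self._backend = identity_backend             # user_id -> {"enabled": bool}
        self._validation_cache = {}                  # stands in for the token cache

    def _regular_checks(self, token_id, now):
        # Cached: once a token resolves, the cached copy is reused for its lifetime.
        token = self._validation_cache.get(token_id)
        if token is None:
            token = self._tokens.get(token_id)
            if token is None:
                raise TokenNotFound(token_id)
            self._validation_cache[token_id] = token
        if token["expires_at"] <= now:
            raise TokenNotFound(token_id)
        return token

    def _revocation_check(self, token_id):
        if token_id in self._revocation_events:
            raise TokenRevoked(token_id)

    def validate(self, token_id, now):
        token = self._regular_checks(token_id, now)
        self._revocation_check(token_id)
        # Not cached on purpose: only the backend knows whether a user of a
        # read-only (LDAP / custom plugin) backend is still enabled.
        user = self._backend.get(token["user_id"])
        if user is None or not user.get("enabled", False):
            log.warning(
                "User %s is disabled in the read-only identity backend; "
                "rejecting token %s without recording a revocation event, so "
                "the token becomes usable again if the user is re-enabled",
                token["user_id"], token_id)
            raise UserDisabled(token["user_id"])
        return token


def scenario():
    """Constructed data: disable a user in the remote system only, then re-enable."""
    backend = {"alice": {"enabled": True}}
    validator = TokenValidator(
        tokens={"tok-1": {"user_id": "alice", "expires_at": 1_000}},
        revocation_events=set(),
        identity_backend=backend,
    )
    outcomes = []
    validator.validate("tok-1", now=10)          # primes the validation cache
    outcomes.append("valid")
    backend["alice"]["enabled"] = False          # Keystone is never told about this
    try:
        validator.validate("tok-1", now=20)
        outcomes.append("valid")
    except UserDisabled:
        outcomes.append("disabled")
    backend["alice"]["enabled"] = True           # accidental disable undone
    validator.validate("tok-1", now=30)          # no revocation event, so usable again
    outcomes.append("valid")
    return outcomes
```

The extra backend read per validation is the performance cost the change accepts; against LDAP that is one bind-and-search per token check, so the lookup should be the cheapest query the driver offers and should not itself be cached, or the whole point is lost.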
This fixes the protection tests for creds and ec2
creds that is executed by the protection tox
env.
Change-Id: Ic93ca4ecd80be9dbcb1759de39060eb194e9e1f0
Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
Add a policy to enforce authentication with a user in the service
group. This maintains AWS compatibility with the added security
layer.
Closes-Bug: 2119646
Change-Id: Ic84b84247e05f29874e2c5636a033aaedd4de83c
Signed-off-by: Grzegorz Grasza <xek@redhat.com>
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
The world (and requirements) broke us again, not a surprise, but it is
not really sustainable anymore. requirements updated markdown-it-py,
which is not supported by myst_parser (which got in limbo), which is
needed by os-openapi to build the sphinx extension. There seems to be no
fast workaround possible for that, so temporarily (hopefully) disable the
part of building openapi docs.
Change-Id: Idbf4901604522c2b2bafd976a6914963212def83
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
Some multiline strings (descriptions) that are in brackets have a comma
at the end which results in them being treated as a list rather than a
string.
Change-Id: Ib39e2196d1781a24afb152ba1e61c999ab474712
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
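The pitfall this change fixes, as an added example that is not Keystone's schema code: a constructed schema dict where one parenthesised multi-line string has a stray trailing comma, so Python builds a one-element tuple instead of concatenating the string fragments. The `find_single_string_tuples` helper is an illustrative AST check for catching the same mistake in other files.

```python
import ast

# Constructed schema snippet (not Keystone's). The first description has a
# comma after the closing quote inside the parentheses, so Python builds a
# one-element tuple instead of concatenating the adjacent string literals.
SAMPLE = '''
schema = {
    "description": (
        "Optional free-form description "
        "of the resource.",
    ),
    "name": (
        "Name of the resource, "
        "must be unique in the domain."
    ),
}
'''


def evaluate_sample():
    """Return the runtime type of each value, as the schema validator would see it."""
    namespace = {}
    exec(SAMPLE, namespace)   # trusted, constructed input only
    return {k: type(v).__name__ for k, v in namespace["schema"].items()}


def find_single_string_tuples(source):
    """Static check: report one-element tuples whose only element is a string.
    That shape almost always means a stray trailing comma after a
    parenthesised multi-line string."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Tuple) and len(node.elts) == 1:
            (elt,) = node.elts
            if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                hits.append(elt.value)
    return hits
```

Running `find_single_string_tuples(open(path).read())` over a tree of schema modules is a cheap pre-commit guard; the false-positive rate is low because a deliberate one-string tuple is rare in schema definitions.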
This should not be used in production for the reasons given inline.
Change-Id: Ie40f41f57e316888c2b33f2952edcbac702c1c79
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Depends-on: https://review.opendev.org/c/openstack/devstack/+/962852
Closes-bug: #2126676
LDAP drivers can yield refs with values encoded as bytestrings,
which includes bytes local IDs, while the ID mapping layer
stores/returns strings.
During list post-processing, this mismatch prevents lookups from hitting
the seeded mapping and triggers create_id_mapping again on each pass,
causing unnecessary churn and latency during token issuance.
This change adds unit tests for both cases:
- bytes IDs: the original behavior was that the cumulative
create_id_mapping count increased with each iteration.
- string IDs: seeded mapping is reused; no creates across iterations.
The helper always seeds with a string local_id, normalizing the mapping
list local_id to string. After the fix, the results are the same for
string and bytestring.
Signed-off-by: Grzegorz Grasza <xek@redhat.com>
Change-Id: I89235b2721380544304221a2da67a30971c62bf9
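The mismatch described above, as an added example that is not Keystone's ID-mapping code: a constructed mapping store that persists local IDs as str (as the SQL table does), a list post-processing step that looks the local ID up as the driver returned it, and a counter showing that bytes IDs miss the seeded mapping on every pass while normalised or str IDs reuse it.

```python
class IdMappingStore:
    """Constructed stand-in for the ID mapping layer: local IDs are persisted
    and returned as str, the way the SQL table stores them."""

    def __init__(self):
        self._public_by_local = {}   # (domain_id, str local_id) -> public_id
        self.create_calls = 0

    def get_public_id(self, domain_id, local_id):
        # Lookup uses the caller's key as-is: b"alice" never equals "alice".
        return self._public_by_local.get((domain_id, local_id))

    def create_id_mapping(self, domain_id, local_id):
        self.create_calls += 1
        key = (domain_id, _to_str(local_id))     # stored as str regardless
        return self._public_by_local.setdefault(
            key, f"pub-{len(self._public_by_local) + 1}")


def _to_str(local_id):
    return local_id.decode("utf-8") if isinstance(local_id, bytes) else local_id


def map_refs(store, domain_id, refs, normalize):
    """Post-process a list of backend refs, replacing local IDs with public ones."""
    out = []
    for ref in refs:
        local_id = _to_str(ref["id"]) if normalize else ref["id"]
        public_id = store.get_public_id(domain_id, local_id)
        if public_id is None:
            public_id = store.create_id_mapping(domain_id, local_id)
        out.append(dict(ref, id=public_id))
    return out


def extra_creates(refs, normalize, passes=3):
    """Run the list post-processing several times against a mapping seeded
    with a str local_id; return how many create calls happened beyond the seed."""
    store = IdMappingStore()
    store.create_id_mapping("default", "alice")   # the helper seeds with a string
    for _ in range(passes):
        map_refs(store, "default", refs, normalize)
    return store.create_calls - 1


BYTES_REFS = [{"id": b"alice", "name": b"alice"}]   # shape an LDAP driver may yield
STR_REFS = [{"id": "alice", "name": "alice"}]
```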
... to run all pep8 checks by pre-commit.
Change-Id: Icadac8a5566816fa17257b36c6885a578e888e6e
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
This has been unused since bandit was moved to PyCQA organization.
Also maintain bandit options in pyproject.toml so that these can be
used by different tools more easily.
Change-Id: I7d16d6e58666a943677a18fcc19f66c7bb7a2c8c
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
Now that references from keystone-tempest-plugin have been cleaned up,
we can remove these aliases.
Change-Id: I80267d2fb74cebd5f2884d539436c44f17f117e1
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Depends-on: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384
The module keystone.oauth1.backends.sql was using the random library to
generate the verifier of a request token. The bandit security scanner
tool from version 1.8.4 onwards identifies the use of random.sample as a
low-severity security issue, despite random actually being an alias to
random.SystemRandom(). This change replaces the use of the random library
with the secrets library and avoids shadowing random.
Change-Id: I1a0ecd80a44eae6032e985091032aa91ee5c81a5
Signed-off-by: Adrian Jarvis <adrian.jarvis@catalystcloud.nz>
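A verifier generator built on the secrets module, as an added example that is not Keystone's oauth1 code; the alphabet and the length of 8 are assumptions. It also quantifies why the replacement is not only a linter appeasement: random.sample draws without replacement, so no character can repeat and the verifier space is smaller than drawing each character independently, and it shows the matching constant-time comparison for checking a presented verifier.

```python
import math
import secrets
import string

# Alphabet and length are assumptions for the example, not Keystone's values.
VERIFIER_ALPHABET = string.ascii_letters + string.digits
VERIFIER_LENGTH = 8


def generate_verifier(length: int = VERIFIER_LENGTH) -> str:
    """Draw each character independently from the OS CSPRNG (with replacement)."""
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def verifier_entropy_bits(length: int, with_replacement: bool) -> float:
    """Bits of entropy for a verifier drawn from the alphabet.

    random.sample draws *without* replacement, so the number of possible
    verifiers is P(n, k) rather than n**k."""
    n = len(VERIFIER_ALPHABET)
    if with_replacement:
        return length * math.log2(n)
    return math.log2(math.perm(n, length))


def verifier_matches(stored: str, presented: str) -> bool:
    """Compare in constant time so response timing does not leak the stored value."""
    return secrets.compare_digest(stored.encode(), presented.encode())
```

The entropy gap for an 8-character verifier over 62 symbols is under a bit, so the practical gain of this change is clarity (no shadowed module name, an API that cannot be silently swapped back to a non-CSPRNG generator) rather than raw strength; the constant-time compare is the part worth copying into any code that checks a verifier or token against a stored value.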
Add file to the reno documentation build to show release notes for
stable/2025.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2025.2.
Sem-Ver: feature
Change-Id: I502489b74d553f0bfac193e61c9aa6887be7a710
Signed-off-by: OpenStack Release Bot <infra-root@openstack.org>
Generated-By: openstack/project-config:roles/copy-release-tools-scripts/files/release-tools/add_release_note_page.sh
When using dogpile.cache.memory as the cache backend, the underlying
Python dict gets cached. Then, since we decrypt it in-place, the
decrypted dict remains in cache. As a result, subsequent attempts to
fetch (and decrypt) the credential result in KeyErrors, since
'encrypted_blob' was popped off in the original decryption.
Now, check for 'blob' (and the absence of 'encrypted_blob') in the
dict; if it looks like the credential has already been decrypted, skip
decryption.
Change-Id: Ic634c1c7db16c9acff5cdf39de74c3f82710a16e
Signed-off-by: Tim Burke <tim.burke@gmail.com>
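The failure mode and the fix described above, as an added example that is not Keystone's credential code: a constructed cache region that, like dogpile.cache.memory, hands back the stored dict object itself rather than a copy, a toy base64 encoding standing in for real credential encryption, and the in-place decryption both before and after the 'blob' / 'encrypted_blob' check.

```python
import base64


class MemoryCacheRegion:
    """Constructed stand-in for dogpile.cache.memory: get() returns the very
    object that was stored, not a copy."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def set(self, key, value):
        self._store[key] = value


def _encrypt_blob(plaintext: str) -> str:
    """Toy reversible encoding standing in for real credential encryption."""
    return base64.b64encode(plaintext.encode()).decode()


def _decrypt_blob(ciphertext: str) -> str:
    return base64.b64decode(ciphertext.encode()).decode()


def decrypt_in_place_buggy(cred: dict) -> dict:
    # Pops the ciphertext out of the cached dict itself; a second fetch of the
    # same object finds no 'encrypted_blob' and raises KeyError.
    cred["blob"] = _decrypt_blob(cred.pop("encrypted_blob"))
    return cred


def decrypt_in_place_fixed(cred: dict) -> dict:
    if "blob" in cred and "encrypted_blob" not in cred:
        return cred  # already decrypted on a previous pass; nothing to do
    cred["blob"] = _decrypt_blob(cred.pop("encrypted_blob"))
    return cred


def fetch_twice(decrypt) -> list:
    """Store one constructed credential, then fetch and decrypt it twice."""
    region = MemoryCacheRegion()
    region.set("cred-1", {"id": "cred-1", "encrypted_blob": _encrypt_blob("s3cret")})
    results = []
    for _ in range(2):
        try:
            results.append(decrypt(region.get("cred-1"))["blob"])
        except KeyError:
            results.append("KeyError")
    return results
```

The security-relevant side effect is worth noting: with the memory backend the decrypted blob now lives in the cache for the entry's lifetime, whereas a serialising backend (memcached, redis) holds only the encrypted form. Decrypting a copy (`dict(cred)`) instead of the cached object would avoid both the KeyError and the plaintext-in-cache, at the cost of a decryption per fetch.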
Interpretation of the ldap enabled attribute as boolean
is only done if the enabled_invert setting is set to true.
Closes-Bug: #2121152
Change-Id: I7260bf46adf003aef7c7ac0d436c3758f658cb0c
Signed-off-by: Benedikt Trefzer <benedikt.trefzer@cirrax.com>