From 03f6932e16aa0b72a32a10fc04a52125c45dd5d7 Mon Sep 17 00:00:00 2001 From: Sergiy Markin Date: Fri, 28 Apr 2023 19:20:58 +0000 Subject: [PATCH] Deckhand updates This PS delivers the following updates: - fixed sample config and policy files generation in tox - rolled back the chart version increment to 0.2.0 Change-Id: I509030319a724b18bb21f45f7ede7c07ab18e894 --- ChangeLog | 2 + charts/deckhand/Chart.yaml | 2 +- etc/deckhand/deckhand.conf.sample | 172 +++++++++++++++++------------- etc/deckhand/policy.yaml.sample | 40 +++---- tox.ini | 8 +- 5 files changed, 125 insertions(+), 99 deletions(-) diff --git a/ChangeLog b/ChangeLog index c2924cd0..da2ee233 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ CHANGES ======= +* Removing egg-info folder +* Sync requirements with shipyard * [focal] Deckhand project updates * update to focal and python 3.8 * Allow source substring extraction diff --git a/charts/deckhand/Chart.yaml b/charts/deckhand/Chart.yaml index ad0a0871..a87c0ba7 100644 --- a/charts/deckhand/Chart.yaml +++ b/charts/deckhand/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 description: A Helm chart for Deckhand name: deckhand -version: 0.2.2 +version: 0.2.0 appVersion: 1.1.0 keywords: - deckhand diff --git a/etc/deckhand/deckhand.conf.sample b/etc/deckhand/deckhand.conf.sample index aac2dc80..29bb5d52 100644 --- a/etc/deckhand/deckhand.conf.sample +++ b/etc/deckhand/deckhand.conf.sample @@ -11,6 +11,10 @@ # in production. (boolean value) #development_mode = false +# How many times Deckhand should attempt to create a secret in Barbican before +# raising an exception. (integer value) +#secret_create_attempts = 2 + # # From oslo.log # 
@@ -25,7 +29,7 @@ # files, see the Python logging module documentation. Note that when logging # configuration files are used then all logging configuration is set in the # configuration file and other logging configuration options are ignored (for -# example, logging_context_format_string). (string value) +# example, log-date-format). (string value) # Note: This option can be changed without restarting. # Deprecated group/name - [DEFAULT]/log_config #log_config_append = 
@@ -76,27 +80,62 @@ # set. (boolean value) #use_stderr = false -# Format string to use for log messages with context. (string value) +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is set to "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when the +# service was started) is used when scheduling the next rotation. (string value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. (integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s -# Format string to use for log messages when context is undefined. (string -# value) +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s # Additional data to append to log message when logging level for the message is -# DEBUG. (string value) +# DEBUG. 
Used by oslo_log.formatters.ContextFormatter (string value) #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d -# Prefix each line of exception output with this format. (string value) +# Prefix each line of exception output with this format. Used by +# oslo_log.formatters.ContextFormatter (string value) #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s # Defines the format string for %(user_identity)s that is used in -# logging_context_format_string. (string value) +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) #logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s # List of package logging levels in logger=LEVEL pairs. This option is ignored # if log_config_append is set. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO # Enables or disables publication of error events. (boolean value) #publish_errors = false 
@@ -132,6 +171,10 @@ # # URL override for the Barbican API endpoint. (string value) +# +# This option has a sample default set, which means that +# its actual default value may vary from the one documented +# below. #api_endpoint = http://barbican.example.org:9311/ # Maximum number of threads used to call secret storage service concurrently. @@ -199,7 +242,7 @@ # Domain name containing project (string value) #project_domain_name = -# Trust ID (string value) +# ID of the trust to use as a trustee use (string value) #trust_id = # User ID (string value) @@ -285,27 +328,10 @@ # Connections which have been present in the connection pool longer than this # number of seconds will be replaced with a new one the next time they are # checked out from the pool. (integer value) -# Deprecated group/name - [DATABASE]/idle_timeout -# Deprecated group/name - [database]/idle_timeout -# Deprecated group/name - [DEFAULT]/sql_idle_timeout -# Deprecated group/name - [DATABASE]/sql_idle_timeout -# Deprecated group/name - [sql]/idle_timeout #connection_recycle_time = 3600 -# DEPRECATED: Minimum number of SQL connections to keep open in a pool. (integer -# value) -# Deprecated group/name - [DEFAULT]/sql_min_pool_size -# Deprecated group/name - [DATABASE]/sql_min_pool_size -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: The option to set the minimum pool size is not supported by -# sqlalchemy. -#min_pool_size = 1 - # Maximum number of SQL connections to keep open in a pool. Setting a value of 0 # indicates no limit. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_pool_size -# Deprecated group/name - [DATABASE]/sql_max_pool_size #max_pool_size = 5 # Maximum number of database connection retries during startup. Set to -1 to 
@@ -363,6 +389,23 @@ #connection_parameters = +[engine] +# Engine options for allowing behavior specific to Deckhand's engine to be +# configured. + +# +# From deckhand.conf +# + +# Whether to enable the document rendering caching. Useful for testing to avoid +# cross-test caching conflicts. (boolean value) +#enable_cache = true + +# How long (in seconds) document rendering results should remain cached in +# memory. (integer value) +#cache_timeout = 3600 + + [healthcheck] # @@ -374,7 +417,10 @@ # Its value may be silently ignored in the future. #path = /healthcheck -# Show more detailed information as part of the response (boolean value) +# Show more detailed information as part of the response. Security note: +# Enabling this option may expose sensitive details about the service being +# monitored. Be sure to verify that it will not violate your security policies. +# (boolean value) #detailed = false # Additional backends that can perform health checks and report that information @@ -462,7 +508,7 @@ # Domain name containing project (string value) #project_domain_name = -# Trust ID (string value) +# ID of the trust to use as a trustee use (string value) #trust_id = # Optional domain ID to use with v3 and v2 parameters. It will be used for both @@ -520,9 +566,13 @@ # will be removed in the S release. #auth_uri = -# API version of the admin Identity API endpoint. (string value) +# API version of the Identity API endpoint. (string value) #auth_version = +# Interface to use for the Identity API endpoint. Valid values are "public", +# "internal" (default) or "admin". (string value) +#interface = internal + # Do not handle authorization requests within the middleware, but delegate the # authorization decision to downstream WSGI components. (boolean value) #delay_auth_decision = false 
@@ -557,14 +607,6 @@ # The region in which the identity server can be found. (string value) #region_name = -# DEPRECATED: Directory used to cache files related to PKI tokens. This option -# has been deprecated in the Ocata release and will be removed in the P release. -# (string value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#signing_dir = - # Optionally specify a list of memcached server(s) to use for caching. If left # undefined, tokens will instead be cached in-process. (list value) # Deprecated group/name - [keystone_authtoken]/memcache_servers @@ -575,16 +617,6 @@ # -1 to disable caching completely. (integer value) #token_cache_time = 300 -# DEPRECATED: Determines the frequency at which the list of revoked tokens is -# retrieved from the Identity service (in seconds). A high number of revocation -# events combined with a low cache duration may significantly reduce -# performance. Only valid for PKI tokens. This option has been deprecated in the -# Ocata release and will be removed in the P release. (integer value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#revocation_cache_time = 10 - # (Optional) If defined, indicate whether token data should be authenticated or # authenticated and encrypted. If MAC, token data is authenticated (with HMAC) # in the cache. If ENCRYPT, token data is encrypted and authenticated in the 
@@ -620,9 +652,9 @@ # client connection from the pool. (integer value) #memcache_pool_conn_get_timeout = 10 -# (Optional) Use the advanced (eventlet safe) memcached client pool. The -# advanced pool will only work under python 2.x. (boolean value) -#memcache_use_advanced_pool = false +# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean +# value) +#memcache_use_advanced_pool = true # (Optional) Indicate whether to set the X-Service-Catalog header. If False, # middleware will not ask for service catalog on token validation and will not 
@@ -638,27 +670,6 @@ # value) #enforce_token_bind = permissive -# DEPRECATED: If true, the revocation list will be checked for cached tokens. -# This requires that PKI tokens are configured on the identity server. (boolean -# value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#check_revocations_for_cached = false - -# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may be a -# single algorithm or multiple. The algorithms are those supported by Python -# standard hashlib.new(). The hashes will be tried in the order given, so put -# the preferred one first for performance. The result of the first hash will be -# stored in the cache. This will typically be set to multiple values only while -# migrating from a less secure algorithm to a more secure one. Once all the old -# tokens are expired this option should be set to a single value for better -# performance. (list value) -# This option is deprecated for removal since Ocata. -# Its value may be silently ignored in the future. -# Reason: PKI token format is no longer supported. -#hash_algorithms = md5 - # A choice of roles that must be present in a service token. Service tokens are # allowed to request that an expired token can be used and so this check should # tightly control that only actual services should be sending this token. Roles @@ -673,6 +684,10 @@ # (boolean value) #service_token_roles_required = false +# The name or type of the service as it appears in the service catalog. This is +# used to validate tokens that have restricted access rules. (string value) +#service_type = + # Authentication type to load (string value) # Deprecated group/name - [keystone_authtoken]/auth_plugin #auth_type = 
@@ -718,7 +733,20 @@ # scope. (boolean value) #enforce_scope = false -# The file that defines policies. (string value) +# This option controls whether or not to use old deprecated defaults when +# evaluating policies. If ``True``, the old deprecated defaults are not going to +# be evaluated. This means if any existing token is allowed for old defaults but +# is disallowed for new defaults, it will be disallowed. It is encouraged to +# enable this flag along with the ``enforce_scope`` flag so that you can get the +# benefits of new defaults and ``scope_type`` together. If ``False``, the +# deprecated policy check string is logically OR'd with the new policy check +# string, allowing for a graceful upgrade experience between releases with new +# policies, which is the default behavior. (boolean value) +#enforce_new_defaults = false + +# The relative or absolute path of a file that maps roles to permissions for a +# given service. Relative paths must be specified in relation to the +# configuration file setting this option. (string value) #policy_file = policy.json # Default rule. Enforced when a requested rule is not found. (string value) diff --git a/etc/deckhand/policy.yaml.sample b/etc/deckhand/policy.yaml.sample index 43a9dc1e..f95687e6 100644 --- a/etc/deckhand/policy.yaml.sample +++ b/etc/deckhand/policy.yaml.sample 
@@ -1,53 +1,45 @@ # Default rule for most Admin APIs. #"admin_api": "role:admin" -# Create a batch of documents specified in the request body, whereby -# a new revision is created. Also, roll back a revision to a previous -# one in the -# revision history, whereby the target revision's documents are re- -# created for -# the new revision. +# Create a batch of documents specified in the request body, whereby a +# new revision is created. Also, roll back a revision to a previous +# one in the revision history, whereby the target revision's documents +# are re-created for the new revision. # PUT /api/v1.0/buckets/{bucket_name}/documents # POST /api/v1.0/rollback/{target_revision_id} #"deckhand:create_cleartext_documents": "rule:admin_api" -# Create a batch of documents specified in the request body, whereby -# a new revision is created. Also, roll back a revision to a previous -# one in the -# history, whereby the target revision's documents are re-created for -# the new -# revision. +# Create a batch of documents specified in the request body, whereby a +# new revision is created. Also, roll back a revision to a previous +# one in the history, whereby the target revision's documents are re- +# created for the new revision. # # Only enforced after ``create_cleartext_documents`` passes. # # Conditionally enforced for the endpoints below if the any of the -# documents in -# the request body have a ``metadata.storagePolicy`` of "encrypted". +# documents in the request body have a ``metadata.storagePolicy`` of +# "encrypted". # PUT /api/v1.0/buckets/{bucket_name}/documents # POST /api/v1.0/rollback/{target_revision_id} #"deckhand:create_encrypted_documents": "rule:admin_api" # List cleartext documents for a revision (with no layering or # substitution applied) as well as fully layered and substituted -# concrete -# documents. +# concrete documents. 
# GET api/v1.0/revisions/{revision_id}/documents # GET api/v1.0/revisions/{revision_id}/rendered-documents #"deckhand:list_cleartext_documents": "rule:admin_api" # List encrypted documents for a revision (with no layering or # substitution applied) as well as fully layered and substituted -# concrete -# documents. +# concrete documents. # # Only enforced after ``list_cleartext_documents`` passes. # # Conditionally enforced for the endpoints below if any of the -# documents in the -# request body have a ``metadata.storagePolicy`` of "encrypted". If -# policy -# enforcement fails, encrypted documents are excluded from the -# response. +# documents in the request body have a ``metadata.storagePolicy`` of +# "encrypted". If policy enforcement fails, encrypted documents are +# excluded from the response. # GET api/v1.0/revisions/{revision_id}/documents # GET api/v1.0/revisions/{revision_id}/rendered-documents #"deckhand:list_encrypted_documents": "rule:admin_api" @@ -65,7 +57,7 @@ # DELETE /api/v1.0/revisions #"deckhand:delete_revisions": "rule:admin_api" -# Show revision deepdiff between two revisions. +# Show revision deep diff between two revisions. # GET /api/v1.0/revisions/{revision_id}/deepdiff/{comparison_revision_id} #"deckhand:show_revision_deepdiff": "rule:admin_api" diff --git a/tox.ini b/tox.ini index dbcc4627..b44caf6c 100644 --- a/tox.ini +++ b/tox.ini @@ -131,10 +131,14 @@ allowlist_externals = commands = bandit -r deckhand --skip B311,B301,B106 -x deckhand/tests -n 5 [testenv:genconfig] -commands = oslo-config-generator --config-file=etc/deckhand/config-generator.conf +commands = + pip install . --use-pep517 + oslo-config-generator --config-file=etc/deckhand/config-generator.conf [testenv:genpolicy] -commands = oslopolicy-sample-generator --config-file=etc/deckhand/policy-generator.conf +commands = + pip install . --use-pep517 + oslopolicy-sample-generator --config-file=etc/deckhand/policy-generator.conf [testenv:pep8] allowlist_externals =
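Review bot: The `pip install . --use-pep517` line added to `commands` in both `[testenv:genconfig]` and `[testenv:genpolicy]` installs the package outside tox's own install step, so it does not pass through the env's `install_command` and any constraints or pins applied there, and the PEP 517 build dependencies are resolved fresh from the index on every run; if the rest of tox.ini pins requirements that way (not visible in this hunk), these two envs now bypass it. The same result is normally obtained by letting tox install the package, e.g. `usedevelop = true` (or `skip_install = false`) in each of the two sections, keeping `commands = oslo-config-generator --config-file=etc/deckhand/config-generator.conf` as a single line. That also removes the duplicated install line and keeps the generators reading the entry points of the exact source tree tox already built.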