Comparing master...unmaintained/zed · openstack/keystone · GitHub

Comparing changes

base repository: openstack/keystone
base: master
head repository: openstack/keystone
compare: unmaintained/zed
  • 17 commits
  • 24 files changed
  • 12 contributors

Commits on Sep 14, 2022

  1. Update .gitreview for stable/zed

    Change-Id: I7fda5a229cab5899978f1233fe27252be2faf70f
    openstackadmin committed Sep 14, 2022
    5994dc2
  2. Update TOX_CONSTRAINTS_FILE for stable/zed

    Update the URL to the upper-constraints file to point to the redirect
    rule on releases.openstack.org so that anyone working on this branch
    will switch to the correct upper-constraints list automatically when
    the requirements repository branches.
    
    Until the requirements repository has a stable/zed branch, tests will
    continue to use the upper-constraints list on master.
    
    Change-Id: I3acc0a817f5b8d5425d8d662d1919ac7e3cdaa0d
    openstackadmin committed Sep 14, 2022
    cdf4107

Commits on Oct 30, 2022

  1. Limit token expiration to application credential expiration

    If a token is issued with an application credential we need to check
    the expiration of the application credential to ensure that the token
    does not outlive the application credential. This ensures that if the
    token expiration is greater than that of the application credential it
    is reset to the expiration of the application credential and a warning
    is logged. Please see CVE-2022-2447 for more information.
    
    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1)
    d34dh0r53 committed Oct 30, 2022
    e4e097c

Commits on Feb 24, 2023

  1. [PooledLDAPHandler] Ensure result3() invokes message.clean()

    result3 does not invoke message.clean() when an exception is thrown
    by `message.connection.result3()` call, causing pool connection
    associated with the message to be marked active forever. This causes
    a denial-of-service on ldappool.
    
    The fix ensures message.clean() is invoked by wrapping the offending
    call in try-except-finally and putting the message.clean() in finally
    block.
    
    Closes-Bug: #1998789
    
    Change-Id: I59ebf0fa77391d49b2349e918fc55f96318c42a6
    Signed-off-by: Mustafa Kemal Gilor <mustafa.gilor@canonical.com>
    (cherry picked from commit ff632a8)
    xmkg committed Feb 24, 2023
    7c30c9e
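
The leak described in the PooledLDAPHandler commit message above, reduced to a runnable model. This is an added example, not keystone's code: `FakeConnection`, `Message`, the two `result3_*` functions and the pool of five are constructed stand-ins, and the fixed variant uses a plain try/finally.

```python
class FakeConnection:
    """Constructed stand-in for a pooled LDAP connection."""
    def __init__(self, fails: bool):
        self.fails = fails
        self.active = False

    def result3(self, msgid):
        if self.fails:
            raise TimeoutError("constructed server failure")
        return (101, [], msgid, [])


class Message:
    """Marks its connection active until clean() hands it back."""
    def __init__(self, connection, msgid):
        self.connection, self.id = connection, msgid
        connection.active = True

    def clean(self):
        self.connection.active = False


def result3_without_finally(message):
    results = message.connection.result3(message.id)  # may raise
    message.clean()                                   # skipped on error
    return results


def result3_with_finally(message):
    try:
        return message.connection.result3(message.id)
    finally:
        message.clean()                               # runs on every path


def stuck_connections(handler, pool):
    """Run one request per pooled connection; count those left active."""
    for msgid, conn in enumerate(pool):
        try:
            handler(Message(conn, msgid))
        except TimeoutError:
            pass  # the caller sees the error either way
    return sum(conn.active for conn in pool)


def make_pool():
    # Constructed pool: 3 of 5 connections hit a failing server.
    return [FakeConnection(fails=i < 3) for i in range(5)]
```

Every failed call in the first variant permanently removes one connection from circulation, so a pool monitor that tracks active connections against completed requests will show the count only ever rising.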

Commits on Aug 3, 2023

  1. Force algo specific maximum length

    The bcrypt algorithm that we use for password hashing silently
    length limits the size of the password that is hashed giving the
    user a false sense of security [0].  This patch adds a check
    in the verify_length_and_trunc_password function for the hash in
    use and updates the max_length accordingly, this will override
    the configured value and log a warning if the password is truncated.
    
    Conflicts:
    * tox.ini
    
    [0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
    
    Closes-bug: #1901891
    Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
    (cherry picked from commit 3288af5)
    d34dh0r53 authored and elajkat committed Aug 3, 2023
    1b3536a

Commits on Aug 4, 2023

  1. fix(federation): allow using numerical group names

    When using a numerical group name, the current codebase which
    relies on ast.literal_eval does not account for the value
    being a number.  Therefore, it can be parsed as a number and
    fail in further steps since it will not be a list.
    
    This patch adds a test to handle that use case and refactor the
    code that leverages ast.literal_eval to be the same everywhere
    so that it adds that fix everywhere.
    
    Closes-Bug: #1992186
    Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
    (cherry picked from commit c70d0c3)
    mnaser committed Aug 4, 2023
    a62c18e
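
The parsing problem from the federation commit message above, as an added example that is not keystone's code: `naive_groups` and `normalize_groups` are hypothetical helpers and the group values are constructed. It shows why a group name that happens to be a valid Python literal must be wrapped rather than used as parsed.

```python
import ast


def naive_groups(value: str):
    """Trust whatever ast.literal_eval returns; fall back only on error."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return [value]


def normalize_groups(value: str) -> list:
    """Always return a list of group names."""
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return [value]              # plain name such as "dev-team"
    if isinstance(parsed, list):
        return parsed               # a real list literal: "['a', 'b']"
    return [value]                  # number, bool, None, ...: keep the text


def can_iterate_groups(parser, value: str) -> bool:
    """Model of the later step that loops over the parsed groups."""
    try:
        for _ in parser(value):
            pass
        return True
    except TypeError:
        return False


# Constructed assertion values as an identity provider might send them.
SAMPLES = ["['admins', 'dev']", "dev-team", "1234", "True", "None"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw), naive_groups(raw), normalize_groups(raw))
```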

Commits on Aug 12, 2023

  1. Properly trim bcrypt hashed passwords

    bcrypt hashing algorithm has a limitation on length of passwords it
    can hash on 72 bytes. In [1] a password trim to 54 symbols has been
    implemented, which resulted in password being invalidated after the
    keystone upgrade, since passwords are trimmed differently by bcrypt
    itself, as well as len(str()) is not always equal to
    len(str().encode()) as trimming should be done based on bytes and not
    string itself.
    
    With the change we return a byte object from
    `verify_length_and_trunc_password`, so it does not need to
    be encoded afterwards, since we need to strip based on bytes
    rather than on length of the string.
    
    [1] https://review.opendev.org/c/openstack/keystone/+/828595
    
    Closes-Bug: #2028809
    Related-Bug: #1901891
    Change-Id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
    (cherry picked from commit 6730c76)
    Dmitriy Rabotyagov authored and noonedeadpunk committed Aug 12, 2023
    65f1fb6
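
The two bcrypt commit messages above ("Force algo specific maximum length" and this one) turn on the difference between counting characters and counting bytes. The following added example, which is not keystone's code, models bcrypt as "only the first 72 bytes count" and compares a 54-character trim with a 72-byte trim; all function names and sample passwords are constructed, and no real hashing is performed.

```python
BCRYPT_MAX_BYTES = 72  # bcrypt's input limit, per the commit message
OLD_CHAR_LIMIT = 54    # the earlier character-based trim, per the commit message


def bcrypt_effective_input(data: bytes) -> bytes:
    """Model of bcrypt's own behaviour: only the first 72 bytes count."""
    return data[:BCRYPT_MAX_BYTES]


def trim_by_chars(password: str) -> bytes:
    """Count characters, then encode (hypothetical model of the old trim)."""
    return password[:OLD_CHAR_LIMIT].encode("utf-8")


def trim_by_bytes(password: str) -> bytes:
    """Encode first, cut on bytes, and keep the result as bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def splits_character(data: bytes) -> bool:
    """True if the cut landed inside a multi-byte UTF-8 sequence."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def truncation_report(password: str) -> dict:
    # A hash stored before any trimming covers bcrypt's own first 72 bytes.
    stored = bcrypt_effective_input(password.encode("utf-8"))
    by_chars, by_bytes = trim_by_chars(password), trim_by_bytes(password)
    return {
        "chars": len(password),
        "bytes": len(password.encode("utf-8")),
        "char_trim_bytes": len(by_chars),
        "char_trim_still_verifies": bcrypt_effective_input(by_chars) == stored,
        "byte_trim_still_verifies": bcrypt_effective_input(by_bytes) == stored,
        "byte_trim_splits_char": splits_character(by_bytes),
    }


# Constructed sample passwords.
SAMPLES = {
    "long_ascii": "a" * 60 + "Z" * 20,   # 80 chars, 80 bytes
    "long_cyrillic": "п" * 60,            # 60 chars, 120 bytes
    "mixed": "a" + "€" * 30,              # 31 chars, 91 bytes
}

if __name__ == "__main__":
    for name, pw in SAMPLES.items():
        print(name, truncation_report(pw))
```

The `mixed` sample is why the byte-trimmed value has to stay as bytes: the cut at byte 72 lands inside a three-byte character, so the result cannot be decoded back to a string.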

Commits on Aug 25, 2023

  1. 0f6b645

Commits on Aug 28, 2023

  1. Add an option to randomize LDAP urls list

    Since LDAP is now readonly, the current behavior might be
    unexpected. By randomizing the list, we assure a more gradual
    failure scenario if the first server on the list (as specified
    by the user) fails.
    
    Change-Id: I23f31bd85443784013a6aa158d80c7aeeb343993
    Closes-Bug: #1953622
    Resolves: rhbz#2024602
    (cherry picked from commit 36d57d2)
    xek committed Aug 28, 2023
    72a4fc0

Commits on Mar 12, 2024

  1. Remove unused old job templates and experimental jobs

    Ubuntu Xenial, CentOS7 and OpenSUSE 15 are all too old.
    
    Change-Id: I0a87cc5a35e6033d670bab56d5cdc8b8312819d8
    (cherry picked from commit 609ec29)
    kajinamit authored and fungi committed Mar 12, 2024
    f63062d

Commits on May 8, 2024

  1. Update .gitreview for unmaintained/zed

    Change-Id: I7eed91b31c188045c5296048e6b0064ee2ab8731
    openstackadmin committed May 8, 2024
    fec9799

Commits on Jun 26, 2024

  1. Remove reference to devstack-gate

    devstack-gate was deprecated in xena and is being retired now[1].
    
    [1] https://review.opendev.org/c/openstack/governance/+/919629
    
    Change-Id: I14007ad2356fd41198ac412895c6ae88232b2681
    (cherry picked from commit c725173)
    kajinamit authored and Elod Illes committed Jun 26, 2024
    cad1bf9

Commits on Jan 28, 2025

  1. Improve application credential validation speed

    Validating an application credential token is very slow, taking at least
    400ms+ in a simple devstack environment, 5-10x longer than validating a
    user/password project token.
    
    The primary bottleneck during a token validation request
    (/v3/auth/tokens) is that token.roles is evaluated at least 5 times.
    validate_token is called twice, first during RBAC to populate the
    subject token context and again to actually validate the token. Each
    call to validate_token then called token.roles twice because it first
    checks if it is None, before calling it again to use the result. Lastly
    token.roles is evaluated a fifth time during
    render_token_response_from_model.
    
    Each evaluation of token.roles calls through
    _get_application_credential_roles into list_role_assignments which then
    makes multiple round-trip SQL queries to the database.
    
    Unlike the related get_roles_for_user_and_project function, none of
    these calls are currently cached/memoized. We memoize
    list_role_assignments to get the same speedup.
    
    Reduce the number of token.roles calls to only 3 by storing and re-using
    the token.roles result in validate_token, then memoize
    list_role_assignments so the 2nd and 3rd call fetch from the cache
    instead of repeating many SQL queries.
    
    This provides a substantial performance improvement bringing validation
    time in-line with user/password tokens.
    
    Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48
    (cherry picked from commit 67b5cca)
    lathiat committed Jan 28, 2025
    4fb12b2

Commits on Feb 26, 2025

  1. Fix CI

    Force using wallaby-last tag for keystone-tempest-plugin
    as later tags introduced a requirements change that
    breaks package install.
    
    Change-Id: I464ddb8f8402afa846f45c44a036a541ab323a98
    brianphaley committed Feb 26, 2025
    d629602

Commits on Feb 28, 2025

  1. 2b77d93

Commits on Apr 22, 2026

  1. [CI][stable-only] Fix pkg_resources error

    unit test jobs fail with error 'pkg_resources module not found',
    because it was removed from setuptools in version 82.0.0, and on
    these old branches we still rely on it. Pin setuptools<82 to
    ensure pkg_resources remains available.
    
    Change-Id: I179c4411dbca450f75552d5332ec07472ab2242d
    Signed-off-by: Elod Illes <elod.illes@est.tech>
    Elod Illes committed Apr 22, 2026
    f412b97

Commits on Jun 20, 2026

  1. Drop outdated openstack-python3-xena-jobs-arm64 template

    The templates for Xena are to be removed since that branch is EOL.
    
    Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
    Change-Id: I8a1e39823340c050c07d328d5b40c67c4dd7c594
    (cherry picked from commit 58bbe96)
    osfrickler committed Jun 20, 2026
    eda8fca