This patch fixes the Castellan secret store use of SecretDTO objects,
which require that the "secret" member be base64 encoded. [1]

Prior to this fix all secrets that were generated were stored in
plaintext, but secrets coming in through the API were base64 encoded
before being stored in the backend.

On secret retreival the Castellan plugin wrongly assumed everything in
the backend was encoded, so attempts to retrieve generated keys failed.

This patch fixes this inconsistency by always storing data un-encoded in
the backend.

A helper method was added to sort out the inconsistent data stored prior
to this fix.

A "version" property was added to the Castellan plugin metadata that is
stored in barbican to help differentiate secrets stored prior to this
fix vs secrets stored after this fix.

Story: 2008335
Task: 41236

[1]
https://opendev.org/openstack/barbican/src/tag/12.0.0/barbican/plugin/interface/secret_store.py#L356

Change-Id: I46fe77a471bf7927a24ca4d64dfccb385cd6402e

This patch fixes an issue where a 500 response is sent instead of a 403
when a request is made using the wrong scope.  e.g.  Using project
scope instead of system scope.

Story: 2009170
Task: 43200

Change-Id: Id399d2220118efe1033426c658d1834cbff02f94

The oslo_utils.fnmatch module was added to solve an issue in py2.7 but
it is no longer required because py2.7 is no longer supported.
The module was deprecated since oslo.utils 4.9.1[1] and the stdlib's
fnmatch module should be used instead.

[1] 4c893c92f551c9dd2a7cfbe7ae8171ad8139df0b

Change-Id: If6ea16bbad5a7454e3a0f190c5a5e8da17f01a89

A change was introduced to SQL Alchemy 1.4.8 that breaks our Alembic
migrations.  Specifically it breaks the "add_secret_consumers" migration
because it attempts to check for a table using an object that is no
longer allowed to call that function.

This patch removes the bespoke validation, because alembic should take
care of checking the schema.

Story: 2008967
Task:  42606

Change-Id: I36fb10445413fb1ec4046ab6c2525eae47d85ea1

Currently there are 2 failing unit tests:

- test_soft_deleting_expired_secrets: Caused by passing a column instead
  of a table on the query creation.

- test_should_raise_for_pycrypto_stored_key_no_private_key: Caused by
  the conjunction of Barbican using scoped sessions and SQLAlchemy's
  identity mapping.

And a migration issue on add_secret_consumers.

This patch fixes all those issues to unblock the gate.

Story: 2008967

Change-Id: I6dc7d2671f2ba9d97af42d3155ae2bf3a8e33453

Add a new FIPS enabled gate job  This job will be
for Centos 8 with FIPS enabled, and will use a playbook in
zuul-jobs to enable FIPS.

The dogtag bindep dependencies are curently broken.  Lets
temporarily remove them here until we can figure out how to
fix them and thereby fix the dogtag gate.

Change-Id: Ibcd8cb6fc356e27266ba04cd972834dcd97c1a9b
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778

see: http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022718.html
Change-Id: Ibcaf9929c35dc62ff2aedbe9a3c21be5d3ae1b1d

The default maximum allowed size is too small for some certificates.
This patch doubles the allowed size from 10Kb to 20Kb, and raises the
maximum request size by the same amount.

Change-Id: I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I503641691f8414c4c4562cbedc31dc8047054f0c

Resolves warnings like the following:

  UserWarning: Usage of dash-separated 'description-file' will not be
  supported in future versions. Please use the underscore name
  'description_file' instead

Change-Id: I5f4746bc4d40b76c562c39c2254f3b8381b4b52f

It was previously using the wrong Devstack service name.

Change-Id: I52838cfe63d5a0b81757c278b9bfad516a442274

Add the secure-rbac tempest tests as a new gate to barbican.  This
will help ensure that new patches don't break the default
secure-rbac policy.

Change-Id: I91d50aa08574a2f8aeaaa2bf431266ee74c79ae3

This patch adds the missing access control data to enforce access
control for adding/removing secrets in containers.

Change-Id: I6879f566117db5ec0099ddad35ba649a3c674bd1

This patch fixes a couple of broken policies for transport keys.

Change-Id: I5a7790210b32f3511446b4bacbb07678a7e52238

This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for xena.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I191fc8a2df82de74d0390688e3c1322de238e890

Add file to the reno documentation build to show release notes for
stable/wallaby.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.

Sem-Ver: feature
Change-Id: I759f186c485a75afa88edc72c28ed121292a1029

Allow a project to read secrets and containers by default.  This is
needed when those objects have no ACL in the database.  The policy enforcer
defaults to False for missing values. [1]  So, attempting to check the
read_project_access for a secret or container will always return False.

If a secret does have an ACL, we'll still return whatever is stored
in the database.

[1] https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/_checks.py#L335-L338

Change-Id: I584f7b67f2f95caa7c4db3d9d9222d0a9d38442d

Monkey patch the original current_thread to use the up-to-date _active
global variable. This solution is based on that documented at:
https://github.com/eventlet/eventlet/issues/592

Change-Id: I35335325828c10f7a0a1c97edfd1a842dda77577
Story: 2007614

Fix cases where all users are supposed to have access.  We expicitly
include the reader role for both project and system scopes

Change-Id: I405c723ab2caa8bc8e47d7fab56f53d31c282898

Add new system scope specific RBAC rules for the quota API.

Change-Id: I4fd1676e8ead673b91bad1cc9749147ac5d62d7f

    Add new system scope specific RBAC rules for the secretstore API.
    The new rules allow all roles to list and get secret stores.

Change-Id: Ibb19e9854e8bafd2a454c0792503c6f4360e7cf7

Change-Id: I36ee83f552d528b467dcf2210d1920b6bb269cac

This patch adds the new RBAC rules for secure RBAC to the ACL API.  The
existing RBAC rules are not changed and should continue to work as
expected.

Change-Id: I175a4aa7e41b6ac88d1509dd85e0cb96ea6ee411

Add new system scope specific RBAC rules for the transport key API.
The new rules tighten the policy to only allow system admins to
add or delete transport keys.

Change-Id: Icbe81724fb8b4f28fc4b5d24afe2618e759fcbad

Add new project scope specific RBAC rules for the secretmeta API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: Ib771a4615c1aa5a9beb1dc036b79c6ed982ba4de

Add new project scope specific RBAC rules for the orders API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I8e6963d7ab788038102c7f4570b3f2c9a342eabf

Add new project scope specific RBAC rules for the consumers API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I89ed0113238446ee96e486af0540b6b24336a29c

Add new project scope specific RBAC rules for the containers API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I992e32832fee258ffb7b6397710f42759f28083d