- 14 Feb, 2022 1 commit
-
-
Zuul authored
-
- 07 Feb, 2022 1 commit
-
-
Douglas Mendizábal authored
This patch modifies the Consumer controller to enable the use of ownership information in policy checks. e.g. policies that use a target container: project_id:%(target.container.project_id) Story: 2009664 Task: 43872 Depends-On: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999 Change-Id: I1724152839f0f5850f8d32d40b36d1670c0ad996
-
- 31 Jan, 2022 1 commit
-
-
Douglas Mendizábal authored
Users with the "creator" role on a project can now delete secrets owned by the project even if the user is different than the user that originally created the secret. Previous to this fix a user with the "creator" role was only allowed to delete a secret owned by the project if they were also the same user that originally created it, which was inconsistent with the way that deletes are handled by other OpenStack projects that integrate with Barbican. This change does not affect the policy for deleting private secrets (i.e. secrets with the "project-access" flag set to "false"). Story: 2009791 Task: 44324 Change-Id: Ie3e3adc1ee02d770de050f5cfa8110774bb1f661
-
- 16 Dec, 2021 1 commit
-
-
Zuul authored
-
- 14 Dec, 2021 1 commit
-
-
Ghanshyam Mann authored
Yoga testing runtime[1] has been updated to add py39 testing as voting. Unit test updates are handled by the job template change in openstack-zuul-job - https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286 This commit updates the classifier in the setup.cfg file. [1] https://governance.openstack.org/tc/reference/runtimes/yoga.html Change-Id: I92cc78df6245774c2038d35fb6e353cb2fa83cda
-
- 08 Dec, 2021 1 commit
-
-
OpenStack Proposal Bot authored
For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html Change-Id: I2aa0e23030d96a1f8891940aa0d2fece3a0f6961
-
- 07 Dec, 2021 1 commit
-
-
Zuul authored
-
- 06 Dec, 2021 1 commit
-
-
Douglas Mendizábal authored
This patch adds checks to make sure that the project_id of the token matches the project_id that owns the Order. Currently, having a role on any project will allow the request to be processed, which results in a 404 - Not Found instead of 401 - Forbidden. Change-Id: Ie0e6f6edae40e47d45afbe92fd509032cb091b1a
-
- 02 Dec, 2021 1 commit
-
-
Zuul authored
-
- 29 Nov, 2021 1 commit
-
-
Douglas Mendizábal authored
Temporarily moving the Dogtag test to the experimental pipeline. The test has not passed in months and we won't be fixing it any time soon so we should stop wasting resources. Change-Id: Ie3fce8f4dda33d0eff166d1b1698f001f4d74e8f
-
- 13 Nov, 2021 1 commit
-
-
Pierre Riteau authored
Change-Id: I7322f64b20649770d84e42fcbd0fac2f44b0d8c0
-
- 10 Nov, 2021 1 commit
-
-
Douglas Mendizábal authored
This patch fixes a mismatch between the size of the column for a consumer "name" in the database and the value being checked by the api validator. The maximum size in the database is 36 chars [1], so we must use that value in the validator. [1] https://opendev.org/openstack/barbican/src/branch/stable/xena/barbican/model/models.py#L826 Story: 2009672 Task: 43939 Change-Id: I76f075a94056aa65cd44fd1d7f5d4b24109b6ed1
-
- 15 Oct, 2021 1 commit
-
-
Douglas Mendizábal authored
This patch fixes the policies for adding and removing secrets from a secret container. Story: 2009297 Task: 43646 Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
-
- 12 Oct, 2021 2 commits
- 11 Oct, 2021 2 commits
-
-
Douglas Mendizábal authored
This patch fixes the secure-rbac rules to ensure that the user making the request is authenticated for the project that owns the secret. Story: 2009253 Task: 43451 Change-Id: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c
-
Douglas Mendizábal authored
This patch fixes the legacy policy rules for accessing secret metadata by checking that the user making the request is authenticated for the project that owns the secret. Story: 2009253 Task: 43451 Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592
-
- 09 Oct, 2021 1 commit
-
-
Zuul authored
-
- 08 Oct, 2021 1 commit
-
-
Zuul authored
-
- 23 Sep, 2021 3 commits
-
-
Douglas Mendizábal authored
This patch fixes the response to POST requests in the metadata API so it actually matches the documentation. [1] Story: 2009247 Task: 43424 [1] https://docs.openstack.org/barbican/latest/api/reference/secret_metadata.html#post-v1-secrets-uuid-metadata Change-Id: I5505a8c56ed7274519cac8ad1e6d7adf5086c8d1
-
Douglas Mendizábal authored
The create_secret() helper function returns the tuple (secret_uuid, http_response), but the tests confusingly unpack the values into variables that are flipped, i.e. the UUID was unpacked into a secret_resp variable and the response was unpacked into a secret_uuid variable. This patch fixes the order of names so the variable names actually reflect the value they contain. Change-Id: Iece4b91d7cbc5559645bb83dd158753926e2ba4a
-
OpenStack Proposal Bot authored
For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html Change-Id: Ia137aebb8536efbb0030f47fdeaf61b290aec9c7
-
- 22 Sep, 2021 1 commit
-
-
Zuul authored
-
- 17 Sep, 2021 2 commits
-
-
Douglas Mendizábal authored
The Trustway Proteccio HSM can sometimes return a network error when attempting to finalize the cryptoki library. The error can prevent reinitialization because we attempt to finalize the library before initializing a new connection. When a network error occurs, barbican gets stuck in an error loop trying to finalize the dead connection before starting a new one. This patch adds code to ignore the network error when finalizing to ensure we are able to attempt to reinitialize. Connection errors during other operations will still result in 500 errors as expected. Change-Id: I9ac6c7bbda0f81cb26e1c589803317df1ef11f39
-
Zuul authored
-
- 16 Sep, 2021 5 commits
-
-
Zuul authored
-
Zuul authored
-
Zuul authored
-
OpenStack Release Bot authored
This is an automatically generated patch to ensure unit testing is in place for all of the tested runtimes for yoga. See also the PTI in governance [1]. [1]: https://governance.openstack.org/tc/reference/project-testing-interface.html Change-Id: I5d3bf5fdef9a8e6c337909110829dfac83086599
-
OpenStack Release Bot authored
Add file to the reno documentation build to show release notes for stable/xena. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/xena. Sem-Ver: feature Change-Id: I5c5eaf3b4603ceed6c53811f9e9ebd6c84ee09ae
-
- 15 Sep, 2021 1 commit
-
-
Douglas Mendizábal authored
This patch fixes the Castellan secret store use of SecretDTO objects, which require that the "secret" member be base64 encoded. [1] Prior to this fix all secrets that were generated were stored in plaintext, but secrets coming in through the API were base64 encoded before being stored in the backend. On secret retrieval the Castellan plugin wrongly assumed everything in the backend was encoded, so attempts to retrieve generated keys failed. This patch fixes this inconsistency by always storing data un-encoded in the backend. A helper method was added to sort out the inconsistent data stored prior to this fix. A "version" property was added to the Castellan plugin metadata that is stored in barbican to help differentiate secrets stored prior to this fix vs secrets stored after this fix. Story: 2008335 Task: 41236 [1] https://opendev.org/openstack/barbican/src/tag/12.0.0/barbican/plugin/interface/secret_store.py#L356 Change-Id: I46fe77a471bf7927a24ca4d64dfccb385cd6402e
-
- 13 Sep, 2021 1 commit
-
-
Bhagyashri Shewale authored
As we are cleaning up the c7 jobs and obsolete featuresets [1], this change replaces usage of CentOS7 in TripleO jobs by CentOS8. [1]: https://review.opendev.org/q/topic:%22cleanup_featuresets%22+(status:open%20OR%20status:merged) Change-Id: I5795d58c58b04ed7283d9ba1aad7aa9364a5e475
-
- 03 Sep, 2021 1 commit
-
-
Douglas Mendizábal authored
This patch fixes an issue where a 500 response is sent instead of a 403 when a request is made using the wrong scope. e.g. Using project scope instead of system scope. Story: 2009170 Task: 43200 Change-Id: Id399d2220118efe1033426c658d1834cbff02f94
-
- 06 Jul, 2021 1 commit
-
-
Takashi Kajinami authored
The oslo_utils.fnmatch module was added to solve an issue in py2.7 but it is no longer required because py2.7 is no longer supported. The module was deprecated since oslo.utils 4.9.1[1] and the stdlib's fnmatch module should be used instead. [1] 4c893c92f551c9dd2a7cfbe7ae8171ad8139df0b Change-Id: If6ea16bbad5a7454e3a0f190c5a5e8da17f01a89
-
- 18 Jun, 2021 1 commit
-
-
Zuul authored
-
- 15 Jun, 2021 1 commit
-
-
Douglas Mendizábal authored
A change was introduced to SQL Alchemy 1.4.8 that breaks our Alembic migrations. Specifically it breaks the "add_secret_consumers" migration because it attempts to check for a table using an object that is no longer allowed to call that function. This patch removes the bespoke validation, because alembic should take care of checking the schema. Story: 2008967 Task: 42606 Change-Id: I36fb10445413fb1ec4046ab6c2525eae47d85ea1
-
- 14 Jun, 2021 1 commit
-
-
Gorka Eguileor authored
Currently there are 2 failing unit tests: - test_soft_deleting_expired_secrets: Caused by passing a column instead of a table on the query creation. - test_should_raise_for_pycrypto_stored_key_no_private_key: Caused by the conjunction of Barbican using scoped sessions and SQLAlchemy's identity mapping. And a migration issue on add_secret_consumers. This patch fixes all those issues to unblock the gate. Story: 2008967 Change-Id: I6dc7d2671f2ba9d97af42d3155ae2bf3a8e33453
-
- 10 Jun, 2021 2 commits
-
-
Ade Lee authored
Add a new FIPS enabled gate job This job will be for Centos 8 with FIPS enabled, and will use a playbook in zuul-jobs to enable FIPS. The dogtag bindep dependencies are currently broken. Let's temporarily remove them here until we can figure out how to fix them and thereby fix the dogtag gate. Change-Id: Ibcd8cb6fc356e27266ba04cd972834dcd97c1a9b Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778
-
wu.shiming authored
The patch bumps min version of tox to 3.18.0 in order to replace tox's whitelist_externals by allowlist_externals option: https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23 Change-Id: I17ce1b72e7e9acb64b342a149b68ad31b79a2dff
-
- 08 Jun, 2021 1 commit
-
-
wu.chunyang authored
see: http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022718.html Change-Id: Ibcaf9929c35dc62ff2aedbe9a3c21be5d3ae1b1d
-