* Fix 00_default_policy.yaml.

barbican 13.0.0.0rc1 release candidate

meta:version: 13.0.0.0rc1
meta:diff-start: -
meta:series: xena
meta:release-type: release candidate
meta:pypi: no
meta:first: no
meta:release:Author: Hervé Beraud <hberaud@redhat.com>
meta:release:Commit: Douglas Mendizábal <dmendiza@redhat.com>
meta:release:Change-Id: I16f87d6442dc21c308c3241806f19a5f1d4e6398
meta:release:Code-Review+2: Hervé Beraud <herveberaud.pro@gmail.com>
meta:release:Code-Review+2: Elod Illes <elod.illes@est.tech>
meta:release:Workflow+1: Elod Illes <elod.illes@est.tech>

This patch fixes the Castellan secret store use of SecretDTO objects,
which require that the "secret" member be base64 encoded. [1]

Prior to this fix all secrets that were generated were stored in
plaintext, but secrets coming in through the API were base64 encoded
before being stored in the backend.

On secret retreival the Castellan plugin wrongly assumed everything in
the backend was encoded, so attempts to retrieve generated keys failed.

This patch fixes this inconsistency by always storing data un-encoded in
the backend.

A helper method was added to sort out the inconsistent data stored prior
to this fix.

A "version" property was added to the Castellan plugin metadata that is
stored in barbican to help differentiate secrets stored prior to this
fix vs secrets stored after this fix.

Story: 2008335
Task: 41236

[1]
https://opendev.org/openstack/barbican/src/tag/12.0.0/barbican/plugin/interface/secret_store.py#L356

Change-Id: I46fe77a471bf7927a24ca4d64dfccb385cd6402e

This patch fixes an issue where a 500 response is sent instead of a 403
when a request is made using the wrong scope.  e.g.  Using project
scope instead of system scope.

Story: 2009170
Task: 43200

Change-Id: Id399d2220118efe1033426c658d1834cbff02f94

The oslo_utils.fnmatch module was added to solve an issue in py2.7 but
it is no longer required because py2.7 is no longer supported.
The module was deprecated since oslo.utils 4.9.1[1] and the stdlib's
fnmatch module should be used instead.

[1] 4c893c92f551c9dd2a7cfbe7ae8171ad8139df0b

Change-Id: If6ea16bbad5a7454e3a0f190c5a5e8da17f01a89

A change was introduced to SQL Alchemy 1.4.8 that breaks our Alembic
migrations.  Specifically it breaks the "add_secret_consumers" migration
because it attempts to check for a table using an object that is no
longer allowed to call that function.

This patch removes the bespoke validation, because alembic should take
care of checking the schema.

Story: 2008967
Task:  42606

Change-Id: I36fb10445413fb1ec4046ab6c2525eae47d85ea1

Currently there are 2 failing unit tests:

- test_soft_deleting_expired_secrets: Caused by passing a column instead
  of a table on the query creation.

- test_should_raise_for_pycrypto_stored_key_no_private_key: Caused by
  the conjunction of Barbican using scoped sessions and SQLAlchemy's
  identity mapping.

And a migration issue on add_secret_consumers.

This patch fixes all those issues to unblock the gate.

Story: 2008967

Change-Id: I6dc7d2671f2ba9d97af42d3155ae2bf3a8e33453

Add a new FIPS enabled gate job  This job will be
for Centos 8 with FIPS enabled, and will use a playbook in
zuul-jobs to enable FIPS.

The dogtag bindep dependencies are curently broken.  Lets
temporarily remove them here until we can figure out how to
fix them and thereby fix the dogtag gate.

Change-Id: Ibcd8cb6fc356e27266ba04cd972834dcd97c1a9b
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778

see: http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022718.html
Change-Id: Ibcaf9929c35dc62ff2aedbe9a3c21be5d3ae1b1d

The default maximum allowed size is too small for some certificates.
This patch doubles the allowed size from 10Kb to 20Kb, and raises the
maximum request size by the same amount.

Change-Id: I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I503641691f8414c4c4562cbedc31dc8047054f0c

Resolves warnings like the following:

  UserWarning: Usage of dash-separated 'description-file' will not be
  supported in future versions. Please use the underscore name
  'description_file' instead

Change-Id: I5f4746bc4d40b76c562c39c2254f3b8381b4b52f

It was previously using the wrong Devstack service name.

Change-Id: I52838cfe63d5a0b81757c278b9bfad516a442274

barbican 12.0.0 release

meta:version: 12.0.0
meta:diff-start: 11.0.0
meta:series: wallaby
meta:release-type: release
meta:pypi: no
meta:first: yes
meta:release:Author: Hervé Beraud <hberaud@redhat.com>
meta:release:Commit: Hervé Beraud <hberaud@redhat.com>
meta:release:Change-Id: Ia6d79df224a792915976864857fe2271e031b54d
meta:release:Code-Review+1: Radosław Piliszek <radoslaw.piliszek@gmail.com>
meta:release:Code-Review+1: Slawek Kaplonski <skaplons@redhat.com>
meta:release:Code-Review+1: Yasufumi Ogawa <yasufum.o@gmail.com>
meta:release:Code-Review+1: Lingxian Kong <anlin.kong@gmail.com>
meta:release:Code-Review+1: Andrey Pavlov <andrey.mp@gmail.com>
meta:release:Code-Review+1: Takashi Kajinami <tkajinam@redhat.com>
meta:release:Code-Review+1: Carl caihui <cai.hui@zte.com.cn>
meta:release:Code-Review+1: Rafael Weingartner <rafael@apache.org>
meta:release:Code-Review+1: Xinran WANG <xin-ran.wang@intel.com>
meta:release:Code-Review+1: chenker <chen.ke14@zte.com.cn>
meta:release:Code-Review+1: 刘雪峰 <liu.xuefeng1@zte.com.cn>
meta:release:Code-Review+1: Martin Chacon Piza <martin@chaconpiza.com>
meta:release:Code-Review+1: Rico Lin <ricolin@ricolky.com>
meta:release:Code-Review+1: Balazs Gibizer <balazs.gibizer@est.tech>
meta:release:Code-Review+1: Matthias Runge <mrunge@redhat.com>
meta:release:Code-Review+1: Douglas Mendizábal <dmendiza@redhat.com>
meta:release:Code-Review+1: Michael Johnson <johnsomor@gmail.com>
meta:release:Code-Review+1: Gregory Thiemonge <gthiemon@redhat.com>
meta:release:Code-Review+1: Maysa de Macedo Souza <maysa.macedo95@gmail.com>
meta:release:Code-Review+1: Adrian Turjak <adriant@catalystcloud.nz>
meta:release:Code-Review+1: Akihiro Motoki <amotoki@gmail.com>
meta:release:Code-Review+1: Lucian Petrut <lpetrut@cloudbasesolutions.com>
meta:release:Code-Review+1: Goutham Pacha Ravi <gouthampravi@gmail.com>
meta:release:Code-Review+1: Brian Rosmaita <rosmaita.fossdev@gmail.com>
meta:release:Code-Review+1: Abhishek Kekane <akekane@redhat.com>
meta:release:Code-Review+2: Hervé Beraud <herveberaud.pro@gmail.com>
meta:release:Code-Review+2: Elod Illes <elod.illes@est.tech>
meta:release:Workflow+1: Hervé Beraud <herveberaud.pro@gmail.com>

Add the secure-rbac tempest tests as a new gate to barbican.  This
will help ensure that new patches don't break the default
secure-rbac policy.

Change-Id: I91d50aa08574a2f8aeaaa2bf431266ee74c79ae3

This patch adds the missing access control data to enforce access
control for adding/removing secrets in containers.

Change-Id: I6879f566117db5ec0099ddad35ba649a3c674bd1
(cherry picked from commit 922c68ba)

This patch adds the missing access control data to enforce access
control for adding/removing secrets in containers.

Change-Id: I6879f566117db5ec0099ddad35ba649a3c674bd1

This patch fixes a couple of broken policies for transport keys.

Change-Id: I5a7790210b32f3511446b4bacbb07678a7e52238
(cherry picked from commit 57f334e0)

Allow a project to read secrets and containers by default.  This is
needed when those objects have no ACL in the database.  The policy enforcer
defaults to False for missing values. [1]  So, attempting to check the
read_project_access for a secret or container will always return False.

If a secret does have an ACL, we'll still return whatever is stored
in the database.

[1] https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/_checks.py#L335-L338

Change-Id: I584f7b67f2f95caa7c4db3d9d9222d0a9d38442d
(cherry picked from commit 672dc0b5)

This patch fixes a couple of broken policies for transport keys.

Change-Id: I5a7790210b32f3511446b4bacbb07678a7e52238

    - Add-a-healthcheck-URL.patch
    - python-3.9-use-decodebytes-not-decodestring.patch