barbican 14.0.0.0rc1 release candidate

meta:version: 14.0.0.0rc1
meta:diff-start: -
meta:series: yoga
meta:release-type: release candidate
meta:pypi: no
meta:first: no
meta:release:Author: Elod Illes <elod.illes@est.tech>
meta:release:Commit: Elod Illes <elod.illes@est.tech>
meta:release:Change-Id: I8f4509b4cf8d210e2b2013b211db4976f8bb2db6
meta:release:Code-Review+2: Hervé Beraud <herveberaud.pro@gmail.com>
meta:release:Code-Review+2: Elod Illes <elod.illes@est.tech>
meta:release:Workflow+1: Elod Illes <elod.illes@est.tech>

This patch modifies the Consumer controller to enable the use of
ownership information in policy checks. e.g. policies that use a target
container:

   project_id:%(target.container.project_id)

Story: 2009664
Task: 43872

Depends-On: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999
Change-Id: I1724152839f0f5850f8d32d40b36d1670c0ad996

Users with the "creator" role on a project can now delete secrets owned
by the project even if the user is different than the user that
originally created the secret.  Previous to this fix a user with the
"creator" role was only allowed to delete a secret owned by the project
if they were also the same user that originally created, which was
inconsistent with the way that deletes are handled by other OpenStack
projects that integrate with Barbican.

This change does not affect the policy for delting private secrets
(i.e. secrets with the "project-access" flag set to "false").

Story: 2009791
Task: 44324
Change-Id: Ie3e3adc1ee02d770de050f5cfa8110774bb1f661

Yoga testing runtime[1] has been updated to add py39
testing as voting. Unit tests update are handled by the
job template change in openstack-zuul-job

- https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286

this commit updates the classifier in setup.cfg file.

[1] https://governance.openstack.org/tc/reference/runtimes/yoga.html

Change-Id: I92cc78df6245774c2038d35fb6e353cb2fa83cda

For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I2aa0e23030d96a1f8891940aa0d2fece3a0f6961

This patch adds checks to make sure that the project_id of the token
matches the project_id that owns the Order.

Currently, having a role on any project will allow the request to be
processed, which results in a 404 - Not Found instead of 401 -
Forbidden.

Change-Id: Ie0e6f6edae40e47d45afbe92fd509032cb091b1a

Temporarily moving the Dogtag test to the experimental pipeline.  The
tests has not passed in months and we won't be fixing it any time soon
so we should stop wasting resources.

Change-Id: Ie3fce8f4dda33d0eff166d1b1698f001f4d74e8f

Change-Id: I7322f64b20649770d84e42fcbd0fac2f44b0d8c0

This patch fixes a mismatch between the size of the column for a
consumer "name" in the database and the value being checked by the api
validator.

The maximum size in the database is 36 chars [1], so we must use that value
in the validator.

[1] https://opendev.org/openstack/barbican/src/branch/stable/xena/barbican/model/models.py#L826

Story: 2009672
Task: 43939

Change-Id: I76f075a94056aa65cd44fd1d7f5d4b24109b6ed1

This patch fixes the policies for adding and removing secrets from a
secret container.

Story: 2009297
Task: 43646
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc

This patch fixes the secure-rbac rules to ensure that the user making
the request is authenticated for the project that owns the secret.

Story: 2009253
Task: 43451

Change-Id: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c

This patch fixes the legacy policy rules for accessing secret metadata
by checking that the user making the request is authenticated for the
project that owns the secret.

Story: 2009253
Task: 43451

Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592

  * Fix 00_default_policy.yaml.

This patch fixes the response to POST requests in the metadata API so it
actually matches the documentation. [1]

Story: 2009247
Task: 43424

[1]
https://docs.openstack.org/barbican/latest/api/reference/secret_metadata.html#post-v1-secrets-uuid-metadata

Change-Id: I5505a8c56ed7274519cac8ad1e6d7adf5086c8d1

The create_secret() helper function returns the tuple
(secret_uuid, http_response), but the tests confusingly unpack
the values into varialbes that are flipped. i.e. the UUID was unpacked
into a secret_resp variable and the response was unpacked into a
secret_uuid variable.

This patch fixes the order of names so the variable names actually reflect
the value they contain.

Change-Id: Iece4b91d7cbc5559645bb83dd158753926e2ba4a

For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ia137aebb8536efbb0030f47fdeaf61b290aec9c7

barbican 13.0.0.0rc1 release candidate

meta:version: 13.0.0.0rc1
meta:diff-start: -
meta:series: xena
meta:release-type: release candidate
meta:pypi: no
meta:first: no
meta:release:Author: Hervé Beraud <hberaud@redhat.com>
meta:release:Commit: Douglas Mendizábal <dmendiza@redhat.com>
meta:release:Change-Id: I16f87d6442dc21c308c3241806f19a5f1d4e6398
meta:release:Code-Review+2: Hervé Beraud <herveberaud.pro@gmail.com>
meta:release:Code-Review+2: Elod Illes <elod.illes@est.tech>
meta:release:Workflow+1: Elod Illes <elod.illes@est.tech>

The Trustway Proteccio HSM can somtimes return a network error when
attempting to finalize the cryptoki library.

The error can prevent reinitialization because we attempt to finalize
the library before initalizing a new connection.  When a network error
occurrs, barbican gets stuck in an error loop trying to finalize the
dead connection before starting a new one.

This patch adds code to ignore the network error when finalizing to
ensure we are able to attempt to reinitialize.

Connection errors during other operations will still result in 500
errors as expected.

Change-Id: I9ac6c7bbda0f81cb26e1c589803317df1ef11f39

This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for yoga.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I5d3bf5fdef9a8e6c337909110829dfac83086599

Add file to the reno documentation build to show release notes for
stable/xena.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.

Sem-Ver: feature
Change-Id: I5c5eaf3b4603ceed6c53811f9e9ebd6c84ee09ae