Merge branch 'master' into st2help_rbac

StackStorm · Nov 18, 2023 · 177c4fe · 177c4fe
2 parents 666443e + 8c77acb
commit 177c4fe
Show file tree

Hide file tree

Showing 21 changed files with 238 additions and 44 deletions.
diff --git a/.github/workflows/orquesta-integration-tests.yaml b/.github/workflows/orquesta-integration-tests.yaml
@@ -106,7 +106,6 @@ jobs:
 
     env:
       TASK: '${{ matrix.task }}'
-      PYTHON_VERSION_SHORT: '${{ matrix.python-version-short }}'
       NODE_TOTAL: '${{ matrix.nosetests_node_total }}'
       NODE_INDEX: '${{ matrix.nosetests_node_index }}'
 
@@ -224,13 +223,6 @@ jobs:
         with:
           name: logs
           path: logs/
-      - name: Codecov
-        # NOTE: We only generate and submit coverage report for master and version branches and only when the build succeeds (default on GitHub Actions, this was not the case on Travis so we had to explicitly check success)
-        if: "${{ success() && (env.ENABLE_COVERAGE == 'yes') && (env.PYTHON_VERSION_SHORT == '3.8')}}"
-        run: |
-          ./scripts/ci/submit-codecov-coverage.sh
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       - name: Compress Service Logs Before upload
         if: ${{ failure() }}
         run: |

diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -1,3 +1,6 @@
+# Who uses StackStorm?
+As the StackStorm Community evolves, we'd like to keep track of our users. Please submit a PR with your organization and a brief use case description below.
+
 This is an alphabetical list of known [StackStorm](https://stackstorm.com/) adopters:
 
 <!-- Max 3 Github lines for each adopter! -->

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -6,6 +6,9 @@ in development
 
 Fixed
 ~~~~~
+* Additional fixes for st2 client auth when proxy auth mode enabled #6049
+  Contributed by @floatingstatic
+
 * Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
   Contributed by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)
 
@@ -23,7 +26,14 @@ Fixed
 
 * Avoid logging sensitive information in debug (fix #5977)
 
-* Fix codecov for intergration and unit tests stackstorm/st2 (#6035 and #6046)
+* Fix codecov failures for stackstorm/st2 tests. #6035, #6046, #6048
+
+* Fix #4676, edge case where --inherit-env is skipped if the action has no parameters
+
+* Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
+
+* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061
+  Contributed by @jk464
 
 Added
 ~~~~~

diff --git a/contrib/runners/python_runner/python_runner/python_action_wrapper.py b/contrib/runners/python_runner/python_runner/python_action_wrapper.py
@@ -15,11 +15,11 @@
 
 from __future__ import absolute_import
 
-# Ignore CryptographyDeprecationWarning warnings which appear on older versions of Python 2.7
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
 import warnings
-from cryptography.utils import CryptographyDeprecationWarning
 
-warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
 
 import os
 import sys

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
@@ -7,17 +7,17 @@ chardet<3.1.0
 cffi<1.15.0
 # NOTE: 2.0 version breaks pymongo work with hosts
 dnspython>=1.16.0,<2.0.0
-cryptography==3.4.7
+cryptography==39.0.1
 # Note: 0.20.0 removed select.poll() on which some of our code and libraries we
 # depend on rely
-eventlet==0.30.2
+eventlet==0.33.3
 flex==6.14.1
 gitpython==3.1.15
 # Needed by gitpython, old versions used to bundle it
 gitdb==4.0.2
 # Note: greenlet is used by eventlet
 greenlet==1.0.0
-gunicorn==20.1.0
+gunicorn==21.2.0
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 kombu==5.0.2
@@ -36,15 +36,16 @@ decorator==4.4.2
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
-paramiko==2.10.5
+# paramiko 2.11.0 is needed by cryptography > 37.0.0
+paramiko==2.11.0
 passlib==1.7.4
 prompt-toolkit==1.0.15
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3
 zstandard==0.15.2
-# pyOpenSSL 22.0.0 requires cryptography>=35.0
-pyOpenSSL<=21.0.0
+# pyOpenSSL 23.1.0 supports cryptography up to 40.0.x
+pyOpenSSL==23.1.0
 python-editor==1.0.4
 python-keyczar==0.716
 pytz==2021.1

diff --git a/requirements.txt b/requirements.txt
@@ -14,15 +14,15 @@ bcrypt==3.2.0
 cffi<1.15.0
 chardet<3.1.0
 ciso8601
-cryptography==3.4.7
+cryptography==39.0.1
 decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
-eventlet==0.30.2
+eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
 gitpython==3.1.15
 greenlet==1.0.0
-gunicorn==20.1.0
+gunicorn==21.2.0
 importlib-metadata==3.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
@@ -40,12 +40,12 @@ orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/[email protected]
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
-paramiko==2.10.5
+paramiko==2.11.0
 passlib==1.7.4
 prettytable==2.1.0
 prompt-toolkit==1.0.15
 psutil==5.8.0
-pyOpenSSL<=21.0.0
+pyOpenSSL==23.1.0
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3

diff --git a/st2actions/requirements.txt b/st2actions/requirements.txt
@@ -8,7 +8,7 @@
 MarkupSafe<2.1.0,>=0.23
 apscheduler==3.7.0
 chardet<3.1.0
-eventlet==0.30.2
+eventlet==0.33.3
 gitpython==3.1.15
 jinja2==2.11.3
 kombu==5.0.2

diff --git a/st2api/requirements.txt b/st2api/requirements.txt
@@ -5,8 +5,8 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-eventlet==0.30.2
-gunicorn==20.1.0
+eventlet==0.33.3
+gunicorn==21.2.0
 jsonschema==2.6.0
 kombu==5.0.2
 mongoengine==0.23.0

diff --git a/st2auth/requirements.txt b/st2auth/requirements.txt
@@ -6,8 +6,8 @@
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
 bcrypt==3.2.0
-eventlet==0.30.2
-gunicorn==20.1.0
+eventlet==0.33.3
+gunicorn==21.2.0
 oslo.config>=1.12.1,<1.13
 passlib==1.7.4
 pymongo==3.11.3

diff --git a/st2auth/st2auth/handlers.py b/st2auth/st2auth/handlers.py
@@ -130,6 +130,25 @@ def handle_auth(
         remote_addr = headers.get("x-forwarded-for", remote_addr)
         extra = {"remote_addr": remote_addr}
 
+        # Needed to support st2client which does not connect via st2web
+        if authorization and not remote_user:
+            try:
+                auth_value = base64.b64decode(authorization[1])
+            except Exception:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            split = auth_value.split(b":", 1)
+            if len(split) != 2:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            remote_user = split[0]
+            if six.PY3 and isinstance(remote_user, six.binary_type):
+                remote_user = remote_user.decode("utf-8")
+
         if remote_user:
             ttl = getattr(request, "ttl", None)
             username = self._get_username_for_request(remote_user, request)

diff --git a/st2auth/tests/unit/test_handlers.py b/st2auth/tests/unit/test_handlers.py
@@ -48,6 +48,31 @@ def test_proxy_handler(self):
         )
         self.assertEqual(token.user, "test_proxy_handler")
 
+    def test_proxy_handler_no_remote_user(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+        token = h.handle_auth(
+            request,
+            headers={},
+            remote_addr=None,
+            remote_user=None,
+            authorization=("basic", DUMMY_CREDS),
+        )
+        self.assertEqual(token.user, "auser")
+
+    def test_proxy_handler_bad_auth(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+
+        with self.assertRaises(exc.HTTPUnauthorized):
+            h.handle_auth(
+                request,
+                headers={},
+                remote_addr=None,
+                remote_user=None,
+                authorization=None,
+            )
+
     def test_standalone_bad_auth_type(self):
         h = handlers.StandaloneAuthHandler()
         request = {}

diff --git a/st2client/requirements.txt b/st2client/requirements.txt
@@ -8,14 +8,14 @@
 argcomplete==1.12.2
 cffi<1.15.0
 chardet<3.1.0
-cryptography==3.4.7
+cryptography==39.0.1
 importlib-metadata==3.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
 prettytable==2.1.0
 prompt-toolkit==1.0.15
-pyOpenSSL<=21.0.0
+pyOpenSSL==23.1.0
 pysocks
 python-dateutil==2.8.1
 python-editor==1.0.4

diff --git a/st2client/st2client/commands/action.py b/st2client/st2client/commands/action.py
@@ -945,6 +945,9 @@ def normalize(name, value, action_params=None, auto_dict=False):
 
         result = {}
 
+        if args.inherit_env:
+            result["env"] = self._get_inherited_env_vars()
+
         if not args.parameters:
             return result
 
@@ -1008,9 +1011,6 @@ def normalize(name, value, action_params=None, auto_dict=False):
 
             del result["_file_name"]
 
-        if args.inherit_env:
-            result["env"] = self._get_inherited_env_vars()
-
         return result
 
     @add_auth_token_to_kwargs_from_cli

diff --git a/st2client/st2client/shell.py b/st2client/st2client/shell.py
@@ -22,11 +22,11 @@
 from __future__ import print_function
 from __future__ import absolute_import
 
-# Ignore CryptographyDeprecationWarning warnings which appear on older versions of Python 2.7
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
 import warnings
-from cryptography.utils import CryptographyDeprecationWarning
 
-warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
 
 import os
 import sys