A fix for bug 1824017 bumped the minimum version requirement of
python-cinderclient to 4.0.0. The fix was backported to stable/stein,
so the minimum version bump should be covered by a release note.

python-cinderclient requirement is bumped to >=4.0.1
as 4.0.0 is blocked by global-requirements.txt [1].

It was suggested by the release team in the review of
horizon stein update release [2].

[1] https://opendev.org/openstack/requirements/src/commit/1baf07a77333fc57d9d4a669d0265b0e687fd031/global-requirements.txt#L256
[2] https://review.opendev.org/#/c/655447/

Change-Id: I2b43e159da7e58980b2810a104ae2418f237d1c7
Related-Bug: #1824017

As of Stein, a minimum of python-cinderclient 4.0.0 is required to
create a volume. Cinder schema no longer accepts additional
properties on volume create that are not part of the API spec [1].

[1] https://review.openstack.org/#/c/573093/

Change-Id: I0fc4d5db39080985b471fe2465b7078e37417e4d
Closes-Bug: #1824017

Horizon uses python-memcached while running "tox -e runserver"
so we need to add it to test-requirement.txt as well as
lower-constraints.txt.

Change-Id: I4319cf1a54310171baf1dbaf2e10acae8123dac6

This command checks the configuration for invalid and deprecated
settings, as described in
https://governance.openstack.org/tc/goals/stein/upgrade-checkers.html

There is also a script in tools/find_settings.py that scans all python
files for the potential new settings, which is supposed to make it
easier to update the lists that the checks use.

Change-Id: Ie85cf4be3da1ab446c10883a4580e20ea154b67c
Story: 2003657
Task: 26132

appdirs v1.3.0 breaks gates because it's not compatible with isort
v4.3.9.

Change-Id: I54d0d840b4a34137283074dbf022b3467774d73c

Commit I7fb2fd7dd40f301ea822154b9809a9a07610c507 changed test runner to
not use nose. So it's safe to remove all references now.

Change-Id: I8856e4e91b25f059645eb5e0356d207f6fc119f2

BREACH is a category of vulnerabilities and not a specific
instance affecting a specific piece of software. To be vulnerable,
a web application must:

  * Be served from a server that uses HTTP-level compression
  * Reflect user-input in HTTP response bodies
  * Reflect a secret (such as a CSRF token) in HTTP response bodies

More details on breach attack - http://breachattack.com/

Since horizon falls under this category, we can include django-debreach
module within horizon as a requirement which provides mitigation against the breach attacks.

https://github.com/lpomfrey/django-debreach

CSRF token masking is a built-in feature within Django 1.10+,
therefore only content-length modification feature provided by django-debreach
can be enabled.

Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a

Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
Blueprint: mitigate-breach-attacks

When a request that is being profiled completes and the response is
received, the middleware expires the profiling cookie. It also needs
to delete the profiling object that holds the base_id UUID so a new
base_id will be created for the next profile. Otherwise the same
base_id is used for subsequent queries and they become merged togther
in the database.

Change-Id: I379cebfa2ed5282c96df0e255a8ba04c65a8523c
Closes-Bug: #1777486
Depends-On: https://review.openstack.org/578362

Nose has been in maintenance mode for the past several years. It has
issue with exit code [1] which leads to false positive results for our
seleniun-headless job.

This patch changes test runner for Horizon tests and does the following
things:

* Django test runner  executes test in a different order than Nose does.
  That's why we've got an issue with side-effect in
  horizon.tests.unit.tables.test_tables.MyToggleAction class. This patch
  adds workaround to it.
* Rename filename of test files to names starting with 'test_'
  so that the django test runner can find tests expectedly.
* '--with-html-output' option is temporary dropped and will be added in
  a following patch.
* Integraion tests is marked via django.test.tag mechanism which is
  introduced in Django 1.10
* 'selenium-headless' is broken now because we don't have geckodriver on
  gates, this patch makes it non-voting.
* 'tox -e cover' is fixed
* Remove @memorized decorator from
  dashboards.project.images.images.tables.filter_tenant_ids function.

[1] https://github.com/nose-devs/nose/issues/984

Depends-On: https://review.openstack.org/572095
Depends-On: https://review.openstack.org/572124
Depends-On: https://review.openstack.org/572390
Depends-On: https://review.openstack.org/572391

Related blueprint: improve-horizon-testing
Change-Id: I7fb2fd7dd40f301ea822154b9809a9a07610c507

This patch adds support for creating application credentials in
keystone[1]. Application credentials can be created by any user for
themselves. An application credential is created for the currently
selected project. A user may provide their own secret for the application
credential, or may allow keystone to generate a secret for them. After
the application credential is created, the secret is revealed once to
the user. At that point they may download a clouds.yaml or openrc file
that contains the application credential secret and will enable them to
use it to authenticate. The secret is not revealed again.

[1] https://docs.openstack.org/keystone/latest/user/application_credentials.html

bp application-credentials

Depends-On: https://review.openstack.org/557927
Depends-On: https://review.openstack.org/557932
Change-Id: Ida2e836cf81d2b96e0b66afed29a900c312223a4

Some entries in lower-constraints.txt are incompatible
with the current requirements.txt.

requirements repo now implements lower-constraints check,
so it is time to sync these two.

Depends-On: https://review.openstack.org/#/c/557927/


Change-Id: I99124afd2b88b80da21df96c16baeef49b31e097
Signed-off-by: Akihiro Motoki <amotoki@gmail.com>

Create a tox environment for running the unit tests against the lower
bounds of the dependencies.

Create a lower-constraints.txt to be used to enforce the lower bounds
in those tests.

Add openstack-tox-lower-constraints job to the zuul configuration.

See http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html
for more details.

---

horizon specific change:
* Django minimum version is bumped to >=1.11 as horizon rocky
  dropped Django 1.8-1.10 support.
* django-babel needs to be bumped to 0.6.2 to support Django 2.0
  https://github.com/python-babel/django-babel/commit/8762ff5dc00c4c552655134970c8a261f9bd7366
* nose-exclude needs to be bumped to 0.5.0 to run horizon unit tests
  properly. According to my test, 0.4.0 also works but this is
  a testing dependency, so we don't need to care multiple versions much.
  Otherwise only one test is run for openstack_dashboard unit tests.

https://review.openstack.org/555402

 allows us to bump lower requirements.

Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I73c3e4531c57d015f6016ca00b056a6fd0d8fc1a
Depends-On: https://review.openstack.org/555034
Depends-On: https://review.openstack.org/555402


Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Signed-off-by: Akihiro Motoki <amotoki@gmail.com>