A fix for bug 1824017 bumped the minimum version requirement of
python-cinderclient to 4.0.0. The fix was backported to stable/stein,
so the minimum version bump should be covered by a release note.

python-cinderclient requirement is bumped to >=4.0.1
as 4.0.0 is blocked by global-requirements.txt [1].

It was suggested by the release team in the review of
horizon stein update release [2].

[1] https://opendev.org/openstack/requirements/src/commit/1baf07a77333fc57d9d4a669d0265b0e687fd031/global-requirements.txt#L256
[2] https://review.opendev.org/#/c/655447/

Change-Id: I2b43e159da7e58980b2810a104ae2418f237d1c7
Related-Bug: #1824017

As of Stein, a minimum of python-cinderclient 4.0.0 is required to
create a volume. Cinder schema no longer accepts additional
properties on volume create that are not part of the API spec [1].

[1] https://review.openstack.org/#/c/573093/

Change-Id: I0fc4d5db39080985b471fe2465b7078e37417e4d
Closes-Bug: #1824017

This command checks the configuration for invalid and deprecated
settings, as described in
https://governance.openstack.org/tc/goals/stein/upgrade-checkers.html

There is also a script in tools/find_settings.py that scans all python
files for the potential new settings, which is supposed to make it
easier to update the lists that the checks use.

Change-Id: Ie85cf4be3da1ab446c10883a4580e20ea154b67c
Story: 2003657
Task: 26132

requests is used in non-test code in horizon
(openstack_dashboard/exceptions.py).
It should be declared in requirements.txt.

Closes-Bug: #1789040
Change-Id: I325b5344d45f797d256bb213093082927068a88e

BREACH is a category of vulnerabilities and not a specific
instance affecting a specific piece of software. To be vulnerable,
a web application must:

  * Be served from a server that uses HTTP-level compression
  * Reflect user-input in HTTP response bodies
  * Reflect a secret (such as a CSRF token) in HTTP response bodies

More details on breach attack - http://breachattack.com/

Since horizon falls under this category, we can include django-debreach
module within horizon as a requirement which provides mitigation against the breach attacks.

https://github.com/lpomfrey/django-debreach

CSRF token masking is a built-in feature within Django 1.10+,
therefore only content-length modification feature provided by django-debreach
can be enabled.

Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a

Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
Blueprint: mitigate-breach-attacks

When a request that is being profiled completes and the response is
received, the middleware expires the profiling cookie. It also needs
to delete the profiling object that holds the base_id UUID so a new
base_id will be created for the next profile. Otherwise the same
base_id is used for subsequent queries and they become merged togther
in the database.

Change-Id: I379cebfa2ed5282c96df0e255a8ba04c65a8523c
Closes-Bug: #1777486
Depends-On: https://review.openstack.org/578362

After 7e91070789187d9e6b5ac2b57ca755504e058e32 in openstack/requirements
repo, all entries in project requirements.txt must have lower bound
although we don't track lower bound in global-requirements.txt.
This commit re-adds Django lower bound.

Change-Id: I065e1bd904975f10bdcaacef7b0ad1336915492a

Change-Id: I34e193725da4d860cee223e274301fc04f3b2954

This patch adds support for creating application credentials in
keystone[1]. Application credentials can be created by any user for
themselves. An application credential is created for the currently
selected project. A user may provide their own secret for the application
credential, or may allow keystone to generate a secret for them. After
the application credential is created, the secret is revealed once to
the user. At that point they may download a clouds.yaml or openrc file
that contains the application credential secret and will enable them to
use it to authenticate. The secret is not revealed again.

[1] https://docs.openstack.org/keystone/latest/user/application_credentials.html

bp application-credentials

Depends-On: https://review.openstack.org/557927
Depends-On: https://review.openstack.org/557932
Change-Id: Ida2e836cf81d2b96e0b66afed29a900c312223a4

Change-Id: I075e6e743b40c28f7e256250f594396c35659bba

Create a tox environment for running the unit tests against the lower
bounds of the dependencies.

Create a lower-constraints.txt to be used to enforce the lower bounds
in those tests.

Add openstack-tox-lower-constraints job to the zuul configuration.

See http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html
for more details.

---

horizon specific change:
* Django minimum version is bumped to >=1.11 as horizon rocky
  dropped Django 1.8-1.10 support.
* django-babel needs to be bumped to 0.6.2 to support Django 2.0
  https://github.com/python-babel/django-babel/commit/8762ff5dc00c4c552655134970c8a261f9bd7366
* nose-exclude needs to be bumped to 0.5.0 to run horizon unit tests
  properly. According to my test, 0.4.0 also works but this is
  a testing dependency, so we don't need to care multiple versions much.
  Otherwise only one test is run for openstack_dashboard unit tests.

https://review.openstack.org/555402

 allows us to bump lower requirements.

Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I73c3e4531c57d015f6016ca00b056a6fd0d8fc1a
Depends-On: https://review.openstack.org/555034
Depends-On: https://review.openstack.org/555402


Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Signed-off-by: Akihiro Motoki <amotoki@gmail.com>

Change-Id: I65c2f5d032c68494ab9a1bdbc96775c57873f056

Change-Id: I4c0152c075953315b7309d843d633498e123a33f

Change-Id: I7b70f3f74f3a95d3cd0b34f9af3f97c1003090b6

Change-Id: I48b91d3b8dbf0f3d8761b893a839f814fbe9e191

Change-Id: I1f1cc1fb371fb8cd267140cb9940fb1ee1113215

Change-Id: Ief450d07147f54be2561cce1226864e97167faad

Change-Id: I89fcdfb7fccdf8a79cc21a9a63e026bb72a4153c

Change-Id: I6787fc413dac0cb0626e27861093c7bcc811c993

Change-Id: I92226d5a6afe99db08ca698f466288025ed298bb

Orchestration tab in the admin info panel needs a discussion.
It seems not to be covered by heat-dashboard yet.

blueprint heat-dashboard-split-out

Change-Id: I56e6edb1f2ac72e2f42d0e9f3291308e67f24cad

Change-Id: I31471c602d63ae0a5513cfe9c4611afa356aa5f0

Change-Id: Ie7a7e6613eb154b79c322d171005b91726b172fa

Change-Id: If804870445e46f660dce72c09ec13708f1065127

Change-Id: Ia700645172c0c7157d9e51217cb70f3d014acab9

Moves Django OpenStack Auth content to Horizon, since they are so
tightly coupled. This cleans up the development workflow and should
make keystone / auth related contributions easier.

Implements: blueprint merge-openstack-auth
Change-Id: Ia1cdc47bad1ca6e633073a9f9445b0c7f70d05bc

Change-Id: I75b6fc8284a2824a0cae30835ff409cc5b0527f9

Change-Id: I2452ac44ba4b9a67a2fe75a65e8199227fd8c6e8

Change-Id: I9a29a896e613eb259df687230126b9e8d0e1c18f

Change-Id: I7a7fd6b1088556e301eb0d186326d4cb5b503e28

Change-Id: I5d72f9c20bde24b7de45164b664cf850173f9d1a

Change-Id: Ifc8400d0ab1378a25dc4ec0f743c27a411cec654

Change-Id: Iecff3114f3ad942f9ab87eb7db96cb7a99d2dc1a

Change-Id: I9a4c93fedaac271efcfc2186ea915898c1bf2860

Change-Id: Iecc1ca9c213f6fc75920e978795c0dc88c644fc6

Change-Id: Iea9f58c0f7afaca343ca2797dcb7a899c3c71a71

Change-Id: Ia911b857e504a3025ae64381733614ca48a33def

Change-Id: I2d8863d31a9c99bf04574fd9837ad4ce35b10619

Change-Id: I693683836d18b94d93e1f88f83362f6c587199ad

Change-Id: I7f5c7f96f888b1c5c45dff4eab5d35d183ebc8e3