Merge branch 'master' into fix/4676_inherit_env

Author: rebrowning

ADOPTERS.md

@@ -1,3 +1,6 @@
+# Who uses StackStorm?
+As the StackStorm Community evolves, we'd like to keep track of our users. Please submit a PR with your organization and a brief use case description below.
+
 This is an alphabetical list of known [StackStorm](https://stackstorm.com/) adopters:
 
 <!-- Max 3 Github lines for each adopter! -->

CHANGELOG.rst

@@ -6,6 +6,9 @@ in development
 
 Fixed
 ~~~~~
+* Additional fixes for st2 client auth when proxy auth mode enabled #6049
+  Contributed by @floatingstatic
+
 * Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
   Contributed by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)
 
@@ -24,6 +27,11 @@ Fixed
 
 * Fix #4676, edge case where --inherit-env is skipped if the action has no parameters
 
+* Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
+
+* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061
+  Contributed by @jk464
+
 Added
 ~~~~~
 

contrib/runners/python_runner/python_runner/python_action_wrapper.py

@@ -15,11 +15,11 @@
 
 from __future__ import absolute_import
 
-# Ignore CryptographyDeprecationWarning warnings which appear on older versions of Python 2.7
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
 import warnings
-from cryptography.utils import CryptographyDeprecationWarning
 
-warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
 
 import os
 import sys

fixed-requirements.txt

@@ -7,17 +7,17 @@ chardet<3.1.0
 cffi<1.15.0
 # NOTE: 2.0 version breaks pymongo work with hosts
 dnspython>=1.16.0,<2.0.0
-cryptography==3.4.7
+cryptography==39.0.1
 # Note: 0.20.0 removed select.poll() on which some of our code and libraries we
 # depend on rely
-eventlet==0.30.2
+eventlet==0.33.3
 flex==6.14.1
 gitpython==3.1.15
 # Needed by gitpython, old versions used to bundle it
 gitdb==4.0.2
 # Note: greenlet is used by eventlet
 greenlet==1.0.0
-gunicorn==20.1.0
+gunicorn==21.2.0
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 kombu==5.0.2
@@ -36,15 +36,16 @@ decorator==4.4.2
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
-paramiko==2.10.5
+# paramiko 2.11.0 is needed by cryptography > 37.0.0
+paramiko==2.11.0
 passlib==1.7.4
 prompt-toolkit==1.0.15
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3
 zstandard==0.15.2
-# pyOpenSSL 22.0.0 requires cryptography>=35.0
-pyOpenSSL<=21.0.0
+# pyOpenSSL 23.1.0 supports cryptography up to 40.0.x
+pyOpenSSL==23.1.0
 python-editor==1.0.4
 python-keyczar==0.716
 pytz==2021.1

requirements.txt

@@ -14,15 +14,15 @@ bcrypt==3.2.0
 cffi<1.15.0
 chardet<3.1.0
 ciso8601
-cryptography==3.4.7
+cryptography==39.0.1
 decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
-eventlet==0.30.2
+eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
 gitpython==3.1.15
 greenlet==1.0.0
-gunicorn==20.1.0
+gunicorn==21.2.0
 importlib-metadata==3.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
@@ -40,12 +40,12 @@ orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/[email protected]
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
-paramiko==2.10.5
+paramiko==2.11.0
 passlib==1.7.4
 prettytable==2.1.0
 prompt-toolkit==1.0.15
 psutil==5.8.0
-pyOpenSSL<=21.0.0
+pyOpenSSL==23.1.0
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3

st2actions/requirements.txt

@@ -8,7 +8,7 @@
 MarkupSafe<2.1.0,>=0.23
 apscheduler==3.7.0
 chardet<3.1.0
-eventlet==0.30.2
+eventlet==0.33.3
 gitpython==3.1.15
 jinja2==2.11.3
 kombu==5.0.2

st2api/requirements.txt

@@ -5,8 +5,8 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-eventlet==0.30.2
-gunicorn==20.1.0
+eventlet==0.33.3
+gunicorn==21.2.0
 jsonschema==2.6.0
 kombu==5.0.2
 mongoengine==0.23.0

st2auth/requirements.txt

@@ -6,8 +6,8 @@
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
 bcrypt==3.2.0
-eventlet==0.30.2
-gunicorn==20.1.0
+eventlet==0.33.3
+gunicorn==21.2.0
 oslo.config>=1.12.1,<1.13
 passlib==1.7.4
 pymongo==3.11.3

st2auth/st2auth/handlers.py

@@ -130,6 +130,25 @@ def handle_auth(
         remote_addr = headers.get("x-forwarded-for", remote_addr)
         extra = {"remote_addr": remote_addr}
 
+        # Needed to support st2client which does not connect via st2web
+        if authorization and not remote_user:
+            try:
+                auth_value = base64.b64decode(authorization[1])
+            except Exception:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            split = auth_value.split(b":", 1)
+            if len(split) != 2:
+                LOG.audit("Invalid authorization header", extra=extra)
+                abort_request()
+                return
+
+            remote_user = split[0]
+            if six.PY3 and isinstance(remote_user, six.binary_type):
+                remote_user = remote_user.decode("utf-8")
+
         if remote_user:
             ttl = getattr(request, "ttl", None)
             username = self._get_username_for_request(remote_user, request)

st2auth/tests/unit/test_handlers.py

@@ -48,6 +48,31 @@ def test_proxy_handler(self):
         )
         self.assertEqual(token.user, "test_proxy_handler")
 
+    def test_proxy_handler_no_remote_user(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+        token = h.handle_auth(
+            request,
+            headers={},
+            remote_addr=None,
+            remote_user=None,
+            authorization=("basic", DUMMY_CREDS),
+        )
+        self.assertEqual(token.user, "auser")
+
+    def test_proxy_handler_bad_auth(self):
+        h = handlers.ProxyAuthHandler()
+        request = {}
+
+        with self.assertRaises(exc.HTTPUnauthorized):
+            h.handle_auth(
+                request,
+                headers={},
+                remote_addr=None,
+                remote_user=None,
+                authorization=None,
+            )
+
     def test_standalone_bad_auth_type(self):
         h = handlers.StandaloneAuthHandler()
         request = {}