Merge branch 'master' into master

Author: arm4b

.circleci/config.yml

@@ -219,7 +219,7 @@ jobs:
   deploy:
     docker:
       # The primary container is an instance of the first list image listed. Your build commands run in this container.
-      - image: circleci/ruby:2.6
+      - image: circleci/ruby:2.7
     working_directory: /tmp/deploy
     environment:
       - DISTROS: "bionic focal el7 el8"

CHANGELOG.rst

@@ -29,13 +29,17 @@ Fixed
 
 * Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
 
-* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061
+* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. (security) #6061
   Contributed by @jk464
 
+* Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050
+
+* Fix KV value lookup in actions when RBAC is enabled #5934
+
+* Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063
+
 Added
 ~~~~~
-* Added Schwarz Digits to ADOPTERS.md by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)
-
 * Move `git clone` to `user_home/.st2packs` #5845
 
 * Error on `st2ctl status` when running in Kubernetes. #5851

contrib/runners/orquesta_runner/in-requirements.txt

@@ -1 +1 @@
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0

contrib/runners/orquesta_runner/requirements.txt

@@ -5,4 +5,4 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0

fixed-requirements.txt

@@ -12,7 +12,9 @@ cryptography==39.0.1
 # depend on rely
 eventlet==0.33.3
 flex==6.14.1
-gitpython==3.1.15
+# Note: installs gitpython==3.1.37 (security fixed) under py3.8 and gitpython==3.1.18 (latest available, vulnerable) under py3.6
+# TODO: Pin to 3.1.37 or higher after dropping python3.6 support
+gitpython<=3.1.37
 # Needed by gitpython, old versions used to bundle it
 gitdb==4.0.2
 # Note: greenlet is used by eventlet
@@ -26,8 +28,8 @@ lockfile==0.12.2
 # >=0.23 was from jinja2
 MarkupSafe<2.1.0,>=0.23
 mongoengine==0.23.0
-# networkx v2.6 does not support Python3.6.  Update networkx to match orquesta
-networkx>=2.5.1,<2.6
+# required by orquesta (networkx<2.6 for py3.6, networkx<3 for py3.8)
+networkx<3
 # networkx requires decorator>=4.3,<5 which should resolve to version 4.4.2
 # but the wheel on pypi does not say it supports python3.8, so pip gets
 # confused. For now, pin decorator to work around pip's confusion.

requirements-pants.txt

@@ -31,7 +31,7 @@ mongoengine
 # networkx version is constrained in orquesta.
 networkx
 orjson
-orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13

requirements.txt

@@ -20,7 +20,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython<=3.1.37
 greenlet==1.0.0
 gunicorn==21.2.0
 importlib-metadata==3.10.1
@@ -32,12 +32,12 @@ lockfile==0.12.2
 logshipper@ git+https://github.com/StackStorm/logshipper.git@stackstorm_patched ; platform_system=="Linux"
 mock==4.0.3
 mongoengine==0.23.0
-networkx>=2.5.1,<2.6
+networkx<3
 nose
 nose-parallel==0.4.0
 nose-timer==1.0.1
 orjson==3.5.2
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
 paramiko==2.11.0

st2actions/requirements.txt

@@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
 apscheduler==3.7.0
 chardet<3.1.0
 eventlet==0.33.3
-gitpython==3.1.15
+gitpython<=3.1.37
 jinja2==2.11.3
 kombu==5.0.2
 lockfile==0.12.2

st2common/in-requirements.txt

@@ -14,7 +14,7 @@ mongoengine
 networkx
 # used by networkx
 decorator
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 st2-rbac-backend@ git+https://github.com/StackStorm/st2-rbac-backend.git@master
 oslo.config
 paramiko

st2common/requirements.txt

@@ -17,17 +17,17 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython<=3.1.37
 greenlet==1.0.0
 jinja2==2.11.3
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx>=2.5.1,<2.6
+networkx<3
 orjson==3.5.2
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 oslo.config>=1.12.1,<1.13
 paramiko==2.11.0
 pyOpenSSL==23.1.0

st2common/st2common/services/keyvalues.py

@@ -191,17 +191,17 @@ def _get_kv(self, key):
         if kvp:
             LOG.debug("Got value %s from datastore.", kvp.value)
 
-        # Check that user has permission to the key value pair.
-        # If RBAC is enabled, this check will verify if user has system role with all access.
-        # If RBAC is enabled, this check guards against a user accessing another user's kvp.
-        # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
-        # The check is sufficient to allow decryption of the system kvp.
-        rbac_utils = get_rbac_backend().get_utils_class()
-        rbac_utils.assert_user_has_resource_db_permission(
-            user_db=UserDB(name=self._user),
-            resource_db=kvp,
-            permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
-        )
+            # Check that user has permission to the key value pair.
+            # If RBAC is enabled, this check will verify if user has system role with all access.
+            # If RBAC is enabled, this check guards against a user accessing another user's kvp.
+            # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
+            # The check is sufficient to allow decryption of the system kvp.
+            rbac_utils = get_rbac_backend().get_utils_class()
+            rbac_utils.assert_user_has_resource_db_permission(
+                user_db=UserDB(name=self._user),
+                resource_db=kvp,
+                permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
+            )
 
         return kvp.value if kvp else ""