Merge "Remove trust dependency on token_api"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
949c65db39
@ -3479,6 +3479,19 @@ class TrustTests(object):
|
||||
self.assertIsNotNone(trust_data)
|
||||
trust_data = self.trust_api.get_trust(trust_id)
|
||||
self.assertEqual(new_id, trust_data['id'])
|
||||
self.trust_api.delete_trust(trust_data['id'])
|
||||
|
||||
def test_get_deleted_trust(self):
|
||||
new_id = uuid.uuid4().hex
|
||||
trust_data = self.create_sample_trust(new_id)
|
||||
self.assertIsNotNone(trust_data)
|
||||
self.assertIsNone(trust_data['deleted_at'])
|
||||
self.trust_api.delete_trust(new_id)
|
||||
self.assertIsNone(self.trust_api.get_trust(new_id))
|
||||
deleted_trust = self.trust_api.get_trust(trust_data['id'],
|
||||
deleted=True)
|
||||
self.assertEqual(trust_data['id'], deleted_trust['id'])
|
||||
self.assertIsNotNone(deleted_trust.get('deleted_at'))
|
||||
|
||||
def test_create_trust(self):
|
||||
new_id = uuid.uuid4().hex
|
||||
|
||||
@ -149,6 +149,12 @@ class Manager(manager.Manager):
|
||||
def __init__(self):
|
||||
super(Manager, self).__init__(self.get_token_provider())
|
||||
|
||||
# This is used by the @dependency.provider decorator to register the
|
||||
# provider (token_provider_api) manager to listen for trust deletions.
|
||||
self.event_callbacks = {
|
||||
'deleted': {'OS-TRUST:trust': [self._trust_deleted_event_callback]}
|
||||
}
|
||||
|
||||
@property
|
||||
def persistence(self):
|
||||
# NOTE(morganfainberg): This should not be handled via __init__ to
|
||||
@ -455,6 +461,13 @@ class Manager(manager.Manager):
|
||||
def list_revoked_tokens(self):
|
||||
return self.persistence.list_revoked_tokens()
|
||||
|
||||
def _trust_deleted_event_callback(self, service, resource_type, operation,
|
||||
payload):
|
||||
trust_id = payload['resource_info']
|
||||
trust = self.trust_api.get_trust(trust_id, deleted=True)
|
||||
self.persistence.delete_tokens(user_id=trust['trustor_user_id'],
|
||||
trust_id=trust_id)
|
||||
|
||||
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class Provider(object):
|
||||
|
||||
@ -24,14 +24,15 @@ from keystone import exception
|
||||
from keystone import trust as keystone_trust
|
||||
|
||||
|
||||
def _filter_trust(ref):
|
||||
if ref['deleted']:
|
||||
def _filter_trust(ref, deleted=False):
|
||||
if ref['deleted_at'] and not deleted:
|
||||
return None
|
||||
if ref.get('expires_at') and timeutils.utcnow() > ref['expires_at']:
|
||||
if (ref.get('expires_at') and timeutils.utcnow() > ref['expires_at'] and
|
||||
not deleted):
|
||||
return None
|
||||
remaining_uses = ref.get('remaining_uses')
|
||||
# Do not return trusts that can't be used anymore
|
||||
if remaining_uses is not None:
|
||||
if remaining_uses is not None and not deleted:
|
||||
if remaining_uses <= 0:
|
||||
return None
|
||||
ref = copy.deepcopy(ref)
|
||||
@ -42,7 +43,7 @@ class Trust(kvs.Base, keystone_trust.Driver):
|
||||
def create_trust(self, trust_id, trust, roles):
|
||||
trust_ref = copy.deepcopy(trust)
|
||||
trust_ref['id'] = trust_id
|
||||
trust_ref['deleted'] = False
|
||||
trust_ref['deleted_at'] = None
|
||||
trust_ref['roles'] = roles
|
||||
if (trust_ref.get('expires_at') and
|
||||
trust_ref['expires_at'].tzinfo is not None):
|
||||
@ -76,10 +77,10 @@ class Trust(kvs.Base, keystone_trust.Driver):
|
||||
else:
|
||||
raise exception.TrustUseLimitReached(trust_id=trust_id)
|
||||
|
||||
def get_trust(self, trust_id):
|
||||
def get_trust(self, trust_id, deleted=False):
|
||||
try:
|
||||
ref = self.db.get('trust-%s' % trust_id)
|
||||
return _filter_trust(ref)
|
||||
return _filter_trust(ref, deleted=deleted)
|
||||
except exception.NotFound:
|
||||
return None
|
||||
|
||||
@ -88,13 +89,13 @@ class Trust(kvs.Base, keystone_trust.Driver):
|
||||
ref = self.db.get('trust-%s' % trust_id)
|
||||
except exception.NotFound:
|
||||
raise exception.TrustNotFound(trust_id=trust_id)
|
||||
ref['deleted'] = True
|
||||
ref['deleted_at'] = timeutils.utcnow()
|
||||
self.db.set('trust-%s' % trust_id, ref)
|
||||
|
||||
def list_trusts(self):
|
||||
trusts = []
|
||||
for key, value in self.db.items():
|
||||
if key.startswith("trust-") and not value['deleted']:
|
||||
if key.startswith("trust-") and not value['deleted_at']:
|
||||
trusts.append(value)
|
||||
return trusts
|
||||
|
||||
|
||||
@ -32,7 +32,7 @@ class TrustModel(sql.ModelBase, sql.DictBase):
|
||||
__tablename__ = 'trust'
|
||||
attributes = ['id', 'trustor_user_id', 'trustee_user_id',
|
||||
'project_id', 'impersonation', 'expires_at',
|
||||
'remaining_uses']
|
||||
'remaining_uses', 'deleted_at']
|
||||
id = sql.Column(sql.String(64), primary_key=True)
|
||||
# user id of owner
|
||||
trustor_user_id = sql.Column(sql.String(64), nullable=False,)
|
||||
@ -128,19 +128,20 @@ class Trust(trust.Driver):
|
||||
# incorrectly indicating a trust was consumed.
|
||||
raise exception.TrustConsumeMaximumAttempt(trust_id=trust_id)
|
||||
|
||||
def get_trust(self, trust_id):
|
||||
def get_trust(self, trust_id, deleted=False):
|
||||
session = sql.get_session()
|
||||
ref = (session.query(TrustModel).
|
||||
filter_by(deleted_at=None).
|
||||
filter_by(id=trust_id).first())
|
||||
query = session.query(TrustModel).filter_by(id=trust_id)
|
||||
if not deleted:
|
||||
query = query.filter_by(deleted_at=None)
|
||||
ref = query.first()
|
||||
if ref is None:
|
||||
return None
|
||||
if ref.expires_at is not None:
|
||||
if ref.expires_at is not None and not deleted:
|
||||
now = timeutils.utcnow()
|
||||
if now > ref.expires_at:
|
||||
return None
|
||||
# Do not return trusts that can't be used anymore
|
||||
if ref.remaining_uses is not None:
|
||||
if ref.remaining_uses is not None and not deleted:
|
||||
if ref.remaining_uses <= 0:
|
||||
return None
|
||||
trust_dict = ref.to_dict()
|
||||
|
||||
@ -22,6 +22,7 @@ from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone.models import token_model
|
||||
from keystone.openstack.common import log
|
||||
|
||||
|
||||
@ -39,8 +40,8 @@ def _admin_trustor_only(context, trust, user_id):
|
||||
raise exception.Forbidden()
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api', 'trust_api',
|
||||
'token_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api',
|
||||
'trust_api')
|
||||
class TrustV3(controller.V3Controller):
|
||||
collection_name = "trusts"
|
||||
member_name = "trust"
|
||||
@ -57,9 +58,10 @@ class TrustV3(controller.V3Controller):
|
||||
def _get_user_id(self, context):
|
||||
if 'token_id' in context:
|
||||
token_id = context['token_id']
|
||||
token = self.token_api.get_token(token_id)
|
||||
user_id = token['user']['id']
|
||||
return user_id
|
||||
token_data = self.token_provider_api.validate_token(token_id)
|
||||
token_ref = token_model.KeystoneToken(token_id=token_id,
|
||||
token_data=token_data)
|
||||
return token_ref.user_id
|
||||
return None
|
||||
|
||||
def get_trust(self, context, trust_id):
|
||||
@ -229,8 +231,6 @@ class TrustV3(controller.V3Controller):
|
||||
user_id = self._get_user_id(context)
|
||||
_admin_trustor_only(context, trust, user_id)
|
||||
self.trust_api.delete_trust(trust_id)
|
||||
userid = trust['trustor_user_id']
|
||||
self.token_api.delete_tokens(userid, trust_id=trust_id)
|
||||
|
||||
@controller.protected()
|
||||
def list_roles_for_trust(self, context, trust_id):
|
||||
|
||||
@ -80,7 +80,15 @@ class Driver(object):
|
||||
raise exception.NotImplemented() # pragma: no cover
|
||||
|
||||
@abc.abstractmethod
|
||||
def get_trust(self, trust_id):
|
||||
def get_trust(self, trust_id, deleted=False):
|
||||
"""Get a trust by the trust id.
|
||||
|
||||
:param trust_id: the trust identifier
|
||||
:type trust_id: string
|
||||
:param deleted: return the trust even if it is deleted, expired, or
|
||||
has no consumptions left
|
||||
:type deleted: bool
|
||||
"""
|
||||
raise exception.NotImplemented() # pragma: no cover
|
||||
|
||||
@abc.abstractmethod
|
||||
|
||||
Loading…
Reference in New Issue
Block a user