Revert "Add manager support for app cred access rules"

This reverts commit 37fc2b9120. In the Train PTG[1] we agreed to defer the access rules config part of this feature until we had some kind of traceability or discoverability for APIs. For simplicity of review, this patch reverts the access rules addition to the app cred manager so that we can reimplement it in a way that doesn't require using the access_rules_config API provider. [1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials Change-Id: I65ac52b8730221562391adc8b0dbccd22ea79b16
2019-05-28 08:32:52 -07:00 · 2019-05-28 08:32:52 -07:00 · 25b2f151a7
parent d7a2dd48e4
commit 25b2f151a7
3 changed files with 1 additions and 54 deletions
--- a/keystone/application_credential/core.py
+++ b/keystone/application_credential/core.py
@ -114,15 +114,6 @@ class Manager(manager.Manager):
            app_cred_ref['roles'])
        return app_cred_ref

-    def _validate_access_rules(self, access_rules):
-        for access_rule in access_rules:
-            valid = PROVIDERS.access_rules_config_api.check_access_rule(
-                access_rule['service'],
-                access_rule['path'],
-                access_rule['method'])
-            if not valid:
-                raise exception.AccessRuleNotAllowed
-
    def create_application_credential(self, application_credential,
                                      initiator=None):
        """Create a new application credential.
@ -136,15 +127,12 @@ class Manager(manager.Manager):
        user_id = application_credential['user_id']
        project_id = application_credential['project_id']
        roles = application_credential.pop('roles', [])
-        access_rules = application_credential.pop('access_rules', None)

        self._assert_limit_not_exceeded(user_id)
        self._require_user_has_role_in_project(roles, user_id, project_id)
-        if access_rules:  # None or []
-            self._validate_access_rules(access_rules)
        unhashed_secret = application_credential['secret']
        ref = self.driver.create_application_credential(
-            application_credential, roles, access_rules)
+            application_credential, roles)
        ref['secret'] = unhashed_secret
        ref = self._process_app_cred(ref)
        notifications.Audit.created(
--- a/keystone/exception.py
+++ b/keystone/exception.py
@ -554,11 +554,6 @@ class AccessRulesConfigNotFound(NotFound):
        "Could not find access rules config for service %(service)s.")


-class AccessRuleNotAllowed(ValidationError):
-    message_format = _("The operator has not permitted application "
-                       "credentials to use the provided access rules.")
-
-
 class Conflict(Error):
    message_format = _("Conflict occurred attempting to store %(type)s -"
                       " %(details)s.")
--- a/keystone/tests/unit/application_credential/test_backends.py
+++ b/keystone/tests/unit/application_credential/test_backends.py
@ -19,8 +19,6 @@ from keystone.common import driver_hints
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
-from keystone.tests import unit
-from keystone.tests.unit.ksfixtures import access_rules_config


 CONF = keystone.conf.CONF
@ -109,40 +107,6 @@ class ApplicationCredentialTests(object):
                          self.app_cred_api.create_application_credential,
                          app_cred)

-    def test_create_application_credential_with_access_rules(self):
-        self.config_fixture.config(group='access_rules_config', permissive=True)
-        app_cred = self._new_app_cred_data(self.user_foo['id'],
-                                           project_id=self.project_bar['id'])
-        app_cred['access_rules'] = [{
-            'service': uuid.uuid4().hex,
-            'path': uuid.uuid4().hex,
-            'method': uuid.uuid4().hex[16:]
-        }]
-        resp = self.app_cred_api.create_application_credential(app_cred)
-        resp.pop('roles')
-        resp_access_rules = resp.pop('access_rules')
-        app_cred.pop('roles')
-        orig_access_rules = app_cred.pop('access_rules')
-        self.assertDictEqual(app_cred, resp)
-        for i, ar in enumerate(resp_access_rules):
-            self.assertDictEqual(orig_access_rules[i], ar)
-
-    def test_create_application_credential_with_invalid_access_rule(self):
-        rules_file = '%s/access_rules.json' % unit.TESTCONF
-        self.useFixture(access_rules_config.AccessRulesConfig(
-            self.config_fixture, rules_file=rules_file))
-        self.load_backends()
-        app_cred = self._new_app_cred_data(self.user_foo['id'],
-                                           project_id=self.project_bar['id'])
-        app_cred['access_rules'] = [{
-            'service': uuid.uuid4().hex,
-            'path': uuid.uuid4().hex,
-            'method': uuid.uuid4().hex[16:]
-        }]
-        self.assertRaises(exception.AccessRuleNotAllowed,
-                          self.app_cred_api.create_application_credential,
-                          app_cred)
-
    def test_get_application_credential(self):
        app_cred = self._new_app_cred_data(self.user_foo['id'],
                                           project_id=self.project_bar['id'])