Merge "Add manager support for app cred access rules"
This commit is contained in:
commit
6d306d936a
|
@ -114,6 +114,15 @@ class Manager(manager.Manager):
|
|||
app_cred_ref['roles'])
|
||||
return app_cred_ref
|
||||
|
||||
def _validate_access_rules(self, access_rules):
|
||||
for access_rule in access_rules:
|
||||
valid = PROVIDERS.access_rules_config_api.check_access_rule(
|
||||
access_rule['service'],
|
||||
access_rule['path'],
|
||||
access_rule['method'])
|
||||
if not valid:
|
||||
raise exception.AccessRuleNotAllowed
|
||||
|
||||
def create_application_credential(self, application_credential,
|
||||
initiator=None):
|
||||
"""Create a new application credential.
|
||||
|
@ -127,12 +136,15 @@ class Manager(manager.Manager):
|
|||
user_id = application_credential['user_id']
|
||||
project_id = application_credential['project_id']
|
||||
roles = application_credential.pop('roles', [])
|
||||
access_rules = application_credential.pop('access_rules', None)
|
||||
|
||||
self._assert_limit_not_exceeded(user_id)
|
||||
self._require_user_has_role_in_project(roles, user_id, project_id)
|
||||
if access_rules: # None or []
|
||||
self._validate_access_rules(access_rules)
|
||||
unhashed_secret = application_credential['secret']
|
||||
ref = self.driver.create_application_credential(
|
||||
application_credential, roles)
|
||||
application_credential, roles, access_rules)
|
||||
ref['secret'] = unhashed_secret
|
||||
ref = self._process_app_cred(ref)
|
||||
notifications.Audit.created(
|
||||
|
|
|
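Review bot: The trailing comment `# None or []` on the `if access_rules:` guard says what the value can be, not why validation is skipped while the same value is still forwarded unchanged to `self.driver.create_application_credential` a few lines below; `# Nothing to validate when no rules were supplied (None or []); the driver receives the value as-is.` would make the intent explicit. Validation runs after the limit and role checks and before the driver call, so a disallowed rule rejects the request before anything is persisted, which is worth stating in the docstring of `create_application_credential` (the function starts in the previous hunk and continues past this one), e.g. `:raises AccessRuleNotAllowed: if any supplied access rule is not permitted by the access rules config`. The `_validate_access_rules` helper in the previous hunk has no docstring either; `"""Raise AccessRuleNotAllowed if any rule is not permitted by the operator's access rules config."""` would do. It also indexes `access_rule['service']`, `['path']` and `['method']` directly, so it presumably relies on API-layer schema validation to guarantee those keys; if that is the contract, a one-line comment saying so would save the next reader from wondering about a KeyError.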
@ -550,6 +550,11 @@ class AccessRulesConfigNotFound(NotFound):
|
|||
"Could not find access rules config for service %(service)s.")
|
||||
|
||||
|
||||
class AccessRuleNotAllowed(ValidationError):
|
||||
message_format = _("The operator has not permitted application "
|
||||
"credentials to use the provided access rules.")
|
||||
|
||||
|
||||
class Conflict(Error):
|
||||
message_format = _("Conflict occurred attempting to store %(type)s -"
|
||||
" %(details)s.")
|
||||
|
|
|
@ -19,6 +19,8 @@ from keystone.common import driver_hints
|
|||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit.ksfixtures import access_rules_config
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -107,6 +109,40 @@ class ApplicationCredentialTests(object):
|
|||
self.app_cred_api.create_application_credential,
|
||||
app_cred)
|
||||
|
||||
def test_create_application_credential_with_access_rules(self):
|
||||
self.config_fixture.config(group='access_rules_config', permissive=True)
|
||||
app_cred = self._new_app_cred_data(self.user_foo['id'],
|
||||
project_id=self.project_bar['id'])
|
||||
app_cred['access_rules'] = [{
|
||||
'service': uuid.uuid4().hex,
|
||||
'path': uuid.uuid4().hex,
|
||||
'method': uuid.uuid4().hex[16:]
|
||||
}]
|
||||
resp = self.app_cred_api.create_application_credential(app_cred)
|
||||
resp.pop('roles')
|
||||
resp_access_rules = resp.pop('access_rules')
|
||||
app_cred.pop('roles')
|
||||
orig_access_rules = app_cred.pop('access_rules')
|
||||
self.assertDictEqual(app_cred, resp)
|
||||
for i, ar in enumerate(resp_access_rules):
|
||||
self.assertDictEqual(orig_access_rules[i], ar)
|
||||
|
||||
def test_create_application_credential_with_invalid_access_rule(self):
|
||||
rules_file = '%s/access_rules.json' % unit.TESTCONF
|
||||
self.useFixture(access_rules_config.AccessRulesConfig(
|
||||
self.config_fixture, rules_file=rules_file))
|
||||
self.load_backends()
|
||||
app_cred = self._new_app_cred_data(self.user_foo['id'],
|
||||
project_id=self.project_bar['id'])
|
||||
app_cred['access_rules'] = [{
|
||||
'service': uuid.uuid4().hex,
|
||||
'path': uuid.uuid4().hex,
|
||||
'method': uuid.uuid4().hex[16:]
|
||||
}]
|
||||
self.assertRaises(exception.AccessRuleNotAllowed,
|
||||
self.app_cred_api.create_application_credential,
|
||||
app_cred)
|
||||
|
||||
def test_get_application_credential(self):
|
||||
app_cred = self._new_app_cred_data(self.user_foo['id'],
|
||||
project_id=self.project_bar['id'])
|
||||
|
|
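Review bot: In `test_create_application_credential_with_access_rules` the comparison loop `for i, ar in enumerate(resp_access_rules)` passes vacuously if the response carries an empty `access_rules` list, so the test would not catch rules being silently dropped; add `self.assertEqual(len(orig_access_rules), len(resp_access_rules))` before the loop, or replace it with `self.assertListEqual(orig_access_rules, resp_access_rules)` if the driver preserves order. The allow path is only exercised with `permissive=True`; a rule actually listed in the `access_rules.json` fixture under `unit.TESTCONF` is never submitted, so `check_access_rule` accepting a configured rule is not covered here (the fixture's contents are not visible in this diff). The enclosing class `ApplicationCredentialTests` starts outside the hunk.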