Merge "Add manager support for app cred access rules"

This commit is contained in:
Zuul 2019-04-07 23:13:36 +00:00 committed by Gerrit Code Review
commit 6d306d936a
3 changed files with 54 additions and 1 deletions


@ -114,6 +114,15 @@ class Manager(manager.Manager):
app_cred_ref['roles'])
return app_cred_ref
def _validate_access_rules(self, access_rules):
for access_rule in access_rules:
valid = PROVIDERS.access_rules_config_api.check_access_rule(
access_rule['service'],
access_rule['path'],
access_rule['method'])
if not valid:
raise exception.AccessRuleNotAllowed
def create_application_credential(self, application_credential,
initiator=None):
"""Create a new application credential.
@ -127,12 +136,15 @@ class Manager(manager.Manager):
user_id = application_credential['user_id']
project_id = application_credential['project_id']
roles = application_credential.pop('roles', [])
access_rules = application_credential.pop('access_rules', None)
self._assert_limit_not_exceeded(user_id)
self._require_user_has_role_in_project(roles, user_id, project_id)
if access_rules: # None or []
self._validate_access_rules(access_rules)
unhashed_secret = application_credential['secret']
ref = self.driver.create_application_credential(
application_credential, roles)
application_credential, roles, access_rules)
ref['secret'] = unhashed_secret
ref = self._process_app_cred(ref)
notifications.Audit.created(
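Review bot: `_validate_access_rules` is the only gate between user-supplied access rules and the driver, yet it has no docstring stating that contract; I would add `"""Reject any access rule the operator's access_rules_config does not permit. Rules are checked in order and AccessRuleNotAllowed is raised on the first one check_access_rule reports as invalid; later rules are not examined."""`. The helper also indexes `access_rule['service']`, `['path']` and `['method']` directly, so it presumably relies on schema validation upstream to guarantee those keys are present — worth saying in the docstring, since a bare KeyError from here would surface as a 500 rather than a validation error if the method is ever reached by another caller. The `if access_rules:` guard in create_application_credential passes an empty list to the driver without calling the helper, which is fine as written but the `# None or []` comment could say so explicitly (`# None or []: nothing to validate`). create_application_credential continues past the end of this hunk.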


@ -550,6 +550,11 @@ class AccessRulesConfigNotFound(NotFound):
"Could not find access rules config for service %(service)s.")
class AccessRuleNotAllowed(ValidationError):
message_format = _("The operator has not permitted application "
"credentials to use the provided access rules.")
class Conflict(Error):
message_format = _("Conflict occurred attempting to store %(type)s -"
" %(details)s.")
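Review bot: AccessRuleNotAllowed's message_format carries no placeholders, so a user who submits several rules cannot tell which one was refused; if the operator's allow-list is not considered sensitive, consider `message_format = _("The operator has not permitted application credentials to use the provided access rule: %(method)s %(service)s %(path)s.")` and have the manager pass those values when raising. If the omission is deliberate so the configured rules are not revealed to end users, a one-line comment on the class saying so would save the next reader the same question.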


@ -19,6 +19,8 @@ from keystone.common import driver_hints
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit.ksfixtures import access_rules_config
CONF = keystone.conf.CONF
@ -107,6 +109,40 @@ class ApplicationCredentialTests(object):
self.app_cred_api.create_application_credential,
app_cred)
def test_create_application_credential_with_access_rules(self):
self.config_fixture.config(group='access_rules_config', permissive=True)
app_cred = self._new_app_cred_data(self.user_foo['id'],
project_id=self.project_bar['id'])
app_cred['access_rules'] = [{
'service': uuid.uuid4().hex,
'path': uuid.uuid4().hex,
'method': uuid.uuid4().hex[16:]
}]
resp = self.app_cred_api.create_application_credential(app_cred)
resp.pop('roles')
resp_access_rules = resp.pop('access_rules')
app_cred.pop('roles')
orig_access_rules = app_cred.pop('access_rules')
self.assertDictEqual(app_cred, resp)
for i, ar in enumerate(resp_access_rules):
self.assertDictEqual(orig_access_rules[i], ar)
def test_create_application_credential_with_invalid_access_rule(self):
rules_file = '%s/access_rules.json' % unit.TESTCONF
self.useFixture(access_rules_config.AccessRulesConfig(
self.config_fixture, rules_file=rules_file))
self.load_backends()
app_cred = self._new_app_cred_data(self.user_foo['id'],
project_id=self.project_bar['id'])
app_cred['access_rules'] = [{
'service': uuid.uuid4().hex,
'path': uuid.uuid4().hex,
'method': uuid.uuid4().hex[16:]
}]
self.assertRaises(exception.AccessRuleNotAllowed,
self.app_cred_api.create_application_credential,
app_cred)
def test_get_application_credential(self):
app_cred = self._new_app_cred_data(self.user_foo['id'],
project_id=self.project_bar['id'])
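Review bot: The non-permissive configuration is only exercised for rejection in test_create_application_credential_with_invalid_access_rule; the acceptance test above it runs with `permissive=True`, so nothing demonstrates that a rule actually listed in `access_rules.json` passes `check_access_rule` and is stored. A third test that loads the same fixture file, submits a rule copied from that file and asserts the create call succeeds with the rule echoed back would cover the positive path. Minor: the loop over `enumerate(resp_access_rules)` can be `self.assertEqual(orig_access_rules, resp_access_rules)`, which also fails on a length mismatch — as written, a response with fewer rules than were submitted would pass silently.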