openstack
/
keystone
Code Issues Proposed changes

Merge "Cleanup trusts controller"

This commit is contained in:
Jenkins 2016-07-20 20:33:09 +00:00 committed by Gerrit Code Review
parent 0fe056d639 813536b4dd
commit 7c6ea30ccf
1 changed files with 26 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
keystone/trust/controllers.py
View File

@ -34,12 +34,6 @@ def _trustor_trustee_only(trust, user_id):
raise exception.Forbidden()
def _admin_trustor_only(request, trust, user_id):
if (user_id != trust.get('trustor_user_id') and
not request.context.is_admin):
raise exception.Forbidden()
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
'role_api', 'token_provider_api', 'trust_api')
class TrustV3(controller.V3Controller):
@ -132,10 +126,20 @@ class TrustV3(controller.V3Controller):
else:
redelegated_trust = None
if trust.get('project_id'):
self._require_role(trust)
self._require_user_is_trustor(request.context_dict, trust)
self._require_trustee_exists(trust['trustee_user_id'])
if trust.get('project_id') and not trust.get('roles'):
msg = _('At least one role should be specified.')
raise exception.Forbidden(msg)
user_id = self._get_user_id(request.context_dict)
# the creating user must be the trustor
if user_id != trust.get('trustor_user_id'):
msg = _("The authenticated user should match the trustor.")
raise exception.Forbidden(msg)
# ensure trustee exists
self.identity_api.get_user(trust['trustee_user_id'])
all_roles = self.role_api.list_roles()
# Normalize roles
normalized_roles = self._normalize_role_list(trust, all_roles)
@ -152,20 +156,6 @@ class TrustV3(controller.V3Controller):
self._fill_in_roles(request.context_dict, new_trust, all_roles)
return TrustV3.wrap_member(request.context_dict, new_trust)
def _require_trustee_exists(self, trustee_user_id):
self.identity_api.get_user(trustee_user_id)
def _require_user_is_trustor(self, context, trust):
user_id = self._get_user_id(context)
if user_id != trust.get('trustor_user_id'):
raise exception.Forbidden(
_("The authenticated user should match the trustor."))
def _require_role(self, trust):
if not trust.get('roles'):
raise exception.Forbidden(
_('At least one role should be specified.'))
def _get_trustor_roles(self, trust):
original_trust = trust.copy()
while original_trust.get('redelegated_trust_id'):
@ -204,14 +194,6 @@ class TrustV3(controller.V3Controller):
raise exception.ValidationExpirationError()
return expiration_time
def _check_role_for_trust(self, context, trust_id, role_id):
"""Check if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(trust_id)
user_id = self._get_user_id(context)
_trustor_trustee_only(trust, user_id)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
@controller.protected()
def list_trusts(self, request):
trusts = []
@ -247,7 +229,11 @@ class TrustV3(controller.V3Controller):
def delete_trust(self, request, trust_id):
trust = self.trust_api.get_trust(trust_id)
user_id = self._get_user_id(request.context_dict)
_admin_trustor_only(request, trust, user_id)
if (user_id != trust.get('trustor_user_id') and
not request.context.is_admin):
raise exception.Forbidden()
initiator = notifications._get_request_audit_info(request.context_dict)
self.trust_api.delete_trust(trust_id, initiator)
@ -262,7 +248,13 @@ class TrustV3(controller.V3Controller):
@controller.protected()
def get_role_for_trust(self, request, trust_id, role_id):
"""Get a role that has been assigned to a trust."""
self._check_role_for_trust(request.context_dict, trust_id, role_id)
trust = self.trust_api.get_trust(trust_id)
user_id = self._get_user_id(request.context_dict)
_trustor_trustee_only(trust, user_id)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
role = self.role_api.get_role(role_id)
return assignment.controllers.RoleV3.wrap_member(request.context_dict,
role)