Add API for /v3/access_rules_config

Add Flask resources for access rules config. This exposes listing all configured access rules or filtering by service type, which users can use to be informed about what rules are valid. It does not expose the ability to check a rule against the configured list, which is only used internally. This API is deliberately unprotected. bp whitelist-extension-for-app-creds Change-Id: I9e25087b2ddb6e76e39eb62893378678a5cbc03c
2019-02-17 21:27:28 +01:00 · 2019-02-17 21:27:28 +01:00 · 8d31705806
parent 4d42e48ba2
commit 8d31705806
4 changed files with 98 additions and 1 deletions
--- a/keystone/api/init.py
+++ b/keystone/api/init.py
@ -10,6 +10,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from keystone.api import access_rules_config
 from keystone.api import auth
 from keystone.api import credentials
 from keystone.api import discovery
@ -38,6 +39,7 @@ from keystone.api import trusts
 from keystone.api import users

 __all__ = (
+    'access_rules_config',
    'auth',
    'discovery',
    'credentials',
@ -68,6 +70,7 @@ __all__ = (

 __apis__ = (
    discovery,
+    access_rules_config,
    auth,
    credentials,
    domains,
--- a/keystone/api/access_rules_config.py
+++ b/keystone/api/access_rules_config.py
@ -0,0 +1,51 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# This file handles all flask-restful resources for /v3/access_rules_config
+
+from keystone.common import provider_api
+import keystone.conf
+from keystone.server import flask as ks_flask
+
+
+CONF = keystone.conf.CONF
+PROVIDERS = provider_api.ProviderAPIs
+
+
+class AccessRulesConfigResource(ks_flask.ResourceBase):
+    collection_key = 'access_rules_config'
+
+    @ks_flask.unenforced_api
+    def get(self, service=None):
+        """List all access rules config.
+
+        GET/HEAD /v3/access_rules_config
+        """
+        refs = PROVIDERS.access_rules_config_api.list_access_rules_config(
+            service=service)
+        return refs
+
+
+class AccessRulesConfigAPI(ks_flask.APIBase):
+    _name = 'access_rules_config'
+    _import_name = __name__
+    resources = []
+    resource_mapping = [
+        ks_flask.construct_resource_map(
+            resource=AccessRulesConfigResource,
+            url='/access_rules_config',
+            resource_kwargs={},
+            rel='access_rules_config')
+    ]
+
+
+APIs = (AccessRulesConfigAPI,)
--- a/keystone/tests/unit/test_v3_access_rules_config.py
+++ b/keystone/tests/unit/test_v3_access_rules_config.py
@ -0,0 +1,41 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from six.moves import http_client
+
+from keystone.tests import unit
+from keystone.tests.unit.ksfixtures import access_rules_config
+from keystone.tests.unit import test_v3
+
+
+class AccessRulesConfigTestCase(test_v3.RestfulTestCase):
+    """Test list operation for access rules config."""
+
+    def setUp(self):
+        super(AccessRulesConfigTestCase, self).setUp()
+        rules_file = '%s/access_rules.json' % unit.TESTCONF
+        self.useFixture(access_rules_config.AccessRulesConfig(
+            self.config_fixture, rules_file=rules_file))
+        self.load_backends()
+
+    def test_list_access_rules_config(self):
+        with self.test_client() as c:
+            token = self.get_scoped_token()
+            resp = c.get('/v3/access_rules_config',
+                         expected_status_code=http_client.OK,
+                         headers={'X-Auth-Token': token})
+            self.assertIn("identity", resp.json)
+            self.assertIn("image", resp.json)
+            self.assertIn("block-storage", resp.json)
+            self.assertIn("compute", resp.json)
--- a/keystone/tests/unit/test_versions.py
+++ b/keystone/tests/unit/test_versions.py
@ -641,7 +641,9 @@ V3_JSON_HOME_RESOURCES = {
        'href-template': APPLICATION_CREDENTIAL,
        'href-vars': {
            'application_credential_id': APPLICATION_CREDENTIAL_RELATION,
-            'user_id': json_home.build_v3_parameter_relation('user_id')}}
+            'user_id': json_home.build_v3_parameter_relation('user_id')}},
+    json_home.build_v3_resource_relation('access_rules_config'): {
+        'href': '/access_rules_config'},
 }