Stop passing context to managers (bug 1194938)
We don't have a use case for passing the request context to the manager layer, so this patch removes a bunch of cruft. Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
This commit is contained in:
parent
6c6d15ca8c
commit
911c315656
|
@ -94,11 +94,9 @@ class AuthInfo(object):
|
|||
target='domain')
|
||||
try:
|
||||
if domain_name:
|
||||
domain_ref = self.identity_api.get_domain_by_name(
|
||||
context=self.context, domain_name=domain_name)
|
||||
domain_ref = self.identity_api.get_domain_by_name(domain_name)
|
||||
else:
|
||||
domain_ref = self.identity_api.get_domain(
|
||||
context=self.context, domain_id=domain_id)
|
||||
domain_ref = self.identity_api.get_domain(domain_id)
|
||||
except exception.DomainNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -119,11 +117,9 @@ class AuthInfo(object):
|
|||
target='project')
|
||||
domain_ref = self._lookup_domain(project_info['domain'])
|
||||
project_ref = self.identity_api.get_project_by_name(
|
||||
context=self.context, tenant_name=project_name,
|
||||
domain_id=domain_ref['id'])
|
||||
project_name, domain_ref['id'])
|
||||
else:
|
||||
project_ref = self.identity_api.get_project(
|
||||
context=self.context, tenant_id=project_id)
|
||||
project_ref = self.identity_api.get_project(project_id)
|
||||
except exception.ProjectNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -135,7 +131,7 @@ class AuthInfo(object):
|
|||
if not trust_id:
|
||||
raise exception.ValidationError(attribute='trust_id',
|
||||
target='trust')
|
||||
trust = self.trust_api.get_trust(self.context, trust_id)
|
||||
trust = self.trust_api.get_trust(trust_id)
|
||||
if not trust:
|
||||
raise exception.TrustNotFound(trust_id=trust_id)
|
||||
return trust
|
||||
|
@ -154,11 +150,9 @@ class AuthInfo(object):
|
|||
target='user')
|
||||
domain_ref = self._lookup_domain(user_info['domain'])
|
||||
user_ref = self.identity_api.get_user_by_name(
|
||||
context=self.context, user_name=user_name,
|
||||
domain_id=domain_ref['id'])
|
||||
user_name, domain_ref['id'])
|
||||
else:
|
||||
user_ref = self.identity_api.get_user(
|
||||
context=self.context, user_id=user_id)
|
||||
user_ref = self.identity_api.get_user(user_id)
|
||||
except exception.UserNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -285,10 +279,9 @@ class Auth(controller.V3Controller):
|
|||
auth_info = AuthInfo(context, auth=auth)
|
||||
auth_context = {'extras': {}, 'method_names': []}
|
||||
self.authenticate(context, auth_info, auth_context)
|
||||
self._check_and_set_default_scoping(context, auth_info,
|
||||
auth_context)
|
||||
self._check_and_set_default_scoping(auth_info, auth_context)
|
||||
(token_id, token_data) = token_factory.create_token(
|
||||
context, auth_context, auth_info)
|
||||
auth_context, auth_info)
|
||||
return token_factory.render_token_data_response(
|
||||
token_id, token_data, created=True)
|
||||
except exception.SecurityError:
|
||||
|
@ -297,7 +290,7 @@ class Auth(controller.V3Controller):
|
|||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
def _check_and_set_default_scoping(self, context, auth_info, auth_context):
|
||||
def _check_and_set_default_scoping(self, auth_info, auth_context):
|
||||
(domain_id, project_id, trust) = auth_info.get_scope()
|
||||
if trust:
|
||||
project_id = trust['project_id']
|
||||
|
@ -307,8 +300,7 @@ class Auth(controller.V3Controller):
|
|||
|
||||
# fill in default_project_id if it is available
|
||||
try:
|
||||
user_ref = self.identity_api.get_user(
|
||||
context=context, user_id=auth_context['user_id'])
|
||||
user_ref = self.identity_api.get_user(auth_context['user_id'])
|
||||
default_project_id = user_ref.get('default_project_id')
|
||||
if default_project_id:
|
||||
auth_info.set_scope(domain_id=None,
|
||||
|
@ -364,8 +356,7 @@ class Auth(controller.V3Controller):
|
|||
raise exception.Unauthorized(msg)
|
||||
|
||||
def _get_token_ref(self, context, token_id, belongs_to=None):
|
||||
token_ref = self.token_api.get_token(context=context,
|
||||
token_id=token_id)
|
||||
token_ref = self.token_api.get_token(token_id)
|
||||
if cms.is_ans1_token(token_id):
|
||||
verified_token = cms.cms_verify(cms.token_to_cms(token_id),
|
||||
CONF.signing.certfile,
|
||||
|
@ -394,9 +385,8 @@ class Auth(controller.V3Controller):
|
|||
def validate_token(self, context):
|
||||
token_id = context.get('subject_token_id')
|
||||
self.check_token(context)
|
||||
token_ref = self.token_api.get_token(context, token_id)
|
||||
token_ref = self.token_api.get_token(token_id)
|
||||
token_data = token_factory.recreate_token_data(
|
||||
context,
|
||||
token_ref.get('token_data'),
|
||||
token_ref['expires'],
|
||||
token_ref.get('user'),
|
||||
|
|
|
@ -26,9 +26,8 @@ LOG = logging.getLogger(__name__)
|
|||
|
||||
|
||||
class UserAuthInfo(object):
|
||||
def __init__(self, context, auth_payload):
|
||||
def __init__(self, auth_payload):
|
||||
self.identity_api = identity.Manager()
|
||||
self.context = context
|
||||
self.user_id = None
|
||||
self.password = None
|
||||
self.user_ref = None
|
||||
|
@ -55,11 +54,9 @@ class UserAuthInfo(object):
|
|||
target='domain')
|
||||
try:
|
||||
if domain_name:
|
||||
domain_ref = self.identity_api.get_domain_by_name(
|
||||
context=self.context, domain_name=domain_name)
|
||||
domain_ref = self.identity_api.get_domain_by_name(domain_name)
|
||||
else:
|
||||
domain_ref = self.identity_api.get_domain(
|
||||
context=self.context, domain_id=domain_id)
|
||||
domain_ref = self.identity_api.get_domain(domain_id)
|
||||
except exception.DomainNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -85,13 +82,11 @@ class UserAuthInfo(object):
|
|||
target='user')
|
||||
domain_ref = self._lookup_domain(user_info['domain'])
|
||||
user_ref = self.identity_api.get_user_by_name(
|
||||
context=self.context, user_name=user_name,
|
||||
domain_id=domain_ref['id'])
|
||||
user_name, domain_ref['id'])
|
||||
else:
|
||||
user_ref = self.identity_api.get_user(
|
||||
context=self.context, user_id=user_id)
|
||||
user_ref = self.identity_api.get_user(user_id)
|
||||
domain_ref = self.identity_api.get_domain(
|
||||
context=self.context, domain_id=user_ref['domain_id'])
|
||||
user_ref['domain_id'])
|
||||
self._assert_domain_is_enabled(domain_ref)
|
||||
except exception.UserNotFound as e:
|
||||
LOG.exception(e)
|
||||
|
@ -104,12 +99,11 @@ class UserAuthInfo(object):
|
|||
class Password(auth.AuthMethodHandler):
|
||||
def authenticate(self, context, auth_payload, user_context):
|
||||
"""Try to authenticate against the identity backend."""
|
||||
user_info = UserAuthInfo(context, auth_payload)
|
||||
user_info = UserAuthInfo(auth_payload)
|
||||
|
||||
# FIXME(gyee): identity.authenticate() can use some refactoring since
|
||||
# all we care is password matches
|
||||
self.identity_api.authenticate(
|
||||
context=context,
|
||||
user_id=user_info.user_id,
|
||||
password=user_info.password)
|
||||
if 'user_id' not in user_context:
|
||||
|
|
|
@ -35,7 +35,7 @@ class Token(auth.AuthMethodHandler):
|
|||
raise exception.ValidationError(attribute='id',
|
||||
target=METHOD_NAME)
|
||||
token_id = auth_payload['id']
|
||||
token_ref = self.token_api.get_token(context, token_id)
|
||||
token_ref = self.token_api.get_token(token_id)
|
||||
user_context.setdefault(
|
||||
'user_id', token_ref['token_data']['token']['user']['id'])
|
||||
# to support Grizzly-3 to Grizzly-RC1 transition
|
||||
|
|
|
@ -42,15 +42,13 @@ LOG = logging.getLogger(__name__)
|
|||
|
||||
class TokenDataHelper(object):
|
||||
"""Token data helper."""
|
||||
def __init__(self, context):
|
||||
def __init__(self):
|
||||
self.identity_api = identity.Manager()
|
||||
self.catalog_api = catalog.Manager()
|
||||
self.trust_api = trust.Manager()
|
||||
self.context = context
|
||||
|
||||
def _get_filtered_domain(self, domain_id):
|
||||
domain_ref = self.identity_api.get_domain(self.context,
|
||||
domain_id)
|
||||
domain_ref = self.identity_api.get_domain(domain_id)
|
||||
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
||||
|
||||
def _populate_scope(self, token_data, domain_id, project_id):
|
||||
|
@ -60,8 +58,7 @@ class TokenDataHelper(object):
|
|||
if domain_id:
|
||||
token_data['domain'] = self._get_filtered_domain(domain_id)
|
||||
if project_id:
|
||||
project_ref = self.identity_api.get_project(
|
||||
self.context, project_id)
|
||||
project_ref = self.identity_api.get_project(project_id)
|
||||
filtered_project = {
|
||||
'id': project_ref['id'],
|
||||
'name': project_ref['name']}
|
||||
|
@ -71,10 +68,10 @@ class TokenDataHelper(object):
|
|||
|
||||
def _get_project_roles_for_user(self, user_id, project_id):
|
||||
roles = self.identity_api.get_roles_for_user_and_project(
|
||||
self.context, user_id, project_id)
|
||||
user_id, project_id)
|
||||
roles_ref = []
|
||||
for role_id in roles:
|
||||
role_ref = self.identity_api.get_role(self.context, role_id)
|
||||
role_ref = self.identity_api.get_role(role_id)
|
||||
role_ref.setdefault('project_id', project_id)
|
||||
roles_ref.append(role_ref)
|
||||
# user have no project roles, therefore access denied
|
||||
|
@ -86,10 +83,10 @@ class TokenDataHelper(object):
|
|||
|
||||
def _get_domain_roles_for_user(self, user_id, domain_id):
|
||||
roles = self.identity_api.get_roles_for_user_and_domain(
|
||||
self.context, user_id, domain_id)
|
||||
user_id, domain_id)
|
||||
roles_ref = []
|
||||
for role_id in roles:
|
||||
role_ref = self.identity_api.get_role(self.context, role_id)
|
||||
role_ref = self.identity_api.get_role(role_id)
|
||||
role_ref.setdefault('domain_id', domain_id)
|
||||
roles_ref.append(role_ref)
|
||||
# user have no domain roles, therefore access denied
|
||||
|
@ -112,11 +109,10 @@ class TokenDataHelper(object):
|
|||
if 'user' in token_data:
|
||||
return
|
||||
|
||||
user_ref = self.identity_api.get_user(self.context,
|
||||
user_id)
|
||||
user_ref = self.identity_api.get_user(user_id)
|
||||
if CONF.trust.enabled and trust:
|
||||
trustor_user_ref = (self.identity_api.get_user(self.context,
|
||||
trust['trustor_user_id']))
|
||||
trustor_user_ref = self.identity_api.get_user(
|
||||
trust['trustor_user_id'])
|
||||
if not trustor_user_ref['enabled']:
|
||||
raise exception.Forbidden()
|
||||
if trust['impersonation']:
|
||||
|
@ -178,7 +174,7 @@ class TokenDataHelper(object):
|
|||
if project_id or domain_id:
|
||||
try:
|
||||
service_catalog = self.catalog_api.get_v3_catalog(
|
||||
self.context, user_id, project_id)
|
||||
user_id, project_id)
|
||||
# TODO(ayoung): KVS backend needs a sample implementation
|
||||
except exception.NotImplemented:
|
||||
service_catalog = {}
|
||||
|
@ -218,7 +214,7 @@ class TokenDataHelper(object):
|
|||
return {'token': token_data}
|
||||
|
||||
|
||||
def recreate_token_data(context, token_data=None, expires=None,
|
||||
def recreate_token_data(token_data=None, expires=None,
|
||||
user_ref=None, project_ref=None):
|
||||
"""Recreate token from an existing token.
|
||||
|
||||
|
@ -280,7 +276,7 @@ def recreate_token_data(context, token_data=None, expires=None,
|
|||
token = None
|
||||
project_id = project_ref['id'] if project_ref else None
|
||||
user_id = user_ref['id']
|
||||
token_data_helper = TokenDataHelper(context)
|
||||
token_data_helper = TokenDataHelper()
|
||||
return token_data_helper.get_token_data(user_id,
|
||||
methods,
|
||||
extras,
|
||||
|
@ -290,8 +286,8 @@ def recreate_token_data(context, token_data=None, expires=None,
|
|||
token=token)
|
||||
|
||||
|
||||
def create_token(context, auth_context, auth_info):
|
||||
token_data_helper = TokenDataHelper(context)
|
||||
def create_token(auth_context, auth_info):
|
||||
token_data_helper = TokenDataHelper()
|
||||
(domain_id, project_id, trust) = auth_info.get_scope()
|
||||
method_names = list(set(auth_info.get_method_names() +
|
||||
auth_context.get('method_names', [])))
|
||||
|
@ -338,13 +334,13 @@ def create_token(context, auth_context, auth_info):
|
|||
metadata=metadata_ref,
|
||||
token_data=token_data,
|
||||
trust_id=trust['id'] if trust else None)
|
||||
token_api.create_token(context, token_id, data)
|
||||
token_api.create_token(token_id, data)
|
||||
except Exception:
|
||||
exc_info = sys.exc_info()
|
||||
# an identical token may have been created already.
|
||||
# if so, return the token_data as it is also identical
|
||||
try:
|
||||
token_api.get_token(context=context, token_id=token_id)
|
||||
token_api.get_token(token_id)
|
||||
except exception.TokenNotFound:
|
||||
raise exc_info[0], exc_info[1], exc_info[2]
|
||||
|
||||
|
|
|
@ -29,17 +29,17 @@ INTERFACES = ['public', 'internal', 'admin']
|
|||
class Service(controller.V2Controller):
|
||||
def get_services(self, context):
|
||||
self.assert_admin(context)
|
||||
service_list = self.catalog_api.list_services(context)
|
||||
service_list = self.catalog_api.list_services()
|
||||
return {'OS-KSADM:services': service_list}
|
||||
|
||||
def get_service(self, context, service_id):
|
||||
self.assert_admin(context)
|
||||
service_ref = self.catalog_api.get_service(context, service_id)
|
||||
service_ref = self.catalog_api.get_service(service_id)
|
||||
return {'OS-KSADM:service': service_ref}
|
||||
|
||||
def delete_service(self, context, service_id):
|
||||
self.assert_admin(context)
|
||||
self.catalog_api.delete_service(context, service_id)
|
||||
self.catalog_api.delete_service(service_id)
|
||||
|
||||
def create_service(self, context, OS_KSADM_service):
|
||||
self.assert_admin(context)
|
||||
|
@ -47,7 +47,7 @@ class Service(controller.V2Controller):
|
|||
service_ref = OS_KSADM_service.copy()
|
||||
service_ref['id'] = service_id
|
||||
new_service_ref = self.catalog_api.create_service(
|
||||
context, service_id, service_ref)
|
||||
service_id, service_ref)
|
||||
return {'OS-KSADM:service': new_service_ref}
|
||||
|
||||
|
||||
|
@ -57,7 +57,7 @@ class Endpoint(controller.V2Controller):
|
|||
"""Merge matching v3 endpoint refs into legacy refs."""
|
||||
self.assert_admin(context)
|
||||
legacy_endpoints = {}
|
||||
for endpoint in self.catalog_api.list_endpoints(context):
|
||||
for endpoint in self.catalog_api.list_endpoints():
|
||||
if not endpoint.get('legacy_endpoint_id'):
|
||||
# endpoints created in v3 should not appear on the v2 API
|
||||
continue
|
||||
|
@ -104,8 +104,7 @@ class Endpoint(controller.V2Controller):
|
|||
endpoint_ref['interface'] = interface
|
||||
endpoint_ref['url'] = url
|
||||
|
||||
self.catalog_api.create_endpoint(
|
||||
context, endpoint_ref['id'], endpoint_ref)
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
|
||||
legacy_endpoint_ref['id'] = legacy_endpoint_id
|
||||
return {'endpoint': legacy_endpoint_ref}
|
||||
|
@ -115,9 +114,9 @@ class Endpoint(controller.V2Controller):
|
|||
self.assert_admin(context)
|
||||
|
||||
deleted_at_least_one = False
|
||||
for endpoint in self.catalog_api.list_endpoints(context):
|
||||
for endpoint in self.catalog_api.list_endpoints():
|
||||
if endpoint['legacy_endpoint_id'] == endpoint_id:
|
||||
self.catalog_api.delete_endpoint(context, endpoint['id'])
|
||||
self.catalog_api.delete_endpoint(endpoint['id'])
|
||||
deleted_at_least_one = True
|
||||
|
||||
if not deleted_at_least_one:
|
||||
|
@ -134,29 +133,29 @@ class ServiceV3(controller.V3Controller):
|
|||
ref = self._assign_unique_id(self._normalize_dict(service))
|
||||
self._require_attribute(ref, 'type')
|
||||
|
||||
ref = self.catalog_api.create_service(context, ref['id'], ref)
|
||||
ref = self.catalog_api.create_service(ref['id'], ref)
|
||||
return ServiceV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('type')
|
||||
def list_services(self, context, filters):
|
||||
refs = self.catalog_api.list_services(context)
|
||||
refs = self.catalog_api.list_services()
|
||||
return ServiceV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_service(self, context, service_id):
|
||||
ref = self.catalog_api.get_service(context, service_id)
|
||||
ref = self.catalog_api.get_service(service_id)
|
||||
return ServiceV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_service(self, context, service_id, service):
|
||||
self._require_matching_id(service_id, service)
|
||||
|
||||
ref = self.catalog_api.update_service(context, service_id, service)
|
||||
ref = self.catalog_api.update_service(service_id, service)
|
||||
return ServiceV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def delete_service(self, context, service_id):
|
||||
return self.catalog_api.delete_service(context, service_id)
|
||||
return self.catalog_api.delete_service(service_id)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api')
|
||||
|
@ -180,19 +179,19 @@ class EndpointV3(controller.V3Controller):
|
|||
ref = self._assign_unique_id(self._normalize_dict(endpoint))
|
||||
self._require_attribute(ref, 'service_id')
|
||||
self._require_attribute(ref, 'interface')
|
||||
self.catalog_api.get_service(context, ref['service_id'])
|
||||
self.catalog_api.get_service(ref['service_id'])
|
||||
|
||||
ref = self.catalog_api.create_endpoint(context, ref['id'], ref)
|
||||
ref = self.catalog_api.create_endpoint(ref['id'], ref)
|
||||
return EndpointV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('interface', 'service_id')
|
||||
def list_endpoints(self, context, filters):
|
||||
refs = self.catalog_api.list_endpoints(context)
|
||||
refs = self.catalog_api.list_endpoints()
|
||||
return EndpointV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_endpoint(self, context, endpoint_id):
|
||||
ref = self.catalog_api.get_endpoint(context, endpoint_id)
|
||||
ref = self.catalog_api.get_endpoint(endpoint_id)
|
||||
return EndpointV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
|
@ -200,11 +199,11 @@ class EndpointV3(controller.V3Controller):
|
|||
self._require_matching_id(endpoint_id, endpoint)
|
||||
|
||||
if 'service_id' in endpoint:
|
||||
self.catalog_api.get_service(context, endpoint['service_id'])
|
||||
self.catalog_api.get_service(endpoint['service_id'])
|
||||
|
||||
ref = self.catalog_api.update_endpoint(context, endpoint_id, endpoint)
|
||||
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint)
|
||||
return EndpointV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def delete_endpoint(self, context, endpoint_id):
|
||||
return self.catalog_api.delete_endpoint(context, endpoint_id)
|
||||
return self.catalog_api.delete_endpoint(endpoint_id)
|
||||
|
|
|
@ -64,38 +64,38 @@ class Manager(manager.Manager):
|
|||
def __init__(self):
|
||||
super(Manager, self).__init__(CONF.catalog.driver)
|
||||
|
||||
def get_service(self, context, service_id):
|
||||
def get_service(self, service_id):
|
||||
try:
|
||||
return self.driver.get_service(service_id)
|
||||
except exception.NotFound:
|
||||
raise exception.ServiceNotFound(service_id=service_id)
|
||||
|
||||
def delete_service(self, context, service_id):
|
||||
def delete_service(self, service_id):
|
||||
try:
|
||||
return self.driver.delete_service(service_id)
|
||||
except exception.NotFound:
|
||||
raise exception.ServiceNotFound(service_id=service_id)
|
||||
|
||||
def create_endpoint(self, context, endpoint_id, endpoint_ref):
|
||||
def create_endpoint(self, endpoint_id, endpoint_ref):
|
||||
try:
|
||||
return self.driver.create_endpoint(endpoint_id, endpoint_ref)
|
||||
except exception.NotFound:
|
||||
service_id = endpoint_ref.get('service_id')
|
||||
raise exception.ServiceNotFound(service_id=service_id)
|
||||
|
||||
def delete_endpoint(self, context, endpoint_id):
|
||||
def delete_endpoint(self, endpoint_id):
|
||||
try:
|
||||
return self.driver.delete_endpoint(endpoint_id)
|
||||
except exception.NotFound:
|
||||
raise exception.EndpointNotFound(endpoint_id=endpoint_id)
|
||||
|
||||
def get_endpoint(self, context, endpoint_id):
|
||||
def get_endpoint(self, endpoint_id):
|
||||
try:
|
||||
return self.driver.get_endpoint(endpoint_id)
|
||||
except exception.NotFound:
|
||||
raise exception.EndpointNotFound(endpoint_id=endpoint_id)
|
||||
|
||||
def get_catalog(self, context, user_id, tenant_id, metadata=None):
|
||||
def get_catalog(self, user_id, tenant_id, metadata=None):
|
||||
try:
|
||||
return self.driver.get_catalog(user_id, tenant_id, metadata)
|
||||
except exception.NotFound:
|
||||
|
|
|
@ -20,8 +20,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
|
|||
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
|
||||
|
||||
try:
|
||||
token_ref = self.token_api.get_token(
|
||||
context=context, token_id=context['token_id'])
|
||||
token_ref = self.token_api.get_token(context['token_id'])
|
||||
except exception.TokenNotFound:
|
||||
LOG.warning(_('RBAC: Invalid token'))
|
||||
raise exception.Unauthorized()
|
||||
|
@ -61,7 +60,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
|
|||
except AttributeError:
|
||||
LOG.debug(_('RBAC: Proceeding without tenant'))
|
||||
# NOTE(vish): this is pretty inefficient
|
||||
creds['roles'] = [self.identity_api.get_role(context, role)['name']
|
||||
creds['roles'] = [self.identity_api.get_role(role)['name']
|
||||
for role in creds.get('roles', [])]
|
||||
|
||||
return creds
|
||||
|
@ -97,7 +96,7 @@ def protected(f):
|
|||
# Simply use the passed kwargs as the target dict, which
|
||||
# would typically include the prime key of a get/update/delete
|
||||
# call.
|
||||
self.policy_api.enforce(context, creds, action, flatten(kwargs))
|
||||
self.policy_api.enforce(creds, action, flatten(kwargs))
|
||||
LOG.debug(_('RBAC: Authorization granted'))
|
||||
|
||||
return f(self, context, *args, **kwargs)
|
||||
|
@ -136,8 +135,7 @@ def filterprotected(*filters):
|
|||
for key in kwargs:
|
||||
target[key] = kwargs[key]
|
||||
|
||||
self.policy_api.enforce(context, creds, action,
|
||||
flatten(target))
|
||||
self.policy_api.enforce(creds, action, flatten(target))
|
||||
|
||||
LOG.debug(_('RBAC: Authorization granted'))
|
||||
else:
|
||||
|
@ -152,22 +150,18 @@ def filterprotected(*filters):
|
|||
class V2Controller(wsgi.Application):
|
||||
"""Base controller class for Identity API v2."""
|
||||
|
||||
def _delete_tokens_for_trust(self, context, user_id, trust_id):
|
||||
self.token_api.delete_tokens(context, user_id,
|
||||
trust_id=trust_id)
|
||||
def _delete_tokens_for_trust(self, user_id, trust_id):
|
||||
self.token_api.delete_tokens(user_id, trust_id=trust_id)
|
||||
|
||||
def _delete_tokens_for_user(self, context, user_id, project_id=None):
|
||||
def _delete_tokens_for_user(self, user_id, project_id=None):
|
||||
#First delete tokens that could get other tokens.
|
||||
self.token_api.delete_tokens(context,
|
||||
user_id,
|
||||
tenant_id=project_id)
|
||||
self.token_api.delete_tokens(user_id, tenant_id=project_id)
|
||||
|
||||
#delete tokens generated from trusts
|
||||
for trust in self.trust_api.list_trusts_for_trustee(context, user_id):
|
||||
self._delete_tokens_for_trust(context, user_id, trust['id'])
|
||||
for trust in self.trust_api.list_trusts_for_trustor(context, user_id):
|
||||
self._delete_tokens_for_trust(context,
|
||||
trust['trustee_user_id'],
|
||||
for trust in self.trust_api.list_trusts_for_trustee(user_id):
|
||||
self._delete_tokens_for_trust(user_id, trust['id'])
|
||||
for trust in self.trust_api.list_trusts_for_trustor(user_id):
|
||||
self._delete_tokens_for_trust(trust['trustee_user_id'],
|
||||
trust['id'])
|
||||
|
||||
def _require_attribute(self, ref, attr):
|
||||
|
@ -205,10 +199,10 @@ class V3Controller(V2Controller):
|
|||
collection_name = 'entities'
|
||||
member_name = 'entity'
|
||||
|
||||
def _delete_tokens_for_group(self, context, group_id):
|
||||
user_refs = self.identity_api.list_users_in_group(context, group_id)
|
||||
def _delete_tokens_for_group(self, group_id):
|
||||
user_refs = self.identity_api.list_users_in_group(group_id)
|
||||
for user in user_refs:
|
||||
self._delete_tokens_for_user(context, user['id'])
|
||||
self._delete_tokens_for_user(user['id'])
|
||||
|
||||
@classmethod
|
||||
def base_url(cls, path=None):
|
||||
|
|
|
@ -37,13 +37,10 @@ class Manager(object):
|
|||
|
||||
def __getattr__(self, name):
|
||||
"""Forward calls to the underlying driver."""
|
||||
# NOTE(termie): context is the first argument, we're going to strip
|
||||
# that for now, in the future we'll probably do some
|
||||
# logging and whatnot in this class
|
||||
f = getattr(self.driver, name)
|
||||
|
||||
@functools.wraps(f)
|
||||
def _wrapper(context, *args, **kw):
|
||||
def _wrapper(*args, **kw):
|
||||
return f(*args, **kw)
|
||||
setattr(self, name, _wrapper)
|
||||
return _wrapper
|
||||
|
|
|
@ -227,7 +227,7 @@ class Application(BaseApplication):
|
|||
if not context['is_admin']:
|
||||
try:
|
||||
user_token_ref = self.token_api.get_token(
|
||||
context=context, token_id=context['token_id'])
|
||||
token_id=context['token_id'])
|
||||
except exception.TokenNotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
|
@ -246,10 +246,10 @@ class Application(BaseApplication):
|
|||
raise exception.Unauthorized()
|
||||
|
||||
# NOTE(vish): this is pretty inefficient
|
||||
creds['roles'] = [self.identity_api.get_role(context, role)['name']
|
||||
creds['roles'] = [self.identity_api.get_role(role)['name']
|
||||
for role in creds.get('roles', [])]
|
||||
# Accept either is_admin or the admin role
|
||||
self.policy_api.enforce(context, creds, 'admin_required', {})
|
||||
self.policy_api.enforce(creds, 'admin_required', {})
|
||||
|
||||
|
||||
class Middleware(Application):
|
||||
|
|
|
@ -145,26 +145,20 @@ class Ec2Controller(controller.V2Controller):
|
|||
if 'access' not in credentials:
|
||||
raise exception.Unauthorized(message='EC2 signature not supplied.')
|
||||
|
||||
creds_ref = self._get_credentials(context,
|
||||
credentials['access'])
|
||||
creds_ref = self._get_credentials(credentials['access'])
|
||||
self.check_signature(creds_ref, credentials)
|
||||
|
||||
# TODO(termie): don't create new tokens every time
|
||||
# TODO(termie): this is copied from TokenController.authenticate
|
||||
token_id = uuid.uuid4().hex
|
||||
tenant_ref = self.identity_api.get_project(
|
||||
context=context,
|
||||
tenant_id=creds_ref['tenant_id'])
|
||||
user_ref = self.identity_api.get_user(
|
||||
context=context,
|
||||
user_id=creds_ref['user_id'])
|
||||
tenant_ref = self.identity_api.get_project(creds_ref['tenant_id'])
|
||||
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
||||
metadata_ref = self.identity_api.get_metadata(
|
||||
context=context,
|
||||
user_id=user_ref['id'],
|
||||
tenant_id=tenant_ref['id'])
|
||||
|
||||
# Validate that the auth info is valid and nothing is disabled
|
||||
token.validate_auth_info(self, context, user_ref, tenant_ref)
|
||||
token.validate_auth_info(self, user_ref, tenant_ref)
|
||||
|
||||
# TODO(termie): optimize this call at some point and put it into the
|
||||
# the return for metadata
|
||||
|
@ -172,20 +166,19 @@ class Ec2Controller(controller.V2Controller):
|
|||
roles = metadata_ref.get('roles', [])
|
||||
if not roles:
|
||||
raise exception.Unauthorized(message='User not valid for tenant.')
|
||||
roles_ref = [self.identity_api.get_role(context, role_id)
|
||||
roles_ref = [self.identity_api.get_role(role_id)
|
||||
for role_id in roles]
|
||||
|
||||
catalog_ref = self.catalog_api.get_catalog(
|
||||
context=context,
|
||||
user_id=user_ref['id'],
|
||||
tenant_id=tenant_ref['id'],
|
||||
metadata=metadata_ref)
|
||||
|
||||
token_ref = self.token_api.create_token(
|
||||
context, token_id, dict(id=token_id,
|
||||
user=user_ref,
|
||||
tenant=tenant_ref,
|
||||
metadata=metadata_ref))
|
||||
token_id, dict(id=token_id,
|
||||
user=user_ref,
|
||||
tenant=tenant_ref,
|
||||
metadata=metadata_ref))
|
||||
|
||||
# TODO(termie): i don't think the ec2 middleware currently expects a
|
||||
# full return, but it contains a note saying that it
|
||||
|
@ -207,14 +200,14 @@ class Ec2Controller(controller.V2Controller):
|
|||
if not self._is_admin(context):
|
||||
self._assert_identity(context, user_id)
|
||||
|
||||
self._assert_valid_user_id(context, user_id)
|
||||
self._assert_valid_project_id(context, tenant_id)
|
||||
self._assert_valid_user_id(user_id)
|
||||
self._assert_valid_project_id(tenant_id)
|
||||
|
||||
cred_ref = {'user_id': user_id,
|
||||
'tenant_id': tenant_id,
|
||||
'access': uuid.uuid4().hex,
|
||||
'secret': uuid.uuid4().hex}
|
||||
self.ec2_api.create_credential(context, cred_ref['access'], cred_ref)
|
||||
self.ec2_api.create_credential(cred_ref['access'], cred_ref)
|
||||
return {'credential': cred_ref}
|
||||
|
||||
def get_credentials(self, context, user_id):
|
||||
|
@ -226,8 +219,8 @@ class Ec2Controller(controller.V2Controller):
|
|||
"""
|
||||
if not self._is_admin(context):
|
||||
self._assert_identity(context, user_id)
|
||||
self._assert_valid_user_id(context, user_id)
|
||||
return {'credentials': self.ec2_api.list_credentials(context, user_id)}
|
||||
self._assert_valid_user_id(user_id)
|
||||
return {'credentials': self.ec2_api.list_credentials(user_id)}
|
||||
|
||||
def get_credential(self, context, user_id, credential_id):
|
||||
"""Retrieve a user's access/secret pair by the access key.
|
||||
|
@ -241,8 +234,8 @@ class Ec2Controller(controller.V2Controller):
|
|||
"""
|
||||
if not self._is_admin(context):
|
||||
self._assert_identity(context, user_id)
|
||||
self._assert_valid_user_id(context, user_id)
|
||||
creds = self._get_credentials(context, credential_id)
|
||||
self._assert_valid_user_id(user_id)
|
||||
creds = self._get_credentials(credential_id)
|
||||
return {'credential': creds}
|
||||
|
||||
def delete_credential(self, context, user_id, credential_id):
|
||||
|
@ -257,22 +250,20 @@ class Ec2Controller(controller.V2Controller):
|
|||
"""
|
||||
if not self._is_admin(context):
|
||||
self._assert_identity(context, user_id)
|
||||
self._assert_owner(context, user_id, credential_id)
|
||||
self._assert_owner(user_id, credential_id)
|
||||
|
||||
self._assert_valid_user_id(context, user_id)
|
||||
self._get_credentials(context, credential_id)
|
||||
return self.ec2_api.delete_credential(context, credential_id)
|
||||
self._assert_valid_user_id(user_id)
|
||||
self._get_credentials(credential_id)
|
||||
return self.ec2_api.delete_credential(credential_id)
|
||||
|
||||
def _get_credentials(self, context, credential_id):
|
||||
def _get_credentials(self, credential_id):
|
||||
"""Return credentials from an ID.
|
||||
|
||||
:param context: standard context
|
||||
:param credential_id: id of credential
|
||||
:raises exception.Unauthorized: when credential id is invalid
|
||||
:returns: credential: dict of ec2 credential.
|
||||
"""
|
||||
creds = self.ec2_api.get_credential(context,
|
||||
credential_id)
|
||||
creds = self.ec2_api.get_credential(credential_id)
|
||||
if not creds:
|
||||
raise exception.Unauthorized(message='EC2 access key not found.')
|
||||
return creds
|
||||
|
@ -286,9 +277,7 @@ class Ec2Controller(controller.V2Controller):
|
|||
|
||||
"""
|
||||
try:
|
||||
token_ref = self.token_api.get_token(
|
||||
context=context,
|
||||
token_id=context['token_id'])
|
||||
token_ref = self.token_api.get_token(context['token_id'])
|
||||
except exception.TokenNotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
|
@ -308,20 +297,19 @@ class Ec2Controller(controller.V2Controller):
|
|||
except exception.Forbidden:
|
||||
return False
|
||||
|
||||
def _assert_owner(self, context, user_id, credential_id):
|
||||
def _assert_owner(self, user_id, credential_id):
|
||||
"""Ensure the provided user owns the credential.
|
||||
|
||||
:param context: standard context
|
||||
:param user_id: expected credential owner
|
||||
:param credential_id: id of credential object
|
||||
:raises exception.Forbidden: on failure
|
||||
|
||||
"""
|
||||
cred_ref = self.ec2_api.get_credential(context, credential_id)
|
||||
cred_ref = self.ec2_api.get_credential(credential_id)
|
||||
if not user_id == cred_ref['user_id']:
|
||||
raise exception.Forbidden('Credential belongs to another user')
|
||||
|
||||
def _assert_valid_user_id(self, context, user_id):
|
||||
def _assert_valid_user_id(self, user_id):
|
||||
"""Ensure a valid user id.
|
||||
|
||||
:param context: standard context
|
||||
|
@ -329,13 +317,11 @@ class Ec2Controller(controller.V2Controller):
|
|||
:raises exception.UserNotFound: on failure
|
||||
|
||||
"""
|
||||
user_ref = self.identity_api.get_user(
|
||||
context=context,
|
||||
user_id=user_id)
|
||||
user_ref = self.identity_api.get_user(user_id)
|
||||
if not user_ref:
|
||||
raise exception.UserNotFound(user_id=user_id)
|
||||
|
||||
def _assert_valid_project_id(self, context, tenant_id):
|
||||
def _assert_valid_project_id(self, tenant_id):
|
||||
"""Ensure a valid tenant id.
|
||||
|
||||
:param context: standard context
|
||||
|
@ -343,8 +329,6 @@ class Ec2Controller(controller.V2Controller):
|
|||
:raises exception.ProjectNotFound: on failure
|
||||
|
||||
"""
|
||||
tenant_ref = self.identity_api.get_project(
|
||||
context=context,
|
||||
tenant_id=tenant_id)
|
||||
tenant_ref = self.identity_api.get_project(tenant_id)
|
||||
if not tenant_ref:
|
||||
raise exception.ProjectNotFound(project_id=tenant_id)
|
||||
|
|
|
@ -89,20 +89,20 @@ class StatsController(wsgi.Application):
|
|||
{
|
||||
'type': 'identity',
|
||||
'api': 'admin',
|
||||
'extra': self.stats_api.get_stats(context, 'admin'),
|
||||
'extra': self.stats_api.get_stats('admin'),
|
||||
},
|
||||
{
|
||||
'type': 'identity',
|
||||
'api': 'public',
|
||||
'extra': self.stats_api.get_stats(context, 'public'),
|
||||
'extra': self.stats_api.get_stats('public'),
|
||||
},
|
||||
]
|
||||
}
|
||||
|
||||
def reset_stats(self, context):
|
||||
self.assert_admin(context)
|
||||
self.stats_api.set_stats(context, 'public', dict())
|
||||
self.stats_api.set_stats(context, 'admin', dict())
|
||||
self.stats_api.set_stats('public', dict())
|
||||
self.stats_api.set_stats('admin', dict())
|
||||
|
||||
|
||||
class StatsMiddleware(wsgi.Middleware):
|
||||
|
@ -131,10 +131,8 @@ class StatsMiddleware(wsgi.Middleware):
|
|||
def capture_stats(self, host, obj, attributes):
|
||||
"""Collect each attribute from the given object."""
|
||||
for attribute in attributes:
|
||||
self.stats_api.increment_stat(None,
|
||||
self._resolve_api(host),
|
||||
attribute,
|
||||
getattr(obj, attribute))
|
||||
self.stats_api.increment_stat(
|
||||
self._resolve_api(host), attribute, getattr(obj, attribute))
|
||||
|
||||
def process_request(self, request):
|
||||
"""Monitor incoming request attributes."""
|
||||
|
|
|
@ -31,8 +31,7 @@ class UserController(identity.controllers.User):
|
|||
token_id = context.get('token_id')
|
||||
original_password = user.get('original_password')
|
||||
|
||||
token_ref = self.token_api.get_token(context=context,
|
||||
token_id=token_id)
|
||||
token_ref = self.token_api.get_token(token_id)
|
||||
user_id_from_token = token_ref['user']['id']
|
||||
|
||||
if user_id_from_token != user_id:
|
||||
|
@ -43,7 +42,6 @@ class UserController(identity.controllers.User):
|
|||
|
||||
try:
|
||||
user_ref = self.identity_api.authenticate(
|
||||
context=context,
|
||||
user_id=user_id_from_token,
|
||||
password=original_password)[0]
|
||||
if not user_ref.get('enabled', True):
|
||||
|
@ -63,8 +61,7 @@ class UserController(identity.controllers.User):
|
|||
token_id = uuid.uuid4().hex
|
||||
new_token_ref = copy.copy(token_ref)
|
||||
new_token_ref['id'] = token_id
|
||||
self.token_api.create_token(context=context, token_id=token_id,
|
||||
data=new_token_ref)
|
||||
self.token_api.create_token(token_id, new_token_ref)
|
||||
logging.debug('TOKEN_REF %s', new_token_ref)
|
||||
return {'access': {'token': new_token_ref}}
|
||||
|
||||
|
|
|
@ -24,29 +24,26 @@ class CredentialV3(controller.V3Controller):
|
|||
@controller.protected
|
||||
def create_credential(self, context, credential):
|
||||
ref = self._assign_unique_id(self._normalize_dict(credential))
|
||||
ref = self.credential_api.create_credential(context, ref['id'], ref)
|
||||
ref = self.credential_api.create_credential(ref['id'], ref)
|
||||
return CredentialV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def list_credentials(self, context):
|
||||
refs = self.credential_api.list_credentials(context)
|
||||
refs = self.credential_api.list_credentials()
|
||||
return CredentialV3.wrap_collection(context, refs)
|
||||
|
||||
@controller.protected
|
||||
def get_credential(self, context, credential_id):
|
||||
ref = self.credential_api.get_credential(context, credential_id)
|
||||
ref = self.credential_api.get_credential(credential_id)
|
||||
return CredentialV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_credential(self, context, credential_id, credential):
|
||||
self._require_matching_id(credential_id, credential)
|
||||
|
||||
ref = self.credential_api.update_credential(
|
||||
context,
|
||||
credential_id,
|
||||
credential)
|
||||
ref = self.credential_api.update_credential(credential_id, credential)
|
||||
return CredentialV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def delete_credential(self, context, credential_id):
|
||||
return self.credential_api.delete_credential(context, credential_id)
|
||||
return self.credential_api.delete_credential(credential_id)
|
||||
|
|
|
@ -39,7 +39,7 @@ class Tenant(controller.V2Controller):
|
|||
context, context['query_string'].get('name'))
|
||||
|
||||
self.assert_admin(context)
|
||||
tenant_refs = self.identity_api.list_projects(context)
|
||||
tenant_refs = self.identity_api.list_projects()
|
||||
for tenant_ref in tenant_refs:
|
||||
tenant_ref = self._filter_domain_id(tenant_ref)
|
||||
params = {
|
||||
|
@ -58,19 +58,16 @@ class Tenant(controller.V2Controller):
|
|||
|
||||
"""
|
||||
try:
|
||||
token_ref = self.token_api.get_token(context=context,
|
||||
token_id=context['token_id'])
|
||||
token_ref = self.token_api.get_token(context['token_id'])
|
||||
except exception.NotFound as e:
|
||||
LOG.warning('Authentication failed: %s' % e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
user_ref = token_ref['user']
|
||||
tenant_ids = self.identity_api.get_projects_for_user(
|
||||
context, user_ref['id'])
|
||||
tenant_ids = self.identity_api.get_projects_for_user(user_ref['id'])
|
||||
tenant_refs = []
|
||||
for tenant_id in tenant_ids:
|
||||
ref = self.identity_api.get_project(
|
||||
context=context, tenant_id=tenant_id)
|
||||
ref = self.identity_api.get_project(tenant_id)
|
||||
tenant_refs.append(self._filter_domain_id(ref))
|
||||
params = {
|
||||
'limit': context['query_string'].get('limit'),
|
||||
|
@ -81,13 +78,13 @@ class Tenant(controller.V2Controller):
|
|||
def get_project(self, context, tenant_id):
|
||||
# TODO(termie): this stuff should probably be moved to middleware
|
||||
self.assert_admin(context)
|
||||
ref = self.identity_api.get_project(context, tenant_id)
|
||||
ref = self.identity_api.get_project(tenant_id)
|
||||
return {'tenant': self._filter_domain_id(ref)}
|
||||
|
||||
def get_project_by_name(self, context, tenant_name):
|
||||
self.assert_admin(context)
|
||||
ref = self.identity_api.get_project_by_name(
|
||||
context, tenant_name, DEFAULT_DOMAIN_ID)
|
||||
tenant_name, DEFAULT_DOMAIN_ID)
|
||||
return {'tenant': self._filter_domain_id(ref)}
|
||||
|
||||
# CRUD Extension
|
||||
|
@ -101,7 +98,7 @@ class Tenant(controller.V2Controller):
|
|||
self.assert_admin(context)
|
||||
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
||||
tenant = self.identity_api.create_project(
|
||||
context, tenant_ref['id'],
|
||||
tenant_ref['id'],
|
||||
self._normalize_domain_id(context, tenant_ref))
|
||||
return {'tenant': self._filter_domain_id(tenant)}
|
||||
|
||||
|
@ -112,16 +109,16 @@ class Tenant(controller.V2Controller):
|
|||
clean_tenant = tenant.copy()
|
||||
clean_tenant.pop('domain_id', None)
|
||||
tenant_ref = self.identity_api.update_project(
|
||||
context, tenant_id, clean_tenant)
|
||||
tenant_id, clean_tenant)
|
||||
return {'tenant': tenant_ref}
|
||||
|
||||
def delete_project(self, context, tenant_id):
|
||||
self.assert_admin(context)
|
||||
self.identity_api.delete_project(context, tenant_id)
|
||||
self.identity_api.delete_project(tenant_id)
|
||||
|
||||
def get_project_users(self, context, tenant_id, **kw):
|
||||
self.assert_admin(context)
|
||||
user_refs = self.identity_api.get_project_users(context, tenant_id)
|
||||
user_refs = self.identity_api.get_project_users(tenant_id)
|
||||
for user_ref in user_refs:
|
||||
self._filter_domain_id(user_ref)
|
||||
return {'users': user_refs}
|
||||
|
@ -164,7 +161,7 @@ class Tenant(controller.V2Controller):
|
|||
class User(controller.V2Controller):
|
||||
def get_user(self, context, user_id):
|
||||
self.assert_admin(context)
|
||||
ref = self.identity_api.get_user(context, user_id)
|
||||
ref = self.identity_api.get_user(user_id)
|
||||
return {'user': self._filter_domain_id(ref)}
|
||||
|
||||
def get_users(self, context):
|
||||
|
@ -175,7 +172,7 @@ class User(controller.V2Controller):
|
|||
context, context['query_string'].get('name'))
|
||||
|
||||
self.assert_admin(context)
|
||||
user_list = self.identity_api.list_users(context)
|
||||
user_list = self.identity_api.list_users()
|
||||
for x in user_list:
|
||||
self._filter_domain_id(x)
|
||||
return {'users': user_list}
|
||||
|
@ -183,7 +180,7 @@ class User(controller.V2Controller):
|
|||
def get_user_by_name(self, context, user_name):
|
||||
self.assert_admin(context)
|
||||
ref = self.identity_api.get_user_by_name(
|
||||
context, user_name, DEFAULT_DOMAIN_ID)
|
||||
user_name, DEFAULT_DOMAIN_ID)
|
||||
return {'user': self._filter_domain_id(ref)}
|
||||
|
||||
# CRUD extension
|
||||
|
@ -200,17 +197,14 @@ class User(controller.V2Controller):
|
|||
|
||||
default_tenant_id = user.get('tenantId', None)
|
||||
if (default_tenant_id is not None
|
||||
and self.identity_api.get_project(context,
|
||||
default_tenant_id) is None):
|
||||
and self.identity_api.get_project(default_tenant_id) is None):
|
||||
raise exception.ProjectNotFound(project_id=default_tenant_id)
|
||||
user_id = uuid.uuid4().hex
|
||||
user_ref = self._normalize_domain_id(context, user.copy())
|
||||
user_ref['id'] = user_id
|
||||
new_user_ref = self.identity_api.create_user(
|
||||
context, user_id, user_ref)
|
||||
new_user_ref = self.identity_api.create_user(user_id, user_ref)
|
||||
if default_tenant_id:
|
||||
self.identity_api.add_user_to_project(context,
|
||||
default_tenant_id, user_id)
|
||||
self.identity_api.add_user_to_project(default_tenant_id, user_id)
|
||||
return {'user': self._filter_domain_id(new_user_ref)}
|
||||
|
||||
def update_user(self, context, user_id, user):
|
||||
|
@ -221,17 +215,17 @@ class User(controller.V2Controller):
|
|||
msg = 'Enabled field should be a boolean'
|
||||
raise exception.ValidationError(message=msg)
|
||||
|
||||
user_ref = self.identity_api.update_user(context, user_id, user)
|
||||
user_ref = self.identity_api.update_user(user_id, user)
|
||||
|
||||
if user.get('password') or not user.get('enabled', True):
|
||||
# If the password was changed or the user was disabled we clear tokens
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
return {'user': self._filter_domain_id(user_ref)}
|
||||
|
||||
def delete_user(self, context, user_id):
|
||||
self.assert_admin(context)
|
||||
self.identity_api.delete_user(context, user_id)
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self.identity_api.delete_user(user_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
def set_user_enabled(self, context, user_id, user):
|
||||
return self.update_user(context, user_id, user)
|
||||
|
@ -246,7 +240,7 @@ class User(controller.V2Controller):
|
|||
try:
|
||||
# ensure that we're a member of that tenant
|
||||
self.identity_api.add_user_to_project(
|
||||
context, user.get('tenantId'), user_id)
|
||||
user.get('tenantId'), user_id)
|
||||
except exception.Conflict:
|
||||
# we're already a member of that tenant
|
||||
pass
|
||||
|
@ -269,14 +263,14 @@ class Role(controller.V2Controller):
|
|||
'tenant ID required')
|
||||
|
||||
roles = self.identity_api.get_roles_for_user_and_project(
|
||||
context, user_id, tenant_id)
|
||||
return {'roles': [self.identity_api.get_role(context, x)
|
||||
user_id, tenant_id)
|
||||
return {'roles': [self.identity_api.get_role(x)
|
||||
for x in roles]}
|
||||
|
||||
# CRUD extension
|
||||
def get_role(self, context, role_id):
|
||||
self.assert_admin(context)
|
||||
return {'role': self.identity_api.get_role(context, role_id)}
|
||||
return {'role': self.identity_api.get_role(role_id)}
|
||||
|
||||
def create_role(self, context, role):
|
||||
role = self._normalize_dict(role)
|
||||
|
@ -288,16 +282,16 @@ class Role(controller.V2Controller):
|
|||
|
||||
role_id = uuid.uuid4().hex
|
||||
role['id'] = role_id
|
||||
role_ref = self.identity_api.create_role(context, role_id, role)
|
||||
role_ref = self.identity_api.create_role(role_id, role)
|
||||
return {'role': role_ref}
|
||||
|
||||
def delete_role(self, context, role_id):
|
||||
self.assert_admin(context)
|
||||
self.identity_api.delete_role(context, role_id)
|
||||
self.identity_api.delete_role(role_id)
|
||||
|
||||
def get_roles(self, context):
|
||||
self.assert_admin(context)
|
||||
return {'roles': self.identity_api.list_roles(context)}
|
||||
return {'roles': self.identity_api.list_roles()}
|
||||
|
||||
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
|
||||
"""Add a role to a user and tenant pair.
|
||||
|
@ -312,9 +306,9 @@ class Role(controller.V2Controller):
|
|||
'tenant_id required')
|
||||
|
||||
self.identity_api.add_role_to_user_and_project(
|
||||
context, user_id, tenant_id, role_id)
|
||||
user_id, tenant_id, role_id)
|
||||
|
||||
role_ref = self.identity_api.get_role(context, role_id)
|
||||
role_ref = self.identity_api.get_role(role_id)
|
||||
return {'role': role_ref}
|
||||
|
||||
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
|
||||
|
@ -332,8 +326,8 @@ class Role(controller.V2Controller):
|
|||
# This still has the weird legacy semantics that adding a role to
|
||||
# a user also adds them to a tenant, so we must follow up on that
|
||||
self.identity_api.remove_role_from_user_and_project(
|
||||
context, user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
# COMPAT(diablo): CRUD extension
|
||||
def get_role_refs(self, context, user_id):
|
||||
|
@ -347,12 +341,12 @@ class Role(controller.V2Controller):
|
|||
"""
|
||||
self.assert_admin(context)
|
||||
# Ensure user exists by getting it first.
|
||||
self.identity_api.get_user(context, user_id)
|
||||
tenant_ids = self.identity_api.get_projects_for_user(context, user_id)
|
||||
self.identity_api.get_user(user_id)
|
||||
tenant_ids = self.identity_api.get_projects_for_user(user_id)
|
||||
o = []
|
||||
for tenant_id in tenant_ids:
|
||||
role_ids = self.identity_api.get_roles_for_user_and_project(
|
||||
context, user_id, tenant_id)
|
||||
user_id, tenant_id)
|
||||
for role_id in role_ids:
|
||||
ref = {'roleId': role_id,
|
||||
'tenantId': tenant_id,
|
||||
|
@ -374,10 +368,10 @@ class Role(controller.V2Controller):
|
|||
tenant_id = role.get('tenantId')
|
||||
role_id = role.get('roleId')
|
||||
self.identity_api.add_role_to_user_and_project(
|
||||
context, user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
role_ref = self.identity_api.get_role(context, role_id)
|
||||
role_ref = self.identity_api.get_role(role_id)
|
||||
return {'role': role_ref}
|
||||
|
||||
# COMPAT(diablo): CRUD extension
|
||||
|
@ -398,8 +392,8 @@ class Role(controller.V2Controller):
|
|||
tenant_id = role_ref_ref.get('tenantId')[0]
|
||||
role_id = role_ref_ref.get('roleId')[0]
|
||||
self.identity_api.remove_role_from_user_and_project(
|
||||
context, user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
|
||||
class DomainV3(controller.V3Controller):
|
||||
|
@ -409,50 +403,47 @@ class DomainV3(controller.V3Controller):
|
|||
@controller.protected
|
||||
def create_domain(self, context, domain):
|
||||
ref = self._assign_unique_id(self._normalize_dict(domain))
|
||||
ref = self.identity_api.create_domain(context, ref['id'], ref)
|
||||
ref = self.identity_api.create_domain(ref['id'], ref)
|
||||
return DomainV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('enabled', 'name')
|
||||
def list_domains(self, context, filters):
|
||||
refs = self.identity_api.list_domains(context)
|
||||
refs = self.identity_api.list_domains()
|
||||
return DomainV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_domain(self, context, domain_id):
|
||||
ref = self.identity_api.get_domain(context, domain_id)
|
||||
ref = self.identity_api.get_domain(domain_id)
|
||||
return DomainV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_domain(self, context, domain_id, domain):
|
||||
self._require_matching_id(domain_id, domain)
|
||||
|
||||
ref = self.identity_api.update_domain(context, domain_id, domain)
|
||||
ref = self.identity_api.update_domain(domain_id, domain)
|
||||
|
||||
# disable owned users & projects when the API user specifically set
|
||||
# enabled=False
|
||||
# FIXME(dolph): need a driver call to directly revoke all tokens by
|
||||
# project or domain, regardless of user
|
||||
if not domain.get('enabled', True):
|
||||
projects = [x for x in self.identity_api.list_projects(context)
|
||||
projects = [x for x in self.identity_api.list_projects()
|
||||
if x.get('domain_id') == domain_id]
|
||||
for user in self.identity_api.list_users(context):
|
||||
for user in self.identity_api.list_users():
|
||||
# TODO(dolph): disable domain-scoped tokens
|
||||
"""
|
||||
self.token_api.revoke_tokens(
|
||||
context,
|
||||
user_id=user['id'],
|
||||
domain_id=domain_id)
|
||||
"""
|
||||
# revoke all tokens for users owned by this domain
|
||||
if user.get('domain_id') == domain_id:
|
||||
self._delete_tokens_for_user(
|
||||
context, user['id'])
|
||||
self._delete_tokens_for_user(user['id'])
|
||||
else:
|
||||
# only revoke tokens on projects owned by this domain
|
||||
for project in projects:
|
||||
self._delete_tokens_for_user(
|
||||
context, user['id'],
|
||||
project_id=project['id'])
|
||||
user['id'], project_id=project['id'])
|
||||
return DomainV3.wrap_member(context, ref)
|
||||
|
||||
def _delete_domain_contents(self, context, domain_id):
|
||||
|
@ -480,20 +471,20 @@ class DomainV3(controller.V3Controller):
|
|||
# users of a disabled domain are prevented from authenticating.
|
||||
# However there are some existing bugs in this area (e.g. 1130236).
|
||||
# Consider removing this code once these have been fixed.
|
||||
user_refs = self.identity_api.list_users(context)
|
||||
user_refs = self.identity_api.list_users()
|
||||
user_refs = [r for r in user_refs if r['domain_id'] == domain_id]
|
||||
for user in user_refs:
|
||||
if user['enabled']:
|
||||
user['enabled'] = False
|
||||
self.identity_api.update_user(context, user['id'], user)
|
||||
self._delete_tokens_for_user(context, user['id'])
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
self._delete_tokens_for_user(user['id'])
|
||||
|
||||
# Now, for safety, reload list of users, as well as projects, that are
|
||||
# owned by this domain.
|
||||
user_refs = self.identity_api.list_users(context)
|
||||
user_refs = self.identity_api.list_users()
|
||||
user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id]
|
||||
|
||||
proj_refs = self.identity_api.list_projects(context)
|
||||
proj_refs = self.identity_api.list_projects()
|
||||
proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id]
|
||||
|
||||
# First delete the projects themselves
|
||||
|
@ -502,7 +493,7 @@ class DomainV3(controller.V3Controller):
|
|||
project_cntl._delete_project(context, project)
|
||||
|
||||
# Get the list of groups owned by this domain and delete them
|
||||
group_refs = self.identity_api.list_groups(context)
|
||||
group_refs = self.identity_api.list_groups()
|
||||
group_ids = ([r['id'] for r in group_refs
|
||||
if r['domain_id'] == domain_id])
|
||||
group_cntl = GroupV3()
|
||||
|
@ -526,14 +517,14 @@ class DomainV3(controller.V3Controller):
|
|||
# has been previously disabled. This also prevents a user deleting
|
||||
# their own domain since, once it is disabled, they won't be able
|
||||
# to get a valid token to issue this delete.
|
||||
ref = self.identity_api.get_domain(context, domain_id)
|
||||
ref = self.identity_api.get_domain(domain_id)
|
||||
if ref['enabled']:
|
||||
raise exception.ForbiddenAction(
|
||||
action='delete a domain that is not disabled')
|
||||
|
||||
# OK, we are go for delete!
|
||||
self._delete_domain_contents(context, domain_id)
|
||||
return self.identity_api.delete_domain(context, domain_id)
|
||||
return self.identity_api.delete_domain(domain_id)
|
||||
|
||||
def _get_domain_by_name(self, context, domain_name):
|
||||
"""Get the domain via its unique name.
|
||||
|
@ -542,8 +533,7 @@ class DomainV3(controller.V3Controller):
|
|||
router as a public api.
|
||||
|
||||
"""
|
||||
ref = self.identity_api.get_domain_by_name(
|
||||
context, domain_name)
|
||||
ref = self.identity_api.get_domain_by_name(domain_name)
|
||||
return {'domain': ref}
|
||||
|
||||
|
||||
|
@ -555,40 +545,40 @@ class ProjectV3(controller.V3Controller):
|
|||
def create_project(self, context, project):
|
||||
ref = self._assign_unique_id(self._normalize_dict(project))
|
||||
ref = self._normalize_domain_id(context, ref)
|
||||
ref = self.identity_api.create_project(context, ref['id'], ref)
|
||||
ref = self.identity_api.create_project(ref['id'], ref)
|
||||
return ProjectV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'enabled', 'name')
|
||||
def list_projects(self, context, filters):
|
||||
refs = self.identity_api.list_projects(context)
|
||||
refs = self.identity_api.list_projects()
|
||||
return ProjectV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.filterprotected('enabled', 'name')
|
||||
def list_user_projects(self, context, filters, user_id):
|
||||
refs = self.identity_api.list_user_projects(context, user_id)
|
||||
refs = self.identity_api.list_user_projects(user_id)
|
||||
return ProjectV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_project(self, context, project_id):
|
||||
ref = self.identity_api.get_project(context, project_id)
|
||||
ref = self.identity_api.get_project(project_id)
|
||||
return ProjectV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_project(self, context, project_id, project):
|
||||
self._require_matching_id(project_id, project)
|
||||
|
||||
ref = self.identity_api.update_project(context, project_id, project)
|
||||
ref = self.identity_api.update_project(project_id, project)
|
||||
return ProjectV3.wrap_member(context, ref)
|
||||
|
||||
def _delete_project(self, context, project_id):
|
||||
# Delete any credentials that reference this project
|
||||
for cred in self.credential_api.list_credentials(context):
|
||||
for cred in self.credential_api.list_credentials():
|
||||
if cred['project_id'] == project_id:
|
||||
self.credential_api.delete_credential(context, cred['id'])
|
||||
self.credential_api.delete_credential(cred['id'])
|
||||
# Finally delete the project itself - the backend is
|
||||
# responsible for deleting any role assignments related
|
||||
# to this project
|
||||
return self.identity_api.delete_project(context, project_id)
|
||||
return self.identity_api.delete_project(project_id)
|
||||
|
||||
@controller.protected
|
||||
def delete_project(self, context, project_id):
|
||||
|
@ -603,66 +593,63 @@ class UserV3(controller.V3Controller):
|
|||
def create_user(self, context, user):
|
||||
ref = self._assign_unique_id(self._normalize_dict(user))
|
||||
ref = self._normalize_domain_id(context, ref)
|
||||
ref = self.identity_api.create_user(context, ref['id'], ref)
|
||||
ref = self.identity_api.create_user(ref['id'], ref)
|
||||
return UserV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'email', 'enabled', 'name')
|
||||
def list_users(self, context, filters):
|
||||
refs = self.identity_api.list_users(context)
|
||||
refs = self.identity_api.list_users()
|
||||
return UserV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.filterprotected('domain_id', 'email', 'enabled', 'name')
|
||||
def list_users_in_group(self, context, filters, group_id):
|
||||
refs = self.identity_api.list_users_in_group(context, group_id)
|
||||
refs = self.identity_api.list_users_in_group(group_id)
|
||||
return UserV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_user(self, context, user_id):
|
||||
ref = self.identity_api.get_user(context, user_id)
|
||||
ref = self.identity_api.get_user(user_id)
|
||||
return UserV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_user(self, context, user_id, user):
|
||||
self._require_matching_id(user_id, user)
|
||||
ref = self.identity_api.update_user(context, user_id, user)
|
||||
ref = self.identity_api.update_user(user_id, user)
|
||||
|
||||
if user.get('password') or not user.get('enabled', True):
|
||||
# revoke all tokens owned by this user
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
return UserV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def add_user_to_group(self, context, user_id, group_id):
|
||||
self.identity_api.add_user_to_group(
|
||||
context, user_id, group_id)
|
||||
self.identity_api.add_user_to_group(user_id, group_id)
|
||||
# Delete any tokens so that group membership can have an
|
||||
# immediate effect
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
@controller.protected
|
||||
def check_user_in_group(self, context, user_id, group_id):
|
||||
return self.identity_api.check_user_in_group(context,
|
||||
user_id, group_id)
|
||||
return self.identity_api.check_user_in_group(user_id, group_id)
|
||||
|
||||
@controller.protected
|
||||
def remove_user_from_group(self, context, user_id, group_id):
|
||||
self.identity_api.remove_user_from_group(
|
||||
context, user_id, group_id)
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self.identity_api.remove_user_from_group(user_id, group_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
|
||||
def _delete_user(self, context, user_id):
|
||||
# Delete any credentials that reference this user
|
||||
for cred in self.credential_api.list_credentials(context):
|
||||
for cred in self.credential_api.list_credentials():
|
||||
if cred['user_id'] == user_id:
|
||||
self.credential_api.delete_credential(context, cred['id'])
|
||||
self.credential_api.delete_credential(cred['id'])
|
||||
|
||||
# Make sure any tokens are marked as deleted
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
# Finally delete the user itself - the backend is
|
||||
# responsible for deleting any role assignments related
|
||||
# to this user
|
||||
return self.identity_api.delete_user(context, user_id)
|
||||
return self.identity_api.delete_user(user_id)
|
||||
|
||||
@controller.protected
|
||||
def delete_user(self, context, user_id):
|
||||
|
@ -677,29 +664,29 @@ class GroupV3(controller.V3Controller):
|
|||
def create_group(self, context, group):
|
||||
ref = self._assign_unique_id(self._normalize_dict(group))
|
||||
ref = self._normalize_domain_id(context, ref)
|
||||
ref = self.identity_api.create_group(context, ref['id'], ref)
|
||||
ref = self.identity_api.create_group(ref['id'], ref)
|
||||
return GroupV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'name')
|
||||
def list_groups(self, context, filters):
|
||||
refs = self.identity_api.list_groups(context)
|
||||
refs = self.identity_api.list_groups()
|
||||
return GroupV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.filterprotected('name')
|
||||
def list_groups_for_user(self, context, filters, user_id):
|
||||
refs = self.identity_api.list_groups_for_user(context, user_id)
|
||||
refs = self.identity_api.list_groups_for_user(user_id)
|
||||
return GroupV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_group(self, context, group_id):
|
||||
ref = self.identity_api.get_group(context, group_id)
|
||||
ref = self.identity_api.get_group(group_id)
|
||||
return GroupV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_group(self, context, group_id, group):
|
||||
self._require_matching_id(group_id, group)
|
||||
|
||||
ref = self.identity_api.update_group(context, group_id, group)
|
||||
ref = self.identity_api.update_group(group_id, group)
|
||||
return GroupV3.wrap_member(context, ref)
|
||||
|
||||
def _delete_group(self, context, group_id):
|
||||
|
@ -709,10 +696,10 @@ class GroupV3(controller.V3Controller):
|
|||
# deletion, so that we can remove these tokens after we know
|
||||
# the group deletion succeeded.
|
||||
|
||||
user_refs = self.identity_api.list_users_in_group(context, group_id)
|
||||
self.identity_api.delete_group(context, group_id)
|
||||
user_refs = self.identity_api.list_users_in_group(group_id)
|
||||
self.identity_api.delete_group(group_id)
|
||||
for user in user_refs:
|
||||
self._delete_tokens_for_user(context, user['id'])
|
||||
self._delete_tokens_for_user(user['id'])
|
||||
|
||||
@controller.protected
|
||||
def delete_group(self, context, group_id):
|
||||
|
@ -726,29 +713,29 @@ class RoleV3(controller.V3Controller):
|
|||
@controller.protected
|
||||
def create_role(self, context, role):
|
||||
ref = self._assign_unique_id(self._normalize_dict(role))
|
||||
ref = self.identity_api.create_role(context, ref['id'], ref)
|
||||
ref = self.identity_api.create_role(ref['id'], ref)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('name')
|
||||
def list_roles(self, context, filters):
|
||||
refs = self.identity_api.list_roles(context)
|
||||
refs = self.identity_api.list_roles()
|
||||
return RoleV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_role(self, context, role_id):
|
||||
ref = self.identity_api.get_role(context, role_id)
|
||||
ref = self.identity_api.get_role(role_id)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_role(self, context, role_id, role):
|
||||
self._require_matching_id(role_id, role)
|
||||
|
||||
ref = self.identity_api.update_role(context, role_id, role)
|
||||
ref = self.identity_api.update_role(role_id, role)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def delete_role(self, context, role_id):
|
||||
return self.identity_api.delete_role(context, role_id)
|
||||
return self.identity_api.delete_role(role_id)
|
||||
|
||||
def _require_domain_xor_project(self, domain_id, project_id):
|
||||
if (domain_id and project_id) or (not domain_id and not project_id):
|
||||
|
@ -768,7 +755,7 @@ class RoleV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
self.identity_api.create_grant(
|
||||
context, role_id, user_id, group_id, domain_id, project_id)
|
||||
role_id, user_id, group_id, domain_id, project_id)
|
||||
|
||||
@controller.protected
|
||||
def list_grants(self, context, user_id=None, group_id=None,
|
||||
|
@ -778,7 +765,7 @@ class RoleV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
refs = self.identity_api.list_grants(
|
||||
context, user_id, group_id, domain_id, project_id)
|
||||
user_id, group_id, domain_id, project_id)
|
||||
return RoleV3.wrap_collection(context, refs)
|
||||
|
||||
@controller.protected
|
||||
|
@ -789,7 +776,7 @@ class RoleV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
self.identity_api.get_grant(
|
||||
context, role_id, user_id, group_id, domain_id, project_id)
|
||||
role_id, user_id, group_id, domain_id, project_id)
|
||||
|
||||
@controller.protected
|
||||
def revoke_grant(self, context, role_id, user_id=None, group_id=None,
|
||||
|
@ -799,11 +786,11 @@ class RoleV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
self.identity_api.delete_grant(
|
||||
context, role_id, user_id, group_id, domain_id, project_id)
|
||||
role_id, user_id, group_id, domain_id, project_id)
|
||||
|
||||
# Now delete any tokens for this user or, in the case of a group,
|
||||
# tokens from all the uses who are members of this group.
|
||||
if user_id:
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
self._delete_tokens_for_user(user_id)
|
||||
else:
|
||||
self._delete_tokens_for_group(context, group_id)
|
||||
self._delete_tokens_for_group(group_id)
|
||||
|
|
|
@ -63,8 +63,7 @@ class Manager(manager.Manager):
|
|||
def __init__(self):
|
||||
super(Manager, self).__init__(CONF.identity.driver)
|
||||
|
||||
def authenticate(self, context, user_id=None,
|
||||
tenant_id=None, password=None):
|
||||
def authenticate(self, user_id=None, tenant_id=None, password=None):
|
||||
"""Authenticate a given user and password and
|
||||
authorize them for a tenant.
|
||||
:returns: (user_ref, tenant_ref, metadata_ref)
|
||||
|
@ -73,14 +72,14 @@ class Manager(manager.Manager):
|
|||
user_ref = self.driver.authenticate_user(user_id, password)
|
||||
return self.driver.authorize_for_project(user_ref, tenant_id)
|
||||
|
||||
def create_user(self, context, user_id, user_ref):
|
||||
def create_user(self, user_id, user_ref):
|
||||
user = user_ref.copy()
|
||||
user['name'] = clean.user_name(user['name'])
|
||||
user.setdefault('enabled', True)
|
||||
user['enabled'] = clean.user_enabled(user['enabled'])
|
||||
return self.driver.create_user(user_id, user)
|
||||
|
||||
def update_user(self, context, user_id, user_ref):
|
||||
def update_user(self, user_id, user_ref):
|
||||
user = user_ref.copy()
|
||||
if 'name' in user:
|
||||
user['name'] = clean.user_name(user['name'])
|
||||
|
@ -88,19 +87,19 @@ class Manager(manager.Manager):
|
|||
user['enabled'] = clean.user_enabled(user['enabled'])
|
||||
return self.driver.update_user(user_id, user)
|
||||
|
||||
def create_group(self, context, group_id, group_ref):
|
||||
def create_group(self, group_id, group_ref):
|
||||
group = group_ref.copy()
|
||||
group.setdefault('description', '')
|
||||
return self.driver.create_group(group_id, group)
|
||||
|
||||
def create_project(self, context, tenant_id, tenant_ref):
|
||||
def create_project(self, tenant_id, tenant_ref):
|
||||
tenant = tenant_ref.copy()
|
||||
tenant.setdefault('enabled', True)
|
||||
tenant['enabled'] = clean.project_enabled(tenant['enabled'])
|
||||
tenant.setdefault('description', '')
|
||||
return self.driver.create_project(tenant_id, tenant)
|
||||
|
||||
def update_project(self, context, tenant_id, tenant_ref):
|
||||
def update_project(self, tenant_id, tenant_ref):
|
||||
tenant = tenant_ref.copy()
|
||||
if 'enabled' in tenant:
|
||||
tenant['enabled'] = clean.project_enabled(tenant['enabled'])
|
||||
|
|
|
@ -27,24 +27,24 @@ class PolicyV3(controller.V3Controller):
|
|||
self._require_attribute(ref, 'blob')
|
||||
self._require_attribute(ref, 'type')
|
||||
|
||||
ref = self.policy_api.create_policy(context, ref['id'], ref)
|
||||
ref = self.policy_api.create_policy(ref['id'], ref)
|
||||
return PolicyV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('type')
|
||||
def list_policies(self, context, filters):
|
||||
refs = self.policy_api.list_policies(context)
|
||||
refs = self.policy_api.list_policies()
|
||||
return PolicyV3.wrap_collection(context, refs, filters)
|
||||
|
||||
@controller.protected
|
||||
def get_policy(self, context, policy_id):
|
||||
ref = self.policy_api.get_policy(context, policy_id)
|
||||
ref = self.policy_api.get_policy(policy_id)
|
||||
return PolicyV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def update_policy(self, context, policy_id, policy):
|
||||
ref = self.policy_api.update_policy(context, policy_id, policy)
|
||||
ref = self.policy_api.update_policy(policy_id, policy)
|
||||
return PolicyV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected
|
||||
def delete_policy(self, context, policy_id):
|
||||
return self.policy_api.delete_policy(context, policy_id)
|
||||
return self.policy_api.delete_policy(policy_id)
|
||||
|
|
|
@ -38,13 +38,13 @@ class Manager(manager.Manager):
|
|||
def __init__(self):
|
||||
super(Manager, self).__init__(CONF.policy.driver)
|
||||
|
||||
def get_policy(self, context, policy_id):
|
||||
def get_policy(self, policy_id):
|
||||
try:
|
||||
return self.driver.get_policy(policy_id)
|
||||
except exception.NotFound:
|
||||
raise exception.PolicyNotFound(policy_id=policy_id)
|
||||
|
||||
def update_policy(self, context, policy_id, policy):
|
||||
def update_policy(self, policy_id, policy):
|
||||
if 'id' in policy and policy_id != policy['id']:
|
||||
raise exception.ValidationError('Cannot change policy ID')
|
||||
try:
|
||||
|
@ -52,7 +52,7 @@ class Manager(manager.Manager):
|
|||
except exception.NotFound:
|
||||
raise exception.PolicyNotFound(policy_id=policy_id)
|
||||
|
||||
def delete_policy(self, context, policy_id):
|
||||
def delete_policy(self, policy_id):
|
||||
try:
|
||||
return self.driver.delete_policy(policy_id)
|
||||
except exception.NotFound:
|
||||
|
|
|
@ -80,7 +80,7 @@ class Auth(controller.V2Controller):
|
|||
context, auth)
|
||||
|
||||
user_ref, tenant_ref, metadata_ref, expiry = auth_info
|
||||
core.validate_auth_info(self, context, user_ref, tenant_ref)
|
||||
core.validate_auth_info(self, user_ref, tenant_ref)
|
||||
trust_id = metadata_ref.get('trust_id')
|
||||
user_ref = self._filter_domain_id(user_ref)
|
||||
if tenant_ref:
|
||||
|
@ -92,7 +92,6 @@ class Auth(controller.V2Controller):
|
|||
|
||||
if tenant_ref:
|
||||
catalog_ref = self.catalog_api.get_catalog(
|
||||
context=context,
|
||||
user_id=user_ref['id'],
|
||||
tenant_id=tenant_ref['id'],
|
||||
metadata=metadata_ref)
|
||||
|
@ -103,7 +102,7 @@ class Auth(controller.V2Controller):
|
|||
|
||||
roles_ref = []
|
||||
for role_id in metadata_ref.get('roles', []):
|
||||
role_ref = self.identity_api.get_role(context, role_id)
|
||||
role_ref = self.identity_api.get_role(role_id)
|
||||
roles_ref.append(dict(name=role_ref['name']))
|
||||
|
||||
token_data = Auth.format_token(auth_token_data, roles_ref)
|
||||
|
@ -128,19 +127,19 @@ class Auth(controller.V2Controller):
|
|||
CONF.signing.token_format)
|
||||
try:
|
||||
self.token_api.create_token(
|
||||
context, token_id, dict(key=token_id,
|
||||
id=token_id,
|
||||
expires=auth_token_data['expires'],
|
||||
user=user_ref,
|
||||
tenant=tenant_ref,
|
||||
metadata=metadata_ref,
|
||||
trust_id=trust_id))
|
||||
token_id, dict(key=token_id,
|
||||
id=token_id,
|
||||
expires=auth_token_data['expires'],
|
||||
user=user_ref,
|
||||
tenant=tenant_ref,
|
||||
metadata=metadata_ref,
|
||||
trust_id=trust_id))
|
||||
except Exception:
|
||||
exc_info = sys.exc_info()
|
||||
# an identical token may have been created already.
|
||||
# if so, return the token_data as it is also identical
|
||||
try:
|
||||
self.token_api.get_token(context=context, token_id=token_id)
|
||||
self.token_api.get_token(token_id)
|
||||
except exception.TokenNotFound:
|
||||
raise exc_info[0], exc_info[1], exc_info[2]
|
||||
|
||||
|
@ -167,8 +166,7 @@ class Auth(controller.V2Controller):
|
|||
size=CONF.max_token_size)
|
||||
|
||||
try:
|
||||
old_token_ref = self.token_api.get_token(context=context,
|
||||
token_id=old_token)
|
||||
old_token_ref = self.token_api.get_token(old_token)
|
||||
except exception.NotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
|
@ -183,7 +181,7 @@ class Auth(controller.V2Controller):
|
|||
if not CONF.trust.enabled and 'trust_id' in auth:
|
||||
raise exception.Forbidden('Trusts are disabled.')
|
||||
elif CONF.trust.enabled and 'trust_id' in auth:
|
||||
trust_ref = self.trust_api.get_trust(context, auth['trust_id'])
|
||||
trust_ref = self.trust_api.get_trust(auth['trust_id'])
|
||||
if trust_ref is None:
|
||||
raise exception.Forbidden()
|
||||
if user_id != trust_ref['trustee_user_id']:
|
||||
|
@ -193,13 +191,12 @@ class Auth(controller.V2Controller):
|
|||
if expiry < timeutils.parse_isotime(timeutils.isotime()):
|
||||
raise exception.Forbidden()()
|
||||
user_id = trust_ref['trustor_user_id']
|
||||
trustor_user_ref = (self.identity_api.get_user(
|
||||
context=context,
|
||||
user_id=trust_ref['trustor_user_id']))
|
||||
trustor_user_ref = self.identity_api.get_user(
|
||||
trust_ref['trustor_user_id'])
|
||||
if not trustor_user_ref['enabled']:
|
||||
raise exception.Forbidden()()
|
||||
trustee_user_ref = self.identity_api.get_user(
|
||||
context, trust_ref['trustee_user_id'])
|
||||
trust_ref['trustee_user_id'])
|
||||
if not trustee_user_ref['enabled']:
|
||||
raise exception.Forbidden()()
|
||||
if trust_ref['impersonation'] == 'True':
|
||||
|
@ -208,13 +205,12 @@ class Auth(controller.V2Controller):
|
|||
current_user_ref = trustee_user_ref
|
||||
|
||||
else:
|
||||
current_user_ref = self.identity_api.get_user(context=context,
|
||||
user_id=user_id)
|
||||
current_user_ref = self.identity_api.get_user(user_id)
|
||||
|
||||
tenant_id = self._get_project_id_from_auth(context, auth)
|
||||
tenant_id = self._get_project_id_from_auth(auth)
|
||||
|
||||
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
|
||||
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
|
||||
tenant_ref = self._get_project_ref(user_id, tenant_id)
|
||||
metadata_ref = self._get_metadata_ref(user_id, tenant_id)
|
||||
|
||||
# TODO(henry-nash): If no tenant was specified, instead check for a
|
||||
# domain and find any related user/group roles
|
||||
|
@ -282,17 +278,15 @@ class Auth(controller.V2Controller):
|
|||
if username:
|
||||
try:
|
||||
user_ref = self.identity_api.get_user_by_name(
|
||||
context=context, user_name=username,
|
||||
domain_id=DEFAULT_DOMAIN_ID)
|
||||
username, DEFAULT_DOMAIN_ID)
|
||||
user_id = user_ref['id']
|
||||
except exception.UserNotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
tenant_id = self._get_project_id_from_auth(context, auth)
|
||||
tenant_id = self._get_project_id_from_auth(auth)
|
||||
|
||||
try:
|
||||
auth_info = self.identity_api.authenticate(
|
||||
context=context,
|
||||
user_id=user_id,
|
||||
password=password,
|
||||
tenant_id=tenant_id)
|
||||
|
@ -325,16 +319,15 @@ class Auth(controller.V2Controller):
|
|||
username = context['REMOTE_USER']
|
||||
try:
|
||||
user_ref = self.identity_api.get_user_by_name(
|
||||
context=context, user_name=username,
|
||||
domain_id=DEFAULT_DOMAIN_ID)
|
||||
username, DEFAULT_DOMAIN_ID)
|
||||
user_id = user_ref['id']
|
||||
except exception.UserNotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
|
||||
tenant_id = self._get_project_id_from_auth(context, auth)
|
||||
tenant_id = self._get_project_id_from_auth(auth)
|
||||
|
||||
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
|
||||
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
|
||||
tenant_ref = self._get_project_ref(user_id, tenant_id)
|
||||
metadata_ref = self._get_metadata_ref(user_id, tenant_id)
|
||||
|
||||
# TODO(henry-nash): If no tenant was specified, instead check for a
|
||||
# domain and find any related user/group roles
|
||||
|
@ -352,7 +345,7 @@ class Auth(controller.V2Controller):
|
|||
metadata=metadata,
|
||||
expires=expiry)
|
||||
|
||||
def _get_project_id_from_auth(self, context, auth):
|
||||
def _get_project_id_from_auth(self, auth):
|
||||
"""Extract tenant information from auth dict.
|
||||
|
||||
Returns a valid tenant_id if it exists, or None if not specified.
|
||||
|
@ -370,14 +363,13 @@ class Auth(controller.V2Controller):
|
|||
if tenant_name:
|
||||
try:
|
||||
tenant_ref = self.identity_api.get_project_by_name(
|
||||
context=context, tenant_name=tenant_name,
|
||||
domain_id=DEFAULT_DOMAIN_ID)
|
||||
tenant_name, DEFAULT_DOMAIN_ID)
|
||||
tenant_id = tenant_ref['id']
|
||||
except exception.ProjectNotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
return tenant_id
|
||||
|
||||
def _get_domain_id_from_auth(self, context, auth):
|
||||
def _get_domain_id_from_auth(self, auth):
|
||||
"""Extract domain information from v3 auth dict.
|
||||
|
||||
Returns a valid domain_id if it exists, or None if not specified.
|
||||
|
@ -390,17 +382,17 @@ class Auth(controller.V2Controller):
|
|||
if domain_name:
|
||||
try:
|
||||
domain_ref = self.identity_api._get_domain_by_name(
|
||||
context=context, domain_name=domain_name)
|
||||
domain_name)
|
||||
domain_id = domain_ref['id']
|
||||
except exception.DomainNotFound as e:
|
||||
raise exception.Unauthorized(e)
|
||||
return domain_id
|
||||
|
||||
def _get_project_ref(self, context, user_id, tenant_id):
|
||||
def _get_project_ref(self, user_id, tenant_id):
|
||||
"""Returns the tenant_ref for the user's tenant."""
|
||||
tenant_ref = None
|
||||
if tenant_id:
|
||||
tenants = self.identity_api.get_projects_for_user(context, user_id)
|
||||
tenants = self.identity_api.get_projects_for_user(user_id)
|
||||
if tenant_id not in tenants:
|
||||
msg = 'User %s is unauthorized for tenant %s' % (
|
||||
user_id, tenant_id)
|
||||
|
@ -408,21 +400,20 @@ class Auth(controller.V2Controller):
|
|||
raise exception.Unauthorized(msg)
|
||||
|
||||
try:
|
||||
tenant_ref = self.identity_api.get_project(context=context,
|
||||
tenant_id=tenant_id)
|
||||
tenant_ref = self.identity_api.get_project(tenant_id)
|
||||
except exception.ProjectNotFound as e:
|
||||
exception.Unauthorized(e)
|
||||
return tenant_ref
|
||||
|
||||
def _get_metadata_ref(self, context, user_id=None, tenant_id=None,
|
||||
domain_id=None, group_id=None):
|
||||
def _get_metadata_ref(self, user_id=None, tenant_id=None, domain_id=None,
|
||||
group_id=None):
|
||||
"""Returns metadata_ref for a user or group in a tenant or domain."""
|
||||
|
||||
metadata_ref = {}
|
||||
if (user_id or group_id) and (tenant_id or domain_id):
|
||||
try:
|
||||
metadata_ref = self.identity_api.get_metadata(
|
||||
context=context, user_id=user_id, tenant_id=tenant_id,
|
||||
user_id=user_id, tenant_id=tenant_id,
|
||||
domain_id=domain_id, group_id=group_id)
|
||||
except exception.MetadataNotFound:
|
||||
pass
|
||||
|
@ -431,14 +422,11 @@ class Auth(controller.V2Controller):
|
|||
def _get_group_metadata_ref(self, context, user_id,
|
||||
tenant_id=None, domain_id=None):
|
||||
"""Return any metadata for this project/domain due to group grants."""
|
||||
group_refs = self.identity_api.list_groups_for_user(context=context,
|
||||
user_id=user_id)
|
||||
group_refs = self.identity_api.list_groups_for_user(user_id)
|
||||
metadata_ref = {}
|
||||
for x in group_refs:
|
||||
metadata_ref.update(self._get_metadata_ref(context,
|
||||
group_id=x['id'],
|
||||
tenant_id=tenant_id,
|
||||
domain_id=domain_id))
|
||||
metadata_ref.update(self._get_metadata_ref(
|
||||
group_id=x['id'], tenant_id=tenant_id, domain_id=domain_id))
|
||||
return metadata_ref
|
||||
|
||||
def _append_roles(self, metadata, additional_metadata):
|
||||
|
@ -452,14 +440,13 @@ class Auth(controller.V2Controller):
|
|||
second = set(additional_metadata.get('roles', []))
|
||||
metadata['roles'] = list(first.union(second))
|
||||
|
||||
def _get_token_ref(self, context, token_id, belongs_to=None):
|
||||
def _get_token_ref(self, token_id, belongs_to=None):
|
||||
"""Returns a token if a valid one exists.
|
||||
|
||||
Optionally, limited to a token owned by a specific tenant.
|
||||
|
||||
"""
|
||||
data = self.token_api.get_token(context=context,
|
||||
token_id=token_id)
|
||||
data = self.token_api.get_token(token_id)
|
||||
if belongs_to:
|
||||
if data.get('tenant') is None:
|
||||
raise exception.Unauthorized(
|
||||
|
@ -469,7 +456,7 @@ class Auth(controller.V2Controller):
|
|||
_('Token does not belong to specified tenant.'))
|
||||
return data
|
||||
|
||||
def _assert_default_domain(self, context, token_ref):
|
||||
def _assert_default_domain(self, token_ref):
|
||||
"""Make sure we are operating on default domain only."""
|
||||
if token_ref.get('token_data'):
|
||||
# this is a V3 token
|
||||
|
@ -494,18 +481,17 @@ class Auth(controller.V2Controller):
|
|||
# must also be in the default domain
|
||||
metadata_ref = token_ref['metadata']
|
||||
if CONF.trust.enabled and 'trust_id' in metadata_ref:
|
||||
trust_ref = self.trust_api.get_trust(context,
|
||||
metadata_ref['trust_id'])
|
||||
trust_ref = self.trust_api.get_trust(metadata_ref['trust_id'])
|
||||
trustee_user_ref = self.identity_api.get_user(
|
||||
context, trust_ref['trustee_user_id'])
|
||||
trust_ref['trustee_user_id'])
|
||||
if trustee_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
||||
raise exception.Unauthorized(msg)
|
||||
trustor_user_ref = self.identity_api.get_user(
|
||||
context, trust_ref['trustor_user_id'])
|
||||
trust_ref['trustor_user_id'])
|
||||
if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
||||
raise exception.Unauthorized(msg)
|
||||
project_ref = self.identity_api.get_project(
|
||||
context, trust_ref['project_id'])
|
||||
trust_ref['project_id'])
|
||||
if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
||||
raise exception.Unauthorized(msg)
|
||||
|
||||
|
@ -519,9 +505,9 @@ class Auth(controller.V2Controller):
|
|||
|
||||
"""
|
||||
belongs_to = context['query_string'].get('belongsTo')
|
||||
token_ref = self._get_token_ref(context, token_id, belongs_to)
|
||||
token_ref = self._get_token_ref(token_id, belongs_to)
|
||||
assert token_ref
|
||||
self._assert_default_domain(context, token_ref)
|
||||
self._assert_default_domain(token_ref)
|
||||
|
||||
@controller.protected
|
||||
def validate_token(self, context, token_id):
|
||||
|
@ -533,8 +519,8 @@ class Auth(controller.V2Controller):
|
|||
|
||||
"""
|
||||
belongs_to = context['query_string'].get('belongsTo')
|
||||
token_ref = self._get_token_ref(context, token_id, belongs_to)
|
||||
self._assert_default_domain(context, token_ref)
|
||||
token_ref = self._get_token_ref(token_id, belongs_to)
|
||||
self._assert_default_domain(token_ref)
|
||||
|
||||
# TODO(termie): optimize this call at some point and put it into the
|
||||
# the return for metadata
|
||||
|
@ -542,14 +528,13 @@ class Auth(controller.V2Controller):
|
|||
metadata_ref = token_ref['metadata']
|
||||
roles_ref = []
|
||||
for role_id in metadata_ref.get('roles', []):
|
||||
roles_ref.append(self.identity_api.get_role(context, role_id))
|
||||
roles_ref.append(self.identity_api.get_role(role_id))
|
||||
|
||||
# Get a service catalog if possible
|
||||
# This is needed for on-behalf-of requests
|
||||
catalog_ref = None
|
||||
if token_ref.get('tenant'):
|
||||
catalog_ref = self.catalog_api.get_catalog(
|
||||
context=context,
|
||||
user_id=token_ref['user']['id'],
|
||||
tenant_id=token_ref['tenant']['id'],
|
||||
metadata=metadata_ref)
|
||||
|
@ -559,11 +544,11 @@ class Auth(controller.V2Controller):
|
|||
"""Delete a token, effectively invalidating it for authz."""
|
||||
# TODO(termie): this stuff should probably be moved to middleware
|
||||
self.assert_admin(context)
|
||||
self.token_api.delete_token(context=context, token_id=token_id)
|
||||
self.token_api.delete_token(token_id)
|
||||
|
||||
@controller.protected
|
||||
def revocation_list(self, context, auth=None):
|
||||
tokens = self.token_api.list_revoked_tokens(context)
|
||||
tokens = self.token_api.list_revoked_tokens()
|
||||
|
||||
for t in tokens:
|
||||
expires = t['expires']
|
||||
|
@ -581,12 +566,11 @@ class Auth(controller.V2Controller):
|
|||
"""Return a list of endpoints available to the token."""
|
||||
self.assert_admin(context)
|
||||
|
||||
token_ref = self._get_token_ref(context, token_id)
|
||||
token_ref = self._get_token_ref(token_id)
|
||||
|
||||
catalog_ref = None
|
||||
if token_ref.get('tenant'):
|
||||
catalog_ref = self.catalog_api.get_catalog(
|
||||
context=context,
|
||||
user_id=token_ref['user']['id'],
|
||||
tenant_id=token_ref['tenant']['id'],
|
||||
metadata=token_ref['metadata'])
|
||||
|
|
|
@ -57,7 +57,7 @@ def default_expire_time():
|
|||
return timeutils.utcnow() + expire_delta
|
||||
|
||||
|
||||
def validate_auth_info(self, context, user_ref, tenant_ref):
|
||||
def validate_auth_info(self, user_ref, tenant_ref):
|
||||
"""Validate user and tenant auth info.
|
||||
|
||||
Validate the user and tenant auth into in order to ensure that user and
|
||||
|
@ -66,7 +66,6 @@ def validate_auth_info(self, context, user_ref, tenant_ref):
|
|||
Consolidate the checks here to ensure consistency between token auth and
|
||||
ec2 auth.
|
||||
|
||||
:params context: keystone's request context
|
||||
:params user_ref: the authenticating user
|
||||
:params tenant_ref: the scope of authorization, if any
|
||||
:raises Unauthorized: if any of the user, user's domain, tenant or
|
||||
|
@ -80,7 +79,6 @@ def validate_auth_info(self, context, user_ref, tenant_ref):
|
|||
|
||||
# If the user's domain is disabled don't allow them to authenticate
|
||||
user_domain_ref = self.identity_api.get_domain(
|
||||
context,
|
||||
user_ref['domain_id'])
|
||||
if user_domain_ref and not user_domain_ref.get('enabled', True):
|
||||
msg = 'Domain is disabled: %s' % user_domain_ref['id']
|
||||
|
@ -96,7 +94,6 @@ def validate_auth_info(self, context, user_ref, tenant_ref):
|
|||
|
||||
# If the project's domain is disabled don't allow them to authenticate
|
||||
project_domain_ref = self.identity_api.get_domain(
|
||||
context,
|
||||
tenant_ref['domain_id'])
|
||||
if (project_domain_ref and
|
||||
not project_domain_ref.get('enabled', True)):
|
||||
|
|
|
@ -38,14 +38,14 @@ class TrustV3(controller.V3Controller):
|
|||
def _get_user_id(self, context):
|
||||
if 'token_id' in context:
|
||||
token_id = context['token_id']
|
||||
token = self.token_api.get_token(context, token_id)
|
||||
token = self.token_api.get_token(token_id)
|
||||
user_id = token['user']['id']
|
||||
return user_id
|
||||
return None
|
||||
|
||||
def get_trust(self, context, trust_id):
|
||||
user_id = self._get_user_id(context)
|
||||
trust = self.trust_api.get_trust(context, trust_id)
|
||||
trust = self.trust_api.get_trust(trust_id)
|
||||
if not trust:
|
||||
raise exception.TrustNotFound(trust_id)
|
||||
_admin_trustor_trustee_only(context, trust, user_id)
|
||||
|
@ -55,7 +55,7 @@ class TrustV3(controller.V3Controller):
|
|||
user_id != trust['trustee_user_id']):
|
||||
raise exception.Forbidden()
|
||||
self._fill_in_roles(context, trust,
|
||||
self.identity_api.list_roles(context))
|
||||
self.identity_api.list_roles())
|
||||
return TrustV3.wrap_member(context, trust)
|
||||
|
||||
def _fill_in_roles(self, context, trust, global_roles):
|
||||
|
@ -121,15 +121,14 @@ class TrustV3(controller.V3Controller):
|
|||
user_id = self._get_user_id(context)
|
||||
_trustor_only(context, trust, user_id)
|
||||
#confirm that the trustee exists
|
||||
trustee_ref = self.identity_api.get_user(context,
|
||||
trust['trustee_user_id'])
|
||||
trustee_ref = self.identity_api.get_user(trust['trustee_user_id'])
|
||||
if not trustee_ref:
|
||||
raise exception.UserNotFound(user_id=trust['trustee_user_id'])
|
||||
global_roles = self.identity_api.list_roles(context)
|
||||
global_roles = self.identity_api.list_roles()
|
||||
clean_roles = self._clean_role_list(context, trust, global_roles)
|
||||
if trust.get('project_id'):
|
||||
user_roles = self.identity_api.get_roles_for_user_and_project(
|
||||
context, user_id, trust['project_id'])
|
||||
user_id, trust['project_id'])
|
||||
else:
|
||||
user_roles = []
|
||||
for trust_role in clean_roles:
|
||||
|
@ -143,7 +142,6 @@ class TrustV3(controller.V3Controller):
|
|||
trust['expires_at'] = (timeutils.parse_isotime
|
||||
(trust['expires_at']))
|
||||
new_trust = self.trust_api.create_trust(
|
||||
context=context,
|
||||
trust_id=uuid.uuid4().hex,
|
||||
trust=trust,
|
||||
roles=clean_roles)
|
||||
|
@ -161,41 +159,38 @@ class TrustV3(controller.V3Controller):
|
|||
trusts = []
|
||||
if not query:
|
||||
self.assert_admin(context)
|
||||
trusts += self.trust_api.list_trusts(context)
|
||||
trusts += self.trust_api.list_trusts()
|
||||
if 'trustor_user_id' in query:
|
||||
user_id = query['trustor_user_id']
|
||||
calling_user_id = self._get_user_id(context)
|
||||
if user_id != calling_user_id:
|
||||
raise exception.Forbidden()
|
||||
trusts += (self.trust_api.
|
||||
list_trusts_for_trustor(context, user_id))
|
||||
list_trusts_for_trustor(user_id))
|
||||
if 'trustee_user_id' in query:
|
||||
user_id = query['trustee_user_id']
|
||||
calling_user_id = self._get_user_id(context)
|
||||
if user_id != calling_user_id:
|
||||
raise exception.Forbidden()
|
||||
trusts += (self.trust_api.
|
||||
list_trusts_for_trustee(context, user_id))
|
||||
global_roles = self.identity_api.list_roles(context)
|
||||
trusts += self.trust_api.list_trusts_for_trustee(user_id)
|
||||
global_roles = self.identity_api.list_roles()
|
||||
for trust in trusts:
|
||||
self._fill_in_roles(context, trust, global_roles)
|
||||
return TrustV3.wrap_collection(context, trusts)
|
||||
|
||||
@controller.protected
|
||||
def delete_trust(self, context, trust_id):
|
||||
trust = self.trust_api.get_trust(context, trust_id)
|
||||
trust = self.trust_api.get_trust(trust_id)
|
||||
if not trust:
|
||||
raise exception.TrustNotFound(trust_id)
|
||||
|
||||
user_id = self._get_user_id(context)
|
||||
_admin_trustor_only(context, trust, user_id)
|
||||
self.trust_api.delete_trust(context, trust_id)
|
||||
self.trust_api.delete_trust(trust_id)
|
||||
userid = trust['trustor_user_id']
|
||||
token_list = self.token_api.list_tokens(context,
|
||||
userid,
|
||||
trust_id=trust_id)
|
||||
token_list = self.token_api.list_tokens(userid, trust_id=trust_id)
|
||||
for token in token_list:
|
||||
self.token_api.delete_token(context, token)
|
||||
self.token_api.delete_token(token)
|
||||
|
||||
@controller.protected
|
||||
def list_roles_for_trust(self, context, trust_id):
|
||||
|
@ -210,7 +205,7 @@ class TrustV3(controller.V3Controller):
|
|||
@controller.protected
|
||||
def check_role_for_trust(self, context, trust_id, role_id):
|
||||
"""Checks if a role has been assigned to a trust."""
|
||||
trust = self.trust_api.get_trust(context, trust_id)
|
||||
trust = self.trust_api.get_trust(trust_id)
|
||||
if not trust:
|
||||
raise exception.TrustNotFound(trust_id)
|
||||
user_id = self._get_user_id(context)
|
||||
|
@ -223,7 +218,7 @@ class TrustV3(controller.V3Controller):
|
|||
@controller.protected
|
||||
def get_role_for_trust(self, context, trust_id, role_id):
|
||||
"""Checks if a role has been assigned to a trust."""
|
||||
trust = self.trust_api.get_trust(context, trust_id)
|
||||
trust = self.trust_api.get_trust(trust_id)
|
||||
if not trust:
|
||||
raise exception.TrustNotFound(trust_id)
|
||||
|
||||
|
@ -233,7 +228,7 @@ class TrustV3(controller.V3Controller):
|
|||
if x['id'] == role_id]
|
||||
if not matching_roles:
|
||||
raise exception.RoleNotFound(role_id=role_id)
|
||||
global_roles = self.identity_api.list_roles(context)
|
||||
global_roles = self.identity_api.list_roles()
|
||||
matching_roles = [x for x in global_roles
|
||||
if x['id'] == role_id]
|
||||
if matching_roles:
|
||||
|
|
|
@ -532,8 +532,8 @@ class AuthWithTrust(AuthTest):
|
|||
trust_data['expires_at'] = expires_at
|
||||
trust_data['impersonation'] = impersonation
|
||||
|
||||
self.new_trust = (self.trust_controller.create_trust
|
||||
(context, trust=trust_data)['trust'])
|
||||
self.new_trust = self.trust_controller.create_trust(
|
||||
context, trust=trust_data)['trust']
|
||||
|
||||
def build_v2_token_request(self, username, password):
|
||||
body_dict = _build_user_auth(username=username, password=password)
|
||||
|
@ -673,7 +673,7 @@ class AuthWithTrust(AuthTest):
|
|||
|
||||
def assert_token_count_for_trust(self, expected_value):
|
||||
tokens = self.trust_controller.token_api.list_tokens(
|
||||
{}, self.trustee['id'], trust_id=self.new_trust['id'])
|
||||
self.trustee['id'], trust_id=self.new_trust['id'])
|
||||
token_count = len(tokens)
|
||||
self.assertEquals(token_count, expected_value)
|
||||
|
||||
|
@ -681,9 +681,7 @@ class AuthWithTrust(AuthTest):
|
|||
self.assert_token_count_for_trust(0)
|
||||
self.fetch_v2_token_from_trust()
|
||||
self.assert_token_count_for_trust(1)
|
||||
self.trust_controller._delete_tokens_for_user(
|
||||
{},
|
||||
self.trustee['id'])
|
||||
self.trust_controller._delete_tokens_for_user(self.trustee['id'])
|
||||
self.assert_token_count_for_trust(0)
|
||||
|
||||
def test_token_from_trust_cant_get_another_token(self):
|
||||
|
|
|
@ -15,7 +15,6 @@
|
|||
# under the License.
|
||||
|
||||
import datetime
|
||||
import default_fixtures
|
||||
import uuid
|
||||
|
||||
from keystone import test
|
||||
|
@ -25,12 +24,13 @@ from keystone import config
|
|||
from keystone import exception
|
||||
from keystone.openstack.common import timeutils
|
||||
|
||||
import default_fixtures
|
||||
|
||||
|
||||
CONF = config.CONF
|
||||
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||
TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
|
||||
NULL_OBJECT = object()
|
||||
EMPTY_CONTEXT = {}
|
||||
|
||||
|
||||
class IdentityTests(object):
|
||||
|
@ -61,7 +61,6 @@ class IdentityTests(object):
|
|||
def test_authenticate_bad_user(self):
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_man.authenticate,
|
||||
EMPTY_CONTEXT,
|
||||
user_id=uuid.uuid4().hex,
|
||||
tenant_id=self.tenant_bar['id'],
|
||||
password=self.user_foo['password'])
|
||||
|
@ -69,7 +68,6 @@ class IdentityTests(object):
|
|||
def test_authenticate_bad_password(self):
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_man.authenticate,
|
||||
EMPTY_CONTEXT,
|
||||
user_id=self.user_foo['id'],
|
||||
tenant_id=self.tenant_bar['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
|
@ -77,14 +75,12 @@ class IdentityTests(object):
|
|||
def test_authenticate_bad_project(self):
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_man.authenticate,
|
||||
EMPTY_CONTEXT,
|
||||
user_id=self.user_foo['id'],
|
||||
tenant_id=uuid.uuid4().hex,
|
||||
password=self.user_foo['password'])
|
||||
|
||||
def test_authenticate_no_project(self):
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
EMPTY_CONTEXT,
|
||||
user_id=self.user_foo['id'],
|
||||
password=self.user_foo['password'])
|
||||
# NOTE(termie): the password field is left in user_foo to make
|
||||
|
@ -97,7 +93,6 @@ class IdentityTests(object):
|
|||
|
||||
def test_authenticate(self):
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
EMPTY_CONTEXT,
|
||||
user_id=self.user_sna['id'],
|
||||
tenant_id=self.tenant_bar['id'],
|
||||
password=self.user_sna['password'])
|
||||
|
@ -115,7 +110,6 @@ class IdentityTests(object):
|
|||
self.identity_api.add_role_to_user_and_project(
|
||||
self.user_foo['id'], self.tenant_baz['id'], self.role_admin['id'])
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
EMPTY_CONTEXT,
|
||||
user_id=self.user_foo['id'],
|
||||
tenant_id=self.tenant_baz['id'],
|
||||
password=self.user_foo['password'])
|
||||
|
@ -129,11 +123,10 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'no_meta2',
|
||||
}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
self.identity_api.add_user_to_project(self.tenant_baz['id'],
|
||||
user['id'])
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
EMPTY_CONTEXT,
|
||||
user_id=user['id'],
|
||||
tenant_id=self.tenant_baz['id'],
|
||||
password=user['password'])
|
||||
|
@ -156,7 +149,7 @@ class IdentityTests(object):
|
|||
'name': unicode_name,
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': uuid.uuid4().hex}
|
||||
ref = self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
|
||||
ref = self.identity_man.create_user(user['id'], user)
|
||||
self.assertEqual(unicode_name, ref['name'])
|
||||
|
||||
def test_get_project(self):
|
||||
|
@ -288,11 +281,10 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'fakepass',
|
||||
'tenants': ['bar']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user['name'] = 'fake2'
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -302,11 +294,10 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'fakepass',
|
||||
'tenants': ['bar']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user['id'] = 'fake2'
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake2',
|
||||
user)
|
||||
|
||||
|
@ -321,8 +312,8 @@ class IdentityTests(object):
|
|||
'name': user1['name'],
|
||||
'domain_id': new_domain['id'],
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user2['id'], user2)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
self.identity_man.create_user(user2['id'], user2)
|
||||
|
||||
def test_move_user_between_domains(self):
|
||||
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
|
@ -333,9 +324,9 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'],
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
user['domain_id'] = domain2['id']
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.update_user(user['id'], user)
|
||||
|
||||
def test_move_user_between_domains_with_clashing_names_fails(self):
|
||||
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
|
@ -347,20 +338,19 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'],
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
# Now create a user in domain2 with a potentially clashing
|
||||
# name - which should work since we have domain separation
|
||||
user2 = {'id': uuid.uuid4().hex,
|
||||
'name': user1['name'],
|
||||
'domain_id': domain2['id'],
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user2['id'], user2)
|
||||
self.identity_man.create_user(user2['id'], user2)
|
||||
# Now try and move user1 into the 2nd domain - which should
|
||||
# fail since the names clash
|
||||
user1['domain_id'] = domain2['id']
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
user1['id'],
|
||||
user1)
|
||||
|
||||
|
@ -375,12 +365,11 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'fakepass',
|
||||
'tenants': ['bar']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user1)
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake2', user2)
|
||||
self.identity_man.create_user('fake1', user1)
|
||||
self.identity_man.create_user('fake2', user2)
|
||||
user2['name'] = 'fake1'
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake2',
|
||||
user2)
|
||||
|
||||
|
@ -390,11 +379,10 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'fakepass',
|
||||
'tenants': ['bar']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user['id'] = 'fake2'
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
|
@ -406,20 +394,20 @@ class IdentityTests(object):
|
|||
def test_create_duplicate_project_id_fails(self):
|
||||
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
|
||||
self.identity_man.create_project('fake1', tenant)
|
||||
tenant['name'] = 'fake2'
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.create_project, EMPTY_CONTEXT,
|
||||
self.identity_man.create_project,
|
||||
'fake1',
|
||||
tenant)
|
||||
|
||||
def test_create_duplicate_project_name_fails(self):
|
||||
tenant = {'id': 'fake1', 'name': 'fake',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
|
||||
self.identity_man.create_project('fake1', tenant)
|
||||
tenant['id'] = 'fake2'
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.create_project, EMPTY_CONTEXT,
|
||||
self.identity_man.create_project,
|
||||
'fake1',
|
||||
tenant)
|
||||
|
||||
|
@ -430,8 +418,8 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
tenant2 = {'id': uuid.uuid4().hex, 'name': tenant1['name'],
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, tenant1['id'], tenant1)
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, tenant2['id'], tenant2)
|
||||
self.identity_man.create_project(tenant1['id'], tenant1)
|
||||
self.identity_man.create_project(tenant2['id'], tenant2)
|
||||
|
||||
def test_move_project_between_domains(self):
|
||||
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
|
@ -441,7 +429,7 @@ class IdentityTests(object):
|
|||
project = {'id': uuid.uuid4().hex,
|
||||
'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, project['id'], project)
|
||||
self.identity_man.create_project(project['id'], project)
|
||||
project['domain_id'] = domain2['id']
|
||||
self.identity_api.update_project(project['id'], project)
|
||||
|
||||
|
@ -454,15 +442,13 @@ class IdentityTests(object):
|
|||
project1 = {'id': uuid.uuid4().hex,
|
||||
'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
# Now create a project in domain2 with a potentially clashing
|
||||
# name - which should work since we have domain separation
|
||||
project2 = {'id': uuid.uuid4().hex,
|
||||
'name': project1['name'],
|
||||
'domain_id': domain2['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project2['id'], project2)
|
||||
self.identity_man.create_project(project2['id'], project2)
|
||||
# Now try and move project1 into the 2nd domain - which should
|
||||
# fail since the names clash
|
||||
project1['domain_id'] = domain2['id']
|
||||
|
@ -476,8 +462,8 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
tenant2 = {'id': 'fake2', 'name': 'fake2',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant1)
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake2', tenant2)
|
||||
self.identity_man.create_project('fake1', tenant1)
|
||||
self.identity_man.create_project('fake2', tenant2)
|
||||
tenant2['name'] = 'fake1'
|
||||
self.assertRaises(exception.Error,
|
||||
self.identity_api.update_project,
|
||||
|
@ -544,15 +530,11 @@ class IdentityTests(object):
|
|||
new_user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT,
|
||||
new_user1['id'],
|
||||
new_user1)
|
||||
self.identity_man.create_user(new_user1['id'], new_user1)
|
||||
new_user2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT,
|
||||
new_user2['id'],
|
||||
new_user2)
|
||||
self.identity_man.create_user(new_user2['id'], new_user2)
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
user_id=new_user1['id'],
|
||||
domain_id=new_domain['id'])
|
||||
|
@ -598,9 +580,7 @@ class IdentityTests(object):
|
|||
new_user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT,
|
||||
new_user1['id'],
|
||||
new_user1)
|
||||
self.identity_man.create_user(new_user1['id'], new_user1)
|
||||
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.identity_api.get_roles_for_user_and_domain,
|
||||
|
@ -740,12 +720,11 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(new_domain['id'], new_domain)
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': 'secret', 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
|
@ -778,12 +757,11 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(new_domain['id'], new_domain)
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
|
||||
|
@ -819,25 +797,21 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(new_domain['id'], new_domain)
|
||||
new_project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
new_project['id'], new_project)
|
||||
self.identity_man.create_project(new_project['id'], new_project)
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group2['id'], new_group2)
|
||||
self.identity_man.create_group(new_group2['id'], new_group2)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
new_user2 = {'id': uuid.uuid4().hex, 'name': 'new_user2',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT,
|
||||
new_user2['id'], new_user2)
|
||||
self.identity_man.create_user(new_user2['id'], new_user2)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
# First check we have no grants
|
||||
|
@ -885,7 +859,7 @@ class IdentityTests(object):
|
|||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': 'secret', 'enabled': True,
|
||||
'domain_id': new_domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
user_id=new_user['id'],
|
||||
domain_id=new_domain['id'])
|
||||
|
@ -926,7 +900,7 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain2['id'], domain2)
|
||||
group1 = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
group_id=group1['id'],
|
||||
domain_id=domain1['id'])
|
||||
|
@ -979,7 +953,7 @@ class IdentityTests(object):
|
|||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
user_id=user1['id'],
|
||||
domain_id=domain1['id'])
|
||||
|
@ -1027,11 +1001,10 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain2['id'], domain2)
|
||||
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'enabled': True}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain2['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
group_id=group1['id'],
|
||||
project_id=project1['id'])
|
||||
|
@ -1073,11 +1046,10 @@ class IdentityTests(object):
|
|||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain2['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
roles_ref = self.identity_api.list_grants(
|
||||
user_id=user1['id'],
|
||||
project_id=project1['id'])
|
||||
|
@ -1118,15 +1090,13 @@ class IdentityTests(object):
|
|||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'enabled': True}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
|
||||
self.identity_api.add_user_to_group(user1['id'],
|
||||
group1['id'])
|
||||
|
@ -1187,15 +1157,14 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain1['id'], domain1)
|
||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'enabled': True}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
self.identity_api.create_grant(user_id=user1['id'],
|
||||
project_id=project1['id'],
|
||||
role_id=role1['id'])
|
||||
|
@ -1249,15 +1218,14 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain1['id'], domain1)
|
||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'enabled': True}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
self.identity_api.create_grant(user_id=user1['id'],
|
||||
project_id=project1['id'],
|
||||
role_id=role1['id'])
|
||||
|
@ -1298,15 +1266,14 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain1['id'], domain1)
|
||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project1['id'], project1)
|
||||
self.identity_man.create_project(project1['id'], project1)
|
||||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id'], 'enabled': True}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
self.identity_api.create_grant(group_id=group1['id'],
|
||||
project_id=project1['id'],
|
||||
role_id=role1['id'])
|
||||
|
@ -1427,7 +1394,6 @@ class IdentityTests(object):
|
|||
user_id = uuid.uuid4().hex
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
user_id,
|
||||
{'id': user_id})
|
||||
|
||||
|
@ -1436,7 +1402,7 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex,
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user['id'])
|
||||
self.identity_api.delete_user(user['id'])
|
||||
|
@ -1449,7 +1415,7 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex,
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
self.identity_api.add_role_to_user_and_project(
|
||||
user['id'],
|
||||
self.tenant_bar['id'],
|
||||
|
@ -1473,7 +1439,7 @@ class IdentityTests(object):
|
|||
tenant = {'id': 'fake1', 'name': 'a' * 65,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_project, EMPTY_CONTEXT,
|
||||
self.identity_man.create_project,
|
||||
tenant['id'],
|
||||
tenant)
|
||||
|
||||
|
@ -1481,7 +1447,7 @@ class IdentityTests(object):
|
|||
tenant = {'id': 'fake1', 'name': '',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_project, EMPTY_CONTEXT,
|
||||
self.identity_man.create_project,
|
||||
tenant['id'],
|
||||
tenant)
|
||||
|
||||
|
@ -1489,20 +1455,20 @@ class IdentityTests(object):
|
|||
tenant = {'id': 'fake1', 'name': None,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_project, EMPTY_CONTEXT,
|
||||
self.identity_man.create_project,
|
||||
tenant['id'],
|
||||
tenant)
|
||||
tenant = {'id': 'fake1', 'name': 123,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_project, EMPTY_CONTEXT,
|
||||
self.identity_man.create_project,
|
||||
tenant['id'],
|
||||
tenant)
|
||||
|
||||
def test_update_project_blank_name_fails(self):
|
||||
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
|
||||
self.identity_man.create_project('fake1', tenant)
|
||||
tenant['name'] = ''
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_api.update_project,
|
||||
|
@ -1512,7 +1478,7 @@ class IdentityTests(object):
|
|||
def test_update_project_long_name_fails(self):
|
||||
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
|
||||
self.identity_man.create_project('fake1', tenant)
|
||||
tenant['name'] = 'a' * 65
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_api.update_project,
|
||||
|
@ -1522,7 +1488,7 @@ class IdentityTests(object):
|
|||
def test_update_project_invalid_name_fails(self):
|
||||
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
|
||||
self.identity_man.create_project('fake1', tenant)
|
||||
tenant['name'] = None
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_api.update_project,
|
||||
|
@ -1540,7 +1506,6 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -1549,7 +1514,6 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -1558,7 +1522,6 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -1566,7 +1529,6 @@ class IdentityTests(object):
|
|||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -1575,9 +1537,7 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex,
|
||||
'enabled': True,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
project['id'],
|
||||
project)
|
||||
self.identity_man.create_project(project['id'], project)
|
||||
project_ref = self.identity_api.get_project(project['id'])
|
||||
self.assertEqual(project_ref['enabled'], True)
|
||||
|
||||
|
@ -1585,7 +1545,6 @@ class IdentityTests(object):
|
|||
project['enabled'] = "false"
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_project,
|
||||
EMPTY_CONTEXT,
|
||||
project['id'],
|
||||
project)
|
||||
|
||||
|
@ -1597,7 +1556,6 @@ class IdentityTests(object):
|
|||
'enabled': "true"}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_project,
|
||||
EMPTY_CONTEXT,
|
||||
project['id'],
|
||||
project)
|
||||
|
||||
|
@ -1610,48 +1568,43 @@ class IdentityTests(object):
|
|||
'enabled': "true"}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_user,
|
||||
EMPTY_CONTEXT,
|
||||
user['id'],
|
||||
user)
|
||||
|
||||
def test_update_user_long_name_fails(self):
|
||||
user = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user['name'] = 'a' * 65
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
def test_update_user_blank_name_fails(self):
|
||||
user = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user['name'] = ''
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
def test_update_user_invalid_name_fails(self):
|
||||
user = {'id': 'fake1', 'name': 'fake1',
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
|
||||
user['name'] = None
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
user['name'] = 123
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -1669,8 +1622,8 @@ class IdentityTests(object):
|
|||
'id': uuid.uuid4().hex,
|
||||
'domain_id': CONF.identity.default_domain_id,
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
self.identity_man.create_group(group2['id'], group2)
|
||||
groups = self.identity_api.list_groups()
|
||||
self.assertEquals(len(groups), 2)
|
||||
group_ids = []
|
||||
|
@ -1737,8 +1690,7 @@ class IdentityTests(object):
|
|||
new_project = {'id': 'tenant_id', 'name': uuid.uuid4().hex,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
original_project = new_project.copy()
|
||||
self.identity_man.create_project(EMPTY_CONTEXT,
|
||||
'tenant_id', new_project)
|
||||
self.identity_man.create_project('tenant_id', new_project)
|
||||
self.assertDictEqual(original_project, new_project)
|
||||
|
||||
def test_create_user_doesnt_modify_passed_in_dict(self):
|
||||
|
@ -1746,53 +1698,53 @@ class IdentityTests(object):
|
|||
'password': uuid.uuid4().hex,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
original_user = new_user.copy()
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'user_id', new_user)
|
||||
self.identity_man.create_user('user_id', new_user)
|
||||
self.assertDictEqual(original_user, new_user)
|
||||
|
||||
def test_update_user_enable(self):
|
||||
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], True)
|
||||
|
||||
user['enabled'] = False
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.update_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], user['enabled'])
|
||||
|
||||
# If not present, enabled field should not be updated
|
||||
del user['enabled']
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.update_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], False)
|
||||
|
||||
user['enabled'] = True
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.update_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], user['enabled'])
|
||||
|
||||
del user['enabled']
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.update_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], True)
|
||||
|
||||
# Integers are valid Python's booleans. Explicitly test it.
|
||||
user['enabled'] = 0
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.update_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], False)
|
||||
|
||||
# Any integers other than 0 are interpreted as True
|
||||
user['enabled'] = -42
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.update_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], True)
|
||||
|
||||
def test_update_user_enable_fails(self):
|
||||
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
|
||||
self.identity_man.create_user('fake1', user)
|
||||
user_ref = self.identity_api.get_user('fake1')
|
||||
self.assertEqual(user_ref['enabled'], True)
|
||||
|
||||
|
@ -1800,7 +1752,6 @@ class IdentityTests(object):
|
|||
user['enabled'] = "false"
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.update_user,
|
||||
EMPTY_CONTEXT,
|
||||
'fake1',
|
||||
user)
|
||||
|
||||
|
@ -1836,12 +1787,11 @@ class IdentityTests(object):
|
|||
domain = self._get_domain_fixture()
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
groups = self.identity_api.list_groups_for_user(new_user['id'])
|
||||
|
@ -1857,8 +1807,7 @@ class IdentityTests(object):
|
|||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT,
|
||||
new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.assertRaises(exception.GroupNotFound,
|
||||
self.identity_api.add_user_to_group,
|
||||
new_user['id'],
|
||||
|
@ -1866,8 +1815,7 @@ class IdentityTests(object):
|
|||
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.identity_api.add_user_to_group,
|
||||
uuid.uuid4().hex,
|
||||
|
@ -1877,12 +1825,11 @@ class IdentityTests(object):
|
|||
domain = self._get_domain_fixture()
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
self.identity_api.check_user_in_group(new_user['id'], new_group['id'])
|
||||
|
@ -1892,8 +1839,7 @@ class IdentityTests(object):
|
|||
'id': uuid.uuid4().hex,
|
||||
'domain_id': CONF.identity.default_domain_id,
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.identity_api.check_user_in_group,
|
||||
uuid.uuid4().hex,
|
||||
|
@ -1903,13 +1849,11 @@ class IdentityTests(object):
|
|||
domain = self._get_domain_fixture()
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT,
|
||||
new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
user_refs = self.identity_api.list_users_in_group(new_group['id'])
|
||||
|
@ -1923,12 +1867,11 @@ class IdentityTests(object):
|
|||
domain = self._get_domain_fixture()
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
groups = self.identity_api.list_groups_for_user(new_user['id'])
|
||||
|
@ -1943,11 +1886,10 @@ class IdentityTests(object):
|
|||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||
'password': uuid.uuid4().hex, 'enabled': True,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
|
||||
self.identity_man.create_user(new_user['id'], new_user)
|
||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT,
|
||||
new_group['id'], new_group)
|
||||
self.identity_man.create_group(new_group['id'], new_group)
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.identity_api.remove_user_from_group,
|
||||
new_user['id'],
|
||||
|
@ -1968,7 +1910,7 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain['id'], domain)
|
||||
group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'name': uuid.uuid4().hex}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group['id'], group)
|
||||
self.identity_man.create_group(group['id'], group)
|
||||
group_ref = self.identity_api.get_group(group['id'])
|
||||
self.assertDictContainsSubset(group, group_ref)
|
||||
|
||||
|
@ -1987,9 +1929,9 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex}
|
||||
group2 = {'id': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'name': group1['name']}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.identity_man.create_group, EMPTY_CONTEXT,
|
||||
self.identity_man.create_group,
|
||||
group2['id'], group2)
|
||||
|
||||
def test_create_duplicate_group_name_in_different_domains(self):
|
||||
|
@ -1999,8 +1941,8 @@ class IdentityTests(object):
|
|||
'name': uuid.uuid4().hex}
|
||||
group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||
'name': group1['name']}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
self.identity_man.create_group(group2['id'], group2)
|
||||
|
||||
def test_move_group_between_domains(self):
|
||||
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
|
@ -2010,7 +1952,7 @@ class IdentityTests(object):
|
|||
group = {'id': uuid.uuid4().hex,
|
||||
'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group['id'], group)
|
||||
self.identity_man.create_group(group['id'], group)
|
||||
group['domain_id'] = domain2['id']
|
||||
self.identity_api.update_group(group['id'], group)
|
||||
|
||||
|
@ -2023,13 +1965,13 @@ class IdentityTests(object):
|
|||
group1 = {'id': uuid.uuid4().hex,
|
||||
'name': uuid.uuid4().hex,
|
||||
'domain_id': domain1['id']}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
|
||||
self.identity_man.create_group(group1['id'], group1)
|
||||
# Now create a group in domain2 with a potentially clashing
|
||||
# name - which should work since we have domain separation
|
||||
group2 = {'id': uuid.uuid4().hex,
|
||||
'name': group1['name'],
|
||||
'domain_id': domain2['id']}
|
||||
self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
|
||||
self.identity_man.create_group(group2['id'], group2)
|
||||
# Now try and move group1 into the 2nd domain - which should
|
||||
# fail since the names clash
|
||||
group1['domain_id'] = domain2['id']
|
||||
|
@ -2044,7 +1986,7 @@ class IdentityTests(object):
|
|||
self.identity_api.create_domain(domain['id'], domain)
|
||||
project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'domain_id': domain['id']}
|
||||
self.identity_man.create_project(EMPTY_CONTEXT, project['id'], project)
|
||||
self.identity_man.create_project(project['id'], project)
|
||||
project_ref = self.identity_api.get_project(project['id'])
|
||||
self.assertDictContainsSubset(project, project_ref)
|
||||
|
||||
|
@ -2079,14 +2021,14 @@ class IdentityTests(object):
|
|||
user = {'domain_id': CONF.identity.default_domain_id,
|
||||
'id': uuid.uuid4().hex,
|
||||
'name': uuid.uuid4().hex, 'password': 'passw0rd'}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
user_ref = self.identity_api.get_user(user['id'])
|
||||
del user['password']
|
||||
user_ref_dict = dict((x, user_ref[x]) for x in user_ref)
|
||||
self.assertDictContainsSubset(user, user_ref_dict)
|
||||
|
||||
user['password'] = uuid.uuid4().hex
|
||||
self.identity_man.update_user(EMPTY_CONTEXT, user['id'], user)
|
||||
self.identity_man.update_user(user['id'], user)
|
||||
user_ref = self.identity_api.get_user(user['id'])
|
||||
del user['password']
|
||||
user_ref_dict = dict((x, user_ref[x]) for x in user_ref)
|
||||
|
@ -2103,7 +2045,7 @@ class IdentityTests(object):
|
|||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex, 'domain_id': domain['id'],
|
||||
'enabled': True}
|
||||
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
|
||||
self.identity_man.create_user(user1['id'], user1)
|
||||
user_projects = self.identity_api.list_user_projects(user1['id'])
|
||||
self.assertEquals(len(user_projects), 0)
|
||||
self.identity_api.create_grant(user_id=user1['id'],
|
||||
|
@ -2472,10 +2414,10 @@ class CatalogTests(object):
|
|||
self.catalog_api.delete_service(service_id)
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_man.delete_service,
|
||||
EMPTY_CONTEXT, service_id)
|
||||
service_id)
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_man.get_service,
|
||||
EMPTY_CONTEXT, service_id)
|
||||
service_id)
|
||||
|
||||
def test_delete_service_with_endpoint(self):
|
||||
# create a service
|
||||
|
@ -2501,21 +2443,19 @@ class CatalogTests(object):
|
|||
self.catalog_api.delete_service(service['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_man.get_endpoint,
|
||||
EMPTY_CONTEXT, endpoint['id'])
|
||||
endpoint['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_man.delete_endpoint,
|
||||
EMPTY_CONTEXT, endpoint['id'])
|
||||
endpoint['id'])
|
||||
|
||||
def test_get_service_404(self):
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_man.get_service,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_service_404(self):
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_man.delete_service,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_create_endpoint_404(self):
|
||||
|
@ -2525,20 +2465,17 @@ class CatalogTests(object):
|
|||
}
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_man.create_endpoint,
|
||||
EMPTY_CONTEXT,
|
||||
endpoint['id'],
|
||||
endpoint)
|
||||
|
||||
def test_get_endpoint_404(self):
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_man.get_endpoint,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_endpoint_404(self):
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_man.delete_endpoint,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_create_endpoint(self):
|
||||
|
@ -2605,7 +2542,6 @@ class PolicyTests(object):
|
|||
# (cannot change policy ID)
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.policy_man.update_policy,
|
||||
EMPTY_CONTEXT,
|
||||
orig['id'],
|
||||
ref)
|
||||
|
||||
|
@ -2620,28 +2556,26 @@ class PolicyTests(object):
|
|||
self.policy_api.delete_policy(ref['id'])
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_man.delete_policy,
|
||||
EMPTY_CONTEXT, ref['id'])
|
||||
ref['id'])
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_man.get_policy,
|
||||
EMPTY_CONTEXT, ref['id'])
|
||||
ref['id'])
|
||||
res = self.policy_api.list_policies()
|
||||
self.assertFalse(len([x for x in res if x['id'] == ref['id']]))
|
||||
|
||||
def test_get_policy_404(self):
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_man.get_policy,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_update_policy_404(self):
|
||||
ref = self._new_policy_ref()
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_man.update_policy,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex,
|
||||
EMPTY_CONTEXT)
|
||||
ref['id'],
|
||||
ref)
|
||||
|
||||
def test_delete_policy_404(self):
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_man.delete_policy,
|
||||
EMPTY_CONTEXT,
|
||||
uuid.uuid4().hex)
|
||||
|
|
|
@ -604,7 +604,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
|
|||
'password': 'no_meta2',
|
||||
'enabled': True,
|
||||
}
|
||||
self.identity_man.create_user({}, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
self.identity_api.add_user_to_project(self.tenant_baz['id'],
|
||||
user['id'])
|
||||
self.identity_api.user.LDAP_USER = None
|
||||
|
@ -640,11 +640,10 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
|||
'password': 'no_meta2',
|
||||
'enabled': True,
|
||||
}
|
||||
self.identity_man.create_user({}, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
self.identity_api.add_user_to_project(self.tenant_baz['id'],
|
||||
user['id'])
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
{},
|
||||
user_id=user['id'],
|
||||
tenant_id=self.tenant_baz['id'],
|
||||
password=user['password'])
|
||||
|
@ -692,7 +691,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
|||
'domain_id': CONF.identity.default_domain_id,
|
||||
'name': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user({}, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
user['enabled'] = True
|
||||
user_ref = self.identity_api.get_user(user['id'])
|
||||
del user['password']
|
||||
|
|
|
@ -30,6 +30,7 @@ from keystone import trust
|
|||
import default_fixtures
|
||||
import test_backend
|
||||
|
||||
|
||||
CONF = config.CONF
|
||||
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||
|
||||
|
@ -84,7 +85,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'name': uuid.uuid4().hex,
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': uuid.uuid4().hex}
|
||||
self.identity_man.create_user({}, user['id'], user)
|
||||
self.identity_man.create_user(user['id'], user)
|
||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user['id'])
|
||||
self.identity_api.delete_user(user['id'])
|
||||
|
@ -98,7 +99,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': uuid.uuid4().hex}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_user, {},
|
||||
self.identity_man.create_user,
|
||||
user['id'],
|
||||
user)
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
|
@ -114,7 +115,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'name': None,
|
||||
'domain_id': DEFAULT_DOMAIN_ID}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.identity_man.create_project, {},
|
||||
self.identity_man.create_project,
|
||||
tenant['id'],
|
||||
tenant)
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
|
@ -141,7 +142,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'name': 'fakeuser',
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'passwd'}
|
||||
self.identity_man.create_user({}, 'fake', user)
|
||||
self.identity_man.create_user('fake', user)
|
||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user['id'])
|
||||
self.identity_api.delete_project(self.tenant_bar['id'])
|
||||
|
@ -153,7 +154,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'name': 'fakeuser',
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'passwd'}
|
||||
self.identity_man.create_user({}, 'fake', user)
|
||||
self.identity_man.create_user('fake', user)
|
||||
self.identity_api.create_metadata(user['id'],
|
||||
self.tenant_bar['id'],
|
||||
{'extra': 'extra'})
|
||||
|
@ -168,7 +169,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'name': 'fakeuser',
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': 'passwd'}
|
||||
self.identity_man.create_user({}, 'fake', user)
|
||||
self.identity_man.create_user('fake', user)
|
||||
self.identity_api.create_metadata(user['id'],
|
||||
self.tenant_bar['id'],
|
||||
{'extra': 'extra'})
|
||||
|
@ -196,7 +197,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'name': uuid.uuid4().hex,
|
||||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
arbitrary_key: arbitrary_value}
|
||||
ref = self.identity_man.create_project({}, tenant_id, tenant)
|
||||
ref = self.identity_man.create_project(tenant_id, tenant)
|
||||
self.assertEqual(arbitrary_value, ref[arbitrary_key])
|
||||
self.assertIsNone(ref.get('extra'))
|
||||
|
||||
|
@ -224,7 +225,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||
'domain_id': DEFAULT_DOMAIN_ID,
|
||||
'password': uuid.uuid4().hex,
|
||||
arbitrary_key: arbitrary_value}
|
||||
ref = self.identity_man.create_user({}, user_id, user)
|
||||
ref = self.identity_man.create_user(user_id, user)
|
||||
self.assertEqual(arbitrary_value, ref[arbitrary_key])
|
||||
self.assertIsNone(ref.get('password'))
|
||||
self.assertIsNone(ref.get('extra'))
|
||||
|
|
|
@ -74,7 +74,7 @@ class ImportLegacy(test.TestCase):
|
|||
|
||||
# check password hashing
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
{}, user_id=admin_id, password='secrete')
|
||||
user_id=admin_id, password='secrete')
|
||||
|
||||
# check catalog
|
||||
self._check_catalog(migration)
|
||||
|
@ -91,7 +91,7 @@ class ImportLegacy(test.TestCase):
|
|||
|
||||
# check password hashing
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
{}, user_id=admin_id, password='secrete')
|
||||
user_id=admin_id, password='secrete')
|
||||
|
||||
# check catalog
|
||||
self._check_catalog(migration)
|
||||
|
@ -108,7 +108,7 @@ class ImportLegacy(test.TestCase):
|
|||
|
||||
# check password hashing
|
||||
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
|
||||
{}, user_id=admin_id, password='secrete')
|
||||
user_id=admin_id, password='secrete')
|
||||
|
||||
# check catalog
|
||||
self._check_catalog(migration)
|
||||
|
|
|
@ -121,8 +121,7 @@ class MigrateNovaAuth(test.TestCase):
|
|||
for _user in FIXTURE['users']:
|
||||
if _user['id'] == old_user:
|
||||
password = _user['password']
|
||||
self.identity_man.authenticate({}, user['id'],
|
||||
tenant_id, password)
|
||||
self.identity_man.authenticate(user['id'], tenant_id, password)
|
||||
|
||||
for ec2_cred in FIXTURE['ec2_credentials']:
|
||||
user_id = users[ec2_cred['user_id']]['id']
|
||||
|
|
Loading…
Reference in New Issue