openstack
/
keystone
Code Issues Proposed changes

Stop passing context to managers (bug 1194938) 

We don't have a use case for passing the request context to the manager
layer, so this patch removes a bunch of cruft.

Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
This commit is contained in:
Dolph Mathews 2013-06-27 10:35:39 -05:00 committed by Adam Young
parent 6c6d15ca8c
commit 911c315656
26 changed files with 444 additions and 605 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
keystone/auth/controllers.py
View File

@ -94,11 +94,9 @@ class AuthInfo(object):
target='domain')
try:
if domain_name:
domain_ref = self.identity_api.get_domain_by_name(
context=self.context, domain_name=domain_name)
domain_ref = self.identity_api.get_domain_by_name(domain_name)
else:
domain_ref = self.identity_api.get_domain(
context=self.context, domain_id=domain_id)
domain_ref = self.identity_api.get_domain(domain_id)
except exception.DomainNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
@ -119,11 +117,9 @@ class AuthInfo(object):
target='project')
domain_ref = self._lookup_domain(project_info['domain'])
project_ref = self.identity_api.get_project_by_name(
context=self.context, tenant_name=project_name,
domain_id=domain_ref['id'])
project_name, domain_ref['id'])
else:
project_ref = self.identity_api.get_project(
context=self.context, tenant_id=project_id)
project_ref = self.identity_api.get_project(project_id)
except exception.ProjectNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
@ -135,7 +131,7 @@ class AuthInfo(object):
if not trust_id:
raise exception.ValidationError(attribute='trust_id',
target='trust')
trust = self.trust_api.get_trust(self.context, trust_id)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
return trust
@ -154,11 +150,9 @@ class AuthInfo(object):
target='user')
domain_ref = self._lookup_domain(user_info['domain'])
user_ref = self.identity_api.get_user_by_name(
context=self.context, user_name=user_name,
domain_id=domain_ref['id'])
user_name, domain_ref['id'])
else:
user_ref = self.identity_api.get_user(
context=self.context, user_id=user_id)
user_ref = self.identity_api.get_user(user_id)
except exception.UserNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
@ -285,10 +279,9 @@ class Auth(controller.V3Controller):
auth_info = AuthInfo(context, auth=auth)
auth_context = {'extras': {}, 'method_names': []}
self.authenticate(context, auth_info, auth_context)
self._check_and_set_default_scoping(context, auth_info,
auth_context)
self._check_and_set_default_scoping(auth_info, auth_context)
(token_id, token_data) = token_factory.create_token(
context, auth_context, auth_info)
auth_context, auth_info)
return token_factory.render_token_data_response(
token_id, token_data, created=True)
except exception.SecurityError:
@ -297,7 +290,7 @@ class Auth(controller.V3Controller):
LOG.exception(e)
raise exception.Unauthorized(e)
def _check_and_set_default_scoping(self, context, auth_info, auth_context):
def _check_and_set_default_scoping(self, auth_info, auth_context):
(domain_id, project_id, trust) = auth_info.get_scope()
if trust:
project_id = trust['project_id']
@ -307,8 +300,7 @@ class Auth(controller.V3Controller):
# fill in default_project_id if it is available
try:
user_ref = self.identity_api.get_user(
context=context, user_id=auth_context['user_id'])
user_ref = self.identity_api.get_user(auth_context['user_id'])
default_project_id = user_ref.get('default_project_id')
if default_project_id:
auth_info.set_scope(domain_id=None,
@ -364,8 +356,7 @@ class Auth(controller.V3Controller):
raise exception.Unauthorized(msg)
def _get_token_ref(self, context, token_id, belongs_to=None):
token_ref = self.token_api.get_token(context=context,
token_id=token_id)
token_ref = self.token_api.get_token(token_id)
if cms.is_ans1_token(token_id):
verified_token = cms.cms_verify(cms.token_to_cms(token_id),
CONF.signing.certfile,
@ -394,9 +385,8 @@ class Auth(controller.V3Controller):
def validate_token(self, context):
token_id = context.get('subject_token_id')
self.check_token(context)
token_ref = self.token_api.get_token(context, token_id)
token_ref = self.token_api.get_token(token_id)
token_data = token_factory.recreate_token_data(
context,
token_ref.get('token_data'),
token_ref['expires'],
token_ref.get('user'),

20
keystone/auth/plugins/password.py
View File

@ -26,9 +26,8 @@ LOG = logging.getLogger(__name__)
class UserAuthInfo(object):
def __init__(self, context, auth_payload):
def __init__(self, auth_payload):
self.identity_api = identity.Manager()
self.context = context
self.user_id = None
self.password = None
self.user_ref = None
@ -55,11 +54,9 @@ class UserAuthInfo(object):
target='domain')
try:
if domain_name:
domain_ref = self.identity_api.get_domain_by_name(
context=self.context, domain_name=domain_name)
domain_ref = self.identity_api.get_domain_by_name(domain_name)
else:
domain_ref = self.identity_api.get_domain(
context=self.context, domain_id=domain_id)
domain_ref = self.identity_api.get_domain(domain_id)
except exception.DomainNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
@ -85,13 +82,11 @@ class UserAuthInfo(object):
target='user')
domain_ref = self._lookup_domain(user_info['domain'])
user_ref = self.identity_api.get_user_by_name(
context=self.context, user_name=user_name,
domain_id=domain_ref['id'])
user_name, domain_ref['id'])
else:
user_ref = self.identity_api.get_user(
context=self.context, user_id=user_id)
user_ref = self.identity_api.get_user(user_id)
domain_ref = self.identity_api.get_domain(
context=self.context, domain_id=user_ref['domain_id'])
user_ref['domain_id'])
self._assert_domain_is_enabled(domain_ref)
except exception.UserNotFound as e:
LOG.exception(e)
@ -104,12 +99,11 @@ class UserAuthInfo(object):
class Password(auth.AuthMethodHandler):
def authenticate(self, context, auth_payload, user_context):
"""Try to authenticate against the identity backend."""
user_info = UserAuthInfo(context, auth_payload)
user_info = UserAuthInfo(auth_payload)
# FIXME(gyee): identity.authenticate() can use some refactoring since
# all we care is password matches
self.identity_api.authenticate(
context=context,
user_id=user_info.user_id,
password=user_info.password)
if 'user_id' not in user_context:

2
keystone/auth/plugins/token.py
View File

@ -35,7 +35,7 @@ class Token(auth.AuthMethodHandler):
raise exception.ValidationError(attribute='id',
target=METHOD_NAME)
token_id = auth_payload['id']
token_ref = self.token_api.get_token(context, token_id)
token_ref = self.token_api.get_token(token_id)
user_context.setdefault(
'user_id', token_ref['token_data']['token']['user']['id'])
# to support Grizzly-3 to Grizzly-RC1 transition

38
keystone/auth/token_factory.py
View File

@ -42,15 +42,13 @@ LOG = logging.getLogger(__name__)
class TokenDataHelper(object):
"""Token data helper."""
def __init__(self, context):
def __init__(self):
self.identity_api = identity.Manager()
self.catalog_api = catalog.Manager()
self.trust_api = trust.Manager()
self.context = context
def _get_filtered_domain(self, domain_id):
domain_ref = self.identity_api.get_domain(self.context,
domain_id)
domain_ref = self.identity_api.get_domain(domain_id)
return {'id': domain_ref['id'], 'name': domain_ref['name']}
def _populate_scope(self, token_data, domain_id, project_id):
@ -60,8 +58,7 @@ class TokenDataHelper(object):
if domain_id:
token_data['domain'] = self._get_filtered_domain(domain_id)
if project_id:
project_ref = self.identity_api.get_project(
self.context, project_id)
project_ref = self.identity_api.get_project(project_id)
filtered_project = {
'id': project_ref['id'],
'name': project_ref['name']}
@ -71,10 +68,10 @@ class TokenDataHelper(object):
def _get_project_roles_for_user(self, user_id, project_id):
roles = self.identity_api.get_roles_for_user_and_project(
self.context, user_id, project_id)
user_id, project_id)
roles_ref = []
for role_id in roles:
role_ref = self.identity_api.get_role(self.context, role_id)
role_ref = self.identity_api.get_role(role_id)
role_ref.setdefault('project_id', project_id)
roles_ref.append(role_ref)
# user have no project roles, therefore access denied
@ -86,10 +83,10 @@ class TokenDataHelper(object):
def _get_domain_roles_for_user(self, user_id, domain_id):
roles = self.identity_api.get_roles_for_user_and_domain(
self.context, user_id, domain_id)
user_id, domain_id)
roles_ref = []
for role_id in roles:
role_ref = self.identity_api.get_role(self.context, role_id)
role_ref = self.identity_api.get_role(role_id)
role_ref.setdefault('domain_id', domain_id)
roles_ref.append(role_ref)
# user have no domain roles, therefore access denied
@ -112,11 +109,10 @@ class TokenDataHelper(object):
if 'user' in token_data:
return
user_ref = self.identity_api.get_user(self.context,
user_id)
user_ref = self.identity_api.get_user(user_id)
if CONF.trust.enabled and trust:
trustor_user_ref = (self.identity_api.get_user(self.context,
trust['trustor_user_id']))
trustor_user_ref = self.identity_api.get_user(
trust['trustor_user_id'])
if not trustor_user_ref['enabled']:
raise exception.Forbidden()
if trust['impersonation']:
@ -178,7 +174,7 @@ class TokenDataHelper(object):
if project_id or domain_id:
try:
service_catalog = self.catalog_api.get_v3_catalog(
self.context, user_id, project_id)
user_id, project_id)
# TODO(ayoung): KVS backend needs a sample implementation
except exception.NotImplemented:
service_catalog = {}
@ -218,7 +214,7 @@ class TokenDataHelper(object):
return {'token': token_data}
def recreate_token_data(context, token_data=None, expires=None,
def recreate_token_data(token_data=None, expires=None,
user_ref=None, project_ref=None):
"""Recreate token from an existing token.
@ -280,7 +276,7 @@ def recreate_token_data(context, token_data=None, expires=None,
token = None
project_id = project_ref['id'] if project_ref else None
user_id = user_ref['id']
token_data_helper = TokenDataHelper(context)
token_data_helper = TokenDataHelper()
return token_data_helper.get_token_data(user_id,
methods,
extras,
@ -290,8 +286,8 @@ def recreate_token_data(context, token_data=None, expires=None,
token=token)
def create_token(context, auth_context, auth_info):
token_data_helper = TokenDataHelper(context)
def create_token(auth_context, auth_info):
token_data_helper = TokenDataHelper()
(domain_id, project_id, trust) = auth_info.get_scope()
method_names = list(set(auth_info.get_method_names() +
auth_context.get('method_names', [])))
@ -338,13 +334,13 @@ def create_token(context, auth_context, auth_info):
metadata=metadata_ref,
token_data=token_data,
trust_id=trust['id'] if trust else None)
token_api.create_token(context, token_id, data)
token_api.create_token(token_id, data)
except Exception:
exc_info = sys.exc_info()
# an identical token may have been created already.
# if so, return the token_data as it is also identical
try:
token_api.get_token(context=context, token_id=token_id)
token_api.get_token(token_id)
except exception.TokenNotFound:
raise exc_info[0], exc_info[1], exc_info[2]

41
keystone/catalog/controllers.py
View File

@ -29,17 +29,17 @@ INTERFACES = ['public', 'internal', 'admin']
class Service(controller.V2Controller):
def get_services(self, context):
self.assert_admin(context)
service_list = self.catalog_api.list_services(context)
service_list = self.catalog_api.list_services()
return {'OS-KSADM:services': service_list}
def get_service(self, context, service_id):
self.assert_admin(context)
service_ref = self.catalog_api.get_service(context, service_id)
service_ref = self.catalog_api.get_service(service_id)
return {'OS-KSADM:service': service_ref}
def delete_service(self, context, service_id):
self.assert_admin(context)
self.catalog_api.delete_service(context, service_id)
self.catalog_api.delete_service(service_id)
def create_service(self, context, OS_KSADM_service):
self.assert_admin(context)
@ -47,7 +47,7 @@ class Service(controller.V2Controller):
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
new_service_ref = self.catalog_api.create_service(
context, service_id, service_ref)
service_id, service_ref)
return {'OS-KSADM:service': new_service_ref}
@ -57,7 +57,7 @@ class Endpoint(controller.V2Controller):
"""Merge matching v3 endpoint refs into legacy refs."""
self.assert_admin(context)
legacy_endpoints = {}
for endpoint in self.catalog_api.list_endpoints(context):
for endpoint in self.catalog_api.list_endpoints():
if not endpoint.get('legacy_endpoint_id'):
# endpoints created in v3 should not appear on the v2 API
continue
@ -104,8 +104,7 @@ class Endpoint(controller.V2Controller):
endpoint_ref['interface'] = interface
endpoint_ref['url'] = url
self.catalog_api.create_endpoint(
context, endpoint_ref['id'], endpoint_ref)
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
legacy_endpoint_ref['id'] = legacy_endpoint_id
return {'endpoint': legacy_endpoint_ref}
@ -115,9 +114,9 @@ class Endpoint(controller.V2Controller):
self.assert_admin(context)
deleted_at_least_one = False
for endpoint in self.catalog_api.list_endpoints(context):
for endpoint in self.catalog_api.list_endpoints():
if endpoint['legacy_endpoint_id'] == endpoint_id:
self.catalog_api.delete_endpoint(context, endpoint['id'])
self.catalog_api.delete_endpoint(endpoint['id'])
deleted_at_least_one = True
if not deleted_at_least_one:
@ -134,29 +133,29 @@ class ServiceV3(controller.V3Controller):
ref = self._assign_unique_id(self._normalize_dict(service))
self._require_attribute(ref, 'type')
ref = self.catalog_api.create_service(context, ref['id'], ref)
ref = self.catalog_api.create_service(ref['id'], ref)
return ServiceV3.wrap_member(context, ref)
@controller.filterprotected('type')
def list_services(self, context, filters):
refs = self.catalog_api.list_services(context)
refs = self.catalog_api.list_services()
return ServiceV3.wrap_collection(context, refs, filters)
@controller.protected
def get_service(self, context, service_id):
ref = self.catalog_api.get_service(context, service_id)
ref = self.catalog_api.get_service(service_id)
return ServiceV3.wrap_member(context, ref)
@controller.protected
def update_service(self, context, service_id, service):
self._require_matching_id(service_id, service)
ref = self.catalog_api.update_service(context, service_id, service)
ref = self.catalog_api.update_service(service_id, service)
return ServiceV3.wrap_member(context, ref)
@controller.protected
def delete_service(self, context, service_id):
return self.catalog_api.delete_service(context, service_id)
return self.catalog_api.delete_service(service_id)
@dependency.requires('catalog_api')
@ -180,19 +179,19 @@ class EndpointV3(controller.V3Controller):
ref = self._assign_unique_id(self._normalize_dict(endpoint))
self._require_attribute(ref, 'service_id')
self._require_attribute(ref, 'interface')
self.catalog_api.get_service(context, ref['service_id'])
self.catalog_api.get_service(ref['service_id'])
ref = self.catalog_api.create_endpoint(context, ref['id'], ref)
ref = self.catalog_api.create_endpoint(ref['id'], ref)
return EndpointV3.wrap_member(context, ref)
@controller.filterprotected('interface', 'service_id')
def list_endpoints(self, context, filters):
refs = self.catalog_api.list_endpoints(context)
refs = self.catalog_api.list_endpoints()
return EndpointV3.wrap_collection(context, refs, filters)
@controller.protected
def get_endpoint(self, context, endpoint_id):
ref = self.catalog_api.get_endpoint(context, endpoint_id)
ref = self.catalog_api.get_endpoint(endpoint_id)
return EndpointV3.wrap_member(context, ref)
@controller.protected
@ -200,11 +199,11 @@ class EndpointV3(controller.V3Controller):
self._require_matching_id(endpoint_id, endpoint)
if 'service_id' in endpoint:
self.catalog_api.get_service(context, endpoint['service_id'])
self.catalog_api.get_service(endpoint['service_id'])
ref = self.catalog_api.update_endpoint(context, endpoint_id, endpoint)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint)
return EndpointV3.wrap_member(context, ref)
@controller.protected
def delete_endpoint(self, context, endpoint_id):
return self.catalog_api.delete_endpoint(context, endpoint_id)
return self.catalog_api.delete_endpoint(endpoint_id)

12
keystone/catalog/core.py
View File

@ -64,38 +64,38 @@ class Manager(manager.Manager):
def __init__(self):
super(Manager, self).__init__(CONF.catalog.driver)
def get_service(self, context, service_id):
def get_service(self, service_id):
try:
return self.driver.get_service(service_id)
except exception.NotFound:
raise exception.ServiceNotFound(service_id=service_id)
def delete_service(self, context, service_id):
def delete_service(self, service_id):
try:
return self.driver.delete_service(service_id)
except exception.NotFound:
raise exception.ServiceNotFound(service_id=service_id)
def create_endpoint(self, context, endpoint_id, endpoint_ref):
def create_endpoint(self, endpoint_id, endpoint_ref):
try:
return self.driver.create_endpoint(endpoint_id, endpoint_ref)
except exception.NotFound:
service_id = endpoint_ref.get('service_id')
raise exception.ServiceNotFound(service_id=service_id)
def delete_endpoint(self, context, endpoint_id):
def delete_endpoint(self, endpoint_id):
try:
return self.driver.delete_endpoint(endpoint_id)
except exception.NotFound:
raise exception.EndpointNotFound(endpoint_id=endpoint_id)
def get_endpoint(self, context, endpoint_id):
def get_endpoint(self, endpoint_id):
try:
return self.driver.get_endpoint(endpoint_id)
except exception.NotFound:
raise exception.EndpointNotFound(endpoint_id=endpoint_id)
def get_catalog(self, context, user_id, tenant_id, metadata=None):
def get_catalog(self, user_id, tenant_id, metadata=None):
try:
return self.driver.get_catalog(user_id, tenant_id, metadata)
except exception.NotFound:

36
keystone/common/controller.py
View File

@ -20,8 +20,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
try:
token_ref = self.token_api.get_token(
context=context, token_id=context['token_id'])
token_ref = self.token_api.get_token(context['token_id'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
@ -61,7 +60,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
except AttributeError:
LOG.debug(_('RBAC: Proceeding without tenant'))
# NOTE(vish): this is pretty inefficient
creds['roles'] = [self.identity_api.get_role(context, role)['name']
creds['roles'] = [self.identity_api.get_role(role)['name']
for role in creds.get('roles', [])]
return creds
@ -97,7 +96,7 @@ def protected(f):
# Simply use the passed kwargs as the target dict, which
# would typically include the prime key of a get/update/delete
# call.
self.policy_api.enforce(context, creds, action, flatten(kwargs))
self.policy_api.enforce(creds, action, flatten(kwargs))
LOG.debug(_('RBAC: Authorization granted'))
return f(self, context, *args, **kwargs)
@ -136,8 +135,7 @@ def filterprotected(*filters):
for key in kwargs:
target[key] = kwargs[key]
self.policy_api.enforce(context, creds, action,
flatten(target))
self.policy_api.enforce(creds, action, flatten(target))
LOG.debug(_('RBAC: Authorization granted'))
else:
@ -152,22 +150,18 @@ def filterprotected(*filters):
class V2Controller(wsgi.Application):
"""Base controller class for Identity API v2."""
def _delete_tokens_for_trust(self, context, user_id, trust_id):
self.token_api.delete_tokens(context, user_id,
trust_id=trust_id)
def _delete_tokens_for_trust(self, user_id, trust_id):
self.token_api.delete_tokens(user_id, trust_id=trust_id)
def _delete_tokens_for_user(self, context, user_id, project_id=None):
def _delete_tokens_for_user(self, user_id, project_id=None):
#First delete tokens that could get other tokens.
self.token_api.delete_tokens(context,
user_id,
tenant_id=project_id)
self.token_api.delete_tokens(user_id, tenant_id=project_id)
#delete tokens generated from trusts
for trust in self.trust_api.list_trusts_for_trustee(context, user_id):
self._delete_tokens_for_trust(context, user_id, trust['id'])
for trust in self.trust_api.list_trusts_for_trustor(context, user_id):
self._delete_tokens_for_trust(context,
trust['trustee_user_id'],
for trust in self.trust_api.list_trusts_for_trustee(user_id):
self._delete_tokens_for_trust(user_id, trust['id'])
for trust in self.trust_api.list_trusts_for_trustor(user_id):
self._delete_tokens_for_trust(trust['trustee_user_id'],
trust['id'])
def _require_attribute(self, ref, attr):
@ -205,10 +199,10 @@ class V3Controller(V2Controller):
collection_name = 'entities'
member_name = 'entity'
def _delete_tokens_for_group(self, context, group_id):
user_refs = self.identity_api.list_users_in_group(context, group_id)
def _delete_tokens_for_group(self, group_id):
user_refs = self.identity_api.list_users_in_group(group_id)
for user in user_refs:
self._delete_tokens_for_user(context, user['id'])
self._delete_tokens_for_user(user['id'])
@classmethod
def base_url(cls, path=None):

5
keystone/common/manager.py
View File

@ -37,13 +37,10 @@ class Manager(object):
def __getattr__(self, name):
"""Forward calls to the underlying driver."""
# NOTE(termie): context is the first argument, we're going to strip
# that for now, in the future we'll probably do some
# logging and whatnot in this class
f = getattr(self.driver, name)
@functools.wraps(f)
def _wrapper(context, *args, **kw):
def _wrapper(*args, **kw):
return f(*args, **kw)
setattr(self, name, _wrapper)
return _wrapper

6
keystone/common/wsgi.py
View File

@ -227,7 +227,7 @@ class Application(BaseApplication):
if not context['is_admin']:
try:
user_token_ref = self.token_api.get_token(
context=context, token_id=context['token_id'])
token_id=context['token_id'])
except exception.TokenNotFound as e:
raise exception.Unauthorized(e)
@ -246,10 +246,10 @@ class Application(BaseApplication):
raise exception.Unauthorized()
# NOTE(vish): this is pretty inefficient
creds['roles'] = [self.identity_api.get_role(context, role)['name']
creds['roles'] = [self.identity_api.get_role(role)['name']
for role in creds.get('roles', [])]
# Accept either is_admin or the admin role
self.policy_api.enforce(context, creds, 'admin_required', {})
self.policy_api.enforce(creds, 'admin_required', {})
class Middleware(Application):

74
keystone/contrib/ec2/core.py
View File

@ -145,26 +145,20 @@ class Ec2Controller(controller.V2Controller):
if 'access' not in credentials:
raise exception.Unauthorized(message='EC2 signature not supplied.')
creds_ref = self._get_credentials(context,
credentials['access'])
creds_ref = self._get_credentials(credentials['access'])
self.check_signature(creds_ref, credentials)
# TODO(termie): don't create new tokens every time
# TODO(termie): this is copied from TokenController.authenticate
token_id = uuid.uuid4().hex
tenant_ref = self.identity_api.get_project(
context=context,
tenant_id=creds_ref['tenant_id'])
user_ref = self.identity_api.get_user(
context=context,
user_id=creds_ref['user_id'])
tenant_ref = self.identity_api.get_project(creds_ref['tenant_id'])
user_ref = self.identity_api.get_user(creds_ref['user_id'])
metadata_ref = self.identity_api.get_metadata(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'])
# Validate that the auth info is valid and nothing is disabled
token.validate_auth_info(self, context, user_ref, tenant_ref)
token.validate_auth_info(self, user_ref, tenant_ref)
# TODO(termie): optimize this call at some point and put it into the
# the return for metadata
@ -172,20 +166,19 @@ class Ec2Controller(controller.V2Controller):
roles = metadata_ref.get('roles', [])
if not roles:
raise exception.Unauthorized(message='User not valid for tenant.')
roles_ref = [self.identity_api.get_role(context, role_id)
roles_ref = [self.identity_api.get_role(role_id)
for role_id in roles]
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'],
metadata=metadata_ref)
token_ref = self.token_api.create_token(
context, token_id, dict(id=token_id,
user=user_ref,
tenant=tenant_ref,
metadata=metadata_ref))
token_id, dict(id=token_id,
user=user_ref,
tenant=tenant_ref,
metadata=metadata_ref))
# TODO(termie): i don't think the ec2 middleware currently expects a
# full return, but it contains a note saying that it
@ -207,14 +200,14 @@ class Ec2Controller(controller.V2Controller):
if not self._is_admin(context):
self._assert_identity(context, user_id)
self._assert_valid_user_id(context, user_id)
self._assert_valid_project_id(context, tenant_id)
self._assert_valid_user_id(user_id)
self._assert_valid_project_id(tenant_id)
cred_ref = {'user_id': user_id,
'tenant_id': tenant_id,
'access': uuid.uuid4().hex,
'secret': uuid.uuid4().hex}
self.ec2_api.create_credential(context, cred_ref['access'], cred_ref)
self.ec2_api.create_credential(cred_ref['access'], cred_ref)
return {'credential': cred_ref}
def get_credentials(self, context, user_id):
@ -226,8 +219,8 @@ class Ec2Controller(controller.V2Controller):
"""
if not self._is_admin(context):
self._assert_identity(context, user_id)
self._assert_valid_user_id(context, user_id)
return {'credentials': self.ec2_api.list_credentials(context, user_id)}
self._assert_valid_user_id(user_id)
return {'credentials': self.ec2_api.list_credentials(user_id)}
def get_credential(self, context, user_id, credential_id):
"""Retrieve a user's access/secret pair by the access key.
@ -241,8 +234,8 @@ class Ec2Controller(controller.V2Controller):
"""
if not self._is_admin(context):
self._assert_identity(context, user_id)
self._assert_valid_user_id(context, user_id)
creds = self._get_credentials(context, credential_id)
self._assert_valid_user_id(user_id)
creds = self._get_credentials(credential_id)
return {'credential': creds}
def delete_credential(self, context, user_id, credential_id):
@ -257,22 +250,20 @@ class Ec2Controller(controller.V2Controller):
"""
if not self._is_admin(context):
self._assert_identity(context, user_id)
self._assert_owner(context, user_id, credential_id)
self._assert_owner(user_id, credential_id)
self._assert_valid_user_id(context, user_id)
self._get_credentials(context, credential_id)
return self.ec2_api.delete_credential(context, credential_id)
self._assert_valid_user_id(user_id)
self._get_credentials(credential_id)
return self.ec2_api.delete_credential(credential_id)
def _get_credentials(self, context, credential_id):
def _get_credentials(self, credential_id):
"""Return credentials from an ID.
:param context: standard context
:param credential_id: id of credential
:raises exception.Unauthorized: when credential id is invalid
:returns: credential: dict of ec2 credential.
"""
creds = self.ec2_api.get_credential(context,
credential_id)
creds = self.ec2_api.get_credential(credential_id)
if not creds:
raise exception.Unauthorized(message='EC2 access key not found.')
return creds
@ -286,9 +277,7 @@ class Ec2Controller(controller.V2Controller):
"""
try:
token_ref = self.token_api.get_token(
context=context,
token_id=context['token_id'])
token_ref = self.token_api.get_token(context['token_id'])
except exception.TokenNotFound as e:
raise exception.Unauthorized(e)
@ -308,20 +297,19 @@ class Ec2Controller(controller.V2Controller):
except exception.Forbidden:
return False
def _assert_owner(self, context, user_id, credential_id):
def _assert_owner(self, user_id, credential_id):
"""Ensure the provided user owns the credential.
:param context: standard context
:param user_id: expected credential owner
:param credential_id: id of credential object
:raises exception.Forbidden: on failure
"""
cred_ref = self.ec2_api.get_credential(context, credential_id)
cred_ref = self.ec2_api.get_credential(credential_id)
if not user_id == cred_ref['user_id']:
raise exception.Forbidden('Credential belongs to another user')
def _assert_valid_user_id(self, context, user_id):
def _assert_valid_user_id(self, user_id):
"""Ensure a valid user id.
:param context: standard context
@ -329,13 +317,11 @@ class Ec2Controller(controller.V2Controller):
:raises exception.UserNotFound: on failure
"""
user_ref = self.identity_api.get_user(
context=context,
user_id=user_id)
user_ref = self.identity_api.get_user(user_id)
if not user_ref:
raise exception.UserNotFound(user_id=user_id)
def _assert_valid_project_id(self, context, tenant_id):
def _assert_valid_project_id(self, tenant_id):
"""Ensure a valid tenant id.
:param context: standard context
@ -343,8 +329,6 @@ class Ec2Controller(controller.V2Controller):
:raises exception.ProjectNotFound: on failure
"""
tenant_ref = self.identity_api.get_project(
context=context,
tenant_id=tenant_id)
tenant_ref = self.identity_api.get_project(tenant_id)
if not tenant_ref:
raise exception.ProjectNotFound(project_id=tenant_id)

14
keystone/contrib/stats/core.py
View File

@ -89,20 +89,20 @@ class StatsController(wsgi.Application):
{
'type': 'identity',
'api': 'admin',
'extra': self.stats_api.get_stats(context, 'admin'),
'extra': self.stats_api.get_stats('admin'),
},
{
'type': 'identity',
'api': 'public',
'extra': self.stats_api.get_stats(context, 'public'),
'extra': self.stats_api.get_stats('public'),
},
]
}
def reset_stats(self, context):
self.assert_admin(context)
self.stats_api.set_stats(context, 'public', dict())
self.stats_api.set_stats(context, 'admin', dict())
self.stats_api.set_stats('public', dict())
self.stats_api.set_stats('admin', dict())
class StatsMiddleware(wsgi.Middleware):
@ -131,10 +131,8 @@ class StatsMiddleware(wsgi.Middleware):
def capture_stats(self, host, obj, attributes):
"""Collect each attribute from the given object."""
for attribute in attributes:
self.stats_api.increment_stat(None,
self._resolve_api(host),
attribute,
getattr(obj, attribute))
self.stats_api.increment_stat(
self._resolve_api(host), attribute, getattr(obj, attribute))
def process_request(self, request):
"""Monitor incoming request attributes."""

7
keystone/contrib/user_crud/core.py
View File

@ -31,8 +31,7 @@ class UserController(identity.controllers.User):
token_id = context.get('token_id')
original_password = user.get('original_password')
token_ref = self.token_api.get_token(context=context,
token_id=token_id)
token_ref = self.token_api.get_token(token_id)
user_id_from_token = token_ref['user']['id']
if user_id_from_token != user_id:
@ -43,7 +42,6 @@ class UserController(identity.controllers.User):
try:
user_ref = self.identity_api.authenticate(
context=context,
user_id=user_id_from_token,
password=original_password)[0]
if not user_ref.get('enabled', True):
@ -63,8 +61,7 @@ class UserController(identity.controllers.User):
token_id = uuid.uuid4().hex
new_token_ref = copy.copy(token_ref)
new_token_ref['id'] = token_id
self.token_api.create_token(context=context, token_id=token_id,
data=new_token_ref)
self.token_api.create_token(token_id, new_token_ref)
logging.debug('TOKEN_REF %s', new_token_ref)
return {'access': {'token': new_token_ref}}

13
keystone/credential/controllers.py
View File

@ -24,29 +24,26 @@ class CredentialV3(controller.V3Controller):
@controller.protected
def create_credential(self, context, credential):
ref = self._assign_unique_id(self._normalize_dict(credential))
ref = self.credential_api.create_credential(context, ref['id'], ref)
ref = self.credential_api.create_credential(ref['id'], ref)
return CredentialV3.wrap_member(context, ref)
@controller.protected
def list_credentials(self, context):
refs = self.credential_api.list_credentials(context)
refs = self.credential_api.list_credentials()
return CredentialV3.wrap_collection(context, refs)
@controller.protected
def get_credential(self, context, credential_id):
ref = self.credential_api.get_credential(context, credential_id)
ref = self.credential_api.get_credential(credential_id)
return CredentialV3.wrap_member(context, ref)
@controller.protected
def update_credential(self, context, credential_id, credential):
self._require_matching_id(credential_id, credential)
ref = self.credential_api.update_credential(
context,
credential_id,
credential)
ref = self.credential_api.update_credential(credential_id, credential)
return CredentialV3.wrap_member(context, ref)
@controller.protected
def delete_credential(self, context, credential_id):
return self.credential_api.delete_credential(context, credential_id)
return self.credential_api.delete_credential(credential_id)

209
keystone/identity/controllers.py
View File

@ -39,7 +39,7 @@ class Tenant(controller.V2Controller):
context, context['query_string'].get('name'))
self.assert_admin(context)
tenant_refs = self.identity_api.list_projects(context)
tenant_refs = self.identity_api.list_projects()
for tenant_ref in tenant_refs:
tenant_ref = self._filter_domain_id(tenant_ref)
params = {
@ -58,19 +58,16 @@ class Tenant(controller.V2Controller):
"""
try:
token_ref = self.token_api.get_token(context=context,
token_id=context['token_id'])
token_ref = self.token_api.get_token(context['token_id'])
except exception.NotFound as e:
LOG.warning('Authentication failed: %s' % e)
raise exception.Unauthorized(e)
user_ref = token_ref['user']
tenant_ids = self.identity_api.get_projects_for_user(
context, user_ref['id'])
tenant_ids = self.identity_api.get_projects_for_user(user_ref['id'])
tenant_refs = []
for tenant_id in tenant_ids:
ref = self.identity_api.get_project(
context=context, tenant_id=tenant_id)
ref = self.identity_api.get_project(tenant_id)
tenant_refs.append(self._filter_domain_id(ref))
params = {
'limit': context['query_string'].get('limit'),
@ -81,13 +78,13 @@ class Tenant(controller.V2Controller):
def get_project(self, context, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
ref = self.identity_api.get_project(context, tenant_id)
ref = self.identity_api.get_project(tenant_id)
return {'tenant': self._filter_domain_id(ref)}
def get_project_by_name(self, context, tenant_name):
self.assert_admin(context)
ref = self.identity_api.get_project_by_name(
context, tenant_name, DEFAULT_DOMAIN_ID)
tenant_name, DEFAULT_DOMAIN_ID)
return {'tenant': self._filter_domain_id(ref)}
# CRUD Extension
@ -101,7 +98,7 @@ class Tenant(controller.V2Controller):
self.assert_admin(context)
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
tenant = self.identity_api.create_project(
context, tenant_ref['id'],
tenant_ref['id'],
self._normalize_domain_id(context, tenant_ref))
return {'tenant': self._filter_domain_id(tenant)}
@ -112,16 +109,16 @@ class Tenant(controller.V2Controller):
clean_tenant = tenant.copy()
clean_tenant.pop('domain_id', None)
tenant_ref = self.identity_api.update_project(
context, tenant_id, clean_tenant)
tenant_id, clean_tenant)
return {'tenant': tenant_ref}
def delete_project(self, context, tenant_id):
self.assert_admin(context)
self.identity_api.delete_project(context, tenant_id)
self.identity_api.delete_project(tenant_id)
def get_project_users(self, context, tenant_id, **kw):
self.assert_admin(context)
user_refs = self.identity_api.get_project_users(context, tenant_id)
user_refs = self.identity_api.get_project_users(tenant_id)
for user_ref in user_refs:
self._filter_domain_id(user_ref)
return {'users': user_refs}
@ -164,7 +161,7 @@ class Tenant(controller.V2Controller):
class User(controller.V2Controller):
def get_user(self, context, user_id):
self.assert_admin(context)
ref = self.identity_api.get_user(context, user_id)
ref = self.identity_api.get_user(user_id)
return {'user': self._filter_domain_id(ref)}
def get_users(self, context):
@ -175,7 +172,7 @@ class User(controller.V2Controller):
context, context['query_string'].get('name'))
self.assert_admin(context)
user_list = self.identity_api.list_users(context)
user_list = self.identity_api.list_users()
for x in user_list:
self._filter_domain_id(x)
return {'users': user_list}
@ -183,7 +180,7 @@ class User(controller.V2Controller):
def get_user_by_name(self, context, user_name):
self.assert_admin(context)
ref = self.identity_api.get_user_by_name(
context, user_name, DEFAULT_DOMAIN_ID)
user_name, DEFAULT_DOMAIN_ID)
return {'user': self._filter_domain_id(ref)}
# CRUD extension
@ -200,17 +197,14 @@ class User(controller.V2Controller):
default_tenant_id = user.get('tenantId', None)
if (default_tenant_id is not None
and self.identity_api.get_project(context,
default_tenant_id) is None):
and self.identity_api.get_project(default_tenant_id) is None):
raise exception.ProjectNotFound(project_id=default_tenant_id)
user_id = uuid.uuid4().hex
user_ref = self._normalize_domain_id(context, user.copy())
user_ref['id'] = user_id
new_user_ref = self.identity_api.create_user(
context, user_id, user_ref)
new_user_ref = self.identity_api.create_user(user_id, user_ref)
if default_tenant_id:
self.identity_api.add_user_to_project(context,
default_tenant_id, user_id)
self.identity_api.add_user_to_project(default_tenant_id, user_id)
return {'user': self._filter_domain_id(new_user_ref)}
def update_user(self, context, user_id, user):
@ -221,17 +215,17 @@ class User(controller.V2Controller):
msg = 'Enabled field should be a boolean'
raise exception.ValidationError(message=msg)
user_ref = self.identity_api.update_user(context, user_id, user)
user_ref = self.identity_api.update_user(user_id, user)
if user.get('password') or not user.get('enabled', True):
# If the password was changed or the user was disabled we clear tokens
self._delete_tokens_for_user(context, user_id)
self._delete_tokens_for_user(user_id)
return {'user': self._filter_domain_id(user_ref)}
def delete_user(self, context, user_id):
self.assert_admin(context)
self.identity_api.delete_user(context, user_id)
self._delete_tokens_for_user(context, user_id)
self.identity_api.delete_user(user_id)
self._delete_tokens_for_user(user_id)
def set_user_enabled(self, context, user_id, user):
return self.update_user(context, user_id, user)
@ -246,7 +240,7 @@ class User(controller.V2Controller):
try:
# ensure that we're a member of that tenant
self.identity_api.add_user_to_project(
context, user.get('tenantId'), user_id)
user.get('tenantId'), user_id)
except exception.Conflict:
# we're already a member of that tenant
pass
@ -269,14 +263,14 @@ class Role(controller.V2Controller):
'tenant ID required')
roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id)
return {'roles': [self.identity_api.get_role(context, x)
user_id, tenant_id)
return {'roles': [self.identity_api.get_role(x)
for x in roles]}
# CRUD extension
def get_role(self, context, role_id):
self.assert_admin(context)
return {'role': self.identity_api.get_role(context, role_id)}
return {'role': self.identity_api.get_role(role_id)}
def create_role(self, context, role):
role = self._normalize_dict(role)
@ -288,16 +282,16 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
role_ref = self.identity_api.create_role(context, role_id, role)
role_ref = self.identity_api.create_role(role_id, role)
return {'role': role_ref}
def delete_role(self, context, role_id):
self.assert_admin(context)
self.identity_api.delete_role(context, role_id)
self.identity_api.delete_role(role_id)
def get_roles(self, context):
self.assert_admin(context)
return {'roles': self.identity_api.list_roles(context)}
return {'roles': self.identity_api.list_roles()}
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
"""Add a role to a user and tenant pair.
@ -312,9 +306,9 @@ class Role(controller.V2Controller):
'tenant_id required')
self.identity_api.add_role_to_user_and_project(
context, user_id, tenant_id, role_id)
user_id, tenant_id, role_id)
role_ref = self.identity_api.get_role(context, role_id)
role_ref = self.identity_api.get_role(role_id)
return {'role': role_ref}
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
@ -332,8 +326,8 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant, so we must follow up on that
self.identity_api.remove_role_from_user_and_project(
context, user_id, tenant_id, role_id)
self._delete_tokens_for_user(context, user_id)
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
# COMPAT(diablo): CRUD extension
def get_role_refs(self, context, user_id):
@ -347,12 +341,12 @@ class Role(controller.V2Controller):
"""
self.assert_admin(context)
# Ensure user exists by getting it first.
self.identity_api.get_user(context, user_id)
tenant_ids = self.identity_api.get_projects_for_user(context, user_id)
self.identity_api.get_user(user_id)
tenant_ids = self.identity_api.get_projects_for_user(user_id)
o = []
for tenant_id in tenant_ids:
role_ids = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id)
user_id, tenant_id)
for role_id in role_ids:
ref = {'roleId': role_id,
'tenantId': tenant_id,
@ -374,10 +368,10 @@ class Role(controller.V2Controller):
tenant_id = role.get('tenantId')
role_id = role.get('roleId')
self.identity_api.add_role_to_user_and_project(
context, user_id, tenant_id, role_id)
self._delete_tokens_for_user(context, user_id)
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
role_ref = self.identity_api.get_role(context, role_id)
role_ref = self.identity_api.get_role(role_id)
return {'role': role_ref}
# COMPAT(diablo): CRUD extension
@ -398,8 +392,8 @@ class Role(controller.V2Controller):
tenant_id = role_ref_ref.get('tenantId')[0]
role_id = role_ref_ref.get('roleId')[0]
self.identity_api.remove_role_from_user_and_project(
context, user_id, tenant_id, role_id)
self._delete_tokens_for_user(context, user_id)
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
class DomainV3(controller.V3Controller):
@ -409,50 +403,47 @@ class DomainV3(controller.V3Controller):
@controller.protected
def create_domain(self, context, domain):
ref = self._assign_unique_id(self._normalize_dict(domain))
ref = self.identity_api.create_domain(context, ref['id'], ref)
ref = self.identity_api.create_domain(ref['id'], ref)
return DomainV3.wrap_member(context, ref)
@controller.filterprotected('enabled', 'name')
def list_domains(self, context, filters):
refs = self.identity_api.list_domains(context)
refs = self.identity_api.list_domains()
return DomainV3.wrap_collection(context, refs, filters)
@controller.protected
def get_domain(self, context, domain_id):
ref = self.identity_api.get_domain(context, domain_id)
ref = self.identity_api.get_domain(domain_id)
return DomainV3.wrap_member(context, ref)
@controller.protected
def update_domain(self, context, domain_id, domain):
self._require_matching_id(domain_id, domain)
ref = self.identity_api.update_domain(context, domain_id, domain)
ref = self.identity_api.update_domain(domain_id, domain)
# disable owned users & projects when the API user specifically set
# enabled=False
# FIXME(dolph): need a driver call to directly revoke all tokens by
# project or domain, regardless of user
if not domain.get('enabled', True):
projects = [x for x in self.identity_api.list_projects(context)
projects = [x for x in self.identity_api.list_projects()
if x.get('domain_id') == domain_id]
for user in self.identity_api.list_users(context):
for user in self.identity_api.list_users():
# TODO(dolph): disable domain-scoped tokens
"""
self.token_api.revoke_tokens(
context,
user_id=user['id'],
domain_id=domain_id)
"""
# revoke all tokens for users owned by this domain
if user.get('domain_id') == domain_id:
self._delete_tokens_for_user(
context, user['id'])
self._delete_tokens_for_user(user['id'])
else:
# only revoke tokens on projects owned by this domain
for project in projects:
self._delete_tokens_for_user(
context, user['id'],
project_id=project['id'])
user['id'], project_id=project['id'])
return DomainV3.wrap_member(context, ref)
def _delete_domain_contents(self, context, domain_id):
@ -480,20 +471,20 @@ class DomainV3(controller.V3Controller):
# users of a disabled domain are prevented from authenticating.
# However there are some existing bugs in this area (e.g. 1130236).
# Consider removing this code once these have been fixed.
user_refs = self.identity_api.list_users(context)
user_refs = self.identity_api.list_users()
user_refs = [r for r in user_refs if r['domain_id'] == domain_id]
for user in user_refs:
if user['enabled']:
user['enabled'] = False
self.identity_api.update_user(context, user['id'], user)
self._delete_tokens_for_user(context, user['id'])
self.identity_api.update_user(user['id'], user)
self._delete_tokens_for_user(user['id'])
# Now, for safety, reload list of users, as well as projects, that are
# owned by this domain.
user_refs = self.identity_api.list_users(context)
user_refs = self.identity_api.list_users()
user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id]
proj_refs = self.identity_api.list_projects(context)
proj_refs = self.identity_api.list_projects()
proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id]
# First delete the projects themselves
@ -502,7 +493,7 @@ class DomainV3(controller.V3Controller):
project_cntl._delete_project(context, project)
# Get the list of groups owned by this domain and delete them
group_refs = self.identity_api.list_groups(context)
group_refs = self.identity_api.list_groups()
group_ids = ([r['id'] for r in group_refs
if r['domain_id'] == domain_id])
group_cntl = GroupV3()
@ -526,14 +517,14 @@ class DomainV3(controller.V3Controller):
# has been previously disabled. This also prevents a user deleting
# their own domain since, once it is disabled, they won't be able
# to get a valid token to issue this delete.
ref = self.identity_api.get_domain(context, domain_id)
ref = self.identity_api.get_domain(domain_id)
if ref['enabled']:
raise exception.ForbiddenAction(
action='delete a domain that is not disabled')
# OK, we are go for delete!
self._delete_domain_contents(context, domain_id)
return self.identity_api.delete_domain(context, domain_id)
return self.identity_api.delete_domain(domain_id)
def _get_domain_by_name(self, context, domain_name):
"""Get the domain via its unique name.
@ -542,8 +533,7 @@ class DomainV3(controller.V3Controller):
router as a public api.
"""
ref = self.identity_api.get_domain_by_name(
context, domain_name)
ref = self.identity_api.get_domain_by_name(domain_name)
return {'domain': ref}
@ -555,40 +545,40 @@ class ProjectV3(controller.V3Controller):
def create_project(self, context, project):
ref = self._assign_unique_id(self._normalize_dict(project))
ref = self._normalize_domain_id(context, ref)
ref = self.identity_api.create_project(context, ref['id'], ref)
ref = self.identity_api.create_project(ref['id'], ref)
return ProjectV3.wrap_member(context, ref)
@controller.filterprotected('domain_id', 'enabled', 'name')
def list_projects(self, context, filters):
refs = self.identity_api.list_projects(context)
refs = self.identity_api.list_projects()
return ProjectV3.wrap_collection(context, refs, filters)
@controller.filterprotected('enabled', 'name')
def list_user_projects(self, context, filters, user_id):
refs = self.identity_api.list_user_projects(context, user_id)
refs = self.identity_api.list_user_projects(user_id)
return ProjectV3.wrap_collection(context, refs, filters)
@controller.protected
def get_project(self, context, project_id):
ref = self.identity_api.get_project(context, project_id)
ref = self.identity_api.get_project(project_id)
return ProjectV3.wrap_member(context, ref)
@controller.protected
def update_project(self, context, project_id, project):
self._require_matching_id(project_id, project)
ref = self.identity_api.update_project(context, project_id, project)
ref = self.identity_api.update_project(project_id, project)
return ProjectV3.wrap_member(context, ref)
def _delete_project(self, context, project_id):
# Delete any credentials that reference this project
for cred in self.credential_api.list_credentials(context):
for cred in self.credential_api.list_credentials():
if cred['project_id'] == project_id:
self.credential_api.delete_credential(context, cred['id'])
self.credential_api.delete_credential(cred['id'])
# Finally delete the project itself - the backend is
# responsible for deleting any role assignments related
# to this project
return self.identity_api.delete_project(context, project_id)
return self.identity_api.delete_project(project_id)
@controller.protected
def delete_project(self, context, project_id):
@ -603,66 +593,63 @@ class UserV3(controller.V3Controller):
def create_user(self, context, user):
ref = self._assign_unique_id(self._normalize_dict(user))
ref = self._normalize_domain_id(context, ref)
ref = self.identity_api.create_user(context, ref['id'], ref)
ref = self.identity_api.create_user(ref['id'], ref)
return UserV3.wrap_member(context, ref)
@controller.filterprotected('domain_id', 'email', 'enabled', 'name')
def list_users(self, context, filters):
refs = self.identity_api.list_users(context)
refs = self.identity_api.list_users()
return UserV3.wrap_collection(context, refs, filters)
@controller.filterprotected('domain_id', 'email', 'enabled', 'name')
def list_users_in_group(self, context, filters, group_id):
refs = self.identity_api.list_users_in_group(context, group_id)
refs = self.identity_api.list_users_in_group(group_id)
return UserV3.wrap_collection(context, refs, filters)
@controller.protected
def get_user(self, context, user_id):
ref = self.identity_api.get_user(context, user_id)
ref = self.identity_api.get_user(user_id)
return UserV3.wrap_member(context, ref)
@controller.protected
def update_user(self, context, user_id, user):
self._require_matching_id(user_id, user)
ref = self.identity_api.update_user(context, user_id, user)
ref = self.identity_api.update_user(user_id, user)
if user.get('password') or not user.get('enabled', True):
# revoke all tokens owned by this user
self._delete_tokens_for_user(context, user_id)
self._delete_tokens_for_user(user_id)
return UserV3.wrap_member(context, ref)
@controller.protected
def add_user_to_group(self, context, user_id, group_id):
self.identity_api.add_user_to_group(
context, user_id, group_id)
self.identity_api.add_user_to_group(user_id, group_id)
# Delete any tokens so that group membership can have an
# immediate effect
self._delete_tokens_for_user(context, user_id)
self._delete_tokens_for_user(user_id)
@controller.protected
def check_user_in_group(self, context, user_id, group_id):
return self.identity_api.check_user_in_group(context,
user_id, group_id)
return self.identity_api.check_user_in_group(user_id, group_id)
@controller.protected
def remove_user_from_group(self, context, user_id, group_id):
self.identity_api.remove_user_from_group(
context, user_id, group_id)
self._delete_tokens_for_user(context, user_id)
self.identity_api.remove_user_from_group(user_id, group_id)
self._delete_tokens_for_user(user_id)
def _delete_user(self, context, user_id):
# Delete any credentials that reference this user
for cred in self.credential_api.list_credentials(context):
for cred in self.credential_api.list_credentials():
if cred['user_id'] == user_id:
self.credential_api.delete_credential(context, cred['id'])
self.credential_api.delete_credential(cred['id'])
# Make sure any tokens are marked as deleted
self._delete_tokens_for_user(context, user_id)
self._delete_tokens_for_user(user_id)
# Finally delete the user itself - the backend is
# responsible for deleting any role assignments related
# to this user
return self.identity_api.delete_user(context, user_id)
return self.identity_api.delete_user(user_id)
@controller.protected
def delete_user(self, context, user_id):
@ -677,29 +664,29 @@ class GroupV3(controller.V3Controller):
def create_group(self, context, group):
ref = self._assign_unique_id(self._normalize_dict(group))
ref = self._normalize_domain_id(context, ref)
ref = self.identity_api.create_group(context, ref['id'], ref)
ref = self.identity_api.create_group(ref['id'], ref)
return GroupV3.wrap_member(context, ref)
@controller.filterprotected('domain_id', 'name')
def list_groups(self, context, filters):
refs = self.identity_api.list_groups(context)
refs = self.identity_api.list_groups()
return GroupV3.wrap_collection(context, refs, filters)
@controller.filterprotected('name')
def list_groups_for_user(self, context, filters, user_id):
refs = self.identity_api.list_groups_for_user(context, user_id)
refs = self.identity_api.list_groups_for_user(user_id)
return GroupV3.wrap_collection(context, refs, filters)
@controller.protected
def get_group(self, context, group_id):
ref = self.identity_api.get_group(context, group_id)
ref = self.identity_api.get_group(group_id)
return GroupV3.wrap_member(context, ref)
@controller.protected
def update_group(self, context, group_id, group):
self._require_matching_id(group_id, group)
ref = self.identity_api.update_group(context, group_id, group)
ref = self.identity_api.update_group(group_id, group)
return GroupV3.wrap_member(context, ref)
def _delete_group(self, context, group_id):
@ -709,10 +696,10 @@ class GroupV3(controller.V3Controller):
# deletion, so that we can remove these tokens after we know
# the group deletion succeeded.
user_refs = self.identity_api.list_users_in_group(context, group_id)
self.identity_api.delete_group(context, group_id)
user_refs = self.identity_api.list_users_in_group(group_id)
self.identity_api.delete_group(group_id)
for user in user_refs:
self._delete_tokens_for_user(context, user['id'])
self._delete_tokens_for_user(user['id'])
@controller.protected
def delete_group(self, context, group_id):
@ -726,29 +713,29 @@ class RoleV3(controller.V3Controller):
@controller.protected
def create_role(self, context, role):
ref = self._assign_unique_id(self._normalize_dict(role))
ref = self.identity_api.create_role(context, ref['id'], ref)
ref = self.identity_api.create_role(ref['id'], ref)
return RoleV3.wrap_member(context, ref)
@controller.filterprotected('name')
def list_roles(self, context, filters):
refs = self.identity_api.list_roles(context)
refs = self.identity_api.list_roles()
return RoleV3.wrap_collection(context, refs, filters)
@controller.protected
def get_role(self, context, role_id):
ref = self.identity_api.get_role(context, role_id)
ref = self.identity_api.get_role(role_id)
return RoleV3.wrap_member(context, ref)
@controller.protected
def update_role(self, context, role_id, role):
self._require_matching_id(role_id, role)
ref = self.identity_api.update_role(context, role_id, role)
ref = self.identity_api.update_role(role_id, role)
return RoleV3.wrap_member(context, ref)
@controller.protected
def delete_role(self, context, role_id):
return self.identity_api.delete_role(context, role_id)
return self.identity_api.delete_role(role_id)
def _require_domain_xor_project(self, domain_id, project_id):
if (domain_id and project_id) or (not domain_id and not project_id):
@ -768,7 +755,7 @@ class RoleV3(controller.V3Controller):
self._require_user_xor_group(user_id, group_id)
self.identity_api.create_grant(
context, role_id, user_id, group_id, domain_id, project_id)
role_id, user_id, group_id, domain_id, project_id)
@controller.protected
def list_grants(self, context, user_id=None, group_id=None,
@ -778,7 +765,7 @@ class RoleV3(controller.V3Controller):
self._require_user_xor_group(user_id, group_id)
refs = self.identity_api.list_grants(
context, user_id, group_id, domain_id, project_id)
user_id, group_id, domain_id, project_id)
return RoleV3.wrap_collection(context, refs)
@controller.protected
@ -789,7 +776,7 @@ class RoleV3(controller.V3Controller):
self._require_user_xor_group(user_id, group_id)
self.identity_api.get_grant(
context, role_id, user_id, group_id, domain_id, project_id)
role_id, user_id, group_id, domain_id, project_id)
@controller.protected
def revoke_grant(self, context, role_id, user_id=None, group_id=None,
@ -799,11 +786,11 @@ class RoleV3(controller.V3Controller):
self._require_user_xor_group(user_id, group_id)
self.identity_api.delete_grant(
context, role_id, user_id, group_id, domain_id, project_id)
role_id, user_id, group_id, domain_id, project_id)
# Now delete any tokens for this user or, in the case of a group,
# tokens from all the uses who are members of this group.
if user_id:
self._delete_tokens_for_user(context, user_id)
self._delete_tokens_for_user(user_id)
else:
self._delete_tokens_for_group(context, group_id)
self._delete_tokens_for_group(group_id)

13
keystone/identity/core.py
View File

@ -63,8 +63,7 @@ class Manager(manager.Manager):
def __init__(self):
super(Manager, self).__init__(CONF.identity.driver)
def authenticate(self, context, user_id=None,
tenant_id=None, password=None):
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate a given user and password and
authorize them for a tenant.
:returns: (user_ref, tenant_ref, metadata_ref)
@ -73,14 +72,14 @@ class Manager(manager.Manager):
user_ref = self.driver.authenticate_user(user_id, password)
return self.driver.authorize_for_project(user_ref, tenant_id)
def create_user(self, context, user_id, user_ref):
def create_user(self, user_id, user_ref):
user = user_ref.copy()
user['name'] = clean.user_name(user['name'])
user.setdefault('enabled', True)
user['enabled'] = clean.user_enabled(user['enabled'])
return self.driver.create_user(user_id, user)
def update_user(self, context, user_id, user_ref):
def update_user(self, user_id, user_ref):
user = user_ref.copy()
if 'name' in user:
user['name'] = clean.user_name(user['name'])
@ -88,19 +87,19 @@ class Manager(manager.Manager):
user['enabled'] = clean.user_enabled(user['enabled'])
return self.driver.update_user(user_id, user)
def create_group(self, context, group_id, group_ref):
def create_group(self, group_id, group_ref):
group = group_ref.copy()
group.setdefault('description', '')
return self.driver.create_group(group_id, group)
def create_project(self, context, tenant_id, tenant_ref):
def create_project(self, tenant_id, tenant_ref):
tenant = tenant_ref.copy()
tenant.setdefault('enabled', True)
tenant['enabled'] = clean.project_enabled(tenant['enabled'])
tenant.setdefault('description', '')
return self.driver.create_project(tenant_id, tenant)
def update_project(self, context, tenant_id, tenant_ref):
def update_project(self, tenant_id, tenant_ref):
tenant = tenant_ref.copy()
if 'enabled' in tenant:
tenant['enabled'] = clean.project_enabled(tenant['enabled'])

10
keystone/policy/controllers.py
View File

@ -27,24 +27,24 @@ class PolicyV3(controller.V3Controller):
self._require_attribute(ref, 'blob')
self._require_attribute(ref, 'type')
ref = self.policy_api.create_policy(context, ref['id'], ref)
ref = self.policy_api.create_policy(ref['id'], ref)
return PolicyV3.wrap_member(context, ref)
@controller.filterprotected('type')
def list_policies(self, context, filters):
refs = self.policy_api.list_policies(context)
refs = self.policy_api.list_policies()
return PolicyV3.wrap_collection(context, refs, filters)
@controller.protected
def get_policy(self, context, policy_id):
ref = self.policy_api.get_policy(context, policy_id)
ref = self.policy_api.get_policy(policy_id)
return PolicyV3.wrap_member(context, ref)
@controller.protected
def update_policy(self, context, policy_id, policy):
ref = self.policy_api.update_policy(context, policy_id, policy)
ref = self.policy_api.update_policy(policy_id, policy)
return PolicyV3.wrap_member(context, ref)
@controller.protected
def delete_policy(self, context, policy_id):
return self.policy_api.delete_policy(context, policy_id)
return self.policy_api.delete_policy(policy_id)

6
keystone/policy/core.py
View File

@ -38,13 +38,13 @@ class Manager(manager.Manager):
def __init__(self):
super(Manager, self).__init__(CONF.policy.driver)
def get_policy(self, context, policy_id):
def get_policy(self, policy_id):
try:
return self.driver.get_policy(policy_id)
except exception.NotFound:
raise exception.PolicyNotFound(policy_id=policy_id)
def update_policy(self, context, policy_id, policy):
def update_policy(self, policy_id, policy):
if 'id' in policy and policy_id != policy['id']:
raise exception.ValidationError('Cannot change policy ID')
try:
@ -52,7 +52,7 @@ class Manager(manager.Manager):
except exception.NotFound:
raise exception.PolicyNotFound(policy_id=policy_id)
def delete_policy(self, context, policy_id):
def delete_policy(self, policy_id):
try:
return self.driver.delete_policy(policy_id)
except exception.NotFound:

122
keystone/token/controllers.py
View File

@ -80,7 +80,7 @@ class Auth(controller.V2Controller):
context, auth)
user_ref, tenant_ref, metadata_ref, expiry = auth_info
core.validate_auth_info(self, context, user_ref, tenant_ref)
core.validate_auth_info(self, user_ref, tenant_ref)
trust_id = metadata_ref.get('trust_id')
user_ref = self._filter_domain_id(user_ref)
if tenant_ref:
@ -92,7 +92,6 @@ class Auth(controller.V2Controller):
if tenant_ref:
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'],
metadata=metadata_ref)
@ -103,7 +102,7 @@ class Auth(controller.V2Controller):
roles_ref = []
for role_id in metadata_ref.get('roles', []):
role_ref = self.identity_api.get_role(context, role_id)
role_ref = self.identity_api.get_role(role_id)
roles_ref.append(dict(name=role_ref['name']))
token_data = Auth.format_token(auth_token_data, roles_ref)
@ -128,19 +127,19 @@ class Auth(controller.V2Controller):
CONF.signing.token_format)
try:
self.token_api.create_token(
context, token_id, dict(key=token_id,
id=token_id,
expires=auth_token_data['expires'],
user=user_ref,
tenant=tenant_ref,
metadata=metadata_ref,
trust_id=trust_id))
token_id, dict(key=token_id,
id=token_id,
expires=auth_token_data['expires'],
user=user_ref,
tenant=tenant_ref,
metadata=metadata_ref,
trust_id=trust_id))
except Exception:
exc_info = sys.exc_info()
# an identical token may have been created already.
# if so, return the token_data as it is also identical
try:
self.token_api.get_token(context=context, token_id=token_id)
self.token_api.get_token(token_id)
except exception.TokenNotFound:
raise exc_info[0], exc_info[1], exc_info[2]
@ -167,8 +166,7 @@ class Auth(controller.V2Controller):
size=CONF.max_token_size)
try:
old_token_ref = self.token_api.get_token(context=context,
token_id=old_token)
old_token_ref = self.token_api.get_token(old_token)
except exception.NotFound as e:
raise exception.Unauthorized(e)
@ -183,7 +181,7 @@ class Auth(controller.V2Controller):
if not CONF.trust.enabled and 'trust_id' in auth:
raise exception.Forbidden('Trusts are disabled.')
elif CONF.trust.enabled and 'trust_id' in auth:
trust_ref = self.trust_api.get_trust(context, auth['trust_id'])
trust_ref = self.trust_api.get_trust(auth['trust_id'])
if trust_ref is None:
raise exception.Forbidden()
if user_id != trust_ref['trustee_user_id']:
@ -193,13 +191,12 @@ class Auth(controller.V2Controller):
if expiry < timeutils.parse_isotime(timeutils.isotime()):
raise exception.Forbidden()()
user_id = trust_ref['trustor_user_id']
trustor_user_ref = (self.identity_api.get_user(
context=context,
user_id=trust_ref['trustor_user_id']))
trustor_user_ref = self.identity_api.get_user(
trust_ref['trustor_user_id'])
if not trustor_user_ref['enabled']:
raise exception.Forbidden()()
trustee_user_ref = self.identity_api.get_user(
context, trust_ref['trustee_user_id'])
trust_ref['trustee_user_id'])
if not trustee_user_ref['enabled']:
raise exception.Forbidden()()
if trust_ref['impersonation'] == 'True':
@ -208,13 +205,12 @@ class Auth(controller.V2Controller):
current_user_ref = trustee_user_ref
else:
current_user_ref = self.identity_api.get_user(context=context,
user_id=user_id)
current_user_ref = self.identity_api.get_user(user_id)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
tenant_ref = self._get_project_ref(user_id, tenant_id)
metadata_ref = self._get_metadata_ref(user_id, tenant_id)
# TODO(henry-nash): If no tenant was specified, instead check for a
# domain and find any related user/group roles
@ -282,17 +278,15 @@ class Auth(controller.V2Controller):
if username:
try:
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username,
domain_id=DEFAULT_DOMAIN_ID)
username, DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_id = self._get_project_id_from_auth(auth)
try:
auth_info = self.identity_api.authenticate(
context=context,
user_id=user_id,
password=password,
tenant_id=tenant_id)
@ -325,16 +319,15 @@ class Auth(controller.V2Controller):
username = context['REMOTE_USER']
try:
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username,
domain_id=DEFAULT_DOMAIN_ID)
username, DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
tenant_ref = self._get_project_ref(user_id, tenant_id)
metadata_ref = self._get_metadata_ref(user_id, tenant_id)
# TODO(henry-nash): If no tenant was specified, instead check for a
# domain and find any related user/group roles
@ -352,7 +345,7 @@ class Auth(controller.V2Controller):
metadata=metadata,
expires=expiry)
def _get_project_id_from_auth(self, context, auth):
def _get_project_id_from_auth(self, auth):
"""Extract tenant information from auth dict.
Returns a valid tenant_id if it exists, or None if not specified.
@ -370,14 +363,13 @@ class Auth(controller.V2Controller):
if tenant_name:
try:
tenant_ref = self.identity_api.get_project_by_name(
context=context, tenant_name=tenant_name,
domain_id=DEFAULT_DOMAIN_ID)
tenant_name, DEFAULT_DOMAIN_ID)
tenant_id = tenant_ref['id']
except exception.ProjectNotFound as e:
raise exception.Unauthorized(e)
return tenant_id
def _get_domain_id_from_auth(self, context, auth):
def _get_domain_id_from_auth(self, auth):
"""Extract domain information from v3 auth dict.
Returns a valid domain_id if it exists, or None if not specified.
@ -390,17 +382,17 @@ class Auth(controller.V2Controller):
if domain_name:
try:
domain_ref = self.identity_api._get_domain_by_name(
context=context, domain_name=domain_name)
domain_name)
domain_id = domain_ref['id']
except exception.DomainNotFound as e:
raise exception.Unauthorized(e)
return domain_id
def _get_project_ref(self, context, user_id, tenant_id):
def _get_project_ref(self, user_id, tenant_id):
"""Returns the tenant_ref for the user's tenant."""
tenant_ref = None
if tenant_id:
tenants = self.identity_api.get_projects_for_user(context, user_id)
tenants = self.identity_api.get_projects_for_user(user_id)
if tenant_id not in tenants:
msg = 'User %s is unauthorized for tenant %s' % (
user_id, tenant_id)
@ -408,21 +400,20 @@ class Auth(controller.V2Controller):
raise exception.Unauthorized(msg)
try:
tenant_ref = self.identity_api.get_project(context=context,
tenant_id=tenant_id)
tenant_ref = self.identity_api.get_project(tenant_id)
except exception.ProjectNotFound as e:
exception.Unauthorized(e)
return tenant_ref
def _get_metadata_ref(self, context, user_id=None, tenant_id=None,
domain_id=None, group_id=None):
def _get_metadata_ref(self, user_id=None, tenant_id=None, domain_id=None,
group_id=None):
"""Returns metadata_ref for a user or group in a tenant or domain."""
metadata_ref = {}
if (user_id or group_id) and (tenant_id or domain_id):
try:
metadata_ref = self.identity_api.get_metadata(
context=context, user_id=user_id, tenant_id=tenant_id,
user_id=user_id, tenant_id=tenant_id,
domain_id=domain_id, group_id=group_id)
except exception.MetadataNotFound:
pass
@ -431,14 +422,11 @@ class Auth(controller.V2Controller):
def _get_group_metadata_ref(self, context, user_id,
tenant_id=None, domain_id=None):
"""Return any metadata for this project/domain due to group grants."""
group_refs = self.identity_api.list_groups_for_user(context=context,
user_id=user_id)
group_refs = self.identity_api.list_groups_for_user(user_id)
metadata_ref = {}
for x in group_refs:
metadata_ref.update(self._get_metadata_ref(context,
group_id=x['id'],
tenant_id=tenant_id,
domain_id=domain_id))
metadata_ref.update(self._get_metadata_ref(
group_id=x['id'], tenant_id=tenant_id, domain_id=domain_id))
return metadata_ref
def _append_roles(self, metadata, additional_metadata):
@ -452,14 +440,13 @@ class Auth(controller.V2Controller):
second = set(additional_metadata.get('roles', []))
metadata['roles'] = list(first.union(second))
def _get_token_ref(self, context, token_id, belongs_to=None):
def _get_token_ref(self, token_id, belongs_to=None):
"""Returns a token if a valid one exists.
Optionally, limited to a token owned by a specific tenant.
"""
data = self.token_api.get_token(context=context,
token_id=token_id)
data = self.token_api.get_token(token_id)
if belongs_to:
if data.get('tenant') is None:
raise exception.Unauthorized(
@ -469,7 +456,7 @@ class Auth(controller.V2Controller):
_('Token does not belong to specified tenant.'))
return data
def _assert_default_domain(self, context, token_ref):
def _assert_default_domain(self, token_ref):
"""Make sure we are operating on default domain only."""
if token_ref.get('token_data'):
# this is a V3 token
@ -494,18 +481,17 @@ class Auth(controller.V2Controller):
# must also be in the default domain
metadata_ref = token_ref['metadata']
if CONF.trust.enabled and 'trust_id' in metadata_ref:
trust_ref = self.trust_api.get_trust(context,
metadata_ref['trust_id'])
trust_ref = self.trust_api.get_trust(metadata_ref['trust_id'])
trustee_user_ref = self.identity_api.get_user(
context, trust_ref['trustee_user_id'])
trust_ref['trustee_user_id'])
if trustee_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
raise exception.Unauthorized(msg)
trustor_user_ref = self.identity_api.get_user(
context, trust_ref['trustor_user_id'])
trust_ref['trustor_user_id'])
if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
raise exception.Unauthorized(msg)
project_ref = self.identity_api.get_project(
context, trust_ref['project_id'])
trust_ref['project_id'])
if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
raise exception.Unauthorized(msg)
@ -519,9 +505,9 @@ class Auth(controller.V2Controller):
"""
belongs_to = context['query_string'].get('belongsTo')
token_ref = self._get_token_ref(context, token_id, belongs_to)
token_ref = self._get_token_ref(token_id, belongs_to)
assert token_ref
self._assert_default_domain(context, token_ref)
self._assert_default_domain(token_ref)
@controller.protected
def validate_token(self, context, token_id):
@ -533,8 +519,8 @@ class Auth(controller.V2Controller):
"""
belongs_to = context['query_string'].get('belongsTo')
token_ref = self._get_token_ref(context, token_id, belongs_to)
self._assert_default_domain(context, token_ref)
token_ref = self._get_token_ref(token_id, belongs_to)
self._assert_default_domain(token_ref)
# TODO(termie): optimize this call at some point and put it into the
# the return for metadata
@ -542,14 +528,13 @@ class Auth(controller.V2Controller):
metadata_ref = token_ref['metadata']
roles_ref = []
for role_id in metadata_ref.get('roles', []):
roles_ref.append(self.identity_api.get_role(context, role_id))
roles_ref.append(self.identity_api.get_role(role_id))
# Get a service catalog if possible
# This is needed for on-behalf-of requests
catalog_ref = None
if token_ref.get('tenant'):
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=token_ref['user']['id'],
tenant_id=token_ref['tenant']['id'],
metadata=metadata_ref)
@ -559,11 +544,11 @@ class Auth(controller.V2Controller):
"""Delete a token, effectively invalidating it for authz."""
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
self.token_api.delete_token(context=context, token_id=token_id)
self.token_api.delete_token(token_id)
@controller.protected
def revocation_list(self, context, auth=None):
tokens = self.token_api.list_revoked_tokens(context)
tokens = self.token_api.list_revoked_tokens()
for t in tokens:
expires = t['expires']
@ -581,12 +566,11 @@ class Auth(controller.V2Controller):
"""Return a list of endpoints available to the token."""
self.assert_admin(context)
token_ref = self._get_token_ref(context, token_id)
token_ref = self._get_token_ref(token_id)
catalog_ref = None
if token_ref.get('tenant'):
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=token_ref['user']['id'],
tenant_id=token_ref['tenant']['id'],
metadata=token_ref['metadata'])

5
keystone/token/core.py
View File

@ -57,7 +57,7 @@ def default_expire_time():
return timeutils.utcnow() + expire_delta
def validate_auth_info(self, context, user_ref, tenant_ref):
def validate_auth_info(self, user_ref, tenant_ref):
"""Validate user and tenant auth info.
Validate the user and tenant auth into in order to ensure that user and
@ -66,7 +66,6 @@ def validate_auth_info(self, context, user_ref, tenant_ref):
Consolidate the checks here to ensure consistency between token auth and
ec2 auth.
:params context: keystone's request context
:params user_ref: the authenticating user
:params tenant_ref: the scope of authorization, if any
:raises Unauthorized: if any of the user, user's domain, tenant or
@ -80,7 +79,6 @@ def validate_auth_info(self, context, user_ref, tenant_ref):
# If the user's domain is disabled don't allow them to authenticate
user_domain_ref = self.identity_api.get_domain(
context,
user_ref['domain_id'])
if user_domain_ref and not user_domain_ref.get('enabled', True):
msg = 'Domain is disabled: %s' % user_domain_ref['id']
@ -96,7 +94,6 @@ def validate_auth_info(self, context, user_ref, tenant_ref):
# If the project's domain is disabled don't allow them to authenticate
project_domain_ref = self.identity_api.get_domain(
context,
tenant_ref['domain_id'])
if (project_domain_ref and
not project_domain_ref.get('enabled', True)):

39
keystone/trust/controllers.py
View File

@ -38,14 +38,14 @@ class TrustV3(controller.V3Controller):
def _get_user_id(self, context):
if 'token_id' in context:
token_id = context['token_id']
token = self.token_api.get_token(context, token_id)
token = self.token_api.get_token(token_id)
user_id = token['user']['id']
return user_id
return None
def get_trust(self, context, trust_id):
user_id = self._get_user_id(context)
trust = self.trust_api.get_trust(context, trust_id)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
_admin_trustor_trustee_only(context, trust, user_id)
@ -55,7 +55,7 @@ class TrustV3(controller.V3Controller):
user_id != trust['trustee_user_id']):
raise exception.Forbidden()
self._fill_in_roles(context, trust,
self.identity_api.list_roles(context))
self.identity_api.list_roles())
return TrustV3.wrap_member(context, trust)
def _fill_in_roles(self, context, trust, global_roles):
@ -121,15 +121,14 @@ class TrustV3(controller.V3Controller):
user_id = self._get_user_id(context)
_trustor_only(context, trust, user_id)
#confirm that the trustee exists
trustee_ref = self.identity_api.get_user(context,
trust['trustee_user_id'])
trustee_ref = self.identity_api.get_user(trust['trustee_user_id'])
if not trustee_ref:
raise exception.UserNotFound(user_id=trust['trustee_user_id'])
global_roles = self.identity_api.list_roles(context)
global_roles = self.identity_api.list_roles()
clean_roles = self._clean_role_list(context, trust, global_roles)
if trust.get('project_id'):
user_roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, trust['project_id'])
user_id, trust['project_id'])
else:
user_roles = []
for trust_role in clean_roles:
@ -143,7 +142,6 @@ class TrustV3(controller.V3Controller):
trust['expires_at'] = (timeutils.parse_isotime
(trust['expires_at']))
new_trust = self.trust_api.create_trust(
context=context,
trust_id=uuid.uuid4().hex,
trust=trust,
roles=clean_roles)
@ -161,41 +159,38 @@ class TrustV3(controller.V3Controller):
trusts = []
if not query:
self.assert_admin(context)
trusts += self.trust_api.list_trusts(context)
trusts += self.trust_api.list_trusts()
if 'trustor_user_id' in query:
user_id = query['trustor_user_id']
calling_user_id = self._get_user_id(context)
if user_id != calling_user_id:
raise exception.Forbidden()
trusts += (self.trust_api.
list_trusts_for_trustor(context, user_id))
list_trusts_for_trustor(user_id))
if 'trustee_user_id' in query:
user_id = query['trustee_user_id']
calling_user_id = self._get_user_id(context)
if user_id != calling_user_id:
raise exception.Forbidden()
trusts += (self.trust_api.
list_trusts_for_trustee(context, user_id))
global_roles = self.identity_api.list_roles(context)
trusts += self.trust_api.list_trusts_for_trustee(user_id)
global_roles = self.identity_api.list_roles()
for trust in trusts:
self._fill_in_roles(context, trust, global_roles)
return TrustV3.wrap_collection(context, trusts)
@controller.protected
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(context, trust_id)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
self.trust_api.delete_trust(context, trust_id)
self.trust_api.delete_trust(trust_id)
userid = trust['trustor_user_id']
token_list = self.token_api.list_tokens(context,
userid,
trust_id=trust_id)
token_list = self.token_api.list_tokens(userid, trust_id=trust_id)
for token in token_list:
self.token_api.delete_token(context, token)
self.token_api.delete_token(token)
@controller.protected
def list_roles_for_trust(self, context, trust_id):
@ -210,7 +205,7 @@ class TrustV3(controller.V3Controller):
@controller.protected
def check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(context, trust_id)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
@ -223,7 +218,7 @@ class TrustV3(controller.V3Controller):
@controller.protected
def get_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(context, trust_id)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
@ -233,7 +228,7 @@ class TrustV3(controller.V3Controller):
if x['id'] == role_id]
if not matching_roles:
raise exception.RoleNotFound(role_id=role_id)
global_roles = self.identity_api.list_roles(context)
global_roles = self.identity_api.list_roles()
matching_roles = [x for x in global_roles
if x['id'] == role_id]
if matching_roles:

10
tests/test_auth.py
View File

@ -532,8 +532,8 @@ class AuthWithTrust(AuthTest):
trust_data['expires_at'] = expires_at
trust_data['impersonation'] = impersonation
self.new_trust = (self.trust_controller.create_trust
(context, trust=trust_data)['trust'])
self.new_trust = self.trust_controller.create_trust(
context, trust=trust_data)['trust']
def build_v2_token_request(self, username, password):
body_dict = _build_user_auth(username=username, password=password)
@ -673,7 +673,7 @@ class AuthWithTrust(AuthTest):
def assert_token_count_for_trust(self, expected_value):
tokens = self.trust_controller.token_api.list_tokens(
{}, self.trustee['id'], trust_id=self.new_trust['id'])
self.trustee['id'], trust_id=self.new_trust['id'])
token_count = len(tokens)
self.assertEquals(token_count, expected_value)
@ -681,9 +681,7 @@ class AuthWithTrust(AuthTest):
self.assert_token_count_for_trust(0)
self.fetch_v2_token_from_trust()
self.assert_token_count_for_trust(1)
self.trust_controller._delete_tokens_for_user(
{},
self.trustee['id'])
self.trust_controller._delete_tokens_for_user(self.trustee['id'])
self.assert_token_count_for_trust(0)
def test_token_from_trust_cant_get_another_token(self):

298
tests/test_backend.py
View File

@ -15,7 +15,6 @@
# under the License.
import datetime
import default_fixtures
import uuid
from keystone import test
@ -25,12 +24,13 @@ from keystone import config
from keystone import exception
from keystone.openstack.common import timeutils
import default_fixtures
CONF = config.CONF
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
NULL_OBJECT = object()
EMPTY_CONTEXT = {}
class IdentityTests(object):
@ -61,7 +61,6 @@ class IdentityTests(object):
def test_authenticate_bad_user(self):
self.assertRaises(AssertionError,
self.identity_man.authenticate,
EMPTY_CONTEXT,
user_id=uuid.uuid4().hex,
tenant_id=self.tenant_bar['id'],
password=self.user_foo['password'])
@ -69,7 +68,6 @@ class IdentityTests(object):
def test_authenticate_bad_password(self):
self.assertRaises(AssertionError,
self.identity_man.authenticate,
EMPTY_CONTEXT,
user_id=self.user_foo['id'],
tenant_id=self.tenant_bar['id'],
password=uuid.uuid4().hex)
@ -77,14 +75,12 @@ class IdentityTests(object):
def test_authenticate_bad_project(self):
self.assertRaises(AssertionError,
self.identity_man.authenticate,
EMPTY_CONTEXT,
user_id=self.user_foo['id'],
tenant_id=uuid.uuid4().hex,
password=self.user_foo['password'])
def test_authenticate_no_project(self):
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
EMPTY_CONTEXT,
user_id=self.user_foo['id'],
password=self.user_foo['password'])
# NOTE(termie): the password field is left in user_foo to make
@ -97,7 +93,6 @@ class IdentityTests(object):
def test_authenticate(self):
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
EMPTY_CONTEXT,
user_id=self.user_sna['id'],
tenant_id=self.tenant_bar['id'],
password=self.user_sna['password'])
@ -115,7 +110,6 @@ class IdentityTests(object):
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_baz['id'], self.role_admin['id'])
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
EMPTY_CONTEXT,
user_id=self.user_foo['id'],
tenant_id=self.tenant_baz['id'],
password=self.user_foo['password'])
@ -129,11 +123,10 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'no_meta2',
}
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
EMPTY_CONTEXT,
user_id=user['id'],
tenant_id=self.tenant_baz['id'],
password=user['password'])
@ -156,7 +149,7 @@ class IdentityTests(object):
'name': unicode_name,
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
ref = self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
ref = self.identity_man.create_user(user['id'], user)
self.assertEqual(unicode_name, ref['name'])
def test_get_project(self):
@ -288,11 +281,10 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user['name'] = 'fake2'
self.assertRaises(exception.Conflict,
self.identity_man.create_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -302,11 +294,10 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user['id'] = 'fake2'
self.assertRaises(exception.Conflict,
self.identity_man.create_user,
EMPTY_CONTEXT,
'fake2',
user)
@ -321,8 +312,8 @@ class IdentityTests(object):
'name': user1['name'],
'domain_id': new_domain['id'],
'password': uuid.uuid4().hex}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(EMPTY_CONTEXT, user2['id'], user2)
self.identity_man.create_user(user1['id'], user1)
self.identity_man.create_user(user2['id'], user2)
def test_move_user_between_domains(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@ -333,9 +324,9 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': domain1['id'],
'password': uuid.uuid4().hex}
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.create_user(user['id'], user)
user['domain_id'] = domain2['id']
self.identity_man.update_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.update_user(user['id'], user)
def test_move_user_between_domains_with_clashing_names_fails(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@ -347,20 +338,19 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': domain1['id'],
'password': uuid.uuid4().hex}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
# Now create a user in domain2 with a potentially clashing
# name - which should work since we have domain separation
user2 = {'id': uuid.uuid4().hex,
'name': user1['name'],
'domain_id': domain2['id'],
'password': uuid.uuid4().hex}
self.identity_man.create_user(EMPTY_CONTEXT, user2['id'], user2)
self.identity_man.create_user(user2['id'], user2)
# Now try and move user1 into the 2nd domain - which should
# fail since the names clash
user1['domain_id'] = domain2['id']
self.assertRaises(exception.Conflict,
self.identity_man.update_user,
EMPTY_CONTEXT,
user1['id'],
user1)
@ -375,12 +365,11 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user1)
self.identity_man.create_user(EMPTY_CONTEXT, 'fake2', user2)
self.identity_man.create_user('fake1', user1)
self.identity_man.create_user('fake2', user2)
user2['name'] = 'fake1'
self.assertRaises(exception.Conflict,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake2',
user2)
@ -390,11 +379,10 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user['id'] = 'fake2'
self.assertRaises(exception.ValidationError,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake1',
user)
user_ref = self.identity_api.get_user('fake1')
@ -406,20 +394,20 @@ class IdentityTests(object):
def test_create_duplicate_project_id_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
self.identity_man.create_project('fake1', tenant)
tenant['name'] = 'fake2'
self.assertRaises(exception.Conflict,
self.identity_man.create_project, EMPTY_CONTEXT,
self.identity_man.create_project,
'fake1',
tenant)
def test_create_duplicate_project_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
self.identity_man.create_project('fake1', tenant)
tenant['id'] = 'fake2'
self.assertRaises(exception.Conflict,
self.identity_man.create_project, EMPTY_CONTEXT,
self.identity_man.create_project,
'fake1',
tenant)
@ -430,8 +418,8 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
tenant2 = {'id': uuid.uuid4().hex, 'name': tenant1['name'],
'domain_id': new_domain['id']}
self.identity_man.create_project(EMPTY_CONTEXT, tenant1['id'], tenant1)
self.identity_man.create_project(EMPTY_CONTEXT, tenant2['id'], tenant2)
self.identity_man.create_project(tenant1['id'], tenant1)
self.identity_man.create_project(tenant2['id'], tenant2)
def test_move_project_between_domains(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@ -441,7 +429,7 @@ class IdentityTests(object):
project = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_project(EMPTY_CONTEXT, project['id'], project)
self.identity_man.create_project(project['id'], project)
project['domain_id'] = domain2['id']
self.identity_api.update_project(project['id'], project)
@ -454,15 +442,13 @@ class IdentityTests(object):
project1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
# Now create a project in domain2 with a potentially clashing
# name - which should work since we have domain separation
project2 = {'id': uuid.uuid4().hex,
'name': project1['name'],
'domain_id': domain2['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project2['id'], project2)
self.identity_man.create_project(project2['id'], project2)
# Now try and move project1 into the 2nd domain - which should
# fail since the names clash
project1['domain_id'] = domain2['id']
@ -476,8 +462,8 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
tenant2 = {'id': 'fake2', 'name': 'fake2',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant1)
self.identity_man.create_project(EMPTY_CONTEXT, 'fake2', tenant2)
self.identity_man.create_project('fake1', tenant1)
self.identity_man.create_project('fake2', tenant2)
tenant2['name'] = 'fake1'
self.assertRaises(exception.Error,
self.identity_api.update_project,
@ -544,15 +530,11 @@ class IdentityTests(object):
new_user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT,
new_user1['id'],
new_user1)
self.identity_man.create_user(new_user1['id'], new_user1)
new_user2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT,
new_user2['id'],
new_user2)
self.identity_man.create_user(new_user2['id'], new_user2)
roles_ref = self.identity_api.list_grants(
user_id=new_user1['id'],
domain_id=new_domain['id'])
@ -598,9 +580,7 @@ class IdentityTests(object):
new_user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT,
new_user1['id'],
new_user1)
self.identity_man.create_user(new_user1['id'], new_user1)
self.assertRaises(exception.UserNotFound,
self.identity_api.get_roles_for_user_and_domain,
@ -740,12 +720,11 @@ class IdentityTests(object):
self.identity_api.create_domain(new_domain['id'], new_domain)
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': 'secret', 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
roles_ref = self.identity_api.list_grants(
@ -778,12 +757,11 @@ class IdentityTests(object):
self.identity_api.create_domain(new_domain['id'], new_domain)
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
@ -819,25 +797,21 @@ class IdentityTests(object):
self.identity_api.create_domain(new_domain['id'], new_domain)
new_project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': new_domain['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
new_project['id'], new_project)
self.identity_man.create_project(new_project['id'], new_project)
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group2['id'], new_group2)
self.identity_man.create_group(new_group2['id'], new_group2)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
new_user2 = {'id': uuid.uuid4().hex, 'name': 'new_user2',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT,
new_user2['id'], new_user2)
self.identity_man.create_user(new_user2['id'], new_user2)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
# First check we have no grants
@ -885,7 +859,7 @@ class IdentityTests(object):
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': 'secret', 'enabled': True,
'domain_id': new_domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
roles_ref = self.identity_api.list_grants(
user_id=new_user['id'],
domain_id=new_domain['id'])
@ -926,7 +900,7 @@ class IdentityTests(object):
self.identity_api.create_domain(domain2['id'], domain2)
group1 = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
roles_ref = self.identity_api.list_grants(
group_id=group1['id'],
domain_id=domain1['id'])
@ -979,7 +953,7 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
roles_ref = self.identity_api.list_grants(
user_id=user1['id'],
domain_id=domain1['id'])
@ -1027,11 +1001,10 @@ class IdentityTests(object):
self.identity_api.create_domain(domain2['id'], domain2)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain2['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
roles_ref = self.identity_api.list_grants(
group_id=group1['id'],
project_id=project1['id'])
@ -1073,11 +1046,10 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain2['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
roles_ref = self.identity_api.list_grants(
user_id=user1['id'],
project_id=project1['id'])
@ -1118,15 +1090,13 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
self.identity_man.create_group(EMPTY_CONTEXT,
group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
self.identity_api.add_user_to_group(user1['id'],
group1['id'])
@ -1187,15 +1157,14 @@ class IdentityTests(object):
self.identity_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
self.identity_api.create_grant(user_id=user1['id'],
project_id=project1['id'],
role_id=role1['id'])
@ -1249,15 +1218,14 @@ class IdentityTests(object):
self.identity_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
self.identity_api.create_grant(user_id=user1['id'],
project_id=project1['id'],
role_id=role1['id'])
@ -1298,15 +1266,14 @@ class IdentityTests(object):
self.identity_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_project(EMPTY_CONTEXT,
project1['id'], project1)
self.identity_man.create_project(project1['id'], project1)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
self.identity_api.create_grant(group_id=group1['id'],
project_id=project1['id'],
role_id=role1['id'])
@ -1427,7 +1394,6 @@ class IdentityTests(object):
user_id = uuid.uuid4().hex
self.assertRaises(exception.UserNotFound,
self.identity_man.update_user,
EMPTY_CONTEXT,
user_id,
{'id': user_id})
@ -1436,7 +1402,7 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
@ -1449,7 +1415,7 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.create_user(user['id'], user)
self.identity_api.add_role_to_user_and_project(
user['id'],
self.tenant_bar['id'],
@ -1473,7 +1439,7 @@ class IdentityTests(object):
tenant = {'id': 'fake1', 'name': 'a' * 65,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_project, EMPTY_CONTEXT,
self.identity_man.create_project,
tenant['id'],
tenant)
@ -1481,7 +1447,7 @@ class IdentityTests(object):
tenant = {'id': 'fake1', 'name': '',
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_project, EMPTY_CONTEXT,
self.identity_man.create_project,
tenant['id'],
tenant)
@ -1489,20 +1455,20 @@ class IdentityTests(object):
tenant = {'id': 'fake1', 'name': None,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_project, EMPTY_CONTEXT,
self.identity_man.create_project,
tenant['id'],
tenant)
tenant = {'id': 'fake1', 'name': 123,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_project, EMPTY_CONTEXT,
self.identity_man.create_project,
tenant['id'],
tenant)
def test_update_project_blank_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
self.identity_man.create_project('fake1', tenant)
tenant['name'] = ''
self.assertRaises(exception.ValidationError,
self.identity_api.update_project,
@ -1512,7 +1478,7 @@ class IdentityTests(object):
def test_update_project_long_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
self.identity_man.create_project('fake1', tenant)
tenant['name'] = 'a' * 65
self.assertRaises(exception.ValidationError,
self.identity_api.update_project,
@ -1522,7 +1488,7 @@ class IdentityTests(object):
def test_update_project_invalid_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
self.identity_man.create_project('fake1', tenant)
tenant['name'] = None
self.assertRaises(exception.ValidationError,
self.identity_api.update_project,
@ -1540,7 +1506,6 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -1549,7 +1514,6 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -1558,7 +1522,6 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -1566,7 +1529,6 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -1575,9 +1537,7 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'enabled': True,
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project(EMPTY_CONTEXT,
project['id'],
project)
self.identity_man.create_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
self.assertEqual(project_ref['enabled'], True)
@ -1585,7 +1545,6 @@ class IdentityTests(object):
project['enabled'] = "false"
self.assertRaises(exception.ValidationError,
self.identity_man.update_project,
EMPTY_CONTEXT,
project['id'],
project)
@ -1597,7 +1556,6 @@ class IdentityTests(object):
'enabled': "true"}
self.assertRaises(exception.ValidationError,
self.identity_man.create_project,
EMPTY_CONTEXT,
project['id'],
project)
@ -1610,48 +1568,43 @@ class IdentityTests(object):
'enabled': "true"}
self.assertRaises(exception.ValidationError,
self.identity_man.create_user,
EMPTY_CONTEXT,
user['id'],
user)
def test_update_user_long_name_fails(self):
user = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user['name'] = 'a' * 65
self.assertRaises(exception.ValidationError,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake1',
user)
def test_update_user_blank_name_fails(self):
user = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user['name'] = ''
self.assertRaises(exception.ValidationError,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake1',
user)
def test_update_user_invalid_name_fails(self):
user = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user['name'] = None
self.assertRaises(exception.ValidationError,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake1',
user)
user['name'] = 123
self.assertRaises(exception.ValidationError,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -1669,8 +1622,8 @@ class IdentityTests(object):
'id': uuid.uuid4().hex,
'domain_id': CONF.identity.default_domain_id,
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
self.identity_man.create_group(group1['id'], group1)
self.identity_man.create_group(group2['id'], group2)
groups = self.identity_api.list_groups()
self.assertEquals(len(groups), 2)
group_ids = []
@ -1737,8 +1690,7 @@ class IdentityTests(object):
new_project = {'id': 'tenant_id', 'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID}
original_project = new_project.copy()
self.identity_man.create_project(EMPTY_CONTEXT,
'tenant_id', new_project)
self.identity_man.create_project('tenant_id', new_project)
self.assertDictEqual(original_project, new_project)
def test_create_user_doesnt_modify_passed_in_dict(self):
@ -1746,53 +1698,53 @@ class IdentityTests(object):
'password': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID}
original_user = new_user.copy()
self.identity_man.create_user(EMPTY_CONTEXT, 'user_id', new_user)
self.identity_man.create_user('user_id', new_user)
self.assertDictEqual(original_user, new_user)
def test_update_user_enable(self):
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
user['enabled'] = False
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], user['enabled'])
# If not present, enabled field should not be updated
del user['enabled']
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], False)
user['enabled'] = True
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], user['enabled'])
del user['enabled']
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
# Integers are valid Python's booleans. Explicitly test it.
user['enabled'] = 0
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], False)
# Any integers other than 0 are interpreted as True
user['enabled'] = -42
self.identity_man.update_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
def test_update_user_enable_fails(self):
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
self.identity_man.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
@ -1800,7 +1752,6 @@ class IdentityTests(object):
user['enabled'] = "false"
self.assertRaises(exception.ValidationError,
self.identity_man.update_user,
EMPTY_CONTEXT,
'fake1',
user)
@ -1836,12 +1787,11 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
groups = self.identity_api.list_groups_for_user(new_user['id'])
@ -1857,8 +1807,7 @@ class IdentityTests(object):
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT,
new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.assertRaises(exception.GroupNotFound,
self.identity_api.add_user_to_group,
new_user['id'],
@ -1866,8 +1815,7 @@ class IdentityTests(object):
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
self.assertRaises(exception.UserNotFound,
self.identity_api.add_user_to_group,
uuid.uuid4().hex,
@ -1877,12 +1825,11 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
self.identity_api.check_user_in_group(new_user['id'], new_group['id'])
@ -1892,8 +1839,7 @@ class IdentityTests(object):
'id': uuid.uuid4().hex,
'domain_id': CONF.identity.default_domain_id,
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
self.assertRaises(exception.UserNotFound,
self.identity_api.check_user_in_group,
uuid.uuid4().hex,
@ -1903,13 +1849,11 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT,
new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
user_refs = self.identity_api.list_users_in_group(new_group['id'])
@ -1923,12 +1867,11 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
groups = self.identity_api.list_groups_for_user(new_user['id'])
@ -1943,11 +1886,10 @@ class IdentityTests(object):
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_man.create_user(new_user['id'], new_user)
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT,
new_group['id'], new_group)
self.identity_man.create_group(new_group['id'], new_group)
self.assertRaises(exception.NotFound,
self.identity_api.remove_user_from_group,
new_user['id'],
@ -1968,7 +1910,7 @@ class IdentityTests(object):
self.identity_api.create_domain(domain['id'], domain)
group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
self.identity_man.create_group(EMPTY_CONTEXT, group['id'], group)
self.identity_man.create_group(group['id'], group)
group_ref = self.identity_api.get_group(group['id'])
self.assertDictContainsSubset(group, group_ref)
@ -1987,9 +1929,9 @@ class IdentityTests(object):
'name': uuid.uuid4().hex}
group2 = {'id': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID,
'name': group1['name']}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
self.assertRaises(exception.Conflict,
self.identity_man.create_group, EMPTY_CONTEXT,
self.identity_man.create_group,
group2['id'], group2)
def test_create_duplicate_group_name_in_different_domains(self):
@ -1999,8 +1941,8 @@ class IdentityTests(object):
'name': uuid.uuid4().hex}
group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': group1['name']}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
self.identity_man.create_group(group1['id'], group1)
self.identity_man.create_group(group2['id'], group2)
def test_move_group_between_domains(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@ -2010,7 +1952,7 @@ class IdentityTests(object):
group = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_group(EMPTY_CONTEXT, group['id'], group)
self.identity_man.create_group(group['id'], group)
group['domain_id'] = domain2['id']
self.identity_api.update_group(group['id'], group)
@ -2023,13 +1965,13 @@ class IdentityTests(object):
group1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_man.create_group(group1['id'], group1)
# Now create a group in domain2 with a potentially clashing
# name - which should work since we have domain separation
group2 = {'id': uuid.uuid4().hex,
'name': group1['name'],
'domain_id': domain2['id']}
self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
self.identity_man.create_group(group2['id'], group2)
# Now try and move group1 into the 2nd domain - which should
# fail since the names clash
group1['domain_id'] = domain2['id']
@ -2044,7 +1986,7 @@ class IdentityTests(object):
self.identity_api.create_domain(domain['id'], domain)
project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain['id']}
self.identity_man.create_project(EMPTY_CONTEXT, project['id'], project)
self.identity_man.create_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
self.assertDictContainsSubset(project, project_ref)
@ -2079,14 +2021,14 @@ class IdentityTests(object):
user = {'domain_id': CONF.identity.default_domain_id,
'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex, 'password': 'passw0rd'}
self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.create_user(user['id'], user)
user_ref = self.identity_api.get_user(user['id'])
del user['password']
user_ref_dict = dict((x, user_ref[x]) for x in user_ref)
self.assertDictContainsSubset(user, user_ref_dict)
user['password'] = uuid.uuid4().hex
self.identity_man.update_user(EMPTY_CONTEXT, user['id'], user)
self.identity_man.update_user(user['id'], user)
user_ref = self.identity_api.get_user(user['id'])
del user['password']
user_ref_dict = dict((x, user_ref[x]) for x in user_ref)
@ -2103,7 +2045,7 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex, 'domain_id': domain['id'],
'enabled': True}
self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
self.identity_man.create_user(user1['id'], user1)
user_projects = self.identity_api.list_user_projects(user1['id'])
self.assertEquals(len(user_projects), 0)
self.identity_api.create_grant(user_id=user1['id'],
@ -2472,10 +2414,10 @@ class CatalogTests(object):
self.catalog_api.delete_service(service_id)
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.delete_service,
EMPTY_CONTEXT, service_id)
service_id)
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.get_service,
EMPTY_CONTEXT, service_id)
service_id)
def test_delete_service_with_endpoint(self):
# create a service
@ -2501,21 +2443,19 @@ class CatalogTests(object):
self.catalog_api.delete_service(service['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_man.get_endpoint,
EMPTY_CONTEXT, endpoint['id'])
endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_man.delete_endpoint,
EMPTY_CONTEXT, endpoint['id'])
endpoint['id'])
def test_get_service_404(self):
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.get_service,
EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_delete_service_404(self):
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.delete_service,
EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_create_endpoint_404(self):
@ -2525,20 +2465,17 @@ class CatalogTests(object):
}
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.create_endpoint,
EMPTY_CONTEXT,
endpoint['id'],
endpoint)
def test_get_endpoint_404(self):
self.assertRaises(exception.EndpointNotFound,
self.catalog_man.get_endpoint,
EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_delete_endpoint_404(self):
self.assertRaises(exception.EndpointNotFound,
self.catalog_man.delete_endpoint,
EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_create_endpoint(self):
@ -2605,7 +2542,6 @@ class PolicyTests(object):
# (cannot change policy ID)
self.assertRaises(exception.ValidationError,
self.policy_man.update_policy,
EMPTY_CONTEXT,
orig['id'],
ref)
@ -2620,28 +2556,26 @@ class PolicyTests(object):
self.policy_api.delete_policy(ref['id'])
self.assertRaises(exception.PolicyNotFound,
self.policy_man.delete_policy,
EMPTY_CONTEXT, ref['id'])
ref['id'])
self.assertRaises(exception.PolicyNotFound,
self.policy_man.get_policy,
EMPTY_CONTEXT, ref['id'])
ref['id'])
res = self.policy_api.list_policies()
self.assertFalse(len([x for x in res if x['id'] == ref['id']]))
def test_get_policy_404(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_man.get_policy,
EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_update_policy_404(self):
ref = self._new_policy_ref()
self.assertRaises(exception.PolicyNotFound,
self.policy_man.update_policy,
EMPTY_CONTEXT,
uuid.uuid4().hex,
EMPTY_CONTEXT)
ref['id'],
ref)
def test_delete_policy_404(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_man.delete_policy,
EMPTY_CONTEXT,
uuid.uuid4().hex)

7
tests/test_backend_ldap.py
View File

@ -604,7 +604,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
'password': 'no_meta2',
'enabled': True,
}
self.identity_man.create_user({}, user['id'], user)
self.identity_man.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
self.identity_api.user.LDAP_USER = None
@ -640,11 +640,10 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
'password': 'no_meta2',
'enabled': True,
}
self.identity_man.create_user({}, user['id'], user)
self.identity_man.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
{},
user_id=user['id'],
tenant_id=self.tenant_baz['id'],
password=user['password'])
@ -692,7 +691,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
'domain_id': CONF.identity.default_domain_id,
'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex}
self.identity_man.create_user({}, user['id'], user)
self.identity_man.create_user(user['id'], user)
user['enabled'] = True
user_ref = self.identity_api.get_user(user['id'])
del user['password']

17
tests/test_backend_sql.py
View File

@ -30,6 +30,7 @@ from keystone import trust
import default_fixtures
import test_backend
CONF = config.CONF
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
@ -84,7 +85,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_man.create_user({}, user['id'], user)
self.identity_man.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
@ -98,7 +99,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.assertRaises(exception.ValidationError,
self.identity_man.create_user, {},
self.identity_man.create_user,
user['id'],
user)
self.assertRaises(exception.UserNotFound,
@ -114,7 +115,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'name': None,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
self.identity_man.create_project, {},
self.identity_man.create_project,
tenant['id'],
tenant)
self.assertRaises(exception.ProjectNotFound,
@ -141,7 +142,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'name': 'fakeuser',
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'passwd'}
self.identity_man.create_user({}, 'fake', user)
self.identity_man.create_user('fake', user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_project(self.tenant_bar['id'])
@ -153,7 +154,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'name': 'fakeuser',
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'passwd'}
self.identity_man.create_user({}, 'fake', user)
self.identity_man.create_user('fake', user)
self.identity_api.create_metadata(user['id'],
self.tenant_bar['id'],
{'extra': 'extra'})
@ -168,7 +169,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'name': 'fakeuser',
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'passwd'}
self.identity_man.create_user({}, 'fake', user)
self.identity_man.create_user('fake', user)
self.identity_api.create_metadata(user['id'],
self.tenant_bar['id'],
{'extra': 'extra'})
@ -196,7 +197,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID,
arbitrary_key: arbitrary_value}
ref = self.identity_man.create_project({}, tenant_id, tenant)
ref = self.identity_man.create_project(tenant_id, tenant)
self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('extra'))
@ -224,7 +225,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex,
arbitrary_key: arbitrary_value}
ref = self.identity_man.create_user({}, user_id, user)
ref = self.identity_man.create_user(user_id, user)
self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('password'))
self.assertIsNone(ref.get('extra'))

6
tests/test_import_legacy.py
View File

@ -74,7 +74,7 @@ class ImportLegacy(test.TestCase):
# check password hashing
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
{}, user_id=admin_id, password='secrete')
user_id=admin_id, password='secrete')
# check catalog
self._check_catalog(migration)
@ -91,7 +91,7 @@ class ImportLegacy(test.TestCase):
# check password hashing
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
{}, user_id=admin_id, password='secrete')
user_id=admin_id, password='secrete')
# check catalog
self._check_catalog(migration)
@ -108,7 +108,7 @@ class ImportLegacy(test.TestCase):
# check password hashing
user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
{}, user_id=admin_id, password='secrete')
user_id=admin_id, password='secrete')
# check catalog
self._check_catalog(migration)

3
tests/test_migrate_nova_auth.py
View File

@ -121,8 +121,7 @@ class MigrateNovaAuth(test.TestCase):
for _user in FIXTURE['users']:
if _user['id'] == old_user:
password = _user['password']
self.identity_man.authenticate({}, user['id'],
tenant_id, password)
self.identity_man.authenticate(user['id'], tenant_id, password)
for ec2_cred in FIXTURE['ec2_credentials']:
user_id = users[ec2_cred['user_id']]['id']