Browse Source

Trust controller refactoring

In lieu of new more complicated role system role collections tend to grow,
so extracting all roles to normalize/populate trust scope should be more
granular. This patch is a rework of role treating logic in trust controller.

Change-Id: Id6945ff9be23250d72909beceaa9cd73eebde04f
changes/60/351260/1
Alexander Makarov 6 years ago
parent
commit
9838e542af
  1. 80
      keystone/trust/controllers.py

80
keystone/trust/controllers.py

@ -15,11 +15,11 @@
import uuid
from oslo_utils import timeutils
import six
from keystone import assignment
from keystone.common import controller
from keystone.common import dependency
from keystone.common import driver_hints
from keystone.common import utils
from keystone.common import validation
from keystone import exception
@ -51,61 +51,50 @@ class TrustV3(controller.V3Controller):
def get_trust(self, request, trust_id):
trust = self.trust_api.get_trust(trust_id)
_trustor_trustee_only(trust, request.context.user_id)
self._fill_in_roles(request.context_dict, trust,
self.role_api.list_roles())
self._fill_in_roles(request.context_dict, trust)
return TrustV3.wrap_member(request.context_dict, trust)
def _fill_in_roles(self, context, trust, all_roles):
def _fill_in_roles(self, context, trust):
if trust.get('expires_at') is not None:
trust['expires_at'] = (utils.isotime
(trust['expires_at'],
subsecond=True))
if 'roles' not in trust:
trust['roles'] = []
trust_full_roles = []
for trust_role in trust['roles']:
if isinstance(trust_role, six.string_types):
trust_role = {'id': trust_role}
matching_roles = [x for x in all_roles
if x['id'] == trust_role['id']]
if matching_roles:
for trust_role in trust.get('roles', []):
if isinstance(trust_role, dict):
trust_role = trust_role['id']
try:
matching_role = self.role_api.get_role(trust_role)
full_role = assignment.controllers.RoleV3.wrap_member(
context, matching_roles[0])['role']
context, matching_role)['role']
trust_full_roles.append(full_role)
except exception.RoleNotFound:
pass
trust['roles'] = trust_full_roles
trust['roles_links'] = {
'self': (self.base_url(context) + "/%s/roles" % trust['id']),
'next': None,
'previous': None}
def _normalize_role_list(self, trust, all_roles):
trust_roles = []
all_role_names = {r['name']: r for r in all_roles}
for role in trust.get('roles', []):
if 'id' in role:
trust_roles.append({'id': role['id']})
elif 'name' in role:
rolename = role['name']
if rolename in all_role_names:
trust_roles.append({'id':
all_role_names[rolename]['id']})
def _normalize_role_list(self, trust_roles):
roles = [{'id': role['id']} for role in trust_roles if 'id' in role]
names = [role['name'] for role in trust_roles if 'id' not in role]
if len(names):
# Long way
for name in names:
hints = driver_hints.Hints()
hints.add_filter("name", name, case_sensitive=True)
found_roles = self.role_api.list_roles(hints)
if len(found_roles) == 1:
roles.append({'id': found_roles[0]['id']})
else:
raise exception.RoleNotFound(_("role %s is not defined") %
rolename)
else:
raise exception.ValidationError(attribute='id or name',
target='roles')
return trust_roles
@controller.protected()
def create_trust(self, request, trust):
"""Create a new trust.
The user creating the trust must be the trustor.
name)
return roles
"""
validation.lazy_validate(schema.trust_create, trust)
def _find_redelegated_trust(self, request):
# Check if delegated via trust
if request.context.is_delegated_auth:
# Redelegation case
@ -117,6 +106,17 @@ class TrustV3(controller.V3Controller):
redelegated_trust = self.trust_api.get_trust(src_trust_id)
else:
redelegated_trust = None
return redelegated_trust
@controller.protected()
def create_trust(self, request, trust):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
validation.lazy_validate(schema.trust_create, trust)
redelegated_trust = self._find_redelegated_trust(request)
if trust.get('project_id') and not trust.get('roles'):
msg = _('At least one role should be specified.')
@ -130,9 +130,8 @@ class TrustV3(controller.V3Controller):
# ensure trustee exists
self.identity_api.get_user(trust['trustee_user_id'])
all_roles = self.role_api.list_roles()
# Normalize roles
normalized_roles = self._normalize_role_list(trust, all_roles)
normalized_roles = self._normalize_role_list(trust.get('roles', []))
trust['roles'] = normalized_roles
self._require_trustor_has_role_in_project(trust)
trust['expires_at'] = self._parse_expiration_date(
@ -143,7 +142,8 @@ class TrustV3(controller.V3Controller):
normalized_roles,
redelegated_trust,
initiator)
self._fill_in_roles(request.context_dict, new_trust, all_roles)
self._fill_in_roles(request.context_dict, new_trust)
return TrustV3.wrap_member(request.context_dict, new_trust)
def _get_trustor_roles(self, trust):

Loading…
Cancel
Save