proxy removed from identity and changed to assignment

The identity_api served as a proxy for calling the assignment_api
but it was suggested that this proxy should be removed and the calls
should be made directly to the assignment_api.

bug: #1220913

Change-Id: I20c461c06db22c03eb6d16399d1ca50999d053d5
changes/88/51688/11
Telles Nobrega 9 years ago
parent 4a100d4d10
commit bb1ac459a4
  1. 8
      keystone/auth/controllers.py
  2. 2
      keystone/common/controller.py
  3. 2
      keystone/common/wsgi.py
  4. 11
      keystone/contrib/ec2/controllers.py
  5. 10
      keystone/contrib/endpoint_filter/controllers.py
  6. 79
      keystone/identity/controllers.py
  7. 94
      keystone/identity/core.py
  8. 17
      keystone/tests/core.py
  9. 40
      keystone/tests/test_auth.py
  10. 980
      keystone/tests/test_backend.py
  11. 87
      keystone/tests/test_backend_ldap.py
  12. 24
      keystone/tests/test_backend_sql.py
  13. 4
      keystone/tests/test_content_types.py
  14. 10
      keystone/tests/test_keystoneclient.py
  15. 10
      keystone/tests/test_v3.py
  16. 128
      keystone/tests/test_v3_auth.py
  17. 24
      keystone/tests/test_v3_identity.py
  18. 6
      keystone/tests/test_v3_oauth1.py
  19. 34
      keystone/tests/test_v3_protection.py
  20. 8
      keystone/token/controllers.py
  21. 21
      keystone/token/providers/uuid.py
  22. 20
      keystone/trust/controllers.py

@ -14,7 +14,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from keystone import assignment
from keystone.common import controller
from keystone.common import dependency
from keystone.common import wsgi
@ -49,10 +49,12 @@ def get_auth_method(method_name):
return AUTH_METHODS[method_name]
@dependency.requires('assignment_api')
class AuthInfo(object):
"""Encapsulation of "auth" request."""
def __init__(self, context, auth=None):
self.assignment_api = assignment.Manager()
self.identity_api = identity.Manager()
self.trust_api = trust.Manager()
self.context = context
@ -115,10 +117,10 @@ class AuthInfo(object):
raise exception.ValidationError(attribute='domain',
target='project')
domain_ref = self._lookup_domain(project_info['domain'])
project_ref = self.identity_api.get_project_by_name(
project_ref = self.assignment_api.get_project_by_name(
project_name, domain_ref['id'])
else:
project_ref = self.identity_api.get_project(project_id)
project_ref = self.assignment_api.get_project(project_id)
except exception.ProjectNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)

@ -79,7 +79,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
except AttributeError:
LOG.debug(_('RBAC: Proceeding without tenant'))
# NOTE(vish): this is pretty inefficient
creds['roles'] = [self.identity_api.get_role(role)['name']
creds['roles'] = [self.assignment_api.get_role(role)['name']
for role in creds.get('roles', [])]
return creds

@ -303,7 +303,7 @@ class Application(BaseApplication):
raise exception.Unauthorized()
# NOTE(vish): this is pretty inefficient
creds['roles'] = [self.identity_api.get_role(role)['name']
creds['roles'] = [self.assignment_api.get_role(role)['name']
for role in creds.get('roles', [])]
# Accept either is_admin or the admin role
self.policy_api.enforce(creds, 'admin_required', {})

@ -45,7 +45,8 @@ from keystone import exception
from keystone import token
@dependency.requires('catalog_api', 'credential_api', 'token_provider_api')
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
'token_provider_api')
class Ec2Controller(controller.V2Controller):
def check_signature(self, creds_ref, credentials):
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
@ -99,11 +100,11 @@ class Ec2Controller(controller.V2Controller):
# TODO(termie): don't create new tokens every time
# TODO(termie): this is copied from TokenController.authenticate
token_id = uuid.uuid4().hex
tenant_ref = self.identity_api.get_project(creds_ref['tenant_id'])
tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
user_ref = self.identity_api.get_user(creds_ref['user_id'])
metadata_ref = {}
metadata_ref['roles'] = (
self.identity_api.get_roles_for_user_and_project(
self.assignment_api.get_roles_for_user_and_project(
user_ref['id'], tenant_ref['id']))
# Validate that the auth info is valid and nothing is disabled
@ -112,7 +113,7 @@ class Ec2Controller(controller.V2Controller):
roles = metadata_ref.get('roles', [])
if not roles:
raise exception.Unauthorized(message='User not valid for tenant.')
roles_ref = [self.identity_api.get_role(role_id)
roles_ref = [self.assignment_api.get_role(role_id)
for role_id in roles]
catalog_ref = self.catalog_api.get_catalog(
@ -289,6 +290,6 @@ class Ec2Controller(controller.V2Controller):
:raises exception.ProjectNotFound: on failure
"""
project_ref = self.identity_api.get_project(project_id)
project_ref = self.assignment_api.get_project(project_id)
if not project_ref:
raise exception.ProjectNotFound(project_id=project_id)

@ -21,7 +21,7 @@ from keystone.common import dependency
from keystone.identity import controllers as identity_controllers
@dependency.requires('catalog_api', 'identity_api', 'endpoint_filter_api')
@dependency.requires('assignment_api', 'endpoint_filter_api')
class EndpointFilterV3Controller(controller.V3Controller):
@controller.protected()
@ -32,7 +32,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
# The relationship can still be establed even with a disabled project
# as there are no security implications.
self.catalog_api.get_endpoint(endpoint_id)
self.identity_api.get_project(project_id)
self.assignment_api.get_project(project_id)
# NOTE(gyee): we may need to cleanup any existing project-endpoint
# associations here if either project or endpoint is not found.
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
@ -42,7 +42,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
def check_endpoint_in_project(self, context, project_id, endpoint_id):
"""Verifies endpoint is currently associated with given project."""
self.catalog_api.get_endpoint(endpoint_id)
self.identity_api.get_project(project_id)
self.assignment_api.get_project(project_id)
# TODO(gyee): we may need to cleanup any existing project-endpoint
# associations here if either project or endpoint is not found.
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
@ -51,7 +51,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
@controller.protected()
def list_endpoints_for_project(self, context, project_id):
"""Lists all endpoints currently associated with a given project."""
self.identity_api.get_project(project_id)
self.assignment_api.get_project(project_id)
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
endpoints = [self.catalog_api.get_endpoint(
@ -70,7 +70,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
"""Return a list of projects associated with the endpoint."""
refs = self.endpoint_filter_api.list_project_endpoints(endpoint_id)
projects = [self.identity_api.get_project(
projects = [self.assignment_api.get_project(
ref.project_id) for ref in refs]
return identity_controllers.ProjectV3.wrap_collection(context,
projects)

@ -39,7 +39,7 @@ class Tenant(controller.V2Controller):
context, context['query_string'].get('name'))
self.assert_admin(context)
tenant_refs = self.identity_api.list_projects()
tenant_refs = self.assignment_api.list_projects()
for tenant_ref in tenant_refs:
tenant_ref = self.filter_domain_id(tenant_ref)
params = {
@ -77,12 +77,12 @@ class Tenant(controller.V2Controller):
def get_project(self, context, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
ref = self.identity_api.get_project(tenant_id)
ref = self.assignment_api.get_project(tenant_id)
return {'tenant': self.filter_domain_id(ref)}
def get_project_by_name(self, context, tenant_name):
self.assert_admin(context)
ref = self.identity_api.get_project_by_name(
ref = self.assignment_api.get_project_by_name(
tenant_name, DEFAULT_DOMAIN_ID)
return {'tenant': self.filter_domain_id(ref)}
@ -214,7 +214,8 @@ class User(controller.V2Controller):
self.identity_api.create_user(user_id, user_ref))
if default_project_id is not None:
self.identity_api.add_user_to_project(default_project_id, user_id)
self.assignment_api.add_user_to_project(default_project_id,
user_id)
return {'user': new_user_ref}
def update_user(self, context, user_id, user):
@ -312,15 +313,15 @@ class Role(controller.V2Controller):
raise exception.NotImplemented(message='User roles not supported: '
'tenant ID required')
roles = self.identity_api.get_roles_for_user_and_project(
roles = self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
return {'roles': [self.identity_api.get_role(x)
return {'roles': [self.assignment_api.get_role(x)
for x in roles]}
# CRUD extension
def get_role(self, context, role_id):
self.assert_admin(context)
return {'role': self.identity_api.get_role(role_id)}
return {'role': self.assignment_api.get_role(role_id)}
def create_role(self, context, role):
role = self._normalize_dict(role)
@ -332,7 +333,7 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
role_ref = self.identity_api.create_role(role_id, role)
role_ref = self.assignment_api.create_role(role_id, role)
return {'role': role_ref}
def delete_role(self, context, role_id):
@ -341,11 +342,11 @@ class Role(controller.V2Controller):
# We must first, however, revoke any tokens for users that have an
# assignment with this role.
self._delete_tokens_for_role(role_id)
self.identity_api.delete_role(role_id)
self.assignment_api.delete_role(role_id)
def get_roles(self, context):
self.assert_admin(context)
return {'roles': self.identity_api.list_roles()}
return {'roles': self.assignment_api.list_roles()}
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
"""Add a role to a user and tenant pair.
@ -359,10 +360,10 @@ class Role(controller.V2Controller):
raise exception.NotImplemented(message='User roles not supported: '
'tenant_id required')
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
role_ref = self.identity_api.get_role(role_id)
role_ref = self.assignment_api.get_role(role_id)
return {'role': role_ref}
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
@ -379,7 +380,7 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant, so we must follow up on that
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
@ -403,7 +404,7 @@ class Role(controller.V2Controller):
# the default domain.
if tenant['domain_id'] != DEFAULT_DOMAIN_ID:
continue
role_ids = self.identity_api.get_roles_for_user_and_project(
role_ids = self.assignment_api.get_roles_for_user_and_project(
user_id, tenant['id'])
for role_id in role_ids:
ref = {'roleId': role_id,
@ -425,11 +426,11 @@ class Role(controller.V2Controller):
# TODO(termie): for now we're ignoring the actual role
tenant_id = role.get('tenantId')
role_id = role.get('roleId')
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
role_ref = self.identity_api.get_role(role_id)
role_ref = self.assignment_api.get_role(role_id)
return {'role': role_ref}
# COMPAT(diablo): CRUD extension
@ -449,7 +450,7 @@ class Role(controller.V2Controller):
role_ref_ref = urlparse.parse_qs(role_ref_id)
tenant_id = role_ref_ref.get('tenantId')[0]
role_id = role_ref_ref.get('roleId')[0]
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
@ -467,31 +468,31 @@ class DomainV3(controller.V3Controller):
self._require_attribute(domain, 'name')
ref = self._assign_unique_id(self._normalize_dict(domain))
ref = self.identity_api.create_domain(ref['id'], ref)
ref = self.assignment_api.create_domain(ref['id'], ref)
return DomainV3.wrap_member(context, ref)
@controller.filterprotected('enabled', 'name')
def list_domains(self, context, filters):
refs = self.identity_api.list_domains()
refs = self.assignment_api.list_domains()
return DomainV3.wrap_collection(context, refs, filters)
@controller.protected()
def get_domain(self, context, domain_id):
ref = self.identity_api.get_domain(domain_id)
ref = self.assignment_api.get_domain(domain_id)
return DomainV3.wrap_member(context, ref)
@controller.protected()
def update_domain(self, context, domain_id, domain):
self._require_matching_id(domain_id, domain)
ref = self.identity_api.update_domain(domain_id, domain)
ref = self.assignment_api.update_domain(domain_id, domain)
# disable owned users & projects when the API user specifically set
# enabled=False
# FIXME(dolph): need a driver call to directly revoke all tokens by
# project or domain, regardless of user
if not domain.get('enabled', True):
projects = [x for x in self.identity_api.list_projects()
projects = [x for x in self.assignment_api.list_projects()
if x.get('domain_id') == domain_id]
for user in self.identity_api.list_users():
# TODO(dolph): disable domain-scoped tokens
@ -548,7 +549,7 @@ class DomainV3(controller.V3Controller):
user_refs = self.identity_api.list_users()
user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id]
proj_refs = self.identity_api.list_projects()
proj_refs = self.assignment_api.list_projects()
proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id]
# First delete the projects themselves
@ -581,14 +582,14 @@ class DomainV3(controller.V3Controller):
# has been previously disabled. This also prevents a user deleting
# their own domain since, once it is disabled, they won't be able
# to get a valid token to issue this delete.
ref = self.identity_api.get_domain(domain_id)
ref = self.assignment_api.get_domain(domain_id)
if ref['enabled']:
raise exception.ForbiddenAction(
action='delete a domain that is not disabled')
# OK, we are go for delete!
self._delete_domain_contents(context, domain_id)
return self.identity_api.delete_domain(domain_id)
return self.assignment_api.delete_domain(domain_id)
def _get_domain_by_name(self, context, domain_name):
"""Get the domain via its unique name.
@ -597,7 +598,7 @@ class DomainV3(controller.V3Controller):
router as a public api.
"""
ref = self.identity_api.get_domain_by_name(domain_name)
ref = self.assignment_api.get_domain_by_name(domain_name)
return {'domain': ref}
@ -620,17 +621,17 @@ class ProjectV3(controller.V3Controller):
@controller.filterprotected('domain_id', 'enabled', 'name')
def list_projects(self, context, filters):
refs = self.identity_api.list_projects()
refs = self.assignment_api.list_projects()
return ProjectV3.wrap_collection(context, refs, filters)
@controller.filterprotected('enabled', 'name')
def list_user_projects(self, context, filters, user_id):
refs = self.identity_api.list_projects_for_user(user_id)
refs = self.assignment_api.list_projects_for_user(user_id)
return ProjectV3.wrap_collection(context, refs, filters)
@controller.protected()
def get_project(self, context, project_id):
ref = self.identity_api.get_project(project_id)
ref = self.assignment_api.get_project(project_id)
return ProjectV3.wrap_member(context, ref)
@controller.protected()
@ -840,24 +841,24 @@ class RoleV3(controller.V3Controller):
self._require_attribute(role, 'name')
ref = self._assign_unique_id(self._normalize_dict(role))
ref = self.identity_api.create_role(ref['id'], ref)
ref = self.assignment_api.create_role(ref['id'], ref)
return RoleV3.wrap_member(context, ref)
@controller.filterprotected('name')
def list_roles(self, context, filters):
refs = self.identity_api.list_roles()
refs = self.assignment_api.list_roles()
return RoleV3.wrap_collection(context, refs, filters)
@controller.protected()
def get_role(self, context, role_id):
ref = self.identity_api.get_role(role_id)
ref = self.assignment_api.get_role(role_id)
return RoleV3.wrap_member(context, ref)
@controller.protected()
def update_role(self, context, role_id, role):
self._require_matching_id(role_id, role)
ref = self.identity_api.update_role(role_id, role)
ref = self.assignment_api.update_role(role_id, role)
return RoleV3.wrap_member(context, ref)
@controller.protected()
@ -866,7 +867,7 @@ class RoleV3(controller.V3Controller):
# We must first, however, revoke any tokens for users that have an
# assignment with this role.
self._delete_tokens_for_role(role_id)
self.identity_api.delete_role(role_id)
self.assignment_api.delete_role(role_id)
def _require_domain_xor_project(self, domain_id, project_id):
if (domain_id and project_id) or (not domain_id and not project_id):
@ -895,7 +896,7 @@ class RoleV3(controller.V3Controller):
"""
ref = {}
if role_id:
ref['role'] = self.identity_api.get_role(role_id)
ref['role'] = self.assignment_api.get_role(role_id)
if user_id:
ref['user'] = self.identity_api.get_user(user_id)
else:
@ -920,7 +921,7 @@ class RoleV3(controller.V3Controller):
if group_id:
self.identity_api.get_group(group_id)
self.identity_api.create_grant(
self.assignment_api.create_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
@ -931,7 +932,7 @@ class RoleV3(controller.V3Controller):
self._require_domain_xor_project(domain_id, project_id)
self._require_user_xor_group(user_id, group_id)
refs = self.identity_api.list_grants(
refs = self.assignment_api.list_grants(
user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
return RoleV3.wrap_collection(context, refs)
@ -948,7 +949,7 @@ class RoleV3(controller.V3Controller):
if group_id:
self.identity_api.get_group(group_id)
self.identity_api.get_grant(
self.assignment_api.get_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
@ -959,7 +960,7 @@ class RoleV3(controller.V3Controller):
self._require_domain_xor_project(domain_id, project_id)
self._require_user_xor_group(user_id, group_id)
self.identity_api.delete_grant(
self.assignment_api.delete_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))

@ -457,85 +457,9 @@ class Manager(manager.Manager):
# API should be removed, with the controller and tests making the correct
# calls direct to assignment.
def get_project_by_name(self, tenant_name, domain_id):
return self.assignment_api.get_project_by_name(tenant_name, domain_id)
def get_project(self, tenant_id):
return self.assignment_api.get_project(tenant_id)
def list_projects(self, domain_id=None):
return self.assignment_api.list_projects(domain_id)
def get_role(self, role_id):
return self.assignment_api.get_role(role_id)
def list_roles(self):
return self.assignment_api.list_roles()
def get_project_users(self, tenant_id):
return self.assignment_api.get_project_users(tenant_id)
def get_roles_for_user_and_project(self, user_id, tenant_id):
return self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
def get_roles_for_user_and_domain(self, user_id, domain_id):
return (self.assignment_api.get_roles_for_user_and_domain
(user_id, domain_id))
def _subrole_id_to_dn(self, role_id, tenant_id):
return self.assignment_api._subrole_id_to_dn(role_id, tenant_id)
def add_role_to_user_and_project(self, user_id,
tenant_id, role_id):
return (self.assignment_api.add_role_to_user_and_project
(user_id, tenant_id, role_id))
def create_role(self, role_id, role):
return self.assignment_api.create_role(role_id, role)
def delete_role(self, role_id):
return self.assignment_api.delete_role(role_id)
def remove_role_from_user_and_project(self, user_id,
tenant_id, role_id):
return (self.assignment_api.remove_role_from_user_and_project
(user_id, tenant_id, role_id))
def update_role(self, role_id, role):
return self.assignment_api.update_role(role_id, role)
def create_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.create_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
def list_grants(self, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.list_grants
(user_id, group_id, domain_id, project_id,
inherited_to_projects))
def get_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.get_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
def delete_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.delete_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
def create_domain(self, domain_id, domain):
return self.assignment_api.create_domain(domain_id, domain)
# NOTE(tellesmvn):The following 4 methods where not removed since ayoung
# told me not to because someone else is working on a new feature involving
# these methods where the idea is to identify in which domain the user is
def get_domain_by_name(self, domain_name):
return self.assignment_api.get_domain_by_name(domain_name)
@ -545,21 +469,9 @@ class Manager(manager.Manager):
def update_domain(self, domain_id, domain):
return self.assignment_api.update_domain(domain_id, domain)
def delete_domain(self, domain_id):
return self.assignment_api.delete_domain(domain_id)
def list_domains(self):
return self.assignment_api.list_domains()
def list_projects_for_user(self, user_id):
return self.assignment_api.list_projects_for_user(user_id)
def add_user_to_project(self, tenant_id, user_id):
return self.assignment_api.add_user_to_project(tenant_id, user_id)
def remove_user_from_project(self, tenant_id, user_id):
return self.assignment_api.remove_user_from_project(tenant_id, user_id)
@six.add_metaclass(abc.ABCMeta)
class Driver(object):

@ -333,12 +333,13 @@ class TestCase(NoModule, testtools.TestCase):
"""
# TODO(termie): doing something from json, probably based on Django's
# loaddata will be much preferred.
if hasattr(self, 'identity_api'):
if hasattr(self, 'identity_api') and hasattr(self, 'assignment_api'):
for domain in fixtures.DOMAINS:
try:
rv = self.identity_api.create_domain(domain['id'], domain)
rv = self.assignment_api.create_domain(domain['id'],
domain)
except exception.Conflict:
rv = self.identity_api.get_domain(domain['id'])
rv = self.assignment_api.get_domain(domain['id'])
except exception.NotImplemented:
rv = domain
setattr(self, 'domain_%s' % domain['id'], rv)
@ -348,15 +349,15 @@ class TestCase(NoModule, testtools.TestCase):
rv = self.assignment_api.create_project(
tenant['id'], tenant)
except exception.Conflict:
rv = self.identity_api.get_project(tenant['id'])
rv = self.assignment_api.get_project(tenant['id'])
pass
setattr(self, 'tenant_%s' % tenant['id'], rv)
for role in fixtures.ROLES:
try:
rv = self.identity_api.create_role(role['id'], role)
rv = self.assignment_api.create_role(role['id'], role)
except exception.Conflict:
rv = self.identity_api.get_role(role['id'])
rv = self.assignment_api.get_role(role['id'])
pass
setattr(self, 'role_%s' % role['id'], rv)
@ -370,8 +371,8 @@ class TestCase(NoModule, testtools.TestCase):
pass
for tenant_id in tenants:
try:
self.identity_api.add_user_to_project(tenant_id,
user['id'])
self.assignment_api.add_user_to_project(tenant_id,
user['id'])
except exception.Conflict:
pass
setattr(self, 'user_%s' % user['id'], user_copy)

@ -230,7 +230,7 @@ class AuthWithToken(AuthTest):
def test_auth_unscoped_token_project(self):
"""Verify getting a token in a tenant with an unscoped token."""
# Add a role in so we can check we get this back
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])
@ -253,19 +253,19 @@ class AuthWithToken(AuthTest):
def test_auth_token_project_group_role(self):
"""Verify getting a token in a tenant with group roles."""
# Add a v2 style role in so we can check we get this back
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])
# Now create a group role for this user as well
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_domain(domain1['id'], domain1)
self.assignment_api.create_domain(domain1['id'], domain1)
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
'name': uuid.uuid4().hex}
self.identity_api.create_group(new_group['id'], new_group)
self.identity_api.add_user_to_group(self.user_foo['id'],
new_group['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
group_id=new_group['id'],
project_id=self.tenant_bar['id'],
role_id=self.role_admin['id'])
@ -288,38 +288,38 @@ class AuthWithToken(AuthTest):
"""Verify getting a token in cross domain group/project roles."""
# create domain, project and group and grant roles to user
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_domain(domain1['id'], domain1)
self.assignment_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.assignment_api.create_project(project1['id'], project1)
role_foo_domain1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role_foo_domain1['id'],
role_foo_domain1)
self.assignment_api.create_role(role_foo_domain1['id'],
role_foo_domain1)
role_group_domain1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role_group_domain1['id'],
role_group_domain1)
self.identity_api.add_user_to_project(project1['id'],
self.user_foo['id'])
self.assignment_api.create_role(role_group_domain1['id'],
role_group_domain1)
self.assignment_api.add_user_to_project(project1['id'],
self.user_foo['id'])
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
'name': uuid.uuid4().hex}
self.identity_api.create_group(new_group['id'], new_group)
self.identity_api.add_user_to_group(self.user_foo['id'],
new_group['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
user_id=self.user_foo['id'],
project_id=project1['id'],
role_id=self.role_member['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
group_id=new_group['id'],
project_id=project1['id'],
role_id=self.role_admin['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
user_id=self.user_foo['id'],
domain_id=domain1['id'],
role_id=role_foo_domain1['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
group_id=new_group['id'],
domain_id=domain1['id'],
role_id=role_group_domain1['id'])
@ -410,7 +410,7 @@ class AuthWithToken(AuthTest):
self.assignment_api.create_project(project1['id'], project1)
role_one = {'id': 'role_one', 'name': uuid.uuid4().hex}
self.assignment_api.create_role(role_one['id'], role_one)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'], project1['id'], role_one['id'])
no_context = {}
@ -597,7 +597,7 @@ class AuthWithTrust(AuthTest):
self.assigned_roles = [self.role_member['id'],
self.role_browser['id']]
for assigned_role in self.assigned_roles:
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role)
self.sample_data = {'trustor_user_id': self.trustor['id'],
@ -801,7 +801,7 @@ class AuthWithTrust(AuthTest):
def test_token_from_trust_with_no_role_fails(self):
for assigned_role in self.assigned_roles:
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role)
request_body = self.build_v2_token_request('TWO', 'two2')
self.assertRaises(
@ -817,12 +817,12 @@ class AuthWithTrust(AuthTest):
self.controller.authenticate, {}, request_body)
def test_token_from_trust_with_wrong_role_fails(self):
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.trustor['id'],
self.tenant_bar['id'],
self.role_other['id'])
for assigned_role in self.assigned_roles:
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role)
request_body = self.build_v2_token_request('TWO', 'two2')

File diff suppressed because it is too large Load Diff

@ -273,8 +273,8 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
'enabled': True,
}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
driver = self.identity_api._select_identity_driver(
user['domain_id'])
driver.user.LDAP_USER = None
@ -345,7 +345,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
def test_configurable_allowed_project_actions(self):
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.assignment_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
tenant_ref = self.assignment_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1')
tenant['enabled'] = False
@ -353,7 +353,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
self.assignment_api.delete_project('fake1')
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
'fake1')
def test_configurable_forbidden_project_actions(self):
@ -379,16 +379,16 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
def test_configurable_allowed_role_actions(self):
role = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_role('fake1', role)
role_ref = self.identity_api.get_role('fake1')
self.assignment_api.create_role('fake1', role)
role_ref = self.assignment_api.get_role('fake1')
self.assertEqual(role_ref['id'], 'fake1')
role['name'] = 'fake2'
self.identity_api.update_role('fake1', role)
self.assignment_api.update_role('fake1', role)
self.identity_api.delete_role('fake1')
self.assignment_api.delete_role('fake1')
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.assignment_api.get_role,
'fake1')
def test_configurable_forbidden_role_actions(self):
@ -399,22 +399,22 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_role,
self.assignment_api.create_role,
role['id'],
role)
self.role_member['name'] = uuid.uuid4().hex
self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_role,
self.assignment_api.update_role,
self.role_member['id'],
self.role_member)
self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_role,
self.assignment_api.delete_role,
self.role_member['id'])
def test_project_filter(self):
tenant_ref = self.identity_api.get_project(self.tenant_bar['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar)
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
@ -427,15 +427,15 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
self.identity_api.get_role(self.role_member['id'])
self.assignment_api.get_role(self.role_member['id'])
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_bar['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
self.tenant_bar['id'])
def test_role_filter(self):
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertDictEqual(role_ref, self.role_member)
CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)'
@ -449,7 +449,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.assignment_api.get_role,
self.role_member['id'])
def test_dumb_member(self):
@ -479,7 +479,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
self.assertEqual(
@ -500,7 +500,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
@ -521,7 +521,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertNotIn('name', tenant_ref)
self.assertNotIn('description', tenant_ref)
@ -540,7 +540,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertEqual(role_ref['name'], self.role_member['name'])
@ -554,7 +554,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertNotIn('name', role_ref)
@ -571,7 +571,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertNotIn('name', role_ref)
@ -692,11 +692,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'enabled': True, 'description': uuid.uuid4().hex}
self.assertRaises(exception.Forbidden,
self.identity_api.create_domain,
self.assignment_api.create_domain,
domain['id'],
domain)
self.assertRaises(exception.Conflict,
self.identity_api.create_domain,
self.assignment_api.create_domain,
CONF.identity.default_domain_id,
domain)
self.assertRaises(exception.DomainNotFound,
@ -705,21 +705,21 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
domain['description'] = uuid.uuid4().hex
self.assertRaises(exception.DomainNotFound,
self.identity_api.update_domain,
self.assignment_api.update_domain,
domain['id'],
domain)
self.assertRaises(exception.Forbidden,
self.identity_api.update_domain,
self.assignment_api.update_domain,
CONF.identity.default_domain_id,
domain)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
domain['id'])
self.assertRaises(exception.DomainNotFound,
self.identity_api.delete_domain,
self.assignment_api.delete_domain,
domain['id'])
self.assertRaises(exception.Forbidden,
self.identity_api.delete_domain,
self.assignment_api.delete_domain,
CONF.identity.default_domain_id)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
@ -756,12 +756,12 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
project['description'] = uuid.uuid4().hex
self.assignment_api.update_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
project_ref = self.assignment_api.get_project(project['id'])
self.assertDictEqual(project_ref, project)
self.assignment_api.delete_project(project['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
project['id'])
def test_cache_layer_project_crud(self):
@ -826,7 +826,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
role_list = []
for _ in range(2):
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.assignment_api.create_role(role['id'], role)
role_list.append(role)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
@ -838,11 +838,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
'domain_id': CONF.identity.default_domain_id}
self.assignment_api.create_project(project1['id'], project1)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id=user1['id'],
tenant_id=project1['id'],
role_id=role_list[0]['id'])
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id=user1['id'],
tenant_id=project1['id'],
role_id=role_list[1]['id'])
@ -852,17 +852,18 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# and group roles are combined. Only directly assigned user
# roles are available, since group grants are not yet supported
combined_role_list = self.identity_api.get_roles_for_user_and_project(
user1['id'], project1['id'])
self.assertEqual(len(combined_role_list), 2)
self.assertIn(role_list[0]['id'], combined_role_list)
self.assertIn(role_list[1]['id'], combined_role_list)
combined_list = self.assignment_api.get_roles_for_user_and_project(
user1['id'],
project1['id'])
self.assertEqual(len(combined_list), 2)
self.assertIn(role_list[0]['id'], combined_list)
self.assertIn(role_list[1]['id'], combined_list)
# Finally, although domain roles are not implemented, check we can
# issue the combined get roles call with benign results, since thus is
# used in token generation
combined_role_list = self.identity_api.get_roles_for_user_and_domain(
combined_role_list = self.assignment_api.get_roles_for_user_and_domain(
user1['id'], CONF.identity.default_domain_id)
self.assertEqual(len(combined_role_list), 0)
@ -897,7 +898,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
'description': uuid.uuid4().hex}
self.assignment_api.create_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
project_ref = self.assignment_api.get_project(project['id'])
# self.assignment_api.create_project adds an enabled
# key with a value of True when LDAPIdentityEnabledEmulation
@ -907,12 +908,12 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
project['description'] = uuid.uuid4().hex
self.assignment_api.update_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
project_ref = self.assignment_api.get_project(project['id'])
self.assertDictEqual(project_ref, project)
self.assignment_api.delete_project(project['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
project['id'])
def test_user_crud(self):

@ -158,8 +158,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound,
self.assignment_api.list_projects_for_user,
@ -191,10 +191,10 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
tenant['id'],
tenant)
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
tenant['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project_by_name,
self.assignment_api.get_project_by_name,
tenant['name'],
DEFAULT_DOMAIN_ID)
@ -202,11 +202,11 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
role = {'id': uuid.uuid4().hex,
'name': None}
self.assertRaises(exception.Conflict,
self.identity_api.create_role,
self.assignment_api.create_role,
role['id'],
role)
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.assignment_api.get_role,
role['id'])
def test_delete_project_with_user_association(self):
@ -215,8 +215,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'passwd'}
self.identity_api.create_user('fake', user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.assignment_api.delete_project(self.tenant_bar['id'])
tenants = self.assignment_api.list_projects_for_user(user['id'])
self.assertEqual(tenants, [])
@ -231,8 +231,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.create_user(user['id'], user)
role = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.create_role(role['id'], role)
self.assignment_api.add_role_to_user_and_project(
user['id'],
self.tenant_bar['id'],
role['id'])
@ -255,8 +255,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.create_user(user['id'], user)
role = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.create_role(role['id'], role)
self.assignment_api.add_role_to_user_and_project(
user['id'],
self.tenant_bar['id'],
role['id'])