proxy removed from identity and changed to assignment
The identity_api served as a proxy for calling the assignment_api but it was suggested that this proxy should be removed and the calls should be made directly to the assignment_api. bug: #1220913 Change-Id: I20c461c06db22c03eb6d16399d1ca50999d053d5
This commit is contained in:
Telles Nobrega
parent
4a100d4d10
commit
bb1ac459a4
|
|
@ -14,7 +14,7 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from keystone import assignment
|
||||||
from keystone.common import controller
|
from keystone.common import controller
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
|
@ -49,10 +49,12 @@ def get_auth_method(method_name):
|
||||||
return AUTH_METHODS[method_name]
|
return AUTH_METHODS[method_name]
|
||||||
|
|
||||||
|
|
||||||
|
@dependency.requires('assignment_api')
|
||||||
class AuthInfo(object):
|
class AuthInfo(object):
|
||||||
"""Encapsulation of "auth" request."""
|
"""Encapsulation of "auth" request."""
|
||||||
|
|
||||||
def __init__(self, context, auth=None):
|
def __init__(self, context, auth=None):
|
||||||
|
self.assignment_api = assignment.Manager()
|
||||||
self.identity_api = identity.Manager()
|
self.identity_api = identity.Manager()
|
||||||
self.trust_api = trust.Manager()
|
self.trust_api = trust.Manager()
|
||||||
self.context = context
|
self.context = context
|
||||||
|
|
@ -115,10 +117,10 @@ class AuthInfo(object):
|
||||||
raise exception.ValidationError(attribute='domain',
|
raise exception.ValidationError(attribute='domain',
|
||||||
target='project')
|
target='project')
|
||||||
domain_ref = self._lookup_domain(project_info['domain'])
|
domain_ref = self._lookup_domain(project_info['domain'])
|
||||||
project_ref = self.identity_api.get_project_by_name(
|
project_ref = self.assignment_api.get_project_by_name(
|
||||||
project_name, domain_ref['id'])
|
project_name, domain_ref['id'])
|
||||||
else:
|
else:
|
||||||
project_ref = self.identity_api.get_project(project_id)
|
project_ref = self.assignment_api.get_project(project_id)
|
||||||
except exception.ProjectNotFound as e:
|
except exception.ProjectNotFound as e:
|
||||||
LOG.exception(e)
|
LOG.exception(e)
|
||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
|
|
|
||||||
|
|
@ -79,7 +79,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
|
||||||
except AttributeError:
|
except AttributeError:
|
||||||
LOG.debug(_('RBAC: Proceeding without tenant'))
|
LOG.debug(_('RBAC: Proceeding without tenant'))
|
||||||
# NOTE(vish): this is pretty inefficient
|
# NOTE(vish): this is pretty inefficient
|
||||||
creds['roles'] = [self.identity_api.get_role(role)['name']
|
creds['roles'] = [self.assignment_api.get_role(role)['name']
|
||||||
for role in creds.get('roles', [])]
|
for role in creds.get('roles', [])]
|
||||||
|
|
||||||
return creds
|
return creds
|
||||||
|
|
|
||||||
|
|
@ -303,7 +303,7 @@ class Application(BaseApplication):
|
||||||
raise exception.Unauthorized()
|
raise exception.Unauthorized()
|
||||||
|
|
||||||
# NOTE(vish): this is pretty inefficient
|
# NOTE(vish): this is pretty inefficient
|
||||||
creds['roles'] = [self.identity_api.get_role(role)['name']
|
creds['roles'] = [self.assignment_api.get_role(role)['name']
|
||||||
for role in creds.get('roles', [])]
|
for role in creds.get('roles', [])]
|
||||||
# Accept either is_admin or the admin role
|
# Accept either is_admin or the admin role
|
||||||
self.policy_api.enforce(creds, 'admin_required', {})
|
self.policy_api.enforce(creds, 'admin_required', {})
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,8 @@ from keystone import exception
|
||||||
from keystone import token
|
from keystone import token
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('catalog_api', 'credential_api', 'token_provider_api')
|
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
|
||||||
|
'token_provider_api')
|
||||||
class Ec2Controller(controller.V2Controller):
|
class Ec2Controller(controller.V2Controller):
|
||||||
def check_signature(self, creds_ref, credentials):
|
def check_signature(self, creds_ref, credentials):
|
||||||
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
|
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
|
||||||
|
|
@ -99,11 +100,11 @@ class Ec2Controller(controller.V2Controller):
|
||||||
# TODO(termie): don't create new tokens every time
|
# TODO(termie): don't create new tokens every time
|
||||||
# TODO(termie): this is copied from TokenController.authenticate
|
# TODO(termie): this is copied from TokenController.authenticate
|
||||||
token_id = uuid.uuid4().hex
|
token_id = uuid.uuid4().hex
|
||||||
tenant_ref = self.identity_api.get_project(creds_ref['tenant_id'])
|
tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
|
||||||
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
||||||
metadata_ref = {}
|
metadata_ref = {}
|
||||||
metadata_ref['roles'] = (
|
metadata_ref['roles'] = (
|
||||||
self.identity_api.get_roles_for_user_and_project(
|
self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_ref['id'], tenant_ref['id']))
|
user_ref['id'], tenant_ref['id']))
|
||||||
|
|
||||||
# Validate that the auth info is valid and nothing is disabled
|
# Validate that the auth info is valid and nothing is disabled
|
||||||
|
|
@ -112,7 +113,7 @@ class Ec2Controller(controller.V2Controller):
|
||||||
roles = metadata_ref.get('roles', [])
|
roles = metadata_ref.get('roles', [])
|
||||||
if not roles:
|
if not roles:
|
||||||
raise exception.Unauthorized(message='User not valid for tenant.')
|
raise exception.Unauthorized(message='User not valid for tenant.')
|
||||||
roles_ref = [self.identity_api.get_role(role_id)
|
roles_ref = [self.assignment_api.get_role(role_id)
|
||||||
for role_id in roles]
|
for role_id in roles]
|
||||||
|
|
||||||
catalog_ref = self.catalog_api.get_catalog(
|
catalog_ref = self.catalog_api.get_catalog(
|
||||||
|
|
@ -289,6 +290,6 @@ class Ec2Controller(controller.V2Controller):
|
||||||
:raises exception.ProjectNotFound: on failure
|
:raises exception.ProjectNotFound: on failure
|
||||||
|
|
||||||
"""
|
"""
|
||||||
project_ref = self.identity_api.get_project(project_id)
|
project_ref = self.assignment_api.get_project(project_id)
|
||||||
if not project_ref:
|
if not project_ref:
|
||||||
raise exception.ProjectNotFound(project_id=project_id)
|
raise exception.ProjectNotFound(project_id=project_id)
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@ from keystone.common import dependency
|
||||||
from keystone.identity import controllers as identity_controllers
|
from keystone.identity import controllers as identity_controllers
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('catalog_api', 'identity_api', 'endpoint_filter_api')
|
@dependency.requires('assignment_api', 'endpoint_filter_api')
|
||||||
class EndpointFilterV3Controller(controller.V3Controller):
|
class EndpointFilterV3Controller(controller.V3Controller):
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
|
|
@ -32,7 +32,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
|
||||||
# The relationship can still be establed even with a disabled project
|
# The relationship can still be establed even with a disabled project
|
||||||
# as there are no security implications.
|
# as there are no security implications.
|
||||||
self.catalog_api.get_endpoint(endpoint_id)
|
self.catalog_api.get_endpoint(endpoint_id)
|
||||||
self.identity_api.get_project(project_id)
|
self.assignment_api.get_project(project_id)
|
||||||
# NOTE(gyee): we may need to cleanup any existing project-endpoint
|
# NOTE(gyee): we may need to cleanup any existing project-endpoint
|
||||||
# associations here if either project or endpoint is not found.
|
# associations here if either project or endpoint is not found.
|
||||||
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
|
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
|
||||||
|
|
@ -42,7 +42,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
|
||||||
def check_endpoint_in_project(self, context, project_id, endpoint_id):
|
def check_endpoint_in_project(self, context, project_id, endpoint_id):
|
||||||
"""Verifies endpoint is currently associated with given project."""
|
"""Verifies endpoint is currently associated with given project."""
|
||||||
self.catalog_api.get_endpoint(endpoint_id)
|
self.catalog_api.get_endpoint(endpoint_id)
|
||||||
self.identity_api.get_project(project_id)
|
self.assignment_api.get_project(project_id)
|
||||||
# TODO(gyee): we may need to cleanup any existing project-endpoint
|
# TODO(gyee): we may need to cleanup any existing project-endpoint
|
||||||
# associations here if either project or endpoint is not found.
|
# associations here if either project or endpoint is not found.
|
||||||
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
|
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
|
||||||
|
|
@ -51,7 +51,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_endpoints_for_project(self, context, project_id):
|
def list_endpoints_for_project(self, context, project_id):
|
||||||
"""Lists all endpoints currently associated with a given project."""
|
"""Lists all endpoints currently associated with a given project."""
|
||||||
self.identity_api.get_project(project_id)
|
self.assignment_api.get_project(project_id)
|
||||||
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
|
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
|
||||||
|
|
||||||
endpoints = [self.catalog_api.get_endpoint(
|
endpoints = [self.catalog_api.get_endpoint(
|
||||||
|
|
@ -70,7 +70,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
|
||||||
"""Return a list of projects associated with the endpoint."""
|
"""Return a list of projects associated with the endpoint."""
|
||||||
refs = self.endpoint_filter_api.list_project_endpoints(endpoint_id)
|
refs = self.endpoint_filter_api.list_project_endpoints(endpoint_id)
|
||||||
|
|
||||||
projects = [self.identity_api.get_project(
|
projects = [self.assignment_api.get_project(
|
||||||
ref.project_id) for ref in refs]
|
ref.project_id) for ref in refs]
|
||||||
return identity_controllers.ProjectV3.wrap_collection(context,
|
return identity_controllers.ProjectV3.wrap_collection(context,
|
||||||
projects)
|
projects)
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,7 @@ class Tenant(controller.V2Controller):
|
||||||
context, context['query_string'].get('name'))
|
context, context['query_string'].get('name'))
|
||||||
|
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
tenant_refs = self.identity_api.list_projects()
|
tenant_refs = self.assignment_api.list_projects()
|
||||||
for tenant_ref in tenant_refs:
|
for tenant_ref in tenant_refs:
|
||||||
tenant_ref = self.filter_domain_id(tenant_ref)
|
tenant_ref = self.filter_domain_id(tenant_ref)
|
||||||
params = {
|
params = {
|
||||||
|
|
@ -77,12 +77,12 @@ class Tenant(controller.V2Controller):
|
||||||
def get_project(self, context, tenant_id):
|
def get_project(self, context, tenant_id):
|
||||||
# TODO(termie): this stuff should probably be moved to middleware
|
# TODO(termie): this stuff should probably be moved to middleware
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
ref = self.identity_api.get_project(tenant_id)
|
ref = self.assignment_api.get_project(tenant_id)
|
||||||
return {'tenant': self.filter_domain_id(ref)}
|
return {'tenant': self.filter_domain_id(ref)}
|
||||||
|
|
||||||
def get_project_by_name(self, context, tenant_name):
|
def get_project_by_name(self, context, tenant_name):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
ref = self.identity_api.get_project_by_name(
|
ref = self.assignment_api.get_project_by_name(
|
||||||
tenant_name, DEFAULT_DOMAIN_ID)
|
tenant_name, DEFAULT_DOMAIN_ID)
|
||||||
return {'tenant': self.filter_domain_id(ref)}
|
return {'tenant': self.filter_domain_id(ref)}
|
||||||
|
|
||||||
|
|
@ -214,7 +214,8 @@ class User(controller.V2Controller):
|
||||||
self.identity_api.create_user(user_id, user_ref))
|
self.identity_api.create_user(user_id, user_ref))
|
||||||
|
|
||||||
if default_project_id is not None:
|
if default_project_id is not None:
|
||||||
self.identity_api.add_user_to_project(default_project_id, user_id)
|
self.assignment_api.add_user_to_project(default_project_id,
|
||||||
|
user_id)
|
||||||
return {'user': new_user_ref}
|
return {'user': new_user_ref}
|
||||||
|
|
||||||
def update_user(self, context, user_id, user):
|
def update_user(self, context, user_id, user):
|
||||||
|
|
@ -312,15 +313,15 @@ class Role(controller.V2Controller):
|
||||||
raise exception.NotImplemented(message='User roles not supported: '
|
raise exception.NotImplemented(message='User roles not supported: '
|
||||||
'tenant ID required')
|
'tenant ID required')
|
||||||
|
|
||||||
roles = self.identity_api.get_roles_for_user_and_project(
|
roles = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_id, tenant_id)
|
user_id, tenant_id)
|
||||||
return {'roles': [self.identity_api.get_role(x)
|
return {'roles': [self.assignment_api.get_role(x)
|
||||||
for x in roles]}
|
for x in roles]}
|
||||||
|
|
||||||
# CRUD extension
|
# CRUD extension
|
||||||
def get_role(self, context, role_id):
|
def get_role(self, context, role_id):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'role': self.identity_api.get_role(role_id)}
|
return {'role': self.assignment_api.get_role(role_id)}
|
||||||
|
|
||||||
def create_role(self, context, role):
|
def create_role(self, context, role):
|
||||||
role = self._normalize_dict(role)
|
role = self._normalize_dict(role)
|
||||||
|
|
@ -332,7 +333,7 @@ class Role(controller.V2Controller):
|
||||||
|
|
||||||
role_id = uuid.uuid4().hex
|
role_id = uuid.uuid4().hex
|
||||||
role['id'] = role_id
|
role['id'] = role_id
|
||||||
role_ref = self.identity_api.create_role(role_id, role)
|
role_ref = self.assignment_api.create_role(role_id, role)
|
||||||
return {'role': role_ref}
|
return {'role': role_ref}
|
||||||
|
|
||||||
def delete_role(self, context, role_id):
|
def delete_role(self, context, role_id):
|
||||||
|
|
@ -341,11 +342,11 @@ class Role(controller.V2Controller):
|
||||||
# We must first, however, revoke any tokens for users that have an
|
# We must first, however, revoke any tokens for users that have an
|
||||||
# assignment with this role.
|
# assignment with this role.
|
||||||
self._delete_tokens_for_role(role_id)
|
self._delete_tokens_for_role(role_id)
|
||||||
self.identity_api.delete_role(role_id)
|
self.assignment_api.delete_role(role_id)
|
||||||
|
|
||||||
def get_roles(self, context):
|
def get_roles(self, context):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'roles': self.identity_api.list_roles()}
|
return {'roles': self.assignment_api.list_roles()}
|
||||||
|
|
||||||
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
|
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
|
||||||
"""Add a role to a user and tenant pair.
|
"""Add a role to a user and tenant pair.
|
||||||
|
|
@ -359,10 +360,10 @@ class Role(controller.V2Controller):
|
||||||
raise exception.NotImplemented(message='User roles not supported: '
|
raise exception.NotImplemented(message='User roles not supported: '
|
||||||
'tenant_id required')
|
'tenant_id required')
|
||||||
|
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
user_id, tenant_id, role_id)
|
user_id, tenant_id, role_id)
|
||||||
|
|
||||||
role_ref = self.identity_api.get_role(role_id)
|
role_ref = self.assignment_api.get_role(role_id)
|
||||||
return {'role': role_ref}
|
return {'role': role_ref}
|
||||||
|
|
||||||
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
|
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
|
||||||
|
|
@ -379,7 +380,7 @@ class Role(controller.V2Controller):
|
||||||
|
|
||||||
# This still has the weird legacy semantics that adding a role to
|
# This still has the weird legacy semantics that adding a role to
|
||||||
# a user also adds them to a tenant, so we must follow up on that
|
# a user also adds them to a tenant, so we must follow up on that
|
||||||
self.identity_api.remove_role_from_user_and_project(
|
self.assignment_api.remove_role_from_user_and_project(
|
||||||
user_id, tenant_id, role_id)
|
user_id, tenant_id, role_id)
|
||||||
self._delete_tokens_for_user(user_id)
|
self._delete_tokens_for_user(user_id)
|
||||||
|
|
||||||
|
|
@ -403,7 +404,7 @@ class Role(controller.V2Controller):
|
||||||
# the default domain.
|
# the default domain.
|
||||||
if tenant['domain_id'] != DEFAULT_DOMAIN_ID:
|
if tenant['domain_id'] != DEFAULT_DOMAIN_ID:
|
||||||
continue
|
continue
|
||||||
role_ids = self.identity_api.get_roles_for_user_and_project(
|
role_ids = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_id, tenant['id'])
|
user_id, tenant['id'])
|
||||||
for role_id in role_ids:
|
for role_id in role_ids:
|
||||||
ref = {'roleId': role_id,
|
ref = {'roleId': role_id,
|
||||||
|
|
@ -425,11 +426,11 @@ class Role(controller.V2Controller):
|
||||||
# TODO(termie): for now we're ignoring the actual role
|
# TODO(termie): for now we're ignoring the actual role
|
||||||
tenant_id = role.get('tenantId')
|
tenant_id = role.get('tenantId')
|
||||||
role_id = role.get('roleId')
|
role_id = role.get('roleId')
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
user_id, tenant_id, role_id)
|
user_id, tenant_id, role_id)
|
||||||
self._delete_tokens_for_user(user_id)
|
self._delete_tokens_for_user(user_id)
|
||||||
|
|
||||||
role_ref = self.identity_api.get_role(role_id)
|
role_ref = self.assignment_api.get_role(role_id)
|
||||||
return {'role': role_ref}
|
return {'role': role_ref}
|
||||||
|
|
||||||
# COMPAT(diablo): CRUD extension
|
# COMPAT(diablo): CRUD extension
|
||||||
|
|
@ -449,7 +450,7 @@ class Role(controller.V2Controller):
|
||||||
role_ref_ref = urlparse.parse_qs(role_ref_id)
|
role_ref_ref = urlparse.parse_qs(role_ref_id)
|
||||||
tenant_id = role_ref_ref.get('tenantId')[0]
|
tenant_id = role_ref_ref.get('tenantId')[0]
|
||||||
role_id = role_ref_ref.get('roleId')[0]
|
role_id = role_ref_ref.get('roleId')[0]
|
||||||
self.identity_api.remove_role_from_user_and_project(
|
self.assignment_api.remove_role_from_user_and_project(
|
||||||
user_id, tenant_id, role_id)
|
user_id, tenant_id, role_id)
|
||||||
self._delete_tokens_for_user(user_id)
|
self._delete_tokens_for_user(user_id)
|
||||||
|
|
||||||
|
|
@ -467,31 +468,31 @@ class DomainV3(controller.V3Controller):
|
||||||
self._require_attribute(domain, 'name')
|
self._require_attribute(domain, 'name')
|
||||||
|
|
||||||
ref = self._assign_unique_id(self._normalize_dict(domain))
|
ref = self._assign_unique_id(self._normalize_dict(domain))
|
||||||
ref = self.identity_api.create_domain(ref['id'], ref)
|
ref = self.assignment_api.create_domain(ref['id'], ref)
|
||||||
return DomainV3.wrap_member(context, ref)
|
return DomainV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.filterprotected('enabled', 'name')
|
@controller.filterprotected('enabled', 'name')
|
||||||
def list_domains(self, context, filters):
|
def list_domains(self, context, filters):
|
||||||
refs = self.identity_api.list_domains()
|
refs = self.assignment_api.list_domains()
|
||||||
return DomainV3.wrap_collection(context, refs, filters)
|
return DomainV3.wrap_collection(context, refs, filters)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_domain(self, context, domain_id):
|
def get_domain(self, context, domain_id):
|
||||||
ref = self.identity_api.get_domain(domain_id)
|
ref = self.assignment_api.get_domain(domain_id)
|
||||||
return DomainV3.wrap_member(context, ref)
|
return DomainV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def update_domain(self, context, domain_id, domain):
|
def update_domain(self, context, domain_id, domain):
|
||||||
self._require_matching_id(domain_id, domain)
|
self._require_matching_id(domain_id, domain)
|
||||||
|
|
||||||
ref = self.identity_api.update_domain(domain_id, domain)
|
ref = self.assignment_api.update_domain(domain_id, domain)
|
||||||
|
|
||||||
# disable owned users & projects when the API user specifically set
|
# disable owned users & projects when the API user specifically set
|
||||||
# enabled=False
|
# enabled=False
|
||||||
# FIXME(dolph): need a driver call to directly revoke all tokens by
|
# FIXME(dolph): need a driver call to directly revoke all tokens by
|
||||||
# project or domain, regardless of user
|
# project or domain, regardless of user
|
||||||
if not domain.get('enabled', True):
|
if not domain.get('enabled', True):
|
||||||
projects = [x for x in self.identity_api.list_projects()
|
projects = [x for x in self.assignment_api.list_projects()
|
||||||
if x.get('domain_id') == domain_id]
|
if x.get('domain_id') == domain_id]
|
||||||
for user in self.identity_api.list_users():
|
for user in self.identity_api.list_users():
|
||||||
# TODO(dolph): disable domain-scoped tokens
|
# TODO(dolph): disable domain-scoped tokens
|
||||||
|
|
@ -548,7 +549,7 @@ class DomainV3(controller.V3Controller):
|
||||||
user_refs = self.identity_api.list_users()
|
user_refs = self.identity_api.list_users()
|
||||||
user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id]
|
user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id]
|
||||||
|
|
||||||
proj_refs = self.identity_api.list_projects()
|
proj_refs = self.assignment_api.list_projects()
|
||||||
proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id]
|
proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id]
|
||||||
|
|
||||||
# First delete the projects themselves
|
# First delete the projects themselves
|
||||||
|
|
@ -581,14 +582,14 @@ class DomainV3(controller.V3Controller):
|
||||||
# has been previously disabled. This also prevents a user deleting
|
# has been previously disabled. This also prevents a user deleting
|
||||||
# their own domain since, once it is disabled, they won't be able
|
# their own domain since, once it is disabled, they won't be able
|
||||||
# to get a valid token to issue this delete.
|
# to get a valid token to issue this delete.
|
||||||
ref = self.identity_api.get_domain(domain_id)
|
ref = self.assignment_api.get_domain(domain_id)
|
||||||
if ref['enabled']:
|
if ref['enabled']:
|
||||||
raise exception.ForbiddenAction(
|
raise exception.ForbiddenAction(
|
||||||
action='delete a domain that is not disabled')
|
action='delete a domain that is not disabled')
|
||||||
|
|
||||||
# OK, we are go for delete!
|
# OK, we are go for delete!
|
||||||
self._delete_domain_contents(context, domain_id)
|
self._delete_domain_contents(context, domain_id)
|
||||||
return self.identity_api.delete_domain(domain_id)
|
return self.assignment_api.delete_domain(domain_id)
|
||||||
|
|
||||||
def _get_domain_by_name(self, context, domain_name):
|
def _get_domain_by_name(self, context, domain_name):
|
||||||
"""Get the domain via its unique name.
|
"""Get the domain via its unique name.
|
||||||
|
|
@ -597,7 +598,7 @@ class DomainV3(controller.V3Controller):
|
||||||
router as a public api.
|
router as a public api.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
ref = self.identity_api.get_domain_by_name(domain_name)
|
ref = self.assignment_api.get_domain_by_name(domain_name)
|
||||||
return {'domain': ref}
|
return {'domain': ref}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -620,17 +621,17 @@ class ProjectV3(controller.V3Controller):
|
||||||
|
|
||||||
@controller.filterprotected('domain_id', 'enabled', 'name')
|
@controller.filterprotected('domain_id', 'enabled', 'name')
|
||||||
def list_projects(self, context, filters):
|
def list_projects(self, context, filters):
|
||||||
refs = self.identity_api.list_projects()
|
refs = self.assignment_api.list_projects()
|
||||||
return ProjectV3.wrap_collection(context, refs, filters)
|
return ProjectV3.wrap_collection(context, refs, filters)
|
||||||
|
|
||||||
@controller.filterprotected('enabled', 'name')
|
@controller.filterprotected('enabled', 'name')
|
||||||
def list_user_projects(self, context, filters, user_id):
|
def list_user_projects(self, context, filters, user_id):
|
||||||
refs = self.identity_api.list_projects_for_user(user_id)
|
refs = self.assignment_api.list_projects_for_user(user_id)
|
||||||
return ProjectV3.wrap_collection(context, refs, filters)
|
return ProjectV3.wrap_collection(context, refs, filters)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_project(self, context, project_id):
|
def get_project(self, context, project_id):
|
||||||
ref = self.identity_api.get_project(project_id)
|
ref = self.assignment_api.get_project(project_id)
|
||||||
return ProjectV3.wrap_member(context, ref)
|
return ProjectV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
|
|
@ -840,24 +841,24 @@ class RoleV3(controller.V3Controller):
|
||||||
self._require_attribute(role, 'name')
|
self._require_attribute(role, 'name')
|
||||||
|
|
||||||
ref = self._assign_unique_id(self._normalize_dict(role))
|
ref = self._assign_unique_id(self._normalize_dict(role))
|
||||||
ref = self.identity_api.create_role(ref['id'], ref)
|
ref = self.assignment_api.create_role(ref['id'], ref)
|
||||||
return RoleV3.wrap_member(context, ref)
|
return RoleV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.filterprotected('name')
|
@controller.filterprotected('name')
|
||||||
def list_roles(self, context, filters):
|
def list_roles(self, context, filters):
|
||||||
refs = self.identity_api.list_roles()
|
refs = self.assignment_api.list_roles()
|
||||||
return RoleV3.wrap_collection(context, refs, filters)
|
return RoleV3.wrap_collection(context, refs, filters)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_role(self, context, role_id):
|
def get_role(self, context, role_id):
|
||||||
ref = self.identity_api.get_role(role_id)
|
ref = self.assignment_api.get_role(role_id)
|
||||||
return RoleV3.wrap_member(context, ref)
|
return RoleV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def update_role(self, context, role_id, role):
|
def update_role(self, context, role_id, role):
|
||||||
self._require_matching_id(role_id, role)
|
self._require_matching_id(role_id, role)
|
||||||
|
|
||||||
ref = self.identity_api.update_role(role_id, role)
|
ref = self.assignment_api.update_role(role_id, role)
|
||||||
return RoleV3.wrap_member(context, ref)
|
return RoleV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
|
|
@ -866,7 +867,7 @@ class RoleV3(controller.V3Controller):
|
||||||
# We must first, however, revoke any tokens for users that have an
|
# We must first, however, revoke any tokens for users that have an
|
||||||
# assignment with this role.
|
# assignment with this role.
|
||||||
self._delete_tokens_for_role(role_id)
|
self._delete_tokens_for_role(role_id)
|
||||||
self.identity_api.delete_role(role_id)
|
self.assignment_api.delete_role(role_id)
|
||||||
|
|
||||||
def _require_domain_xor_project(self, domain_id, project_id):
|
def _require_domain_xor_project(self, domain_id, project_id):
|
||||||
if (domain_id and project_id) or (not domain_id and not project_id):
|
if (domain_id and project_id) or (not domain_id and not project_id):
|
||||||
|
|
@ -895,7 +896,7 @@ class RoleV3(controller.V3Controller):
|
||||||
"""
|
"""
|
||||||
ref = {}
|
ref = {}
|
||||||
if role_id:
|
if role_id:
|
||||||
ref['role'] = self.identity_api.get_role(role_id)
|
ref['role'] = self.assignment_api.get_role(role_id)
|
||||||
if user_id:
|
if user_id:
|
||||||
ref['user'] = self.identity_api.get_user(user_id)
|
ref['user'] = self.identity_api.get_user(user_id)
|
||||||
else:
|
else:
|
||||||
|
|
@ -920,7 +921,7 @@ class RoleV3(controller.V3Controller):
|
||||||
if group_id:
|
if group_id:
|
||||||
self.identity_api.get_group(group_id)
|
self.identity_api.get_group(group_id)
|
||||||
|
|
||||||
self.identity_api.create_grant(
|
self.assignment_api.create_grant(
|
||||||
role_id, user_id, group_id, domain_id, project_id,
|
role_id, user_id, group_id, domain_id, project_id,
|
||||||
self._check_if_inherited(context))
|
self._check_if_inherited(context))
|
||||||
|
|
||||||
|
|
@ -931,7 +932,7 @@ class RoleV3(controller.V3Controller):
|
||||||
self._require_domain_xor_project(domain_id, project_id)
|
self._require_domain_xor_project(domain_id, project_id)
|
||||||
self._require_user_xor_group(user_id, group_id)
|
self._require_user_xor_group(user_id, group_id)
|
||||||
|
|
||||||
refs = self.identity_api.list_grants(
|
refs = self.assignment_api.list_grants(
|
||||||
user_id, group_id, domain_id, project_id,
|
user_id, group_id, domain_id, project_id,
|
||||||
self._check_if_inherited(context))
|
self._check_if_inherited(context))
|
||||||
return RoleV3.wrap_collection(context, refs)
|
return RoleV3.wrap_collection(context, refs)
|
||||||
|
|
@ -948,7 +949,7 @@ class RoleV3(controller.V3Controller):
|
||||||
if group_id:
|
if group_id:
|
||||||
self.identity_api.get_group(group_id)
|
self.identity_api.get_group(group_id)
|
||||||
|
|
||||||
self.identity_api.get_grant(
|
self.assignment_api.get_grant(
|
||||||
role_id, user_id, group_id, domain_id, project_id,
|
role_id, user_id, group_id, domain_id, project_id,
|
||||||
self._check_if_inherited(context))
|
self._check_if_inherited(context))
|
||||||
|
|
||||||
|
|
@ -959,7 +960,7 @@ class RoleV3(controller.V3Controller):
|
||||||
self._require_domain_xor_project(domain_id, project_id)
|
self._require_domain_xor_project(domain_id, project_id)
|
||||||
self._require_user_xor_group(user_id, group_id)
|
self._require_user_xor_group(user_id, group_id)
|
||||||
|
|
||||||
self.identity_api.delete_grant(
|
self.assignment_api.delete_grant(
|
||||||
role_id, user_id, group_id, domain_id, project_id,
|
role_id, user_id, group_id, domain_id, project_id,
|
||||||
self._check_if_inherited(context))
|
self._check_if_inherited(context))
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -457,85 +457,9 @@ class Manager(manager.Manager):
|
||||||
# API should be removed, with the controller and tests making the correct
|
# API should be removed, with the controller and tests making the correct
|
||||||
# calls direct to assignment.
|
# calls direct to assignment.
|
||||||
|
|
||||||
def get_project_by_name(self, tenant_name, domain_id):
|
# NOTE(tellesmvn):The following 4 methods where not removed since ayoung
|
||||||
return self.assignment_api.get_project_by_name(tenant_name, domain_id)
|
# told me not to because someone else is working on a new feature involving
|
||||||
|
# these methods where the idea is to identify in which domain the user is
|
||||||
def get_project(self, tenant_id):
|
|
||||||
return self.assignment_api.get_project(tenant_id)
|
|
||||||
|
|
||||||
def list_projects(self, domain_id=None):
|
|
||||||
return self.assignment_api.list_projects(domain_id)
|
|
||||||
|
|
||||||
def get_role(self, role_id):
|
|
||||||
return self.assignment_api.get_role(role_id)
|
|
||||||
|
|
||||||
def list_roles(self):
|
|
||||||
return self.assignment_api.list_roles()
|
|
||||||
|
|
||||||
def get_project_users(self, tenant_id):
|
|
||||||
return self.assignment_api.get_project_users(tenant_id)
|
|
||||||
|
|
||||||
def get_roles_for_user_and_project(self, user_id, tenant_id):
|
|
||||||
return self.assignment_api.get_roles_for_user_and_project(
|
|
||||||
user_id, tenant_id)
|
|
||||||
|
|
||||||
def get_roles_for_user_and_domain(self, user_id, domain_id):
|
|
||||||
return (self.assignment_api.get_roles_for_user_and_domain
|
|
||||||
(user_id, domain_id))
|
|
||||||
|
|
||||||
def _subrole_id_to_dn(self, role_id, tenant_id):
|
|
||||||
return self.assignment_api._subrole_id_to_dn(role_id, tenant_id)
|
|
||||||
|
|
||||||
def add_role_to_user_and_project(self, user_id,
|
|
||||||
tenant_id, role_id):
|
|
||||||
return (self.assignment_api.add_role_to_user_and_project
|
|
||||||
(user_id, tenant_id, role_id))
|
|
||||||
|
|
||||||
def create_role(self, role_id, role):
|
|
||||||
return self.assignment_api.create_role(role_id, role)
|
|
||||||
|
|
||||||
def delete_role(self, role_id):
|
|
||||||
return self.assignment_api.delete_role(role_id)
|
|
||||||
|
|
||||||
def remove_role_from_user_and_project(self, user_id,
|
|
||||||
tenant_id, role_id):
|
|
||||||
return (self.assignment_api.remove_role_from_user_and_project
|
|
||||||
(user_id, tenant_id, role_id))
|
|
||||||
|
|
||||||
def update_role(self, role_id, role):
|
|
||||||
return self.assignment_api.update_role(role_id, role)
|
|
||||||
|
|
||||||
def create_grant(self, role_id, user_id=None, group_id=None,
|
|
||||||
domain_id=None, project_id=None,
|
|
||||||
inherited_to_projects=False):
|
|
||||||
return (self.assignment_api.create_grant
|
|
||||||
(role_id, user_id, group_id, domain_id, project_id,
|
|
||||||
inherited_to_projects))
|
|
||||||
|
|
||||||
def list_grants(self, user_id=None, group_id=None,
|
|
||||||
domain_id=None, project_id=None,
|
|
||||||
inherited_to_projects=False):
|
|
||||||
return (self.assignment_api.list_grants
|
|
||||||
(user_id, group_id, domain_id, project_id,
|
|
||||||
inherited_to_projects))
|
|
||||||
|
|
||||||
def get_grant(self, role_id, user_id=None, group_id=None,
|
|
||||||
domain_id=None, project_id=None,
|
|
||||||
inherited_to_projects=False):
|
|
||||||
return (self.assignment_api.get_grant
|
|
||||||
(role_id, user_id, group_id, domain_id, project_id,
|
|
||||||
inherited_to_projects))
|
|
||||||
|
|
||||||
def delete_grant(self, role_id, user_id=None, group_id=None,
|
|
||||||
domain_id=None, project_id=None,
|
|
||||||
inherited_to_projects=False):
|
|
||||||
return (self.assignment_api.delete_grant
|
|
||||||
(role_id, user_id, group_id, domain_id, project_id,
|
|
||||||
inherited_to_projects))
|
|
||||||
|
|
||||||
def create_domain(self, domain_id, domain):
|
|
||||||
return self.assignment_api.create_domain(domain_id, domain)
|
|
||||||
|
|
||||||
def get_domain_by_name(self, domain_name):
|
def get_domain_by_name(self, domain_name):
|
||||||
return self.assignment_api.get_domain_by_name(domain_name)
|
return self.assignment_api.get_domain_by_name(domain_name)
|
||||||
|
|
||||||
|
|
@ -545,21 +469,9 @@ class Manager(manager.Manager):
|
||||||
def update_domain(self, domain_id, domain):
|
def update_domain(self, domain_id, domain):
|
||||||
return self.assignment_api.update_domain(domain_id, domain)
|
return self.assignment_api.update_domain(domain_id, domain)
|
||||||
|
|
||||||
def delete_domain(self, domain_id):
|
|
||||||
return self.assignment_api.delete_domain(domain_id)
|
|
||||||
|
|
||||||
def list_domains(self):
|
def list_domains(self):
|
||||||
return self.assignment_api.list_domains()
|
return self.assignment_api.list_domains()
|
||||||
|
|
||||||
def list_projects_for_user(self, user_id):
|
|
||||||
return self.assignment_api.list_projects_for_user(user_id)
|
|
||||||
|
|
||||||
def add_user_to_project(self, tenant_id, user_id):
|
|
||||||
return self.assignment_api.add_user_to_project(tenant_id, user_id)
|
|
||||||
|
|
||||||
def remove_user_from_project(self, tenant_id, user_id):
|
|
||||||
return self.assignment_api.remove_user_from_project(tenant_id, user_id)
|
|
||||||
|
|
||||||
|
|
||||||
@six.add_metaclass(abc.ABCMeta)
|
@six.add_metaclass(abc.ABCMeta)
|
||||||
class Driver(object):
|
class Driver(object):
|
||||||
|
|
|
||||||
|
|
@ -333,12 +333,13 @@ class TestCase(NoModule, testtools.TestCase):
|
||||||
"""
|
"""
|
||||||
# TODO(termie): doing something from json, probably based on Django's
|
# TODO(termie): doing something from json, probably based on Django's
|
||||||
# loaddata will be much preferred.
|
# loaddata will be much preferred.
|
||||||
if hasattr(self, 'identity_api'):
|
if hasattr(self, 'identity_api') and hasattr(self, 'assignment_api'):
|
||||||
for domain in fixtures.DOMAINS:
|
for domain in fixtures.DOMAINS:
|
||||||
try:
|
try:
|
||||||
rv = self.identity_api.create_domain(domain['id'], domain)
|
rv = self.assignment_api.create_domain(domain['id'],
|
||||||
|
domain)
|
||||||
except exception.Conflict:
|
except exception.Conflict:
|
||||||
rv = self.identity_api.get_domain(domain['id'])
|
rv = self.assignment_api.get_domain(domain['id'])
|
||||||
except exception.NotImplemented:
|
except exception.NotImplemented:
|
||||||
rv = domain
|
rv = domain
|
||||||
setattr(self, 'domain_%s' % domain['id'], rv)
|
setattr(self, 'domain_%s' % domain['id'], rv)
|
||||||
|
|
@ -348,15 +349,15 @@ class TestCase(NoModule, testtools.TestCase):
|
||||||
rv = self.assignment_api.create_project(
|
rv = self.assignment_api.create_project(
|
||||||
tenant['id'], tenant)
|
tenant['id'], tenant)
|
||||||
except exception.Conflict:
|
except exception.Conflict:
|
||||||
rv = self.identity_api.get_project(tenant['id'])
|
rv = self.assignment_api.get_project(tenant['id'])
|
||||||
pass
|
pass
|
||||||
setattr(self, 'tenant_%s' % tenant['id'], rv)
|
setattr(self, 'tenant_%s' % tenant['id'], rv)
|
||||||
|
|
||||||
for role in fixtures.ROLES:
|
for role in fixtures.ROLES:
|
||||||
try:
|
try:
|
||||||
rv = self.identity_api.create_role(role['id'], role)
|
rv = self.assignment_api.create_role(role['id'], role)
|
||||||
except exception.Conflict:
|
except exception.Conflict:
|
||||||
rv = self.identity_api.get_role(role['id'])
|
rv = self.assignment_api.get_role(role['id'])
|
||||||
pass
|
pass
|
||||||
setattr(self, 'role_%s' % role['id'], rv)
|
setattr(self, 'role_%s' % role['id'], rv)
|
||||||
|
|
||||||
|
|
@ -370,8 +371,8 @@ class TestCase(NoModule, testtools.TestCase):
|
||||||
pass
|
pass
|
||||||
for tenant_id in tenants:
|
for tenant_id in tenants:
|
||||||
try:
|
try:
|
||||||
self.identity_api.add_user_to_project(tenant_id,
|
self.assignment_api.add_user_to_project(tenant_id,
|
||||||
user['id'])
|
user['id'])
|
||||||
except exception.Conflict:
|
except exception.Conflict:
|
||||||
pass
|
pass
|
||||||
setattr(self, 'user_%s' % user['id'], user_copy)
|
setattr(self, 'user_%s' % user['id'], user_copy)
|
||||||
|
|
|
||||||
|
|
@ -230,7 +230,7 @@ class AuthWithToken(AuthTest):
|
||||||
def test_auth_unscoped_token_project(self):
|
def test_auth_unscoped_token_project(self):
|
||||||
"""Verify getting a token in a tenant with an unscoped token."""
|
"""Verify getting a token in a tenant with an unscoped token."""
|
||||||
# Add a role in so we can check we get this back
|
# Add a role in so we can check we get this back
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'],
|
self.user_foo['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
|
|
@ -253,19 +253,19 @@ class AuthWithToken(AuthTest):
|
||||||
def test_auth_token_project_group_role(self):
|
def test_auth_token_project_group_role(self):
|
||||||
"""Verify getting a token in a tenant with group roles."""
|
"""Verify getting a token in a tenant with group roles."""
|
||||||
# Add a v2 style role in so we can check we get this back
|
# Add a v2 style role in so we can check we get this back
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'],
|
self.user_foo['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
# Now create a group role for this user as well
|
# Now create a group role for this user as well
|
||||||
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_domain(domain1['id'], domain1)
|
self.assignment_api.create_domain(domain1['id'], domain1)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
self.identity_api.add_user_to_group(self.user_foo['id'],
|
self.identity_api.add_user_to_group(self.user_foo['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
self.identity_api.create_grant(
|
self.assignment_api.create_grant(
|
||||||
group_id=new_group['id'],
|
group_id=new_group['id'],
|
||||||
project_id=self.tenant_bar['id'],
|
project_id=self.tenant_bar['id'],
|
||||||
role_id=self.role_admin['id'])
|
role_id=self.role_admin['id'])
|
||||||
|
|
@ -288,38 +288,38 @@ class AuthWithToken(AuthTest):
|
||||||
"""Verify getting a token in cross domain group/project roles."""
|
"""Verify getting a token in cross domain group/project roles."""
|
||||||
# create domain, project and group and grant roles to user
|
# create domain, project and group and grant roles to user
|
||||||
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_domain(domain1['id'], domain1)
|
self.assignment_api.create_domain(domain1['id'], domain1)
|
||||||
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
'domain_id': domain1['id']}
|
'domain_id': domain1['id']}
|
||||||
self.assignment_api.create_project(project1['id'], project1)
|
self.assignment_api.create_project(project1['id'], project1)
|
||||||
role_foo_domain1 = {'id': uuid.uuid4().hex,
|
role_foo_domain1 = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_role(role_foo_domain1['id'],
|
self.assignment_api.create_role(role_foo_domain1['id'],
|
||||||
role_foo_domain1)
|
role_foo_domain1)
|
||||||
role_group_domain1 = {'id': uuid.uuid4().hex,
|
role_group_domain1 = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_role(role_group_domain1['id'],
|
self.assignment_api.create_role(role_group_domain1['id'],
|
||||||
role_group_domain1)
|
role_group_domain1)
|
||||||
self.identity_api.add_user_to_project(project1['id'],
|
self.assignment_api.add_user_to_project(project1['id'],
|
||||||
self.user_foo['id'])
|
self.user_foo['id'])
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
self.identity_api.add_user_to_group(self.user_foo['id'],
|
self.identity_api.add_user_to_group(self.user_foo['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
self.identity_api.create_grant(
|
self.assignment_api.create_grant(
|
||||||
user_id=self.user_foo['id'],
|
user_id=self.user_foo['id'],
|
||||||
project_id=project1['id'],
|
project_id=project1['id'],
|
||||||
role_id=self.role_member['id'])
|
role_id=self.role_member['id'])
|
||||||
self.identity_api.create_grant(
|
self.assignment_api.create_grant(
|
||||||
group_id=new_group['id'],
|
group_id=new_group['id'],
|
||||||
project_id=project1['id'],
|
project_id=project1['id'],
|
||||||
role_id=self.role_admin['id'])
|
role_id=self.role_admin['id'])
|
||||||
self.identity_api.create_grant(
|
self.assignment_api.create_grant(
|
||||||
user_id=self.user_foo['id'],
|
user_id=self.user_foo['id'],
|
||||||
domain_id=domain1['id'],
|
domain_id=domain1['id'],
|
||||||
role_id=role_foo_domain1['id'])
|
role_id=role_foo_domain1['id'])
|
||||||
self.identity_api.create_grant(
|
self.assignment_api.create_grant(
|
||||||
group_id=new_group['id'],
|
group_id=new_group['id'],
|
||||||
domain_id=domain1['id'],
|
domain_id=domain1['id'],
|
||||||
role_id=role_group_domain1['id'])
|
role_id=role_group_domain1['id'])
|
||||||
|
|
@ -410,7 +410,7 @@ class AuthWithToken(AuthTest):
|
||||||
self.assignment_api.create_project(project1['id'], project1)
|
self.assignment_api.create_project(project1['id'], project1)
|
||||||
role_one = {'id': 'role_one', 'name': uuid.uuid4().hex}
|
role_one = {'id': 'role_one', 'name': uuid.uuid4().hex}
|
||||||
self.assignment_api.create_role(role_one['id'], role_one)
|
self.assignment_api.create_role(role_one['id'], role_one)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'], project1['id'], role_one['id'])
|
self.user_foo['id'], project1['id'], role_one['id'])
|
||||||
no_context = {}
|
no_context = {}
|
||||||
|
|
||||||
|
|
@ -597,7 +597,7 @@ class AuthWithTrust(AuthTest):
|
||||||
self.assigned_roles = [self.role_member['id'],
|
self.assigned_roles = [self.role_member['id'],
|
||||||
self.role_browser['id']]
|
self.role_browser['id']]
|
||||||
for assigned_role in self.assigned_roles:
|
for assigned_role in self.assigned_roles:
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.trustor['id'], self.tenant_bar['id'], assigned_role)
|
self.trustor['id'], self.tenant_bar['id'], assigned_role)
|
||||||
|
|
||||||
self.sample_data = {'trustor_user_id': self.trustor['id'],
|
self.sample_data = {'trustor_user_id': self.trustor['id'],
|
||||||
|
|
@ -801,7 +801,7 @@ class AuthWithTrust(AuthTest):
|
||||||
|
|
||||||
def test_token_from_trust_with_no_role_fails(self):
|
def test_token_from_trust_with_no_role_fails(self):
|
||||||
for assigned_role in self.assigned_roles:
|
for assigned_role in self.assigned_roles:
|
||||||
self.identity_api.remove_role_from_user_and_project(
|
self.assignment_api.remove_role_from_user_and_project(
|
||||||
self.trustor['id'], self.tenant_bar['id'], assigned_role)
|
self.trustor['id'], self.tenant_bar['id'], assigned_role)
|
||||||
request_body = self.build_v2_token_request('TWO', 'two2')
|
request_body = self.build_v2_token_request('TWO', 'two2')
|
||||||
self.assertRaises(
|
self.assertRaises(
|
||||||
|
|
@ -817,12 +817,12 @@ class AuthWithTrust(AuthTest):
|
||||||
self.controller.authenticate, {}, request_body)
|
self.controller.authenticate, {}, request_body)
|
||||||
|
|
||||||
def test_token_from_trust_with_wrong_role_fails(self):
|
def test_token_from_trust_with_wrong_role_fails(self):
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.trustor['id'],
|
self.trustor['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
self.role_other['id'])
|
self.role_other['id'])
|
||||||
for assigned_role in self.assigned_roles:
|
for assigned_role in self.assigned_roles:
|
||||||
self.identity_api.remove_role_from_user_and_project(
|
self.assignment_api.remove_role_from_user_and_project(
|
||||||
self.trustor['id'], self.tenant_bar['id'], assigned_role)
|
self.trustor['id'], self.tenant_bar['id'], assigned_role)
|
||||||
|
|
||||||
request_body = self.build_v2_token_request('TWO', 'two2')
|
request_body = self.build_v2_token_request('TWO', 'two2')
|
||||||
|
|
|
||||||
File diff suppressed because it is too large
Load Diff
|
|
@ -273,8 +273,8 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
||||||
'enabled': True,
|
'enabled': True,
|
||||||
}
|
}
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
self.identity_api.add_user_to_project(self.tenant_baz['id'],
|
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||||
user['id'])
|
user['id'])
|
||||||
driver = self.identity_api._select_identity_driver(
|
driver = self.identity_api._select_identity_driver(
|
||||||
user['domain_id'])
|
user['domain_id'])
|
||||||
driver.user.LDAP_USER = None
|
driver.user.LDAP_USER = None
|
||||||
|
|
@ -345,7 +345,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
def test_configurable_allowed_project_actions(self):
|
def test_configurable_allowed_project_actions(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
||||||
self.assignment_api.create_project('fake1', tenant)
|
self.assignment_api.create_project('fake1', tenant)
|
||||||
tenant_ref = self.identity_api.get_project('fake1')
|
tenant_ref = self.assignment_api.get_project('fake1')
|
||||||
self.assertEqual(tenant_ref['id'], 'fake1')
|
self.assertEqual(tenant_ref['id'], 'fake1')
|
||||||
|
|
||||||
tenant['enabled'] = False
|
tenant['enabled'] = False
|
||||||
|
|
@ -353,7 +353,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
|
|
||||||
self.assignment_api.delete_project('fake1')
|
self.assignment_api.delete_project('fake1')
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.assignment_api.get_project,
|
||||||
'fake1')
|
'fake1')
|
||||||
|
|
||||||
def test_configurable_forbidden_project_actions(self):
|
def test_configurable_forbidden_project_actions(self):
|
||||||
|
|
@ -379,16 +379,16 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
|
|
||||||
def test_configurable_allowed_role_actions(self):
|
def test_configurable_allowed_role_actions(self):
|
||||||
role = {'id': 'fake1', 'name': 'fake1'}
|
role = {'id': 'fake1', 'name': 'fake1'}
|
||||||
self.identity_api.create_role('fake1', role)
|
self.assignment_api.create_role('fake1', role)
|
||||||
role_ref = self.identity_api.get_role('fake1')
|
role_ref = self.assignment_api.get_role('fake1')
|
||||||
self.assertEqual(role_ref['id'], 'fake1')
|
self.assertEqual(role_ref['id'], 'fake1')
|
||||||
|
|
||||||
role['name'] = 'fake2'
|
role['name'] = 'fake2'
|
||||||
self.identity_api.update_role('fake1', role)
|
self.assignment_api.update_role('fake1', role)
|
||||||
|
|
||||||
self.identity_api.delete_role('fake1')
|
self.assignment_api.delete_role('fake1')
|
||||||
self.assertRaises(exception.RoleNotFound,
|
self.assertRaises(exception.RoleNotFound,
|
||||||
self.identity_api.get_role,
|
self.assignment_api.get_role,
|
||||||
'fake1')
|
'fake1')
|
||||||
|
|
||||||
def test_configurable_forbidden_role_actions(self):
|
def test_configurable_forbidden_role_actions(self):
|
||||||
|
|
@ -399,22 +399,22 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
|
|
||||||
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
self.assertRaises(exception.ForbiddenAction,
|
self.assertRaises(exception.ForbiddenAction,
|
||||||
self.identity_api.create_role,
|
self.assignment_api.create_role,
|
||||||
role['id'],
|
role['id'],
|
||||||
role)
|
role)
|
||||||
|
|
||||||
self.role_member['name'] = uuid.uuid4().hex
|
self.role_member['name'] = uuid.uuid4().hex
|
||||||
self.assertRaises(exception.ForbiddenAction,
|
self.assertRaises(exception.ForbiddenAction,
|
||||||
self.identity_api.update_role,
|
self.assignment_api.update_role,
|
||||||
self.role_member['id'],
|
self.role_member['id'],
|
||||||
self.role_member)
|
self.role_member)
|
||||||
|
|
||||||
self.assertRaises(exception.ForbiddenAction,
|
self.assertRaises(exception.ForbiddenAction,
|
||||||
self.identity_api.delete_role,
|
self.assignment_api.delete_role,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
|
|
||||||
def test_project_filter(self):
|
def test_project_filter(self):
|
||||||
tenant_ref = self.identity_api.get_project(self.tenant_bar['id'])
|
tenant_ref = self.assignment_api.get_project(self.tenant_bar['id'])
|
||||||
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
||||||
|
|
||||||
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
|
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
|
||||||
|
|
@ -427,15 +427,15 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_role.invalidate(self.assignment_api,
|
self.assignment_api.get_role.invalidate(self.assignment_api,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
self.identity_api.get_role(self.role_member['id'])
|
self.assignment_api.get_role(self.role_member['id'])
|
||||||
self.assignment_api.get_project.invalidate(self.assignment_api,
|
self.assignment_api.get_project.invalidate(self.assignment_api,
|
||||||
self.tenant_bar['id'])
|
self.tenant_bar['id'])
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.assignment_api.get_project,
|
||||||
self.tenant_bar['id'])
|
self.tenant_bar['id'])
|
||||||
|
|
||||||
def test_role_filter(self):
|
def test_role_filter(self):
|
||||||
role_ref = self.identity_api.get_role(self.role_member['id'])
|
role_ref = self.assignment_api.get_role(self.role_member['id'])
|
||||||
self.assertDictEqual(role_ref, self.role_member)
|
self.assertDictEqual(role_ref, self.role_member)
|
||||||
|
|
||||||
CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)'
|
CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)'
|
||||||
|
|
@ -449,7 +449,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
self.assignment_api.get_role.invalidate(self.assignment_api,
|
self.assignment_api.get_role.invalidate(self.assignment_api,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
self.assertRaises(exception.RoleNotFound,
|
self.assertRaises(exception.RoleNotFound,
|
||||||
self.identity_api.get_role,
|
self.assignment_api.get_role,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
|
|
||||||
def test_dumb_member(self):
|
def test_dumb_member(self):
|
||||||
|
|
@ -479,7 +479,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_project.invalidate(self.assignment_api,
|
self.assignment_api.get_project.invalidate(self.assignment_api,
|
||||||
self.tenant_baz['id'])
|
self.tenant_baz['id'])
|
||||||
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
|
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
|
||||||
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
||||||
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
|
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
|
|
@ -500,7 +500,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_project.invalidate(self.assignment_api,
|
self.assignment_api.get_project.invalidate(self.assignment_api,
|
||||||
self.tenant_baz['id'])
|
self.tenant_baz['id'])
|
||||||
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
|
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
|
||||||
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
||||||
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
|
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
|
||||||
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
|
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
|
||||||
|
|
@ -521,7 +521,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_project.invalidate(self.assignment_api,
|
self.assignment_api.get_project.invalidate(self.assignment_api,
|
||||||
self.tenant_baz['id'])
|
self.tenant_baz['id'])
|
||||||
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
|
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
|
||||||
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
||||||
self.assertNotIn('name', tenant_ref)
|
self.assertNotIn('name', tenant_ref)
|
||||||
self.assertNotIn('description', tenant_ref)
|
self.assertNotIn('description', tenant_ref)
|
||||||
|
|
@ -540,7 +540,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_role.invalidate(self.assignment_api,
|
self.assignment_api.get_role.invalidate(self.assignment_api,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
role_ref = self.identity_api.get_role(self.role_member['id'])
|
role_ref = self.assignment_api.get_role(self.role_member['id'])
|
||||||
self.assertEqual(role_ref['id'], self.role_member['id'])
|
self.assertEqual(role_ref['id'], self.role_member['id'])
|
||||||
self.assertEqual(role_ref['name'], self.role_member['name'])
|
self.assertEqual(role_ref['name'], self.role_member['name'])
|
||||||
|
|
||||||
|
|
@ -554,7 +554,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_role.invalidate(self.assignment_api,
|
self.assignment_api.get_role.invalidate(self.assignment_api,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
role_ref = self.identity_api.get_role(self.role_member['id'])
|
role_ref = self.assignment_api.get_role(self.role_member['id'])
|
||||||
self.assertEqual(role_ref['id'], self.role_member['id'])
|
self.assertEqual(role_ref['id'], self.role_member['id'])
|
||||||
self.assertNotIn('name', role_ref)
|
self.assertNotIn('name', role_ref)
|
||||||
|
|
||||||
|
|
@ -571,7 +571,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# cache population.
|
# cache population.
|
||||||
self.assignment_api.get_role.invalidate(self.assignment_api,
|
self.assignment_api.get_role.invalidate(self.assignment_api,
|
||||||
self.role_member['id'])
|
self.role_member['id'])
|
||||||
role_ref = self.identity_api.get_role(self.role_member['id'])
|
role_ref = self.assignment_api.get_role(self.role_member['id'])
|
||||||
self.assertEqual(role_ref['id'], self.role_member['id'])
|
self.assertEqual(role_ref['id'], self.role_member['id'])
|
||||||
self.assertNotIn('name', role_ref)
|
self.assertNotIn('name', role_ref)
|
||||||
|
|
||||||
|
|
@ -692,11 +692,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
'enabled': True, 'description': uuid.uuid4().hex}
|
'enabled': True, 'description': uuid.uuid4().hex}
|
||||||
self.assertRaises(exception.Forbidden,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.identity_api.create_domain,
|
self.assignment_api.create_domain,
|
||||||
domain['id'],
|
domain['id'],
|
||||||
domain)
|
domain)
|
||||||
self.assertRaises(exception.Conflict,
|
self.assertRaises(exception.Conflict,
|
||||||
self.identity_api.create_domain,
|
self.assignment_api.create_domain,
|
||||||
CONF.identity.default_domain_id,
|
CONF.identity.default_domain_id,
|
||||||
domain)
|
domain)
|
||||||
self.assertRaises(exception.DomainNotFound,
|
self.assertRaises(exception.DomainNotFound,
|
||||||
|
|
@ -705,21 +705,21 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
|
|
||||||
domain['description'] = uuid.uuid4().hex
|
domain['description'] = uuid.uuid4().hex
|
||||||
self.assertRaises(exception.DomainNotFound,
|
self.assertRaises(exception.DomainNotFound,
|
||||||
self.identity_api.update_domain,
|
self.assignment_api.update_domain,
|
||||||
domain['id'],
|
domain['id'],
|
||||||
domain)
|
domain)
|
||||||
self.assertRaises(exception.Forbidden,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.identity_api.update_domain,
|
self.assignment_api.update_domain,
|
||||||
CONF.identity.default_domain_id,
|
CONF.identity.default_domain_id,
|
||||||
domain)
|
domain)
|
||||||
self.assertRaises(exception.DomainNotFound,
|
self.assertRaises(exception.DomainNotFound,
|
||||||
self.identity_api.get_domain,
|
self.identity_api.get_domain,
|
||||||
domain['id'])
|
domain['id'])
|
||||||
self.assertRaises(exception.DomainNotFound,
|
self.assertRaises(exception.DomainNotFound,
|
||||||
self.identity_api.delete_domain,
|
self.assignment_api.delete_domain,
|
||||||
domain['id'])
|
domain['id'])
|
||||||
self.assertRaises(exception.Forbidden,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.identity_api.delete_domain,
|
self.assignment_api.delete_domain,
|
||||||
CONF.identity.default_domain_id)
|
CONF.identity.default_domain_id)
|
||||||
self.assertRaises(exception.DomainNotFound,
|
self.assertRaises(exception.DomainNotFound,
|
||||||
self.identity_api.get_domain,
|
self.identity_api.get_domain,
|
||||||
|
|
@ -756,12 +756,12 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
|
|
||||||
project['description'] = uuid.uuid4().hex
|
project['description'] = uuid.uuid4().hex
|
||||||
self.assignment_api.update_project(project['id'], project)
|
self.assignment_api.update_project(project['id'], project)
|
||||||
project_ref = self.identity_api.get_project(project['id'])
|
project_ref = self.assignment_api.get_project(project['id'])
|
||||||
self.assertDictEqual(project_ref, project)
|
self.assertDictEqual(project_ref, project)
|
||||||
|
|
||||||
self.assignment_api.delete_project(project['id'])
|
self.assignment_api.delete_project(project['id'])
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.assignment_api.get_project,
|
||||||
project['id'])
|
project['id'])
|
||||||
|
|
||||||
def test_cache_layer_project_crud(self):
|
def test_cache_layer_project_crud(self):
|
||||||
|
|
@ -826,7 +826,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
role_list = []
|
role_list = []
|
||||||
for _ in range(2):
|
for _ in range(2):
|
||||||
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_role(role['id'], role)
|
self.assignment_api.create_role(role['id'], role)
|
||||||
role_list.append(role)
|
role_list.append(role)
|
||||||
|
|
||||||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
|
|
@ -838,11 +838,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
'domain_id': CONF.identity.default_domain_id}
|
'domain_id': CONF.identity.default_domain_id}
|
||||||
self.assignment_api.create_project(project1['id'], project1)
|
self.assignment_api.create_project(project1['id'], project1)
|
||||||
|
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
user_id=user1['id'],
|
user_id=user1['id'],
|
||||||
tenant_id=project1['id'],
|
tenant_id=project1['id'],
|
||||||
role_id=role_list[0]['id'])
|
role_id=role_list[0]['id'])
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
user_id=user1['id'],
|
user_id=user1['id'],
|
||||||
tenant_id=project1['id'],
|
tenant_id=project1['id'],
|
||||||
role_id=role_list[1]['id'])
|
role_id=role_list[1]['id'])
|
||||||
|
|
@ -852,17 +852,18 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||||
# and group roles are combined. Only directly assigned user
|
# and group roles are combined. Only directly assigned user
|
||||||
# roles are available, since group grants are not yet supported
|
# roles are available, since group grants are not yet supported
|
||||||
|
|
||||||
combined_role_list = self.identity_api.get_roles_for_user_and_project(
|
combined_list = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user1['id'], project1['id'])
|
user1['id'],
|
||||||
self.assertEqual(len(combined_role_list), 2)
|
project1['id'])
|
||||||
self.assertIn(role_list[0]['id'], combined_role_list)
|
self.assertEqual(len(combined_list), 2)
|
||||||
self.assertIn(role_list[1]['id'], combined_role_list)
|
self.assertIn(role_list[0]['id'], combined_list)
|
||||||
|
self.assertIn(role_list[1]['id'], combined_list)
|
||||||
|
|
||||||
# Finally, although domain roles are not implemented, check we can
|
# Finally, although domain roles are not implemented, check we can
|
||||||
# issue the combined get roles call with benign results, since thus is
|
# issue the combined get roles call with benign results, since thus is
|
||||||
# used in token generation
|
# used in token generation
|
||||||
|
|
||||||
combined_role_list = self.identity_api.get_roles_for_user_and_domain(
|
combined_role_list = self.assignment_api.get_roles_for_user_and_domain(
|
||||||
user1['id'], CONF.identity.default_domain_id)
|
user1['id'], CONF.identity.default_domain_id)
|
||||||
self.assertEqual(len(combined_role_list), 0)
|
self.assertEqual(len(combined_role_list), 0)
|
||||||
|
|
||||||
|
|
@ -897,7 +898,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
||||||
'description': uuid.uuid4().hex}
|
'description': uuid.uuid4().hex}
|
||||||
|
|
||||||
self.assignment_api.create_project(project['id'], project)
|
self.assignment_api.create_project(project['id'], project)
|
||||||
project_ref = self.identity_api.get_project(project['id'])
|
project_ref = self.assignment_api.get_project(project['id'])
|
||||||
|
|
||||||
# self.assignment_api.create_project adds an enabled
|
# self.assignment_api.create_project adds an enabled
|
||||||
# key with a value of True when LDAPIdentityEnabledEmulation
|
# key with a value of True when LDAPIdentityEnabledEmulation
|
||||||
|
|
@ -907,12 +908,12 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
||||||
|
|
||||||
project['description'] = uuid.uuid4().hex
|
project['description'] = uuid.uuid4().hex
|
||||||
self.assignment_api.update_project(project['id'], project)
|
self.assignment_api.update_project(project['id'], project)
|
||||||
project_ref = self.identity_api.get_project(project['id'])
|
project_ref = self.assignment_api.get_project(project['id'])
|
||||||
self.assertDictEqual(project_ref, project)
|
self.assertDictEqual(project_ref, project)
|
||||||
|
|
||||||
self.assignment_api.delete_project(project['id'])
|
self.assignment_api.delete_project(project['id'])
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.assignment_api.get_project,
|
||||||
project['id'])
|
project['id'])
|
||||||
|
|
||||||
def test_user_crud(self):
|
def test_user_crud(self):
|
||||||
|
|
|
||||||
|
|
@ -158,8 +158,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
||||||
'domain_id': DEFAULT_DOMAIN_ID,
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': uuid.uuid4().hex}
|
'password': uuid.uuid4().hex}
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
||||||
user['id'])
|
user['id'])
|
||||||
self.identity_api.delete_user(user['id'])
|
self.identity_api.delete_user(user['id'])
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.assignment_api.list_projects_for_user,
|
self.assignment_api.list_projects_for_user,
|
||||||
|
|
@ -191,10 +191,10 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
||||||
tenant['id'],
|
tenant['id'],
|
||||||
tenant)
|
tenant)
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.assignment_api.get_project,
|
||||||
tenant['id'])
|
tenant['id'])
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project_by_name,
|
self.assignment_api.get_project_by_name,
|
||||||
tenant['name'],
|
tenant['name'],
|
||||||
DEFAULT_DOMAIN_ID)
|
DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
|
|
@ -202,11 +202,11 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
||||||
role = {'id': uuid.uuid4().hex,
|
role = {'id': uuid.uuid4().hex,
|
||||||
'name': None}
|
'name': None}
|
||||||
self.assertRaises(exception.Conflict,
|
self.assertRaises(exception.Conflict,
|
||||||
self.identity_api.create_role,
|
self.assignment_api.create_role,
|
||||||
role['id'],
|
role['id'],
|
||||||
role)
|
role)
|
||||||
self.assertRaises(exception.RoleNotFound,
|
self.assertRaises(exception.RoleNotFound,
|
||||||
self.identity_api.get_role,
|
self.assignment_api.get_role,
|
||||||
role['id'])
|
role['id'])
|
||||||
|
|
||||||
def test_delete_project_with_user_association(self):
|
def test_delete_project_with_user_association(self):
|
||||||
|
|
@ -215,8 +215,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
||||||
'domain_id': DEFAULT_DOMAIN_ID,
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'passwd'}
|
'password': 'passwd'}
|
||||||
self.identity_api.create_user('fake', user)
|
self.identity_api.create_user('fake', user)
|
||||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
||||||
user['id'])
|
user['id'])
|
||||||
self.assignment_api.delete_project(self.tenant_bar['id'])
|
self.assignment_api.delete_project(self.tenant_bar['id'])
|
||||||
tenants = self.assignment_api.list_projects_for_user(user['id'])
|
tenants = self.assignment_api.list_projects_for_user(user['id'])
|
||||||
self.assertEqual(tenants, [])
|
self.assertEqual(tenants, [])
|
||||||
|
|
@ -231,8 +231,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
role = {'id': uuid.uuid4().hex,
|
role = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_role(role['id'], role)
|
self.assignment_api.create_role(role['id'], role)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
user['id'],
|
user['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
role['id'])
|
role['id'])
|
||||||
|
|
@ -255,8 +255,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
role = {'id': uuid.uuid4().hex,
|
role = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_role(role['id'], role)
|
self.assignment_api.create_role(role['id'], role)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
user['id'],
|
user['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
role['id'])
|
role['id'])
|
||||||
|
|
|
||||||
|
|
@ -73,7 +73,7 @@ class RestfulTestCase(tests.TestCase):
|
||||||
|
|
||||||
# TODO(termie): add an admin user to the fixtures and use that user
|
# TODO(termie): add an admin user to the fixtures and use that user
|
||||||
# override the fixtures, for now
|
# override the fixtures, for now
|
||||||
self.metadata_foobar = self.identity_api.add_role_to_user_and_project(
|
self.md_foobar = self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'],
|
self.user_foo['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
self.role_admin['id'])
|
self.role_admin['id'])
|
||||||
|
|
@ -412,7 +412,7 @@ class CoreApiTests(object):
|
||||||
expected_status=404)
|
expected_status=404)
|
||||||
|
|
||||||
def test_validate_token_service_role(self):
|
def test_validate_token_service_role(self):
|
||||||
self.metadata_foobar = self.identity_api.add_role_to_user_and_project(
|
self.md_foobar = self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'],
|
self.user_foo['id'],
|
||||||
self.tenant_service['id'],
|
self.tenant_service['id'],
|
||||||
self.role_service['id'])
|
self.role_service['id'])
|
||||||
|
|
|
||||||
|
|
@ -42,7 +42,7 @@ class CompatTestCase(tests.TestCase):
|
||||||
|
|
||||||
# TODO(termie): add an admin user to the fixtures and use that user
|
# TODO(termie): add an admin user to the fixtures and use that user
|
||||||
# override the fixtures, for now
|
# override the fixtures, for now
|
||||||
self.metadata_foobar = self.identity_api.add_role_to_user_and_project(
|
self.md_foobar = self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'],
|
self.user_foo['id'],
|
||||||
self.tenant_bar['id'],
|
self.tenant_bar['id'],
|
||||||
self.role_admin['id'])
|
self.role_admin['id'])
|
||||||
|
|
@ -927,8 +927,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
|
||||||
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
|
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
|
||||||
'domain_id': DEFAULT_DOMAIN_ID}
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assignment_api.create_project(tenant_id, tenant)
|
self.assignment_api.create_project(tenant_id, tenant)
|
||||||
self.identity_api.add_user_to_project(tenant_id,
|
self.assignment_api.add_user_to_project(tenant_id,
|
||||||
self.user_foo['id'])
|
self.user_foo['id'])
|
||||||
|
|
||||||
tenants = client.tenants.list()
|
tenants = client.tenants.list()
|
||||||
self.assertEqual(len(tenants), 3)
|
self.assertEqual(len(tenants), 3)
|
||||||
|
|
@ -954,8 +954,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
|
||||||
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
|
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
|
||||||
'domain_id': DEFAULT_DOMAIN_ID}
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assignment_api.create_project(tenant_id, tenant)
|
self.assignment_api.create_project(tenant_id, tenant)
|
||||||
self.identity_api.add_user_to_project(tenant_id,
|
self.assignment_api.add_user_to_project(tenant_id,
|
||||||
self.user_foo['id'])
|
self.user_foo['id'])
|
||||||
|
|
||||||
tenants = client.tenants.list()
|
tenants = client.tenants.list()
|
||||||
self.assertEqual(len(tenants), 3)
|
self.assertEqual(len(tenants), 3)
|
||||||
|
|
|
||||||
|
|
@ -100,7 +100,7 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
|
||||||
self.domain_id = uuid.uuid4().hex
|
self.domain_id = uuid.uuid4().hex
|
||||||
self.domain = self.new_domain_ref()
|
self.domain = self.new_domain_ref()
|
||||||
self.domain['id'] = self.domain_id
|
self.domain['id'] = self.domain_id
|
||||||
self.identity_api.create_domain(self.domain_id, self.domain)
|
self.assignment_api.create_domain(self.domain_id, self.domain)
|
||||||
|
|
||||||
self.project_id = uuid.uuid4().hex
|
self.project_id = uuid.uuid4().hex
|
||||||
self.project = self.new_project_ref(
|
self.project = self.new_project_ref(
|
||||||
|
|
@ -132,13 +132,13 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
|
||||||
self.role = self.new_role_ref()
|
self.role = self.new_role_ref()
|
||||||
self.role['id'] = self.role_id
|
self.role['id'] = self.role_id
|
||||||
self.role['name'] = 'admin'
|
self.role['name'] = 'admin'
|
||||||
self.identity_api.create_role(self.role_id, self.role)
|
self.assignment_api.create_role(self.role_id, self.role)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.user_id, self.project_id, self.role_id)
|
self.user_id, self.project_id, self.role_id)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.default_domain_user_id, self.default_domain_project_id,
|
self.default_domain_user_id, self.default_domain_project_id,
|
||||||
self.role_id)
|
self.role_id)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
self.default_domain_user_id, self.project_id,
|
self.default_domain_user_id, self.project_id,
|
||||||
self.role_id)
|
self.role_id)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -372,7 +372,7 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||||
super(TestTokenRevokeSelfAndAdmin, self).setUp()
|
super(TestTokenRevokeSelfAndAdmin, self).setUp()
|
||||||
|
|
||||||
self.domainA = self.new_domain_ref()
|
self.domainA = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainA['id'], self.domainA)
|
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
|
||||||
|
|
||||||
self.userAdminA = self.new_user_ref(domain_id=self.domainA['id'])
|
self.userAdminA = self.new_user_ref(domain_id=self.domainA['id'])
|
||||||
self.userAdminA['password'] = uuid.uuid4().hex
|
self.userAdminA['password'] = uuid.uuid4().hex
|
||||||
|
|
@ -385,11 +385,11 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||||
|
|
||||||
self.role1 = self.new_role_ref()
|
self.role1 = self.new_role_ref()
|
||||||
self.role1['name'] = 'admin'
|
self.role1['name'] = 'admin'
|
||||||
self.identity_api.create_role(self.role1['id'], self.role1)
|
self.assignment_api.create_role(self.role1['id'], self.role1)
|
||||||
|
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.userAdminA['id'],
|
user_id=self.userAdminA['id'],
|
||||||
domain_id=self.domainA['id'])
|
domain_id=self.domainA['id'])
|
||||||
|
|
||||||
# Finally, switch to the v3 sample policy file
|
# Finally, switch to the v3 sample policy file
|
||||||
self.orig_policy_file = CONF.policy_file
|
self.orig_policy_file = CONF.policy_file
|
||||||
|
|
@ -503,9 +503,9 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
||||||
|
|
||||||
# Start by creating a couple of domains and projects
|
# Start by creating a couple of domains and projects
|
||||||
self.domainA = self.new_domain_ref()
|
self.domainA = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainA['id'], self.domainA)
|
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
|
||||||
self.domainB = self.new_domain_ref()
|
self.domainB = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainB['id'], self.domainB)
|
self.assignment_api.create_domain(self.domainB['id'], self.domainB)
|
||||||
self.projectA = self.new_project_ref(domain_id=self.domainA['id'])
|
self.projectA = self.new_project_ref(domain_id=self.domainA['id'])
|
||||||
self.assignment_api.create_project(self.projectA['id'], self.projectA)
|
self.assignment_api.create_project(self.projectA['id'], self.projectA)
|
||||||
self.projectB = self.new_project_ref(domain_id=self.domainA['id'])
|
self.projectB = self.new_project_ref(domain_id=self.domainA['id'])
|
||||||
|
|
@ -547,25 +547,25 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
||||||
self.group2['id'])
|
self.group2['id'])
|
||||||
|
|
||||||
self.role1 = self.new_role_ref()
|
self.role1 = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role1['id'], self.role1)
|
self.assignment_api.create_role(self.role1['id'], self.role1)
|
||||||
self.role2 = self.new_role_ref()
|
self.role2 = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role2['id'], self.role2)
|
self.assignment_api.create_role(self.role2['id'], self.role2)
|
||||||
|
|
||||||
self.identity_api.create_grant(self.role2['id'],
|
self.assignment_api.create_grant(self.role2['id'],
|
||||||
user_id=self.user1['id'],
|
user_id=self.user1['id'],
|
||||||
domain_id=self.domainA['id'])
|
domain_id=self.domainA['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.user1['id'],
|
user_id=self.user1['id'],
|
||||||
project_id=self.projectA['id'])
|
project_id=self.projectA['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.user2['id'],
|
user_id=self.user2['id'],
|
||||||
project_id=self.projectA['id'])
|
project_id=self.projectA['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.user3['id'],
|
user_id=self.user3['id'],
|
||||||
project_id=self.projectA['id'])
|
project_id=self.projectA['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
group_id=self.group1['id'],
|
group_id=self.group1['id'],
|
||||||
project_id=self.projectA['id'])
|
project_id=self.projectA['id'])
|
||||||
|
|
||||||
def test_unscoped_token_remains_valid_after_role_assignment(self):
|
def test_unscoped_token_remains_valid_after_role_assignment(self):
|
||||||
r = self.post(
|
r = self.post(
|
||||||
|
|
@ -592,7 +592,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
||||||
|
|
||||||
# create a new role
|
# create a new role
|
||||||
role = self.new_role_ref()
|
role = self.new_role_ref()
|
||||||
self.identity_api.create_role(role['id'], role)
|
self.assignment_api.create_role(role['id'], role)
|
||||||
|
|
||||||
# assign a new role
|
# assign a new role
|
||||||
self.put(
|
self.put(
|
||||||
|
|
@ -685,18 +685,18 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
||||||
self.identity_api.create_user(self.user6['id'], self.user6)
|
self.identity_api.create_user(self.user6['id'], self.user6)
|
||||||
self.identity_api.add_user_to_group(self.user5['id'],
|
self.identity_api.add_user_to_group(self.user5['id'],
|
||||||
self.group1['id'])
|
self.group1['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
group_id=self.group1['id'],
|
group_id=self.group1['id'],
|
||||||
project_id=self.projectB['id'])
|
project_id=self.projectB['id'])
|
||||||
self.identity_api.create_grant(self.role2['id'],
|
self.assignment_api.create_grant(self.role2['id'],
|
||||||
user_id=self.user4['id'],
|
user_id=self.user4['id'],
|
||||||
project_id=self.projectC['id'])
|
project_id=self.projectC['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.user6['id'],
|
user_id=self.user6['id'],
|
||||||
project_id=self.projectA['id'])
|
project_id=self.projectA['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.user6['id'],
|
user_id=self.user6['id'],
|
||||||
domain_id=self.domainA['id'])
|
domain_id=self.domainA['id'])
|
||||||
|
|
||||||
# Now we are ready to start issuing requests
|
# Now we are ready to start issuing requests
|
||||||
auth_data = self.build_authentication_request(
|
auth_data = self.build_authentication_request(
|
||||||
|
|
@ -1306,7 +1306,7 @@ class TestAuthJSON(test_v3.RestfulTestCase):
|
||||||
"""
|
"""
|
||||||
|
|
||||||
domainA = self.new_domain_ref()
|
domainA = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(domainA['id'], domainA)
|
self.assignment_api.create_domain(domainA['id'], domainA)
|
||||||
projectA = self.new_project_ref(domain_id=domainA['id'])
|
projectA = self.new_project_ref(domain_id=domainA['id'])
|
||||||
self.assignment_api.create_project(projectA['id'], projectA)
|
self.assignment_api.create_project(projectA['id'], projectA)
|
||||||
|
|
||||||
|
|
@ -1337,33 +1337,33 @@ class TestAuthJSON(test_v3.RestfulTestCase):
|
||||||
role_list = []
|
role_list = []
|
||||||
for _ in range(8):
|
for _ in range(8):
|
||||||
role = self.new_role_ref()
|
role = self.new_role_ref()
|
||||||
self.identity_api.create_role(role['id'], role)
|
self.assignment_api.create_role(role['id'], role)
|
||||||
role_list.append(role)
|
role_list.append(role)
|
||||||
|
|
||||||
self.identity_api.create_grant(role_list[0]['id'],
|
self.assignment_api.create_grant(role_list[0]['id'],
|
||||||
user_id=user1['id'],
|
user_id=user1['id'],
|
||||||
domain_id=domainA['id'])
|
domain_id=domainA['id'])
|
||||||
self.identity_api.create_grant(role_list[1]['id'],
|
self.assignment_api.create_grant(role_list[1]['id'],
|
||||||
user_id=user1['id'],
|
user_id=user1['id'],
|
||||||
project_id=projectA['id'])
|
project_id=projectA['id'])
|
||||||
self.identity_api.create_grant(role_list[2]['id'],
|
self.assignment_api.create_grant(role_list[2]['id'],
|
||||||
user_id=user2['id'],
|
user_id=user2['id'],
|
||||||
domain_id=domainA['id'])
|
domain_id=domainA['id'])
|
||||||
self.identity_api.create_grant(role_list[3]['id'],
|
self.assignment_api.create_grant(role_list[3]['id'],
|
||||||
user_id=user2['id'],
|
user_id=user2['id'],
|
||||||
project_id=projectA['id'])
|
project_id=projectA['id'])
|
||||||
self.identity_api.create_grant(role_list[4]['id'],
|
self.assignment_api.create_grant(role_list[4]['id'],
|
||||||
group_id=group1['id'],
|
group_id=group1['id'],
|
||||||
domain_id=domainA['id'])
|
domain_id=domainA['id'])
|
||||||
self.identity_api.create_grant(role_list[5]['id'],
|
self.assignment_api.create_grant(role_list[5]['id'],
|
||||||
group_id=group1['id'],
|
group_id=group1['id'],
|
||||||
project_id=projectA['id'])
|
project_id=projectA['id'])
|
||||||
self.identity_api.create_grant(role_list[6]['id'],
|
self.assignment_api.create_grant(role_list[6]['id'],
|
||||||
group_id=group2['id'],
|
group_id=group2['id'],
|
||||||
domain_id=domainA['id'])
|
domain_id=domainA['id'])
|
||||||
self.identity_api.create_grant(role_list[7]['id'],
|
self.assignment_api.create_grant(role_list[7]['id'],
|
||||||
group_id=group2['id'],
|
group_id=group2['id'],
|
||||||
project_id=projectA['id'])
|
project_id=projectA['id'])
|
||||||
|
|
||||||
# First, get a project scoped token - which should
|
# First, get a project scoped token - which should
|
||||||
# contain the direct user role and the one by virtue
|
# contain the direct user role and the one by virtue
|
||||||
|
|
|
||||||
|
|
@ -156,7 +156,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
|
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
|
||||||
# Create a 2nd set of entities in a 2nd domain
|
# Create a 2nd set of entities in a 2nd domain
|
||||||
self.domain2 = self.new_domain_ref()
|
self.domain2 = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domain2['id'], self.domain2)
|
self.assignment_api.create_domain(self.domain2['id'], self.domain2)
|
||||||
|
|
||||||
self.project2 = self.new_project_ref(
|
self.project2 = self.new_project_ref(
|
||||||
domain_id=self.domain2['id'])
|
domain_id=self.domain2['id'])
|
||||||
|
|
@ -167,8 +167,8 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
project_id=self.project2['id'])
|
project_id=self.project2['id'])
|
||||||
self.identity_api.create_user(self.user2['id'], self.user2)
|
self.identity_api.create_user(self.user2['id'], self.user2)
|
||||||
|
|
||||||
self.identity_api.add_user_to_project(self.project2['id'],
|
self.assignment_api.add_user_to_project(self.project2['id'],
|
||||||
self.user2['id'])
|
self.user2['id'])
|
||||||
|
|
||||||
# First check a user in that domain can authenticate, via
|
# First check a user in that domain can authenticate, via
|
||||||
# Both v2 and v3
|
# Both v2 and v3
|
||||||
|
|
@ -254,7 +254,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
|
|
||||||
# Create a 2nd set of entities in a 2nd domain
|
# Create a 2nd set of entities in a 2nd domain
|
||||||
self.domain2 = self.new_domain_ref()
|
self.domain2 = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domain2['id'], self.domain2)
|
self.assignment_api.create_domain(self.domain2['id'], self.domain2)
|
||||||
|
|
||||||
self.project2 = self.new_project_ref(
|
self.project2 = self.new_project_ref(
|
||||||
domain_id=self.domain2['id'])
|
domain_id=self.domain2['id'])
|
||||||
|
|
@ -290,7 +290,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
self.identity_api.get_domain,
|
self.identity_api.get_domain,
|
||||||
self.domain2['id'])
|
self.domain2['id'])
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.assignment_api.get_project,
|
||||||
self.project2['id'])
|
self.project2['id'])
|
||||||
self.assertRaises(exception.GroupNotFound,
|
self.assertRaises(exception.GroupNotFound,
|
||||||
self.identity_api.get_group,
|
self.identity_api.get_group,
|
||||||
|
|
@ -305,7 +305,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
# ...and that all self.domain entities are still here
|
# ...and that all self.domain entities are still here
|
||||||
r = self.identity_api.get_domain(self.domain['id'])
|
r = self.identity_api.get_domain(self.domain['id'])
|
||||||
self.assertDictEqual(r, self.domain)
|
self.assertDictEqual(r, self.domain)
|
||||||
r = self.identity_api.get_project(self.project['id'])
|
r = self.assignment_api.get_project(self.project['id'])
|
||||||
self.assertDictEqual(r, self.project)
|
self.assertDictEqual(r, self.project)
|
||||||
r = self.identity_api.get_group(self.group['id'])
|
r = self.identity_api.get_group(self.group['id'])
|
||||||
self.assertDictEqual(r, self.group)
|
self.assertDictEqual(r, self.group)
|
||||||
|
|
@ -1015,9 +1015,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
domain_id=self.domain['id'])
|
domain_id=self.domain['id'])
|
||||||
self.assignment_api.create_project(self.project1['id'], self.project1)
|
self.assignment_api.create_project(self.project1['id'], self.project1)
|
||||||
self.role1 = self.new_role_ref()
|
self.role1 = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role1['id'], self.role1)
|
self.assignment_api.create_role(self.role1['id'], self.role1)
|
||||||
self.role2 = self.new_role_ref()
|
self.role2 = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role2['id'], self.role2)
|
self.assignment_api.create_role(self.role2['id'], self.role2)
|
||||||
|
|
||||||
# Now add one of each of the four types of assignment
|
# Now add one of each of the four types of assignment
|
||||||
|
|
||||||
|
|
@ -1203,7 +1203,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
||||||
role_list.append(role)
|
role_list.append(role)
|
||||||
|
|
||||||
domain = self.new_domain_ref()
|
domain = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(domain['id'], domain)
|
self.assignment_api.create_domain(domain['id'], domain)
|
||||||
user1 = self.new_user_ref(
|
user1 = self.new_user_ref(
|
||||||
domain_id=domain['id'])
|
domain_id=domain['id'])
|
||||||
user1['password'] = uuid.uuid4().hex
|
user1['password'] = uuid.uuid4().hex
|
||||||
|
|
@ -1295,7 +1295,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
||||||
role_list.append(role)
|
role_list.append(role)
|
||||||
|
|
||||||
domain = self.new_domain_ref()
|
domain = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(domain['id'], domain)
|
self.assignment_api.create_domain(domain['id'], domain)
|
||||||
user1 = self.new_user_ref(
|
user1 = self.new_user_ref(
|
||||||
domain_id=domain['id'])
|
domain_id=domain['id'])
|
||||||
user1['password'] = uuid.uuid4().hex
|
user1['password'] = uuid.uuid4().hex
|
||||||
|
|
@ -1388,7 +1388,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
||||||
role_list.append(role)
|
role_list.append(role)
|
||||||
|
|
||||||
domain = self.new_domain_ref()
|
domain = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(domain['id'], domain)
|
self.assignment_api.create_domain(domain['id'], domain)
|
||||||
user1 = self.new_user_ref(
|
user1 = self.new_user_ref(
|
||||||
domain_id=domain['id'])
|
domain_id=domain['id'])
|
||||||
user1['password'] = uuid.uuid4().hex
|
user1['password'] = uuid.uuid4().hex
|
||||||
|
|
@ -1491,7 +1491,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
||||||
role_list.append(role)
|
role_list.append(role)
|
||||||
|
|
||||||
domain = self.new_domain_ref()
|
domain = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(domain['id'], domain)
|
self.assignment_api.create_domain(domain['id'], domain)
|
||||||
user1 = self.new_user_ref(
|
user1 = self.new_user_ref(
|
||||||
domain_id=domain['id'])
|
domain_id=domain['id'])
|
||||||
user1['password'] = uuid.uuid4().hex
|
user1['password'] = uuid.uuid4().hex
|
||||||
|
|
|
||||||
|
|
@ -507,9 +507,9 @@ class MaliciousOAuth1Tests(OAuth1Tests):
|
||||||
credentials = urlparse.parse_qs(content.result)
|
credentials = urlparse.parse_qs(content.result)
|
||||||
request_key = credentials.get('oauth_token')[0]
|
request_key = credentials.get('oauth_token')[0]
|
||||||
|
|
||||||
self.identity_api.remove_role_from_user_and_project(self.user_id,
|
self.assignment_api.remove_role_from_user_and_project(self.user_id,
|
||||||
self.project_id,
|
self.project_id,
|
||||||
self.role_id)
|
self.role_id)
|
||||||
url = self._authorize_request_token(request_key)
|
url = self._authorize_request_token(request_key)
|
||||||
body = {'roles': [{'id': self.role_id}]}
|
body = {'roles': [{'id': self.role_id}]}
|
||||||
self.admin_request(path=url, method='PUT',
|
self.admin_request(path=url, method='PUT',
|
||||||
|
|
|
||||||
|
|
@ -55,12 +55,12 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
|
||||||
super(IdentityTestProtectedCase, self).setUp(load_sample_data=False)
|
super(IdentityTestProtectedCase, self).setUp(load_sample_data=False)
|
||||||
# Start by creating a couple of domains
|
# Start by creating a couple of domains
|
||||||
self.domainA = self.new_domain_ref()
|
self.domainA = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainA['id'], self.domainA)
|
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
|
||||||
self.domainB = self.new_domain_ref()
|
self.domainB = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainB['id'], self.domainB)
|
self.assignment_api.create_domain(self.domainB['id'], self.domainB)
|
||||||
self.domainC = self.new_domain_ref()
|
self.domainC = self.new_domain_ref()
|
||||||
self.domainC['enabled'] = False
|
self.domainC['enabled'] = False
|
||||||
self.identity_api.create_domain(self.domainC['id'], self.domainC)
|
self.assignment_api.create_domain(self.domainC['id'], self.domainC)
|
||||||
|
|
||||||
# Now create some users, one in domainA and two of them in domainB
|
# Now create some users, one in domainA and two of them in domainB
|
||||||
self.user1 = self.new_user_ref(domain_id=self.domainA['id'])
|
self.user1 = self.new_user_ref(domain_id=self.domainA['id'])
|
||||||
|
|
@ -85,18 +85,18 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
|
||||||
self.identity_api.create_group(self.group3['id'], self.group3)
|
self.identity_api.create_group(self.group3['id'], self.group3)
|
||||||
|
|
||||||
self.role = self.new_role_ref()
|
self.role = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role['id'], self.role)
|
self.assignment_api.create_role(self.role['id'], self.role)
|
||||||
self.role1 = self.new_role_ref()
|
self.role1 = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role1['id'], self.role1)
|
self.assignment_api.create_role(self.role1['id'], self.role1)
|
||||||
self.identity_api.create_grant(self.role['id'],
|
self.assignment_api.create_grant(self.role['id'],
|
||||||
user_id=self.user1['id'],
|
user_id=self.user1['id'],
|
||||||
domain_id=self.domainA['id'])
|
domain_id=self.domainA['id'])
|
||||||
self.identity_api.create_grant(self.role['id'],
|
self.assignment_api.create_grant(self.role['id'],
|
||||||
user_id=self.user2['id'],
|
user_id=self.user2['id'],
|
||||||
domain_id=self.domainA['id'])
|
domain_id=self.domainA['id'])
|
||||||
self.identity_api.create_grant(self.role1['id'],
|
self.assignment_api.create_grant(self.role1['id'],
|
||||||
user_id=self.user1['id'],
|
user_id=self.user1['id'],
|
||||||
domain_id=self.domainA['id'])
|
domain_id=self.domainA['id'])
|
||||||
|
|
||||||
# Initialize the policy engine and allow us to write to a temp
|
# Initialize the policy engine and allow us to write to a temp
|
||||||
# file in each test to create the policies
|
# file in each test to create the policies
|
||||||
|
|
@ -411,9 +411,9 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
||||||
load_sample_data=False)
|
load_sample_data=False)
|
||||||
# Start by creating a couple of domains
|
# Start by creating a couple of domains
|
||||||
self.domainA = self.new_domain_ref()
|
self.domainA = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainA['id'], self.domainA)
|
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
|
||||||
self.domainB = self.new_domain_ref()
|
self.domainB = self.new_domain_ref()
|
||||||
self.identity_api.create_domain(self.domainB['id'], self.domainB)
|
self.assignment_api.create_domain(self.domainB['id'], self.domainB)
|
||||||
self.admin_domain = {'id': 'admin_domain_id', 'name': 'Admin_domain'}
|
self.admin_domain = {'id': 'admin_domain_id', 'name': 'Admin_domain'}
|
||||||
self.assignment_api.create_domain(self.admin_domain['id'],
|
self.assignment_api.create_domain(self.admin_domain['id'],
|
||||||
self.admin_domain)
|
self.admin_domain)
|
||||||
|
|
@ -442,7 +442,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
||||||
self.admin_role = {'id': uuid.uuid4().hex, 'name': 'admin'}
|
self.admin_role = {'id': uuid.uuid4().hex, 'name': 'admin'}
|
||||||
self.assignment_api.create_role(self.admin_role['id'], self.admin_role)
|
self.assignment_api.create_role(self.admin_role['id'], self.admin_role)
|
||||||
self.role = self.new_role_ref()
|
self.role = self.new_role_ref()
|
||||||
self.identity_api.create_role(self.role['id'], self.role)
|
self.assignment_api.create_role(self.role['id'], self.role)
|
||||||
|
|
||||||
# The cloud admin just gets the admin role
|
# The cloud admin just gets the admin role
|
||||||
self.assignment_api.create_grant(self.admin_role['id'],
|
self.assignment_api.create_grant(self.admin_role['id'],
|
||||||
|
|
|
||||||
|
|
@ -120,7 +120,7 @@ class Auth(controller.V2Controller):
|
||||||
|
|
||||||
roles_ref = []
|
roles_ref = []
|
||||||
for role_id in metadata_ref.get('roles', []):
|
for role_id in metadata_ref.get('roles', []):
|
||||||
role_ref = self.identity_api.get_role(role_id)
|
role_ref = self.assignment_api.get_role(role_id)
|
||||||
roles_ref.append(dict(name=role_ref['name']))
|
roles_ref.append(dict(name=role_ref['name']))
|
||||||
|
|
||||||
(token_id, token_data) = self.token_provider_api.issue_v2_token(
|
(token_id, token_data) = self.token_provider_api.issue_v2_token(
|
||||||
|
|
@ -331,7 +331,7 @@ class Auth(controller.V2Controller):
|
||||||
|
|
||||||
if tenant_name:
|
if tenant_name:
|
||||||
try:
|
try:
|
||||||
tenant_ref = self.identity_api.get_project_by_name(
|
tenant_ref = self.assignment_api.get_project_by_name(
|
||||||
tenant_name, DEFAULT_DOMAIN_ID)
|
tenant_name, DEFAULT_DOMAIN_ID)
|
||||||
tenant_id = tenant_ref['id']
|
tenant_id = tenant_ref['id']
|
||||||
except exception.ProjectNotFound as e:
|
except exception.ProjectNotFound as e:
|
||||||
|
|
@ -364,8 +364,8 @@ class Auth(controller.V2Controller):
|
||||||
role_list = []
|
role_list = []
|
||||||
if tenant_id:
|
if tenant_id:
|
||||||
try:
|
try:
|
||||||
tenant_ref = self.identity_api.get_project(tenant_id)
|
tenant_ref = self.assignment_api.get_project(tenant_id)
|
||||||
role_list = self.identity_api.get_roles_for_user_and_project(
|
role_list = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_id, tenant_id)
|
user_id, tenant_id)
|
||||||
except exception.ProjectNotFound:
|
except exception.ProjectNotFound:
|
||||||
pass
|
pass
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ CONF = config.CONF
|
||||||
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('catalog_api', 'identity_api')
|
@dependency.requires('assignment_api', 'catalog_api', 'identity_api')
|
||||||
class V2TokenDataHelper(object):
|
class V2TokenDataHelper(object):
|
||||||
"""Creates V2 token data."""
|
"""Creates V2 token data."""
|
||||||
@classmethod
|
@classmethod
|
||||||
|
|
@ -132,7 +132,7 @@ class V2TokenDataHelper(object):
|
||||||
return services.values()
|
return services.values()
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('catalog_api', 'identity_api')
|
@dependency.requires('assignment_api', 'catalog_api', 'identity_api')
|
||||||
class V3TokenDataHelper(object):
|
class V3TokenDataHelper(object):
|
||||||
"""Token data helper."""
|
"""Token data helper."""
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
|
|
@ -144,7 +144,7 @@ class V3TokenDataHelper(object):
|
||||||
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
||||||
|
|
||||||
def _get_filtered_project(self, project_id):
|
def _get_filtered_project(self, project_id):
|
||||||
project_ref = self.identity_api.get_project(project_id)
|
project_ref = self.assignment_api.get_project(project_id)
|
||||||
filtered_project = {
|
filtered_project = {
|
||||||
'id': project_ref['id'],
|
'id': project_ref['id'],
|
||||||
'name': project_ref['name']}
|
'name': project_ref['name']}
|
||||||
|
|
@ -165,12 +165,12 @@ class V3TokenDataHelper(object):
|
||||||
def _get_roles_for_user(self, user_id, domain_id, project_id):
|
def _get_roles_for_user(self, user_id, domain_id, project_id):
|
||||||
roles = []
|
roles = []
|
||||||
if domain_id:
|
if domain_id:
|
||||||
roles = self.identity_api.get_roles_for_user_and_domain(
|
roles = self.assignment_api.get_roles_for_user_and_domain(
|
||||||
user_id, domain_id)
|
user_id, domain_id)
|
||||||
if project_id:
|
if project_id:
|
||||||
roles = self.identity_api.get_roles_for_user_and_project(
|
roles = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_id, project_id)
|
user_id, project_id)
|
||||||
return [self.identity_api.get_role(role_id) for role_id in roles]
|
return [self.assignment_api.get_role(role_id) for role_id in roles]
|
||||||
|
|
||||||
def _populate_user(self, token_data, user_id, domain_id, project_id,
|
def _populate_user(self, token_data, user_id, domain_id, project_id,
|
||||||
trust):
|
trust):
|
||||||
|
|
@ -215,7 +215,7 @@ class V3TokenDataHelper(object):
|
||||||
if access_token:
|
if access_token:
|
||||||
filtered_roles = []
|
filtered_roles = []
|
||||||
authed_role_ids = json.loads(access_token['role_ids'])
|
authed_role_ids = json.loads(access_token['role_ids'])
|
||||||
all_roles = self.identity_api.list_roles()
|
all_roles = self.assignment_api.list_roles()
|
||||||
for role in all_roles:
|
for role in all_roles:
|
||||||
for authed_role in authed_role_ids:
|
for authed_role in authed_role_ids:
|
||||||
if authed_role == role['id']:
|
if authed_role == role['id']:
|
||||||
|
|
@ -329,7 +329,8 @@ class V3TokenDataHelper(object):
|
||||||
|
|
||||||
|
|
||||||
@dependency.optional('oauth_api')
|
@dependency.optional('oauth_api')
|
||||||
@dependency.requires('token_api', 'identity_api', 'catalog_api')
|
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||||
|
'token_api')
|
||||||
class Provider(token.provider.Provider):
|
class Provider(token.provider.Provider):
|
||||||
def __init__(self, *args, **kwargs):
|
def __init__(self, *args, **kwargs):
|
||||||
super(Provider, self).__init__(*args, **kwargs)
|
super(Provider, self).__init__(*args, **kwargs)
|
||||||
|
|
@ -507,7 +508,7 @@ class Provider(token.provider.Provider):
|
||||||
trust_ref['trustor_user_id'])
|
trust_ref['trustor_user_id'])
|
||||||
if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
||||||
raise exception.Unauthorized(msg)
|
raise exception.Unauthorized(msg)
|
||||||
project_ref = self.identity_api.get_project(
|
project_ref = self.assignment_api.get_project(
|
||||||
trust_ref['project_id'])
|
trust_ref['project_id'])
|
||||||
if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
|
||||||
raise exception.Unauthorized(msg)
|
raise exception.Unauthorized(msg)
|
||||||
|
|
@ -535,7 +536,7 @@ class Provider(token.provider.Provider):
|
||||||
metadata_ref = token_ref['metadata']
|
metadata_ref = token_ref['metadata']
|
||||||
roles_ref = []
|
roles_ref = []
|
||||||
for role_id in metadata_ref.get('roles', []):
|
for role_id in metadata_ref.get('roles', []):
|
||||||
roles_ref.append(self.identity_api.get_role(role_id))
|
roles_ref.append(self.assignment_api.get_role(role_id))
|
||||||
|
|
||||||
# Get a service catalog if possible
|
# Get a service catalog if possible
|
||||||
# This is needed for on-behalf-of requests
|
# This is needed for on-behalf-of requests
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,8 @@ def _admin_trustor_only(context, trust, user_id):
|
||||||
raise exception.Forbidden()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('identity_api', 'trust_api', 'token_api')
|
@dependency.requires('assignment_api', 'identity_api', 'trust_api',
|
||||||
|
'token_api')
|
||||||
class TrustV3(controller.V3Controller):
|
class TrustV3(controller.V3Controller):
|
||||||
collection_name = "trusts"
|
collection_name = "trusts"
|
||||||
member_name = "trust"
|
member_name = "trust"
|
||||||
|
|
@ -86,7 +87,7 @@ class TrustV3(controller.V3Controller):
|
||||||
user_id != trust['trustee_user_id']):
|
user_id != trust['trustee_user_id']):
|
||||||
raise exception.Forbidden()
|
raise exception.Forbidden()
|
||||||
self._fill_in_roles(context, trust,
|
self._fill_in_roles(context, trust,
|
||||||
self.identity_api.list_roles())
|
self.assignment_api.list_roles())
|
||||||
return TrustV3.wrap_member(context, trust)
|
return TrustV3.wrap_member(context, trust)
|
||||||
|
|
||||||
def _fill_in_roles(self, context, trust, global_roles):
|
def _fill_in_roles(self, context, trust, global_roles):
|
||||||
|
|
@ -154,15 +155,16 @@ class TrustV3(controller.V3Controller):
|
||||||
trustee_ref = self.identity_api.get_user(trust['trustee_user_id'])
|
trustee_ref = self.identity_api.get_user(trust['trustee_user_id'])
|
||||||
if not trustee_ref:
|
if not trustee_ref:
|
||||||
raise exception.UserNotFound(user_id=trust['trustee_user_id'])
|
raise exception.UserNotFound(user_id=trust['trustee_user_id'])
|
||||||
global_roles = self.identity_api.list_roles()
|
global_roles = self.assignment_api.list_roles()
|
||||||
clean_roles = self._clean_role_list(context, trust, global_roles)
|
clean_roles = self._clean_role_list(context, trust, global_roles)
|
||||||
if trust.get('project_id'):
|
if trust.get('project_id'):
|
||||||
user_roles = self.identity_api.get_roles_for_user_and_project(
|
user_role = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_id, trust['project_id'])
|
user_id,
|
||||||
|
trust['project_id'])
|
||||||
else:
|
else:
|
||||||
user_roles = []
|
user_role = []
|
||||||
for trust_role in clean_roles:
|
for trust_role in clean_roles:
|
||||||
matching_roles = [x for x in user_roles
|
matching_roles = [x for x in user_role
|
||||||
if x == trust_role['id']]
|
if x == trust_role['id']]
|
||||||
if not matching_roles:
|
if not matching_roles:
|
||||||
raise exception.RoleNotFound(role_id=trust_role['id'])
|
raise exception.RoleNotFound(role_id=trust_role['id'])
|
||||||
|
|
@ -203,7 +205,7 @@ class TrustV3(controller.V3Controller):
|
||||||
if user_id != calling_user_id:
|
if user_id != calling_user_id:
|
||||||
raise exception.Forbidden()
|
raise exception.Forbidden()
|
||||||
trusts += self.trust_api.list_trusts_for_trustee(user_id)
|
trusts += self.trust_api.list_trusts_for_trustee(user_id)
|
||||||
global_roles = self.identity_api.list_roles()
|
global_roles = self.assignment_api.list_roles()
|
||||||
for trust in trusts:
|
for trust in trusts:
|
||||||
self._fill_in_roles(context, trust, global_roles)
|
self._fill_in_roles(context, trust, global_roles)
|
||||||
return TrustV3.wrap_collection(context, trusts)
|
return TrustV3.wrap_collection(context, trusts)
|
||||||
|
|
@ -256,7 +258,7 @@ class TrustV3(controller.V3Controller):
|
||||||
if x['id'] == role_id]
|
if x['id'] == role_id]
|
||||||
if not matching_roles:
|
if not matching_roles:
|
||||||
raise exception.RoleNotFound(role_id=role_id)
|
raise exception.RoleNotFound(role_id=role_id)
|
||||||
global_roles = self.identity_api.list_roles()
|
global_roles = self.assignment_api.list_roles()
|
||||||
matching_roles = [x for x in global_roles
|
matching_roles = [x for x in global_roles
|
||||||
if x['id'] == role_id]
|
if x['id'] == role_id]
|
||||||
if matching_roles:
|
if matching_roles:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue