
Expiring Group Memberships API - Allow set idp authorization_ttl

This patch extends the identity provider API to receive, return
and set the authorization_ttl on an identity provider.

Change-Id: I3c58da290d52149e307280042ed20447da4687f7
Partial-Bug: 1809116
Kristi Nikolla 1 year ago
committed by Kristi Nikolla
parent
commit
c18956f198
  1. 6
      api-ref/source/v3-ext/federation/identity-provider/idp.inc
  2. 9
      api-ref/source/v3-ext/federation/identity-provider/parameters.yaml
  3. 3
      api-ref/source/v3-ext/federation/identity-provider/samples/get-response.json
  4. 3
      api-ref/source/v3-ext/federation/identity-provider/samples/update-response.json
  5. 3
      keystone/api/os_federation.py
  6. 5
      keystone/common/validation/parameter_types.py
  7. 2
      keystone/federation/schema.py
  8. 38
      keystone/tests/unit/test_v3_federation.py

6
api-ref/source/v3-ext/federation/identity-provider/idp.inc

@ -16,6 +16,7 @@ Parameters
~~~~~~~~~~
.. rest_parameters:: federation/identity-provider/parameters.yaml
- authorization_ttl: authorization_ttl
- domain_id: domain_id
- description: description
- enabled: enabled
@ -39,6 +40,7 @@ Parameters
.. rest_parameters:: federation/identity-provider/parameters.yaml
- authorization_ttl: authorization_ttl
- domain_id: domain_id
- description: description
- enabled: enabled
@ -131,6 +133,7 @@ Parameters
.. rest_parameters:: federation/identity-provider/parameters.yaml
- authorization_ttl: authorization_ttl
- domain_id: domain_id
- description: description
- enabled: enabled
@ -221,6 +224,7 @@ Parameters
.. rest_parameters:: federation/identity-provider/parameters.yaml
- authorization_ttl: authorization_ttl
- domain_id: domain_id
- description: description
- enabled: enabled
@ -460,4 +464,4 @@ Status Codes
.. rest_status_code:: success ../v3/status.yaml
- 204
- 204

9
api-ref/source/v3-ext/federation/identity-provider/parameters.yaml

@ -33,6 +33,15 @@ id_query:
# variables in body
authorization_ttl:
description: |
The length of validity in minutes for group memberships carried over
through mapping and persisted in the database. If left unset, the
default value configured in keystone will be used, if enabled.
in: body
required: false
type: integer
description:
description: |
The Identity Provider description

3
api-ref/source/v3-ext/federation/identity-provider/samples/get-response.json

@ -1,5 +1,6 @@
{
"identity_provider": {
"authorization_ttl": null,
"domain_id": "1789d1",
"description": "Stores ACME identities",
"remote_ids": ["acme_id_1", "acme_id_2"],
@ -10,4 +11,4 @@
"self": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME"
}
}
}
}

3
api-ref/source/v3-ext/federation/identity-provider/samples/update-response.json

@ -1,5 +1,6 @@
{
"identity_provider": {
"authorization_ttl": null,
"domain_id": "1789d1",
"description": "Beta dev idp",
"remote_ids": ["beta_id_1", "beta_id_2"],
@ -10,4 +11,4 @@
"self": "http://example.com/identity/v3/OS-FEDERATION/identity_providers/ACME"
}
}
}
}

3
keystone/api/os_federation.py

@ -74,7 +74,8 @@ class IdentityProvidersResource(_ResourceBase):
member_key = 'identity_provider'
api_prefix = '/OS-FEDERATION'
_public_parameters = frozenset(['id', 'enabled', 'description',
'remote_ids', 'links', 'domain_id'
'remote_ids', 'links', 'domain_id',
'authorization_ttl'
])
_id_path_param_name_override = 'idp_id'
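Review bot: The new last element of `_public_parameters` is written as `'authorization_ttl'` immediately followed by `])`, with no trailing comma, which is the shape that makes the next addition here a two-line edit and, if the comma is forgotten, turns into implicit string concatenation (`'authorization_ttl' 'next_field'`) that silently drops a name from the public set rather than failing. Since this set decides which attributes the API returns, a missing name here would quietly hide a field rather than leak one, but it is still an easy-to-miss regression; write it as `'authorization_ttl',`. The enclosing `IdentityProvidersResource` class starts outside the hunk.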

5
keystone/common/validation/parameter_types.py

@ -69,3 +69,8 @@ email = {
'type': 'string',
'format': 'email'
}
integer_min0 = {
'type': 'integer',
'minimum': 0
}
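Review bot: `integer_min0` admits 0, yet nothing in this hunk or in the api-ref text says what an `authorization_ttl` of 0 means — expire at once, or the same as null (fall back to the configured default)? If the consuming code checks the stored value for truthiness, 0 and null collapse into one another, which for an authorization TTL silently makes an operator's "expire immediately" into "use the default"; the consumer is not visible here, so this is an inference to confirm. Either pin the semantics with a comment on the new type, `# 0 is a legitimate value here; consumers must test for None, not falsiness`, or raise `minimum` to 1 if 0 has no meaning. There is also no `maximum`, so validation passes any integer Python can parse and an oversized value is only rejected further down, presumably at the storage layer.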

2
keystone/federation/schema.py

@ -82,6 +82,7 @@ _identity_provider_properties_create = {
'enabled': parameter_types.boolean,
'description': validation.nullable(parameter_types.description),
'domain_id': validation.nullable(parameter_types.id_string),
'authorization_ttl': validation.nullable(parameter_types.integer_min0),
'remote_ids': {
'type': ['array', 'null'],
'items': {
@ -94,6 +95,7 @@ _identity_provider_properties_create = {
_identity_provider_properties_update = {
'enabled': parameter_types.boolean,
'description': validation.nullable(parameter_types.description),
'authorization_ttl': validation.nullable(parameter_types.integer_min0),
'remote_ids': {
'type': ['array', 'null'],
'items': {

38
keystone/tests/unit/test_v3_federation.py

@ -1132,6 +1132,18 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
keys_to_check=keys_to_check,
ref=expected)
def test_create_idp_authorization_ttl(self):
keys_to_check = list(self.idp_keys)
keys_to_check.append('authorization_ttl')
body = self.default_body.copy()
body['description'] = uuid.uuid4().hex
body['authorization_ttl'] = 10080
resp = self._create_default_idp(body)
expected = body.copy()
self.assertValidResponse(resp, 'identity_provider', dummy_validator,
keys_to_check=keys_to_check,
ref=expected)
def test_update_idp_remote_ids(self):
"""Update IdP's remote_ids parameter."""
body = self.default_body.copy()
@ -1216,6 +1228,32 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
self.assertIn('Duplicate remote ID',
resp_data['error']['message'])
def test_update_idp_authorization_ttl(self):
body = self.default_body.copy()
body['authorization_ttl'] = 10080
default_resp = self._create_default_idp(body=body)
default_idp = self._fetch_attribute_from_response(default_resp,
'identity_provider')
idp_id = default_idp.get('id')
url = self.base_url(suffix=idp_id)
self.assertIsNotNone(idp_id)
body['authorization_ttl'] = None
body = {'identity_provider': body}
resp = self.patch(url, body=body)
updated_idp = self._fetch_attribute_from_response(resp,
'identity_provider')
body = body['identity_provider']
self.assertEqual(body['authorization_ttl'],
updated_idp.get('authorization_ttl'))
resp = self.get(url)
returned_idp = self._fetch_attribute_from_response(resp,
'identity_provider')
self.assertEqual(body['authorization_ttl'],
returned_idp.get('authorization_ttl'))
def test_list_head_idps(self, iterations=5):
"""List all available IdentityProviders.
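Review bot: Both new tests only exercise accepted values (10080 and null); nothing checks that the schema's `minimum: 0` and integer type actually reject bad input, so a later loosening of `integer_min0` would go unnoticed. Add a sibling that creates or patches an IdP with `authorization_ttl` of -1 and of a non-integer string and expects a 400, using whatever `expected_status` keyword the other negative tests in this class pass to `self.patch`/`_create_default_idp`, and a positive case for 0 so its meaning is pinned. The two new methods also lack the one-line docstring their neighbour `test_update_idp_remote_ids` carries; `"""Create an IdP with an explicit authorization_ttl."""` and `"""Clear an IdP's authorization_ttl by patching it to null."""` would match the file's style. In `test_update_idp_authorization_ttl` the PATCH body is the full create body rather than just `{'authorization_ttl': None}`, so it also depends on the update schema accepting every create-time key, which this page does not show.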
