Add federated support for updating a user

This patch adds functionality to allow an operator to pass in a
federated attribute when updating a user. When a user is updated
the federated objects in the federated attribute will be updated
and associated along with the user.

Co-Authored-By: Kristi Nikolla <knikolla@bu.edu>

Partial-Bug: 1816076
Change-Id: I8ee43b437b551858c198320204b768cdba311506
This commit is contained in:
Richard Avelar 2017-03-22 19:49:55 +00:00 committed by Kristi Nikolla
parent 1627c28282
commit e723a1c16e
5 changed files with 146 additions and 1 deletions

View File

@ -1125,6 +1125,32 @@ class Manager(manager.Manager):
if new_ref['domain_id'] != orig_ref['domain_id']:
raise exception.ValidationError(_('Cannot change Domain ID'))
def _update_user_with_federated_objects(self, user, driver, entity_id):
# If the user did not pass a federated object along inside the user
# object then we simply update the user as normal and add the
# currently associated federated objects to user to be added to the
# dictionary.
if not user.get('federated'):
if 'federated' in user:
del user['federated']
user = driver.update_user(entity_id, user)
fed_objects = self.shadow_users_api.get_federated_objects(
user['id'])
if fed_objects:
user['federated'] = fed_objects
return user
# Otherwise, we validate, remove the previous user's federated objects,
# and update the user along with their updated federated objects.
else:
user_ref = user.copy()
self._validate_federated_objects(user_ref['federated'])
self.shadow_users_api.delete_federated_object(entity_id)
del user['federated']
user = driver.update_user(entity_id, user)
self._create_federated_objects(user, user_ref['federated'])
user['federated'] = user_ref['federated']
return user
@domains_configured
@exception_translated('user')
def update_user(self, user_id, user_ref, initiator=None):
@ -1153,7 +1179,7 @@ class Manager(manager.Manager):
self.get_user_by_name.invalidate(self, old_user_ref['name'],
old_user_ref['domain_id'])
ref = driver.update_user(entity_id, user)
ref = self._update_user_with_federated_objects(user, driver, entity_id)
notifications.Audit.updated(self._USER, user_id, initiator)

View File

@ -70,6 +70,13 @@ class ShadowUsersDriverBase(object, metaclass=abc.ABCMeta):
"""
raise exception.NotImplemented()
def delete_federated_object(self, user_id):
"""Delete a user's federated objects.
:param user_id: Unique identifier of the user
"""
raise exception.NotImplemented()
@abc.abstractmethod
def get_federated_objects(self, user_id):
"""Get all federated objects for a user.

View File

@ -60,6 +60,12 @@ class ShadowUsers(base.ShadowUsersDriverBase):
fed_ref = model.FederatedUser.from_dict(fed_dict)
session.add(fed_ref)
def delete_federated_object(self, user_id):
with sql.session_for_write() as session:
q = session.query(model.FederatedUser)
q = q.filter(model.FederatedUser.user_id == user_id)
q.delete(False)
def get_federated_objects(self, user_id):
with sql.session_for_read() as session:
query = session.query(model.FederatedUser)

View File

@ -149,3 +149,57 @@ class TestUserWithFederatedUser(ShadowUsersTests):
self.protocol['id'],
unique_id)
self.assertIsNotNone(fed_user)
def test_update_user_with_invalid_idp_and_protocol_fails(self):
baduser = unit.new_user_ref(domain_id=self.domain_id)
baduser['federated'] = [
{
'idp_id': 'fakeidp',
'protocols': [
{
'protocol_id': 'nonexistent',
'unique_id': 'unknown'
}
]
}
]
# Check validation works by throwing a federated object with
# invalid idp_id, protocol_id inside the user passed to create_user.
self.assertRaises(exception.ValidationError,
self.identity_api.create_user,
baduser)
baduser['federated'][0]['idp_id'] = self.idp['id']
self.assertRaises(exception.ValidationError,
self.identity_api.create_user,
baduser)
def test_update_user_with_federated_attributes(self):
user = self.shadow_users_api.create_federated_user(
self.domain_id, self.federated_user)
user = self.identity_api.get_user(user['id'])
# Test that update user can return a federated object with the user as
# a response if the user has any
user = self.identity_api.update_user(user['id'], user)
self.assertFederatedDictsEqual(self.federated_user,
user['federated'][0])
# Test that update user can replace a users federated objects if added
# in the request and that its response is that new federated objects
new_fed = [
{
'idp_id': self.idp['id'],
'protocols': [
{
'protocol_id': self.protocol['id'],
'unique_id': uuid.uuid4().hex
}
]
}
]
user['federated'] = new_fed
user = self.identity_api.update_user(user['id'], user)
self.assertTrue('federated' in user)
self.assertTrue(len(user['federated']), 1)
self.assertEqual(user['federated'][0], new_fed[0])

View File

@ -1222,3 +1222,55 @@ class UserFederatedAttributesTests(test_v3.RestfulTestCase):
ref['federated'][0]['idp_id'] = idp['id']
self.post('/users', body={'user': ref}, token=self.get_admin_token(),
expected_status=http.client.BAD_REQUEST)
def test_update_user_with_federated_attributes(self):
"""Call ``PATCH /users/{user_id}``."""
user = self.fed_user.copy()
del user['id']
user['name'] = 'James Doe'
idp, protocol = self._create_federated_attributes()
user['federated'] = [
{
'idp_id': idp['id'],
'protocols': [
{
'protocol_id': protocol['id'],
'unique_id': 'jdoe'
}
]
}
]
r = self.patch('/users/%(user_id)s' % {
'user_id': self.fed_user['id']},
body={'user': user})
resp_user = r.result['user']
self.assertEqual(user['name'], resp_user['name'])
self.assertEqual(user['federated'], resp_user['federated'])
self.assertValidUserResponse(r, user)
def test_update_user_fails_when_given_invalid_idp_and_protocols(self):
"""Call ``PATCH /users/{user_id}``."""
user = self.fed_user.copy()
del user['id']
idp, protocol = self._create_federated_attributes()
user['federated'] = [
{
'idp_id': 'fakeidp',
'protocols': [
{
'protocol_id': 'fakeprotocol_id',
'unique_id': uuid.uuid4().hex
}
]
}
]
self.patch('/users/%(user_id)s' % {
'user_id': self.fed_user['id']},
body={'user': user},
expected_status=http.client.BAD_REQUEST)
user['federated'][0]['idp_id'] = idp['id']
self.patch('/users/%(user_id)s' % {
'user_id': self.fed_user['id']},
body={'user': user},
expected_status=http.client.BAD_REQUEST)