Refactor revoke matcher
This makes the code more verbose (and more redundant) in favor of making it easier to read. There was a pretty consistent pattern to what it was actually doing, but each block of code was basically written differently. This makes them all the same. Change-Id: I0804f490e28cedfaea2016e796a773ba50cc821a
parent
93248d23a1
commit
e9b0f2f52e
|
@ -177,41 +177,60 @@ def matches(event, token_values):
|
|||
# that the token is still valid and short-circuits the
|
||||
# rest of the logic.
|
||||
|
||||
# The token has three attributes that can match the user_id
|
||||
if event.user_id is not None:
|
||||
if all(event.user_id != token_values[attribute_name]
|
||||
for attribute_name in ['user_id', 'trustor_id', 'trustee_id']):
|
||||
return False
|
||||
# The token has three attributes that can match the user_id.
|
||||
if event.user_id is not None and event.user_id not in (
|
||||
token_values['user_id'],
|
||||
token_values['trustor_id'],
|
||||
token_values['trustee_id'],):
|
||||
return False
|
||||
|
||||
# The token has two attributes that can match the domain_id
|
||||
if event.domain_id is not None:
|
||||
if all(event.domain_id != token_values[attribute_name]
|
||||
for attribute_name in ['identity_domain_id',
|
||||
'assignment_domain_id']):
|
||||
return False
|
||||
# The token has two attributes that can match the domain_id.
|
||||
if event.domain_id is not None and event.domain_id not in(
|
||||
token_values['identity_domain_id'],
|
||||
token_values['assignment_domain_id'],):
|
||||
return False
|
||||
|
||||
if event.domain_scope_id is not None:
|
||||
if event.domain_scope_id != token_values['assignment_domain_id']:
|
||||
return False
|
||||
if event.domain_scope_id is not None and event.domain_scope_id not in (
|
||||
token_values['assignment_domain_id'],):
|
||||
return False
|
||||
|
||||
# If an event specifies an attribute name, but it does not match,
|
||||
# the token is not revoked.
|
||||
attribute_names = ['project_id',
|
||||
'expires_at', 'trust_id', 'consumer_id',
|
||||
'access_token_id', 'audit_id', 'audit_chain_id']
|
||||
for attribute_name in attribute_names:
|
||||
if getattr(event, attribute_name) is not None:
|
||||
if (getattr(event, attribute_name) !=
|
||||
token_values[attribute_name]):
|
||||
return False
|
||||
# If an event specifies an attribute name, but it does not match, the token
|
||||
# is not revoked.
|
||||
if event.project_id is not None and event.project_id not in (
|
||||
token_values['project_id'],):
|
||||
return False
|
||||
|
||||
if event.role_id is not None:
|
||||
roles = token_values['roles']
|
||||
if all(event.role_id != role for role in roles):
|
||||
return False
|
||||
if event.expires_at is not None and event.expires_at not in (
|
||||
token_values['expires_at'],):
|
||||
return False
|
||||
|
||||
if event.trust_id is not None and event.trust_id not in (
|
||||
token_values['trust_id'],):
|
||||
return False
|
||||
|
||||
if event.consumer_id is not None and event.consumer_id not in (
|
||||
token_values['consumer_id'],):
|
||||
return False
|
||||
|
||||
if event.access_token_id is not None and event.access_token_id not in (
|
||||
token_values['access_token_id'],):
|
||||
return False
|
||||
|
||||
if event.audit_id is not None and event.audit_id not in (
|
||||
token_values['audit_id'],):
|
||||
return False
|
||||
|
||||
if event.audit_chain_id is not None and event.audit_chain_id not in (
|
||||
token_values['audit_chain_id'],):
|
||||
return False
|
||||
|
||||
if event.role_id is not None and event.role_id not in (
|
||||
token_values['roles']):
|
||||
return False
|
||||
|
||||
if token_values['issued_at'] > event.issued_before:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
|
|
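Review bot: The final membership test, `event.role_id not in (token_values['roles'])`, looks like the one-element tuples in every other check but has no trailing comma, so it tests against the roles collection itself. That is the intended behaviour, but the shape invites a later "consistency" edit that adds the comma, after which a role-scoped revocation event would never match and tokens carrying the revoked role would keep validating. I would drop the parentheses and add a comment, `# 'roles' is already a collection; test membership in it directly`, above `if event.role_id is not None and event.role_id not in token_values['roles']:`. Separately, the user_id and domain_id checks now build their tuples eagerly, so every listed key is looked up even when the first one matches, whereas the old `all(...)` generator stopped at the first match; this is presumably fine if token_values always carries all of those keys, but that cannot be confirmed from this hunk. The body of `matches` begins above the hunk.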