Add manager support for app cred access rules

bp whitelist-extension-for-app-creds Change-Id: Icce8b54e45ad94ca41a6b47ec6109346dc886334
2019-06-05 17:31:52 -07:00 · 2019-06-05 17:31:52 -07:00 · ee7315971c
parent 2203e81729
commit ee7315971c
2 changed files with 38 additions and 1 deletions
--- a/keystone/application_credential/core.py
+++ b/keystone/application_credential/core.py
@ -127,12 +127,13 @@ class Manager(manager.Manager):
        user_id = application_credential['user_id']
        project_id = application_credential['project_id']
        roles = application_credential.pop('roles', [])
+        access_rules = application_credential.pop('access_rules', None)

        self._assert_limit_not_exceeded(user_id)
        self._require_user_has_role_in_project(roles, user_id, project_id)
        unhashed_secret = application_credential['secret']
        ref = self.driver.create_application_credential(
-            application_credential, roles)
+            application_credential, roles, access_rules)
        ref['secret'] = unhashed_secret
        ref = self._process_app_cred(ref)
        notifications.Audit.created(
--- a/keystone/tests/unit/application_credential/test_backends.py
+++ b/keystone/tests/unit/application_credential/test_backends.py
@ -107,6 +107,42 @@ class ApplicationCredentialTests(object):
                          self.app_cred_api.create_application_credential,
                          app_cred)

+    def test_create_application_credential_with_access_rules(self):
+        app_cred = self._new_app_cred_data(self.user_foo['id'],
+                                           project_id=self.project_bar['id'])
+        app_cred['access_rules'] = [{
+            'id': uuid.uuid4().hex,
+            'service': uuid.uuid4().hex,
+            'path': uuid.uuid4().hex,
+            'method': uuid.uuid4().hex[16:]
+        }]
+        resp = self.app_cred_api.create_application_credential(app_cred)
+        resp.pop('roles')
+        resp_access_rules = resp.pop('access_rules')
+        app_cred.pop('roles')
+        orig_access_rules = app_cred.pop('access_rules')
+        self.assertDictEqual(app_cred, resp)
+        for i, ar in enumerate(resp_access_rules):
+            self.assertDictEqual(orig_access_rules[i], ar)
+
+    def test_create_application_credential_with_preexisting_access_rules(self):
+        app_cred_1 = self._new_app_cred_data(self.user_foo['id'],
+                                             project_id=self.project_bar['id'])
+        app_cred_1['access_rules'] = [{
+            'id': uuid.uuid4().hex,
+            'service': uuid.uuid4().hex,
+            'path': uuid.uuid4().hex,
+            'method': uuid.uuid4().hex[16:]
+        }]
+        resp = self.app_cred_api.create_application_credential(app_cred_1)
+        resp_access_rules_1 = resp.pop('access_rules')
+        app_cred_2 = self._new_app_cred_data(self.user_foo['id'],
+                                             project_id=self.project_bar['id'])
+        app_cred_2['access_rules'] = [{'id': resp_access_rules_1[0]['id']}]
+        resp = self.app_cred_api.create_application_credential(app_cred_2)
+        resp_access_rules_2 = resp.pop('access_rules')
+        self.assertDictEqual(resp_access_rules_1[0], resp_access_rules_2[0])
+
    def test_get_application_credential(self):
        app_cred = self._new_app_cred_data(self.user_foo['id'],
                                           project_id=self.project_bar['id'])