This change moves the various api ref entries for project
tags to be consistent with other api-ref entries, organized
by route.
Change-Id: I6ccd9a2878224cfb7357e8ad1ae1aca77de368ef
This change adds in a new argument "build_target" which takes
in a passed function to build the enforcement target after
the authentication check. This is to avoid leaking existence
data when determining scope.
Change-Id: I9aab71dd0032d40aa2f2e088b529af08b112671f
Partial-Bug: #1776504
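
The ordering described in the commit message above, as an added example (not keystone's code): an eager handler looks the resource up before the authentication check, so an unauthenticated caller can tell existing IDs from missing ones, while a deferred `build_target` callable runs only after authentication. All names (`enforce_call`, `get_project`, `PROJECTS`, the toy policy rule) are hypothetical.

```python
# Added illustration. Every name here is hypothetical, not keystone's API.
class APIError(Exception):
    status = 500

class Unauthorized(APIError):
    status = 401

class Forbidden(APIError):
    status = 403

class NotFound(APIError):
    status = 404

PROJECTS = {"p1": {"id": "p1", "domain_id": "d1"}}  # constructed sample data

def get_project(project_id):
    if project_id not in PROJECTS:
        raise NotFound(project_id)
    return PROJECTS[project_id]

def enforce_call(token, action, build_target=None):
    # Authentication check first: no token, no further work.
    if token is None:
        raise Unauthorized(action)
    # Only an authenticated caller triggers the resource lookup.
    target = build_target() if build_target is not None else {}
    # Toy policy rule (assumption): the caller's domain must own the target.
    if target.get("domain_id") != token["domain_id"]:
        raise Forbidden(action)
    return target

def eager_handler(token, project_id):
    target = get_project(project_id)  # lookup runs before authentication
    return enforce_call(token, "get_project", build_target=lambda: target)

def deferred_handler(token, project_id):
    return enforce_call(token, "get_project",
                        build_target=lambda: get_project(project_id))

def status_of(handler, token, project_id):
    try:
        handler(token, project_id)
        return 200
    except APIError as exc:
        return exc.status

def probe(handler):
    # What an unauthenticated caller sees for an existing vs. a missing ID.
    return status_of(handler, None, "p1"), status_of(handler, None, "missing")
```
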
Mapping Engine Tester is untested. Looking
at a coverage report for the Keystone CLI
shows missing test cases for MappingEngine
Tester. This patch adds the test cases and
also fixes the compatibility issues of
MappingEngine with python3.
Change-Id: Id0844ba1f4e2979d91414d3bc821ab25650c6935
Closes-Bug: #1782197
As part of the python3-first goal, this patch ensures we have a voting
functional job that uses python3. The choice to call it py3 rather than
py35 is conscious, as the underlying python3 version is controlled by
the choice of test node which the job inherits from its ancestor jobs.
Change-Id: I97ced2047964055966fd6c2e8acfec29b48bdfe3
Enable the sqlite foreign keys function for unit test.
This patch is the first part to solve sql backend test issues.
Change-Id: I5d29d05e64b76ff6530c9af5ee39a2df1b26aa03
Partial-Bug: #1744195
This adds a releasenote for the related bug fix for
mapped groups.
[0] https://review.openstack.org/#/c/597992/
Change-Id: Ied9cc012e0728276bcd083089658c9c1020d9521
These tests have not been run in > 2 years. They are commented out
with an updated FIXME to rework once the flask port is done (auth).
It is out of scope of Flask to re-enable long disabled tests.
We do not want to lose the context of the coverage the tests provide
thus we are commenting them out instead of outright deletion.
Change-Id: I0760746dc62b65607ac0e88ee6d03395c9226fe7
The issue occurs if a user has a group that
does not map to a project in OpenStack, at
which point an exception is raised and the
websso login blows up with a 500 message.
This is because of the exception being raised
when the group name does not match, thus replacing
that with a log.
Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
Closes-Bug: #1789450
Previously domain_id normalization was done (in webob) resulting
in possibly one of four results (ref['domain_id'] is changed):
* Domain ID present in ref -> no change to ref
* Domain ID not present, domain scoped token -> ref['domain_id'] = scope domain id
* Domain ID not present, "admin" token -> raise ValidationError
* Domain ID not present, project scoped token -> default domain [Deprecated functionality]
In flask, only the first case worked. This change corrects the behavior
and adds a test to ensure proper data is extracted from oslo.context.
Change-Id: Iacb502a2aa3fe633f74c7e19e13c46f4f85e55db
Closes-Bug: #1793027
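
The four normalization outcomes listed in the commit message above, as an added example (not keystone's code). The `context` dict stands in for the request context; its keys, `DEFAULT_DOMAIN_ID`, and the handling of a token with no scope at all are assumptions.

```python
# Added illustration. The context keys and DEFAULT_DOMAIN_ID are assumptions;
# this is not keystone's implementation.
class ValidationError(Exception):
    pass

DEFAULT_DOMAIN_ID = "default"  # assumed identifier of the default domain

def normalize_domain_id(ref, context):
    """Return ref with 'domain_id' filled in according to the token scope."""
    # Case 1: domain ID present in ref -> no change to ref.
    if "domain_id" in ref:
        return ref
    normalized = dict(ref)  # do not mutate the caller's dict
    if context.get("domain_id"):
        # Case 2: domain scoped token -> use the scope's domain ID.
        normalized["domain_id"] = context["domain_id"]
    elif context.get("is_admin"):
        # Case 3: "admin" token carries no scope to infer from.
        raise ValidationError("domain_id is required with the admin token")
    elif context.get("project_id"):
        # Case 4 (deprecated): project scoped token -> default domain.
        normalized["domain_id"] = DEFAULT_DOMAIN_ID
    else:
        # Not covered by the commit message; rejecting is an assumption.
        raise ValidationError("domain_id cannot be inferred without a scope")
    return normalized

def outcome(ref, context):
    # Helper for comparing cases: the resulting domain ID or the error name.
    try:
        return normalize_domain_id(ref, context)["domain_id"]
    except ValidationError:
        return "ValidationError"
```
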
Use openstack-tox-cover template, this runs the cover job as
non-voting in the check queue only.
Use openstack-lower-constraints-jobs template
Remove jobs that are part of the templates.
Change-Id: Ifc97a5a59ae9ffc184a30110d1f49fd2fbb0a160
Unfortunately this test has been failing consistently for some
time due to some ways the test is implemented. While we regroup
to implement something more reliable, it's best to just remove
it from the check pipeline and have it be experimental for now.
Change-Id: Iaff476524fa95a0d96b72e0905716f812138eb3e
The v3-only functional job was repurposed to run federation. This
change renames the job in order to reflect this.
Change-Id: Ib7c8a2f1cfa19f332aad20ac528f8fa86addd5f9
This patch removes a method that wasn't being
used anymore anywhere except for a single unit
test. Since keystone now validates Fernet
tokens the same way - by rebuilding the token
context at validation time, we no longer need
to persist certain types of revocation events.
Change-Id: Ic9dcc6a5fd40e504ec04dcefab995d03927362bc
partial-bug: #1671887
This change addresses the following issues with the flask conversion:
* Filter attributes on get_idp (added to wrap_member)
Change-Id: I028f894845d1d6553c6372cd67b53102b10b8a4c
Partial-Bug: #1776504
If you have a -c in the install_cmd it gets used with all the deps
supplied; this means that the lower-constraints job actually installs from
upper-constraints :(
You can see what I mean in [1]
Note both lower-constraints.txt and upper-constraints.txt are used ; and
---
Collecting oslo.log===3.39.0 (from -c /home/zuul/src/git.openstack.org/openstack/requirements/upper-constraints.txt (line 247))
---
With this fixed we find a few minimums that need to be bumped:
* oslo.policy >= 1.33.0
  keystone uses the scope_types[2] kwarg to RuleDefault which was
  introduced in 52c82ff9ab04dd78ff7045cb30d2f5de535dd7da which is
  contained in 1.32.0; also we need the 'policy-in-code' feature
  which is in 1.33.0
* oslo.log >= 0.38.0
  keystone used the ROCKY[3] constant for deprecations which was
  introduced in d68a895ee8e61b5c9d4ef368e7f04252e84649e9 which is
  contained in 3.38.0
* msgpack >= 0.5.0
  the 0.4.x versions have been removed from pypi so we have to bump the
  minimum :(
* SQLAlchemy >= 1.0.13
  identity_provider_id in token payload is byte in python3 which
  triggers a sqlalchemy bug[4]. The bug has been fixed in 1.0.13
* keystonemiddleware >= 5.1.0
  unified limit feature uses system scope feature which is supported
  in keystonemiddleware after 5.1.0
We also correct some errors in bindep.txt related to use on Fedora
[1] http://logs.openstack.org/47/599447/2/check/openstack-tox-lower-constraints/bbc912b/tox/lower-constraints-1.log
[2] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/access_token.py#n24
[3] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/default.py#n50
[4] http://docs.sqlalchemy.org/en/latest/changelog/changelog_10.html#change-a14dd2e73d889d065acc07a77b1ee7cb
Change-Id: Ic0de6799fddd86a70abae2c87c92d565072ebdb9
The policy_dict (in enforcement) was not populating the view args
in a similar manner to the old style @protected decorator. This
change ensures that we mirror the old behavior (required for
proper use of v3cloud policy).
Change-Id: Ida9009a95a874be9cc60c3152d4e3225726562eb
Partial-Bug: #1776504
Closes-Bug: #1792047
This renames the "keystone-dsvm-py35-functional-v3-only" check to
"keystone-dsvm-py35-functional-federation" in order to better
describe what this job does. This also removes the
"ENABLE_IDENTITY_V2=FALSE" setting since v2 has since been removed
from keystone.
Change-Id: If6c4a5844eb1d2f9f75c614634c781c2915c4a11
Convert OS-INHERIT API to flask native dispatching.
NOTE: A minor test change was needed, the test was mis-constructing the
URI with multiple slashes. The test now properly constructs the URI
using an lstrip when combining the direct_url bits.
Change-Id: I0907eb00cdfb9849342220f9b528f94175e71545
Partial-Bug: #1776504
Correct an issue with the RBACEnforcer requiring 'member_name' instead
of 'member_key' for the inferred lookup. Due to how flask works and that
all views are instantiated on demand (and not accessible outside of
the active method without a lot of extra introspection), the provider
object now supports a "deferred" lookup mechanism. This mechanism
leverages the descriptor construct and does the lookup of the provider
api property and method at runtime. This, in essence, works like a
"@classproperty" would.
Change-Id: I264384dd521ea60ba6ee98652aaeb939f1a75521
Partial-Bug: #1776504