126 lines
4.0 KiB
Python
126 lines
4.0 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from __future__ import absolute_import
|
|
|
|
from oslo_log import log
|
|
|
|
from keystone import assignment
|
|
from keystone.common import ldap as common_ldap
|
|
from keystone.common import models
|
|
from keystone import config
|
|
from keystone import exception
|
|
from keystone.i18n import _
|
|
from keystone.identity.backends import ldap as ldap_identity
|
|
|
|
|
|
CONF = config.CONF
|
|
LOG = log.getLogger(__name__)
|
|
|
|
|
|
class Role(assignment.RoleDriver):
|
|
|
|
def __init__(self):
|
|
super(Role, self).__init__()
|
|
self.LDAP_URL = CONF.ldap.url
|
|
self.LDAP_USER = CONF.ldap.user
|
|
self.LDAP_PASSWORD = CONF.ldap.password
|
|
self.suffix = CONF.ldap.suffix
|
|
|
|
# This is the only deep dependency from resource back
|
|
# to identity. The assumption is that if you are using
|
|
# LDAP for resource, you are using it for identity as well.
|
|
self.user = ldap_identity.UserApi(CONF)
|
|
self.role = RoleApi(CONF, self.user)
|
|
|
|
def get_role(self, role_id):
|
|
return self.role.get(role_id)
|
|
|
|
def list_roles(self, hints):
|
|
return self.role.get_all()
|
|
|
|
def list_roles_from_ids(self, ids):
|
|
return [self.get_role(id) for id in ids]
|
|
|
|
def create_role(self, role_id, role):
|
|
self.role.check_allow_create()
|
|
try:
|
|
self.get_role(role_id)
|
|
except exception.NotFound:
|
|
pass
|
|
else:
|
|
msg = _('Duplicate ID, %s.') % role_id
|
|
raise exception.Conflict(type='role', details=msg)
|
|
|
|
try:
|
|
self.role.get_by_name(role['name'])
|
|
except exception.NotFound:
|
|
pass
|
|
else:
|
|
msg = _('Duplicate name, %s.') % role['name']
|
|
raise exception.Conflict(type='role', details=msg)
|
|
|
|
return self.role.create(role)
|
|
|
|
def delete_role(self, role_id):
|
|
self.role.check_allow_delete()
|
|
return self.role.delete(role_id)
|
|
|
|
def update_role(self, role_id, role):
|
|
self.role.check_allow_update()
|
|
self.get_role(role_id)
|
|
return self.role.update(role_id, role)
|
|
|
|
|
|
# NOTE(heny-nash): A mixin class to enable the sharing of the LDAP structure
|
|
# between here and the assignment LDAP.
|
|
class RoleLdapStructureMixin(object):
|
|
DEFAULT_OU = 'ou=Roles'
|
|
DEFAULT_STRUCTURAL_CLASSES = []
|
|
DEFAULT_OBJECTCLASS = 'organizationalRole'
|
|
DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant'
|
|
NotFound = exception.RoleNotFound
|
|
options_name = 'role'
|
|
attribute_options_names = {'name': 'name'}
|
|
immutable_attrs = ['id']
|
|
model = models.Role
|
|
|
|
|
|
# TODO(termie): turn this into a data object and move logic to driver
|
|
class RoleApi(RoleLdapStructureMixin, common_ldap.BaseLdap):
|
|
|
|
def __init__(self, conf, user_api):
|
|
super(RoleApi, self).__init__(conf)
|
|
self._user_api = user_api
|
|
|
|
def get(self, role_id, role_filter=None):
|
|
model = super(RoleApi, self).get(role_id, role_filter)
|
|
return model
|
|
|
|
def create(self, values):
|
|
return super(RoleApi, self).create(values)
|
|
|
|
def update(self, role_id, role):
|
|
new_name = role.get('name')
|
|
if new_name is not None:
|
|
try:
|
|
old_role = self.get_by_name(new_name)
|
|
if old_role['id'] != role_id:
|
|
raise exception.Conflict(
|
|
_('Cannot duplicate name %s') % old_role)
|
|
except exception.NotFound:
|
|
pass
|
|
return super(RoleApi, self).update(role_id, role)
|
|
|
|
def delete(self, role_id):
|
|
super(RoleApi, self).delete(role_id)
|