14ac08431f
We propose to extend Keystone identity provider (IdP) attribute mapping schema to make Keystone honor the `domain` configuration that we have on it. Currently, that configuration is only used to define a default domain for groups (and then each group there, could override it). It is interesting to expand this configuration (as long as it is in the root of the attribute mapping) to be also applied for users and projects. Moreover, to facilitate the development and extension concerning attribute mappings for IdPs, we changed the way the attribute mapping schema is handled. We introduce a new configuration `federation_attribute_mapping_schema_version`, which defaults to "1.0". This attribute mapping schema version will then be used to control the validation of attribute mapping, and also the rule processors used to process the attributes that come from the IdP. So far, with this PR, we introduce the attribute mapping schema "2.0", which enables operators to also define a domain for the projects they want to assign users. If no domain is defined either in the project or in the global domain definition for the attribute mapping, we take the IdP domain as the default. Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d Implements: https://bugs.launchpad.net/keystone/+bug/1887515 Closes-Bug: #1887515
181 lines
5.5 KiB
INI
181 lines
5.5 KiB
INI
[tox]
|
|
minversion = 3.18.0
|
|
envlist = py3,pep8,api-ref,docs,genconfig,genpolicy,releasenotes,protection
|
|
ignore_basepython_conflict = true
|
|
|
|
[testenv]
|
|
basepython = python3
|
|
usedevelop = True
|
|
setenv =
|
|
PYTHONDONTWRITEBYTECODE=1
|
|
# TODO(stephenfin): Remove once we bump our upper-constraint to SQLAlchemy 2.0
|
|
SQLALCHEMY_WARN_20=1
|
|
deps =
|
|
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
|
|
-r{toxinidir}/test-requirements.txt
|
|
.[ldap,memcache,mongodb]
|
|
commands =
|
|
stestr run {posargs}
|
|
allowlist_externals =
|
|
bash
|
|
passenv = http_proxy,HTTP_PROXY,https_proxy,HTTPS_PROXY,no_proxy,NO_PROXY,PBR_VERSION
|
|
|
|
[testenv:pep8]
|
|
deps =
|
|
.[bandit]
|
|
{[testenv]deps}
|
|
commands =
|
|
flake8
|
|
# Run bash8 during pep8 runs to ensure violations are caught by
|
|
# the check and gate queues
|
|
bashate devstack/plugin.sh
|
|
# Run security linter
|
|
bandit -r keystone -x 'keystone/tests/*'
|
|
|
|
[testenv:fast8]
|
|
envdir = {toxworkdir}/pep8
|
|
deps = {[testenv:pep8]deps}
|
|
commands =
|
|
{toxinidir}/tools/fast8.sh
|
|
passenv = FAST8_NUM_COMMITS
|
|
allowlist_externals = {toxinidir}/tools/fast8.sh
|
|
|
|
[testenv:bandit]
|
|
# NOTE(browne): This is required for the integration test job of the bandit
|
|
# project. Please do not remove.
|
|
deps =
|
|
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
|
|
-r{toxinidir}/requirements.txt
|
|
.[bandit]
|
|
commands = bandit -r keystone -x 'keystone/tests/*'
|
|
|
|
[testenv:cover]
|
|
# Also do not run test_coverage_ext tests while gathering coverage as those
|
|
# tests conflict with coverage.
|
|
setenv =
|
|
{[testenv]setenv}
|
|
PYTHON=coverage run --source keystone --parallel-mode
|
|
commands =
|
|
stestr run {posargs}
|
|
coverage combine
|
|
coverage html -d cover
|
|
coverage xml -o cover/coverage.xml
|
|
|
|
[testenv:patch_cover]
|
|
commands =
|
|
bash tools/cover.sh
|
|
|
|
[testenv:venv]
|
|
commands = {posargs}
|
|
|
|
[testenv:debug]
|
|
commands =
|
|
oslo_debug_helper {posargs}
|
|
passenv = KSTEST_*
|
|
|
|
[testenv:functional]
|
|
deps =
|
|
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
|
|
-r{toxinidir}/test-requirements.txt
|
|
setenv = OS_TEST_PATH=./keystone/tests/functional
|
|
commands =
|
|
stestr run {posargs}
|
|
stestr slowest
|
|
passenv = KSTEST_*
|
|
|
|
[flake8]
|
|
filename= *.py,keystone-manage
|
|
show-source = true
|
|
enable-extensions = H203,H904
|
|
# D100: Missing docstring in public module
|
|
# D101: Missing docstring in public class
|
|
# D102: Missing docstring in public method
|
|
# D103: Missing docstring in public function
|
|
# D104: Missing docstring in public package
|
|
# D106: Missing docstring in public nested class
|
|
# D107: Missing docstring in __init__
|
|
# D203: 1 blank line required before class docstring (deprecated in pep257)
|
|
# D401: First line should be in imperative mood; try rephrasing
|
|
# E402: module level import not at top of file
|
|
# H211: Use assert{Is,IsNot}instance
|
|
# H214: Use assertIn/NotIn(A, B) rather than assertTrue/False(A in/not in B) when checking collection contents.
|
|
# W503: line break before binary operator
|
|
# W504: line break after binary operator
|
|
ignore = D100,D101,D102,D103,D104,D106,D107,D203,D401,E402,H211,H214,W503,W504
|
|
exclude = .venv,.git,.tox,build,dist,*lib/python*,*egg,tools,vendor,.update-venv,*.ini,*.po,*.pot
|
|
max-complexity = 24
|
|
per-file-ignores =
|
|
# URL lines too long
|
|
keystone/common/password_hashing.py: E501
|
|
|
|
[testenv:docs]
|
|
deps =
|
|
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
|
|
-r{toxinidir}/doc/requirements.txt
|
|
.[ldap,memcache,mongodb]
|
|
commands=
|
|
bash -c "rm -rf doc/build"
|
|
bash -c "rm -rf doc/source/api"
|
|
sphinx-build -W -b html -d doc/build/doctrees doc/source doc/build/html
|
|
|
|
# FIXME(gyee): we need to pre-create the doc/build/pdf/_static directory as a
|
|
# workaround because sphinx_feature_classification.support_matrix extension
|
|
# is operating under the assumption that the _static directory already exist
|
|
# and trying to copy support-matrix.css into it. We need to remove
|
|
# the workaround after this patch has merged:
|
|
# https://review.opendev.org/#/c/679860
|
|
[testenv:pdf-docs]
|
|
envdir = {toxworkdir}/docs
|
|
deps = {[testenv:docs]deps}
|
|
allowlist_externals =
|
|
make
|
|
mkdir
|
|
rm
|
|
commands =
|
|
rm -rf doc/build/pdf
|
|
mkdir -p doc/build/pdf/_static
|
|
sphinx-build -W -b latex doc/source doc/build/pdf
|
|
make -C doc/build/pdf
|
|
|
|
[testenv:releasenotes]
|
|
envdir = {toxworkdir}/docs
|
|
deps = {[testenv:docs]deps}
|
|
commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
|
|
|
|
[testenv:api-ref]
|
|
envdir = {toxworkdir}/docs
|
|
deps = {[testenv:docs]deps}
|
|
commands =
|
|
bash -c "rm -rf api-ref/build"
|
|
sphinx-build -W -b html -d api-ref/build/doctrees api-ref/source api-ref/build/html
|
|
|
|
[testenv:genconfig]
|
|
commands = oslo-config-generator --config-file=config-generator/keystone.conf
|
|
|
|
[testenv:genpolicy]
|
|
commands = oslopolicy-sample-generator --config-file config-generator/keystone-policy-generator.conf
|
|
|
|
[hacking]
|
|
import_exceptions =
|
|
keystone.i18n
|
|
|
|
[flake8:local-plugins]
|
|
extension =
|
|
K001 = checks:CheckForMutableDefaultArgs
|
|
K002 = checks:block_comments_begin_with_a_space
|
|
K005 = checks:CheckForTranslationIssues
|
|
K008 = checks:dict_constructor_with_sequence_copy
|
|
paths = ./keystone/tests/hacking
|
|
|
|
[testenv:bindep]
|
|
# Do not install any requirements. We want this to be fast and work even if
|
|
# system dependencies are missing, since it's used to tell you what system
|
|
# dependencies are missing! This also means that bindep must be installed
|
|
# separately, outside of the requirements files.
|
|
deps = bindep
|
|
commands = bindep test
|
|
|
|
[testenv:protection]
|
|
commands =
|
|
stestr run --test-path=./keystone/tests/protection {posargs}
|