Currently tox ignores D202 and D203.
D202: No blank lines allowed after function docstring.
D203: 1 blank required before class docstring.
This change removes D202 and D203 ignores in tox and fixes violations.
Change-Id: I97ef88c9cfd56774e47f789cbbcf8ccfe85d7737
Currently tox ignores D400.
D400: First line should end with a period.
This change removes it and makes keystoneclient docstrings compliant with it.
Change-Id: I29ecb4c58bb03c0b9a3be0b7a74d18fb06a350f2
Currently tox ignores D401.
D401: First line should be in imperative mood.
This change removes it and makes keystoneclient docstrings compliant with it.
Change-Id: If34ff12d18390b357342cf29f2d116dd3c86a44d
Removing old configuration options for built-in defaults of latest
bandit functionality. Also, marking flagged items with _# nosec_
with a descriptive comment on why the code is acceptable as is.
Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com>
Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com>
Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d
Previously, there was a string of commits to keystone that addressed ignored
hacking checks. This commit does the same for H405 in keystoneclient. This
also modifies our tox.ini so that we no longer ignore H405 violations.
Change-Id: I2af152e5425a0e9c82314039fdbb90d661c22680
Closes-Bug: 1482773
AccessInfo's management_url parameter wasn't properly deprecated
since all it had was a comment in the code. Proper deprecation
requires use of warnings and documentation.
bp deprecations
Change-Id: I0ee07c5adc6a7c91f8b23b291eea76f4ae7b3b89
The audit_id is now a standard part of the v2 and v3 tokens. Expose it
via AccessInfo so that it is usable for services and middleware.
Change-Id: I14ddcfee5434084ad9da73c384e6f456602fdd2b
Closes-Bug: #1437129
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.
DocImpact
Implements: blueprint keystoneclient-i18n
Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
The :returns: directive doesn't take an argument. To specify the
return type, use the :rtype: directive.
Change-Id: I3aaab824792333b3f75a10af92f5b712cc9b4ff6
Some of the docstrings have ``:return:`` instead of ``:returns:``
keyword. This patch fixes that and makes it consistent.
Change-Id: I4321a63798ab9e2abdf0bbd716bf2b995be22ba3
Left timeutils and strutils in openstack/common since they are used in
openstack/common/apiclient and memorycache.
Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
Federated tokens don't include domains in the user object.
Keystoneclient should be able to estimate whether the token is a
federated one and, if so, don't expect user domain information.
In case of the federated token keystoneclient returns None in response
to user_domain_name and user_domain_id calls.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Closes-Bug: #1346820
Change-Id: I3453275fa1b0a41b1c015b0c3a92895a77d69a41
When setting tokens via the factory, v2 and v3 work completely
differently. This is somewhat expected due to tokens working differently
but it makes it hard to work with.
For example, if I have a v3 token but not the requests.Response that
created it there is no way for me to set the token data on the
AccessInfo object via factory.
Also in the case of V2 CMS tokens the value at ['token']['id'] is a fake
so that the signing process will work.
Allow overriding the token value from the factory and force setting the
token id on the AccessInfo in a standard way.
Change-Id: I856096dc5fae2ab0d1bedbac3294dc4976c3f3ad
A trust should always contain a trustee_user_id and a trustor_user_id.
Expose these values via AccessInfo if available.
Change-Id: Ic46a44300e6bf8aa694f1543d470c16fcac643fc
Allow access to the access_token_id and the consumer_id that are set as
part of the Oauth authentication process.
This only makes sense for V3 tokens, as Oauth cannot be used with v2.
Change-Id: I9ac76f92acdfd6446a13f535b24e0a99f02f2eef
issued_at is a standard part of V2 and V3 tokens so add it to
AccessInfo in a similar way to expiry. Also it should be included when
generating tokens so include it in fixtures.
Change-Id: I0d62d8ce6472466886751e10e98046b8e398e079
All the clients are currently storing samples of keystone tokens so that
they can use them in testing. This is bad as they are often out of date
or contain data that they shouldn't.
Create a V2 Token generator and make use of that for generating tokens
within our tests.
Change-Id: I72928692142c967d13391752ba57b3bdf7c1feab
blueprint: share-tokens
A new method was introduced on AccessInfo class. The method role_names
returns a list of role names of a user associated to the authorization
request.
bp keystoneclient-auth-ref-get-roles
DocImpact
Change-Id: I0862aaaa27193119dc83ef38100c88b48a1d24a4
Region name is taken as a parameter but is ignored in all communication
with the service catalog. Currently region can be stored in the token
data and then requests to url functions will return the appropriate
region. This is the wrong approach because there is nothing specific to
the token (or auth_data) that is region specific. Instead region
information should be held by the client.
Closes-Bug: 1147530
Closes-Bug: 1255992
Change-Id: I812aa89c8b4af28e294e63926a7f88e8246fffc5
It should be possible to authenticate against the v2 tokens
API with a trust_id, because it supports rescoping an existing
token to a trust, this patch adds client support for this.
Note with the current keystone code it's necessary to pass the
trustor tenant ID when rescoping with a trust where
impersonation==True, e.g:
    c = client_v2.Client(username=TRUSTEE_USERNAME,
                         password=TRUSTEE_USERNAME,
                         tenant_name=TRUSTEE_TENANT_NAME,
                         auth_url=OS_AUTH_URL_V2)
    c.authenticate(trust_id=trust_i.id, tenant_id=TRUSTOR_TENANT_ID)
Change-Id: I177c41af298b7437e2c6fb437aa9ce9a09773b9d
Closes-Bug: #1231483
Closes-Bug: #1217777
Method has_service_catalog is duplicate in AccessInfo, remove the
first one because this class is used as a base class.
Change-Id: Id5f6f0cfe223bd4f31b7c01a6bc1e750ad5a7cd8
user_domain_id and project_domain_id are already available, so simply
add an equivalent user_domain_name and project_domain_name if available.
The use of 'default' for v2 tokens is inspired from the default behaviour of
similar functions and what is used in auth_token middleware.
Change-Id: Ia9b345529072ab893d04c7a38fb7ba3acdc28227
Older token formats get decoded as a v2 token so we should support
reading project information from these tokens.
Change-Id: I31473a00b294bd0d7b535cfab8d2eaf09db97ff5
Implements client support for the basic trusts API operations,
note this does not include support for the roles subpath operations,
support for those can be added in a subsequent patch.
Change-Id: I0c6ba12bad5cc8f3f10697d2a3dcf4f3be8c7ece
blueprint: delegation-impersonation-support
Added support for domain scoping.
Enhancement on AccessInfo to support reading v2/v3 token information.
Enhancement on ServiceCatalog for reading/filtering v2/v3 service
catalog information.
Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
- E125: continuation line does not distinguish itself from next logical
line
- E126: continuation line over-indented for hanging indent
Change-Id: I626a6d5d57db927e8b239f90569b5601c772f28b
- There's no need to call parent init function since that's the default
behaviour.
- The token attribute is neither used nor updated anywhere.
Change-Id: Ib0b2729a396a2d761931ce0e178c49c49814eb21
Signed-off-by: Julien Danjou <julien@danjou.info>
User can optionally turn off keyring by specifying the --no-cache option.
It can also be disabled with environment variable OS-NO-CACHE.
Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
blueprint solidify-python-api
* extended and updated documentation strings
* updated README.rst with latest options
* made debug a pass-through value, optionally set on client (instead of
just being pulled from environment variable)
* adding AccessInfo object and associated tests
(access.AccessInfo meant to be a cacheable object external to client
and ultimately to replace service_catalog and its existing functionality)
* extending authtoken to support lists of endpoints
* maintaining a single entity for client.management_url with first from
list of possible endpoints
* create project_name and project_id synonyms to match tenant_name and
tenant_id
* replacing authenticate call to a pure method, not overloading the
resource/manager path that confuses base URL concepts.
* throw AuthorizationFailure if client attempts to access keystone
resources before it has a management url
* special case listing tenant using auth_url for unscoped tokens authorized
through client
* special case listing tokens.authenticate for Dashboard to allow unscoped
tokens to hand back parity information to dashboard
Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3