author | asteroide <thomas.duval@orange.com> | 2015-09-01 16:03:26 +0200 |
---|---|---|
committer | asteroide <thomas.duval@orange.com> | 2015-09-01 16:04:53 +0200 |
commit | 92fd2dbfb672d7b2b1cdfd5dd5cf89f7716b3e12 (patch) | |
tree | 7ba22297042019e7363fa1d4ad26d1c32c5908c6 /keystone-moon/keystone/common/controller.py | |
parent | 26e753254f3e43399cc76e62892908b7742415e8 (diff) |
Update Keystone code from official Github repository with branch Master on 09/01/2015.
Change-Id: I0ff6099e6e2580f87f502002a998bbfe12673498
Diffstat (limited to 'keystone-moon/keystone/common/controller.py')
-rw-r--r-- | keystone-moon/keystone/common/controller.py | 98 |
1 files changed, 60 insertions, 38 deletions
diff --git a/keystone-moon/keystone/common/controller.py b/keystone-moon/keystone/common/controller.py index bd26b7c4..bc7074ac 100644 --- a/keystone-moon/keystone/common/controller.py +++ b/keystone-moon/keystone/common/controller.py @@ -17,6 +17,7 @@ import uuid from oslo_config import cfg from oslo_log import log +from oslo_utils import strutils import six from keystone.common import authorization @@ -39,7 +40,7 @@ def v2_deprecated(f): This is a placeholder for the pending deprecation of v2. The implementation of this decorator can be replaced with:: - from keystone.openstack.common import versionutils + from oslo_log import versionutils v2_deprecated = versionutils.deprecated( @@ -52,9 +53,12 @@ def v2_deprecated(f): def _build_policy_check_credentials(self, action, context, kwargs): + kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs]) + kwargs_str = strutils.mask_password(kwargs_str) + LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, - 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) + 'kwargs': kwargs_str}) # see if auth context has already been created. If so use it. if ('environment' in context and @@ -219,7 +223,11 @@ class V2Controller(wsgi.Application): @staticmethod def filter_domain_id(ref): """Remove domain_id since v2 calls are not domain-aware.""" - ref.pop('domain_id', None) + if 'domain_id' in ref: + if ref['domain_id'] != CONF.identity.default_domain_id: + raise exception.Unauthorized( + _('Non-default domain is not supported')) + del ref['domain_id'] return ref @staticmethod 
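Review bot: In `_build_policy_check_credentials`, `strutils.mask_password` redacts values only for the key names it recognises, so any other sensitive value passed in `kwargs` is still written to the debug log unmasked. The call is a best-effort filter rather than a guarantee, and a comment above it should say so: `# mask_password only covers known password-style keys; other kwargs are logged as-is`. The join and the masking pass also run on every policy check even when DEBUG logging is off, because `kwargs_str` is built before `LOG.debug` is reached; wrapping those statements in a log-level check would avoid that cost. The function body continues past the end of the hunk.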
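Review bot: The docstring of `filter_domain_id` still describes a pure strip, but the new body raises `exception.Unauthorized` whenever `ref['domain_id']` differs from `CONF.identity.default_domain_id`. Callers that treated this as a harmless response filter now have an exception path, so the contract should be stated, for example `"""Remove domain_id after verifying it is the default domain; raise Unauthorized otherwise."""`. A ref that carries `domain_id` set to `None` also takes the raise branch, since the test is key presence followed by inequality; it is worth confirming that this is intended.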
@@ -239,6 +247,18 @@ class V2Controller(wsgi.Application): return ref @staticmethod + def filter_project_parent_id(ref): + """Remove parent_id since v2 calls are not hierarchy-aware.""" + ref.pop('parent_id', None) + return ref + + @staticmethod + def filter_is_domain(ref): + """Remove is_domain field since v2 calls are not domain-aware.""" + ref.pop('is_domain', None) + return ref + + @staticmethod def normalize_username_in_response(ref): """Adds username to outgoing user refs to match the v2 spec. @@ -266,9 +286,12 @@ class V2Controller(wsgi.Application): def v3_to_v2_user(ref): """Convert a user_ref from v3 to v2 compatible. - * v2.0 users are not domain aware, and should have domain_id removed - * v2.0 users expect the use of tenantId instead of default_project_id - * v2.0 users have a username attribute + - v2.0 users are not domain aware, and should have domain_id validated + to be the default domain, and then removed. + + - v2.0 users expect the use of tenantId instead of default_project_id. + + - v2.0 users have a username attribute. This method should only be applied to user_refs being returned from the v2.0 controller(s). 
@@ -304,6 +327,35 @@ class V2Controller(wsgi.Application): else: raise ValueError(_('Expected dict or list: %s') % type(ref)) + @staticmethod + def v3_to_v2_project(ref): + """Convert a project_ref from v3 to v2. + + * v2.0 projects are not domain aware, and should have domain_id removed + * v2.0 projects are not hierarchy aware, and should have parent_id + removed + + This method should only be applied to project_refs being returned from + the v2.0 controller(s). + + If ref is a list type, we will iterate through each element and do the + conversion. + """ + + def _filter_project_properties(ref): + """Run through the various filter methods.""" + V2Controller.filter_domain_id(ref) + V2Controller.filter_project_parent_id(ref) + V2Controller.filter_is_domain(ref) + return ref + + if isinstance(ref, dict): + return _filter_project_properties(ref) + elif isinstance(ref, list): + return [_filter_project_properties(x) for x in ref] + else: + raise ValueError(_('Expected dict or list: %s') % type(ref)) + def format_project_list(self, tenant_refs, **kwargs): """Format a v2 style project list, including marker/limits.""" marker = kwargs.get('marker') @@ -656,19 +708,7 @@ class V3Controller(wsgi.Application): if context['query_string'].get('domain_id') is not None: return context['query_string'].get('domain_id') - try: - token_ref = token_model.KeystoneToken( - token_id=context['token_id'], - token_data=self.token_provider_api.validate_token( - context['token_id'])) - except KeyError: - raise exception.ValidationError( - _('domain_id is required as part of entity')) - except (exception.TokenNotFound, - exception.UnsupportedTokenVersionException): - LOG.warning(_LW('Invalid token found while getting domain ID ' - 'for list request')) - raise exception.Unauthorized() + token_ref = utils.get_token_ref(context) if token_ref.domain_scoped: return token_ref.domain_id 
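Review bot: The list branch of `v3_to_v2_project` calls `filter_domain_id` on every element, and as changed in this same commit that helper raises `exception.Unauthorized` for a non-default `domain_id`, so a single project from another domain turns the whole list response into an error instead of dropping that entry. The refs are mutated in place, so elements converted before the raise have already lost their fields. The docstring says domain_id is "removed" and does not mention `is_domain`; it should describe the validation and add a line such as `Raises Unauthorized if any ref belongs to a non-default domain.` Callers presumably need to restrict the input to the default domain before calling this.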
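Review bot: Both replaced `try`/`except` blocks (the `-656,19` hunk here and the following `-685,25` hunk) mapped a missing `context['token_id']` to `exception.ValidationError` with two different messages, and an unknown or unsupported token to `exception.Unauthorized`; after this change that mapping lives entirely in `utils.get_token_ref`, which is not shown. Please confirm the helper still raises `Unauthorized` for `TokenNotFound` and `UnsupportedTokenVersionException`, because these callers go straight on to `token_ref.domain_scoped` and rely on it to reject bad tokens. The removed comment about the admin-token case was the only explanation of the `KeyError` path; once verified, a one-line comment such as `# get_token_ref raises if the context carries no valid token (e.g. the admin token)` would preserve it. The enclosing methods start outside both hunks.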
@@ -685,25 +725,7 @@ class V3Controller(wsgi.Application): being used. """ - # We could make this more efficient by loading the domain_id - # into the context in the wrapper function above (since - # this version of normalize_domain will only be called inside - # a v3 protected call). However, this optimization is probably not - # worth the duplication of state - try: - token_ref = token_model.KeystoneToken( - token_id=context['token_id'], - token_data=self.token_provider_api.validate_token( - context['token_id'])) - except KeyError: - # This might happen if we use the Admin token, for instance - raise exception.ValidationError( - _('A domain-scoped token must be used')) - except (exception.TokenNotFound, - exception.UnsupportedTokenVersionException): - LOG.warning(_LW('Invalid token found while getting domain ID ' - 'for list request')) - raise exception.Unauthorized() + token_ref = utils.get_token_ref(context) if token_ref.domain_scoped: return token_ref.domain_id |