aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon
diff options
context:
space:
mode:
authorasteroide <thomas.duval@orange.com>2015-07-24 12:36:12 +0200
committerasteroide <thomas.duval@orange.com>2015-07-24 12:36:12 +0200
commit7348b8effd253c355e998875877a3135817d6eb0 (patch)
tree9e5b38203c99b79b984fd0d4522c8a6f462d700d /keystone-moon
parent5637b139e1696f665263fcfdaf97f8a2b37c5bfb (diff)
add_tenant function in controllers.py nox check if tenant name exist in Keystone
fix some bugs in enforce function and SQL functions Change-Id: Ie760aad146d249fa6d98edbbb64dae732724e756
Diffstat (limited to 'keystone-moon')
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/scope.json2
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/assignment.json2
-rw-r--r--keystone-moon/keystone/contrib/moon/backends/sql.py16
-rw-r--r--keystone-moon/keystone/contrib/moon/controllers.py10
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py120
-rw-r--r--keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py7
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py4
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py4
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py2
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py291
10 files changed, 293 insertions, 165 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json
index 74b1d019..9de90206 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json
@@ -11,7 +11,7 @@
]
},
"object_scopes": {
- "action_id": [
+ "object_id": [
"authz.subjects",
"authz.objects",
"authz.actions",
diff --git a/keystone-moon/examples/moon/policies/policy_root/assignment.json b/keystone-moon/examples/moon/policies/policy_root/assignment.json
index 2852de0c..e849ae13 100644
--- a/keystone-moon/examples/moon/policies/policy_root/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_root/assignment.json
@@ -15,7 +15,7 @@
"object_assignments": {
"object_id": {
"templates": ["templates"],
- "sub_meta_rule_algorithm": ["sub_meta_rule_relations"],
+ "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"],
"aggregation_algorithms": ["aggregation_algorithms"],
"tenants": ["tenants"],
"intra_extensions": ["intra_extensions"],
diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py
index b2e91db0..c2f384bd 100644
--- a/keystone-moon/keystone/contrib/moon/backends/sql.py
+++ b/keystone-moon/keystone/contrib/moon/backends/sql.py
@@ -47,16 +47,12 @@ class Tenant(sql.ModelBase, sql.DictBase):
"""Override parent from_dict() method with a different implementation.
"""
new_d = d.copy()
- uuid = new_d.keys()[0]
- return cls(id=uuid, **new_d[uuid])
+ return cls(**new_d)
def to_dict(self):
"""
"""
- tenant_dict = {}
- for key in ("id", "name", "authz", "admin"):
- tenant_dict[key] = getattr(self, key)
- return tenant_dict
+ return dict(six.iteritems(self))
class SubjectCategory(sql.ModelBase, sql.DictBase):
@@ -334,7 +330,7 @@ class TenantConnector(TenantDriver):
with sql.transaction() as session:
query = session.query(Tenant)
tenants = query.all()
- return {tenant.id: Tenant.to_dict(tenant) for tenant in tenants}
+ return {tenant.id: tenant.tenant for tenant in tenants}
def add_tenant_dict(self, tenant_id, tenant_dict):
with sql.transaction() as session:
@@ -374,9 +370,9 @@ class IntraExtensionConnector(IntraExtensionDriver):
def get_intra_extensions_dict(self):
with sql.transaction() as session:
- query = session.query(IntraExtension.id)
+ query = session.query(IntraExtension)
ref_list = query.all()
- return {_ref.id: _ref.intraextension for _ref in ref_list}
+ return {_ref.id: _ref.intra_extension for _ref in ref_list}
def del_intra_extension(self, intra_extension_id):
with sql.transaction() as session:
@@ -947,7 +943,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
def get_rules_dict(self, intra_extension_id, sub_meta_rule_id):
with sql.transaction() as session:
query = session.query(Rule)
- query = query.filter_by(intra_extension_id=intra_extension_id, id=sub_meta_rule_id)
+ query = query.filter_by(intra_extension_id=intra_extension_id, sub_meta_rule_id=sub_meta_rule_id)
ref_list = query.all()
return {_ref.id: _ref.rule for _ref in ref_list}
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py
index fadc2731..047059d0 100644
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -74,8 +74,10 @@ class Tenants(controller.V3Controller):
@controller.protected()
def add_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get("token_id"))
- # TODO: get tenant name from keystone
+ # Next line will raise an error if tenant doesn't exist
+ k_tenant_dict = self.resource_api.get_project_by_name(kw.get("name", None))
tenant_dict = dict()
+ tenant_dict['id'] = k_tenant_dict['id']
tenant_dict['name'] = kw.get("name", None)
tenant_dict['description'] = kw.get("description", None)
tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id", None)
@@ -97,9 +99,11 @@ class Tenants(controller.V3Controller):
@controller.protected()
def set_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
+ # Next line will raise an error if tenant doesn't exist
+ k_tenant_dict = self.resource_api.get_project(kw.get('id', None))
tenant_id = kw.get('id', None)
tenant_dict = dict()
- tenant_dict['name'] = kw.get("name", None)
+ tenant_dict['name'] = k_tenant_dict.get("name", None)
tenant_dict['description'] = kw.get("description", None)
tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id", None)
tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id", None)
@@ -162,7 +166,7 @@ class IntraExtensions(controller.V3Controller):
intra_extension_dict["aggregation_algorithm"] = kw.get("intra_extension_aggregation_algorithm", dict())
intra_extension_dict["sub_meta_rules"] = kw.get("intra_extension_sub_meta_rules", dict())
intra_extension_dict["rules"] = kw.get("intra_extension_rules", dict())
- return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict)
+ return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict=intra_extension_dict)
@controller.protected()
def get_intra_extension(self, context, **kw):
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index 03467ca5..e7d606c6 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -62,7 +62,8 @@ CONF.register_opts(_OPTS, group='moon')
def filter_input(func_or_str):
def __filter(string):
- return "".join(re.findall("[\w\-+]*", string))
+ if string:
+ return "".join(re.findall("[\w\-+]*", string))
def wrapped(*args, **kwargs):
_args = []
@@ -70,11 +71,11 @@ def filter_input(func_or_str):
if isinstance(arg, str) or isinstance(arg, unicode):
arg = __filter(arg)
elif isinstance(arg, list):
- arg = [__filter(item) for item in arg]
+ arg = [__filter(item) for item in arg]
elif isinstance(arg, tuple):
- arg = (__filter(item) for item in arg)
+ arg = (__filter(item) for item in arg)
elif isinstance(arg, dict):
- arg = {item: __filter(arg[item]) for item in arg.keys()}
+ arg = {item: __filter(arg[item]) for item in arg.keys()}
_args.append(arg)
for arg in kwargs:
if type(kwargs[arg]) in (unicode, str):
@@ -82,11 +83,11 @@ def filter_input(func_or_str):
if isinstance(kwargs[arg], str) or isinstance(kwargs[arg], unicode):
kwargs[arg] = __filter(kwargs[arg])
elif isinstance(kwargs[arg], list):
- kwargs[arg] = [__filter(item) for item in kwargs[arg]]
+ kwargs[arg] = [__filter(item) for item in kwargs[arg]]
elif isinstance(kwargs[arg], tuple):
- kwargs[arg] = (__filter(item) for item in kwargs[arg])
+ kwargs[arg] = (__filter(item) for item in kwargs[arg])
elif isinstance(kwargs[arg], dict):
- kwargs[arg] = {item: __filter(kwargs[arg][item]) for item in kwargs[arg].keys()}
+ kwargs[arg] = {item: __filter(kwargs[arg][item]) for item in kwargs[arg].keys()}
return func_or_str(*_args, **kwargs)
if isinstance(func_or_str, str) or isinstance(func_or_str, unicode):
@@ -107,30 +108,41 @@ def enforce(action_names, object_name, **extra):
_object_name = object_name
def wrap(func):
- def wrapped(*args):
- # global actions
+
+ def wrapped(*args, **kwargs):
self = args[0]
- user_id = args[1]
+ try:
+ user_id = args[1]
+ except IndexError:
+ user_id = kwargs['user_id']
+ intra_extension_id = None
intra_admin_extension_id = None
+ if user_id == ADMIN_ID:
+ # TODO: check if there is no security hole here
+ return func(*args, **kwargs)
+
try:
intra_extension_id = args[2]
- except:
- intra_admin_extension_id = ROOT_EXTENSION_ID
+ except IndexError:
+ if 'intra_extension_id' in kwargs:
+ intra_extension_id = kwargs['intra_extension_id']
+ else:
+ intra_admin_extension_id = ROOT_EXTENSION_ID
- intra_extensions_dict = self.admin_api.get_intra_extensions(ADMIN_ID)
+ intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict()
if intra_extension_id not in intra_extensions_dict:
raise IntraExtensionUnknown()
- tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
+ tenants_dict = self.tenant_api.driver.get_tenants_dict(ADMIN_ID)
for _tenant_id in tenants_dict:
if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \
tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id:
intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id']
if not intra_admin_extension_id:
- args[0].moonlog_api.warning("No Intra_Admin_Extension found, authorization granted by default.")
- return func(*args)
+ self.moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.")
+ return func(*args, **kwargs)
else:
- objects_dict = self.admin_api.get_objects_dict(ADMIN_ID, intra_admin_extension_id)
+ objects_dict = self.admin_api.driver.get_objects_dict(ADMIN_ID, intra_admin_extension_id)
object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name
object_id = None
for _object_id in objects_dict:
@@ -141,7 +153,7 @@ def enforce(action_names, object_name, **extra):
action_name_list = (_action_name_list, )
else:
action_name_list = _action_name_list
- actions_dict = self.admin_api.get_actions_dict(ADMIN_ID, intra_admin_extension_id)
+ actions_dict = self.admin_api.driver.get_actions_dict(ADMIN_ID, intra_admin_extension_id)
action_id_list = list()
for _action_name in action_name_list:
for _action_id in actions_dict:
@@ -157,7 +169,7 @@ def enforce(action_names, object_name, **extra):
authz_result = False
break
if authz_result:
- return func(*args)
+ return func(*args, **kwargs)
return wrapped
return wrap
@@ -217,14 +229,14 @@ class ConfigurationManager(manager.Manager):
return sub_meta_rule_algorithm_id
return None
-
@dependency.provider('tenant_api')
-@dependency.requires('moonlog_api')
+@dependency.requires('moonlog_api', 'admin_api')
class TenantManager(manager.Manager):
def __init__(self):
super(TenantManager, self).__init__(CONF.moon.tenant_driver)
+ @filter_input
@enforce("read", "tenants")
def get_tenants_dict(self, user_id):
"""
@@ -242,17 +254,20 @@ class TenantManager(manager.Manager):
"""
return self.driver.get_tenants_dict()
+ @filter_input
@enforce(("read", "write"), "tenants")
def add_tenant_dict(self, user_id, tenant_dict):
tenants_dict = self.driver.get_tenants_dict()
for tenant_id in tenants_dict:
- if tenants_dict[tenant_id]['name'] is tenant_dict['name']:
+ print(tenants_dict[tenant_id])
+ print(tenant_dict)
+ if tenants_dict[tenant_id]['name'] == tenant_dict['name']:
raise TenantAddedNameExisting()
# Sync users between intra_authz_extension and intra_admin_extension
if tenant_dict['intra_admin_extension']:
if not tenant_dict['intra_authz_extension']:
- raise TenantNoIntraAuthzExtension
+ raise TenantNoIntraAuthzExtension()
else:
authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
@@ -262,8 +277,10 @@ class TenantManager(manager.Manager):
for _subject_id in admin_subjects_dict:
if _subject_id not in authz_subjects_dict:
self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
- return self.driver.add_tenant_dict(uuid4().hex, tenant_dict)
+ return self.driver.add_tenant_dict(tenant_dict['id'], tenant_dict)
+
+ @filter_input
@enforce("read", "tenants")
def get_tenant_dict(self, user_id, tenant_id):
tenants_dict = self.driver.get_tenants_dict()
@@ -271,12 +288,14 @@ class TenantManager(manager.Manager):
raise TenantUnknown()
return tenants_dict[tenant_id]
+ @filter_input
@enforce(("read", "write"), "tenants")
def del_tenant(self, user_id, tenant_id):
if tenant_id not in self.driver.get_tenants_dict():
raise TenantUnknown()
self.driver.del_tenant(tenant_id)
+ @filter_input
@enforce(("read", "write"), "tenants")
def set_tenant_dict(self, user_id, tenant_id, tenant_dict):
tenants_dict = self.driver.get_tenants_dict()
@@ -296,6 +315,7 @@ class TenantManager(manager.Manager):
for _subject_id in admin_subjects_dict:
if _subject_id not in authz_subjects_dict:
self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
+
return self.driver.set_tenant_dict(tenant_id, tenant_dict)
@@ -455,9 +475,12 @@ class IntraExtensionManager(manager.Manager):
subject_dict = dict()
# We suppose that all subjects can be mapped to a true user in Keystone
for _subject in json_perimeter['subjects']:
- user = self.identity_api.get_user_by_name(_subject, "default")
- subject_dict[user["id"]] = user
- self.driver.set_subject_dict(intra_extension_dict["id"], user["id"], user)
+ keystone_user = self.identity_api.get_user_by_name(_subject, "default")
+ subject_id = uuid4().hex
+ subject_dict[subject_id] = keystone_user
+ subject_dict[subject_id]['keystone_id'] = keystone_user["id"]
+ subject_dict[subject_id]['keystone_name'] = keystone_user["name"]
+ self.driver.set_subject_dict(intra_extension_dict["id"], subject_id, subject_dict[subject_id])
intra_extension_dict["subjects"] = subject_dict
# Copy all values for objects and actions
@@ -655,8 +678,8 @@ class IntraExtensionManager(manager.Manager):
else:
# if value doesn't exist add a default value
subrule.append(True)
- rules[sub_rule_id].append(subrule)
- self.driver.set_rule_dict(intra_extension_dict["id"], sub_rule_id, uuid4().hex, rules)
+ # rules[sub_rule_id].append(subrule)
+ self.driver.set_rule_dict(intra_extension_dict["id"], sub_rule_id, uuid4().hex, subrule)
@enforce(("read", "write"), "intra_extensions")
def load_intra_extension_dict(self, user_id, intra_extension_dict):
@@ -859,8 +882,10 @@ class IntraExtensionManager(manager.Manager):
if subjects_dict[subject_id]["name"] is subject_dict['name']:
raise SubjectNameExisting()
# Next line will raise an error if user is not present in Keystone database
- subject_item_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default")
- return self.driver.set_subject_dict(intra_extension_id, subject_item_dict["id"], subject_dict)
+ subject_keystone_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default")
+ subject_dict["keystone_id"] = subject_keystone_dict["id"]
+ subject_dict["keystone_name"] = subject_keystone_dict["name"]
+ return self.driver.set_subject_dict(intra_extension_id, uuid4().hex, subject_dict)
@filter_input
@enforce("read", "subjects")
@@ -890,8 +915,10 @@ class IntraExtensionManager(manager.Manager):
if subjects_dict[subject_id]["name"] is subject_dict['name']:
raise SubjectNameExisting()
# Next line will raise an error if user is not present in Keystone database
- subject_item_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default")
- return self.driver.set_subject_dict(intra_extension_id, subject_item_dict["id"], subject_dict)
+ subject_keystone_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default")
+ subject_dict["keystone_id"] = subject_keystone_dict["id"]
+ subject_dict["keystone_name"] = subject_keystone_dict["name"]
+ return self.driver.set_subject_dict(intra_extension_id, subject_dict["id"], subject_dict)
@filter_input
@enforce("read", "objects")
@@ -1490,7 +1517,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
subjects_dict = self.driver.get_subjects_dict(intra_extension_id)
subject_id = None
for _subject_id in subjects_dict:
- if subjects_dict[_subject_id]['name'] is subject_name:
+ if subjects_dict[_subject_id]['keystone_name'] is subject_name:
subject_id = _subject_id
if not subject_id:
raise SubjectUnknown()
@@ -1563,6 +1590,8 @@ class IntraExtensionAdminManager(IntraExtensionManager):
@dependency.provider('moonlog_api')
+# Next line is mandatory in order to force keystone to process dependencies.
+@dependency.requires('admin_api')
class LogManager(manager.Manager):
def __init__(self):
@@ -1699,32 +1728,32 @@ class IntraExtensionDriver(object):
data_values = self.get_subjects_dict(intra_extension_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise SubjectUnknown()
+ raise SubjectUnknown("{} / {}".format(name, data_values))
elif data_name == self.OBJECT:
data_values = self.get_objects_dict(intra_extension_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise ObjectUnknown()
+ raise ObjectUnknown("{} / {}".format(name, data_values))
elif data_name == self.ACTION:
data_values = self.get_actions_dict(intra_extension_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise ActionUnknown()
+ raise ActionUnknown("{} / {}".format(name, data_values))
elif data_name == self.SUBJECT_CATEGORY:
data_values = self.get_subject_categories_dict(intra_extension_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise SubjectCategoryUnknown()
+ raise SubjectCategoryUnknown("{} / {}".format(name, data_values))
elif data_name == self.OBJECT_CATEGORY:
data_values = self.get_object_categories_dict(intra_extension_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise ObjectCategoryUnknown()
+ raise ObjectCategoryUnknown("{} / {}".format(name, data_values))
elif data_name == self.ACTION_CATEGORY:
data_values = self.get_action_categories_dict(intra_extension_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise ActionCategoryUnknown()
+ raise ActionCategoryUnknown("{} / {}".format(name, data_values))
elif data_name == self.SUBJECT_SCOPE:
if not category_uuid:
category_uuid = self.get_uuid_from_name(intra_extension_uuid, category_name, self.SUBJECT_CATEGORY)
@@ -1732,7 +1761,7 @@ class IntraExtensionDriver(object):
category_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise SubjectScopeUnknown()
+ raise SubjectScopeUnknown("{} / {}".format(name, data_values))
elif data_name == self.OBJECT_SCOPE:
if not category_uuid:
category_uuid = self.get_uuid_from_name(intra_extension_uuid, category_name, self.OBJECT_CATEGORY)
@@ -1740,7 +1769,7 @@ class IntraExtensionDriver(object):
category_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise ObjectScopeUnknown()
+ raise ObjectScopeUnknown("{} / {}".format(name, data_values))
elif data_name == self.ACTION_SCOPE:
if not category_uuid:
category_uuid = self.get_uuid_from_name(intra_extension_uuid, category_name, self.ACTION_CATEGORY)
@@ -1748,14 +1777,12 @@ class IntraExtensionDriver(object):
category_uuid)
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise ActionScopeUnknown()
+ raise ActionScopeUnknown("{} / {}".format(name, data_values))
elif data_name == self.SUB_META_RULE:
data_values = self.get_sub_meta_rules_dict(intra_extension_uuid)
- print("name = {}".format(name))
- print("data_values = {}".format(data_values))
if (name and name not in extract_name(data_values)) or \
(uuid and uuid not in data_values.keys()):
- raise SubMetaRuleUnknown()
+ raise SubMetaRuleUnknown("{} / {}".format(name, data_values))
# if data_name in (
# self.SUBJECT_SCOPE,
# self.OBJECT_SCOPE,
@@ -1774,7 +1801,6 @@ class IntraExtensionDriver(object):
category_name=category_name,
category_uuid=category_uuid,
)
- print("get_uuid_from_name {}".format(data_values))
return filter(lambda v: v[1]["name"] == name, data_values.iteritems())[0][0]
def get_name_from_uuid(self, intra_extension_uuid, uuid, data_name, category_name=None, category_uuid=None):
diff --git a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
index 352b69ac..af4d80bb 100644
--- a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
+++ b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
@@ -3,6 +3,7 @@
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+from uuid import uuid4
import sqlalchemy as sql
from keystone.common import sql as k_sql
@@ -20,6 +21,12 @@ def upgrade(migrate_engine):
mysql_charset='utf8')
intra_extension_table.create(migrate_engine, checkfirst=True)
+ intra_extension_table.insert().values(id=uuid4().hex, intra_extension={
+ 'name': "Root Extension",
+ 'description': "The root intra extension",
+ 'model': 'admin'
+ })
+
tenant_table = sql.Table(
'tenants',
meta,
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py
index 5a1f71e6..97442228 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py
@@ -66,7 +66,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase):
#self.admin = self.identity_api.create_user(USER)
IE["policymodel"] = policy_model
IE["name"] = uuid.uuid4().hex
- self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, IE)
+ self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE)
self.assertIsInstance(self.ref, dict)
self.create_tenant(self.ref["id"])
@@ -1311,7 +1311,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase):
IE["policymodel"] = policy_model
IE["name"] = uuid.uuid4().hex
- ref = self.admin_manager.load_intra_extension_dict(DEFAULT_USER_ID, IE)
+ ref = self.admin_manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE)
self.assertIsInstance(ref, dict)
return ref
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py
index e397157f..0e22a1b4 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py
@@ -15,7 +15,7 @@ from keystone.tests.unit.ksfixtures import database
from keystone import resource
from keystone.contrib.moon.exception import *
from keystone.tests.unit import default_fixtures
-from keystone.contrib.moon.core import LogManager, TenantManager
+from keystone.contrib.moon.core import LogManager, TenantManager, ADMIN_ID
CONF = cfg.CONF
@@ -89,7 +89,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
IE["model"] = policy_model
IE["name"] = uuid.uuid4().hex
- ref = self.admin_manager.load_intra_extension_dict(DEFAULT_USER_ID, IE)
+ ref = self.admin_manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE)
self.assertIsInstance(ref, dict)
return ref
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py
index b2fb131f..aa584a65 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py
@@ -68,7 +68,7 @@ class TestIntraExtensionAdminManager(tests.TestCase):
# Create the admin user because IntraExtension needs it
self.admin = self.identity_api.create_user(USER_ADMIN)
IE["policymodel"] = policy_model
- self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, IE)
+ self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE)
self.assertIsInstance(self.ref, dict)
self.create_tenant(self.ref["id"])
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py
index dda1cac8..a0bf9392 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py
@@ -13,10 +13,23 @@ from keystone.tests.unit.ksfixtures import database
from keystone.contrib.moon.exception import *
from keystone.tests.unit import default_fixtures
from keystone.contrib.moon.core import LogManager
+from keystone.contrib.moon.core import ADMIN_ID
+from keystone.common import dependency
-CONF = cfg.CONF
+CONF = cfg.CONF
+USER = {
+ 'name': 'admin',
+ 'domain_id': "default",
+ 'password': 'admin'
+}
+IE = {
+ "name": "test IE",
+ "policymodel": "policy_authz",
+ "description": "a simple description."
+}
+@dependency.requires('admin_api')
class TestTenantManager(tests.TestCase):
def setUp(self):
@@ -24,7 +37,10 @@ class TestTenantManager(tests.TestCase):
super(TestTenantManager, self).setUp()
self.load_backends()
self.load_fixtures(default_fixtures)
+ self.admin = self.create_user(username="admin")
+ self.demo = self.create_user(username="demo")
self.manager = TenantManager()
+ self.root_intra_extension = self.create_intra_extension(policy_model="policy_root")
def load_extra_backends(self):
return {
@@ -36,129 +52,208 @@ class TestTenantManager(tests.TestCase):
self.config_fixture.config(
group='moon',
tenant_driver='keystone.contrib.moon.backends.sql.TenantConnector')
+ self.policy_directory = 'examples/moon/policies'
+ self.config_fixture.config(
+ group='moon',
+ intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector')
+ self.config_fixture.config(
+ group='moon',
+ policy_directory=self.policy_directory)
+
+ def create_user(self, username="admin"):
+
+ _USER = dict(USER)
+ _USER["name"] = username
+ return self.identity_api.create_user(_USER)
+
+ def create_intra_extension(self, policy_model="policy_authz"):
+
+ IE["model"] = policy_model
+ IE["name"] = uuid.uuid4().hex
+ genre = "admin"
+ if "authz" in policy_model:
+ genre = "authz"
+ IE["genre"] = genre
+ ref = self.admin_api.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE)
+ self.assertIsInstance(ref, dict)
+ return ref
def test_add_tenant(self):
- _uuid = uuid.uuid4().hex
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
new_mapping = {
- _uuid: {
- "name": uuid.uuid4().hex,
- "authz": uuid.uuid4().hex,
- "admin": uuid.uuid4().hex,
- }
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
}
- data = self.manager.set_tenant_dict(
- tenant_id=_uuid,
- tenant_name=new_mapping[_uuid]["name"],
- intra_authz_ext_id=new_mapping[_uuid]["authz"],
- intra_admin_ext_id=new_mapping[_uuid]["admin"]
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
)
- self.assertEquals(_uuid, data["id"])
- self.assertEquals(data["name"], new_mapping[_uuid]["name"])
- self.assertEquals(data["authz"], new_mapping[_uuid]["authz"])
- self.assertEquals(data["admin"], new_mapping[_uuid]["admin"])
- data = self.manager.get_tenants_dict()
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
self.assertNotEqual(data, {})
- data = self.manager.get_tenant_uuid(new_mapping[_uuid]["authz"])
- self.assertEquals(_uuid, data)
- data = self.manager.get_tenant_uuid(new_mapping[_uuid]["admin"])
- self.assertEquals(_uuid, data)
- data = self.manager.get_admin_extension_uuid(new_mapping[_uuid]["authz"])
- self.assertEquals(new_mapping[_uuid]["admin"], data)
+ data = self.admin_api.get_intra_extension_dict(ADMIN_ID, new_mapping["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data["id"])
+ data = self.admin_api.get_intra_extension_dict(ADMIN_ID, new_mapping["intra_admin_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data["id"])
def test_del_tenant(self):
- _uuid = uuid.uuid4().hex
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
new_mapping = {
- _uuid: {
- "name": uuid.uuid4().hex,
- "authz": uuid.uuid4().hex,
- "admin": uuid.uuid4().hex,
- }
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
}
- data = self.manager.set_tenant_dict(
- tenant_id=_uuid,
- tenant_name=new_mapping[_uuid]["name"],
- intra_authz_ext_id=new_mapping[_uuid]["authz"],
- intra_admin_ext_id=new_mapping[_uuid]["admin"]
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
)
- self.assertEquals(_uuid, data["id"])
- self.assertEquals(data["name"], new_mapping[_uuid]["name"])
- self.assertEquals(data["authz"], new_mapping[_uuid]["authz"])
- self.assertEquals(data["admin"], new_mapping[_uuid]["admin"])
- data = self.manager.get_tenants_dict()
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
self.assertNotEqual(data, {})
- self.manager.delete(new_mapping[_uuid]["authz"])
- data = self.manager.get_tenants_dict()
+ self.manager.del_tenant(ADMIN_ID, new_mapping["id"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
self.assertEqual(data, {})
def test_set_tenant_name(self):
- _uuid = uuid.uuid4().hex
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
new_mapping = {
- _uuid: {
- "name": uuid.uuid4().hex,
- "authz": uuid.uuid4().hex,
- "admin": uuid.uuid4().hex,
- }
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
}
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
+ )
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
+ self.assertNotEqual(data, {})
+
+ new_mapping["name"] = "demo2"
data = self.manager.set_tenant_dict(
- tenant_id=_uuid,
- tenant_name=new_mapping[_uuid]["name"],
- intra_authz_ext_id=new_mapping[_uuid]["authz"],
- intra_admin_ext_id=new_mapping[_uuid]["admin"]
+ user_id=ADMIN_ID,
+ tenant_id=new_mapping["id"],
+ tenant_dict=new_mapping
)
- self.assertEquals(_uuid, data["id"])
- self.assertEquals(data["name"], new_mapping[_uuid]["name"])
- data = self.manager.set_tenant_name(_uuid, "new name")
- self.assertEquals(_uuid, data["id"])
- self.assertEquals(data["name"], "new name")
- data = self.manager.get_tenant_name_from_id(_uuid)
- self.assertEquals(data, "new name")
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
def test_get_tenant_intra_extension_id(self):
- _uuid = uuid.uuid4().hex
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
new_mapping = {
- _uuid: {
- "name": uuid.uuid4().hex,
- "authz": uuid.uuid4().hex,
- "admin": uuid.uuid4().hex,
- }
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
}
- data = self.manager.set_tenant_dict(
- tenant_id=_uuid,
- tenant_name=new_mapping[_uuid]["name"],
- intra_authz_ext_id=new_mapping[_uuid]["authz"],
- intra_admin_ext_id=new_mapping[_uuid]["admin"]
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
)
- self.assertEquals(_uuid, data["id"])
- data = self.manager.get_extension_id(_uuid)
- self.assertEqual(data, new_mapping[_uuid]["authz"])
- data = self.manager.get_extension_id(_uuid, "admin")
- self.assertEqual(data, new_mapping[_uuid]["admin"])
-
- def test_exception_tenantunknown(self):
- self.assertRaises(TenantNotFound, self.manager.get_tenant_name_from_id, uuid.uuid4().hex)
- self.assertRaises(TenantNotFound, self.manager.set_tenant_name, uuid.uuid4().hex, "new name")
- self.assertRaises(TenantNotFound, self.manager.get_extension_id, uuid.uuid4().hex)
- _uuid = uuid.uuid4().hex
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
+ self.assertNotEqual(data, {})
+
+ def test_exception_tenant_unknown(self):
+ self.assertRaises(TenantUnknown, self.manager.get_tenant_dict, ADMIN_ID, uuid.uuid4().hex)
+ self.assertRaises(TenantUnknown, self.manager.del_tenant, ADMIN_ID, uuid.uuid4().hex)
+ self.assertRaises(TenantUnknown, self.manager.set_tenant_dict, ADMIN_ID, uuid.uuid4().hex, {})
+
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
new_mapping = {
- _uuid: {
- "name": uuid.uuid4().hex,
- "authz": uuid.uuid4().hex,
- "admin": uuid.uuid4().hex,
- }
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
}
- data = self.manager.set_tenant_dict(
- tenant_id=_uuid,
- tenant_name=new_mapping[_uuid]["name"],
- intra_authz_ext_id=new_mapping[_uuid]["authz"],
- intra_admin_ext_id=""
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
+ )
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
+ self.assertNotEqual(data, {})
+
+ self.assertRaises(TenantUnknown, self.manager.get_tenant_dict, ADMIN_ID, uuid.uuid4().hex)
+
+ def test_exception_tenant_added_name_existing(self):
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
+ new_mapping = {
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
+ }
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
)
- self.assertEquals(_uuid, data["id"])
- self.assertRaises(IntraExtensionUnknown, self.manager.get_extension_id, _uuid, "admin")
- self.assertRaises(TenantNotFound, self.manager.get_tenant_uuid, uuid.uuid4().hex)
- # self.assertRaises(AdminIntraExtensionNotFound, self.manager.get_admin_extension_uuid, uuid.uuid4().hex)
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
+ self.assertNotEqual(data, {})
+
+ self.assertRaises(TenantAddedNameExisting, self.manager.add_tenant_dict, ADMIN_ID, new_mapping)
- def test_exception_tenantaddednameexisting(self):
- pass
+ def test_exception_tenant_no_intra_extension(self):
+ authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
+ admin_intra_extension = self.create_intra_extension(policy_model="policy_admin")
+ new_mapping = {
+ "id": uuid.uuid4().hex,
+ "name": "demo",
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension": authz_intra_extension['id'],
+ "intra_admin_extension": admin_intra_extension['id'],
+ }
+ new_mapping['intra_authz_extension'] = None
+ self.assertRaises(TenantNoIntraAuthzExtension, self.manager.add_tenant_dict, ADMIN_ID, new_mapping)
+ new_mapping['intra_authz_extension'] = authz_intra_extension['id']
+ data = self.manager.add_tenant_dict(
+ user_id=ADMIN_ID,
+ tenant_dict=new_mapping
+ )
+ self.assertEquals(new_mapping["id"], data["id"])
+ self.assertEquals(new_mapping["name"], data['tenant']["name"])
+ self.assertEquals(new_mapping["intra_authz_extension"], data['tenant']["intra_authz_extension"])
+ self.assertEquals(new_mapping["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ data = self.manager.get_tenants_dict(ADMIN_ID)
+ self.assertNotEqual(data, {})
- def test_exception_tenantnointraextension(self):
- pass \ No newline at end of file
+ new_mapping['intra_authz_extension'] = None
+ new_mapping['name'] = "demo2"
+ self.assertRaises(TenantNoIntraAuthzExtension, self.manager.set_tenant_dict, ADMIN_ID, new_mapping["id"], new_mapping)