Diffstat (limited to 'keystone-moon/keystone/trust')
-rw-r--r--keystone-moon/keystone/trust/backends/sql.py7
-rw-r--r--keystone-moon/keystone/trust/controllers.py39
-rw-r--r--keystone-moon/keystone/trust/core.py28
-rw-r--r--keystone-moon/keystone/trust/schema.py7
4 files changed, 38 insertions, 43 deletions
diff --git a/keystone-moon/keystone/trust/backends/sql.py b/keystone-moon/keystone/trust/backends/sql.py
index 4f5ee2e5..95b18d40 100644
--- a/keystone-moon/keystone/trust/backends/sql.py
+++ b/keystone-moon/keystone/trust/backends/sql.py
@@ -16,6 +16,7 @@ import time
from oslo_log import log
from oslo_utils import timeutils
+from six.moves import range
from keystone.common import sql
from keystone import exception
@@ -135,15 +136,15 @@ class Trust(trust.Driver):
query = query.filter_by(deleted_at=None)
ref = query.first()
if ref is None:
- return None
+ raise exception.TrustNotFound(trust_id=trust_id)
if ref.expires_at is not None and not deleted:
now = timeutils.utcnow()
if now > ref.expires_at:
- return None
+ raise exception.TrustNotFound(trust_id=trust_id)
# Do not return trusts that can't be used anymore
if ref.remaining_uses is not None and not deleted:
if ref.remaining_uses <= 0:
- return None
+ raise exception.TrustNotFound(trust_id=trust_id)
trust_dict = ref.to_dict()
self._add_roles(trust_id, session, trust_dict)
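Review bot: The driver's `get_trust` changes its contract from "return None" to "raise TrustNotFound", but nothing in this hunk documents that, and the `def` line (above the hunk) is where callers will look; the method needs a docstring stating that it raises `exception.TrustNotFound` for a missing trust and, unless `deleted` is true, also for an expired trust or one with no remaining uses, so callers that pass `deleted=True` know they get back trusts that must not be used for authorization. The three identical `raise exception.TrustNotFound(trust_id=trust_id)` lines could be folded into one raise behind a single "not usable" condition, which also keeps the expiry and remaining-uses rules in one place. The abstract `Driver.get_trust` in core.py is not touched by the core.py hunks shown here, so its docstring presumably still describes the old None return and should be updated in the same change.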
diff --git a/keystone-moon/keystone/trust/controllers.py b/keystone-moon/keystone/trust/controllers.py
index 60e34ccd..39cf0110 100644
--- a/keystone-moon/keystone/trust/controllers.py
+++ b/keystone-moon/keystone/trust/controllers.py
@@ -16,18 +16,18 @@ import uuid
from oslo_config import cfg
from oslo_log import log
+from oslo_log import versionutils
from oslo_utils import timeutils
import six
from keystone import assignment
from keystone.common import controller
from keystone.common import dependency
+from keystone.common import utils
from keystone.common import validation
from keystone import exception
from keystone.i18n import _
-from keystone.models import token_model
from keystone import notifications
-from keystone.openstack.common import versionutils
from keystone.trust import schema
@@ -63,19 +63,15 @@ class TrustV3(controller.V3Controller):
return super(TrustV3, cls).base_url(context, path=path)
def _get_user_id(self, context):
- if 'token_id' in context:
- token_id = context['token_id']
- token_data = self.token_provider_api.validate_token(token_id)
- token_ref = token_model.KeystoneToken(token_id=token_id,
- token_data=token_data)
- return token_ref.user_id
- return None
+ try:
+ token_ref = utils.get_token_ref(context)
+ except exception.Unauthorized:
+ return None
+ return token_ref.user_id
def get_trust(self, context, trust_id):
user_id = self._get_user_id(context)
trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
_trustor_trustee_only(trust, user_id)
self._fill_in_roles(context, trust,
self.role_api.list_roles())
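Review bot: `_get_user_id` now turns any `exception.Unauthorized` raised by `utils.get_token_ref` into `None`, so a request carrying an invalid or expired token is handled exactly like one carrying no token, and `get_trust` goes on to call `_trustor_trustee_only(trust, None)`. The replaced code returned `None` only when `token_id` was absent from the context and let a failing `validate_token` propagate, so this widens the set of requests that reach the trustor/trustee check with an anonymous user. Unless `get_token_ref` raises `Unauthorized` solely for the missing-token case (not visible here), the except should be narrowed to that case or the intent recorded, e.g. `# NOTE: Unauthorized here means no token in context; a token that fails validation must still propagate -- confirm against utils.get_token_ref`. `get_trust` continues past the end of this hunk.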
@@ -83,7 +79,7 @@ class TrustV3(controller.V3Controller):
def _fill_in_roles(self, context, trust, all_roles):
if trust.get('expires_at') is not None:
- trust['expires_at'] = (timeutils.isotime
+ trust['expires_at'] = (utils.isotime
(trust['expires_at'],
subsecond=True))
@@ -126,15 +122,12 @@ class TrustV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.trust_create, 'trust')
- def create_trust(self, context, trust=None):
+ def create_trust(self, context, trust):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
- if not trust:
- raise exception.ValidationError(attribute='trust',
- target='request')
auth_context = context.get('environment',
{}).get('KEYSTONE_AUTH_CONTEXT', {})
@@ -206,15 +199,16 @@ class TrustV3(controller.V3Controller):
if not expiration_date.endswith('Z'):
expiration_date += 'Z'
try:
- return timeutils.parse_isotime(expiration_date)
+ expiration_time = timeutils.parse_isotime(expiration_date)
except ValueError:
raise exception.ValidationTimeStampError()
+ if timeutils.is_older_than(expiration_time, 0):
+ raise exception.ValidationExpirationError()
+ return expiration_time
def _check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
user_id = self._get_user_id(context)
_trustor_trustee_only(trust, user_id)
if not any(role['id'] == role_id for role in trust['roles']):
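Review bot: The new check `timeutils.is_older_than(expiration_time, 0)` rejects only timestamps strictly in the past, so an `expires_at` equal to the current time is accepted and yields a trust that expires immediately; if that is intended it should be stated, otherwise the comparison needs a small positive bound. The enclosing parser function starts above this hunk, and its docstring should list the new failure mode alongside the existing one: `:raises exception.ValidationExpirationError: if expires_at is already in the past`. Note also that because `'Z'` is appended to any value not already ending in `'Z'`, only UTC timestamps can pass `parse_isotime`, which is worth one comment above the `endswith` test.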
@@ -247,7 +241,7 @@ class TrustV3(controller.V3Controller):
if 'roles' in trust:
del trust['roles']
if trust.get('expires_at') is not None:
- trust['expires_at'] = (timeutils.isotime
+ trust['expires_at'] = (utils.isotime
(trust['expires_at'],
subsecond=True))
return TrustV3.wrap_collection(context, trusts)
@@ -255,9 +249,6 @@ class TrustV3(controller.V3Controller):
@controller.protected()
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
-
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
initiator = notifications._get_request_audit_info(context)
@@ -266,8 +257,6 @@ class TrustV3(controller.V3Controller):
@controller.protected()
def list_roles_for_trust(self, context, trust_id):
trust = self.get_trust(context, trust_id)['trust']
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
user_id = self._get_user_id(context)
_trustor_trustee_only(trust, user_id)
return {'roles': trust['roles'],
diff --git a/keystone-moon/keystone/trust/core.py b/keystone-moon/keystone/trust/core.py
index de6b6d85..e091ff93 100644
--- a/keystone-moon/keystone/trust/core.py
+++ b/keystone-moon/keystone/trust/core.py
@@ -12,13 +12,14 @@
# License for the specific language governing permissions and limitations
# under the License.
-"""Main entry point into the Identity service."""
+"""Main entry point into the Trust service."""
import abc
from oslo_config import cfg
from oslo_log import log
import six
+from six.moves import zip
from keystone.common import dependency
from keystone.common import manager
@@ -41,6 +42,9 @@ class Manager(manager.Manager):
dynamically calls the backend.
"""
+
+ driver_namespace = 'keystone.trust'
+
_TRUST = "OS-TRUST:trust"
def __init__(self):
@@ -55,9 +59,9 @@ class Manager(manager.Manager):
if not (0 < redelegation_depth <= max_redelegation_count):
raise exception.Forbidden(
_('Remaining redelegation depth of %(redelegation_depth)d'
- ' out of allowed range of [0..%(max_count)d]'),
- redelegation_depth=redelegation_depth,
- max_count=max_redelegation_count)
+ ' out of allowed range of [0..%(max_count)d]') %
+ {'redelegation_depth': redelegation_depth,
+ 'max_count': max_redelegation_count})
# remaining_uses is None
remaining_uses = trust.get('remaining_uses')
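Review bot: The rewritten Forbidden message still says the allowed range is `[0..%(max_count)d]` while the guard two lines above it is `0 < redelegation_depth <= max_redelegation_count`, which rejects a depth of 0; since the commit already reworks this raise, the text should agree with the check, e.g. `' out of allowed range of [1..%(max_count)d]'`. The same pre-formatting change (`_() % {...}` instead of passing kwargs to `Forbidden`) is made in the next hunk of this file, so both messages should be reviewed together. The enclosing method starts outside this hunk.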
@@ -139,13 +143,14 @@ class Manager(manager.Manager):
if requested_count and requested_count > max_redelegation_count:
raise exception.Forbidden(
_('Requested redelegation depth of %(requested_count)d '
- 'is greater than allowed %(max_count)d'),
- requested_count=requested_count,
- max_count=max_redelegation_count)
+ 'is greater than allowed %(max_count)d') %
+ {'requested_count': requested_count,
+ 'max_count': max_redelegation_count})
# Decline remaining_uses
- if 'remaining_uses' in trust:
- exception.ValidationError(_('remaining_uses must not be set '
- 'if redelegation is allowed'))
+ if trust.get('remaining_uses') is not None:
+ raise exception.ValidationError(
+ _('remaining_uses must not be set if redelegation is '
+ 'allowed'))
if redelegated_trust:
trust['redelegated_trust_id'] = redelegated_trust['id']
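Review bot: The old code built the `ValidationError` for `remaining_uses` without raising it, so that check was a no-op; if that version was ever deployed, trusts that allow redelegation and also carry a `remaining_uses` value may already be stored, and readers of such trusts should not assume the invariant this hunk now enforces. A comment next to the new raise would record that, e.g. `# NOTE: earlier releases did not enforce this; persisted trusts may violate it`. The switch from `'remaining_uses' in trust` to `trust.get('remaining_uses') is not None` additionally accepts an explicit `null`, which is consistent only if the request schema declares the field nullable (not visible in this hunk). The enclosing method starts above this hunk.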
@@ -179,9 +184,6 @@ class Manager(manager.Manager):
Recursively remove given and redelegated trusts
"""
trust = self.driver.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id)
-
trusts = self.driver.list_trusts_for_trustor(
trust['trustor_user_id'])
diff --git a/keystone-moon/keystone/trust/schema.py b/keystone-moon/keystone/trust/schema.py
index 087cd1e9..673b786b 100644
--- a/keystone-moon/keystone/trust/schema.py
+++ b/keystone-moon/keystone/trust/schema.py
@@ -15,8 +15,11 @@ from keystone.common.validation import parameter_types
_trust_properties = {
- 'trustor_user_id': parameter_types.id_string,
- 'trustee_user_id': parameter_types.id_string,
+ # NOTE(lbragstad): These are set as external_id_string because they have
+ # the ability to be read as LDAP user identifiers, which could be something
+ # other than uuid.
+ 'trustor_user_id': parameter_types.external_id_string,
+ 'trustee_user_id': parameter_types.external_id_string,
'impersonation': parameter_types.boolean,
'project_id': validation.nullable(parameter_types.id_string),
'remaining_uses': {