Diffstat (limited to 'keystone-moon/keystone/trust')
-rw-r--r-- | keystone-moon/keystone/trust/backends/sql.py | 7 | ||||
-rw-r--r-- | keystone-moon/keystone/trust/controllers.py | 39 | ||||
-rw-r--r-- | keystone-moon/keystone/trust/core.py | 28 | ||||
-rw-r--r-- | keystone-moon/keystone/trust/schema.py | 7 |
4 files changed, 38 insertions, 43 deletions
diff --git a/keystone-moon/keystone/trust/backends/sql.py b/keystone-moon/keystone/trust/backends/sql.py
index 4f5ee2e5..95b18d40 100644
--- a/keystone-moon/keystone/trust/backends/sql.py
+++ b/keystone-moon/keystone/trust/backends/sql.py
@@ -16,6 +16,7 @@ import time
 from oslo_log import log
 from oslo_utils import timeutils
+from six.moves import range
 from keystone.common import sql
 from keystone import exception
@@ -135,15 +136,15 @@ class Trust(trust.Driver):
 query = query.filter_by(deleted_at=None)
 ref = query.first()
 if ref is None:
- return None
+ raise exception.TrustNotFound(trust_id=trust_id)
 if ref.expires_at is not None and not deleted:
 now = timeutils.utcnow()
 if now > ref.expires_at:
- return None
+ raise exception.TrustNotFound(trust_id=trust_id)
 # Do not return trusts that can't be used anymore
 if ref.remaining_uses is not None and not deleted:
 if ref.remaining_uses <= 0:
- return None
+ raise exception.TrustNotFound(trust_id=trust_id)
 trust_dict = ref.to_dict()
 self._add_roles(trust_id, session, trust_dict)
diff --git a/keystone-moon/keystone/trust/controllers.py b/keystone-moon/keystone/trust/controllers.py
index 60e34ccd..39cf0110 100644
--- a/keystone-moon/keystone/trust/controllers.py
+++ b/keystone-moon/keystone/trust/controllers.py
@@ -16,18 +16,18 @@ import uuid
 from oslo_config import cfg
 from oslo_log import log
+from oslo_log import versionutils
 from oslo_utils import timeutils
 import six
 from keystone import assignment
 from keystone.common import controller
 from keystone.common import dependency
+from keystone.common import utils
 from keystone.common import validation
 from keystone import exception
 from keystone.i18n import _
-from keystone.models import token_model
 from keystone import notifications
-from keystone.openstack.common import versionutils
 from keystone.trust import schema
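Review bot: The expiry test `if now > ref.expires_at:` still serves a trust at the exact instant of `expires_at`; if the contract is that a trust is unusable once its expiry time is reached, `if now >= ref.expires_at:` is the tighter boundary. The `not deleted` guard on the same lines also skips the `remaining_uses` check, which is presumably intentional for `deleted=True` lookups but deserves a one-line comment such as `# deleted=True is an audit lookup: expiry and use-count limits do not apply`. Raising `TrustNotFound` for an expired or exhausted trust, rather than a distinct error, keeps a non-owner from learning that the trust ever existed, and that is worth stating in the method's docstring, whose signature lies outside this hunk.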
@@ -63,19 +63,15 @@ class TrustV3(controller.V3Controller):
 return super(TrustV3, cls).base_url(context, path=path)
 def _get_user_id(self, context):
- if 'token_id' in context:
- token_id = context['token_id']
- token_data = self.token_provider_api.validate_token(token_id)
- token_ref = token_model.KeystoneToken(token_id=token_id,
- token_data=token_data)
- return token_ref.user_id
- return None
+ try:
+ token_ref = utils.get_token_ref(context)
+ except exception.Unauthorized:
+ return None
+ return token_ref.user_id
 def get_trust(self, context, trust_id):
 user_id = self._get_user_id(context)
 trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
 _trustor_trustee_only(trust, user_id)
 self._fill_in_roles(context, trust, self.role_api.list_roles())
@@ -83,7 +79,7 @@ class TrustV3(controller.V3Controller):
 def _fill_in_roles(self, context, trust, all_roles):
 if trust.get('expires_at') is not None:
- trust['expires_at'] = (timeutils.isotime
+ trust['expires_at'] = (utils.isotime
 (trust['expires_at'], subsecond=True))
@@ -126,15 +122,12 @@ class TrustV3(controller.V3Controller):
 @controller.protected()
 @validation.validated(schema.trust_create, 'trust')
- def create_trust(self, context, trust=None):
+ def create_trust(self, context, trust):
 """Create a new trust.
 The user creating the trust must be the trustor.
 """
- if not trust:
- raise exception.ValidationError(attribute='trust',
- target='request')
 auth_context = context.get('environment', {}).get('KEYSTONE_AUTH_CONTEXT', {})
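Review bot: The new `except exception.Unauthorized: return None` in `_get_user_id` maps a token that failed validation onto the same `None` that a request carrying no token gets, so apart from whatever `@controller.protected()` enforces, the only thing between an invalid token and a trust read in `get_trust` is `_trustor_trustee_only(trust, user_id)`, which is defined outside this hunk; I cannot confirm from this page that it rejects `None`. If the helper compares `user_id` against the trustor and trustee ids it will, but that invariant should be written down next to the `return None`: `# None = no usable token (e.g. admin_token auth); ownership helpers must reject it`. Whether `utils.get_token_ref` raises `Unauthorized` for a missing `token_id` rather than letting a `KeyError` escape is also not visible here and is worth confirming, since a `KeyError` would bypass this handler and surface as a 500.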
@@ -206,15 +199,16 @@ class TrustV3(controller.V3Controller):
 if not expiration_date.endswith('Z'):
 expiration_date += 'Z'
 try:
- return timeutils.parse_isotime(expiration_date)
+ expiration_time = timeutils.parse_isotime(expiration_date)
 except ValueError:
 raise exception.ValidationTimeStampError()
+ if timeutils.is_older_than(expiration_time, 0):
+ raise exception.ValidationExpirationError()
+ return expiration_time
 def _check_role_for_trust(self, context, trust_id, role_id):
 """Checks if a role has been assigned to a trust."""
 trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
 user_id = self._get_user_id(context)
 _trustor_trustee_only(trust, user_id)
 if not any(role['id'] == role_id for role in trust['roles']):
@@ -247,7 +241,7 @@ class TrustV3(controller.V3Controller):
 if 'roles' in trust:
 del trust['roles']
 if trust.get('expires_at') is not None:
- trust['expires_at'] = (timeutils.isotime
+ trust['expires_at'] = (utils.isotime
 (trust['expires_at'], subsecond=True))
 return TrustV3.wrap_collection(context, trusts)
@@ -255,9 +249,6 @@ class TrustV3(controller.V3Controller):
 @controller.protected()
 def delete_trust(self, context, trust_id):
 trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
-
 user_id = self._get_user_id(context)
 _admin_trustor_only(context, trust, user_id)
 initiator = notifications._get_request_audit_info(context)
@@ -266,8 +257,6 @@ class TrustV3(controller.V3Controller):
 @controller.protected()
 def list_roles_for_trust(self, context, trust_id):
 trust = self.get_trust(context, trust_id)['trust']
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
 user_id = self._get_user_id(context)
 _trustor_trustee_only(trust, user_id)
 return {'roles': trust['roles'],
diff --git a/keystone-moon/keystone/trust/core.py b/keystone-moon/keystone/trust/core.py
index de6b6d85..e091ff93 100644
--- a/keystone-moon/keystone/trust/core.py
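Review bot: `_parse_expiration_date` now raises `exception.ValidationExpirationError` for a timestamp that is already in the past, but the function starts outside this hunk and nothing visible documents the new failure mode; its docstring should gain a line such as `Raises ValidationTimeStampError on unparsable input and ValidationExpirationError when the date is not in the future.` Note that `timeutils.is_older_than(expiration_time, 0)` accepts a timestamp equal to the current instant, so a trust can be created at its own expiry; whether that matters depends on the driver's comparison, which on this page is a strict `now > ref.expires_at`, so such a trust is rejected on its first use a moment later.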
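Review bot: `list_roles_for_trust` re-derives `user_id` and calls `_trustor_trustee_only(trust, user_id)` on a trust that `self.get_trust(context, trust_id)` has, as far as this page shows, already validated for the same context and therefore the same user, so the token is validated and the ownership check run twice per request. The two lines `user_id = self._get_user_id(context)` and `_trustor_trustee_only(trust, user_id)` can be dropped without changing behaviour, or a comment should say why the second check is deliberate. The `return` statement continues past the end of the hunk.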
+++ b/keystone-moon/keystone/trust/core.py
@@ -12,13 +12,14 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-"""Main entry point into the Identity service."""
+"""Main entry point into the Trust service."""
 import abc
 from oslo_config import cfg
 from oslo_log import log
 import six
+from six.moves import zip
 from keystone.common import dependency
 from keystone.common import manager
@@ -41,6 +42,9 @@ class Manager(manager.Manager):
 dynamically calls the backend.
 """
+
+ driver_namespace = 'keystone.trust'
+
 _TRUST = "OS-TRUST:trust"
 def __init__(self):
@@ -55,9 +59,9 @@ class Manager(manager.Manager):
 if not (0 < redelegation_depth <= max_redelegation_count):
 raise exception.Forbidden( _('Remaining redelegation depth of %(redelegation_depth)d'
- ' out of allowed range of [0..%(max_count)d]'),
- redelegation_depth=redelegation_depth,
- max_count=max_redelegation_count)
+ ' out of allowed range of [0..%(max_count)d]') %
+ {'redelegation_depth': redelegation_depth,
+ 'max_count': max_redelegation_count})
 # remaining_uses is None
 remaining_uses = trust.get('remaining_uses')
@@ -139,13 +143,14 @@ class Manager(manager.Manager):
 if requested_count and requested_count > max_redelegation_count:
 raise exception.Forbidden( _('Requested redelegation depth of %(requested_count)d '
- 'is greater than allowed %(max_count)d'),
- requested_count=requested_count,
- max_count=max_redelegation_count)
+ 'is greater than allowed %(max_count)d') %
+ {'requested_count': requested_count,
+ 'max_count': max_redelegation_count})
 # Decline remaining_uses
- if 'remaining_uses' in trust:
- exception.ValidationError(_('remaining_uses must not be set '
- 'if redelegation is allowed'))
+ if trust.get('remaining_uses') is not None:
+ raise exception.ValidationError(
+ _('remaining_uses must not be set if redelegation is '
+ 'allowed'))
 if redelegated_trust:
 trust['redelegated_trust_id'] = redelegated_trust['id']
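Review bot: `driver_namespace = 'keystone.trust'` is added with no hint of who reads it; a short comment would save the next reader a trip into the base class, e.g. `# Entry-point namespace the manager.Manager base loads the configured trust backend from`. I am inferring the consumer from the name and the `manager.Manager` base shown in the hunk header, so confirm against `keystone.common.manager` before wording it as fact.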
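Review bot: `if requested_count and requested_count > max_redelegation_count:` lets a negative `requested_count` through, because a negative int is truthy and is never greater than the maximum; unless the request schema already enforces a lower bound (the schema hunk on this page is cut off before any `redelegation_count` entry), the guard should read `if requested_count is not None and not (0 <= requested_count <= max_redelegation_count):`. The `remaining_uses` check a few lines below now actually raises, where the old code built the `ValidationError` and discarded it, so a unit test asserting that a redelegatable trust with `remaining_uses` set is rejected would pin that fix. Both checks sit inside a method whose start is outside this hunk.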
@@ -179,9 +184,6 @@ class Manager(manager.Manager):
 Recursively remove given and redelegated trusts
 """
 trust = self.driver.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id)
-
 trusts = self.driver.list_trusts_for_trustor( trust['trustor_user_id'])
diff --git a/keystone-moon/keystone/trust/schema.py b/keystone-moon/keystone/trust/schema.py
index 087cd1e9..673b786b 100644
--- a/keystone-moon/keystone/trust/schema.py
+++ b/keystone-moon/keystone/trust/schema.py
@@ -15,8 +15,11 @@ from keystone.common.validation import parameter_types
 _trust_properties = {
- 'trustor_user_id': parameter_types.id_string,
- 'trustee_user_id': parameter_types.id_string,
+ # NOTE(lbragstad): These are set as external_id_string because they have
+ # the ability to be read as LDAP user identifiers, which could be something
+ # other than uuid.
+ 'trustor_user_id': parameter_types.external_id_string,
+ 'trustee_user_id': parameter_types.external_id_string,
 'impersonation': parameter_types.boolean,
 'project_id': validation.nullable(parameter_types.id_string),
 'remaining_uses': { |
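Review bot: With the `if not trust` guard gone, the method this hunk sits in dereferences `trust['trustor_user_id']` straight from whatever `self.driver.get_trust(trust_id)` returns, so a driver whose `get_trust` still returns `None` for a missing trust (the SQL driver on this page was changed to raise, but the abstract `Driver.get_trust` contract is not in this diff) now produces a `TypeError`, i.e. a 500 instead of a 404. Either update the abstract method's docstring to require `TrustNotFound`, or keep a cheap guard here: `if trust is None: raise exception.TrustNotFound(trust_id=trust_id)` (the keyword form is what the rest of this diff uses; the removed line passed `trust_id` positionally). The method's signature and the rest of its body lie outside this hunk.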