assertItemsEqual was removed from Python's unittest.TestCase in
Python 3.3 [1][2]. We have been able to use it since then, because
testtools required unittest2, which still included it. With testtools
removing Python 2.7 support [3][4], we will lose support for
assertItemsEqual, so we should switch to assertCountEqual.
[1] - https://bugs.python.org/issue17866
[2] - https://hg.python.org/cpython/rev/d9921cb6e3cd
[3] - testing-cabal/testtools#286
[4] - testing-cabal/testtools#277
Change-Id: I7725cead76c0c7349af9a8c8e8a54290caebce9c
When you setup a user with a role assignment on a domain
and then a role assignment on a project "acting as a domain",
you can't actually remove them. The database throws you the
error "Multiple rows were found for one()" since it gets two
results for "actor_id" with the same "target_id".
This patch fixes this problem by filtering the database query
by the "type" field to determine whether it is a user domain relation
or a user project relation, and then removing the assignment.
Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580
Closes-Bug: #1754677
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
Without this patch, if there are multiple role assignments on the system
and they are not all the same role, querying for role assignments with
/v3/role_assignments?role.id={role_id} may leak some role assignments
that don't match the role_id, making the returned results incorrect.
This patch fixes the issue by using a list comprehension instead of a
for loop over a list that was being modified within the loop.
Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
Closes-bug: #1858012
Without this patch, if a project ID is not passed as query argument, a
target of {} is passed to the enforcer and causes a type error to be
raised ("'NoneType' object is not callable") which then is emitted as a
validation error to the user rather than as a server error. This patch
fixes the issue by correctly passing in None as the default target,
which is what the enforcer expects, which then allows the validation to
continue and return a more helpful error message about the required
query parameter.
Change-Id: If7f0fa4dd072b0f00172161da4f7b91f8c1e1f10
The unit tests use sqlite, which turns off the db foreign keys
function by default. This patch enables the sqlite foreign keys
function for unit tests by default.
The "project" table is a self-referencing FK table (id <-> domain_id
column). So when the FK is enabled, there must exist a root record
before inserting data into this table. It's <<keystone.domain.root>>.
Usually, the <<keystone.domain.root>> record is inserted into the
table once operators run the "keystone-manage db_sync" command when
deploying Keystone. But the unit test code doesn't run this command;
it initialises the db schema by reading the sqlalchemy object model, so
the <<keystone.domain.root>> record is missing. Then we can't create
any project record; it'll raise an FK error.
So in this patch, before creating any projects in the test, we must
ensure the <<keystone.domain.root>> record exists first.
Change-Id: I565d12395ca39a58ba90faf8641a9e02d986aeb9
Closes-Bug: #1744195
Convert OS-INHERIT API to flask native dispatching.
NOTE: A minor test change was needed, the test was mis-constructing the
URI with multiple slashes. The test now properly constructs the URI
using an lstrip when combining the direct_url bits.
Change-Id: I0907eb00cdfb9849342220f9b528f94175e71545
Partial-Bug: #1776504
Test case exposing the issue described in that bug. Also, adding
the expected result commented out; the commented tags are to be
removed after the bug is fixed.
Change-Id: I0e7b181977a1850a9a93472892407817561bfa0a
Partial-Bug: 1754677
If a group gets deleted out-of-band in an LDAP environment, the role
assignments cannot be cleaned as it checks the existence of the group
before triggering the deletion. This fix adds the ability to ignore a
non-existent group and clean up stale role assignments. We take the
same approach with user assignments.
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I975c8325f50b412c3aa256e1940a27082c009cce
Closes-Bug: #1751045
This will help with testing since SQLite will start enforcing the
foreign key relationships.
We will still have a problem with migrations for tables that refer to
each other. SQLite can't alter tables and sqlalchemy-migrate's tmp table
strategy for migrations fails in this situation.
This patch did:
1. Add FK support for the tests. Disable it by default.
2. Make sure the FK is disabled for test_sql_upgrade and
identity.backends.test_sql
Partial-Bug: #1744195
Co-Authored-By: wangxiyuan<wangxiyuan@huawei.com>
Change-Id: I276af7c0125dc2cb2c54215d54491665db1caa22
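The two SQLite commits above (enabling foreign keys for the unit tests, and seeding the <<keystone.domain.root>> record before inserting projects) describe behaviour that is easy to reproduce with the standard library alone. The following is an added example, not code from keystone or from either patch: it uses a constructed, simplified self-referencing "project" table, opens one connection with the pragma off and one with it on, and shows that the insert only fails on the enforcing connection until the root record exists. The schema and the `connect`/`ensure_root_domain`/`create_domain` helpers are assumptions made for the example; only the root domain id value comes from the commit message.

```python
import sqlite3

# Root record id as named in the commit message; everything else below is constructed.
ROOT_DOMAIN_ID = "<<keystone.domain.root>>"


def connect(enable_foreign_keys):
    """Open an in-memory SQLite database, optionally enforcing FK constraints.

    SQLite compiles FK support in but leaves it off per connection, and the
    pragma is silently ignored inside an open transaction, so it must be the
    first thing issued on each new connection (autocommit mode here).
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enable_foreign_keys else "OFF"))
    # Constructed, simplified stand-in for keystone's self-referencing project
    # table: every row's domain_id must point at another project row.
    conn.execute(
        """
        CREATE TABLE project (
            id        TEXT PRIMARY KEY,
            name      TEXT NOT NULL,
            domain_id TEXT NOT NULL REFERENCES project(id)
        )
        """
    )
    return conn


def foreign_keys_enabled(conn):
    """Report whether this connection is actually enforcing FK constraints."""
    return conn.execute("PRAGMA foreign_keys").fetchone()[0] == 1


def ensure_root_domain(conn):
    """Seed the root record the way db_sync would; the root points at itself.

    SQLite checks immediate FK constraints at the end of the statement, so a
    row that references its own id is accepted.
    """
    conn.execute(
        "INSERT OR IGNORE INTO project (id, name, domain_id) VALUES (?, ?, ?)",
        (ROOT_DOMAIN_ID, "root", ROOT_DOMAIN_ID),
    )


def create_domain(conn, domain_id, name):
    """Create a domain, i.e. a project whose parent is the root record.

    Returns True on success and False when SQLite rejects the row for an FK
    violation (the error the unit tests hit once enforcement was turned on).
    """
    try:
        conn.execute(
            "INSERT INTO project (id, name, domain_id) VALUES (?, ?, ?)",
            (domain_id, name, ROOT_DOMAIN_ID),
        )
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    lax = connect(enable_foreign_keys=False)
    print("FK off, insert without root:", create_domain(lax, "d1", "Default"))
    strict = connect(enable_foreign_keys=True)
    print("FK on, insert without root:", create_domain(strict, "d1", "Default"))
    ensure_root_domain(strict)
    print("FK on, insert after seeding root:", create_domain(strict, "d1", "Default"))
```

The non-enforcing connection happily stores a dangling domain_id, which is exactly why the tests passed for years without the root record; turning the pragma on is what surfaces the missing seed row.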
This commit removes system role assignments when querying keystone
for a list of assignments pertaining to a specific role. For example,
`GET /v3/role_assignments?role.id={role_id}`, now returns assignments
only for that role. Previously, the list contained false positives
because some system role assignments weren't being removed. This
was introduced in queens with the system scope work.
Change-Id: Iab35ae01bb715da5813e62cd09900de555dceaaa
Closes-Bug: 1748970
Keystone removes role assignments that groups have on projects and
domains when deleting groups. This should apply to system role
assignments, too.
Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
Closes-Bug: 1749267
Project and domain role assignment are cleaned up when deleting
groups. This commit introduces a test case that shows this isn't the
case for system role assignments. A subsequent patch will implement
a fix to make sure system role assignments are removed when groups
are deleted, to be consistent with project and domain assignments.
Change-Id: I9b452aff144fd8867cdac2f44cbcaa0d1de63a12
Partial-Bug: 1749267
Keystone removes role assignments that users have on projects and
domains when deleting users. This should also apply to system role
assignments.
Change-Id: Ied51b9c3b58714b2d5dbcb933eca1839d1351fc7
Closes-Bug: 1749264
Project and domain role assignment are cleaned up when deleting
users. This commit introduces a test case that shows this isn't the
case for system role assignments. A subsequent patch will implement
a fix to make sure system role assignments are removed when users
are deleted, to be consistent with project and domain assignments.
Change-Id: I1a1e7395f462159037e939aa143e9e24aefb1841
Partial-Bug: 1749264
The role_assignment API supports a bunch of query parameters that
gives users flexibility when querying for role assignments. This
commit exposes an issue when querying keystone for a specific role
using /role_assignments?role.id={role_id}. The expected result was
that the returned list would only contain role assignments for that
specific role ID. The actual result is a set of role assignments with
that role ID and all system role assignments.
This caused issues in tempest because tempest goes through and cleans
up resources using `tearDownClass`, and it is common to remove
specific roles used in the test class. The problem is that keystone
queries the role assignment API for all role assignment with a
specific role ID, which is the equivalent to
`GET /v3/role_assignments?role.id={role_id}` when deleting a role. The
list returned included false positives, which were system role
assignments, resulting in revocation events getting persisted for
users in those role assignments. This prevented the administrator in
tempest from cleaning up the rest of the resources because the
revocation event would make the token being used to do resource
cleanup.
This commit exposes the bug using tests.
Change-Id: If93400be3c9d3fe8e266bb36c16accca93d77154
Partial-Bug: 1748970
A previous change started removing the self magic:
Ic2094dca56158d8e4cd843eadff837f3a17ea38f
This commit finishes that work. A subsequent patch will remove the
self manager logic altogether and we'll fix up any trivial test
infrastructure then.
Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
This commit makes it so users can query the /role_assignments API
with ?scope.system=all.
bp system-scope
Change-Id: I1476c8da8ace1d60a832dfc3197c147e92f63837
This commit wires up the remaining bits to expose system role
assignments for groups via the assignment API.
bp system-scope
Change-Id: I5051aa97dbecb88ee706749b26a4140f9798e084
This commit wires up the remaining bits to expose system role
assignments via the assignment API.
bp system-scope
Change-Id: Ie17a473c12c9a67bbc5b26f18d8b29e8ad4529d2
Also add tests for GET and HEAD requests to member_url for a user that does not exist.
Change-Id: I00b40026bd2893e7976d97482ea06ba2b056935f
Closes-Bug: #1703245
The response body of getting role inference rule api lacks a 'links' object,
comparing with the api-ref [1]. This patch is to add the 'links' object to
make the response body consistent with the api-ref.
[1] https://developer.openstack.org/api-ref/identity/v3/index.html#get-role-inference-rule
Closes-Bug: 1691048
Change-Id: I31ddb4addce22cde68bfa2ff8ffd18386fd44136
When a role on a group scoped to a project/domain is revoked, a revocation
event is persisted in the revoke_event table, which invalidates all tokens
created with the same role in the project/domain. Since token validation
populates role assignments at validation time, persisting revocation events
is no longer needed.
Change-Id: I112d5d4684f739d320606cea651e0a108f18d245
Closes-Bug: #1662514
Domain specific roles have a main limitation: they are not considered an
"effective" role assignment, which means a user can't authenticate
using such assignment.
This also means that, although we can create cross domain implied roles,
this doesn't bypass the assignment isolation due to the condition above.
This patch adds a test to enforce this behavior.
Change-Id: Id4f96f7cf07f7f8f15cfa2e7a82a64c44123cff1
When listing role assignments with the ?include_names option,
the inheritance flag was not honored.
This change fixes that behavior and enables the test that was
submitted in the parent patch.
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Closes-Bug: #1625230
Change-Id: Ic0d32f3e47ee82015d86cec8b7502a440b66c021
When listing role assignments with ?include_names, the inheritance flag
was not returned properly.
Related-Bug: #1625230
Change-Id: Ibe467246da90d30cb40564667642056da4816139
When calling list_role_assignment and including the "include_names"
parameter, it would return the domain name and ID for each party
except for roles.
This will return the domain name and id for roles when the parameter
is included, if the role has a domain.
Added tests for roles with domains at manager and API level.
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Closes-Bug: #1607114
Change-Id: I5dae9299522b5116f8530455dd3d3376e9597b52
CONF.os_inherit.enabled is planned to be removed in Ocata, per the
deprecation message, and this patch removes it.
Partially implements bp: removed-as-of-ocata
Change-Id: I9072419ba1cfcf3cefb814a224fc499c9067ae30
Needed-by: Id3dd322b3a0585ed95eb2dea4ad35a7949bb9b1f
When assigning a Domain specific role to a user it is OK if the user
is from a different domain, but the project's domain must match the
role's domain.
Closes-Bug: 1590587
Change-Id: I1d63415de0130794939998c3e142ebdce9ddf39d
dogpile.cache's region invalidation is not designed to work across
processes. This patch enables distributed invalidation of keys in a
region.
Instead of using a static cache key, we use the original cache key
and append a dynamic value to it. This value is looked up in
memcached using the region name as a key. So anytime the value of
the region key changes the cache keys in that region are
effectively invalidated.
Closes-Bug: #1590779
Change-Id: Ib80d41d43ef815b37282d72ad68e7aa8e1ff354e
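The distributed invalidation scheme described above (a per-region version value stored in memcached under the region name, appended to every cache key, so that changing the version orphans all keys of the region for every process at once) is worth seeing end to end. The following is an added example, not keystone's code and not dogpile.cache's API: a plain dict stands in for memcached, two `VersionedRegionCache` instances stand in for two processes, and the class, method names and sample data are all constructed for illustration.

```python
import uuid


class VersionedRegionCache:
    """Cache region whose keys carry a version token shared across processes.

    shared_store stands in for memcached and is common to every instance.
    The region name is itself a key in that store; its value is the current
    version token. Because every lookup builds its key from the live token,
    bumping the token in one process invalidates the region everywhere.
    """

    def __init__(self, region_name, shared_store):
        self.region_name = region_name
        self.shared_store = shared_store

    def _region_version(self):
        # Lazily create the token on first use; later readers see the same one.
        version = self.shared_store.get(self.region_name)
        if version is None:
            version = uuid.uuid4().hex
            self.shared_store[self.region_name] = version
        return version

    def _versioned_key(self, key):
        # Original key plus the dynamic region version, as the commit describes.
        return "%s:%s:%s" % (self.region_name, self._region_version(), key)

    def get(self, key):
        return self.shared_store.get(self._versioned_key(key))

    def set(self, key, value):
        self.shared_store[self._versioned_key(key)] = value

    def invalidate(self):
        """Replace the region's version token; old versioned keys become unreachable.

        The stale entries are not deleted, they simply stop being addressed and
        age out under the backend's normal expiry.
        """
        self.shared_store[self.region_name] = uuid.uuid4().hex


def cross_process_invalidation():
    """Two 'processes' sharing one backend; B's invalidate is visible to A.

    Returns (value A sees before, value A sees after, value B sees after A re-caches).
    """
    memcached = {}  # constructed stand-in for the shared memcached backend
    proc_a = VersionedRegionCache("role_assignments", memcached)
    proc_b = VersionedRegionCache("role_assignments", memcached)

    proc_a.set("user-1", ["member"])
    before = proc_a.get("user-1")

    proc_b.invalidate()  # e.g. an assignment changed in another API worker
    after = proc_a.get("user-1")  # miss: A's key now embeds the new token

    proc_a.set("user-1", ["member", "reader"])  # A re-populates under the new token
    seen_by_b = proc_b.get("user-1")
    return before, after, seen_by_b


if __name__ == "__main__":
    print(cross_process_invalidation())
```

The point of the extra lookup on every key is that no process keeps invalidation state locally, which is exactly what dogpile's own `region.invalidate()` does and why it cannot reach other workers.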
This makes it so that we properly advance the clock after revocation events.
It also makes it easier to switch to Fernet as the default token provider.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I83509e81e4da26cad48ed3cb3f9733ddb7ae965e
Partial-Bug: 1561054
This commit prepares the tests in keystone/tests/unit/test_v3_assignment.py for
the switch to make Fernet the default token provider. Since Fernet doesn't
support sub-second precision it is possible to get the wrong response when
using the token API within the same second as a revocation event. We can either
introduce a sleep (which slows down our tests) or mock the system clock.
We can use freezegun to mock the system clock. This commit uses freezegun to
increment the clock by one second in cases that fail with the Fernet provider.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I2604376f63cd84c2a3d1a640dfcfbc29e5682c73
Partial-Bug: 1561054
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone's options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
assertEqual expects that the arguments provided to it should be
(expected, observed). If a particular order is kept as a convention,
then it helps to provide a cleaner message to the developer if Unit
Tests fail. The following patch fixes this issue.
Change-Id: I85628a1d60fa809f80d658ed7d66dbd5d7e03010
Closes-Bug: #1259292
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and makes keystone docstrings compliant with it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
Implement the HEAD method for all get-one and list-all operations in the
v3 API (non-extended). While this may never be used by
python-openstackclient, it is useful to operators and application
developers for quickly obtaining metainformation about API resources,
and for "testing hypertext links for validity, accessibility, and
recent modification"[1].
[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4
Closes-bug: #1370335
Change-Id: Iae26ebea1aa40d3b5c6c676dabe4f60a86a4f99f
The documentation build was printing warnings like
doc/source/auth-totp.rst:111: SEVERE: Title level inconsistent:
Tokens
======
This is because the subtitle is being used incorrectly, see [1]. The
subtitles are changed to section headers instead.
[1] http://docutils.sourceforge.net/docs/user/rst/quickstart.html#document-title-subtitle
Also corrected these warnings:
keystone/tests/unit/test_v3_assignment.py:docstring of
keystone.tests.unit.test_v3_assignment.ImpliedRolesTests.
test_list_role_assignments_with_implied_roles:9: ERROR: Unexpected
indentation.
keystone/keystone/tests/unit/test_v3_assignment.py:docstring of
keystone.tests.unit.test_v3_assignment.ImpliedRolesTests.
test_list_role_assignments_with_implied_roles:10: WARNING: Block
quote ends without a blank line; unexpected unindent.
Change-Id: Ib88dbc7a31a6aed8048966574ac998b5332862c7