openstack
/
keystone
Code Issues Proposed changes

Move trusts to extension 

Change-Id: I32b32fc5df8d8483ae8e99067f0655c13c6f520b
This commit is contained in:
Dolph Mathews 2013-03-21 11:45:03 -05:00
parent 4b8cab7b37
commit 63b8a82b31
6 changed files with 61 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
keystone/auth/controllers.py
View File

@ -171,9 +171,9 @@ class AuthInfo(object):
return
if sum(['project' in self.auth['scope'],
'domain' in self.auth['scope'],
'trust' in self.auth['scope']]) != 1:
'RH-TRUST:trust' in self.auth['scope']]) != 1:
raise exception.ValidationError(
attribute='project, domain, or trust',
attribute='project, domain, or RH-TRUST:trust',
target='scope')
if 'project' in self.auth['scope']:
@ -182,10 +182,11 @@ class AuthInfo(object):
elif 'domain' in self.auth['scope']:
domain_ref = self._lookup_domain(self.auth['scope']['domain'])
self._scope_data = (domain_ref['id'], None, None)
elif 'trust' in self.auth['scope']:
elif 'RH-TRUST:trust' in self.auth['scope']:
if not CONF.trust.enabled:
raise exception.Forbidden('Trusts are disabled.')
trust_ref = self._lookup_trust(self.auth['scope']['trust'])
trust_ref = self._lookup_trust(
self.auth['scope']['RH-TRUST:trust'])
#TODO ayoung when trusts support domain, Fill in domain data here
if 'project_id' in trust_ref:
project_ref = self._lookup_project(

2
keystone/auth/token_factory.py
View File

@ -114,7 +114,7 @@ class TokenDataHelper(object):
raise exception.Forbidden()
if trust['impersonation']:
user_ref = trustor_user_ref
token_data['trust'] = (
token_data['RH-TRUST:trust'] = (
{
'id': trust['id'],
'trustor_user': {'id': trust['trustor_user_id']},

14
keystone/trust/routers.py
View File

@ -22,37 +22,37 @@ from keystone.common import router
def append_v3_routers(mapper, routers):
trust_controller = controllers.TrustV3()
mapper.connect('/trusts',
mapper.connect('/RH-TRUST/trusts',
controller=trust_controller,
action='create_trust',
conditions=dict(method=['POST']))
mapper.connect('/trusts',
mapper.connect('/RH-TRUST/trusts',
controller=trust_controller,
action='list_trusts',
conditions=dict(method=['GET']))
mapper.connect('/trusts/{trust_id}',
mapper.connect('/RH-TRUST/trusts/{trust_id}',
controller=trust_controller,
action='delete_trust',
conditions=dict(method=['DELETE']))
mapper.connect('/trusts/{trust_id}',
mapper.connect('/RH-TRUST/trusts/{trust_id}',
controller=trust_controller,
action='get_trust',
conditions=dict(method=['GET']))
mapper.connect('/trusts/{trust_id}/roles',
mapper.connect('/RH-TRUST/trusts/{trust_id}/roles',
controller=trust_controller,
action='list_roles_for_trust',
conditions=dict(method=['GET']))
mapper.connect('/trusts/{trust_id}/roles/{role_id}',
mapper.connect('/RH-TRUST/trusts/{trust_id}/roles/{role_id}',
controller=trust_controller,
action='check_role_for_trust',
conditions=dict(method=['HEAD']))
mapper.connect('/trusts/{trust_id}/roles/{role_id}',
mapper.connect('/RH-TRUST/trusts/{trust_id}/roles/{role_id}',
controller=trust_controller,
action='get_role_for_trust',
conditions=dict(method=['GET']))

4
tests/test_auth.py
View File

@ -633,7 +633,7 @@ class AuthWithTrust(AuthTest):
"methods": ["token"],
"token": {"id": token}},
"scope": {
"trust": {"id": self.new_trust['id']}}}
"RH-TRUST:trust": {"id": self.new_trust['id']}}}
token_auth_response = (self.auth_v3_controller.authenticate_for_token
({}, v3_req_with_trust))
return token_auth_response
@ -644,7 +644,7 @@ class AuthWithTrust(AuthTest):
trust_token_user = auth_response.json['token']['user']
self.assertEquals(trust_token_user['id'], self.trustor['id'])
trust_token_trust = auth_response.json['token']['trust']
trust_token_trust = auth_response.json['token']['RH-TRUST:trust']
self.assertEquals(trust_token_trust['id'], self.new_trust['id'])
self.assertEquals(trust_token_trust['trustor_user']['id'],
self.trustor['id'])

19
tests/test_v3.py
View File

@ -460,13 +460,14 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
def assertValidProjectTrustScopedTokenResponse(self, r, *args, **kwargs):
token = self.assertValidProjectScopedTokenResponse(r, *args, **kwargs)
self.assertIsNotNone(token.get('trust'))
self.assertIsNotNone(token['trust'].get('id'))
self.assertTrue(isinstance(token['trust'].get('impersonation'), bool))
self.assertIsNotNone(token['trust'].get('trustor_user'))
self.assertIsNotNone(token['trust'].get('trustee_user'))
self.assertIsNotNone(token['trust']['trustor_user'].get('id'))
self.assertIsNotNone(token['trust']['trustee_user'].get('id'))
trust = token.get('RH-TRUST:trust')
self.assertIsNotNone(trust)
self.assertIsNotNone(trust.get('id'))
self.assertTrue(isinstance(trust.get('impersonation'), bool))
self.assertIsNotNone(trust.get('trustor_user'))
self.assertIsNotNone(trust.get('trustee_user'))
self.assertIsNotNone(trust['trustor_user'].get('id'))
self.assertIsNotNone(trust['trustee_user'].get('id'))
def assertValidDomainScopedTokenResponse(self, r, *args, **kwargs):
token = self.assertValidScopedTokenResponse(r, *args, **kwargs)
@ -815,8 +816,8 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
else:
scope_data['domain']['name'] = domain_name
if trust_id:
scope_data['trust'] = {}
scope_data['trust']['id'] = trust_id
scope_data['RH-TRUST:trust'] = {}
scope_data['RH-TRUST:trust']['id'] = trust_id
return scope_data
def build_password_auth(self, user_id=None, username=None,

72
tests/test_v3_auth.py
View File

@ -1015,8 +1015,8 @@ class TestTrustOptional(test_v3.RestfulTestCase):
super(TestTrustOptional, self).setUp(*args, **kwargs)
def test_trusts_404(self):
self.get('/trusts', body={'trust': {}}, expected_status=404)
self.post('/trusts', body={'trust': {}}, expected_status=404)
self.get('/RH-TRUST/trusts', body={'trust': {}}, expected_status=404)
self.post('/RH-TRUST/trusts', body={'trust': {}}, expected_status=404)
def test_auth_with_scope_in_trust_403(self):
auth_data = self.build_authentication_request(
@ -1039,14 +1039,14 @@ class TestTrustAuth(TestAuthInfo):
def test_create_trust_400(self):
raise nose.exc.SkipTest('Blocked by bug 1133435')
self.post('/trusts', body={'trust': {}}, expected_status=400)
self.post('/RH-TRUST/trusts', body={'trust': {}}, expected_status=400)
def test_create_unscoped_trust(self):
ref = self.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id)
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
self.assertValidTrustResponse(r, ref)
def test_trust_crud(self):
@ -1056,48 +1056,48 @@ class TestTrustAuth(TestAuthInfo):
project_id=self.project_id,
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
r = self.get(
'/trusts/%(trust_id)s' % {'trust_id': trust['id']},
'/RH-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=200)
self.assertValidTrustResponse(r, ref)
# validate roles on the trust
r = self.get(
'/trusts/%(trust_id)s/roles' % {
'/RH-TRUST/trusts/%(trust_id)s/roles' % {
'trust_id': trust['id']},
expected_status=200)
roles = self.assertValidRoleListResponse(r, self.role)
self.assertIn(self.role['id'], [x['id'] for x in roles])
self.head(
'/trusts/%(trust_id)s/roles/%(role_id)s' % {
'/RH-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']},
expected_status=204)
r = self.get(
'/trusts/%(trust_id)s/roles/%(role_id)s' % {
'/RH-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']},
expected_status=200)
self.assertValidRoleResponse(r, self.role)
r = self.get('/trusts', expected_status=200)
r = self.get('/RH-TRUST/trusts', expected_status=200)
self.assertValidTrustListResponse(r, trust)
# trusts are immutable
self.patch(
'/trusts/%(trust_id)s' % {'trust_id': trust['id']},
'/RH-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
body={'trust': ref},
expected_status=404)
self.delete(
'/trusts/%(trust_id)s' % {'trust_id': trust['id']},
'/RH-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=204)
self.get(
'/trusts/%(trust_id)s' % {'trust_id': trust['id']},
'/RH-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=404)
def test_create_trust_trustee_404(self):
@ -1105,14 +1105,14 @@ class TestTrustAuth(TestAuthInfo):
trustor_user_id=self.user_id,
trustee_user_id=uuid.uuid4().hex)
del ref['id']
self.post('/trusts', body={'trust': ref}, expected_status=404)
self.post('/RH-TRUST/trusts', body={'trust': ref}, expected_status=404)
def test_create_trust_trustor_trustee_backwards(self):
ref = self.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=self.user_id)
del ref['id']
self.post('/trusts', body={'trust': ref}, expected_status=403)
self.post('/RH-TRUST/trusts', body={'trust': ref}, expected_status=403)
def test_create_trust_project_404(self):
ref = self.new_trust_ref(
@ -1121,7 +1121,7 @@ class TestTrustAuth(TestAuthInfo):
project_id=uuid.uuid4().hex,
role_ids=[self.role_id])
del ref['id']
self.post('/trusts', body={'trust': ref}, expected_status=404)
self.post('/RH-TRUST/trusts', body={'trust': ref}, expected_status=404)
def test_create_trust_role_id_404(self):
ref = self.new_trust_ref(
@ -1130,7 +1130,7 @@ class TestTrustAuth(TestAuthInfo):
project_id=self.project_id,
role_ids=[uuid.uuid4().hex])
del ref['id']
self.post('/trusts', body={'trust': ref}, expected_status=404)
self.post('/RH-TRUST/trusts', body={'trust': ref}, expected_status=404)
def test_create_trust_role_name_404(self):
ref = self.new_trust_ref(
@ -1139,7 +1139,7 @@ class TestTrustAuth(TestAuthInfo):
project_id=self.project_id,
role_names=[uuid.uuid4().hex])
del ref['id']
self.post('/trusts', body={'trust': ref}, expected_status=404)
self.post('/RH-TRUST/trusts', body={'trust': ref}, expected_status=404)
def test_create_expired_trust(self):
ref = self.new_trust_ref(
@ -1149,10 +1149,10 @@ class TestTrustAuth(TestAuthInfo):
expires=dict(seconds=-1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
self.get('/trusts/%(trust_id)s' % {
self.get('/RH-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=404)
@ -1172,7 +1172,7 @@ class TestTrustAuth(TestAuthInfo):
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1209,7 +1209,7 @@ class TestTrustAuth(TestAuthInfo):
r = self.post('/auth/tokens', body=auth_data)
token = r.getheader('X-Subject-Token')
r = self.post('/trusts', body={'trust': ref}, token=token)
r = self.post('/RH-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1251,7 +1251,7 @@ class TestTrustAuth(TestAuthInfo):
r = self.post('/auth/tokens', body=auth_data)
token = r.getheader('X-Subject-Token')
r = self.post('/trusts', body={'trust': ref}, token=token)
r = self.post('/RH-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1292,7 +1292,7 @@ class TestTrustAuth(TestAuthInfo):
r = self.post('/auth/tokens', body=auth_data)
token = r.getheader('X-Subject-Token')
r = self.post('/trusts', body={'trust': ref}, token=token)
r = self.post('/RH-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1321,7 +1321,7 @@ class TestTrustAuth(TestAuthInfo):
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1352,7 +1352,7 @@ class TestTrustAuth(TestAuthInfo):
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1381,19 +1381,19 @@ class TestTrustAuth(TestAuthInfo):
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
self.delete('/trusts/%(trust_id)s' % {
self.delete('/RH-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=204)
self.get('/trusts/%(trust_id)s' % {
self.get('/RH-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=404)
self.get('/trusts/%(trust_id)s' % {
self.get('/RH-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=404)
@ -1414,15 +1414,15 @@ class TestTrustAuth(TestAuthInfo):
del ref['id']
for i in range(0, 3):
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
r = self.get('/trusts?trustor_user_id=%s' %
r = self.get('/RH-TRUST/trusts?trustor_user_id=%s' %
self.user_id, expected_status=200)
trusts = r.body['trusts']
self.assertEqual(len(trusts), 3)
r = self.get('/trusts?trustee_user_id=%s' %
r = self.get('/RH-TRUST/trusts?trustee_user_id=%s' %
self.user_id, expected_status=200)
trusts = r.body['trusts']
self.assertEqual(len(trusts), 0)
@ -1437,7 +1437,7 @@ class TestTrustAuth(TestAuthInfo):
role_ids=[self.role_id])
del ref['id']
r = self.post('/trusts', body={'trust': ref})
r = self.post('/RH-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
@ -1449,7 +1449,7 @@ class TestTrustAuth(TestAuthInfo):
self.assertValidProjectTrustScopedTokenResponse(r, self.user)
trust_token = r.getheader('X-Subject-Token')
self.get('/trusts?trustor_user_id=%s' %
self.get('/RH-TRUST/trusts?trustor_user_id=%s' %
self.user_id, expected_status=200,
token=trust_token)
@ -1463,6 +1463,6 @@ class TestTrustAuth(TestAuthInfo):
auth=auth_data,
expected_status=200))
self.get('/trusts?trustor_user_id=%s' %
self.get('/RH-TRUST/trusts?trustor_user_id=%s' %
self.user_id, expected_status=401,
token=trust_token)