The OAuth2.0 Access Token API is added, with support to get an OAuth2.0
access token from the keystone identity server with application
credentials.
Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
This reverts commit 8d31705806.
In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.
This change was merged to master but never released, so I submit that
it is safe to revert.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: Ibb48983f7edef1c2df50ba998f6a95741f933168
Add Flask resources for access rules config. This exposes listing all
configured access rules or filtering by service type, which users can use to
be informed about what rules are valid. It does not expose the ability to
check a rule against the configured list, which is only used internally.
This API is deliberately unprotected.
bp whitelist-extension-for-app-creds
Change-Id: I9e25087b2ddb6e76e39eb62893378678a5cbc03c
Convert S3 and EC2 auth to flask native dispatching.
Test changes required:
* Eliminate direct reference of the EC2 / S3 controllers, originally
this direct reference was to verify signature checking. Since
signature checking is an @staticmethod now, direct reference of
the API resources covers everything.
* Direct import of keystone.common.controller - due to an oddity in
how our WSGI code work(s) in test, if nothing imports the common
controller module, the tests fail using the oslo import_class
mechanism.
Change-Id: I06e95957b3ea3a55b0da28959548bd5eb628c70b
Partial-Bug: #1776504
Convert the projects API to Flask native dispatching.
Change-Id: I3406284acfb7950b701f6a98a3a173a427415f97
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Partial-Bug: #1776504
Convert /v3/users to use flask native dispatching.
The following test changes were required:
* Application Credentials did not have the plural form
in the JSON Home document. The JSON Home document was
corrected both in code and in tests.
* Application Credentials "patch" test needed to be
refactored to look for METHOD_NOT_ALLOWED instead
of NOT FOUND for invalid/unimplemented methods.
The "assertValidErrorResponse" method was
insufficient and the test now uses the flask
test_client mechanism instead.
Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
Convert the /auth paths to flask native dispatching.
A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an
overwrite issue within flask as a single resource may only have a
single set of URL mappings).
Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.
This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):
* Implemented keystone.common.render_token (module)
containing render_token_response_from_model and use it instead
of keystone.common.controller.render_token_response_from_model.
Minor differences occur in render_token_response_from_model in
the keystone.common.render_token module, this is simply
for referencing data from flask instead of the request object.
* Test cases have been modified to no longer rely on the auth
controller(s) directly
* Test cases now use "make_request" as a context manager
since authenticate/authenticate_for_token directly
reference the flask contexts and must have an explicit
context pushed.
* Test cases no longer pass request objects into methods
such as authenticate/authenticate_for_token or similar
methods on the auth plugins
* Test cases for federation reference the token model now
where possible instead of the rendered token response.
Rendered token responses are generated where needed.
* Auth Plugin Configuration is done in test core as well.
This is because Auth controller does not exist.
NOTE: This is a massive change, but most of these changes
were now easily uncoupled because of how far reaching auth
is.
Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
Convert OS-INHERIT API to flask native dispatching.
NOTE: A minor test change was needed, the test was mis-constructing the
URI with multiple slashes. The test now properly constructs the URI
using an lstrip when combining the direct_url bits.
Change-Id: I0907eb00cdfb9849342220f9b528f94175e71545
Partial-Bug: #1776504
Convert OS-FEDERATION to flask native dispatching.
NOTE: Two changes occurred that impact testing in this patch.
* The JSON Home test now uses assertDictEquals to make it
easier to debug json_home document errors
* It was by general good luck that the overloaded relation
'identity_providers' worked as expected. The relation was
used for both '/OS-FEDERATION/identity_providers' and
the Identity-Provider-Specific WebSSO path. The change
to the JSON Home document and the tests make the
Identity-Provider-Specific WebSSO path now a relation
of 'identity_providers_websso' to more closely align
with 'websso' relation for
'/auth/OS-FEDERATION/websso/{protocol_id}'. While
this constitutes a minor break in our contract (the
output of the json home document) it was required to
ensure consistency and functionality. The alternative
is to not represent '/OS-FEDERATION/identity_providers'
(list endpoint) in the JSON Home document at all, instead
represent only the WebSSO endpoint.
Change-Id: If746c14491322d4a5f88fa0cbb31105f6d38c240
Partial-Bug: #1776504
Convert the /system API (used for granting roles to the system scope) to
Flask native dispatching.
Change-Id: I48b04f2d0e9d858b0c709687beee27227e516843
Partial-Bug: #1776504
Convert Roles and Implied Roles (all paths under /v3/roles) to
flask native dispatching. This change does not convert
/v3/role_inferences to flask native dispatching.
Change-Id: I114380e96c6a2b3c167676fa1525e4470560b541
Partial-Bug: #1776504
Migrate the OS-EP-FILTER API to flask-native dispatching. This does
not migrate the standard catalog "region", "service" or "endpoint"
APIs.
Change-Id: Ia7c2ab211e2f7fb136e5817390751121f97f4340
Partial-Bug: #1776504
Convert limits and registered limits to flask native dispatching.
NOTE: A minor test change was needed. The limit JSON Home data
was incorrectly formatted and did not properly isolate the
singular forms of "limit" and "registered_limit" from the
plural (list) APIs.
Change-Id: Ib3ceeb0a249ccc73c143730fac78d9f54c67174e
Partial-Bug: #1776504
Move the Credentials API to Flask Native dispatching.
This change fixes some circular importing in the
conversion.
Change-Id: I5e2485ba471d09c3454e78ca2c9dfa19aaf0e4e2
Partial-Bug: #1776504
Move the JSON Home Document and Version Discovery Documents out of
the webob-based mapper and into Flask.
This change removes the keystone.version.controller and
keystone.version.router modules as they have been moved into
keystone.api.discovery.
The keystone.api.discovery module is somewhat specialized as there
are no "resources" and it must handle multiple types of responses
based upon the ACCEPTS header (JSON Home or JSON). In lieu of the
flask-RESTful mechanisms, keystone.api.discovery utilizes bare
flask blueprint and functions. Minor scaffolding work has been done
to ensure the discovery blueprint can be loaded via the loader loop
in keystone.server.flask.application (a stub object in
keystone.api.discovery).
Partial-Bug: #1776504
Change-Id: Ib25380cefdbb7147661bb9853de7872a837322e0