Convert /v3/users to use flask native dispatching.
The following test changes were required:
* Application Credentials did not have the plural form
in the JSON Home document. The JSON Home document was
corrected both in code and in tests.
* Application Credentials "patch" test needed to be
refactored to look for METHOD_NOT_ALLOWED instead
of NOT FOUND for invalid/unimplemented methods.
The "assertValidErrorResponse" method was
insufficient and the test now uses the flask
test_client mechanism instead.
Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
The token provider listened for specific callbacks from the
federation and oauth APIs. These were mainly for token invalidation
and token persistence removal. Now that the sql token driver and uuid
token provider have been removed, we can remove the need for
persistence notifications.
Instead, both of these cases can use a generic token cache
invalidation callback. This makes the token provider Manager simpler
because it only has to listen for a single internal notification to
invalidate the token cache, instead of multiple. It also makes the
code sending the notification easier to understand because it's
clearer about what it's doing.
Change-Id: I3281a013ce2764872dda8c183c4e9851974e1d14
This patch adds the schema check for the authorize
request token API. It avoids some 500 errors
caused by invalid input format and raises the
400 error correctly.
This patch also adds role name support for
authorize request token.
Closes-bug: #1736875
Change-Id: I9d113692702e7aaa0127ffa9405a17908c0c6ff7
This change converts the usage of self.<provider_api> to
keystone.common.providers_api.ProviderAPIs.<provider_api> in manager
and controller logic. This is the correct way to reference
providers from other managers and controllers now that dependency
injection has been eliminated.
Change-Id: I4e30070111ba1d8ae1653a764fdeed949e536830
Refactors all of keystone's dependency injection to maintain a
single centralized repository of instantiated objects. This
means that we no longer have to resolve order. All
objects that need to reference the various manager APIs simply
do so via the __getattr__ built into the Manager common object
or the ProviderAPIMixin object.
This is also the first step towards correcting our tests to
where they cannot run "load_backends" multiple times.
This forces any/all managers to properly run super()
as the way to register the api is via __init__.
This eliminates all use of the @dependency.requires and
@dependency.provides decorators, simplifying the objects
all around.
Any instantiations of a Manager after keystone is running
will now generate an error, ensuring everything for keystone
is running before handling requests. An exception is for
CLI and CLI tests, as the CLI may directly instantiate
managers and will not lock the registry.
Change-Id: I4ba17855efd797c0db9f4824936b49e4bff54b6a
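The registry described in the commit message above, as an added example that is not keystone's own code: a single registry that managers register into from __init__, sibling APIs resolved through __getattr__ at call time rather than at construction time (so instantiation order no longer matters), and a lock that makes any Manager created after startup an error. Class and method names (ProviderAPIRegistry, Manager, IdentityManager, TokenManager, run_demo) and the sample users and tokens are constructed for this illustration.

```python
class ProviderAPIRegistry:
    """Single registry of instantiated manager objects (illustrative, not keystone's own class)."""

    def __init__(self):
        self._providers = {}
        self._locked = False

    def register(self, name, provider):
        if self._locked:
            raise RuntimeError(f"registry is locked; {name!r} cannot be registered after startup")
        if name in self._providers:
            raise RuntimeError(f"provider {name!r} is already registered")
        self._providers[name] = provider

    def lock(self):
        # Called once all backends are loaded; any later Manager instantiation is a bug, not a feature.
        self._locked = True

    def __getattr__(self, name):
        # Only reached when normal attribute lookup fails, so PROVIDERS.identity_api resolves here.
        providers = self.__dict__.get("_providers", {})
        if name in providers:
            return providers[name]
        raise AttributeError(f"no provider registered as {name!r}")


PROVIDERS = ProviderAPIRegistry()


class Manager:
    _provides_api = None  # subclasses set e.g. "identity_api"

    def __init__(self):
        # Registration happens in __init__, so a subclass overriding __init__ must call super().__init__().
        if self._provides_api:
            PROVIDERS.register(self._provides_api, self)

    def __getattr__(self, name):
        # self.<other>_api is looked up in the registry at call time, so construction order is irrelevant.
        if name.endswith("_api"):
            return getattr(PROVIDERS, name)
        raise AttributeError(name)


class IdentityManager(Manager):
    _provides_api = "identity_api"
    USERS = {"u1": {"id": "u1", "name": "alice"}}  # constructed sample data

    def get_user(self, user_id):
        return self.USERS[user_id]


class TokenManager(Manager):
    _provides_api = "token_api"
    TOKENS = {"tok-1": "u1"}  # constructed sample data: token id -> user id

    def validate_token(self, token_id):
        return self.identity_api.get_user(self.TOKENS[token_id])


def run_demo():
    global PROVIDERS
    PROVIDERS = ProviderAPIRegistry()  # fresh registry so the demo is repeatable
    token_api = TokenManager()  # constructed before the manager it depends on: no ordering to resolve
    IdentityManager()
    PROVIDERS.lock()
    user = token_api.validate_token("tok-1")
    try:
        IdentityManager()  # too late: the service is already "running"
        late_rejected = False
    except RuntimeError:
        late_rejected = True
    return {"user": user, "late_instantiation_rejected": late_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The lock is the security-relevant piece: a manager constructed while requests are already being served would silently replace or miss registration, so the registry refuses it outright. The CLI exception mentioned in the commit corresponds to simply never calling lock().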
When creating a request token with header "requested_project_id",
Keystone raises the 400 error:
"Expecting to find requested_project_id in request".
The correct key is "Requested-Project-Id", which uses - instead of _.
This patch corrects the misleading error message.
Change-Id: I2e619a2e7326d0c84756efbdce36d99b0bfbfc56
Change 461736 modifies the url passed to the oauth signature verifier to
the request url. But in some deployments, https endpoints are terminated
at haproxy and an http request is sent to keystone. So the request url will
have http as url scheme whereas the endpoint is registered with https
and the signature at the client is done with the https url. This results in OAUTH
signature validation failure.
Update the URL sent for OAUTH signature verification with the scheme of
the base url.
Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
Partial-Bug: #1687593
OAUTH signature verification should happen with the same URL used for signing.
Typically at the user end it should be signed with the request URL and hence it
should be verified with the same.
Currently keystone uses the public endpoint URL for signature verification.
Modified the URL passed to oauth signature verification to the request URL.
Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
Partial-Bug: #1687593
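The two commit messages above (verify against the request URL, then take the scheme from the base URL when TLS is terminated in front of keystone) come down to how the OAuth 1.0a signature base string is built. The following is an added example, not keystone's or oauthlib's code: a stdlib-only HMAC-SHA1 signer and verifier per RFC 5849, plus a with_scheme_of helper that does what the later fix describes. The endpoint URLs, consumer secret and oauth_* parameters are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def _pct(value):
    # RFC 5849 3.6 percent-encoding: only unreserved characters (ALPHA, DIGIT, '-', '.', '_', '~') pass through.
    return quote(str(value), safe="~")


def base_string_uri(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default ports and the query, keep the path.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))


def signature_base_string(method, url, oauth_params):
    # oauth_params: the oauth_* protocol parameters without oauth_signature; query params come from the URL.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((_pct(k), _pct(v)) for k, v in list(oauth_params.items()) + query)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_string_uri(url)), _pct(normalized)])


def sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret=""):
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify_hmac_sha1(method, url, oauth_params, signature, consumer_secret, token_secret=""):
    expected = sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)  # constant-time comparison


def with_scheme_of(request_url, base_url):
    # The fix from the commit above: keep host, path and query of the URL the proxy forwarded,
    # but take the scheme from the configured public base URL the client actually signed with.
    req = urlsplit(request_url)
    return urlunsplit((urlsplit(base_url).scheme, req.netloc, req.path, req.query, req.fragment))


# Constructed sample values; the consumer key and secret are not real credentials.
CONSUMER_SECRET = "consumer-secret"
PUBLIC_URL = "https://keystone.example.com/v3/OS-OAUTH1/request_token"
PROXIED_URL = "http://keystone.example.com/v3/OS-OAUTH1/request_token"  # what keystone sees behind haproxy
PARAMS = {
    "oauth_consumer_key": "abc123",
    "oauth_nonce": "n0nce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1500000000",
    "oauth_version": "1.0",
}


def demo():
    signature = sign_hmac_sha1("POST", PUBLIC_URL, PARAMS, CONSUMER_SECRET)  # client side, signed over https
    return {
        "verified_against_request_url": verify_hmac_sha1(
            "POST", PROXIED_URL, PARAMS, signature, CONSUMER_SECRET
        ),
        "verified_against_base_scheme_url": verify_hmac_sha1(
            "POST", with_scheme_of(PROXIED_URL, "https://keystone.example.com/v3"), PARAMS, signature, CONSUMER_SECRET
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployer should keep in mind. The scheme swap only helps when the scheme is the sole difference; if the proxy also rewrites the host, port or path, the base string still diverges and verification fails, so the public endpoint must match what the proxy forwards (or the proxy must pass the original values through). And a verified signature says nothing about the http hop between haproxy and keystone, which carries the request in clear; that hop still needs to be on a trusted network or its own TLS.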
Config options 'access_token_duration' and 'request_token_duration' only
allow values >= 0, so override with value 1 and use freezegun to wait for
the token to expire. This commit also enhances the condition check for these
two options.
Partial-Bug: #1686921
Change-Id: I65306b9fc5eec6b8146ba5130f7d6e6cb229810e
Merged the decorator logic into a single function that
calls check_policy. Moved authorization logic in authorize.py
Prep for oslo-context fixes
Change-Id: Id1452db131740c68b3756a819792f9a60cff239c
Keystone's various Manager classes typically handle the sending of
a notification. In order to send the notification an `initiator` is
needed. All Manager CRUD methods typically ask for this as a kwarg
since it's not required in all cases.
Most of the controller layers pass the initiator value as a
positional argument. This commit makes it so the controller passes it
as a kwarg since that's how the Manager class method signature
describes it.
Change-Id: Ic805f6ea2767c9c5cf01aa04ad554773b9cc8c39
The audit initiator is basically a context with all the information
about the current operation available. This information is all gathered
from the request and context so we can simplify its generation by moving
it onto the request object.
Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c
This follows up the comments from review [1], and takes the chance
to update the exception where it fails at the validation of the
payload in headers.
[1] https://review.openstack.org/#/c/361087/
Related-Bug: #1616424
Change-Id: Ibb97a141b5cbb839b4fce062ad3470032e26f67a
A returned status code larger than 399 does not indicate that the
signature is invalid; only an empty body implies that.
For other reasons which cause the failure of creating a request
token, this patch shows the detailed message, so that it gives us
some clue on what is incorrect.
Related-Bug: #1616424
Change-Id: Id3f0b806630697436340ab97f328743d7f811a14
If there is any request from a client with invalid request
parameters, an invalid signature for example, keystone should
capture that and raise the exception.
It was `NotImplementedError` or `TypeError` that was thrown and
presented directly to the end user, and no helpful message
was given.
This patch fixes that and shows as much of the exception message
as is helpful for diagnosis.
Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
Closes-Bug: #1616424
The code verifies the assignment filtered by `user_id` after
verifying the assignment filtered by `user_id` and `project_id`.
The latter should be a subset of the former.
Change-Id: I056f543a1dfbd0ad8965cdd37bb986a665711ab7
Add more information from the auth_context dict to the request context
object and start the process of converting code over to using the
context instead.
Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
This commit moves all the decorated calls to validate requests inline with the
method. This is one way we can lazily validate requests, which allows us to
pick up validation configuration options specified in config.
Change-Id: Iee71fb3c34d296427cd485180dacb6bf02581845
This patch swaps use of hardcoded int and strings for known http
status codes with the values from six.moves.http_client.
Change-Id: Iab83af97920b950d075036ff1499f388299588a0
The controller get_auth_context method simply fetches a dict from the
environment. We can simply put this method on the request now.
Change-Id: Icba3a0286e5af440108c27f41f54de64c922f29a
The last references to headers in the context_dict are in oauth1 and a
test for the context_dict itself. Remove this test and fixup the oauth
tests to use the request.headers instead.
Change-Id: I94fac7bf5dacc30d6bea7efc066d9cc40dcddc4a
The context['query_string'] is just a dictionary copy of the original
params object that comes from a request. Just use the existing params
instead.
Change-Id: I0ecd7a09e36b39a105c150b3affcbbcd26a544c2
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone options to be
registered on import, so consumers of keystone.conf don't have
races with config initialization code while trying to use
oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
messages, default paths, etc) that are used by multiple configuration
modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.
Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
This change allows us to send internal notifications inline instead of invoking
them from decorated methods.
Change-Id: I659546b2cdd27bedaa694cb009d371f504765a72
Several of the methods of the Oauth1DriverV8 driver didn't match
the interface. The driver signature must match the interface.
The driver now matches the interface. In most cases the driver is
changed to match the interface whereas in other cases the interface
is changed to match the driver. The determinant is how the caller is
calling the method.
Change-Id: I826acf75d0336b57831a7d046e8bffac239ea4c1
These cases use `len()` to check if a collection has items.
As collections have a boolean representation too, directly check
for true / false.
Change-Id: I1e552db99fbe6d33ad43bb710af924261dcebb46
Add schema validation on create/update of OAuth1 consumer.
This patch also removes the unnecessary code after schema
validation enforcement.
- Remove the check of `secret` in the request body for the update
consumer API. It is covered by this schema definition:
    'not': {
        'required': ['secret']
    }
- Remove the check of `description` to be consistent with other
entities, such as `user`, `group`. It is covered by the following
schema definition:
    'description': validation.nullable(parameter_types.description)
Partially implements: bp schema-validation-extent
Change-Id: I4d7e6188e8120aa4bcb4a27a22a34d7b395d5f49
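Both this commit (consumer schemas with 'not': {'required': ['secret']} and a nullable description) and the earlier one adding a schema check to the authorize request token API make the same point: validating the body before the handler touches it turns a 500 caused by malformed input into a 400 with a usable message. The following is an added example, not keystone's code and not the jsonschema library: a small validator for the schema subset used here, the two schemas, an unvalidated handler beside a validated one, and a dispatch() that maps exceptions to status codes the way an API layer would. The schema shapes (role entries by id or name, a 255-character description limit) and the sample bodies are assumptions made for this illustration.

```python
import json


class ValidationError(ValueError):
    """Malformed input. The API layer maps this to HTTP 400 instead of letting a 500 escape."""


_PY_TYPES = {"object": dict, "string": str, "null": type(None), "array": list, "boolean": bool}


def _has_type(value, expected):
    names = expected if isinstance(expected, list) else [expected]
    return any(isinstance(value, _PY_TYPES[n]) for n in names)


def validate(schema, value, path="body"):
    """Check value against the JSON-schema subset used below (type, required, not, properties,
    additionalProperties, items, maxLength). Raises ValidationError on the first violation."""
    if "type" in schema and not _has_type(value, schema["type"]):
        raise ValidationError(f"{path}: expected {schema['type']}, got {type(value).__name__}")
    for key in schema.get("required", []):
        if not (isinstance(value, dict) and key in value):
            raise ValidationError(f"{path}: missing required property {key!r}")
    if "not" in schema:
        try:
            validate(schema["not"], value, path)
        except ValidationError:
            pass  # the inner schema rejected the value, so 'not' is satisfied
        else:
            raise ValidationError(f"{path}: must not match {json.dumps(schema['not'])}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name, sub in props.items():
            if name in value:
                validate(sub, value[name], f"{path}.{name}")
        extra = set(value) - set(props)
        if schema.get("additionalProperties", True) is False and extra:
            raise ValidationError(f"{path}: unexpected properties {sorted(extra)}")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            validate(schema["items"], item, f"{path}[{i}]")
    if isinstance(value, str) and len(value) > schema.get("maxLength", len(value)):
        raise ValidationError(f"{path}: longer than {schema['maxLength']} characters")


# Nullable description in the spirit of validation.nullable(parameter_types.description);
# the 255-character limit is an assumption for this example.
_DESCRIPTION = {"type": ["string", "null"], "maxLength": 255}

CONSUMER_UPDATE = {
    "type": "object",
    "properties": {"description": _DESCRIPTION},
    "not": {"required": ["secret"]},  # a client may never set the consumer secret
}

# Authorize-request-token body: roles given by id or name. Shape assumed for this example.
AUTHORIZE_REQUEST_TOKEN = {
    "type": "object",
    "properties": {
        "roles": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {"id": {"type": "string"}, "name": {"type": "string"}},
                "additionalProperties": False,
            },
        }
    },
    "required": ["roles"],
    "additionalProperties": False,
}


def unchecked_authorize(body):
    # The pre-validation shape: trusts the body. With {"roles": "admin"}, iterating the string
    # yields "a" and "a"["id"] raises TypeError, which the server reports as a 500.
    return [role["id"] for role in body["roles"]]


def checked_authorize(body):
    validate(AUTHORIZE_REQUEST_TOKEN, body)
    return [role.get("id") or role.get("name") for role in body["roles"]]


def update_consumer(body):
    validate(CONSUMER_UPDATE, body)
    return dict(body)


def dispatch(handler, body):
    """Mimic the API layer: ValidationError -> 400 with the message, any other exception -> 500."""
    try:
        return 200, handler(body)
    except ValidationError as exc:
        return 400, str(exc)
    except Exception as exc:  # deliberately broad: this is the 500 path
        return 500, type(exc).__name__
```

The 'not' construct is the interesting part: rather than a hand-written "if 'secret' in body" check in the controller, the refusal lives in the schema and is enforced before any code sees the body, so it cannot be bypassed by a later refactor of the handler.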
Remove oauth1 as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.
DocImpact: update keystone-paste and remove oauth1 from pipeline
Change-Id: I0ed1ec44d42c3b379a5c2a40e3e6298842dfc01d
Implements: bp move-extensions