The OAuth2.0 Access Token API is modified to support getting an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
Another fixture taken wholesale from nova. This configures our logging
to ensure we trigger but don't capture DEBUG-level logs. It also lowers
the level of some less important logs like sqlalchemy-migrate.
Change-Id: Ia1090f1810d6cddda724a8a048647b4ffeaa733e
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
token_bytes is a standard library secrets function; we can get the information from https://www.python.org/dev/peps/pep-0506/
Change-Id: I7e6b1df5eac59bac33674934d7b3e8cdd16cea27
In I59335b4f318bae2e29ab139cdea089a4d6e14305, oslo.db
is now emitting deprecation warnings for SQLAlchemy-migrate
functions. This breaks Keystone tests which raise on
DeprecationWarning, so add to the filters.
Change-Id: I42f0abc2ddf8c53239d5098d5f32b667314b942d
The should_cache_fn function was removed from keystone when oslo_cache
was adopted. A function still mentions it. This patch updates
the docstring that mentions should_cache_fn.
Change-Id: Ib9693f1c020e0ed251d4119c0fbf8ffef693102a
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Change-Id: Ic440219814ee0c2b98217e9a821f38f5baf482ec
SQLAlchemy 1.4 will be introducing a new warning
class called RemovedIn20Warning, which will indicate behaviors
and APIs that are planned on being changed for the
SQLAlchemy 2.0 release [1]. As SQLAlchemy 2.0 is planned on
being a more major API break, applications will normally need
to wait until they are fully on SQLAlchemy 1.4 only as well as
Python 3 only in order to begin using new APIs that will allow
migration to 2.0.
For now, Keystone and others don't have a need to be raising
for this warning as there are not yet clear upgrade paths
established.
[1] https://docs.sqlalchemy.org/en/14/changelog/migration_20.html#sqlalchemy-1-x-to-2-0-transition
Change-Id: Icb005b2e7b9d851f5a3e8677599b32a6e3edddc2
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
This change modifies the policies for domain config
API to be more self-service by properly checking for
system scopes. It also includes the test cases.
Subsequent patches will -
- add functionality for system admin for domain config API
- domains user test coverage for domain config API
- project user test coverage for domain config API
- remove obsolete policies in policy.v3cloudsample.json file
Change-Id: I3c0a00d3fb77485f3e303f4ce5f90a7ea4301563
Partial-Bug: #1805366
Add in support for resource options for roles and projects (including
domains). No options are currently implemented for roles or projects.
Scaffolding has been implemented so that adding options should be
straight forward. This will allow for implementing options such
as an immutable flag.
As a mechanism to isolate SQL Models from the Driver implementation,
especially when adding in the complexity of the resource options, the
models for the Resource backend and the Role Backend (SQL) have been
moved to their own module.
Partial-Bug: #1807751
Depends-On: https://review.opendev.org/678379
Required-By: https://review.opendev.org/678380
Change-Id: I456a7c19506d28d5846534f884b8abe0d3079c96
This change modifies the policies for endpoint_groups
API to be more self-service by properly checking for
system scopes. It also includes the test cases.
Subsequent patches will -
- add functionality for system admin
- domains user test coverage
- project user test coverage
Change-Id: Ie13fd2296f2836466d38544c4f672ee95c4156b0
Partial-Bug: #1818734
Since pki-setup was removed in Pike, this
patch removes the config options that were
left for backward compatibility, as PKI is
not supported.
Partial-Bug: #1829453
Change-Id: I83cd08e57fbc046ad69bd42eb2e5fa1ace6e8a28
Implement system scopes, namely 'admin', 'reader', and 'member' for
the application credential API, thus making it consistent with other
system-scoped policy definitions.
For the application credential API, the following policies will be enforced:
- system admin can fetch, list, lookup, and delete a user's application
credentials.
- system member and reader can only fetch, list, and lookup a user's application
credentials. Deleting a user's application credential other than their own is
strictly prohibited.
- domain and project admins can no longer touch a user's application credentials
other than their own.
- domain and project readers cannot touch a user's application credentials
other than their own.
- domain and project members cannot touch a user's application credentials
other than their own.
- creating an application credential can only be done by the owner. No one else
can create an application credential on behalf of another user.
Test cases are added to guard the above policy changes.
Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe
Closes-Bug: 1818725
Closes-Bug: 1750615
In 7eec2c5d we removed the _VERSIONS constant from the api discovery
module. By a quirk of the way the unit tests are ordered, the mock to
patch this constant continued to work if the whole test suite was run,
but it doesn't work if we just run that test alone or the test_versions
suite alone. This patch cleans up the unneeded mock.
Change-Id: If88db5b8f4cb3425fd7a568213aa094fe7800c38
Several of the test classes for testing the service provider API were
duplicating a method to build a request body. Instead of duplicating
a common and useful utility, we can move it to a generic place and
share it.
This commit creates a new method in keystone.tests.unit.core for
building service provider entities to be used in API and backend
tests. A subsequent patch will rely on this for testing policy
protection of the service provider API.
Change-Id: I78e697f9f5fb975b4694ab1a61f608a6dce0fd3b
This option was deprecated in Pike. It's used nowhere now. Safe
to remove it.
Change-Id: I48a962488e25c07aea3a53f6aaa9b5f4a4218e4a
bp: removed-as-of-stein
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.
Adds changes to the auth layer to handle the creation,
validation, and consumption of receipts as part of
the auth process.
Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
This commit moves loadapp to BaseTestCase so that it can be
used by test classes inheriting from BaseTestCase without having
to invoke all the extra stuff from TestCase.
Change-Id: Ida1e7b65a5d88e03701fe0334155f1eb5d03ae86
The ksfixtures.Policy object used to accept two arguments. One was
the path of the policy file and the other was the test fixture. Since
policy is now kept in code and the default policy file has been
removed from keystone source, we can simplify the fixture to
optionally deal with a file path, instead of passing a non-existent
file to it all the time.
Change-Id: I9d8c4cbf963099fe73e39dbf46e03f66f9a79f43
Convert the /auth paths to flask native dispatching.
A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an
overwrite issue within flask as a single resource may only have a
single set of URL mappings).
Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.
This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):
* Implemented keystone.common.render_token (module)
containing render_token_response_from_model and use it instead
of keystone.common.controller.render_token_response_from_model.
Minor differences occur in render_token_response_from_model in
the keystone.common.render_token module, this is simply
for referencing data from flask instead of the request object.
* Test cases have been modified to no longer rely on the auth
controller(s) directly
* Test cases now use "make_request" as a context manager
since authenticate/authenticate_for_token directly
reference the flask contexts and must have an explicit
context pushed.
* Test cases no longer pass request objects into methods
such as authenticate/authenticate_for_token or similar
methods on the auth plugins
* Test cases for federation reference the token model now
where possible instead of the rendered token response.
Rendered token responses are generated where needed.
* Auth Plugin Configuration is done in test core as well.
This is because Auth controller does not exist.
NOTE: This is a massive change, but most of these changes
were not easily uncoupled because of how far reaching auth
is.
Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
The unit test uses sqlite for tests, which disables the db foreign keys
function by default. This patch enables the sqlite foreign keys
function for unit tests by default.
The "project" table is a self referencing FK table (id <-> domain_id
column). So when the FK is enabled, there must exist a root record
before inserting data into this table. It's <<keystone.domain.root>>.
Usually, the <<keystone.domain.root>> record is inserted into the
table once operators run the "keystone-manage db_sync" command when
deploying Keystone. But the unit test code doesn't run this command;
it initialises the db schema by reading the sqlalchemy object model, so
the <<keystone.domain.root>> record is missing. Then we can't create
any project record; it'll raise an FK error.
So in this patch, before creating any projects in the test, we must
ensure the <<keystone.domain.root>> record exists first.
Change-Id: I565d12395ca39a58ba90faf8641a9e02d986aeb9
Closes-Bug: #1744195
When the API Prefix is used in a Flask API, it is possible the flask
view argument specification will bleed through to the self link instead
of a properly formatted url.
The add_self_reference_links mechanism in keystone.server.flask.common
now substitutes out the self link to the {} substitution and applies
a .format() utilizing the view args to the URI in the self link.
Change-Id: Ic5c89c285ed964de7411b273567bb97fcf43da06
closes-bug: #1794552
Enable the sqlite foreign keys function for unit test.
This patch is the first part to solve sql backend test issues.
Change-Id: I5d29d05e64b76ff6530c9af5ee39a2df1b26aa03
Partial-Bug: #1744195
Now a user can add a description to the role when the user creates the role.
Added support for a ``description`` attribute for V3 Identity Roles.
Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
Co-Authored-By: Deepak Mourya <deepakmoriya7@gmail.com>
Change-Id: I230af9cc833af13064636b5d9a7ce6334c3f6e9a
Closes-Bug: #1669080
Move the Credentials API to Flask Native dispatching.
This change fixes some circular importing in the
conversion.
Change-Id: I5e2485ba471d09c3454e78ca2c9dfa19aaf0e4e2
Partial-Bug: #1776504
Add in support for JSON Home documents, a ResourceBase implementing
basic functionality, and full testing of the new flask_RESTful
scaffolding.
Change-Id: I5bcc8660b68c0b39a2110089f6c67531769d14ef
Partial-Bug: #1776504
This change makes (for test purposes) the Flask app return a 418
instead of a 404 if the path is unrouted. This allows easy
identification (programmatically) of whether the 404 is issued from Flask
or is a handled 404 such as "UserNotFound".
Partial-Bug: #1776504
Change-Id: I0475d9b6315250d9c3384be63c14a81fbd1c7b7c
Move the JSON Home Document and Version Discovery Documents out of
the webob-based mapper and into Flask.
This change removes the keystone.version.controller and
keystone.version.router modules as they have been moved into
keystone.api.discovery.
The keystone.api.discovery module is somewhat specialized as there
are no "resources" and it must handle multiple types of responses
based upon the ACCEPTS header (JSON Home or JSON). In lieu of the
flask-RESTful mechanisms, keystone.api.discovery utilizes bare
flask blueprint and functions. Minor scaffolding work has been done
to ensure the discovery blueprint can be loaded via the loader loop
in keystone.server.flask.application (a stub object in
keystone.api.discovery).
Partial-Bug: #1776504
Change-Id: Ib25380cefdbb7147661bb9853de7872a837322e0
JSON Home Resources must be stored in a location other
than the router for Flask as we are not composing routers
in the same way as we used to with the home-grown webob
based WSGI setup.
Partial-Bug: #1776504
Closes-Bug: #1776506
Change-Id: I292ea9e923ff2f49041dfd417994bcdd797d0520
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.
* The keystone-paste.ini file has been removed.
* All options have been removed (without deprecation) as they are no
longer referenced.
* The TokenAuthMiddleware code (with deprecation warning) has been
removed as it was only provided to ensure compatibility with paste.ini
files that were not updated (ensuring not breaking a deployer that
did not update paste.ini file to remove it from the pipeline).
* Paste deploy entrypoints have been removed.
Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
The "driver" configuration should be removed with the removal of
uuid tokens. Keystone now doesn't support persistent tokens.
Change-Id: Ibea6660cd85c07abc9c4bc011180c08dd5017ced
bp: removed-as-of-rocky
This will help with testing since SQLite will start enforcing the
foreign key relationships.
We will still have a problem with migrations for tables that refer to
each other. SQLite can't alter tables and sqlalchemy-migrate's tmp table
strategy for migrations fails in this situation.
This patch did:
1. Add FK support for the tests. Disable it by default.
2. Make sure the FK is disabled for test_sql_upgrade and
identity.backends.test_sql
Partial-Bug: #1744195
Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
Change-Id: I276af7c0125dc2cb2c54215d54491665db1caa22
A previous change started removing the self magic:
Ic2094dca56158d8e4cd843eadff837f3a17ea38f
This commit finishes that work. A subsequent patch will remove the
self manager logic altogether and we'll fix up any trivial test
infrastructure then.
Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278