Commit Graph

131 Commits

Author SHA1 Message Date
Pete Zaitcev 1544c7fc0a Don't forget to check if authorization fails
The fix is to copy the missing check from class AuthProtocol
of keystonemiddleware.

Closes-bug: 1999068
Change-Id: I4fd7bf6b194c38815c2a9cdbab92a07315397eab
2023-03-17 16:54:41 -05:00
Yi Feng b554576f62 OAuth2.0 Client Credentials Grant Flow Support
The OAuth2.0 Access Token API is added, with support for getting an OAuth2.0
access token from the keystone identity server with application
credentials.

Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
2022-06-14 09:09:33 +00:00
Takashi Kajinami d9cd6b7347 Replace deprecated assertDictContainsSubset
The method is deprecated since Python 3.2[1] and shows the following
DeprecationWarning.

/usr/lib/python3.9/unittest/case.py:1134: DeprecationWarning:
assertDictContainsSubset is deprecated
  warnings.warn('assertDictContainsSubset is deprecated',

[1] https://docs.python.org/3/whatsnew/3.2.html#unittest

Closes-Bug: #1938103
Change-Id: I2372c6f1c748a5cb1c3fcf0566684f49bc5ef715
2021-09-01 08:13:48 +09:00
Ghanshyam Mann 256160b849 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:

1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json with policy.yaml refs in doc and tests.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Ic65d2fd6ce7215b4a47a6fb41b9cbf991f27773b
2021-02-01 17:36:29 +00:00
Vishakha Agarwal 4530041931 Remove six usage
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
2020-01-30 06:06:51 +00:00
Colleen Murphy c2d8830662 Fix role_assignments role.id filter
Without this patch, if there are multiple role assignments on the system
and they are not all the same role, querying for role assignments with
/v3/role_assignments?role.id={role_id} may leak some role assignments
that don't match the role_id, making the returned results incorrect.
This patch fixes the issue by using a list comprehension instead of a
for loop over a list that was being modified within the loop.

Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
Closes-bug: #1858012
2020-01-02 09:24:54 -08:00
morgan fainberg b31ff3f991 Implement resource options for roles and projects
Add in support for resource options for roles and projects (including
domains). No options are currently implemented for roles or projects.
Scaffolding has been implemented so that adding options should be
straightforward. This will allow for implementing options such
as an immutable flag.

As a mechanism to isolate SQL Models from the Driver implementation
especially when adding in complexity of the resource options, the
models for the Resource backend and the Role Backend (SQL) have been
moved to their own module.

Partial-Bug: #1807751
Depends-On: https://review.opendev.org/678379
Required-By: https://review.opendev.org/678380
Change-Id: I456a7c19506d28d5846534f884b8abe0d3079c96
2019-09-09 22:07:30 +00:00
Vishakha Agarwal 0931f08cd3 Correcting tests with project_id
This change replaces tenant_id with project_id
in test cases.

Change-Id: I6285d8e4f1b90a8c3f299f4b1d186f2453a3f9b7
2019-02-13 14:32:19 +05:30
Vishakha Agarwal df982016dd Remove deprecated "bind" in token
The 'bind' option was deprecated and is
no longer in use, thus removing it. Also
removing its rst file.

bp:removed-as-of-stein
Change-Id: Ie355733dc031b3c4908fdc4e44f8f1220cff456c
2018-11-09 07:22:52 +05:30
Zuul 5814da527b Merge "Move AuthContextMiddleware" 2018-10-22 03:33:22 +00:00
Lance Bragstad 6d7cfdb4ba Add test case for expanding implied roles in system tokens
If a user has a role assignment on the system, which implies another
role assignment, the system-scoped token response should include
both role assignments.

This patch exposes a bug in the system-scoped token implementation
where implied roles aren't expanded out before returning the
token response to the user.

Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
Related-Bug: 1788694
2018-10-12 16:53:25 +00:00
Morgan Fainberg 595967bba6 Move AuthContextMiddleware
Move AuthContextMiddleware to keystone.server.flask.request_processing
to be more in line with the other internally defined middleware.

Change-Id: I25b6a88f4b0dc3af306360ee4e5ec0abfe3cf812
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
morgan fainberg d97832e8e8 Convert auth to flask native dispatching
Convert the /auth paths to flask native dispatching.

A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an
overwrite issue within flask as a single resource may only have a
single set of URL mappings).

Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.

This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):

* Implemented keystone.common.render_token (module)
  containing render_token_response_from_model and use it instead
  of keystone.common.controller.render_token_response_from_model.

  Minor differences occur in render_token_response_from_model in
  the keystone.common.render_token module, this is simply
  for referencing data from flask instead of the request object.

* Test cases have been modified to no longer rely on the auth
  controller(s) directly

* Test cases now use "make_request" as a context manager
  since authenticate/authenticate_for_token directly
  reference the flask contexts and must have an explicit
  context pushed.

* Test cases no longer pass request objects into methods
  such as authenticate/authenticate_for_token or similar
  methods on the auth plugins

* Test cases for federation reference the token model now
  where possible instead of the rendered token response.
  Rendered token responses are generated where needed.

* Auth Plugin Configuration is done in test core as well.
  This is because the Auth controller does not exist.

NOTE: This is a massive change, but most of these changes
were not easily uncoupled because of how far reaching auth
is.

Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
2018-10-09 23:23:03 -07:00
wangxiyuan 012dac29b8 Enable foreign keys for unit test
The unit test uses sqlite for test, which disables the db foreign keys
function by default. This patch enables the sqlite foreign keys
function for unit test by default.

The "project" table is a self-referencing FK table (id <-> domain_id
column). So when the FK is enabled, there must exist a root record
before inserting data into this table. It's <<keystone.domain.root>>.

Usually, the <<keystone.domain.root>> record is inserted into the
table once operators run the "keystone-manage db_sync" command when
deploying Keystone. But the unit test code doesn't run this command;
it initialises the db schema by reading the sqlalchemy object model, so
the <<keystone.domain.root>> record is missing. Then we can't create
any project record; it'll raise an FK error.

So in this patch, before creating any projects in the test, we must
ensure the <<keystone.domain.root>> record exists first.

Change-Id: I565d12395ca39a58ba90faf8641a9e02d986aeb9
Closes-Bug: #1744195
2018-10-09 09:50:21 +08:00
Vishakha Agarwal 84e1b9ac15 Avoid using dict.get() in assertions
The method dict.get(key) will return None
in the following two cases:

A. if there is no key in the dictionary.
B. if the real value of the key is just None.

The above two cases will result in passing
the assertion, which is not the expected
behaviour of the test.

Change-Id: Ib4a7f2d5beb1e4e9b4d8d9dd90de3f52a5c29e74
2018-10-05 00:12:06 +00:00
Zuul 785ec01833 Merge "Added support for a ``description`` attribute for Identity Roles" 2018-09-12 17:56:20 +00:00
M V P Nitesh 430d7f765a Added support for a ``description`` attribute for Identity Roles
Now a user can add a description to the role when creating the role.
Added support for a ``description`` attribute for V3 Identity Roles.

Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
Co-Authored-By: Deepak Mourya <deepakmoriya7@gmail.com>
Change-Id: I230af9cc833af13064636b5d9a7ce6334c3f6e9a
Closes-Bug: #1669080
2018-09-06 05:09:10 +00:00
Lance Bragstad 25a5d48d1c Trivial: Remove app_conf kwarg from testing setup
The RestfulTestCase classes in both rest.py and test_v3.py both
defined an app_conf kwarg in their setUp() method signatures that
was never used. This commit removes app_conf since it doesn't make
sense to define it if it's not used.

Change-Id: Ide8303363c662747e1527f7de553dba40606986e
2018-08-22 17:34:32 +00:00
wangxiyuan 203787c37f Clean up token extra code
Originally, the "extra" in token data is generated by the auth plugin
and then returned to users within the token data.

In Kilo, the "extra" in token data was deprecated[1]; after that,
if the auth plugin generates the "extra", a warning log will be
raised. To stop the warning, the auth plugins should stop
generating the "extra" field.

After two releases, in Mitaka, the "extra" in token data was
removed[2], but the "extra" was still created by default as an
empty dict {}. Actually, "extra" should not be created any more
in Mitaka because Keystone has warned the auth plugins for two
releases.

Now in Rocky, it's safe enough to remove the "extra" from the token
issue flow entirely since it has never been used since Mitaka. The
only concern for the out-of-tree plugins about the removal is that
if they still put "extra" into auth_context, Keystone will raise
KeyError. But can that happen? Only if the out-of-tree plugins
ignored the warning in Kilo, and still contain "extra" but never
used it since Mitaka. For most auth plugins which follow the
Keystone deprecation step, this patch is a silent change.

[1]: https://review.openstack.org/#/c/162662
[2]: https://review.openstack.org/#/c/249480

Change-Id: I828cc0ad3ac265abdfea2e1571806add128ae51e
2018-08-02 11:52:10 +08:00
Morgan Fainberg 6dbd005842 Remove direct calls to auth.controllers in some tests
Tests in keystone.tests.unit.test_v3 and keystone.tests.unit.test_v3_auth
no longer directly instantiate or call the auth controllers. The
only exceptions are test classes that are not used; those have had a
TODO note added to them. This is being done for the conversion to flask
where the auth controllers will no longer exist. All test changes are
done outside of the conversion of webob controller -> flask restful
api.

Change-Id: Ib668ca18faf42b41bc63558c6634fca96224d195
Partial-Bug: #1776504
2018-08-01 16:57:23 +00:00
Morgan Fainberg 142b224920 Mirror self-link trust check from tempest
To ensure the self-link for trusts is sane, mirror the check tempest
does. This change closes a gap on a possibly changing self-link
that would only be caught in tempest making for easier local testing.

Change-Id: I1ede6dcafdeb75b94732efe0d4c80ccfef2a40f0
Partial-Bug: #1776504
2018-07-20 14:57:12 -07:00
Lance Bragstad b0cc66e2a8 Remove unused assertions from test_v3.py
These assertions are not used anywhere in keystone's tests. The
assertion for service providers was added but never used:

  I62ec9619d8b187cda80100e383d40b158550b71f

The token assertion was no longer used when we removed the v2.0
token API as noted in the commit message of:

  I4c3e35f3565b4b60ae4d00cc2490bd04aba1a800

Change-Id: If28273c88518df0ba6b75a98f13f123bee574fb5
2018-05-03 21:13:08 +00:00
Brant Knudson 96a883a5ad Use consistent role schema in token response validation
The tests used a different schema for the roles in the token
response schema for different token scopes. The role information
shouldn't change depending on the scope, so let's make the test
more DRY by not redefining the role schema in multiple places.

Related-Bug: 1763510
Change-Id: I58d3dc2a3306994890688d5ff40a62cdaedf378e
2018-04-12 21:23:40 +00:00
David Stanek ed2b65a5dd Force SQLite to properly deal with foreign keys
This will help with testing since SQLite will start enforcing the
foreign key relationships.

We will still have a problem with migrations for tables that refer to
each other. SQLite can't alter tables and sqlalchemy-migrate's tmp table
strategy for migrations fails in this situation.

This patch did:
1. Add FK support for the tests. Disable it by default.
2. Make sure the FK is disabled for test_sql_upgrade and
identity.backends.test_sql

Partial-Bug: #1744195

Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
Change-Id: I276af7c0125dc2cb2c54215d54491665db1caa22
2018-02-14 16:54:15 +00:00
Lance Bragstad 8761066260 Finish refactoring self.*_api out of tests
A previous change started removing the self magic:

  Ic2094dca56158d8e4cd843eadff837f3a17ea38f

This commit finishes that work. A subsequent patch will remove the
self manager logic all together and we'll fix up any trivial test
infrastructure then.

Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
2018-02-05 23:26:08 +00:00
Lance Bragstad 19a2ccb51e Introduce assertions for system-scoped token testing
This commit consists of some utilities that we can use when testing
system-scoped tokens. A subsequent patch will use them when
implementing the tests.

bp system-scope

Change-Id: If011ff7630cda1f7330a7657dd8e6249f0af5442
2018-01-23 13:50:20 +00:00
Lance Bragstad 086dd2738b Implement controller logic for system group assignments
This commit wires up the remaining bits to expose system role
assignments for groups via the assignment API.

bp system-scope

Change-Id: I5051aa97dbecb88ee706749b26a4140f9798e084
2018-01-12 16:25:03 +00:00
Lance Bragstad 410a8f691f Implement controller logic for system user assignments
This commit wires up the remaining bits to expose system role
assignments via the assignment API.

bp system-scope

Change-Id: Ie17a473c12c9a67bbc5b26f18d8b29e8ad4529d2
2018-01-10 21:54:56 +00:00
Zuul 6a1136cc60 Merge "Replace parse_strtime with datetime.strptime" 2017-12-26 21:48:29 +00:00
Gage Hugo 7e102514c7 Replace parse_strtime with datetime.strptime
This change switches the use of parse_strtime to datetime.strptime since
oslo.utils parse_strtime simply calls strptime from the datetime library[0],
which keystone already uses.

[0] https://github.com/openstack/oslo.utils/blob/master/oslo_utils/timeutils.py#L97

Change-Id: I9d428d16bfe5ed83a9ff441725c293576a11e09d
2017-12-21 12:14:28 -06:00
wangqiangbj 4fc045f820 remove "admin_token_auth" related content
As "admin_token_auth" is removed from the paste file, some related contents
are useless and should be removed also.

Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
2017-12-18 17:02:34 +08:00
Adam Young f71a78db86 Enforce policy on oslo-context
Up to now, middleware/auth.py was overwriting the oslo
context generated from keystonemiddleware with a
dictionary that simulated the values of
oslo-context directly pulled out of the token.

As oslo-context gains logic, Keystone has started
to diverge from the rest of the projects that use
oslo-context.

Change-Id: Ie93392f8aabddf8c963b9cb08aaa006d28d37e22
2017-12-05 03:37:32 +00:00
Jamie Lennox f5bd968a97 Move auth header definitions into authorization
common/authorization.py seems to be the canonical location for all our
information relating to auth parameters. The header definitions should
really be there as well.

Change-Id: I20d5cc94a55dd8936b5fe376ebbabd69909bb4dd
2017-09-30 07:26:18 +10:00
Jamie Lennox a98fca3bd0 Remove middleware reference to PARAMS_ENV and CONTEXT_ENV
I'm guessing these two links were maintained as part of a larger
refactor some time ago, however there's really no reason to maintain
these references in multiple places. Remove them.

Change-Id: I9a3a6a3b59e0591a47d52512742995d56958e6bf
2017-09-29 15:42:54 +10:00
David Stanek 3432685a1e Remove orphaned AuthTestMixin from test_v3
The code was moved to keystone.tests.common.auth and later
modified. The class in keystone.tests.unit.test_v3 is no
longer being used.

Change-Id: Ib89046b4c991d319c03ecd7dddf452dd315e1aad
2017-03-28 21:18:01 +00:00
Tim Burke 3ec1aa4c19 Fix the s3tokens endpoint
This was broken when issue_v2_token was removed, and no one noticed
because there are no tests.

The good news is, Swift3 is content to move toward supporting the
v3 format, so just start inheriting from the v3 controller.

Change-Id: I5d0c18121ba4bf8e33209daa48b9d87864951362
Related-Change: I7d3b583cbec9a095ab8cc20c5d6c0a6127e37068
Related-Change: I747de516ab69a47622eecbf8ab3faa34444b3ad5
2017-02-22 16:16:06 +00:00
Morgan Fainberg 29951be748 Cleanup TODO, AuthContext and AuthInfo to auth.core
Moved AuthContext and AuthInfo to keystone.auth.core as they are shared
code bits and not exclusively controller specific.

Change-Id: I649690d9e39057249e674500d85a053e0c28b30e
2017-01-31 16:52:41 +00:00
David Stanek dce8a2c11e Fixes deprecations caused by latest oslo.context
In oslo.context 2.12.0 a number of things used by keystone
were deprecated. This causes the keystone tests to fail
since we treat deprecation as errors.

Change-Id: I885431ba957909e709648e03a05bc280441ffbf5
2017-01-27 22:37:51 +00:00
Morgan Fainberg 0f3f08c3df Force use of AuthContext object in .authenticate()
Force the keystone.auth.controllers.Auth.authenticate method to
require the use of an AuthContext object instead of something
duck-typed (dictionary). This is done to ensure the security and
integrity of IDENTITY_KEYS are covered and values are not changed
by a plugin due to the security built into AuthContext being
circumvented since it was not used. This is not pythonic, this
is being done for hardening purposes.

Change-Id: I013846af59587d17b15ca4cf546e6372231f576e
Closes-Bug: #1656076
2017-01-13 17:29:23 +00:00
Samuel Pilla 812982a45f Domain included for role in list_role_assignment
When calling list_role_assignment and including the "include_names"
parameter, it would return the domain name and ID for each party
except for roles.

This will return the domain name and id for roles when the parameter
is included, if the role has a domain.

Added tests for roles with domains at manager and API level.

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>

Closes-Bug: #1607114

Change-Id: I5dae9299522b5116f8530455dd3d3376e9597b52
2016-12-06 10:26:13 -06:00
Brant Knudson 8002025375 Correct minor issues in test schema
The JSONSchema used to validate the token response had a couple of
issues:

- The domain property schema was wrapped in a domain property
- 'bind' in optional was always present already so no need to add it
  again.

Change-Id: I512e5a041c6ba96fbff71fac1bfdde02f888a582
2016-12-05 17:24:31 -06:00
David Stanek 4f12020e0e Removed unused EXTENSION_TO_ADD test declarations
The last use of the declaration was removed in
If38e8cc496cc1c3909bbb7fe4da89fa85bdc02f5, but those functions were
removed because they were not being used.

Change-Id: I76397ca655342403805ce655db8b722cc3f6878c
2016-11-29 17:06:34 +00:00
Ronald De Rose 02452d02c4 Return password_expires_at during auth
The new user attribute, password_expires_at, is not being returned
during auth; this patch adds it.

bp password-expires-validation
Change-Id: I1f17a849d9da4067d6be7d612c5a561bcb247ebb
2016-10-14 00:25:57 -04:00
Dave Chen ae0d189b13 Remove the check for admin token in build_auth_context middleware
The check has been deprecated since Mitaka release and the use of
admin token has been covered by admin_token_auth middleware.

bp removed-as-of-ocata

Change-Id: I24bddc942482288b85070a89b4c84084e6a5b337
2016-09-28 20:39:28 +08:00
Lance Bragstad 0edf1fe46c Implement encryption of credentials at rest
This commit implements credential encryption through the following changes:

 - additive schema change to store key hashes for credentials
 - database migration to encrypt all pre-existing credentials
 - contractive schema change to remove unencrypted credential column
 - added code to the credential Manager to handle credential encryption

All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.

Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to set up and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.

Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>

bp credential-encryption

Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
2016-09-02 04:25:49 +00:00
Jenkins d082fb29ce Merge "PCI-DSS Password expires validation" 2016-08-09 10:40:20 +00:00
Steve Martinelli 6c408a0607 remove test utilities related to adding extensions
These functions are not used by any test, no need to keep them
around.

Change-Id: If38e8cc496cc1c3909bbb7fe4da89fa85bdc02f5
2016-08-05 21:16:17 -07:00
Ronald De Rose 041f53f2f6 PCI-DSS Password expires validation
This patch implements the following PCI-DSS requirements:

* PCI-DSS 8.2.4: Change user passwords/passphrases at least once every
90 days.

Once a user's password is expired, they will not be able to authenticate
and be required to reset their password. This patch adds a new
password_expires_at attribute to the user response.

Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: If8979dbfc202bc354b1537a5962143bb7b3be28e
2016-08-05 13:21:42 +00:00
Béla Vancsics ffd2fea754 Use more specific asserts in tests
Instead of assertTrue and assertFalse, use more specific asserts.
They are compatible with Python 2.7[1] and 3.4[2].

[1]: https://docs.python.org/2.7/library/unittest.html
[2]: https://docs.python.org/3.4/library/unittest.html

Change-Id: Id9f73e90f0786ef7576edd2f97aa31b1503c14dd
2016-08-04 12:48:08 +02:00
Jamie Lennox e39486a15e Remove unused context from AuthInfo
The AuthInfo.context attribute is not used anywhere and all the testing
therefore just passes a None value rather than even try and provide real
values. Let's get rid of it.

Change-Id: I7b69b53915def44f531cbda80c875c7b9b114169
2016-07-15 10:07:36 +10:00