Commit Graph

65 Commits

Author SHA1 Message Date
Stephen Finucane 5d2ab6c63b db: Replace use of Query.get()
Resolve the following LegacyAPIWarning warning:

  The Query.get() method is considered legacy as of the 1.x series of
  SQLAlchemy and becomes a legacy construct in 2.0. The method is now
  available as Session.get()

Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-02-28 17:26:39 +00:00
Hervé Beraud 2844a38f7f Stop using the __future__ module.
The __future__ module [1] was used in this context to ensure compatibility
between python 2 and python 3.

We previously dropped the support of python 2.7 [2] and now we only support
python 3 so we don't need to continue to use this module and the imports
listed below.

Imports commonly used and their related PEPs:
- `division` is related to PEP 238 [3]
- `print_function` is related to PEP 3105 [4]
- `unicode_literals` is related to PEP 3112 [5]
- `with_statement` is related to PEP 343 [6]
- `absolute_import` is related to PEP 328 [7]

[1] https://docs.python.org/3/library/__future__.html
[2] https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
[3] https://www.python.org/dev/peps/pep-0238
[4] https://www.python.org/dev/peps/pep-3105
[5] https://www.python.org/dev/peps/pep-3112
[6] https://www.python.org/dev/peps/pep-0343
[7] https://www.python.org/dev/peps/pep-0328

Change-Id: I2f9d2114b2c5eb66f241646f1896ea17a160e3f3
2020-06-02 20:20:37 +02:00
Vishakha Agarwal 4530041931 Remove six usage
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
2020-01-30 06:06:51 +00:00
Jim Rollenhagen dc3175afb1 Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8.

Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
2019-05-14 21:09:32 +00:00
Morgan Fainberg 86f968163e Convert /v3/users to flask native dispatching
Convert /v3/users to use flask native dispatching.

The following test changes were required:

* Application Credentials did not have the plural form
  in the JSON Home document. The JSON Home document was
  corrected both in code and in tests.

* Application Credentials "patch" test needed to be
  refactored to look for METHOD_NOT_ALLOWED instead
  of NOT FOUND for invalid/unimplemented methods.
  The "assertValidErrorResponse" method was
  insufficient and the test now uses the flask
  test_client mechanism instead.

Change-Id: Iedaf405d11450b11e2d1fcdfae45ccb8eeb6f255
Partial-Bug: #1776504
2018-10-11 15:27:45 -07:00
Vishakha Agarwal 67435147ec Incorrect use of translation _()
Keystone uses translated strings both in
logging and exceptions. This is incorrect.
All strings that are passed to logging
should remain untranslated. This patch
addresses the above issue.

Change-Id: Idf4f0bc1bd63eb8dc6dc61d8a49a9e2a93320474
Closes-Bug: #1777671
2018-09-03 21:52:56 +05:30
Morgan Fainberg 6f07b4c1ff Convert OS-AUTH1 paths to flask dispatching
Convert OS-AUTH1 paths to native flask dispatching.

Change-Id: Iad54005b4dbfafa52ac241cdc4d1cae63c99f151
Partial-Bug: #1776504
2018-08-02 15:11:58 -07:00
Lance Bragstad 589152d094 Override oauthlib docstrings that fail with Sphinx 1.7.5
Sphinx 1.7.5 has some breaking changes that treat a couple specific
warnings as errors. Keystone isn't failing on them directly, but we
do rely on an interface from oauthlib/oauthlib that has compatibility
issues with that version of Sphinx.

This commit overrides those comments in keystone's implementation of
the interface so that we can get our documentation job passing. Once
the oauthlib docstrings are fixed upstream, we can consume a version
of oauthlib that addresses those incompatibilities and remove the
duplication introduced here. This has been reported upstream in the
following GitHub issue:

  https://github.com/oauthlib/oauthlib/issues/558

Change-Id: I197bc346ffb2ed75ba68aa2e9c2f82a0cad163e6
Partial-Bug: 1778603
2018-06-26 15:52:25 +00:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Lance Bragstad dd91f41c0a Simplify federation and oauth token callbacks
The token provider listened for specific callbacks from the
federation and oauth APIs. These were mainly for token invalidation
and token persistence removal. Now that the sql token driver and uuid
token provider have been removed, we can remove the need for
persistence notifications.

Instead, both of these cases can use a generic token cache
invalidation callback. This makes the token provider Manager simpler
because it only has to listen for a single internal notification to
invalidate the token cache, instead of multiple. It also makes the
code sending the notification easier to understand because it's
clearer about what it's doing.

Change-Id: I3281a013ce2764872dda8c183c4e9851974e1d14
2018-02-16 21:41:30 +00:00
Lance Bragstad d5e9c0b4fe Remove all v2.0 APIs except the ec2tokens API
The only API we're supporting on the v2.0 path until the T release is
the ec2tokens API. This commit removes all routers from the public
and admin v2.0 applications. This includes the extensions API. This
commit also removes unused v2.0 controller logic.

Change-Id: I523c1215899ac9ee605df6bf717643c0ba87c761
Closes-Bug: 1746798
2018-02-06 23:12:55 +01:00
wangxiyuan 1f0473a597 Add schema check for authorize request token
This patch adds the schema check for the authorize
request token API. It avoids some 500 errors
caused by invalid input format and raises
a 400 error correctly.

This patch also adds role name support for
authorize request token.

Closes-bug: #1736875
Change-Id: I9d113692702e7aaa0127ffa9405a17908c0c6ff7
2018-01-10 14:32:16 +08:00
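The commit above describes the pattern of validating the request body up front so that malformed input becomes a 400 with a usable message instead of a KeyError or TypeError surfacing as a 500. The example below is added here to illustrate that pattern; it is not keystone code. Keystone uses a jsonschema document for this check, so the exact shape enforced here (a non-empty list of roles, each given by exactly one of `id` or `name`) and the `handle`/`authorize_unchecked` names are assumptions made for the illustration.

```python
"""Input validation for an authorize-request-token body (added example).

Not keystone code.  The accepted shape (a non-empty ``roles`` list whose
items carry exactly one of ``id`` or ``name``) is an assumption about the
schema the commit adds; keystone itself validates with jsonschema.
"""
import json


class ValidationError(Exception):
    """Raised for bad input; the dispatcher maps it to an HTTP 400."""


def authorize_unchecked(body):
    """'Before' behaviour: trusts the body's shape, so bad input raises
    KeyError/TypeError deep in the handler and the client sees a 500."""
    return [role['id'] for role in body['roles']]


def validate_authorize_body(body):
    """'After' behaviour: check shape and types before touching the data.

    Returns a list of (key, value) role references on success and raises
    ValidationError with a message that names the offending field position
    (not the submitted value, so errors never echo attacker-controlled input).
    """
    if not isinstance(body, dict):
        raise ValidationError('request body must be a JSON object')
    roles = body.get('roles')
    if not isinstance(roles, list) or not roles:
        raise ValidationError("'roles' must be a non-empty list")
    refs = []
    for i, role in enumerate(roles):
        if not isinstance(role, dict):
            raise ValidationError('roles[%d] must be an object' % i)
        keys = set(role) & {'id', 'name'}
        if len(keys) != 1 or len(role) != 1:
            raise ValidationError(
                "roles[%d] must have exactly one of 'id' or 'name'" % i)
        key = keys.pop()
        if not isinstance(role[key], str) or not role[key]:
            raise ValidationError(
                'roles[%d].%s must be a non-empty string' % (i, key))
        refs.append((key, role[key]))
    return refs


def handle(raw_body, handler=validate_authorize_body):
    """Minimal stand-in for the view layer: returns (status, payload).

    The raw body is constructed by the caller; ``handler`` is either the
    validating function or the unchecked one, to compare the two.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {'error': 'malformed JSON'}
    try:
        return 200, {'roles': handler(body)}
    except ValidationError as exc:
        return 400, {'error': str(exc)}
    except Exception:
        # Anything unexpected is exactly the 500 the schema check removes.
        return 500, {'error': 'internal server error'}


if __name__ == '__main__':
    for raw in ('{"roles": [{"id": "r1"}, {"name": "admin"}]}',
                '{"roles": "admin"}',
                '{"roles": [{"name": "admin"}]}'):
        print(raw, '->', handle(raw, authorize_unchecked)[0],
              'unchecked /', handle(raw)[0], 'validated')
```

Run stand-alone it prints the status each body gets under the unchecked and the validating handler; the string-valued `roles` and the `name`-only role both produce a 500 without the check and a 400 with it.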
Lance Bragstad e679ec1aaf Use keystone.common.provider_api for oauth APIs
This change converts the usage of self.<provider_api> to
keystone.common.providers_api.ProviderAPIs.<provider_api> in manager
and controller logic. This is the correct way to reference
providers from other managers and controllers now that dependency
injection has been eliminated.

Change-Id: I4e30070111ba1d8ae1653a764fdeed949e536830
2017-12-27 17:08:23 +00:00
Morgan Fainberg 81f9fe6fed Remove Dependency Injection
Refactors all of keystone's dependency injection to maintain a
single centralized repository of instantiated objects. This
means that we are no longer having to resolve order. All
objects that need to reference the various manager APIs simply
do so via the __getattr__ built into the Manager common object
or the ProviderAPIMixin object.

This is also the first step towards correcting our tests to
where they cannot run "load_backends" multiple times.

This forces any/all managers to properly run super()
as the way to register the api is via __init__.

This eliminates all use of the @dependency.requires and
@dependency.provides decorators, simplifying the objects
all around.

Any instantiations of a Manager after keystone is running
will now generate an error, ensuring everything for keystone
is running before handling requests. An exception is for
CLI and CLI tests, as the CLI may directly instantiate
managers and will not lock the registry.

Change-Id: I4ba17855efd797c0db9f4824936b49e4bff54b6a
2017-12-13 10:59:39 -08:00
wangxiyuan 4af3a43ab2 Correct error message for request token
When creating a request token with header "requested_project_id",
Keystone raises the 400 error:
"Expecting to find requested_project_id in request".

The correct key is "Requested-Project-Id", which uses - instead of _.

This patch corrects the misleading error message.

Change-Id: I2e619a2e7326d0c84756efbdce36d99b0bfbfc56
2017-12-05 08:53:08 +08:00
Lance Bragstad 630342aba3 Ensure oauth API supports HEAD
This commit makes it so all oauth GET APIs also support HEAD.

Change-Id: Ie0eebfa662de850856ecb92c2aba61af41b6c8f6
Partial-Bug: 1696574
2017-06-21 15:00:38 +00:00
Hemanth Nakkina b7aece57d2 Change url scheme passed to oauth signature verifier
Change 461736 modifies the url passed to the oauth signature verifier to
the request url. But in some deployments, https endpoints are terminated
at haproxy and an http request is sent to keystone. So the request url will
have http as the url scheme whereas the endpoint is registered with https
and the signature at the client is done with the https url. This results in OAUTH
signature validation failure.

Update the URL sent for OAUTH signature verification with the scheme of
the base url.

Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
Partial-Bug: #1687593
2017-05-15 21:26:34 +05:30
Hemanth Nakkina 926685c5a4 Change url passed to oauth signature verifier to request url
OAUTH signature verification should happen with the same URL used for signing.
Typically at the user end it should be signed with the request URL and hence it
should be verified with the same.
Currently keystone uses public endpoint URL for signature verification.

Modified the URL passed to oauth signature verification to request URL.

Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
Partial-Bug: #1687593
2017-05-07 05:27:46 +00:00
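The two commits above ("Change url passed to oauth signature verifier to request url" and "Change url scheme passed to oauth signature verifier") hinge on a detail of RFC 5849: the signature base string embeds the normalized request URI, scheme included, so a signature computed by the client over an https URL cannot verify against the http URL keystone sees behind a TLS-terminating proxy. The example below is added here to show that mechanically; it is not keystone or oauthlib code. It implements the RFC 5849 base string and HMAC-SHA1 signature with the standard library only, and the endpoint URLs, secrets, parameter values and the `with_scheme_of` helper are constructed for the illustration.

```python
"""RFC 5849 signature base string, HMAC-SHA1 and scheme rewrite (added example).

Not keystone or oauthlib code.  The endpoint, secrets and oauth_* values in
demo() are constructed; ``with_scheme_of`` stands in for taking the scheme
from the configured base URL as the second commit describes.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(value):
    """RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ are left unencoded."""
    return quote(str(value), safe='~')


def base_string_uri(url):
    """Section 3.4.1.2: lower-case scheme and host, drop the default port,
    keep the path as sent, drop query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and parts.port != {'http': 80, 'https': 443}.get(scheme):
        host = '%s:%d' % (host, parts.port)
    return '%s://%s%s' % (scheme, host, parts.path or '/')


def signature_base_string(method, url, oauth_params, body=''):
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).

    Parameters are collected from the query string, a form-encoded body and
    the oauth_* protocol parameters; oauth_signature and realm are excluded.
    """
    pairs = [(pct(k), pct(v)) for k, v in oauth_params.items()
             if k not in ('oauth_signature', 'realm')]
    pairs += [(pct(k), pct(v)) for k, v in
              parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in
              parse_qsl(body, keep_blank_values=True)]
    pairs.sort()  # by encoded name, then encoded value, byte order
    normalized = '&'.join('%s=%s' % kv for kv in pairs)
    return '&'.join((method.upper(), pct(base_string_uri(url)), pct(normalized)))


def hmac_sha1_signature(base_string, client_secret, token_secret=''):
    """Section 3.4.2: key is enc(client secret) & enc(token secret)."""
    key = ('%s&%s' % (pct(client_secret), pct(token_secret))).encode('ascii')
    digest = hmac.new(key, base_string.encode('ascii'), hashlib.sha1).digest()
    return base64.b64encode(digest).decode('ascii')


def verify(method, url, oauth_params, client_secret, token_secret=''):
    """Recompute the signature for the URL the server believes it served
    and compare it to the presented one in constant time."""
    expected = hmac_sha1_signature(
        signature_base_string(method, url, oauth_params), client_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params['oauth_signature'])


def with_scheme_of(base_url, request_url):
    """Keep host, path and query of request_url but use base_url's scheme."""
    return urlunsplit((urlsplit(base_url).scheme,) + urlsplit(request_url)[1:])


def demo():
    """Client signs over https; keystone behind haproxy sees http."""
    client_secret, token_secret = 'consumer-secret', 'request-token-secret'  # constructed
    public_endpoint = 'https://keystone.example.com/v3'  # assumed configured base URL
    signed_url = 'https://keystone.example.com/v3/OS-OAUTH1/access_token'
    params = {'oauth_consumer_key': 'consumer-id', 'oauth_token': 'request-token-id',
              'oauth_verifier': 'verifier', 'oauth_signature_method': 'HMAC-SHA1',
              'oauth_timestamp': '1494000000', 'oauth_nonce': 'nonce123',
              'oauth_version': '1.0'}
    params['oauth_signature'] = hmac_sha1_signature(
        signature_base_string('POST', signed_url, params), client_secret, token_secret)
    request_url = 'http://keystone.example.com/v3/OS-OAUTH1/access_token'
    naive = verify('POST', request_url, params, client_secret, token_secret)
    fixed = verify('POST', with_scheme_of(public_endpoint, request_url),
                   params, client_secret, token_secret)
    return naive, fixed


if __name__ == '__main__':
    print('verify with request URL as seen behind the proxy, then with base scheme:', demo())
```

Taking the scheme from configured state rather than from a client-supplied header such as X-Forwarded-Proto keeps the verification input out of the requester's control; either way a mismatch only causes a rejected signature, never an accepted one, so the proxy case is an availability problem rather than a bypass.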
Jenkins da472c5f3b Merge "Refactor Authorization:" 2017-05-05 07:51:11 +00:00
ChangBo Guo(gcb) f348895f8e Fix keystone.tests.unit.test_v3_oauth1.MaliciousOAuth1Tests
Config options 'access_token_duration' and 'request_token_duration' only
allow values >= 0, so override with value 1 and use freezegun to wait for
the token to expire. This commit also enhances the condition check for these
two options.

Partial-Bug: #1686921
Change-Id: I65306b9fc5eec6b8146ba5130f7d6e6cb229810e
2017-05-03 21:40:57 +08:00
Adam Young 7d8f2fcfb9 Refactor Authorization:
Merged the decorator logic into a single function that
calls check_policy. Moved authorization logic in authorize.py

Prep for oslo-context fixes

Change-Id: Id1452db131740c68b3756a819792f9a60cff239c
2017-05-02 14:42:03 -04:00
Jenkins 39c6b0ff53 Merge "Make use of Dict-base including extras explicit" 2017-03-31 20:11:14 +00:00
wingwj ca35d003dc Remove log translations in keystone
Log messages are no longer being translated. This removes all use of
the _LC, _LE, _LI, and _LW translation markers to simplify logging
and to avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Co-Authored-By: David Stanek <dstanek@dstanek.com>

Change-Id: I45862f944107c1b4b73aa4d2fd95940f0b67eb1b
2017-03-25 18:17:15 +00:00
Morgan Fainberg dce7c52de9 Make use of Dict-base including extras explicit
This change replaces the use of DictBase with the ModelDictMixin
for any SQL models that do not contain an extra column and renames
the DictBase to a more descriptive name of ModelDictMixinWithExtras.

A Docstring has been added indicating the continued usage of
ModelDictMixinWithExtras should not be done for any "new"
models.

Change-Id: I9a4767cacf7620e878df70084060f3e43e1318df
2017-02-06 19:15:15 -08:00
Eric Brown 30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Morgan Fainberg 6f1079586e Do not call `to_dict` outside of a session context
Do not call `to_dict` outside of a session context as if to_dict
interacts with lazy-loaded relationships it can cause errors. For
the most part these are edge-cases and unlikely to happen.

A couple FIXMEs were added to restructure the calls to allow for
`to_dict` to be moved into a method that will act within a session
context.

Change-Id: I769c2cdea1b08a780093d27cdc70bce9f004017b
2017-01-25 06:12:20 +00:00
Jenkins 83bd595b22 Merge "Pass initiator to Manager as a kwarg" 2016-10-09 02:57:43 +00:00
Jenkins eb55c2c9f1 Merge "Move audit initiator creation to request" 2016-10-08 00:58:51 +00:00
Lance Bragstad 86229b3e75 Pass initiator to Manager as a kwarg
Keystone's various Manager classes typically handle the sending of
a notification. In order to send the notification an `initiator` is
needed. All Manager CRUD methods typically ask for this as a kwarg
since it's not required in all cases.

Most of the controller layers pass the initiator value as a
positional argument. This commit makes it so the controller passes it
as a kwarg since that's how the Manager class method signature
describes it.

Change-Id: Ic805f6ea2767c9c5cf01aa04ad554773b9cc8c39
2016-10-07 15:20:45 +00:00
Jamie Lennox 9117e45d6e Move audit initiator creation to request
The audit initiator is basically a context with all the information
about the current operation available. This information is all gathered
from the request and context so we can simplify its generation by moving
it onto the request object.

Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c
2016-10-05 11:42:03 +11:00
Steve Martinelli 810e15689b Remove stable driver interfaces
bp removed-as-of-ocata

Change-Id: I4672cf7d9d72ef725212085972dbcd90db0e47cf
2016-09-28 17:18:37 +00:00
Dave Chen 3c7e14091d Consolidate the common code into one method
This follows up the comments from review [1], and takes the chance
to update the exception where it fails at the validation of the
payload in headers.

[1] https://review.openstack.org/#/c/361087/
Related-Bug: #1616424
Change-Id: Ibb97a141b5cbb839b4fce062ad3470032e26f67a
2016-09-21 18:35:59 +00:00
Dave Chen 54e41a310c Handle the exception from creating request token properly
A returned status code larger than 399 does not indicate that the
signature is invalid; only an empty body implies that.

For other reasons which cause the failure of creating a request
token, this patch shows the detailed message, so that it gives us
some clue on where it is incorrect.

Related-Bug: #1616424
Change-Id: Id3f0b806630697436340ab97f328743d7f811a14
2016-09-21 18:35:53 +00:00
Jenkins 77213e6c0d Merge "Handle the exception from creating access token properly" 2016-09-21 18:24:06 +00:00
Dave Chen be5385c538 Handle the exception from creating access token properly
If there is any request from a client with any invalid request
parameters, an invalid signature for example, keystone should
capture that and raise the exception.

Previously `NotImplementedError` and `TypeError` were thrown out and
presented directly to the end user, and no helpful message
was given.

This patch fixes that and shows as much of the exception message
as is helpful for diagnosis.

Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
Closes-Bug: #1616424
2016-09-21 11:18:19 +00:00
Dave Chen dd63146cf1 Update `href` for keystone extensions
Since the API docs have been moved to api-ref, and the docs maintained
in the keystone-specs repo have been moved to the attic, the href attribute
that points to the old `specs.openstack.org` will not be a valid link; this
patch updates them to point to the new site.

Change-Id: Idc4995509d262c74ce6d49c6c18b6452fae186d6
2016-08-22 11:09:43 +08:00
Dave Chen 72b274defc Replace the content type with correct one
The content type `application/x-www-urlformencoded` used in the
OAuth1 extension is not spelled correctly; the correct one
should be `application/x-www-form-urlencoded` according to the
W3C recommendation [1] and the implementation in the oauth1 lib [2].

[1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1
[2] https://github.com/idan/oauthlib/blob/master/oauthlib/oauth1/rfc5849/__init__.py#L39

Change-Id: I9ead0a633e3801f5150685c44b1174d3b4dc408c
2016-08-16 21:26:06 +08:00
Dave Chen b26200beb8 Remove the redundant verification in OAuth1 authorization
The code verifies the assignment filtered by `user_id` after
verifying the assignment filtered by `user_id` and `project_id`.

The latter should be a subset of the former.

Change-Id: I056f543a1dfbd0ad8965cdd37bb986a665711ab7
2016-07-31 17:08:24 +08:00
Jamie Lennox 9dc21e8525 Handle more auth information via context
Add more information from the auth_context dict to the request context
object and start the process of converting code over to using the
context instead.

Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
2016-07-13 17:14:46 +10:00
Jenkins 7fd720be1f Merge "Move request validation inline" 2016-07-09 09:47:39 +00:00
Jenkins ee58ebb724 Merge "Use http_client constants instead of hardcoding" 2016-07-09 00:53:19 +00:00
Lance Bragstad 8ff6b0ea51 Move request validation inline
This commit moves all the decorated calls to validate requests inline with the
method. This is one way we can lazily validate requests, which allows us to
pick validation configuration options specified in config.

Change-Id: Iee71fb3c34d296427cd485180dacb6bf02581845
2016-07-08 20:22:33 +00:00
Eric Brown af0b966af8 Use http_client constants instead of hardcoding
This patch swaps use of hardcoded int and strings for known http
status codes with the values from six.moves.http_client.

Change-Id: Iab83af97920b950d075036ff1499f388299588a0
2016-07-07 16:22:44 -07:00
Jamie Lennox 3a19aa518d Remove get_auth_context
The controller get_auth_context method simply fetches a dict from the
environment. We can simply put this method on the request now.

Change-Id: Icba3a0286e5af440108c27f41f54de64c922f29a
2016-07-07 15:11:34 +10:00
Jamie Lennox b958a5f704 Remove headers from context
The last references to headers in the context_dict are in oauth1 and a
test for the context_dict itself. Remove this test and fixup the oauth
tests to use the request.headers instead.

Change-Id: I94fac7bf5dacc30d6bea7efc066d9cc40dcddc4a
2016-07-06 10:41:55 +10:00
Jamie Lennox ef70f52bef Use request.params instead of context['query_string']
The context['query_string'] is just a dictionary copy of the original
params object that comes from a request. Just use the existing params
instead.

Change-Id: I0ecd7a09e36b39a105c150b3affcbbcd26a544c2
2016-06-29 04:46:57 +10:00
Dolph Mathews d9c6b50a3a Replace keystone.common.config with keystone.conf package
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.

This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.

There are a couple special modules in keystone.conf introduced here as
well:

- keystone.conf.__init__: This causes all of Keystone options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).

- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.

- keystone.conf.opts: The entry point for oslo.config itself.

- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.

Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
2016-06-24 17:02:15 +00:00
Jamie Lennox da6ea7e224 Pass a request to controllers instead of a context
Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.

Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
2016-06-08 14:56:52 +10:00
Ronald De Rose a9d2daace2 Move the oauth1 abstract base class out of core
This patch moves the oauth1 abstract base class out of core and into
backends/base.py

This removes dependencies where backend code references code in the
core. The reasoning being that the core should know about the backend
interface, but the backends should not know anything about the core
(separation of concerns). And part of the risk here is a potential for
circular dependencies.

Partial-Bug: #1563101

Change-Id: I730798c71a6e8be8f32edd5bddb9e86cabd6ff65
2016-05-16 18:44:12 +00:00
Raildo Mascena 771eeb36cb Avoid name repetition in equality comparisons
Multiple equality comparisons on the same variable are combined with
OR. Instead you could use `in` (f.e.: `a in [1, 2, 3]`)

Change-Id: Icd7e009219e916458a3918064dc7d45991511f62
2016-03-22 13:33:02 +00:00