Limited use trusts
Trusts now have a "remaining_uses" field that tracks how many times a trust can still issue a token. It is decremented by 1 each time a trust related authentication occurs (call to /auth/tokens), until it reaches 0 and no token can be issued through this trust anymore. If set to null (default value), trusts can be used indefinitely to authenticate. This is the client side of the implementation. Closes-Bug: #1250617 Implements: bp trusts-chained-delegation Change-Id: Ib035a9772b7f035c3a9af102e8e15a860a96a96d
This commit is contained in:
parent
4481b65ac3
commit
5528f1a5be
|
@ -40,6 +40,14 @@ class TrustTests(utils.TestCase, utils.CrudTests):
|
|||
ref['impersonation'] = False
|
||||
super(TrustTests, self).test_create(ref=ref)
|
||||
|
||||
def test_create_limited_uses(self):
|
||||
ref = self.new_ref()
|
||||
ref['trustor_user_id'] = uuid.uuid4().hex
|
||||
ref['trustee_user_id'] = uuid.uuid4().hex
|
||||
ref['impersonation'] = False
|
||||
ref['remaining_uses'] = 5
|
||||
super(TrustTests, self).test_create(ref=ref)
|
||||
|
||||
def test_create_roles(self):
|
||||
ref = self.new_ref()
|
||||
ref['trustor_user_id'] = uuid.uuid4().hex
|
||||
|
|
|
@ -37,7 +37,7 @@ class TrustManager(base.CrudManager):
|
|||
|
||||
def create(self, trustee_user, trustor_user, role_names=None,
|
||||
project=None, impersonation=False, expires_at=None,
|
||||
**kwargs):
|
||||
remaining_uses=None, **kwargs):
|
||||
"""Create a Trust.
|
||||
:param string trustee_user: user who is capable of consuming the trust
|
||||
:param string trustor_user: user who's authorization is being delegated
|
||||
|
@ -45,6 +45,9 @@ class TrustManager(base.CrudManager):
|
|||
:param string project: project which the trustor is delegating
|
||||
:param boolean impersonation: enable explicit impersonation
|
||||
:param datetime.datetime expires_at: expiry time
|
||||
:param integer remaining_uses: how many times this trust can be used
|
||||
to generate a token. None means
|
||||
unlimited tokens.
|
||||
"""
|
||||
# Convert role_names list into list-of-dict API format
|
||||
if role_names:
|
||||
|
@ -62,6 +65,7 @@ class TrustManager(base.CrudManager):
|
|||
expires_at=expires_str,
|
||||
impersonation=impersonation,
|
||||
project_id=base.getid(project),
|
||||
remaining_uses=remaining_uses,
|
||||
roles=roles,
|
||||
trustee_user_id=base.getid(trustee_user),
|
||||
trustor_user_id=base.getid(trustor_user),
|
||||
|
|
Loading…
Reference in New Issue