Limited use trusts

Trusts now have a "remaining_uses" field that tracks how many times a trust can still issue a token. It is decremented by 1 each time a trust related authentication occurs (call to /auth/tokens), until it reaches 0 and no token can be issued through this trust anymore. If set to null (default value), trusts can be used indefinitely to authenticate. This is the client side of the implementation. Closes-Bug: #1250617 Implements: bp trusts-chained-delegation Change-Id: Ib035a9772b7f035c3a9af102e8e15a860a96a96d
2013-11-20 17:55:49 +01:00 · 2013-11-20 17:55:49 +01:00 · 5528f1a5be
parent 4481b65ac3
commit 5528f1a5be
2 changed files with 13 additions and 1 deletions
--- a/keystoneclient/tests/v3/test_trusts.py
+++ b/keystoneclient/tests/v3/test_trusts.py
@ -40,6 +40,14 @@ class TrustTests(utils.TestCase, utils.CrudTests):
        ref['impersonation'] = False
        super(TrustTests, self).test_create(ref=ref)

+    def test_create_limited_uses(self):
+        ref = self.new_ref()
+        ref['trustor_user_id'] = uuid.uuid4().hex
+        ref['trustee_user_id'] = uuid.uuid4().hex
+        ref['impersonation'] = False
+        ref['remaining_uses'] = 5
+        super(TrustTests, self).test_create(ref=ref)
+
    def test_create_roles(self):
        ref = self.new_ref()
        ref['trustor_user_id'] = uuid.uuid4().hex
--- a/keystoneclient/v3/contrib/trusts.py
+++ b/keystoneclient/v3/contrib/trusts.py
@ -37,7 +37,7 @@ class TrustManager(base.CrudManager):

    def create(self, trustee_user, trustor_user, role_names=None,
               project=None, impersonation=False, expires_at=None,
-               **kwargs):
+               remaining_uses=None, **kwargs):
        """Create a Trust.
        :param string trustee_user: user who is capable of consuming the trust
        :param string trustor_user: user who's authorization is being delegated
@ -45,6 +45,9 @@ class TrustManager(base.CrudManager):
        :param string project: project which the trustor is delegating
        :param boolean impersonation: enable explicit impersonation
        :param datetime.datetime expires_at: expiry time
+        :param integer remaining_uses: how many times this trust can be used
+                                       to generate a token. None means
+                                       unlimited tokens.
        """
        # Convert role_names list into list-of-dict API format
        if role_names:
@ -62,6 +65,7 @@ class TrustManager(base.CrudManager):
            expires_at=expires_str,
            impersonation=impersonation,
            project_id=base.getid(project),
+            remaining_uses=remaining_uses,
            roles=roles,
            trustee_user_id=base.getid(trustee_user),
            trustor_user_id=base.getid(trustor_user),